some updates about the recent hole

master
Joey Hess 2008-02-10 19:00:26 -05:00
parent 886adf9f9f
commit 0e445d62d2
1 changed files with 7 additions and 4 deletions


@ -356,9 +356,12 @@ allow the security hole to be exploited.
## javascript insertion via uris
The htmlscrubber did not block javascript in uris. This was fixed by adding
a whitelist of valid uri types, which does not include javascript.
a whitelist of valid uri types, which does not include javascript. Some
urls specifyable by the meta plugin could also theoretically have been used
to inject javascript; this was also blocked.
This hole was discovered on 10 February 2008 and fixed the same day
with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch,
as version 1.33.4. I recommend upgrading to one of these versions if your
wiki can be edited by third parties.
with the release of ikiwiki 2.31.1. (And a few subsequent versions..)
A fix was also backported to Debian etch, as version 1.33.4. I recommend
upgrading to one of these versions if your wiki can be edited by third
parties.
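Review bot: the added line "with the release of ikiwiki 2.31.1. (And a few subsequent versions..)" leaves the reader unable to tell which release actually closes the meta-plugin vector described in the new sentence just above it; state the first version that contains both the htmlscrubber whitelist and the meta-plugin block (and the matching etch version, if 1.33.4 does not already include it) rather than "a few subsequent versions", since an administrator reading this page needs a concrete minimum version to upgrade to. Minor: "specifyable" should be "specifiable", and "versions..)" should end with a single period or a proper ellipsis.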