urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* More security review.

master
joey 2006-06-01 20:44:12 +00:00
parent f4fd66fc1b
commit 140658bc51
3 changed files with 30 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
IkiWiki/Render.pm
View File

@ -426,7 +426,7 @@ FILE: foreach my $file (@files) {
}
# Handle backlinks; if a page has added/removed links, update the
# pages it links to. Also handles rebuilding dependat pages.
# pages it links to. Also handles rebuilding dependant pages.
# TODO: inefficient; pages may get rendered above and again here;
# problem is the backlinks could be wrong in the first pass render
# above

3
debian/changelog vendored
View File

@ -3,8 +3,9 @@ ikiwiki (1.5) UNRELEASED; urgency=low
* Add --timeformat config option to allow changing how dates are displayed.
Note that as a side effect, dates will now be displayed using the local
timezone, not as GMT.
* More security review.
-- Joey Hess <joeyh@debian.org> Mon, 29 May 2006 00:50:34 -0400
-- Joey Hess <joeyh@debian.org> Thu, 1 Jun 2006 15:12:29 -0400
ikiwiki (1.4) unstable; urgency=low

44
doc/security.mdwn
View File

@ -184,12 +184,18 @@ their own can race it.
Similarly, a svn commit of a symlink could be made, ikiwiki ignores it
because of the above, but the symlink is still there, and then you edit the
page from the web, which follows the symlink when reading the page, and
again when saving the changed page.
page from the web, which follows the symlink when reading the page
(exposing the content), and again when saving the changed page (changing
the content).
This was fixed by making ikiwiki refuse to read or write to files that are
symlinks, or that are in subdirectories that are symlinks, combined with
the above locking.
This was fixed for page saving by making ikiwiki refuse to write to files
that are symlinks, or that are in subdirectories that are symlinks,
combined with the above locking.
For page editing, it's fixed by ikiwiki checking to make sure that it
already has found a page by scanning the tree, before loading it for
editing, which as described above, also is done in a way that avoids
symlink attacks.
## underlaydir override attacks
@ -198,20 +204,24 @@ pages to all wikis w/o needing to copy them into the wiki. Since ikiwiki
internally stores only the base filename from the underlaydir or srcdir,
and searches for a file in either directory when reading a page source,
there is the potential for ikiwiki's scanner to reject a file from the
srcdir for some reason (such as it being a symlink), find a valid copy of
the file in the underlaydir, and then when loading the file, mistekenly
load the bad file from the srcdir.
srcdir for some reason (such as it being contained in a directory that is
symlinked in), find a valid copy of the file in the underlaydir, and then
when loading the file, mistakenly load the bad file from the srcdir.
This attack is avoided by making ikiwiki scan the srcdir first, and refuse
to add any files from the underlaydir if a file also exists in the srcdir
with the same name. **But**, note that this assumes that any given page can
be produced from a file with only one name (`page.mdwn` => `page.html`).
This attack is avoided by making ikiwiki refuse to add any files from the
underlaydir if a file also exists in the srcdir with the same name.
If it's possible for files with different names to produce a given page, it
would still be possible to use this attack to confuse ikiwiki into
rendering the wrong thing. This is not currently possible, but must be kept
in mind in the future when for example adding support for generating html
pages from source with some other extension.
## multiple page source issues
Note that I previously worried that underlay override attacks could also be
accomplished if ikiwiki were extended to support other page markup
languages besides markdown. However, a closer look indicates that this is
not a problem: ikiwiki does preserve the file extension when storing the
source filename of a page, so a file with another extension that renders to
the same page name can't bypass the check. Ie, ikiwiki won't skip foo.rst
in the srcdir, find foo.mdwn in the underlay, decide to render page foo and
then read the bad foo.mdwn. Instead it will remember the .rst extension and
only render a file with that extension.
## XSS attacks in page content