* More security review.
parent
f4fd66fc1b
commit
140658bc51
|
@ -426,7 +426,7 @@ FILE: foreach my $file (@files) {
|
||||||
}
|
}
|
||||||
|
|
||||||
# Handle backlinks; if a page has added/removed links, update the
|
# Handle backlinks; if a page has added/removed links, update the
|
||||||
# pages it links to. Also handles rebuilding dependat pages.
|
# pages it links to. Also handles rebuilding dependant pages.
|
||||||
# TODO: inefficient; pages may get rendered above and again here;
|
# TODO: inefficient; pages may get rendered above and again here;
|
||||||
# problem is the backlinks could be wrong in the first pass render
|
# problem is the backlinks could be wrong in the first pass render
|
||||||
# above
|
# above
|
||||||
|
|
|
@ -3,8 +3,9 @@ ikiwiki (1.5) UNRELEASED; urgency=low
|
||||||
* Add --timeformat config option to allow changing how dates are displayed.
|
* Add --timeformat config option to allow changing how dates are displayed.
|
||||||
Note that as a side effect, dates will now be displayed using the local
|
Note that as a side effect, dates will now be displayed using the local
|
||||||
timezone, not as GMT.
|
timezone, not as GMT.
|
||||||
|
* More security review.
|
||||||
|
|
||||||
-- Joey Hess <joeyh@debian.org> Mon, 29 May 2006 00:50:34 -0400
|
-- Joey Hess <joeyh@debian.org> Thu, 1 Jun 2006 15:12:29 -0400
|
||||||
|
|
||||||
ikiwiki (1.4) unstable; urgency=low
|
ikiwiki (1.4) unstable; urgency=low
|
||||||
|
|
||||||
|
|
|
@ -184,12 +184,18 @@ their own can race it.
|
||||||
|
|
||||||
Similarly, a svn commit of a symlink could be made, ikiwiki ignores it
|
Similarly, a svn commit of a symlink could be made, ikiwiki ignores it
|
||||||
because of the above, but the symlink is still there, and then you edit the
|
because of the above, but the symlink is still there, and then you edit the
|
||||||
page from the web, which follows the symlink when reading the page, and
|
page from the web, which follows the symlink when reading the page
|
||||||
again when saving the changed page.
|
(exposing the content), and again when saving the changed page (changing
|
||||||
|
the content).
|
||||||
|
|
||||||
This was fixed by making ikiwiki refuse to read or write to files that are
|
This was fixed for page saving by making ikiwiki refuse to write to files
|
||||||
symlinks, or that are in subdirectories that are symlinks, combined with
|
that are symlinks, or that are in subdirectories that are symlinks,
|
||||||
the above locking.
|
combined with the above locking.
|
||||||
|
|
||||||
|
For page editing, it's fixed by ikiwiki checking to make sure that it
|
||||||
|
already has found a page by scanning the tree, before loading it for
|
||||||
|
editing, which as described above, also is done in a way that avoids
|
||||||
|
symlink attacks.
|
||||||
|
|
||||||
## underlaydir override attacks
|
## underlaydir override attacks
|
||||||
|
|
||||||
|
@ -198,20 +204,24 @@ pages to all wikis w/o needing to copy them into the wiki. Since ikiwiki
|
||||||
internally stores only the base filename from the underlaydir or srcdir,
|
internally stores only the base filename from the underlaydir or srcdir,
|
||||||
and searches for a file in either directory when reading a page source,
|
and searches for a file in either directory when reading a page source,
|
||||||
there is the potential for ikiwiki's scanner to reject a file from the
|
there is the potential for ikiwiki's scanner to reject a file from the
|
||||||
srcdir for some reason (such as it being a symlink), find a valid copy of
|
srcdir for some reason (such as it being contained in a directory that is
|
||||||
the file in the underlaydir, and then when loading the file, mistekenly
|
symlinked in), find a valid copy of the file in the underlaydir, and then
|
||||||
load the bad file from the srcdir.
|
when loading the file, mistakenly load the bad file from the srcdir.
|
||||||
|
|
||||||
This attack is avoided by making ikiwiki scan the srcdir first, and refuse
|
This attack is avoided by making ikiwiki refuse to add any files from the
|
||||||
to add any files from the underlaydir if a file also exists in the srcdir
|
underlaydir if a file also exists in the srcdir with the same name.
|
||||||
with the same name. **But**, note that this assumes that any given page can
|
|
||||||
be produced from a file with only one name (`page.mdwn` => `page.html`).
|
|
||||||
|
|
||||||
If it's possible for files with different names to produce a given page, it
|
## multiple page source issues
|
||||||
would still be possible to use this attack to confuse ikiwiki into
|
|
||||||
rendering the wrong thing. This is not currently possible, but must be kept
|
Note that I previously worried that underlay override attacks could also be
|
||||||
in mind in the future when for example adding support for generating html
|
accomplished if ikiwiki were extended to support other page markup
|
||||||
pages from source with some other extension.
|
languages besides markdown. However, a closer look indicates that this is
|
||||||
|
not a problem: ikiwiki does preserve the file extension when storing the
|
||||||
|
source filename of a page, so a file with another extension that renders to
|
||||||
|
the same page name can't bypass the check. Ie, ikiwiki won't skip foo.rst
|
||||||
|
in the srcdir, find foo.mdwn in the underlay, decide to render page foo and
|
||||||
|
then read the bad foo.mdwn. Instead it will remember the .rst extension and
|
||||||
|
only render a file with that extension.
|
||||||
|
|
||||||
## XSS attacks in page content
|
## XSS attacks in page content
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue