* Fix a few bugs around page titles containing html. The worst of these

is an actual security hole as it allows insertion of html into the title element of a page, which is not processed by the htmlscrubber.
2007-03-21 06:05:21 +00:00 · 2007-03-21 06:05:21 +00:00 · 1c65ca4922
parent 9bf29d60b2
commit 1c65ca4922
7 changed files with 30 additions and 16 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,4 +1,4 @@
-ikiwiki (1.46) UNRELEASED; urgency=low
+ikiwiki (1.46) unstable; urgency=low

  * Fix a bug with inlined create page links, including Discussion links on
    blog post pages. The links will now create pages relative to the page that
@ -12,8 +12,11 @@ ikiwiki (1.46) UNRELEASED; urgency=low
    same time, and let the second person resolve the conflict.
  * Applied a patch from Michał to make the mercurial backend pass --quiet to
    hg.
+  * Fix a few bugs around page titles containing html. The worst of these
+    is an actual security hole as it allows insertion of html into the title
+    element of a page, which is not processed by the htmlscrubber.

- -- Joey Hess <joeyh@debian.org>  Sun, 18 Mar 2007 18:22:12 -0400
+ -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 01:51:30 -0400

 ikiwiki (1.45) unstable; urgency=low

--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@ -293,3 +293,14 @@ This hole was discovered on 10 Feb 2007 and fixed the same day with the
 release of ikiwiki 1.42. A fix was also backported to Debian etch, as
 version 1.33.1. I recommend upgrading to one of these versions if your wiki
 allows web editing.
+
+## html insertion via title
+
+Missing html escaping of the title contents allowed a web-based editor to
+insert arbitrary html inside the title tag of a page. Since that part of
+the page is not processed by the htmlscrubber, evil html could be injected.
+
+This hole was discovered on 21 March 2007 and fixed the same day (er, hour) 
+with the release of ikiwiki 1.46. A fix was also backported to Debian etch,
+as version 1.33.2. I recommend upgrading to one of these versions if your
+wiki allows web editing or aggregates feeds.
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-17 19:21-0400\n"
+"POT-Creation-Date: 2007-03-21 01:50-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -41,17 +41,17 @@ msgstr ""
 msgid "creating %s"
 msgstr ""

-#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:518
-#: ../IkiWiki/CGI.pm:562
+#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:507
+#: ../IkiWiki/CGI.pm:533 ../IkiWiki/CGI.pm:577
 #, perl-format
 msgid "editing %s"
 msgstr ""

-#: ../IkiWiki/CGI.pm:659
+#: ../IkiWiki/CGI.pm:674
 msgid "You are banned."
 msgstr ""

-#: ../IkiWiki/CGI.pm:691
+#: ../IkiWiki/CGI.pm:706
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""

@ -472,15 +472,15 @@ msgstr ""
 msgid "generating wrappers.."
 msgstr ""

-#: ../IkiWiki/Setup/Standard.pm:71
+#: ../IkiWiki/Setup/Standard.pm:72
 msgid "rebuilding wiki.."
 msgstr ""

-#: ../IkiWiki/Setup/Standard.pm:74
+#: ../IkiWiki/Setup/Standard.pm:75
 msgid "refreshing wiki.."
 msgstr ""

-#: ../IkiWiki/Setup/Standard.pm:83
+#: ../IkiWiki/Setup/Standard.pm:84
 msgid "done"
 msgstr ""

--- a/templates/archivepage.tmpl
+++ b/templates/archivepage.tmpl
@ -1,5 +1,5 @@
 <p>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a><br />
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a><br />
 <i>
 Posted <TMPL_VAR CTIME>
 </i>
--- a/templates/inlinepage.tmpl
+++ b/templates/inlinepage.tmpl
@ -10,9 +10,9 @@
 </TMPL_IF>
 <span class="header">
 <TMPL_IF NAME="PERMALINK">
-<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE></a>
+<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE ESCAPE=HTML></a>
 <TMPL_ELSE>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a>
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a>
 </TMPL_IF>
 </span>
 <TMPL_VAR CONTENT>
--- a/templates/page.tmpl
+++ b/templates/page.tmpl
@ -3,7 +3,7 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<title><TMPL_VAR TITLE></title>
+<title><TMPL_VAR TITLE ESCAPE=HTML></title>
 <link rel="stylesheet" href="<TMPL_VAR BASEURL>style.css" type="text/css" />
 <link rel="stylesheet" href="<TMPL_VAR BASEURL>local.css" type="text/css" />
 <TMPL_IF NAME="FAVICON">
@ -19,7 +19,7 @@
 <TMPL_LOOP NAME="PARENTLINKS">
 <a href="<TMPL_VAR NAME=URL>"><TMPL_VAR NAME=PAGE></a>/ 
 </TMPL_LOOP>
-<TMPL_VAR TITLE>
+<TMPL_VAR TITLE ESCAPE=HTML>
 </span>
 <TMPL_IF NAME="SEARCHFORM">
 <TMPL_VAR SEARCHFORM>
--- a/templates/titlepage.tmpl
+++ b/templates/titlepage.tmpl
@ -1 +1 @@
-<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a></p>
+<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a></p>