htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image types. No svg.

master
Joey Hess 2010-03-12 14:49:13 -05:00
parent 556181d417
commit 2ad3e60ee8
3 changed files with 18 additions and 4 deletions


@ -30,9 +30,9 @@ sub import {
"msnim", "notes", "rsync", "secondlife", "skype", "ssh",
"sftp", "smb", "sms", "snews", "webcal", "ymsgr",
);
# data is a special case. Allow data:image/*, but
# disallow data:text/javascript and everything else.
$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
# data is a special case. Allow a few data:image/ types,
# but disallow data:text/javascript and everything else.
$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
}
sub getsetup () {
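Review bot: the new alternative `data:image\/(?:png|jpeg|gif)` only matches a prefix of the media type, so a URI such as `data:image/pngfoo,...` or `data:image/gif+xml,...` still passes the scrubber even though only three exact types are meant to be allowed; anchor the subtype on the characters that legitimately follow it in a data: URI, e.g. `data:image\/(?:png|jpeg|gif)(?:[;,])`, so the whitelist really is the closed set it is documented as. The updated comment ("Allow a few data:image/ types") should also say why the set is closed, namely that svg (and any other XML-based image type) can carry script, which is the reason given in the commit message but nowhere in the code.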

debian/changelog

@ -1,4 +1,4 @@
ikiwiki (3.20100303) UNRELEASED; urgency=low
ikiwiki (3.20100312) unstable; urgency=HIGH
* Fix utf8 issues in calls to md5_hex.
* moderatedcomments: Added moderate_pagespec that can be used
@ -12,6 +12,8 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low
* Fix missing span on recentchanges page template.
* search: Avoid '$' in the wikiname appearing unescaped on omega's
query template, where it might crash omega.
* htmlscrubber: Security fix: In data:image/* uris, only allow a few
whitelisted image types. No svg.
-- Joey Hess <joeyh@debian.org> Tue, 09 Mar 2010 19:46:35 -0500
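Review bot: the trailer `-- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500` is left unchanged while the header of the same entry is changed from `3.20100303 UNRELEASED` to `3.20100312 unstable; urgency=HIGH`, so a release dated 12 March ships with a changelog timestamp three days older than its version; regenerate the trailer when finalizing the entry (`dch -r` rewrites it) so the date matches the release.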


@ -427,3 +427,15 @@ enabling TeX configuration options that disallow unsafe TeX commands.
The fix was released on 30 Aug 2009 in version 3.1415926, and was
backported to stable in version 2.53.4. If you use the teximg plugin,
I recommend upgrading. ([[!cve CVE-2009-2944]])
## javascript insertion via svg uris
Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls,
including `data:image/svg+xml`. But svg can contain javascript, so that is
unsafe.
This hole was discovered on 12 March 2010 and fixed the same day
with the release of ikiwiki 3.20100312.
A fix was also backported to Debian etch, as version 2.53.5. I recommend
upgrading to one of these versions if your wiki can be edited by third
parties.
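Review bot: "A fix was also backported to Debian etch, as version 2.53.5" looks inconsistent with the preceding CVE-2009-2944 entry, which describes 2.53.4 as the backport "to stable"; the 2.53.x series is the lenny package, not etch, so the release name should be checked before this advisory is published. The entry would also serve readers better if it stated what the fix allows, i.e. that only `data:image/png`, `data:image/jpeg` and `data:image/gif` now pass the scrubber, so wiki authors know which inline images keep working.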