urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Exclude working directory from library path (CVE-2016-1238) 

Current Perl versions put '.' at the end of the library search path
@INC, although this will be fixed in a future Perl release. This means
that when software loads an optionally-present module, it will be
looked for in the current working directory before giving up. An
attacker could use this to execute arbitrary Perl code from ikiwiki's
current working directory.

Removing '.' from the library search path in Perl is the correct
fix for this vulnerability, but is not trivial to do due to
backwards-compatibility concerns. Mitigate this (even if ikiwiki is run
with a vulnerable Perl version) by explicitly removing '.' from the
search path, and instead looking for ikiwiki's own modules relative
to the absolute path of the executable when run from the source
directory.

In tests that specifically want to use the current working directory,
use "-I".getcwd instead of "-I." so we use its absolute path, which
is immune to the removal of ".".
master
Simon McVittie 2016-07-28 09:50:09 +01:00
parent a6c453606e
commit 4729ff0812
18 changed files with 42 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ikiwiki-calendar.in
View File

@ -1,7 +1,8 @@
#!/usr/bin/perl #!/usr/bin/perl
no lib '.';
use warnings; use warnings;
use strict; use strict;
use lib '.'; # For use in nonstandard directory, munged by Makefile. use FindBin; use lib $FindBin::Bin; # For use in nonstandard directory, munged by Makefile.
use IkiWiki; use IkiWiki;
use IkiWiki::Setup; use IkiWiki::Setup;
use Getopt::Long; use Getopt::Long;

3
ikiwiki-comment.in
View File

@ -1,7 +1,8 @@
#!/usr/bin/perl #!/usr/bin/perl
no lib '.';
use warnings; use warnings;
use strict; use strict;
use lib '.'; # For use in nonstandard directory, munged by Makefile. use FindBin; use lib $FindBin::Bin; # For use in nonstandard directory, munged by Makefile.
use IkiWiki; use IkiWiki;
use IkiWiki::Plugin::comments; use IkiWiki::Plugin::comments;
use Getopt::Long; use Getopt::Long;

1
ikiwiki-mass-rebuild
View File

@ -1,4 +1,5 @@
#!/usr/bin/perl #!/usr/bin/perl
no lib '.';
use warnings; use warnings;
use strict; use strict;

3
ikiwiki-transition.in
View File

@ -1,7 +1,8 @@
#!/usr/bin/perl #!/usr/bin/perl
no lib '.';
use warnings; use warnings;
use strict; use strict;
use lib '.'; # For use in nonstandard directory, munged by Makefile. use FindBin; use lib $FindBin::Bin; # For use in nonstandard directory, munged by Makefile.
use IkiWiki; use IkiWiki;
use HTML::Entities; use HTML::Entities;

1
ikiwiki-update-wikilist
View File

@ -1,6 +1,7 @@
#!/usr/bin/perl -t #!/usr/bin/perl -t
# Add a user to the system wide wikilist. # Add a user to the system wide wikilist.
# This script can safely be made suid or put in /etc/sudoers. # This script can safely be made suid or put in /etc/sudoers.
no lib '.';
use warnings; use warnings;
use strict; use strict;
use English; use English;

3
ikiwiki.in
View File

@ -1,9 +1,10 @@
#!/usr/bin/perl #!/usr/bin/perl
package IkiWiki; package IkiWiki;
no lib '.';
use warnings; use warnings;
use strict; use strict;
use lib '.'; # For use in nonstandard directory, munged by Makefile. use FindBin; use lib $FindBin::Bin; # For use in nonstandard directory, munged by Makefile.
use IkiWiki 3.00; use IkiWiki 3.00;
sub usage () { sub usage () {

2
pm_filter
View File

@ -12,7 +12,7 @@ if (/INSTALLDIR_AUTOREPLACE/) {
elsif (/VERSION_AUTOREPLACE/) { elsif (/VERSION_AUTOREPLACE/) {
$_=qq{our \$version="$ver";}; $_=qq{our \$version="$ver";};
} }
elsif (/^use lib/) { elsif (/^(?:use FindBin; *)?use lib/) {
# The idea here is to figure out if the libdir the Makefile.PL # The idea here is to figure out if the libdir the Makefile.PL
# was configured to use is in perl's normal search path. # was configured to use is in perl's normal search path.
# If not, hard code it into ikiwiki. # If not, hard code it into ikiwiki.

5
t/basewiki_brokenlinks.t
View File

@ -1,6 +1,7 @@
#!/usr/bin/perl #!/usr/bin/perl
use warnings; use warnings;
use strict; use strict;
use Cwd qw(getcwd);
use Test::More; use Test::More;
my $installed = $ENV{INSTALLED_TESTS}; my $installed = $ENV{INSTALLED_TESTS};
@ -14,10 +15,10 @@ if ($installed) {
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
ok(! system("make underlay_install DESTDIR=`pwd`/t/tmp/install PREFIX=/usr >/dev/null")); ok(! system("make underlay_install DESTDIR=`pwd`/t/tmp/install PREFIX=/usr >/dev/null"));
@command = qw(env LC_ALL=C perl -I. ./ikiwiki.out @command = (qw(env LC_ALL=C perl), "-I".getcwd, qw(./ikiwiki.out
--underlaydir=t/tmp/install/usr/share/ikiwiki/basewiki --underlaydir=t/tmp/install/usr/share/ikiwiki/basewiki
--set underlaydirbase=t/tmp/install/usr/share/ikiwiki --set underlaydirbase=t/tmp/install/usr/share/ikiwiki
--templatedir=templates); --templatedir=templates));
} }
foreach my $plugin ("", "listdirectives") { foreach my $plugin ("", "listdirectives") {

5
t/comments.t
View File

@ -1,6 +1,7 @@
#!/usr/bin/perl #!/usr/bin/perl
use warnings; use warnings;
use strict; use strict;
use Cwd qw(getcwd);
use Test::More; use Test::More;
use IkiWiki; use IkiWiki;
@ -17,10 +18,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(perl -I. ./ikiwiki.out @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
my $comment; my $comment;

5
t/conflicts.t
View File

@ -2,6 +2,7 @@
# Tests for bugs relating to conflicting files in the srcdir # Tests for bugs relating to conflicting files in the srcdir
use warnings; use warnings;
use strict; use strict;
use Cwd qw(getcwd);
use Test::More tests => 106; use Test::More tests => 106;
my $installed = $ENV{INSTALLED_TESTS}; my $installed = $ENV{INSTALLED_TESTS};
@ -13,10 +14,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(perl -I. ./ikiwiki.out @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
# setup # setup

5
t/img.t
View File

@ -13,6 +13,7 @@ package IkiWiki;
use warnings; use warnings;
use strict; use strict;
use Cwd qw(getcwd);
use Test::More; use Test::More;
plan(skip_all => "Image::Magick not available") plan(skip_all => "Image::Magick not available")
unless eval q{use Image::Magick; 1}; unless eval q{use Image::Magick; 1};
@ -27,10 +28,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(perl -I. ./ikiwiki.out @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
push @command, qw(--set usedirs=0 --plugin img t/tmp/in t/tmp/out --verbose); push @command, qw(--set usedirs=0 --plugin img t/tmp/in t/tmp/out --verbose);

5
t/inline.t
View File

@ -1,6 +1,7 @@
#!/usr/bin/perl #!/usr/bin/perl
use warnings; use warnings;
use strict; use strict;
use Cwd qw(getcwd);
use Test::More; use Test::More;
use IkiWiki; use IkiWiki;
@ -12,10 +13,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(perl -I. ./ikiwiki.out @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
push @command, qw(--set usedirs=0 --plugin inline push @command, qw(--set usedirs=0 --plugin inline

5
t/meta.t
View File

@ -1,6 +1,7 @@
#!/usr/bin/perl #!/usr/bin/perl
use warnings; use warnings;
use strict; use strict;
use Cwd qw(getcwd);
use Test::More; use Test::More;
use IkiWiki; use IkiWiki;
@ -16,10 +17,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(perl -I. ./ikiwiki.out @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
push @command, qw(--plugin meta --disable-plugin htmlscrubber); push @command, qw(--plugin meta --disable-plugin htmlscrubber);

5
t/permalink.t
View File

@ -1,6 +1,7 @@
#!/usr/bin/perl #!/usr/bin/perl
use warnings; use warnings;
use strict; use strict;
use Cwd qw(getcwd);
use Test::More; use Test::More;
my $installed = $ENV{INSTALLED_TESTS}; my $installed = $ENV{INSTALLED_TESTS};
@ -11,10 +12,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(perl -I. ./ikiwiki.out @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
ok(! system("rm -rf t/tmp")); ok(! system("rm -rf t/tmp"));

4
t/podcast.t
View File

@ -25,10 +25,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@base_command = qw(perl -I. ./ikiwiki.out @base_command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
my $tmp = 't/tmp'; my $tmp = 't/tmp';

4
t/relativity.t
View File

@ -24,10 +24,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(perl -I. ./ikiwiki.out @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
sub parse_cgi_content { sub parse_cgi_content {

5
t/trail.t
View File

@ -1,6 +1,7 @@
#!/usr/bin/perl #!/usr/bin/perl
use warnings; use warnings;
use strict; use strict;
use Cwd qw(getcwd);
use Test::More; use Test::More;
use IkiWiki; use IkiWiki;
@ -35,10 +36,10 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(perl -I. ./ikiwiki.out @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
push @command, qw(--set usedirs=0 --plugin trail --plugin inline push @command, qw(--set usedirs=0 --plugin trail --plugin inline

5
t/wrapper-environ.t
View File

@ -22,10 +22,11 @@ if ($installed) {
} }
else { else {
ok(! system("make -s ikiwiki.out")); ok(! system("make -s ikiwiki.out"));
@command = qw(env PERL5LIB=t/tmp:blib/lib:blib/arch perl -I. ./ikiwiki.out @command = (qw(env PERL5LIB=t/tmp:blib/lib:blib/arch perl),
"-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki --underlaydir=underlays/basewiki
--set underlaydirbase=underlays --set underlaydirbase=underlays
--templatedir=templates); --templatedir=templates));
} }
writefile("test.setup", "t/tmp", <<EOF writefile("test.setup", "t/tmp", <<EOF