urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Patch from James Westby to add a --sslcookie switch, which forces 

cookies to only be sent over ssl connections to avoid interception.
* Factor out the cgi header printing code into a new function.
* Fix preferences page on anonok wikis; still need to sign in to get
  to the preferences page.
master
joey 2006-08-27 20:25:05 +00:00
parent 3ad4d93e33
commit 4ad7c9d625
8 changed files with 37 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
IkiWiki.pm
View File

@ -54,6 +54,7 @@ sub defaultconfig () { #{{{
plugin => [qw{mdwn inline htmlscrubber}], plugin => [qw{mdwn inline htmlscrubber}],
timeformat => '%c', timeformat => '%c',
locale => undef, locale => undef,
sslcookie => 0,
} #}}} } #}}}
sub checkconfig () { #{{{ sub checkconfig () { #{{{

24
IkiWiki/CGI.pm
View File

@ -9,6 +9,18 @@ use Encode;
package IkiWiki; package IkiWiki;
sub printheader ($) { #{{{
my $session=shift;
if ($config{sslcookie}) {
print $session->header(-charset => 'utf-8',
-cookie => $session->cookie(-secure => 1));
} else {
print $session->header(-charset => 'utf-8');
}
} #}}}
sub redirect ($$) { #{{{ sub redirect ($$) { #{{{
my $q=shift; my $q=shift;
my $url=shift; my $url=shift;
@ -72,7 +84,7 @@ sub cgi_recentchanges ($) { #{{{
changelog => [rcs_recentchanges(100)], changelog => [rcs_recentchanges(100)],
baseurl => baseurl(), baseurl => baseurl(),
); );
print $q->header(-charset=>'utf-8'), $template->output; print $q->header(-charset => 'utf-8'), $template->output;
} #}}} } #}}}
sub cgi_signin ($$) { #{{{ sub cgi_signin ($$) { #{{{
@ -204,7 +216,7 @@ sub cgi_signin ($$) { #{{{
$form->field(name => "confirm_password", type => "hidden"); $form->field(name => "confirm_password", type => "hidden");
$form->field(name => "email", type => "hidden"); $form->field(name => "email", type => "hidden");
$form->text("Registration successful. Now you can Login."); $form->text("Registration successful. Now you can Login.");
print $session->header(-charset=>'utf-8'); printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login"])); print misctemplate($form->title, $form->render(submit => ["Login"]));
} }
else { else {
@ -232,12 +244,12 @@ sub cgi_signin ($$) { #{{{
$form->text("Your password has been emailed to you."); $form->text("Your password has been emailed to you.");
$form->field(name => "name", required => 0); $form->field(name => "name", required => 0);
print $session->header(-charset=>'utf-8'); printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"])); print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
} }
} }
else { else {
print $session->header(-charset=>'utf-8'); printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"])); print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
} }
} #}}} } #}}}
@ -314,7 +326,7 @@ sub cgi_prefs ($$) { #{{{
$form->text("Preferences saved."); $form->text("Preferences saved.");
} }
print $session->header(-charset=>'utf-8'); printheader($session);
print misctemplate($form->title, $form->render(submit => \@buttons)); print misctemplate($form->title, $form->render(submit => \@buttons));
} #}}} } #}}}
@ -596,7 +608,7 @@ sub cgi () { #{{{
umask($oldmask); umask($oldmask);
# Everything below this point needs the user to be signed in. # Everything below this point needs the user to be signed in.
if ((! $config{anonok} && if (((! $config{anonok} || $do eq 'prefs') &&
(! defined $session->param("name") || (! defined $session->param("name") ||
! userinfo_get($session->param("name"), "regdate"))) || $do eq 'signin') { ! userinfo_get($session->param("name"), "regdate"))) || $do eq 'signin') {
cgi_signin($q, $session); cgi_signin($q, $session);

7
debian/changelog vendored
View File

@ -35,8 +35,13 @@ ikiwiki (1.22) UNRELEASED; urgency=low
* Patch from James Westby to add a template for the search form. * Patch from James Westby to add a template for the search form.
* Cache search form for speedup. * Cache search form for speedup.
* Added a ddate plugin. * Added a ddate plugin.
* Patch from James Westby to add a --sslcookie switch, which forces
cookies to only be sent over ssl connections to avoid interception.
* Factor out the cgi header printing code into a new function.
* Fix preferences page on anonok wikis; still need to sign in to get
to the preferences page.
-- Joey Hess <joeyh@debian.org> Sat, 26 Aug 2006 23:48:31 -0400 -- Joey Hess <joeyh@debian.org> Sun, 27 Aug 2006 16:17:21 -0400
ikiwiki (1.21) unstable; urgency=low ikiwiki (1.21) unstable; urgency=low

2
doc/ikiwiki.setup
View File

@ -74,6 +74,8 @@ use IkiWiki::Setup::Standard {
#timeformat => '%c', #timeformat => '%c',
# Locale to use. Must be a UTF-8 locale. # Locale to use. Must be a UTF-8 locale.
#locale => 'en_US.UTF-8', #locale => 'en_US.UTF-8',
# Only send cookies over SSL connections.
#sslcookie => 1,
# Logging settings: # Logging settings:
verbose => 0, verbose => 0,
syslog => 0, syslog => 0,

20
doc/patchqueue/use-ssl-for-cookies.mdwn
View File

@ -1,20 +0,0 @@
It is very easy to stop the password being sniffed, you just use https:// for cgiurl
(with appropriately configure server of course), and disallow access to the cgiscript
over http.
However the cookie is still sent for all requests, meaning that it could be stolen.
I don't know quite how well CGI::Session defends against this, but the best it could
do is probably tie it to an IP address, but that still leaves room for abuse.
I have created a patch that adds a config option sslcookie, which causes the
cookie to have it's secure property set. This means that it is only sent over SSL.
So if you can configure apache to do what you want, you only have to change two options
(cgiurl and sslcookie) to encrypt all authentication data.
The disadvantage is that if someone were to activate it while using http:// I think it
would mean they couldn't log in, as the browser would never offer the cookie.
I think I have made the documentation clear enough on this point.
http://jameswestby.net/scratch/sslcookie.diff
-- JamesWestby

4
doc/security.mdwn
View File

@ -134,7 +134,9 @@ file not be world readable.
Login to the wiki involves sending a password in cleartext over the net. Login to the wiki involves sending a password in cleartext over the net.
Cracking the password only allows editing the wiki as that user though. Cracking the password only allows editing the wiki as that user though.
If you care, you can use https, I suppose. If you care, you can use https, I suppose. If you do use https either for
all of the wiki, or just the cgi access, then consider using the sslcookie
option.
## XSS holes in CGI output ## XSS holes in CGI output

6
doc/usage.mdwn
View File

@ -227,6 +227,12 @@ configuration options of their own.
Enable [[w3mmode]], which allows w3m to use ikiwiki as a local CGI script, Enable [[w3mmode]], which allows w3m to use ikiwiki as a local CGI script,
without a web server. without a web server.
* --sslcookie
Only send cookies over an SSL connection. This should prevent them being
intercepted. If you enable this option then you must run at least the
CGI portion of ikiwiki over SSL.
* --getctime * --getctime
Pull last changed time for each new page out of the revision control Pull last changed time for each new page out of the revision control

1
ikiwiki.pl
View File

@ -45,6 +45,7 @@ sub getconfig () { #{{{
"svnpath" => \$config{svnpath}, "svnpath" => \$config{svnpath},
"adminemail=s" => \$config{adminemail}, "adminemail=s" => \$config{adminemail},
"timeformat=s" => \$config{timeformat}, "timeformat=s" => \$config{timeformat},
"sslcookie!" => \$config{sslcookie},
"exclude=s@" => sub { "exclude=s@" => sub {
$config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$_[1]/; $config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$_[1]/;
}, },