* Patch from James Westby to add a --sslcookie switch, which forces

cookies to only be sent over ssl connections to avoid interception.
* Factor out the cgi header printing code into a new function.
* Fix preferences page on anonok wikis; still need to sign in to get
  to the preferences page.
master
joey 2006-08-27 20:25:05 +00:00
parent 3ad4d93e33
commit 4ad7c9d625
8 changed files with 37 additions and 28 deletions

View File

@ -54,6 +54,7 @@ sub defaultconfig () { #{{{
plugin => [qw{mdwn inline htmlscrubber}],
timeformat => '%c',
locale => undef,
sslcookie => 0,
} #}}}
sub checkconfig () { #{{{

View File

@ -9,6 +9,18 @@ use Encode;
package IkiWiki;
sub printheader ($) { #{{{
my $session=shift;
if ($config{sslcookie}) {
print $session->header(-charset => 'utf-8',
-cookie => $session->cookie(-secure => 1));
} else {
print $session->header(-charset => 'utf-8');
}
} #}}}
sub redirect ($$) { #{{{
my $q=shift;
my $url=shift;
@ -204,7 +216,7 @@ sub cgi_signin ($$) { #{{{
$form->field(name => "confirm_password", type => "hidden");
$form->field(name => "email", type => "hidden");
$form->text("Registration successful. Now you can Login.");
print $session->header(-charset=>'utf-8');
printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login"]));
}
else {
@ -232,12 +244,12 @@ sub cgi_signin ($$) { #{{{
$form->text("Your password has been emailed to you.");
$form->field(name => "name", required => 0);
print $session->header(-charset=>'utf-8');
printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
}
}
else {
print $session->header(-charset=>'utf-8');
printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
}
} #}}}
@ -314,7 +326,7 @@ sub cgi_prefs ($$) { #{{{
$form->text("Preferences saved.");
}
print $session->header(-charset=>'utf-8');
printheader($session);
print misctemplate($form->title, $form->render(submit => \@buttons));
} #}}}
@ -596,7 +608,7 @@ sub cgi () { #{{{
umask($oldmask);
# Everything below this point needs the user to be signed in.
if ((! $config{anonok} &&
if (((! $config{anonok} || $do eq 'prefs') &&
(! defined $session->param("name") ||
! userinfo_get($session->param("name"), "regdate"))) || $do eq 'signin') {
cgi_signin($q, $session);

7
debian/changelog vendored
View File

@ -35,8 +35,13 @@ ikiwiki (1.22) UNRELEASED; urgency=low
* Patch from James Westby to add a template for the search form.
* Cache search form for speedup.
* Added a ddate plugin.
* Patch from James Westby to add a --sslcookie switch, which forces
cookies to only be sent over ssl connections to avoid interception.
* Factor out the cgi header printing code into a new function.
* Fix preferences page on anonok wikis; still need to sign in to get
to the preferences page.
-- Joey Hess <joeyh@debian.org> Sat, 26 Aug 2006 23:48:31 -0400
-- Joey Hess <joeyh@debian.org> Sun, 27 Aug 2006 16:17:21 -0400
ikiwiki (1.21) unstable; urgency=low

View File

@ -74,6 +74,8 @@ use IkiWiki::Setup::Standard {
#timeformat => '%c',
# Locale to use. Must be a UTF-8 locale.
#locale => 'en_US.UTF-8',
# Only send cookies over SSL connections.
#sslcookie => 1,
# Logging settings:
verbose => 0,
syslog => 0,

View File

@ -1,20 +0,0 @@
It is very easy to stop the password being sniffed, you just use https:// for cgiurl
(with appropriately configure server of course), and disallow access to the cgiscript
over http.
However the cookie is still sent for all requests, meaning that it could be stolen.
I don't know quite how well CGI::Session defends against this, but the best it could
do is probably tie it to an IP address, but that still leaves room for abuse.
I have created a patch that adds a config option sslcookie, which causes the
cookie to have it's secure property set. This means that it is only sent over SSL.
So if you can configure apache to do what you want, you only have to change two options
(cgiurl and sslcookie) to encrypt all authentication data.
The disadvantage is that if someone were to activate it while using http:// I think it
would mean they couldn't log in, as the browser would never offer the cookie.
I think I have made the documentation clear enough on this point.
http://jameswestby.net/scratch/sslcookie.diff
-- JamesWestby

View File

@ -134,7 +134,9 @@ file not be world readable.
Login to the wiki involves sending a password in cleartext over the net.
Cracking the password only allows editing the wiki as that user though.
If you care, you can use https, I suppose.
If you care, you can use https, I suppose. If you do use https either for
all of the wiki, or just the cgi access, then consider using the sslcookie
option.
## XSS holes in CGI output

View File

@ -227,6 +227,12 @@ configuration options of their own.
Enable [[w3mmode]], which allows w3m to use ikiwiki as a local CGI script,
without a web server.
* --sslcookie
Only send cookies over an SSL connection. This should prevent them being
intercepted. If you enable this option then you must run at least the
CGI portion of ikiwiki over SSL.
* --getctime
Pull last changed time for each new page out of the revision control

View File

@ -45,6 +45,7 @@ sub getconfig () { #{{{
"svnpath" => \$config{svnpath},
"adminemail=s" => \$config{adminemail},
"timeformat=s" => \$config{timeformat},
"sslcookie!" => \$config{sslcookie},
"exclude=s@" => sub {
$config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$_[1]/;
},