* Patch from James Westby to add a --sslcookie switch, which forces
cookies to only be sent over ssl connections to avoid interception. * Factor out the cgi header printing code into a new function. * Fix preferences page on anonok wikis; still need to sign in to get to the preferences page.master
parent
3ad4d93e33
commit
4ad7c9d625
|
@ -54,6 +54,7 @@ sub defaultconfig () { #{{{
|
|||
plugin => [qw{mdwn inline htmlscrubber}],
|
||||
timeformat => '%c',
|
||||
locale => undef,
|
||||
sslcookie => 0,
|
||||
} #}}}
|
||||
|
||||
sub checkconfig () { #{{{
|
||||
|
|
|
@ -9,6 +9,18 @@ use Encode;
|
|||
|
||||
package IkiWiki;
|
||||
|
||||
sub printheader ($) { #{{{
|
||||
my $session=shift;
|
||||
|
||||
if ($config{sslcookie}) {
|
||||
print $session->header(-charset => 'utf-8',
|
||||
-cookie => $session->cookie(-secure => 1));
|
||||
} else {
|
||||
print $session->header(-charset => 'utf-8');
|
||||
}
|
||||
|
||||
} #}}}
|
||||
|
||||
sub redirect ($$) { #{{{
|
||||
my $q=shift;
|
||||
my $url=shift;
|
||||
|
@ -204,7 +216,7 @@ sub cgi_signin ($$) { #{{{
|
|||
$form->field(name => "confirm_password", type => "hidden");
|
||||
$form->field(name => "email", type => "hidden");
|
||||
$form->text("Registration successful. Now you can Login.");
|
||||
print $session->header(-charset=>'utf-8');
|
||||
printheader($session);
|
||||
print misctemplate($form->title, $form->render(submit => ["Login"]));
|
||||
}
|
||||
else {
|
||||
|
@ -232,12 +244,12 @@ sub cgi_signin ($$) { #{{{
|
|||
|
||||
$form->text("Your password has been emailed to you.");
|
||||
$form->field(name => "name", required => 0);
|
||||
print $session->header(-charset=>'utf-8');
|
||||
printheader($session);
|
||||
print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
|
||||
}
|
||||
}
|
||||
else {
|
||||
print $session->header(-charset=>'utf-8');
|
||||
printheader($session);
|
||||
print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
|
||||
}
|
||||
} #}}}
|
||||
|
@ -314,7 +326,7 @@ sub cgi_prefs ($$) { #{{{
|
|||
$form->text("Preferences saved.");
|
||||
}
|
||||
|
||||
print $session->header(-charset=>'utf-8');
|
||||
printheader($session);
|
||||
print misctemplate($form->title, $form->render(submit => \@buttons));
|
||||
} #}}}
|
||||
|
||||
|
@ -596,7 +608,7 @@ sub cgi () { #{{{
|
|||
umask($oldmask);
|
||||
|
||||
# Everything below this point needs the user to be signed in.
|
||||
if ((! $config{anonok} &&
|
||||
if (((! $config{anonok} || $do eq 'prefs') &&
|
||||
(! defined $session->param("name") ||
|
||||
! userinfo_get($session->param("name"), "regdate"))) || $do eq 'signin') {
|
||||
cgi_signin($q, $session);
|
||||
|
|
|
@ -35,8 +35,13 @@ ikiwiki (1.22) UNRELEASED; urgency=low
|
|||
* Patch from James Westby to add a template for the search form.
|
||||
* Cache search form for speedup.
|
||||
* Added a ddate plugin.
|
||||
* Patch from James Westby to add a --sslcookie switch, which forces
|
||||
cookies to only be sent over ssl connections to avoid interception.
|
||||
* Factor out the cgi header printing code into a new function.
|
||||
* Fix preferences page on anonok wikis; still need to sign in to get
|
||||
to the preferences page.
|
||||
|
||||
-- Joey Hess <joeyh@debian.org> Sat, 26 Aug 2006 23:48:31 -0400
|
||||
-- Joey Hess <joeyh@debian.org> Sun, 27 Aug 2006 16:17:21 -0400
|
||||
|
||||
ikiwiki (1.21) unstable; urgency=low
|
||||
|
||||
|
|
|
@ -74,6 +74,8 @@ use IkiWiki::Setup::Standard {
|
|||
#timeformat => '%c',
|
||||
# Locale to use. Must be a UTF-8 locale.
|
||||
#locale => 'en_US.UTF-8',
|
||||
# Only send cookies over SSL connections.
|
||||
#sslcookie => 1,
|
||||
# Logging settings:
|
||||
verbose => 0,
|
||||
syslog => 0,
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
It is very easy to stop the password being sniffed, you just use https:// for cgiurl
|
||||
(with appropriately configure server of course), and disallow access to the cgiscript
|
||||
over http.
|
||||
|
||||
However the cookie is still sent for all requests, meaning that it could be stolen.
|
||||
I don't know quite how well CGI::Session defends against this, but the best it could
|
||||
do is probably tie it to an IP address, but that still leaves room for abuse.
|
||||
|
||||
I have created a patch that adds a config option sslcookie, which causes the
|
||||
cookie to have it's secure property set. This means that it is only sent over SSL.
|
||||
So if you can configure apache to do what you want, you only have to change two options
|
||||
(cgiurl and sslcookie) to encrypt all authentication data.
|
||||
|
||||
The disadvantage is that if someone were to activate it while using http:// I think it
|
||||
would mean they couldn't log in, as the browser would never offer the cookie.
|
||||
I think I have made the documentation clear enough on this point.
|
||||
|
||||
http://jameswestby.net/scratch/sslcookie.diff
|
||||
|
||||
-- JamesWestby
|
|
@ -134,7 +134,9 @@ file not be world readable.
|
|||
|
||||
Login to the wiki involves sending a password in cleartext over the net.
|
||||
Cracking the password only allows editing the wiki as that user though.
|
||||
If you care, you can use https, I suppose.
|
||||
If you care, you can use https, I suppose. If you do use https either for
|
||||
all of the wiki, or just the cgi access, then consider using the sslcookie
|
||||
option.
|
||||
|
||||
## XSS holes in CGI output
|
||||
|
||||
|
|
|
@ -227,6 +227,12 @@ configuration options of their own.
|
|||
Enable [[w3mmode]], which allows w3m to use ikiwiki as a local CGI script,
|
||||
without a web server.
|
||||
|
||||
* --sslcookie
|
||||
|
||||
Only send cookies over an SSL connection. This should prevent them being
|
||||
intercepted. If you enable this option then you must run at least the
|
||||
CGI portion of ikiwiki over SSL.
|
||||
|
||||
* --getctime
|
||||
|
||||
Pull last changed time for each new page out of the revision control
|
||||
|
|
|
@ -45,6 +45,7 @@ sub getconfig () { #{{{
|
|||
"svnpath" => \$config{svnpath},
|
||||
"adminemail=s" => \$config{adminemail},
|
||||
"timeformat=s" => \$config{timeformat},
|
||||
"sslcookie!" => \$config{sslcookie},
|
||||
"exclude=s@" => sub {
|
||||
$config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$_[1]/;
|
||||
},
|
||||
|
|
Loading…
Reference in New Issue