From a97964688b73d0a3237c798dce3fb064ff29ff11 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 17 Apr 2010 19:05:40 -0400 Subject: [PATCH 01/11] unfinished file_prune revamp Many calls to file_prune were incorrectly calling it with 2 parameters. In cases where the filename being checked is relative to the srcdir, that is not needed. Made absolute filenames be pruned. (This won't work for the 2 parameter call style.) --- IkiWiki.pm | 2 +- IkiWiki/Plugin/attachment.pm | 2 +- IkiWiki/Plugin/comments.pm | 4 ++-- IkiWiki/Plugin/editpage.pm | 4 ++-- IkiWiki/Plugin/rename.pm | 5 ++--- IkiWiki/Receive.pm | 2 +- t/file_pruned.t | 40 +++++++++++++++++++++++++++++++++--- 7 files changed, 46 insertions(+), 13 deletions(-) diff --git a/IkiWiki.pm b/IkiWiki.pm index b37b1f344..a5f83ac7a 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -355,7 +355,7 @@ sub getsetup () { }, wiki_file_prune_regexps => { type => "internal", - default => [qr/(^|\/)\.\.(\/|$)/, qr/^\./, qr/\/\./, + default => [qr/(^|\/)\.\.(\/|$)/, qr/^\//, qr/^\./, qr/\/\./, qr/\.x?html?$/, qr/\.ikiwiki-new$/, qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//, qr/(^|\/)_MTN\//, qr/(^|\/)_darcs\//, diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm index ad1dd9bca..8c3ff887a 100644 --- a/IkiWiki/Plugin/attachment.pm +++ b/IkiWiki/Plugin/attachment.pm @@ -137,7 +137,7 @@ sub formbuilder (@) { $filename=linkpage(IkiWiki::possibly_foolish_untaint( attachment_location($form->field('page')). IkiWiki::basename($filename))); - if (IkiWiki::file_pruned($filename, $config{srcdir})) { + if (IkiWiki::file_pruned($filename)) { error(gettext("bad attachment filename")); } diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index 0aa043215..1c219b6c6 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm 
@@ -338,7 +338,7 @@ sub editcomment ($$) { my $page = $form->field('page'); $page = IkiWiki::possibly_foolish_untaint($page); if (! defined $page || ! length $page || - IkiWiki::file_pruned($page, $config{srcdir})) { + IkiWiki::file_pruned($page)) { error(gettext("bad page name")); } @@ -548,7 +548,7 @@ sub commentmoderation ($$) { # pending comment before untainting. my ($f)= $id =~ /$config{wiki_file_regexp}/; if (! defined $f || ! length $f || - IkiWiki::file_pruned($f, $config{srcdir})) { + IkiWiki::file_pruned($f)) { error("illegal file"); } diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm index 44fe5514a..ee1de8eaa 100644 --- a/IkiWiki/Plugin/editpage.pm +++ b/IkiWiki/Plugin/editpage.pm @@ -94,7 +94,7 @@ sub cgi_editpage ($$) { $page=possibly_foolish_untaint($page); my $absolute=($page =~ s#^/+##); if (! defined $page || ! length $page || - file_pruned($page, $config{srcdir})) { + file_pruned($page)) { error(gettext("bad page name")); } @@ -220,7 +220,7 @@ sub cgi_editpage ($$) { my $best_loc; if (! defined $from || ! length $from || $from ne $form->field('from') || - file_pruned($from, $config{srcdir}) || + file_pruned($from) || $from=~/^\// || $absolute || $form->submitted) { diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm index 1a9da6363..69e615ead 100644 --- a/IkiWiki/Plugin/rename.pm +++ b/IkiWiki/Plugin/rename.pm @@ -63,9 +63,8 @@ sub check_canrename ($$$$$$) { error(gettext("no change to the file name was specified")); } - # Must be a legal filename, and not absolute. - if (IkiWiki::file_pruned($destfile, $config{srcdir}) || - $destfile=~/^\//) { + # Must be a legal filename. + if (IkiWiki::file_pruned($destfile)) { error(sprintf(gettext("illegal name"))); } diff --git a/IkiWiki/Receive.pm b/IkiWiki/Receive.pm index cd94d0938..ae1bd8bef 100644 --- a/IkiWiki/Receive.pm +++ b/IkiWiki/Receive.pm 
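Review bot: In the rename.pm hunk (check_canrename), dropping `$destfile=~/^\//` leaves file_pruned as the only check on absolute destination names, and file_pruned does not always reach its prune regexps. The file_pruned context shown in PATCH 06 has `return 0 if $file =~ m/$config{include}/;` ahead of them, so if `include` is set to a pattern that is not anchored at both ends, a matching name appears to be accepted even when it is absolute or contains `..`. I would keep the explicit test, `if (IkiWiki::file_pruned($destfile) || $destfile=~/^\//) {`, or have file_pruned apply the `..` and leading-slash rules before the include override. The editpage.pm hunk in PATCH 04, which removes `$from=~/^\// ||`, introduces the same reliance. check_canrename continues outside the hunk.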
@@ -82,7 +82,7 @@ sub test () { my ($file)=$change->{file}=~/$config{wiki_file_regexp}/; $file=IkiWiki::possibly_foolish_untaint($file); if (! defined $file || ! length $file || - IkiWiki::file_pruned($file, $config{srcdir})) { + IkiWiki::file_pruned($file)) { error(gettext("bad file name %s"), $file); } diff --git a/t/file_pruned.t b/t/file_pruned.t index f9c1c257e..4335ed917 100755 --- a/t/file_pruned.t +++ b/t/file_pruned.t 
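Review bot: The context line right after the changed call, `error(gettext("bad file name %s"), $file);`, hands `$file` to error() as a second argument instead of formatting it into the message, so unless error() applies sprintf itself (not visible here) the `%s` is never filled in. Other callers on this page format inside the call, e.g. `error(sprintf(gettext("illegal name")));` in rename.pm, so this would read `error(sprintf(gettext("bad file name %s"), $file));`. The branch is also taken when `$file` is undefined, which the message needs to tolerate. test() continues outside the hunk.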
@@ -1,41 +1,75 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 27; +use Test::More tests => 54; BEGIN { use_ok("IkiWiki"); } %config=IkiWiki::defaultconfig(); ok(IkiWiki::file_pruned("src/.htaccess", "src")); +ok(IkiWiki::file_pruned(".htaccess")); ok(IkiWiki::file_pruned("src/.ikiwiki/", "src")); +ok(IkiWiki::file_pruned(".ikiwiki/")); ok(IkiWiki::file_pruned("src/.ikiwiki/index", "src")); +ok(IkiWiki::file_pruned(".ikiwiki/index")); ok(IkiWiki::file_pruned("src/CVS/foo", "src")); +ok(IkiWiki::file_pruned("CVS/foo")); ok(IkiWiki::file_pruned("src/subdir/CVS/foo", "src")); +ok(IkiWiki::file_pruned("subdir/CVS/foo")); ok(IkiWiki::file_pruned("src/.svn", "src")); +ok(IkiWiki::file_pruned(".svn")); ok(IkiWiki::file_pruned("src/subdir/.svn", "src")); +ok(IkiWiki::file_pruned("subdir/.svn")); ok(IkiWiki::file_pruned("src/subdir/.svn/foo", "src")); +ok(IkiWiki::file_pruned("subdir/.svn/foo")); ok(IkiWiki::file_pruned("src/.git", "src")); +ok(IkiWiki::file_pruned(".git")); ok(IkiWiki::file_pruned("src/subdir/.git", "src")); +ok(IkiWiki::file_pruned("subdir/.git")); ok(IkiWiki::file_pruned("src/subdir/.git/foo", "src")); +ok(IkiWiki::file_pruned("subdir/.git/foo")); ok(! IkiWiki::file_pruned("src/svn/fo", "src")); +ok(! IkiWiki::file_pruned("svn/fo")); ok(! IkiWiki::file_pruned("src/git", "src")); +ok(! IkiWiki::file_pruned("git")); ok(! IkiWiki::file_pruned("src/index.mdwn", "src")); +ok(! IkiWiki::file_pruned("index.mdwn")); ok(! IkiWiki::file_pruned("src/index.", "src")); +ok(! IkiWiki::file_pruned("index.")); # these are ok because while the filename starts with ".", the canonpathed # version does not ok(! IkiWiki::file_pruned("src/.", "src")); ok(! IkiWiki::file_pruned("src/./", "src")); +# OTOH, without a srcdir, no canonpath, so they're not allowed. +ok(IkiWiki::file_pruned(".")); +ok(IkiWiki::file_pruned("./")); + +# Without a srcdir, absolute filenames are not allowed. 
+ok(IkiWiki::file_pruned("/etc/passwd")); +ok(IkiWiki::file_pruned("//etc/passwd")); +ok(IkiWiki::file_pruned("/")); +ok(IkiWiki::file_pruned("//")); +ok(IkiWiki::file_pruned("///")); + ok(IkiWiki::file_pruned("src/..", "src")); +ok(IkiWiki::file_pruned("..")); ok(IkiWiki::file_pruned("src/../", "src")); +ok(IkiWiki::file_pruned("../")); ok(IkiWiki::file_pruned("src/../", "src")); +ok(IkiWiki::file_pruned("../")); +# This is perhaps counterintuitive. ok(! IkiWiki::file_pruned("src", "src")); + +# Dots, etc, in the srcdir are ok. ok(! IkiWiki::file_pruned("/.foo/src", "/.foo/src")); ok(IkiWiki::file_pruned("/.foo/src/.foo/src", "/.foo/src")); ok(! IkiWiki::file_pruned("/.foo/src/index.mdwn", "/.foo/src/index.mdwn")); -ok(IkiWiki::file_pruned("x/y/foo.dpkg-tmp", "src")); -ok(IkiWiki::file_pruned("x/y/foo.ikiwiki-new", "src")); +ok(IkiWiki::file_pruned("src/y/foo.dpkg-tmp", "src")); +ok(IkiWiki::file_pruned("y/foo.dpkg-tmp")); +ok(IkiWiki::file_pruned("src/y/foo.ikiwiki-new", "src")); +ok(IkiWiki::file_pruned("y/foo.ikiwiki-new")); From 7a92c0aa4aea1bffc9090d982c4b55af9e0b0c02 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 13:49:46 -0400 Subject: [PATCH 02/11] clarify why absolute is tested & stripped here file_prune also fails on absolute filenames now --- IkiWiki/Plugin/editpage.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm index ee1de8eaa..dff777138 100644 --- a/IkiWiki/Plugin/editpage.pm +++ b/IkiWiki/Plugin/editpage.pm @@ -92,7 +92,7 @@ sub cgi_editpage ($$) { # wiki_file_regexp. my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/; $page=possibly_foolish_untaint($page); - my $absolute=($page =~ s#^/+##); + my $absolute=($page =~ s#^/+##); # absolute name used for force location if (! defined $page || ! length $page || file_pruned($page)) { error(gettext("bad page name")); From 5d3f7877299942cbec4fde6054761635d90a089a Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Tue, 20 Apr 2010 13:54:24 -0400 Subject: [PATCH 03/11] use one parameter form of file_pruned here too In File::Find, $_ is relative to the current directory, so that is ok. Also, the directory name doesn't need to be stripped from $_. --- IkiWiki/Plugin/comments.pm | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index 1c219b6c6..32e4d0937 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -645,7 +645,7 @@ sub comments_pending () { no_chdir => 1, wanted => sub { $_=decode_utf8($_); - if (IkiWiki::file_pruned($_, $dir)) { + if (IkiWiki::file_pruned($_)) { $File::Find::prune=1; } elsif (! -l $_ && ! -d _) { @@ -653,7 +653,6 @@ sub comments_pending () { my ($f)=/$config{wiki_file_regexp}/; # untaint if (defined $f && $f =~ /\Q._comment\E$/) { my $ctime=(stat($f))[10]; - $f=~s/^\Q$dir\E\/?//; push @ret, [$f, $ctime]; } } From 230a8b22a471c018c8ec48cd07427c42238a4970 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 13:59:17 -0400 Subject: [PATCH 04/11] remove explicit absolute test file_pruned now tests for that --- IkiWiki/Plugin/editpage.pm | 1 - 1 file changed, 1 deletion(-) diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm index dff777138..2130a8402 100644 --- a/IkiWiki/Plugin/editpage.pm +++ b/IkiWiki/Plugin/editpage.pm @@ -221,7 +221,6 @@ sub cgi_editpage ($$) { if (! defined $from || ! length $from || $from ne $form->field('from') || file_pruned($from) || - $from=~/^\// || $absolute || $form->submitted) { @page_locs=$best_loc=$page; From 6d063a6698ad72476d9243956b0f13ec33a09dbd Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 14:06:00 -0400 Subject: [PATCH 05/11] switch to 1 parameter version of file_pruned Another bit of code that didn't realize that File::Find sets $_ to the relative filename. --- IkiWiki/Plugin/autoindex.pm | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/IkiWiki/Plugin/autoindex.pm b/IkiWiki/Plugin/autoindex.pm index c71d73349..1d0612e84 100644 --- a/IkiWiki/Plugin/autoindex.pm +++ b/IkiWiki/Plugin/autoindex.pm @@ -40,14 +40,12 @@ sub refresh () { no_chdir => 1, wanted => sub { $_=decode_utf8($_); - if (IkiWiki::file_pruned($_, $dir)) { + if (IkiWiki::file_pruned($_)) { $File::Find::prune=1; } elsif (! -l $_) { my ($f)=/$config{wiki_file_regexp}/; # untaint return unless defined $f; - $f=~s/^\Q$dir\E\/?//; - return unless length $f; return if $f =~ /\._([^.]+)$/; # skip internal page if (! -d _) { $pages{pagename($f)}=1; From cff3937b681a6c2505eb52b43b2e3e7086f99c45 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 14:08:29 -0400 Subject: [PATCH 06/11] remove 2 argument form of file_pruned --- IkiWiki.pm | 9 +-------- t/file_pruned.t | 39 ++------------------------------------- 2 files changed, 3 insertions(+), 45 deletions(-) diff --git a/IkiWiki.pm b/IkiWiki.pm index a5f83ac7a..6d3b6c606 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -1843,15 +1843,8 @@ sub deptype (@) { } my $file_prune_regexp; -sub file_pruned ($;$) { +sub file_pruned ($) { my $file=shift; - if (@_) { - require File::Spec; - $file=File::Spec->canonpath($file); - my $base=File::Spec->canonpath(shift); - return if $file eq $base; - $file =~ s#^\Q$base\E/+##; - } if (defined $config{include} && length $config{include}) { return 0 if $file =~ m/$config{include}/; diff --git a/t/file_pruned.t b/t/file_pruned.t index 4335ed917..34f366610 100755 --- a/t/file_pruned.t +++ b/t/file_pruned.t 
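Review bot: file_pruned in the IkiWiki.pm hunk of PATCH 06 has no comment stating the contract it now has, and the series shows callers getting it wrong: PATCH 07, 10 and 11 all repair File::Find callbacks that passed it an absolute `$_`. A header comment above `sub file_pruned ($) {` would help, for example `# $file must be relative to the srcdir or underlay being scanned; absolute names are pruned, and a match on $config{include} is accepted before any prune regexp is tried.` The body of file_pruned continues outside the hunk, so the second half of that comment should be checked against the lines not shown.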
@@ -1,52 +1,31 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 54; +use Test::More tests => 27; BEGIN { use_ok("IkiWiki"); } %config=IkiWiki::defaultconfig(); -ok(IkiWiki::file_pruned("src/.htaccess", "src")); ok(IkiWiki::file_pruned(".htaccess")); -ok(IkiWiki::file_pruned("src/.ikiwiki/", "src")); ok(IkiWiki::file_pruned(".ikiwiki/")); -ok(IkiWiki::file_pruned("src/.ikiwiki/index", "src")); ok(IkiWiki::file_pruned(".ikiwiki/index")); -ok(IkiWiki::file_pruned("src/CVS/foo", "src")); ok(IkiWiki::file_pruned("CVS/foo")); -ok(IkiWiki::file_pruned("src/subdir/CVS/foo", "src")); ok(IkiWiki::file_pruned("subdir/CVS/foo")); -ok(IkiWiki::file_pruned("src/.svn", "src")); ok(IkiWiki::file_pruned(".svn")); -ok(IkiWiki::file_pruned("src/subdir/.svn", "src")); ok(IkiWiki::file_pruned("subdir/.svn")); -ok(IkiWiki::file_pruned("src/subdir/.svn/foo", "src")); ok(IkiWiki::file_pruned("subdir/.svn/foo")); -ok(IkiWiki::file_pruned("src/.git", "src")); ok(IkiWiki::file_pruned(".git")); -ok(IkiWiki::file_pruned("src/subdir/.git", "src")); ok(IkiWiki::file_pruned("subdir/.git")); -ok(IkiWiki::file_pruned("src/subdir/.git/foo", "src")); ok(IkiWiki::file_pruned("subdir/.git/foo")); -ok(! IkiWiki::file_pruned("src/svn/fo", "src")); ok(! IkiWiki::file_pruned("svn/fo")); -ok(! IkiWiki::file_pruned("src/git", "src")); ok(! IkiWiki::file_pruned("git")); -ok(! IkiWiki::file_pruned("src/index.mdwn", "src")); ok(! IkiWiki::file_pruned("index.mdwn")); -ok(! IkiWiki::file_pruned("src/index.", "src")); ok(! IkiWiki::file_pruned("index.")); - -# these are ok because while the filename starts with ".", the canonpathed -# version does not -ok(! IkiWiki::file_pruned("src/.", "src")); -ok(! IkiWiki::file_pruned("src/./", "src")); -# OTOH, without a srcdir, no canonpath, so they're not allowed. ok(IkiWiki::file_pruned(".")); ok(IkiWiki::file_pruned("./")); -# Without a srcdir, absolute filenames are not allowed. +# absolute filenames are not allowed. 
ok(IkiWiki::file_pruned("/etc/passwd")); ok(IkiWiki::file_pruned("//etc/passwd")); ok(IkiWiki::file_pruned("/")); @@ -54,22 +33,8 @@ ok(IkiWiki::file_pruned("//")); ok(IkiWiki::file_pruned("///")); -ok(IkiWiki::file_pruned("src/..", "src")); ok(IkiWiki::file_pruned("..")); -ok(IkiWiki::file_pruned("src/../", "src")); -ok(IkiWiki::file_pruned("../")); -ok(IkiWiki::file_pruned("src/../", "src")); ok(IkiWiki::file_pruned("../")); -# This is perhaps counterintuitive. -ok(! IkiWiki::file_pruned("src", "src")); - -# Dots, etc, in the srcdir are ok. -ok(! IkiWiki::file_pruned("/.foo/src", "/.foo/src")); -ok(IkiWiki::file_pruned("/.foo/src/.foo/src", "/.foo/src")); -ok(! IkiWiki::file_pruned("/.foo/src/index.mdwn", "/.foo/src/index.mdwn")); - -ok(IkiWiki::file_pruned("src/y/foo.dpkg-tmp", "src")); ok(IkiWiki::file_pruned("y/foo.dpkg-tmp")); -ok(IkiWiki::file_pruned("src/y/foo.ikiwiki-new", "src")); ok(IkiWiki::file_pruned("y/foo.ikiwiki-new")); From 1f56dead00ee1188d9ed9650b9b2483b69c4d525 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 14:13:46 -0400 Subject: [PATCH 07/11] oops, fix for no_chdir mode $_ will be absolute then --- IkiWiki/Plugin/autoindex.pm | 6 ++++-- IkiWiki/Plugin/comments.pm | 7 ++++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/IkiWiki/Plugin/autoindex.pm b/IkiWiki/Plugin/autoindex.pm index 1d0612e84..23a17d4e9 100644 --- a/IkiWiki/Plugin/autoindex.pm +++ b/IkiWiki/Plugin/autoindex.pm @@ -39,12 +39,14 @@ sub refresh () { find({ no_chdir => 1, wanted => sub { - $_=decode_utf8($_); + my $file=decode_utf8($_); + $file=~s/^\Q$dir\E\/?//; + return unless length $file; if (IkiWiki::file_pruned($_)) { $File::Find::prune=1; } elsif (! -l $_) { - my ($f)=/$config{wiki_file_regexp}/; # untaint + my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint return unless defined $f; return if $f =~ /\._([^.]+)$/; # skip internal page if (! -d _) { 
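Review bot: The `..` cases kept in the second t/file_pruned.t hunk of PATCH 06 (`".."` and `"../"`) only exercise the start-of-string branch of `qr/(^|\/)\.\.(\/|$)/`; nothing covers `..` after a directory component. Since file_pruned is now the single check used by the CGI and receive callers, I would add `ok(IkiWiki::file_pruned("subdir/.."));` and `ok(IkiWiki::file_pruned("subdir/../index.mdwn"));`, and raise the plan in the first hunk to `tests => 29`.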
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index 32e4d0937..03ca19c98 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -644,13 +644,14 @@ sub comments_pending () { find({ no_chdir => 1, wanted => sub { - $_=decode_utf8($_); + my $file=decode_utf8($_); + $file=~s/^\Q$dir\E\/?//; + return unless length $file; if (IkiWiki::file_pruned($_)) { $File::Find::prune=1; } elsif (! -l $_ && ! -d _) { - $File::Find::prune=0; - my ($f)=/$config{wiki_file_regexp}/; # untaint + my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint if (defined $f && $f =~ /\Q._comment\E$/) { my $ctime=(stat($f))[10]; push @ret, [$f, $ctime]; From 59bb1f1db37d8b8170e5dd8e5a857df7742bffb9 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 14:23:48 -0400 Subject: [PATCH 08/11] fix stat to use unmunged filename --- IkiWiki/Plugin/comments.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index 03ca19c98..ccc9e1068 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -653,7 +653,7 @@ sub comments_pending () { elsif (! -l $_ && ! -d _) { my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint if (defined $f && $f =~ /\Q._comment\E$/) { - my $ctime=(stat($f))[10]; + my $ctime=(stat($_))[10]; push @ret, [$f, $ctime]; } } From 81eae1a531ab6e538985a8531b39ef3c5f865bdc Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 14:25:17 -0400 Subject: [PATCH 09/11] typo --- IkiWiki/Plugin/editpage.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm index 2130a8402..26e38abc1 100644 --- a/IkiWiki/Plugin/editpage.pm +++ b/IkiWiki/Plugin/editpage.pm 
@@ -92,7 +92,7 @@ sub cgi_editpage ($$) { # wiki_file_regexp. my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/; $page=possibly_foolish_untaint($page); - my $absolute=($page =~ s#^/+##); # absolute name used for force location + my $absolute=($page =~ s#^/+##); # absolute name used to force location if (! defined $page || ! length $page || file_pruned($page)) { error(gettext("bad page name")); From bfca8345ea7d49df6a4f6521f1db416d28671f35 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 17:42:36 -0400 Subject: [PATCH 10/11] bugfix Avoid file_pruned triggering on absolute paths causing the whole comments_pending directory being pruned. Simplify code. --- IkiWiki/Plugin/comments.pm | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index ccc9e1068..58bd4b851 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -646,16 +646,12 @@ sub comments_pending () { wanted => sub { my $file=decode_utf8($_); $file=~s/^\Q$dir\E\/?//; - return unless length $file; - if (IkiWiki::file_pruned($_)) { - $File::Find::prune=1; - } - elsif (! -l $_ && ! -d _) { - my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint - if (defined $f && $f =~ /\Q._comment\E$/) { - my $ctime=(stat($_))[10]; - push @ret, [$f, $ctime]; - } + return if ! length $file || IkiWiki::file_pruned($file) + || -l $_ || -d _ || $file !~ /\Q._comment\E$/; + my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint + if (defined $f) { + my $ctime=(stat($_))[10]; + push @ret, [$f, $ctime]; } } }, $dir); From 511f7f9cb94ebdd8ea33973a0ca74d2f8249aa3f Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 20 Apr 2010 18:16:40 -0400 Subject: [PATCH 11/11] bugfix So this is the one place that does need to canonpath and compare, as two argument file_pruned used to. --- IkiWiki/Plugin/autoindex.pm | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
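Review bot: In the rewritten `wanted` callback of PATCH 10 the checks (`IkiWiki::file_pruned($file)` and the `._comment` suffix test) run on `$file`, but the value pushed onto `@ret` is `$f`, the capture from `$config{wiki_file_regexp}`. That regexp is not visible here; if it is not anchored at both ends, `$f` can be a substring of `$file` that was never checked. Comparing the two closes the gap: `if (defined $f && $f eq $file) {`. Separately, `$File::Find::prune` is no longer set, so find() now descends into pruned directories and relies on the regexps matching every path beneath them. comments_pending continues outside the hunk.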
diff --git a/IkiWiki/Plugin/autoindex.pm b/IkiWiki/Plugin/autoindex.pm index 23a17d4e9..0dd76259e 100644 --- a/IkiWiki/Plugin/autoindex.pm +++ b/IkiWiki/Plugin/autoindex.pm @@ -36,13 +36,17 @@ sub refresh () { my (%pages, %dirs); foreach my $dir ($config{srcdir}, @{$config{underlaydirs}}, $config{underlaydir}) { + require File::Spec; + $dir=File::Spec->canonpath($dir); + find({ no_chdir => 1, wanted => sub { - my $file=decode_utf8($_); + my $file=File::Spec->canonpath(decode_utf8($_)); + return if $file eq $dir; $file=~s/^\Q$dir\E\/?//; return unless length $file; - if (IkiWiki::file_pruned($_)) { + if (IkiWiki::file_pruned($file)) { $File::Find::prune=1; } elsif (! -l $_) {
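Review bot: `$dir=File::Spec->canonpath($dir);` at the top of the foreach body assigns to the loop variable, and a Perl foreach variable aliases the list element, so this rewrites `$config{srcdir}`, `$config{underlaydir}` and the entries of `@{$config{underlaydirs}}` in place every time refresh runs. A separate lexical leaves the configuration untouched: `my $base=File::Spec->canonpath($dir);`, then `return if $file eq $base;` and `$file=~s/^\Q$base\E\/?//;` in the callback. `require File::Spec;` could also move out of the loop. The find() call's directory argument and the rest of refresh are outside the hunk.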