security note

master
joey 2006-07-30 06:08:56 +00:00
parent b9693d13ef
commit 8a5f9f6e00
1 changed files with 8 additions and 0 deletions


@ -18,6 +18,14 @@ Anyone with direct commit access can forge "web commit from foo" and
make it appear on [[RecentChanges]] like foo committed. One way to avoid
this would be to limit web commits to those done by a certian user.
## XML::Parser
XML::Parser is used by the aggregation plugin, and has some security holes
that are still open in Debian unstable as of this writing. #378411 does not
seem to affect our use, since the data is not encoded as utf-8 at that
point. #378412 could affect us, although it doesn't seem very exploitable.
It has a simple fix, which should be NMUed or something..
## other stuff to look at
I need to audit the git backend a bit, and have been meaning to
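Review bot: the assessment in the new "XML::Parser" section that #378411 "does not seem to affect our use, since the data is not encoded as utf-8 at that point" rests on an assumption about where the aggregation plugin hands its input to XML::Parser; naming that code path in the note would let the assessment be re-checked if the plugin's input handling changes. The follow-up for #378412 is also left open ("It has a simple fix, which should be NMUed or something.."); recording whether the fix is applied locally, or which package version is expected to carry it, would make the note actionable for anyone deploying the aggregation plugin while the Debian bugs are still open, and the trailing ".." should be a single period.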