urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make sure we do not pass multiple CGI parameters in function calls 

When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.

I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
master
Simon McVittie 2014-10-11 09:28:22 +01:00
parent d8943d8668
commit f4ec7b06d9
6 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
IkiWiki/Plugin/attachment.pm
View File

@ -132,7 +132,7 @@ sub formbuilder (@) {
return if ! defined $form->field("do") || ($form->field("do") ne "edit" && $form->field("do") ne "create") ; return if ! defined $form->field("do") || ($form->field("do") ne "edit" && $form->field("do") ne "create") ;
my $filename=Encode::decode_utf8($q->param('attachment')); my $filename=Encode::decode_utf8(scalar $q->param('attachment'));
if (defined $filename && length $filename) { if (defined $filename && length $filename) {
attachment_store($filename, $form, $q, $params{session}); attachment_store($filename, $form, $q, $params{session});
} }
@ -142,7 +142,7 @@ sub formbuilder (@) {
} }
if ($form->submitted eq "Insert Links") { if ($form->submitted eq "Insert Links") {
my $page=quotemeta(Encode::decode_utf8($q->param("page"))); my $page=quotemeta(Encode::decode_utf8(scalar $q->param("page")));
my $add=""; my $add="";
foreach my $f ($q->param("attachment_select")) { foreach my $f ($q->param("attachment_select")) {
$f=Encode::decode_utf8($f); $f=Encode::decode_utf8($f);

2
IkiWiki/Plugin/goto.pm
View File

@ -27,7 +27,7 @@ sub cgi_goto ($;$) {
my $page = shift; my $page = shift;
if (!defined $page) { if (!defined $page) {
$page = IkiWiki::decode_utf8($q->param("page")); $page = IkiWiki::decode_utf8(scalar $q->param("page"));
if (!defined $page) { if (!defined $page) {
error("missing page parameter"); error("missing page parameter");

2
IkiWiki/Plugin/inline.pm
View File

@ -119,7 +119,7 @@ sub sessioncgi ($$) {
my $session=shift; my $session=shift;
if ($q->param('do') eq 'blog') { if ($q->param('do') eq 'blog') {
my $page=titlepage(decode_utf8($q->param('title'))); my $page=titlepage(decode_utf8(scalar $q->param('title')));
$page=~s/(\/)/"__".ord($1)."__"/eg; # don't create subdirs $page=~s/(\/)/"__".ord($1)."__"/eg; # don't create subdirs
# if the page already exists, munge it to be unique # if the page already exists, munge it to be unique
my $from=$q->param('from'); my $from=$q->param('from');

2
IkiWiki/Plugin/openid.pm
View File

@ -223,7 +223,7 @@ sub auth ($$) {
} }
elsif (defined $q->param('openid_identifier')) { elsif (defined $q->param('openid_identifier')) {
# myopenid.com affiliate support # myopenid.com affiliate support
validate($q, $session, $q->param('openid_identifier')); validate($q, $session, scalar $q->param('openid_identifier'));
} }
} }

2
IkiWiki/Plugin/poll.pm
View File

@ -99,7 +99,7 @@ sub sessioncgi ($$) {
my $cgi=shift; my $cgi=shift;
my $session=shift; my $session=shift;
if (defined $cgi->param('do') && $cgi->param('do') eq "poll") { if (defined $cgi->param('do') && $cgi->param('do') eq "poll") {
my $choice=decode_utf8($cgi->param('choice')); my $choice=decode_utf8(scalar $cgi->param('choice'));
if (! defined $choice || not length $choice) { if (! defined $choice || not length $choice) {
error("no choice specified"); error("no choice specified");
} }

8
IkiWiki/Plugin/rename.pm
View File

@ -237,7 +237,7 @@ sub postrename ($$$;$$) {
# on it. # on it.
$oldcgi->param("editcontent", $oldcgi->param("editcontent",
renamepage_hook($dest, $src, $dest, renamepage_hook($dest, $src, $dest,
$oldcgi->param("editcontent"))); scalar $oldcgi->param("editcontent")));
# Get a new edit token; old was likely invalidated. # Get a new edit token; old was likely invalidated.
$oldcgi->param("rcsinfo", $oldcgi->param("rcsinfo",
@ -297,7 +297,7 @@ sub sessioncgi ($$) {
if ($q->param("do") eq 'rename') { if ($q->param("do") eq 'rename') {
my $session=shift; my $session=shift;
my ($form, $buttons)=rename_form($q, $session, Encode::decode_utf8($q->param("page"))); my ($form, $buttons)=rename_form($q, $session, Encode::decode_utf8(scalar $q->param("page")));
IkiWiki::decode_form_utf8($form); IkiWiki::decode_form_utf8($form);
my $src=$form->field("page"); my $src=$form->field("page");
@ -332,7 +332,7 @@ sub sessioncgi ($$) {
IkiWiki::Plugin::attachment::is_held_attachment($src); IkiWiki::Plugin::attachment::is_held_attachment($src);
if ($held) { if ($held) {
rename($held, IkiWiki::Plugin::attachment::attachment_holding_location($dest)); rename($held, IkiWiki::Plugin::attachment::attachment_holding_location($dest));
postrename($q, $session, $src, $dest, $q->param("attachment")) postrename($q, $session, $src, $dest, scalar $q->param("attachment"))
unless defined $srcfile; unless defined $srcfile;
} }
@ -438,7 +438,7 @@ sub sessioncgi ($$) {
$renamesummary.=$template->output; $renamesummary.=$template->output;
} }
postrename($q, $session, $src, $dest, $q->param("attachment")); postrename($q, $session, $src, $dest, scalar $q->param("attachment"));
} }
else { else {
IkiWiki::showform($form, $buttons, $session, $q); IkiWiki::showform($form, $buttons, $session, $q);