Commit Graph

115 Commits (master)

Author SHA1 Message Date
Simon McVittie d157a97452 CGI, attachment, passwordauth: harden against repeated parameters
These instances of code similar to OVE-20170111-0001 are not believed
to be exploitable, because defined(), length(), setpassword(),
userinfo_set() and the binary "." operator all have prototypes that
force the relevant argument to be evaluated in scalar context. However,
using a safer idiom makes mistakes less likely.

(cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
2017-01-11 18:11:07 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Simon McVittie 7a52c87a8c Make the attachment plugin work with CGI.pm 4.x (Closes: #786586; workaround for #786587 in libcgi-pm-perl) 2015-06-07 14:51:13 +01:00
Amitai Schlair cfbcbda0ad Call CGI->param_fetch instead of CGI->param in array context
CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.

In the situations where we do want to cope with more than one parameter
of the same name, CGI->param_fetch (which always returns an
array-reference) makes the intention clearer.

[commit message added by smcv]
2014-10-16 22:24:47 +01:00
Simon McVittie f4ec7b06d9 Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.

I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
2014-10-16 22:24:47 +01:00
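The list-context expansion this commit describes (and that c1120bbbe8 and d157a97452 above harden further) in a small stand-alone demonstration, added here and not ikiwiki's own code: it assumes CGI.pm (libcgi-pm-perl) is installed, and check_fields() is a constructed stand-in for a three-argument callee like the checkpassword() mentioned in those commit messages.

```perl
#!/usr/bin/perl
# Added demonstration, not ikiwiki code: how CGI->param behaves in list
# versus scalar context, and the two safe idioms adopted in the commits.
use strict;
use warnings;
use CGI;    # assumes CGI.pm (libcgi-pm-perl) is installed

# Constructed request: the query string from the commit message, with
# two values for "a" and one for "d".
my $q = CGI->new('a=b&a=c&d=e');

# Hypothetical callee with the three-argument shape the commit message
# describes for checkpassword(); it only reports what it was handed.
sub check_fields {
    my ($user, $password, $field) = @_;
    return sprintf "user=%s password=%s field=%s",
        map { defined $_ ? "'$_'" : 'undef' } $user, $password, $field;
}

# Unsafe idiom: inside an argument list param() is in list context, so
# every value of "a" becomes its own positional argument and the second
# value spills into the next parameter. Recent CGI.pm (4.x) also warns
# when param() is called in list context like this.
print "list context:   ", check_fields($q->param('a')), "\n";

# Safe idiom 1 (f4ec7b06d9, c1120bbbe8): force scalar context, so only
# the first value reaches the callee whatever the client sent.
print "scalar context: ", check_fields(scalar $q->param('a')), "\n";

# Safe idiom 2 (cfbcbda0ad): when several values are genuinely wanted,
# param_fetch() always returns an array reference, making the intent
# explicit and leaving the caller in charge of how it is spread.
my $values = $q->param_fetch('a');
print "param_fetch:    ", scalar(@$values), " value(s): @$values\n";

# Collecting one value per parameter name stays safe with the same
# scalar() wrapper; $q->param with no name lists the parameter names.
my %fields = map { $_ => scalar $q->param($_) } $q->param;
print "one value per name: ",
    join(', ', map { "$_=$fields{$_}" } sort keys %fields), "\n";
```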
Simon McVittie bb359796b8 protect $@ whenever a block using $@ is non-trivial
As noted in the Try::Tiny man page, eval/$@ can be quite awkward in
corner cases, because $@ has the same properties and problems as C's
errno. While writing a regression test for definetemplate
in which it couldn't find an appropriate template, I received

    <span class="error">Error: failed to process template
    <span class="createlink">deftmpl</span> </span>

instead of the intended

    <span class="error">Error: failed to process template
    <span class="createlink">deftmpl</span> template deftmpl not
    found</span>

which turned out to be because the "catch"-analogous block called
gettext before it used $@, and gettext can call define_gettext,
which uses eval.

This commit alters all current "catch"-like blocks that use $@, except
those that just do trivial things with $@ (string interpolation, string
concatenation) and call a function (die, error, print, etc.).
2014-02-21 17:06:36 +00:00
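The $@ clobbering described in this commit, reproduced as an added example that is not ikiwiki's code: translate() is a constructed stand-in for gettext() calling define_gettext(), and the template name is the one from the commit message.

```perl
#!/usr/bin/perl
# Added demonstration, not ikiwiki code: $@ is a process-wide global like
# C's errno, so any eval that runs between the failure and the read
# overwrites it, even one buried inside an innocent-looking helper.
use strict;
use warnings;

# Constructed stand-in for gettext(): on its way to returning the
# message it runs an eval (as define_gettext() does), and a successful
# eval resets $@ to the empty string.
sub translate {
    my ($msg) = @_;
    eval { 1 };    # stands in for define_gettext()'s internal eval
    return $msg;
}

# Fragile "catch": calls translate() before it reads $@, so the detail
# ("template deftmpl not found") has already been wiped away.
sub render_fragile {
    my $ok = eval { die "template deftmpl not found\n"; 1 };
    return "rendered" if $ok;
    return translate("Error: failed to process template") . " $@";
}

# Protected "catch", the idiom this commit adopts: copy $@ into a
# lexical first, then do whatever non-trivial work is needed.
sub render_protected {
    my $ok = eval { die "template deftmpl not found\n"; 1 };
    return "rendered" if $ok;
    my $err = $@;    # capture before any other code can run an eval
    return translate("Error: failed to process template") . " $err";
}

# Complementary defence on the callee side: a helper that must use eval
# can localize $@ so the caller's pending error survives the call.
sub translate_polite {
    my ($msg) = @_;
    local $@;         # restored to the caller's value on return
    eval { 1 };
    return $msg;
}

print "fragile:   ", render_fragile(),   "\n";   # detail is missing
print "protected: ", render_protected(), "\n";   # detail is preserved

eval { die "still here\n" };
translate_polite("noop");
print "after localized helper: $@";              # caller's $@ intact
```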
Joey Hess 87f46582f5 Fix committing attachments when using svn. 2013-07-10 18:23:09 -04:00
Simon McVittie 5674e7fc12 prune: do not prune beyond an optional base directory, and add a test
Previously, prune("wiki/srcdir/sandbox/test.mdwn") could delete srcdir
or even wiki, if they happened to be empty. This is rarely what you
want: there's usually some base directory (destdir, srcdir, transientdir
or another subdirectory of wikistatedir) beyond which you do not want to
delete.
2012-04-07 17:52:29 +01:00
Joey Hess d134a2a6e9 avoid unnecessary uses of UNIVERSAL
Foo->Bar->can("method") works just as well, even if Foo::Bar is not
loaded. Using UNIVERSAL::can is deprecated.

But, I was unable to easily eliminate conditional.pm's use of UNIVERSAL::can
2012-03-18 14:34:21 -04:00
Joey Hess 1572c3c376 attachment: Fix utf-8 display bug. 2012-01-15 16:39:13 -04:00
Joey Hess d23786cb6c attachment: Bugfix to create directory when moving attachment out of holding area. 2011-07-11 21:35:46 -04:00
Joey Hess 258b75c4f7 attachment: Bugfix to move upload attachments out of holding area when saving. 2011-07-11 18:34:17 -04:00
Joey Hess 9f7d9ab356 Bugfix for trying to attach files to a subpage of the index page. 2011-07-07 20:32:14 -04:00
Joey Hess ace3665f81 improve detection of ajax request
Firefox sent an accept header for application/xml, not application/json,
and also weakened the priority to 0.8. So that stuff is not to be trusted;
instead I found a better way: When an ajax upload is *not* being made,
the Upload Attachment button will be used, so enable ajax if an upload
is being made without that button having been used.

Also, testing with firefox revealed it refused to process a response that
was type application/json, and checking the demo page for the jquery file
upload plugin, it actually returns the json with type text/html. Ugh.
Followed suit.

Now tested with: chromium, chromium (w/o js), firefox, firefox (w/o js),
and w3m.
2011-06-17 15:17:20 -04:00
Joey Hess 6ebb4e262e show ikiwiki error when attachment is rejected 2011-06-16 13:01:23 -04:00
Joey Hess d4a0732752 let thru HTTP_ACCEPT
Needed for attachment to return json when requested.

I think some browsers send Accept: * , so I made sure to check that json
was explicitly listed as to be accepted, as well as having a high
priority.
2011-06-15 20:02:14 -04:00
Joey Hess 54672a3130 bugfixes
Make sure staged attachments sort as earlier, even if they're not really.
2011-06-15 19:48:49 -04:00
Joey Hess b85485aaa2 typo 2011-06-15 19:31:11 -04:00
Joey Hess 8363107a9e use jquery underlay 2011-06-15 19:16:08 -04:00
Joey Hess e2b43578a6 load attachment javascript into template the clean way 2011-06-15 19:08:40 -04:00
Joey Hess f77452b7ca WIP 2011-06-15 18:37:12 -04:00
Joey Hess b66261d08b WIP 2011-06-15 15:21:59 -04:00
Joey Hess 2e086b3263 remove trailing slash from attachment_holding_dir
If it's passed a filename, it should return the filename inside the holding
dir. If passed a page, the directory sans slash. All code adds the slash.
2011-06-14 15:49:33 -04:00
Joey Hess d4254c7f97 more generic interface 2011-06-14 15:31:58 -04:00
Joey Hess 49e7bc2535 bugfixes 2011-06-14 15:19:23 -04:00
Joey Hess a61849e954 bugfix for attachments of non-index pages 2011-06-14 15:07:34 -04:00
Joey Hess 04b2a4d676 fix removal of held attachments
Left out confirmation of removal for held attachments because
a) they're not in the wiki yet, so confirmation is a bit unnecessary
b) it would be hard
c) eases later integration of jquery file upload interface

Also changed where attachments of index are held (to match where they're
stored in the srcdir).

Note that the attachment formbuilder hook was made to run last, so that
the list of attachments is not generated before removal, in the fast path
w/o confirm.
2011-06-14 14:44:20 -04:00
Joey Hess c55a32d3e1 fixed previewing of attachments from holding area 2011-06-14 14:08:13 -04:00
Joey Hess d4d2327400 fixed saving attachments on page save
Also saved on preview, but previewing is a bit broken, does not see the
newly saved attachment yet.
2011-06-14 13:59:56 -04:00
Joey Hess e2cb19ed9e attachment list includes new attachments in holding area
Note that it's possible for an attachment in the holding area to be older
than an attachment in the wiki with the same name. I intentionally
show the one in the holding area in this (unlikely) case, since saving the
page will overwrite the wiki's file with the held attachment. It does not
seem worth the bother of doing something more intelligent, since in this
case two people have basically conflicted with one another, and both
attachment contents will be stored in revision control in case it needs to
be sorted out.

I had to remove the hyperlink for attachments in the holding area, since
they're not yet live on the web. This could be annoying/confusing. Added
a mouseover notice instead.
2011-06-14 13:49:41 -04:00
Joey Hess 8619faaa8b untaint and linkpage the page name used in attachment holding directory 2011-06-14 13:41:07 -04:00
Joey Hess 1d951583a6 store filename in holding dir in linkpage form
Avoids any unpleasantness with .. or other special chars in the attachment
filename.
2011-06-14 13:38:37 -04:00
Joey Hess e08daac239 store attachments in holding area; commit to wiki on page save
This makes uploading a lot of attachments somewhat faster, because
the user does not need to wait for a long website refresh after each
upload. Still probably somewhat slow, since ikiwiki has to run for each
upload.

More importantly, this opens the door for integration of things like
the jquery file upload interface, which allow drag-n-drop and multiple
file uploads to be queued and then run.

It uses rcs_commit_staged, which leaves out tla and mercurial which lack
that, but since rename, remove, autoindex, etc also use that, I think it's
fine for attachments to also depend on it.

The attachment list is currently broken; it does not look in the holding
area yet, and its links to the attached files won't work since they're not
yet in the wiki. Previewing is also currently broken.

Work sponsored by TOVA.
2011-06-14 13:34:36 -04:00
Joey Hess 4c96fce144 refactor 2011-06-14 13:06:59 -04:00
Joey Hess 69b9fd132d remove second parameter to include_javascript
The function used to take a second parameter to control absoluteness; it
no longer does.
2011-01-02 18:33:05 -04:00
Joey Hess 90bc68589e attachment: Fix attachment file size display. 2010-09-21 15:33:42 -04:00
Joey Hess 7784e0b7b8 don't run check_canedit in nonfatal mode 2010-08-30 15:57:10 -04:00
Joey Hess ecdfd1b864 rcs_commit and rcs_commit_staged api changes
Using named parameters for these is overdue. Passing the session in a
parameter instead of passing username and IP separately will later allow
storing other session info, like username or part of the email.

Note that these functions are not part of the exported API,
and the prototype change will catch (most) skew, so I am not changing
API versions. Any third-party plugins that call them will need to be
updated, though.
2010-06-23 19:04:36 -04:00
Joey Hess 4292802ee5 stop using REMOTE_ADDR
Everywhere that REMOTE_ADDR was used, a session object is available, so
instead use its remote_addr method.

In IkiWiki::Receive, stop setting a dummy REMOTE_ADDR.

Note that it's possible for a session cookie to be obtained using one IP
address, and then used from another IP. In this case, the first IP will now
be used. I think that should be ok.
2010-06-23 16:35:51 -04:00
Joey Hess 69c22fa1ea attachment: Support Windows paths when taking basename of client-supplied file name. 2010-06-16 13:23:32 -04:00
Joey Hess c65658eeb5 attachment: When inserting links, insert img directives for images, if that plugin is enabled. 2010-06-12 23:00:30 -04:00
Joey Hess 9923f5db65 attachment: Show files from underlay in attachments list.
While those files cannot be removed or renamed, this allows easy
downloading of them, and a new version can after all be uploaded.
2010-06-12 14:29:56 -04:00
Joey Hess a97964688b unfinished file_prune revamp
Many calls to file_prune were incorrectly calling it with 2 parameters.
In cases where the filename being checked is relative to the srcdir,
that is not needed.

Made absolute filenames be pruned. (This won't work for the 2 parameter call
style.)
2010-04-17 19:05:40 -04:00
Joey Hess 20ba12802b add section information 2010-02-12 04:22:15 -05:00
Joey Hess cdbdf19c36 attachment: Fix reversion in attachment sorting by age.
Reversion was introduced by over-eager removal of mtime_raw in
2b569f99d9
2009-12-14 17:19:31 -05:00
Joey Hess bb1ce7207d attachment: Fix several utf-8 problems.
Similar to those in the rename plugin, although here we can't use
the form object.
2009-12-14 17:16:40 -05:00
Joey Hess 7ba65e7f4b remove deprecated admin prefs
A new ikiwiki-transition moveprefs subcommand can pull the old data out of
the userdb and inject it into the setup file.

Note that it leaves the old values behind in the userdb too. I did this
because I didn't want to lose data if it fails writing the setup file for
some reason, and the old data in the userdb will only use a small amount of
space. Running the command multiple times will mostly not change anything.
2008-12-24 16:16:03 -05:00
Joey Hess 678d467a40 finalise version 3.00 of the plugin api 2008-12-23 16:34:19 -05:00
Joey Hess bb93fccf06 Coding style change: Remove explicit vim folding markers. 2008-12-17 15:22:16 -05:00
Joey Hess 2b569f99d9 fix relativedate timezone inclusion
The machine parseable date needs to include a timezone.

Also, simplified the interface for date display.
2008-10-19 19:21:44 -04:00