Commit Graph

15 Commits (0e5c8ae806283d31bcfaf63f5af361f97dbe91f0)

Author SHA1 Message Date
Simon McVittie 06fce2b238 pm_filter: use \Q...\E to escape all possible strings pedantically
The current implementation would misbehave for prefixes containing
a single quote.
2016-09-03 23:47:52 +01:00
Sam Hathaway b63aad46c4
Use single-quotes in $installdir value in case prefix includes a string metacharacter. 2016-08-03 14:58:52 -04:00
Simon McVittie 4729ff0812 Exclude working directory from library path (CVE-2016-1238)
Current Perl versions put '.' at the end of the library search path
@INC, although this will be fixed in a future Perl release. This means
that when software loads an optionally-present module, it will be
looked for in the current working directory before giving up. An
attacker could use this to execute arbitrary Perl code from ikiwiki's
current working directory.

Removing '.' from the library search path in Perl is the correct
fix for this vulnerability, but is not trivial to do due to
backwards-compatibility concerns. Mitigate this (even if ikiwiki is run
with a vulnerable Perl version) by explicitly removing '.' from the
search path, and instead looking for ikiwiki's own modules relative
to the absolute path of the executable when run from the source
directory.

In tests that specifically want to use the current working directory,
use "-I".getcwd instead of "-I." so we use its absolute path, which
is immune to the removal of ".".
2016-07-28 09:50:21 +01:00
Amitai Schlair 604d0391ba Squelch regex deprecation warnings from Perl 5.22.
Specifically:

"Unescaped left brace in regex is deprecated, passed through in regex"
2015-06-14 21:35:51 -04:00
Joey Hess 7825960d31 remove -T from ikiwiki.in, add back if NOTAINT=0 2009-05-22 13:46:07 -04:00
Joey Hess df0f9811a3 typo 2009-02-04 13:45:54 -05:00
Joey Hess 3eaa5c91d7 export installdir
For use by Setup/Automator
2009-01-12 18:55:56 -05:00
Joey Hess 2c6f41e59c If PERL5LIB is set to the libdir when building ikiwiki, calculate and hardcode a proper 'use lib' statement anyway. This fixes a gotcha, since PERL5LIB won't work once ikiwiki is running via a wrapper or as a cgi. 2008-05-14 02:42:01 -04:00
Joey Hess 8fdb37d7bc use an elsif
(Not that it really matters..)
2008-04-28 22:13:12 -04:00
Joey Hess dbb5d11196 Deal with different paths to perl when removing -T flag. 2008-04-28 15:37:17 -04:00
Joey Hess 9f02ee8634 Add PREFIX/bin to the hardcoded PATH within ikiwiki. 2008-04-28 13:44:37 -04:00
Joey Hess 2a802c1518 if NOTAINT is not set, disable tainting 2008-02-24 16:01:10 -05:00
joey 34f1c2aee8 * Allow setting NOTAINT=1 when building the wiki to remove taint checking
flags, which can be useful on some hosting providers.
2007-02-20 01:09:48 +00:00
joey 5bc73d7fac * Rename ikiwiki.pl so MakeMaker doesn't see it, and install it.
* Add some code to the build system that tries to determine if the
  lib installation directory is in @INC. If it's not, munge ikiwiki
  to hardcode the path to the lib directory. This should allow installing
  ikiwiki in nonstandard locations, including home directories, by just
  setting PREFIX at build time.
* Fix nested examples directory in deb.
2006-11-20 22:12:43 +00:00
joey f4d99ac1ca * Use DESTDIR and not PREFIX to specify installation prefix for packaging.
* Support running "perl Makefile.PL PREFIX=foo" to build ikiwiki to run
  from a different directory.
2006-08-25 02:12:43 +00:00