Commit Graph

16 Commits (e262621db1fd778fac0fbe74fb8be38dffe956f1)

Author SHA1 Message Date
Simon McVittie 4729ff0812 Exclude working directory from library path (CVE-2016-1238)
Current Perl versions put '.' at the end of the library search path
@INC, although this will be fixed in a future Perl release. This means
that when software loads an optionally-present module, it will be
looked for in the current working directory before giving up. An
attacker could use this to execute arbitrary Perl code from ikiwiki's
current working directory.

Removing '.' from the library search path in Perl is the correct
fix for this vulnerability, but is not trivial to do due to
backwards-compatibility concerns. Mitigate this (even if ikiwiki is run
with a vulnerable Perl version) by explicitly removing '.' from the
search path, and instead looking for ikiwiki's own modules relative
to the absolute path of the executable when run from the source
directory.

In tests that specifically want to use the current working directory,
use "-I".getcwd instead of "-I." so we use its absolute path, which
is immune to the removal of ".".
2016-07-28 09:50:21 +01:00
Simon McVittie a1fda0b516 Standardize on --long-option instead of -long-option
[[forum/refresh_and_setup]] indicates some confusion between --setup
and -setup. Both work, but it's clearer if we stick to one in
documentation and code.

A 2012 commit to [[plugins/theme]] claims that "-setup" is required
and "--setup" won't work, but I cannot find any evidence in ikiwiki's
source code that this has ever been the case.
2015-03-01 16:15:01 +00:00
Joey Hess 35bc56bb66 don't exit sub via next 2011-08-21 17:36:29 -04:00
Joey Hess 4fdeda0e34 ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su. (Once su's related bug #628843 is fixed.) Thanks, Ludwig Nussel. (CVE-2011-1408) 2011-06-08 17:42:07 -04:00
Joey Hess 5807f1de04 fix two build bugs
* ikiwiki-mass-rebuild: Make group list comparison more robust.
* search: Work around xapian bug #486138 by only stemming locales
  in a whitelist.
2008-06-13 13:05:44 -04:00
Joey Hess 20ac7c1bf5 sort list for $) so comparison works 2008-06-03 21:38:57 -04:00
Joey Hess 0353882a66 ikiwiki-mass-rebuild: Don't trust $! when setting $)
A better fix, just check that what $) returns is what it was asked to set,
and ignore $! entirely.
2008-05-31 14:46:16 -04:00
Joey Hess c00890a2f0 ikiwiki-mass-rebuild: under $! before setting $) to avoid strange errno issue
This fixes a problem sgran saw on alioth. Apparently nss-db sets errno to
ENOENT as a side effect trying to read an optional file, but succeeds
anyway. Then, somehow, errno remains set across the library calls made by
$).

So unset it first as a workaround; there's probably a nss-db, libc, and/or
perl bug underneath.
2008-05-31 14:37:05 -04:00
Joey Hess 267885009f display if group setting fails 2007-12-07 01:09:48 -05:00
Joey Hess cb80809aec * Add wrappergroup config option, which can be used to cause wrappers
to be created owned by some group other than the default. Useful
  then there's a shared repository with access controlled by a group,
  to let ikiwiki run setgid to that group.
* ikiwiki-mass-rebuild: Run build with the user in all their groups.
2007-11-14 09:27:11 -05:00
Joey Hess 1e1e1f5046 * ikiwiki-mass-rebuild: Patch from HenrikBrixAndersen to fix order
* ikiwiki-mass-rebuild: Don't clear PATH from the environment.
2007-10-25 23:12:23 -04:00
Joey Hess f947f8c4b2 * ikiwiki-mass-rebuild: Patch from HenrikBrixAndersen to fix order
of permissions dropping code to work on FreeBSD.
2007-10-25 07:56:54 -04:00
joey c9983bc7d8 * Allow /etc/ikiwiki/wikilist to list just the names of users, if so then
~user/.ikiwiki/wikilist will be read.
2006-11-28 05:46:13 +00:00
joey ccd3a7e2c2 * Fix ikiwiki-mass-rebuild to work in the way the postinst uses it. 2006-08-19 02:58:47 +00:00
joey c20c406631 * Add -refresh option to ikiwiki-mass-rebuild and use that on upgrades that
do not need a full rebuild, in order to update any basewiki pages.
2006-05-27 19:04:46 +00:00
joey dd7a381471 * Add ikiwiki-mass-rebuild script, ripped out of the postinst.
* Add some new config items to the estseek.conf template, which are needed
  by hyperestraier 1.2.3.
2006-05-05 20:48:20 +00:00