50 lines
2.2 KiB
Markdown
50 lines
2.2 KiB
Markdown
News for ikiwiki 3.20160506:
|
|
|
|
To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
|
|
the `\[[!img]]` directive is now restricted to these common web formats by
|
|
default:
|
|
|
|
* JPEG (`.jpg`, `.jpeg`)
|
|
* PNG (`.png`)
|
|
* GIF (`.gif`)
|
|
* SVG (`.svg`)
|
|
|
|
(In particular, by default resizing PDF files is no longer allowed.)
|
|
|
|
Additionally, resized SVG files are displayed in the browser as SVG
|
|
instead of being converted to PNG.
|
|
|
|
If all users who can attach images are fully trusted, this restriction
|
|
can be removed with the new img\_allowed\_formats setup option.
|
|
See [[ikiwiki/directive/img]] for more details.
|
|
|
|
ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
|
|
[[!toggleable text="""
|
|
* [ [[Simon McVittie|smcv]] ]
|
|
* HTML-escape error messages, in one case avoiding potential cross-site
|
|
scripting ([[!cve CVE-2016-4561]], OVE-20160505-0012)
|
|
* Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
|
|
- img: force common Web formats to be interpreted according to extension,
|
|
so that "allowed\_attachments: '*.jpg'" does what one might expect
|
|
- img: restrict to JPEG, PNG and GIF images by default, again mitigating
|
|
CVE-2016-3714 and similar vulnerabilities
|
|
- img: check that the magic number matches what we would expect from
|
|
the extension before giving common formats to ImageMagick
|
|
* d/control: use https for Homepage
|
|
* d/control: add Vcs-Browser
|
|
* [ [[Joey Hess|joey]] ]
|
|
* img: Add back support for SVG images, bypassing ImageMagick and
|
|
simply passing the SVG through to the browser, which is supported by all
|
|
commonly used browsers these days.
|
|
SVG scaling by img directives has subtly changed; where before
|
|
size=wxh would preserve aspect ratio, this cannot be done when passing
|
|
them through and so specifying both a width and height can change
|
|
the SVG's aspect ratio.
|
|
* loginselector: When only openid and emailauth are enabled, but
|
|
passwordauth is not, avoid showing a "Other" box which opens an
|
|
empty form.
|
|
* [ [[Amitai Schlair|schmonz]] ]
|
|
* mdwn: Process .md like .mdwn, but disallow web creation.
|
|
* [ Florian Wagner ]
|
|
* git: Correctly handle filenames starting with a dash in add/rm/mv."""]]
|