ikiwiki/debian
Joey Hess 72b5ef2c5f Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.

In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.

In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.

For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)

The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 16:35:30 -04:00
..
.gitignore Add debian/.gitignore, with ignores for Debian build products 2008-01-26 22:28:44 -08:00
NEWS fix versions 2008-02-10 02:13:09 -05:00
README.Debian Remove trailing whitespace from README.Debian 2008-02-10 22:55:48 -08:00
changelog Fix CSRF attacks against the preferences and edit forms. Closes: #475445 2008-04-10 16:35:30 -04:00
compat debianise 2006-03-15 04:05:53 +00:00
control Time::Duration is no longer used, remove from docs and recommends. 2008-03-19 21:59:40 -04:00
copyright update 2008-03-17 17:17:53 -04:00
postinst merged the recentchanges branch 2008-01-29 17:50:11 -05:00
preinst releasing version 1.3 2006-05-16 15:20:33 +00:00
rules defer po and pot file updating until package build time 2008-03-21 16:32:23 -04:00

README.Debian

It's a good idea, and in some cases a requirement, to rebuild your wikis
when upgrading to a new version of ikiwiki. If you have a lot of different
wikis on a system, this can be a pain to do by hand, and it's a good idea
to automate it anyway.

This Debian package of ikiwiki supports rebuilding wikis on upgrade. It
will run ikiwiki-mass-rebuild if necessary when upgraded. The file
/etc/ikiwiki/wikilist lists the setup files of wikis to rebuild, as well
as the user who owns the wiki. Edit this file and add any wikis you
set up.

You can also allow users to maintain their own list of wikis to rebuild,
by listing their usernames in /etc/ikiwiki/wikilist without corresponding
setup files.  ikiwiki will then read their lists of wikis from
.ikiwiki/wikilist in their home directories.


The examples directory contains the source to some example wiki setups.