4729ff0812
Current Perl versions put '.' at the end of the library search path @INC, although this will be fixed in a future Perl release. This means that when software loads an optionally-present module, it will be looked for in the current working directory before giving up. An attacker could use this to execute arbitrary Perl code from ikiwiki's current working directory. Removing '.' from the library search path in Perl is the correct fix for this vulnerability, but is not trivial to do due to backwards-compatibility concerns. Mitigate this (even if ikiwiki is run with a vulnerable Perl version) by explicitly removing '.' from the search path, and instead looking for ikiwiki's own modules relative to the absolute path of the executable when run from the source directory. In tests that specifically want to use the current working directory, use "-I".getcwd instead of "-I." so we use its absolute path, which is immune to the removal of ".". |
||
|---|---|---|
| Bundle | ||
| IkiWiki | ||
| cpan | ||
| debian | ||
| doc | ||
| icons | ||
| plugins | ||
| po | ||
| t | ||
| templates | ||
| themes | ||
| underlays | ||
| .gitattributes | ||
| .gitignore | ||
| .perlcriticrc | ||
| CHANGELOG | ||
| IkiWiki.pm | ||
| Makefile.PL | ||
| NEWS | ||
| README | ||
| auto-blog.setup | ||
| auto.setup | ||
| docwiki.setup | ||
| gitremotes | ||
| ikiwiki-calendar.in | ||
| ikiwiki-comment.in | ||
| ikiwiki-makerepo | ||
| ikiwiki-mass-rebuild | ||
| ikiwiki-transition.in | ||
| ikiwiki-update-wikilist | ||
| ikiwiki-w3m.cgi | ||
| ikiwiki.in | ||
| ikiwiki.spec | ||
| mdwn2man | ||
| pm_filter | ||
| wikilist | ||
README
Use ./Makefile.PL to generate a Makefile, "make" will build the documentation wiki and a man page, and "make install" will install ikiwiki. All other documentation is in the ikiwiki documentation wiki, which is also available online at <http://ikiwiki.info/> A few special variables you can set while using the Makefile.PL: PROFILE=1 turns on profiling for the build of the doc wiki. (Uses Devel::NYTProf) NOTAINT=0 turns on the taint flag in the ikiwiki program. (Not recommended unless your perl is less buggy than mine -- see http://bugs.debian.org/411786) MAKE, FIND, and SED can be used to specify where you have the GNU versions of those tools installed, if the normal make, find, and sed are not GNU. There are also other variables supported by MakeMaker, including PREFIX, INSTALL_BASE, and DESTDIR. See ExtUtils::MakeMaker(3). In particular, INSTALL_BASE is very useful if you want to install ikiwiki to some other location, as it configures it to see the perl libraries there. See `doc/tips/nearlyfreespeech.mdwn` for an example of using this to install ikiwiki and its dependencies in a home directory.