urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ikiwiki/doc/bugs/Symlinked_srcdir_requires_t...

82 lines
3.2 KiB
Markdown
Raw Blame History

If the srcdir is a symlink, Ikiwiki will not render the pages unless the srcdir has a trailing slash.
For example:
#!/bin/sh
set -x
REALSRCDIR=~/tmp/ikiwiki/wikiwc2
SRCDIR=~/tmp/ikiwiki/wikiwc
DESTDIR=~/tmp/ikiwiki/public_html/wiki/
echo "*** Testing without trailing slash."
rm -rf $REALSRCDIR $SRCDIR $DESTDIR
# Create the real srcdir and link the srcdir to it
mkdir -p $REALSRCDIR
ln -s $REALSRCDIR $SRCDIR
mkdir -p $DESTDIR
echo Test > $SRCDIR/index.mdwn
# No trailing slash after $SRCDIR
ikiwiki --verbose $SRCDIR $DESTDIR --url=http://example.org/~you/wiki/ --underlaydir /dev/null
echo "*** Testing with trailing slash."
rm -rf $REALSRCDIR $SRCDIR $DESTDIR
# Create the real srcdir and link the srcdir to it
mkdir -p $REALSRCDIR
ln -s $REALSRCDIR $SRCDIR
mkdir -p $DESTDIR
echo Test > $SRCDIR/index.mdwn
# Trailing slash after $SRCDIR
ikiwiki --verbose $SRCDIR/ $DESTDIR --url=http://example.org/~you/wiki/ --underlaydir /dev/null
My output:
+ REALSRCDIR=/home/svend/tmp/ikiwiki/wikiwc2
+ SRCDIR=/home/svend/tmp/ikiwiki/wikiwc
+ DESTDIR=/home/svend/tmp/ikiwiki/public_html/wiki/
+ echo '*** Testing without trailing slash.'
*** Testing without trailing slash.
+ rm -rf /home/svend/tmp/ikiwiki/wikiwc2 /home/svend/tmp/ikiwiki/wikiwc /home/svend/tmp/ikiwiki/public_html/wiki/
+ mkdir -p /home/svend/tmp/ikiwiki/wikiwc2
+ ln -s /home/svend/tmp/ikiwiki/wikiwc2 /home/svend/tmp/ikiwiki/wikiwc
+ mkdir -p /home/svend/tmp/ikiwiki/public_html/wiki/
+ echo Test
+ ikiwiki --verbose /home/svend/tmp/ikiwiki/wikiwc /home/svend/tmp/ikiwiki/public_html/wiki/ --url=http://example.org/~you/wiki/ --underlaydir /dev/null
+ echo '*** Testing with trailing slash.'
*** Testing with trailing slash.
+ rm -rf /home/svend/tmp/ikiwiki/wikiwc2 /home/svend/tmp/ikiwiki/wikiwc /home/svend/tmp/ikiwiki/public_html/wiki/
+ mkdir -p /home/svend/tmp/ikiwiki/wikiwc2
+ ln -s /home/svend/tmp/ikiwiki/wikiwc2 /home/svend/tmp/ikiwiki/wikiwc
+ mkdir -p /home/svend/tmp/ikiwiki/public_html/wiki/
+ echo Test
+ ikiwiki --verbose /home/svend/tmp/ikiwiki/wikiwc/ /home/svend/tmp/ikiwiki/public_html/wiki/ --url=http://example.org/~you/wiki/ --underlaydir /dev/null
scanning index.mdwn
rendering index.mdwn
Note that index.mdwn was only rendered when srcdir had a trailing slash.
> There are potential [[security]] issues with ikiwiki following a symlink,
> even if it's just a symlink at the top level of the srcdir.
> Consider ikiwiki.info's own setup, where the srcdir is ikiwiki/doc,
> checked out of revision control. A malicious committer could convert
> ikiwiki/doc into a symlink to /etc, then ikiwiki would happily publish
> all of /etc to the web.
>
> This kind of attack is why ikiwiki does not let File::Find follow
> symlinks when scanning the srcdir. By appending the slash, you're
> actually bypassing that check. Ikiwiki should not let you set
> up a potentially insecure configuration like that. More discussion of
> this hole [[here|security#index29h2]], and I've had to release
> a version of ikiwiki that explicitly checks for that, and fails to work.
> Sorry, but security trumps convenience. [[done]] --[[Joey]]
Reference in New Issue View Git Blame Copy Permalink