* Fix a security hole that allowed a web user to edit images and other

[git.ikiwiki.info.git] / IkiWiki / Plugin / rst.pm

diff --git a/IkiWiki/Plugin/rst.pm b/IkiWiki/Plugin/rst.pm
index 6bf11fe36561c516d1bd10b6e58af34396157df5..afd60f6687d5e759321cb42261fb1a48a3241094 100644 (file)
--- a/IkiWiki/Plugin/rst.pm
+++ b/IkiWiki/Plugin/rst.pm
@@ -36,34 +36,34 @@ print html[html.find('<body>')+6:html.find('</body>')].strip();
 ";
 
 sub import { #{{{
-       IkiWiki::hook(type => "htmlize", id => "rst", call => \&htmlize);
+       hook(type => "htmlize", id => "rst", call => \&htmlize);
 } # }}}
 
-sub htmlize ($) { #{{{
-       my $content=shift;
+sub htmlize (@) { #{{{
+       my %params=@_;
+       my $content=$params{content};
 
-       my $tries=10;
-       while (1) {
-               eval {
-                       # Try to call python and run our command
-                       open2(*IN, *OUT, "python", "-c",  $pyCmnd)
-                               or return $content;
-               };
-               last unless $@;
-               $tries--;
-               if ($tries < 1) {
-                       IkiWiki::debug("failed to run python to convert rst: $@");
-                       return $content;
-               }
-       }
+       my $pid;
+       my $sigpipe=0;
+       $SIG{PIPE}=sub { $sigpipe=1 };
+       $pid=open2(*IN, *OUT, "python", "-c",  $pyCmnd);
+       
        # open2 doesn't respect "use open ':utf8'"
        binmode (IN, ':utf8');
        binmode (OUT, ':utf8');
        
        print OUT $content;
        close OUT;
+
        local $/ = undef;
-       return <IN>;
+       my $ret=<IN>;
+       close IN;
+       waitpid $pid, 0;
+
+       return $content if $sigpipe;
+       $SIG{PIPE}="DEFAULT";
+
+       return $ret;
 } # }}}
 
 1