they could still fool ikiwiki using similar races. So it's best if only one
person can ever write to the checkout that ikiwiki compiles the moo from.
+## webserver symlink attacks
+
+If someone checks in a symlink to /etc/passwd, ikiwiki would publish that.
+To aoid this, ikiwiki will need to avoid reading files that are symlinks.
+TODO and note discussion of races above.
+
## cgi security
When ikiwiki runs as a cgi to edit a page, it is passed the name of the
such as subversion dotfiles. This is done by sanitising the filename
removing unallowed characters, then making sure it doesn't start with "/"
or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where
-security holes breed.
+security holes breed. It needs a test suite at the very least.