-Let's do an ikiwiki security analysis..
+Let's do an ikiwiki security analysis.
If you are using ikiwiki to render pages that only you can edit, do not
generate any wrappers, and do not use the cgi, then there are no more
make it appear on [[RecentChanges]] like foo committed. One way to avoid
this would be to limit web commits to those done by a certian user.
+## XML::Parser
+
+XML::Parser is used by the aggregation plugin, and has some security holes
+that are still open in Debian unstable as of this writing. #378411 does not
+seem to affect our use, since the data is not encoded as utf-8 at that
+point. #378412 could affect us, although it doesn't seem very exploitable.
+It has a simple fix, which should be NMUed or something..
+
## other stuff to look at
I need to audit the git backend a bit, and have been meaning to
Currently only people with direct svn commit access can upload such files
(and if you wanted to you could block that with a svn pre-commit hook).
-Wsers with only web commit access are limited to editing pages as ikiwiki
+Users with only web commit access are limited to editing pages as ikiwiki
doesn't support file uploads from browsers (yet), so they can't exploit
this.