meta: Security fix; don't allow alternative stylesheets to be added on pages where...
[git.ikiwiki.info.git] / IkiWiki / Render.pm
index 833fcaaff0d0412ce97faca6405a406c26fd4807..a653ab2da02e542828349c3d9f3ac200340608f4 100644 (file)
@@ -292,12 +292,17 @@ sub find_src_files () {
        eval q{use File::Find};
        error($@) if $@;
 
-       my ($page, $dir, $underlay);
+       eval q{use Cwd};
+       die $@ if $@;
+       my $origdir=getcwd();
+       my $abssrcdir=Cwd::abs_path($config{srcdir});
+
+       my ($page, $underlay);
        my $helper=sub {
                my $file=decode_utf8($_);
 
                return if -l $file || -d _;
-               $file=~s/^\Q$dir\E\/?//;
+               $file=~s/^\.\///;
                return if ! length $file;
                $page = pagename($file);
                if (! exists $pagesources{$page} &&
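Review bot: The results of `getcwd()` and `Cwd::abs_path($config{srcdir})` are used unchecked. Cwd documents `getcwd` as returning undef on error, and `abs_path` may also fail; if either value is undefined, the later `chdir($origdir)` and the `"$abssrcdir/$f"` override test would operate on the wrong path. Consider `my $origdir=getcwd() || die "getcwd: $!";` and a matching check on `$abssrcdir`. The added `die $@ if $@;` also differs from the `error($@) if $@;` used for File::Find two lines above; using `error` would keep failure reporting uniform. find_src_files continues past the end of this hunk.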
@@ -314,7 +319,7 @@ sub find_src_files () {
        
                if ($underlay) {
                        # avoid underlaydir override attacks; see security.mdwn
-                       if (! -l "$config{srcdir}/$f" && ! -e _) {
+                       if (! -l "$abssrcdir/$f" && ! -e _) {
                                if (! $pages{$page}) {
                                        push @files, $f;
                                        $pages{$page}=1;
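Review bot: The switch to `$abssrcdir` in the override test has no comment saying why the absolute path is required; the reason (the process is sitting in an underlay directory during this scan, so a relative srcdir would resolve against the underlay) is only visible further down the function. Extend the existing comment, e.g. `# srcdir must be absolute here: cwd is the underlay dir while it is scanned`. This matters because the test is the guard against underlaydir override, and a later edit that reverts to `$config{srcdir}` would silently check the wrong tree when srcdir is relative. The enclosing block starts and ends outside the hunk.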
@@ -330,17 +335,24 @@ sub find_src_files () {
                }
        };
 
+       chdir($config{srcdir}) || die "chdir $config{srcdir}: $!";
        find({
                no_chdir => 1,
                wanted => $helper,
-       }, $dir=$config{srcdir});
+       }, '.');
+       chdir($origdir) || die "chdir $origdir: $!";
+
        $underlay=1;
        foreach (@{$config{underlaydirs}}, $config{underlaydir}) {
-               find({
-                       no_chdir => 1,
-                       wanted => $helper,
-               }, $dir=$_);
+               if (chdir($_)) {
+                       find({
+                               no_chdir => 1,
+                               wanted => $helper,
+                       }, '.');
+                       chdir($origdir) || die "chdir: $!";
+               }
        };
+
        return \@files, \%pages;
 }
 
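Review bot: In the underlay loop, `if (chdir($_))` has no else branch, so an underlay directory that cannot be entered is skipped without any diagnostic, whereas the srcdir and return `chdir` calls die. Adding `else { debug("skipping underlay $_: $!") }` would make a missing or unreadable underlay visible. The `die "chdir: $!"` inside the loop also omits the directory name that the other two messages include; `die "chdir $origdir: $!"` would match. Separately, if `$helper` raises an error mid-scan (its body is only partly visible here), the working directory is left inside srcdir or the underlay, so it is worth confirming that callers do not depend on cwd after a failure.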
@@ -353,6 +365,35 @@ sub find_new_files ($) {
 
        foreach my $file (@$files) {
                my $page=pagename($file);
+
+               if ($config{rcs} && $config{gettime} &&
+                   -e "$config{srcdir}/$file") {
+                       if (! $times_noted) {
+                               debug(sprintf(gettext("querying %s for file creation and modification times.."), $config{rcs}));
+                               $times_noted=1;
+                       }
+
+                       eval {
+                               my $ctime=rcs_getctime($file);
+                               if ($ctime > 0) {
+                                       $pagectime{$page}=$ctime;
+                               }
+                       };
+                       if ($@) {
+                               print STDERR $@;
+                       }
+                       my $mtime;
+                       eval {
+                               $mtime=rcs_getmtime($file);
+                       };
+                       if ($@) {
+                               print STDERR $@;
+                       }
+                       elsif ($mtime > 0) {
+                               utime($mtime, $mtime, "$config{srcdir}/$file");
+                       }
+               }
+
                if (exists $pagesources{$page} && $pagesources{$page} ne $file) {
                        # the page has changed its type
                        $forcerebuild{$page}=1;
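Review bot: In the added block, `elsif ($mtime > 0)` compares an undefined value whenever `rcs_getmtime` returns nothing without dying, and the result of `utime` is ignored, so a failed timestamp update goes unreported. `elsif (defined $mtime && $mtime > 0)` plus a check such as `utime($mtime, $mtime, "$config{srcdir}/$file") || print STDERR "utime $file: $!\n";` would cover both; the same `defined` guard applies to `$ctime`. The calls now pass `$file` rather than `"$config{srcdir}/$file"`, so every rcs backend has to resolve the path relative to srcdir itself; those backends are not part of this diff and should be checked against the new contract. find_new_files starts before and continues after this hunk.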
@@ -362,34 +403,8 @@ sub find_new_files ($) {
                        if (isinternal($page)) {
                                push @internal_new, $file;
                        }
-                       elsif ($config{rcs}) {
+                       else {
                                push @new, $file;
-                               if ($config{gettime} && -e "$config{srcdir}/$file") {
-                                       if (! $times_noted) {
-                                               debug(sprintf(gettext("querying %s for file creation and modification times.."), $config{rcs}));
-                                               $times_noted=1;
-                                       }
-
-                                       eval {
-                                               my $ctime=rcs_getctime("$config{srcdir}/$file");
-                                               if ($ctime > 0) {
-                                                       $pagectime{$page}=$ctime;
-                                               }
-                                       };
-                                       if ($@) {
-                                               print STDERR $@;
-                                       }
-                                       my $mtime;
-                                       eval {
-                                               $mtime=rcs_getmtime("$config{srcdir}/$file");
-                                       };
-                                       if ($@) {
-                                               print STDERR $@;
-                                       }
-                                       elsif ($mtime > 0) {
-                                               utime($mtime, $mtime, "$config{srcdir}/$file");
-                                       }
-                               }
                        }
                        $pagecase{lc $page}=$page;
                        if (! exists $pagectime{$page}) {
@@ -442,6 +457,7 @@ sub remove_del (@) {
                }
        
                delete $pagecase{lc $page};
+               $delpagesources{$page}=$pagesources{$page};
                delete $pagesources{$page};
        }
 }
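Review bot: The new `$delpagesources{$page}=$pagesources{$page};` carries no comment, and neither the declaration of `%delpagesources` nor the place where it is cleared is visible in this hunk. A short comment such as `# keep the deleted page's source file available after it leaves %pagesources` would explain why the entry is saved just before `delete $pagesources{$page}`, if that is its purpose. If the hash is never reset between refreshes it would accumulate entries across runs, so confirm where it is emptied. remove_del starts outside the hunk.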