meta: Security fix; don't allow alternative stylesheets to be added on pages where...

[git.ikiwiki.info.git] / IkiWiki.pm

diff --git a/IkiWiki.pm b/IkiWiki.pm
index 7d5668d74d6899f08019b964517223b693606db5..443c7044796a29947936fd5de57e8e09c14bfec4 100644 (file)
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -88,6 +88,7 @@ sub defaultconfig () { #{{{
        account_creation_password => "",
        prefix_directives => 0,
        hardlink => 0,
+       cgi_disable_uploads => 1,
 } #}}}
 
 sub checkconfig () { #{{{
@@ -150,7 +151,9 @@ sub loadplugins () { #{{{
                unshift @INC, possibly_foolish_untaint($config{libdir});
        }
 
-       loadplugin($_) foreach @{$config{plugin}};
+       foreach my $plugin (@{$config{plugin}}) {
+               loadplugin($plugin);
+       }
 
        run_hooks(getopt => sub { shift->() });
        if (grep /^-/, @ARGV) {
@@ -331,6 +334,10 @@ sub readfile ($;$$) { #{{{
        binmode($in) if ($binary);
        return \*$in if $wantfd;
        my $ret=<$in>;
+       # check for invalid utf-8, and toss it back to avoid crashes
+       if (! utf8::valid($ret)) {
+               $ret=encode_utf8($ret);
+       }
        close $in || error("failed to read $file: $!");
        return $ret;
 } #}}}
@@ -537,15 +544,21 @@ sub beautify_url ($) { #{{{
        if ($config{usedirs}) {
                $url =~ s!/index.$config{htmlext}$!/!;
        }
-       $url =~ s!^$!./!; # Browsers don't like empty links...
+
+       # Ensure url is not an empty link, and
+       # if it's relative, make that explicit to avoid colon confusion.
+       if ($url !~ /^\//) {
+               $url="./$url";
+       }
 
        return $url;
 } #}}}
 
-sub urlto ($$) { #{{{
+sub urlto ($$;$) { #{{{
        my $to=shift;
        my $from=shift;
-
+       my $absolute=shift;
+       
        if (! length $to) {
                return beautify_url(baseurl($from)."index.$config{htmlext}");
        }
@@ -554,6 +567,10 @@ sub urlto ($$) { #{{{
                $to=htmlpage($to);
        }
 
+       if ($absolute) {
+               return $config{url}.beautify_url("/".$to);
+       }
+
        my $link = abs2rel($to, dirname(htmlpage($from)));
 
        return beautify_url($link);
@@ -595,7 +612,7 @@ sub htmllink ($$$;@) { #{{{
                        return "<span class=\"createlink\"><a href=\"".
                                cgiurl(
                                        do => "create",
-                                       page => pagetitle(lc($link), 1),
+                                       page => lc($link),
                                        from => $lpage
                                ).
                                "\" rel=\"nofollow\">?</a>$linktext</span>"
@@ -712,6 +729,8 @@ sub preprocess ($$$;$$) { #{{{
                my $prefix=shift;
                my $command=shift;
                my $params=shift;
+               $params="" if ! defined $params;
+
                if (length $escape) {
                        return "[[$prefix$command $params]]";
                }
@@ -1289,6 +1308,13 @@ sub pagespec_valid ($) { #{{{
        my $sub=pagespec_translate($spec);
        return ! $@;
 } #}}}
+       
+sub glob2re ($) { #{{{
+       my $re=quotemeta(shift);
+       $re=~s/\\\*/.*/g;
+       $re=~s/\\\?/./g;
+       return $re;
+} #}}}
 
 package IkiWiki::FailReason;
 
@@ -1336,12 +1362,8 @@ sub match_glob ($$;@) { #{{{
                $glob="$from/$glob" if length $from;
        }
 
-       # turn glob into safe regexp
-       $glob=quotemeta($glob);
-       $glob=~s/\\\*/.*/g;
-       $glob=~s/\\\?/./g;
-
-       if ($page=~/^$glob$/i) {
+       my $regexp=IkiWiki::glob2re($glob);
+       if ($page=~/^$regexp$/i) {
                if (! IkiWiki::isinternal($page) || $params{internal}) {
                        return IkiWiki::SuccessReason->new("$glob matches $page");
                }