X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/40959ce76d159cefaf0431ad2cc61ad35a9f99b1..b4f768db713be367d5abf09fba464ee1a5adb711:/IkiWiki/Render.pm
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index a95da40d2..35d663a7a 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -270,34 +270,37 @@ sub refresh () { #{{{
}
},
}, $config{srcdir});
- find({
- no_chdir => 1,
- wanted => sub {
- $_=decode_utf8($_);
- if (file_pruned($_, $config{underlaydir})) {
- $File::Find::prune=1;
- }
- elsif (! -d $_ && ! -l $_) {
- my ($f)=/$config{wiki_file_regexp}/; # untaint
- if (! defined $f) {
- warn(sprintf(gettext("skipping bad filename %s"), $_)."\n");
+ foreach my $dir (@{$config{underlaydirs}}, $config{underlaydir}) {
+ find({
+ no_chdir => 1,
+ wanted => sub {
+ $_=decode_utf8($_);
+ if (file_pruned($_, $dir)) {
+ $File::Find::prune=1;
}
- else {
- # Don't add pages that are in the
- # srcdir.
- $f=~s/^\Q$config{underlaydir}\E\/?//;
- if (! -e "$config{srcdir}/$f" &&
- ! -l "$config{srcdir}/$f") {
- my $page=pagename($f);
- if (! $exists{$page}) {
- push @files, $f;
- $exists{$page}=1;
+ elsif (! -d $_ && ! -l $_) {
+ my ($f)=/$config{wiki_file_regexp}/; # untaint
+ if (! defined $f) {
+ warn(sprintf(gettext("skipping bad filename %s"), $_)."\n");
+ }
+ else {
+ $f=~s/^\Q$dir\E\/?//;
+ # avoid underlaydir
+ # override attacks; see
+ # security.mdwn
+ if (! -e "$config{srcdir}/$f" &&
+ ! -l "$config{srcdir}/$f") {
+ my $page=pagename($f);
+ if (! $exists{$page}) {
+ push @files, $f;
+ $exists{$page}=1;
+ }
}
}
}
- }
- },
- }, $config{underlaydir});
+ },
+ }, $dir);
+ };
my %rendered;
@@ -351,7 +354,7 @@ sub refresh () { #{{{
}
run_hooks(needsbuild => sub { shift->(\@needsbuild) });
- # scan and rendder files
+ # scan and render files
foreach my $file (@needsbuild) {
debug(sprintf(gettext("scanning %s"), $file));
scan($file);