X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/4a4c0b626874e9c5db38a54c678689805f790d74..2335443eb6f8c7934984064d92805b4c5ccc8975:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index 5cc35b338..154566cd8 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -6,6 +6,8 @@ security issues with this program than with cat(1). If, however, you let others edit pages in your wiki, then some possible security issues do need to be kept in mind. +[[toc levels=2]] + ---- # Probable holes @@ -16,7 +18,7 @@ _(The list of things to fix.)_ Anyone with direct commit access can forge "web commit from foo" and make it appear on [[RecentChanges]] like foo committed. One way to avoid -this would be to limit web commits to those done by a certian user. +this would be to limit web commits to those done by a certain user. ## other stuff to look at @@ -156,6 +158,20 @@ allowed, so that's not a problem.) ---- +# Plugins + +The security of [[plugins]] depends on how well they're written and what +external tools they use. The plugins included in ikiwiki are all held to +the same standards as the rest of ikiwiki, but with that said, here are +some security notes for them. + +* The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure + from malformed image attacks. Imagemagick has had security holes in the + past. To be able to exploit such a hole, a user would need to be able to + upload images to the wiki. + +---- + # Fixed holes _(Unless otherwise noted, these were discovered and immediately fixed by the