X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/4e791ed69565eafd3d130528a32a385be3f1686c..968b4bec195e498daf3aaaeafc9e5ee31a0b4bf0:/doc/security.mdwn?ds=inline diff --git a/doc/security.mdwn b/doc/security.mdwn index d834aa1a5..723daeccc 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -47,6 +47,13 @@ Users with only web commit access are limited to editing pages as ikiwiki doesn't support file uploads from browsers (yet), so they can't exploit this. +It is possible to embed an image in a page edited over the web, by using +`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:` +urls to be used for `image/*` mime types. It's possible that some broken +browser might ignore the mime type and if the data provided is not an +image, instead run it as javascript, or something evil like that. Hopefully +not many browsers are that broken. + ## multiple accessors of wiki directory If multiple people can directly write to the source directory ikiwiki is @@ -349,9 +356,13 @@ allow the security hole to be exploited. ## javascript insertion via uris The htmlscrubber did not block javascript in uris. This was fixed by adding -a whitelist of valid uri types, which does not include javascript. +a whitelist of valid uri types, which does not include javascript. +([[cve CVE-2008-0809]]) Some urls specifyable by the meta plugin could also +theoretically have been used to inject javascript; this was also blocked +([[cve CVE-2008-0808]]). This hole was discovered on 10 February 2008 and fixed the same day -with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch, -as version 1.33.4. I recommend upgrading to one of these versions if your -wiki can be edited by third parties. +with the release of ikiwiki 2.31.1. (And a few subsequent versions..) +A fix was also backported to Debian etch, as version 1.33.4. I recommend +upgrading to one of these versions if your wiki can be edited by third +parties.