X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/cb777df0415cfad80a3725387b5fdbf5c95b8941..19a7752021249eb8984e523fd6ed5a3730dc9be7:/doc/security.mdwn?ds=inline diff --git a/doc/security.mdwn b/doc/security.mdwn index 34f820f6e..c51cd5b95 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -41,8 +41,8 @@ who's viewing the wiki, that can be a security problem. Of course nobody else seems to worry about this in other wikis, so should we? -Currently only people with direct svn commit access can upload such files -(and if you wanted to you could block that with a svn pre-commit hook). +Currently only people with direct commit access can upload such files +(and if you wanted to you could block that with a pre-commit hook). Users with only web commit access are limited to editing pages as ikiwiki doesn't support file uploads from browsers (yet), so they can't exploit this. @@ -57,16 +57,16 @@ So it's best if only one person can ever directly write to those directories. ## setup files -Setup files are not safe to keep in subversion with the rest of the wiki. -Just don't do it. [[ikiwiki.setup]] is *not* used as the setup file for -this wiki, BTW. +Setup files are not safe to keep in the same revision control repository +with the rest of the wiki. Just don't do it. [[ikiwiki.setup]] is *not* +used as the setup file for this wiki, BTW. -## page locking can be bypassed via direct svn commits +## page locking can be bypassed via direct commits -A locked page can only be edited on the web by an admin, but -anyone who is allowed to commit direct to svn can bypass this. This is by -design, although a subversion pre-commit hook could be used to prevent -editing of locked pages when using subversion, if you really need to. +A locked page can only be edited on the web by an admin, but anyone who is +allowed to commit directly to the repository can bypass this. This is by +design, although a pre-commit hook could be used to prevent editing of +locked pages, if you really need to. ## web server attacks @@ -122,8 +122,8 @@ page to edit. It has to make sure to sanitise this page, to prevent eg, editing of ../../../foo, or editing of files that are not part of the wiki, such as subversion dotfiles. This is done by sanitising the filename removing unallowed characters, then making sure it doesn't start with "/" -or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where -security holes breed. It needs a test suite at the very least. +or contain ".." or "/.svn/", etc. Annoyingly ad-hoc, this kind of code is +where security holes breed. It needs a test suite at the very least. ## CGI::Session security @@ -204,13 +204,13 @@ wouldn't see. To avoid this, ikiwiki will skip over symlinks when scanning for pages, and uses locking to prevent more than one instance running at a time. The lock -prevents one ikiwiki from running a svn up at the wrong time to race -another ikiwiki. So only attackers who can write to the working copy on -their own can race it. +prevents one ikiwiki from running a svn up/git pull/etc at the wrong time +to race another ikiwiki. So only attackers who can write to the working +copy on their own can race it. ## symlink + cgi attacks -Similarly, a svn commit of a symlink could be made, ikiwiki ignores it +Similarly, a commit of a symlink could be made, ikiwiki ignores it because of the above, but the symlink is still there, and then you edit the page from the web, which follows the symlink when reading the page (exposing the content), and again when saving the changed page (changing @@ -341,7 +341,7 @@ There are at least two configurations where this is exploitable: notice. This security hole was discovered on 26 November 2007 and fixed the same -da with the release of ikiwiki 2.14. I recommend upgrading to this version +day with the release of ikiwiki 2.14. I recommend upgrading to this version if your wiki can be committed to by third parties. Alternatively, don't use a trailing slash in the srcdir, and avoid the (unusual) configurations that allow the security hole to be exploited.