X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/d8ec77a3cd00df02b08663d4be1fd117ea2fe57b..7977fe382a3c8829f7abfd4aacd3155e204273a6:/doc/security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index b2e076ec4..52ef486e6 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -41,11 +41,12 @@ who's viewing the wiki, that can be a security problem.
 
 Of course nobody else seems to worry about this in other wikis, so should we?
 
-Currently only people with direct commit access can upload such files
+People with direct commit access can upload such files
 (and if you wanted to you could block that with a pre-commit hook).
-Users with only web commit access are limited to editing pages as ikiwiki
-doesn't support file uploads from browsers (yet), so they can't exploit
-this.
+
+The attachments plugin is not enabled by default. If you choose to
+enable it, you should make use of its powerful abilities to filter allowed
+types of attachments, and only let trusted users upload.
 
 It is possible to embed an image in a page edited over the web, by using
 `img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:`
@@ -403,7 +404,7 @@ passwords in cleartext over the net to log in, either.
 This hole allowed ikiwiki to accept logins using empty passwords, to openid
 accounts that didn't use a password. It was introduced in version 1.34, and
 fixed in version 2.48. The [bug](http://bugs.debian.org/483770) was
-discovered on 30 May 2008 and fixed the same day.
+discovered on 30 May 2008 and fixed the same day. ([[cve CVE-2008-0169]])
 
 I recommend upgrading to 2.48 immediatly if your wiki allows both password
 and openid logins.