X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/dc355135225f5c61be09401b8828d8e165433c9c..819b31d46c05c00d4183f824f74bfe3836471d78:/doc/security.mdwn?ds=inline

diff --git a/doc/security.mdwn b/doc/security.mdwn
index e72b3fe2b..b3b5b6f3e 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -18,6 +18,14 @@ Anyone with direct commit access can forge "web commit from foo" and
 make it appear on [[RecentChanges]] like foo committed. One way to avoid
 this would be to limit web commits to those done by a certian user.
 
+## XML::Parser
+
+XML::Parser is used by the aggregation plugin, and has some security holes
+that are still open in Debian unstable as of this writing. #378411 does not
+seem to affect our use, since the data is not encoded as utf-8 at that
+point. #378412 could affect us, although it doesn't seem very exploitable.
+It has a simple fix, which should be NMUed or something..
+
 ## other stuff to look at
 
 I need to audit the git backend a bit, and have been meaning to
@@ -83,6 +91,10 @@ _(AKA, the assumptions that will be the root of most security holes...)_
 Someone could add bad content to the wiki and hope to exploit ikiwiki.
 Note that ikiwiki runs with perl taint checks on, so this is unlikely.
 
+One fun thing in ikiwiki is its handling of a PageSpec, which involves
+translating it into perl and running the perl. Of course, this is done
+*very* carefully to guard against injecting arbitrary perl code.
+
 ## publishing cgi scripts
 
 ikiwiki does not allow cgi scripts to be published as part of the wiki. Or