* Fix a few bugs around page titles containing html. The worst of these

  is an actual security hole as it allows insertion of html into the title
  element of a page, which is not processed by the htmlscrubber.

diff --git a/debian/changelog b/debian/changelog
index 26aaad53bdc5938e295bb019a02640ae12044f81..5934958ce09b06b21fc2688109bfffc8e6e2164f 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (1.46) UNRELEASED; urgency=low
+ikiwiki (1.46) unstable; urgency=low
 
   * Fix a bug with inlined create page links, including Discussion links on
     blog post pages. The links will now create pages relative to the page that
@@ -12,8 +12,11 @@ ikiwiki (1.46) UNRELEASED; urgency=low
     same time, and let the second person resolve the conflict.
   * Applied a patch from Michał to make the mercurial backend pass --quiet to
     hg.
+  * Fix a few bugs around page titles containing html. The worst of these
+    is an actual security hole as it allows insertion of html into the title
+    element of a page, which is not processed by the htmlscrubber.
 
- -- Joey Hess <joeyh@debian.org>  Sun, 18 Mar 2007 18:22:12 -0400
+ -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 01:51:30 -0400
 
 ikiwiki (1.45) unstable; urgency=low
 

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 01a893d2025c252526d7f449b0b7553578e5365c..9b561a13eb80f30592758727f171b9467d082c3e 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -293,3 +293,14 @@ This hole was discovered on 10 Feb 2007 and fixed the same day with the
 release of ikiwiki 1.42. A fix was also backported to Debian etch, as
 version 1.33.1. I recommend upgrading to one of these versions if your wiki
 allows web editing.
+
+## html insertion via title
+
+Missing html escaping of the title contents allowed a web-based editor to
+insert arbitrary html inside the title tag of a page. Since that part of
+the page is not processed by the htmlscrubber, evil html could be injected.
+
+This hole was discovered on 21 March 2007 and fixed the same day (er, hour) 
+with the release of ikiwiki 1.46. A fix was also backported to Debian etch,
+as version 1.33.2. I recommend upgrading to one of these versions if your
+wiki allows web editing or aggregates feeds.

diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index f2c3cf4983f42e5ddc5efce3be5581d37cab5892..8f223571b72a75cb23ba44dab60e3b67cade2852 100644 (file)
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-17 19:21-0400\n"
+"POT-Creation-Date: 2007-03-21 01:50-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -41,17 +41,17 @@ msgstr ""
 msgid "creating %s"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:518
-#: ../IkiWiki/CGI.pm:562
+#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:507
+#: ../IkiWiki/CGI.pm:533 ../IkiWiki/CGI.pm:577
 #, perl-format
 msgid "editing %s"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:659
+#: ../IkiWiki/CGI.pm:674
 msgid "You are banned."
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:691
+#: ../IkiWiki/CGI.pm:706
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
@@ -472,15 +472,15 @@ msgstr ""
 msgid "generating wrappers.."
 msgstr ""
 
-#: ../IkiWiki/Setup/Standard.pm:71
+#: ../IkiWiki/Setup/Standard.pm:72
 msgid "rebuilding wiki.."
 msgstr ""
 
-#: ../IkiWiki/Setup/Standard.pm:74
+#: ../IkiWiki/Setup/Standard.pm:75
 msgid "refreshing wiki.."
 msgstr ""
 
-#: ../IkiWiki/Setup/Standard.pm:83
+#: ../IkiWiki/Setup/Standard.pm:84
 msgid "done"
 msgstr ""
 

diff --git a/templates/archivepage.tmpl b/templates/archivepage.tmpl
index 6bc789dfb29cfe241055ac51c4c392df6a6a50a4..7e8b8b8fc7aec12e99af2347f4bd24b3610bf8e8 100644 (file)
--- a/templates/archivepage.tmpl
+++ b/templates/archivepage.tmpl
@@ -1,5 +1,5 @@
 <p>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a><br />
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a><br />
 <i>
 Posted <TMPL_VAR CTIME>
 </i>

diff --git a/templates/inlinepage.tmpl b/templates/inlinepage.tmpl
index 0317c248ca1086bffc16d8199c53ed8cb12b2166..f1f21d4be4276ed6fbf9c347da465cb4948af719 100644 (file)
--- a/templates/inlinepage.tmpl
+++ b/templates/inlinepage.tmpl
@@ -10,9 +10,9 @@
 </TMPL_IF>
 <span class="header">
 <TMPL_IF NAME="PERMALINK">
-<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE></a>
+<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE ESCAPE=HTML></a>
 <TMPL_ELSE>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a>
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a>
 </TMPL_IF>
 </span>
 <TMPL_VAR CONTENT>

diff --git a/templates/page.tmpl b/templates/page.tmpl
index 471ed1a7d4236922f1f6e8815157571d2fe5df14..2c28a68f5d03b9ed3df777a1485916efef5d32e4 100644 (file)
--- a/templates/page.tmpl
+++ b/templates/page.tmpl
@@ -3,7 +3,7 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<title><TMPL_VAR TITLE></title>
+<title><TMPL_VAR TITLE ESCAPE=HTML></title>
 <link rel="stylesheet" href="<TMPL_VAR BASEURL>style.css" type="text/css" />
 <link rel="stylesheet" href="<TMPL_VAR BASEURL>local.css" type="text/css" />
 <TMPL_IF NAME="FAVICON">
@@ -19,7 +19,7 @@
 <TMPL_LOOP NAME="PARENTLINKS">
 <a href="<TMPL_VAR NAME=URL>"><TMPL_VAR NAME=PAGE></a>/ 
 </TMPL_LOOP>
-<TMPL_VAR TITLE>
+<TMPL_VAR TITLE ESCAPE=HTML>
 </span>
 <TMPL_IF NAME="SEARCHFORM">
 <TMPL_VAR SEARCHFORM>

diff --git a/templates/titlepage.tmpl b/templates/titlepage.tmpl
index f5cd5bc53e69de301886902e25428cd2ab2c9b94..0676a098e9b0cc7ed4a16549cc81348e093312f5 100644 (file)
--- a/templates/titlepage.tmpl
+++ b/templates/titlepage.tmpl
@@ -1 +1 @@
-<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a></p>
+<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a></p>