"msnim", "notes", "rsync", "secondlife", "skype", "ssh",
"sftp", "smb", "sms", "snews", "webcal", "ymsgr",
);
- # data is a special case. Allow data:image/*, but
- # disallow data:text/javascript and everything else.
- $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
+ # data is a special case. Allow a few data:image/ types,
+ # but disallow data:text/javascript and everything else.
+ $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
}
sub getsetup () {
-ikiwiki (3.20100303) UNRELEASED; urgency=low
+ikiwiki (3.20100312) unstable; urgency=HIGH
* Fix utf8 issues in calls to md5_hex.
* moderatedcomments: Added moderate_pagespec that can be used
* Fix missing span on recentchanges page template.
* search: Avoid '$' in the wikiname appearing unescaped on omega's
query template, where it might crash omega.
+ * htmlscrubber: Security fix: In data:image/* uris, only allow a few
+ whitelisted image types. No svg.
-- Joey Hess <joeyh@debian.org> Tue, 09 Mar 2010 19:46:35 -0500
The fix was released on 30 Aug 2009 in version 3.1415926, and was
backported to stable in version 2.53.4. If you use the teximg plugin,
I recommend upgrading. ([[!cve CVE-2009-2944]])
+
+## javascript insertion via svg uris
+
+Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls,
+including `data:image/svg+xml`. But svg can contain javascript, so that is
+unsafe.
+
+This hole was discovered on 12 March 2010 and fixed the same day
+with the release of ikiwiki 3.20100312.
+A fix was also backported to Debian etch, as version 2.53.5. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.