}
# The untaint is OK (as in editpage) because we're about to pass
- # it to file_pruned anyway
- my $page = $form->field('page');
+ # it to file_pruned and wiki_file_regexp anyway.
+ my $page = $form->field('page')=~/$config{wiki_file_regexp}/;
$page = IkiWiki::possibly_foolish_untaint($page);
if (! defined $page || ! length $page ||
IkiWiki::file_pruned($page)) {
# This untaint is safe because we check file_pruned and
# wiki_file_regexp.
my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/;
- $page=possibly_foolish_untaint($page);
- my $absolute=($page =~ s#^/+##); # absolute name used to force location
if (! defined $page || ! length $page ||
file_pruned($page)) {
error(gettext("bad page name"));
}
+ $page=possibly_foolish_untaint($page);
+ my $absolute=($page =~ s#^/+##); # absolute name used to force location
my $baseurl = urlto($page);
}
if ($needfix) {
my $file=$pagesources{$page};
+ next unless -e $config{srcdir}."/".$file;
my $oldcontent=readfile($config{srcdir}."/".$file);
my $content=renamepage_hook($page, $rename->{src}, $rename->{dest}, $oldcontent);
if ($oldcontent ne $content) {
to feed links. (Giuseppe Bilotta)
* inline: Use class rather than id for feedlinks and blogform.
(Giuseppe Bilotta)
+ * comments: Fix XSS security hole due to missing validation of page name.
+ (Thanks, Dave B.)
+ * rename: Fix crash when renaming a page that is linked to by a page
+ in an underlay.
-- Joey Hess <joeyh@debian.org> Thu, 06 Jan 2011 14:41:34 -0400
These problems were discovered on 12 November 2010 and fixed the same
hour with the release of ikiwiki 3.20101112. ([[!cve CVE-2010-1673]])
+
+## javascript insertation via insufficient checking in comments
+
+Dave B noticed that attempting to comment on an illegal page name could be
+used for an XSS attack.
+
+This hole was discovered on 22 Jan 2011 and fixed the same day with
+the release of ikiwiki 3.20110122. An upgrade is recommended for sites
+with the comments plugin enabled.