CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in
f4ec7b0. Force it into scalar context where it is used
in an argument list.
This prevents two (relatively minor) commit metadata forgery
vulnerabilities:
* In the comments plugin, an attacker who was able to post a comment
could give it a user-specified author and author-URL even if the wiki
configuration did not allow for that, by crafting multiple values
to other fields.
* In the editpage plugin, an attacker who was able to edit a page
could potentially forge commit authorship by crafting multiple values
for the rcsinfo field.
The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.
OVE-
20161226-0001
(cherry picked from commit
c1120bbbe8fdea20cf64fa12247f4f4a4006c834)
# Generate the attachment list only after having added any new
# attachments.
- $form->tmpl_param("attachment_list" => [attachment_list($form->field('page'))]);
+ $form->tmpl_param("attachment_list" => [attachment_list(scalar $form->field('page'))]);
}
sub attachment_holding_location {
}
$postcomment=1;
- my $ok=IkiWiki::check_content(content => $form->field('editcontent'),
- subject => $form->field('subject'),
+ my $ok=IkiWiki::check_content(
+ content => scalar $form->field('editcontent'),
+ subject => scalar $form->field('subject'),
$config{comments_allowauthor} ? (
- author => $form->field('author'),
- url => $form->field('url'),
+ author => scalar $form->field('author'),
+ url => scalar $form->field('url'),
) : (),
page => $location,
cgi => $cgi,
length $form->field('subject')) {
$message = sprintf(
gettext("Added a comment: %s"),
- $form->field('subject'));
+ scalar $form->field('subject'));
}
IkiWiki::rcs_add($file);
$conflict=rcs_commit(
file => $file,
message => $message,
- token => $form->field("rcsinfo"),
+ token => scalar $form->field("rcsinfo"),
session => $session,
);
enable_commit_hook();
}
elsif ($form->submitted eq "Save Preferences" && $form->validate &&
defined $form->field("subscriptions")) {
- setsubscriptions($username, $form->field('subscriptions'));
+ setsubscriptions($username, scalar $form->field('subscriptions'));
}
}
$form->field(
name => "password",
validate => sub {
- checkpassword($form->field("name"), shift);
+ checkpassword(scalar $form->field("name"), shift);
},
);
}
if ($form->submitted eq "Save Preferences" && $form->validate) {
my $user_name=$form->field('name');
if (defined $form->field("password") && length $form->field("password")) {
- setpassword($user_name, $form->field('password'));
+ setpassword($user_name, scalar $form->field('password'));
}
}
}
# their buttons, which is why this hook must be run last.
# The canrename/canremove hooks already ensure this is forbidden
# at the backend level, so this is only UI sugar.
- if (istranslation($form->field("page"))) {
+ if (istranslation(scalar $form->field("page"))) {
map {
for (my $i = 0; $i < @{$params{buttons}}; $i++) {
if (@{$params{buttons}}[$i] eq $_) {
my $session=$params{session};
if ($form->submitted eq "Rename" && $form->field("do") eq "edit") {
- rename_start($q, $session, 0, $form->field("page"));
+ rename_start($q, $session, 0, scalar $form->field("page"));
}
elsif ($form->submitted eq "Rename Attachment") {
my @selected=map { Encode::decode_utf8($_) } $q->param("attachment_select");
# performed in check_canrename later.
my $srcfile=IkiWiki::possibly_foolish_untaint($pagesources{$src})
if exists $pagesources{$src};
- my $dest=IkiWiki::possibly_foolish_untaint(titlepage($form->field("new_name")));
+ my $dest=IkiWiki::possibly_foolish_untaint(titlepage(scalar $form->field("new_name")));
my $destfile=$dest;
if (! $q->param("attachment")) {
my $type=$q->param('type');