meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl...
authorJoey Hess <joey@kitenet.net>
Thu, 17 May 2012 00:26:20 +0000 (20:26 -0400)
committerJoey Hess <joey@kitenet.net>
Thu, 17 May 2012 01:16:30 +0000 (21:16 -0400)
IkiWiki/Plugin/meta.pm
debian/changelog

index c33c8b23882f7e23c8114d67c7ecd388666475e3..ef949f22e06f626cbefd6e4f748248792415b601 100644 (file)
@@ -288,12 +288,13 @@ sub pagetemplate (@) {
                $template->param(title_overridden => 1);
        }
 
-       foreach my $field (qw{author authorurl permalink}) {
-               $template->param($field => $pagestate{$page}{meta}{$field})
+       foreach my $field (qw{authorurl permalink}) {
+               $template->param($field => HTML::Entities::encode_entities($pagestate{$page}{meta}{$field}))
                        if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
        }
 
-       foreach my $field (qw{description}) {
+       foreach my $field (qw{description author}) {
+               eval q{use HTML::Entities};
                $template->param($field => HTML::Entities::encode_numeric($pagestate{$page}{meta}{$field}))
                        if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
        }
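Review bot: The first loop now calls `HTML::Entities::encode_entities` for authorurl and permalink, but the only `eval q{use HTML::Entities};` this hunk adds sits inside the second loop, which runs afterwards; unless something earlier in this process has already loaded the module (not visible from here, and pagetemplate can plausibly run for a page whose meta state was restored from the saved index without any preprocess call in the same run), the first loop dies with an undefined-subroutine error and the page is not rendered. Hoist the load above both loops as a single `eval q{use HTML::Entities};` placed before the `foreach my $field (qw{authorurl permalink}) {` line, rather than re-evaluating the string eval on every iteration of the second loop. Separately, entity-encoding authorurl only stops it from breaking out of the attribute it is interpolated into; if the template emits it as an href, the URL scheme is still unchecked, so a comment such as `# encode_entities escapes the value for attribute context only; it does not validate the URL scheme` would make the limit of this fix explicit for the next maintainer. pagetemplate begins before this hunk and its body continues after it.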
index 3dac4c400d684b3221a60adf7e76069ba4c804bf..fbcd6fac11706a6e4e45cd6f5faf0aa5f1525177 100644 (file)
@@ -1,3 +1,10 @@
+ikiwiki (3.20100815.9) stable-security; urgency=high
+
+  * meta: Security fix; add missing sanitization of author and authorurl.
+    CVE-2012-0220 Thanks, Raúl Benencia
+
+ -- Joey Hess <joeyh@debian.org>  Wed, 16 May 2012 19:51:27 -0400
+
 ikiwiki (3.20100815.8) stable-security; urgency=low
 
   * ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su.