]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/commitdiff
projects / git.ikiwiki.info.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a0e31f3)
meta: Security fix; don't allow alternative stylesheets to be added on pages where...
authorJoey Hess <joey@kitenet.net>
Mon, 28 Mar 2011 16:21:12 +0000 (12:21 -0400)
committerJoey Hess <joey@kitenet.net>
Mon, 28 Mar 2011 16:21:12 +0000 (12:21 -0400)
IkiWiki/Plugin/meta.pm patch | blob | history
debian/changelog patch | blob | history
doc/ikiwiki/directive/meta.mdwn patch | blob | history
doc/security.mdwn patch | blob | history

diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index ad6d1a8e338895685be79486c5b4dac95f9c21b9..1a9f94a124d766687da1daeac391cf8b479a4cec 100644 (file)
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -174,10 +174,10 @@ sub preprocess (@) {
                if (! length $stylesheet) {
                        error gettext("stylesheet not found")
                }
                if (! length $stylesheet) {
                        error gettext("stylesheet not found")
                }
-               push @{$metaheaders{$page}}, '<link href="'.urlto($stylesheet, $page).
+               push @{$metaheaders{$page}}, scrub('<link href="'.urlto($stylesheet, $page).
                        '" rel="'.encode_entities($rel).
                        '" title="'.encode_entities($title).
                        '" rel="'.encode_entities($rel).
                        '" title="'.encode_entities($title).
-                       "\" type=\"text/css\" />";
+                       "\" type=\"text/css\" />", $page, $destpage);
        }
        elsif ($key eq 'openid') {
                my $delegate=0; # both by default
        }
        elsif ($key eq 'openid') {
                my $delegate=0; # both by default
diff --git a/debian/changelog b/debian/changelog
index e78ce3e1c185ae69de25e13bfc15ccabe6f6abc8..91c4c6d2407f9948e0677656afc46abb46a222e4 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20110322) UNRELEASED; urgency=low
+ikiwiki (3.20110328) UNRELEASED; urgency=low
 
   * Yaml formatted setup files are now produced by default.
     (Perl formatted setup files can still be used.)
 
   * Yaml formatted setup files are now produced by default.
     (Perl formatted setup files can still be used.)
@@ -6,6 +6,8 @@ ikiwiki (3.20110322) UNRELEASED; urgency=low
     via the web.
   * comment: Better fix to avoid showing comments of subpages, while
     not breaking manual inlining of comments.
     via the web.
   * comment: Better fix to avoid showing comments of subpages, while
     not breaking manual inlining of comments.
+  * meta: Security fix; don't allow alternative stylesheets to be added
+    on pages where the htmlscrubber is enabled.
 
  -- Joey Hess <joeyh@debian.org>  Thu, 24 Mar 2011 13:34:34 -0400
 
 
  -- Joey Hess <joeyh@debian.org>  Thu, 24 Mar 2011 13:34:34 -0400
 
diff --git a/doc/ikiwiki/directive/meta.mdwn b/doc/ikiwiki/directive/meta.mdwn
index d66e26fc4e493574a9158f57a49b504beba07021..50aaf66be46244148c7cf6c29e4b9c7e9005c3aa 100644 (file)
--- a/doc/ikiwiki/directive/meta.mdwn
+++ b/doc/ikiwiki/directive/meta.mdwn
@@ -77,6 +77,10 @@ Supported fields:
 
        \[[!meta stylesheet=somestyle rel="alternate stylesheet"
        title="somestyle"]]
 
        \[[!meta stylesheet=somestyle rel="alternate stylesheet"
        title="somestyle"]]
+  
+  However, this will be scrubbed away if the 
+  [[!iki plugins/htmlscrubber desc=htmlscrubber]] plugin is enabled,
+  since it can be used to insert unsafe content.
 
 * openid
 
 
 * openid
 
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 770927e26d1f5b607953132f77ae5ebed6004c05..2b387ac2322c1accdd57b9edca7c6b0f6c36c1b8 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -463,3 +463,14 @@ This hole was discovered on 22 Jan 2011 and fixed the same day with
 the release of ikiwiki 3.20110122. A fix was backported to Debian squeeze,
 as version 3.20100815.5. An upgrade is recommended for sites
 with the comments plugin enabled. ([[!cve CVE-2011-0428]])
 the release of ikiwiki 3.20110122. A fix was backported to Debian squeeze,
 as version 3.20100815.5. An upgrade is recommended for sites
 with the comments plugin enabled. ([[!cve CVE-2011-0428]])
+
+## possible javascript insertion via insufficient htmlscrubbing of alternate stylesheets
+
+Tango noticed that 'meta stylesheet` directives allowed anyone
+who could upload a malicious stylesheet to a site to add it to a
+page as an alternate stylesheet. In order to be exploited, the user
+would have to select the alternative stylesheet in their browser.
+
+This hole was discovered on 28 Mar 2011 and fixed the same hour with
+the release of ikiwiki 3.20110328. An upgrade is recommended for sites
+that have untrusted committers, or have the attachments plugin enabled.
Unnamed repository; edit this file 'description' to name the repository.