resecued version 1.33.3, which was not tagged in revision control before

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index ce4b6ada18ebd486a4ed12c2ae9f2e0b55097fb4..1e0ee01eb0a0129230b72fb7bd5111c35e5c9873 100644 (file)
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -439,6 +439,9 @@ sub cgi_editpage ($$) { #{{{
        if (exists $pagesources{$page}) {
                $file=$pagesources{$page};
                $type=pagetype($file);
        if (exists $pagesources{$page}) {
                $file=$pagesources{$page};
                $type=pagetype($file);

+               if (! defined $type) {
+                       error("$page is not an editable page");
+               }

        }
        else {
                $type=$form->param('type');
        }
        else {
                $type=$form->param('type');

diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 2e5fd7e76959deaa7aed03445284c2b8bb4fb59c..5223d8ff6d1ca81ec0d2eb7cb576fcbf48cfaa12 100644 (file)
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -26,6 +26,15 @@ sub filter (@) { #{{{
        return $params{content};
 } # }}}
 
        return $params{content};
 } # }}}
 

+sub scrub ($) { #{{{
+       if (IkiWiki::Plugin::htmlscrubber->can("sanitize")) {
+               return IkiWiki::Plugin::htmlscrubber::sanitize(content => shift);
+       }
+       else {
+               return shift;
+       }
+} #}}}
+

 sub preprocess (@) { #{{{
        if (! @_) {
                return "";
 sub preprocess (@) { #{{{
        if (! @_) {
                return "";


@@ -45,9 +54,9 @@ sub preprocess (@) { #{{{
 
        if ($key eq 'link') {
                if (%params) {
 
        if ($key eq 'link') {
                if (%params) {

-                       $meta{$page}.="<link href=\"".encode_entities($value)."\" ".
+                       $meta{$page}.=scrub("<link href=\"".encode_entities($value)."\" ".

                                join(" ", map { encode_entities($_)."=\"".encode_entities(decode_entities($params{$_}))."\"" } keys %params).
                                join(" ", map { encode_entities($_)."=\"".encode_entities(decode_entities($params{$_}))."\"" } keys %params).

-                               " />\n";
+                               " />\n");

                }
                else {
                        # hidden WikiLink
                }
                else {
                        # hidden WikiLink


@@ -55,15 +64,37 @@ sub preprocess (@) { #{{{
                }
        }
        elsif ($key eq 'title') {
                }
        }
        elsif ($key eq 'title') {

-               $title{$page}=$value;
+               $title{$page}=encode_entities($value);

        }
        elsif ($key eq 'permalink') {
                $permalink{$page}=$value;
        }
        elsif ($key eq 'permalink') {
                $permalink{$page}=$value;

-               $meta{$page}.="<link rel=\"bookmark\" href=\"".encode_entities($value)."\" />\n";
+               $meta{$page}.=scrub("<link rel=\"bookmark\" href=\"".encode_entities($value)."\" />\n");
+       }
+       elsif ($key eq 'stylesheet') {
+               my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet";
+               my $title=exists $params{title} ? $params{title} : $value;
+               # adding .css to the value prevents using any old web
+               # editable page as a stylesheet
+               my $stylesheet=bestlink($page, $value.".css");
+               if (! length $stylesheet) {
+                       return "[[meta ".gettext("stylesheet not found")."]]";
+               }
+               $meta{$page}.='<link href="'.$stylesheet.
+                       '" rel="'.encode_entities($rel).
+                       '" title="'.encode_entities($title).
+                       "\" style=\"text/css\" />\n";
+       }
+       elsif ($key eq 'openid') {
+               if (exists $params{server}) {
+                       $meta{$page}.='<link href="'.encode_entities($params{server}).
+                               "\" rel=\"openid.server\" />\n";
+               }
+               $meta{$page}.='<link href="'.encode_entities($value).
+                       "\" rel=\"openid.delegate\" />\n";

        }
        else {
        }
        else {

-               $meta{$page}.="<meta name=\"".encode_entities($key).
-                       "\" content=\"".encode_entities($value)."\" />\n";
+               $meta{$page}.=scrub("<meta name=\"".encode_entities($key).
+                       "\" content=\"".encode_entities($value)."\" />\n");

                if ($key eq 'author') {
                        $author{$page}=$value;
                }
                if ($key eq 'author') {
                        $author{$page}=$value;
                }

diff --git a/debian/NEWS b/debian/NEWS
index 781a32f590dad2cb6a8a8b2c242ff355fcd07640..b671e28e35c9f29ee7f8d2aec388dbf89b32bad1 100644 (file)
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+ikiwiki (1.32.3) unstable; urgency=low
+
+  Due to a security fix, wikis that have the htmlscrubber enabled can no
+  longer use the meta plugin to insert html link and meta tags.
+
+  Some special case methods have been added for safely including stylesheets,
+  and for doing openid delegation. See the meta plugin docs for details.
+
+ -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 14:56:30 -0400
+

 ikiwiki (1.32) unstable; urgency=low
 
   There is a change to the plugin interface in this version. Any plugins that
 ikiwiki (1.32) unstable; urgency=low
 
   There is a change to the plugin interface in this version. Any plugins that

diff --git a/debian/changelog b/debian/changelog
index afa0d9228c83dcca955907fb60b51292afe78644..027785277e4da79e620ddbe079b9b98443d5ea8e 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,34 @@
+ikiwiki (1.33.3) testing-proposed-updates; urgency=medium
+
+  * Fix a security hole that allowed insertion of unsafe content via the meta
+    plugins's support for inserting html link and meta tags. Now such content
+    is passed through the htmlscrubber like everything else.
+  * Unfortunatly, that means that some valid uses of those tags are no longer
+    usable, and special case methods needed to be added for including
+    stylesheets, and for doing openid delegation. If you use either of these
+    in your wiki, it will need to be modified. See the meta plugin docs
+    for details.
+
+ -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 14:56:48 -0400
+
+ikiwiki (1.33.2) testing-proposed-updates; urgency=medium
+
+  * Backport fix for a security hole that allowed a web user to insert
+    arbitrary html in the title of a page due to missing escaping of
+    titles in the meta plugin.
+  * Fix examples directory location.
+
+ -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 01:55:02 -0400
+
+ikiwiki (1.33.1) testing-proposed-updates; urgency=medium
+
+  * Backport fix for a security hole that allowed a web user to edit images
+    and other non-page format files in the wiki. To exploit this, the file
+    already had to exist in the wiki, and the web user would need to somehow
+    use the web based editor to replace it with malicious content.
+
+ -- Joey Hess <joeyh@debian.org>  Sat, 10 Feb 2007 15:30:12 -0500
+

 ikiwiki (1.33) unstable; urgency=low
 
   * Fix issue with aggregate plugin updating expired pages.
 ikiwiki (1.33) unstable; urgency=low
 
   * Fix issue with aggregate plugin updating expired pages.

diff --git a/debian/rules b/debian/rules
index 4e14b5ca34cb11f4580d116d1f65aa9b85f89e0e..f9a5be82396ffadaf141e29b0b9906cdb29e4b46 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -26,7 +26,7 @@ binary-indep: build
                DESTDIR=$(shell pwd)/debian/ikiwiki
        dh_install wikilist etc/ikiwiki
        dh_installdocs html
                DESTDIR=$(shell pwd)/debian/ikiwiki
        dh_install wikilist etc/ikiwiki
        dh_installdocs html

-       dh_installexamples doc/examples
+       dh_installexamples doc/examples/*

        dh_link usr/share/common-licenses/GPL usr/share/doc/ikiwiki/html/GPL
        dh_installchangelogs
        dh_compress -X html
        dh_link usr/share/common-licenses/GPL usr/share/doc/ikiwiki/html/GPL
        dh_installchangelogs
        dh_compress -X html

diff --git a/doc/css_market.mdwn b/doc/css_market.mdwn
index 418d8e19190a80ee6b06cd118f87b9bdc1d01913..baf579b717a818384c0bc75782ca953efe75fd62 100644 (file)
--- a/doc/css_market.mdwn
+++ b/doc/css_market.mdwn
@@ -5,13 +5,13 @@ files..)
 * **[[css_market/zack.css]]**, contributed by [[StefanoZacchiroli]],
   customized mostly for *blogging purposes*, can be seen in action on 
   [zack's blog](http://www.bononia.it/~zack/blog/)
 * **[[css_market/zack.css]]**, contributed by [[StefanoZacchiroli]],
   customized mostly for *blogging purposes*, can be seen in action on 
   [zack's blog](http://www.bononia.it/~zack/blog/)

-  [[meta link="css_market/zack.css" rel="alternate stylesheet" title="zack" type="text/css"]]
+  [[meta stylesheet="zack"]]

 
 * **[[css_market/kirkambar.css]]**, contributed by [[Roktas]].  This far from perfect
   stylesheet follows a [Gitweb](http://www.kernel.org/git/?p=git/git.git;a=tree;f=gitweb)
   like theme, so it may provide a consistent look'n feel along with the [[git]] backend. ;-)
   You can see it in action on [kirkambar](http://kirkambar.net/) (Turkish content).
 
 * **[[css_market/kirkambar.css]]**, contributed by [[Roktas]].  This far from perfect
   stylesheet follows a [Gitweb](http://www.kernel.org/git/?p=git/git.git;a=tree;f=gitweb)
   like theme, so it may provide a consistent look'n feel along with the [[git]] backend. ;-)
   You can see it in action on [kirkambar](http://kirkambar.net/) (Turkish content).

-  [[meta link="css_market/kirkambar.css" rel="alternate stylesheet" title="kirkambar" type="text/css"]]
+  [[meta stylesheet="kirkambar"]]

 
 If your web browser allows selecting between multiple stylesheets, this
 page can be viewed using any of the stylesheets above. For example, if
 
 If your web browser allows selecting between multiple stylesheets, this
 page can be viewed using any of the stylesheets above. For example, if

diff --git a/doc/plugins/meta.mdwn b/doc/plugins/meta.mdwn
index f30efb873c47af286497746b4c2072a4f82ca188..9eaf38aece739301602e0c8f264c9a6a4b2b36cf 100644 (file)
--- a/doc/plugins/meta.mdwn
+++ b/doc/plugins/meta.mdwn
@@ -10,21 +10,25 @@ Enter the metadata as follows:
 The first form sets a given field to a given value, while the second form
 also specifies some additional sub-parameters.
 
 The first form sets a given field to a given value, while the second form
 also specifies some additional sub-parameters.
 

+The field values are treated as HTML entity-escaped text, so you can include
+a quote in the text by writing `"` and so on.
+

 You can use any field names you like, but here are some predefined ones:
 
 * link
 
 You can use any field names you like, but here are some predefined ones:
 
 * link
 

-  Specifies a link to another page. This is used to generate a html
-  <link> tag, and also as a way to make the wiki treat one page as
-  linking to another without displaying a user-visible link. The latter 
-  can be useful when using links to categorise pages. A html link tag
-  would look like this:
+  Specifies a link to another page. This can be used as a way to make the
+  wiki treat one page as linking to another without displaying a user-visible
+  [[WikiLink]]:
+
+       \[[meta link=otherpage]]

 
 

-       \[[meta link="foo.css" rel="stylesheet" type="text/css"]]
+  It can also be used to insert a html <link> tag. For example:

 
 

-  A non-user-visible [[WikiLink]] would instead look like this:
+       \[[meta link="http://joeyh.myopenid.com/" rel="openid.delegate"]]

 
 

-       \[[meta link=otherpage]]
+  However, this latter syntax won't be allowed if the [[htmlscrubber]] is
+  enabled, since it can be used to insert unsafe content.

 
 * title
 
 
 * title
 


@@ -48,12 +52,27 @@ You can use any field names you like, but here are some predefined ones:
   Specifies a permanent link to the page, if different than the page
   generated by ikiwiki.
 
   Specifies a permanent link to the page, if different than the page
   generated by ikiwiki.
 

-If the field is not treated specially (as the link and title fields are),
-the metadata will be written to the generated html page as a <meta>
-header.
+* stylesheet

 
 

-The field value is treated as HTML entity-escaped text, so you can include
-a quote in the text by writing `"` and so on.
+  Adds a stylesheet to a page. The stylesheet is treated as a wiki link to
+  a `.css` file in the wiki, so it cannot be used to add links to external
+  stylesheets. Example:
+
+       \[[meta stylesheet=somestyle rel="alternate stylesheet"
+       title="somestyle"]]
+
+* openid
+
+  Adds html <link> tags to perform OpenID delegation to an external
+  OpenID server. This lets you use an ikiwiki page as your OpenID. Example:
+
+       \\[[meta openid="http://joeyh.myopenid.com/"
+       server="http://www.myopenid.com/server"]]
+
+If the field is not one of the above predefined fields, the metadata will be
+written to the generated html page as a <meta> header. However, this
+won't be allowed if the [[htmlscrubber]] is enabled, since it can be used to
+insert unsafe content.

 
 If this plugin is enabled, the title of this page will say that it is.
 [[meta title="meta plugin (enabled)"]]
 
 If this plugin is enabled, the title of this page will say that it is.
 [[meta title="meta plugin (enabled)"]]