comments: Fix XSS security hole due to missing validation of page name.

Values have to be checked against wiki_file_regexp, not just file_pruned.
Audited the rest of the code base for similar problems, found none.

diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index 1287590a77ecb833a8a80f2b4d5a48ec12de971e..d9183970d8b1525c34a69a68dcec57fa88eaf58e 100644 (file)
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -364,8 +364,8 @@ sub editcomment ($$) {
        }
 
        # The untaint is OK (as in editpage) because we're about to pass
-       # it to file_pruned anyway
-       my $page = $form->field('page');
+       # it to file_pruned and wiki_file_regexp anyway.
+       my $page = $form->field('page')=~/$config{wiki_file_regexp}/;
        $page = IkiWiki::possibly_foolish_untaint($page);
        if (! defined $page || ! length $page ||
                IkiWiki::file_pruned($page)) {

diff --git a/debian/changelog b/debian/changelog
index 36e4a957686a3449a176dacd676a83d0431ec9ad..0165a240bb0dc85d69387c197e682945573f7bc9 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ ikiwiki (3.20110106) UNRELEASED; urgency=low
     to feed links. (Giuseppe Bilotta)
   * inline: Use class rather than id for feedlinks and blogform.
     (Giuseppe Bilotta)
+  * comments: Fix XSS security hole due to missing validation of page name.
 
  -- Joey Hess <joeyh@debian.org>  Thu, 06 Jan 2011 14:41:34 -0400