git.ikiwiki.info.git / commitdiff (parent: d4c7df9)
yes, not committing the setup file to the same VCS is a security thing
author smcv <smcv@web> Wed, 22 Jun 2016 08:05:32 +0000 (04:05 -0400)
committer admin <admin@branchable.com> Wed, 22 Jun 2016 08:05:32 +0000 (04:05 -0400)
doc/setup/byhand/discussion.mdwn
diff --git
a/doc/setup/byhand/discussion.mdwn
b/doc/setup/byhand/discussion.mdwn
index 4d009f20d75a2592574dc839a6160fca64e710f2..6fc931ad3b5b8e04c2d1a79db50eaa42ef50bb25 100644
(file)
--- a/
doc/setup/byhand/discussion.mdwn
+++ b/
doc/setup/byhand/discussion.mdwn
@@
-13,3
+13,8
@@
The page says *"Note that this file should **not** be put in your wiki's directo
One possible thing is security: Is it just a precaution or would anyone with "write" access to wiki be able to replace the file?
--[[Martian]]
One possible thing is security: Is it just a precaution or would anyone with "write" access to wiki be able to replace the file?
--[[Martian]]
+
+> Anyone with the ability to delete/replace attachments via the web UI, or the ability
+> to commit directly to the VCS, would be able to replace it. That breaks ikiwiki's
+> security model, because replacing the setup file is sufficient to achieve
+> arbitrary code execution as the user running the CGI and VCS hooks. --[[smcv]]
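Review bot: the rationale in the four added `>` lines lands only on the discussion page, while the question it answers was prompted by the setup page's own note ("this file should **not** be put in your wiki's directo..."). If that note does not already give the reason, a one-sentence version belongs next to it: anyone who can delete/replace attachments via the web UI or commit directly to the VCS could replace the setup file, and that is enough for arbitrary code execution as the user running the CGI and VCS hooks. Readers following the by-hand setup would then see why the rule exists without having to find this thread.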