From: Joey Hess Date: Fri, 2 Apr 2010 20:05:14 +0000 (-0400) Subject: htmlscrubber: Allow colons in url fragments after '?' X-Git-Tag: 3.20100403~21 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/104919ee07b70b166c6c6be13b4f6e5bc5225179 htmlscrubber: Allow colons in url fragments after '?' Colons are not allowed at the start of urls, because it can be interpreted as a protocol, and allowing arbitrary protocols can be unsafe (CVE-2008-0809). However, this check was too restrictive, not allowing use of eg, "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a video, or "somecgi?foo=bar:baz" to pass parameters with colons. It's still not allowed to have a filename with a colon in it (ie "foo:bar.png") -- to link to such a file, a fully qualified url must be used. --- diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 26e18ffc7..9f40c752f 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -32,7 +32,7 @@ sub import { ); # data is a special case. Allow a few data:image/ types, # but disallow data:text/javascript and everything else. - $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i; + $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?]))/i; } sub getsetup () { diff --git a/debian/changelog b/debian/changelog index bbca7cffe..adf0dfed6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,6 +25,7 @@ ikiwiki (3.20100324) UNRELEASED; urgency=low used, but they are available in the session object now.) * page.tmpl: Add Cache-Control must-revalidate to ensure that users (especially of Firefox) see fresh page content. + * htmlscrubber: Allow colons in urls after '?' -- Joey Hess Sat, 13 Mar 2010 14:48:10 -0500