From: Joey Hess
Date: Sun, 21 Sep 2008 02:48:22 +0000 (-0400)
Subject: add missing page name sanity check
X-Git-Tag: 2.65~41
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/12eb585353660d121e48d5796d35354b66c7e522?ds=sidebyside;hp=-c
add missing page name sanity check
--- 12eb585353660d121e48d5796d35354b66c7e522
diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm
index bb21ed2be..68f43bf16 100644
--- a/IkiWiki/Plugin/editpage.pm
+++ b/IkiWiki/Plugin/editpage.pm
@@ -85,8 +85,9 @@ sub cgi_editpage ($$) { #{{{
 });
 decode_form_utf8($form);
- # This untaint is safe because we check file_pruned.
- my $page=$form->field('page');
+ # This untaint is safe because we check file_pruned and
+ # wiki_file_regexp.
+ my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/;
 $page=possibly_foolish_untaint($page);
 my $absolute=($page =~ s#^/+##);
 if (! defined $page || ! length $page ||
diff --git a/debian/changelog b/debian/changelog
index 6019e3960..d67fb73ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,8 @@ ikiwiki (2.65) UNRELEASED; urgency=low (willu)
 * edittemplate: Add "silent" parameter. (Willu)
 * edittemplate: Link to template, to allow creating it. (Willu)
+ * editpage: Add a missing check that the page name contains only legal
+ characters, in addition to the existing check for pruned filenames.
 -- Joey Hess Wed, 17 Sep 2008 14:26:56 -0400
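Review bot: In the IkiWiki/Plugin/editpage.pm hunk, a name that fails the `wiki_file_regexp` match leaves `$page` undefined, yet it is still handed to `possibly_foolish_untaint($page)` and to `$page =~ s#^/+##` before the `! defined $page` test on the next line is reached. If warnings are enabled, that would log an uninitialized-value warning for each rejected request; guarding the substitution, `my $absolute=(defined $page && $page =~ s#^/+##);`, or rejecting right after the match keeps the rejection path quiet. The list assignment also depends on `$config{wiki_file_regexp}` being anchored at both ends and containing a capture group, which is not visible here, so the comment could say so: `# wiki_file_regexp must be anchored and capture the whole name; $page is undef on mismatch`. The `if` that performs the defined and length checks continues outside the hunk.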