From: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Wed, 21 Mar 2007 06:05:21 +0000 (+0000)
Subject: * Fix a few bugs around page titles containing html. The worst of these
X-Git-Tag: 1.46~4
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/1c65ca492295e754dfd9986f91b08eb0876d09b9?ds=inline

* Fix a few bugs around page titles containing html. The worst of these
  is an actual security hole as it allows insertion of html into the title
  element of a page, which is not processed by the htmlscrubber.
---

diff --git a/debian/changelog b/debian/changelog
index 26aaad53b..5934958ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (1.46) UNRELEASED; urgency=low
+ikiwiki (1.46) unstable; urgency=low
 
   * Fix a bug with inlined create page links, including Discussion links on
     blog post pages. The links will now create pages relative to the page that
@@ -12,8 +12,11 @@ ikiwiki (1.46) UNRELEASED; urgency=low
     same time, and let the second person resolve the conflict.
   * Applied a patch from Michał to make the mercurial backend pass --quiet to
     hg.
+  * Fix a few bugs around page titles containing html. The worst of these
+    is an actual security hole as it allows insertion of html into the title
+    element of a page, which is not processed by the htmlscrubber.
 
- -- Joey Hess <joeyh@debian.org>  Sun, 18 Mar 2007 18:22:12 -0400
+ -- Joey Hess <joeyh@debian.org>  Wed, 21 Mar 2007 01:51:30 -0400
 
 ikiwiki (1.45) unstable; urgency=low
 
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 01a893d20..9b561a13e 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -293,3 +293,14 @@ This hole was discovered on 10 Feb 2007 and fixed the same day with the
 release of ikiwiki 1.42. A fix was also backported to Debian etch, as
 version 1.33.1. I recommend upgrading to one of these versions if your wiki
 allows web editing.
+
+## html insertion via title
+
+Missing html escaping of the title contents allowed a web-based editor to
+insert arbitrary html inside the title tag of a page. Since that part of
+the page is not processed by the htmlscrubber, evil html could be injected.
+
+This hole was discovered on 21 March 2007 and fixed the same day (er, hour) 
+with the release of ikiwiki 1.46. A fix was also backported to Debian etch,
+as version 1.33.2. I recommend upgrading to one of these versions if your
+wiki allows web editing or aggregates feeds.
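Review bot: the first paragraph of the new section names only a web-based editor as the source of a hostile title, yet the closing sentence also tells wikis that aggregate feeds to upgrade. Add a sentence saying how an aggregated feed supplies the title, so the admin of a feed-only wiki can see why the advisory applies. The line ending "(er, hour) " also carries trailing whitespace.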
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index f2c3cf498..8f223571b 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-17 19:21-0400\n"
+"POT-Creation-Date: 2007-03-21 01:50-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -41,17 +41,17 @@ msgstr ""
 msgid "creating %s"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:518
-#: ../IkiWiki/CGI.pm:562
+#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:507
+#: ../IkiWiki/CGI.pm:533 ../IkiWiki/CGI.pm:577
 #, perl-format
 msgid "editing %s"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:659
+#: ../IkiWiki/CGI.pm:674
 msgid "You are banned."
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:691
+#: ../IkiWiki/CGI.pm:706
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
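Review bot: the source references for ../IkiWiki/CGI.pm move in this hunk (518 becomes 533, 659 becomes 674, and a new 507 reference appears), but the patch has no hunk for CGI.pm, so this is regenerated output unrelated to the title escaping. Consider committing the refreshed po/ikiwiki.pot separately; that keeps the security fix down to the template and documentation changes and makes it easier to backport.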
@@ -472,15 +472,15 @@ msgstr ""
 msgid "generating wrappers.."
 msgstr ""
 
-#: ../IkiWiki/Setup/Standard.pm:71
+#: ../IkiWiki/Setup/Standard.pm:72
 msgid "rebuilding wiki.."
 msgstr ""
 
-#: ../IkiWiki/Setup/Standard.pm:74
+#: ../IkiWiki/Setup/Standard.pm:75
 msgid "refreshing wiki.."
 msgstr ""
 
-#: ../IkiWiki/Setup/Standard.pm:83
+#: ../IkiWiki/Setup/Standard.pm:84
 msgid "done"
 msgstr ""
 
diff --git a/templates/archivepage.tmpl b/templates/archivepage.tmpl
index 6bc789dfb..7e8b8b8fc 100644
--- a/templates/archivepage.tmpl
+++ b/templates/archivepage.tmpl
@@ -1,5 +1,5 @@
 <p>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a><br />
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a><br />
 <i>
 Posted <TMPL_VAR CTIME>
 </i>
diff --git a/templates/inlinepage.tmpl b/templates/inlinepage.tmpl
index 0317c248c..f1f21d4be 100644
--- a/templates/inlinepage.tmpl
+++ b/templates/inlinepage.tmpl
@@ -10,9 +10,9 @@
 </TMPL_IF>
 <span class="header">
 <TMPL_IF NAME="PERMALINK">
-<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE></a>
+<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE ESCAPE=HTML></a>
 <TMPL_ELSE>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a>
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a>
 </TMPL_IF>
 </span>
 <TMPL_VAR CONTENT>
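Review bot: both changed lines still write PERMALINK and PAGEURL into the href attribute with no ESCAPE, right beside the newly escaped TITLE. Since the advisory text in this patch names feed aggregation as affected, confirm where PERMALINK is set and either give it an ESCAPE as well or state in the commit message why those values are already safe inside an attribute.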
diff --git a/templates/page.tmpl b/templates/page.tmpl
index 471ed1a7d..2c28a68f5 100644
--- a/templates/page.tmpl
+++ b/templates/page.tmpl
@@ -3,7 +3,7 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<title><TMPL_VAR TITLE></title>
+<title><TMPL_VAR TITLE ESCAPE=HTML></title>
 <link rel="stylesheet" href="<TMPL_VAR BASEURL>style.css" type="text/css" />
 <link rel="stylesheet" href="<TMPL_VAR BASEURL>local.css" type="text/css" />
 <TMPL_IF NAME="FAVICON">
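Review bot: the fix for the title element lives only in the shipped template line `<title><TMPL_VAR TITLE ESCAPE=HTML></title>`, so a wiki rendering from its own modified copy of page.tmpl keeps the unescaped TITLE after upgrading. Say in the doc/security.mdwn entry that locally modified templates need the same ESCAPE=HTML change, or escape the title before it reaches the template so the fix does not depend on each template.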
@@ -19,7 +19,7 @@
 <TMPL_LOOP NAME="PARENTLINKS">
 <a href="<TMPL_VAR NAME=URL>"><TMPL_VAR NAME=PAGE></a>/ 
 </TMPL_LOOP>
-<TMPL_VAR TITLE>
+<TMPL_VAR TITLE ESCAPE=HTML>
 </span>
 <TMPL_IF NAME="SEARCHFORM">
 <TMPL_VAR SEARCHFORM>
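Review bot: in the PARENTLINKS loop just above the changed line, `<TMPL_VAR NAME=PAGE>` is still printed as element content with no ESCAPE, in the same span as the TITLE that now has one. If parent page names are guaranteed free of markup, say so in the commit message; otherwise give it the same ESCAPE=HTML.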
diff --git a/templates/titlepage.tmpl b/templates/titlepage.tmpl
index f5cd5bc53..0676a098e 100644
--- a/templates/titlepage.tmpl
+++ b/templates/titlepage.tmpl
@@ -1 +1 @@
-<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a></p>
+<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a></p>
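Review bot: this is the sixth TITLE occurrence edited by hand across four templates, and nothing in the patch checks that none was missed. Add a regression test that renders a page whose title contains markup and asserts the output carries it only in escaped form, so a template that later drops or forgets the attribute is caught.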