From: Joey Hess
Date: Thu, 17 May 2012 00:26:20 +0000 (-0400)
Subject: meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl...
X-Git-Tag: 3.20100815.9~7
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/a74c5efd82cf6d093dde77b2ddaa5394260c6dd9

meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl Benencia
---
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index c33c8b238..ef949f22e 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -288,12 +288,13 @@ sub pagetemplate (@) {
 $template->param(title_overridden => 1);
 }
- foreach my $field (qw{author authorurl permalink}) {
- $template->param($field => $pagestate{$page}{meta}{$field})
+ foreach my $field (qw{authorurl permalink}) {
+ $template->param($field => HTML::Entities::encode_entities($pagestate{$page}{meta}{$field}))
 if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
 }
- foreach my $field (qw{description}) {
+ foreach my $field (qw{description author}) {
+ eval q{use HTML::Entities};
 $template->param($field => HTML::Entities::encode_numeric($pagestate{$page}{meta}{$field}))
 if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
 }
diff --git a/debian/changelog b/debian/changelog
index 3dac4c400..fbcd6fac1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20100815.9) stable-security; urgency=high
+
+ * meta: Security fix; add missing sanitization of author and authorurl.
+ CVE-2012-0220 Thanks, Raúl Benencia
+
+ -- Joey Hess Wed, 16 May 2012 19:51:27 -0400
+
 ikiwiki (3.20100815.8) stable-security; urgency=low
 * ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su.
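Review bot: The `eval q{use HTML::Entities};` added on the new side lives inside the second loop, but the first loop now calls `HTML::Entities::encode_entities` before that loop ever runs, so unless the module has already been loaded earlier in the process the authorurl/permalink branch dies with an undefined subroutine rather than encoding anything; hoisting a single `eval q{use HTML::Entities};` above the first `foreach` (right after the closing brace of the title_overridden block) covers both loops and also avoids re-evaluating the load on every iteration. Whether the module is loaded earlier cannot be seen here, since `pagetemplate` begins in the hunk header and continues past the end of the hunk. Entity-encoding authorurl stops the value from breaking out of the href attribute, but it does not constrain the URL's scheme; the hunk does not show whether authorurl is scheme-checked when the directive is preprocessed, so that is worth confirming separately.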