From: Joey Hess <joey@kitenet.net>
Date: Mon, 28 Mar 2011 16:21:12 +0000 (-0400)
Subject: meta: Security fix; don't allow alternative stylesheets to be added on pages where... 
X-Git-Tag: 3.20110328~1
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/be02a80b7a19f3c33a8ea42c0750d94e0a91206f?hp=--cc

meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled.
---

be02a80b7a19f3c33a8ea42c0750d94e0a91206f
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index ad6d1a8e3..1a9f94a12 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -174,10 +174,10 @@ sub preprocess (@) {
 		if (! length $stylesheet) {
 			error gettext("stylesheet not found")
 		}
-		push @{$metaheaders{$page}}, '<link href="'.urlto($stylesheet, $page).
+		push @{$metaheaders{$page}}, scrub('<link href="'.urlto($stylesheet, $page).
 			'" rel="'.encode_entities($rel).
 			'" title="'.encode_entities($title).
-			"\" type=\"text/css\" />";
+			"\" type=\"text/css\" />", $page, $destpage);
 	}
 	elsif ($key eq 'openid') {
 		my $delegate=0; # both by default
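Review bot: The new scrub() call on the `+` lines wraps the link for every value of $rel, not only rel="alternate stylesheet", so on pages where the htmlscrubber is enabled any `meta stylesheet` directive now appears to be stripped, while the commit message and changelog speak only of alternative stylesheets. If that is intended, say so in the commit message and docs. If not, branch on $rel before scrubbing. Also, the directive now produces nothing without telling the author why. The branch already raises error gettext("stylesheet not found") just above, so a similar error when the scrubbed result is empty would make the failure visible. Please also confirm that $destpage is in scope at this point in preprocess, since the hunk does not show where it is set.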
diff --git a/debian/changelog b/debian/changelog
index e78ce3e1c..91c4c6d24 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20110322) UNRELEASED; urgency=low
+ikiwiki (3.20110328) UNRELEASED; urgency=low
 
   * Yaml formatted setup files are now produced by default.
     (Perl formatted setup files can still be used.)
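Review bot: The header line changed here still carries urgency=low, although this version now contains an entry labelled "Security fix". Consider raising it (urgency=medium or high) so the fixed package propagates faster, or note why low is adequate given that exploitation needs the user to select the alternate stylesheet.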
@@ -6,6 +6,8 @@ ikiwiki (3.20110322) UNRELEASED; urgency=low
     via the web.
   * comment: Better fix to avoid showing comments of subpages, while
     not breaking manual inlining of comments.
+  * meta: Security fix; don't allow alternative stylesheets to be added
+    on pages where the htmlscrubber is enabled.
 
  -- Joey Hess <joeyh@debian.org>  Thu, 24 Mar 2011 13:34:34 -0400
 
diff --git a/doc/ikiwiki/directive/meta.mdwn b/doc/ikiwiki/directive/meta.mdwn
index d66e26fc4..50aaf66be 100644
--- a/doc/ikiwiki/directive/meta.mdwn
+++ b/doc/ikiwiki/directive/meta.mdwn
@@ -77,6 +77,10 @@ Supported fields:
 
 	\[[!meta stylesheet=somestyle rel="alternate stylesheet"
 	title="somestyle"]]
+  
+  However, this will be scrubbed away if the 
+  [[!iki plugins/htmlscrubber desc=htmlscrubber]] plugin is enabled,
+  since it can be used to insert unsafe content.
 
 * openid
 
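Review bot: In the added paragraph, "this will be scrubbed away" is ambiguous: it follows the rel="alternate stylesheet" example, but the change in meta.pm scrubs the link whatever rel is, so readers cannot tell whether a plain `stylesheet=` directive survives on scrubbed pages. Name exactly what is removed, for example "the stylesheet link will be scrubbed away". The added lines are also indented with two spaces (and the first one is whitespace only) while the example above them is tab-indented. Check that the paragraph still renders as part of the "stylesheet" list item.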
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 770927e26..2b387ac23 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -463,3 +463,14 @@ This hole was discovered on 22 Jan 2011 and fixed the same day with
 the release of ikiwiki 3.20110122. A fix was backported to Debian squeeze,
 as version 3.20100815.5. An upgrade is recommended for sites
 with the comments plugin enabled. ([[!cve CVE-2011-0428]])
+
+## possible javascript insertion via insufficient htmlscrubbing of alternate stylesheets
+
+Tango noticed that 'meta stylesheet` directives allowed anyone
+who could upload a malicious stylesheet to a site to add it to a
+page as an alternate stylesheet. In order to be exploited, the user
+would have to select the alternative stylesheet in their browser.
+
+This hole was discovered on 28 Mar 2011 and fixed the same hour with
+the release of ikiwiki 3.20110328. An upgrade is recommended for sites
+that have untrusted committers, or have the attachments plugin enabled.
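Review bot: In the first added paragraph, 'meta stylesheet` opens with an apostrophe and closes with a backtick, so it will not render as a code span. Use backticks on both sides. The heading promises "javascript insertion", but the body only says a malicious stylesheet can be attached and never states how the stylesheet leads to script running in the reader's browser; one sentence on that would let admins judge their exposure. The preceding entry ends with a CVE reference and this one has none, so add it once an identifier is assigned. Finally, the upgrade advice covers untrusted committers and the attachments plugin but does not mention that only pages with the htmlscrubber enabled are affected, which is the condition the commit message gives.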