Simon McVittie [Sat, 24 Dec 2016 15:03:51 +0000 (15:03 +0000)]
Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in
f4ec7b0. Force it into scalar context where it is used
in an argument list.
This prevents two (relatively minor) commit metadata forgery
vulnerabilities:
* In the comments plugin, an attacker who was able to post a comment
could give it a user-specified author and author-URL even if the wiki
configuration did not allow for that, by crafting multiple values
to other fields.
* In the editpage plugin, an attacker who was able to edit a page
could potentially forge commit authorship by crafting multiple values
for the rcsinfo field.
The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.
OVE-
20161226-0001
(cherry picked from commit
c1120bbbe8fdea20cf64fa12247f4f4a4006c834)
Simon McVittie [Wed, 11 Jan 2017 13:19:13 +0000 (13:19 +0000)]
passwordauth: avoid userinfo forgery via repeated email parameter
OVE-
20170111-0001
Simon McVittie [Wed, 11 Jan 2017 13:16:37 +0000 (13:16 +0000)]
t/passwordauth.t: new automated test for passwordauth
In particular this includes an exploit for OVE-
20170111-0001.
Simon McVittie [Wed, 11 Jan 2017 13:12:50 +0000 (13:12 +0000)]
passwordauth: prevent authentication bypass via multiple name parameters
Calling CGI::FormBuilder::field with a name argument in list context
returns zero or more user-specified values of the named field, even
if that field was not declared as supporting multiple values.
Passing the result of field as a function parameter counts as list
context. This is the same bad behaviour that is now discouraged
for CGI::param.
In this case we pass the multiple values to CGI::Session::param.
That accessor has six possible calling conventions, of which four are
documented. If an attacker passes (2*n + 1) values for the 'name'
field, for example name=a&name=b&name=c, we end up in one of the
undocumented calling conventions for param:
# equivalent to: (name => 'a', b => 'c')
$session->param('name', 'a', 'b', 'c')
and the 'b' session parameter is unexpectedly set to an
attacker-specified value.
In particular, if an attacker "bob" specifies
name=bob&name=name&name=alice, then authentication is carried out
for "bob" but the CGI::Session ends up containing {name => 'alice'},
an authentication bypass vulnerability.
This vulnerability is tracked as OVE-
20170111-0001.
Simon McVittie [Mon, 9 May 2016 21:34:58 +0000 (22:34 +0100)]
Reference CVE-2016-4561 in 3.
20141016.3 changelog
Simon McVittie [Fri, 6 May 2016 06:57:45 +0000 (07:57 +0100)]
3.
20141016.3 (for jessie-security)
Simon McVittie [Fri, 6 May 2016 06:46:58 +0000 (07:46 +0100)]
Do not recommend mimetype(image/*)
Not all image file types are safe for general use: in particular,
image/svg+xml is known to be vulnerable to CVE-2016-3714 under some
ImageMagick configurations.
Simon McVittie [Fri, 6 May 2016 06:45:26 +0000 (07:45 +0100)]
Document the security fixes in this release
smcv [Tue, 14 Apr 2015 17:38:13 +0000 (13:38 -0400)]
add more details of CVE-2015-2793
Joey Hess [Mon, 30 Mar 2015 15:31:59 +0000 (11:31 -0400)]
update for recent XSS
Simon McVittie [Fri, 6 May 2016 06:32:17 +0000 (07:32 +0100)]
img: make img_allowed_formats case-insensitive
Joey Hess [Fri, 6 May 2016 00:44:11 +0000 (20:44 -0400)]
update test suite for svg passthrough by img directive
Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.
Simon McVittie [Fri, 6 May 2016 05:57:12 +0000 (06:57 +0100)]
img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.
(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)
[smcv: drop trailing whitespace, fix some spelling]
Simon McVittie [Thu, 5 May 2016 22:45:16 +0000 (23:45 +0100)]
Changelog
Simon McVittie [Thu, 5 May 2016 22:17:45 +0000 (23:17 +0100)]
img: check magic number before giving common formats to ImageMagick
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
Simon McVittie [Wed, 4 May 2016 07:54:19 +0000 (08:54 +0100)]
img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
Simon McVittie [Mon, 30 Nov 2015 17:33:00 +0000 (17:33 +0000)]
Update structure of img test from master
Originally from commit
cdfb4ab "Run autopkgtest tests using autodep8 and
the pkg-perl team's infrastructure", cherry-picked here to be able to
apply subsequent test coverage extensions in this test.
Simon McVittie [Sun, 14 Jun 2015 17:13:17 +0000 (18:13 +0100)]
img test: set old timestamp on source file that will change
This is so that the test will pass even if it takes less than 1 second.
Simon McVittie [Mon, 18 Jan 2016 09:19:42 +0000 (09:19 +0000)]
img test: skip testing PDFs if unsupported
Simon McVittie [Thu, 5 May 2016 22:24:17 +0000 (23:24 +0100)]
img test: use the right filenames when testing that deletion occurs
Also use a less misleading name for the sample SVG: it is no longer empty.
Since commit
105f285a it has contained a blue square.
Simon McVittie [Wed, 4 May 2016 07:52:40 +0000 (08:52 +0100)]
img: force common Web formats to be interpreted according to extension
A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, a SVG file named attachment.jpg.
This mitigates CVE-2016-3714.
Simon McVittie [Wed, 4 May 2016 07:46:02 +0000 (08:46 +0100)]
HTML-escape error messages (OVE-
20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-
20160505-0012)
The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
Simon McVittie [Sat, 13 Jun 2015 19:00:08 +0000 (20:00 +0100)]
img: stop ImageMagick trying to be clever if filenames contain a colon
$im->Read() takes a filename-like argument with several sets of special
syntax. Most of the possible metacharacters are escaped by the
default `wiki_file_chars` (and in any case not particularly disruptive),
but the colon ":" is not.
It seems the way to force ImageMagick to treat colons within the
filename as literal is to prepend a colon, so do that.
Simon McVittie [Sun, 29 Mar 2015 21:29:32 +0000 (22:29 +0100)]
Joey Hess [Fri, 27 Mar 2015 16:17:39 +0000 (12:17 -0400)]
Fix XSS in openid selector. Thanks, Raghav Bisht.
Conflicts:
debian/changelog
doc/bugs/XSS_Alert...__33____33____33__.html
Simon McVittie [Wed, 7 Jan 2015 11:32:37 +0000 (11:32 +0000)]
note that the two potential FTBFSs do not actually affect buildds
The relevant tests are skipped on buildds because they don't have
libipc-run-perl or inkscape.
Simon McVittie [Wed, 7 Jan 2015 11:10:32 +0000 (11:10 +0000)]
release candidate
Simon McVittie [Wed, 7 Jan 2015 11:08:31 +0000 (11:08 +0000)]
Work around Debian #771047: use a non-blank SVG for the regression test
Inkscape loses the bounding box of a SVG with no content when it
converts it to EPS, and ImageMagick does not have a special case for
converting SVG to PNG with Inkscape in one step (which Inkscape can do);
it prefers to convert SVG to EPS with Inkscape, then EPS to whatever.
Joey Hess [Fri, 2 Jan 2015 20:45:26 +0000 (16:45 -0400)]
close debian bug I opened about blogspam
Amitai Schlair [Sat, 3 Jan 2015 15:02:20 +0000 (10:02 -0500)]
blogspam uses JSON instead of RPC::XML now.
Amitai Schlair [Fri, 2 Jan 2015 18:55:10 +0000 (13:55 -0500)]
Update blogspam to the 2.0 API.
Joey Hess [Sat, 8 Nov 2014 04:08:33 +0000 (00:08 -0400)]
Set Debian package maintainer to Simon McVittie as I'm retiring from Debian.
Joey Hess [Mon, 20 Oct 2014 16:28:54 +0000 (12:28 -0400)]
Add missing build-depends on libcgi-formbuilder-perl, needed for t/relativity.t
Simon McVittie [Thu, 16 Oct 2014 23:02:33 +0000 (00:02 +0100)]
Merge remote-tracking branch 'refs/remotes/dgit/dgit/sid'
Simon McVittie [Thu, 16 Oct 2014 22:28:35 +0000 (23:28 +0100)]
release
Simon McVittie [Thu, 16 Oct 2014 22:28:23 +0000 (23:28 +0100)]
debian: fix some wrong paths in the copyright file
Simon McVittie [Thu, 16 Oct 2014 22:04:11 +0000 (23:04 +0100)]
debian: rename debian/link to debian/links so the intended symlinks appear
Simon McVittie [Thu, 16 Oct 2014 22:03:48 +0000 (23:03 +0100)]
close a bug
Simon McVittie [Thu, 16 Oct 2014 21:48:09 +0000 (22:48 +0100)]
Drop unused python-support dependency
Simon McVittie [Thu, 16 Oct 2014 21:44:29 +0000 (22:44 +0100)]
changelog so far
Simon McVittie [Thu, 16 Oct 2014 21:40:52 +0000 (22:40 +0100)]
build-depend on libcgi-pm-perl too, for tests
Simon McVittie [Thu, 16 Oct 2014 08:45:36 +0000 (09:45 +0100)]
Explicitly depend on CGI.pm, which is no longer in Perl core
I was going to depend on the version that has CGI->param_fetch,
but that has been supported since 2.37, which is older than oldstable.
Amitai Schlair [Wed, 15 Oct 2014 22:52:43 +0000 (23:52 +0100)]
IkiWiki::Plugin::openid: as a precaution, do not call non-coderefs
We're running under "use strict" here, so if CGI->param's array-context
misbehaviour passes an extra non-ref parameter, it shouldn't be executed
anyway... but it's as well to be safe.
[commit message added by smcv]
Amitai Schlair [Wed, 15 Oct 2014 21:32:02 +0000 (22:32 +0100)]
Call CGI->param_fetch instead of CGI->param in array context
CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.
In the situations where we do want to cope with more than one parameter
of the same name, CGI->param_fetch (which always returns an
array-reference) makes the intention clearer.
[commit message added by smcv]
Simon McVittie [Sat, 11 Oct 2014 08:28:22 +0000 (09:28 +0100)]
Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.
I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
Added a comment: It was an Apache problem...
smcv [Thu, 16 Oct 2014 12:11:52 +0000 (08:11 -0400)]
branch
smcv [Thu, 16 Oct 2014 11:52:05 +0000 (07:52 -0400)]
comment
Simon McVittie [Wed, 15 Oct 2014 20:56:11 +0000 (21:56 +0100)]
Replace PayPal and Flattr buttons with text links
In particular, this avoids loading third-party resources from the
offline documentation (see
<https://lintian.debian.org/tags/privacy-breach-donation.html>).
http://anastigmatix.net/ [Thu, 16 Oct 2014 02:53:41 +0000 (22:53 -0400)]
mention pagespec_alias patches
smcv [Wed, 15 Oct 2014 23:30:22 +0000 (19:30 -0400)]
Added a comment
smcv [Wed, 15 Oct 2014 23:26:52 +0000 (19:26 -0400)]
Added a comment
openmedi [Wed, 15 Oct 2014 18:49:16 +0000 (14:49 -0400)]
Added a comment
Added a comment
openmedi [Wed, 15 Oct 2014 12:33:40 +0000 (08:33 -0400)]
Added a comment
Amitai Schlair [Tue, 14 Oct 2014 22:46:41 +0000 (18:46 -0400)]
as usual, macports hasn't moved
Added a comment
Added a comment
Amitai Schlair [Tue, 14 Oct 2014 22:19:09 +0000 (18:19 -0400)]
one report suffices; not yet clear there's a bug
Amitai Schlair [Mon, 13 Oct 2014 20:21:15 +0000 (16:21 -0400)]
clarify
Amitai Schlair [Mon, 13 Oct 2014 20:13:11 +0000 (16:13 -0400)]
findings and questions
Simon McVittie [Sat, 11 Oct 2014 08:28:02 +0000 (09:28 +0100)]
Do not pass ignored sid parameter to checksessionexpiry
checksessionexpiry's signature changed from
(CGI::Session, CGI->param('sid')) to (CGI, CGI::Session) in commit
985b229b, but editpage still passed the sid as a useless third
parameter, and this was later cargo-culted into remove, rename and
recentchanges.
Simon McVittie [Sun, 12 Oct 2014 17:03:28 +0000 (18:03 +0100)]
comments: don't log remote IP address for signed-in users
The intention was that signed-in users (for instance via httpauth,
passwordauth or openid) are already adequately identified, but
there's nothing to indicate who an anonymous commenter is unless
their IP address is recorded.
Simon McVittie [Sun, 12 Oct 2014 16:57:14 +0000 (17:57 +0100)]
google search plugin: use https for the search
smcv [Sun, 12 Oct 2014 16:49:24 +0000 (12:49 -0400)]
default User-Agent changed
Simon McVittie [Sat, 11 Oct 2014 08:43:34 +0000 (09:43 +0100)]
Set default User-Agent to something that doesn't mention libwww-perl
It appears that both the open-source and proprietary rulesets for
ModSecurity default to blacklisting requests that say they are
from libwww-perl, presumably because some script kiddies use libwww-perl
and are too inept to set a User-Agent that is "too big to blacklist",
like Chrome or the iPhone browser or something. This seems doomed to
failure but whatever.
smcv [Sun, 12 Oct 2014 16:43:14 +0000 (12:43 -0400)]
removed
smcv [Sun, 12 Oct 2014 16:42:54 +0000 (12:42 -0400)]
Added a comment
Amitai Schlair [Sun, 12 Oct 2014 16:42:13 +0000 (12:42 -0400)]
help Markdown make a list
Added a comment: fixed in a recent release, I think
openmedi [Sun, 12 Oct 2014 16:06:59 +0000 (12:06 -0400)]
Amitai Schlair [Sun, 12 Oct 2014 15:08:13 +0000 (11:08 -0400)]
Replace shebang paths with the build-time $(PERL).
On non-Debian systems, /usr/bin/perl might not be the best available
Perl interpreter. Use whichever perl was used to run Makefile.PL,
unless it was "/usr/bin/perl", in which case there's nothing to do.
Amitai Schlair [Sun, 12 Oct 2014 13:30:31 +0000 (09:30 -0400)]
Extract test subs for each site. No change meant.
Amitai Schlair [Sun, 12 Oct 2014 04:01:09 +0000 (00:01 -0400)]
Extract run_cgi(). No functional change intended.
Amitai Schlair [Sat, 11 Oct 2014 13:52:21 +0000 (09:52 -0400)]
Extract check_generated_content(). Same output.
Amitai Schlair [Sat, 11 Oct 2014 01:17:39 +0000 (21:17 -0400)]
Extract check_cgi_mode_bits(). No change intended.
Amitai Schlair [Sat, 11 Oct 2014 00:40:24 +0000 (20:40 -0400)]
Extract thoroughly_rebuild(), a slight test change.
I didn't try to parameterize when a test should fail when we can't
remove ikiwiki.cgi because there already isn't one. (Hooray, natural
language.) Instead, we stop worrying about it and always tolerate
ENOENT.
Amitai Schlair [Sat, 11 Oct 2014 00:25:54 +0000 (20:25 -0400)]
Extract write_setup_file(). No functional change.
Test output differs only by the line numbers of the TODO items.
smcv [Thu, 9 Oct 2014 18:50:00 +0000 (14:50 -0400)]
clarify further
smcv [Thu, 9 Oct 2014 18:36:13 +0000 (14:36 -0400)]
clarify
smcv [Thu, 9 Oct 2014 18:31:33 +0000 (14:31 -0400)]
That's not how that directive is used, and if you want to try stuff out please edit the sandbox instead
This reverts commit
856819a733d90a2ca259a5a3b03cc5d84f72e931
tarojiro [Wed, 8 Oct 2014 11:38:46 +0000 (07:38 -0400)]
smcv [Mon, 6 Oct 2014 21:00:24 +0000 (17:00 -0400)]
alternative plan
Amitai Schlair [Mon, 6 Oct 2014 20:31:52 +0000 (16:31 -0400)]
simplify IPC::Run check (same behavior)
Amitai Schlair [Mon, 6 Oct 2014 17:06:02 +0000 (13:06 -0400)]
exclude openid/troubleshooting
smcv [Sun, 5 Oct 2014 22:58:56 +0000 (18:58 -0400)]
smcv [Sun, 5 Oct 2014 22:56:57 +0000 (18:56 -0400)]
Added a comment
smcv [Sun, 5 Oct 2014 22:55:02 +0000 (18:55 -0400)]
Added a comment
smcv [Sun, 5 Oct 2014 22:54:07 +0000 (18:54 -0400)]
Added a comment
Simon McVittie [Sun, 5 Oct 2014 22:50:57 +0000 (23:50 +0100)]
more fixes
Simon McVittie [Sun, 5 Oct 2014 22:49:25 +0000 (23:49 +0100)]
Document another fix
Simon McVittie [Sun, 5 Oct 2014 22:49:17 +0000 (23:49 +0100)]
In html5 mode, generate a host- or protocol-relative <base> for the CGI
This increases the number of situations in which we do the right thing.
Simon McVittie [Sun, 5 Oct 2014 22:06:48 +0000 (23:06 +0100)]
Add reverse_proxy option which hard-codes cgiurl in CGI output
This solves several people's issues with the CGI trying to be
too clever when IkiWiki is placed behind a reverse-proxy.
Simon McVittie [Sun, 5 Oct 2014 21:56:55 +0000 (22:56 +0100)]
Avoid mixed content when cgiurl is https but url is not