From a6df94501699453bd4b560c57df81134edd75262 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@kitenet.net>
Date: Sat, 22 Jan 2011 11:04:00 -0400
Subject: [PATCH] comments: Fix XSS security hole due to missing validation of
 page name. CVE-2011-0428 (Thanks, Dave B.)

---
 IkiWiki/Plugin/comments.pm | 4 ++--
 debian/changelog           | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index a39dab36c..6bacd26c7 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -364,8 +364,8 @@ sub editcomment ($$) {
 	}
 
 	# The untaint is OK (as in editpage) because we're about to pass
-	# it to file_pruned anyway
-	my $page = $form->field('page');
+	# it to file_pruned and wiki_file_regexp anyway.
+	my $page = $form->field('page')=~/$config{wiki_file_regexp}/;
 	$page = IkiWiki::possibly_foolish_untaint($page);
 	if (! defined $page || ! length $page ||
 		IkiWiki::file_pruned($page)) {
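Review bot: The new assignment on the `my $page = $form->field('page')=~/$config{wiki_file_regexp}/;` line evaluates the match in scalar context, so `$page` receives the match's boolean result (1 or the empty string), not the validated page name; a comment on a well-formed page would then be processed against a page literally named "1", while the existing `! defined $page || ! length $page` check below only rejects the non-matching case. The validation intent is right (only a name matching `wiki_file_regexp` should reach `possibly_foolish_untaint`), but the accepted value has to be the captured text: `my ($page) = $form->field('page') =~ /$config{wiki_file_regexp}/;`. This relies on `wiki_file_regexp` capturing the whole name in its first group, which the regexp in IkiWiki.pm appears to do; on no match the list assignment leaves `$page` undef, so the following `defined` check still rejects it. The surrounding `editcomment` body begins before the hunk and continues past it.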
diff --git a/debian/changelog b/debian/changelog
index 734e2471d..4f9b06d29 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20100815.5) testing; urgency=low
+
+  * comments: Fix XSS security hole due to missing validation of page name.
+    CVE-2011-0428 (Thanks, Dave B.)
+
+ -- Joey Hess <joeyh@debian.org>  Sat, 22 Jan 2011 11:02:59 -0400
+
 ikiwiki (3.20100815.4) testing; urgency=low
 
   * meta: Fix calling of htmlscrubber to pass the page parameter.
-- 
2.39.5