From a74c5efd82cf6d093dde77b2ddaa5394260c6dd9 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 16 May 2012 20:26:20 -0400
Subject: [PATCH] =?utf8?q?meta:=20Security=20fix;=20add=20missing=20saniti?= =?utf8?q?zation=20of=20author=20and=20authorurl.=20Thanks,=20Ra=C3=BAl=20?= =?utf8?q?Benencia?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 IkiWiki/Plugin/meta.pm | 7 ++++---
 debian/changelog | 7 +++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index c33c8b238..ef949f22e 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -288,12 +288,13 @@ sub pagetemplate (@) {
 $template->param(title_overridden => 1);
 }
 
- foreach my $field (qw{author authorurl permalink}) {
- $template->param($field => $pagestate{$page}{meta}{$field})
+ foreach my $field (qw{authorurl permalink}) {
+ $template->param($field => HTML::Entities::encode_entities($pagestate{$page}{meta}{$field}))
 if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
 }
 
- foreach my $field (qw{description}) {
+ foreach my $field (qw{description author}) {
+ eval q{use HTML::Entities};
 $template->param($field => HTML::Entities::encode_numeric($pagestate{$page}{meta}{$field}))
 if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
 }
diff --git a/debian/changelog b/debian/changelog
index 3dac4c400..fbcd6fac1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20100815.9) stable-security; urgency=high
+
+ * meta: Security fix; add missing sanitization of author and authorurl.
+ CVE-2012-0220 Thanks, Raúl Benencia
+
+ -- Joey Hess Wed, 16 May 2012 19:51:27 -0400
+
 ikiwiki (3.20100815.8) stable-security; urgency=low
 
 * ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su.
-- 
2.39.2
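Review bot: In the meta.pm hunk, `eval q{use HTML::Entities};` is added inside the second loop (description/author), yet the first loop (authorurl/permalink) now calls `HTML::Entities::encode_entities` before that line has run, and the eval's outcome is never checked. Unless the module is already loaded earlier in pagetemplate, whose body begins above this hunk, the first loop depends on load order elsewhere, and a missing module would surface only as a later undefined-subroutine error. Load it once above both loops and check it: `eval q{use HTML::Entities}; error($@) if $@;`. Separately, entity-encoding authorurl and permalink makes them safe to embed in markup but does not constrain the URL scheme. The code that stores these values is not visible here, so it is worth confirming that the scheme is validated there and saying so in a comment next to the first loop.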