author: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2007-03-21 06:05:21 +0000
committer: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2007-03-21 06:05:21 +0000
commit: 1c65ca492295e754dfd9986f91b08eb0876d09b9
tree: f5ef8f767cf58055381e730e88a56f30ffa586b6
parent: 9bf29d60b2b44c16e9c3aaf1f4ff78a694f3c194
* Fix a few bugs around page titles containing html. The worst of these
is an actual security hole as it allows insertion of html into the title element of a page, which is not processed by the htmlscrubber.
-rw-r--r-- debian/changelog 7
-rw-r--r-- doc/security.mdwn 11
-rw-r--r-- po/ikiwiki.pot 16
-rw-r--r-- templates/archivepage.tmpl 2
-rw-r--r-- templates/inlinepage.tmpl 4
-rw-r--r-- templates/page.tmpl 4
-rw-r--r-- templates/titlepage.tmpl 2
7 files changed, 30 insertions, 16 deletions
diff --git a/debian/changelog b/debian/changelog
index 26aaad53b..5934958ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (1.46) UNRELEASED; urgency=low
+ikiwiki (1.46) unstable; urgency=low
* Fix a bug with inlined create page links, including Discussion links on
blog post pages. The links will now create pages relative to the page that
@@ -12,8 +12,11 @@ ikiwiki (1.46) UNRELEASED; urgency=low
same time, and let the second person resolve the conflict.
* Applied a patch from MichaƂ to make the mercurial backend pass --quiet to
hg.
+ * Fix a few bugs around page titles containing html. The worst of these
+ is an actual security hole as it allows insertion of html into the title
+ element of a page, which is not processed by the htmlscrubber.
- -- Joey Hess <joeyh@debian.org> Sun, 18 Mar 2007 18:22:12 -0400
+ -- Joey Hess <joeyh@debian.org> Wed, 21 Mar 2007 01:51:30 -0400
ikiwiki (1.45) unstable; urgency=low
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 01a893d20..9b561a13e 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -293,3 +293,14 @@ This hole was discovered on 10 Feb 2007 and fixed the same day with the
release of ikiwiki 1.42. A fix was also backported to Debian etch, as
version 1.33.1. I recommend upgrading to one of these versions if your wiki
allows web editing.
+
+## html insertion via title
+
+Missing html escaping of the title contents allowed a web-based editor to
+insert arbitrary html inside the title tag of a page. Since that part of
+the page is not processed by the htmlscrubber, evil html could be injected.
+
+This hole was discovered on 21 March 2007 and fixed the same day (er, hour)
+with the release of ikiwiki 1.46. A fix was also backported to Debian etch,
+as version 1.33.2. I recommend upgrading to one of these versions if your
+wiki allows web editing or aggregates feeds.
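Review bot: The first paragraph of the new "html insertion via title" section names only a web-based editor as the source of the unescaped title, while the closing recommendation also covers wikis that aggregate feeds. State in the first paragraph that a title taken from an aggregated feed reaches the title tag the same way, so the description of who is affected matches the upgrade advice.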
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index f2c3cf498..8f223571b 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-03-17 19:21-0400\n"
+"POT-Creation-Date: 2007-03-21 01:50-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -41,17 +41,17 @@ msgstr ""
msgid "creating %s"
msgstr ""
-#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:518
-#: ../IkiWiki/CGI.pm:562
+#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:507
+#: ../IkiWiki/CGI.pm:533 ../IkiWiki/CGI.pm:577
#, perl-format
msgid "editing %s"
msgstr ""
-#: ../IkiWiki/CGI.pm:659
+#: ../IkiWiki/CGI.pm:674
msgid "You are banned."
msgstr ""
-#: ../IkiWiki/CGI.pm:691
+#: ../IkiWiki/CGI.pm:706
msgid "login failed, perhaps you need to turn on cookies?"
msgstr ""
@@ -472,15 +472,15 @@ msgstr ""
msgid "generating wrappers.."
msgstr ""
-#: ../IkiWiki/Setup/Standard.pm:71
+#: ../IkiWiki/Setup/Standard.pm:72
msgid "rebuilding wiki.."
msgstr ""
-#: ../IkiWiki/Setup/Standard.pm:74
+#: ../IkiWiki/Setup/Standard.pm:75
msgid "refreshing wiki.."
msgstr ""
-#: ../IkiWiki/Setup/Standard.pm:83
+#: ../IkiWiki/Setup/Standard.pm:84
msgid "done"
msgstr ""
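Review bot: The `#:` reference updates in this hunk (Setup/Standard.pm:71, 74 and 83 moving to 72, 75 and 84) come from regenerating the .pot file, and Setup/Standard.pm is not among the seven files changed here. Moving the regeneration into its own commit would keep the security fix down to the template and documentation changes, which is easier to cherry-pick for the backport that doc/security.mdwn mentions.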
diff --git a/templates/archivepage.tmpl b/templates/archivepage.tmpl
index 6bc789dfb..7e8b8b8fc 100644
--- a/templates/archivepage.tmpl
+++ b/templates/archivepage.tmpl
@@ -1,5 +1,5 @@
<p>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a><br />
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a><br />
<i>
Posted <TMPL_VAR CTIME>
</i>
diff --git a/templates/inlinepage.tmpl b/templates/inlinepage.tmpl
index 0317c248c..f1f21d4be 100644
--- a/templates/inlinepage.tmpl
+++ b/templates/inlinepage.tmpl
@@ -10,9 +10,9 @@
</TMPL_IF>
<span class="header">
<TMPL_IF NAME="PERMALINK">
-<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE></a>
+<a href="<TMPL_VAR PERMALINK>"><TMPL_VAR TITLE ESCAPE=HTML></a>
<TMPL_ELSE>
-<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a>
+<a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a>
</TMPL_IF>
</span>
<TMPL_VAR CONTENT>
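Review bot: Both anchors in this hunk still emit their href values raw: `href="<TMPL_VAR PERMALINK>"` and `href="<TMPL_VAR PAGEURL>"` sit in attribute context with no ESCAPE. If PERMALINK can come from the same untrusted source as TITLE, it needs ESCAPE=HTML as well so that a quote character in it cannot end the attribute. If `<TMPL_VAR CONTENT>` is left raw because it has already been through the htmlscrubber, a template comment saying so would make the distinction from TITLE explicit.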
diff --git a/templates/page.tmpl b/templates/page.tmpl
index 471ed1a7d..2c28a68f5 100644
--- a/templates/page.tmpl
+++ b/templates/page.tmpl
@@ -3,7 +3,7 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<title><TMPL_VAR TITLE></title>
+<title><TMPL_VAR TITLE ESCAPE=HTML></title>
<link rel="stylesheet" href="<TMPL_VAR BASEURL>style.css" type="text/css" />
<link rel="stylesheet" href="<TMPL_VAR BASEURL>local.css" type="text/css" />
<TMPL_IF NAME="FAVICON">
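Review bot: No test accompanies the `<title>` fix; none of the seven files changed is a test. A regression test that renders a page whose title contains `<` and `&`, and checks that the output carries `&lt;` and `&amp;` inside `<title>`, would catch a template that later drops ESCAPE=HTML.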
@@ -19,7 +19,7 @@
<TMPL_LOOP NAME="PARENTLINKS">
<a href="<TMPL_VAR NAME=URL>"><TMPL_VAR NAME=PAGE></a>/
</TMPL_LOOP>
-<TMPL_VAR TITLE>
+<TMPL_VAR TITLE ESCAPE=HTML>
</span>
<TMPL_IF NAME="SEARCHFORM">
<TMPL_VAR SEARCHFORM>
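Review bot: In the PARENTLINKS loop just above the fixed line, `<TMPL_VAR NAME=PAGE>` and `href="<TMPL_VAR NAME=URL>"` are still emitted without ESCAPE. If parent page names can contain the same characters as a title, they need ESCAPE=HTML too; otherwise a short template comment explaining why they are safe would save the next reader the check.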
diff --git a/templates/titlepage.tmpl b/templates/titlepage.tmpl
index f5cd5bc53..0676a098e 100644
--- a/templates/titlepage.tmpl
+++ b/templates/titlepage.tmpl
@@ -1 +1 @@
-<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE></a></p>
+<p><a href="<TMPL_VAR PAGEURL>"><TMPL_VAR TITLE ESCAPE=HTML></a></p>