summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2006-08-27 20:25:05 +0000
committerjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2006-08-27 20:25:05 +0000
commit4ad7c9d6257ca106b2949d22f6300823190991a0 (patch)
tree9752444cfa70b40ab32627e3feb44781e56f2771
parent3ad4d93e33284ad6d51d2fa5f9abf1943b894d48 (diff)
* Patch from James Westby to add a --sslcookie switch, which forces
cookies to only be sent over ssl connections to avoid interception. * Factor out the cgi header printing code into a new function. * Fix preferences page on anonok wikis; still need to sign in to get to the preferences page.
-rw-r--r--IkiWiki.pm1
-rw-r--r--IkiWiki/CGI.pm24
-rw-r--r--debian/changelog7
-rw-r--r--doc/ikiwiki.setup2
-rw-r--r--doc/patchqueue/use-ssl-for-cookies.mdwn20
-rw-r--r--doc/security.mdwn4
-rw-r--r--doc/usage.mdwn6
-rwxr-xr-xikiwiki.pl1
8 files changed, 37 insertions, 28 deletions
diff --git a/IkiWiki.pm b/IkiWiki.pm
index b6e160ab6..990836f8e 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -54,6 +54,7 @@ sub defaultconfig () { #{{{
plugin => [qw{mdwn inline htmlscrubber}],
timeformat => '%c',
locale => undef,
+ sslcookie => 0,
} #}}}
sub checkconfig () { #{{{
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 120e2fdee..8e0339dc5 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -9,6 +9,18 @@ use Encode;
package IkiWiki;
+sub printheader ($) { #{{{
+ my $session=shift;
+
+ if ($config{sslcookie}) {
+ print $session->header(-charset => 'utf-8',
+ -cookie => $session->cookie(-secure => 1));
+ } else {
+ print $session->header(-charset => 'utf-8');
+ }
+
+} #}}}
+
sub redirect ($$) { #{{{
my $q=shift;
my $url=shift;
@@ -72,7 +84,7 @@ sub cgi_recentchanges ($) { #{{{
changelog => [rcs_recentchanges(100)],
baseurl => baseurl(),
);
- print $q->header(-charset=>'utf-8'), $template->output;
+ print $q->header(-charset => 'utf-8'), $template->output;
} #}}}
sub cgi_signin ($$) { #{{{
@@ -204,7 +216,7 @@ sub cgi_signin ($$) { #{{{
$form->field(name => "confirm_password", type => "hidden");
$form->field(name => "email", type => "hidden");
$form->text("Registration successful. Now you can Login.");
- print $session->header(-charset=>'utf-8');
+ printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login"]));
}
else {
@@ -232,12 +244,12 @@ sub cgi_signin ($$) { #{{{
$form->text("Your password has been emailed to you.");
$form->field(name => "name", required => 0);
- print $session->header(-charset=>'utf-8');
+ printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
}
}
else {
- print $session->header(-charset=>'utf-8');
+ printheader($session);
print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
}
} #}}}
@@ -314,7 +326,7 @@ sub cgi_prefs ($$) { #{{{
$form->text("Preferences saved.");
}
- print $session->header(-charset=>'utf-8');
+ printheader($session);
print misctemplate($form->title, $form->render(submit => \@buttons));
} #}}}
@@ -596,7 +608,7 @@ sub cgi () { #{{{
umask($oldmask);
# Everything below this point needs the user to be signed in.
- if ((! $config{anonok} &&
+ if (((! $config{anonok} || $do eq 'prefs') &&
(! defined $session->param("name") ||
! userinfo_get($session->param("name"), "regdate"))) || $do eq 'signin') {
cgi_signin($q, $session);
diff --git a/debian/changelog b/debian/changelog
index 7636cd12e..2d1fd3777 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -35,8 +35,13 @@ ikiwiki (1.22) UNRELEASED; urgency=low
* Patch from James Westby to add a template for the search form.
* Cache search form for speedup.
* Added a ddate plugin.
+ * Patch from James Westby to add a --sslcookie switch, which forces
+ cookies to only be sent over ssl connections to avoid interception.
+ * Factor out the cgi header printing code into a new function.
+ * Fix preferences page on anonok wikis; still need to sign in to get
+ to the preferences page.
- -- Joey Hess <joeyh@debian.org> Sat, 26 Aug 2006 23:48:31 -0400
+ -- Joey Hess <joeyh@debian.org> Sun, 27 Aug 2006 16:17:21 -0400
ikiwiki (1.21) unstable; urgency=low
diff --git a/doc/ikiwiki.setup b/doc/ikiwiki.setup
index bf1aa3703..9a4b61ec4 100644
--- a/doc/ikiwiki.setup
+++ b/doc/ikiwiki.setup
@@ -74,6 +74,8 @@ use IkiWiki::Setup::Standard {
#timeformat => '%c',
# Locale to use. Must be a UTF-8 locale.
#locale => 'en_US.UTF-8',
+ # Only send cookies over SSL connections.
+ #sslcookie => 1,
# Logging settings:
verbose => 0,
syslog => 0,
diff --git a/doc/patchqueue/use-ssl-for-cookies.mdwn b/doc/patchqueue/use-ssl-for-cookies.mdwn
deleted file mode 100644
index c2ee63782..000000000
--- a/doc/patchqueue/use-ssl-for-cookies.mdwn
+++ /dev/null
@@ -1,20 +0,0 @@
-It is very easy to stop the password being sniffed, you just use https:// for cgiurl
-(with appropriately configure server of course), and disallow access to the cgiscript
-over http.
-
-However the cookie is still sent for all requests, meaning that it could be stolen.
-I don't know quite how well CGI::Session defends against this, but the best it could
-do is probably tie it to an IP address, but that still leaves room for abuse.
-
-I have created a patch that adds a config option sslcookie, which causes the
-cookie to have it's secure property set. This means that it is only sent over SSL.
-So if you can configure apache to do what you want, you only have to change two options
-(cgiurl and sslcookie) to encrypt all authentication data.
-
-The disadvantage is that if someone were to activate it while using http:// I think it
-would mean they couldn't log in, as the browser would never offer the cookie.
-I think I have made the documentation clear enough on this point.
-
-http://jameswestby.net/scratch/sslcookie.diff
-
--- JamesWestby \ No newline at end of file
diff --git a/doc/security.mdwn b/doc/security.mdwn
index dc763ef40..9d7702dde 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -134,7 +134,9 @@ file not be world readable.
Login to the wiki involves sending a password in cleartext over the net.
Cracking the password only allows editing the wiki as that user though.
-If you care, you can use https, I suppose.
+If you care, you can use https, I suppose. If you do use https either for
+all of the wiki, or just the cgi access, then consider using the sslcookie
+option.
## XSS holes in CGI output
diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index efbc765ac..4456e8c1c 100644
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -227,6 +227,12 @@ configuration options of their own.
Enable [[w3mmode]], which allows w3m to use ikiwiki as a local CGI script,
without a web server.
+* --sslcookie
+
+ Only send cookies over an SSL connection. This should prevent them being
+ intercepted. If you enable this option then you must run at least the
+ CGI portion of ikiwiki over SSL.
+
* --getctime
Pull last changed time for each new page out of the revision control
diff --git a/ikiwiki.pl b/ikiwiki.pl
index c9b53a031..aa0fd136a 100755
--- a/ikiwiki.pl
+++ b/ikiwiki.pl
@@ -45,6 +45,7 @@ sub getconfig () { #{{{
"svnpath" => \$config{svnpath},
"adminemail=s" => \$config{adminemail},
"timeformat=s" => \$config{timeformat},
+ "sslcookie!" => \$config{sslcookie},
"exclude=s@" => sub {
$config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$_[1]/;
},