author Joey Hess <joey@kitenet.net> 2007-11-26 15:30:44 -0500
committer Joey Hess <joey@kitenet.net> 2007-11-26 15:30:44 -0500
commit e15e3202eb04048feb302b39d946f1ae1a15c306
tree af286f69e186483a5179e97939fbc2b01fc6932c
parent 8df24a447d9bcae138873bc076432e6a69946d7f
releasing version 2.14
-rw-r--r-- IkiWiki/Render.pm 11
-rw-r--r-- debian/NEWS 10
-rw-r--r-- debian/changelog 9
-rw-r--r-- doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn 17
-rw-r--r-- doc/security.mdwn 30
-rw-r--r-- po/ikiwiki.pot 26
6 files changed, 87 insertions, 16 deletions
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index 35d663a7a..e4ff2b39b 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -245,6 +245,17 @@ sub prune ($) { #{{{
} #}}}
sub refresh () { #{{{
+ # security check, avoid following symlinks in the srcdir path
+ my $test=$config{srcdir};
+ while (length $test) {
+ if (-l $test) {
+ error("symlink found in srcdir path ($test)");
+ }
+ unless ($test=~s/\/+$//) {
+ $test=dirname($test);
+ }
+ }
+
# find existing pages
my %exists;
my @files;
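Review bot: The `while (length $test)` loop at the top of `refresh` does not terminate when `$config{srcdir}` is a relative path. Once the path is down to one component, `dirname` returns `.`, and `dirname(".")` is `.` again, so `$test` never becomes empty; only an absolute path ends the loop, when the final `/` is stripped to the empty string by `s/\/+$//`. Suggest breaking out when `dirname` returns its argument unchanged, or resolving srcdir to an absolute path before walking it. The check also runs once at the start of the refresh, so a path component replaced by a symlink later in the same run is not covered by it.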
diff --git a/debian/NEWS b/debian/NEWS
index 1dabd1735..87fcc5e63 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+ikiwiki (2.14) unstable; urgency=low
+
+ This version of ikiwiki is more picky about symlinks in the path leading
+ to the srcdir, and will refuse to use a srcdir specified by such a path.
+ This was necessary to avoid some potential exploits, but could potentially
+ break (semi-)working wikis. If your wiki has a srcdir path containing a
+ symlink, you should change it to use a path that does not.
+
+ -- Joey Hess <joeyh@debian.org> Mon, 26 Nov 2007 14:57:57 -0500
+
ikiwiki (2.9) unstable; urgency=low
Since ikiwiki 2.0 was released, some limitiations have been added to what
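Review bot: The 2.14 entry says the stricter check avoids "some potential exploits" but gives the admin no pointer to what they are or which setups are affected. The debian/changelog entry in this same commit links the security page; repeating that link here, and saying that a srcdir written with a trailing slash onto a symlink is one of the setups that will now be refused, would let users judge the impact before upgrading.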
diff --git a/debian/changelog b/debian/changelog
index 456d4b908..299d7d571 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,14 @@
-ikiwiki (2.14) UNRELEASED; urgency=low
+ikiwiki (2.14) unstable; urgency=high
* Let CC be used to control what compiler is used to build wrappers.
* Use 'cc' instead of gcc as the default compiler.
+ * Security fix: Ensure that there are no symlinks anywhere in the path
+ to the top of the srcdir. In certian unusual configurations, an attacker
+ who could commit to one of the parent directories of the srcdir could
+ use a symlink attack to cause ikiwiki to publish files elsewhere in the
+ filesystem. More details at <http://ikiwiki.info/security/#index29h2>
- -- Joey Hess <joeyh@debian.org> Sun, 25 Nov 2007 15:49:49 -0500
+ -- Joey Hess <joeyh@debian.org> Mon, 26 Nov 2007 15:26:06 -0500
ikiwiki (2.13) unstable; urgency=low
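Review bot: Typo in the new "Security fix" item: "certian" should be "certain". The URL fragment `#index29h2` also looks derived from the heading's position on the security page, so it may stop pointing at this entry once more headings are added there; naming the section title ("insufficient checking for symlinks in srcdir path") in the text would keep the reference findable.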
diff --git a/doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn b/doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn
index 0310c17f3..cd74c2496 100644
--- a/doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn
+++ b/doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn
@@ -63,4 +63,19 @@ My output:
scanning index.mdwn
rendering index.mdwn
-Note that index.mdwn was only rendered when srcdir had a trailing slash. \ No newline at end of file
+Note that index.mdwn was only rendered when srcdir had a trailing slash.
+
+> There are potential [[security]] issues with ikiwiki following a symlink,
+> even if it's just a symlink at the top level of the srcdir.
+> Consider ikiwiki.info's own setup, where the srcdir is ikiwiki/doc,
+> checked out of revision control. A malicious committer could convert
+> ikiwiki/doc into a symlink to /etc, then ikiwiki would happily publish
+> all of /etc to the web.
+>
+> This kind of attack is why ikiwiki does not let File::Find follow
+> symlinks when scanning the srcdir. By appending the slash, you're
+> actually bypassing that check. Ikiwiki should not let you set
+> up a potentially insecure configuration like that. More discussion of
+> this hole [[here|security#index29h2]], and I've had to release
+> a version of ikiwiki that explicitly checks for that, and fails to work.
+> Sorry, but security trumps convenience. [[done]] --[[Joey]]
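Review bot: The first paragraph of the reply reads as if turning `ikiwiki/doc` into a symlink to /etc always gets /etc published, while the security.mdwn text added in this commit says a single-subdirectory srcdir is typically not followed unless the configured path ends in "/". Suggest stating that condition in the first paragraph rather than leaving it to the second. The closing "explicitly checks for that, and fails to work" is also ambiguous; something like "and refuses to run with such a srcdir" says what the new check does.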
diff --git a/doc/security.mdwn b/doc/security.mdwn
index b1e8d03f6..a1c2120ce 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -315,3 +315,33 @@ This hole was discovered on 21 March 2007 and fixed the same day
with the release of ikiwiki 1.47. A fix was also backported to Debian etch,
as version 1.33.3. I recommend upgrading to one of these versions if your
wiki can be edited by third parties.
+
+## insufficient checking for symlinks in srcdir path
+
+Ikiwiki did not check if path to the srcdir to contained a symlink. If an
+attacker had commit access to the directories in the path, they could
+change it to a symlink, causing ikiwiki to read and publish files that were
+not intended to be published. (But not write to them due to other checks.)
+
+In most configurations, this is not exploitable, because the srcdir is
+checked out of revision control, but the directories leading up to it are
+not. Or, the srcdir is a single subdirectory of a project in revision
+control (ie, `ikiwiki/doc`), and if the subdirectory were a symlink,
+ikiwiki would still typically not follow it.
+
+There are at least two configurations where this is exploitable:
+
+* If the srcdir is a deeper subdirectory of a project. For example if it is
+ `project/foo/doc`, an an attacker can replace `foo` with a symlink to a
+ directory containing a `doc` directory (not a symlink), then ikiwiki
+ would follow the symlink.
+* If the path to the srcdir in ikiwiki's configuration ended in "/",
+ and the srcdir is a single subdirectory of a project, (ie,
+ `ikiwiki/doc/`), the srcdir could be a symlink and ikiwiki would not
+ notice.
+
+This security hole was discovered on 26 November 2007 and fixed the same
+da with the release of ikiwiki 2.14. I recommend upgrading to this version
+if your wiki can be committed to by third parties. Alternatively, don't use
+a trailing slash in the srcdir, and avoid the (unusual) configurations that
+allow the security hole to be exploited.
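Review bot: Several wording slips in the new section should be fixed before this is published as the advisory text: "did not check if path to the srcdir to contained a symlink" in the first paragraph, "an an attacker" in the first bullet, and "fixed the same da" in the last paragraph. The parenthetical "(But not write to them due to other checks.)" would also be easier to verify if it named the checks it relies on, since the read-only scope of the hole depends on them.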
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index b1842d546..9dd020f8c 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-11-17 16:11-0500\n"
+"POT-Creation-Date: 2007-11-26 15:27-0500\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -485,47 +485,47 @@ msgid ""
"notifications"
msgstr ""
-#: ../IkiWiki/Render.pm:263 ../IkiWiki/Render.pm:284
+#: ../IkiWiki/Render.pm:274 ../IkiWiki/Render.pm:295
#, perl-format
msgid "skipping bad filename %s"
msgstr ""
-#: ../IkiWiki/Render.pm:326
+#: ../IkiWiki/Render.pm:337
#, perl-format
msgid "removing old page %s"
msgstr ""
-#: ../IkiWiki/Render.pm:359
+#: ../IkiWiki/Render.pm:370
#, perl-format
msgid "scanning %s"
msgstr ""
-#: ../IkiWiki/Render.pm:364
+#: ../IkiWiki/Render.pm:375
#, perl-format
msgid "rendering %s"
msgstr ""
-#: ../IkiWiki/Render.pm:376
+#: ../IkiWiki/Render.pm:387
#, perl-format
msgid "rendering %s, which links to %s"
msgstr ""
-#: ../IkiWiki/Render.pm:393
+#: ../IkiWiki/Render.pm:404
#, perl-format
msgid "rendering %s, which depends on %s"
msgstr ""
-#: ../IkiWiki/Render.pm:431
+#: ../IkiWiki/Render.pm:442
#, perl-format
msgid "rendering %s, to update its backlinks"
msgstr ""
-#: ../IkiWiki/Render.pm:443
+#: ../IkiWiki/Render.pm:454
#, perl-format
msgid "removing %s, no longer rendered by %s"
msgstr ""
-#: ../IkiWiki/Render.pm:469
+#: ../IkiWiki/Render.pm:480
#, perl-format
msgid "ikiwiki: cannot render %s"
msgstr ""
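Review bot: The regenerated template gains no msgid for the new "symlink found in srcdir path (%s)" error added to IkiWiki/Render.pm; the Render.pm entries in this hunk only have their reference line numbers shifted by 11. If the message is meant to be translatable like the other Render.pm strings listed here, mark it for extraction with a `%s` placeholder instead of interpolating `$test` into the string, then regenerate the .pot.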
@@ -583,13 +583,13 @@ msgid "failed to write %s: %s"
msgstr ""
#. translators: The parameter is a C filename.
-#: ../IkiWiki/Wrapper.pm:107
+#: ../IkiWiki/Wrapper.pm:109
#, perl-format
msgid "failed to compile %s"
msgstr ""
#. translators: The parameter is a filename.
-#: ../IkiWiki/Wrapper.pm:127
+#: ../IkiWiki/Wrapper.pm:129
#, perl-format
msgid "successfully generated %s"
msgstr ""
@@ -614,7 +614,7 @@ msgstr ""
#. translators: preprocessor directive name,
#. translators: the second a page name, the
#. translators: third a number.
-#: ../IkiWiki.pm:711
+#: ../IkiWiki.pm:717
#, perl-format
msgid "%s preprocessing loop detected on %s at depth %i"
msgstr ""