author | Joey Hess <joey@kitenet.net> | 2010-06-15 17:41:26 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2010-06-15 17:41:26 -0400 |
commit | a2989598884807ace2a9efd248b7c32824cf6c6f (patch) | |
tree | dc962057feec01a8e8745c166acbee12654551bf | |
parent | 69383fb6b0820360ad54122d79a3c64909d01a9d (diff) | |
parent | 86a43aefb4f4c79a2044caf847622d0a00cd5356 (diff) |
fix other cases of unicode mixing issue
and fix underlaydir override attack guard when srcdir is non-absolute
-rw-r--r-- | IkiWiki/Plugin/autoindex.pm | 15 | ||||
-rw-r--r-- | IkiWiki/Plugin/comments.pm | 12 | ||||
-rw-r--r-- | IkiWiki/Render.pm | 13 |
3 files changed, 26 insertions, 14 deletions
diff --git a/IkiWiki/Plugin/autoindex.pm b/IkiWiki/Plugin/autoindex.pm
index 0dd76259e..5e8a9e0a3 100644
--- a/IkiWiki/Plugin/autoindex.pm
+++ b/IkiWiki/Plugin/autoindex.pm
@@ -33,18 +33,19 @@ sub genindex ($) {
 sub refresh () {
 eval q{use File::Find};
 error($@) if $@;
+ eval q{use Cwd};
+ error($@) if $@;
+ my $origdir=getcwd();
 my (%pages, %dirs);
 foreach my $dir ($config{srcdir}, @{$config{underlaydirs}}, $config{underlaydir}) {
- require File::Spec;
- $dir=File::Spec->canonpath($dir);
+ chdir($dir) || die "chdir: $!";
 find({
 no_chdir => 1,
 wanted => sub {
- my $file=File::Spec->canonpath(decode_utf8($_));
- return if $file eq $dir;
- $file=~s/^\Q$dir\E\/?//;
+ my $file=decode_utf8($_);
+ $file=~s/^\.\/?//;
 return unless length $file;
 if (IkiWiki::file_pruned($file)) {
 $File::Find::prune=1;
@@ -61,7 +62,9 @@ sub refresh () {
 }
 }
 }
- }, $dir);
+ }, '.');
+
+ chdir($origdir) || die "chdir: $!";
 }
 my %deleted;
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index d204a7737..17cd99c3b 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -660,16 +660,22 @@ sub comments_pending () {
 eval q{use File::Find};
 error($@) if $@;
+ eval q{use Cwd};
+ error($@) if $@;
+ my $origdir=getcwd();
 my $find_comments=sub {
 my $dir=shift;
 my $extension=shift;
 return unless -d $dir;
+
+ chdir($dir) || die "chdir: $!";
+
 find({
 no_chdir => 1,
 wanted => sub {
 my $file=decode_utf8($_);
- $file=~s/^\Q$dir\E\/?//;
+ $file=~s/^\.\///;
 return if ! length $file || IkiWiki::file_pruned($file) || -l $_ || -d _ || $file !~ /\Q$extension\E$/;
 my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint
@@ -678,7 +684,9 @@ sub comments_pending () {
 push @ret, [$f, $dir, $ctime];
 }
 }
 }
- }, $dir);
+ }, ".");
+
+ chdir($origdir) || die "chdir: $!";
 };
 $find_comments->($config{srcdir}, "._comment_pending");
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index 0e7aa9a48..740bb52b0 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
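Review bot: `chdir($dir) || die "chdir: $!";` in the first autoindex hunk aborts the whole refresh as soon as one entry of `@{$config{underlaydirs}}` or `$config{underlaydir}` is missing, whereas the replaced code handed the directory to `find`, which, as far as I recall, only warns about a top directory it cannot stat and skips it. The comments.pm hunk of this same commit guards with `return unless -d $dir;` before its chdir, so `next unless -d $dir;` ahead of the chdir here would keep the two files consistent and preserve the old tolerance. The restoring `chdir($origdir)` added in the second autoindex hunk is only reached when `find` returns normally, so anything that dies inside the `wanted` callback leaves `$dir` as the process working directory; a comment such as `# cwd stays $dir until the chdir below; a die inside wanted leaves it there` would record that, and an eval around the find that restores cwd before rethrowing would close it. Reporting through `die` where the rest of `refresh` uses `error()` is also a small style inconsistency. `refresh` continues past both hunks.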
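Review bot: The path-stripping line `$file=~s/^\.\///;` in the first comments.pm hunk differs from the `$file=~s/^\.\/?//;` spelling used in the autoindex hunk of this commit, so the top-level entry `.` keeps its name here and is only dropped by the later prune and `-d _` tests, while autoindex reduces it to the empty string and drops it via `length`; both work, but one spelling across the three files would make the traversal easier to audit. `-l $_` on the next line still tests the raw path File::Find supplied while `$file` is the decoded copy, which is the right operand for a filesystem test but deserves a comment, e.g. `# test the raw bytes in $_, not the decoded $file`. `comments_pending` starts before and continues after this hunk.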
@@ -292,11 +292,16 @@ sub find_src_files () {
 eval q{use File::Find};
 error($@) if $@;
+ eval q{use Cwd};
+ die $@ if $@;
+ my $origdir=getcwd();
+ my $abssrcdir=Cwd::abs_path($config{srcdir});
+
 my ($page, $underlay);
 my $helper=sub {
 my $file=decode_utf8($_);
 return if -l $file || -d _;
- $file=~s/^\Q.\/\E//;
+ $file=~s/^\.\///;
 return if ! length $file;
 $page = pagename($file);
 if (! exists $pagesources{$page} &&
@@ -313,7 +318,7 @@ sub find_src_files () {
 if ($underlay) {
 # avoid underlaydir override attacks; see security.mdwn
- if (! -l "$config{srcdir}/$f" && ! -e _) {
+ if (! -l "$abssrcdir/$f" && ! -e _) {
 if (! $pages{$page}) {
 push @files, $f;
 $pages{$page}=1;
@@ -329,10 +334,6 @@ sub find_src_files () {
 }
 };
- eval q{use Cwd};
- die $@ if $@;
- my $origdir=getcwd();
-
 chdir($config{srcdir}) || die "chdir: $!";
 find({
 no_chdir => 1,
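Review bot: `my $abssrcdir=Cwd::abs_path($config{srcdir});` in the first Render.pm hunk is never checked for `undef`; `abs_path` returns undef when the path cannot be resolved, and the override guard in the second hunk would then test `"/$f"`, a path under the filesystem root, instead of the srcdir copy. In practice the `chdir($config{srcdir}) || die` kept in the third hunk fails first for a missing srcdir, but a check this security-sensitive should not rely on that ordering: `defined $abssrcdir || die "cannot resolve srcdir $config{srcdir}";` right after the assignment makes the failure explicit. A comment above the `-l "$abssrcdir/$f"` test such as `# cwd is an underlay while $helper runs, so srcdir must be absolute here` would record why the commit switched to the absolute path. `find_src_files` continues past the last hunk.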