summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@kodama.kitenet.net>2008-02-10 17:17:44 -0500
committerJoey Hess <joey@kodama.kitenet.net>2008-02-10 17:17:44 -0500
commitbbcf878f75ee5468c062b0a1569177b66be8001b (patch)
treeef515e0031aefadf5b65aaca9e0a066eed5ab8ef
parent4bfdbd4858bc7842df97902e0bc9bd5d2bef861e (diff)
* meta: Check that the urls provided for authorurl, permalink, and openid
are safe and can't contain javascript.
-rw-r--r--IkiWiki/Plugin/meta.pm27
-rw-r--r--debian/changelog5
2 files changed, 26 insertions, 6 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 621e87674..74b630afc 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -38,6 +38,17 @@ sub scrub ($) { #{{{
}
} #}}}
+sub safeurl ($) { #{{{
+ my $url=shift;
+ if (exists $IkiWiki::Plugin::htmlscrubber::{safe_url_regexp} &&
+ defined $IkiWiki::Plugin::htmlscrubber::safe_url_regexp) {
+ return $url=~/$IkiWiki::Plugin::htmlscrubber::safe_url_regexp/;
+ }
+ else {
+ return 1;
+ }
+} #}}}
+
sub htmlize ($$$) { #{{{
my $page = shift;
my $destpage = shift;
@@ -88,7 +99,7 @@ sub preprocess (@) { #{{{
# fallthorough
}
elsif ($key eq 'authorurl') {
- $pagestate{$page}{meta}{authorurl}=$value;
+ $pagestate{$page}{meta}{authorurl}=$value if safeurl($value);
# fallthrough
}
@@ -106,8 +117,10 @@ sub preprocess (@) { #{{{
}
}
elsif ($key eq 'permalink') {
- $pagestate{$page}{meta}{permalink}=$value;
- push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />');
+ if (safeurl($value)) {
+ $pagestate{$page}{meta}{permalink}=$value;
+ push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />');
+ }
}
elsif ($key eq 'stylesheet') {
my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet";
@@ -124,12 +137,14 @@ sub preprocess (@) { #{{{
"\" type=\"text/css\" />";
}
elsif ($key eq 'openid') {
- if (exists $params{server}) {
+ if (exists $params{server} && safeurl($params{server})) {
push @{$metaheaders{$page}}, '<link href="'.encode_entities($params{server}).
'" rel="openid.server" />';
}
- push @{$metaheaders{$page}}, '<link href="'.encode_entities($value).
- '" rel="openid.delegate" />';
+ if (safeurl($value)) {
+ push @{$metaheaders{$page}}, '<link href="'.encode_entities($value).
+ '" rel="openid.delegate" />';
+ }
}
elsif ($key eq 'redir') {
return "" if $page ne $destpage;
diff --git a/debian/changelog b/debian/changelog
index 1b4b70d8c..719150ee6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ ikiwiki (2.40) UNRELEASED; urgency=low
ikiwiki (2.31.3) unstable; urgency=high
+ [ Josh Triplett ]
* Do not allow the about: URI scheme; some browsers interpret about:
URIs like a limited version of data: URIs. In particular, some
versions of Internet Explorer interpret arbitrary HTML content in
@@ -18,6 +19,10 @@ ikiwiki (2.31.3) unstable; urgency=high
* Also filter the attributes cite, longdesc, and usemap, which can contain
URIs.
+ [ Joey Hess ]
+ * meta: Check that the urls provided for authorurl, permalink, and openid
+ are safe and can't contain javascript.
+
-- Josh Triplett <josh@freedesktop.org> Sun, 10 Feb 2008 13:59:00 -0800
ikiwiki (2.31.2) unstable; urgency=high