diff options
author | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 17:17:44 -0500 |
---|---|---|
committer | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 17:17:44 -0500 |
commit | bbcf878f75ee5468c062b0a1569177b66be8001b (patch) | |
tree | ef515e0031aefadf5b65aaca9e0a066eed5ab8ef | |
parent | 4bfdbd4858bc7842df97902e0bc9bd5d2bef861e (diff) |
* meta: Check that the urls provided for authorurl, permalink, and openid
are safe and can't contain javascript.
-rw-r--r-- | IkiWiki/Plugin/meta.pm | 27 | ||||
-rw-r--r-- | debian/changelog | 5 |
2 files changed, 26 insertions, 6 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm index 621e87674..74b630afc 100644 --- a/IkiWiki/Plugin/meta.pm +++ b/IkiWiki/Plugin/meta.pm @@ -38,6 +38,17 @@ sub scrub ($) { #{{{ } } #}}} +sub safeurl ($) { #{{{ + my $url=shift; + if (exists $IkiWiki::Plugin::htmlscrubber::{safe_url_regexp} && + defined $IkiWiki::Plugin::htmlscrubber::safe_url_regexp) { + return $url=~/$IkiWiki::Plugin::htmlscrubber::safe_url_regexp/; + } + else { + return 1; + } +} #}}} + sub htmlize ($$$) { #{{{ my $page = shift; my $destpage = shift; @@ -88,7 +99,7 @@ sub preprocess (@) { #{{{ # fallthorough } elsif ($key eq 'authorurl') { - $pagestate{$page}{meta}{authorurl}=$value; + $pagestate{$page}{meta}{authorurl}=$value if safeurl($value); # fallthrough } @@ -106,8 +117,10 @@ sub preprocess (@) { #{{{ } } elsif ($key eq 'permalink') { - $pagestate{$page}{meta}{permalink}=$value; - push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />'); + if (safeurl($value)) { + $pagestate{$page}{meta}{permalink}=$value; + push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />'); + } } elsif ($key eq 'stylesheet') { my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet"; @@ -124,12 +137,14 @@ sub preprocess (@) { #{{{ "\" type=\"text/css\" />"; } elsif ($key eq 'openid') { - if (exists $params{server}) { + if (exists $params{server} && safeurl($params{server})) { push @{$metaheaders{$page}}, '<link href="'.encode_entities($params{server}). '" rel="openid.server" />'; } - push @{$metaheaders{$page}}, '<link href="'.encode_entities($value). - '" rel="openid.delegate" />'; + if (safeurl($value)) { + push @{$metaheaders{$page}}, '<link href="'.encode_entities($value). + '" rel="openid.delegate" />'; + } } elsif ($key eq 'redir') { return "" if $page ne $destpage; diff --git a/debian/changelog b/debian/changelog index 1b4b70d8c..719150ee6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,7 @@ ikiwiki (2.40) UNRELEASED; urgency=low ikiwiki (2.31.3) unstable; urgency=high + [ Josh Triplett ] * Do not allow the about: URI scheme; some browsers interpret about: URIs like a limited version of data: URIs. In particular, some versions of Internet Explorer interpret arbitrary HTML content in @@ -18,6 +19,10 @@ ikiwiki (2.31.3) unstable; urgency=high * Also filter the attributes cite, longdesc, and usemap, which can contain URIs. + [ Joey Hess ] + * meta: Check that the urls provided for authorurl, permalink, and openid + are safe and can't contain javascript. + -- Josh Triplett <josh@freedesktop.org> Sun, 10 Feb 2008 13:59:00 -0800 ikiwiki (2.31.2) unstable; urgency=high |