diff options
| author | Joey Hess <joey@gnu.kitenet.net> | 2009-08-08 12:27:48 -0400 |
|---|---|---|
| committer | Joey Hess <joey@gnu.kitenet.net> | 2009-08-08 12:27:48 -0400 |
| commit | 8f6e0212fdbf3de286e504ed2802111bf7864abe (patch) | |
| tree | 0e199906f0328239b9d2e36573c487f01eafd688 /IkiWiki | |
| parent | 22edaf77c2a4318ebd8ed0881dd6a62cfc2ca2b2 (diff) | |
verify page name is sane
paranoia; I was thinking about XSS attacks specificaly
Diffstat (limited to 'IkiWiki')
| -rw-r--r-- | IkiWiki/Plugin/getsource.pm | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/IkiWiki/Plugin/getsource.pm b/IkiWiki/Plugin/getsource.pm index 91c4cc1c9..ae9ea3cc7 100644 --- a/IkiWiki/Plugin/getsource.pm +++ b/IkiWiki/Plugin/getsource.pm @@ -42,13 +42,17 @@ sub pagetemplate (@) { sub cgi_getsource ($) { my $cgi=shift; - return unless (defined $cgi->param('do') && - $cgi->param("do") eq "getsource"); + return unless defined $cgi->param('do') && + $cgi->param("do") eq "getsource"; IkiWiki::decode_cgi_utf8($cgi); my $page=$cgi->param('page'); + if (! defined $page || $page !~ /$config{wiki_file_regexp}/) { + error("invalid page parameter"); + } + # For %pagesources. IkiWiki::loadindex(); |