check for invalid utf-8, and toss it back to avoid crashes

Since ikiwiki uses open :utf8, perl assumes that files contain valid utf-8.
If it turns out to be malformed it may later crash while processing strings
read from them, with 'Malformed UTF-8 character (fatal)'.

As at least a quick fix, use utf8::valid as soon as data is read, and if
it's not valid, call encode_utf8 on the string, thus clearing the utf-8
flag. This may cause follow-on encoding problems, but will avoid this
crash, and the input file was broken anyway, so GIGO is a reasonable
response. (I looked at calling decode_utf8 after, but it seemed to cause
more trouble than it was worth. BTW, use open ':encoding(utf8)' avaoids
this problem, but the corrupted data later causes Storable to crash when
writing the index.)

This is a quick fix, clearly imperfect:
- It might be better to explicitly call decode_utf8 when reading files,
  rather than using the IO layer.
- Data read other than by readfile() can still sneak in bad utf-8. While
  ikiwiki does very little file input not using it, stdin for the CGI
  would be one way.

1 files changed, 9 insertions, 0 deletions

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 0841abf49..1bc7b9e60 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -407,3 +407,12 @@ discovered on 30 May 2008 and fixed the same day. ([[!cve CVE-2008-0169]])
 
 I recommend upgrading to 2.48 immediatly if your wiki allows both password
 and openid logins.
+
+## Malformed UTF-8 DOS
+
+Feeding ikiwiki page sources containing certian forms of malformed UTF-8
+can cause it to crash. This can potentially be used for a denial of service
+attack.
+
+intrigeri discovered this problem on 12 Nov 2008 and a patch put in place
+later that day.