-rw-r--r-- | IkiWiki/CGI.pm | 35 | ||||
-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | doc/security.mdwn | 13 | ||||
-rw-r--r-- | po/ikiwiki.pot | 28 | ||||
-rw-r--r-- | templates/editpage.tmpl | 1 |
5 files changed, 62 insertions, 18 deletions
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 470677088..65136a269 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -161,8 +161,18 @@ sub cgi_prefs ($$) { #{{{
 my $session=shift;
 needsignin($q, $session);
- decode_cgi_utf8($q);
+
+ # The session id is stored on the form and checked to
+ # guard against CSRF.
+ my $sid=$q->param('sid');
+ if (! defined $sid) {
+ $q->delete_all;
+ }
+ elsif ($sid ne $session->id) {
+ error(gettext("Your login session has expired."));
+ }
+
 eval q{use CGI::FormBuilder};
 error($@) if $@;
 my $form = CGI::FormBuilder->new(
@@ -193,7 +203,10 @@ sub cgi_prefs ($$) { #{{{
 buttons => $buttons);
 });
- $form->field(name => "do", type => "hidden");
+ $form->field(name => "do", type => "hidden", value => "prefs",
+ force => 1);
+ $form->field(name => "sid", type => "hidden", value => $session->id,
+ force => 1);
 $form->field(name => "email", size => 50, fieldset => "preferences");
 $form->field(name => "banned_users", size => 50, fieldset => "admin");
@@ -241,11 +254,11 @@ sub cgi_prefs ($$) { #{{{
 sub cgi_editpage ($$) { #{{{
 my $q=shift;
 my $session=shift;
-
- my @fields=qw(do rcsinfo subpage from page type editcontent comments);
- my @buttons=("Save Page", "Preview", "Cancel");
 decode_cgi_utf8($q);
+
+ my @fields=qw(do rcsinfo subpage from page type editcontent comments);
+ my @buttons=("Save Page", "Preview", "Cancel");
 eval q{use CGI::FormBuilder};
 error($@) if $@;
 my $form = CGI::FormBuilder->new(
@@ -316,6 +329,8 @@ sub cgi_editpage ($$) { #{{{
 }
 $form->field(name => "do", type => 'hidden');
+ $form->field(name => "sid", type => "hidden", value => $session->id,
+ force => 1);
 $form->field(name => "from", type => 'hidden');
 $form->field(name => "rcsinfo", type => 'hidden');
 $form->field(name => "subpage", type => 'hidden');
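Review bot: The `- decode_cgi_utf8($q);` removal in the first cgi_prefs hunk is not balanced by a re-added call, so the preferences form's submitted values are no longer decoded as UTF-8 before FormBuilder reads them; the cgi_editpage hunk at -241 only moves its call earlier, which suggests the drop here is accidental. Keep `decode_cgi_utf8($q);` directly after `needsignin($q, $session);`, ahead of the sid check, so non-ASCII preference values survive a save. The new `sid` hidden field also deserves a comment: the session id is now embedded in the rendered page, and if the FormBuilder->new call (outside the hunk) does not set `method => 'POST'`, it would additionally appear in URLs and Referer headers, so that is worth confirming. cgi_prefs starts before this hunk and continues past the last cgi_prefs hunk.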
@@ -474,6 +489,16 @@ sub cgi_editpage ($$) { #{{{
 else { # save page
 check_canedit($page, $q, $session);
+
+ # The session id is stored on the form and checked to
+ # guard against CSRF. But only if the user is logged in,
+ # as anonok can allow anonymous edits.
+ if (defined $session->param("name")) {
+ my $sid=$q->param('sid');
+ if (! defined $sid || $sid ne $session->id) {
+ error(gettext("Your login session has expired."));
+ }
+ }
 my $exists=-e "$config{srcdir}/$file";
diff --git a/debian/changelog b/debian/changelog
index 613640f60..9085d97cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ ikiwiki (2.42) UNRELEASED; urgency=low
 * aggregate: Correct a mistake in the code that dummy up a guid for feeds lacking one.
 * inline: Correct handling of urls relative to baseurl in feeds.
+ * Fix CSRF attacks against the preferences and edit forms. The fix involved
+ embedding the session id in the forms, and not allowing the forms to be
+ submitted if the embedded id does not match the session id. Closes: #475445
 -- Joey Hess <joeyh@debian.org> Thu, 03 Apr 2008 02:35:39 -0400
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 723daeccc..29ae7d4b3 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -149,7 +149,7 @@ option.
 ## XSS holes in CGI output
-ikiwiki has not yet been audited to ensure that all cgi script input/output
+ikiwiki has been audited to ensure that all cgi script input/output
 is sanitised to prevent XSS attacks. For example, a user can't register with a username containing html code (anymore).
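Review bot: The new sid check in the save branch runs only after `check_canedit($page, $q, $session);`, so a forged request from a logged-in user still reaches the canedit hooks (and whatever side effects they may have) before it is rejected; moving the `if (defined $session->param("name")) { ... }` block above the check_canedit call rejects the forgery before any plugin code runs and costs nothing. The "Your login session has expired." text is also the message for a plain token mismatch, and `error()` drops the submitted editcontent, so a user whose session genuinely expired loses the edit; a short comment would make that trade-off explicit, e.g. `# a mismatch also covers a genuinely expired session; the edit is discarded`. cgi_editpage starts and ends outside this hunk.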
@@ -366,3 +366,14 @@ with the release of ikiwiki 2.31.1. (And a few subsequent versions..)
 A fix was also backported to Debian etch, as version 1.33.4. I recommend upgrading to one of these versions if your wiki can be edited by third parties.
+
+## Cross Site Request Forging
+
+Cross Site Request Forging could be used to constuct a link that would
+change a logged-in user's password or other preferences if they clicked on
+the link. It could also be used to construct a link that would cause a wiki
+page to be modified by a logged-in user.
+
+These holes were discovered on 10 April 2008 and fixed the same day with
+the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
+version 1.33.4. I recommend upgrading to one of these versions.
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index a3f7cafcb..5e7e4b4d4 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2008-03-29 21:01-0400\n"
+"POT-Creation-Date: 2008-04-10 16:18-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -24,46 +24,50 @@ msgstr ""
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
-#: ../IkiWiki/CGI.pm:184
+#: ../IkiWiki/CGI.pm:173 ../IkiWiki/CGI.pm:499
+msgid "Your login session has expired."
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:194
 msgid "Login"
 msgstr ""
-#: ../IkiWiki/CGI.pm:185
+#: ../IkiWiki/CGI.pm:195
 msgid "Preferences"
 msgstr ""
-#: ../IkiWiki/CGI.pm:186
+#: ../IkiWiki/CGI.pm:196
 msgid "Admin"
 msgstr ""
-#: ../IkiWiki/CGI.pm:235
+#: ../IkiWiki/CGI.pm:248
 msgid "Preferences saved."
 msgstr ""
-#: ../IkiWiki/CGI.pm:293
+#: ../IkiWiki/CGI.pm:306
 #, perl-format
 msgid "%s is not an editable page"
 msgstr ""
-#: ../IkiWiki/CGI.pm:395 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:410 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:265 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:95
 #: ../IkiWiki/Render.pm:172
 msgid "discussion"
 msgstr ""
-#: ../IkiWiki/CGI.pm:451
+#: ../IkiWiki/CGI.pm:466
 #, perl-format
 msgid "creating %s"
 msgstr ""
-#: ../IkiWiki/CGI.pm:469 ../IkiWiki/CGI.pm:487 ../IkiWiki/CGI.pm:497
-#: ../IkiWiki/CGI.pm:531 ../IkiWiki/CGI.pm:576
+#: ../IkiWiki/CGI.pm:484 ../IkiWiki/CGI.pm:512 ../IkiWiki/CGI.pm:522
+#: ../IkiWiki/CGI.pm:556 ../IkiWiki/CGI.pm:601
 #, perl-format
 msgid "editing %s"
 msgstr ""
-#: ../IkiWiki/CGI.pm:666
+#: ../IkiWiki/CGI.pm:691
 msgid "You are banned."
 msgstr ""
@@ -222,7 +226,7 @@ msgstr ""
 msgid "Discussion"
 msgstr ""
-#: ../IkiWiki/Plugin/inline.pm:491
+#: ../IkiWiki/Plugin/inline.pm:500
 msgid "RPC::XML::Client not found, not pinging"
 msgstr ""
diff --git a/templates/editpage.tmpl b/templates/editpage.tmpl
index cf4950ead..b0bb0ecb9 100644
--- a/templates/editpage.tmpl
+++ b/templates/editpage.tmpl
@@ -41,6 +41,7 @@ together before saving.
 </TMPL_IF>
 <TMPL_VAR FORM-START>
 <TMPL_VAR FIELD-DO>
+<TMPL_VAR FIELD-SID>
 <TMPL_VAR FIELD-FROM>
 <TMPL_VAR FIELD-RCSINFO>
 <TMPL_VAR FIELD-NEWFILE>
|