-rw-r--r--  IkiWiki/Plugin/comments.pm      2
-rw-r--r--  IkiWiki/Plugin/htmlscrubber.pm  6
-rw-r--r--  debian/changelog                8
-rw-r--r--  doc/security.mdwn              12
-rw-r--r--  doc/todo/mercurial.mdwn         8
-rw-r--r--  doc/todo/svg.mdwn              10
-rw-r--r--  ikiwiki.spec                    2
-rwxr-xr-x  mdwn2man                        2
-rw-r--r--  po/ikiwiki.pot                 12
9 files changed, 47 insertions, 15 deletions
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index ceb7c7836..98786f432 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -862,7 +862,7 @@ sub page_to_id ($) { eval q{use Digest::MD5 'md5_hex'}; error($@) if $@; - return "comment-".md5_hex(Encode::encode_utf8(($page)); + return "comment-".md5_hex(Encode::encode_utf8(($page))); } package IkiWiki::PageSpec; diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index ee284a45c..26e18ffc7 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -30,9 +30,9 @@ sub import { "msnim", "notes", "rsync", "secondlife", "skype", "ssh", "sftp", "smb", "sms", "snews", "webcal", "ymsgr", ); - # data is a special case. Allow data:image/*, but - # disallow data:text/javascript and everything else. - $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i; + # data is a special case. Allow a few data:image/ types, + # but disallow data:text/javascript and everything else. + $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i; } sub getsetup () { diff --git a/debian/changelog b/debian/changelog index 6828e6b3f..7fdbbcb63 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,17 +1,19 @@ -ikiwiki (3.20100303) UNRELEASED; urgency=low +ikiwiki (3.20100312) unstable; urgency=HIGH * Fix utf8 issues in calls to md5_hex. * moderatedcomments: Added moderate_pagespec that can be used to control which users or comment locations are moderated. - This can be used, just for example, to moderate http://myopenid.com/* + This can be used, just for example, to moderate "user(http://myopenid.com/*)" if you're getting a lot of spammers from one particular openid provider (who should perhaps answer your emails about them), while not moderating other users. * moderatedcomments: The moderate_users setting is deprecated. Instead, - set moderate_pagespec to "!admin()" or "user(*)" instead. + set moderate_pagespec to "!admin()" or "user(*)". * Fix missing span on recentchanges page template. * search: Avoid '$' in the wikiname appearing unescaped on omega's query template, where it might crash omega. + * htmlscrubber: Security fix: In data:image/* uris, only allow a few + whitelisted image types. No svg. -- Joey Hess <joeyh@debian.org> Tue, 09 Mar 2010 19:46:35 -0500 diff --git a/doc/security.mdwn b/doc/security.mdwn index 3924186c2..21aef316b 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -427,3 +427,15 @@ enabling TeX configuration options that disallow unsafe TeX commands. The fix was released on 30 Aug 2009 in version 3.1415926, and was backported to stable in version 2.53.4. If you use the teximg plugin, I recommend upgrading. ([[!cve CVE-2009-2944]]) + +## javascript insertion via svg uris + +Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls, +including `data:image/svg+xml`. But svg can contain javascript, so that is +unsafe. + +This hole was discovered on 12 March 2010 and fixed the same day +with the release of ikiwiki 3.20100312. +A fix was also backported to Debian etch, as version 2.53.5. I recommend +upgrading to one of these versions if your wiki can be edited by third +parties. 
diff --git a/doc/todo/mercurial.mdwn b/doc/todo/mercurial.mdwn index e71c8106a..de1f148e5 100644 --- a/doc/todo/mercurial.mdwn +++ b/doc/todo/mercurial.mdwn @@ -119,3 +119,11 @@ I have a few notes on mercurial usage after trying it out for a while: >> I think the ideal solution would be to build `$destdir/recentchanges/*` directly from the output of `hg log`. --[[buo]] >>>> That would be 100 times as slow, so I chose not to do that. --[[Joey]] + +>>>> Since this is confusing people, allow me to clarify: Ikiwiki's +>>>> recentchanges generation pulls log information directly out of the VCS as +>>>> needed. It caches it in recentchanges/* in the `scrdir`. These cache +>>>> files need not be preserved, should never be checked into VCS, and if +>>>> you want to you can configure your VCSignore file to ignore them, +>>>> just as you can configure it to ignore the `.ikiwiki` directory in the +>>>> `scrdir`. --[[Joey]] diff --git a/doc/todo/svg.mdwn b/doc/todo/svg.mdwn index 2099751e3..274ebf3e3 100644 --- a/doc/todo/svg.mdwn +++ b/doc/todo/svg.mdwn @@ -58,6 +58,8 @@ in the trunk if other people think it's useful. [htmlscrubber.pm]:http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blob;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hb=fe333c8e5b4a5f374a059596ee698dacd755182d [diff]: http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blobdiff;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hp=3bdaccea119ec0e1b289a0da2f6d90e2219b8d66;hb=fe333c8e5b4a5f374a059596ee698dacd755182d;hpb=be0b4f603f918444b906e42825908ddac78b7073 +> Unfortuantly these links are broken. --[[Joey]] + * * * Actually, there's a way to embed SVG into MarkDown sources using the [data: URI scheme][rfc2397], [like this](data:image/svg+xml;base64,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). 
@@ -65,3 +67,11 @@ Of course, this way to display an image one needs to click a link, but it may be — [[Ivan_Shmakov]], 2010-03-12Z. [rfc2397]: http://tools.ietf.org/html/rfc2397 + +> You can do the same with img src actually. +> +> If svg markup allows unsafe elements (ie, javascript), +> which it appears to, +> then this is a security hole, and the htmlscrubber +> needs to lock it down more. Darn, now I have to spend my afternoon making +> security releases! --[[Joey]] diff --git a/ikiwiki.spec b/ikiwiki.spec index 73ea7a9c6..2bb87724d 100644 --- a/ikiwiki.spec +++ b/ikiwiki.spec @@ -1,5 +1,5 @@ Name: ikiwiki -Version: 3.20100302 +Version: 3.20100312 Release: 1%{?dist} Summary: A wiki compiler @@ -9,7 +9,7 @@ print ".TH $prog $section\n"; while (<>) { s{(\\?)\[\[([^\s\|\]]+)(\|[^\s\]]+)?\]\]}{$1 ? "[[$2]]" : $2}eg; s/\`//g; - s/^\./\\&./g; + s/^\s*\./\\&./g; if (/^#\s/) { s/^#\s/.SH /; <>; # blank; diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot index 11af9e4cd..df3000feb 100644 --- a/po/ikiwiki.pot +++ b/po/ikiwiki.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2010-03-02 22:18-0500\n" +"POT-Creation-Date: 2010-03-12 15:02-0500\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" @@ -494,7 +494,7 @@ msgstr "" msgid "Mirror" msgstr "" -#: ../IkiWiki/Plugin/moderatedcomments.pm:42 +#: ../IkiWiki/Plugin/moderatedcomments.pm:57 msgid "comment needs moderation" msgstr "" @@ -864,12 +864,12 @@ msgstr "" msgid "rsync_command exited %d" msgstr "" -#: ../IkiWiki/Plugin/search.pm:183 +#: ../IkiWiki/Plugin/search.pm:184 #, perl-format msgid "need Digest::SHA1 to index %s" msgstr "" -#: ../IkiWiki/Plugin/search.pm:218 +#: ../IkiWiki/Plugin/search.pm:221 msgid "search" msgstr "" 
@@ -960,11 +960,11 @@ msgstr "" msgid "failed to process:" msgstr "" -#: ../IkiWiki/Plugin/teximg.pm:71 +#: ../IkiWiki/Plugin/teximg.pm:72 msgid "missing tex code" msgstr "" -#: ../IkiWiki/Plugin/teximg.pm:123 +#: ../IkiWiki/Plugin/teximg.pm:124 msgid "failed to generate image from code" msgstr "" |
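Review bot: in the comments.pm hunk (page_to_id), the doubled parentheses in `Encode::encode_utf8(($page))` are redundant and are what made the removed line's bracket count come out wrong in the first place; `return "comment-".md5_hex(Encode::encode_utf8($page));` does the same job and is easier to count. It is also worth confirming that `$page` is always a character string at this point: `encode_utf8` applied to a value that is already UTF-8 bytes will double-encode it and so change the generated comment id.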
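Review bot: the new `data:image\/(?:png|jpeg|gif)` alternative in the htmlscrubber.pm hunk only checks a prefix, so anything that follows the type name is accepted, for example `data:image/pngfoo,...` or `data:image/gif+xml;...`. A data URI has the shape `data:<mediatype>[;base64],<data>`, so requiring the separator that has to follow the type closes that gap: `data:image\/(?:png|jpeg|gif)(?:;|,)`. Whether any browser would render an odd subtype is a browser question, but the scrubber should not depend on it. The `/i` flag already covers `data:IMAGE/PNG`, which is fine since media types are case-insensitive. The comment above the regexp could also say why svg is excluded (it can carry script), since at present only the changelog entry explains that.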
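Review bot: the trailer line `-- Joey Hess <joeyh@debian.org> Tue, 09 Mar 2010 19:46:35 -0500` in the debian/changelog hunk is unchanged context, so the new 3.20100312 entry is dated three days before the fix date that security.mdwn gives (12 March 2010); the trailer should be regenerated for the release. The new htmlscrubber entry would also be more useful with the affected versions named and, once one is assigned, a CVE identifier, as the preceding security.mdwn entry does for CVE-2009-2944.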
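Review bot: the new doc/security.mdwn section says the 2.53.5 backport went to "Debian etch", while the entry directly above it says the 2.53.4 fix for CVE-2009-2944 was backported "to stable"; 2.53.5 is the next point release of that same 2.53 branch, so check that "etch" is the right codename and consider using the same wording as the entry above, so readers can tell that both backports target the same release. It would also help to state explicitly that the fix is a whitelist (png, jpeg, gif) rather than a ban on svg alone, so sites relying on any other `data:image/*` type know those are now scrubbed as well.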
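Review bot: `scrdir` in the doc/todo/mercurial.mdwn hunk is a typo for `srcdir`; it appears twice, once in "It caches it in recentchanges/* in the `scrdir`" and once in the final sentence. "VCSignore file" is not a file name either and would read better as the VCS's ignore file, which for mercurial (the subject of this page) is `.hgignore`.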
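Review bot: `Unfortuantly` in the first doc/todo/svg.mdwn hunk is a typo for `Unfortunately`.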
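Review bot: in the mdwn2man hunk, the `/g` on `s/^\s*\./\\&./g` is redundant: without `/m` the `^` anchor can only match at the start of the string, so the substitution happens at most once and `s/^\s*\./\\&./` says the same thing. Note also that the new pattern consumes the leading whitespace it matches, so an indented line beginning with `.` is de-indented as well as escaped; if that is the intent, a short comment saying so would help the next reader. Separately, the `diff --git a/mdwn2man b/mdwn2man` header for this hunk is missing from the rendered page, so the hunk appears to belong to ikiwiki.spec; the file list at the top shows mdwn2man with 2 lines changed.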