-rw-r--r--IkiWiki/Plugin/editpage.pm5
-rw-r--r--debian/changelog2
2 files changed, 5 insertions, 2 deletions
diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm
index bb21ed2be..68f43bf16 100644
--- a/IkiWiki/Plugin/editpage.pm
+++ b/IkiWiki/Plugin/editpage.pm
@@ -85,8 +85,9 @@ sub cgi_editpage ($$) { #{{{
});
decode_form_utf8($form);
- # This untaint is safe because we check file_pruned.
- my $page=$form->field('page');
+ # This untaint is safe because we check file_pruned and
+ # wiki_file_regexp.
+ my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/;
$page=possibly_foolish_untaint($page);
my $absolute=($page =~ s#^/+##);
if (! defined $page || ! length $page ||
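Review bot: After the new list-context match, `$page` is undef whenever the `page` field is absent or fails `$config{wiki_file_regexp}`, yet `possibly_foolish_untaint($page)` and the `$page =~ s#^/+##` substitution on the next two lines still run on it before the `! defined $page` test on the last visible line; under `use warnings` that produces uninitialized-value warnings in the CGI error log for every rejected name. Hoist the defined check to directly follow the match and only then untaint and strip the leading slashes. The new line also silently depends on the configured regexp containing a capturing group: in list context a group-less pattern returns `1` on success, so `$page` would become the string "1" rather than the validated name; a short comment such as `# wiki_file_regexp must capture the whole page name` would make that contract explicit. The body of cgi_editpage continues on both sides of this hunk, and the file_pruned check the comment refers to is outside it.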
diff --git a/debian/changelog b/debian/changelog
index 6019e3960..d67fb73ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,8 @@ ikiwiki (2.65) UNRELEASED; urgency=low
(willu)
* edittemplate: Add "silent" parameter. (Willu)
* edittemplate: Link to template, to allow creating it. (Willu)
+ * editpage: Add a missing check that the page name contains only legal
+ characters, in addition to the existing check for pruned filenames.
-- Joey Hess <joeyh@debian.org> Wed, 17 Sep 2008 14:26:56 -0400