summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--IkiWiki.pm4
-rw-r--r--debian/changelog6
-rw-r--r--doc/security.mdwn9
3 files changed, 19 insertions, 0 deletions
diff --git a/IkiWiki.pm b/IkiWiki.pm
index 5e21e7090..735dc97b1 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -721,6 +721,10 @@ sub readfile ($;$$) { #{{{
binmode($in) if ($binary);
return \*$in if $wantfd;
my $ret=<$in>;
+ # check for invalid utf-8, and toss it back to avoid crashes
+ if (! utf8::valid($ret)) {
+ $ret=encode_utf8($ret);
+ }
close $in || error("failed to read $file: $!");
return $ret;
} #}}}
diff --git a/debian/changelog b/debian/changelog
index 99f35482e..3838a3e90 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ikiwiki (2.70) UNRELEASED; urgency=low
+
+ * Avoid crash on malformed utf-8 discovered by intrigeri.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 12 Nov 2008 17:30:33 -0500
+
ikiwiki (2.69) unstable; urgency=low
* Avoid multiple ikiwiki cgi processes piling up, eating all memory,
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 0841abf49..1bc7b9e60 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -407,3 +407,12 @@ discovered on 30 May 2008 and fixed the same day. ([[!cve CVE-2008-0169]])
I recommend upgrading to 2.48 immediatly if your wiki allows both password
and openid logins.
+
+## Malformed UTF-8 DOS
+
+Feeding ikiwiki page sources containing certian forms of malformed UTF-8
+can cause it to crash. This can potentially be used for a denial of service
+attack.
+
+intrigeri discovered this problem on 12 Nov 2008 and a patch put in place
+later that day.