diff options
-rw-r--r-- | IkiWiki.pm | 4 | ||||
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | doc/security.mdwn | 9 |
3 files changed, 19 insertions, 0 deletions
diff --git a/IkiWiki.pm b/IkiWiki.pm index 5e21e7090..735dc97b1 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -721,6 +721,10 @@ sub readfile ($;$$) { #{{{ binmode($in) if ($binary); return \*$in if $wantfd; my $ret=<$in>; + # check for invalid utf-8, and toss it back to avoid crashes + if (! utf8::valid($ret)) { + $ret=encode_utf8($ret); + } close $in || error("failed to read $file: $!"); return $ret; } #}}} diff --git a/debian/changelog b/debian/changelog index 99f35482e..3838a3e90 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +ikiwiki (2.70) UNRELEASED; urgency=low + + * Avoid crash on malformed utf-8 discovered by intrigeri. + + -- Joey Hess <joeyh@debian.org> Wed, 12 Nov 2008 17:30:33 -0500 + ikiwiki (2.69) unstable; urgency=low * Avoid multiple ikiwiki cgi processes piling up, eating all memory, diff --git a/doc/security.mdwn b/doc/security.mdwn index 0841abf49..1bc7b9e60 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -407,3 +407,12 @@ discovered on 30 May 2008 and fixed the same day. ([[!cve CVE-2008-0169]]) I recommend upgrading to 2.48 immediatly if your wiki allows both password and openid logins. + +## Malformed UTF-8 DOS + +Feeding ikiwiki page sources containing certian forms of malformed UTF-8 +can cause it to crash. This can potentially be used for a denial of service +attack. + +intrigeri discovered this problem on 12 Nov 2008 and a patch put in place +later that day. |