-rw-r--r-- | debian/changelog | 2
-rw-r--r-- | doc/bugs/ikiwiki_ignores_PATH_environment.mdwn | 9
-rw-r--r-- | doc/forum/Forward_slashes_being_escaped_as_252F.mdwn | 13
-rwxr-xr-x | ikiwiki.in | 3
4 files changed, 24 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index 430bd302c..a9892938a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,8 @@ ikiwiki (3.20100832) UNRELEASED; urgency=low * needsbuild hook interface changed; the hooks should now return the modified array of things that need built. (Backwards compatability code keeps plugins using the old interface working.) + * Remove PATH overriding code in ikiwiki script that was present to make + perl taint checking happy, but taint checking is disabled. -- Joey Hess <joeyh@debian.org> Tue, 07 Sep 2010 12:08:05 -0400 diff --git a/doc/bugs/ikiwiki_ignores_PATH_environment.mdwn b/doc/bugs/ikiwiki_ignores_PATH_environment.mdwn index 63ac4bc31..5097acaef 100644 --- a/doc/bugs/ikiwiki_ignores_PATH_environment.mdwn +++ b/doc/bugs/ikiwiki_ignores_PATH_environment.mdwn @@ -7,3 +7,12 @@ This makes it a little hard to specify which specific binaries should be used, e $ENV{PATH}="$ENV{PATH}:/usr/local/bin:/usr/bin:/bin:/opt/local/bin"; ? The alternative is of course to patch ikiwiki as suggested in the bug, but I wanted to ask here first :) + +> You can use the ENV setting in your setup file to set any environment +> variables you like. Since ikiwiki.cgi is run by the web browser, that +> is the best way to ensure ikiwiki always runs with a given variable set. +> +> As a suid program, the ikiwiki wrappers have to sanitize the environment. +> The ikiwiki script's own sanitization of PATH was done to make perl taint +> checking happy, but as taint checking is disabled anyway, I have removed +> that. [[done]] --[[Joey]] diff --git a/doc/forum/Forward_slashes_being_escaped_as_252F.mdwn b/doc/forum/Forward_slashes_being_escaped_as_252F.mdwn index b9c5aca07..cabb21b5c 100644 --- a/doc/forum/Forward_slashes_being_escaped_as_252F.mdwn +++ b/doc/forum/Forward_slashes_being_escaped_as_252F.mdwn 
@@ -7,3 +7,16 @@ I am sent to a page with the URL `http://ciffer.net/~svend/ikiwiki.cgi?page=tech%252Fhosts&do=edit`. I am running ikiwiki 3.20100504~bpo50+1 on Debian Lenny. + + +> But on your page, the Edit link is escaped normally and correctly (using %2F). +> Look at the page source! +> +> The problem is that your web server is forcing a hard (302) redirect +> to the doubly-escaped url. In wireshark I see your web server send back: + + HTTP/1.1 302 Found\r\n + Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch + Location: http://ciffer.net/~svend/ikiwiki.cgi?page=tech%252Fhosts&do=edit + +> You'll need to investigate why your web server is doing that... --[[Joey]] diff --git a/ikiwiki.in b/ikiwiki.in index bcda2469b..339efd37c 100755 --- a/ikiwiki.in +++ b/ikiwiki.in @@ -1,7 +1,4 @@ #!/usr/bin/perl -$ENV{PATH}="/usr/local/bin:/usr/bin:/bin"; -delete @ENV{qw{IFS CDPATH ENV BASH_ENV}}; - package IkiWiki; use warnings; |
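Review bot: the new debian/changelog entry names only the PATH override, but the ikiwiki.in hunk in this same commit also removes `delete @ENV{qw{IFS CDPATH ENV BASH_ENV}};`. Suggest wording the entry to cover both removals, so that someone auditing environment handling later can find this change from the changelog alone.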
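Review bot: in the reply added to doc/bugs/ikiwiki_ignores_PATH_environment.mdwn, "ikiwiki.cgi is run by the web browser" should read "web server", since the CGI executes on the server side and that is why the ENV setting in the setup file is the reliable place to set variables. The same reply mentions only the PATH sanitization being removed; it would help to say that the deletion of IFS, CDPATH, ENV and BASH_ENV went with it.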
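Review bot: with both removed lines gone from the top of ikiwiki.in, the script no longer sets PATH or clears IFS, CDPATH, ENV and BASH_ENV itself, so any external program it runs is resolved and started under whatever environment the caller supplied. The bug-page reply in this commit says the suid wrappers sanitize the environment; please confirm the wrapper handles these same five variables, and consider leaving a short comment at the top of ikiwiki.in stating that environment sanitization is the wrapper's job, so the assumption stays visible where the code used to be.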