-rw-r--r-- doc/bugs/ikiwiki_ignores_PATH_environment.mdwn 6
-rw-r--r-- doc/forum/using_svn+ssh_with_ikiwiki.mdwn 2
2 files changed, 8 insertions, 0 deletions
diff --git a/doc/bugs/ikiwiki_ignores_PATH_environment.mdwn b/doc/bugs/ikiwiki_ignores_PATH_environment.mdwn
index 5097acaef..6781d4b4b 100644
--- a/doc/bugs/ikiwiki_ignores_PATH_environment.mdwn
+++ b/doc/bugs/ikiwiki_ignores_PATH_environment.mdwn
@@ -16,3 +16,9 @@ This makes it a little hard to specify which specific binaries should be used, e
> The ikiwiki script's own sanitization of PATH was done to make perl taint
> checking happy, but as taint checking is disabled anyway, I have removed
> that. [[done]] --[[Joey]]
+
+Question: Do ikiwiki.cgi and the RCS post-commit script sanitize the $PATH separately from bin/ikiwiki? If not, then bin/ikiwiki is probably right to sanitize the $PATH; otherwise you've created a security hole with access to the account that ikiwiki is SUID to. It'd be nice if /opt/local/bin were earlier in the $PATH, but that can be changed (as noted) in the setup file. [[Glenn|geychaner@mac.com]] (Also the person who started this by filing an issue with MacPorts; I'm experimenting with ikiwiki for collaborative documentation.)
+
+> The suid wrappers remove all environment variables except for a few used
+> for CGI. PATH is not propigated by them, so when they run ikiwiki it will
+> get the system's default path now. --[[Joey]]
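Review bot: the reply added at the end of this hunk says the suid wrappers drop PATH so ikiwiki "will get the system's default path now", but it does not say where that default comes from or where the list of kept variables lives, so a reader cannot check the claim. Suggest pointing to the place the list is defined (the other file in this commit refers to the @envsave list in Wrapper.pm) and stating explicitly that both ikiwiki.cgi and the post-commit script go through the same wrapper, since that is what the question asks. Two smaller points: "propigated" should read "propagated", and the mail address embedded in the [[Glenn|...]] link will be published on the wiki page as written.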
diff --git a/doc/forum/using_svn+ssh_with_ikiwiki.mdwn b/doc/forum/using_svn+ssh_with_ikiwiki.mdwn
index ce271722c..8d9c27e46 100644
--- a/doc/forum/using_svn+ssh_with_ikiwiki.mdwn
+++ b/doc/forum/using_svn+ssh_with_ikiwiki.mdwn
@@ -7,3 +7,5 @@ I think this is because, despite a SetEnv directive in the apache configuration,
> That seems likely. You can edit Wrapper.pm and add SVN_SSH to the @envsave list and rebuild your wrappers to test it. --Joey
A better way(?) would be to add a plugin to set the SVN_SSH variable at the appropriate moment (or even to add this to the SVN plugin). What kind of hook should this be; it needs to run just *after* the CGI script cleans its environment? --[[Glenn|geychaner@mac.com]]
+
+Actually, this probably doesn't need to be a plugin; setting SVN_SSH in ENV can probably be done through the setup file. (Right?) --[[Glenn|geychaner@mac.com]]
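Review bot: the added line ends on an open "(Right?)" and does not name the setup-file setting that would put SVN_SSH into ENV, so a reader cannot act on it. Suggest either naming the setting with a sample value or marking the line as an untested question. If the approach works, it is also worth saying why it is preferable to the @envsave suggestion quoted above it: the value is then fixed by whoever owns the setup file rather than passed through the wrapper from the web server's environment.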