-rw-r--r-- | IkiWiki/Render.pm | 42 | ||||
-rw-r--r-- | debian/control | 4 | ||||
-rw-r--r-- | doc/htmlsanitization.mdwn | 30 | ||||
-rw-r--r-- | doc/ikiwiki.setup | 2 | ||||
-rw-r--r-- | doc/news/sanitization.html | 7 | ||||
-rw-r--r-- | doc/security.mdwn | 19 | ||||
-rw-r--r-- | doc/setup.mdwn | 2 | ||||
-rw-r--r-- | doc/todo/done/1.0_release_blockers.mdwn (renamed from doc/todo/1.0_release_blockers.mdwn) | 0 | ||||
-rw-r--r-- | doc/usage.mdwn | 5 | ||||
-rwxr-xr-x | ikiwiki | 2 |
10 files changed, 100 insertions, 13 deletions
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index dfa598da0..d0d28e802 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -18,6 +18,40 @@ sub linkify ($$) { #{{{
 return $content;
 } #}}}
 
+my $_scrubber;
+sub scrubber { #{{{
+ return $_scrubber if defined $_scrubber;
+
+ eval q{use HTML::Scrubber};
+ # Lists based on http://feedparser.org/docs/html-sanitization.html
+ $_scrubber = HTML::Scrubber->new(
+ allow => [qw{
+ a abbr acronym address area b big blockquote br
+ button caption center cite code col colgroup dd del
+ dfn dir div dl dt em fieldset font form h1 h2 h3 h4
+ h5 h6 hr i img input ins kbd label legend li map
+ menu ol optgroup option p pre q s samp select small
+ span strike strong sub sup table tbody td textarea
+ tfoot th thead tr tt u ul var
+ }],
+ default => [undef, { map { $_ => 1 } qw{
+ abbr accept accept-charset accesskey action
+ align alt axis border cellpadding cellspacing
+ char charoff charset checked cite class
+ clear cols colspan color compact coords
+ datetime dir disabled enctype for frame
+ headers height href hreflang hspace id ismap
+ label lang longdesc maxlength media method
+ multiple name nohref noshade nowrap prompt
+ readonly rel rev rows rowspan rules scope
+ selected shape size span src start summary
+ tabindex target title type usemap valign
+ value vspace width
+ }}],
+ );
+ return $_scrubber;
+} # }}}
+
 sub htmlize ($$) { #{{{
 my $type=shift;
 my $content=shift;
@@ -30,11 +64,17 @@ sub htmlize ($$) { #{{{
 }
 
 if ($type eq '.mdwn') {
- return Markdown::Markdown($content);
+ $content=Markdown::Markdown($content);
 }
 else {
 error("htmlization of $type not supported");
 }
+
+ if ($config{sanitize}) {
+ $content=scrubber()->scrub($content);
+ }
+
+ return $content;
 } #}}}
 
 sub backlinks ($) { #{{{
diff --git a/debian/control b/debian/control
index 9d2e0c461..66c21e8a5 100644
--- a/debian/control
+++ b/debian/control
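Review bot: In scrubber(), every whitelisted attribute is mapped to `1` by `map { $_ => 1 }`, so `action`, `cite`, `href`, `longdesc`, `src` and `usemap` are accepted whatever value they carry; the tag and attribute lists alone do not constrain the URL scheme in those attributes, and the feedparser document this is based on pairs its lists with a separate scheme check. If the installed HTML::Scrubber accepts a qr// as an attribute rule (later versions do), the URL-bearing attributes should get a scheme-restricting pattern instead of `1`, as sketched below; if it does not, they need a post-scrub pass. Separately, `eval q{use HTML::Scrubber};` ignores `$@`, so a missing module only surfaces as a confusing method-call failure at `HTML::Scrubber->new`; adding `error("HTML::Scrubber is required for html sanitization: $@") if $@;` right after the eval fails closed with a clear message, using the same error() the file already calls in htmlize.
```perl
	# Constructed example: relative URLs, or one of a small set of schemes.
	my $safe_url_regexp = qr/\A(?:(?:https?|ftp|mailto):|[^:]*\z)/i;
	$_scrubber = HTML::Scrubber->new(
		# … unchanged: allow => [qw{ … }] …
		default => [undef, {
			# … unchanged: (map { $_ => 1 } qw{ … }) for the non-URL attributes …
			(map { $_ => $safe_url_regexp } qw{ action cite href longdesc src usemap }),
		}],
	);
```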
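Review bot: The new `if ($config{sanitize})` block in htmlize is the only thing standing between rendered markup and the output, yet nothing records that it has to stay the last transformation of `$content` inside htmlize; a later edit that post-processes the markup after this point would silently bypass the whitelist. A comment such as `# Sanitize last, after all htmlization, so the whitelist sees the markup that is actually emitted.` above the block would make the ordering a documented invariant. The scrub is reached only via the `.mdwn` branch, assuming error() in the else branch does not return, and whether other render paths (templates, CGI preview) route through htmlize is not visible here; the body of htmlize starts outside the hunk.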
@@ -1,13 +1,13 @@
 Source: ikiwiki
 Section: web
 Priority: optional
-Build-Depends: debhelper (>= 5), dpkg-dev (>= 1.9.0), markdown, libhtml-template-perl
+Build-Depends: debhelper (>= 5), dpkg-dev (>= 1.9.0), markdown, libhtml-template-perl, libhtml-scrubber-perl
 Maintainer: Joey Hess <joeyh@debian.org>
 Standards-Version: 3.6.2
 
 Package: ikiwiki
 Architecture: all
-Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler
+Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libhtml-scrubber-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler
 Recommends: subversion, hyperestraier
 Suggests: viewcvs
 Description: a wiki compiler
diff --git a/doc/htmlsanitization.mdwn b/doc/htmlsanitization.mdwn
new file mode 100644
index 000000000..617753e86
--- /dev/null
+++ b/doc/htmlsanitization.mdwn
@@ -0,0 +1,30 @@
+When run with the --sanitize switch, which is turned on by default (see
+[[usage]], ikiwiki sanitizes the html on pages it renders to avoid XSS
+attacks and the like.
+
+ikiwiki excludes all html tags and attributes except for those that are
+whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
+Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
+Notably it strips `style`, `link`, and the `style` attribute.
+
+ikiwiki uses the HTML::Scrubber perl module to perform its html
+sanitisation, and this perl module also deals with various entity encoding
+tricks.
+
+While I beleive that this makes ikiwiki as resistant to malicious html
+content as anything else on the web, I cannot guarantee that it will
+actually protect every user of every browser from every browser security
+hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
+in ikiwiki's [[GPL]] license.
+
+The web's security model is *fundamntally broken*; ikiwiki's HTML
+sanitisation is only a patch on the underlying gaping hole that is your web
+browser.
+
+----
+
+Some examples of embedded javascript that won't be let through.
+
+<span style="background: url(javascript:window.location='http://example.org/')">test</span>
+<span style="any: expression(window.location='http://example.org/')">test</span>
+<span style="any: expression(window.location='http://example.org/')">test</span>
diff --git a/doc/ikiwiki.setup b/doc/ikiwiki.setup
index c77385583..9775b3194 100644
--- a/doc/ikiwiki.setup
+++ b/doc/ikiwiki.setup
@@ -50,4 +50,6 @@ use IkiWiki::Setup::Standard {
 rss => 1,
 # Use the Hyper Estraier search engine?
 #hyperestraier => 1,
+ # Sanitize html?
+ sanitize => 1,
 }
diff --git a/doc/news/sanitization.html b/doc/news/sanitization.html
new file mode 100644
index 000000000..6ce254157
--- /dev/null
+++ b/doc/news/sanitization.html
@@ -0,0 +1,7 @@
+ikiwiki's main outstanding security hole, lack of [[HtmlSanitization]] has
+now been addressed. ikiwiki now sanitizes html by default.
+
+If only trusted parties can edit your wiki's content, then you might want
+to turn this sanitization back off to allow use of potentially dangerous
+tags. To do so, pass --no-sanitize or set "sanitize => 0," in your
+[[ikiwiki.setup]].
diff --git a/doc/security.mdwn b/doc/security.mdwn
index bc5e318c9..00b8e8824 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -8,21 +8,18 @@ to be kept in mind.
 
 # Probable holes
 
-## html attacks
+## XSS holes in CGI output
 
-ikiwiki does not attempt to do any santization of the html on the wiki.
-[[MarkDown]] allows embedding of arbitrary html into a markdown document. If
-you let anyone else edit files on the wiki, then anyone can have fun exploiting
-the web browser bug of the day. This type of attack is typically referred
-to as an XSS attack ([google](http://www.google.com/search?q=xss+attack)).
+ikiwiki has not yet been audited to ensure that all cgi script output is
+sanitised to prevent XSS attacks.
 
 ## image files etc attacks
 
 If it enounters a file type it does not understand, ikiwiki just copies it
 into place. So if you let users add any kind of file they like, they can
-upload images, movies, windows executables, css files, etc. If these files
-exploit security holes in the browser of someone who's viewing the wiki,
-that can be a security problem.
+upload images, movies, windows executables, css files, etc (though not html
+files). If these files exploit security holes in the browser of someone
+who's viewing the wiki, that can be a security problem.
 
 Of course nobody else seems to worry about this in other wikis, so should we?
 
@@ -193,3 +190,7 @@ would still be possible to use this attack to confuse ikiwiki into rendering
 the wrong thing. This is not currently possible, but must be kept in mind
 in the future when for example adding support for generating html pages
 from source with some other extension.
+
+## XSS attacks in page content
+
+ikiwiki supports [[HtmlSanitistion]], though it can be turned off.
diff --git a/doc/setup.mdwn b/doc/setup.mdwn
index 29ce068b8..818335257 100644
--- a/doc/setup.mdwn
+++ b/doc/setup.mdwn
@@ -9,7 +9,7 @@ optional support for commits from the web.
 Ikiwiki requires [[MarkDown]] be installed, and also uses the following
 perl modules: `CGI::Session` `CGI::FormBuilder` (version 3.02.02 or newer)
 `HTML::Template` `Mail::SendMail` `Time::Duration` `Date::Parse`
- (libtimedate-perl)
+ (libtimedate-perl), `HTML::Scrubber`
 
 2. Create the subversion repository for your wiki.
 
diff --git a/doc/todo/1.0_release_blockers.mdwn b/doc/todo/done/1.0_release_blockers.mdwn
index 01ec8193b..01ec8193b 100644
--- a/doc/todo/1.0_release_blockers.mdwn
+++ b/doc/todo/done/1.0_release_blockers.mdwn
diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index ca805ce33..34e6bd1d4 100644
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -167,6 +167,11 @@ These options configure the wiki.
 Currently allows locking of any page, other powers may be added later.
 May be specified multiple times for multiple admins.
 
+* --sanitize
+
+ Enable [[HtmlSanitization]] of wiki content. On by default, disable with
+ --no-sanitize.
+
 * --hyperestraier
 
 Enables use of the [[HyperEstraier]] search engine for full test page
@@ -34,6 +34,7 @@ sub getconfig () { #{{{
 diffurl => '',
 anonok => 0,
 rss => 0,
+ sanitize => 1,
 rebuild => 0,
 refresh => 0,
 getctime => 0,
@@ -66,6 +67,7 @@ sub getconfig () { #{{{
 "rss!" => \$config{rss},
 "cgi!" => \$config{cgi},
 "notify!" => \$config{notify},
+ "sanitize!" => \$config{sanitize},
 "url=s" => \$config{url},
 "cgiurl=s" => \$config{cgiurl},
 "historyurl=s" => \$config{historyurl}, |
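Review bot: `sanitize => 1` in the `%config` defaults of getconfig is the only place the on-by-default policy is set, and nothing in that table hints that the negatable Getopt spec `"sanitize!"` in the second hunk is what makes `--no-sanitize` available; a trailing comment `sanitize => 1, # html sanitization on by default; --no-sanitize or sanitize => 0 in the setup file turns it off` would tie the two hunks together for the next reader. Both hunks sit inside getconfig, whose start and end are outside them. The diff header for this section is missing from the page, so the file being patched (the ikiwiki script per the diffstat) is inferred rather than visible.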