Diffstat (limited to 'IkiWiki')
-rw-r--r--IkiWiki/CGI.pm7
-rw-r--r--IkiWiki/Plugin/smiley.pm1
-rw-r--r--IkiWiki/Render.pm51
3 files changed, 32 insertions, 27 deletions
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 82b619592..c785e31de 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -335,7 +335,8 @@ sub cgi_editpage ($$) { #{{{
# characters.
my ($page)=$form->field('page');
$page=titlepage(possibly_foolish_untaint($page));
- if (! defined $page || ! length $page || file_pruned($page, $config{srcdir}) || $page=~/^\//) {
+ if (! defined $page || ! length $page ||
+ file_pruned($page, $config{srcdir}) || $page=~/^\//) {
error("bad page name");
}
@@ -512,8 +513,8 @@ sub cgi_editpage ($$) { #{{{
my $exists=-e "$config{srcdir}/$file";
- if ($form->field("do") ne "create" &&
- ! $exists && ! -e "$config{underlaydir}/$file") {
+ if ($form->field("do") ne "create" && ! $exists &&
+ ! eval { srcfile($file) }) {
$form->tmpl_param("page_gone", 1);
$form->field(name => "do", value => "create", force => 1);
$form->tmpl_param("page_select", 0);
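Review bot: The new test `! eval { srcfile($file) }` treats every exception thrown inside srcfile() as "page is gone", not only a failed lookup, and it leaves `$@` set for whatever runs next in cgi_editpage. Presumably srcfile() dies when the file is in neither srcdir nor any underlay, which is why the eval is needed, but that is not visible in this hunk and should be confirmed. A one-line comment above the condition would record the intent, e.g. `# srcfile() dies if $file is in neither srcdir nor an underlay; any failure is treated as "gone"`. The body of cgi_editpage starts and ends outside the hunk.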
diff --git a/IkiWiki/Plugin/smiley.pm b/IkiWiki/Plugin/smiley.pm
index 96e714d3d..932c2c4fe 100644
--- a/IkiWiki/Plugin/smiley.pm
+++ b/IkiWiki/Plugin/smiley.pm
@@ -9,6 +9,7 @@ my %smileys;
my $smiley_regexp;
sub import { #{{{
+ add_underlay("smiley");
hook(type => "filter", id => "smiley", call => \&filter);
} # }}}
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index 5fd0dea0d..35d663a7a 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -270,34 +270,37 @@ sub refresh () { #{{{
}
},
}, $config{srcdir});
- find({
- no_chdir => 1,
- wanted => sub {
- $_=decode_utf8($_);
- if (file_pruned($_, $config{underlaydir})) {
- $File::Find::prune=1;
- }
- elsif (! -d $_ && ! -l $_) {
- my ($f)=/$config{wiki_file_regexp}/; # untaint
- if (! defined $f) {
- warn(sprintf(gettext("skipping bad filename %s"), $_)."\n");
+ foreach my $dir (@{$config{underlaydirs}}, $config{underlaydir}) {
+ find({
+ no_chdir => 1,
+ wanted => sub {
+ $_=decode_utf8($_);
+ if (file_pruned($_, $dir)) {
+ $File::Find::prune=1;
}
- else {
- # Don't add pages that are in the
- # srcdir.
- $f=~s/^\Q$config{underlaydir}\E\/?//;
- if (! -e "$config{srcdir}/$f" &&
- ! -l "$config{srcdir}/$f") {
- my $page=pagename($f);
- if (! $exists{$page}) {
- push @files, $f;
- $exists{$page}=1;
+ elsif (! -d $_ && ! -l $_) {
+ my ($f)=/$config{wiki_file_regexp}/; # untaint
+ if (! defined $f) {
+ warn(sprintf(gettext("skipping bad filename %s"), $_)."\n");
+ }
+ else {
+ $f=~s/^\Q$dir\E\/?//;
+ # avoid underlaydir
+ # override attacks; see
+ # security.mdwn
+ if (! -e "$config{srcdir}/$f" &&
+ ! -l "$config{srcdir}/$f") {
+ my $page=pagename($f);
+ if (! $exists{$page}) {
+ push @files, $f;
+ $exists{$page}=1;
+ }
}
}
}
- }
- },
- }, $config{underlaydir});
+ },
+ }, $dir);
+ };
my %rendered;
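Review bot: Because `$exists{$page}` is first-wins, the order of `@{$config{underlaydirs}}, $config{underlaydir}` in the new foreach decides which underlay supplies a page when two of them hold the same name, and nothing here documents that or ties it to the lookup order srcfile() uses in the CGI.pm change (srcfile is not visible here, so this needs confirming). If the two orders differ, the file that gets rendered and the file offered for editing could come from different directories. I would state the precedence above the loop, e.g. `# plugin underlays are scanned before underlaydir; the first directory holding a page wins (keep in step with srcfile())`, and widen the inner comment to `# a file or symlink in srcdir always beats every underlay; see security.mdwn`. The trailing `};` after the loop is a harmless empty statement and can be a plain `}`; refresh() starts and ends outside this hunk.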