summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/bugs/utf8_svn_log.mdwn2
-rw-r--r--doc/install.mdwn3
-rw-r--r--doc/security.mdwn23
3 files changed, 19 insertions, 9 deletions
diff --git a/doc/bugs/utf8_svn_log.mdwn b/doc/bugs/utf8_svn_log.mdwn
index 7266ab926..abd957719 100644
--- a/doc/bugs/utf8_svn_log.mdwn
+++ b/doc/bugs/utf8_svn_log.mdwn
@@ -7,3 +7,5 @@ have that locale.
Seems that the right fix for this is to use svn log --xml, which is
always utf-8 and come up with a parser for that. Also fixes the spoofing
issue in [[security]].
+
+[[bugs/done]]
diff --git a/doc/install.mdwn b/doc/install.mdwn
index 0aa55fb0b..f65e1a227 100644
--- a/doc/install.mdwn
+++ b/doc/install.mdwn
@@ -3,7 +3,8 @@ The easiest way to install ikiwiki is using the Debian package.
Ikiwiki requires [[MarkDown]] be installed, and also uses the following
perl modules if available: `CGI::Session` `CGI::FormBuilder` (version
3.02.02 or newer) `HTML::Template` `Mail::SendMail` `Time::Duration`
-`Date::Parse` (libtimedate-perl), `HTML::Scrubber`, `RPC::XML`
+`Date::Parse` (libtimedate-perl), `HTML::Scrubber`, `RPC::XML`,
+`XML::Simple`
If you want to install from the tarball, you should make sure that the required perl modules are installed, then run:
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 53000c08e..b294decc8 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -12,17 +12,16 @@ to be kept in mind.
_(The list of things to fix.)_
-## svn commit logs
+## commit spoofing
-Anyone with svn commit access can forge "web commit from foo" and make it
-appear on [[RecentChanges]] like foo committed. One way to avoid this would
-be to limit web commits to those done by a certian user.
+Anyone with direct commit access can forge "web commit from foo" and
+make it appear on [[RecentChanges]] like foo committed. One way to avoid
+this would be to limit web commits to those done by a certian user.
-It's actually possible to force a whole series of svn commits to appear to
-have come just before yours, by forging svn log output. This could be
-guarded against by using svn log --xml.
+## other stuff to look at
-ikiwiki escapes any html in svn commit logs to prevent other mischief.
+I need to audit the git backend a bit, and have been meaning to
+see if any CRLF injection type things can be done.
----
@@ -227,3 +226,11 @@ only render a file with that extension.
ikiwiki supports protecting users from their own broken browsers via the
[[plugins/htmlscrubber]] plugin, which is enabled by default.
+
+## svn commit logs
+
+It's was possible to force a whole series of svn commits to appear to
+have come just before yours, by forging svn log output. This was
+guarded against by using svn log --xml.
+
+ikiwiki escapes any html in svn commit logs to prevent other mischief.