diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/bugs/utf8_svn_log.mdwn | 2 | ||||
-rw-r--r-- | doc/install.mdwn | 3 | ||||
-rw-r--r-- | doc/security.mdwn | 23 |
3 files changed, 19 insertions, 9 deletions
diff --git a/doc/bugs/utf8_svn_log.mdwn b/doc/bugs/utf8_svn_log.mdwn index 7266ab926..abd957719 100644 --- a/doc/bugs/utf8_svn_log.mdwn +++ b/doc/bugs/utf8_svn_log.mdwn @@ -7,3 +7,5 @@ have that locale. Seems that the right fix for this is to use svn log --xml, which is always utf-8 and come up with a parser for that. Also fixes the spoofing issue in [[security]]. + +[[bugs/done]] diff --git a/doc/install.mdwn b/doc/install.mdwn index 0aa55fb0b..f65e1a227 100644 --- a/doc/install.mdwn +++ b/doc/install.mdwn @@ -3,7 +3,8 @@ The easiest way to install ikiwiki is using the Debian package. Ikiwiki requires [[MarkDown]] be installed, and also uses the following perl modules if available: `CGI::Session` `CGI::FormBuilder` (version 3.02.02 or newer) `HTML::Template` `Mail::SendMail` `Time::Duration` -`Date::Parse` (libtimedate-perl), `HTML::Scrubber`, `RPC::XML` +`Date::Parse` (libtimedate-perl), `HTML::Scrubber`, `RPC::XML`, +`XML::Simple` If you want to install from the tarball, you should make sure that the required perl modules are installed, then run: diff --git a/doc/security.mdwn b/doc/security.mdwn index 53000c08e..b294decc8 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -12,17 +12,16 @@ to be kept in mind. _(The list of things to fix.)_ -## svn commit logs +## commit spoofing -Anyone with svn commit access can forge "web commit from foo" and make it -appear on [[RecentChanges]] like foo committed. One way to avoid this would -be to limit web commits to those done by a certian user. +Anyone with direct commit access can forge "web commit from foo" and +make it appear on [[RecentChanges]] like foo committed. One way to avoid +this would be to limit web commits to those done by a certian user. -It's actually possible to force a whole series of svn commits to appear to -have come just before yours, by forging svn log output. This could be -guarded against by using svn log --xml. +## other stuff to look at -ikiwiki escapes any html in svn commit logs to prevent other mischief. +I need to audit the git backend a bit, and have been meaning to +see if any CRLF injection type things can be done. ---- @@ -227,3 +226,11 @@ only render a file with that extension. ikiwiki supports protecting users from their own broken browsers via the [[plugins/htmlscrubber]] plugin, which is enabled by default. + +## svn commit logs + +It's was possible to force a whole series of svn commits to appear to +have come just before yours, by forging svn log output. This was +guarded against by using svn log --xml. + +ikiwiki escapes any html in svn commit logs to prevent other mischief. |