diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/security/discussion.mdwn | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/doc/security/discussion.mdwn b/doc/security/discussion.mdwn new file mode 100644 index 000000000..ddf61c5f8 --- /dev/null +++ b/doc/security/discussion.mdwn @@ -0,0 +1,33 @@ +Copied from an email I sent --[[Joey]] + +> Apart from restricting escape characters and characters with special +> meanings to the filesystem (such as '/') or the version control system +> (which may not cope with \n), why limit filenames at all? + +Suppose that git-add and git-commit a shell scripts: + + #!/bin/sh + /opt/git/git commit $1 + + #!/bin/sh + /opt/git/git add $1 + +Ok, that's crappy code, but git add and commit are only run by a trusted +user at the command line, so it's hardly a security hole. (And frankly, +I'm not all too impressed with the real shell code I've seen in git-* +..) + +But there's no security problem until ikiwiki calls it on a filename +that a web user made up. Now, suppose that ikiwiki decided to allow +spaces in filenames. Nothing else new, just spaces. Of course, the above +bad code will fail to add and commit such files. + +But it won't just fail, it can even expose private data. Suppose that $1 +is "foo.mdwn .ikiwiki/userdb foo.mdwn". Then the userdb, with its +passwords and emails is committed, along with foo.mdwn. + +Moral: ikiwiki interfaces with code that was not necessarily written for the +security context that ikiwiki runs in. Even the most innocuous filenames can do +very unexpected things if you let the shell get ahold of them. Ikiwiki needs to +sanitize the hell out of user inputted data before letting it anywhere near the +shell. |