From 0e445d62d212d8e6c2cd5d11a38ae8cef914c1cd Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 10 Feb 2008 19:00:26 -0500 Subject: some updates about the recent hole --- doc/security.mdwn | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/security.mdwn b/doc/security.mdwn index d9e0f655b..9259209ee 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -356,9 +356,12 @@ allow the security hole to be exploited. ## javascript insertion via uris The htmlscrubber did not block javascript in uris. This was fixed by adding -a whitelist of valid uri types, which does not include javascript. +a whitelist of valid uri types, which does not include javascript. Some +urls specifyable by the meta plugin could also theoretically have been used +to inject javascript; this was also blocked. This hole was discovered on 10 February 2008 and fixed the same day -with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch, -as version 1.33.4. I recommend upgrading to one of these versions if your -wiki can be edited by third parties. +with the release of ikiwiki 2.31.1. (And a few subsequent versions..) +A fix was also backported to Debian etch, as version 1.33.4. I recommend +upgrading to one of these versions if your wiki can be edited by third +parties. -- cgit v1.2.3