From dcfeaaad5b6ac478251e37be777de40da4d0909c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 22 Jan 2011 10:15:33 -0400 Subject: comments: Fix XSS security hole due to missing validation of page name. Values have to be checked against wiki_file_regexp, not just file_pruned. Audited the rest of the code base for similar problems, found none. --- IkiWiki/Plugin/comments.pm | 4 ++-- debian/changelog | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index 1287590a7..d9183970d 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -364,8 +364,8 @@ sub editcomment ($$) { } # The untaint is OK (as in editpage) because we're about to pass - # it to file_pruned anyway - my $page = $form->field('page'); + # it to file_pruned and wiki_file_regexp anyway. + my $page = $form->field('page')=~/$config{wiki_file_regexp}/; $page = IkiWiki::possibly_foolish_untaint($page); if (! defined $page || ! length $page || IkiWiki::file_pruned($page)) { diff --git a/debian/changelog b/debian/changelog index 36e4a9576..0165a240b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ ikiwiki (3.20110106) UNRELEASED; urgency=low to feed links. (Giuseppe Bilotta) * inline: Use class rather than id for feedlinks and blogform. (Giuseppe Bilotta) + * comments: Fix XSS security hole due to missing validation of page name. -- Joey Hess Thu, 06 Jan 2011 14:41:34 -0400 -- cgit v1.2.3