From dcfeaaad5b6ac478251e37be777de40da4d0909c Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sat, 22 Jan 2011 10:15:33 -0400
Subject: comments: Fix XSS security hole due to missing validation of page name.
Values have to be checked against wiki_file_regexp, not just file_pruned. Audited the rest of the code base for similar problems, found none.
---
 IkiWiki/Plugin/comments.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'IkiWiki/Plugin')
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index 1287590a7..d9183970d 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -364,8 +364,8 @@ sub editcomment ($$) {
 }
 # The untaint is OK (as in editpage) because we're about to pass
- # it to file_pruned anyway
- my $page = $form->field('page');
+ # it to file_pruned and wiki_file_regexp anyway.
+ my $page = $form->field('page')=~/$config{wiki_file_regexp}/;
 $page = IkiWiki::possibly_foolish_untaint($page);
 if (! defined $page || ! length $page || IkiWiki::file_pruned($page)) {
--
cgit v1.2.3
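Review bot: The new assignment `my $page = $form->field('page')=~/$config{wiki_file_regexp}/;` stores the result of the match rather than the page name, because `=~` in scalar context yields 1 on success and an empty string on failure. A non-matching value is still rejected by the `! length $page` test, so the check fails closed, but every value that does match turns into the page name `1`. Keep `my $page = $form->field('page');` and put the validation in the condition instead, adding `|| $page !~ /$config{wiki_file_regexp}/` to the `if` that follows. Whether wiki_file_regexp is anchored is not visible in this hunk; if it is not, the test should require the whole value to match. The body of editcomment starts and ends outside the hunk.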