if (! length $stylesheet) {
error gettext("stylesheet not found")
}
- push @{$metaheaders{$page}}, '<link href="'.urlto($stylesheet, $page).
+ push @{$metaheaders{$page}}, scrub('<link href="'.urlto($stylesheet, $page).
'" rel="'.encode_entities($rel).
'" title="'.encode_entities($title).
- "\" type=\"text/css\" />";
+ "\" type=\"text/css\" />", $page, $destpage);
}
elsif ($key eq 'openid') {
my $delegate=0; # both by default
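Review bot: The `href` value in the new `push` is still concatenated raw from `urlto($stylesheet, $page)`, while `rel` and `title` right beside it go through `encode_entities`. The added `scrub(...)` wrapper only helps where htmlscrubber is enabled (as the doc text added in this commit says), so on other pages that attribute has no escaping at all. Whether `urlto` can ever return a `"` or `<` is not visible from this hunk, but `encode_entities(urlto($stylesheet, $page))` would make the three attributes consistent regardless. A short comment above the call would also help, e.g. `# a <link> can pull in unsafe content; let htmlscrubber drop it where enabled`, since the reason for scrubbing a tag the plugin builds itself is not obvious. The enclosing `if`/`elsif` chain starts and ends outside the hunk.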
-ikiwiki (3.20110322) UNRELEASED; urgency=low
+ikiwiki (3.20110328) UNRELEASED; urgency=low
* Yaml formatted setup files are now produced by default.
(Perl formatted setup files can still be used.)
via the web.
* comment: Better fix to avoid showing comments of subpages, while
not breaking manual inlining of comments.
+ * meta: Security fix; don't allow alternative stylesheets to be added
+ on pages where the htmlscrubber is enabled.
-- Joey Hess <joeyh@debian.org> Thu, 24 Mar 2011 13:34:34 -0400
\[[!meta stylesheet=somestyle rel="alternate stylesheet"
title="somestyle"]]
+
+ However, this will be scrubbed away if the
+ [[!iki plugins/htmlscrubber desc=htmlscrubber]] plugin is enabled,
+ since it can be used to insert unsafe content.
* openid
the release of ikiwiki 3.20110122. A fix was backported to Debian squeeze,
as version 3.20100815.5. An upgrade is recommended for sites
with the comments plugin enabled. ([[!cve CVE-2011-0428]])
+
+## possible javascript insertion via insufficient htmlscrubbing of alternate stylesheets
+
+Tango noticed that 'meta stylesheet` directives allowed anyone
+who could upload a malicious stylesheet to a site to add it to a
+page as an alternate stylesheet. In order to be exploited, the user
+would have to select the alternative stylesheet in their browser.
+
+This hole was discovered on 28 Mar 2011 and fixed the same hour with
+the release of ikiwiki 3.20110328. An upgrade is recommended for sites
+that have untrusted committers, or have the attachments plugin enabled.