From: joey Date: Sat, 10 Feb 2007 20:37:36 +0000 (+0000) Subject: * Fix a security hole that allowed a web user to edit images and other X-Git-Tag: 1.42~1 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=29e6ff03b078a0c6abb659c9e81343d523d3b13a;p=ikiwiki.git * Fix a security hole that allowed a web user to edit images and other non-page format files in the wiki. To exploit this, the file already had to exist in the wiki, and the web user would need to somehow use the web based editor to replace it with malicious content. (Sorry Josh, this means you can't edit style.css directly anymore, although I do appreciate your fixes, actually..)
---
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index a8e610e2d..6c489df8d 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -323,6 +323,9 @@ sub cgi_editpage ($$) { #{{{
 if (exists $pagesources{$page}) {
 $file=$pagesources{$page};
 $type=pagetype($file);
+ if (! defined $type) {
+ error(sprintf(gettext("%s is not an editable page"), $page));
+ }
 }
 else {
 $type=$form->param('type');
diff --git a/debian/changelog b/debian/changelog
index d3ec481f8..13293d863 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,8 +25,14 @@ ikiwiki (1.42) UNRELEASED; urgency=low
 to be used as close to public domain as possible.
 * viewcvs is now viewvc (in Debian unstable), update everything to use the new name.
-
- -- Joey Hess Fri, 9 Feb 2007 00:27:59 -0500
+ * Fix a security hole that allowed a web user to edit images and other
+ non-page format files in the wiki. To exploit this, the file already had
+ to exist in the wiki, and the web user would need to somehow use the web
+ based editor to replace it with malicious content.
+ (Sorry Josh, this means you can't edit style.css directly anymore,
+ although I do appreciate your fixes, actually..)
+
+ -- Joey Hess Sat, 10 Feb 2007 15:09:51 -0500
 ikiwiki (1.41) unstable; urgency=low
diff --git a/po/bg.po b/po/bg.po
index b61ec6ca4..b457f0f82 100644
--- a/po/bg.po
+++ b/po/bg.po
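Review bot: The new guard in cgi_editpage only covers the branch where `$pagesources{$page}` already exists; the `else` branch on the last line of the hunk still takes `$type` straight from `$form->param('type')`, and nothing in the hunk checks that value against the known htmlize types, so whether a user-supplied type can still produce a file with a non-page extension depends on code outside the hunk — worth confirming there is an equivalent `error(...)` on that path. The check itself deserves a why-comment, since it is the whole fix for the hole described in the commit message: `# pagetype() returns undef for files with no htmlize hook (images, css, ...); those must not be replaced through the web editor.` cgi_editpage's body continues outside the hunk on both sides.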
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki-bg\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-12 01:19+0200\n" "Last-Translator: Damyan Ivanov \n" "Language-Team: Bulgarian \n" @@ -24,28 +24,33 @@ msgstr "Първо трябва да влезете." msgid "Preferences saved." msgstr "Предпочитанията са запазени." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "дискусия" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "създаване на %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "промяна на %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Достъпът ви е забранен." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/cs.po b/po/cs.po index e19209872..98b912e62 100644 --- a/po/cs.po +++ b/po/cs.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-07 11:59+0100\n" "Last-Translator: Miroslav Kure \n" "Language-Team: Czech \n" 
@@ -23,28 +23,33 @@ msgstr "Nejprve se musíte přihlásit." msgid "Preferences saved." msgstr "Nastavení uloženo." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "diskuse" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "vytvářím %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "upravuji %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Jste vyhoštěni." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/es.po b/po/es.po index 54681f741..cd28bd094 100644 --- a/po/es.po +++ b/po/es.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-03 09:37+0100\n" "Last-Translator: Víctor Moral \n" "Language-Team: spanish \n" 
@@ -24,28 +24,33 @@ msgstr "Antes es necesario identificarse" msgid "Preferences saved." msgstr "Las preferencias se han guardado." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "comentarios" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "creando página %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "modificando página %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Ha sido expulsado." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/fr.po b/po/fr.po index 7651ed9f7..bcf864f9c 100644 --- a/po/fr.po +++ b/po/fr.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-22 22:12+0100\n" "Last-Translator: Jean-Luc Coulon (f5ibh) \n" "Language-Team: French \n" 
@@ -25,28 +25,33 @@ msgstr "Vous devez d'abord vous identifier." msgid "Preferences saved." msgstr "Les préférences ont été enregistrées." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "Discussion" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "Création de %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "Édition de %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Vous avez été banni." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" "Échec de l'identification, vous devriez peut-être autoriser les cookies." diff --git a/po/gu.po b/po/gu.po index 7c80d1da5..8739a7804 100644 --- a/po/gu.po +++ b/po/gu.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki-gu\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-11 16:05+0530\n" "Last-Translator: Kartik Mistry \n" "Language-Team: Gujarati \n" 
@@ -23,28 +23,33 @@ msgstr "તમારે પ્રથમ લોગ ઇન થવું પડશ msgid "Preferences saved." msgstr "પ્રાથમિકતાઓ સંગ્રહાઇ." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "ચર્ચા" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "%s બનાવે છે" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "%s સુધારે છે" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "તમારા પર પ્રતિબંધ છે." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot index 296aab6db..9dfa1dc0c 100644 --- a/po/ikiwiki.pot +++ b/po/ikiwiki.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -24,28 +24,33 @@ msgstr "" msgid "Preferences saved." msgstr "" -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "" -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/pl.po b/po/pl.po index 4e23cf434..496a4117e 100644 --- a/po/pl.po +++ b/po/pl.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki 1.37\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-05 16:33+100\n" "Last-Translator: Paweł Tęcza \n" "Language-Team: Debian L10n Polish \n" 
@@ -24,28 +24,33 @@ msgstr "Konieczne jest zalogowanie się." msgid "Preferences saved." msgstr "Ustawienia zostały zapisane." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "dyskusja" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "tworzenie strony %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "edycja strony %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Dostęp został zabroniony przez administratora." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/sv.po b/po/sv.po index 2263152c0..786cbad5e 100644 --- a/po/sv.po +++ b/po/sv.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-10 23:47+0100\n" "Last-Translator: Daniel Nylander \n" "Language-Team: Swedish \n" 
@@ -23,28 +23,33 @@ msgstr "Du måste logga in först." msgid "Preferences saved." msgstr "Inställningar sparades." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "diskussion" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "skapar %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "redigerar %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Du är bannlyst." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/vi.po b/po/vi.po index 3f8741522..e69a161ef 100644 --- a/po/vi.po +++ b/po/vi.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-13 15:31+1030\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" 
@@ -24,28 +24,33 @@ msgstr "Trước tiên bạn cần phải đăng nhập." msgid "Preferences saved." msgstr "Tùy thích đã được lưu." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "thảo luận" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "đang tạo %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "đang sửa %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Bạn bị cấm ra." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr ""