From: Joey Hess
Date: Sun, 10 Feb 2008 18:31:48 +0000 (-0500)
Subject: resecued version 1.33.3, which was not tagged in revision control before
X-Git-Tag: 1.33.3
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=d641b275b2616253ad38c1c9974fda40eb4666da;p=ikiwiki.git

resecued version 1.33.3, which was not tagged in revision control before
---

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index ce4b6ada1..1e0ee01eb 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -439,6 +439,9 @@ sub cgi_editpage ($$) { #{{{
 if (exists $pagesources{$page}) {
 $file=$pagesources{$page};
 $type=pagetype($file);
+ if (! defined $type) {
+ error("$page is not an editable page");
+ }
 }
 else {
 $type=$form->param('type');

diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 2e5fd7e76..5223d8ff6 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -26,6 +26,15 @@ sub filter (@) { #{{{
 return $params{content};
 } # }}}
 
+sub scrub ($) { #{{{
+ if (IkiWiki::Plugin::htmlscrubber->can("sanitize")) {
+ return IkiWiki::Plugin::htmlscrubber::sanitize(content => shift);
+ }
+ else {
+ return shift;
+ }
+} #}}}
+
 sub preprocess (@) { #{{{
 if (! @_) {
 return "";
@@ -45,9 +54,9 @@ sub preprocess (@) { #{{{
 
 if ($key eq 'link') {
 if (%params) {
- $meta{$page}.="\n";
+ " />\n");
 }
 else {
 # hidden WikiLink
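Review bot: The `defined $type` guard added here covers only the branch for a page that already exists; the `else` branch on the last line of the hunk still takes `$type` straight from the request (`$type=$form->param('type')`), and whether that value is checked against the known page types happens later in cgi_editpage, outside this hunk — worth confirming, because an unchecked type would let a web user choose the extension of a new file. The guard deserves a why-comment, since the error text does not explain the security rationale: `# pagetype() is undef for files ikiwiki cannot render as pages (images etc.); refuse to let the web editor overwrite them.` `$page` is request-controlled and is interpolated into the error message, so this relies on error() escaping its argument before rendering it; confirm that holds. cgi_editpage begins and ends outside this hunk.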
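Review bot: `scrub` is fail-open — when the htmlscrubber plugin is not loaded, `return shift` hands the html back untouched — and nothing in the sub says so, although every caller added in this commit relies on it; I'd add `# No-op unless the htmlscrubber plugin is loaded: such a wiki has presumably chosen to accept raw html from editors.` above the `if`. `IkiWiki::Plugin::htmlscrubber->can("sanitize")` only tells you that the module is loaded, not that the plugin is enabled for this wiki; if ikiwiki can load the module without enabling the plugin (not visible here), consulting the enabled-plugin configuration would be the more precise test. The `($)` prototype follows the file's convention but validates nothing; it merely forces scalar context on the argument.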
@@ -55,15 +64,37 @@ sub preprocess (@) { #{{{
 }
 }
 elsif ($key eq 'title') {
- $title{$page}=$value;
+ $title{$page}=encode_entities($value);
 }
 elsif ($key eq 'permalink') {
 $permalink{$page}=$value;
- $meta{$page}.="\n";
+ $meta{$page}.=scrub("\n");
+ }
+ elsif ($key eq 'stylesheet') {
+ my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet";
+ my $title=exists $params{title} ? $params{title} : $value;
+ # adding .css to the value prevents using any old web
+ # editable page as a stylesheet
+ my $stylesheet=bestlink($page, $value.".css");
+ if (! length $stylesheet) {
+ return "[[meta ".gettext("stylesheet not found")."]]";
+ }
+ $meta{$page}.='\n";
+ }
+ elsif ($key eq 'openid') {
+ if (exists $params{server}) {
+ $meta{$page}.='\n";
+ }
+ $meta{$page}.='\n";
 }
 else {
- $meta{$page}.="\n";
+ $meta{$page}.=scrub("\n");
 if ($key eq 'author') {
 $author{$page}=$value;
 }

diff --git a/debian/NEWS b/debian/NEWS
index 781a32f59..b671e28e3 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+ikiwiki (1.32.3) unstable; urgency=low
+
+ Due to a security fix, wikis that have the htmlscrubber enabled can no
+ longer use the meta plugin to insert html link and meta tags.
+
+ Some special case methods have been added for safely including stylesheets,
+ and for doing openid delegation. See the meta plugin docs for details.
+
+ -- Joey Hess Wed, 21 Mar 2007 14:56:30 -0400
+
 ikiwiki (1.32) unstable; urgency=low
 
 There is a change to the plugin interface in this version. Any plugins that

diff --git a/debian/changelog b/debian/changelog
index afa0d9228..027785277 100644
--- a/debian/changelog
+++ b/debian/changelog
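Review bot: The new `stylesheet` and `openid` branches append `<link>` tags to `$meta{$page}` without the `scrub()` call that the `permalink` and default branches now get, so entity-encoding of `$rel`, `$title`, `$value` and `$params{server}` is the only defence against attribute injection from a web-edited directive; the tag text is garbled on this page (`$meta{$page}.='\n";`), so confirm each of those goes through `encode_entities` before being interpolated into an attribute. The `title` line applies `encode_entities($value)` to the raw value, while the documentation hunk in this commit says field values are already entity-escaped text (`&quot;` for a quote); unless `$value` is decoded earlier in preprocess (outside this hunk), such a title would render as a literal `&amp;quot;`. The `.css` comment relies on `.css` never being a web-editable page type, which the CGI.pm guard in this same commit enforces; I'd say so explicitly: `# .css is not a page type, so CGI.pm refuses to let web users edit it`. preprocess begins and ends outside this hunk.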
@@ -1,3 +1,34 @@
+ikiwiki (1.33.3) testing-proposed-updates; urgency=medium
+
+ * Fix a security hole that allowed insertion of unsafe content via the meta
+ plugins's support for inserting html link and meta tags. Now such content
+ is passed through the htmlscrubber like everything else.
+ * Unfortunatly, that means that some valid uses of those tags are no longer
+ usable, and special case methods needed to be added for including
+ stylesheets, and for doing openid delegation. If you use either of these
+ in your wiki, it will need to be modified. See the meta plugin docs
+ for details.
+
+ -- Joey Hess Wed, 21 Mar 2007 14:56:48 -0400
+
+ikiwiki (1.33.2) testing-proposed-updates; urgency=medium
+
+ * Backport fix for a security hole that allowed a web user to insert
+ arbitrary html in the title of a page due to missing escaping of
+ titles in the meta plugin.
+ * Fix examples directory location.
+
+ -- Joey Hess Wed, 21 Mar 2007 01:55:02 -0400
+
+ikiwiki (1.33.1) testing-proposed-updates; urgency=medium
+
+ * Backport fix for a security hole that allowed a web user to edit images
+ and other non-page format files in the wiki. To exploit this, the file
+ already had to exist in the wiki, and the web user would need to somehow
+ use the web based editor to replace it with malicious content.
+
+ -- Joey Hess Sat, 10 Feb 2007 15:30:12 -0500
+
 ikiwiki (1.33) unstable; urgency=low
 
 * Fix issue with aggregate plugin updating expired pages.

diff --git a/debian/rules b/debian/rules
index 4e14b5ca3..f9a5be823 100755
--- a/debian/rules
+++ b/debian/rules
@@ -26,7 +26,7 @@ binary-indep: build
 DESTDIR=$(shell pwd)/debian/ikiwiki
 dh_install wikilist etc/ikiwiki
 dh_installdocs html
- dh_installexamples doc/examples
+ dh_installexamples doc/examples/*
 dh_link usr/share/common-licenses/GPL usr/share/doc/ikiwiki/html/GPL
 dh_installchangelogs
 dh_compress -X html

diff --git a/doc/css_market.mdwn b/doc/css_market.mdwn
index 418d8e191..baf579b71 100644
--- a/doc/css_market.mdwn
+++ b/doc/css_market.mdwn
@@ -5,13 +5,13 @@ files..)
 * **[[css_market/zack.css]]**, contributed by [[StefanoZacchiroli]], customized mostly for *blogging purposes*, can be seen in action on [zack's blog](http://www.bononia.it/~zack/blog/)
- [[meta link="css_market/zack.css" rel="alternate stylesheet" title="zack" type="text/css"]]
+ [[meta stylesheet="zack"]]
 * **[[css_market/kirkambar.css]]**, contributed by [[Roktas]]. This far from perfect stylesheet follows a [Gitweb](http://www.kernel.org/git/?p=git/git.git;a=tree;f=gitweb) like theme, so it may provide a consistent look'n feel along with the [[git]] backend. ;-) You can see it in action on [kirkambar](http://kirkambar.net/) (Turkish content).
- [[meta link="css_market/kirkambar.css" rel="alternate stylesheet" title="kirkambar" type="text/css"]]
+ [[meta stylesheet="kirkambar"]]
 If your web browser allows selecting between multiple stylesheets, this page can be viewed using any of the stylesheets above. For example, if

diff --git a/doc/plugins/meta.mdwn b/doc/plugins/meta.mdwn
index f30efb873..9eaf38aec 100644
--- a/doc/plugins/meta.mdwn
+++ b/doc/plugins/meta.mdwn
@@ -10,21 +10,25 @@ Enter the metadata as follows:
 The first form sets a given field to a given value, while the second form
 also specifies some additional sub-parameters.
 
+The field values are treated as HTML entity-escaped text, so you can include
+a quote in the text by writing `"` and so on.
+
 You can use any field names you like, but here are some predefined ones:
 
 * link
 
- Specifies a link to another page. This is used to generate a html
- <link> tag, and also as a way to make the wiki treat one page as
- linking to another without displaying a user-visible link. The latter
- can be useful when using links to categorise pages. A html link tag
- would look like this:
+ Specifies a link to another page. This can be used as a way to make the
+ wiki treat one page as linking to another without displaying a user-visible
+ [[WikiLink]]:
+
+ \[[meta link=otherpage]]
 
- \[[meta link="foo.css" rel="stylesheet" type="text/css"]]
+ It can also be used to insert a html <link> tag. For example:
 
- A non-user-visible [[WikiLink]] would instead look like this:
+ \[[meta link="http://joeyh.myopenid.com/" rel="openid.delegate"]]
 
- \[[meta link=otherpage]]
+ However, this latter syntax won't be allowed if the [[htmlscrubber]] is
+ enabled, since it can be used to insert unsafe content.
 
 * title
 
@@ -48,12 +52,27 @@ You can use any field names you like, but here are some predefined ones:
 Specifies a permanent link to the page, if different than the page
 generated by ikiwiki.
 
-If the field is not treated specially (as the link and title fields are),
-the metadata will be written to the generated html page as a <meta>
-header.
+* stylesheet
 
-The field value is treated as HTML entity-escaped text, so you can include
-a quote in the text by writing `"` and so on.
+ Adds a stylesheet to a page. The stylesheet is treated as a wiki link to
+ a `.css` file in the wiki, so it cannot be used to add links to external
+ stylesheets. Example:
+
+ \[[meta stylesheet=somestyle rel="alternate stylesheet"
+ title="somestyle"]]
+
+* openid
+
+ Adds html <link> tags to perform OpenID delegation to an external
+ OpenID server. This lets you use an ikiwiki page as your OpenID. Example:
+
+ \\[[meta openid="http://joeyh.myopenid.com/"
+ server="http://www.myopenid.com/server"]]
+
+If the field is not one of the above predefined fields, the metadata will be
+written to the generated html page as a <meta> header. However, this
+won't be allowed if the [[htmlscrubber]] is enabled, since it can be used to
+insert unsafe content.
 
 If this plugin is enabled, the title of this page will say that it is.
 [[meta title="meta plugin (enabled)"]]