From 29e6ff03b078a0c6abb659c9e81343d523d3b13a Mon Sep 17 00:00:00 2001
From: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Sat, 10 Feb 2007 20:37:36 +0000
Subject: [PATCH] * Fix a security hole that allowed a web user to edit images and other non-page format files in the wiki. To exploit this, the file already had to exist in the wiki, and the web user would need to somehow use the web based editor to replace it with malicious content. (Sorry Josh, this means you can't edit style.css directly anymore, although I do appreciate your fixes, actually..)
---
 IkiWiki/CGI.pm | 3 +++
 debian/changelog | 10 ++++++++--
 po/bg.po | 17 +++++++++++------
 po/cs.po | 17 +++++++++++------
 po/es.po | 17 +++++++++++------
 po/fr.po | 17 +++++++++++------
 po/gu.po | 17 +++++++++++------
 po/ikiwiki.pot | 17 +++++++++++------
 po/pl.po | 17 +++++++++++------
 po/sv.po | 17 +++++++++++------
 po/vi.po | 17 +++++++++++------
 11 files changed, 110 insertions(+), 56 deletions(-)
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index a8e610e2d..6c489df8d 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -323,6 +323,9 @@ sub cgi_editpage ($$) { #{{{
 if (exists $pagesources{$page}) {
 $file=$pagesources{$page};
 $type=pagetype($file);
+ if (! defined $type) {
+ error(sprintf(gettext("%s is not an editable page"), $page));
+ }
 }
 else {
 $type=$form->param('type');
diff --git a/debian/changelog b/debian/changelog
index d3ec481f8..13293d863 100644
--- a/debian/changelog
+++ b/debian/changelog
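Review bot: The new `defined $type` guard only protects the branch where `$page` already exists in `%pagesources`; the `else` branch still takes `$type` straight from `$form->param('type')`, and nothing in this hunk checks that request-supplied value against the set of page types the wiki actually knows, so the same "non-page format" concern applies to page creation unless a later check outside the hunk rejects it — worth confirming, and if absent, adding a check right after the `else` assignment that rejects any `$type` that `pagetype` would not recognise, with the same `error(sprintf(gettext("%s is not an editable page"), $page))` message so the two paths stay consistent. Separately, the added `error()` call interpolates the request-supplied `$page` into its message; if `error()` renders into HTML without escaping (not visible here), this new message becomes a reflection point for the page name, so confirm the escaping happens in `error()` or escape `$page` at the call site. A short comment above the guard, `# Only files with a known page type may be edited through the web; everything else (images, CSS, …) is read-only here`, would record why this check exists. `cgi_editpage` starts before this hunk and continues after it.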
@@ -25,8 +25,14 @@ ikiwiki (1.42) UNRELEASED; urgency=low
 to be used as close to public domain as possible.
 * viewcvs is now viewvc (in Debian unstable), update everything to use the new name.
-
- -- Joey Hess <joeyh@debian.org> Fri, 9 Feb 2007 00:27:59 -0500
+ * Fix a security hole that allowed a web user to edit images and other
+ non-page format files in the wiki. To exploit this, the file already had
+ to exist in the wiki, and the web user would need to somehow use the web
+ based editor to replace it with malicious content.
+ (Sorry Josh, this means you can't edit style.css directly anymore,
+ although I do appreciate your fixes, actually..)
+
+ -- Joey Hess <joeyh@debian.org> Sat, 10 Feb 2007 15:09:51 -0500
 ikiwiki (1.41) unstable; urgency=low
diff --git a/po/bg.po b/po/bg.po
index b61ec6ca4..b457f0f82 100644
--- a/po/bg.po
+++ b/po/bg.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki-bg\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-12 01:19+0200\n"
 "Last-Translator: Damyan Ivanov <dam@modsodtsys.com>\n"
 "Language-Team: Bulgarian <dict@fsa-bg.org>\n"
@@ -24,28 +24,33 @@ msgstr "ÐÑÑво ÑÑÑбва да влезеÑе." msgid "Preferences saved." msgstr "ÐÑедпоÑиÑаниÑÑа Ñа запазени." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "диÑкÑÑиÑ" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "ÑÑздаване на %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "пÑомÑна на %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "ÐоÑÑÑпÑÑ Ð²Ð¸ е забÑанен." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/cs.po b/po/cs.po index e19209872..98b912e62 100644 --- a/po/cs.po +++ b/po/cs.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-07 11:59+0100\n" "Last-Translator: Miroslav Kure <kurem@debian.cz>\n" "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n" 
@@ -23,28 +23,33 @@ msgstr "Nejprve se musÃte pÅihlásit." msgid "Preferences saved." msgstr "Nastavenà uloženo." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "diskuse" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "vytváÅÃm %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "upravuji %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Jste vyhoÅ¡tÄni." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/es.po b/po/es.po index 54681f741..cd28bd094 100644 --- a/po/es.po +++ b/po/es.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-03 09:37+0100\n" "Last-Translator: VÃctor Moral <victor@taquiones.net>\n" "Language-Team: spanish <es@li.org>\n" 
@@ -24,28 +24,33 @@ msgstr "Antes es necesario identificarse" msgid "Preferences saved." msgstr "Las preferencias se han guardado." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "comentarios" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "creando página %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "modificando página %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Ha sido expulsado." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/fr.po b/po/fr.po index 7651ed9f7..bcf864f9c 100644 --- a/po/fr.po +++ b/po/fr.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-22 22:12+0100\n" "Last-Translator: Jean-Luc Coulon (f5ibh) <jean-luc.coulon@wanadoo.fr>\n" "Language-Team: French <debian-l10n-french@lists.debian.org>\n" 
@@ -25,28 +25,33 @@ msgstr "Vous devez d'abord vous identifier." msgid "Preferences saved." msgstr "Les préférences ont été enregistrées." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "Discussion" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "Création de %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "Ãdition de %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Vous avez été banni." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" "Ãchec de l'identification, vous devriez peut-être autoriser les cookies." diff --git a/po/gu.po b/po/gu.po index 7c80d1da5..8739a7804 100644 --- a/po/gu.po +++ b/po/gu.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki-gu\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-11 16:05+0530\n" "Last-Translator: Kartik Mistry <kartik.mistry@gmail.com>\n" "Language-Team: Gujarati <team@utkarsh.org>\n" 
@@ -23,28 +23,33 @@ msgstr "તમારૠપà«àª°àª¥àª® લà«àª àªàª¨ થવà«àª પડશ msgid "Preferences saved." msgstr "પà«àª°àª¾àª¥àª®àª¿àªàª¤àª¾àª સàªàªà«àª°àª¹àª¾àª." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "àªàª°à«àªàª¾" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "%s બનાવૠàªà«" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "%s સà«àª§àª¾àª°à« àªà«" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "તમારા પર પà«àª°àª¤àª¿àª¬àªàª§ àªà«." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot index 296aab6db..9dfa1dc0c 100644 --- a/po/ikiwiki.pot +++ b/po/ikiwiki.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" 
@@ -24,28 +24,33 @@ msgstr "" msgid "Preferences saved." msgstr "" -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "" -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/pl.po b/po/pl.po index 4e23cf434..496a4117e 100644 --- a/po/pl.po +++ b/po/pl.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki 1.37\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-05 16:33+100\n" "Last-Translator: PaweÅ TÄcza <ptecza@net.icm.edu.pl>\n" "Language-Team: Debian L10n Polish <debian-l10n-polish@lists.debian.org>\n" 
@@ -24,28 +24,33 @@ msgstr "Konieczne jest zalogowanie siÄ." msgid "Preferences saved." msgstr "Ustawienia zostaÅy zapisane." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "dyskusja" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "tworzenie strony %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "edycja strony %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "DostÄp zostaÅ zabroniony przez administratora." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/sv.po b/po/sv.po index 2263152c0..786cbad5e 100644 --- a/po/sv.po +++ b/po/sv.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-10 23:47+0100\n" "Last-Translator: Daniel Nylander <po@danielnylander.se>\n" "Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n" 
@@ -23,28 +23,33 @@ msgstr "Du mÃ¥ste logga in först." msgid "Preferences saved." msgstr "Inställningar sparades." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "diskussion" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "skapar %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "redigerar %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Du är bannlyst." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" diff --git a/po/vi.po b/po/vi.po index 3f8741522..e69a161ef 100644 --- a/po/vi.po +++ b/po/vi.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: ikiwiki\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-02-08 14:47-0500\n" +"POT-Creation-Date: 2007-02-10 15:26-0500\n" "PO-Revision-Date: 2007-01-13 15:31+1030\n" "Last-Translator: Clytie Siddall <clytie@riverland.net.au>\n" "Language-Team: Vietnamese <vi-VN@googlegroups.com>\n" 
@@ -24,28 +24,33 @@ msgstr "TrÆ°á»c tiên bạn cần phải ÄÄng nháºp." msgid "Preferences saved." msgstr "Tùy thÃch Äã Äược lÆ°u." -#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24 +#: ../IkiWiki/CGI.pm:327 +#, perl-format +msgid "%s is not an editable page" +msgstr "" + +#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97 #: ../IkiWiki/Render.pm:165 msgid "discussion" msgstr "thảo luáºn" -#: ../IkiWiki/CGI.pm:457 +#: ../IkiWiki/CGI.pm:460 #, perl-format msgid "creating %s" msgstr "Äang tạo %s" -#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517 +#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520 #, perl-format msgid "editing %s" msgstr "Äang sá»a %s" -#: ../IkiWiki/CGI.pm:625 +#: ../IkiWiki/CGI.pm:628 msgid "You are banned." msgstr "Bạn bá» cấm ra." -#: ../IkiWiki/CGI.pm:657 +#: ../IkiWiki/CGI.pm:660 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" -- 2.26.2