From 29e6ff03b078a0c6abb659c9e81343d523d3b13a Mon Sep 17 00:00:00 2001
From: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Sat, 10 Feb 2007 20:37:36 +0000
Subject: [PATCH] * Fix a security hole that allowed a web user to edit images
 and other non-page format files in the wiki. To exploit this, the file
 already had to exist in the wiki, and the web user would need to somehow
 use the web based editor to replace it with malicious content. (Sorry
 Josh, this means you can't edit style.css directly anymore, although I do
 appreciate your fixes, actually..)

---
 IkiWiki/CGI.pm   |  3 +++
 debian/changelog | 10 ++++++++--
 po/bg.po         | 17 +++++++++++------
 po/cs.po         | 17 +++++++++++------
 po/es.po         | 17 +++++++++++------
 po/fr.po         | 17 +++++++++++------
 po/gu.po         | 17 +++++++++++------
 po/ikiwiki.pot   | 17 +++++++++++------
 po/pl.po         | 17 +++++++++++------
 po/sv.po         | 17 +++++++++++------
 po/vi.po         | 17 +++++++++++------
 11 files changed, 110 insertions(+), 56 deletions(-)

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index a8e610e2d..6c489df8d 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -323,6 +323,9 @@ sub cgi_editpage ($$) { #{{{
 	if (exists $pagesources{$page}) {
 		$file=$pagesources{$page};
 		$type=pagetype($file);
+		if (! defined $type) {
+			error(sprintf(gettext("%s is not an editable page"), $page));
+		}
 	}
 	else {
 		$type=$form->param('type');
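Review bot: The new guard at `if (! defined $type)` carries no comment, and its purpose — refusing to open the web editor on a source file that has no registered page type, so images, stylesheets and other non-page files in `%pagesources` cannot be overwritten through the CGI — is only recoverable from the commit message. Suggest a comment above it: `# Only files with a known page type may be edited via the web; refusing here keeps non-page sources (images, css, ...) from being replaced through the editor.` The guard relies on `error()` not returning; if it does return, `$file` is still set and the function would continue, so that assumption is worth stating in the same comment. The `else` branch takes `$type` from the form parameter, and whether that value is checked against the registered page types happens outside the hunk; the body of `cgi_editpage` continues past the hunk in both directions.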
diff --git a/debian/changelog b/debian/changelog
index d3ec481f8..13293d863 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,8 +25,14 @@ ikiwiki (1.42) UNRELEASED; urgency=low
     to be used as close to public domain as possible.
   * viewcvs is now viewvc (in Debian unstable), update everything to use the
     new name.
-
- -- Joey Hess <joeyh@debian.org>  Fri,  9 Feb 2007 00:27:59 -0500
+  * Fix a security hole that allowed a web user to edit images and other
+    non-page format files in the wiki. To exploit this, the file already had
+    to exist in the wiki, and the web user would need to somehow use the web
+    based editor to replace it with malicious content.
+    (Sorry Josh, this means you can't edit style.css directly anymore,
+    although I do appreciate your fixes, actually..)
+
+ -- Joey Hess <joeyh@debian.org>  Sat, 10 Feb 2007 15:09:51 -0500
 
 ikiwiki (1.41) unstable; urgency=low
 
diff --git a/po/bg.po b/po/bg.po
index b61ec6ca4..b457f0f82 100644
--- a/po/bg.po
+++ b/po/bg.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki-bg\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-12 01:19+0200\n"
 "Last-Translator: Damyan Ivanov <dam@modsodtsys.com>\n"
 "Language-Team: Bulgarian <dict@fsa-bg.org>\n"
@@ -24,28 +24,33 @@ msgstr "Първо трябва да влезете."
 msgid "Preferences saved."
 msgstr "Предпочитанията са запазени."
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr "дискусия"
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr "създаване на %s"
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr "промяна на %s"
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr "Достъпът ви е забранен."
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
diff --git a/po/cs.po b/po/cs.po
index e19209872..98b912e62 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-07 11:59+0100\n"
 "Last-Translator: Miroslav Kure <kurem@debian.cz>\n"
 "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
@@ -23,28 +23,33 @@ msgstr "Nejprve se musíte přihlásit."
 msgid "Preferences saved."
 msgstr "Nastavení uloženo."
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr "diskuse"
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr "vytvářím %s"
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr "upravuji %s"
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr "Jste vyhoštěni."
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
diff --git a/po/es.po b/po/es.po
index 54681f741..cd28bd094 100644
--- a/po/es.po
+++ b/po/es.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-03 09:37+0100\n"
 "Last-Translator: Víctor Moral <victor@taquiones.net>\n"
 "Language-Team: spanish <es@li.org>\n"
@@ -24,28 +24,33 @@ msgstr "Antes es necesario identificarse"
 msgid "Preferences saved."
 msgstr "Las preferencias se han guardado."
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr "comentarios"
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr "creando página %s"
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr "modificando página %s"
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr "Ha sido expulsado."
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
diff --git a/po/fr.po b/po/fr.po
index 7651ed9f7..bcf864f9c 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-22 22:12+0100\n"
 "Last-Translator: Jean-Luc Coulon (f5ibh) <jean-luc.coulon@wanadoo.fr>\n"
 "Language-Team: French <debian-l10n-french@lists.debian.org>\n"
@@ -25,28 +25,33 @@ msgstr "Vous devez d'abord vous identifier."
 msgid "Preferences saved."
 msgstr "Les préférences ont été enregistrées."
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr "Discussion"
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr "Création de %s"
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr "Édition de %s"
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr "Vous avez été banni."
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 "Échec de l'identification, vous devriez peut-être autoriser les cookies."
diff --git a/po/gu.po b/po/gu.po
index 7c80d1da5..8739a7804 100644
--- a/po/gu.po
+++ b/po/gu.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki-gu\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-11 16:05+0530\n"
 "Last-Translator: Kartik Mistry <kartik.mistry@gmail.com>\n"
 "Language-Team: Gujarati <team@utkarsh.org>\n"
@@ -23,28 +23,33 @@ msgstr "તમારે પ્રથમ લોગ ઇન થવું પડશ
 msgid "Preferences saved."
 msgstr "પ્રાથમિકતાઓ સંગ્રહાઇ."
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr "ચર્ચા"
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr "%s બનાવે છે"
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr "%s સુધારે છે"
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr "તમારા પર પ્રતિબંધ છે."
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index 296aab6db..9dfa1dc0c 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -24,28 +24,33 @@ msgstr ""
 msgid "Preferences saved."
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
diff --git a/po/pl.po b/po/pl.po
index 4e23cf434..496a4117e 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki 1.37\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-05 16:33+100\n"
 "Last-Translator: Paweł Tęcza <ptecza@net.icm.edu.pl>\n"
 "Language-Team: Debian L10n Polish <debian-l10n-polish@lists.debian.org>\n"
@@ -24,28 +24,33 @@ msgstr "Konieczne jest zalogowanie się."
 msgid "Preferences saved."
 msgstr "Ustawienia zostały zapisane."
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr "dyskusja"
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr "tworzenie strony %s"
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr "edycja strony %s"
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr "Dostęp został zabroniony przez administratora."
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
diff --git a/po/sv.po b/po/sv.po
index 2263152c0..786cbad5e 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-10 23:47+0100\n"
 "Last-Translator: Daniel Nylander <po@danielnylander.se>\n"
 "Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
@@ -23,28 +23,33 @@ msgstr "Du måste logga in först."
 msgid "Preferences saved."
 msgstr "Inställningar sparades."
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr "diskussion"
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr "skapar %s"
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr "redigerar %s"
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr "Du är bannlyst."
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
diff --git a/po/vi.po b/po/vi.po
index 3f8741522..e69a161ef 100644
--- a/po/vi.po
+++ b/po/vi.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ikiwiki\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-02-08 14:47-0500\n"
+"POT-Creation-Date: 2007-02-10 15:26-0500\n"
 "PO-Revision-Date: 2007-01-13 15:31+1030\n"
 "Last-Translator: Clytie Siddall <clytie@riverland.net.au>\n"
 "Language-Team: Vietnamese <vi-VN@googlegroups.com>\n"
@@ -24,28 +24,33 @@ msgstr "Trước tiên bạn cần phải đăng nhập."
 msgid "Preferences saved."
 msgstr "Tùy thích đã được lưu."
 
-#: ../IkiWiki/CGI.pm:412 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:327
+#, perl-format
+msgid "%s is not an editable page"
+msgstr ""
+
+#: ../IkiWiki/CGI.pm:415 ../IkiWiki/Plugin/brokenlinks.pm:24
 #: ../IkiWiki/Plugin/inline.pm:164 ../IkiWiki/Plugin/opendiscussion.pm:17
 #: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:97
 #: ../IkiWiki/Render.pm:165
 msgid "discussion"
 msgstr "thảo luận"
 
-#: ../IkiWiki/CGI.pm:457
+#: ../IkiWiki/CGI.pm:460
 #, perl-format
 msgid "creating %s"
 msgstr "đang tạo %s"
 
-#: ../IkiWiki/CGI.pm:474 ../IkiWiki/CGI.pm:517
+#: ../IkiWiki/CGI.pm:477 ../IkiWiki/CGI.pm:520
 #, perl-format
 msgid "editing %s"
 msgstr "đang sửa %s"
 
-#: ../IkiWiki/CGI.pm:625
+#: ../IkiWiki/CGI.pm:628
 msgid "You are banned."
 msgstr "Bạn bị cấm ra."
 
-#: ../IkiWiki/CGI.pm:657
+#: ../IkiWiki/CGI.pm:660
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
-- 
2.26.2