From 8f6e0212fdbf3de286e504ed2802111bf7864abe Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@gnu.kitenet.net>
Date: Sat, 8 Aug 2009 12:27:48 -0400
Subject: [PATCH] verify page name is sane

paranoia; I was thinking about XSS attacks specificaly
---
 IkiWiki/Plugin/getsource.pm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/IkiWiki/Plugin/getsource.pm b/IkiWiki/Plugin/getsource.pm
index 91c4cc1c9..ae9ea3cc7 100644
--- a/IkiWiki/Plugin/getsource.pm
+++ b/IkiWiki/Plugin/getsource.pm
@@ -42,13 +42,17 @@ sub pagetemplate (@) {
 sub cgi_getsource ($) {
 	my $cgi=shift;
 
-	return unless (defined $cgi->param('do') &&
-					$cgi->param("do") eq "getsource");
+	return unless defined $cgi->param('do') &&
+	              $cgi->param("do") eq "getsource";
 
 	IkiWiki::decode_cgi_utf8($cgi);
 
 	my $page=$cgi->param('page');
 
+	if (! defined $page || $page !~ /$config{wiki_file_regexp}/) {
+		error("invalid page parameter");
+	}
+
 	# For %pagesources.
 	IkiWiki::loadindex();
 
-- 
2.26.2