From e15e3202eb04048feb302b39d946f1ae1a15c306 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 26 Nov 2007 15:30:44 -0500 Subject: [PATCH] releasing version 2.14 --- IkiWiki/Render.pm | 11 +++++++ debian/NEWS | 10 +++++++ debian/changelog | 9 ++++-- ...linked_srcdir_requires_trailing_slash.mdwn | 17 ++++++++++- doc/security.mdwn | 30 +++++++++++++++++++ po/ikiwiki.pot | 26 ++++++++-------- 6 files changed, 87 insertions(+), 16 deletions(-) diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm index 35d663a7a..e4ff2b39b 100644 --- a/IkiWiki/Render.pm +++ b/IkiWiki/Render.pm @@ -245,6 +245,17 @@ sub prune ($) { #{{{ } #}}} sub refresh () { #{{{ + # security check, avoid following symlinks in the srcdir path + my $test=$config{srcdir}; + while (length $test) { + if (-l $test) { + error("symlink found in srcdir path ($test)"); + } + unless ($test=~s/\/+$//) { + $test=dirname($test); + } + } + # find existing pages my %exists; my @files; diff --git a/debian/NEWS b/debian/NEWS index 1dabd1735..87fcc5e63 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +ikiwiki (2.14) unstable; urgency=low + + This version of ikiwiki is more picky about symlinks in the path leading + to the srcdir, and will refuse to use a srcdir specified by such a path. + This was necessary to avoid some potential exploits, but could potentially + break (semi-)working wikis. If your wiki has a srcdir path containing a + symlink, you should change it to use a path that does not. + + -- Joey Hess Mon, 26 Nov 2007 14:57:57 -0500 + ikiwiki (2.9) unstable; urgency=low Since ikiwiki 2.0 was released, some limitiations have been added to what diff --git a/debian/changelog b/debian/changelog index 456d4b908..299d7d571 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,14 @@ -ikiwiki (2.14) UNRELEASED; urgency=low +ikiwiki (2.14) unstable; urgency=high * Let CC be used to control what compiler is used to build wrappers. * Use 'cc' instead of gcc as the default compiler. + * Security fix: Ensure that there are no symlinks anywhere in the path + to the top of the srcdir. In certian unusual configurations, an attacker + who could commit to one of the parent directories of the srcdir could + use a symlink attack to cause ikiwiki to publish files elsewhere in the + filesystem. More details at - -- Joey Hess Sun, 25 Nov 2007 15:49:49 -0500 + -- Joey Hess Mon, 26 Nov 2007 15:26:06 -0500 ikiwiki (2.13) unstable; urgency=low diff --git a/doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn b/doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn index 0310c17f3..cd74c2496 100644 --- a/doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn +++ b/doc/bugs/Symlinked_srcdir_requires_trailing_slash.mdwn @@ -63,4 +63,19 @@ My output: scanning index.mdwn rendering index.mdwn -Note that index.mdwn was only rendered when srcdir had a trailing slash. \ No newline at end of file +Note that index.mdwn was only rendered when srcdir had a trailing slash. + +> There are potential [[security]] issues with ikiwiki following a symlink, +> even if it's just a symlink at the top level of the srcdir. +> Consider ikiwiki.info's own setup, where the srcdir is ikiwiki/doc, +> checked out of revision control. A malicious committer could convert +> ikiwiki/doc into a symlink to /etc, then ikiwiki would happily publish +> all of /etc to the web. +> +> This kind of attack is why ikiwiki does not let File::Find follow +> symlinks when scanning the srcdir. By appending the slash, you're +> actually bypassing that check. Ikiwiki should not let you set +> up a potentially insecure configuration like that. More discussion of +> this hole [[here|security#index29h2]], and I've had to release +> a version of ikiwiki that explicitly checks for that, and fails to work. +> Sorry, but security trumps convenience. [[done]] --[[Joey]] diff --git a/doc/security.mdwn b/doc/security.mdwn index b1e8d03f6..a1c2120ce 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -315,3 +315,33 @@ This hole was discovered on 21 March 2007 and fixed the same day with the release of ikiwiki 1.47. A fix was also backported to Debian etch, as version 1.33.3. I recommend upgrading to one of these versions if your wiki can be edited by third parties. + +## insufficient checking for symlinks in srcdir path + +Ikiwiki did not check if path to the srcdir to contained a symlink. If an +attacker had commit access to the directories in the path, they could +change it to a symlink, causing ikiwiki to read and publish files that were +not intended to be published. (But not write to them due to other checks.) + +In most configurations, this is not exploitable, because the srcdir is +checked out of revision control, but the directories leading up to it are +not. Or, the srcdir is a single subdirectory of a project in revision +control (ie, `ikiwiki/doc`), and if the subdirectory were a symlink, +ikiwiki would still typically not follow it. + +There are at least two configurations where this is exploitable: + +* If the srcdir is a deeper subdirectory of a project. For example if it is + `project/foo/doc`, an an attacker can replace `foo` with a symlink to a + directory containing a `doc` directory (not a symlink), then ikiwiki + would follow the symlink. +* If the path to the srcdir in ikiwiki's configuration ended in "/", + and the srcdir is a single subdirectory of a project, (ie, + `ikiwiki/doc/`), the srcdir could be a symlink and ikiwiki would not + notice. + +This security hole was discovered on 26 November 2007 and fixed the same +da with the release of ikiwiki 2.14. I recommend upgrading to this version +if your wiki can be committed to by third parties. Alternatively, don't use +a trailing slash in the srcdir, and avoid the (unusual) configurations that +allow the security hole to be exploited. diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot index b1842d546..9dd020f8c 100644 --- a/po/ikiwiki.pot +++ b/po/ikiwiki.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-11-17 16:11-0500\n" +"POT-Creation-Date: 2007-11-26 15:27-0500\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -485,47 +485,47 @@ msgid "" "notifications" msgstr "" -#: ../IkiWiki/Render.pm:263 ../IkiWiki/Render.pm:284 +#: ../IkiWiki/Render.pm:274 ../IkiWiki/Render.pm:295 #, perl-format msgid "skipping bad filename %s" msgstr "" -#: ../IkiWiki/Render.pm:326 +#: ../IkiWiki/Render.pm:337 #, perl-format msgid "removing old page %s" msgstr "" -#: ../IkiWiki/Render.pm:359 +#: ../IkiWiki/Render.pm:370 #, perl-format msgid "scanning %s" msgstr "" -#: ../IkiWiki/Render.pm:364 +#: ../IkiWiki/Render.pm:375 #, perl-format msgid "rendering %s" msgstr "" -#: ../IkiWiki/Render.pm:376 +#: ../IkiWiki/Render.pm:387 #, perl-format msgid "rendering %s, which links to %s" msgstr "" -#: ../IkiWiki/Render.pm:393 +#: ../IkiWiki/Render.pm:404 #, perl-format msgid "rendering %s, which depends on %s" msgstr "" -#: ../IkiWiki/Render.pm:431 +#: ../IkiWiki/Render.pm:442 #, perl-format msgid "rendering %s, to update its backlinks" msgstr "" -#: ../IkiWiki/Render.pm:443 +#: ../IkiWiki/Render.pm:454 #, perl-format msgid "removing %s, no longer rendered by %s" msgstr "" -#: ../IkiWiki/Render.pm:469 +#: ../IkiWiki/Render.pm:480 #, perl-format msgid "ikiwiki: cannot render %s" msgstr "" @@ -583,13 +583,13 @@ msgid "failed to write %s: %s" msgstr "" #. translators: The parameter is a C filename. -#: ../IkiWiki/Wrapper.pm:107 +#: ../IkiWiki/Wrapper.pm:109 #, perl-format msgid "failed to compile %s" msgstr "" #. translators: The parameter is a filename. -#: ../IkiWiki/Wrapper.pm:127 +#: ../IkiWiki/Wrapper.pm:129 #, perl-format msgid "successfully generated %s" msgstr "" @@ -614,7 +614,7 @@ msgstr "" #. translators: preprocessor directive name, #. translators: the second a page name, the #. translators: third a number. -#: ../IkiWiki.pm:711 +#: ../IkiWiki.pm:717 #, perl-format msgid "%s preprocessing loop detected on %s at depth %i" msgstr "" -- 2.26.2