up

[ikiwiki.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 1521a5f46a77b9a41ea9d38c77892d6c4969bf82..b726211112e8b710b5914936d145f9eb44d768d8 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -1,4 +1,4 @@
-Let's do an ikiwiki security analysis.. ok
+Let's do an ikiwiki security analysis..
 
 If you are using ikiwiki to render pages that only you can edit, do not
 generate any wrappers, and do not use the cgi, then there are no more
@@ -74,6 +74,12 @@ Even with locking, if an attacker has local write access to the checkout,
 they could still fool ikiwiki using similar races. So it's best if only one
 person can ever write to the checkout that ikiwiki compiles the moo from.
 
+## webserver symlink attacks
+
+If someone checks in a symlink to /etc/passwd, ikiwiki would publish that.
+To aoid this, ikiwiki will need to avoid reading files that are symlinks.
+TODO and note discussion of races above.
+
 ## cgi security
 
 When ikiwiki runs as a cgi to edit a page, it is passed the name of the
@@ -82,4 +88,4 @@ editing of ../../../foo, or editing of files that are not part of the wiki,
 such as subversion dotfiles. This is done by sanitising the filename
 removing unallowed characters, then making sure it doesn't start with "/"
 or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where
-security holes breed.
+security holes breed. It needs a test suite at the very least.