* needsbuild hook interface changed; the hooks should now return
the modified array of things that need built. (Backwards compatability
code keeps plugins using the old interface working.)
+ * Remove PATH overriding code in ikiwiki script that was present to make
+ perl taint checking happy, but taint checking is disabled.
-- Joey Hess <joeyh@debian.org> Tue, 07 Sep 2010 12:08:05 -0400
$ENV{PATH}="$ENV{PATH}:/usr/local/bin:/usr/bin:/bin:/opt/local/bin";
? The alternative is of course to patch ikiwiki as suggested in the bug, but I wanted to ask here first :)
+
+> You can use the ENV setting in your setup file to set any environment
+> variables you like. Since ikiwiki.cgi is run by the web browser, that
+> is the best way to ensure ikiwiki always runs with a given variable set.
+>
+> As a suid program, the ikiwiki wrappers have to sanitize the environment.
+> The ikiwiki script's own sanitization of PATH was done to make perl taint
+> checking happy, but as taint checking is disabled anyway, I have removed
+> that. [[done]] --[[Joey]]
`http://ciffer.net/~svend/ikiwiki.cgi?page=tech%252Fhosts&do=edit`.
I am running ikiwiki 3.20100504~bpo50+1 on Debian Lenny.
+
+
+> But on your page, the Edit link is escaped normally and correctly (using %2F).
+> Look at the page source!
+>
+> The problem is that your web server is forcing a hard (302) redirect
+> to the doubly-escaped url. In wireshark I see your web server send back:
+
+ HTTP/1.1 302 Found\r\n
+ Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
+ Location: http://ciffer.net/~svend/ikiwiki.cgi?page=tech%252Fhosts&do=edit
+
+> You'll need to investigate why your web server is doing that... --[[Joey]]
#!/usr/bin/perl
-$ENV{PATH}="/usr/local/bin:/usr/bin:/bin";
-delete @ENV{qw{IFS CDPATH ENV BASH_ENV}};
-
package IkiWiki;
use warnings;
projects / ikiwiki.git / commitdiff