verify page name is sane
authorJoey Hess <joey@gnu.kitenet.net>
Sat, 8 Aug 2009 16:27:48 +0000 (12:27 -0400)
committerJoey Hess <joey@gnu.kitenet.net>
Sat, 8 Aug 2009 16:27:48 +0000 (12:27 -0400)
paranoia; I was thinking about XSS attacks specifically

IkiWiki/Plugin/getsource.pm

index 91c4cc1c95b9448db01820b88d044e74c7203f45..ae9ea3cc7af4ffe27b46d65528d380420ac5b368 100644 (file)
@@ -42,13 +42,17 @@ sub pagetemplate (@) {
 sub cgi_getsource ($) {
        my $cgi=shift;
 
-       return unless (defined $cgi->param('do') &&
-                                       $cgi->param("do") eq "getsource");
+       return unless defined $cgi->param('do') &&
+                     $cgi->param("do") eq "getsource";
 
        IkiWiki::decode_cgi_utf8($cgi);
 
        my $page=$cgi->param('page');
 
+       if (! defined $page || $page !~ /$config{wiki_file_regexp}/) {
+               error("invalid page parameter");
+       }
+
        # For %pagesources.
        IkiWiki::loadindex();