* meta: Check that the urls provided for authorurl, permalink, and openid

author Joey Hess <joey@kodama.kitenet.net>

Sun, 10 Feb 2008 22:17:44 +0000 (17:17 -0500)

committer Joey Hess <joey@kodama.kitenet.net>

Sun, 10 Feb 2008 22:17:44 +0000 (17:17 -0500)
author Joey Hess <joey@kodama.kitenet.net>
Sun, 10 Feb 2008 22:17:44 +0000 (17:17 -0500)
committer Joey Hess <joey@kodama.kitenet.net>
Sun, 10 Feb 2008 22:17:44 +0000 (17:17 -0500)
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm

index 621e876741b288466112360b96290bac01235e52..74b630afc27c5c355973ba5aa6bb398122508816 100644 (file)
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -38,6 +38,17 @@ sub scrub ($) { #{{{
         }
  } #}}}
  
+sub safeurl ($) { #{{{
+       my $url=shift;
+       if (exists $IkiWiki::Plugin::htmlscrubber::{safe_url_regexp} &&
+           defined $IkiWiki::Plugin::htmlscrubber::safe_url_regexp) {
+               return $url=~/$IkiWiki::Plugin::htmlscrubber::safe_url_regexp/;
+       }
+       else {
+               return 1;
+       }
+} #}}}
+
  sub htmlize ($$$) { #{{{
         my $page = shift;
         my $destpage = shift;
@@ -88,7 +99,7 @@ sub preprocess (@) { #{{{
                 # fallthorough
         }
         elsif ($key eq 'authorurl') {
-               $pagestate{$page}{meta}{authorurl}=$value;
+               $pagestate{$page}{meta}{authorurl}=$value if safeurl($value);
                 # fallthrough
         }
  
@@ -106,8 +117,10 @@ sub preprocess (@) { #{{{
                 }
         }
         elsif ($key eq 'permalink') {
-               $pagestate{$page}{meta}{permalink}=$value;
-               push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />');
+               if (safeurl($value)) {
+                       $pagestate{$page}{meta}{permalink}=$value;
+                       push @{$metaheaders{$page}}, scrub('<link rel="bookmark" href="'.encode_entities($value).'" />');
+               }
         }
         elsif ($key eq 'stylesheet') {
                 my $rel=exists $params{rel} ? $params{rel} : "alternate stylesheet";
@@ -124,12 +137,14 @@ sub preprocess (@) { #{{{
                         "\" type=\"text/css\" />";
         }
         elsif ($key eq 'openid') {
-               if (exists $params{server}) {
+               if (exists $params{server} && safeurl($params{server})) {
                         push @{$metaheaders{$page}}, '<link href="'.encode_entities($params{server}).
                                 '" rel="openid.server" />';
                 }
-               push @{$metaheaders{$page}}, '<link href="'.encode_entities($value).
-                       '" rel="openid.delegate" />';
+               if (safeurl($value)) {
+                       push @{$metaheaders{$page}}, '<link href="'.encode_entities($value).
+                               '" rel="openid.delegate" />';
+               }
         }
         elsif ($key eq 'redir') {
                 return "" if $page ne $destpage;
diff --git a/debian/changelog b/debian/changelog

index 1b4b70d8c74749cad9d06b67988b76ba9d47f145..719150ee6daab7e8d9ce88fe1ed08a8c48c53821 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ ikiwiki (2.40) UNRELEASED; urgency=low
  
  ikiwiki (2.31.3) unstable; urgency=high
  
+  [ Josh Triplett ]
    * Do not allow the about: URI scheme; some browsers interpret about:
      URIs like a limited version of data: URIs.  In particular, some
      versions of Internet Explorer interpret arbitrary HTML content in
@@ -18,6 +19,10 @@ ikiwiki (2.31.3) unstable; urgency=high
    * Also filter the attributes cite, longdesc, and usemap, which can contain
      URIs.
  
+  [ Joey Hess ]
+  * meta: Check that the urls provided for authorurl, permalink, and openid
+    are safe and can't contain javascript.
+
   -- Josh Triplett <josh@freedesktop.org>  Sun, 10 Feb 2008 13:59:00 -0800
  
  ikiwiki (2.31.2) unstable; urgency=high
author	Joey Hess <joey@kodama.kitenet.net>
	Sun, 10 Feb 2008 22:17:44 +0000 (17:17 -0500)
committer	Joey Hess <joey@kodama.kitenet.net>
	Sun, 10 Feb 2008 22:17:44 +0000 (17:17 -0500)
IkiWiki/Plugin/meta.pm		patch \| blob \| history
debian/changelog		patch \| blob \| history