From 1c65ca492295e754dfd9986f91b08eb0876d09b9 Mon Sep 17 00:00:00 2001 From: joey Date: Wed, 21 Mar 2007 06:05:21 +0000 Subject: * Fix a few bugs around page titles containing html. The worst of these is an actual security hole as it allows insertion of html into the title element of a page, which is not processed by the htmlscrubber. --- debian/changelog | 7 +++++-- doc/security.mdwn | 11 +++++++++++ po/ikiwiki.pot | 16 ++++++++-------- templates/archivepage.tmpl | 2 +- templates/inlinepage.tmpl | 4 ++-- templates/page.tmpl | 4 ++-- templates/titlepage.tmpl | 2 +- 7 files changed, 30 insertions(+), 16 deletions(-) diff --git a/debian/changelog b/debian/changelog index 26aaad53b..5934958ce 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -ikiwiki (1.46) UNRELEASED; urgency=low +ikiwiki (1.46) unstable; urgency=low * Fix a bug with inlined create page links, including Discussion links on blog post pages. The links will now create pages relative to the page that @@ -12,8 +12,11 @@ ikiwiki (1.46) UNRELEASED; urgency=low same time, and let the second person resolve the conflict. * Applied a patch from MichaƂ to make the mercurial backend pass --quiet to hg. + * Fix a few bugs around page titles containing html. The worst of these + is an actual security hole as it allows insertion of html into the title + element of a page, which is not processed by the htmlscrubber. - -- Joey Hess Sun, 18 Mar 2007 18:22:12 -0400 + -- Joey Hess Wed, 21 Mar 2007 01:51:30 -0400 ikiwiki (1.45) unstable; urgency=low diff --git a/doc/security.mdwn b/doc/security.mdwn index 01a893d20..9b561a13e 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -293,3 +293,14 @@ This hole was discovered on 10 Feb 2007 and fixed the same day with the release of ikiwiki 1.42. A fix was also backported to Debian etch, as version 1.33.1. I recommend upgrading to one of these versions if your wiki allows web editing. + +## html insertion via title + +Missing html escaping of the title contents allowed a web-based editor to +insert arbitrary html inside the title tag of a page. Since that part of +the page is not processed by the htmlscrubber, evil html could be injected. + +This hole was discovered on 21 March 2007 and fixed the same day (er, hour) +with the release of ikiwiki 1.46. A fix was also backported to Debian etch, +as version 1.33.2. I recommend upgrading to one of these versions if your +wiki allows web editing or aggregates feeds. diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot index f2c3cf498..8f223571b 100644 --- a/po/ikiwiki.pot +++ b/po/ikiwiki.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2007-03-17 19:21-0400\n" +"POT-Creation-Date: 2007-03-21 01:50-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -41,17 +41,17 @@ msgstr "" msgid "creating %s" msgstr "" -#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:518 -#: ../IkiWiki/CGI.pm:562 +#: ../IkiWiki/CGI.pm:481 ../IkiWiki/CGI.pm:496 ../IkiWiki/CGI.pm:507 +#: ../IkiWiki/CGI.pm:533 ../IkiWiki/CGI.pm:577 #, perl-format msgid "editing %s" msgstr "" -#: ../IkiWiki/CGI.pm:659 +#: ../IkiWiki/CGI.pm:674 msgid "You are banned." msgstr "" -#: ../IkiWiki/CGI.pm:691 +#: ../IkiWiki/CGI.pm:706 msgid "login failed, perhaps you need to turn on cookies?" msgstr "" @@ -472,15 +472,15 @@ msgstr "" msgid "generating wrappers.." msgstr "" -#: ../IkiWiki/Setup/Standard.pm:71 +#: ../IkiWiki/Setup/Standard.pm:72 msgid "rebuilding wiki.." msgstr "" -#: ../IkiWiki/Setup/Standard.pm:74 +#: ../IkiWiki/Setup/Standard.pm:75 msgid "refreshing wiki.." msgstr "" -#: ../IkiWiki/Setup/Standard.pm:83 +#: ../IkiWiki/Setup/Standard.pm:84 msgid "done" msgstr "" diff --git a/templates/archivepage.tmpl b/templates/archivepage.tmpl index 6bc789dfb..7e8b8b8fc 100644 --- a/templates/archivepage.tmpl +++ b/templates/archivepage.tmpl @@ -1,5 +1,5 @@

-
+
Posted diff --git a/templates/inlinepage.tmpl b/templates/inlinepage.tmpl index 0317c248c..f1f21d4be 100644 --- a/templates/inlinepage.tmpl +++ b/templates/inlinepage.tmpl @@ -10,9 +10,9 @@ - + - + diff --git a/templates/page.tmpl b/templates/page.tmpl index 471ed1a7d..2c28a68f5 100644 --- a/templates/page.tmpl +++ b/templates/page.tmpl @@ -3,7 +3,7 @@ -<TMPL_VAR TITLE> +<TMPL_VAR TITLE ESCAPE=HTML> @@ -19,7 +19,7 @@ / - + diff --git a/templates/titlepage.tmpl b/templates/titlepage.tmpl index f5cd5bc53..0676a098e 100644 --- a/templates/titlepage.tmpl +++ b/templates/titlepage.tmpl @@ -1 +1 @@ -

+

-- cgit v1.2.3