author Joey Hess <joey@kitenet.net> 2011-03-28 12:21:12 -0400
committer Joey Hess <joey@kitenet.net> 2011-03-28 12:21:12 -0400
commit be02a80b7a19f3c33a8ea42c0750d94e0a91206f
tree 1ffc2ec9905bf2662c9766d95e96430959ef2d2d
parent a0e31f38d55f659ed9ef07ce16482308807435f8
meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled.
-rw-r--r-- IkiWiki/Plugin/meta.pm 4
-rw-r--r-- debian/changelog 4
-rw-r--r-- doc/ikiwiki/directive/meta.mdwn 4
-rw-r--r-- doc/security.mdwn 11
4 files changed, 20 insertions, 3 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index ad6d1a8e3..1a9f94a12 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -174,10 +174,10 @@ sub preprocess (@) {
if (! length $stylesheet) {
error gettext("stylesheet not found")
}
- push @{$metaheaders{$page}}, '<link href="'.urlto($stylesheet, $page).
+ push @{$metaheaders{$page}}, scrub('<link href="'.urlto($stylesheet, $page).
'" rel="'.encode_entities($rel).
'" title="'.encode_entities($title).
- "\" type=\"text/css\" />";
+ "\" type=\"text/css\" />", $page, $destpage);
}
elsif ($key eq 'openid') {
my $delegate=0; # both by default
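Review bot: The scrub() call on the new push line wraps the whole `<link>` element whatever `$rel` holds, so with the htmlscrubber enabled the directive now yields no header and the page author gets no feedback, unlike the `error gettext("stylesheet not found")` path just above it. Add a short comment saying the scrubber is expected to drop the element (as the meta.mdwn change in this commit states), and either report the drop to the author or document that it is silent. A regression test that asserts the header is absent when the htmlscrubber is enabled would pin the behaviour. The hunk does not show whether the other keys handled in preprocess that build header markup from directive parameters go through scrub() as well, so that is worth checking in the same pass.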
diff --git a/debian/changelog b/debian/changelog
index e78ce3e1c..91c4c6d24 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20110322) UNRELEASED; urgency=low
+ikiwiki (3.20110328) UNRELEASED; urgency=low
* Yaml formatted setup files are now produced by default.
(Perl formatted setup files can still be used.)
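Review bot: The new header line keeps `urgency=low` although this version now carries an entry marked "Security fix". Consider raising the urgency on the `ikiwiki (3.20110328)` line before the upload so the fix is not held back by the normal migration delay.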
@@ -6,6 +6,8 @@ ikiwiki (3.20110322) UNRELEASED; urgency=low
via the web.
* comment: Better fix to avoid showing comments of subpages, while
not breaking manual inlining of comments.
+ * meta: Security fix; don't allow alternative stylesheets to be added
+ on pages where the htmlscrubber is enabled.
-- Joey Hess <joeyh@debian.org> Thu, 24 Mar 2011 13:34:34 -0400
diff --git a/doc/ikiwiki/directive/meta.mdwn b/doc/ikiwiki/directive/meta.mdwn
index d66e26fc4..50aaf66be 100644
--- a/doc/ikiwiki/directive/meta.mdwn
+++ b/doc/ikiwiki/directive/meta.mdwn
@@ -77,6 +77,10 @@ Supported fields:
\[[!meta stylesheet=somestyle rel="alternate stylesheet"
title="somestyle"]]
+
+ However, this will be scrubbed away if the
+ [[!iki plugins/htmlscrubber desc=htmlscrubber]] plugin is enabled,
+ since it can be used to insert unsafe content.
* openid
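Review bot: "this will be scrubbed away" in the added paragraph is ambiguous about its scope. It follows the `rel="alternate stylesheet"` example, but the meta.pm change in this commit passes every `<link>` built by the stylesheet branch through scrub(), whatever `rel` is given. State explicitly whether the whole `stylesheet` field is unavailable when the htmlscrubber is enabled, and mention that the directive is dropped without an error so authors know why their stylesheet does not appear.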
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 770927e26..2b387ac23 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -463,3 +463,14 @@ This hole was discovered on 22 Jan 2011 and fixed the same day with
the release of ikiwiki 3.20110122. A fix was backported to Debian squeeze,
as version 3.20100815.5. An upgrade is recommended for sites
with the comments plugin enabled. ([[!cve CVE-2011-0428]])
+
+## possible javascript insertion via insufficient htmlscrubbing of alternate stylesheets
+
+Tango noticed that 'meta stylesheet` directives allowed anyone
+who could upload a malicious stylesheet to a site to add it to a
+page as an alternate stylesheet. In order to be exploited, the user
+would have to select the alternative stylesheet in their browser.
+
+This hole was discovered on 28 Mar 2011 and fixed the same hour with
+the release of ikiwiki 3.20110328. An upgrade is recommended for sites
+that have untrusted committers, or have the attachments plugin enabled.
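Review bot: The first added paragraph opens the directive name with a single quote and closes it with a backtick ('meta stylesheet`), which will not render as code in the .mdwn output; use matching backticks. The text also switches between "alternate stylesheet" (heading, first sentence) and "alternative stylesheet" (last sentence of the paragraph); pick one. The preceding entry ends with a `[[!cve ...]]` reference and this one has none, so if an identifier is assigned it should be added here in the same form.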