diff options
author | Joey Hess <joey@kitenet.net> | 2011-03-28 12:21:12 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2011-03-28 12:21:12 -0400 |
commit | be02a80b7a19f3c33a8ea42c0750d94e0a91206f (patch) | |
tree | 1ffc2ec9905bf2662c9766d95e96430959ef2d2d | |
parent | a0e31f38d55f659ed9ef07ce16482308807435f8 (diff) | |
download | ikiwiki-be02a80b7a19f3c33a8ea42c0750d94e0a91206f.tar ikiwiki-be02a80b7a19f3c33a8ea42c0750d94e0a91206f.tar.gz |
meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled.
-rw-r--r-- | IkiWiki/Plugin/meta.pm | 4 | ||||
-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | doc/ikiwiki/directive/meta.mdwn | 4 | ||||
-rw-r--r-- | doc/security.mdwn | 11 |
4 files changed, 20 insertions, 3 deletions
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm index ad6d1a8e3..1a9f94a12 100644 --- a/IkiWiki/Plugin/meta.pm +++ b/IkiWiki/Plugin/meta.pm @@ -174,10 +174,10 @@ sub preprocess (@) { if (! length $stylesheet) { error gettext("stylesheet not found") } - push @{$metaheaders{$page}}, '<link href="'.urlto($stylesheet, $page). + push @{$metaheaders{$page}}, scrub('<link href="'.urlto($stylesheet, $page). '" rel="'.encode_entities($rel). '" title="'.encode_entities($title). - "\" type=\"text/css\" />"; + "\" type=\"text/css\" />", $page, $destpage); } elsif ($key eq 'openid') { my $delegate=0; # both by default diff --git a/debian/changelog b/debian/changelog index e78ce3e1c..91c4c6d24 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -ikiwiki (3.20110322) UNRELEASED; urgency=low +ikiwiki (3.20110328) UNRELEASED; urgency=low * Yaml formatted setup files are now produced by default. (Perl formatted setup files can still be used.) @@ -6,6 +6,8 @@ ikiwiki (3.20110322) UNRELEASED; urgency=low via the web. * comment: Better fix to avoid showing comments of subpages, while not breaking manual inlining of comments. + * meta: Security fix; don't allow alternative stylesheets to be added + on pages where the htmlscrubber is enabled. -- Joey Hess <joeyh@debian.org> Thu, 24 Mar 2011 13:34:34 -0400 diff --git a/doc/ikiwiki/directive/meta.mdwn b/doc/ikiwiki/directive/meta.mdwn index d66e26fc4..50aaf66be 100644 --- a/doc/ikiwiki/directive/meta.mdwn +++ b/doc/ikiwiki/directive/meta.mdwn @@ -77,6 +77,10 @@ Supported fields: \[[!meta stylesheet=somestyle rel="alternate stylesheet" title="somestyle"]] + + However, this will be scrubbed away if the + [[!iki plugins/htmlscrubber desc=htmlscrubber]] plugin is enabled, + since it can be used to insert unsafe content. * openid diff --git a/doc/security.mdwn b/doc/security.mdwn index 770927e26..2b387ac23 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -463,3 +463,14 @@ This hole was discovered on 22 Jan 2011 and fixed the same day with the release of ikiwiki 3.20110122. A fix was backported to Debian squeeze, as version 3.20100815.5. An upgrade is recommended for sites with the comments plugin enabled. ([[!cve CVE-2011-0428]]) + +## possible javascript insertion via insufficient htmlscrubbing of alternate stylesheets + +Tango noticed that 'meta stylesheet` directives allowed anyone +who could upload a malicious stylesheet to a site to add it to a +page as an alternate stylesheet. In order to be exploited, the user +would have to select the alternative stylesheet in their browser. + +This hole was discovered on 28 Mar 2011 and fixed the same hour with +the release of ikiwiki 3.20110328. An upgrade is recommended for sites +that have untrusted committers, or have the attachments plugin enabled. |