path: root/IkiWiki/Plugin/htmlscrubber.pm
author: Joey Hess <joey@gnu.kitenet.net> 2010-04-02 16:05:14 -0400
committer: Joey Hess <joey@gnu.kitenet.net> 2010-04-02 16:05:14 -0400
commit: 104919ee07b70b166c6c6be13b4f6e5bc5225179
tree: dce9764b1d1bf6f608294dd75502198413efcafb /IkiWiki/Plugin/htmlscrubber.pm
parent: 05b6e8ceee2bec4442727e2475abf8a8861d5e0a
htmlscrubber: Allow colons in url fragments after '?'
Colons are not allowed at the start of urls, because it can be interpreted as a protocol, and allowing arbitrary protocols can be unsafe (CVE-2008-0809). However, this check was too restrictive, not allowing use of, e.g., "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a video, or "somecgi?foo=bar:baz" to pass parameters with colons. It's still not allowed to have a filename with a colon in it (i.e. "foo:bar.png"); to link to such a file, a fully qualified url must be used.
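The commit message above describes which relative urls the old and new `$safe_url_regexp` accept. The script below is an added example, not ikiwiki's own code or test suite: it builds both patterns exactly as they appear in the diff and runs them over a constructed set of urls, including the two cases from the commit message, a colon in a `#` fragment (which neither pattern accepts), and `javascript:` variants that must stay rejected. The `$uri_schemes` list is an assumed short subset of the whitelist the plugin really builds; only the colon handling is exercised here.

```perl
#!/usr/bin/perl
# Added example (not ikiwiki's code): compare the pre- and post-commit
# $safe_url_regexp from IkiWiki/Plugin/htmlscrubber.pm on sample urls.
use strict;
use warnings;

# Assumed subset of the scheme whitelist the plugin constructs.
my $uri_schemes = join '|', map { quotemeta } qw(http https ftp mailto);

# The two patterns, copied from the '-' and '+' lines of the diff.
my $old = qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
my $new = qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?]))/i;

# Constructed inputs: [url, accepted by old?, accepted by new?]
my @cases = (
    ['http://example.org/a:b',        1, 1],  # whitelisted scheme
    ['video.ogv?t=0:03:00/0:04:00',   0, 1],  # colon in query string, now allowed
    ['somecgi?foo=bar:baz',           0, 1],
    ['dir/foo:bar.png',               1, 1],  # colon after a slash was already allowed
    ['foo:bar.png',                   0, 0],  # still rejected: looks like a scheme
    ['page.html#t=0:03',              0, 0],  # colon in a '#' fragment: not covered
    ['javascript:alert(1)',           0, 0],
    ['javascript:alert(1)?x',         0, 0],  # '?' after the colon does not help
    ['JAVASCRIPT:alert(1)',           0, 0],  # /i does not open a hole here
    ['data:text/javascript,alert(1)', 0, 0],
    ['data:image/png;base64,AAAA',    1, 1],
);

# Return 1 if $url passes the scrubber's safe-url test $re, else 0.
sub check {
    my ($re, $url) = @_;
    return $url =~ $re ? 1 : 0;
}

my $failures = 0;
for my $c (@cases) {
    my ($url, $want_old, $want_new) = @$c;
    my ($got_old, $got_new) = (check($old, $url), check($new, $url));
    printf "%-34s old=%d new=%d\n", $url, $got_old, $got_new;
    $failures++ if $got_old != $want_old or $got_new != $want_new;
}
print $failures ? "$failures unexpected result(s)\n" : "all cases behave as expected\n";
```

Run with `perl safe_url_check.pl`. The `page.html#t=0:03` row is the one to watch: the new character class only covers `/` and `?`, so a colon that first appears inside a fragment identifier is still treated as a possible scheme separator and the link is dropped.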
Diffstat (limited to 'IkiWiki/Plugin/htmlscrubber.pm')
-rw-r--r-- IkiWiki/Plugin/htmlscrubber.pm | 2
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index 26e18ffc7..9f40c752f 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -32,7 +32,7 @@ sub import {
);
# data is a special case. Allow a few data:image/ types,
# but disallow data:text/javascript and everything else.
- $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
+ $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?]))/i;
}
sub getsetup () {
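Review bot: the commit title speaks of "url fragments after '?'", but the widened class in `[^:]+(?:$|[\/\?])` only admits a colon after the query separator; a colon that first appears in a real fragment, e.g. `video.ogv#t=0:03:00`, is still rejected by both the old and the new pattern, so either extend the class to `[\/\?#]` or reword the title to say query strings. The comment just above the assignment still only explains the `data:` special case; a short note that a scheme-less url may contain a colon only after its first `/` or `?` would document the CVE-2008-0809 rationale at the line that enforces it. A regression test listing accepted and rejected inputs for this branch (`somecgi?foo=bar:baz` accepted, `foo:bar.png` and `javascript:alert(1)` rejected) would make later edits to this regexp safer.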