diff options
author | Joey Hess <joey@kitenet.net> | 2011-01-22 10:15:33 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2011-01-22 10:15:33 -0400 |
commit | dcfeaaad5b6ac478251e37be777de40da4d0909c (patch) | |
tree | a0868ee12139cb9e2a53fee94a9fef0de90ad01c /IkiWiki/Plugin | |
parent | 5d3998555ffbeb1c20b84dd4cdc46c825c07bec8 (diff) | |
download | ikiwiki-dcfeaaad5b6ac478251e37be777de40da4d0909c.tar ikiwiki-dcfeaaad5b6ac478251e37be777de40da4d0909c.tar.gz |
comments: Fix XSS security hole due to missing validation of page name.
Values have to be checked against wiki_file_regexp, not just file_pruned.
Audited the rest of the code base for similar problems, found none.
Diffstat (limited to 'IkiWiki/Plugin')
-rw-r--r-- | IkiWiki/Plugin/comments.pm | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index 1287590a7..d9183970d 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -364,8 +364,8 @@ sub editcomment ($$) { } # The untaint is OK (as in editpage) because we're about to pass - # it to file_pruned anyway - my $page = $form->field('page'); + # it to file_pruned and wiki_file_regexp anyway. + my $page = $form->field('page')=~/$config{wiki_file_regexp}/; $page = IkiWiki::possibly_foolish_untaint($page); if (! defined $page || ! length $page || IkiWiki::file_pruned($page)) { |