diff options
| author | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2007-02-10 20:37:36 +0000 |
|---|---|---|
| committer | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2007-02-10 20:37:36 +0000 |
| commit | 29e6ff03b078a0c6abb659c9e81343d523d3b13a (patch) | |
| tree | a628793a36bdd921bd1e89ff4318ac243d1dc4fe /IkiWiki | |
| parent | cb7d6a88adef4bec348f0e43fbd3dc98b4c25b05 (diff) | |
| download | ikiwiki-29e6ff03b078a0c6abb659c9e81343d523d3b13a.tar ikiwiki-29e6ff03b078a0c6abb659c9e81343d523d3b13a.tar.gz | |
* Fix a security hole that allowed a web user to edit images and other
non-page format files in the wiki. To exploit this, the file already had
to exist in the wiki, and the web user would need to somehow use the web
based editor to replace it with malicious content.
(Sorry Josh, this means you can't edit style.css directly anymore,
although I do appreciate your fixes, actually..)
Diffstat (limited to 'IkiWiki')
| -rw-r--r-- | IkiWiki/CGI.pm | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index a8e610e2d..6c489df8d 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -323,6 +323,9 @@ sub cgi_editpage ($$) { #{{{ if (exists $pagesources{$page}) { $file=$pagesources{$page}; $type=pagetype($file); + if (! defined $type) { + error(sprintf(gettext("%s is not an editable page"), $page)); + } } else { $type=$form->param('type'); |