authorJoey Hess <joey@kitenet.net>2010-06-15 17:41:26 -0400
committerJoey Hess <joey@kitenet.net>2010-06-15 17:41:26 -0400
commita2989598884807ace2a9efd248b7c32824cf6c6f (patch)
treedc962057feec01a8e8745c166acbee12654551bf /IkiWiki
parent69383fb6b0820360ad54122d79a3c64909d01a9d (diff)
parent86a43aefb4f4c79a2044caf847622d0a00cd5356 (diff)
downloadikiwiki-a2989598884807ace2a9efd248b7c32824cf6c6f.tar
ikiwiki-a2989598884807ace2a9efd248b7c32824cf6c6f.tar.gz
fix other cases of unicode mixing issue
and fix underlaydir override attack guard when srcdir is non-absolute
Diffstat (limited to 'IkiWiki')
-rw-r--r--IkiWiki/Plugin/autoindex.pm15
-rw-r--r--IkiWiki/Plugin/comments.pm12
-rw-r--r--IkiWiki/Render.pm13
3 files changed, 26 insertions, 14 deletions
diff --git a/IkiWiki/Plugin/autoindex.pm b/IkiWiki/Plugin/autoindex.pm
index 0dd76259e..5e8a9e0a3 100644
--- a/IkiWiki/Plugin/autoindex.pm
+++ b/IkiWiki/Plugin/autoindex.pm
@@ -33,18 +33,19 @@ sub genindex ($) {
sub refresh () {
eval q{use File::Find};
error($@) if $@;
+ eval q{use Cwd};
+ error($@) if $@;
+ my $origdir=getcwd();
my (%pages, %dirs);
foreach my $dir ($config{srcdir}, @{$config{underlaydirs}}, $config{underlaydir}) {
- require File::Spec;
- $dir=File::Spec->canonpath($dir);
+ chdir($dir) || die "chdir: $!";
find({
no_chdir => 1,
wanted => sub {
- my $file=File::Spec->canonpath(decode_utf8($_));
- return if $file eq $dir;
- $file=~s/^\Q$dir\E\/?//;
+ my $file=decode_utf8($_);
+ $file=~s/^\.\/?//;
return unless length $file;
if (IkiWiki::file_pruned($file)) {
$File::Find::prune=1;
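Review bot: The added `chdir($dir) || die "chdir: $!";` inside the foreach makes any srcdir or underlay entry that is missing or cannot be entered abort the whole refresh, and the message does not say which directory failed. comments.pm in this same commit guards its walk with `return unless -d $dir;`; the loop here could do the equivalent with `next unless -d $dir;` and name the path in the error, `chdir($dir) || die "chdir $dir: $!";`. Whether a missing underlay directory should be fatal is a policy decision not visible in this hunk, so the `next` is only a suggestion. refresh() continues past the end of the hunk.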
@@ -61,7 +62,9 @@ sub refresh () {
}
}
}
- }, $dir);
+ }, '.');
+
+ chdir($origdir) || die "chdir: $!";
}
my %deleted;
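Review bot: `$origdir` is used in `chdir($origdir) || die "chdir: $!";` without ever being checked, and Cwd's getcwd() returns undef when the current directory cannot be determined. In that case the failure surfaces only after the first directory has been walked, with a message that does not point at getcwd. A check right after the call, `defined($origdir) || error("getcwd: $!");`, would fail early and clearly; the same applies to the getcwd() calls in comments.pm and Render.pm. The restore is also skipped if anything inside the `wanted` callback dies, which matters only if a caller traps that error and keeps running, something this hunk does not show.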
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index d204a7737..17cd99c3b 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -660,16 +660,22 @@ sub comments_pending () {
eval q{use File::Find};
error($@) if $@;
+ eval q{use Cwd};
+ error($@) if $@;
+ my $origdir=getcwd();
my $find_comments=sub {
my $dir=shift;
my $extension=shift;
return unless -d $dir;
+
+ chdir($dir) || die "chdir: $!";
+
find({
no_chdir => 1,
wanted => sub {
my $file=decode_utf8($_);
- $file=~s/^\Q$dir\E\/?//;
+ $file=~s/^\.\///;
return if ! length $file || IkiWiki::file_pruned($file)
|| -l $_ || -d _ || $file !~ /\Q$extension\E$/;
my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint
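Review bot: The chdir / `find(..., ".")` / strip-leading-`./` / chdir-back sequence now exists in three copies (autoindex.pm, this closure, Render.pm) with slightly different prefix patterns, `s/^\.\/?//` in autoindex and `s/^\.\///` here. Because the stripped name feeds `IkiWiki::file_pruned` and the `wiki_file_regexp` untaint on the last line of this hunk, the copies should not drift; a shared helper would be the cleaner fix, or at least a comment such as `# names from find(".") always start with "./"; strip it so $file is relative to $dir` at each site. The error text would also be easier to act on as `chdir($dir) || die "chdir $dir: $!";`. The closure and comments_pending() both continue outside this hunk.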
@@ -678,7 +684,9 @@ sub comments_pending () {
push @ret, [$f, $dir, $ctime];
}
}
- }, $dir);
+ }, ".");
+
+ chdir($origdir) || die "chdir: $!";
};
$find_comments->($config{srcdir}, "._comment_pending");
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index 0e7aa9a48..740bb52b0 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -292,11 +292,16 @@ sub find_src_files () {
eval q{use File::Find};
error($@) if $@;
+ eval q{use Cwd};
+ die $@ if $@;
+ my $origdir=getcwd();
+ my $abssrcdir=Cwd::abs_path($config{srcdir});
+
my ($page, $underlay);
my $helper=sub {
my $file=decode_utf8($_);
return if -l $file || -d _;
- $file=~s/^\Q.\/\E//;
+ $file=~s/^\.\///;
return if ! length $file;
$page = pagename($file);
if (! exists $pagesources{$page} &&
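Review bot: `my $abssrcdir=Cwd::abs_path($config{srcdir});` is not checked, yet the next hunk bases the underlaydir override guard on it in `! -l "$abssrcdir/$f" && ! -e _`. If abs_path ever returns undef, that test silently inspects `/$f` instead of the source directory and the guard no longer protects anything, so the value should fail closed: `defined($abssrcdir) || die "abs_path $config{srcdir}: $!";`. The later `chdir($config{srcdir}) || die` probably catches the common missing-directory case, but that line is outside this hunk and runs after the assignment. A short comment saying that the absolute path is needed because the guard runs after the chdir into an underlay directory would also help the next reader.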
@@ -313,7 +318,7 @@ sub find_src_files () {
if ($underlay) {
# avoid underlaydir override attacks; see security.mdwn
- if (! -l "$config{srcdir}/$f" && ! -e _) {
+ if (! -l "$abssrcdir/$f" && ! -e _) {
if (! $pages{$page}) {
push @files, $f;
$pages{$page}=1;
@@ -329,10 +334,6 @@ sub find_src_files () {
}
};
- eval q{use Cwd};
- die $@ if $@;
- my $origdir=getcwd();
-
chdir($config{srcdir}) || die "chdir: $!";
find({
no_chdir => 1,