authorJoey Hess <joey@gnu.kitenet.net>2009-08-08 12:27:48 -0400
committerJoey Hess <joey@gnu.kitenet.net>2009-08-08 12:27:48 -0400
commit8f6e0212fdbf3de286e504ed2802111bf7864abe (patch)
tree0e199906f0328239b9d2e36573c487f01eafd688 /IkiWiki
parent22edaf77c2a4318ebd8ed0881dd6a62cfc2ca2b2 (diff)
downloadikiwiki-8f6e0212fdbf3de286e504ed2802111bf7864abe.tar
ikiwiki-8f6e0212fdbf3de286e504ed2802111bf7864abe.tar.gz
verify page name is sane
paranoia; I was thinking about XSS attacks specifically
Diffstat (limited to 'IkiWiki')
-rw-r--r--IkiWiki/Plugin/getsource.pm8
1 files changed, 6 insertions, 2 deletions
diff --git a/IkiWiki/Plugin/getsource.pm b/IkiWiki/Plugin/getsource.pm
index 91c4cc1c9..ae9ea3cc7 100644
--- a/IkiWiki/Plugin/getsource.pm
+++ b/IkiWiki/Plugin/getsource.pm
@@ -42,13 +42,17 @@ sub pagetemplate (@) {
sub cgi_getsource ($) {
my $cgi=shift;
- return unless (defined $cgi->param('do') &&
- $cgi->param("do") eq "getsource");
+ return unless defined $cgi->param('do') &&
+ $cgi->param("do") eq "getsource";
IkiWiki::decode_cgi_utf8($cgi);
my $page=$cgi->param('page');
+ if (! defined $page || $page !~ /$config{wiki_file_regexp}/) {
+ error("invalid page parameter");
+ }
+
# For %pagesources.
IkiWiki::loadindex();