author: Simon McVittie <smcv@debian.org> 2016-12-24 15:03:51 +0000
committer: Simon McVittie <smcv@debian.org> 2016-12-28 21:32:12 +0000
commit: c1120bbbe8fdea20cf64fa12247f4f4a4006c834 (patch)
tree: f25c576e39811b35933a043496f57dfdd6c67fb6 /debian
parent: e193c75b7dd67cee731570c321a121cf79cb3c23 (diff)
Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature we avoided in f4ec7b0. Force it into scalar context where it is used in an argument list.

This prevents two (relatively minor) commit metadata forgery vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment could give it a user-specified author and author-URL even if the wiki configuration did not allow for that, by crafting multiple values to other fields.

* In the editpage plugin, an attacker who was able to edit a page could potentially forge commit authorship by crafting multiple values for the rcsinfo field.

The remaining plugins changed in this commit appear to have been protected by use of explicit scalar prototypes for the called functions, but have been changed anyway to make them more obviously correct. In particular, checkpassword() in passwordauth has a known prototype, so an attacker cannot trick it into treating multiple values of the name field as being the username, password and field to check for.

OVE-20161226-0001
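
The context problem the commit message describes, shown as an added Perl example that is not ikiwiki's code. MockForm, record_change and first_value are hypothetical names, the mock only imitates the list-versus-scalar behaviour of a field accessor, and the request values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a form object: field() returns every submitted
# value in list context and only the first value in scalar context.
package MockForm;
sub new { my ($class, %values) = @_; return bless { %values }, $class }
sub field {
    my ($self, $name) = @_;
    my @values = @{ $self->{$name} // [] };
    return wantarray ? @values : $values[0];
}

package main;

# Hypothetical callee taking named parameters; author falls back to the
# authenticated session user when the caller does not pass one.
sub record_change {
    my %params = @_;
    return "author=" . ($params{author} // 'session-user')
         . " message=" . ($params{message} // '');
}

# Hypothetical callee with an explicit scalar prototype.
sub first_value ($) { my ($value) = @_; return $value }

# Constructed request: the "message" field was submitted three times.
my $form = MockForm->new(message => [ 'fix typo', 'author', 'someone-else' ]);

# Unsafe: the argument list imposes list context, so the extra values are
# flattened into the list and read by the callee as another key/value pair.
my $unsafe = record_change(message => $form->field('message'));

# Fixed: scalar() forces a single value, so the pairs stay aligned.
my $safe = record_change(message => scalar $form->field('message'));

# A ($) prototype imposes scalar context on the argument by itself, which is
# why prototyped callees were not affected.
my $proto = first_value($form->field('message'));

print "list context:   $unsafe\n";
print "scalar context: $safe\n";
print "prototype (\$):  $proto\n";
```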
Diffstat (limited to 'debian')
-rw-r--r-- debian/changelog 5
1 files changed, 5 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 86d06bdc6..ccf830b27 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
ikiwiki (3.20161220) UNRELEASED; urgency=medium
+ * Security: force CGI::FormBuilder->field to scalar context where
+ necessary, avoiding unintended function argument injection
+ analogous to CVE-2014-1572. In ikiwiki this could be used to
+ forge commit metadata, but thankfully nothing more serious.
+ (OVE-20161226-0001)
* Add CVE references for CVE-2016-10026
* Add missing ikiwiki.setup for the manual test for CVE-2016-10026
* git: don't issue a warning if the rcsinfo CGI parameter is undefined
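
Review bot: the added Security entry says "where necessary" but does not name the plugins that were actually exploitable, so an administrator reading only debian/changelog cannot tell whether their wiki was exposed. The commit message identifies them as the comments plugin (forged comment author and author-URL) and the editpage plugin (forged commit authorship via the rcsinfo field); naming both in the entry, and noting that the other plugins were changed for clarity only, would make the entry usable for triage on its own. The entry also sits under a version still marked UNRELEASED, so it is worth confirming that it ends up in the release stanza that actually ships the fix.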