| field | value | date |
|---|---|---|
| author | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-07-02 02:18:31 +0000 |
| committer | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-07-02 02:18:31 +0000 |
| commit | 0bb605baf8702d1a5d1ee16f52b07840d88616e7 (patch) | |
| tree | 192707c5e7d90b68de123e6fe3e233fc8511aa0a /doc/security.mdwn | |
| parent | 25b35c3c7403202aae19c4a328f6af4d2aae2e68 (diff) | |
| download | ikiwiki-0bb605baf8702d1a5d1ee16f52b07840d88616e7.tar, ikiwiki-0bb605baf8702d1a5d1ee16f52b07840d88616e7.tar.gz | |
* Parse svn log as xml for improved utf8 and security. Note that this makes
ikiwiki depend on XML::Simple. Patch by Faidon Liambotis.
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- | doc/security.mdwn | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index 53000c08e..b294decc8 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -12,17 +12,16 @@ to be kept in mind. _(The list of things to fix.)_ -## svn commit logs +## commit spoofing -Anyone with svn commit access can forge "web commit from foo" and make it -appear on [[RecentChanges]] like foo committed. One way to avoid this would -be to limit web commits to those done by a certian user. +Anyone with direct commit access can forge "web commit from foo" and +make it appear on [[RecentChanges]] like foo committed. One way to avoid +this would be to limit web commits to those done by a certian user. -It's actually possible to force a whole series of svn commits to appear to -have come just before yours, by forging svn log output. This could be -guarded against by using svn log --xml. +## other stuff to look at -ikiwiki escapes any html in svn commit logs to prevent other mischief. +I need to audit the git backend a bit, and have been meaning to +see if any CRLF injection type things can be done. ---- @@ -227,3 +226,11 @@ only render a file with that extension. ikiwiki supports protecting users from their own broken browsers via the [[plugins/htmlscrubber]] plugin, which is enabled by default. + +## svn commit logs + +It's was possible to force a whole series of svn commits to appear to +have come just before yours, by forging svn log output. This was +guarded against by using svn log --xml. + +ikiwiki escapes any html in svn commit logs to prevent other mischief. |
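Review bot: the typo "certian" survives the rewrite of the commit-spoofing paragraph in the first hunk (@@ -12,17 +12,16 @@); since the line "this would be to limit web commits to those done by a certian user." is already being rewritten, correct it to "certain". The new "other stuff to look at" section in the same hunk is also phrased as a personal to-do ("I need to audit the git backend a bit, and have been meaning to see if any CRLF injection type things can be done") rather than as documentation of a known issue; either say concretely which input the CRLF concern applies to (commit messages as they reach RecentChanges would be the natural candidate, given the paragraph just above it) or keep it off the user-facing security page until it has actually been checked.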
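Review bot: grammar in the first added line of the "svn commit logs" section in the second hunk (@@ -227,3 +226,11 @@): "It's was possible to force a whole series of svn commits" should read "It was possible". Since this section now records a fixed issue, and the commit message says the fix parses the svn log as XML and adds a dependency on XML::Simple, the section should say that (parsing "svn log --xml" output with XML::Simple) rather than only naming the "svn log --xml" flag, so a reader knows which component now sits between svn log output and RecentChanges and what the new dependency is for.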