* Parse svn log as xml for improved utf8 and security. Note that this makes

  ikiwiki depend on XML::Simple. Patch by Faidon Liambotis.

1 files changed, 15 insertions, 8 deletions

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 53000c08e..b294decc8 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -12,17 +12,16 @@ to be kept in mind.
 
 _(The list of things to fix.)_
 
-## svn commit logs
+## commit spoofing
 
-Anyone with svn commit access can forge "web commit from foo" and make it
-appear on [[RecentChanges]] like foo committed. One way to avoid this would
-be to limit web commits to those done by a certian user.
+Anyone with direct commit access can forge "web commit from foo" and
+make it appear on [[RecentChanges]] like foo committed. One way to avoid
+this would be to limit web commits to those done by a certian user.
 
-It's actually possible to force a whole series of svn commits to appear to
-have come just before yours, by forging svn log output. This could be
-guarded against by using svn log --xml.
+## other stuff to look at
 
-ikiwiki escapes any html in svn commit logs to prevent other mischief.
+I need to audit the git backend a bit, and have been meaning to
+see if any CRLF injection type things can be done.
 
 ----
 
@@ -227,3 +226,11 @@ only render a file with that extension.
 
 ikiwiki supports protecting users from their own broken browsers via the
 [[plugins/htmlscrubber]] plugin, which is enabled by default.
+
+## svn commit logs
+
+It's was possible to force a whole series of svn commits to appear to
+have come just before yours, by forging svn log output. This was
+guarded against by using svn log --xml.
+
+ikiwiki escapes any html in svn commit logs to prevent other mischief.