author: Joey Hess <joey@kodama.kitenet.net> 2008-02-10 19:00:26 -0500
committer: Joey Hess <joey@kodama.kitenet.net> 2008-02-10 19:00:26 -0500
commit: 0e445d62d212d8e6c2cd5d11a38ae8cef914c1cd (patch)
tree: 9374777067d49fd826455c49d828e172e968e501 /doc/security.mdwn
parent: 886adf9f9fea74560202fafcb4742ce26cd76416 (diff)
download: ikiwiki-0e445d62d212d8e6c2cd5d11a38ae8cef914c1cd.tar, ikiwiki-0e445d62d212d8e6c2cd5d11a38ae8cef914c1cd.tar.gz
some updates about the recent hole
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- doc/security.mdwn | 11
1 files changed, 7 insertions, 4 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index d9e0f655b..9259209ee 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -356,9 +356,12 @@ allow the security hole to be exploited.
## javascript insertion via uris
The htmlscrubber did not block javascript in uris. This was fixed by adding
-a whitelist of valid uri types, which does not include javascript.
+a whitelist of valid uri types, which does not include javascript. Some
+urls specifyable by the meta plugin could also theoretically have been used
+to inject javascript; this was also blocked.
This hole was discovered on 10 February 2008 and fixed the same day
-with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch,
-as version 1.33.4. I recommend upgrading to one of these versions if your
-wiki can be edited by third parties.
+with the release of ikiwiki 2.31.1. (And a few subsequent versions..)
+A fix was also backported to Debian etch, as version 1.33.4. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.
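Review bot: the new sentence about the meta plugin ("Some urls specifyable by the meta plugin could also theoretically have been used to inject javascript") is too vague for a security advisory: it does not say which meta fields or directives accepted those urls, so a wiki admin cannot tell whether their content was affected; name them. Two smaller points in the same hunk: "specifyable" should be "specifiable", and the parenthetical "(And a few subsequent versions..)" should state the actual version range that carries the fix, for example "ikiwiki 2.31.1 and later", rather than trailing off with "..", since the following sentence tells readers to upgrade "to one of these versions".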