htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image types. No svg.

author: Joey Hess <joey@gnu.kitenet.net> 2010-03-12 14:49:13 -0500
committer: Joey Hess <joey@gnu.kitenet.net> 2010-03-12 14:50:26 -0500
commit: 2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d (patch)
tree: ac6f6c025cb14790773f8530c6356dfa4c5b1b0c /doc/security.mdwn
parent: 556181d417e3461de56c43445ec9b2b0aefc7141 (diff)
download: ikiwiki-2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d.tar
ikiwiki-2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 3924186c2..21aef316b 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -427,3 +427,15 @@ enabling TeX configuration options that disallow unsafe TeX commands.
 The fix was released on 30 Aug 2009 in version 3.1415926, and was
 backported to stable in version 2.53.4. If you use the teximg plugin,
 I recommend upgrading. ([[!cve CVE-2009-2944]])
+
+## javascript insertion via svg uris
+
+Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls,
+including `data:image/svg+xml`. But svg can contain javascript, so that is
+unsafe.
+
+This hole was discovered on 12 March 2010 and fixed the same day
+with the release of ikiwiki 3.20100312.
+A fix was also backported to Debian etch, as version 2.53.5. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.
author	Joey Hess <joey@gnu.kitenet.net>	2010-03-12 14:49:13 -0500
committer	Joey Hess <joey@gnu.kitenet.net>	2010-03-12 14:50:26 -0500
commit	2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d (patch)
tree	ac6f6c025cb14790773f8530c6356dfa4c5b1b0c /doc/security.mdwn
parent	556181d417e3461de56c43445ec9b2b0aefc7141 (diff)
download	ikiwiki-2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d.tar ikiwiki-2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d.tar.gz