path: root/doc/security.mdwn
author: Joey Hess <joey@kitenet.net> 2011-03-28 12:21:12 -0400
committer: Joey Hess <joey@kitenet.net> 2011-03-28 12:21:12 -0400
commit: be02a80b7a19f3c33a8ea42c0750d94e0a91206f
tree: 1ffc2ec9905bf2662c9766d95e96430959ef2d2d /doc/security.mdwn
parent: a0e31f38d55f659ed9ef07ce16482308807435f8
meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled.
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- doc/security.mdwn 11
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 770927e26..2b387ac23 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -463,3 +463,14 @@ This hole was discovered on 22 Jan 2011 and fixed the same day with
the release of ikiwiki 3.20110122. A fix was backported to Debian squeeze,
as version 3.20100815.5. An upgrade is recommended for sites
with the comments plugin enabled. ([[!cve CVE-2011-0428]])
+
+## possible javascript insertion via insufficient htmlscrubbing of alternate stylesheets
+
+Tango noticed that 'meta stylesheet` directives allowed anyone
+who could upload a malicious stylesheet to a site to add it to a
+page as an alternate stylesheet. In order to be exploited, the user
+would have to select the alternative stylesheet in their browser.
+
+This hole was discovered on 28 Mar 2011 and fixed the same hour with
+the release of ikiwiki 3.20110328. An upgrade is recommended for sites
+that have untrusted committers, or have the attachments plugin enabled.
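
Review bot: In the first added paragraph the directive name is quoted as 'meta stylesheet` with an opening apostrophe and a closing backtick; the quoting is unbalanced and should use the same character on both sides. The heading promises javascript insertion, but the body only says a malicious stylesheet can be added to a page as an alternate stylesheet. A sentence on how the stylesheet leads to script execution, and one on what the fix changes (the commit message says alternative stylesheets are no longer allowed on pages where the htmlscrubber is enabled), would let admins judge their exposure and notice the behaviour change after upgrading. The preceding entry ends with a [[!cve ...]] reference; if an identifier has been assigned for this hole, add it here in the same form.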