diff options
| author | Simon McVittie <smcv@debian.org> | 2016-12-24 15:03:51 +0000 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2016-12-28 21:32:12 +0000 |
| commit | c1120bbbe8fdea20cf64fa12247f4f4a4006c834 (patch) | |
| tree | f25c576e39811b35933a043496f57dfdd6c67fb6 /doc/security.mdwn | |
| parent | e193c75b7dd67cee731570c321a121cf79cb3c23 (diff) | |
| download | ikiwiki-c1120bbbe8fdea20cf64fa12247f4f4a4006c834.tar ikiwiki-c1120bbbe8fdea20cf64fa12247f4f4a4006c834.tar.gz | |
Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.
This prevents two (relatively minor) commit metadata forgery
vulnerabilities:
* In the comments plugin, an attacker who was able to post a comment
could give it a user-specified author and author-URL even if the wiki
configuration did not allow for that, by crafting multiple values
to other fields.
* In the editpage plugin, an attacker who was able to edit a page
could potentially forge commit authorship by crafting multiple values
for the rcsinfo field.
The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.
OVE-20161226-0001
Diffstat (limited to 'doc/security.mdwn')
| -rw-r--r-- | doc/security.mdwn | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index 4f825deba..9818e0c94 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -563,3 +563,25 @@ which are both used in most ikiwiki installations. This bug was reported on 2016-12-17. The fixed version 3.20161219 was released on 2016-12-19. ([[!cve CVE-2016-10026]]) + +## Commit metadata forgery via CGI::FormBuilder context-dependent APIs + +When CGI::FormBuilder->field("foo") is called in list context (and +in particular in the arguments to a subroutine that takes named +arguments), it can return zero or more values for foo from the CGI +request, rather than the expected single value. This breaks the usual +Perl parsing convention for named arguments, similar to CVE-2014-1572 +in Bugzilla (which was caused by a similar API design issue in CGI.pm). + +In ikiwiki, this appears to have been exploitable in two places, both +of them relatively minor: + +* in the comments plugin, an attacker who was able to post a comment + could give it a user-specified author and author-URL even if the wiki + configuration did not allow for that, by crafting multiple values + for other fields +* in the editpage plugin, an attacker who was able to edit a page + could potentially forge commit authorship (attribute their edit to + someone else) by crafting multiple values for the rcsinfo field + +(OVE-20161226-0001) |