some notes about the security (or lack thereof) of plugins

author: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2006-10-22 21:12:21 +0000
committer: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2006-10-22 21:12:21 +0000
commit: c49af80ab38f71abcbe9887dde4b76d462595f4a (patch)
tree: 710baa8bbc0a3cb2602f9edf02da53eb8f1c6767 /doc/security.mdwn
parent: 6a75123d7aa3594cb4dd5eb9b3311767ad1738ea (diff)
download: ikiwiki-c49af80ab38f71abcbe9887dde4b76d462595f4a.tar
ikiwiki-c49af80ab38f71abcbe9887dde4b76d462595f4a.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index fea0eb727..723c01863 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -158,6 +158,20 @@ allowed, so that's not a problem.)
 
 ----
 
+# Plugins
+
+The security of [[plugins]] depends on how well they're written and what
+external tools they use. The plugins included in ikiwiki are all held to
+the same standards as the rest of ikiwiki, but with that said, here are
+some security notes for them.
+
+* The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure
+  from malformed image attacks. Imagemagick has had security holes in the
+  past. To be able to exploit such a hole, a user would need to be able to
+  upload images to the wiki.
+
+----
+
 # Fixed holes
 
 _(Unless otherwise noted, these were discovered and immediately fixed by the
author	joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>	2006-10-22 21:12:21 +0000
committer	joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>	2006-10-22 21:12:21 +0000
commit	c49af80ab38f71abcbe9887dde4b76d462595f4a (patch)
tree	710baa8bbc0a3cb2602f9edf02da53eb8f1c6767 /doc/security.mdwn
parent	6a75123d7aa3594cb4dd5eb9b3311767ad1738ea (diff)
download	ikiwiki-c49af80ab38f71abcbe9887dde4b76d462595f4a.tar ikiwiki-c49af80ab38f71abcbe9887dde4b76d462595f4a.tar.gz