diff options
author | Simon McVittie <smcv@debian.org> | 2016-12-19 21:20:41 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2016-12-19 21:20:41 +0000 |
commit | fd6b947889733dbe0cc254428a1d3ad0dfdc89b3 (patch) | |
tree | 289a45d281ddd2c4648b2420cddc682fe5a91851 /doc/security.mdwn | |
parent | c96149fa3edd80caf398994294e60c49b4a83beb (diff) | |
download | ikiwiki-fd6b947889733dbe0cc254428a1d3ad0dfdc89b3.tar ikiwiki-fd6b947889733dbe0cc254428a1d3ad0dfdc89b3.tar.gz |
Announce 3.20161219
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- | doc/security.mdwn | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index 9dee6d904..a5db9b410 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -546,3 +546,20 @@ vulnerability to execute arbitrary Perl code. An upgrade is recommended for sites where an untrusted user is able to attach files with arbitrary names and/or run a setuid ikiwiki wrapper with a working directory of their choice. + +## Editing restriction bypass for git revert + +intrigeri discovered that a web or git user could revert a change to a +page they are not allowed to edit, if the change being reverted was made +before the page was moved from a location where that user had permission +to edit it. For example, if a file is moved from `drafts/policy.mdwn` +(editable by less-trusted users) to `policy.mdwn` (only editable +by more-trusted users), a less-trusted user could revert a change +that was made to `drafts/policy.mdwn` prior to that move, and it would +result in `policy.mdwn` being altered. + +This affects sites with the `git` VCS and the `recentchanges` plugin, +which are both used in most ikiwiki installations. + +This bug was reported on 2016-12-17. The fixed version 3.20161219 +was released on 2016-12-19. |