-rw-r--r-- | doc/news/version_3.20150614.mdwn | 8
-rw-r--r-- | doc/news/version_3.20161219.mdwn | 14
-rw-r--r-- | doc/security.mdwn | 17
3 files changed, 31 insertions, 8 deletions
diff --git a/doc/news/version_3.20150614.mdwn b/doc/news/version_3.20150614.mdwn deleted file mode 100644 index 1b08f5a79..000000000 --- a/doc/news/version_3.20150614.mdwn +++ /dev/null @@ -1,8 +0,0 @@ -ikiwiki 3.20150614 released with [[!toggle text="these changes"]] -[[!toggleable text=""" - * inline: change default sort order from age to "age title" for - determinism, partially fixing deterministic build for git-annex, - ikiwiki-hosting etc. (Closes: #[785757](http://bugs.debian.org/785757)) - * img: avoid ImageMagick misinterpreting filenames containing a colon - * img test: set old timestamp on source file that will change, so that - the test will pass even if it takes less than 1 second"""]]
\ No newline at end of file diff --git a/doc/news/version_3.20161219.mdwn b/doc/news/version_3.20161219.mdwn new file mode 100644 index 000000000..3b64cb8a8 --- /dev/null +++ b/doc/news/version_3.20161219.mdwn @@ -0,0 +1,14 @@ +ikiwiki 3.20161219 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * [ Joey Hess ] + * inline: Prevent creating a file named ".mdwn" when the + postform is submitted with an empty title. + * [ Simon McVittie ] + * Security: tell `git revert` not to follow renames. If it does, then + renaming a file can result in a revert writing outside the wiki srcdir + or altering a file that the reverting user should not be able to alter, + an authorization bypass. Thanks, intrigeri + * cgitemplate: remove some dead code. Thanks, blipvert + * Restrict CSS matches against header class to not break + Pandoc tables with header rows. Thanks, karsk + * Make pagestats output more deterministic. Thanks, intrigeri"""]]
\ No newline at end of file diff --git a/doc/security.mdwn b/doc/security.mdwn index 9dee6d904..a5db9b410 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -546,3 +546,20 @@ vulnerability to execute arbitrary Perl code. An upgrade is recommended for sites where an untrusted user is able to attach files with arbitrary names and/or run a setuid ikiwiki wrapper with a working directory of their choice. + +## Editing restriction bypass for git revert + +intrigeri discovered that a web or git user could revert a change to a +page they are not allowed to edit, if the change being reverted was made +before the page was moved from a location where that user had permission +to edit it. For example, if a file is moved from `drafts/policy.mdwn` +(editable by less-trusted users) to `policy.mdwn` (only editable +by more-trusted users), a less-trusted user could revert a change +that was made to `drafts/policy.mdwn` prior to that move, and it would +result in `policy.mdwn` being altered. + +This affects sites with the `git` VCS and the `recentchanges` plugin, +which are both used in most ikiwiki installations. + +This bug was reported on 2016-12-17. The fixed version 3.20161219 +was released on 2016-12-19. |
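Review bot: the deletion of doc/news/version_3.20150614.mdwn (first hunk) is not explained by anything else in this diff; if it is routine pruning of the oldest news item to make room for the 3.20161219 entry, say so in the commit message or split it into its own commit, so that someone auditing the history of the security advisory does not have to work out why an unrelated release note vanished in the same change. The deleted file ended without a trailing newline ("\ No newline at end of file") and the new news file reproduces that, so at least the two are consistent if that is the convention for news entries.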
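Review bot: the changelog line for the revert fix in doc/news/version_3.20161219.mdwn (second hunk) says a rename-following revert "can result in a revert writing outside the wiki srcdir or altering a file that the reverting user should not be able to alter", but the advisory added to doc/security.mdwn in this same commit describes only the second outcome, altering a page within the wiki that the user is not permitted to edit. The two statements of impact should agree: either drop the srcdir claim here or add it, with the conditions under which it applies, to the security page, since that page is what administrators read when deciding how urgently to upgrade. If an identifier (for example a CVE) is assigned for this issue, record it in both places.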
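Review bot: the new "Editing restriction bypass for git revert" section (third hunk) omits the closing sentence that the entry immediately above it uses to say who needs to act ("An upgrade is recommended for sites where..."); add the equivalent here, for example that an upgrade is recommended for any site using the `git` VCS with the `recentchanges` plugin where some users may edit certain pages but not others, since by the section's own description the bypass only matters when edit permissions differ between a page's old and new locations. It would also help readers to state a workaround for sites that cannot upgrade immediately, given that the section already names the `recentchanges` plugin as the component that exposes the revert operation, and to mention that the fix is to stop `git revert` following renames, so the advisory can be correlated with the changelog entry in the same commit.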