diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/ikiwiki/directive/img.mdwn | 35 | ||||
| -rw-r--r-- | doc/ikiwiki/pagespec/attachment.mdwn | 2 | ||||
| -rw-r--r-- | doc/security.mdwn | 22 |
3 files changed, 52 insertions, 7 deletions
diff --git a/doc/ikiwiki/directive/img.mdwn b/doc/ikiwiki/directive/img.mdwn index 08d158987..a940a44b6 100644 --- a/doc/ikiwiki/directive/img.mdwn +++ b/doc/ikiwiki/directive/img.mdwn @@ -12,11 +12,13 @@ providing a link to a full-size version. The image file will be searched for using the same rules as used to find the file pointed to by a [[ikiwiki/WikiLink]]. -The `size` parameter is optional, defaulting to full size. Note that the -original image's aspect ratio is always preserved, even if this means -making the image smaller than the specified size. You can also specify only -the width or the height, and the other value will be calculated based on -it: "200x", "x200" +The `size` parameter is optional, defaulting to full size. +You can specify only the width or the height, and the other value will +be calculated based on it: "200x", "x200". + +If you specify both the width and height, the original image's aspect +ratio will be preserved, even if this means making the image smaller +than the specified size. (However, this is not done for svg images.) You can also pass `alt`, `title`, `class`, `align`, `id`, `hspace`, and `vspace` parameters. @@ -39,4 +41,27 @@ the page, unless overridden. Useful when including many images on a page. \[[!img photo2.jpg]] \[[!img photo3.jpg size=200x600]] +## format support + +By default, the `img` directive only supports a few common web formats: + +* PNG (`.png`) +* JPEG (`.jpg` or `.jpeg`) +* GIF (`.gif`) +* SVG (`.svg`) + +These additional formats can be enabled with the `img_allowed_formats` +[[!iki setup]] option, but are disabled by default for better +[[!iki security]]: + +* PDF (`.pdf`) +* `everything` (accepts any file supported by ImageMagick: make sure + that only completely trusted users can + [[upload attachments|ikiwiki/pagespec/attachment]]) + +For example, a wiki where only `admin()` users can upload attachments might +use: + + img_allowed_formats: [png, jpeg, gif, svg, pdf] + [[!meta robots="noindex, follow"]] diff --git a/doc/ikiwiki/pagespec/attachment.mdwn b/doc/ikiwiki/pagespec/attachment.mdwn index fa2bc5867..868fb2310 100644 --- a/doc/ikiwiki/pagespec/attachment.mdwn +++ b/doc/ikiwiki/pagespec/attachment.mdwn @@ -12,7 +12,7 @@ while allowing larger mp3 files to be uploaded by joey into a specific directory, and check all attachments for viruses, something like this could be used: - virusfree() and ((user(joey) and podcast/*.mp3 and mimetype(audio/mpeg) and maxsize(15mb)) or (mimetype(image/*) and maxsize(50kb))) + virusfree() and ((user(joey) and podcast/*.mp3 and mimetype(audio/mpeg) and maxsize(15mb)) or ((mimetype(image/jpeg) or mimetype(image/png)) and maxsize(50kb))) The regular [[ikiwiki/PageSpec]] syntax is expanded with the following additional tests: diff --git a/doc/security.mdwn b/doc/security.mdwn index d5a0266cd..6d4841fe6 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -178,7 +178,8 @@ the same standards as the rest of ikiwiki, but with that said, here are some security notes for them. * The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure - from malformed image attacks. Imagemagick has had security holes in the + from malformed image attacks for at least the formats listed in + `img_allowed_formats`. Imagemagick has had security holes in the past. To be able to exploit such a hole, a user would need to be able to upload images to the wiki. @@ -506,3 +507,22 @@ The hole was reported on March 24th, a fix was developed on March 27th, and the fixed version 3.20150329 was released on the 29th. A fix was backported to Debian jessie as version 3.20141016.2 and to Debian wheezy as version 3.20120629.2. An upgrade is recommended for sites using CGI and openid. + +## XSS via error messages + +CGI error messages did not escape HTML meta-characters, potentially +allowing an attacker to carry out cross-site scripting by directing a +user to a URL that would result in a crafted ikiwiki error message. This +was discovered on 4 May by the ikiwiki developers, and the fixed version +3.20160506 was released on 6 May. An upgrade is recommended for sites using +the CGI. + +## ImageMagick CVE-2016–3714 ("ImageTragick") + +ikiwiki 3.20160506 attempts to mitigate [[!cve CVE-2016-3714]] and any +future ImageMagick vulnerabilities that resemble it, by restricting the +image formats that the [[ikiwiki/directive/img]] directive is willing to +resize. An upgrade is recommended for sites where an untrusted user is +able to attach images. Upgrading ImageMagick to a version where +CVE-2016-3714 has been fixed is also recommended, but at the time of +writing no such version is available. |