From 2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@gnu.kitenet.net>
Date: Fri, 12 Mar 2010 14:49:13 -0500
Subject: htmlscrubber: Security fix: In data:image/* uris, only allow a few
 whitelisted image types. No svg.

---
 IkiWiki/Plugin/htmlscrubber.pm |  6 +++---
 debian/changelog               |  4 +++-
 doc/security.mdwn              | 12 ++++++++++++
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index ee284a45c..26e18ffc7 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -30,9 +30,9 @@ sub import {
 		"msnim", "notes", "rsync", "secondlife", "skype", "ssh",
 		"sftp", "smb", "sms", "snews", "webcal", "ymsgr",
 	);
-	# data is a special case. Allow data:image/*, but
-	# disallow data:text/javascript and everything else.
-	$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
+	# data is a special case. Allow a few data:image/ types,
+	# but disallow data:text/javascript and everything else.
+	$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
 }
 
 sub getsetup () {
diff --git a/debian/changelog b/debian/changelog
index bae0e7ee0..7fdbbcb63 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20100303) UNRELEASED; urgency=low
+ikiwiki (3.20100312) unstable; urgency=HIGH
 
   * Fix utf8 issues in calls to md5_hex.
   * moderatedcomments: Added moderate_pagespec that can be used
@@ -12,6 +12,8 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low
   * Fix missing span on recentchanges page template.
   * search: Avoid '$' in the wikiname appearing unescaped on omega's
     query template, where it might crash omega.
+  * htmlscrubber: Security fix: In data:image/* uris, only allow a few
+    whitelisted image types. No svg.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 3924186c2..21aef316b 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -427,3 +427,15 @@ enabling TeX configuration options that disallow unsafe TeX commands.
 The fix was released on 30 Aug 2009 in version 3.1415926, and was
 backported to stable in version 2.53.4. If you use the teximg plugin,
 I recommend upgrading. ([[!cve CVE-2009-2944]])
+
+## javascript insertion via svg uris
+
+Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls,
+including `data:image/svg+xml`. But svg can contain javascript, so that is
+unsafe.
+
+This hole was discovered on 12 March 2010 and fixed the same day
+with the release of ikiwiki 3.20100312.
+A fix was also backported to Debian etch, as version 2.53.5. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.
-- 
cgit v1.2.3