I've fixed an XSS security problem in ikiwiki. * Fix htmlscrubber_skip to be matched on the source page, not the page it is inlined into. Should allow setting to "* and !comment(*)" to scrub comments, but leave your blog posts unscrubbed, etc. CVE-2010-1673 * comments: Make postcomment() pagespec work when previewing a comment, including during moderation. CVE-2010-1673 * comments: Make comment() pagespec also match comments that are being posted. CVE-2010-1673
While I was picking those fixes for an upload via t-p-u I noticed several bugfixes from the past couple months that are a) small and self-contained b) well tested for at least 1 month each and c) will affect lots of users or are otherwise pretty serious (data loss, denial of service crashes, build failures, it's all here!) So I thought I'd include those too: * openid: Syntax tweak to the javascript code to make it work with MSIE 7 (and MSIE 8 in compat mode). Thanks to Iain McLaren for reporting the bug and providing access to debug it. * blogspam: Fix crash when content contained utf-8. * external: Disable RPC::XML's "smart" encoding, which sent ints for strings that contained only a number, fixing a longstanding crash of the rst plugin. * websetup: Fix saving of advanced mode changes. * websetup: Fix defaults of checkboxes in advanced mode. * Fix test suite failure on other side of date line. * Set isPermaLink="no" for guids in rss feeds. * sortnaturally: Added missing registration of checkconfig hook. Total diff is 218 lines, attached. (Or individual patches are in ikiwiki's debian-testing branch in git.) -- see shy jo
diff --git a/IkiWiki/Plugin/blogspam.pm b/IkiWiki/Plugin/blogspam.pm
index 8db3780..f0b6cb2 100644
--- a/IkiWiki/Plugin/blogspam.pm
+++ b/IkiWiki/Plugin/blogspam.pm
@@ -4,6 +4,7 @@ package IkiWiki::Plugin::blogspam;
 use warnings;
 use strict;
 use IkiWiki 3.00;
+use Encode;
 my $defaulturl='http://test.blogspam.net:8888/';
@@ -68,6 +69,7 @@ sub checkcontent (@) {
 my $url=$defaulturl;
 $url = $config{blogspam_server} if exists $config{blogspam_server};
+ my $client = RPC::XML::Client->new($url);
 my @options = split(",", $config{blogspam_options})
@@ -90,12 +92,12 @@ sub checkcontent (@) {
 my %req=(
 ip => $session->remote_addr(),
- comment => defined $params{diff} ? $params{diff} : $params{content},
- subject => defined $params{subject} ? $params{subject} : "",
- name => defined $params{author} ? $params{author} : "",
- link => exists $params{url} ? $params{url} : "",
+ comment => encode_utf8(defined $params{diff} ? $params{diff} : $params{content}),
+ subject => encode_utf8(defined $params{subject} ? $params{subject} : ""),
+ name => encode_utf8(defined $params{author} ? $params{author} : ""),
+ link => encode_utf8(exists $params{url} ? $params{url} : ""),
 options => join(",", @options),
- site => $config{url},
+ site => encode_utf8($config{url}),
 version => "ikiwiki ".$IkiWiki::version,
 );
 my $res = $client->send_request('testComment', \%req);
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index 851f486..a39dab3 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -727,6 +727,10 @@ sub previewcomment ($$$) {
 my $page=shift;
 my $time=shift;
+ # Previewing a comment should implicitly enable comment posting mode.
+ my $oldpostcomment=$postcomment;
+ $postcomment=1;
+
 my $preview = IkiWiki::htmlize($location, $page, '_comment', IkiWiki::linkify($location, $page, IkiWiki::preprocess($location, $page, 
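Review bot: The request fields in the third blogspam hunk are now passed as UTF-8 byte strings, but nothing here sets `$RPC::XML::ENCODING`, so the XML declaration the client emits may still advertise the library's default encoding rather than the bytes actually sent; the external.pm hunk in this same diff sets `$RPC::XML::ENCODING="utf-8";` for its own client, and the same line before `RPC::XML::Client->new($url)` would keep the two plugins consistent. `ip` and `options` are left unencoded, which is presumably deliberate for an address and ASCII option names, but a short comment such as `# ip and options are ASCII; only the user-supplied text needs encoding` would stop the next reader from treating it as an omission. checkcontent() continues outside the hunk.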
@@ -745,6 +749,8 @@ sub previewcomment ($$$) {
 $template->param(have_actions => 0);
+ $postcomment=$oldpostcomment;
+
 return $template->output;
 }
@@ -941,14 +947,16 @@ sub match_comment ($$;@) {
 my $page = shift;
 my $glob = shift;
- # To see if it's a comment, check the source file type.
- # Deal with comments that were just deleted.
- my $source=exists $IkiWiki::pagesources{$page} ?
- $IkiWiki::pagesources{$page} :
- $IkiWiki::delpagesources{$page};
- my $type=defined $source ? IkiWiki::pagetype($source) : undef;
- if (! defined $type || $type ne "_comment") {
- return IkiWiki::FailReason->new("$page is not a comment");
+ if (! $postcomment) {
+ # To see if it's a comment, check the source file type.
+ # Deal with comments that were just deleted.
+ my $source=exists $IkiWiki::pagesources{$page} ?
+ $IkiWiki::pagesources{$page} :
+ $IkiWiki::delpagesources{$page};
+ my $type=defined $source ? IkiWiki::pagetype($source) : undef;
+ if (! defined $type || $type ne "_comment") {
+ return IkiWiki::FailReason->new("$page is not a comment");
+ }
 }
 return match_glob($page, "$glob/*", internal => 1, @_);
diff --git a/IkiWiki/Plugin/external.pm b/IkiWiki/Plugin/external.pm
index ec91c79..a4cc1dd 100644
--- a/IkiWiki/Plugin/external.pm
+++ b/IkiWiki/Plugin/external.pm
@@ -28,7 +28,9 @@ sub import {
 $plugins{$plugin}={in => $plugin_read, out => $plugin_write, pid => $pid, accum => ""};
+ $RPC::XML::ENCODING="utf-8";
+ $RPC::XML::FORCE_STRING_ENCODING="true";
 rpc_call($plugins{$plugin}, "import");
 }
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index 8475181..4a90c6f 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
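Review bot: `$postcomment` is restored only on the normal return path of previewcomment(): if htmlize(), preprocess() or the template code between the `$postcomment=1;` of the previous hunk and the `$postcomment=$oldpostcomment;` added here dies, the flag stays set for the rest of the process, and because match_comment() skips its source-type test while it is set, `comment()` pagespecs keep over-matching after the error. If `$postcomment` is a package variable, `local $postcomment=1;` at the top of the sub restores it on every exit, including die; if it is a file-scoped lexical, wrapping the preview build and the template output in an `eval` that puts the old value back before rethrowing does the same. A comment on the restore line, e.g. `# leave comment posting mode entered at the top of previewcomment()`, would tie the two hunks together. The body of previewcomment() between the two hunks is outside the diff.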
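Review bot: While `$postcomment` is set, the new `if (! $postcomment)` guard in match_comment() makes `comment(glob)` match every page under `$glob/*`, not only the comment being posted or previewed, because the `match_glob` call at the end is the only test left; this errs toward treating more pages as comments, which is the safe direction for an `!comment(*)` term in htmlscrubber_skip, but nothing in the code says so. A comment inside the guard would record the intent, e.g. `# While a comment is being posted or previewed its page has no source file yet, so skip the source-type test and rely on the glob alone; this deliberately over-matches rather than under-matches.` If the pending comment's location is known where `$postcomment` is set, comparing `$page` against it would narrow the bypass to that single page.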
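Review bot: `$RPC::XML::ENCODING` and `$RPC::XML::FORCE_STRING_ENCODING` are package globals that affect every RPC::XML user in the process, yet the external.pm hunk assigns them inside import() each time an external plugin is started; assigning them once at file scope, before any client is created, makes the process-wide effect visible and avoids repeating it per plugin. `"true"` only works because it is a non-empty string (the flag appears to be tested for truth), so `$RPC::XML::FORCE_STRING_ENCODING=1;` is the clearer spelling. A one-line comment on why forced string encoding is needed, e.g. `# numeric-looking strings were being sent as ints and crashed the rst plugin`, would save the next reader a trip to the changelog. import() begins before the hunk.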
@@ -57,8 +57,8 @@ sub sanitize (@) {
 if (exists $config{htmlscrubber_skip} && length $config{htmlscrubber_skip} &&
- exists $params{destpage} &&
- pagespec_match($params{destpage}, $config{htmlscrubber_skip})) {
+ exists $params{page} &&
+ pagespec_match($params{page}, $config{htmlscrubber_skip})) {
 return $params{content};
 }
diff --git a/IkiWiki/Plugin/sortnaturally.pm b/IkiWiki/Plugin/sortnaturally.pm
index 62e4276..b038b2f 100644
--- a/IkiWiki/Plugin/sortnaturally.pm
+++ b/IkiWiki/Plugin/sortnaturally.pm
@@ -7,6 +7,7 @@ no warnings;
 sub import {
 hook(type => "getsetup", id => "sortnaturally", call => \&getsetup);
+ hook(type => "checkconfig", id => "sortnaturally", call => \&checkconfig);
 }
 sub getsetup {
diff --git a/IkiWiki/Plugin/websetup.pm b/IkiWiki/Plugin/websetup.pm
index 11b4428..0ab1899 100644
--- a/IkiWiki/Plugin/websetup.pm
+++ b/IkiWiki/Plugin/websetup.pm
@@ -219,7 +219,8 @@ sub showfields ($$$@) {
 options => [ [ 1 => $description ] ],
 fieldset => $section,
 );
- if (! $form->submitted) {
+ if (! $form->submitted ||
+ ($info{advanced} && $form->submitted eq 'Advanced Mode')) {
 $form->field(name => $name, value => $value);
 }
 }
@@ -295,6 +296,7 @@ sub showform ($$) {
 $form->field(name => "do", type => "hidden", value => "setup", force => 1);
 $form->field(name => "rebuild_asked", type => "hidden");
+ $form->field(name => "showadvanced", type => "hidden");
 if ($form->submitted eq 'Basic Mode') {
 $form->field(name => "showadvanced", type => "hidden",
diff --git a/debian/changelog b/debian/changelog
index 98d1337..89d9195 100644
--- a/debian/changelog
+++ b/debian/changelog
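Review bot: The change from `destpage` to `page` in sanitize() is the whole XSS fix, and nothing in the code records why that operand matters; since this condition decides whether untrusted HTML is scrubbed at all, a comment above it should say the pagespec is matched against the page whose content is being sanitized so that a scrub-exempt destination (for instance a blog post) cannot carry unscrubbed HTML inlined from a page that is not exempt, e.g. `# Match the skip pagespec against the source page, never the page it is inlined into; an exempt destination must not exempt content pulled in from elsewhere.` The guard still scrubs when `page` is absent from `%params`, which is the right default. sanitize() continues outside the hunk.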
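Review bot: The new condition in showfields() compares `$form->submitted` with the literal button label `'Advanced Mode'`, and the showform() hunk below relies on the same `'Basic Mode'` comparison; if those labels are ever translated or reworded in the template, the checkbox defaults silently stop being reset and the mode switch no longer matches. Comparing against the constant the buttons are built from, or against a dedicated hidden field, would not depend on display text; at minimum a comment such as `# must match the submit button label used in the template` keeps the two in sync. Both subs begin and end outside their hunks.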
@@ -1,3 +1,28 @@
+ikiwiki (3.20100815.2) UNRELEASED; urgency=low
+
+ * Bugfix-only cherry-pick release for Debian squeeze.
+ * Fix htmlscrubber_skip to be matched on the source page, not the page it is
+ inlined into. Should allow setting to "* and !comment(*)" to scrub
+ comments, but leave your blog posts unscrubbed, etc.
+ * comments: Make postcomment() pagespec work when previewing a comment,
+ including during moderation.
+ * comments: Make comment() pagespec also match comments that are being
+ posted.
+ * openid: Syntax tweak to the javascript code to make it work with MSIE 7
+ (and MSIE 8 in compat mode). Thanks to Iain McLaren for reporting
+ the bug and providing access to debug it.
+ * blogspam: Fix crash when content contained utf-8.
+ * external: Disable RPC::XML's "smart" encoding, which sent ints
+ for strings that contained only a number, fixing a longstanding crash
+ of the rst plugin.
+ * websetup: Fix saving of advanced mode changes.
+ * websetup: Fix defaults of checkboxes in advanced mode.
+ * Fix test suite failure on other side of date line.
+ * Set isPermaLink="no" for guids in rss feeds.
+ * sortnaturally: Added missing registration of checkconfig hook.
+
+ -- Joey Hess <jo...@debian.org> Sun, 15 Aug 2010 11:42:55 -0400
+
 ikiwiki (3.20100815) unstable; urgency=medium
 * Fix po test suite to not assume ikiwiki's underlay is already installed.
diff --git a/t/pagespec_match.t b/t/pagespec_match.t
index 97bcc96..2624864 100755
--- a/t/pagespec_match.t
+++ b/t/pagespec_match.t
@@ -99,6 +99,7 @@ ok(pagespec_match("ook", "link(blog/tags/foo)"), "link internal absolute success
 ok(pagespec_match("ook", "link(/blog/tags/foo)"), "link explicit absolute success");
 ok(pagespec_match("meh", "!link(done)"), "negated failing match is a success");
+$ENV{TZ}="GMT";
 $IkiWiki::pagectime{foo}=1154532692; # Wed Aug 2 11:26 EDT 2006
 $IkiWiki::pagectime{bar}=1154532695; # after
 ok(pagespec_match("foo", "created_before(bar)"));
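Review bot: `$ENV{TZ}="GMT";` in the pagespec_match.t hunk is set part-way through the test, after other code has already run; whether a change to TZ made in-process is honoured by later localtime() calls depends on the C library re-reading the variable, so following the assignment with `POSIX::tzset();` (with `use POSIX ();` near the top) makes the intent explicit and portable, or move the assignment to the top of the file before anything date-dependent runs. The `# Wed Aug 2 11:26 EDT 2006` comment on the next line now describes the timestamp in a zone the test no longer uses and is worth restating in GMT so it cannot mislead. The changelog hunk above needs no change.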
diff --git a/templates/rssitem.tmpl b/templates/rssitem.tmpl
index a64a4eb..272b340 100644
--- a/templates/rssitem.tmpl
+++ b/templates/rssitem.tmpl
@@ -8,7 +8,7 @@
 <TMPL_IF GUID>
 <guid isPermaLink="no"><TMPL_VAR GUID></guid>
 <TMPL_ELSE>
- <guid><TMPL_VAR URL></guid>
+ <guid isPermaLink="no"><TMPL_VAR URL></guid>
 </TMPL_IF>
 <link><TMPL_VAR PERMALINK></link>
 <TMPL_IF CATEGORIES>
diff --git a/underlays/openid-selector/ikiwiki/openid/openid-jquery.js b/underlays/openid-selector/ikiwiki/openid/openid-jquery.js
index f22f577..c59be1e 100644
--- a/underlays/openid-selector/ikiwiki/openid/openid-jquery.js
+++ b/underlays/openid-selector/ikiwiki/openid/openid-jquery.js
@@ -21,7 +21,7 @@ var providers_large = {
 icon: 'wikiicons/openidlogin-bg.gif',
 label: 'Enter your OpenID:',
 url: null
- },
+ }
 };
 var providers_small = {
 livejournal: {
@@ -65,7 +65,7 @@ var providers_small = {
 icon: 'http://verisign.com/favicon.ico',
 label: 'Enter your Verisign username:',
 url: 'http://{username}.pip.verisignlabs.com/'
- },
+ }
 };
 var providers = $.extend({}, providers_large, providers_small);