I've fixed an XSS security problem in ikiwiki.
* Fix htmlscrubber_skip to be matched on the source page, not the page it is
inlined into. Should allow setting to "* and !comment(*)" to scrub
comments, but leave your blog posts unscrubbed, etc. CVE-2010-1673
* comments: Make postcomment() pagespec work when previewing a comment,
including during moderation. CVE-2010-1673
* comments: Make comment() pagespec also match comments that are being
posted. CVE-2010-1673
While I was picking those fixes for an upload via t-p-u (testing-proposed-updates) I noticed several
bugfixes from the past couple of months that are (a) small and self-contained,
(b) well tested for at least a month each, and (c) will affect lots of users
or are otherwise pretty serious (data loss, denial-of-service crashes,
build failures -- it's all here!), so I thought I'd include those too:
* openid: Syntax tweak to the javascript code to make it work with MSIE 7
(and MSIE 8 in compat mode). Thanks to Iain McLaren for reporting
the bug and providing access to debug it.
* blogspam: Fix crash when content contained utf-8.
* external: Disable RPC::XML's "smart" encoding, which sent ints
for strings that contained only a number, fixing a longstanding crash
of the rst plugin.
* websetup: Fix saving of advanced mode changes.
* websetup: Fix defaults of checkboxes in advanced mode.
* Fix test suite failure on other side of date line.
* Set isPermaLink="no" for guids in rss feeds.
* sortnaturally: Added missing registration of checkconfig hook.
Total diff is 218 lines, attached. (Or individual patches are in ikiwiki's
debian-testing branch in git.)
--
see shy jo
diff --git a/IkiWiki/Plugin/blogspam.pm b/IkiWiki/Plugin/blogspam.pm
index 8db3780..f0b6cb2 100644
--- a/IkiWiki/Plugin/blogspam.pm
+++ b/IkiWiki/Plugin/blogspam.pm
@@ -4,6 +4,7 @@ package IkiWiki::Plugin::blogspam;
use warnings;
use strict;
use IkiWiki 3.00;
+use Encode;
my $defaulturl='http://test.blogspam.net:8888/';
@@ -68,6 +69,7 @@ sub checkcontent (@) {
my $url=$defaulturl;
$url = $config{blogspam_server} if exists $config{blogspam_server};
+
my $client = RPC::XML::Client->new($url);
my @options = split(",", $config{blogspam_options})
@@ -90,12 +92,12 @@ sub checkcontent (@) {
my %req=(
ip => $session->remote_addr(),
- comment => defined $params{diff} ? $params{diff} : $params{content},
- subject => defined $params{subject} ? $params{subject} : "",
- name => defined $params{author} ? $params{author} : "",
- link => exists $params{url} ? $params{url} : "",
+ comment => encode_utf8(defined $params{diff} ? $params{diff} : $params{content}),
+ subject => encode_utf8(defined $params{subject} ? $params{subject} : ""),
+ name => encode_utf8(defined $params{author} ? $params{author} : ""),
+ link => encode_utf8(exists $params{url} ? $params{url} : ""),
options => join(",", @options),
- site => $config{url},
+ site => encode_utf8($config{url}),
version => "ikiwiki ".$IkiWiki::version,
);
my $res = $client->send_request('testComment', \%req);
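Review bot: The `link` field still tests `exists $params{url}` while the three fields above it test `defined`, so a url key that is present but undef reaches `encode_utf8(undef)` and is sent as undef rather than the empty string the ternary is meant to guarantee; `link => encode_utf8(defined $params{url} ? $params{url} : ""),` makes the four fields consistent and is the safe form either way. Whether any caller actually passes `url => undef` I can't tell from this hunk. The `ip`, `options` and `version` values are left unencoded, which is presumably fine because they are ASCII in practice, but a one-line comment saying so would stop the next reader from wondering. checkcontent() starts before this hunk and continues after it.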
diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index 851f486..a39dab3 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -727,6 +727,10 @@ sub previewcomment ($$$) {
my $page=shift;
my $time=shift;
+ # Previewing a comment should implicitly enable comment posting mode.
+ my $oldpostcomment=$postcomment;
+ $postcomment=1;
+
my $preview = IkiWiki::htmlize($location, $page, '_comment',
IkiWiki::linkify($location, $page,
IkiWiki::preprocess($location, $page,
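Review bot: `$postcomment=1` is undone only by a plain assignment later in the function, so if htmlize(), linkify() or preprocess() dies on the previewed text (a plugin error in user-supplied comment content is not exotic), the flag stays set for the rest of the process and comment()/postcomment() pagespecs keep treating non-comment pages as comments until it exits. If `$postcomment` is a package variable, `local $postcomment = 1;` scopes the override to this call and unwinds it on die; if it is a file-level lexical, run the preview inside an `eval` block, restore the old value, and re-throw `$@`. The blast radius is presumably one CGI request since ikiwiki's CGI is one process per request, but that is exactly the request in which untrusted content is being rendered. previewcomment() starts before this hunk and continues beyond it.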
@@ -745,6 +749,8 @@ sub previewcomment ($$$) {
$template->param(have_actions => 0);
+ $postcomment=$oldpostcomment;
+
return $template->output;
}
@@ -941,14 +947,16 @@ sub match_comment ($$;@) {
my $page = shift;
my $glob = shift;
- # To see if it's a comment, check the source file type.
- # Deal with comments that were just deleted.
- my $source=exists $IkiWiki::pagesources{$page} ?
- $IkiWiki::pagesources{$page} :
- $IkiWiki::delpagesources{$page};
- my $type=defined $source ? IkiWiki::pagetype($source) : undef;
- if (! defined $type || $type ne "_comment") {
- return IkiWiki::FailReason->new("$page is not a comment");
+ if (! $postcomment) {
+ # To see if it's a comment, check the source file type.
+ # Deal with comments that were just deleted.
+ my $source=exists $IkiWiki::pagesources{$page} ?
+ $IkiWiki::pagesources{$page} :
+ $IkiWiki::delpagesources{$page};
+ my $type=defined $source ? IkiWiki::pagetype($source) : undef;
+ if (! defined $type || $type ne "_comment") {
+ return IkiWiki::FailReason->new("$page is not a comment");
+ }
}
return match_glob($page, "$glob/*", internal => 1, @_);
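Review bot: With `$postcomment` set, the source-type check is skipped for every page the pagespec is evaluated against, not only for the comment being posted, so during preview or posting `comment(*)` matches any page whose name fits `$glob/*`, comment or not. For `htmlscrubber_skip = "* and !comment(*)"` that errs toward scrubbing more, but any pagespec that grants something to comment(...) matches would be widened in the same window. A tighter form is to record the pending comment's page name when posting mode is entered and skip the type check only when `$page` equals it, with a comment above the `if` such as `# A comment being posted has no source file yet, so it cannot be type-checked; accept it by name only.`. match_comment() starts before this hunk and its body continues after it.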
diff --git a/IkiWiki/Plugin/external.pm b/IkiWiki/Plugin/external.pm
index ec91c79..a4cc1dd 100644
--- a/IkiWiki/Plugin/external.pm
+++ b/IkiWiki/Plugin/external.pm
@@ -28,7 +28,9 @@ sub import {
$plugins{$plugin}={in => $plugin_read, out => $plugin_write, pid => $pid,
accum => ""};
+
$RPC::XML::ENCODING="utf-8";
+ $RPC::XML::FORCE_STRING_ENCODING="true";
rpc_call($plugins{$plugin}, "import");
}
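Review bot: `$RPC::XML::FORCE_STRING_ENCODING="true"` is a process-wide package global assigned again on every external plugin import, and it also governs any other RPC::XML user in the same process (the blogspam plugin's RPC::XML::Client, for one); the string "true" reads like a keyword when it is just a truthy scalar, so `$RPC::XML::FORCE_STRING_ENCODING=1;` says the same thing more plainly. A why-comment would help here, e.g. `# Process-wide: stop RPC::XML guessing <int> for strings that happen to look numeric, which crashed the rst plugin.`. Presumably only RPC::XML versions that know this variable honour it, so the rst crash may persist on older installs; worth a note in the changelog if that is the case.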
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index 8475181..4a90c6f 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -57,8 +57,8 @@ sub sanitize (@) {
if (exists $config{htmlscrubber_skip} &&
length $config{htmlscrubber_skip} &&
- exists $params{destpage} &&
- pagespec_match($params{destpage}, $config{htmlscrubber_skip})) {
+ exists $params{page} &&
+ pagespec_match($params{page}, $config{htmlscrubber_skip})) {
return $params{content};
}
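Review bot: The switch from `destpage` to `page` is the whole CVE fix and nothing in the hunk says why, so the next refactor could reintroduce it; a comment above the `if` such as `# Match the *source* page, never destpage: content inlined from a page that does not match the skip spec must not inherit the skip of the page it lands on (CVE-2010-1673).` would pin the intent. It is also worth stating the remaining caveat for administrators, since a page that matches htmlscrubber_skip is rendered unscrubbed on every page that inlines it: the spec must never match pages writable by untrusted users (comments, or anything anonymous editing can reach). Keeping the `exists $params{page}` guard is the right default, as a call without a page name falls through to scrubbing. sanitize() starts before this hunk and continues after it.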
diff --git a/IkiWiki/Plugin/sortnaturally.pm b/IkiWiki/Plugin/sortnaturally.pm
index 62e4276..b038b2f 100644
--- a/IkiWiki/Plugin/sortnaturally.pm
+++ b/IkiWiki/Plugin/sortnaturally.pm
@@ -7,6 +7,7 @@ no warnings;
sub import {
hook(type => "getsetup", id => "sortnaturally", call => \&getsetup);
+ hook(type => "checkconfig", id => "sortnaturally", call => \&checkconfig);
}
sub getsetup {
diff --git a/IkiWiki/Plugin/websetup.pm b/IkiWiki/Plugin/websetup.pm
index 11b4428..0ab1899 100644
--- a/IkiWiki/Plugin/websetup.pm
+++ b/IkiWiki/Plugin/websetup.pm
@@ -219,7 +219,8 @@ sub showfields ($$$@) {
options => [ [ 1 => $description ] ],
fieldset => $section,
);
- if (! $form->submitted) {
+ if (! $form->submitted ||
+ ($info{advanced} && $form->submitted eq 'Advanced Mode')) {
$form->field(name => $name, value => $value);
}
}
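Review bot: The new second arm of the condition is not self-explanatory — why a submitted form should fall back to the stored value only for advanced fields — and deserves a why-comment, e.g. `# 'Advanced Mode' re-renders rather than saves: advanced fields were not on the submitted form, so show their stored values instead of treating the checkbox as cleared.`. I'm inferring that this is the "defaults of checkboxes in advanced mode" fix from the changelog; confirm the wording against the actual flow. `$form->submitted` is known true in the second arm, so the `eq` is safe from an uninitialized-value warning. showfields() starts before this hunk and continues after it.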
@@ -295,6 +296,7 @@ sub showform ($$) {
$form->field(name => "do", type => "hidden", value => "setup",
force => 1);
$form->field(name => "rebuild_asked", type => "hidden");
+ $form->field(name => "showadvanced", type => "hidden");
if ($form->submitted eq 'Basic Mode') {
$form->field(name => "showadvanced", type => "hidden",
diff --git a/debian/changelog b/debian/changelog
index 98d1337..89d9195 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+ikiwiki (3.20100815.2) UNRELEASED; urgency=low
+
+ * Bugfix-only cherry-pick release for Debian squeeze.
+ * Fix htmlscrubber_skip to be matched on the source page, not the page it is
+ inlined into. Should allow setting to "* and !comment(*)" to scrub
+ comments, but leave your blog posts unscrubbed, etc.
+ * comments: Make postcomment() pagespec work when previewing a comment,
+ including during moderation.
+ * comments: Make comment() pagespec also match comments that are being
+ posted.
+ * openid: Syntax tweak to the javascript code to make it work with MSIE 7
+ (and MSIE 8 in compat mode). Thanks to Iain McLaren for reporting
+ the bug and providing access to debug it.
+ * blogspam: Fix crash when content contained utf-8.
+ * external: Disable RPC::XML's "smart" encoding, which sent ints
+ for strings that contained only a number, fixing a longstanding crash
+ of the rst plugin.
+ * websetup: Fix saving of advanced mode changes.
+ * websetup: Fix defaults of checkboxes in advanced mode.
+ * Fix test suite failure on other side of date line.
+ * Set isPermaLink="no" for guids in rss feeds.
+ * sortnaturally: Added missing registration of checkconfig hook.
+
+ -- Joey Hess <joeyh@debian.org> Sun, 15 Aug 2010 11:42:55 -0400
+
ikiwiki (3.20100815) unstable; urgency=medium
* Fix po test suite to not assume ikiwiki's underlay is already installed.
diff --git a/t/pagespec_match.t b/t/pagespec_match.t
index 97bcc96..2624864 100755
--- a/t/pagespec_match.t
+++ b/t/pagespec_match.t
@@ -99,6 +99,7 @@ ok(pagespec_match("ook", "link(blog/tags/foo)"), "link internal absolute success
ok(pagespec_match("ook", "link(/blog/tags/foo)"), "link explicit absolute success");
ok(pagespec_match("meh", "!link(done)"), "negated failing match is a success");
+$ENV{TZ}="GMT";
$IkiWiki::pagectime{foo}=1154532692; # Wed Aug 2 11:26 EDT 2006
$IkiWiki::pagectime{bar}=1154532695; # after
ok(pagespec_match("foo", "created_before(bar)"));
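Review bot: Setting `$ENV{TZ}="GMT"` mid-run only takes effect if the C library re-reads TZ on the next localtime() call, which perlfunc explicitly says is not guaranteed; the portable form is `$ENV{TZ}="GMT"; POSIX::tzset();`, which needs POSIX loaded (I can't see whether the file already does `use POSIX`). The comment `# Wed Aug 2 11:26 EDT 2006` on the next line now describes a zone the test no longer runs in; 1154532692 is 15:31:32 UTC on that date, so the comment should say so or be dropped.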
diff --git a/templates/rssitem.tmpl b/templates/rssitem.tmpl
index a64a4eb..272b340 100644
--- a/templates/rssitem.tmpl
+++ b/templates/rssitem.tmpl
@@ -8,7 +8,7 @@
<TMPL_IF GUID>
<guid isPermaLink="no"><TMPL_VAR GUID></guid>
<TMPL_ELSE>
- <guid><TMPL_VAR URL></guid>
+ <guid isPermaLink="no"><TMPL_VAR URL></guid>
</TMPL_IF>
<link><TMPL_VAR PERMALINK></link>
<TMPL_IF CATEGORIES>
diff --git a/underlays/openid-selector/ikiwiki/openid/openid-jquery.js b/underlays/openid-selector/ikiwiki/openid/openid-jquery.js
index f22f577..c59be1e 100644
--- a/underlays/openid-selector/ikiwiki/openid/openid-jquery.js
+++ b/underlays/openid-selector/ikiwiki/openid/openid-jquery.js
@@ -21,7 +21,7 @@ var providers_large = {
icon: 'wikiicons/openidlogin-bg.gif',
label: 'Enter your OpenID:',
url: null
- },
+ }
};
var providers_small = {
livejournal: {
@@ -65,7 +65,7 @@ var providers_small = {
icon: 'http://verisign.com/favicon.ico',
label: 'Enter your Verisign username:',
url: 'http://{username}.pip.verisignlabs.com/'
- },
+ }
};
var providers = $.extend({}, providers_large, providers_small);