From be02a80b7a19f3c33a8ea42c0750d94e0a91206f Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 28 Mar 2011 12:21:12 -0400 Subject: [PATCH] meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled. --- IkiWiki/Plugin/meta.pm | 4 ++-- debian/changelog | 4 +++- doc/ikiwiki/directive/meta.mdwn | 4 ++++ doc/security.mdwn | 11 +++++++++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm index ad6d1a8e3..1a9f94a12 100644 --- a/IkiWiki/Plugin/meta.pm +++ b/IkiWiki/Plugin/meta.pm @@ -174,10 +174,10 @@ sub preprocess (@) { if (! length $stylesheet) { error gettext("stylesheet not found") } - push @{$metaheaders{$page}}, '"; + "\" type=\"text/css\" />", $page, $destpage); } elsif ($key eq 'openid') { my $delegate=0; # both by default diff --git a/debian/changelog b/debian/changelog index e78ce3e1c..91c4c6d24 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -ikiwiki (3.20110322) UNRELEASED; urgency=low +ikiwiki (3.20110328) UNRELEASED; urgency=low * Yaml formatted setup files are now produced by default. (Perl formatted setup files can still be used.) @@ -6,6 +6,8 @@ ikiwiki (3.20110322) UNRELEASED; urgency=low via the web. * comment: Better fix to avoid showing comments of subpages, while not breaking manual inlining of comments. + * meta: Security fix; don't allow alternative stylesheets to be added + on pages where the htmlscrubber is enabled. -- Joey Hess Thu, 24 Mar 2011 13:34:34 -0400 diff --git a/doc/ikiwiki/directive/meta.mdwn b/doc/ikiwiki/directive/meta.mdwn index d66e26fc4..50aaf66be 100644 --- a/doc/ikiwiki/directive/meta.mdwn +++ b/doc/ikiwiki/directive/meta.mdwn @@ -77,6 +77,10 @@ Supported fields: \[[!meta stylesheet=somestyle rel="alternate stylesheet" title="somestyle"]] + + However, this will be scrubbed away if the + [[!iki plugins/htmlscrubber desc=htmlscrubber]] plugin is enabled, + since it can be used to insert unsafe content. * openid diff --git a/doc/security.mdwn b/doc/security.mdwn index 770927e26..2b387ac23 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -463,3 +463,14 @@ This hole was discovered on 22 Jan 2011 and fixed the same day with the release of ikiwiki 3.20110122. A fix was backported to Debian squeeze, as version 3.20100815.5. An upgrade is recommended for sites with the comments plugin enabled. ([[!cve CVE-2011-0428]]) + +## possible javascript insertion via insufficient htmlscrubbing of alternate stylesheets + +Tango noticed that 'meta stylesheet` directives allowed anyone +who could upload a malicious stylesheet to a site to add it to a +page as an alternate stylesheet. In order to be exploited, the user +would have to select the alternative stylesheet in their browser. + +This hole was discovered on 28 Mar 2011 and fixed the same hour with +the release of ikiwiki 3.20110328. An upgrade is recommended for sites +that have untrusted committers, or have the attachments plugin enabled. -- 2.11.4.GIT