Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info

[ikiwiki.git] / doc / bugs / Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn

diff --git a/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn b/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn
index bed5691f3ce9ca72bae6178879381ce01d30ae97..28b48e2c6794cd5792eb39a8d53259b0094b5dc5 100644 (file)
--- a/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn
+++ b/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn
@@ -15,7 +15,7 @@ Temporarily I've disabled conditional plugin to avoid that bug.
 
 PS. I still use ikiwiki 1.50 backported for Debian 'sarge'.
 
--- Pawel
+--[[Paweł|ptecza]]
 
 ---
 
@@ -67,4 +67,32 @@ because `patch` command fails:
 Could you please fix that patch?  I guess how to do it, but I don't want
 to break the code I distribute in my backport ;)
 
--- Pawel
\ No newline at end of file
+--[[Paweł|ptecza]]
+
+> It's not my patch.. IIRC my suggestion was simply to do this: --[Joey]]
+
+       Index: IkiWiki.pm
+       ===================================================================
+       --- IkiWiki.pm  (revision 3565)
+       +++ IkiWiki.pm  (working copy)
+       @@ -1005,7 +1005,7 @@
+                       unshift @params, "location";
+               }
+        
+       -       my $ret=eval pagespec_translate($spec);
+       +       my $ret=eval possibly_foolish_untaint(pagespec_translate($spec));
+               return IkiWiki::FailReason->new("syntax error") if $@;
+               return $ret;
+        } #}}}
+
+>> Thanks a lot, Joey! It works :)
+>>
+>> BTW, I was quite sure that you sent me the old patch via e-mail long time ago.
+>> Maybe I found it at old ikiwiki home page? I don't remember it now.
+>>
+>> --[[Paweł|ptecza]]
+
+----
+
+I'm marking this [[done]] since it only affects sarge. Sarge users should
+use the patch above. --[[Joey]]