web commit from 81.6.239.119: poll vote

[ikiwiki.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 5cc35b33866d31892b5c16f3ad932fa8770e27ce..154566cd8709f7b65a479130a1140d73958af6eb 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -6,6 +6,8 @@ security issues with this program than with cat(1). If, however, you let
 others edit pages in your wiki, then some possible security issues do need
 to be kept in mind.
 
 others edit pages in your wiki, then some possible security issues do need
 to be kept in mind.
 

+[[toc levels=2]]
+

 ----
 
 # Probable holes
 ----
 
 # Probable holes


@@ -16,7 +18,7 @@ _(The list of things to fix.)_
 
 Anyone with direct commit access can forge "web commit from foo" and
 make it appear on [[RecentChanges]] like foo committed. One way to avoid
 
 Anyone with direct commit access can forge "web commit from foo" and
 make it appear on [[RecentChanges]] like foo committed. One way to avoid

-this would be to limit web commits to those done by a certian user.
+this would be to limit web commits to those done by a certain user.

 
 ## other stuff to look at
 
 
 ## other stuff to look at
 


@@ -156,6 +158,20 @@ allowed, so that's not a problem.)
 
 ----
 
 
 ----
 

+# Plugins
+
+The security of [[plugins]] depends on how well they're written and what
+external tools they use. The plugins included in ikiwiki are all held to
+the same standards as the rest of ikiwiki, but with that said, here are
+some security notes for them.
+
+* The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure
+  from malformed image attacks. Imagemagick has had security holes in the
+  past. To be able to exploit such a hole, a user would need to be able to
+  upload images to the wiki.
+
+----
+

 # Fixed holes
 
 _(Unless otherwise noted, these were discovered and immediately fixed by the
 # Fixed holes
 
 _(Unless otherwise noted, these were discovered and immediately fixed by the