htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image...

[ikiwiki.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 200ae29e22831abecec7dfbc2da9c1b07ab07bbf..21aef316bcbddb8773aa335c79bd9ce1c036e4e3 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -426,4 +426,16 @@ bypassed and used to read arbitrary files. This was fixed by
 enabling TeX configuration options that disallow unsafe TeX commands.
 The fix was released on 30 Aug 2009 in version 3.1415926, and was
 backported to stable in version 2.53.4. If you use the teximg plugin,
-I recommend upgrading.
+I recommend upgrading. ([[!cve CVE-2009-2944]])
+
+## javascript insertion via svg uris
+
+Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls,
+including `data:image/svg+xml`. But svg can contain javascript, so that is
+unsafe.
+
+This hole was discovered on 12 March 2010 and fixed the same day
+with the release of ikiwiki 3.20100312.
+A fix was also backported to Debian etch, as version 2.53.5. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.