make it appear on [[RecentChanges]] like foo committed. One way to avoid
this would be to limit web commits to those done by a certian user.
-## XML::Parser
-
-XML::Parser is used by the aggregation plugin, and has some security holes
-that are still open in Debian unstable as of this writing. #378411 does not
-seem to affect our use, since the data is not encoded as utf-8 at that
-point. #378412 could affect us, although it doesn't seem very exploitable.
-It has a simple fix, which should be NMUed or something..
-
## other stuff to look at
I need to audit the git backend a bit, and have been meaning to
Someone could add bad content to the wiki and hope to exploit ikiwiki.
Note that ikiwiki runs with perl taint checks on, so this is unlikely.
+One fun thing in ikiwiki is its handling of a PageSpec, which involves
+translating it into perl and running the perl. Of course, this is done
+*very* carefully to guard against injecting arbitrary perl code.
+
## publishing cgi scripts
ikiwiki does not allow cgi scripts to be published as part of the wiki. Or
guarded against by using svn log --xml.
ikiwiki escapes any html in svn commit logs to prevent other mischief.
+
+## XML::Parser
+
+XML::Parser is used by the aggregation plugin, and has some security holes.
+#[378411](http://bugs.debian.org/378411) does not
+seem to affect our use, since the data is not encoded as utf-8 at that
+point. #[378412](http://bugs.debian.org/378412) could affect us, although it
+doesn't seem very exploitable. It has a simple fix, and has been fixed in
+Debian unstable.
sipb-www / ikiwiki.git / blobdiff