improve fix for symlink attacks to check subdirectories for symlinks too
[ikiwiki.git] / IkiWiki / Render.pm
index 1fc047a62f78ed8b21d2cde47940363a65930d09..9e340c26e162abe5623524d4b4ced32942e6c834 100644 (file)
@@ -139,7 +139,7 @@ sub get_inline_content ($$) { #{{{
        my $file=$pagesources{$page};
        my $type=pagetype($file);
        if ($type ne 'unknown') {
-               return htmlize($type, linkify(readfile("$config{srcdir}/$file"), $parentpage));
+               return htmlize($type, linkify(readfile(srcfile($file)), $parentpage));
        }
        else {
                return "";
@@ -227,6 +227,7 @@ sub genpage ($$$) { #{{{
                backlinks => [backlinks($page)],
                discussionlink => htmllink($page, "Discussion", 1, 1),
                mtime => scalar(gmtime($mtime)),
+               styleurl => styleurl($page),
        );
        
        return $template->output;
@@ -336,7 +337,8 @@ sub render ($) { #{{{
        my $file=shift;
        
        my $type=pagetype($file);
-       my $content=readfile("$config{srcdir}/$file");
+       my $srcfile=srcfile($file);
+       my $content=readfile($srcfile);
        if ($type ne 'unknown') {
                my $page=pagename($file);
                
@@ -347,8 +349,8 @@ sub render ($) { #{{{
                $content=htmlize($type, $content);
                
                check_overwrite("$config{destdir}/".htmlpage($page), $page);
-               writefile("$config{destdir}/".htmlpage($page),
-                       genpage($content, $page, mtime("$config{srcdir}/$file")));
+               writefile(htmlpage($page), $config{destdir},
+                       genpage($content, $page, mtime($srcfile)));
                $oldpagemtime{$page}=time;
                $renderedfiles{$page}=htmlpage($page);
 
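Review bot: `check_overwrite` on the line just above the rewritten `writefile` call still receives a hand-concatenated `"$config{destdir}/".htmlpage($page)`, while `writefile` now takes the relative name and the base directory separately, so the overwrite check and the write use two different path constructions. The definition of `writefile` is not in this diff; if it now validates each path component under `$config{destdir}` for symlinks, as the commit title suggests, then the overwrite check still runs on a path that has had no such validation. The same pairing recurs at `check_overwrite("$config{destdir}/$file", $file)` in the next hunk. Consider giving `check_overwrite` the same (name, base dir) arguments, or at least documenting the new convention with a comment such as `# writefile(name, basedir, content): name is relative to basedir`. The body of `render` starts and ends outside this hunk.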
@@ -356,14 +358,14 @@ sub render ($) { #{{{
                # check_overwrite, as above, but currently renderedfiles
                # only supports listing one file per page.
                if ($config{rss} && exists $inlinepages{$page}) {
-                       writefile("$config{destdir}/".rsspage($page),
-                               genrss($content, $page, mtime("$config{srcdir}/$file")));
+                       writefile(rsspage($page), $config{destdir},
+                               genrss($content, $page, mtime($srcfile)));
                }
        }
        else {
                $links{$file}=[];
                check_overwrite("$config{destdir}/$file", $file);
-               writefile("$config{destdir}/$file", $content);
+               writefile($file, $config{destdir}, $content);
                $oldpagemtime{$file}=time;
                $renderedfiles{$file}=$file;
        }
@@ -388,9 +390,7 @@ sub refresh () { #{{{
                no_chdir => 1,
                wanted => sub {
                        if (/$config{wiki_file_prune_regexp}/) {
-                               no warnings 'once';
                                $File::Find::prune=1;
-                               use warnings "all";
                        }
                        elsif (! -d $_ && ! -l $_) {
                                my ($f)=/$config{wiki_file_regexp}/; # untaint
@@ -405,6 +405,30 @@ sub refresh () { #{{{
                        }
                },
        }, $config{srcdir});
+       find({
+               no_chdir => 1,
+               wanted => sub {
+                       if (/$config{wiki_file_prune_regexp}/) {
+                               $File::Find::prune=1;
+                       }
+                       elsif (! -d $_ && ! -l $_) {
+                               my ($f)=/$config{wiki_file_regexp}/; # untaint
+                               if (! defined $f) {
+                                       warn("skipping bad filename $_\n");
+                               }
+                               else {
+                                       # Don't add files that are in the
+                                       # srcdir.
+                                       $f=~s/^\Q$config{underlaydir}\E\/?//;
+                                       if (! -e "$config{srcdir}/$f" && 
+                                           ! -l "$config{srcdir}/$f") {
+                                               push @files, $f;
+                                               $exists{pagename($f)}=1;
+                                       }
+                               }
+                       }
+               },
+       }, $config{underlaydir});
 
        my %rendered;
 
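Review bot: The result of `$f=~s/^\Q$config{underlaydir}\E\/?//` in the new underlay pass is never checked. If the prefix fails to match, `$f` keeps its underlay path, is tested as `"$config{srcdir}/$f"` and is then pushed onto `@files` as if it were a wiki-relative name. Failing closed would be safer: `unless ($f=~s/^\Q$config{underlaydir}\E\/?//) { warn("skipping $_: not under underlaydir\n"); return; }`. The `-l` tests here also cover only the final path component, and only at scan time. The read happens later through `srcfile`, which is not shown, so it is worth confirming that the intermediate directories are checked there. The callback largely repeats the srcdir pass above it, and a shared helper taking the base directory would keep the symlink and untaint checks in one place. `refresh` starts and ends outside this hunk.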
@@ -417,7 +441,7 @@ sub refresh () { #{{{
                        push @add, $file;
                        $links{$page}=[];
                        $pagesources{$page}=$file;
-                       $pagectime{$page}=mtime("$config{srcdir}/$file") 
+                       $pagectime{$page}=mtime(srcfile($file))
                                unless exists $pagectime{$page};
                }
        }
@@ -438,7 +462,7 @@ sub refresh () { #{{{
                my $page=pagename($file);
                
                if (! exists $oldpagemtime{$page} ||
-                   mtime("$config{srcdir}/$file") > $oldpagemtime{$page}) {
+                   mtime(srcfile($file)) > $oldpagemtime{$page}) {
                        debug("rendering changed file $file");
                        render($file);
                        $rendered{$file}=1;
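Review bot: `srcfile($file)` is resolved here for the mtime comparison and again inside `render($file)`, so the file whose timestamp is tested and the file that is later read come from two separate lookups. `srcfile` is not visible in this diff; if it chooses between srcdir and the underlay by probing the filesystem, a change between the two calls could make them disagree. The same applies to `mtime(srcfile($file))` in the previous hunk. A comment such as `# srcfile() is looked up again in render(); both calls must resolve to the same file` would record the assumption. `refresh` continues outside this hunk.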