fix the other half of the filecheck filename bug

[ikiwiki.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 52ef486e69f425751296a510f4350e8c33ab9051..21aef316bcbddb8773aa335c79bd9ce1c036e4e3 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -6,7 +6,7 @@ security issues with this program than with cat(1). If, however, you let
 others edit pages in your wiki, then some possible security issues do need
 to be kept in mind.
 
 others edit pages in your wiki, then some possible security issues do need
 to be kept in mind.
 

-[[toc levels=2]]
+[[!toc levels=2]]

 
 ----
 
 
 ----
 


@@ -66,8 +66,7 @@ So it's best if only one person can ever directly write to those directories.
 ## setup files
 
 Setup files are not safe to keep in the same revision control repository
 ## setup files
 
 Setup files are not safe to keep in the same revision control repository

-with the rest of the wiki. Just don't do it. [[ikiwiki.setup]] is *not*
-used as the setup file for this wiki, BTW.
+with the rest of the wiki. Just don't do it.

 
 ## page locking can be bypassed via direct commits
 
 
 ## page locking can be bypassed via direct commits
 


@@ -362,9 +361,9 @@ allow the security hole to be exploited.
 
 The htmlscrubber did not block javascript in uris. This was fixed by adding
 a whitelist of valid uri types, which does not include javascript. 
 
 The htmlscrubber did not block javascript in uris. This was fixed by adding
 a whitelist of valid uri types, which does not include javascript. 

-([[cve CVE-2008-0809]]) Some urls specifyable by the meta plugin could also
+([[!cve CVE-2008-0809]]) Some urls specifyable by the meta plugin could also

 theoretically have been used to inject javascript; this was also blocked
 theoretically have been used to inject javascript; this was also blocked

-([[cve CVE-2008-0808]]).
+([[!cve CVE-2008-0808]]).

 
 This hole was discovered on 10 February 2008 and fixed the same day
 with the release of ikiwiki 2.31.1. (And a few subsequent versions..)
 
 This hole was discovered on 10 February 2008 and fixed the same day
 with the release of ikiwiki 2.31.1. (And a few subsequent versions..)


@@ -377,7 +376,7 @@ parties.
 Cross Site Request Forging could be used to constuct a link that would
 change a logged-in user's password or other preferences if they clicked on
 the link. It could also be used to construct a link that would cause a wiki
 Cross Site Request Forging could be used to constuct a link that would
 change a logged-in user's password or other preferences if they clicked on
 the link. It could also be used to construct a link that would cause a wiki

-page to be modified by a logged-in user. ([[cve CVE-2008-0165]])
+page to be modified by a logged-in user. ([[!cve CVE-2008-0165]])

 
 These holes were discovered on 10 April 2008 and fixed the same day with
 the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
 
 These holes were discovered on 10 April 2008 and fixed the same day with
 the release of ikiwiki 2.42. A fix was also backported to Debian etch, as


@@ -391,7 +390,7 @@ pre-emtively guard against that, current versions of ikiwiki store password
 hashes (using Eksblowfish).
 
 If you use the [[plugins/passwordauth]] plugin, I recommend upgrading to
 hashes (using Eksblowfish).
 
 If you use the [[plugins/passwordauth]] plugin, I recommend upgrading to

-ikiwiki 2.48, installing the [[cpan Authen::Passphrase]] perl module, and running
+ikiwiki 2.48, installing the [[!cpan Authen::Passphrase]] perl module, and running

 `ikiwiki-transition hashpassword` to replace all existing cleartext passwords
 with strong blowfish hashes. 
 
 `ikiwiki-transition hashpassword` to replace all existing cleartext passwords
 with strong blowfish hashes. 
 


@@ -404,7 +403,39 @@ passwords in cleartext over the net to log in, either.
 This hole allowed ikiwiki to accept logins using empty passwords, to openid
 accounts that didn't use a password. It was introduced in version 1.34, and
 fixed in version 2.48. The [bug](http://bugs.debian.org/483770) was
 This hole allowed ikiwiki to accept logins using empty passwords, to openid
 accounts that didn't use a password. It was introduced in version 1.34, and
 fixed in version 2.48. The [bug](http://bugs.debian.org/483770) was

-discovered on 30 May 2008 and fixed the same day. ([[cve CVE-2008-0169]])
+discovered on 30 May 2008 and fixed the same day. ([[!cve CVE-2008-0169]])

 
 I recommend upgrading to 2.48 immediatly if your wiki allows both password
 and openid logins.
 
 I recommend upgrading to 2.48 immediatly if your wiki allows both password
 and openid logins.

+
+## Malformed UTF-8 DOS
+
+Feeding ikiwiki page sources containing certian forms of malformed UTF-8
+can cause it to crash. This can potentially be used for a denial of service
+attack.
+
+intrigeri discovered this problem on 12 Nov 2008 and a patch put in place
+later that day, in version 2.70. The fix was backported to testing as version
+2.53.3, and to stable as version 1.33.7.
+
+## Insufficient blacklisting in teximg plugin
+
+Josh Triplett discovered on 28 Aug 2009 that the teximg plugin's
+blacklisting of insecure TeX commands was insufficient; it could be
+bypassed and used to read arbitrary files. This was fixed by
+enabling TeX configuration options that disallow unsafe TeX commands.
+The fix was released on 30 Aug 2009 in version 3.1415926, and was
+backported to stable in version 2.53.4. If you use the teximg plugin,
+I recommend upgrading. ([[!cve CVE-2009-2944]])
+
+## javascript insertion via svg uris
+
+Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls,
+including `data:image/svg+xml`. But svg can contain javascript, so that is
+unsafe.
+
+This hole was discovered on 12 March 2010 and fixed the same day
+with the release of ikiwiki 3.20100312.
+A fix was also backported to Debian etch, as version 2.53.5. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.