X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/3a1c0c04602f4c017af20f7e13df1e231271a0d0..d4101ad64f801f862cceab51f91a2a66e51b73d8:/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn diff --git a/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn b/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn index bed5691f3..c3beb8219 100644 --- a/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn +++ b/doc/bugs/Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn @@ -15,7 +15,7 @@ Temporarily I've disabled conditional plugin to avoid that bug. PS. I still use ikiwiki 1.50 backported for Debian 'sarge'. --- Pawel +--[[Paweł|ptecza]] --- @@ -53,7 +53,7 @@ I didn't apply your following old patch against `Ikiwiki.pm` file: + } + + return eval $newpagespec; - } #}}} + } package IkiWiki::PageSpec; @@ -67,4 +67,32 @@ because `patch` command fails: Could you please fix that patch? I guess how to do it, but I don't want to break the code I distribute in my backport ;) --- Pawel \ No newline at end of file +--[[Paweł|ptecza]] + +> It's not my patch.. IIRC my suggestion was simply to do this: --[Joey]] + + Index: IkiWiki.pm + =================================================================== + --- IkiWiki.pm (revision 3565) + +++ IkiWiki.pm (working copy) + @@ -1005,7 +1005,7 @@ + unshift @params, "location"; + } + + - my $ret=eval pagespec_translate($spec); + + my $ret=eval possibly_foolish_untaint(pagespec_translate($spec)); + return IkiWiki::FailReason->new("syntax error") if $@; + return $ret; + } + +>> Thanks a lot, Joey! It works :) +>> +>> BTW, I was quite sure that you sent me the old patch via e-mail long time ago. +>> Maybe I found it at old ikiwiki home page? I don't remember it now. +>> +>> --[[Paweł|ptecza]] + +---- + +I'm marking this [[done]] since it only affects sarge. Sarge users should +use the patch above. --[[Joey]]
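Review bot: In the `@@ -53,7 +53,7 @@` hunk, the line changed from `} #}}}` to `}` sits inside the old patch that the reporter quotes just before "because `patch` command fails", so the edit alters the quoted evidence and not the page's own prose. Consider leaving that line as the reporter posted it, so the quoted patch still matches what was actually tried against `Ikiwiki.pm`.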
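Review bot: In the `@@ -67,4 +67,32 @@` hunk, the added line `my $ret=eval possibly_foolish_untaint(pagespec_translate($spec));` is recommended to sarge users without any statement of why clearing the taint flag is safe at that point. Once this is applied, the output of `pagespec_translate` is the only thing standing between `$spec` and `eval` under `-T`, so the page should say in a sentence what that function restricts its output to, or point to where that is documented. Separately, the attribution on the first added reply reads `--[Joey]]` with a single opening bracket, while the closing paragraph uses `--[[Joey]]`; the first one will not render as a link.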