X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/4e791ed69565eafd3d130528a32a385be3f1686c..ae023f74c3296359c824f4d21d9290278b84e213:/doc/security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index d834aa1a5..723daeccc 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -47,6 +47,13 @@ Users with only web commit access are limited to editing pages as ikiwiki
 doesn't support file uploads from browsers (yet), so they can't exploit
 this.
 
+It is possible to embed an image in a page edited over the web, by using
+`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:`
+urls to be used for `image/*` mime types. It's possible that some broken
+browser might ignore the mime type and if the data provided is not an
+image, instead run it as javascript, or something evil like that. Hopefully
+not many browsers are that broken.
+
 ## multiple accessors of wiki directory
 
 If multiple people can directly write to the source directory ikiwiki is
@@ -349,9 +356,13 @@ allow the security hole to be exploited.
 ## javascript insertion via uris
 
 The htmlscrubber did not block javascript in uris. This was fixed by adding
-a whitelist of valid uri types, which does not include javascript.
+a whitelist of valid uri types, which does not include javascript. 
+([[cve CVE-2008-0809]]) Some urls specifyable by the meta plugin could also
+theoretically have been used to inject javascript; this was also blocked
+([[cve CVE-2008-0808]]).
 
 This hole was discovered on 10 February 2008 and fixed the same day
-with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch,
-as version 1.33.4. I recommend upgrading to one of these versions if your
-wiki can be edited by third parties.
+with the release of ikiwiki 2.31.1. (And a few subsequent versions..)
+A fix was also backported to Debian etch, as version 1.33.4. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.