X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/903db5e5d5c476228b9ceed18757e93846d58766..2ecb2171c6eb445716fc09367eed728e524ecddf:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index e514223e3..f02576dc4 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -10,20 +10,7 @@ to be kept in mind. # Probable holes -## XSS holes in CGI output - -ikiwiki has not yet been audited to ensure that all cgi script input/output is -sanitised to prevent XSS attacks. - -## image file etc attacks - -If it enounters a file type it does not understand, ikiwiki just copies it -into place. So if you let users add any kind of file they like, they can -upload images, movies, windows executables, css files, etc (though not html -files). If these files exploit security holes in the browser of someone -who's viewing the wiki, that can be a security problem. - -Of course nobody else seems to worry about this in other wikis, so should we? +_(The list of things to fix.)_ ## svn commit logs @@ -43,6 +30,22 @@ ikiwiki escapes any html in svn commit logs to prevent other mischief. _(Things not to do.)_ +## image file etc attacks + +If it enounters a file type it does not understand, ikiwiki just copies it +into place. So if you let users add any kind of file they like, they can +upload images, movies, windows executables, css files, etc (though not html +files). If these files exploit security holes in the browser of someone +who's viewing the wiki, that can be a security problem. + +Of course nobody else seems to worry about this in other wikis, so should we? + +Currently only people with direct svn commit access can upload such files +(and if you wanted to you could block that with a svn pre-commit hook). +Wsers with only web commit access are limited to editing pages as ikiwiki +doesn't support file uploads from browsers (yet), so they can't exploit +this. + ## multiple accessors of wiki directory If multiple people can write to the source directory ikiwiki is using, or @@ -59,7 +62,7 @@ this wiki, BTW. ## page locking can be bypassed via direct svn commits -A [[lock]]ed page can only be edited on the web by an admin, but +A locked page can only be edited on the web by an admin, but anyone who is allowed to commit direct to svn can bypass this. This is by design, although a subversion pre-commit hook could be used to prevent editing of locked pages when using subversion, if you really need to. @@ -130,11 +133,20 @@ Login to the wiki involves sending a password in cleartext over the net. Cracking the password only allows editing the wiki as that user though. If you care, you can use https, I suppose. +## XSS holes in CGI output + +ikiwiki has not yet been audited to ensure that all cgi script input/output +is sanitised to prevent XSS attacks. For example, a user can't register +with a username containing html code (anymore). + +It's difficult to know for sure if all such avenues have really been +closed though. + ---- # Fixed holes -_(Unless otherwise noted, these were discovered and immediatey fixed by the +_(Unless otherwise noted, these were discovered and immediately fixed by the ikiwiki developers.)_ ## destination directory file replacement @@ -203,4 +215,5 @@ pages from source with some other extension. ## XSS attacks in page content -ikiwiki supports [[HtmlSanitistion]], though it can be turned off. +ikiwiki supports protecting users from their own broken browsers via the +[[plugins/htmlscrubber]] plugin, which is enabled by default.