add missing page name sanity check
authorJoey Hess <joey@kodama.kitenet.net>
Sun, 21 Sep 2008 02:48:22 +0000 (22:48 -0400)
committerJoey Hess <joey@kodama.kitenet.net>
Sun, 21 Sep 2008 02:48:22 +0000 (22:48 -0400)
IkiWiki/Plugin/editpage.pm
debian/changelog

index bb21ed2be486adce4de82dab3076b10a5f8e99ad..68f43bf16614483e9120fe94f45c84890704a0c2 100644 (file)
@@ -85,8 +85,9 @@ sub cgi_editpage ($$) { #{{{
        });
        decode_form_utf8($form);
        
-       # This untaint is safe because we check file_pruned.
-       my $page=$form->field('page');
+       # This untaint is safe because we check file_pruned and
+       # wiki_file_regexp.
+       my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/;
        $page=possibly_foolish_untaint($page);
        my $absolute=($page =~ s#^/+##);
        if (! defined $page || ! length $page ||
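Review bot: The safety claim in the new comment rests on two properties of `$config{wiki_file_regexp}` that the line `my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/;` does not enforce: the pattern has to be anchored at both ends and has to wrap the whole name in a single capturing group. Without a capture the list assignment would set `$page` to 1 on success, and without anchors it would keep a legal substring of an illegal name instead of rejecting it; the regexp is defined outside this hunk, so neither can be confirmed from here. I would state the dependency in the comment, e.g. `# wiki_file_regexp must be anchored and capture the whole name; a failed match leaves $page undef.` On a failed match `$page` is undef when it reaches `possibly_foolish_untaint` and the `s#^/+##` substitution, which both run before the `! defined $page` test, so testing for undef directly after the match would be cleaner. cgi_editpage begins and ends outside the hunk, and the `if` condition on its last line continues past it.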
index 6019e396026a9d23fe8c1c8b3ec73354e36b436a..d67fb73ce0aee3edd39d9ea36cc6ef7e715db1f2 100644 (file)
@@ -14,6 +14,8 @@ ikiwiki (2.65) UNRELEASED; urgency=low
     (willu)
   * edittemplate: Add "silent" parameter. (Willu)
   * edittemplate: Link to template, to allow creating it. (Willu)
+  * editpage: Add a missing check that the page name contains only legal
+    characters, in addition to the existing check for pruned filenames.
 
  -- Joey Hess <joeyh@debian.org>  Wed, 17 Sep 2008 14:26:56 -0400