]> sipb.mit.edu Git - ikiwiki.git/commitdiff
verify page name is sane
authorJoey Hess <joey@gnu.kitenet.net>
Sat, 8 Aug 2009 16:27:48 +0000 (12:27 -0400)
committerJoey Hess <joey@gnu.kitenet.net>
Sat, 8 Aug 2009 16:27:48 +0000 (12:27 -0400)
paranoia; I was thinking about XSS attacks specificaly

IkiWiki/Plugin/getsource.pm

index 91c4cc1c95b9448db01820b88d044e74c7203f45..ae9ea3cc7af4ffe27b46d65528d380420ac5b368 100644 (file)
@@ -42,13 +42,17 @@ sub pagetemplate (@) {
 sub cgi_getsource ($) {
        my $cgi=shift;
 
-       return unless (defined $cgi->param('do') &&
-                                       $cgi->param("do") eq "getsource");
+       return unless defined $cgi->param('do') &&
+                     $cgi->param("do") eq "getsource";
 
        IkiWiki::decode_cgi_utf8($cgi);
 
        my $page=$cgi->param('page');
 
+       if (! defined $page || $page !~ /$config{wiki_file_regexp}/) {
+               error("invalid page parameter");
+       }
+
        # For %pagesources.
        IkiWiki::loadindex();