fix other cases of unicode mixing issue

and fix underlaydir override attack guard when srcdir is non-absolute

diff --git a/IkiWiki/Plugin/autoindex.pm b/IkiWiki/Plugin/autoindex.pm
index 0dd76259e0e74483f408eaec88e1d213aae45f79..5e8a9e0a32954cdbbaad64a81ead00e9ea802bc0 100644 (file)
--- a/IkiWiki/Plugin/autoindex.pm
+++ b/IkiWiki/Plugin/autoindex.pm
@@ -33,18 +33,19 @@ sub genindex ($) {
 sub refresh () {
        eval q{use File::Find};
        error($@) if $@;
+       eval q{use Cwd};
+       error($@) if $@;
+       my $origdir=getcwd();
 
        my (%pages, %dirs);
        foreach my $dir ($config{srcdir}, @{$config{underlaydirs}}, $config{underlaydir}) {
-               require File::Spec;
-               $dir=File::Spec->canonpath($dir);
+               chdir($dir) || die "chdir: $!";
 
                find({
                        no_chdir => 1,
                        wanted => sub {
-                               my $file=File::Spec->canonpath(decode_utf8($_));
-                               return if $file eq $dir;
-                               $file=~s/^\Q$dir\E\/?//;
+                               my $file=decode_utf8($_);
+                               $file=~s/^\.\/?//;
                                return unless length $file;
                                if (IkiWiki::file_pruned($file)) {
                                        $File::Find::prune=1;
@@ -61,7 +62,9 @@ sub refresh () {
                                        }
                                }
                        }
-               }, $dir);
+               }, '.');
+
+               chdir($origdir) || die "chdir: $!";
        }
        
        my %deleted;

diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index d204a7737c4c5e1d69447404dc788d325d52b1b2..17cd99c3b92008b0ee4f35c4ca8f3aaaabe2df7d 100644 (file)
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -660,16 +660,22 @@ sub comments_pending () {
 
        eval q{use File::Find};
        error($@) if $@;
+       eval q{use Cwd};
+       error($@) if $@;
+       my $origdir=getcwd();
 
        my $find_comments=sub {
                my $dir=shift;
                my $extension=shift;
                return unless -d $dir;
+
+               chdir($dir) || die "chdir: $!";
+
                find({
                        no_chdir => 1,
                        wanted => sub {
                                my $file=decode_utf8($_);
-                               $file=~s/^\Q$dir\E\/?//;
+                               $file=~s/^\.\///;
                                return if ! length $file || IkiWiki::file_pruned($file)
                                        || -l $_ || -d _ || $file !~ /\Q$extension\E$/;
                                my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint
@@ -678,7 +684,9 @@ sub comments_pending () {
                                        push @ret, [$f, $dir, $ctime];
                                }
                        }
-               }, $dir);
+               }, ".");
+
+               chdir($origdir) || die "chdir: $!";
        };
        
        $find_comments->($config{srcdir}, "._comment_pending");

diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index 0e7aa9a48a2bd5ddb4267ca948e3f6eba6ba121a..740bb52b0fc6d9ea1797a08080a273f5fb3701f6 100644 (file)
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -292,11 +292,16 @@ sub find_src_files () {
        eval q{use File::Find};
        error($@) if $@;
 
+       eval q{use Cwd};
+       die $@ if $@;
+       my $origdir=getcwd();
+       my $abssrcdir=Cwd::abs_path($config{srcdir});
+
        my ($page, $underlay);
        my $helper=sub {
                my $file=decode_utf8($_);
                return if -l $file || -d _;
-               $file=~s/^\Q.\/\E//;
+               $file=~s/^\.\///;
                return if ! length $file;
                $page = pagename($file);
                if (! exists $pagesources{$page} &&
@@ -313,7 +318,7 @@ sub find_src_files () {
        
                if ($underlay) {
                        # avoid underlaydir override attacks; see security.mdwn
-                       if (! -l "$config{srcdir}/$f" && ! -e _) {
+                       if (! -l "$abssrcdir/$f" && ! -e _) {
                                if (! $pages{$page}) {
                                        push @files, $f;
                                        $pages{$page}=1;
@@ -329,10 +334,6 @@ sub find_src_files () {
                }
        };
 
-       eval q{use Cwd};
-       die $@ if $@;
-       my $origdir=getcwd();
-
        chdir($config{srcdir}) || die "chdir: $!";
        find({
                no_chdir => 1,