From 4e791ed69565eafd3d130528a32a385be3f1686c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 10 Feb 2008 14:00:00 -0500 Subject: [PATCH] document security fix The backported fix for stable is tagged and waiting for the security team to upload. --- doc/security.mdwn | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/security.mdwn b/doc/security.mdwn index c51cd5b95..d834aa1a5 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -345,3 +345,13 @@ day with the release of ikiwiki 2.14. I recommend upgrading to this version if your wiki can be committed to by third parties. Alternatively, don't use a trailing slash in the srcdir, and avoid the (unusual) configurations that allow the security hole to be exploited. + +## javascript insertion via uris + +The htmlscrubber did not block javascript in uris. This was fixed by adding +a whitelist of valid uri types, which does not include javascript. + +This hole was discovered on 10 February 2008 and fixed the same day +with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch, +as version 1.33.4. I recommend upgrading to one of these versions if your +wiki can be edited by third parties. -- 2.32.0.93.g670b81a890