Thanks Sergio for your review and input. Here is the patch I will be uploading.
+if (page_name[0] == '/')
+return FALSE;
+
+if (strncmp(page_name, "../", 3) == 0)
+return FALSE;
+
+if (strstr(page_name, "/../"))
+return FALSE;
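Review bot: the second and third checks still let a name that ends in `..` without a trailing slash through: `strstr(page_name, "/../")` requires the slash after the dots and `strncmp(page_name, "../", 3)` only looks at the start of the string, so a bare `..` or `sub/..` is not rejected by either line. Splitting the name on `/` and rejecting any component that is empty or equal to `..` covers every position with one rule and avoids the pattern-by-pattern matching that makes this feel hit-and-miss.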
Cheers,
Ignace M
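To show the component-wise approach discussed in this thread (reject traversal without blocking ordinary "dir/sub/Page" names), here is an added example in C; it is not didiwiki's code, and the function name page_name_is_safe and the sample names are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not didiwiki's code. A page name is accepted only if every
 * '/'-separated component is a plain name: not empty, not "." and not "..".
 * This rejects an absolute name, a "../" prefix, "/../" in the middle and a
 * trailing "/.." with one rule, while "dir/sub/Page" stays usable. */
bool page_name_is_safe(const char *page_name)
{
    if (page_name == NULL || page_name[0] == '\0')
        return false;

    const char *start = page_name;
    for (;;) {
        const char *slash = strchr(start, '/');
        size_t len = slash ? (size_t)(slash - start) : strlen(start);

        /* empty component: leading '/', "//" in the middle or trailing '/' */
        if (len == 0)
            return false;
        if (len == 1 && start[0] == '.')
            return false;
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;

        if (slash == NULL)
            return true;        /* last component checked, all were plain */
        start = slash + 1;
    }
}

int main(void)
{
    /* constructed sample names, not taken from any real wiki */
    const char *names[] = { "Home", "dir/sub/Page", "/etc/passwd", "../x",
                            "a/../b", "a/..", "..", "a//b" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s %s\n", names[i],
               page_name_is_safe(names[i]) ? "ok" : "rejected");
    return 0;
}
```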
* Ignace Mouzannar [2016-03-30 22:09:42 -0400]:
> Thank you for reporting this issue. Here is the fix I intend to push
> in src/wiki.c. I have tested the solution on my didiwiki installation,
> and it seems to be working fine.
It still feels somewhat hit-and-miss.
> if (strncmp(page_name,
Hi Sergio,
Thank you for reporting this issue. Here is the fix I intend to push
in src/wiki.c. I have tested the solution on my didiwiki installation,
and it seems to be working fine.
int page_name_is_good(char* page_name)
{
/* We should give access only to subdirs of didiwiki root.
I
Package: didiwiki
Version: 0.5-11+deb8u1
Severity: important
In its attempt to prevent escape from /var/lib/didiwiki, patch
91_check_page_path.patch goes way too far and renders a large class of
reasonable and previously valid page names inaccessible.
The main culprit is the check for