Moin moin security patch

Hey guys,

So we (Mostly Mike :-) gave the wiki the ability to parse restructured
text yesterday which gives the Docs people another tool for working with
wiki content.  However, the restructured text parser was originally
designed for command line tools to statically convert rst into other
formats (html, docbook, etc.)  Using it in a dynamic environment like a
wiki has some security issues that have to be addressed.  The docutils
authors have listed the issues they're aware of with configuration
options to disable the features.  We've placed a config file on the app
servers that does this.

Unfortunately, Moin has reimplemented one of the features (include) in a
safer manner.  But their implementation doesn't process ACLs so any user
can look at pages they lack the ACL for by using an include.  Attached
is a small patch that disables include entirely.  I've submitted a bug
with upstream moin to add ACL support to this function as a longer term
fix.

-Toshio


--- MoinMoin/parser/rst.py.bak	2007-02-24 08:56:22.000000000 -0700
+++ MoinMoin/parser/rst.py	2007-02-24 08:55:43.000000000 -0700
@@ -524,7 +524,8 @@
         self.request = request
 
         # include MoinMoin pages
-        directives.register_directive('include', self.include)
+        # The MoinMoin include has to account for ACLs before this is safe
+        directives.register_directive('include', None)
 
         # used for MoinMoin macros
         directives.register_directive('macro', self.macro)
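Review bot: the new `directives.register_directive('include', None)` line relies on docutils treating a registry entry whose value is None as an unknown directive; the comment above it should say so, and it is worth confirming on the deployed docutils version that invoking `.. include::` after this change produces the normal "Unknown directive type" system message rather than a traceback. Keeping the name registered, rather than simply dropping the registration, is presumably also meant to keep docutils' own file-reading include from being looked up in its place, so state that intent in the comment as well, and reference the upstream Moin bug the message mentions so whoever re-enables this knows what the ACL fix depends on.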
