diff -Nru didiwiki-0.5/debian/changelog didiwiki-0.5/debian/changelog
--- didiwiki-0.5/debian/changelog 2012-06-28 21:19:20.000000000 +0000
+++ didiwiki-0.5/debian/changelog 2016-02-18 23:30:02.000000000 +0000
@@ -1,3 +1,19 @@
+didiwiki (0.5-12) unstable; urgency=medium
+
+ * debian/patches:
+ - 91_check_page_path.patch: new patch that correct a major security issue
+ allowing didiwiki to display any file on the filesystem. Thank you
+ Alexander Izmailov for providing this patch!
+ (Closes: #815111)
+ - 40_spelling.patch: corrected spelling mistakes.
+ * debian/control:
+ - Removed deprecated field Dm-Upload-Allowed.
+ - Bumped standards-version to 3.9.6.
+ * debian/copyright:
+ - Corrected minor typo.
+
+ -- Ignace Mouzannar Thu, 18 Feb 2016 18:29:40 -0500
+
 didiwiki (0.5-11) unstable; urgency=low
 * debian/didiwiki.preinst:
diff -Nru didiwiki-0.5/debian/control didiwiki-0.5/debian/control
--- didiwiki-0.5/debian/control 2012-04-08 07:20:00.000000000 +0000
+++ didiwiki-0.5/debian/control 2016-02-18 03:24:34.000000000 +0000
@@ -2,9 +2,8 @@
 Section: web
 Priority: optional
 Maintainer: Ignace Mouzannar
-DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 9)
-Standards-Version: 3.9.3
+Standards-Version: 3.9.6
 Package: didiwiki
 Architecture: any
diff -Nru didiwiki-0.5/debian/copyright didiwiki-0.5/debian/copyright
--- didiwiki-0.5/debian/copyright 2012-04-08 13:38:26.000000000 +0000
+++ didiwiki-0.5/debian/copyright 2016-02-18 03:31:47.000000000 +0000
@@ -3,7 +3,7 @@
 It was downloaded from http://didiwiki.org/
-Note: The upstream URL is not availabe anymore, now it's a spam-site.
+Note: The upstream URL is not available anymore, now it's a spam-site.
 Upstream Authors: Matthew Allum Carsten Graeser
diff -Nru didiwiki-0.5/debian/patches/40_spelling.patch didiwiki-0.5/debian/patches/40_spelling.patch
--- didiwiki-0.5/debian/patches/40_spelling.patch 2012-03-14 02:39:29.000000000 +0000
+++ didiwiki-0.5/debian/patches/40_spelling.patch 2016-02-18 03:28:53.000000000 +0000
@@ -2,10 +2,11 @@ Subject: Corrects spelling errors (seperated -> separated) in README file Corrects minor typo in src/wiki.c -diff -urNad didiwiki-0.5~/README didiwiki-0.5/README ---- didiwiki-0.5~/README 2009-10-06 23:12:56.000000000 +0200 -+++ didiwiki-0.5/README 2009-10-06 23:14:06.000000000 +0200 -@@ -45,7 +45,7 @@ +Index: didiwiki-0.5/README +=================================================================== +--- didiwiki-0.5.orig/README ++++ didiwiki-0.5/README +@@ -45,7 +45,7 @@ http://didiwiki/api/page/delete?page=XXX http://didiwiki/api/pages @@ -14,10 +15,11 @@ title,TAB,modified date) of wiki pages with the most recently modified first. -diff -urNad didiwiki-0.5~/src/wiki.c didiwiki-0.5/src/wiki.c ---- didiwiki-0.5~/src/wiki.c 2009-10-06 23:14:06.000000000 +0200 -+++ didiwiki-0.5/src/wiki.c 2009-10-06 23:15:58.000000000 +0200 -@@ -730,7 +730,7 @@ +Index: didiwiki-0.5/src/wiki.c +=================================================================== +--- didiwiki-0.5.orig/src/wiki.c ++++ didiwiki-0.5/src/wiki.c +@@ -730,7 +730,7 @@ wiki_show_search_results_page(HttpRespon if (expr == NULL || strlen(expr) == 0) { wiki_show_header(res, "Search", FALSE); 
@@ -26,9 +28,19 @@ wiki_show_footer(res); http_response_send(res); exit(0); -diff -urNad didiwiki-0.5~/src/wikitext.h didiwiki-0.5/src/wikitext.h ---- didiwiki-0.5~/src/wikitext.h 2009-10-06 23:14:06.000000000 +0200 -+++ didiwiki-0.5/src/wikitext.h 2009-10-06 23:14:06.000000000 +0200 +Index: didiwiki-0.5/src/wikitext.h +=================================================================== +--- didiwiki-0.5.orig/src/wikitext.h ++++ didiwiki-0.5/src/wikitext.h +@@ -74,7 +74,7 @@ + "\n" \ + "To learn more about what a [http://www.c2.com/cgi/wiki?WikiWikiWeb WikiWikiWeb] is, read about [http://www.c2.com/cgi/wiki?WhyWikiWorks WhyWikiWorks] and the [http://www.c2.com/cgi/wiki?WikiNature WikiNature]. Also, consult the [http://www.c2.com/cgi/wiki?WikiWikiWebFaq WikiWikiWebFaq].\n" \ + "\n" \ +-"For an example of how a !DidiWiki entry looks in text form you can [?edit edit] this page. Also see WikiHelp for infomation on usage and formatting rules. Use The WikiSandbox to experiment.\n" \ ++"For an example of how a !DidiWiki entry looks in text form you can [?edit edit] this page. Also see WikiHelp for information on usage and formatting rules. Use The WikiSandbox to experiment.\n" \ + "\n" \ + "/!DidiWiki / is written by [mailto://mallum@o-hand.com Matthew Allum] in C and is free software, released under the [http://www.gnu.org GNU] [http://www.gnu.org/copyleft/gpl.html GPL]. It uses a formatting style similar to that of [http://www.kwiki.org kwiki] and some webserver code from [http://www.cvstrac.org cvstrac].\n" + @@ -108,7 +108,7 @@ " ---- Horizonal line\n" \ "----\n" \ diff -Nru didiwiki-0.5/debian/patches/91_check_page_path.patch didiwiki-0.5/debian/patches/91_check_page_path.patch --- didiwiki-0.5/debian/patches/91_check_page_path.patch 1970-01-01 00:00:00.000000000 +0000 +++ didiwiki-0.5/debian/patches/91_check_page_path.patch 2016-02-18 03:21:15.000000000 +0000 
@@ -0,0 +1,85 @@
+From: Alexander Izmailov
+Subject: Correct a major security issue allowing didiwiki to
+ display any file on the filesystem
+Index: didiwiki-0.5/src/wiki.c
+===================================================================
+--- didiwiki-0.5.orig/src/wiki.c
++++ didiwiki-0.5/src/wiki.c
+@@ -812,6 +812,25 @@ wiki_show_footer(HttpResponse *res)
+ );
+ }
+
++int page_name_is_good(char* page_name)
++{
++/* We should give access only to subdirs of didiwiki root.
++ I guess that check for absense of '/' is enough.
++
++ TODO: Use realpath()
++*/
++ if (!page_name)
++ return FALSE;
++
++ if (!isalnum(page_name[0]))
++ return FALSE;
++
++ if (strstr(page_name, ".."))
++ return FALSE;
++
++ return TRUE;
++}
++
+ void
+ wiki_handle_rest_call(HttpRequest *req,
+ HttpResponse *res,
+@@ -827,7 +846,7 @@ wiki_handle_rest_call(HttpRequest *req,
+ if (page == NULL)
+ page = http_request_get_query_string(req);
+
+- if (page && (access(page, R_OK) == 0))
++ if (page && page_name_is_good(page) && (access(page, R_OK) == 0))
+ {
+ http_response_printf(res, "%s", file_read(page));
+ http_response_send(res);
+@@ -840,11 +859,14 @@ wiki_handle_rest_call(HttpRequest *req,
+ if( ( (wikitext = http_request_param_get(req, "text")) != NULL)
+ && ( (page = http_request_param_get(req, "page")) != NULL))
+ {
+- file_write(page, wikitext);
++ if (page_name_is_good(page))
++ {
++ file_write(page, wikitext);
+ http_response_printf(res, "success");
+ http_response_send(res);
+ return;
+ }
++ }
+ }
+ else if (!strcmp(func, "page/delete"))
+ {
+@@ -853,7 +875,7 @@ wiki_handle_rest_call(HttpRequest *req,
+ if (page == NULL)
+ page = http_request_get_query_string(req);
+
+- if (page && (unlink(page) > 0))
++ if (page && page_name_is_good(page) && (unlink(page) > 0))
+ {
+ http_response_printf(res, "success");
+ http_response_send(res);
+@@ -867,7 +889,7 @@ wiki_handle_rest_call(HttpRequest *req,
+ if (page == NULL)
+ page = http_request_get_query_string(req);
+
+- if (page && (access(page, R_OK) == 0))
++ if (page && page_name_is_good(page) && (access(page, R_OK) == 0))
+ {
+ http_response_printf(res, "success");
+ http_response_send(res);
+@@ -966,7 +988,7 @@ wiki_handle_http_request(HttpRequest *re
+ /* A little safety. issue a malformed request for any paths,
+ * There shouldn't need to be any..
+ */
+- if (strchr(page, '/'))
++ if (!page_name_is_good(page))
+ {
+ http_response_set_status(res, 404, "Not Found");
+ http_response_printf(res, "404 Not Found\n");
diff -Nru didiwiki-0.5/debian/patches/series didiwiki-0.5/debian/patches/series
--- didiwiki-0.5/debian/patches/series 2012-03-14 02:55:56.000000000 +0000
+++ didiwiki-0.5/debian/patches/series 2016-02-18 03:04:26.000000000 +0000
@@ -7,3 +7,4 @@
 70_usage.patch
 80_sigint_sigterm.patch
 90_search_engine.patch
+91_check_page_path.patch
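Review bot: `isalnum(page_name[0])` in the new `page_name_is_good` hands a plain `char` to a <ctype.h> function, which is undefined behaviour for any byte above 0x7F on platforms where `char` is signed (a UTF-8 page name, for instance); the byte should be widened first, `if (!isalnum((unsigned char)page_name[0]))`. The comment above it says a check for the absence of '/' is enough, yet the function never tests for '/', and the last inner hunk replaces the old `strchr(page, '/')` rejection in wiki_handle_http_request with this call, so a name containing a slash is now accepted where it previously drew a 404; either add `if (strchr(page_name, '/')) return FALSE;` or reword the comment to say that subdirectory names are deliberately allowed (and fix "absense"). The `TODO: Use realpath()` is worth keeping visible, because a symlink placed under the wiki root would still pass all three tests. The parameter could also be `const char *` and the function `static`, since the hunks show it called only from this file; the enclosing wiki_handle_rest_call and wiki_handle_http_request both start and end outside the hunks shown.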