Moin moin security patch

Toshio Kuratomi a.badger at gmail.com
Sat Feb 24 19:34:15 UTC 2007


Hey guys,

So we (Mostly Mike :-) gave the wiki the ability to parse restructured
text yesterday which gives the Docs people another tool for working with
wiki content.  However, the restructured text parser was originally
designed for command line tools to statically convert rst into other
formats (html, docbook, etc.).  Using it in a dynamic environment like a
wiki has some security issues that have to be addressed.  The docutils
authors have listed the issues they're aware of with configuration
options to disable the features.  We've placed a config file on the app
servers that do this.

Unfortunately, Moin has reimplemented one of the features (include) in a
safer manner.  But their implementation doesn't process ACLs so any user
can look at pages they lack the ACL for by using an include.  Attached
is a small patch that disables include entirely.  I've submitted a bug
with upstream moin to add ACL support to this function as a longer term
fix.

-Toshio


-------------- next part --------------
A non-text attachment was scrubbed...
Name: MoinMoin-rst-include.patch
Type: text/x-patch
Size: 524 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20070224/865de791/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20070224/865de791/attachment-0001.bin 
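The attached patch was scrubbed from the archive, so the following is an added illustration rather than Toshio's patch or Moin's own code. It is a small Python model of the two options the message describes: the short-term fix (refuse the `include` directive entirely) and the longer-term fix (expand an include only after checking the reader's ACL on the included page). The `Page`/`Wiki` classes, the page names and ACLs, the `INCLUDE_RE` pattern and the depth limit are all constructed for this example and are not Moin's API.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Matches an rst include directive line such as ".. include:: SecretPage".
# Constructed for this example; docutils' real parser accepts more forms.
INCLUDE_RE = re.compile(r"^\s*\.\.\s+include::\s*(\S+)\s*$")


class IncludeDenied(Exception):
    """Raised when an include must not be expanded for this reader."""


@dataclass
class Page:
    text: str
    # Users allowed to read the page; None means anyone may read it.
    readers: Optional[FrozenSet[str]] = None


@dataclass
class Wiki:
    pages: Dict[str, Page]
    # False models the short-term patch from the message: no includes at all.
    allow_include: bool = True
    # Guard against a page that includes itself (directly or indirectly).
    max_depth: int = 8

    def can_read(self, user: str, name: str) -> bool:
        page = self.pages.get(name)
        if page is None:
            return False
        return page.readers is None or user in page.readers

    def render(self, name: str, user: str, _depth: int = 0) -> str:
        """Return the page text with includes expanded for this reader."""
        if not self.can_read(user, name):
            raise IncludeDenied(f"{user} may not read {name}")
        if _depth > self.max_depth:
            raise IncludeDenied("include nesting too deep")
        out = []
        for line in self.pages[name].text.splitlines():
            m = INCLUDE_RE.match(line)
            if not m:
                out.append(line)
                continue
            if not self.allow_include:
                raise IncludeDenied("include directive is disabled")
            target = m.group(1)
            # The ACL check is applied to the *included* page for the *reader*,
            # which is the check the message says Moin's include skipped.
            out.append(self.render(target, user, _depth + 1))
        return "\n".join(out)


def render_or_error(wiki: Wiki, name: str, user: str) -> str:
    """Render a page, or return a 'denied: ...' string instead of raising."""
    try:
        return wiki.render(name, user)
    except IncludeDenied as exc:
        return f"denied: {exc}"


def build_demo_wiki(allow_include: bool = True) -> Wiki:
    """Constructed sample content: a public page that includes a restricted one."""
    return Wiki(
        pages={
            "Public": Page(".. include:: Secret\nvisible to all"),
            "Secret": Page("the secret text", readers=frozenset({"alice"})),
            "Plain": Page("no includes here"),
            "Loop": Page(".. include:: Loop"),
        },
        allow_include=allow_include,
    )


if __name__ == "__main__":
    wiki = build_demo_wiki()
    print("alice:", render_or_error(wiki, "Public", "alice"))
    print("bob:  ", render_or_error(wiki, "Public", "bob"))
    print("loop: ", render_or_error(wiki, "Loop", "alice"))
    locked = build_demo_wiki(allow_include=False)
    print("patched:", render_or_error(locked, "Public", "alice"))
```

With `allow_include=False` the wiki behaves like the patched Moin in the message: any include, even of a world-readable page, is refused. With includes enabled, `bob` still cannot pull `Secret` in through `Public`, because the ACL is checked on the included page for the reader rather than only on the page being viewed. For docutils itself the equivalent knobs are its `file_insertion_enabled` and `raw_enabled` settings, which is the kind of configuration the message says was placed on the app servers.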