- We have a
$srcdir/writable/page.mdwnsource file in Git. - ikiwiki is configured to allow edits via the CGI in
writable/*, but nowhere else. - Modify
$srcdir/writable/page.mdwn, commit ⇒ commit$id. git mv $srcdir/writable/page.mdwn $srcdir/read-only/page.mdwn
⇒ The web interface allows reverting commit $id (presumably because
it changes files only in $srcdir/writable). This operation
effectively modifies $srcdir/read-only/page.mdwn, which feels wrong.
My guess is that check_canchange does not take into account that Git
will automatically detect that the file affected by the to-be-reverted
commit has moved, and modify the file in its new location
when reverting.
Working on it. In future please report non-public security vulnerabilities (such as authorization bypass) by private email to the maintainers, so that they are not visible to the general public until we have had a chance to fix the bug. --smcv
Sorry about that, I should clearly know better
--intrigeri
Fixed by using
git revert --strategy=recursive --strategy-option=no-renames. I tried to do something more clever (doing the revert, and checking whether it made changes that aren't allowed) but couldn't get it to work in a reasonable time, so I'm going with the simpler fix. Fix committed, a release will follow later today.CVE-2016-10026 has been assigned to this vulnerability. --smcv
You rock, thanks a lot! --intrigeri