instiki/lib
Jacques Distler 5d15e3f39d Security: Instiki 0.16.2
On Webs with file uploads enabled, uploaded files were stored
(in version 0.16.1 and earlier) in the public/ directory.

This was a security threat. A miscreant could upload a .html file.
When a user clicked on the link to the file, it was opened (unsanitized)
in the browser.

As of version 0.16.2, uploaded files are stored in the webs/
directory. Now, when the user clicks on the link, the file is sent
with the

    Content-Disposition: attachment

header set, which causes the file to be downloaded, rather than opened
in the browser. As always, files downloaded from the internets should be
treated with caution. At least, this way, they are not automatically
opened in the browser.

To move your existing uploaded files to the new location, do a

     rake upgrade_instiki
2009-01-26 00:21:30 -06:00
chunks Export XHTML Pages 2009-01-23 11:02:16 -06:00
native/win32 Checkout of Instiki Trunk 1/21/2007. 2007-01-22 07:43:50 -06:00
tasks Security: Instiki 0.16.2 2009-01-26 00:21:30 -06:00
caching_stuff.rb Drop hostname from cache key 2008-12-18 09:21:26 -06:00
instiki_errors.rb Checkout of Instiki Trunk 1/21/2007. 2007-01-22 07:43:50 -06:00
node.rb Rough In New Sanitizer 2008-05-20 17:02:10 -05:00
page_renderer.rb Referring Pages for File List 2009-01-10 00:18:25 -06:00
rdocsupport.rb More Ruby 1.9 Compatibility fixes 2008-11-12 09:47:24 -06:00
redcloth.rb Sync with latest Instiki trunk. Changes: 2007-03-18 11:56:12 -05:00
sanitize.rb Better 2008-12-01 10:29:46 -06:00
sanitizer.rb Add a couple of XSS tests. 2009-01-05 16:25:27 -06:00
stringsupport.rb Add a couple of XSS tests. 2009-01-05 16:25:27 -06:00
url_generator.rb Export XHTML Pages 2009-01-23 11:02:16 -06:00
wiki_content.rb Don't hide equations, except in MarkdownMML and MarkdownPNG 2009-01-16 12:51:43 -06:00
wiki_words.rb Multiple leading capital letters in a WikiWord 2008-12-25 17:41:35 -06:00