Garbage in wiki pages, preventing MathJax from running plus information leak #12

Closed
ghost opened this issue Mar 26, 2013 · 5 comments

@ghost

ghost commented Mar 26, 2013

Hi,

I have set up a fresh dokuwiki wiki with the latest released version of the MathJax plugin. In short: it does not work. No rendering takes place whatsoever. I had a look at the HTML source and there is something which caught my attention:

[...]

<script type="text/x-mathjax-config">/*

Copy & Paste didn't really work: what I wanted to show you is some kind of binary garbage between <script>....</script>. It includes(!) a directory listing of my dokuwiki home directory!! That's a security problem.

I figured out that this is caused by the following php code in ./lib/plugins/mathjax/action/enable.php:

    // Include config files, if any specified
    $configfiles = $this->getConf('configfile');
    $files = explode(';', $configfiles);
    foreach ($files as $f) {
        $f = trim($f);
        $contents = file_get_contents(DOKU_INC . $f);
        if ($contents) {
            $event->data['script'][] = array(
                'type'    => 'text/x-mathjax-config',
                '_data'   => "\n// " . $f . "\n" . $contents,
            );
        }
    }

When I disable the foreach loop, this binary garbage does NOT appear.

Also, I figured out that when I DO define a mathjax config file, it also works fine. My guess is that the case 'no config file defined' needs some kind of special handling. Because in this case the code will, when $configfiles is empty, try to read the root_directory_of_the_wiki. (On FreeBSD for example you can open and read directories just like files). This will cause a binary-mangled directory listing to be included in the Wiki pages and this prevents the JavaScript from running.

Would be great if this could be fixed. I'm not fluent in php at all. Thank you very much!
m.

@ghost
Author

ghost commented Mar 26, 2013

Okay.... obviously my < s c r i p t > ..... < / s c r i p t > got stripped away. Sorry for that.

@liffiton
Owner

Thanks for reporting that. I think you're exactly right about the cause, and I'll have a fix later today or tomorrow once I find a second.

Just out of curiosity, though, are you running it on FreeBSD? I haven't run into this issue on Linux.

@ghost
Author

ghost commented Mar 26, 2013

Great, thanks for the quick response! Yes, I am running it on FreeBSD. I think on Linux you cannot use the read() primitive to read on a file descriptor which is the result of calling open() on a directory. i.e. on Linux you cannot do 'cat $DIRECTORY'. On FreeBSD you can do that! So, my guess is that the quoted php code somehow depends on this Linux-specific behaviour. Thanks,
mel

@liffiton
Owner

Yup, sounds right. It was written in a simple way that relied on the OS to work in a certain way. But it's also an easy fix. Thanks.

@liffiton
Owner

Alright, fixed in b5f3210. (I keep forgetting to use the automatic commit-message issue closing...)
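
A hardened form of the loop quoted in the report, as an added example that is neither the plugin's code nor the fix in b5f3210: it skips empty entries and anything that is not a regular, readable file under the base directory, so the result no longer depends on how the OS treats `read()` on a directory. The helper name `resolve_config_files()`, the temporary directory standing in for `DOKU_INC`, and the sample file contents are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's code. resolve_config_files() is a
// hypothetical helper; $base plays the role of DOKU_INC.

/**
 * Return [configured name => contents] for every entry of the ';'-separated
 * setting that names a regular, readable file located inside $base.
 */
function resolve_config_files(string $base, string $configfiles): array
{
    $out  = [];
    $root = realpath($base);
    if ($root === false) {
        return $out;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach (explode(';', $configfiles) as $f) {
        $f = trim($f);
        if ($f === '') {
            continue;   // unset option: $base . '' would be the wiki root itself
        }
        $path = realpath($root . $f);
        if ($path === false || !is_file($path) || !is_readable($path)) {
            continue;   // missing, a directory, or unreadable
        }
        if (strncmp($path, $root, strlen($root)) !== 0) {
            continue;   // resolves outside the base directory
        }
        $contents = file_get_contents($path);
        if ($contents !== false && $contents !== '') {
            $out[$f] = $contents;
        }
    }
    return $out;
}

// Constructed demo data: a temporary directory with one config file.
$base = sys_get_temp_dir() . '/mjx_demo_' . getmypid();
mkdir($base . '/conf', 0700, true);
file_put_contents($base . '/conf/mathjax.js', 'MathJax.Hub.Config({});');

var_dump(array_keys(resolve_config_files($base, '')));                      // option left empty
var_dump(array_keys(resolve_config_files($base, 'conf; conf/mathjax.js'))); // a directory and a file
var_dump(array_keys(resolve_config_files($base, '../elsewhere.js')));       // entry pointing above $base

unlink($base . '/conf/mathjax.js');
rmdir($base . '/conf');
rmdir($base);
```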
