Release 5.1.2

@dometto dometto released this 15 Jul 08:42

Gollum versions from 5.0 up to this release were vulnerable to CVE-2020-35305, a Cross-Site Scripting (XSS) vulnerability. Please update!

NB: this report has arrived late because it took about two years for a CVE to be reserved. 😢 Newer versions of Gollum have been released since, which are all unaffected by this vulnerability.

Description of the vulnerability

  • Vulnerability Type: Cross Site Scripting (XSS)
  • Affected Component: the Overview and Pages views of a Gollum wiki.
  • Result: arbitrary JavaScript runs in the browser of anyone viewing the Overview or Pages view.
  • Attack Vectors: a maliciously crafted filename entered in the 'New Page' dialog.
  • Discoverer: Tsubasa Umeuchi (@Szarny)

Reproducing the vulnerability

Filenames of the following form triggered the vulnerability on the Overview and Pages views: '<img src=x onerror=alert(1) />'.

Solution

We now sanitize displayed page names (137728c) and have added regression tests guarding against this and similar vulnerabilities. Thanks to @Szarny for the report!
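As an added illustration of the class of fix described here, and of the regression check that the reproduction above calls for, the following Ruby snippet is not Gollum's code (commit 137728c is not reproduced on this page) and does not use Gollum's templates. It renders a page listing from a constructed set of page names, once with the name interpolated raw and once HTML-escaped for text context and percent-encoded for the link target, then checks that the rendered HTML contains only the tags the template itself emits. The helper names (`render_page_list_unescaped`, `render_page_list_escaped`, `only_template_tags?`) are assumptions chosen for this example.

```ruby
require 'cgi'
require 'erb'

# Constructed sample page names; the last one is the filename form quoted in
# the report above.
SAMPLE_PAGE_NAMES = [
  'Home',
  'Meeting Notes 2020',
  '<img src=x onerror=alert(1) />'
].freeze

# The only tags this listing template is allowed to produce.
TEMPLATE_TAGS = %w[ul li a].freeze

# The defect pattern (illustrative, not Gollum's template): the page name is
# interpolated straight into the markup, so a filename containing '<' is parsed
# by the browser as an element, and its event-handler attribute is executed.
def render_page_list_unescaped(names)
  items = names.map { |n| "<li><a href=\"/#{n}\">#{n}</a></li>" }
  "<ul>\n#{items.join("\n")}\n</ul>"
end

# The fix pattern: escape the name for the HTML text context (CGI.escapeHTML
# turns '<', '>', '&', '"', "'" into entities) and percent-encode it for the
# href, so it can only ever be displayed as text, never parsed as markup.
def render_page_list_escaped(names)
  items = names.map do |n|
    text = CGI.escapeHTML(n)
    href = '/' + ERB::Util.url_encode(n)
    "<li><a href=\"#{href}\">#{text}</a></li>"
  end
  "<ul>\n#{items.join("\n")}\n</ul>"
end

# Collects the distinct tag names that appear as markup in the output.
def tags_in(html)
  html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten.map(&:downcase).uniq
end

# Regression-style check: true when no tag beyond the template's own made it
# into the output, i.e. no page name was rendered as markup.
def only_template_tags?(html)
  (tags_in(html) - TEMPLATE_TAGS).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped safe? #{only_template_tags?(render_page_list_unescaped(SAMPLE_PAGE_NAMES))}"
  puts "escaped safe?   #{only_template_tags?(render_page_list_escaped(SAMPLE_PAGE_NAMES))}"
end
```

The check deliberately inspects the rendered output rather than the stored filename: the sanitization the release describes is applied at display time, so a test that asserts on what the view emits catches a regression in any template that renders page names, not just the one that was patched.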