A simple, Git-powered wiki with a local frontend and support for many kinds of markup and content.
A backport of some fixes from the current development branch that make Gollum compatible with Ruby 3.2!
Work on Gollum 6.0 continues steadily, and we hope to be able to release it soon.
Gollum versions from 5.0 up to this release were vulnerable to CVE-2020-35305, a Cross-Site Scripting (XSS) vulnerability. Please update!
NB: this report has arrived late because it took about two years for a CVE to be reserved. 😢 Newer versions of Gollum have been released since, which are all unaffected by this vulnerability.
Filenames of the following form triggered the vulnerability on the Overview and Pages views: '<img src=x onerror=alert(1) />'.
We now sanitize displayed page names (137728cdabc0f60859fcd30404ad2b8fff6ef715) and have added regression tests guarding against this and similar vulnerabilities. Thanks to @Szarny for the report!
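To illustrate the defect and the fix described above, here is an added Ruby sketch (not Gollum's own view code): a page listing that interpolates the page name unescaped, the same listing with the name escaped via CGI.escapeHTML and ERB::Util.url_encode, and a regression check of the kind the note mentions. The listing helpers and the benign sample names are constructed for this example.

```ruby
require 'cgi'
require 'erb'

# Constructed inputs: the payload quoted in the release note plus ordinary names.
MALICIOUS_NAME = "<img src=x onerror=alert(1) />".freeze
BENIGN_NAMES   = ["Home", "Installation & Setup", "Tom's Notes"].freeze

# Vulnerable rendering (stand-in for the Overview/Pages views): the page name
# is dropped into the HTML as-is, so a crafted filename becomes live markup.
def render_page_list_unsafe(names)
  items = names.map { |n| "<li><a href=\"/#{n}\">#{n}</a></li>" }
  "<ul>#{items.join}</ul>"
end

# Hardened rendering: escape the name for each context it lands in.
# CGI.escapeHTML turns < > & " ' into entities for the text node, and
# ERB::Util.url_encode percent-encodes the name for the href path segment.
def render_page_list_safe(names)
  items = names.map do |n|
    text = CGI.escapeHTML(n)
    href = "/" + ERB::Util.url_encode(n)
    "<li><a href=\"#{href}\">#{text}</a></li>"
  end
  "<ul>#{items.join}</ul>"
end

# Regression check: report any name that still appears verbatim in the output
# while containing a tag opener. An empty result means no raw markup leaked.
def leaked_tags(html, names)
  names.select { |n| n.match?(/<[a-z]/i) && html.include?(n) }
end

if __FILE__ == $PROGRAM_NAME
  all = BENIGN_NAMES + [MALICIOUS_NAME]
  puts "unsafe leaks: #{leaked_tags(render_page_list_unsafe(all), all).inspect}"
  puts "safe leaks:   #{leaked_tags(render_page_list_safe(all), all).inspect}"
end
```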