meta: Security fix; don't allow alternative stylesheets to be added on pages where...
index 68ac4cfae4844dd7de3b44e7af9956d00ab3ac75..8d46ed57983e6a0d0e7cac3c568a6cb368ec34a6 100644 (file)
@@ -364,18 +364,16 @@ sub editcomment ($$) {
        }
 
        # The untaint is OK (as in editpage) because we're about to pass
        }
 
        # The untaint is OK (as in editpage) because we're about to pass
-       # it to file_pruned anyway
-       my $page = $form->field('page');
+       # it to file_pruned and wiki_file_regexp anyway.
+       my ($page) = $form->field('page')=~/$config{wiki_file_regexp}/;
        $page = IkiWiki::possibly_foolish_untaint($page);
        if (! defined $page || ! length $page ||
                IkiWiki::file_pruned($page)) {
                error(gettext("bad page name"));
        }
 
        $page = IkiWiki::possibly_foolish_untaint($page);
        if (! defined $page || ! length $page ||
                IkiWiki::file_pruned($page)) {
                error(gettext("bad page name"));
        }
 
-       my $baseurl = urlto($page);
-
        $form->title(sprintf(gettext("commenting on %s"),
        $form->title(sprintf(gettext("commenting on %s"),
-                       IkiWiki::pagetitle($page)));
+                       IkiWiki::pagetitle(IkiWiki::basename($page))));
 
        $form->tmpl_param('helponformattinglink',
                htmllink($page, $page, 'ikiwiki/formatting',
 
        $form->tmpl_param('helponformattinglink',
                htmllink($page, $page, 'ikiwiki/formatting',
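Review bot: The new `my ($page) = $form->field('page')=~/$config{wiki_file_regexp}/;` takes its value from the regexp's first capture group, so the validation holds only if the configured `wiki_file_regexp` captures the whole matched name (ikiwiki's stock pattern does, as far as I recall, but a site-level override without a capture would make a successful match assign `1` to `$page`, which then passes the defined/length/file_pruned checks unchallenged). It also matches against an undefined value when the `page` field is missing from the form, which under `use warnings` only costs an "uninitialized value" warning before the existing `! defined $page` check rejects it; `($form->field('page') // '')` would quiet that if the codebase already targets 5.10+. The comment above the match now says the untaint is OK "because we're about to pass it to file_pruned and wiki_file_regexp anyway", but the wiki_file_regexp match has already happened by the time `possibly_foolish_untaint` runs, so I'd reword it to `# The untaint is OK (as in editpage): the value has already been matched against wiki_file_regexp and is about to go through file_pruned.` editcomment starts and ends outside the hunk.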
@@ -385,7 +383,7 @@ sub editcomment ($$) {
 
        if ($form->submitted eq CANCEL) {
                # bounce back to the page they wanted to comment on, and exit.
 
        if ($form->submitted eq CANCEL) {
                # bounce back to the page they wanted to comment on, and exit.
-               IkiWiki::redirect($cgi, $baseurl);
+               IkiWiki::redirect($cgi, urlto($page));
                exit;
        }
 
                exit;
        }
 
@@ -506,7 +504,7 @@ sub editcomment ($$) {
                        IkiWiki::saveindex();
 
                        IkiWiki::printheader($session);
                        IkiWiki::saveindex();
 
                        IkiWiki::printheader($session);
-                       print IkiWiki::misctemplate(gettext(gettext("comment stored for moderation")),
+                       print IkiWiki::cgitemplate($cgi, gettext(gettext("comment stored for moderation")),
                                "<p>".
                                gettext("Your comment will be posted after moderator review").
                                "</p>");
                                "<p>".
                                gettext("Your comment will be posted after moderator review").
                                "</p>");
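Review bot: The new `print IkiWiki::cgitemplate($cgi, gettext(gettext("comment stored for moderation")),` keeps the nested `gettext(gettext(...))`; the inner call already returns the translated string, so the outer call is a redundant second lookup using the translation as its key, and it presumably only works because an unknown msgid falls through unchanged. Since this line is being rewritten anyway, I'd collapse it to `print IkiWiki::cgitemplate($cgi, gettext("comment stored for moderation"),`. The enclosing branch of editcomment starts and ends outside the hunk.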
@@ -556,8 +554,8 @@ sub editcomment ($$) {
 
        }
        else {
 
        }
        else {
-               IkiWiki::showform ($form, \@buttons, $session, $cgi,
-                       forcebaseurl => $baseurl, page => $page);
+               IkiWiki::showform($form, \@buttons, $session, $cgi,
+                       page => $page);
        }
 
        exit;
        }
 
        exit;
@@ -662,7 +660,7 @@ sub commentmoderation ($$) {
        IkiWiki::run_hooks(format => sub {
                $out = shift->(page => "", content => $out);
        });
        IkiWiki::run_hooks(format => sub {
                $out = shift->(page => "", content => $out);
        });
-       print IkiWiki::misctemplate(gettext("comment moderation"), $out);
+       print IkiWiki::cgitemplate($cgi, gettext("comment moderation"), $out);
        exit;
 }
 
        exit;
 }
 
@@ -757,10 +755,8 @@ sub previewcomment ($$$) {
 sub commentsshown ($) {
        my $page=shift;
 
 sub commentsshown ($) {
        my $page=shift;
 
-       return ! pagespec_match($page, "comment(*)",
-                               location => $page) &&
-              pagespec_match($page, $config{comments_pagespec},
-                             location => $page);
+       return pagespec_match($page, $config{comments_pagespec},
+               location => $page);
 }
 
 sub commentsopen ($) {
 }
 
 sub commentsopen ($) {
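Review bot: `commentsshown` now returns whatever `comments_pagespec` says for `$page`, so a comment page itself can be reported as showing comments where the removed `! pagespec_match($page, "comment(*)", ...)` used to exclude it; if that widening is intentional (it looks paired with the later `comment($page) and !comment($page/*)` change in pagetemplate, whose hunk is cut off here), a one-line comment in the sub would keep the next reader from re-adding the exclusion, e.g. `# Comment pages are not excluded here; callers that inline comments restrict the set to direct comments.` If it is not intentional, `comments_pagespec` alone now has to carry that exclusion for every site.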
@@ -787,7 +783,7 @@ sub pagetemplate (@) {
                my $comments = undef;
                if ($shown) {
                        $comments = IkiWiki::preprocess_inline(
                my $comments = undef;
                if ($shown) {
                        $comments = IkiWiki::preprocess_inline(
-                               pages => "comment($page)",
+                               pages => "comment($page) and !comment($page/*)",
                                template => 'comment',
                                show => 0,
                                reverse => 'yes',
                                template => 'comment',
                                show => 0,
                                reverse => 'yes',