CGI, attachment, passwordauth: harden against repeated parameters
index d7666c8526f831b4f147a1aa880e53d4ee7a1906..46e1b268f1c2f503890ef17194728935112faef4 100644 (file)
@@ -126,7 +126,7 @@ sub htmlize {
 sub htmlize_pending {
        my %params = @_;
        return sprintf(gettext("this comment needs %s"),
-               '<a href="'.
+               '<a rel="nofollow" href="'.
                IkiWiki::cgiurl(do => "commentmoderation").'">'.
                gettext("moderation").'</a>');
 }
@@ -198,7 +198,6 @@ sub preprocess {
                $commentuser = $params{username};
 
                my $oiduser = eval { IkiWiki::openiduser($commentuser) };
-
                if (defined $oiduser) {
                        # looks like an OpenID
                        $commentauthorurl = $commentuser;
@@ -206,10 +205,17 @@ sub preprocess {
                        $commentopenid = $commentuser;
                }
                else {
-                       $commentauthorurl = IkiWiki::cgiurl(
-                               do => 'goto',
-                               page => IkiWiki::userpage($commentuser)
-                       );
+                       my $emailuser = IkiWiki::emailuser($commentuser);
+                       if (defined $emailuser) {
+                               $commentuser=$emailuser;
+                       }
+
+                       if (length $config{cgiurl}) {
+                               $commentauthorurl = IkiWiki::cgiurl(
+                                       do => 'goto',
+                                       page => IkiWiki::userpage($commentuser)
+                               );
+                       }
 
                        $commentauthor = $commentuser;
                }
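Review bot: The new assignment `$commentuser=$emailuser;` drops the spaces around `=` that every neighbouring assignment in this branch uses (`$commentauthorurl = $commentuser;`), so it reads as a different author's hand; write it `$commentuser = $emailuser;`. A one-line comment on the `emailuser` call would also help, since the effect is that the stored `commentuser` is no longer the raw login for that case: `# presumably maps an email-style login to its display form — confirm against IkiWiki::emailuser`. Note that when `$config{cgiurl}` is empty, `$commentauthorurl` is now deliberately left undefined; that looks intended, but it is worth saying so in a comment next to the guard. preprocess starts and ends outside this hunk.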
@@ -221,22 +227,9 @@ sub preprocess {
                $commentauthor = gettext("Anonymous");
        }
 
-       $commentstate{$page}{commentuser} = $commentuser;
-       $commentstate{$page}{commentopenid} = $commentopenid;
-       $commentstate{$page}{commentip} = $commentip;
-       $commentstate{$page}{commentauthor} = $commentauthor;
-       $commentstate{$page}{commentauthorurl} = $commentauthorurl;
-       $commentstate{$page}{commentauthoravatar} = $params{avatar};
-       if (! defined $pagestate{$page}{meta}{author}) {
-               $pagestate{$page}{meta}{author} = $commentauthor;
-       }
-       if (! defined $pagestate{$page}{meta}{authorurl}) {
-               $pagestate{$page}{meta}{authorurl} = $commentauthorurl;
-       }
-
        if ($config{comments_allowauthor}) {
                if (defined $params{claimedauthor}) {
-                       $pagestate{$page}{meta}{author} = $params{claimedauthor};
+                       $commentauthor = $params{claimedauthor};
                }
 
                if (defined $params{url}) {
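Review bot: Moving the `claimedauthor` override ahead of the state snapshot means `$commentstate{$page}{commentauthor}` now carries the directive-supplied name rather than the authenticated one, whereas before only `meta.author` did; nothing in this hunk sanitizes `$params{claimedauthor}`, so every consumer of `commentauthor` becomes a sink for untrusted text — confirm that the templates rendering it escape it, or escape here as the `url` path does with `safeurl` in the hunk at L68. The authenticated identity survives only in `commentuser`, so if anything relied on `commentauthor` for attribution it should be re-pointed there. The hunk at L68 completes the same move for `commentauthorurl`. preprocess starts and ends outside this hunk.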
@@ -248,12 +241,21 @@ sub preprocess {
                        }
 
                        if (safeurl($url)) {
-                               $pagestate{$page}{meta}{authorurl} = $url;
+                               $commentauthorurl = $url;
                        }
                }
        }
-       else {
+
+       $commentstate{$page}{commentuser} = $commentuser;
+       $commentstate{$page}{commentopenid} = $commentopenid;
+       $commentstate{$page}{commentip} = $commentip;
+       $commentstate{$page}{commentauthor} = $commentauthor;
+       $commentstate{$page}{commentauthorurl} = $commentauthorurl;
+       $commentstate{$page}{commentauthoravatar} = $params{avatar};
+       if (! defined $pagestate{$page}{meta}{author}) {
                $pagestate{$page}{meta}{author} = $commentauthor;
+       }
+       if (! defined $pagestate{$page}{meta}{authorurl}) {
                $pagestate{$page}{meta}{authorurl} = $commentauthorurl;
        }
 
@@ -284,7 +286,7 @@ sub preprocess_moderation {
                unless defined $params{desc};
 
        if (length $config{cgiurl}) {
-               return '<a href="'.
+               return '<a rel="nofollow" href="'.
                        IkiWiki::cgiurl(do => 'commentmoderation').
                        '">'.$params{desc}.'</a>';
        }
@@ -354,7 +356,8 @@ sub editcomment ($$) {
        my @page_types;
        if (exists $IkiWiki::hooks{htmlize}) {
                foreach my $key (grep { !/^_/ && isallowed($_) } keys %{$IkiWiki::hooks{htmlize}}) {
-                       push @page_types, [$key, $IkiWiki::hooks{htmlize}{$key}{longname} || $key];
+                       push @page_types, [$key, $IkiWiki::hooks{htmlize}{$key}{longname} || $key]
+                               unless $IkiWiki::hooks{htmlize}{$key}{nocreate};
                }
        }
        @page_types=sort @page_types;
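Review bot: The added `unless` trailing a multi-line `push` hides the filter at the end of the statement, and the hook hash is now spelled out three times; a guard clause reads more clearly: `my $hook = $IkiWiki::hooks{htmlize}{$key};` / `next if $hook->{nocreate};` / `push @page_types, [$key, $hook->{longname} || $key];`. The `isallowed` filter in the `grep` could then fold into the same loop body, but that is a separate tidy-up. editcomment continues outside this hunk.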
@@ -464,7 +467,7 @@ sub editcomment ($$) {
        my $content = "[[!comment format=$type\n";
 
        if (defined $session->param('name')) {
-               my $username = $session->param('name');
+               my $username = IkiWiki::cloak($session->param('name'));
                $username =~ s/"/&quot;/g;
                $content .= " username=\"$username\"\n";
        }
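Review bot: The `IkiWiki::cloak` call is unexplained, and its placement before the `s/"/&quot;/g` on the following line is load-bearing, since the cloaked value is what ends up quoted into the `username="..."` attribute; a comment would keep a later refactor from reordering them: `# cloak the session identity before it is persisted in the comment source; the escape below must apply to the cloaked form`. What cloak guarantees about its output is not visible here, so the comment should say no more than that. editcomment continues outside this hunk.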
@@ -477,7 +480,7 @@ sub editcomment ($$) {
 
        if (!(defined $session->param('name') || defined $session->param('nickname')) &&
                defined $session->remote_addr()) {
-               $content .= " ip=\"".$session->remote_addr()."\"\n";
+               $content .= " ip=\"".IkiWiki::cloak($session->remote_addr())."\"\n";
        }
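Review bot: The cloaked remote address is interpolated straight into `ip="..."` without the `s/"/&quot;/g` that the username receives in the hunk at L116; a raw IP never needed it, but the new value is whatever `IkiWiki::cloak` returns, and unless that is known to be free of `"` and newlines the directive attribute can be broken. Apply the same treatment: `my $ip = IkiWiki::cloak($session->remote_addr()); $ip =~ s/"/&quot;/g; $content .= " ip=\"$ip\"\n";`. If cloak is documented to emit only a fixed alphabet, a comment stating that is enough instead. editcomment continues outside this hunk.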
 
        if ($config{comments_allowauthor}) {
@@ -507,7 +510,7 @@ sub editcomment ($$) {
                $subject = "comment ".(num_comments($page, $config{srcdir}) + 1);
        }
        $content .= " subject=\"$subject\"\n";
-       $content .= " " . commentdate() . "\n";
+       $content .= " date=\"" . commentdate() . "\"\n";
 
        my $editcontent = $form->field('editcontent');
        $editcontent="" if ! defined $editcontent;
@@ -554,11 +557,12 @@ sub editcomment ($$) {
                }
                
                $postcomment=1;
-               my $ok=IkiWiki::check_content(content => $form->field('editcontent'),
-                       subject => $form->field('subject'),
+               my $ok=IkiWiki::check_content(
+                       content => scalar $form->field('editcontent'),
+                       subject => scalar $form->field('subject'),
                        $config{comments_allowauthor} ? (
-                               author => $form->field('author'),
-                               url => $form->field('url'),
+                               author => scalar $form->field('author'),
+                               url => scalar $form->field('url'),
                        ) : (),
                        page => $location,
                        cgi => $cgi,
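Review bot: The added `scalar` on each `$form->field(...)` in this hash constructor is the whole point of the commit, yet nothing marks it as deliberate, and a reader tidying the call is likely to remove it as redundant; add one comment above the call: `# scalar: field() returns every value in list context, so a repeated form parameter would otherwise shift the key/value pairs that follow it`. The same applies to the `sprintf` argument in the hunk at L160, though there the consequence is only a mis-formatted message. Other reads in this file such as `length $form->field('subject')` already impose scalar context and need no change. editcomment starts and ends outside this hunk.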
@@ -598,7 +602,7 @@ sub editcomment ($$) {
                                length $form->field('subject')) {
                                $message = sprintf(
                                        gettext("Added a comment: %s"),
-                                       $form->field('subject'));
+                                       scalar $form->field('subject'));
                        }
 
                        IkiWiki::rcs_add($file);
@@ -636,7 +640,7 @@ sub editcomment ($$) {
 }
 
 sub commentdate () {
-       "date=\"" . strftime_utf8('%Y-%m-%dT%H:%M:%SZ', gmtime) . "\"";
+       strftime_utf8('%Y-%m-%dT%H:%M:%SZ', gmtime);
 }
 
 sub getavatar ($) {
@@ -917,16 +921,18 @@ sub pagetemplate (@) {
        }
 
        if ($shown) {
+               my $absolute = $template->param('wants_absolute_urls');
+
                if ($template->query(name => 'commentsurl')) {
                        $template->param(commentsurl =>
-                               urlto($page).'#comments');
+                               urlto($page, undef, $absolute).'#comments');
                }
 
                if ($template->query(name => 'atomcommentsurl') && $config{usedirs}) {
                        # This will 404 until there are some comments, but I
                        # think that's probably OK...
                        $template->param(atomcommentsurl =>
-                               urlto($page).'comments.atom');
+                               urlto($page, undef, $absolute).'comments.atom');
                }
 
                if ($template->query(name => 'commentslink')) {
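Review bot: `urlto($page, undef, $absolute)` now carries a positional `undef` in the middle, and `$absolute` is read from a template parameter whose meaning is not stated anywhere in the hunk; a comment on the new declaration would save the next reader a trip to urlto's signature: `# templates that embed these links in contexts needing absolute URLs set wants_absolute_urls; pass it through as urlto's third argument`. Whether any template actually declares that parameter cannot be confirmed from here, so leave the wording as an expectation rather than a fact. pagetemplate starts and ends outside this hunk.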
@@ -940,7 +946,7 @@ sub pagetemplate (@) {
                                );
                        }
                        elsif (commentsopen($page)) {
-                               $link = "<a href=\"".addcommenturl($page)."\">".
+                               $link = "<a rel=\"nofollow\" href=\"".addcommenturl($page)."\">".
                                        #translators: Here "Comment" is a verb;
                                        #translators: the user clicks on it to
                                        #translators: post a comment.