]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blobdiff - IkiWiki/Render.pm
meta: Security fix; don't allow alternative stylesheets to be added on pages where...
[git.ikiwiki.info.git] / IkiWiki / Render.pm
index b0bd8dee08f1f605f80526a5c72b71fa08928f27..a653ab2da02e542828349c3d9f3ac200340608f4 100644 (file)
@@ -84,19 +84,14 @@ sub genpage ($$) {
                $template=template('page.tmpl', 
                        blind_cache => 1);
        }
-       my $actions=0;
 
+       my $actions=0;
        if (length $config{cgiurl}) {
                if (IkiWiki->can("cgi_editpage")) {
                        $template->param(editurl => cgiurl(do => "edit", page => $page));
                        $actions++;
                }
-               if (exists $hooks{auth}) {
-                       $template->param(prefsurl => cgiurl(do => "prefs"));
-                       $actions++;
-               }
        }
-               
        if (defined $config{historyurl} && length $config{historyurl}) {
                my $u=$config{historyurl};
                $u=~s/\[\[file\]\]/$pagesources{$page}/g;
@@ -111,17 +106,10 @@ sub genpage ($$) {
                        $actions++;
                }
        }
-
-       my @actions;
-       run_hooks(pageactions => sub {
-               push @actions, map { { action => $_ } } 
-                       grep { defined } shift->(page => $page);
-       });
-       $template->param(actions => \@actions);
-
-       if ($actions || @actions) {
+       if ($actions) {
                $template->param(have_actions => 1);
        }
+       templateactions($template, $page);
 
        my @backlinks=sort { $a->{page} cmp $b->{page} } backlinks($page);
        my ($backlinks, $more_backlinks);
@@ -304,12 +292,17 @@ sub find_src_files () {
        eval q{use File::Find};
        error($@) if $@;
 
-       my ($page, $dir, $underlay);
+       eval q{use Cwd};
+       die $@ if $@;
+       my $origdir=getcwd();
+       my $abssrcdir=Cwd::abs_path($config{srcdir});
+
+       my ($page, $underlay);
        my $helper=sub {
                my $file=decode_utf8($_);
 
                return if -l $file || -d _;
-               $file=~s/^\Q$dir\E\/?//;
+               $file=~s/^\.\///;
                return if ! length $file;
                $page = pagename($file);
                if (! exists $pagesources{$page} &&
@@ -326,7 +319,7 @@ sub find_src_files () {
        
                if ($underlay) {
                        # avoid underlaydir override attacks; see security.mdwn
-                       if (! -l "$config{srcdir}/$f" && ! -e _) {
+                       if (! -l "$abssrcdir/$f" && ! -e _) {
                                if (! $pages{$page}) {
                                        push @files, $f;
                                        $pages{$page}=1;
@@ -342,17 +335,24 @@ sub find_src_files () {
                }
        };
 
+       chdir($config{srcdir}) || die "chdir $config{srcdir}: $!";
        find({
                no_chdir => 1,
                wanted => $helper,
-       }, $dir=$config{srcdir});
+       }, '.');
+       chdir($origdir) || die "chdir $origdir: $!";
+
        $underlay=1;
        foreach (@{$config{underlaydirs}}, $config{underlaydir}) {
-               find({
-                       no_chdir => 1,
-                       wanted => $helper,
-               }, $dir=$_);
+               if (chdir($_)) {
+                       find({
+                               no_chdir => 1,
+                               wanted => $helper,
+                       }, '.');
+                       chdir($origdir) || die "chdir: $!";
+               }
        };
+
        return \@files, \%pages;
 }
 
@@ -365,6 +365,35 @@ sub find_new_files ($) {
 
        foreach my $file (@$files) {
                my $page=pagename($file);
+
+               if ($config{rcs} && $config{gettime} &&
+                   -e "$config{srcdir}/$file") {
+                       if (! $times_noted) {
+                               debug(sprintf(gettext("querying %s for file creation and modification times.."), $config{rcs}));
+                               $times_noted=1;
+                       }
+
+                       eval {
+                               my $ctime=rcs_getctime($file);
+                               if ($ctime > 0) {
+                                       $pagectime{$page}=$ctime;
+                               }
+                       };
+                       if ($@) {
+                               print STDERR $@;
+                       }
+                       my $mtime;
+                       eval {
+                               $mtime=rcs_getmtime($file);
+                       };
+                       if ($@) {
+                               print STDERR $@;
+                       }
+                       elsif ($mtime > 0) {
+                               utime($mtime, $mtime, "$config{srcdir}/$file");
+                       }
+               }
+
                if (exists $pagesources{$page} && $pagesources{$page} ne $file) {
                        # the page has changed its type
                        $forcerebuild{$page}=1;
@@ -374,34 +403,8 @@ sub find_new_files ($) {
                        if (isinternal($page)) {
                                push @internal_new, $file;
                        }
-                       elsif ($config{rcs}) {
+                       else {
                                push @new, $file;
-                               if ($config{gettime} && -e "$config{srcdir}/$file") {
-                                       if (! $times_noted) {
-                                               debug(sprintf(gettext("querying %s for file creation and modification times.."), $config{rcs}));
-                                               $times_noted=1;
-                                       }
-
-                                       eval {
-                                               my $ctime=rcs_getctime("$config{srcdir}/$file");
-                                               if ($ctime > 0) {
-                                                       $pagectime{$page}=$ctime;
-                                               }
-                                       };
-                                       if ($@) {
-                                               print STDERR $@;
-                                       }
-                                       my $mtime;
-                                       eval {
-                                               $mtime=rcs_getmtime("$config{srcdir}/$file");
-                                       };
-                                       if ($@) {
-                                               print STDERR $@;
-                                       }
-                                       elsif ($mtime > 0) {
-                                               utime($mtime, $mtime, "$config{srcdir}/$file");
-                                       }
-                               }
                        }
                        $pagecase{lc $page}=$page;
                        if (! exists $pagectime{$page}) {
@@ -454,6 +457,7 @@ sub remove_del (@) {
                }
        
                delete $pagecase{lc $page};
+               $delpagesources{$page}=$pagesources{$page};
                delete $pagesources{$page};
        }
 }
@@ -641,7 +645,7 @@ sub render_dependent ($$$$$$$) {
                                # only consider internal files
                                # if the page explicitly depends
                                # on such files
-                               my $internal_dep=$dep =~ /internal\(/;
+                               my $internal_dep=$dep =~ /(?:internal|comment|comment_pending)\(/;
 
                                my $in=sub {
                                        my $list=shift;
@@ -800,8 +804,8 @@ sub refresh () {
        render_backlinks($backlinkchanged);
        remove_unrendered();
 
-       if (@$del) {
-               run_hooks(delete => sub { shift->(@$del) });
+       if (@$del || @$internal_del) {
+               run_hooks(delete => sub { shift->(@$del, @$internal_del) });
        }
        if (%rendered) {
                run_hooks(change => sub { shift->(keys %rendered) });