Simon McVittie [Sun, 8 May 2016 14:41:35 +0000 (15:41 +0100)]
Add t/img.t regression test also taken from version 3.
20160506
(chrysn, joeyh, schmonz, smcv)
Simon McVittie [Wed, 4 May 2016 07:52:40 +0000 (08:52 +0100)]
Update img plugin to version 3.
20160506
* Update img plugin to version 3.
20160506 to mitigate ImageMagick
vulnerabilities, including remote code execution (CVE-2016-3714):
- Never convert SVG images to PNG; simply pass them through to the
browser. This prevents exploitation of any ImageMagick SVG coder
vulnerabilities. (joeyh)
- Do not resize image formats other than JPEG, PNG, GIF unless
specifically configured to do so. This prevents exploitation
of any vulnerabilities in less common coders, such as MVG. (smcv)
- Do not resize JPEG, PNG, GIF, PDF images if their extensions do
not match their "magic numbers", because wiki admins might try to
restrict attachments by extension, but ImageMagick can base its
choice of coder on the magic number. Explicitly force the
obvious ImageMagick coder to be used. (smcv)
* Minor non-security changes resulting from that update, since
reverting them seems higher-risk than keeping them:
- Add PDF support, disabled by the above changes unless specifically
configured (chrysn)
- Only render one frame or page from animated GIF or multi-page PDF
(chrysn)
- Do not distort aspect ratio when resizing small images (chrysn)
- Use data: URLs to embed images in page previews (chrysn)
- Raise an error if the image's size cannot be determined (chrysn)
- Handle filenames containing a colon correctly (smcv)
Simon McVittie [Wed, 4 May 2016 07:46:02 +0000 (08:46 +0100)]
HTML-escape error messages (CVE-2016-4561)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-
20160505-0012, CVE-2016-4561)
The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
Simon McVittie [Mon, 6 Apr 2015 19:37:07 +0000 (20:37 +0100)]
Joey Hess [Fri, 27 Mar 2015 16:17:39 +0000 (12:17 -0400)]
Fix XSS in openid selector. Thanks, Raghav Bisht.
Conflicts:
debian/changelog
doc/bugs/XSS_Alert...__33____33____33__.html
Simon McVittie [Sat, 17 Jan 2015 11:53:49 +0000 (11:53 +0000)]
correct double-negative
Simon McVittie [Wed, 14 Jan 2015 22:11:05 +0000 (22:11 +0000)]
wheezy release candidate
Joey Hess [Fri, 2 Jan 2015 20:45:26 +0000 (16:45 -0400)]
close debian bug I opened about blogspam
Conflicts:
debian/changelog
Amitai Schlair [Sat, 3 Jan 2015 15:02:20 +0000 (10:02 -0500)]
blogspam uses JSON instead of RPC::XML now.
Amitai Schlair [Fri, 2 Jan 2015 18:55:10 +0000 (13:55 -0500)]
Update blogspam to the 2.0 API.
[backport to Debian wheezy, open-coding a simple version of useragent() -smcv]
Conflicts:
IkiWiki/Plugin/blogspam.pm
debian/changelog
Joey Hess [Sat, 8 Nov 2014 04:08:33 +0000 (00:08 -0400)]
Set Debian package maintainer to Simon McVittie as I'm retiring from Debian.
Conflicts:
debian/changelog
debian/control
Joey Hess [Fri, 29 Jun 2012 17:43:09 +0000 (13:43 -0400)]
releasing version 3.
20120629
Joey Hess [Sun, 17 Jun 2012 19:12:53 +0000 (15:12 -0400)]
cleanup
ikitest [Sun, 17 Jun 2012 19:05:09 +0000 (15:05 -0400)]
http://openid.ppke.hu/cstamas [Sun, 17 Jun 2012 00:16:22 +0000 (20:16 -0400)]
add signature
http://openid.ppke.hu/cstamas [Sun, 17 Jun 2012 00:14:19 +0000 (20:14 -0400)]
add
Question re: google search missing results
Joey Hess [Mon, 11 Jun 2012 04:47:15 +0000 (00:47 -0400)]
bug on trail plugin
spalax [Fri, 8 Jun 2012 00:56:07 +0000 (20:56 -0400)]
Added a comment: Popup listing multiple entries per day
spalax [Fri, 8 Jun 2012 00:00:58 +0000 (20:00 -0400)]
Contrib plugin created_in_future
spalax [Thu, 7 Jun 2012 23:47:45 +0000 (19:47 -0400)]
Contrib plugin monthcalendar
spalax [Thu, 7 Jun 2012 23:38:12 +0000 (19:38 -0400)]
Contrib plugin jscalendar : a javascript calendar
spalax [Thu, 7 Jun 2012 23:31:07 +0000 (19:31 -0400)]
spalax [Thu, 7 Jun 2012 23:27:38 +0000 (19:27 -0400)]
rename contrib/jscalendar.mdwn to plugins/contrib/jscalendar.mdwn
spalax [Thu, 7 Jun 2012 23:26:57 +0000 (19:26 -0400)]
rename todo/Javascript_calendar.mdwn to contrib/jscalendar.mdwn
mathdesc [Thu, 7 Jun 2012 11:11:29 +0000 (07:11 -0400)]
will put in in the forum, sry
This reverts commit
f2b421b26b9ceb68b19a11140936537353da51de
comment removal question
mathdesc [Wed, 6 Jun 2012 09:51:28 +0000 (05:51 -0400)]
mathdesc [Wed, 6 Jun 2012 09:25:35 +0000 (05:25 -0400)]
pdurbin [Tue, 5 Jun 2012 15:24:26 +0000 (11:24 -0400)]
created page: Can not advance past first page of results using search plugin
pdurbin [Tue, 5 Jun 2012 15:02:20 +0000 (11:02 -0400)]
created user page
Joey Hess [Sun, 3 Jun 2012 17:17:03 +0000 (13:17 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Sun, 3 Jun 2012 17:16:31 +0000 (13:16 -0400)]
mirrorlist: Add mirrorlist_use_cgi setting that avoids usedirs or other config differences by linking to the mirror's CGI. (intrigeri)
Joey Hess [Sun, 3 Jun 2012 17:15:19 +0000 (13:15 -0400)]
Merge remote-tracking branch 'intrigeri/mirrorlist'
http://joeyh.name/ [Sun, 3 Jun 2012 17:11:12 +0000 (13:11 -0400)]
Added a comment
Joey Hess [Sun, 3 Jun 2012 17:06:45 +0000 (13:06 -0400)]
sadly still lost
Joey Hess [Sat, 2 Jun 2012 01:32:51 +0000 (21:32 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Tue, 29 May 2012 17:43:37 +0000 (13:43 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
intrigeri [Mon, 28 May 2012 09:38:28 +0000 (11:38 +0200)]
Ping'ing Joey.
Franek [Sat, 26 May 2012 19:31:19 +0000 (15:31 -0400)]
Added a comment: kind of solved, but another problem comes up
Joey Hess [Thu, 24 May 2012 20:33:15 +0000 (16:33 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
damien [Thu, 24 May 2012 11:44:02 +0000 (07:44 -0400)]
removed
damien [Thu, 24 May 2012 11:43:16 +0000 (07:43 -0400)]
Added a comment: ceci est un test
http://ismael.olea.org/ [Wed, 23 May 2012 12:31:34 +0000 (08:31 -0400)]
update for rename of todo/Olea.mdwn to users/Olea.mdwn
http://ismael.olea.org/ [Wed, 23 May 2012 12:31:33 +0000 (08:31 -0400)]
update for rename of todo/Olea.mdwn to users/Olea.mdwn
http://ismael.olea.org/ [Wed, 23 May 2012 12:31:32 +0000 (08:31 -0400)]
rename todo/Olea.mdwn to users/Olea.mdwn
http://ismael.olea.org/ [Tue, 22 May 2012 23:31:09 +0000 (19:31 -0400)]
Added a comment
http://ismael.olea.org/ [Tue, 22 May 2012 21:24:37 +0000 (17:24 -0400)]
Added a comment
Joey Hess [Tue, 22 May 2012 19:21:17 +0000 (15:21 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
http://smcv.pseudorandom.co.uk/ [Tue, 22 May 2012 13:46:20 +0000 (09:46 -0400)]
Added a comment
http://ismael.olea.org/ [Tue, 22 May 2012 10:32:26 +0000 (06:32 -0400)]
http://ismael.olea.org/ [Tue, 22 May 2012 10:30:49 +0000 (06:30 -0400)]
http://ismael.olea.org/ [Sun, 20 May 2012 11:28:07 +0000 (07:28 -0400)]
I think this is the same WMD, but not sure.
Franek [Sun, 20 May 2012 10:46:07 +0000 (06:46 -0400)]
Added a comment: Further enquiries
Joey Hess [Sun, 20 May 2012 00:35:21 +0000 (20:35 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Franek [Sat, 19 May 2012 14:51:42 +0000 (10:51 -0400)]
Added a comment: [[!meta author="...
Franek [Sat, 19 May 2012 14:44:48 +0000 (10:44 -0400)]
http://ismael.olea.org/ [Fri, 18 May 2012 18:36:08 +0000 (14:36 -0400)]
I think this is the same WMD, but not sure.
http://ismael.olea.org/ [Fri, 18 May 2012 16:34:22 +0000 (12:34 -0400)]
http://ismael.olea.org/ [Fri, 18 May 2012 16:32:42 +0000 (12:32 -0400)]
http://ismael.olea.org/ [Fri, 18 May 2012 16:30:58 +0000 (12:30 -0400)]
fixed formatting
added workaround.
Added request.
Joey Hess [Thu, 17 May 2012 17:20:55 +0000 (13:20 -0400)]
some details about past security hole
Joey Hess [Thu, 17 May 2012 03:49:23 +0000 (23:49 -0400)]
typo
Joey Hess [Thu, 17 May 2012 02:13:23 +0000 (22:13 -0400)]
ensure HTML::Entities is always loaded
(Worked ok in my tests w/o this, but not sure I tested every case,
and this is correct.)
Joey Hess [Thu, 17 May 2012 01:18:40 +0000 (21:18 -0400)]
cve
Joey Hess [Thu, 17 May 2012 00:14:03 +0000 (20:14 -0400)]
add news item for ikiwiki 3.
20120516
Joey Hess [Thu, 17 May 2012 00:13:21 +0000 (20:13 -0400)]
releasing version 3.
20120516
Joey Hess [Wed, 16 May 2012 23:54:41 +0000 (19:54 -0400)]
meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl Benencia
Joey Hess [Mon, 14 May 2012 18:14:39 +0000 (14:14 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
https://id.koumbit.net/anarcat [Sat, 12 May 2012 15:04:08 +0000 (11:04 -0400)]
https://id.koumbit.net/anarcat [Sat, 12 May 2012 15:00:47 +0000 (11:00 -0400)]
fix url
http://christian.amsuess.com/chrysn [Fri, 11 May 2012 17:50:36 +0000 (13:50 -0400)]
maybe [[|that page]]?
Joey Hess [Fri, 11 May 2012 04:19:06 +0000 (00:19 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Giuseppe Bilotta [Thu, 10 May 2012 16:42:21 +0000 (18:42 +0200)]
Get started on my user page, fix name spelling, link branches to username
Giuseppe Bilotta [Thu, 10 May 2012 16:11:30 +0000 (18:11 +0200)]
Introduce my linkbase branch
Giuseppe Bilotta [Wed, 9 May 2012 05:56:46 +0000 (07:56 +0200)]
po/Makefile: missing one semicolon still
simonraven [Tue, 8 May 2012 23:13:32 +0000 (19:13 -0400)]
http://tonybaldwin.dreamwidth.org/ [Tue, 8 May 2012 13:59:56 +0000 (09:59 -0400)]
created, asked a question
Adam [Mon, 7 May 2012 21:40:31 +0000 (17:40 -0400)]
Giuseppe Bilotta [Sat, 5 May 2012 09:40:25 +0000 (11:40 +0200)]
Fix po Makefile
In the complex 'if' chain when merging ikiwiki.pot with .po files, make
sure line-endings, shell-muting and semi-colons don't cause the shell to
bomb out with syntax errors and commands not found.
Puck [Mon, 30 Apr 2012 21:20:58 +0000 (17:20 -0400)]
The blog Puckspage.org added.