Simon McVittie [Mon, 9 Jan 2017 13:02:43 +0000 (13:02 +0000)]
t/git-cgi.t: fix race condition
We need the changes to take place at least 1 second after the first
rebuild, so that the changed files are seen to have changed.
(cherry picked from commit
62c9df67212c7c42eb03ad9e36891afe4bc2d9a2)
Simon McVittie [Wed, 11 Jan 2017 15:33:21 +0000 (15:33 +0000)]
git: Do not disable commit hook for temporary working tree
We exclude .git/hooks from symlinking into the temporary working tree,
which avoids the commit hook being run for the temporary branch anyway.
This avoids the wiki not being updated if an orthogonal change is
received in process A, while process B prepares a revert that is
subsequently cancelled.
(cherry picked from commit
d092b0b77701a4c5cd9c8464b774a6a1da1f02cd)
Simon McVittie [Thu, 29 Dec 2016 20:35:46 +0000 (20:35 +0000)]
git: Attribute reverts to the user doing the revert, not the wiki itself
(cherry picked from commit
afda05479645ccf64bc2cb534d023c5a8cb0a5ae)
Simon McVittie [Wed, 28 Dec 2016 21:03:01 +0000 (21:03 +0000)]
git: Add test coverage for reverting attachments
(cherry picked from commit
29b91c970bdc7a8856c0b4f8dbcd915614a46006)
Simon McVittie [Wed, 28 Dec 2016 19:35:14 +0000 (19:35 +0000)]
git: write proposed attachment to temp file without going via system()
(cherry picked from commit
4ad4fc33b52c7a2636eec810ca280efe65497fc9)
Simon McVittie [Wed, 28 Dec 2016 19:26:33 +0000 (19:26 +0000)]
git: change calling convention of safe_git to have named arguments
(cherry picked from commit
7f2235478d4331b8738e9a9dc8d6d6c08461cd5c)
Simon McVittie [Wed, 28 Dec 2016 18:04:34 +0000 (18:04 +0000)]
git: Do the revert operation in a secondary working tree
This avoids leaving the git directory in an inconsistent state if the
host system is rebooted while we are processing a revert.
(cherry picked from commit
7e84a1f9d88a1f546188a28524fedbdf53bb8729)
Simon McVittie [Wed, 28 Dec 2016 18:02:59 +0000 (18:02 +0000)]
git: Turn $git_dir into a stack
This will be necessary when we use a secondary working tree to do
reverts without leaving the primary working tree in an inconsistent
state.
(cherry picked from commit
39b8931ad31fe6b48afdc570caa459a0996c2092)
Simon McVittie [Mon, 26 Dec 2016 18:24:19 +0000 (18:24 +0000)]
Add automated test for using the CGI with git, including CVE-2016-10026
(cherry picked from commit
fa64672d40f877f3bf9cf245cda0cc3f3837c50c)
Simon McVittie [Mon, 26 Dec 2016 18:45:02 +0000 (18:45 +0000)]
Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().
OVE-
20161226-0002
Simon McVittie [Mon, 26 Dec 2016 18:21:37 +0000 (18:21 +0000)]
git: do not fail to commit if committer is anonymous
(cherry picked from commit
c86046090e1dc31035e4db12e4f29562634d621e)
Simon McVittie [Mon, 26 Dec 2016 18:20:41 +0000 (18:20 +0000)]
git: don't issue a warning if rcsinfo is undefined
The intention here seems to be that $prev may be undefined, and the
only way that can legitimately happen is for $params{token} to be
undefined too.
(cherry picked from commit
fd14cd2a4355684951bb40a1e72e8b0960a674fd)
Simon McVittie [Sat, 3 Sep 2016 22:29:37 +0000 (23:29 +0100)]
Use git log --no-renames for recentchanges
Otherwise, recent git releases show renames as renames, and we do not
see that newdir/test5 was affected.
Bug-Debian: https://bugs.debian.org/835612
(cherry picked from commit
276f0cf57861418fae5b4db8446d3d1098130cdf)
Florian Wagner [Thu, 17 Mar 2016 11:20:30 +0000 (12:20 +0100)]
Correctly handle filenames starting with a dash in add/rm/mv.
(cherry picked from commit
bbdba8d770b73bc44f55219615b360484b7d240f)
Simon McVittie [Mon, 30 Nov 2015 20:46:12 +0000 (20:46 +0000)]
ensure_committer: don't do anything if we have the environment variables
(cherry picked from commit
1f635c6dcaeff8f869f874f659da875c4e7f1863)
Simon McVittie [Mon, 30 Nov 2015 20:45:38 +0000 (20:45 +0000)]
Don't memoize ensure_committer
This makes it harder to test, and if we're invoking git anyway,
a couple of extra subprocesses are no big deal.
(cherry picked from commit
8550c397016bd66095f24de64b077526e08bbab2)
Simon McVittie [Mon, 26 Dec 2016 18:19:52 +0000 (18:19 +0000)]
git: if no committer identity is known, set it to "IkiWiki <ikiwiki.info>" in .git/config
This resolves commit errors in versions of git that require a non-trivial
committer identity.
(cherry picked from commit
ed1e1ebe70c8aec06a759d8cd0168f242d28ac17)
Simon McVittie [Mon, 26 Dec 2016 18:18:45 +0000 (18:18 +0000)]
Revert "Tell `git revert` not to follow renames (CVE-2016-10026)"
This doesn't work prior to git 2.8: `git revert` silently ignores the
option and succeeds. We will have to fix CVE-2016-10026 some other way.
This reverts commit
bb5cf4a0940b8fd2750c6175adb15382b84c71e2.
Simon McVittie [Mon, 19 Dec 2016 13:48:56 +0000 (13:48 +0000)]
Tell `git revert` not to follow renames (CVE-2016-10026)
Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Wed, 11 Jan 2017 13:22:03 +0000 (13:22 +0000)]
CGI, attachment, passwordauth: harden against repeated parameters
These instances of code similar to OVE-
20170111-0001 are not believed
to be exploitable, because defined(), length(), setpassword(),
userinfo_set() and the binary "." operator all have prototypes that
force the relevant argument to be evaluated in scalar context. However,
using a safer idiom makes mistakes less likely.
Simon McVittie [Sat, 24 Dec 2016 15:03:51 +0000 (15:03 +0000)]
Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in
f4ec7b0. Force it into scalar context where it is used
in an argument list.
This prevents two (relatively minor) commit metadata forgery
vulnerabilities:
* In the comments plugin, an attacker who was able to post a comment
could give it a user-specified author and author-URL even if the wiki
configuration did not allow for that, by crafting multiple values
to other fields.
* In the editpage plugin, an attacker who was able to edit a page
could potentially forge commit authorship by crafting multiple values
for the rcsinfo field.
The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.
OVE-
20161226-0001
(cherry picked from commit
c1120bbbe8fdea20cf64fa12247f4f4a4006c834)
Simon McVittie [Wed, 11 Jan 2017 13:19:13 +0000 (13:19 +0000)]
passwordauth: avoid userinfo forgery via repeated email parameter
OVE-
20170111-0001
Simon McVittie [Wed, 11 Jan 2017 13:16:37 +0000 (13:16 +0000)]
t/passwordauth.t: new automated test for passwordauth
In particular this includes an exploit for OVE-
20170111-0001.
Simon McVittie [Wed, 11 Jan 2017 13:12:50 +0000 (13:12 +0000)]
passwordauth: prevent authentication bypass via multiple name parameters
Calling CGI::FormBuilder::field with a name argument in list context
returns zero or more user-specified values of the named field, even
if that field was not declared as supporting multiple values.
Passing the result of field as a function parameter counts as list
context. This is the same bad behaviour that is now discouraged
for CGI::param.
In this case we pass the multiple values to CGI::Session::param.
That accessor has six possible calling conventions, of which four are
documented. If an attacker passes (2*n + 1) values for the 'name'
field, for example name=a&name=b&name=c, we end up in one of the
undocumented calling conventions for param:
# equivalent to: (name => 'a', b => 'c')
$session->param('name', 'a', 'b', 'c')
and the 'b' session parameter is unexpectedly set to an
attacker-specified value.
In particular, if an attacker "bob" specifies
name=bob&name=name&name=alice, then authentication is carried out
for "bob" but the CGI::Session ends up containing {name => 'alice'},
an authentication bypass vulnerability.
This vulnerability is tracked as OVE-
20170111-0001.
Simon McVittie [Wed, 11 Jan 2017 19:28:48 +0000 (19:28 +0000)]
Update git plugin to version 3.
20141016.3 (Debian jessie)
This adds some new hooks that are never actually called in this
version, but that's harmless.
commit
59cfb9b6d0f5f60516d17c79365318711a92fb04
Author: Joey Hess <joey@kitenet.net>
Date: 2014-04-05 19:09:05 -0400
only_committed_changes could fail in a git repository merged with git merge -s ours.
commit
c1fbd66c031980f89e6b28862fe90813b1074c2e
Merge:
b5b8c5cec be3483fe9
Author: Joey Hess <joey@kitenet.net>
Date: 2014-02-23 14:19:39 -0400
Merge remote-tracking branch 'remotes/smcv/ready/git-push-origin-master'
commit
be3483fe9be559a62dd88577b3a374d55b7262f3
Author: Simon McVittie <smcv@debian.org>
Date: 2014-02-21 11:23:17 +0000
git: explicitly specify the branch to push to origin
git's behaviour when doing "git push origin" is configurable, and the
default is going to change in 2.0. In particular, if you've set
push.default to "nothing", the regression test will warn:
fatal: You didn't specify any refspecs to push, and push.default
is "nothing".
'git push origin' failed: at .../lib/IkiWiki/Plugin/git.pm line 220.
commit
d52774dd458059ba1442fdac1daf648dc4f228de
Author: intrigeri <intrigeri@boum.org>
Date: 2013-12-31 01:27:21 +0000
Do not UTF8-escape "/" in Git's diffurl: cgit does not support this.
commit
441002e3e6b7f979eb4ef1d2525add2ea308ba6a
Author: Joey Hess <joey@kitenet.net>
Date: 2013-11-16 20:48:23 -0400
deal with the case where oldrev is the same as newrev
commit
727d39b92a90619027badbd4fd28d37a51c25d16
Author: Joey Hess <joey@kitenet.net>
Date: 2013-11-16 18:56:39 -0400
fix eq
commit
654530fa8bb0937123ed526e3093170ef23f5295
Author: Joey Hess <joey@kitenet.net>
Date: 2013-11-16 17:26:20 -0400
Added only_committed_changes config setting, which speeds up wiki refresh by querying git to find the files that were changed, rather than looking at the work tree. Not enabled by default as it can break some setups where not all files get committed to git.
commit
946af13ae60da6a8688e66bbe17dd1a012e5d747
Author: Joey Hess <joey@kitenet.net>
Date: 2013-07-10 21:52:43 -0400
Pass --no-edit when used with git 1.7.8 and newer.
Not sure if this is needed to avoid it trying to run an editor. Probably
there is never a controlling terminal and probably git notices and does
nothing. But I'm just copying what I have in git-annex assistant here.
(Although with a much worse git version comparion, that only really works due
to luck.)
commit
b162563dc1c6126953e66cdcc508f389b9d39d8e
Author: Joey Hess <joey@kitenet.net>
Date: 2013-07-10 21:48:16 -0400
Deal with git behavior change in 1.7.8 and newer that broke support for commits with an empty commit message.
commit
12c9219d671c672fedcf9e9ab7f9187b23b8f7f4
Author: Shlomi Fish <shlomif@shlomifish.org>
Date: 2012-12-17 22:44:54 +0200
Fix some warnigns in recent perls.
All existing tests pass.
Simon McVittie [Mon, 9 May 2016 21:39:24 +0000 (22:39 +0100)]
Second try at 3.
20120629.2+deb7u1
Simon McVittie [Mon, 9 May 2016 20:53:10 +0000 (21:53 +0100)]
img test: exercise upper-case extensions for image files
Amitai Schlair [Sun, 8 May 2016 22:26:15 +0000 (18:26 -0400)]
Detect image type from .JPG just like .jpg (etc.).
Simon McVittie [Sun, 8 May 2016 15:31:08 +0000 (16:31 +0100)]
Simon McVittie [Sun, 8 May 2016 15:30:51 +0000 (16:30 +0100)]
debian/tests: add metadata to run the img test as an autopkgtest
Simon McVittie [Sun, 8 May 2016 14:41:35 +0000 (15:41 +0100)]
Add t/img.t regression test also taken from version 3.
20160506
(chrysn, joeyh, schmonz, smcv)
Simon McVittie [Wed, 4 May 2016 07:52:40 +0000 (08:52 +0100)]
Update img plugin to version 3.
20160506
* Update img plugin to version 3.
20160506 to mitigate ImageMagick
vulnerabilities, including remote code execution (CVE-2016-3714):
- Never convert SVG images to PNG; simply pass them through to the
browser. This prevents exploitation of any ImageMagick SVG coder
vulnerabilities. (joeyh)
- Do not resize image formats other than JPEG, PNG, GIF unless
specifically configured to do so. This prevents exploitation
of any vulnerabilities in less common coders, such as MVG. (smcv)
- Do not resize JPEG, PNG, GIF, PDF images if their extensions do
not match their "magic numbers", because wiki admins might try to
restrict attachments by extension, but ImageMagick can base its
choice of coder on the magic number. Explicitly force the
obvious ImageMagick coder to be used. (smcv)
* Minor non-security changes resulting from that update, since
reverting them seems higher-risk than keeping them:
- Add PDF support, disabled by the above changes unless specifically
configured (chrysn)
- Only render one frame or page from animated GIF or multi-page PDF
(chrysn)
- Do not distort aspect ratio when resizing small images (chrysn)
- Use data: URLs to embed images in page previews (chrysn)
- Raise an error if the image's size cannot be determined (chrysn)
- Handle filenames containing a colon correctly (smcv)
Simon McVittie [Wed, 4 May 2016 07:46:02 +0000 (08:46 +0100)]
HTML-escape error messages (CVE-2016-4561)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-
20160505-0012, CVE-2016-4561)
The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
Simon McVittie [Mon, 6 Apr 2015 19:37:07 +0000 (20:37 +0100)]
Joey Hess [Fri, 27 Mar 2015 16:17:39 +0000 (12:17 -0400)]
Fix XSS in openid selector. Thanks, Raghav Bisht.
Conflicts:
debian/changelog
doc/bugs/XSS_Alert...__33____33____33__.html
Simon McVittie [Sat, 17 Jan 2015 11:53:49 +0000 (11:53 +0000)]
correct double-negative
Simon McVittie [Wed, 14 Jan 2015 22:11:05 +0000 (22:11 +0000)]
wheezy release candidate
Joey Hess [Fri, 2 Jan 2015 20:45:26 +0000 (16:45 -0400)]
close debian bug I opened about blogspam
Conflicts:
debian/changelog
Amitai Schlair [Sat, 3 Jan 2015 15:02:20 +0000 (10:02 -0500)]
blogspam uses JSON instead of RPC::XML now.
Amitai Schlair [Fri, 2 Jan 2015 18:55:10 +0000 (13:55 -0500)]
Update blogspam to the 2.0 API.
[backport to Debian wheezy, open-coding a simple version of useragent() -smcv]
Conflicts:
IkiWiki/Plugin/blogspam.pm
debian/changelog
Joey Hess [Sat, 8 Nov 2014 04:08:33 +0000 (00:08 -0400)]
Set Debian package maintainer to Simon McVittie as I'm retiring from Debian.
Conflicts:
debian/changelog
debian/control
Joey Hess [Fri, 29 Jun 2012 17:43:09 +0000 (13:43 -0400)]
releasing version 3.
20120629
Joey Hess [Sun, 17 Jun 2012 19:12:53 +0000 (15:12 -0400)]
cleanup
ikitest [Sun, 17 Jun 2012 19:05:09 +0000 (15:05 -0400)]
http://openid.ppke.hu/cstamas [Sun, 17 Jun 2012 00:16:22 +0000 (20:16 -0400)]
add signature
http://openid.ppke.hu/cstamas [Sun, 17 Jun 2012 00:14:19 +0000 (20:14 -0400)]
add
Question re: google search missing results
Joey Hess [Mon, 11 Jun 2012 04:47:15 +0000 (00:47 -0400)]
bug on trail plugin
spalax [Fri, 8 Jun 2012 00:56:07 +0000 (20:56 -0400)]
Added a comment: Popup listing multiple entries per day
spalax [Fri, 8 Jun 2012 00:00:58 +0000 (20:00 -0400)]
Contrib plugin created_in_future
spalax [Thu, 7 Jun 2012 23:47:45 +0000 (19:47 -0400)]
Contrib plugin monthcalendar
spalax [Thu, 7 Jun 2012 23:38:12 +0000 (19:38 -0400)]
Contrib plugin jscalendar : a javascript calendar
spalax [Thu, 7 Jun 2012 23:31:07 +0000 (19:31 -0400)]
spalax [Thu, 7 Jun 2012 23:27:38 +0000 (19:27 -0400)]
rename contrib/jscalendar.mdwn to plugins/contrib/jscalendar.mdwn
spalax [Thu, 7 Jun 2012 23:26:57 +0000 (19:26 -0400)]
rename todo/Javascript_calendar.mdwn to contrib/jscalendar.mdwn
mathdesc [Thu, 7 Jun 2012 11:11:29 +0000 (07:11 -0400)]
will put in in the forum, sry
This reverts commit
f2b421b26b9ceb68b19a11140936537353da51de
comment removal question
mathdesc [Wed, 6 Jun 2012 09:51:28 +0000 (05:51 -0400)]
mathdesc [Wed, 6 Jun 2012 09:25:35 +0000 (05:25 -0400)]
pdurbin [Tue, 5 Jun 2012 15:24:26 +0000 (11:24 -0400)]
created page: Can not advance past first page of results using search plugin
pdurbin [Tue, 5 Jun 2012 15:02:20 +0000 (11:02 -0400)]
created user page
Joey Hess [Sun, 3 Jun 2012 17:17:03 +0000 (13:17 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Sun, 3 Jun 2012 17:16:31 +0000 (13:16 -0400)]
mirrorlist: Add mirrorlist_use_cgi setting that avoids usedirs or other config differences by linking to the mirror's CGI. (intrigeri)
Joey Hess [Sun, 3 Jun 2012 17:15:19 +0000 (13:15 -0400)]
Merge remote-tracking branch 'intrigeri/mirrorlist'
http://joeyh.name/ [Sun, 3 Jun 2012 17:11:12 +0000 (13:11 -0400)]
Added a comment
Joey Hess [Sun, 3 Jun 2012 17:06:45 +0000 (13:06 -0400)]
sadly still lost
Joey Hess [Sat, 2 Jun 2012 01:32:51 +0000 (21:32 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Tue, 29 May 2012 17:43:37 +0000 (13:43 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
intrigeri [Mon, 28 May 2012 09:38:28 +0000 (11:38 +0200)]
Ping'ing Joey.
Franek [Sat, 26 May 2012 19:31:19 +0000 (15:31 -0400)]
Added a comment: kind of solved, but another problem comes up
Joey Hess [Thu, 24 May 2012 20:33:15 +0000 (16:33 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
damien [Thu, 24 May 2012 11:44:02 +0000 (07:44 -0400)]
removed
damien [Thu, 24 May 2012 11:43:16 +0000 (07:43 -0400)]
Added a comment: ceci est un test
http://ismael.olea.org/ [Wed, 23 May 2012 12:31:34 +0000 (08:31 -0400)]
update for rename of todo/Olea.mdwn to users/Olea.mdwn
http://ismael.olea.org/ [Wed, 23 May 2012 12:31:33 +0000 (08:31 -0400)]
update for rename of todo/Olea.mdwn to users/Olea.mdwn
http://ismael.olea.org/ [Wed, 23 May 2012 12:31:32 +0000 (08:31 -0400)]
rename todo/Olea.mdwn to users/Olea.mdwn
http://ismael.olea.org/ [Tue, 22 May 2012 23:31:09 +0000 (19:31 -0400)]
Added a comment
http://ismael.olea.org/ [Tue, 22 May 2012 21:24:37 +0000 (17:24 -0400)]
Added a comment
Joey Hess [Tue, 22 May 2012 19:21:17 +0000 (15:21 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
http://smcv.pseudorandom.co.uk/ [Tue, 22 May 2012 13:46:20 +0000 (09:46 -0400)]
Added a comment
http://ismael.olea.org/ [Tue, 22 May 2012 10:32:26 +0000 (06:32 -0400)]
http://ismael.olea.org/ [Tue, 22 May 2012 10:30:49 +0000 (06:30 -0400)]
http://ismael.olea.org/ [Sun, 20 May 2012 11:28:07 +0000 (07:28 -0400)]
I think this is the same WMD, but not sure.
Franek [Sun, 20 May 2012 10:46:07 +0000 (06:46 -0400)]
Added a comment: Further enquiries
Joey Hess [Sun, 20 May 2012 00:35:21 +0000 (20:35 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Franek [Sat, 19 May 2012 14:51:42 +0000 (10:51 -0400)]
Added a comment: [[!meta author="...
Franek [Sat, 19 May 2012 14:44:48 +0000 (10:44 -0400)]
http://ismael.olea.org/ [Fri, 18 May 2012 18:36:08 +0000 (14:36 -0400)]
I think this is the same WMD, but not sure.
http://ismael.olea.org/ [Fri, 18 May 2012 16:34:22 +0000 (12:34 -0400)]