https://id.koumbit.net/anarcat [Tue, 31 May 2016 14:41:15 +0000 (10:41 -0400)]
small security review and suggestions
https://id.koumbit.net/anarcat [Tue, 31 May 2016 14:11:26 +0000 (10:11 -0400)]
more home pages
spalax [Tue, 31 May 2016 06:33:42 +0000 (02:33 -0400)]
Remark on anarcat's remark
https://id.koumbit.net/anarcat [Tue, 31 May 2016 04:06:34 +0000 (00:06 -0400)]
compile could have done this as well
https://id.koumbit.net/anarcat [Tue, 31 May 2016 03:59:42 +0000 (23:59 -0400)]
oops, forgot some changes
https://id.koumbit.net/anarcat [Tue, 31 May 2016 03:56:12 +0000 (23:56 -0400)]
bibtex2html plugin
pdurbin [Mon, 30 May 2016 11:24:44 +0000 (07:24 -0400)]
Added a comment
Joey Hess [Sun, 29 May 2016 19:35:28 +0000 (15:35 -0400)]
comment
pdurbin [Sun, 29 May 2016 18:57:23 +0000 (14:57 -0400)]
start discussion on table plugin and Markdown side effects on data
shivams [Mon, 23 May 2016 08:47:22 +0000 (04:47 -0400)]
shivams [Mon, 23 May 2016 08:43:18 +0000 (04:43 -0400)]
https://launchpad.net/~eliasson [Fri, 20 May 2016 08:22:18 +0000 (04:22 -0400)]
https://launchpad.net/~eliasson [Fri, 20 May 2016 08:22:00 +0000 (04:22 -0400)]
https://launchpad.net/~eliasson [Fri, 20 May 2016 08:15:49 +0000 (04:15 -0400)]
https://launchpad.net/~eliasson [Fri, 20 May 2016 08:08:49 +0000 (04:08 -0400)]
https://launchpad.net/~eliasson [Fri, 20 May 2016 08:02:03 +0000 (04:02 -0400)]
https://launchpad.net/~eliasson [Fri, 20 May 2016 07:55:41 +0000 (03:55 -0400)]
https://id.koumbit.net/anarcat [Thu, 19 May 2016 23:57:03 +0000 (19:57 -0400)]
fix system calls
smcv [Wed, 18 May 2016 17:56:35 +0000 (13:56 -0400)]
No, this page is not C++ source code.
This reverts commit c35ab1e75394bd15788bd2479ad11f70c543ce78
smcv [Wed, 18 May 2016 17:55:48 +0000 (13:55 -0400)]
rename bugs/garbled_non-ascii_characters_in_body_in_web_interface.mdwn to bugs/garbled_non-ascii_characters_in_body_in_web_interface.cpp
rename index.mdwn to index.c
https://id.koumbit.net/anarcat [Tue, 17 May 2016 15:10:46 +0000 (11:10 -0400)]
smcv [Tue, 17 May 2016 15:09:03 +0000 (11:09 -0400)]
testtt [Tue, 17 May 2016 13:56:10 +0000 (09:56 -0400)]
Simon McVittie [Tue, 17 May 2016 09:10:49 +0000 (10:10 +0100)]
Revert vandalism
CRAZYBATMAN [Tue, 17 May 2016 06:26:20 +0000 (02:26 -0400)]
CRAZYBATMAN [Tue, 17 May 2016 06:25:31 +0000 (02:25 -0400)]
CRAZYBATMAN [Tue, 17 May 2016 06:24:42 +0000 (02:24 -0400)]
CRAZYBATMAN [Tue, 17 May 2016 06:24:15 +0000 (02:24 -0400)]
https://id.koumbit.net/anarcat [Tue, 17 May 2016 02:41:42 +0000 (22:41 -0400)]
and we have a bot
https://id.koumbit.net/anarcat [Tue, 17 May 2016 02:40:50 +0000 (22:40 -0400)]
little irc integration plugin
https://id.koumbit.net/anarcat [Mon, 16 May 2016 21:40:24 +0000 (17:40 -0400)]
add details on bot setup
Simon McVittie [Wed, 11 May 2016 08:18:14 +0000 (09:18 +0100)]
Wrapper: allocate new environment dynamically
Otherwise, if third-party plugins extend newenviron by more than
3 entries, we could overflow the array. It seems unlikely that any
third-party plugin manipulates newenviron in practice, so this
is mostly theoretical. Just in case, I have deliberately avoided
using "i" as the variable name, so that any third-party plugin
that was manipulating newenviron directly will now result in the
wrapper failing to compile.
I have not assumed that realloc(NULL, ...) works as an equivalent of
malloc(...), in case there are still operating systems where that
doesn't work.
Simon McVittie [Mon, 9 May 2016 20:59:50 +0000 (21:59 +0100)]
Simon McVittie [Mon, 9 May 2016 20:57:34 +0000 (21:57 +0100)]
Reference CVE-2016-4561 in 3.20160506 changelog
Simon McVittie [Mon, 9 May 2016 20:53:10 +0000 (21:53 +0100)]
img test: exercise upper-case extensions for image files
Simon McVittie [Mon, 9 May 2016 20:12:41 +0000 (21:12 +0100)]
Remove spurious changelog entry
This change was new in 3.20141016.3, but was applied to the master
branch several releases ago, so it is not new in 3.20160506.
smcv [Mon, 9 May 2016 12:24:35 +0000 (08:24 -0400)]
mention that the CVE-2016-4561 fix was backported
desci [Mon, 9 May 2016 01:54:17 +0000 (21:54 -0400)]
Clarifying
desci [Mon, 9 May 2016 01:53:14 +0000 (21:53 -0400)]
Adding info regarding bootstrap classes
desci [Mon, 9 May 2016 01:42:54 +0000 (21:42 -0400)]
Adding sites
Amitai Schlair [Sun, 8 May 2016 22:26:15 +0000 (18:26 -0400)]
Detect image type from .JPG just like .jpg (etc.).
Amitai Schlair [Sun, 8 May 2016 22:25:46 +0000 (18:25 -0400)]
Fix spelling of "ratio" in test.
https://id.koumbit.net/anarcat [Sun, 8 May 2016 21:10:50 +0000 (17:10 -0400)]
thanks!
smcv [Sun, 8 May 2016 20:44:56 +0000 (16:44 -0400)]
tag added
https://id.koumbit.net/anarcat [Sun, 8 May 2016 20:40:13 +0000 (16:40 -0400)]
thanks!
smcv [Sun, 8 May 2016 20:37:34 +0000 (16:37 -0400)]
sorry, one day I'll review this, but this is not that day
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:59:12 +0000 (14:59 -0400)]
still using this in production, would welcome feedback
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:57:28 +0000 (14:57 -0400)]
dropping this.
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:56:26 +0000 (14:56 -0400)]
Simon McVittie [Fri, 6 May 2016 06:32:17 +0000 (07:32 +0100)]
img: make img_allowed_formats case-insensitive
Simon McVittie [Fri, 6 May 2016 21:51:02 +0000 (22:51 +0100)]
inline: expand show=N backwards compatibility to negative N
[[plugins/contrib]] uses show=-1 to show the post-creation widget
without actually inlining anything.
Simon McVittie [Fri, 6 May 2016 20:35:14 +0000 (21:35 +0100)]
Add CVE reference
smcv [Fri, 6 May 2016 19:29:51 +0000 (15:29 -0400)]
respond
Simon McVittie [Fri, 6 May 2016 19:16:58 +0000 (20:16 +0100)]
use intended filename
smcv [Fri, 6 May 2016 19:14:09 +0000 (15:14 -0400)]
escape directive properly; add paragraph breaks
smcv [Fri, 6 May 2016 19:12:49 +0000 (15:12 -0400)]
rename todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn to bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
smcv [Fri, 6 May 2016 19:12:29 +0000 (15:12 -0400)]
already fixed
Simon McVittie [Fri, 6 May 2016 19:10:19 +0000 (20:10 +0100)]
Simon McVittie [Fri, 6 May 2016 19:05:45 +0000 (20:05 +0100)]
Merge remote-tracking branch 'origin/master'
Simon McVittie [Fri, 6 May 2016 06:54:47 +0000 (07:54 +0100)]
Simon McVittie [Fri, 6 May 2016 06:53:53 +0000 (07:53 +0100)]
Exclude users/* from the HTML documentation
Simon McVittie [Fri, 6 May 2016 06:46:58 +0000 (07:46 +0100)]
Do not recommend mimetype(image/*)
Not all image file types are safe for general use: in particular,
image/svg+xml is known to be vulnerable to CVE-2016-3714 under some
ImageMagick configurations.
Simon McVittie [Fri, 6 May 2016 06:49:45 +0000 (07:49 +0100)]
Document the security fixes in this release
Joey Hess [Fri, 6 May 2016 00:44:11 +0000 (20:44 -0400)]
update test suite for svg passthrough by img directive
Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.
Simon McVittie [Fri, 6 May 2016 05:57:12 +0000 (06:57 +0100)]
img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.
(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)
[smcv: drop trailing whitespace, fix some spelling]
Joey Hess [Fri, 6 May 2016 00:18:38 +0000 (20:18 -0400)]
changelog for smcv's security fixes
[smcv: omit a change that was already in 3.20160514]
Simon McVittie [Thu, 5 May 2016 22:17:45 +0000 (23:17 +0100)]
img: check magic number before giving common formats to ImageMagick
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
Simon McVittie [Wed, 4 May 2016 07:54:19 +0000 (08:54 +0100)]
img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
Simon McVittie [Wed, 4 May 2016 07:52:40 +0000 (08:52 +0100)]
img: force common Web formats to be interpreted according to extension
A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, a SVG file named attachment.jpg.
This mitigates CVE-2016-3714.
Simon McVittie [Wed, 4 May 2016 07:46:02 +0000 (08:46 +0100)]
HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)
The instances in preprocess() are just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
https://id.koumbit.net/anarcat [Wed, 4 May 2016 22:53:24 +0000 (18:53 -0400)]
all good
smcv [Wed, 4 May 2016 22:35:33 +0000 (18:35 -0400)]
https://id.koumbit.net/anarcat [Wed, 4 May 2016 13:45:25 +0000 (09:45 -0400)]
response: confirmation it's a bug in MMD and Discount doesn't have footnotes, and request for workaround
smcv [Wed, 4 May 2016 09:48:01 +0000 (05:48 -0400)]
discount (as used on this wiki) can do footnotes, but they aren't enabled by ikiwiki
smcv [Wed, 4 May 2016 09:38:27 +0000 (05:38 -0400)]
response
Joey Hess [Mon, 2 May 2016 13:33:59 +0000 (09:33 -0400)]
response
https://id.koumbit.net/anarcat [Fri, 29 Apr 2016 04:32:02 +0000 (00:32 -0400)]
https://id.koumbit.net/anarcat [Fri, 29 Apr 2016 00:13:05 +0000 (20:13 -0400)]
response
Joey Hess [Thu, 28 Apr 2016 23:34:51 +0000 (19:34 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Thu, 28 Apr 2016 23:32:58 +0000 (19:32 -0400)]
response
Joey Hess [Thu, 28 Apr 2016 23:06:01 +0000 (19:06 -0400)]
Merge remote-tracking branch 'origin/master'
https://id.koumbit.net/anarcat [Thu, 28 Apr 2016 14:12:52 +0000 (10:12 -0400)]
https://id.koumbit.net/anarcat [Thu, 28 Apr 2016 14:08:05 +0000 (10:08 -0400)]
http/https issue
Antoine Beaupré [Tue, 26 Apr 2016 22:52:25 +0000 (18:52 -0400)]
smaller is too small for large blocks
Antoine Beaupré [Tue, 26 Apr 2016 22:50:47 +0000 (18:50 -0400)]
fix typo and comment
Antoine Beaupré [Tue, 26 Apr 2016 22:46:52 +0000 (18:46 -0400)]
new CSS bug
https://id.koumbit.net/anarcat [Tue, 26 Apr 2016 22:35:20 +0000 (18:35 -0400)]
explain footnotes
desci [Tue, 19 Apr 2016 02:08:50 +0000 (22:08 -0400)]
Changed the expired domain and added question
RickHanson [Sun, 17 Apr 2016 23:38:12 +0000 (19:38 -0400)]
Fixed dead link.
Antoine Beaupré [Fri, 15 Apr 2016 22:11:29 +0000 (18:11 -0400)]
add screenshot
Antoine Beaupré [Fri, 15 Apr 2016 21:31:53 +0000 (17:31 -0400)]
fix typos
Antoine Beaupré [Fri, 15 Apr 2016 21:29:44 +0000 (17:29 -0400)]
announce the admonition plugin
Antoine Beaupré [Fri, 15 Apr 2016 16:29:25 +0000 (12:29 -0400)]
elaborate copyright investigation. ugh.
Antoine Beaupré [Fri, 15 Apr 2016 15:17:02 +0000 (11:17 -0400)]
response
Antoine Beaupré [Fri, 15 Apr 2016 15:07:14 +0000 (11:07 -0400)]
can't login again
smcv [Fri, 15 Apr 2016 14:38:11 +0000 (10:38 -0400)]
escape
smcv [Fri, 15 Apr 2016 14:37:43 +0000 (10:37 -0400)]
templates are another way to do this