git.vanrenterghem.biz Git - git.ikiwiki.info.git/log
Simon McVittie [Thu, 16 Oct 2014 21:40:52 +0000 (22:40 +0100)]
build-depend on libcgi-pm-perl too, for tests

Simon McVittie [Thu, 16 Oct 2014 08:45:36 +0000 (09:45 +0100)]
Explicitly depend on CGI.pm, which is no longer in Perl core

I was going to depend on the version that has CGI->param_fetch,
but that has been supported since 2.37, which is older than oldstable.

Amitai Schlair [Wed, 15 Oct 2014 22:52:43 +0000 (23:52 +0100)]
IkiWiki::Plugin::openid: as a precaution, do not call non-coderefs

We're running under "use strict" here, so if CGI->param's array-context
misbehaviour passes an extra non-ref parameter, it shouldn't be executed
anyway... but it's as well to be safe.

[commit message added by smcv]

Amitai Schlair [Wed, 15 Oct 2014 21:32:02 +0000 (22:32 +0100)]
Call CGI->param_fetch instead of CGI->param in array context

CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.

In the situations where we do want to cope with more than one parameter
of the same name, CGI->param_fetch (which always returns an
array-reference) makes the intention clearer.

[commit message added by smcv]

Simon McVittie [Sat, 11 Oct 2014 08:28:22 +0000 (09:28 +0100)]
Make sure we do not pass multiple CGI parameters in function calls

When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.

I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.

https://www.google.com/accounts/o8/id?id=AItOawk8U772S3jDrZJCO0WA5WaDLjJv5mMl6Yw [Thu, 16 Oct 2014 14:57:26 +0000 (10:57 -0400)]
Added a comment: It was an Apache problem...

smcv [Thu, 16 Oct 2014 12:11:52 +0000 (08:11 -0400)]
branch

smcv [Thu, 16 Oct 2014 11:52:05 +0000 (07:52 -0400)]
comment

Simon McVittie [Wed, 15 Oct 2014 20:56:11 +0000 (21:56 +0100)]
Replace PayPal and Flattr buttons with text links

In particular, this avoids loading third-party resources from the
offline documentation (see
<https://lintian.debian.org/tags/privacy-breach-donation.html>).

http://anastigmatix.net/ [Thu, 16 Oct 2014 02:53:41 +0000 (22:53 -0400)]
mention pagespec_alias patches

smcv [Wed, 15 Oct 2014 23:30:22 +0000 (19:30 -0400)]
Added a comment

smcv [Wed, 15 Oct 2014 23:26:52 +0000 (19:26 -0400)]
Added a comment

openmedi [Wed, 15 Oct 2014 18:49:16 +0000 (14:49 -0400)]
Added a comment

https://www.google.com/accounts/o8/id?id=AItOawlcaGfdn9Kye1Gc8aGb67PDVQW4mKbQD7E [Wed, 15 Oct 2014 13:43:25 +0000 (09:43 -0400)]
Added a comment

openmedi [Wed, 15 Oct 2014 12:33:40 +0000 (08:33 -0400)]
Added a comment

https://www.google.com/accounts/o8/id?id=AItOawmbuZI4n1RsTe3Yeaqb5F-yhtR7a8BWEIE [Wed, 15 Oct 2014 04:18:10 +0000 (00:18 -0400)]
(no commit message)

Amitai Schlair [Tue, 14 Oct 2014 22:46:41 +0000 (18:46 -0400)]
as usual, macports hasn't moved

https://www.google.com/accounts/o8/id?id=AItOawlcaGfdn9Kye1Gc8aGb67PDVQW4mKbQD7E [Tue, 14 Oct 2014 22:41:59 +0000 (18:41 -0400)]
Added a comment

https://www.google.com/accounts/o8/id?id=AItOawlobQ5j7hQVIGkwMWW3yKB_DWqthJcpnsQ [Tue, 14 Oct 2014 22:31:11 +0000 (18:31 -0400)]
(no commit message)

https://www.google.com/accounts/o8/id?id=AItOawlcaGfdn9Kye1Gc8aGb67PDVQW4mKbQD7E [Tue, 14 Oct 2014 22:25:13 +0000 (18:25 -0400)]
Added a comment

Amitai Schlair [Tue, 14 Oct 2014 22:19:09 +0000 (18:19 -0400)]
one report suffices; not yet clear there's a bug

https://www.google.com/accounts/o8/id?id=AItOawk8U772S3jDrZJCO0WA5WaDLjJv5mMl6Yw [Tue, 14 Oct 2014 13:46:55 +0000 (09:46 -0400)]
(no commit message)

https://www.google.com/accounts/o8/id?id=AItOawk8U772S3jDrZJCO0WA5WaDLjJv5mMl6Yw [Tue, 14 Oct 2014 13:20:24 +0000 (09:20 -0400)]
(no commit message)

Amitai Schlair [Mon, 13 Oct 2014 20:21:15 +0000 (16:21 -0400)]
clarify

Amitai Schlair [Mon, 13 Oct 2014 20:13:11 +0000 (16:13 -0400)]
findings and questions

Simon McVittie [Sat, 11 Oct 2014 08:28:02 +0000 (09:28 +0100)]
Do not pass ignored sid parameter to checksessionexpiry

checksessionexpiry's signature changed from
(CGI::Session, CGI->param('sid')) to (CGI, CGI::Session) in commit
985b229b, but editpage still passed the sid as a useless third
parameter, and this was later cargo-culted into remove, rename and
recentchanges.

Simon McVittie [Sun, 12 Oct 2014 17:03:28 +0000 (18:03 +0100)]
comments: don't log remote IP address for signed-in users

The intention was that signed-in users (for instance via httpauth,
passwordauth or openid) are already adequately identified, but
there's nothing to indicate who an anonymous commenter is unless
their IP address is recorded.

Simon McVittie [Sun, 12 Oct 2014 16:57:14 +0000 (17:57 +0100)]
google search plugin: use https for the search

smcv [Sun, 12 Oct 2014 16:49:24 +0000 (12:49 -0400)]
default User-Agent changed

Simon McVittie [Sat, 11 Oct 2014 08:43:34 +0000 (09:43 +0100)]
Set default User-Agent to something that doesn't mention libwww-perl

It appears that both the open-source and proprietary rulesets for
ModSecurity default to blacklisting requests that say they are
from libwww-perl, presumably because some script kiddies use libwww-perl
and are too inept to set a User-Agent that is "too big to blacklist",
like Chrome or the iPhone browser or something. This seems doomed to
failure but whatever.

smcv [Sun, 12 Oct 2014 16:43:14 +0000 (12:43 -0400)]
removed

smcv [Sun, 12 Oct 2014 16:42:54 +0000 (12:42 -0400)]
Added a comment

Amitai Schlair [Sun, 12 Oct 2014 16:42:13 +0000 (12:42 -0400)]
help Markdown make a list

https://www.google.com/accounts/o8/id?id=AItOawlcaGfdn9Kye1Gc8aGb67PDVQW4mKbQD7E [Sun, 12 Oct 2014 16:40:18 +0000 (12:40 -0400)]
Added a comment: fixed in a recent release, I think

openmedi [Sun, 12 Oct 2014 16:06:59 +0000 (12:06 -0400)]
(no commit message)

Amitai Schlair [Sun, 12 Oct 2014 15:08:13 +0000 (11:08 -0400)]
Replace shebang paths with the build-time $(PERL).

On non-Debian systems, /usr/bin/perl might not be the best available
Perl interpreter. Use whichever perl was used to run Makefile.PL,
unless it was "/usr/bin/perl", in which case there's nothing to do.

Amitai Schlair [Sun, 12 Oct 2014 13:30:31 +0000 (09:30 -0400)]
Extract test subs for each site. No change meant.

Amitai Schlair [Sun, 12 Oct 2014 04:01:09 +0000 (00:01 -0400)]
Extract run_cgi(). No functional change intended.

Amitai Schlair [Sat, 11 Oct 2014 13:52:21 +0000 (09:52 -0400)]
Extract check_generated_content(). Same output.

Amitai Schlair [Sat, 11 Oct 2014 01:17:39 +0000 (21:17 -0400)]
Extract check_cgi_mode_bits(). No change intended.

Amitai Schlair [Sat, 11 Oct 2014 00:40:24 +0000 (20:40 -0400)]
Extract thoroughly_rebuild(), a slight test change.

I didn't try to parameterize when a test should fail when we can't
remove ikiwiki.cgi because there already isn't one. (Hooray, natural
language.) Instead, we stop worrying about it and always tolerate
ENOENT.

Amitai Schlair [Sat, 11 Oct 2014 00:25:54 +0000 (20:25 -0400)]
Extract write_setup_file(). No functional change.

Test output differs only by the line numbers of the TODO items.

https://www.google.com/accounts/o8/id?id=AItOawmbuZI4n1RsTe3Yeaqb5F-yhtR7a8BWEIE [Fri, 10 Oct 2014 03:47:44 +0000 (23:47 -0400)]
(no commit message)

smcv [Thu, 9 Oct 2014 18:50:00 +0000 (14:50 -0400)]
clarify further

smcv [Thu, 9 Oct 2014 18:36:13 +0000 (14:36 -0400)]
clarify

smcv [Thu, 9 Oct 2014 18:31:33 +0000 (14:31 -0400)]
That's not how that directive is used, and if you want to try stuff out please edit the sandbox instead

This reverts commit 856819a733d90a2ca259a5a3b03cc5d84f72e931

https://www.google.com/accounts/o8/id?id=AItOawnquaJWYPCmQoY-kgn8wH1Ey7WOCB6zcRY [Thu, 9 Oct 2014 18:10:16 +0000 (14:10 -0400)]
(no commit message)

tarojiro [Wed, 8 Oct 2014 11:38:46 +0000 (07:38 -0400)]
(no commit message)

smcv [Mon, 6 Oct 2014 21:00:24 +0000 (17:00 -0400)]
alternative plan

Amitai Schlair [Mon, 6 Oct 2014 20:31:52 +0000 (16:31 -0400)]
simplify IPC::Run check (same behavior)

Amitai Schlair [Mon, 6 Oct 2014 17:06:02 +0000 (13:06 -0400)]
exclude openid/troubleshooting

smcv [Sun, 5 Oct 2014 22:58:56 +0000 (18:58 -0400)]
(no commit message)

smcv [Sun, 5 Oct 2014 22:56:57 +0000 (18:56 -0400)]
Added a comment

smcv [Sun, 5 Oct 2014 22:55:02 +0000 (18:55 -0400)]
Added a comment

smcv [Sun, 5 Oct 2014 22:54:07 +0000 (18:54 -0400)]
Added a comment

Simon McVittie [Sun, 5 Oct 2014 22:50:57 +0000 (23:50 +0100)]
more fixes

Simon McVittie [Sun, 5 Oct 2014 22:49:25 +0000 (23:49 +0100)]
Document another fix

Simon McVittie [Sun, 5 Oct 2014 22:49:17 +0000 (23:49 +0100)]
In html5 mode, generate a host- or protocol-relative <base> for the CGI

This increases the number of situations in which we do the right thing.

Simon McVittie [Sun, 5 Oct 2014 22:06:48 +0000 (23:06 +0100)]
Add reverse_proxy option which hard-codes cgiurl in CGI output

This solves several people's issues with the CGI trying to be
too clever when IkiWiki is placed behind a reverse-proxy.

Simon McVittie [Sun, 5 Oct 2014 21:56:55 +0000 (22:56 +0100)]
Avoid mixed content when cgiurl is https but url is not

Amitai Schlair [Sun, 5 Oct 2014 20:37:55 +0000 (16:37 -0400)]
offer myself to the ravenous consulting market

smcv [Sun, 5 Oct 2014 15:09:27 +0000 (11:09 -0400)]
remaining bugs after fixing some of the easier situations

Simon McVittie [Sun, 5 Oct 2014 14:56:19 +0000 (15:56 +0100)]
Use protocol-relative URIs if cgiurl and url differ only by authority (hostname)

Simon McVittie [Sun, 5 Oct 2014 14:48:13 +0000 (15:48 +0100)]
Fix a test-case that actually just repeated the previous one instead

Simon McVittie [Sun, 5 Oct 2014 14:19:55 +0000 (15:19 +0100)]
Force use of $config{url} as top URL in w3mmode

Simon McVittie [Sun, 5 Oct 2014 14:19:12 +0000 (15:19 +0100)]
relative URLs test: pass an appropriate PERL5LIB through

We were previously using the system copy of IkiWiki, because the CGI
resets its environment.

Simon McVittie [Sun, 5 Oct 2014 13:34:10 +0000 (14:34 +0100)]
Add WAI-ARIA roles to #main, #comments and #footer when in HTML5 mode

Based on a patch from Patrick.

Simon McVittie [Sun, 5 Oct 2014 13:29:32 +0000 (14:29 +0100)]
add the beginnings of a test for CGI/static URL interactions

smcv [Sun, 5 Oct 2014 13:23:30 +0000 (09:23 -0400)]
review

smcv [Sun, 5 Oct 2014 13:06:20 +0000 (09:06 -0400)]
new

smcv [Sun, 5 Oct 2014 12:43:03 +0000 (08:43 -0400)]
clarify

smcv [Sun, 5 Oct 2014 12:41:16 +0000 (08:41 -0400)]
mix markdown with HTML more correctly

smcv [Sun, 5 Oct 2014 12:40:27 +0000 (08:40 -0400)]
new bug report

Louis [Sat, 4 Oct 2014 10:45:23 +0000 (12:45 +0200)]
amend comment

spalax [Sat, 4 Oct 2014 10:37:19 +0000 (06:37 -0400)]
Added a comment: Plugin compile

Louis [Sat, 4 Oct 2014 10:28:02 +0000 (12:28 +0200)]
New contrib plugin: compile

http://anastigmatix.net/ [Sat, 4 Oct 2014 05:03:54 +0000 (01:03 -0400)]
d and r aren't even on the same row

http://anastigmatix.net/ [Sat, 4 Oct 2014 05:02:38 +0000 (01:02 -0400)]
Google stay of execution no comfort if you're already dead

Amitai Schlair [Fri, 3 Oct 2014 19:24:43 +0000 (15:24 -0400)]
many people grok "static site generator" nowadays

https://www.google.com/accounts/o8/id?id=AItOawmBsHp8c_GstgdRN0W3BXo-ALfwpGRfBfk [Thu, 2 Oct 2014 03:23:22 +0000 (23:23 -0400)]
testing the sandbox

http://anastigmatix.net/ [Thu, 2 Oct 2014 00:45:38 +0000 (20:45 -0400)]
recap of yamlfront issue opened on github

Amitai Schlair [Wed, 1 Oct 2014 19:06:24 +0000 (15:06 -0400)]
Search $PATH for "validate", since the test does.

"validate" is a very generic command name, and it validates against
an old standard, so the value of this test is questionable.

http://anastigmatix.net/ [Tue, 30 Sep 2014 20:18:05 +0000 (16:18 -0400)]
I'm not really anti-vowel

http://anastigmatix.net/ [Tue, 30 Sep 2014 20:16:31 +0000 (16:16 -0400)]
a wish for more from pagetemplate

smcv [Tue, 30 Sep 2014 13:46:42 +0000 (09:46 -0400)]
typo

smcv [Tue, 30 Sep 2014 13:46:19 +0000 (09:46 -0400)]
non-review

smcv [Tue, 30 Sep 2014 13:44:13 +0000 (09:44 -0400)]
fix patch formatting

https://www.google.com/accounts/o8/id?id=AItOawlnBLXDQbzD3OCcqZshcmExPNwlgD0tJ7A [Tue, 30 Sep 2014 13:37:18 +0000 (09:37 -0400)]
(no commit message)

https://www.google.com/accounts/o8/id?id=AItOawlnBLXDQbzD3OCcqZshcmExPNwlgD0tJ7A [Tue, 30 Sep 2014 13:35:18 +0000 (09:35 -0400)]
Adding ARIA landmarks allows, for example, screen reader users to move directly to the page main content

spalax [Sat, 27 Sep 2014 06:20:09 +0000 (02:20 -0400)]
Added a comment: Apache redirection

spalax [Sat, 27 Sep 2014 06:18:30 +0000 (02:18 -0400)]
Added a comment: Several .setup files

Joey Hess [Fri, 26 Sep 2014 23:16:51 +0000 (19:16 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info

openmedi [Fri, 26 Sep 2014 23:12:33 +0000 (19:12 -0400)]
typos

openmedi [Fri, 26 Sep 2014 23:07:23 +0000 (19:07 -0400)]
(no commit message)

Joey Hess [Fri, 26 Sep 2014 22:55:09 +0000 (18:55 -0400)]
Fix crash that can occur when only_committed_changes is set and a file is deleted from the underlay.

srcfile_stat got called on a file from the underlay that no longer existed.

I am not 100% sure of the circumstances of that; I was able to reproduce
the bug but neglected to snapshot the tree, and then accidentally
got it to stop crashing. I know that a transient tag page got deleted using
the web interface to trigger the crash.

It seems that process_changed_files must have returned the file, despite it
being deleted. And since the file was not checked into git, it seems it
must have not been included in @IkiWiki::underlayfiles, which would have
caused process_changed_files to not return it.

I do not know why a transient tag page would not be in
@IkiWiki::underlayfiles. There is a bug here that I don't understand.

This is just a workaround -- run srcfile_stat such that it won't crash,
and if it is unable to stat a file, find_changed knows it's not changed,
so it's ok to skip it.

Also made find_new_files run srcfile_stat such that it won't crash, just
because I was there.

http://abhidg.pip.verisignlabs.com/ [Wed, 24 Sep 2014 16:58:48 +0000 (12:58 -0400)]
(no commit message)

smcv [Wed, 24 Sep 2014 13:52:37 +0000 (09:52 -0400)]
(no commit message)

https://id.koumbit.net/anarcat [Wed, 24 Sep 2014 13:45:10 +0000 (09:45 -0400)]
(no commit message)

openmedi [Wed, 24 Sep 2014 13:19:58 +0000 (09:19 -0400)]
Added a comment

smcv [Wed, 24 Sep 2014 07:27:39 +0000 (03:27 -0400)]
Added a comment