Joey Hess [Thu, 6 Nov 2014 19:02:32 +0000 (15:02 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Thu, 6 Nov 2014 19:00:09 +0000 (15:00 -0400)]
openid: Stop suppressing the email field on the Preferences page.
This is needed for notifyemail, and not all openid providers report an
email address, or necessarily the one the user wants to get email.
Fixes perl-magick link #2
Fixes perl-magick link
spalax [Mon, 27 Oct 2014 09:53:17 +0000 (05:53 -0400)]
typos
http://anastigmatix.net/ [Sat, 25 Oct 2014 16:55:46 +0000 (12:55 -0400)]
How signinview handles the goto leak
spalax [Sat, 25 Oct 2014 16:17:16 +0000 (12:17 -0400)]
Answer
http://anastigmatix.net/ [Fri, 24 Oct 2014 23:45:23 +0000 (19:45 -0400)]
do=goto leaks page existence
http://anastigmatix.net/ [Fri, 24 Oct 2014 23:20:13 +0000 (19:20 -0400)]
Patch submitted for contrib/ymlfront sticky-metadata issue.
fr33domlover [Fri, 24 Oct 2014 10:19:54 +0000 (06:19 -0400)]
Update comment
fr33domlover [Fri, 24 Oct 2014 10:11:56 +0000 (06:11 -0400)]
Command on compile plugin
http://anastigmatix.net/ [Fri, 24 Oct 2014 00:40:35 +0000 (20:40 -0400)]
Feeling out how to present patch for review
Joey Hess [Thu, 23 Oct 2014 17:56:21 +0000 (13:56 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Thu, 23 Oct 2014 17:55:29 +0000 (13:55 -0400)]
file bug
spalax [Thu, 23 Oct 2014 14:40:14 +0000 (10:40 -0400)]
Forgot download link
fr33domlover [Thu, 23 Oct 2014 11:16:26 +0000 (07:16 -0400)]
Typos...
fr33domlover [Thu, 23 Oct 2014 11:15:55 +0000 (07:15 -0400)]
fr33domlover [Thu, 23 Oct 2014 11:15:27 +0000 (07:15 -0400)]
fr33domlover [Thu, 23 Oct 2014 11:14:16 +0000 (07:14 -0400)]
wishlist: ask about using ikiwiki as ML
fr33domlover [Thu, 23 Oct 2014 11:13:19 +0000 (07:13 -0400)]
wishlist
smcv [Thu, 23 Oct 2014 08:06:51 +0000 (04:06 -0400)]
Added a comment
smcv [Thu, 23 Oct 2014 07:57:40 +0000 (03:57 -0400)]
Added a comment
openmedi [Wed, 22 Oct 2014 22:01:43 +0000 (18:01 -0400)]
Added a comment
fr33domlover [Wed, 22 Oct 2014 16:46:02 +0000 (12:46 -0400)]
Added a comment
fr33domlover [Wed, 22 Oct 2014 08:20:00 +0000 (11:20 +0300)]
New wishlist item - put /tags page in the basewiki?
openmedi [Tue, 21 Oct 2014 01:11:53 +0000 (21:11 -0400)]
openmedi [Tue, 21 Oct 2014 01:00:30 +0000 (21:00 -0400)]
http://anastigmatix.net/ [Mon, 20 Oct 2014 23:58:54 +0000 (19:58 -0400)]
Hadn't listed any drawbacks for the FastCGI Authorizer idea.
http://anastigmatix.net/ [Mon, 20 Oct 2014 23:07:13 +0000 (19:07 -0400)]
Review request for: Let plugins influence what environment variables a wrapper will preserve
http://anastigmatix.net/ [Mon, 20 Oct 2014 22:39:55 +0000 (18:39 -0400)]
Fix dangling link to branch I deleted after merge. Link instead to merged commits in ikiwiki repo.
Amitai Schlair [Mon, 20 Oct 2014 18:20:41 +0000 (14:20 -0400)]
Add ikiwiki-comment to shebang_scripts.
Joey Hess [Mon, 20 Oct 2014 16:28:54 +0000 (12:28 -0400)]
Add missing build-depends on libcgi-formbuilder-perl, needed for t/relativity.t
Joey Hess [Mon, 20 Oct 2014 16:08:07 +0000 (12:08 -0400)]
add ikiwiki-comment program
http://anastigmatix.net/ [Sun, 19 Oct 2014 21:48:47 +0000 (17:48 -0400)]
bit on how inlinability isn't only bad
http://anastigmatix.net/ [Sun, 19 Oct 2014 21:37:46 +0000 (17:37 -0400)]
Add link to the proposed wrapper generation patch
http://anastigmatix.net/ [Sun, 19 Oct 2014 21:07:15 +0000 (17:07 -0400)]
initial description of signinview plugin
http://anastigmatix.net/ [Sun, 19 Oct 2014 18:40:02 +0000 (14:40 -0400)]
more on caching behavior
http://anastigmatix.net/ [Sun, 19 Oct 2014 18:17:03 +0000 (14:17 -0400)]
make formatting more consistent
http://anastigmatix.net/ [Sun, 19 Oct 2014 18:12:11 +0000 (14:12 -0400)]
discuss zoned-ikiwiki implementation approaches, including signinview plugin
http://anastigmatix.net/ [Sun, 19 Oct 2014 17:32:52 +0000 (13:32 -0400)]
it helps to distinguish some use cases
Amitai Schlair [Sun, 19 Oct 2014 17:13:07 +0000 (13:13 -0400)]
also search
http://anastigmatix.net/ [Sun, 19 Oct 2014 17:09:33 +0000 (13:09 -0400)]
start fleshing out "things that make zoned ikiwiki hard"
Amitai Schlair [Sun, 19 Oct 2014 17:08:13 +0000 (13:08 -0400)]
sign previous
Amitai Schlair [Sun, 19 Oct 2014 16:59:53 +0000 (12:59 -0400)]
Match word boundary (think "/usr/bin/perl5.18").
[patch], patch
openmedi [Fri, 17 Oct 2014 17:23:13 +0000 (13:23 -0400)]
Added a comment
Amitai Schlair [Fri, 17 Oct 2014 13:05:00 +0000 (09:05 -0400)]
Remove space from perl shebang path.
Amitai Schlair [Fri, 17 Oct 2014 01:51:18 +0000 (21:51 -0400)]
Disambiguate myself a bit (like that's needed).
Simon McVittie [Fri, 17 Oct 2014 00:07:50 +0000 (01:07 +0100)]
reformat
Simon McVittie [Fri, 17 Oct 2014 00:01:53 +0000 (01:01 +0100)]
news
Simon McVittie [Thu, 16 Oct 2014 23:02:33 +0000 (00:02 +0100)]
Merge remote-tracking branch 'refs/remotes/dgit/dgit/sid'
Simon McVittie [Thu, 16 Oct 2014 22:28:35 +0000 (23:28 +0100)]
release
Simon McVittie [Thu, 16 Oct 2014 22:28:23 +0000 (23:28 +0100)]
debian: fix some wrong paths in the copyright file
Simon McVittie [Thu, 16 Oct 2014 22:04:11 +0000 (23:04 +0100)]
debian: rename debian/link to debian/links so the intended symlinks appear
Simon McVittie [Thu, 16 Oct 2014 22:03:48 +0000 (23:03 +0100)]
close a bug
Simon McVittie [Thu, 16 Oct 2014 21:48:09 +0000 (22:48 +0100)]
Drop unused python-support dependency
Simon McVittie [Thu, 16 Oct 2014 21:44:29 +0000 (22:44 +0100)]
changelog so far
Simon McVittie [Thu, 16 Oct 2014 21:40:52 +0000 (22:40 +0100)]
build-depend on libcgi-pm-perl too, for tests
Simon McVittie [Thu, 16 Oct 2014 08:45:36 +0000 (09:45 +0100)]
Explicitly depend on CGI.pm, which is no longer in Perl core
I was going to depend on the version that has CGI->param_fetch,
but that has been supported since 2.37, which is older than oldstable.
Amitai Schlair [Wed, 15 Oct 2014 22:52:43 +0000 (23:52 +0100)]
IkiWiki::Plugin::openid: as a precaution, do not call non-coderefs
We're running under "use strict" here, so if CGI->param's array-context
misbehaviour passes an extra non-ref parameter, it shouldn't be executed
anyway... but it's as well to be safe.
[commit message added by smcv]
Amitai Schlair [Wed, 15 Oct 2014 21:32:02 +0000 (22:32 +0100)]
Call CGI->param_fetch instead of CGI->param in array context
CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.
In the situations where we do want to cope with more than one parameter
of the same name, CGI->param_fetch (which always returns an
array-reference) makes the intention clearer.
[commit message added by smcv]
Simon McVittie [Sat, 11 Oct 2014 08:28:22 +0000 (09:28 +0100)]
Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.
I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
Added a comment: It was an Apache problem...
smcv [Thu, 16 Oct 2014 12:11:52 +0000 (08:11 -0400)]
branch
smcv [Thu, 16 Oct 2014 11:52:05 +0000 (07:52 -0400)]
comment
Simon McVittie [Thu, 16 Oct 2014 10:25:28 +0000 (11:25 +0100)]
Emit vestigial xmlns so people can still pass ikiwiki output through XSLT
Simon McVittie [Thu, 16 Oct 2014 10:25:10 +0000 (11:25 +0100)]
We no longer have a test for DTD-valid XHTML 1.0, but at least check well-formedness
This means that people can do XSLT nonsense if they want to.
The failures are currently marked TODO because not everything in the
docwiki is in fact well-formed.
Simon McVittie [Thu, 16 Oct 2014 10:08:01 +0000 (11:08 +0100)]
Remove now-redundant test-cases for a non-default html5 setting
Simon McVittie [Thu, 16 Oct 2014 10:05:19 +0000 (11:05 +0100)]
Now that we're always using HTML5, <base href> can be relative
Simon McVittie [Thu, 16 Oct 2014 10:04:53 +0000 (11:04 +0100)]
Always produce HTML5 doctype and new attributes, but not new elements
According to caniuse.com, a significant fraction of Web users are
still using Internet Explorer versions that do not support HTML5
sectioning elements. However, claiming we're XHTML 1.0 Strict
means we can't use features invented in the last 12 years, even if
they degrade gracefully in older browsers (like the role and placeholder
attributes).
This means our output is no longer valid according to any particular
DTD. Real browsers and other non-validator user-agents have never
cared about DTD compliance anyway, so I don't think this is a real loss.
Simon McVittie [Wed, 15 Oct 2014 20:56:11 +0000 (21:56 +0100)]
Replace PayPal and Flattr buttons with text links
In particular, this avoids loading third-party resources from the
offline documentation (see
<https://lintian.debian.org/tags/privacy-breach-donation.html>).
http://anastigmatix.net/ [Thu, 16 Oct 2014 02:53:41 +0000 (22:53 -0400)]
mention pagespec_alias patches
smcv [Wed, 15 Oct 2014 23:30:22 +0000 (19:30 -0400)]
Added a comment
smcv [Wed, 15 Oct 2014 23:26:52 +0000 (19:26 -0400)]
Added a comment
openmedi [Wed, 15 Oct 2014 18:49:16 +0000 (14:49 -0400)]
Added a comment
Added a comment
openmedi [Wed, 15 Oct 2014 12:33:40 +0000 (08:33 -0400)]
Added a comment
Amitai Schlair [Tue, 14 Oct 2014 22:46:41 +0000 (18:46 -0400)]
as usual, macports hasn't moved
Added a comment
Added a comment
Amitai Schlair [Tue, 14 Oct 2014 22:19:09 +0000 (18:19 -0400)]
one report suffices; not yet clear there's a bug
Amitai Schlair [Mon, 13 Oct 2014 20:21:15 +0000 (16:21 -0400)]
clarify
Amitai Schlair [Mon, 13 Oct 2014 20:13:11 +0000 (16:13 -0400)]
findings and questions
Simon McVittie [Sat, 11 Oct 2014 08:28:02 +0000 (09:28 +0100)]
Do not pass ignored sid parameter to checksessionexpiry
checksessionexpiry's signature changed from
(CGI::Session, CGI->param('sid')) to (CGI, CGI::Session) in commit
985b229b, but editpage still passed the sid as a useless third
parameter, and this was later cargo-culted into remove, rename and
recentchanges.
Simon McVittie [Sun, 12 Oct 2014 17:03:28 +0000 (18:03 +0100)]
comments: don't log remote IP address for signed-in users
The intention was that signed-in users (for instance via httpauth,
passwordauth or openid) are already adequately identified, but
there's nothing to indicate who an anonymous commenter is unless
their IP address is recorded.
Simon McVittie [Sun, 12 Oct 2014 16:57:14 +0000 (17:57 +0100)]
google search plugin: use https for the search
smcv [Sun, 12 Oct 2014 16:49:24 +0000 (12:49 -0400)]
default User-Agent changed
Simon McVittie [Sat, 11 Oct 2014 08:43:34 +0000 (09:43 +0100)]
Set default User-Agent to something that doesn't mention libwww-perl
It appears that both the open-source and proprietary rulesets for
ModSecurity default to blacklisting requests that say they are
from libwww-perl, presumably because some script kiddies use libwww-perl
and are too inept to set a User-Agent that is "too big to blacklist",
like Chrome or the iPhone browser or something. This seems doomed to
failure but whatever.
smcv [Sun, 12 Oct 2014 16:43:14 +0000 (12:43 -0400)]
removed
smcv [Sun, 12 Oct 2014 16:42:54 +0000 (12:42 -0400)]
Added a comment
Amitai Schlair [Sun, 12 Oct 2014 16:42:13 +0000 (12:42 -0400)]
help Markdown make a list
Added a comment: fixed in a recent release, I think
openmedi [Sun, 12 Oct 2014 16:06:59 +0000 (12:06 -0400)]