Simon McVittie [Sat, 11 Oct 2014 08:28:22 +0000 (09:28 +0100)]
Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.
I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
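The list-context behaviour described in this commit message, shown as a stand-alone added example (not ikiwiki's own code). The function `func` and the hash built from parameters are hypothetical stand-ins for any callee or data structure that expects exactly one value per parameter; the query string is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: how CGI->param expands in list context, and the
# scalar-context form that avoids it. Not code from ikiwiki.
use strict;
use warnings;
use CGI;

# Constructed query string with a repeated parameter, as in the commit message.
my $cgi = CGI->new('a=b&a=c&d=e');

# Hypothetical callee that expects a single argument; returns how many it got.
sub func { return scalar(@_) }

# Function arguments are list context: param('a') expands to ('b', 'c'),
# so func is effectively called as func('b', 'c') and sees two arguments.
my $list_args = func($cgi->param('a'));          # 2

# Forcing scalar context keeps only the first value: func('b').
my $scalar_args = func(scalar $cgi->param('a')); # 1

# The same expansion silently corrupts a hash built from parameters.
# The list becomes ('a', 'b', 'c', 'd', 'e'), so every later key/value
# pair shifts by one: a=>b, c=>d, e=>undef (plus an "Odd number of
# elements in hash assignment" warning).
my %corrupted = (a => $cgi->param('a'), d => $cgi->param('d'));

# With scalar context the hash is what the code intended: a=>b, d=>e.
my %intended = (a => scalar $cgi->param('a'), d => scalar $cgi->param('d'));

sub show_hash {
    my ($h) = @_;
    return join(', ', map { "$_=" . ($h->{$_} // '<undef>') } sort keys %$h);
}

print "list context:   func received $list_args args\n";
print "scalar context: func received $scalar_args args\n";
print "corrupted hash: ", show_hash(\%corrupted), "\n";
print "intended hash:  ", show_hash(\%intended), "\n";
```

The hash case is the shape of the Bugzilla problem alluded to above: an attacker who repeats a parameter can inject extra key/value pairs into a structure the code thought it fully controlled. Recent CGI.pm releases warn when `param` is called in list context, which is a cheap way to audit a codebase for these calls; wrapping each call in `scalar` (or switching to an explicit multi-value accessor where several values are actually wanted) silences the warning for the right reason.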
Added a comment: It was an Apache problem...
smcv [Thu, 16 Oct 2014 12:11:52 +0000 (08:11 -0400)]
branch
smcv [Thu, 16 Oct 2014 11:52:05 +0000 (07:52 -0400)]
comment
Simon McVittie [Wed, 15 Oct 2014 20:56:11 +0000 (21:56 +0100)]
Replace PayPal and Flattr buttons with text links
In particular, this avoids loading third-party resources from the
offline documentation (see
<https://lintian.debian.org/tags/privacy-breach-donation.html>).
http://anastigmatix.net/ [Thu, 16 Oct 2014 02:53:41 +0000 (22:53 -0400)]
mention pagespec_alias patches
smcv [Wed, 15 Oct 2014 23:30:22 +0000 (19:30 -0400)]
Added a comment
smcv [Wed, 15 Oct 2014 23:26:52 +0000 (19:26 -0400)]
Added a comment
openmedi [Wed, 15 Oct 2014 18:49:16 +0000 (14:49 -0400)]
Added a comment
Added a comment
openmedi [Wed, 15 Oct 2014 12:33:40 +0000 (08:33 -0400)]
Added a comment
Amitai Schlair [Tue, 14 Oct 2014 22:46:41 +0000 (18:46 -0400)]
as usual, macports hasn't moved
Added a comment
Added a comment
Amitai Schlair [Tue, 14 Oct 2014 22:19:09 +0000 (18:19 -0400)]
one report suffices; not yet clear there's a bug
Amitai Schlair [Mon, 13 Oct 2014 20:21:15 +0000 (16:21 -0400)]
clarify
Amitai Schlair [Mon, 13 Oct 2014 20:13:11 +0000 (16:13 -0400)]
findings and questions
Simon McVittie [Sat, 11 Oct 2014 08:28:02 +0000 (09:28 +0100)]
Do not pass ignored sid parameter to checksessionexpiry
checksessionexpiry's signature changed from
(CGI::Session, CGI->param('sid')) to (CGI, CGI::Session) in commit
985b229b, but editpage still passed the sid as a useless third
parameter, and this was later cargo-culted into remove, rename and
recentchanges.
Simon McVittie [Sun, 12 Oct 2014 17:03:28 +0000 (18:03 +0100)]
comments: don't log remote IP address for signed-in users
The intention was that signed-in users (for instance via httpauth,
passwordauth or openid) are already adequately identified, but
there's nothing to indicate who an anonymous commenter is unless
their IP address is recorded.
Simon McVittie [Sun, 12 Oct 2014 16:57:14 +0000 (17:57 +0100)]
google search plugin: use https for the search
smcv [Sun, 12 Oct 2014 16:49:24 +0000 (12:49 -0400)]
default User-Agent changed
Simon McVittie [Sat, 11 Oct 2014 08:43:34 +0000 (09:43 +0100)]
Set default User-Agent to something that doesn't mention libwww-perl
It appears that both the open-source and proprietary rulesets for
ModSecurity default to blacklisting requests that say they are
from libwww-perl, presumably because some script kiddies use libwww-perl
and are too inept to set a User-Agent that is "too big to blacklist",
like Chrome or the iPhone browser or something. This seems doomed to
failure but whatever.
smcv [Sun, 12 Oct 2014 16:43:14 +0000 (12:43 -0400)]
removed
smcv [Sun, 12 Oct 2014 16:42:54 +0000 (12:42 -0400)]
Added a comment
Amitai Schlair [Sun, 12 Oct 2014 16:42:13 +0000 (12:42 -0400)]
help Markdown make a list
Added a comment: fixed in a recent release, I think
openmedi [Sun, 12 Oct 2014 16:06:59 +0000 (12:06 -0400)]
Amitai Schlair [Sun, 12 Oct 2014 15:08:13 +0000 (11:08 -0400)]
Replace shebang paths with the build-time $(PERL).
On non-Debian systems, /usr/bin/perl might not be the best available
Perl interpreter. Use whichever perl was used to run Makefile.PL,
unless it was "/usr/bin/perl", in which case there's nothing to do.
Amitai Schlair [Sun, 12 Oct 2014 13:30:31 +0000 (09:30 -0400)]
Extract test subs for each site. No change meant.
Amitai Schlair [Sun, 12 Oct 2014 04:01:09 +0000 (00:01 -0400)]
Extract run_cgi(). No functional change intended.
Amitai Schlair [Sat, 11 Oct 2014 13:52:21 +0000 (09:52 -0400)]
Extract check_generated_content(). Same output.
Amitai Schlair [Sat, 11 Oct 2014 01:17:39 +0000 (21:17 -0400)]
Extract check_cgi_mode_bits(). No change intended.
Amitai Schlair [Sat, 11 Oct 2014 00:40:24 +0000 (20:40 -0400)]
Extract thoroughly_rebuild(), a slight test change.
I didn't try to parameterize when a test should fail when we can't
remove ikiwiki.cgi because there already isn't one. (Hooray, natural
language.) Instead, we stop worrying about it and always tolerate
ENOENT.
Amitai Schlair [Sat, 11 Oct 2014 00:25:54 +0000 (20:25 -0400)]
Extract write_setup_file(). No functional change.
Test output differs only by the line numbers of the TODO items.
smcv [Thu, 9 Oct 2014 18:50:00 +0000 (14:50 -0400)]
clarify further
smcv [Thu, 9 Oct 2014 18:36:13 +0000 (14:36 -0400)]
clarify
smcv [Thu, 9 Oct 2014 18:31:33 +0000 (14:31 -0400)]
That's not how that directive is used, and if you want to try stuff out please edit the sandbox instead
This reverts commit
856819a733d90a2ca259a5a3b03cc5d84f72e931
tarojiro [Wed, 8 Oct 2014 11:38:46 +0000 (07:38 -0400)]
smcv [Mon, 6 Oct 2014 21:00:24 +0000 (17:00 -0400)]
alternative plan
Amitai Schlair [Mon, 6 Oct 2014 20:31:52 +0000 (16:31 -0400)]
simplify IPC::Run check (same behavior)
Amitai Schlair [Mon, 6 Oct 2014 17:06:02 +0000 (13:06 -0400)]
exclude openid/troubleshooting
smcv [Sun, 5 Oct 2014 22:58:56 +0000 (18:58 -0400)]
smcv [Sun, 5 Oct 2014 22:56:57 +0000 (18:56 -0400)]
Added a comment
smcv [Sun, 5 Oct 2014 22:55:02 +0000 (18:55 -0400)]
Added a comment
smcv [Sun, 5 Oct 2014 22:54:07 +0000 (18:54 -0400)]
Added a comment
Simon McVittie [Sun, 5 Oct 2014 22:50:57 +0000 (23:50 +0100)]
more fixes
Simon McVittie [Sun, 5 Oct 2014 22:49:25 +0000 (23:49 +0100)]
Document another fix
Simon McVittie [Sun, 5 Oct 2014 22:49:17 +0000 (23:49 +0100)]
In html5 mode, generate a host- or protocol-relative <base> for the CGI
This increases the number of situations in which we do the right thing.
Simon McVittie [Sun, 5 Oct 2014 22:06:48 +0000 (23:06 +0100)]
Add reverse_proxy option which hard-codes cgiurl in CGI output
This solves several people's issues with the CGI trying to be
too clever when IkiWiki is placed behind a reverse-proxy.
Simon McVittie [Sun, 5 Oct 2014 21:56:55 +0000 (22:56 +0100)]
Avoid mixed content when cgiurl is https but url is not
Amitai Schlair [Sun, 5 Oct 2014 20:37:55 +0000 (16:37 -0400)]
offer myself to the ravenous consulting market
smcv [Sun, 5 Oct 2014 15:09:27 +0000 (11:09 -0400)]
remaining bugs after fixing some of the easier situations
Simon McVittie [Sun, 5 Oct 2014 14:56:19 +0000 (15:56 +0100)]
Use protocol-relative URIs if cgiurl and url differ only by authority (hostname)
Simon McVittie [Sun, 5 Oct 2014 14:48:13 +0000 (15:48 +0100)]
Fix a test-case that actually just repeated the previous one instead
Simon McVittie [Sun, 5 Oct 2014 14:19:55 +0000 (15:19 +0100)]
Force use of $config{url} as top URL in w3mmode
Simon McVittie [Sun, 5 Oct 2014 14:19:12 +0000 (15:19 +0100)]
relative URLs test: pass an appropriate PERL5LIB through
We were previously using the system copy of IkiWiki, because the CGI
resets its environment.
Simon McVittie [Sun, 5 Oct 2014 13:34:10 +0000 (14:34 +0100)]
Add WAI-ARIA roles to #main, #comments and #footer when in HTML5 mode
Based on a patch from Patrick.
Simon McVittie [Sun, 5 Oct 2014 13:29:32 +0000 (14:29 +0100)]
add the beginnings of a test for CGI/static URL interactions
smcv [Sun, 5 Oct 2014 13:23:30 +0000 (09:23 -0400)]
review
smcv [Sun, 5 Oct 2014 13:06:20 +0000 (09:06 -0400)]
new
smcv [Sun, 5 Oct 2014 12:43:03 +0000 (08:43 -0400)]
clarify
smcv [Sun, 5 Oct 2014 12:41:16 +0000 (08:41 -0400)]
mix markdown with HTML more correctly
smcv [Sun, 5 Oct 2014 12:40:27 +0000 (08:40 -0400)]
new bug report
Louis [Sat, 4 Oct 2014 10:45:23 +0000 (12:45 +0200)]
amend comment
spalax [Sat, 4 Oct 2014 10:37:19 +0000 (06:37 -0400)]
Added a comment: Plugin compile
Louis [Sat, 4 Oct 2014 10:28:02 +0000 (12:28 +0200)]
New contrib plugin: compile
http://anastigmatix.net/ [Sat, 4 Oct 2014 05:03:54 +0000 (01:03 -0400)]
d and r aren't even on the same row
http://anastigmatix.net/ [Sat, 4 Oct 2014 05:02:38 +0000 (01:02 -0400)]
Google stay of execution no comfort if you're already dead
Amitai Schlair [Fri, 3 Oct 2014 19:24:43 +0000 (15:24 -0400)]
many people grok "static site generator" nowadays
testing the sandbox
http://anastigmatix.net/ [Thu, 2 Oct 2014 00:45:38 +0000 (20:45 -0400)]
recap of yamlfront issue opened on github
Amitai Schlair [Wed, 1 Oct 2014 19:06:24 +0000 (15:06 -0400)]
Search $PATH for "validate", since the test does.
"validate" is a very generic command name, and it validates against
an old standard, so the value of this test is questionable.
http://anastigmatix.net/ [Tue, 30 Sep 2014 20:18:05 +0000 (16:18 -0400)]
I'm not really anti-vowel
http://anastigmatix.net/ [Tue, 30 Sep 2014 20:16:31 +0000 (16:16 -0400)]
a wish for more from pagetemplate
smcv [Tue, 30 Sep 2014 13:46:42 +0000 (09:46 -0400)]
typo
smcv [Tue, 30 Sep 2014 13:46:19 +0000 (09:46 -0400)]
non-review
smcv [Tue, 30 Sep 2014 13:44:13 +0000 (09:44 -0400)]
fix patch formatting
Adding ARIA landmarks allows, for example, screen reader users to move directly to the page's main content
spalax [Sat, 27 Sep 2014 06:20:09 +0000 (02:20 -0400)]
Added a comment: Apache redirection
spalax [Sat, 27 Sep 2014 06:18:30 +0000 (02:18 -0400)]
Added a comment: Several .setup files
Joey Hess [Fri, 26 Sep 2014 23:16:51 +0000 (19:16 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
openmedi [Fri, 26 Sep 2014 23:12:33 +0000 (19:12 -0400)]
typos
openmedi [Fri, 26 Sep 2014 23:07:23 +0000 (19:07 -0400)]
Joey Hess [Fri, 26 Sep 2014 22:55:09 +0000 (18:55 -0400)]
Fix crash that can occur when only_committed_changes is set and a file is deleted from the underlay.
srcfile_stat got called on a file from the underlay that no longer existed.
I am not 100% sure of the circumstances of that; I was able to reproduce
the bug but neglected to snapshot the tree, and then accidentally
got it to stop crashing. I know that a transient tag page got deleted using
the web interface to trigger the crash.
It seems that process_changed_files must have returned the file, despite it
being deleted. And since the file was not checked into git, it seems it
must have not been included in @IkiWiki::underlayfiles, which would have
caused process_changed_files to not return it.
I do not know why a transient tag page would not be in
@IkiWiki::underlayfiles. There is a bug here that I don't understand.
This is just a workaround -- run srcfile_stat such that it won't crash,
and if it is unable to stat a file, find_changed knows it's not changed,
so it's ok to skip it.
Also made find_new_files run srcfile_stat such that it won't crash, just
because I was there.
http://abhidg.pip.verisignlabs.com/ [Wed, 24 Sep 2014 16:58:48 +0000 (12:58 -0400)]
smcv [Wed, 24 Sep 2014 13:52:37 +0000 (09:52 -0400)]
https://id.koumbit.net/anarcat [Wed, 24 Sep 2014 13:45:10 +0000 (09:45 -0400)]
openmedi [Wed, 24 Sep 2014 13:19:58 +0000 (09:19 -0400)]
Added a comment
smcv [Wed, 24 Sep 2014 07:27:39 +0000 (03:27 -0400)]
Added a comment
openmedi [Wed, 24 Sep 2014 01:47:25 +0000 (21:47 -0400)]
smcv [Tue, 23 Sep 2014 08:13:16 +0000 (04:13 -0400)]
%W is not as weird as it looks at first glance
smcv [Tue, 23 Sep 2014 07:55:26 +0000 (03:55 -0400)]
Added a comment
smcv [Tue, 23 Sep 2014 07:54:53 +0000 (03:54 -0400)]
fix destsources documentation, and mention how attachments appear