Joey Hess [Tue, 6 May 2008 00:51:26 +0000 (20:51 -0400)]
this was actually released a while ago by the security team
Joey Hess [Fri, 18 Apr 2008 18:27:08 +0000 (14:27 -0400)]
fix version typo
Joey Hess [Thu, 10 Apr 2008 21:04:43 +0000 (17:04 -0400)]
Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.
In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.
In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.
For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)
The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
(cherry picked from commit
72b5ef2c5fb01751992c9400afe2690da5df611f)
Conflicts:
IkiWiki/CGI.pm
debian/changelog
doc/security.mdwn
po/ikiwiki.pot
Adeodato Simó [Fri, 29 Feb 2008 18:26:53 +0000 (19:26 +0100)]
Allow colons in URLs after the first slash
A new regexp fixes this bug:
http://ikiwiki.info/bugs/No_link_for_blog_items_when_filename_contains_a_colon/
I traced this down to htmlscrubber. If disabled,
it works. If enabled, then $safe_url_regexp
determines the URL unsafe because of the colon and
hence removes the src attribute.
Digging into this, I find that RFC 3986 pretty
much discourages colons in filenames:
"""
A path segment that contains a colon character
(e.g., "this:that") cannot be used as the first
segment of a relative-path reference, as it would
be mistaken for a scheme name. Such a segment must
be preceded by a dot-segment (e.g., "./this:that")
to make a relative- path reference.
"""
on the other hand, with usedirs, any link to
another page will be prepended by ../ anyway, so
that makes them okay again.
The solution still seems not to use colons.
In any case, htmlscrubber should get a new regexp,
courtesy of dato.
I have tested and verified this.
Signed-off-by: martin f. krafft <madduck@madduck.net>
Joey Hess [Sun, 10 Feb 2008 23:39:42 +0000 (18:39 -0500)]
update changelog after cherry-picking all relevent fixes
Joey Hess [Sun, 10 Feb 2008 23:38:41 +0000 (18:38 -0500)]
Allow the smb: URI scheme.
Joey Hess [Sun, 10 Feb 2008 23:37:47 +0000 (18:37 -0500)]
Allow the snews: URI scheme.
Joey Hess [Sun, 10 Feb 2008 23:37:13 +0000 (18:37 -0500)]
Do not allow the steam: URI scheme.
Joey Hess [Sun, 10 Feb 2008 23:36:48 +0000 (18:36 -0500)]
Match literal '.' in URI schemas containing '.', rather than matching any character
Joey Hess [Sun, 10 Feb 2008 23:35:45 +0000 (18:35 -0500)]
* meta: Check that the urls provided for authorurl, permalink, and openid
are safe and can't contain javascript.
Joey Hess [Sun, 10 Feb 2008 23:31:18 +0000 (18:31 -0500)]
Also filter the attributes cite, longdesc, and usemap, which can contain URIs
Joey Hess [Sun, 10 Feb 2008 23:28:41 +0000 (18:28 -0500)]
Do not allow the about: URI scheme
Some browsers interpret about: URIs like a limited version of data:
URIs. In particular, some versions of Internet Explorer interpret
arbitrary HTML content in about: URIs.
Joey Hess [Sun, 10 Feb 2008 23:26:46 +0000 (18:26 -0500)]
export $safe_url_regexp
Joey Hess [Sun, 10 Feb 2008 20:28:48 +0000 (15:28 -0500)]
fix data:image handling
Joey Hess [Sun, 10 Feb 2008 19:58:17 +0000 (14:58 -0500)]
remove conflict marker
Joey Hess [Sun, 10 Feb 2008 18:55:34 +0000 (13:55 -0500)]
fix backport
Joey Hess [Sun, 10 Feb 2008 18:36:17 +0000 (13:36 -0500)]
backport htmlscrubber javascript uri sanitisation fix from master
Joey Hess [Sun, 10 Feb 2008 18:31:48 +0000 (13:31 -0500)]
resecued version 1.33.3, which was not tagged in revision control before
joey [Wed, 15 Nov 2006 23:33:11 +0000 (23:33 +0000)]
releasing version 1.33
joey [Wed, 15 Nov 2006 20:49:10 +0000 (20:49 +0000)]
typos
joey [Tue, 14 Nov 2006 11:19:42 +0000 (11:19 +0000)]
web commit by VictorMoral: New version 0.9
joey [Mon, 13 Nov 2006 20:07:55 +0000 (20:07 +0000)]
* Work with hyperestraier 1.4.9.
joey [Sun, 12 Nov 2006 01:41:40 +0000 (01:41 +0000)]
web commit by JoshTriplett
joey [Sat, 11 Nov 2006 10:50:24 +0000 (10:50 +0000)]
web commit by JoshTriplett
joey [Sat, 11 Nov 2006 10:36:58 +0000 (10:36 +0000)]
web commit by JoshTriplett
joey [Sat, 11 Nov 2006 10:24:49 +0000 (10:24 +0000)]
web commit by JoshTriplett
joey [Fri, 10 Nov 2006 18:15:41 +0000 (18:15 +0000)]
web commit by BradRoberts
joey [Fri, 10 Nov 2006 08:34:21 +0000 (08:34 +0000)]
web commit by EthanGlasserCamp: wikify
joey [Fri, 10 Nov 2006 08:26:38 +0000 (08:26 +0000)]
web commit by BradRoberts
joey [Fri, 10 Nov 2006 08:14:52 +0000 (08:14 +0000)]
web commit by BradRoberts
joey [Fri, 10 Nov 2006 07:51:14 +0000 (07:51 +0000)]
fixes
joey [Fri, 10 Nov 2006 07:46:41 +0000 (07:46 +0000)]
* Work around a strange bug in CGI::FormBuilder 3.0401 that makes
FORM-SUBMIT unusable on customised formbuilder templates. For now,
hardcode the submit buttons in editpage.tmpl instead of using the
template variable, which is ok, since the buttons are static.
joey [Thu, 9 Nov 2006 20:58:24 +0000 (20:58 +0000)]
* Fix img plugin's handling of adding dependencies for images that do not
yet exist.
joey [Wed, 8 Nov 2006 21:06:35 +0000 (21:06 +0000)]
response
joey [Wed, 8 Nov 2006 21:03:33 +0000 (21:03 +0000)]
* Make sure to check for errors from every eval.
joey [Wed, 8 Nov 2006 20:58:07 +0000 (20:58 +0000)]
web commit by joey: responses
joey [Wed, 8 Nov 2006 20:46:20 +0000 (20:46 +0000)]
update
joey [Wed, 8 Nov 2006 20:44:32 +0000 (20:44 +0000)]
this is really a todo item, not a bug
joey [Wed, 8 Nov 2006 20:43:36 +0000 (20:43 +0000)]
response
joey [Wed, 8 Nov 2006 20:39:48 +0000 (20:39 +0000)]
* Patch from Ethan Glasser Camp to add a skip option to the inline plugin.
joey [Wed, 8 Nov 2006 20:19:49 +0000 (20:19 +0000)]
web commit by EthanGlasserCamp: This is probably better.
joey [Wed, 8 Nov 2006 20:13:59 +0000 (20:13 +0000)]
* Enable utf8 file IO in aggregate plugin.
* Fix some issues with the new registration form.
joey [Wed, 8 Nov 2006 20:11:48 +0000 (20:11 +0000)]
web commit by EthanGlasserCamp
joey [Wed, 8 Nov 2006 20:10:44 +0000 (20:10 +0000)]
web commit by EthanGlasserCamp: exactly what it sounds like
joey [Wed, 8 Nov 2006 06:45:05 +0000 (06:45 +0000)]
web commit by EthanGlasserCamp: Oops, this is what the patch actually says!
joey [Wed, 8 Nov 2006 06:42:08 +0000 (06:42 +0000)]
web commit by EthanGlasserCamp: use diff -ur so I can apply this easier in the future
joey [Wed, 8 Nov 2006 06:05:45 +0000 (06:05 +0000)]
web commit by EthanGlasserCamp: use a real patch format rather than just doing svn diff
joey [Mon, 6 Nov 2006 22:44:34 +0000 (22:44 +0000)]
web commit by JoshTriplett: Canonical feed location?
joey [Mon, 6 Nov 2006 22:27:15 +0000 (22:27 +0000)]
web commit by JoshTriplett
joey [Mon, 6 Nov 2006 21:55:06 +0000 (21:55 +0000)]
web commit by JoshTriplett: Fix links which just had [homepage] or [blog] in the text to include the surrounding attribution, and change the ion link from HTML to markdown
joey [Mon, 6 Nov 2006 21:45:55 +0000 (21:45 +0000)]
web commit by JoshTriplett: Add the Sparse wiki.
joey [Mon, 6 Nov 2006 04:27:29 +0000 (04:27 +0000)]
typo
joey [Sun, 5 Nov 2006 23:44:20 +0000 (23:44 +0000)]
* Avoid syntax errors in templates used by the template plugin crashing
ikiwiki.
joey [Sat, 4 Nov 2006 19:20:24 +0000 (19:20 +0000)]
* Fix issue with aggregate plugin updating expired pages.
joey [Fri, 3 Nov 2006 19:49:08 +0000 (19:49 +0000)]
add news item for ikiwiki 1.32
joey [Fri, 3 Nov 2006 19:48:58 +0000 (19:48 +0000)]
releasing version 1.32
joey [Fri, 3 Nov 2006 19:47:27 +0000 (19:47 +0000)]
move :-) to correct location
joey [Thu, 2 Nov 2006 18:03:38 +0000 (18:03 +0000)]
Closes: #396702
joey [Wed, 1 Nov 2006 14:55:17 +0000 (14:55 +0000)]
web commit by KyleMacLea
joey [Wed, 1 Nov 2006 14:53:33 +0000 (14:53 +0000)]
web commit by KyleMacLea
joey [Wed, 1 Nov 2006 06:45:59 +0000 (06:45 +0000)]
* Patch from James Westby to support podcasting, photoblogging, vidcasting,
or what have you, by creating enclosures for non-page items that are
included in feeds.
joey [Wed, 1 Nov 2006 06:07:54 +0000 (06:07 +0000)]
idea
joey [Wed, 1 Nov 2006 06:06:07 +0000 (06:06 +0000)]
update
joey [Wed, 1 Nov 2006 06:05:08 +0000 (06:05 +0000)]
foo
joey [Wed, 1 Nov 2006 06:03:00 +0000 (06:03 +0000)]
done-ish
joey [Wed, 1 Nov 2006 05:41:37 +0000 (05:41 +0000)]
* Implemented expiry options for aggregate plugin.
* Use precalculated backlinks info when determining if files need an update
due to a page they link to being added/removed. Mostly significant if
there are lots of pages.
* Remove duplicate link info when saving index. In some cases it could
pile up rather badly. (Probably not the best way to deal with this
problem.)
joey [Tue, 31 Oct 2006 17:30:50 +0000 (17:30 +0000)]
add pointer to backport
joey [Mon, 30 Oct 2006 23:28:01 +0000 (23:28 +0000)]
* Improve login/register process, the login dialog has only name and
password fields, which allows more web browsers to regognise it as a login
field, and is less confusing.
joey [Mon, 30 Oct 2006 19:31:45 +0000 (19:31 +0000)]
* Add perlmagick to build-depends so syntax check of img plugin works.
joey [Mon, 30 Oct 2006 17:51:46 +0000 (17:51 +0000)]
web commit by jh
joey [Mon, 30 Oct 2006 02:00:38 +0000 (02:00 +0000)]
revamp css market, allow selecting stylesheets on the fly in web browser
joey [Sun, 29 Oct 2006 16:58:19 +0000 (16:58 +0000)]
another update
joey [Sun, 29 Oct 2006 00:24:18 +0000 (00:24 +0000)]
fold
joey [Sat, 28 Oct 2006 23:47:16 +0000 (23:47 +0000)]
update
joey [Sat, 28 Oct 2006 23:46:45 +0000 (23:46 +0000)]
* Install the source of the examples into /usr/share/doc/ikiwiki/examples.
joey [Sat, 28 Oct 2006 23:42:43 +0000 (23:42 +0000)]
update
joey [Sat, 28 Oct 2006 23:41:39 +0000 (23:41 +0000)]
* Add a default stylesheet entry for the pagecloud.
* Add examples page with some examples of things that can be done using
ikiwiki, like a weblog. The examples can be copied into a user's wiki
for a quick start, without needing to learn everything about how to put
them together.
joey [Sat, 28 Oct 2006 22:24:18 +0000 (22:24 +0000)]
fix a bug
joey [Sat, 28 Oct 2006 22:11:09 +0000 (22:11 +0000)]
updated again
joey [Sat, 28 Oct 2006 17:18:50 +0000 (17:18 +0000)]
* Now that links are calculated in a separate pass, it can also
* Stylish update to the ikiwiki logo, thanks to Recai Oktaş and Selçuk
Erdem.
joey [Sat, 28 Oct 2006 05:45:56 +0000 (05:45 +0000)]
update
joey [Sat, 28 Oct 2006 05:10:13 +0000 (05:10 +0000)]
update
joey [Sat, 28 Oct 2006 05:07:56 +0000 (05:07 +0000)]
instead of over and over. Typical speedup is ~4x. Max possible speedup:
8x.
* Add "scan" parameter to hook(), which is used to make the hook be called
during the scanning pass, as well as the render pass. The meta and tag
plugins need to use the new scan parameter, so will any others that modify
%links.
* Now that links are calculated in a separate pass, it can also
precalculate backlinks in one pass, which is O(N^2) instead of the
previous code that was O(N^3). A very nice speedup for wikis with lots
(thousands) of pages.
joey [Sat, 28 Oct 2006 03:27:10 +0000 (03:27 +0000)]
* Add a separate pass to find page links, and only render each page once,
instead of over and over. This is up to 8 times faster than before!
(This could have introduced some subtle bugs, so it needs to be tested
extensively.)
joey [Sat, 28 Oct 2006 03:17:52 +0000 (03:17 +0000)]
add news item for ikiwiki 1.31
joey [Sat, 28 Oct 2006 03:17:35 +0000 (03:17 +0000)]
releasing version 1.31
joey [Sat, 28 Oct 2006 01:20:13 +0000 (01:20 +0000)]
update
joey [Sat, 28 Oct 2006 00:36:34 +0000 (00:36 +0000)]
delete session
joey [Sat, 28 Oct 2006 00:35:33 +0000 (00:35 +0000)]
* Add basic spam fighting tool for admins: An admin's prefs page now allows
editing a list of banned users who are not allowed to log in.
joey [Fri, 27 Oct 2006 23:48:38 +0000 (23:48 +0000)]
revert spammer
joey [Fri, 27 Oct 2006 23:22:36 +0000 (23:22 +0000)]
web commit by shoesorder
joey [Fri, 27 Oct 2006 23:21:39 +0000 (23:21 +0000)]
web commit by shoesorder
joey [Fri, 27 Oct 2006 23:20:24 +0000 (23:20 +0000)]
web commit by shoesorder
joey [Fri, 27 Oct 2006 23:19:07 +0000 (23:19 +0000)]
web commit by shoesorder
joey [Fri, 27 Oct 2006 17:11:30 +0000 (17:11 +0000)]
* Add missing dependency on the URI perl module.
joey [Fri, 27 Oct 2006 02:43:25 +0000 (02:43 +0000)]
web commit by MarkBucciarelli
joey [Wed, 25 Oct 2006 22:39:05 +0000 (22:39 +0000)]
web commit by ScottHenson
joey [Wed, 25 Oct 2006 00:31:06 +0000 (00:31 +0000)]
response
joey [Tue, 24 Oct 2006 17:24:36 +0000 (17:24 +0000)]
web commit by ScottHenson
joey [Tue, 24 Oct 2006 15:47:32 +0000 (15:47 +0000)]
response