authorJoey Hess <joey@kodama.kitenet.net>2008-07-06 15:52:04 -0400
committerJoey Hess <joey@kodama.kitenet.net>2008-07-06 15:52:04 -0400
commit05124f9a86dadca50c693d57f8fc8398fb5d8be9 (patch)
tree65c81b6a7a0c3dbf850782b4b8320b458f95ff0a
parentbadfb9a5c91b92d0e6a61f331bcaff6683ee11bc (diff)
downloadikiwiki-05124f9a86dadca50c693d57f8fc8398fb5d8be9.tar
ikiwiki-05124f9a86dadca50c693d57f8fc8398fb5d8be9.tar.gz
editpage escaping fixes
* The editpage form now uses the raw page name, not the page title, in its 'page' cgi parameter. Using the title was ambiguous and made it impossible to tell between some pages, like "foo/bar" and "foo__47__bar", sometimes causing the wrong page to be edited.
* This change means that some edit links need to be updated. Force a rebuild on upgrade to this version.
* Above change also allowed really fixing escaped slashes from the blogpost form.
-rw-r--r--IkiWiki.pm2
-rw-r--r--IkiWiki/CGI.pm11
-rw-r--r--IkiWiki/Plugin/editdiff.pm2
-rw-r--r--IkiWiki/Plugin/inline.pm8
-rw-r--r--IkiWiki/Render.pm2
-rw-r--r--debian/NEWS8
-rw-r--r--debian/changelog8
-rwxr-xr-xdebian/postinst2
-rw-r--r--doc/bugs/CGI_edit_and_slash_in_page_title.mdwn2
-rw-r--r--po/ikiwiki.pot16
10 files changed, 39 insertions, 22 deletions
diff --git a/IkiWiki.pm b/IkiWiki.pm
index 03b4b666e..0b420e824 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -596,7 +596,7 @@ sub htmllink ($$$;@) { #{{{
return "<span class=\"createlink\"><a href=\"".
cgiurl(
do => "create",
- page => pagetitle(lc($link), 1),
+ page => lc($link),
from => $lpage
).
"\" rel=\"nofollow\">?</a>$linktext</span>"
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 07e92322f..99cead64f 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -301,10 +301,9 @@ sub cgi_editpage ($$) { #{{{
});
decode_form_utf8($form);
- # This untaint is safe because titlepage removes any problematic
- # characters.
+ # This untaint is safe because we check file_pruned.
my $page=$form->field('page');
- $page=titlepage(possibly_foolish_untaint($page));
+ $page=possibly_foolish_untaint($page);
if (! defined $page || ! length $page ||
file_pruned($page, $config{srcdir}) || $page=~/^\//) {
error("bad page name");
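Review bot: With titlepage() gone, the `file_pruned` test and the leading-slash test on the following lines are the only checks between the raw `page` CGI parameter and a path under `$config{srcdir}`, and `possibly_foolish_untaint` now runs before either of them. The new comment should state exactly what is relied on, for example `# Untainted before validation; safe only because file_pruned() and the leading-slash check below reject the value before it is used as a path.` Since the value is no longer normalised, consider also rejecting names with characters outside the set the wiki permits in page names, so that control characters or newlines in the parameter fail here rather than deeper in the edit path. What file_pruned() actually rejects is not visible in this hunk, and cgi_editpage continues outside it.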
@@ -354,7 +353,7 @@ sub cgi_editpage ($$) { #{{{
$form->field(name => "from", type => 'hidden');
$form->field(name => "rcsinfo", type => 'hidden');
$form->field(name => "subpage", type => 'hidden');
- $form->field(name => "page", value => pagetitle($page, 1), force => 1);
+ $form->field(name => "page", value => $page, force => 1);
$form->field(name => "type", value => $type, force => 1);
$form->field(name => "comments", type => "text", size => 80);
$form->field(name => "editcontent", type => "textarea", rows => 20,
@@ -486,8 +485,8 @@ sub cgi_editpage ($$) { #{{{
$form->tmpl_param("page_select", 1);
$form->field(name => "page", type => 'select',
- options => [ map { pagetitle($_, 1) } @editable_locs ],
- value => pagetitle($best_loc, 1));
+ options => [ map { [ $_, pagetitle($_, 1) ] } @editable_locs ],
+ value => $best_loc);
$form->field(name => "type", type => 'select',
options => \@page_types);
$form->title(sprintf(gettext("creating %s"), pagetitle($page)));
diff --git a/IkiWiki/Plugin/editdiff.pm b/IkiWiki/Plugin/editdiff.pm
index b8ecaa3d7..d45c73e8f 100644
--- a/IkiWiki/Plugin/editdiff.pm
+++ b/IkiWiki/Plugin/editdiff.pm
@@ -50,7 +50,7 @@ sub formbuilder_setup { #{{{
return if $form->field("do") ne "edit";
- $page = IkiWiki::titlepage(IkiWiki::possibly_foolish_untaint($page));
+ $page = IkiWiki::possibly_foolish_untaint($page);
return unless exists $pagesources{$page};
push @{$params{buttons}}, "Diff";
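Review bot: The untaint of `$page` happens before the `exists $pagesources{$page}` test, and unlike the matching change in IkiWiki/CGI.pm it has no comment saying why it is safe now that titlepage() no longer normalises the value. Checking membership first keeps the taint mark on anything that is not a known page: `return unless defined $page && exists $pagesources{$page};` followed by `$page = IkiWiki::possibly_foolish_untaint($page); # safe: key of %pagesources`. Where `$page` is read from is outside this hunk, so whether it can be undefined here is an assumption to confirm.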
diff --git a/IkiWiki/Plugin/inline.pm b/IkiWiki/Plugin/inline.pm
index 344620ebe..8890e5ed0 100644
--- a/IkiWiki/Plugin/inline.pm
+++ b/IkiWiki/Plugin/inline.pm
@@ -70,12 +70,12 @@ sub sessioncgi () { #{{{
my $session=shift;
if ($q->param('do') eq 'blog') {
- my $page=decode_utf8($q->param('title'));
- $page=~s/\///g; # no slashes in blog posts
+ my $page=IkiWiki::titlepage(decode_utf8($q->param('title')));
+ $page=~s/(\/)/"__".ord($1)."__"/eg; # don't create subdirs
# if the page already exists, munge it to be unique
my $from=$q->param('from');
my $add="";
- while (exists $IkiWiki::pagecase{lc($from."/".IkiWiki::titlepage($page).$add)}) {
+ while (exists $IkiWiki::pagecase{lc($from."/".$page.$add)}) {
$add=1 unless length $add;
$add++;
}
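Review bot: A `do=blog` request with a missing or empty `title` passes straight through `IkiWiki::titlepage(decode_utf8(...))`, so `$page` can end up empty and the uniqueness loop then probes `$from."/"` with nothing after the slash. A guard before the loop, such as `error("bad page name") unless defined $page && length $page;`, would stop that early; this assumes error() is in scope in this plugin as it is in CGI.pm. The `from` parameter is also used in the lookup as received, so the page this handler hands on still depends on the checks in cgi_editpage. As a smaller style point, the slash substitution always produces the same text, so `$page=~s{/}{__47__}g;` does the same job without `/e`. sessioncgi continues outside the hunk.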
@@ -278,7 +278,7 @@ sub preprocess_inline (@) { #{{{
}
if (length $config{cgiurl} && defined $type) {
$template->param(have_actions => 1);
- $template->param(editurl => cgiurl(do => "edit", page => pagetitle($page, 1)));
+ $template->param(editurl => cgiurl(do => "edit", page => $page));
}
}
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index 5184be2df..c241fd40b 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -80,7 +80,7 @@ sub genpage ($$) { #{{{
my $actions=0;
if (length $config{cgiurl}) {
- $template->param(editurl => cgiurl(do => "edit", page => pagetitle($page, 1)));
+ $template->param(editurl => cgiurl(do => "edit", page => $page));
$template->param(prefsurl => cgiurl(do => "prefs"));
$actions++;
}
diff --git a/debian/NEWS b/debian/NEWS
index 80da496fb..4aac33b80 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,11 @@
+ikiwiki (2.52) unstable; urgency=low
+
+ All wikis need to be rebuilt on upgrade to this version. If you listed your
+ wiki in /etc/ikiwiki/wikilist this will be done automatically when the
+ Debian package is upgraded. Or use ikiwiki-mass-rebuild to force a rebuild.
+
+ -- Joey Hess <joeyh@debian.org> Sun, 06 Jul 2008 15:10:05 -0400
+
ikiwiki (2.49) unstable; urgency=low
The search plugin no longer uses hyperestraier. Instead, to use it you
diff --git a/debian/changelog b/debian/changelog
index e6ffa17de..1e82ee70c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,14 @@ ikiwiki (2.52) UNRELEASED; urgency=low
* toggle: Fix to work in preview mode.
* toggle: Add javascript to top of page, not to end. This avoids flicker
since closed toggles will not be displayed as the page is loading.
+ * The editpage form now uses the raw page name, not the page title, in its
+ 'page' cgi parameter. Using the title was ambiguous and made it
+ impossible to tell between some pages, like "foo/bar" and "foo__47__bar",
+ sometimes causing the wrong page to be edited.
+ * This change means that some edit links need to be updated.
+ Force a rebuild on upgrade to this version.
+ * Above change also allowed really fixing escaped slashes from the blogpost
+ form.
-- Joey Hess <joeyh@debian.org> Mon, 30 Jun 2008 19:56:28 -0400
diff --git a/debian/postinst b/debian/postinst
index 26c44a88b..0a836a0b2 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -4,7 +4,7 @@ set -e
# Change this when some incompatible change is made that requires
# rebuilding all wikis.
-firstcompat=2.30
+firstcompat=2.52
if [ "$1" = configure ] && \
dpkg --compare-versions "$2" lt "$firstcompat"; then
diff --git a/doc/bugs/CGI_edit_and_slash_in_page_title.mdwn b/doc/bugs/CGI_edit_and_slash_in_page_title.mdwn
index 9947a7cda..ec5763924 100644
--- a/doc/bugs/CGI_edit_and_slash_in_page_title.mdwn
+++ b/doc/bugs/CGI_edit_and_slash_in_page_title.mdwn
@@ -14,3 +14,5 @@ editing need to get in agreement on just how they're going to
escape slashes in a page title.
--Chapman Flack
+
+> bleh. [[Fixed|done]] --[[joey]]
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index 8f64da8f7..d052f0b98 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2008-07-02 18:08-0400\n"
+"POT-Creation-Date: 2008-07-06 15:30-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -24,7 +24,7 @@ msgstr ""
msgid "login failed, perhaps you need to turn on cookies?"
msgstr ""
-#: ../IkiWiki/CGI.pm:190 ../IkiWiki/CGI.pm:526
+#: ../IkiWiki/CGI.pm:190 ../IkiWiki/CGI.pm:525
msgid "Your login session has expired."
msgstr ""
@@ -44,30 +44,30 @@ msgstr ""
msgid "Preferences saved."
msgstr ""
-#: ../IkiWiki/CGI.pm:326
+#: ../IkiWiki/CGI.pm:325
#, perl-format
msgid "%s is not an editable page"
msgstr ""
-#: ../IkiWiki/CGI.pm:437 ../IkiWiki/Plugin/brokenlinks.pm:24
+#: ../IkiWiki/CGI.pm:436 ../IkiWiki/Plugin/brokenlinks.pm:24
#: ../IkiWiki/Plugin/inline.pm:266 ../IkiWiki/Plugin/opendiscussion.pm:17
#: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:95
#: ../IkiWiki/Render.pm:162
msgid "discussion"
msgstr ""
-#: ../IkiWiki/CGI.pm:493
+#: ../IkiWiki/CGI.pm:492
#, perl-format
msgid "creating %s"
msgstr ""
-#: ../IkiWiki/CGI.pm:511 ../IkiWiki/CGI.pm:539 ../IkiWiki/CGI.pm:549
-#: ../IkiWiki/CGI.pm:583 ../IkiWiki/CGI.pm:628
+#: ../IkiWiki/CGI.pm:510 ../IkiWiki/CGI.pm:538 ../IkiWiki/CGI.pm:548
+#: ../IkiWiki/CGI.pm:582 ../IkiWiki/CGI.pm:627
#, perl-format
msgid "editing %s"
msgstr ""
-#: ../IkiWiki/CGI.pm:722
+#: ../IkiWiki/CGI.pm:721
msgid "You are banned."
msgstr ""