-rw-r--r-- | IkiWiki.pm | 26 | ||||
-rw-r--r-- | IkiWiki/CGI.pm | 4 | ||||
-rw-r--r-- | IkiWiki/Plugin/recentchanges.pm | 6 | ||||
-rw-r--r-- | IkiWiki/Plugin/remove.pm | 4 | ||||
-rw-r--r-- | IkiWiki/Plugin/rename.pm | 4 | ||||
-rw-r--r-- | IkiWiki/Plugin/search.pm | 4 | ||||
-rw-r--r-- | IkiWiki/Plugin/websetup.pm | 4 | ||||
-rw-r--r-- | IkiWiki/Render.pm | 18 | ||||
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | po/underlay.setup | 1 | ||||
-rw-r--r-- | templates/page.tmpl | 2 |
11 files changed, 48 insertions, 26 deletions
diff --git a/IkiWiki.pm b/IkiWiki.pm index 33e4e1d1f..699ad13da 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -1745,10 +1745,10 @@ sub misctemplate ($$;@) { run_hooks(pagetemplate => sub { shift->(page => "", destpage => "", template => $template); }); + templateactions($template, ""); $template->param( dynamic => 1, - have_actions => 0, # force off title => $title, wikiname => $config{wikiname}, content => $content, @@ -1756,10 +1756,32 @@ sub misctemplate ($$;@) { html5 => $config{html5}, @_, ); - + return $template->output; } +sub templateactions ($$) { + my $template=shift; + my $page=shift; + + my $have_actions=0; + my @actions; + run_hooks(pageactions => sub { + push @actions, map { { action => $_ } } + grep { defined } shift->(page => $page); + }); + $template->param(actions => \@actions); + + if ($config{cgiurl} && exists $hooks{auth}) { + $template->param(prefsurl => cgiurl(do => "prefs")); + $have_actions=1; + } + + if ($have_actions || @actions) { + $template->param(have_actions => 1); + } +} + sub hook (@) { my %param=@_; diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index b98e9e0a1..28020b500 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -247,7 +247,9 @@ sub cgi_prefs ($$) { $form->text(gettext("Preferences saved.")); } - showform($form, $buttons, $session, $q); + showform($form, $buttons, $session, $q, + prefsurl => "", # avoid showing the preferences link + ); } sub cgi_custom_failure ($$$) { diff --git a/IkiWiki/Plugin/recentchanges.pm b/IkiWiki/Plugin/recentchanges.pm index 5c7b71aaa..e546e4702 100644 --- a/IkiWiki/Plugin/recentchanges.pm +++ b/IkiWiki/Plugin/recentchanges.pm 
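Review bot: Calling `templateactions($template, "")` before the `$template->param(... @_)` block lets a caller override `prefsurl` but not the `have_actions` flag that templateactions set together with it, so a caller that blanks the link (the CGI.pm hunk passes `prefsurl => ""` from cgi_prefs, presumably forwarded through showform to misctemplate) still ends up with `have_actions => 1` and, unless another action is present, an empty actions container in page.tmpl. Either such callers should also pass `have_actions => 0`, or templateactions should not raise the flag for the prefs link alone. The removed `have_actions => 0, # force off` line used to guarantee no actions on dynamic pages; that guarantee is gone and the reason belongs in a comment, e.g. `# Actions (prefs link, pageactions hooks) now appear on dynamic pages too; caller params in @_ override them.` The body of misctemplate begins before this hunk.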
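Review bot: The new `templateactions` sub has no header comment, and its contract — it overwrites the `actions` and `prefsurl` template params, raises `have_actions` only when it added something, and is called with `""` as the page from misctemplate — cannot be read off the call sites. Add a comment above the sub such as `# Fill in actions (pageactions hook output), prefsurl and have_actions on a page template; $page is "" for dynamic pages generated by misctemplate.` The `page => ""` value now reaches every pageactions hook for dynamic pages, which hook authors may not have anticipated, so that detail is worth stating explicitly in the same comment.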
@@ -60,15 +60,15 @@ sub refresh ($) { } } -# Enable the recentchanges link on wiki pages. +# Enable the recentchanges link. sub pagetemplate (@) { my %params=@_; my $template=$params{template}; my $page=$params{page}; if (defined $config{recentchangespage} && $config{rcs} && - $page ne $config{recentchangespage} && - $template->query(name => "recentchangesurl")) { + $template->query(name => "recentchangesurl") && + $page ne $config{recentchangespage}) { $template->param(recentchangesurl => urlto($config{recentchangespage}, $page)); $template->param(have_actions => 1); } diff --git a/IkiWiki/Plugin/remove.pm b/IkiWiki/Plugin/remove.pm index a46294e78..d23b2cc10 100644 --- a/IkiWiki/Plugin/remove.pm +++ b/IkiWiki/Plugin/remove.pm @@ -107,6 +107,8 @@ sub confirmation_form ($$) { fields => [qw{do page}], ); + $f->field(name => "sid", type => "hidden", value => $session->id, + force => 1); $f->field(name => "do", type => "hidden", value => "remove", force => 1); return $f, ["Remove", "Cancel"]; @@ -188,6 +190,8 @@ sub sessioncgi ($$) { postremove($session); } elsif ($form->submitted eq 'Remove' && $form->validate) { + IkiWiki::checksessionexpiry($q, $session, $q->param('sid')); + my @pages=$form->field("page"); # Validate removal by checking that the page exists, diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm index 537e91317..0da90a538 100644 --- a/IkiWiki/Plugin/rename.pm +++ b/IkiWiki/Plugin/rename.pm @@ -131,6 +131,8 @@ sub rename_form ($$$) { ); $f->field(name => "do", type => "hidden", value => "rename", force => 1); + $f->field(name => "sid", type => "hidden", value => $session->id, + force => 1); $f->field(name => "page", type => "hidden", value => $page, force => 1); $f->field(name => "new_name", value => pagetitle($page, 1), size => 60); if (!$q->param("attachment")) { 
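Review bot: The hidden `sid` field places the session id itself into the page body as the anti-forgery value, here and in the matching rename_form hunk in rename.pm; `force => 1` is what stops a submitted `sid` from replacing it, and that intent deserves a comment, e.g. `# Session id doubles as an XSRF token; force so a submitted value cannot override it.` Since the session id now appears in rendered HTML, anything that logs or echoes form contents would expose it; a separate per-session random token would keep the two apart. The rest of confirmation_form lies outside the hunk.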
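Review bot: `$q->param('sid')` is evaluated in list context as a call argument, so a missing parameter passes no third argument and a repeated one passes several; `IkiWiki::checksessionexpiry($q, $session, scalar $q->param('sid'));` makes the intended single value explicit, and the same applies to the sessioncgi hunk in rename.pm. The guard also relies on checksessionexpiry aborting on mismatch rather than returning a status — its body is not in this diff, so that assumption should be confirmed. Only the 'Remove' submission branch is guarded; the postremove branch just above starts outside the hunk and cannot be assessed here.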
@@ -286,6 +288,8 @@ sub sessioncgi ($$) { postrename($session); } elsif ($form->submitted eq 'Rename' && $form->validate) { + IkiWiki::checksessionexpiry($q, $session, $q->param('sid')); + # Queue of rename actions to perfom. my @torename; diff --git a/IkiWiki/Plugin/search.pm b/IkiWiki/Plugin/search.pm index cc26b7ac1..ff5d0ccbe 100644 --- a/IkiWiki/Plugin/search.pm +++ b/IkiWiki/Plugin/search.pm @@ -228,7 +228,9 @@ sub setupfiles () { # Avoid omega interpreting anything in the misctemplate # as an omegascript command. - my $misctemplate=IkiWiki::misctemplate(gettext("search"), "\0"); + my $misctemplate=IkiWiki::misctemplate(gettext("search"), "\0", + searchform => "", # avoid showing the small search form + ); eval q{use HTML::Entities}; error $@ if $@; $misctemplate=encode_entities($misctemplate, '\$'); diff --git a/IkiWiki/Plugin/websetup.pm b/IkiWiki/Plugin/websetup.pm index 9cb5eb13c..c4b75c4b3 100644 --- a/IkiWiki/Plugin/websetup.pm +++ b/IkiWiki/Plugin/websetup.pm @@ -450,8 +450,8 @@ sub showform ($$) { IkiWiki::unlockwiki(); # Print the top part of a standard misctemplate, - # then show the rebuild or refresh. - my $divider="xxx"; + # then show the rebuild or refresh, live. + my $divider="\0"; my $html=IkiWiki::misctemplate("setup", $divider); IkiWiki::printheader($session); my ($head, $tail)=split($divider, $html, 2); diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm index 8b1b9aef4..833fcaaff 100644 --- a/IkiWiki/Render.pm +++ b/IkiWiki/Render.pm @@ -84,19 +84,14 @@ sub genpage ($$) { $template=template('page.tmpl', blind_cache => 1); } - my $actions=0; + my $actions=0; if (length $config{cgiurl}) { if (IkiWiki->can("cgi_editpage")) { $template->param(editurl => cgiurl(do => "edit", page => $page)); $actions++; } - if (exists $hooks{auth}) { - $template->param(prefsurl => cgiurl(do => "prefs")); - $actions++; - } } - if (defined $config{historyurl} && length $config{historyurl}) { my $u=$config{historyurl}; $u=~s/\[\[file\]\]/$pagesources{$page}/g; 
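Review bot: `split($divider, $html, 2)` compiles `$divider` as a regular expression, so the new `"\0"` value works only because a NUL byte is regex-neutral; `split(/\Q$divider\E/, $html, 2)` states that the divider is literal and survives any future change to it. The change also assumes the NUL passes through misctemplate unescaped, which the search plugin's hunk appears to rely on as well but is not shown here. A short comment would record the reason for the switch from `"xxx"`: `# unlike "xxx", a NUL byte cannot collide with template text, so it is a safe split point.` showform continues beyond the hunk.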
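Review bot: genpage tests `length $config{cgiurl}` while the new templateactions in IkiWiki.pm tests `$config{cgiurl}` for truth; the two differ only for a cgiurl of `"0"`, but the prefs-link logic just moved from one to the other and should keep the same test, `if (length $config{cgiurl} && exists $hooks{auth}) {` in templateactions. The `- my $actions=0;` / `+ my $actions=0;` pair differs only in whitespace, which is invisible in this rendering; confirm the replacement line carries the indentation the rest of the file uses. genpage continues beyond the hunk.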
@@ -111,17 +106,10 @@ sub genpage ($$) { $actions++; } } - - my @actions; - run_hooks(pageactions => sub { - push @actions, map { { action => $_ } } - grep { defined } shift->(page => $page); - }); - $template->param(actions => \@actions); - - if ($actions || @actions) { + if ($actions) { $template->param(have_actions => 1); } + templateactions($template, $page); my @backlinks=sort { $a->{page} cmp $b->{page} } backlinks($page); my ($backlinks, $more_backlinks); diff --git a/debian/changelog b/debian/changelog index e6c5e42ae..a09c8e228 100644 --- a/debian/changelog +++ b/debian/changelog @@ -30,6 +30,7 @@ ikiwiki (3.20100505) UNRELEASED; urgency=low (And also negative years.) * calendar: Display year in title of month calendar. * Use xhtml friendly pubdate setting. + * remove, rename: Add guards against XSRF attacks. -- Joey Hess <joeyh@debian.org> Wed, 05 May 2010 18:07:29 -0400 diff --git a/po/underlay.setup b/po/underlay.setup index c34045981..8d3516cff 100644 --- a/po/underlay.setup +++ b/po/underlay.setup @@ -24,6 +24,7 @@ use IkiWiki::Setup::Standard { # we don't want to pull in the normal underlays underlaydirbase => "underlays/empty", underlaydir => "underlays/empty", + disable_plugins => [qw{openid}], # needs special underlay discussion => 0, locale => '', verbose => 1, diff --git a/templates/page.tmpl b/templates/page.tmpl index 3bb7197f0..f7944e40e 100644 --- a/templates/page.tmpl +++ b/templates/page.tmpl @@ -48,11 +48,9 @@ </TMPL_IF> </span> </span> -<TMPL_UNLESS DYNAMIC> <TMPL_IF SEARCHFORM> <TMPL_VAR SEARCHFORM> </TMPL_IF> -</TMPL_UNLESS> <TMPL_IF HTML5></header><TMPL_ELSE></div></TMPL_IF> <TMPL_IF HAVE_ACTIONS> |
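Review bot: After this hunk `have_actions` is raised in two places — here from `$actions` (the edit and history links) and inside templateactions for the prefs link and pageactions output — and neither site says so, which makes the split easy to break on the next edit. A comment before the call, `# templateactions adds the prefs link and pageactions hook output and sets have_actions itself when it adds any.`, records the division of labour. The removed pageactions block now runs from templateactions, still after the edit and history params are set, so the prior ordering is preserved. genpage continues beyond the hunk.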