| Commit message (Expand) | Author | Age |
|---|
| ... | |
| * | let's move the access keys discussion out to the todo item about it | Joey Hess | 2008-04-10 |
| * | correct the command line used to generate the favicon | Joey Hess | 2008-04-10 |
| * | correct utf-8 damage introduced by jblevins's modification of this page | Joey Hess | 2008-04-10 |
| * | change wording | Joey Hess | 2008-04-10 |
| * | response | Joey Hess | 2008-04-10 |
| * | Give the full path to the hyperestraier helpfile in estseek.conf. | Joey Hess | 2008-04-10 |
| * | Use bzr --quiet to avoid it outputting stuff and messing up http headers. (Sc... | Joey Hess | 2008-04-10 |
| * | Fix broken rcs_update for bzr. (Scott Bronson) | Joey Hess | 2008-04-10 |
| * | Fix missing import of escapeHTML in userlink. (Scott Bronson) | Joey Hess | 2008-04-10 |
| * | response | Joey Hess | 2008-04-10 |
| * | add news item for ikiwiki 2.42 | Joey Hess | 2008-04-10 |
| * | releasing version 2.42 | Joey Hess | 2008-04-10 |
| * | Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info | Joey Hess | 2008-04-10 |
| |\ |
|
| | * | web commit by http://joey.kitenet.net/: test | Joey Hess | 2008-04-10 |
| * | | perl dumping core is not an ikiwiki bug, sorry | Joey Hess | 2008-04-10 |
| * | | Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info | Joey Hess | 2008-04-10 |
| |\| |
|
| | * | web commit by http://joey.kitenet.net/: oops :-) | Joey Hess | 2008-04-10 |
| | * | web commit by http://joey.kitenet.net/ | Joey Hess | 2008-04-10 |
| | * | web commit by ScottSwalwell: Fixed my fix. | Joey Hess | 2008-04-10 |
| | * | web commit by ScottSwalwell: Fixed this link. | Joey Hess | 2008-04-10 |
| | * | web commit by cjb: Fixed URL | Joey Hess | 2008-04-10 |
| | * | web commit by cjb: Tagged | Joey Hess | 2008-04-10 |
| | * | web commit by cjb: Suggested patch for 302 redirect after page creation when ... | Joey Hess | 2008-04-10 |
| * | | Fix CSRF attacks against the preferences and edit forms. Closes: #475445•••The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.
In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.
In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.
For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)
The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
| Joey Hess | 2008-04-10 |
| * | | fix what I think is a typo | Joey Hess | 2008-04-10 |
| |/ |
|
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/: poll vote (Accept only OpenID for lo... | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-09 |
| * | web commit by ittayd | Joey Hess | 2008-04-08 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-08 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-08 |
| * | web commit by http://sabr.myopenid.com/ | Joey Hess | 2008-04-08 |
| * | Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info | Joey Hess | 2008-04-08 |
| |\ |
|
| | * | web commit by cjb: Trivial syntax bug. | Joey Hess | 2008-04-08 |
| * | | web commit by http://xayk.net/•••(cherry picked from commit 146b3d9ac2754112e7c6c63f7c2e783ac2bf4dbe)
| Joey Hess | 2008-04-08 |
| * | | web commit by http://sabr.myopenid.com/•••(cherry picked from commit 8e4a0640c591df95810fe94ab62521030134823b)
| Joey Hess | 2008-04-08 |
| |/ |
|
| * | web commit by http://cstork.org/: poll vote (Accept only OpenID for logins) | Joey Hess | 2008-04-04 |