| Commit message (Expand) | Author | Age |
|---|
| * | Prune git remotes that are unreachable or unresponsive | Simon McVittie | 2016-12-29 |
| * | git: Add test coverage for reverting attachments | Simon McVittie | 2016-12-28 |
| * | git: write proposed attachment to temp file without going via system() | Simon McVittie | 2016-12-28 |
| * | git: change calling convention of safe_git to have named arguments | Simon McVittie | 2016-12-28 |
| * | git: Do the revert operation in a secondary working tree•••This avoids leaving the git directory in an inconsistent state if the
host system is rebooted while we are processing a revert.
| Simon McVittie | 2016-12-28 |
| * | git: Turn $git_dir into a stack•••This will be necessary when we use a secondary working tree to do
reverts without leaving the primary working tree in an inconsistent
state.
| Simon McVittie | 2016-12-28 |
| * | Add automated test for using the CGI with git, including CVE-2016-10026 | Simon McVittie | 2016-12-28 |
| * | Try revert operations (on a branch) before approving them•••Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().
It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.
OVE-20161226-0002
| Simon McVittie | 2016-12-28 |
| * | Revert "Tell `git revert` not to follow renames"•••This doesn't work prior to git 2.8: `git revert` silently ignores the
option and succeeds. We will have to fix CVE-2016-10026 some other way.
This reverts commit 9cada49ed6ad24556dbe9861ad5b0a9f526167f9.
| Simon McVittie | 2016-12-28 |
| * | Force CGI::FormBuilder->field to scalar context where necessary•••CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.
This prevents two (relatively minor) commit metadata forgery
vulnerabilities:
* In the comments plugin, an attacker who was able to post a comment
could give it a user-specified author and author-URL even if the wiki
configuration did not allow for that, by crafting multiple values
to other fields.
* In the editpage plugin, an attacker who was able to edit a page
could potentially forge commit authorship by crafting multiple values
for the rcsinfo field.
The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.
OVE-20161226-0001
| Simon McVittie | 2016-12-28 |
| * | git: do not fail to commit if committer is anonymous | Simon McVittie | 2016-12-28 |
| * | git: don't issue a warning if rcsinfo is undefined•••The intention here seems to be that $prev may be undefined, and the
only way that can legitimately happen is for $params{token} to be
undefined too.
| Simon McVittie | 2016-12-28 |
| * | git_revert test: reinstate ikiwiki.setup, and make it work uninstalled•••Previously it was relying on running with an installed ikiwiki
and being able to copy in recentchanges.mdwn and wikiicons/ from the
underlay in /usr. The underlay in ./underlays/basewiki can't be used
(yet) because ikiwiki doesn't allow following symlinks, even from
underlays.
I'd like to make ikiwiki follow symlinks whose destinations can be
verified to be safe (for example making it willing to expose
/usr/share/javascript to the web, but not /etc/passwd), at least from
underlays, but this is security-sensitive so I'm not going to rush
into it.
| Simon McVittie | 2016-12-28 |
| * | Added a comment | spalax | 2016-12-26 |
| * | Added a comment | smcv | 2016-12-26 |
| * | Question about default timezone ":/etc/localtime" | spalax | 2016-12-25 |
| * | Add CVE references for CVE-2016-10026 | Simon McVittie | 2016-12-21 |
| * | Replied. | intrigeri | 2016-12-20 |
| * | Announce 3.20161219 | Simon McVittie | 2016-12-19 |
| * | Release 3.20161219 | Simon McVittie | 2016-12-19 |
| * | mention security contacts here too | smcv | 2016-12-19 |
| * | Opt in to whatever spam this may bring. | Amitai Schleier | 2016-12-19 |
| * | changelog | Simon McVittie | 2016-12-19 |
| * | Make pagestats output more deterministic.•••Sort in lexical order the pages that have the same number of hits.
| intrigeri | 2016-12-19 |
| * | Update changelog | Simon McVittie | 2016-12-19 |
| * | Restrict CSS matches on .header to not affect <tr>•••Pandoc generates <tr class="header"> to hold <th> elements, and
we don't want to make those be display: block.
Signed-off-by: Simon McVittie <smcv@debian.org>
| Simon McVittie | 2016-12-19 |
| * | List security contacts•••We still don't have a security@ alias; listing personal emails is
unfortunately the next-best thing.
| Simon McVittie | 2016-12-19 |
| * | Add a manual test for reverting git commits•••Signed-off-by: Simon McVittie <smcv@debian.org>
| Simon McVittie | 2016-12-19 |
| * | Tell `git revert` not to follow renames•••Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().
Signed-off-by: Simon McVittie <smcv@debian.org>
| Simon McVittie | 2016-12-19 |
| * | Added a comment: no, not supported | smcv | 2016-12-19 |
| * | rename bugs/img_tag_should_support_relative_size.mdwn to todo/img_tag_should_... | smcv | 2016-12-19 |
| * | Not possible as stated, but could be adapted into a valid feature request | smcv | 2016-12-19 |
| * | (no commit message) | smcv | 2016-12-19 |
| * | cgitemplate: actually remove dead code•••Signed-off-by: Simon McVittie <smcv@debian.org>
| Simon McVittie | 2016-12-19 |
| * | cgitemplate: remove dead code•••blipvert points out in [[bugs/use of $topurl in cgitemplate]] that this
variable has not been used since commit a052771
"Now that we're always using HTML5, <base href> can be relative".
Signed-off-by: Simon McVittie <smcv@debian.org>
| Simon McVittie | 2016-12-19 |
| * | Report authorization bypass via RCS revert. | intrigeri | 2016-12-17 |
| * | (no commit message) | blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 | 2016-12-14 |
| * | (no commit message) | blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 | 2016-12-14 |
| * | (no commit message) | blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 | 2016-12-14 |
| * | (no commit message) | jeff+ikiwiki@b5854f0ab9935492e3dfefa98419b6530c92b049 | 2016-11-26 |
| * | pagestats determinism: report bug + patch. | intrigeri | 2016-11-20 |
| * | svetlana.nfshost | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2016-11-17 |
| * | Added custom solution | Juego | 2016-11-16 |
| * | rename forum/FastCGI_problem_on_Arch.mdwn to forum/__91__Solved__93__FastCGI_... | Juego | 2016-11-16 |
| * | Update my personal site URL. | Amitai Schleier | 2016-11-12 |
| * | update my site links. | james@2468840dc8f314e837e1fde99a5fb1b884fa993a | 2016-11-12 |
| * | Added a comment | openmedi | 2016-11-10 |
| * | Added a comment | openmedi | 2016-11-10 |
| * | (no commit message) | openmedi | 2016-11-10 |
| * | Added a comment | openmedi | 2016-11-06 |