| Commit message | Author | Age | Notes |
|---|---|---|---|
| Drop unused python-support dependency | Simon McVittie | 2014-10-16 | |
| changelog so far | Simon McVittie | 2014-10-16 | |
| build-depend on libcgi-pm-perl too, for tests | Simon McVittie | 2014-10-16 | |
| Explicitly depend on CGI.pm, which is no longer in Perl core | Simon McVittie | 2014-10-16 | I was going to depend on the version that has CGI->param_fetch, but that has been supported since 2.37, which is older than oldstable. |
| IkiWiki::Plugin::openid: as a precaution, do not call non-coderefs | Amitai Schlair | 2014-10-16 | We're running under "use strict" here, so if CGI->param's array-context misbehaviour passes an extra non-ref parameter, it shouldn't be executed anyway... but it's as well to be safe. [commit message added by smcv] |
| Call CGI->param_fetch instead of CGI->param in array context | Amitai Schlair | 2014-10-16 | CGI->param has the misfeature that it is context-sensitive, and in particular can expand to more than one scalar in function calls. This led to a security vulnerability in Bugzilla, and recent versions of CGI.pm will warn when it is used in this way. In the situations where we do want to cope with more than one parameter of the same name, CGI->param_fetch (which always returns an array-reference) makes the intention clearer. [commit message added by smcv] |
| Make sure we do not pass multiple CGI parameters in function calls | Simon McVittie | 2014-10-16 | When CGI->param is called in list context, such as in function parameters, it expands to all the potentially multiple values of the parameter: for instance, if we parse query string a=b&a=c&d=e and call func($cgi->param('a')), that's equivalent to func('b', 'c'). Most of the functions we're calling do not expect that. I do not believe this is an exploitable security vulnerability in ikiwiki, but it was exploitable in Bugzilla. |
| Added a comment: It was an Apache problem... | https://www.google.com/accounts/o8/id?id=AItOawk8U772S3jDrZJCO0WA5WaDLjJv5mMl6Yw | 2014-10-16 | |
| branch | smcv | 2014-10-16 | |
| comment | smcv | 2014-10-16 | |
| Replace PayPal and Flattr buttons with text links | Simon McVittie | 2014-10-16 | In particular, this avoids loading third-party resources from the offline documentation (see <https://lintian.debian.org/tags/privacy-breach-donation.html>). |
| mention pagespec_alias patches | http://anastigmatix.net/ | 2014-10-15 | |
| Added a comment | smcv | 2014-10-15 | |
| Added a comment | smcv | 2014-10-15 | |
| Added a comment | openmedi | 2014-10-15 | |
| Added a comment | https://www.google.com/accounts/o8/id?id=AItOawlcaGfdn9Kye1Gc8aGb67PDVQW4mKbQD7E | 2014-10-15 | |
| Added a comment | openmedi | 2014-10-15 | |
| (no commit message) | https://www.google.com/accounts/o8/id?id=AItOawmbuZI4n1RsTe3Yeaqb5F-yhtR7a8BWEIE | 2014-10-15 | |
| as usual, macports hasn't moved | Amitai Schlair | 2014-10-14 | |
| Added a comment | https://www.google.com/accounts/o8/id?id=AItOawlcaGfdn9Kye1Gc8aGb67PDVQW4mKbQD7E | 2014-10-14 | |
| (no commit message) | https://www.google.com/accounts/o8/id?id=AItOawlobQ5j7hQVIGkwMWW3yKB_DWqthJcpnsQ | 2014-10-14 | |
| Added a comment | https://www.google.com/accounts/o8/id?id=AItOawlcaGfdn9Kye1Gc8aGb67PDVQW4mKbQD7E | 2014-10-14 | |
| one report suffices; not yet clear there's a bug | Amitai Schlair | 2014-10-14 | |
| (no commit message) | https://www.google.com/accounts/o8/id?id=AItOawk8U772S3jDrZJCO0WA5WaDLjJv5mMl6Yw | 2014-10-14 | |
| (no commit message) | https://www.google.com/accounts/o8/id?id=AItOawk8U772S3jDrZJCO0WA5WaDLjJv5mMl6Yw | 2014-10-14 | |
| clarify | Amitai Schlair | 2014-10-13 | |
| findings and questions | Amitai Schlair | 2014-10-13 | |
| Do not pass ignored sid parameter to checksessionexpiry | Simon McVittie | 2014-10-12 | checksessionexpiry's signature changed from (CGI::Session, CGI->param('sid')) to (CGI, CGI::Session) in commit 985b229b, but editpage still passed the sid as a useless third parameter, and this was later cargo-culted into remove, rename and recentchanges. |
| comments: don't log remote IP address for signed-in users | Simon McVittie | 2014-10-12 | The intention was that signed-in users (for instance via httpauth, passwordauth or openid) are already adequately identified, but there's nothing to indicate who an anonymous commenter is unless their IP address is recorded. |
| google search plugin: use https for the search | Simon McVittie | 2014-10-12 | |
| default User-Agent changed | smcv | 2014-10-12 | |
| Set default User-Agent to something that doesn't mention libwww-perl | Simon McVittie | 2014-10-12 | It appears that both the open-source and proprietary rulesets for ModSecurity default to blacklisting requests that say they are from libwww-perl, presumably because some script kiddies use libwww-perl and are too inept to set a User-Agent that is "too big to blacklist", like Chrome or the iPhone browser or something. This seems doomed to failure but whatever. |
| removed | smcv | 2014-10-12 | |
| Added a comment | smcv | 2014-10-12 | |
| help Markdown make a list | Amitai Schlair | 2014-10-12 | |
| Added a comment: fixed in a recent release, I think | https://www.google.com/accounts/o8/id?id=AItOawlcaGfdn9Kye1Gc8aGb67PDVQW4mKbQD7E | 2014-10-12 | |
| (no commit message) | openmedi | 2014-10-12 | |
| Replace shebang paths with the build-time $(PERL). | Amitai Schlair | 2014-10-12 | On non-Debian systems, /usr/bin/perl might not be the best available Perl interpreter. Use whichever perl was used to run Makefile.PL, unless it was "/usr/bin/perl", in which case there's nothing to do. |
| Extract test subs for each site. No change meant. | Amitai Schlair | 2014-10-12 | |
| Extract run_cgi(). No functional change intended. | Amitai Schlair | 2014-10-12 | |
| Extract check_generated_content(). Same output. | Amitai Schlair | 2014-10-11 | |
| Extract check_cgi_mode_bits(). No change intended. | Amitai Schlair | 2014-10-10 | |
| Extract thoroughly_rebuild(), a slight test change. | Amitai Schlair | 2014-10-10 | I didn't try to parameterize when a test should fail when we can't remove ikiwiki.cgi because there already isn't one. (Hooray, natural language.) Instead, we stop worrying about it and always tolerate ENOENT. |
| Extract write_setup_file(). No functional change. | Amitai Schlair | 2014-10-10 | Test output differs only by the line numbers of the TODO items. |
| (no commit message) | https://www.google.com/accounts/o8/id?id=AItOawmbuZI4n1RsTe3Yeaqb5F-yhtR7a8BWEIE | 2014-10-09 | |
| clarify further | smcv | 2014-10-09 | |
| clarify | smcv | 2014-10-09 | |
| That's not how that directive is used, and if you want to try stuff out please edit the sandbox instead | smcv | 2014-10-09 | This reverts commit 856819a733d90a2ca259a5a3b03cc5d84f72e931 |
| (no commit message) | https://www.google.com/accounts/o8/id?id=AItOawnquaJWYPCmQoY-kgn8wH1Ey7WOCB6zcRY | 2014-10-09 | |
| (no commit message) | tarojiro | 2014-10-08 | |