aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* img: make img_allowed_formats case-insensitiveSimon McVittie2016-05-07
|
* inline: expand show=N backwards compatibility to negative NSimon McVittie2016-05-06
| | | | | [[plugins/contrib]] uses show=-1 to show the post-creation widget without actually inlining anything.
* Add CVE referenceSimon McVittie2016-05-06
|
* respondsmcv2016-05-06
|
* use intended filenameSimon McVittie2016-05-06
|
* escape directive properly; add paragraph breakssmcv2016-05-06
|
* rename ↵smcv2016-05-06
| | | | todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn to bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
* already fixedsmcv2016-05-06
|
* Announce 3.20160506Simon McVittie2016-05-06
|
* Merge remote-tracking branch 'origin/master'Simon McVittie2016-05-06
|\
| * (no commit message)florian@883672f3f4dbd3c6bb430afc661484a58a3a12962016-05-06
| |
* | 3.20160506Simon McVittie2016-05-06
| |
* | Exclude users/* from the HTML documentationSimon McVittie2016-05-06
| |
* | Do not recommend mimetype(image/*)Simon McVittie2016-05-06
| | | | | | | | | | | | Not all image file types are safe for general use: in particular, image/svg+xml is known to be vulnerable to CVE-2016-3714 under some ImageMagick configurations.
* | Document the security fixes in this releaseSimon McVittie2016-05-06
| |
* | update test suite for svg passthrough by img directiveJoey Hess2016-05-06
| | | | | | | | | | Remove build dependency libmagickcore-6.q16-2-extra which was only there for this test.
* | img: Add back support for SVG images, bypassing ImageMagick and simply ↵Simon McVittie2016-05-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | passing the SVG through to the browser SVG scaling by img directives has subtly changed; where before size=wxh would preserve aspect ratio, this cannot be done when passing them through and so specifying both a width and height can change the SVG's aspect ratio. (This patch looks significantly more complex than it was, because a large block of code had to be indented.) [smcv: drop trailing whitespace, fix some spelling]
* | changelog for smcv's security fixesJoey Hess2016-05-06
| | | | | | | | [smcv: omit a change that was already in 3.20160514]
* | img: check magic number before giving common formats to ImageMagickSimon McVittie2016-05-05
| | | | | | | | | | This mitigates CVE-2016-3714 and similar vulnerabilities by avoiding passing obviously-wrong input to ImageMagick decoders.
* | img: restrict to JPEG, PNG and GIF images by defaultSimon McVittie2016-05-05
| | | | | | | | | | | | This mitigates CVE-2016-3714. Wiki administrators who know that they have prevented arbitrary code execution via other formats can re-enable the other formats if desired.
* | img: force common Web formats to be interpreted according to extensionSimon McVittie2016-05-05
| | | | | | | | | | | | | | | | A site administrator might unwisely set allowed_attachments to something like '*.jpg or *.png'; if they do, an attacker could attach, for example, a SVG file named attachment.jpg. This mitigates CVE-2016-3714.
* | HTML-escape error messages (OVE-20160505-0012)Simon McVittie2016-05-05
|/ | | | | | | | | | | | The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename. (OVE-20160505-0012) The instances in preprocess() is just correctness. It is not a cross-site scripting attack, because an attacker could equally well write the desired HTML themselves; the sanitize hook is what protects us from cross-site scripting here.
* all goodhttps://id.koumbit.net/anarcat2016-05-04
|
* (no commit message)smcv2016-05-04
|
* response: confirmation it's a bug in MMD and Discount doesn't have ↵https://id.koumbit.net/anarcat2016-05-04
| | | | footnotes, and request for workaround
* discount (as used on this wiki) can do footnotes, but they aren't enabled by ↵smcv2016-05-04
| | | | ikiwiki
* responsesmcv2016-05-04
|
* responseJoey Hess2016-05-02
|
* (no commit message)https://id.koumbit.net/anarcat2016-04-29
|
* responsehttps://id.koumbit.net/anarcat2016-04-28
|
* Merge branch 'master' of ssh://git.ikiwiki.infoJoey Hess2016-04-28
|\
| * (no commit message)https://id.koumbit.net/anarcat2016-04-28
| |
| * http/https issuehttps://id.koumbit.net/anarcat2016-04-28
| |
* | responseJoey Hess2016-04-28
| |
* | Merge remote-tracking branch 'origin/master'Joey Hess2016-04-28
|\|
| * smaller is too small for large blocksAntoine Beaupré2016-04-26
| |
| * fix typo and commentAntoine Beaupré2016-04-26
| |
| * new CSS bugAntoine Beaupré2016-04-26
| |
| * explain footnoteshttps://id.koumbit.net/anarcat2016-04-26
| |
| * Changed the expired domain and added questiondesci2016-04-18
| |
| * Fixed dead link.RickHanson2016-04-17
| |
| * add screenshotAntoine Beaupré2016-04-15
| |
| * fix typosAntoine Beaupré2016-04-15
| |
| * announce the admonition pluginAntoine Beaupré2016-04-15
| |
| * elaborate copyright investigation. ugh.Antoine Beaupré2016-04-15
| |
| * responseAntoine Beaupré2016-04-15
| |
| * can't login againAntoine Beaupré2016-04-15
| |
| * escapesmcv2016-04-15
| |
| * templates are another way to do thissmcv2016-04-15
| |
| * (no commit message)smcv2016-04-15
| |