Commit message | Author | Age | ||
---|---|---|---|---|
... | ||||
* | test test blah blah | kw_ikiwiki1@64633d204c198f52735247ca119bddbcbfaafdef | 2017-03-07 | |
| | ||||
* | speed up commenting by optionally providing a comment form in static pages | jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 | 2017-03-03 | |
| | ||||
* | Added a comment | jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 | 2017-03-03 | |
| | ||||
* | Added a comment | jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 | 2017-03-03 | |
| | ||||
* | my github mirror of ikiwiki has been deleted due to their horrible anti-free-software TOS | Joey Hess | 2017-03-01 | |
* | Added a comment | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-21 | |
| | ||||
* | +aka use page/index.mdwn source files | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-21 | |
| | ||||
* | Added a comment | smcv | 2017-02-21 | |
| | ||||
* | Added a comment | smcv | 2017-02-21 | |
| | ||||
* | Added a comment | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-20 | |
| | ||||
* | Added a comment | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-20 | |
| | ||||
* | Added a comment | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-20 | |
| | ||||
* | Added a comment | openmedi | 2017-02-20 | |
| | ||||
* | Added a comment | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-19 | |
| | ||||
* | removed | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-19 | |
| | ||||
* | Added a comment | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-19 | |
| | ||||
* | Merge branch 'master' of git://ikiwiki.branchable.com | Louis | 2017-02-18 | |
|\ | ||||
| * | (no commit message) | krqt.kndy@eb44788e4eb202f3e68eeb8ba175d3897c3979a9 | 2017-02-17 | |
| | | ||||
* | | Update my (spalax) information | Louis | 2017-02-18 | |
| | | ||||
* | | Apology about the poor choice for the name of the sidebar2 plugin | Louis | 2017-02-18 | |
| | | ||||
* | | New plugin: verboserpc | Louis | 2017-02-18 | |
| | | ||||
* | | New plugin: pageversion | Louis | 2017-02-18 | |
| | | ||||
* | | New plugin: redirect | Louis | 2017-02-18 | |
|/ | ||||
* | Added a comment | vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40 | 2017-02-10 | |
| | ||||
* | Added a comment | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-09 | |
| | ||||
* | Added a comment | smcv | 2017-02-09 | |
| | ||||
* | (no commit message) | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-09 | |
| | ||||
* | +update broken uris | svetlana | 2017-02-07 | |
| | ||||
* | (no commit message) | svetlana | 2017-02-07 | |
| | ||||
* | Confuses a map | svetlana | 2017-02-07 | |
| | ||||
* | (no commit message) | svetlana | 2017-02-06 | |
| | ||||
* | removed | svetlana | 2017-02-05 | |
| | ||||
* | (no commit message) | svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 | 2017-02-05 | |
| | ||||
* | change `pwd` to $HOME so assumptions are met even if you cd elsewhere | smcv | 2017-02-03 | |
| | ||||
* | No longer using ikiwiki | me@4eb1b66f86170ba2ff0690b93ad01f46bfc8eac4 | 2017-02-03 | |
| | ||||
* | (no commit message) | smcv | 2017-01-26 | |
| | ||||
* | Does not show up in the setup | svetlana | 2017-01-24 | |
| | ||||
* | * [[guppy|http://guppy.branchable.com]] an internationalized modular Python IRC bot | svetlana | 2017-01-18 | |
* | Added a comment | smcv | 2017-01-18 | |
| | ||||
* | Added a comment: Do that through your web server, not ikiwiki | smcv | 2017-01-18 | |
| | ||||
* | (no commit message) | openmedi | 2017-01-17 | |
| | ||||
* | Note another Debian 8 backport | Simon McVittie | 2017-01-12 | |
| | ||||
* | Fix typo | Simon McVittie | 2017-01-11 | |
| | ||||
* | Release 3.20170111 | Simon McVittie | 2017-01-11 | |
| | ||||
* | Document the security fix soon to be released in 3.20170111 | Simon McVittie | 2017-01-11 | |
| | ||||
* | remove: make it clearer that repeated page parameter is OK here | Simon McVittie | 2017-01-11 | |
| | ikiwiki's web interface does not currently have UI for removing multiple pages simultaneously, but the remove plugin is robust against doing so. Use a clearer idiom to make that obvious. | |||
* | CGI, attachment, passwordauth: harden against repeated parameters | Simon McVittie | 2017-01-11 | |
| | These instances of code similar to OVE-20170111-0001 are not believed to be exploitable, because defined(), length(), setpassword(), userinfo_set() and the binary "." operator all have prototypes that force the relevant argument to be evaluated in scalar context. However, using a safer idiom makes mistakes less likely. | |||
| | (cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d) | |||
* | passwordauth: avoid userinfo forgery via repeated email parameter | Simon McVittie | 2017-01-11 | |
| | OVE-20170111-0001 | |||
| | (cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91) | |||
* | t/passwordauth.t: new automated test for passwordauth | Simon McVittie | 2017-01-11 | |
| | In particular this includes an exploit for OVE-20170111-0001. | |||
| | (cherry picked from commit fbe207212b1f4a395dc297fb274ef07afd7d68f3) | |||
* | passwordauth: prevent authentication bypass via multiple name parameters | Simon McVittie | 2017-01-11 | |
| | Calling CGI::FormBuilder::field with a name argument in list context returns zero or more user-specified values of the named field, even if that field was not declared as supporting multiple values. Passing the result of field as a function parameter counts as list context. This is the same bad behaviour that is now discouraged for CGI::param. | |||
| | In this case we pass the multiple values to CGI::Session::param. That accessor has six possible calling conventions, of which four are documented. If an attacker passes (2*n + 1) values for the 'name' field, for example name=a&name=b&name=c, we end up in one of the undocumented calling conventions for param: | |||
| | # equivalent to: (name => 'a', b => 'c') | |||
| | $session->param('name', 'a', 'b', 'c') | |||
| | and the 'b' session parameter is unexpectedly set to an attacker-specified value. | |||
| | In particular, if an attacker "bob" specifies name=bob&name=name&name=alice, then authentication is carried out for "bob" but the CGI::Session ends up containing {name => 'alice'}, an authentication bypass vulnerability. | |||
| | This vulnerability is tracked as OVE-20170111-0001. | |||
| | (cherry picked from commit e909eb93f4530a175d622360a8433e833ecf0254) | |||