Commit message (Author, Age)
...
* test test blah blah (kw_ikiwiki1@64633d204c198f52735247ca119bddbcbfaafdef, 2017-03-07)
|
* speed up commenting by optionally providing a comment form in static pages (jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2, 2017-03-03)
|
* Added a comment (jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2, 2017-03-03)
|
* Added a comment (jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2, 2017-03-03)
|
* my github mirror of ikiwiki has been deleted due to their horrible anti-free-software TOS (Joey Hess, 2017-03-01)
|
* Added a comment (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-21)
|
* +aka use page/index.mdwn source files (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-21)
|
* Added a comment (smcv, 2017-02-21)
|
* Added a comment (smcv, 2017-02-21)
|
* Added a comment (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-20)
|
* Added a comment (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-20)
|
* Added a comment (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-20)
|
* Added a comment (openmedi, 2017-02-20)
|
* Added a comment (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-19)
|
* removed (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-19)
|
* Added a comment (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-19)
|
* Merge branch 'master' of git://ikiwiki.branchable.com (Louis, 2017-02-18)
|\
| * (no commit message) (krqt.kndy@eb44788e4eb202f3e68eeb8ba175d3897c3979a9, 2017-02-17)
| |
* | Update my (spalax) information (Louis, 2017-02-18)
| |
* | Apology about the poor choice for the name of the sidebar2 plugin (Louis, 2017-02-18)
| |
* | New plugin: verboserpc (Louis, 2017-02-18)
| |
* | New plugin: pageversion (Louis, 2017-02-18)
| |
* | New plugin: redirect (Louis, 2017-02-18)
|/
* Added a comment (vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40, 2017-02-10)
|
* Added a comment (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-09)
|
* Added a comment (smcv, 2017-02-09)
|
* (no commit message) (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-09)
|
* +update broken uris (svetlana, 2017-02-07)
|
* (no commit message) (svetlana, 2017-02-07)
|
* Confuses a map (svetlana, 2017-02-07)
|
* (no commit message) (svetlana, 2017-02-06)
|
* removed (svetlana, 2017-02-05)
|
* (no commit message) (svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9, 2017-02-05)
|
* change `pwd` to $HOME so assumptions are met even if you cd elsewhere (smcv, 2017-02-03)
|
* No longer using ikiwiki (me@4eb1b66f86170ba2ff0690b93ad01f46bfc8eac4, 2017-02-03)
|
* (no commit message) (smcv, 2017-01-26)
|
* Does not show up in the setup (svetlana, 2017-01-24)
|
* * [[guppy|http://guppy.branchable.com]] an internationalized modular Python IRC bot (svetlana, 2017-01-18)
|
* Added a comment (smcv, 2017-01-18)
|
* Added a comment: Do that through your web server, not ikiwiki (smcv, 2017-01-18)
|
* (no commit message) (openmedi, 2017-01-17)
|
* Note another Debian 8 backport (Simon McVittie, 2017-01-12)
|
* Fix typo (Simon McVittie, 2017-01-11)
|
* Release 3.20170111 (Simon McVittie, 2017-01-11)
|
* Document the security fix soon to be released in 3.20170111 (Simon McVittie, 2017-01-11)
|
* remove: make it clearer that repeated page parameter is OK here (Simon McVittie, 2017-01-11)
|
|     ikiwiki's web interface does not currently have UI for removing multiple pages simultaneously, but the remove plugin is robust against doing so. Use a clearer idiom to make that obvious.
|
* CGI, attachment, passwordauth: harden against repeated parameters (Simon McVittie, 2017-01-11)
|
|     These instances of code similar to OVE-20170111-0001 are not believed to be exploitable, because defined(), length(), setpassword(), userinfo_set() and the binary "." operator all have prototypes that force the relevant argument to be evaluated in scalar context. However, using a safer idiom makes mistakes less likely.
|
|     (cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
|
* passwordauth: avoid userinfo forgery via repeated email parameter (Simon McVittie, 2017-01-11)
|
|     OVE-20170111-0001
|
|     (cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)
|
* t/passwordauth.t: new automated test for passwordauth (Simon McVittie, 2017-01-11)
|
|     In particular this includes an exploit for OVE-20170111-0001.
|
|     (cherry picked from commit fbe207212b1f4a395dc297fb274ef07afd7d68f3)
|
* passwordauth: prevent authentication bypass via multiple name parameters (Simon McVittie, 2017-01-11)
|
|     Calling CGI::FormBuilder::field with a name argument in list context returns zero or more user-specified values of the named field, even if that field was not declared as supporting multiple values. Passing the result of field as a function parameter counts as list context. This is the same bad behaviour that is now discouraged for CGI::param.
|
|     In this case we pass the multiple values to CGI::Session::param. That accessor has six possible calling conventions, of which four are documented. If an attacker passes (2*n + 1) values for the 'name' field, for example name=a&name=b&name=c, we end up in one of the undocumented calling conventions for param:
|
|         # equivalent to: (name => 'a', b => 'c')
|         $session->param('name', 'a', 'b', 'c')
|
|     and the 'b' session parameter is unexpectedly set to an attacker-specified value.
|
|     In particular, if an attacker "bob" specifies name=bob&name=name&name=alice, then authentication is carried out for "bob" but the CGI::Session ends up containing {name => 'alice'}, an authentication bypass vulnerability.
|
|     This vulnerability is tracked as OVE-20170111-0001.
|
|     (cherry picked from commit e909eb93f4530a175d622360a8433e833ecf0254)
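
The list-context problem described in the last commit message above, as an added example in core Perl; it is not ikiwiki's code and not the project's actual fix. `field` and `session_param` are hypothetical stand-ins that model the behaviour the message attributes to CGI::FormBuilder::field and CGI::Session::param, and the query string is the one quoted in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request: the repeated-parameter query string quoted in the commit message.
my $query = 'name=bob&name=name&name=alice';

# Hypothetical stand-in for the form accessor: every submitted value in list
# context, only the first value in scalar context.
sub field {
    my ($name) = @_;
    my @values = map  { $_->[1] }
                 grep { $_->[0] eq $name }
                 map  { [ split /=/, $_, 2 ] } split /&/, $query;
    return wantarray ? @values : $values[0];
}

# Hypothetical stand-in for the session setter: consumes its arguments as
# key/value pairs, modelling the undocumented calling convention described above.
sub session_param {
    my ($session, @args) = @_;
    while (@args >= 2) {
        my ($key, $value) = splice @args, 0, 2;
        $session->{$key} = $value;
    }
    return $session;
}

# Vulnerable idiom: a function argument is evaluated in list context, so all
# three submitted values are passed and the second pair overwrites 'name'.
my $vulnerable = session_param({}, 'name', field('name'));

# Safer idiom: force scalar context so exactly one value reaches the setter.
my $hardened = session_param({}, 'name', scalar field('name'));

# Stricter check (an added suggestion, not from the page): treat a repeated
# single-valued field as an invalid request.
my @submitted = field('name');
my $rejected  = @submitted != 1;

printf "authenticated as:             %s\n", scalar field('name');
printf "vulnerable session name:      %s\n", $vulnerable->{name};
printf "hardened session name:        %s\n", $hardened->{name};
printf "strict check rejects request: %s\n", $rejected ? 'yes' : 'no';
```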