path: root/IkiWiki.pm
Commit message  [Author, Date]
* HTML-escape error messages (OVE-20160505-0012)  [Simon McVittie, 2016-05-05]
    The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename. (OVE-20160505-0012)
    The instances in preprocess() are just correctness. That is not a cross-site scripting attack, because an attacker could equally well write the desired HTML themselves; the sanitize hook is what protects us from cross-site scripting here.
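The cgierror() issue above is the classic "error page reflects exception text" bug: whatever string ends up in a die() message is interpolated into HTML as-is. The following is an added illustration, not IkiWiki's code; cgierror_unsafe(), cgierror_safe() and the crafted filename are hypothetical, and HTML::Entities is used only because it is the usual escaping module in Perl.

```perl
#!/usr/bin/perl
# Added example, not IkiWiki's code. Shows why an error page must HTML-escape
# the exception text it displays (the OVE-20160505-0012 class of bug).
# cgierror_unsafe/cgierror_safe and the sample input are hypothetical.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Vulnerable form: the message is interpolated into HTML verbatim, so markup
# that reached the exception (e.g. via a crafted filename) is rendered.
sub cgierror_unsafe {
    my ($message) = @_;
    return "<html><body><h1>Error</h1><p>$message</p></body></html>\n";
}

# Fixed form: encode <, >, & and " so the browser shows the text literally.
sub cgierror_safe {
    my ($message) = @_;
    my $escaped = encode_entities($message, '<>&"');
    return "<html><body><h1>Error</h1><p>$escaped</p></body></html>\n";
}

# Constructed input: a filename an attacker might get into a die() message.
my $crafted   = q{<script>alert(document.cookie)</script>.mdwn};
my $exception = "cannot read $crafted: No such file or directory";

print "--- unsafe (script tag survives) ---\n", cgierror_unsafe($exception);
print "--- safe (script tag is inert text) ---\n", cgierror_safe($exception);
```

Run it with any Perl that has HTML::Entities installed; the first page executes the script when opened in a browser, the second displays it as text. The point the commit makes about preprocess() also shows here: escaping only matters where the attacker could not already write HTML into the page, which is exactly the case for an error page served by the CGI.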
* Don't fail to syslog if the wiki name contains %s  [Simon McVittie, 2016-01-21]
    This is a corner case spotted while fixing UTF-8 syslogging.
* Force log messages to be bytestrings  [Simon McVittie, 2016-01-21]
    Sys::Syslog is not UTF-8-literate.
* Add deterministic option and use it for the docwiki  [Simon McVittie, 2015-06-09]
    It doesn't do anything yet.
* Do not directly enable emailauth by default, only indirectly via openid  [Simon McVittie, 2015-05-27]
    This avoids nasty surprises on upgrade if a site is using httpauth, or passwordauth with an account_creation_password, and relying on only a select group of users being able to edit the site. We can revisit this for ikiwiki 4.
* allow emailuser to be called when there is no %config set  [Joey Hess, 2015-05-19]
    ikiwiki-hosting needs to do this
* make cgiurl output deterministic  [Daniel Kahn Gillmor, 2015-05-19]
    IkiWiki::cgiurl() currently produces non-deterministic output, because the params hash can be sorted different ways. Sorting keys to params before crafting the string should make the output deterministic.
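Perl has randomised hash iteration order per process since 5.18, so any URL builder that walks a params hash without sorting emits a different (but equivalent) query string from one build to the next, which defeats reproducible builds and makes every refresh look like a content change. The following is an added example, not IkiWiki's cgiurl(); the function names, the URL and the parameters are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not IkiWiki's code: a minimal cgiurl-style builder in both
# the hash-order-dependent form and the sorted, deterministic form.
use strict;
use warnings;
use URI::Escape qw(uri_escape_utf8);

sub query_string {
    my ($sort, %params) = @_;
    my @keys = keys %params;
    @keys = sort @keys if $sort;
    return join '&',
        map { uri_escape_utf8($_) . '=' . uri_escape_utf8($params{$_}) } @keys;
}

# Unsorted: order follows Perl's per-process hash seed, so two builds of the
# same page can emit different, though equivalent, URLs.
sub cgiurl_unsorted {
    my ($cgiurl, %params) = @_;
    return %params ? "$cgiurl?" . query_string(0, %params) : $cgiurl;
}

# Sorted: the same params always yield the same string, so rebuilt HTML is
# byte-identical and a reproducibility check sees no spurious differences.
sub cgiurl_sorted {
    my ($cgiurl, %params) = @_;
    return %params ? "$cgiurl?" . query_string(1, %params) : $cgiurl;
}

my $cgiurl = 'https://wiki.example.org/ikiwiki.cgi';   # constructed URL
my %params = (do => 'edit', page => 'index', rev => '42');

print "unsorted: ", cgiurl_unsorted($cgiurl, %params), "\n";
print "sorted:   ", cgiurl_sorted($cgiurl, %params), "\n";
```

Run the script several times (or with different PERL_HASH_SEED values) to see the unsorted line change while the sorted line stays fixed. Sorting costs nothing measurable for the handful of parameters a CGI URL carries.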
* cloak user PII when making commits etc, and let cloaked PII be used in banned_users  [Joey Hess, 2015-05-14]
    This was needed due to emailauth, but I've also wrapped all IP address exposure in cloak(), although the function doesn't yet cloak IP addresses.
    (One IP address I didn't cloak is the one that appears on the password reset email template. That is expected to be the user's own IP address, so ok to show it to them.)
    Thanks to smcv for the pointer to http://xmlns.com/foaf/spec/#term_mbox_sha1sum
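The FOAF mbox_sha1sum referenced above is simply the SHA-1 of the "mailto:" URI for an address, which lets a commit log or a ban list refer to a user without recording the address itself. The following is an added example, not IkiWiki's cloak() or banned_users handling; cloak_email(), is_banned() and the sample addresses are hypothetical, and lower-casing before hashing is this example's choice rather than part of the FOAF definition.

```perl
#!/usr/bin/perl
# Added example, not IkiWiki's cloak(): cloaking an e-mail address as its
# foaf:mbox_sha1sum (SHA-1 of the mailto: URI) and matching either the plain
# or the cloaked form against a ban list. Lower-casing before hashing is this
# example's choice, not part of the FOAF definition.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Encode qw(encode_utf8);

sub cloak_email {
    my ($email) = @_;
    # sha1_hex() wants bytes; encode in case the address contains non-ASCII.
    return sha1_hex(encode_utf8('mailto:' . lc $email));
}

# A ban list may hold either raw addresses or cloaked hashes, so a list that
# is committed to the wiki's repository never needs to reveal the address.
sub is_banned {
    my ($user, @banned) = @_;
    my $cloaked = cloak_email($user);
    return scalar grep { $_ eq $user || $_ eq $cloaked } @banned;
}

# Constructed data: one raw entry, one cloaked entry.
my @banned_users = ('spammer@example.org', cloak_email('Mallory@example.net'));

for my $who ('spammer@example.org', 'mallory@example.net', 'alice@example.com') {
    printf "%-20s -> %s  banned=%d\n",
        $who, cloak_email($who), is_banned($who, @banned_users);
}
```

The hash is deterministic, so anyone holding a guessed address can confirm it matches a cloaked value; the cloak hides the address from casual readers of the commit log, it is not a secret.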
* sanitize nickname derived from email address  [Joey Hess, 2015-05-14]
* avoid showing password prefs for emailauth user  [Joey Hess, 2015-05-13]
* If neither timezone nor TZ is set, set both to :/etc/localtime if we're on a GNU system and that file exists, or GMT otherwise  [Simon McVittie, 2015-03-01]
* Fix getlibdirs when libdirs is unset  [Simon McVittie, 2014-12-16]
* Simplify libdirs: libdirs must be plural, libdir must be a single string  [Simon McVittie, 2014-12-09]
    This makes the documentation read more sensibly, and matches how we handle underlaydirs and underlaydir.
* Merge remote-tracking branch 'spalax/paternal/libdirs'  [Simon McVittie, 2014-12-09]
* Make getlibdirs return an array (or whatever this type is called in perl)  [Louis, 2014-12-06]
* Allow several extra library and plugin directories (libdir option)  [Louis, 2014-12-06]
* entab  [Amitai Schlair, 2014-12-02]
* in debug mode, issue a warning before waiting for a lock  [Mark Jason Dominus (陶敏修), 2014-12-02]
* page.tmpl: tell mobile browsers we have a responsive layout, unless told not to  [Simon McVittie, 2014-12-01]
    Mobile browsers typically assume that arbitrary web pages are designed for a "desktop-sized" browser window (around 1000px) and display that layout, zoomed out, in order to avoid breaking naive designs that assume nobody will ever look at a website on a phone or something. People who are actually doing "responsive design" need to opt-in to mobile browsers rendering it at a more normal size.
* Always produce HTML5 doctype and new attributes, but not new elements  [Simon McVittie, 2014-10-16]
    According to caniuse.com, a significant fraction of Web users are still using Internet Explorer versions that do not support HTML5 sectioning elements. However, claiming we're XHTML 1.0 Strict means we can't use features invented in the last 12 years, even if they degrade gracefully in older browsers (like the role and placeholder attributes).
    This means our output is no longer valid according to any particular DTD. Real browsers and other non-validator user-agents have never cared about DTD compliance anyway, so I don't think this is a real loss.
* Set default User-Agent to something that doesn't mention libwww-perl  [Simon McVittie, 2014-10-12]
    It appears that both the open-source and proprietary rulesets for ModSecurity default to blacklisting requests that say they are from libwww-perl, presumably because some script kiddies use libwww-perl and are too inept to set a User-Agent that is "too big to blacklist", like Chrome or the iPhone browser or something. This seems doomed to failure but whatever.
* Add reverse_proxy option which hard-codes cgiurl in CGI output  [Simon McVittie, 2014-10-05]
    This solves several people's issues with the CGI trying to be too clever when IkiWiki is placed behind a reverse-proxy.
* Avoid mixed content when cgiurl is https but url is not  [Simon McVittie, 2014-10-05]
* Use protocol-relative URIs if cgiurl and url differ only by authority (hostname)  [Simon McVittie, 2014-10-05]
* Merge branch 'ready/templatebody'  [Simon McVittie, 2014-09-15]
* Track whether we're in the scan or render phase  [Simon McVittie, 2014-03-05]
    In the scan phase, it's too early to match pagespecs or sort pages; in the render phase, both of those are OK.
    It would be possible to add phases later, renumbering them if necessary to maintain numerical order.
* Add templatebody plugin and directive, and enable it by default  [Simon McVittie, 2014-03-05]
    Also add a regression test for templatebody.
* add readtemplate hook  [Simon McVittie, 2014-03-05]
* add more wording based on what chrysn suggested  [Simon McVittie, 2014-09-15]
* Merge branch 'ready/document-success-reason'  [Simon McVittie, 2014-09-15]
* SuccessReason: add some explanatory comments  [Simon McVittie, 2014-03-03]
    Whenever I look at dependency calculation, it takes me a while to get my head round the concept of influences. If what I've written here is accurate, maybe the next person to look at this (or my future self) will need less of a run-up.
* Merge branch 'ready/trail-sort'  [Simon McVittie, 2014-09-12]
* trail: don't generate a costly dependency when forcing sort order  [Simon McVittie, 2014-07-11]
    pagespec_match_list() makes the current page depend on the pagespec being matched, so if you use [[!trailoptions sort="..."]] to force a sort order, the trail ends up depending on internal(*) and is rebuilt whenever anything changes. Add a new sort_pages() and use that instead.
* Make --no-gettime work in initial build. Closes: #755075  [Joey Hess, 2014-08-28]
* Allow up to 8 levels of nested directives, rather than previous 3 in directive infinite loop guard.  [Joey Hess, 2014-02-23]
* Merge remote-tracking branch 'anarcat/dev/syslog_utf8'  [Joey Hess, 2014-02-23]
* don't edit config setting, but a temporary variable, complete and unbreak tests  [Antoine Beaupré, 2013-11-29]
* recover gracefully from syslog failures  [Antoine Beaupré, 2013-11-29]
* Bug#737121: ikiwiki: [PATCH] Implement configuration option to set the user agent string for outbound HTTP requests  [Tuomas Jormola, 2014-02-01]
    Package: ikiwiki
    Version: 3.20140125
    Severity: wishlist
    By default, LWP::UserAgent used by IkiWiki to perform outbound HTTP requests sends the string "libwww-perl/<version number>" as User-Agent header in HTTP requests. Some blogging platforms have blacklisted the user agent and won't serve any content for clients using this user agent string. With IkiWiki configuration option "useragent" it's now possible to define a custom string that is used for the value of the User-Agent header.
* Added only_committed_changes config setting, which speeds up wiki refresh by querying git to find the files that were changed, rather than looking at the work tree.  [Joey Hess, 2013-11-16]
    Not enabled by default as it can break some setups where not all files get committed to git.
* Optimised loadindex by caching the page name in the index.  [Joey Hess, 2013-11-16]
    I have benchmarked the pagename() call this avoids taking up to 2 seconds for a loadindex in a large wiki. The total loadindex for that wiki was 6.46s, so this is a significant improvement. Even on a smaller site, this reduces the refresh time from 1.69 to 1.52 seconds.
    The only breakage risk here is that pagename() can change the page name it calculates due to setup changes. But in the case of a setup change, the whole site is rebuilt. So the cached page name is not used in that case.
* Fixed unnecessary tight loop hash copy in saveindex where a pointer can be used instead. Can speed up refreshes by nearly 50% in some circumstances.  [Joey Hess, 2013-11-16]
    I *think* this is ok, at least it results in close to the same index being saved as before. The difference is that plugins that have a pagestate of {} have that recorded this way, while with the tight loop, the key for the plugin is not copied in that case. I cannot see how this could matter.
* Fix cookiejar default setting.  [Joey Hess, 2013-09-04]
* cookiejar is now a core config setting.  [Amitai Schlair, 2013-08-03]
* Honor proxy env vars and reliably honor cookiejar.  [Amitai Schlair, 2013-07-27]
* The ip() pagespec can now contain glob characters to match eg, a subnet full of spammers.  [Joey Hess, 2013-07-08]
* Allow dots in parameter key names  [Giuseppe Bilotta, 2013-02-15]
    This allows e.g. the meta command to be used to introduce DublinCore metadata.
* add cgi_overload_message  [Joey Hess, 2012-10-11]
* add cgi_overload_delay tunable  [Joey Hess, 2012-10-09]
    Try to avoid a situation in which so many ikiwiki cgi wrapper programs are running, all waiting on some long-running thing like a site rebuild, that it prevents the web server from doing anything else.
    The current approach only avoids this problem for GET requests; if multiple cgi's run GETs on a site at the same time, one will display a "please wait" page for a configurable number of seconds, which then redirects to retry. To enable this protection, set cgi_overload_delay to the number of seconds to wait. This is not enabled by default.
* passwordauth: Fix url in password recovery email to be absolute.  [Joey Hess, 2012-04-02]
    This got broken when cgiurl began often returning a relative url. Added a cgiurl_abs for the things that need a guaranteed absolute cgiurl.