path: root/IkiWiki/CGI.pm
Commit message (Author, Date)
* improve error message when postsignin is not set (Joey Hess, 2018-01-04)
  This can happen if the user goes directly to /ikiwiki.cgi?do=login and logs in, since nothing redirected them to there, there's no postsignin value set. It can also happen when cookies are disabled, or perhaps other problems.
* cgierror: When the CGI fails, print the error to stderr, not "Died" (Simon McVittie, 2017-05-14)
  $@ could be clobbered by the "exception handler", and in practice it seems that it is. This can be seen on stderr of t/git-cgi.t.
* Defend against empty session names (Simon McVittie, 2017-05-14)
  If misconfiguration has resulted in an empty session name, treat the session as having not signed in.
* CGI, attachment, passwordauth: harden against repeated parameters (Simon McVittie, 2017-01-11)
  These instances of code similar to OVE-20170111-0001 are not believed to be exploitable, because defined(), length(), setpassword(), userinfo_set() and the binary "." operator all have prototypes that force the relevant argument to be evaluated in scalar context. However, using a safer idiom makes mistakes less likely.
  (cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
* cgitemplate: actually remove dead code (Simon McVittie, 2016-12-19)
  Signed-off-by: Simon McVittie <smcv@debian.org>
* HTML-escape error messages (OVE-20160505-0012) (Simon McVittie, 2016-05-05)
  The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename. (OVE-20160505-0012)
  The instance in preprocess() is just correctness. It is not a cross-site scripting attack, because an attacker could equally well write the desired HTML themselves; the sanitize hook is what protects us from cross-site scripting here.
* Silence "used only once: possible typo" warnings for variables that are part of modules' APIs (Simon McVittie, 2016-01-19)
* cloak user PII when making commits etc, and let cloaked PII be used in banned_users (Joey Hess, 2015-05-14)
  This was needed due to emailauth, but I've also wrapped all IP address exposure in cloak(), although the function doesn't yet cloak IP addresses.
  (One IP address I didn't cloak is the one that appears on the password reset email template. That is expected to be the user's own IP address, so ok to show it to them.)
  Thanks to smcv for the pointer to http://xmlns.com/foaf/spec/#term_mbox_sha1sum
* Fix double UTF-8 decode on Perl < 5.20 with upgraded Encode.pm (Anders Kaseorg, 2015-03-01)
  Commit feb21ebfacb341fc34244e1c9b8557fd81d1dfc1 added a safe_decode_utf8 function that avoids double decoding on Perl 5.20. But the Perl behavior change actually happened in Encode.pm 2.53 (https://github.com/dankogai/p5-encode/pull/11). Although Perl 5.20 is the first Perl version to bundle an affected version of Encode.pm, it's also possible to upgrade Encode.pm independently; for example, Fedora 20 has Perl 5.18.4 with Encode.pm 2.54. On such a system, editing a non-ASCII file still fails with errors like
    Error: Cannot decode string with wide characters at /usr/lib64/perl5/vendor_perl/Encode.pm line 216.
  There doesn't seem to be any reason not to check Encode::is_utf8 on old versions too, so just remove the version check altogether.
  Signed-off-by: Anders Kaseorg <andersk@mit.edu>
  Bug-Debian: https://bugs.debian.org/776181
* Merge branch 'ready/html5' (Simon McVittie, 2014-11-26)
* Now that we're always using HTML5, <base href> can be relative (Simon McVittie, 2014-10-16)
* Call CGI->param_fetch instead of CGI->param in array context (Amitai Schlair, 2014-10-16)
  CGI->param has the misfeature that it is context-sensitive, and in particular can expand to more than one scalar in function calls. This led to a security vulnerability in Bugzilla, and recent versions of CGI.pm will warn when it is used in this way.
  In the situations where we do want to cope with more than one parameter of the same name, CGI->param_fetch (which always returns an array-reference) makes the intention clearer.
  [commit message added by smcv]
* In html5 mode, generate a host- or protocol-relative <base> for the CGI (Simon McVittie, 2014-10-05)
  This increases the number of situations in which we do the right thing.
* Add reverse_proxy option which hard-codes cgiurl in CGI output (Simon McVittie, 2014-10-05)
  This solves several people's issues with the CGI trying to be too clever when IkiWiki is placed behind a reverse-proxy.
* Force use of $config{url} as top URL in w3mmode (Simon McVittie, 2014-10-05)
* do not double-decode unicode in CGI forms (Antoine Beaupré, 2014-09-09)
  this works around a behavior change introduced in Encode.pm 2.53 shipped with the Perl 5.20 release described here: http://ikiwiki.info/bugs/garbled_non-ascii_characters_in_body_in_web_interface/
* protect $@ whenever a block using $@ is non-trivial (Simon McVittie, 2014-02-21)
  As noted in the Try::Tiny man page, eval/$@ can be quite awkward in corner cases, because $@ has the same properties and problems as C's errno.
  While writing a regression test for definetemplate in which it couldn't find an appropriate template, I received
    <span class="error">Error: failed to process template <span class="createlink">deftmpl</span> </span>
  instead of the intended
    <span class="error">Error: failed to process template <span class="createlink">deftmpl</span> template deftmpl not found</span>
  which turned out to be because the "catch"-analogous block called gettext before it used $@, and gettext can call define_gettext, which uses eval.
  This commit alters all current "catch"-like blocks that use $@, except those that just do trivial things with $@ (string interpolation, string concatenation) and call a function (die, error, print, etc.)
* save whole form state, not just QUERY_STRING, for postsignin (Joey Hess, 2012-04-08)
  Normally, needsignin is called when there is a QUERY_STRING, not when a form is posted. However, it's certainly possible, and should be supported, to make a form that invokes an ikiwiki action that checks needsignin.
  I encountered this when posting ?do=rename&page=foo. The form is displayed without checking needsignin, for complicated reasons. Posting the form is when the true authentication happens.
* record email of new users in userinfo for userlist (Joey Hess, 2011-06-09)
* let's assume some web server will think OFF is a good idea.. (Joey Hess, 2011-06-03)
* Support the Hiawatha web server which sets HTTPS=off rather than not setting it. (There does not seem to be a standard here.) (Joey Hess, 2011-06-03)
* Fix broken baseurl in cgi mode when usedirs is disabled. Bug introduced in 3.20101231. (Joey Hess, 2011-02-21)
* fix urlto(undef) (Joey Hess, 2011-01-05)
* add cgitemplate (Joey Hess, 2011-01-05)
  cgitemplate is a modified misctemplate that takes an optional cgi object and uses it to set the baseurl, and also optionally the forcebaseurl, if a page is provided.
  If no cgi object is provided, it will fall back to using $config{url}. I expect this will only be needed in exceptional cases where that doesn't much matter, such as cgierror().
  showform uses cgitemplate, so there is no more need for showform_preview.
* factored out an urlabs from aggregate and cgi (Joey Hess, 2011-01-05)
* oops (Joey Hess, 2011-01-05)
* typo (Joey Hess, 2011-01-05)
* Fix redirect to use a full url. (Joey Hess, 2011-01-05)
  Was broken (in theory) by baseurl changes in last release.
* Fix base url when previewing. Was broken by urlto changes in last release. (Joey Hess, 2011-01-05)
  Added a showform_preview that is like showform, but sets forcebaseurl to point to the page being previewed.
* Merge remote branch 'smcv/ready/sslcookie-auto' (Joey Hess, 2010-11-29)
* Always set secure cookies if logging in via HTTPS (Simon McVittie, 2010-11-29)
* Use local path for even more CGI URLs (Simon McVittie, 2010-11-23)
* Use local paths for redirection where possible (Simon McVittie, 2010-11-23)
* stop using REMOTE_ADDR (Joey Hess, 2010-06-23)
  Everywhere that REMOTE_ADDR was used, a session object is available, so instead use its remote_addr method.
  In IkiWiki::Receive, stop setting a dummy REMOTE_ADDR.
  Note that it's possible for a session cookie to be obtained using one IP address, and then used from another IP. In this case, the first IP will now be used. I think that should be ok.
* allow misctemplate callers to pass params to suppress actions etc (Joey Hess, 2010-05-14)
  Suppress display of small search form on search results page, and of Preferences link on prefs page.
* moved non-openid signin form into same page as openid selector; show/hide as buttons are pressed (Joey Hess, 2010-05-08)
* simplify formbuilder stylesheet specification (Joey Hess, 2010-05-06)
  Since all forms are wrapped in a template that defines the actual stylesheets, formbuilder just has to be told to turn on stylesheet mode, not what file is the style sheet.
* brace style (Joey Hess, 2010-01-18)
* typos (Joey Hess, 2010-01-18)
* make decode_form_utf8 safe for arrays (Joey Hess, 2010-01-09)
* 404/goto: Fix 404 display of utf-8 pages. (Joey Hess, 2009-12-14)
  Problem here was that no charset http header was being sent. I fixed this globally by making cgi_custom_failure send the header. Required changing its parameters.
* fix url encoding in redir (Joey Hess, 2009-10-29)
  When redirecting to a page, ie, after editing, ensure that the url is uri-encoded. Most browsers other than MSIE don't care, but it's the right thing to do.
  The known failure case involved editing a page that had utf-8 in the name using MSIE.
* Expand banned_users; it can now include PageSpecs, which allows banning by IP address. (Joey Hess, 2009-09-08)
* Fix typo attepting→attempting (Jonas Smedegaard, 2009-07-23)
* detect sslcookie set and no https (Joey Hess, 2009-02-26)
  This is likely a misconfiguration and can cause login to fail as the browser refuses to send the session cookie back over http.
  Not entirely happy with putting the check where I did, since users have to try to log in, and fail, to see the misconfiguration explained. But I could not find a better place to put the check.
* factor out IE stupidity workaround (Joey Hess, 2009-01-31)
* Split cgi_goto into a goto plugin (Simon McVittie, 2009-01-31)
* Split apache404 into an independent plugin (Simon McVittie, 2009-01-31)
  Also make it ignore the 'do' parameter at Joey's suggestion, to have one less thing to remember when configuring.
* CGI: pad error responses with 512 bytes of spaces so IE will display them (Simon McVittie, 2009-01-31)
  IE displays its own error responses unless the server's was >= 512 bytes. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294807
* CGI: set up goto hook so that /ikiwiki.cgi?do=goto can be an Apache ErrorDocument (Simon McVittie, 2009-01-31)