path: root/IkiWiki/CGI.pm
Commit message (Author, Age)
* detect sslcookie set and no https (Joey Hess, 2009-02-26)
  This is likely a misconfiguration and can cause login to fail as the browser refuses to send the session cookie back over http. Not entirely happy with putting the check where I did, since users have to try to log in, and fail, to see the misconfiguration explained. But I could not find a better place to put the check.
* factor out IE stupidity workaround (Joey Hess, 2009-01-31)
* Split cgi_goto into a goto plugin (Simon McVittie, 2009-01-31)
* Split apache404 into an independent plugin (Simon McVittie, 2009-01-31)
  Also make it ignore the 'do' parameter at Joey's suggestion, to have one less thing to remember when configuring.
* CGI: pad error responses with 512 bytes of spaces so IE will display them (Simon McVittie, 2009-01-31)
  IE displays its own error responses unless the server's was >= 512 bytes. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294807
* CGI: set up goto hook so that /ikiwiki.cgi?do=goto can be an Apache ErrorDocument (Simon McVittie, 2009-01-31)
* CGI: add cgi_page_from_404(), which remaps a path like $REDIRECT_URL to an IkiWiki page name (Simon McVittie, 2009-01-31)
  Also add a regression test.
* CGI: if the page is missing, give the "missing page" a 404 status (Simon McVittie, 2009-01-31)
* CGI: document why commenter and recentchanges_link are supported (Simon McVittie, 2009-01-31)
* CGI: if the "do" parameter is goto, recentchanges_link or commenter, redirect to a page (Simon McVittie, 2009-01-31)
  This can replace equivalent functionality in comments and recentchanges.
* CGI: add cgi_goto(CGI, [page]) (Simon McVittie, 2009-01-31)
  This redirects to the given page (or if none is given, the page parameter given to the CGI), or displays an error with a create link if the page doesn't exist.
* remove deprecated admin prefs (Joey Hess, 2008-12-24)
  A new ikiwiki-transition moveprefs subcommand can pull the old data out of the userdb and inject it into the setup file. Note that it leaves the old values behind in the userdb too. I did this because I didn't want to lose data if it fails writing the setup file for some reason, and the old data in the userdb will only use a small amount of space. Running the command multiple times will mostly not change anything.
* Coding style change: Remove explicit vim folding markers. (Joey Hess, 2008-12-17)
* checksessionexpiry: rework (Joey Hess, 2008-12-17)
  This function as factored out was a bit confusing; I think this makes more sense.
* editpage: factor out checksessionexpiry into IkiWiki::CGI (Simon McVittie, 2008-12-11)
* Fix issue with utf-8 in wikiname breaking session cookies, by entity-encoding the wikiname in the session cookie. (Joey Hess, 2008-10-19)
* editpage: New core plugin factoring out page editing to allow disabling it if desired. (Joey Hess, 2008-09-05)
* Set cookies HttpOnly. (Joey Hess, 2008-08-28)
* typo (Joey Hess, 2008-08-05)
* relocate (Joey Hess, 2008-08-02)
* banned_users move to setup file, stage 1 (Joey Hess, 2008-08-01)
* add a rename summary (Joey Hess, 2008-07-22)
* Split out error messages from editpage.tmpl into several separate templates. (Joey Hess, 2008-07-22)
* only htmlize errors when cgi is actually running (Joey Hess, 2008-07-12)
* fix use ordering (Joey Hess, 2008-07-11)
  The recent setup revamp exposed some latent bugs in use/package ordering that caused some symbols to not be exported into the correct scope.
* Fixes creation of pages when clicking on WikiLinks starting with "/". (Joey Hess, 2008-07-10)
* work around CGI::Session constructor issues (Joey Hess, 2008-07-10)
  The constructor can fail with a useless error message if modules fail to load. Work around this by evaling it, checking for failures, and printing CGI::Session->errstr to get a more useful message.
* editpage escaping fixes (Joey Hess, 2008-07-06)
  * The editpage form now uses the raw page name, not the page title, in its 'page' cgi parameter. Using the title was ambiguous and made it impossible to tell between some pages, like "foo/bar" and "foo__47__bar", sometimes causing the wrong page to be edited.
  * This change means that some edit links need to be updated. Force a rebuild on upgrade to this version.
  * Above change also allowed really fixing escaped slashes from the blogpost form.
* better approach for cgi upload disabling (Joey Hess, 2008-07-01)
  Make it a config setting; this way subtle load order issues don't come into play. (As much?)
* simplification (Joey Hess, 2008-07-01)
* disable cgi uploads earlier (Joey Hess, 2008-06-30)
  This allows plugins that want to enable uploads to do so by changing the value of $CGI::DISABLE_UPLOADS at some point before the cgi hook is run.
* remove unused editpage title (Joey Hess, 2008-06-30)
  The title was set to editpage, but then always changed. And some code tested for this. Remove this dead code.
* Configure CGI.pm to disable file uploads by default. (Joey Hess, 2008-06-30)
* call format hooks when generating page previews (Joey Hess, 2008-06-28)
  * toc: Revert change in 2.45 that made it run at sanitize time. This breaks use of toc in a sidebar.
  * Call format hooks when generating page previews, thus fixing toc display there, as well as fixing inlines to again display in page previews, since it's started using format hooks. This also allows several other things, like embed, that use format hooks, to work during page preview time.
  * Format hooks should not rely on getting an entire html document, as they will only get the body during page preview.
  * toggle: Deal with preview mode when adding javascript.
* Pass a destpage parameter to the sanitize hook. (Joey Hess, 2008-06-04)
  Because the search plugin needed it, also because it's one of the few plugins that didn't already have it. I also considered adding it to htmlize, but I really cannot imagine caring what the destpage is when htmlizing. (I'll probably be proven wrong later.)
* Perls older than 5.10 need to use the old method of decoding utf-8 in CGI values. Neither method will work for all versions of perl, so check version number at runtime. (Joey Hess, 2008-05-21)
* display an error message if CGI::Session fails to load (Joey Hess, 2008-05-21)
* Fixes for behavior changes in perl 5.10's CGI (Joey Hess, 2008-05-12)
  Something has changed in CGI.pm in perl 5.10. It used to not care if STDIN was opened using :utf8, but now it'll mis-encode utf-8 values when used that way by ikiwiki. Now I have to binmode(STDIN) before instantiating the CGI object.
  In 57bba4dac132a06729eeec809f5e1a5adf829806, I changed from decoding CGI::Formbuilder fields to utf-8, to decoding cgi parameters before setting up the form object. As of perl 5.10, that approach no longer has any effect (reason unknown). To get correctly encoded values in FormBuilder forms, they must once again be decoded after the form is set up. As noted in 57bba4da, this can cause one set of problems for formbuilder_setup hooks if decode_form_utf8 is called before the hooks, and a different set if it's called after. To avoid both sets of problems, call it both before and after. (Only remaining problem is the sheer ugliness and inefficiency of that..)
  I think that these changes will also work with older perl versions, but I haven't checked.
  Also, in the case of the poll plugin, the cgi parameter needs to be explicitly decoded before it is used to handle utf-8 values. (This may have always been broken, not sure if it's related to perl 5.10 or not.)
* Fix ugly display when editing a page that has vanished. (Joey Hess, 2008-05-02)
  srcfile now has an optional second parameter to avoid it throwing an error if the source file does not exist.
* Fix CSRF attacks against the preferences and edit forms. Closes: #475445 (Joey Hess, 2008-04-10)
  The fix involved embedding the session id in the forms, and not allowing the forms to be submitted if the embedded id does not match the session id.
  In the case of the preferences form, if the session id is not embedded, then the CGI parameters are cleared. This avoids a secondary attack where the link to the preferences form prefills password or other fields, and the user hits "submit" without noticing these prefilled values.
  In the case of the editpage form, the anonok plugin can allow anyone to edit, and so I chose not to guard against CSRF attacks against users who are not logged in. Otherwise, it also embeds the session id and checks it. For page editing, I assume that the user will notice if content or commit message is changed because of CGI parameters, and won't blindly hit save page. So I didn't block those CGI parameters. (It's even possible to use those CGI parameters, for good, not for evil, I guess..)
  The only other CSRF attack I can think of in ikiwiki involves the poll plugin. It's certainly possible to set up a link that causes the user to unknowingly vote in a poll. However, the poll plugin is not intended to be used for things that people would want to attack, since anyone can after all edit the poll page and fill in any values they like. So this "attack" is ignorable.
* Record new pages in %pagesources temporarily when previewing so that things that need to know the page source or type can query it from there. Fixes previewing of tables when creating a new page. (Joey Hess, 2008-03-17)
* Use forcebaseurl to make page previews be displayed with the html base set to the destination page. This avoids need for hacks to munge the urls in preview mode, which fixes several bugs. (Joey Hess, 2008-03-12)
  * Several destpage fixes in plugins.
* Fix links generated by preprocessor directives when previewing. (Joey Hess, 2008-02-24)
  As was already done for linkification, links generated in a preview page are relative to the top of the wiki, so it has to be told that the destpage is there. I was using "" to indicate this, but that may confuse some preprocessor plugins, which treat parameters with an empty value specially (sparkline is one such). Instead, use "/", which is more accurate anyway and works just as well.
* Preview limits the page dropdown to what's selected previously (as preserving the full list across preview would be tricky). Userdirs were still being offered as an option there; remove them. (Joey Hess, 2008-02-14)
  * Fix a bug where user A created a page concurrently with user B, and when B previewed it would redirect B to A's new page, losing B's work. Instead, don't redirect and let conflict handling resolve it.
* move saveindex call into preview block (Joey Hess, 2008-02-03)
  This call is only present to handle the case where previewing a page actually causes files to be rendered.
* remove another commit mail mention (Joey Hess, 2008-02-03)
* cgi hooks are now run before ikiwiki state is loaded. (Joey Hess, 2008-02-03)
  * This allows locking the wiki before loading state, which avoids some tricky locking code when saving a web edit.
* non-tabular recentchanges display (Joey Hess, 2008-01-29)
  Doesn't look as good as the old table, but works as a rss feed.
* Removed support for sending commit notification mails. Along with it went the svnrepo and notify settings, though both will be ignored if left in setup files. (Joey Hess, 2008-01-29)
* support for internal-use page types (Joey Hess, 2008-01-28)
  If a page type starts with an underscore, hide it from the list of page types in the edit form, and don't allow editing pages of that type. This allows for plugins to add page types for internal use.