The simple implementation of this, which I'd prefer to use, would be:
if we can import LWPx::ParanoidAgent, use it; otherwise, use
LWP::UserAgent.
However, aggregate has historically worked with proxies, and
LWPx::ParanoidAgent quite reasonably refuses to work with proxies
(because it can't know whether those proxies are going to do the same
filtering that LWPx::ParanoidAgent would).
Signed-off-by: Simon McVittie <smcv@debian.org>
|
This avoids nasty surprises on upgrade if a site is using httpauth,
or passwordauth with an account_creation_password, and relying on
only a select group of users being able to edit the site. We can revisit
this for ikiwiki 4.
|
Still some work to do since the user name is an email address and should
not be leaked.
|
Now template variables can be set to control which login methods are shown
|
This includes some CSS changes to names of elements.
Also, added Email login button (doesn't work yet of course),
and brought back the small openid login buttons. Demoted yahoo and verizon
to small buttons. This makes the big buttons be the main login types, and
the small buttons be provider-specific helpers.
|
openid selector display "Password" instead of "Other", so users are more likely to click on it when they don't have an openid.
|
This is needed for notifyemail, and not all openid providers report an
email address, or necessarily the one the user wants to get email.
|
We're running under "use strict" here, so if CGI->param's array-context
misbehaviour passes an extra non-ref parameter, it shouldn't be executed
anyway... but it's as well to be safe.
[commit message added by smcv]
|
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.
I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
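The list-context expansion described in this commit message, shown next to the scalar-context form that avoids it. This is an added example, not code from the ikiwiki commit; `func` and the `name`/`mode` keys are hypothetical, and the query string is the constructed one from the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed input: the query string used in the commit message.
my $cgi = CGI->new('a=b&a=c&d=e');

# Hypothetical callee that expects one value plus one optional flag.
sub func {
    my ($value, $flag) = @_;
    return sprintf 'value=%s flag=%s',
        $value, (defined $flag ? $flag : '(unset)');
}

# List context: both values of "a" are passed, so 'c' lands in $flag.
# (Recent CGI.pm releases print a warning to STDERR for this call.)
print 'list:   ', func($cgi->param('a')), "\n";

# Scalar context: only the first value of "a" is passed.
print 'scalar: ', func(scalar $cgi->param('a')), "\n";

# The same expansion inside a key/value argument list: the extra value
# shifts every following pair, so 'c' becomes a key and 'mode' its value.
my @unsafe = (name => $cgi->param('a'),        mode => 'view');
my @safe   = (name => scalar $cgi->param('a'), mode => 'view');

printf "unsafe list has %d elements: %s\n", scalar @unsafe, join(',', @unsafe);
printf "safe list has %d elements: %s\n",   scalar @safe,   join(',', @safe);
```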
|
agent string for outbound HTTP requests
Package: ikiwiki
Version: 3.20140125
Severity: wishlist
By default, LWP::UserAgent used by IkiWiki to perform outbound HTTP
requests sends the string "libwww-perl/<version number>" as User-Agent
header in HTTP requests. Some blogging platforms have blacklisted the
user agent and won't serve any content for clients using this user agent
string. With IkiWiki configuration option "useragent" it's now possible
to define a custom string that is used for the value of the User-Agent
header.
|
selected in all browsers.
|
Probably best to store it unsanitized and sanitize as needed on use.
And it already was for comments, leaving only the need to sanitize the
nickname when git committing, to ensure the email address is legal.
|
Renamed usershort => nickname.
Note that this means existing user login sessions will not have the nickname
recorded, and so it won't be used for those.
|
a few edge case setups.
|
buttons are pressed
|
Always load IkiWiki::CGI so its cgi_signin is present, so we replace it.
|
* openid: Incorporated a fancy openid-selector signin form.
(http://code.google.com/p/openid-selector/)
* openid: Use "openid_identifier" as the form field, as required
by OpenID Authentication v2.0 spec.
|
Fixes http://code.google.com/p/openid-selector/issues/detail?id=11#c3
|
Debian stable's Net::OpenID does not support getting extension fields.
|
the user's email address and username.
The info is stored in the session database, not the user database.
There should be no reason to need it when a user is not logged in.
Also, hide the email field in the preferences page for openid users.
Note that the email and username are not yet actually used for anything.
The email will be useful for gravatar, while the username might be used
for a more pretty display of the openid.
|
plugins from the setup file.
|
other authentication methods (like openid or anonok). Rather than always redirect to the cgiauthurl for authentication, there is now a button on the login form to use it.
|
Now that openiduser is in IkiWiki core, it's ok to have passwordauth check
for it, and avoid displaying useless password fields when showing
preferences for an openid.
Also improved the styling of the display of the openid in the preferences
page.
|
On various sites I have two IkiWiki instances running from the same
repository: one accessible via http and only accepting openid logins,
and one accessible via authenticated https and only accepting httpauth.
The https version should still pretty-print OpenIDs seen in git history,
even though it does not itself accept OpenID logins.
|
openiduser previously used a constructor that no longer works in 2.x.
However, all we actually want is the (undocumented) DisplayOfURL function
that is invoked by the display method, so try to use that.
(cherry picked from commit c3dd0ff5c7c10743107f203a5b456fdcd1b171df)
|
This improves the display of OpenIDs like 'http://id.mayfirst.org/jamie/'
(taking an example from the IkiWiki commit log).
|
subdomains
This leads to better display for OpenIDs like smcv.pseudorandom.co.uk
and thm.id.fedoraproject.org (to take a couple of examples from the
IkiWiki commit history).
|
it may be some other module missing, this way you can tell by reading the
log
|
(brain.. melting..)