| Commit message | Author | Age |
|
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
|
but don't let this problem crash ikiwiki entirely.
|
Previously, prune("wiki/srcdir/sandbox/test.mdwn") could delete srcdir
or even wiki, if they happened to be empty. This is rarely what you
want: there's usually some base directory (destdir, srcdir, transientdir
or another subdirectory of wikistatedir) beyond which you do not want to
delete.
|
the old hook name is called for now for back-compat.
|
Foo->Bar->can("method") works just as well, even if Foo::Bar is not
loaded. Using UNIVERSAL::can is deprecated.
But, I was unable to easily eliminate conditional.pm's use of UNIVERSAL::can
|
... additionally to the previously supported two-letters codes.
|
Oddly, this hadn't caused any visible breakage. Possibly inline,
which is the only thing to use targetpage, resolves the function
to the "real" one before po gets loaded?
|
If the inline plugin is not being loaded, or is perhaps loaded after po
(when IkiWiki::Setup::getsetup loads all the plugins, for example),
po should not inject its custom rootpage sub, as that will lead to a
redefinition error message when inline loads.
|
The lack of $from will probably hurt setups using po_link_to = current,
but at least we can fix the blocker bug that prevents any wiki using the po
plugin to build.
|
This could happen if checkconfig was run twice, I think.
|
be configured via the web.
|
The only unsafe thing should be that enabling it with some languages will
generate po files.
|
array of things that need built. (Backwards compatibility code keeps plugins using the old interface working.)
|
The po rescan hook re-runs the scan hooks, and runs the preprocess ones in scan
mode, both on the po-to-markup converted content. This way, plugins such as meta
are given a chance to gather correct information, rather than ugly/buggy escaped
data it did gather from unconverted PO files.
|
No need to use "keys %{$config{po_slave_languages}}" repeatedly:
the slave languages codes list is already cached in @slavelanguages.
|
Backward compatibility is still supported.
|
This reverts commit 4cf185e781a5f94373b30ec9a0e10dfb626b6d86.
That commit broke t/po.t (probably the test case only is testing too
close to the old implementation and needs correcting).
Also, we have not decided how we want to represent it yet, so I'm not
ready for this change.
Conflicts:
IkiWiki/Plugin/po.pm
doc/plugins/po.mdwn
|
This reverts commits dcd57dd5c9f3265bb7a78a5696b90976698c43aa,
d4136aea8aa8968d2cd87b40e8d85301a3549323 and
d877b9644bcfbbfc5eaf3f7fc13cb96ecda946c9.
|
Conflicts:
IkiWiki/Plugin/po.pm
doc/plugins/po.mdwn
|
... after having audited the po4a Xml and Xhtml modules for security issues.
Signed-off-by: intrigeri <intrigeri@boum.org>
(cherry picked from commit a128c256a51392fcf752bf612d83a90e8c68027e)
|
(cherry picked from commit 4f44534d72c9a9a947bc38a3cb4987705c25bea5)
|
Minor wording fix; changelog; etc.
|
(cherry picked from commit b225fdc44d4b3d2853db622d59aed7b59788aeec)
|
Set it to true every time IkiWiki::filter is called on a full page's content.
This is a much nicer solution, for the po plugin, than previous whitelisting
using caller().
|
... after having audited the po4a Xml and Xhtml modules for security issues.
Signed-off-by: intrigeri <intrigeri@boum.org>
|