| Commit message | Author | Age |
... | |
* | git: change calling convention of safe_git to have named arguments | Simon McVittie | 2016-12-28 |
* | git: Do the revert operation in a secondary working tree
This avoids leaving the git directory in an inconsistent state if the
host system is rebooted while we are processing a revert.
| Simon McVittie | 2016-12-28 |
* | git: Turn $git_dir into a stack
This will be necessary when we use a secondary working tree to do
reverts without leaving the primary working tree in an inconsistent
state.
| Simon McVittie | 2016-12-28 |
* | Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().
It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.
OVE-20161226-0002
| Simon McVittie | 2016-12-28 |
* | Revert "Tell `git revert` not to follow renames"
This doesn't work prior to git 2.8: `git revert` silently ignores the
option and succeeds. We will have to fix CVE-2016-10026 some other way.
This reverts commit 9cada49ed6ad24556dbe9861ad5b0a9f526167f9.
| Simon McVittie | 2016-12-28 |
* | Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.
This prevents two (relatively minor) commit metadata forgery
vulnerabilities:
* In the comments plugin, an attacker who was able to post a comment
could give it a user-specified author and author-URL even if the wiki
configuration did not allow for that, by crafting multiple values
to other fields.
* In the editpage plugin, an attacker who was able to edit a page
could potentially forge commit authorship by crafting multiple values
for the rcsinfo field.
The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.
OVE-20161226-0001
| Simon McVittie | 2016-12-28 |
* | git: do not fail to commit if committer is anonymous | Simon McVittie | 2016-12-28 |
* | git: don't issue a warning if rcsinfo is undefined
The intention here seems to be that $prev may be undefined, and the
only way that can legitimately happen is for $params{token} to be
undefined too.
| Simon McVittie | 2016-12-28 |
* | Make pagestats output more deterministic.
Sort in lexical order the pages that have the same number of hits.
| intrigeri | 2016-12-19 |
* | Tell `git revert` not to follow renames
Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().
Signed-off-by: Simon McVittie <smcv@debian.org>
| Simon McVittie | 2016-12-19 |
* | inline: Prevent creating a file named ".mdwn" when the postform is submitted ... | Joey Hess | 2016-09-21 |
* | Update my surname to its new legal spelling. | Amitai Schlair | 2016-09-14 |
* | Use git log --no-renames for recentchanges
Otherwise, recent git releases show renames as renames, and we do not
see that newdir/test5 was affected.
Bug-Debian: https://bugs.debian.org/835612
| Simon McVittie | 2016-09-03 |
* | Detect image type from .JPG just like .jpg (etc.). | Amitai Schlair | 2016-05-08 |
* | img: make img_allowed_formats case-insensitive | Simon McVittie | 2016-05-07 |
* | inline: expand show=N backwards compatibility to negative N
[[plugins/contrib]] uses show=-1 to show the post-creation widget
without actually inlining anything.
| Simon McVittie | 2016-05-06 |
* | img: Add back support for SVG images, bypassing ImageMagick and simply passin...
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.
(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)
[smcv: drop trailing whitespace, fix some spelling]
| Simon McVittie | 2016-05-06 |
* | img: check magic number before giving common formats to ImageMagick
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
| Simon McVittie | 2016-05-05 |
* | img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
| Simon McVittie | 2016-05-05 |
* | img: force common Web formats to be interpreted according to extension
A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, a SVG file named attachment.jpg.
This mitigates CVE-2016-3714.
| Simon McVittie | 2016-05-05 |
* | Correctly handle filenames starting with a dash in add/rm/mv. | Florian Wagner | 2016-03-17 |
* | Process .md like .mdwn, but disallow web creation. | Amitai Schlair | 2016-03-08 |
* | loginselector: When only openid and emailauth are enabled, but passwordauth i... | Joey Hess | 2016-03-02 |
* | Fix typo. | Amitai Schlair | 2016-02-20 |
* | Compose relative URLs in RSS feeds correctly
If the relative link from the (page generating the) RSS to the target
would start with "./" or "../", just concatenating it with the URL to
the directory containing the RSS is not sufficient. Go via
URI::new_abs to fix this.
| Simon McVittie | 2016-01-21 |
* | Force comments URL in RSS feeds to be absolute
Now I'm going to get bug reports about wanting the URLs to be
protocol-relative, but we can't win there as long as we generate RSS,
because RSS doesn't have well-defined semantics for relative URLs
(and the W3C's validator complains about them). If absolute URLs are
a problem for you, please use Atom feeds.
| Simon McVittie | 2016-01-21 |
* | Silence "used only once: possible typo" warnings for variables that are part ... | Simon McVittie | 2016-01-19 |
* | Merge remote-tracking branch 'smcv/pagestats-show' | Simon McVittie | 2015-11-30 |
|\ |
|
| * | pagestats: rename disp to show, and document it | Simon McVittie | 2014-09-14 |
| * | pagestats: consistent indentation | Simon McVittie | 2014-09-14 |
| * | pagestats: add disp parameter | Louis | 2014-09-14 |
* | | Merge remote-tracking branch 'smcv/ready/limit' | Simon McVittie | 2015-11-30 |
|\| |
|
| * | Rename show parameter of [[!inline]] and [[!pagestats]] to limit
The old name still works, if its value is numeric.
This name allows a non-numeric "show" to mean the same thing
it does for [[!map]] (show title, show description, etc.).
| Simon McVittie | 2014-09-14 |
* | | ensure_committer: don't do anything if we have the environment variables | Simon McVittie | 2015-11-30 |
* | | Don't memoize ensure_committer
This makes it harder to test, and if we're invoking git anyway,
a couple of extra subprocesses are no big deal.
| Simon McVittie | 2015-11-30 |
* | | git: if no committer identity is known, set it to "IkiWiki <ikiwiki.info>" in...
This resolves commit errors in versions of git that require a non-trivial
committer identity.
| Simon McVittie | 2015-11-30 |
* | | emailauth: Added emailauth_sender config. | Joey Hess | 2015-10-02 |
* | | Fix [[!meta name=foo]] by closing the open quote. | Amitai Schlair | 2015-08-22 |
* | | Squelch regex deprecation warnings from Perl 5.22.
Specifically:
"Unescaped left brace in regex is deprecated, passed through in regex"
| Amitai Schlair | 2015-06-14 |
* | | img: stop ImageMagick trying to be clever if filenames contain a colon
$im->Read() takes a filename-like argument with several sets of special
syntax. Most of the possible metacharacters are escaped by the
default `wiki_file_chars` (and in any case not particularly disruptive),
but the colon ":" is not.
It seems the way to force ImageMagick to treat colons within the
filename as literal is to prepend a colon, so do that.
| Simon McVittie | 2015-06-13 |
* | | inline: change default sort order from age to "age title" for determinism | Simon McVittie | 2015-06-13 |
* | | polygen: if deterministic build is requested, use a well-known random seed | Simon McVittie | 2015-06-09 |
* | | haiku: if deterministic build is requested, return a hard-coded haiku | Simon McVittie | 2015-06-09 |
* | | brokenlinks: sort the pages that link to the missing page, for better reprodu... | Simon McVittie | 2015-06-09 |
* | | Make the attachment plugin work with CGI.pm 4.x (Closes: #786586; workaround ... | Simon McVittie | 2015-06-07 |
* | | Do not directly enable emailauth by default, only indirectly via openid
This avoids nasty surprises on upgrade if a site is using httpauth,
or passwordauth with an account_creation_password, and relying on
only a select group of users being able to edit the site. We can revisit
this for ikiwiki 4.
| Simon McVittie | 2015-05-27 |
* | | shorten url in subject | Joey Hess | 2015-05-19 |
* | | nicer layout of subject | Joey Hess | 2015-05-19 |
* | | add url to subject of email
The wikiname can be pretty un-helpful, the user will probably recognise the
url since they were just at it.
| Joey Hess | 2015-05-19 |
* | | cloak user PII when making commits etc, and let cloaked PII be used in banned...
This was needed due to emailauth, but I've also wrapped all IP address
exposure in cloak(), although the function doesn't yet cloak IP addresses.
(One IP address I didn't cloak is the one that appears on the password
reset email template. That is expected to be the user's own IP address,
so ok to show it to them.)
Thanks to smcv for the pointer to
http://xmlns.com/foaf/spec/#term_mbox_sha1sum
| Joey Hess | 2015-05-14 |