aboutsummaryrefslogtreecommitdiff
path: root/IkiWiki
Commit message (Collapse)AuthorAge
* Fix CSRF attacks against the preferences and edit forms. Closes: #475445Joey Hess2008-04-10
| | | | | | | | | | | | | | | | | | | | | | | | | The fix involved embedding the session id in the forms, and not allowing the forms to be submitted if the embedded id does not match the session id. In the case of the preferences form, if the session id is not embedded, then the CGI parameters are cleared. This avoids a secondary attack where the link to the preferences form prefills password or other fields, and the user hits "submit" without noticing these prefilled values. In the case of the editpage form, the anonok plugin can allow anyone to edit, and so I chose not to guard against CSRF attacks against users who are not logged in. Otherwise, it also embeds the session id and checks it. For page editing, I assume that the user will notice if content or commit message is changed because of CGI parameters, and won't blndly hit save page. So I didn't block those CGI paramters. (It's even possible to use those CGI parameters, for good, not for evil, I guess..) The only other CSRF attack I can think of in ikiwiki involves the poll plugin. It's certianly possible to set up a link that causes the user to unknowingly vote in a poll. However, the poll plugin is not intended to be used for things that people would want to attack, since anyone can after all edit the poll page and fill in any values they like. So this "attack" is ignorable.
* need to handle urls to images the sameJoey Hess2008-04-03
| | | | Also, simplified finding the url to the top of the site.
* Bug#473987: [PATCH] Links relative to baseurl mangled in atom/rss feedsManoj Srivastava2008-04-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | tag 473987 +patch thanks Hi, The issue is that we need to convert relative links to absolute ones for atom and rss feeds -- but there are two types of relative links. The first kind, relative to the current document ( href="some/path") is handled correctly. The second kind of relative url is is relative to the http server base (href="/semi-abs/path"), and that broke. It broke because we just prepended the url of the current document to the href (http://host/path/to/this-doc/ + link), which gave us, in the first place: http://host/path/to/this-doc/some/path [correct], and http://host/path/to/this-doc//semi-abs/path [wrong] The fix is to calculate the base for the http server (the base of the wiki does not help, since the base of the wiki can be different from the base of the http server -- I have, for example, "url => http://host.name.mine/blog/manoj/"), and prepend that to the relative references that start with a /. This has been tested. Signed-off-by: Manoj Srivastava <srivasta@debian.org>
* aggregate: Correct a mistake in the code that dummy up a guid for feeds ↵Joey Hess2008-04-03
| | | | lacking one.
* Added a hardlink option in the setup file, useful if the source and dest are ↵Joey Hess2008-03-29
| | | | on the same filesystem and the wiki includes large media files, which would normally be copied, wasting time and space.
* revert destpage part of f7bdc2385Joey Hess2008-03-23
| | | | | | | | destpage does not normally need to be worried about when creating other files as part of the process of rendering a page. Using destpage results in inlined pages creating two copies of such files. It works to not use destpage in this case because the inlining page depends on the source page, so if the source page is modified or deleted the inlining page will be updated.
* inline: Allow the "feedshow" parameter to take values greater than the value ↵Joey Hess2008-03-23
| | | | for "show".
* typosJoey Hess2008-03-21
|
* Allow external plugins to return no valuemartin f. krafft2008-03-21
| | | | | | | | | | | | | Instead of using the XML-RPC v2 extension <nil/>, which Perl's XML::RPC::Parser does not (yet) support (Joey's patch is pending), we agreed on a sentinel: {'null':''}, that is, a hash with a single key "null" pointing to the empty string. The Python proxy automatically converts None appropriately and raises an exception if a hook function should, by weird coincidence, attempt to return {'null':''}. Signed-off-by: martin f. krafft <madduck@madduck.net>
* work around perl warningJoey Hess2008-03-21
|
* delete inline data after it's usedJoey Hess2008-03-21
|
* crazy optimisation to work around slow markdownJoey Hess2008-03-21
| | | | | | | | | | | | | | | | | | Markdown is slow. Especially if it has to process an enormous page. The most common enormous page is currently the recentchanges page, which gets processed a lot, and contains very little actual markdown. Most of it is a big <div>, which markdown skips ... slowly. This is a rather sick optimisation to work around markdown's speed issues. Now inline inserts a small, dummy div, allows markdown to quickly render the actual page content, then replaces the dummy with the actual inlined pages later. Results: Rendering just a recentchanges page, with diffs included, dropped from 4.5 seconds to 2.7 seconds on my laptop. Building the entire wiki dropped from 46.6 seconds to 39.5 seconds. (It would be better if inline were a *post*-processor directive.)
* process smilies in a sanitize hookJoey Hess2008-03-21
| | | | | I had to move it to sanitize so all the markup is htmlized, so it can scan for <pre> and <code>.
* another fixJoey Hess2008-03-21
| | | | | I'm suprised that the second m//g didn't seem to clobber @-, but I don't want to rely on that, so preserve it beforehand.
* various fixes and simplificationsJoey Hess2008-03-21
|
* smiley: Detect smileys inside pre and tags, and do not expand.Joey Hess2008-03-21
|
* Close meta tag for redir properly.Joey Hess2008-03-21
|
* Store userinfo in network byte order for easy portability. (Old files will ↵Joey Hess2008-03-19
| | | | be automatically converted.)
* optimisation, only load openid module when signing inJoey Hess2008-03-19
| | | | This makes the CGI about .2 seconds faster when editing pages etc.
* fix setstateJoey Hess2008-03-19
| | | | Same fix as in d7f1292c3134fd9464ca4005f48b9274be861c10
* make setargv take an arrayJoey Hess2008-03-19
| | | | for consistentcy with getargv, which returns one
* fix setvarJoey Hess2008-03-19
| | | | | It was incorrectly setting the value to the number of items in @_, ie, always 1.
* getargv needs to return a list referenceJoey Hess2008-03-19
| | | | | | xml rpc only allows functions to return a single value, no lists. So getargv needs to return a list reference, which means that the caller will see an xml rpc array.
* * Record new pages in %pagesources temporarily when previewing so thatJoey Hess2008-03-17
| | | | | things that need to know the page source or type can query it from there. Fixes previewing of tables when creating a new page.
* * external: Add getargv and setargv methods to allow access to ikiwiki'sJoey Hess2008-03-15
| | | | @ARGV.
* * htmltidy: Pass --markup yes, in case tidy's config file disabled it.Joey Hess2008-03-15
|
* * external: Fix support of XML::RPC::fault.Joey Hess2008-03-15
|
* * Fix expiry of old recentchanges changeset pages.Joey Hess2008-03-14
|
* load HTML::Entities at topJoey Hess2008-03-14
| | | | Used in several subs, not all of which load it on demand, this seems simpler.
* no need to use HTML::Entities, as it's loaded on demand by code belowJoey Hess2008-03-12
|
* * Use absolute url for feedurl when filling out the feed templates.Joey Hess2008-03-12
| | | | Closes: #470530
* truncate recentchangesdiffs after 200 linesJoey Hess2008-03-12
| | | | | | | This works around a perl crasher bug, and also avoids bloating pages with enormous diffs. rcs_recentchanges modified to return a list in an array context.
* use git show to get the diffJoey Hess2008-03-12
| | | | | If a diff of the firsst commit in a git repo was requested, it would fail and print to stderr since first^ isn't valid. Using git show will always work.
* * Use forcebaseurl to make page previews be displayed with the html baseJoey Hess2008-03-12
| | | | | | set to the destination page. This avoids need for hacks to munge the urls in preview mode, which fixes several bugs. * Several destpage fixes in plugins.
* * monotone: Require version 0.38 or greater, and stop using the mtnmergercJoey Hess2008-03-12
| | | | option. (Brian May)
* fix syntax errorJoey Hess2008-03-12
|
* Correct meta.robots attribute value->contentmartin f. krafft2008-03-11
| | | | | | | This was a silly typo, sorry. <meta ...> takes an attribute content, not value. Signed-off-by: martin f. krafft <madduck@madduck.net>
* Generate openid2 headers as wellmartin f. krafft2008-03-11
| | | | | | This causes meta.openid to also generate the openid2 headers. Signed-off-by: martin f. krafft <madduck@madduck.net>
* Let meta.openid set X-XRDS-Location headermartin f. krafft2008-03-11
| | | | | | | | | | Adds an optional xrds-location parameter to the openid meta handler, which allows for XRDS delegation. A good document on XRDS is http://www.windley.com/archives/2007/05/using_xrds.shtml Signed-off-by: martin f. krafft <madduck@madduck.net>
* * Remove locking code in git rcs_commit. I'm not sure if this was everJoey Hess2008-03-07
| | | | | | correct, and it's certianly not correct now, since the wiki is locked before rcs_commit is ever called, and should not be unlocked by rcs_commit either.
* test for Text::Markdown::[Mm]arkdown and use the available oneJoey Hess2008-03-04
| | | | | | | | | | Markdown is such a splintered mess.. The current debian package provides only Text::Markdown::Markdown, while all versions of Text::Markdown support Text::Markdown::markdown, and old versions also support the capitalised version, while new ones don't. It's getting to the point where `grep /markdown/i %symbol_table` is the only sane way to figure out what function to call..
* * Use Text::Markdown::markdown, since version 1.0.16 of Text::MarkdownJoey Hess2008-03-04
| | | | | no longer supports Text::Markdown::Markdown. All old versions of Text::Markdown also support the lower-case version.
* * Add recentchangesdiff plugin that adds diffs to the recentchanges feeds.Joey Hess2008-03-03
| | | | | | * rcs_diff is a new function that rcs modules should implement. * Implemented rcs_diff for git, svn, and tla (tla version untested). Mercurial and monotone still todo.
* Add robots tag to meta pluginmartin f. krafft2008-03-02
| | | | | | | | Add special handling for <meta name="robots" ...> which needs not be scrubbed as it's harmless. Signed-off-by: martin f. krafft <madduck@madduck.net> (cherry picked from commit b15d0299a7f7b147e89d8a202d6cca1c21491af2)
* Make directives generated by shortcuts accept a `desc` parameter.Adeodato Simó2008-03-02
| | | | (cherry picked from commit 252da396bfa728b99af7c9bb304a7b5f3f6d94e6)
* Allow colons in URLs after the first slashAdeodato Simó2008-02-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A new regexp fixes this bug: http://ikiwiki.info/bugs/No_link_for_blog_items_when_filename_contains_a_colon/ I traced this down to htmlscrubber. If disabled, it works. If enabled, then $safe_url_regexp determines the URL unsafe because of the colon and hence removes the src attribute. Digging into this, I find that RFC 3986 pretty much discourages colons in filenames: """ A path segment that contains a colon character (e.g., "this:that") cannot be used as the first segment of a relative-path reference, as it would be mistaken for a scheme name. Such a segment must be preceded by a dot-segment (e.g., "./this:that") to make a relative- path reference. """ on the other hand, with usedirs, any link to another page will be prepended by ../ anyway, so that makes them okay again. The solution still seems not to use colons. In any case, htmlscrubber should get a new regexp, courtesy of dato. I have tested and verified this. Signed-off-by: martin f. krafft <madduck@madduck.net>
* avoid calling getctime on internal pagesJoey Hess2008-02-24
| | | | internal pages won't be in revision control so this avoids some ugly noise
* * inline: When forcing urls absolute for rss feeds, skip mailto and otherJoey Hess2008-02-24
| | | | such urls.
* Fix links generated by preprocessor directives when previewing.Joey Hess2008-02-24
| | | | | | | | | | As was already done for linkfication, links generated in a prevew page are relative to the top of the wiki, so it has to be told that the destpage is there. I was using "" to indicate this, but that may confuse some preprocessor plugins, which treat parameters with an empry value specially (sparkline is one such). Instead, use "/", which is more accurate anyway and works just as well.
* * Fix another preview will_render bug. This one involved inline,Joey Hess2008-02-24
| | | | | | | | which forced a scan of the page to make available metadata that appeared after the inline directive. Problem is that scan made it forget about any other files rendered due to the page. The scan also turns out to be unnecessary now, since meta persistently stores state and it's always available. So it was just removed.