path: root/IkiWiki
Commit message [Author, Age]
* don't let emailauth user's email address be changed on preferences page [Joey Hess, 2015-05-13]
|     There's no real problem if they do change it, except they may get confused and expect to be able to log in with the changed email and get the same user account.
* when an emailauth user posts a comment, use the username only, not the full email address [Joey Hess, 2015-05-13]
|     This makes the email not be displayed on the wiki, so spammers won't find it there. Note that the full email address is still put into the comment template. The email is also used as the username of the git commit message (when posting comments or page edits). May want to revisit this later.
* avoid showing password prefs for emailauth user [Joey Hess, 2015-05-13]
|
* allow adminuser to be an email address [Joey Hess, 2015-05-13]
|
* fix up session cookie [Joey Hess, 2015-05-13]
|
* emailauth link sent and verified; user login works [Joey Hess, 2015-05-13]
|     Still some work to do since the user name is an email address and should not be leaked.
* move stub auth hook to loginselector [Joey Hess, 2015-05-13]
|
* email auth plugin now works through email address entry [Joey Hess, 2015-05-13]
|
* Converted openid-selector into a more generic loginselector helper plugin. [Joey Hess, 2015-05-13]
|
* rename openid selector files to login-selector [Joey Hess, 2015-05-13]
|
* further generalization of openid selector [Joey Hess, 2015-05-13]
|     Now template variables can be set to control which login methods are shown
* generalized the openid selector to a login selector [Joey Hess, 2015-05-13]
|     This includes some CSS changes to names of elements. Also, added Email login button (doesn't work yet of course), and brought back the small openid login buttons. Demoted yahoo and verizon to small buttons. This makes the big buttons be the main login types, and the small buttons be provider-specific helpers.
* When openid and passwordauth are the only enabled auth plugins, make the openid selector display "Password" instead of "Other", so users are more likely to click on it when they don't have an openid. [Joey Hess, 2015-05-13]
|
* Standardize on --long-option instead of -long-option [Simon McVittie, 2015-03-01]
|     [[forum/refresh_and_setup]] indicates some confusion between --setup and -setup. Both work, but it's clearer if we stick to one in documentation and code. A 2012 commit to [[plugins/theme]] claims that "-setup" is required and "--setup" won't work, but I cannot find any evidence in ikiwiki's source code that this has ever been the case.
* Fix double UTF-8 decode on Perl < 5.20 with upgraded Encode.pm [Anders Kaseorg, 2015-03-01]
|     Commit feb21ebfacb341fc34244e1c9b8557fd81d1dfc1 added a safe_decode_utf8 function that avoids double decoding on Perl 5.20. But the Perl behavior change actually happened in Encode.pm 2.53 (https://github.com/dankogai/p5-encode/pull/11). Although Perl 5.20 is the first Perl version to bundle an affected version of Encode.pm, it’s also possible to upgrade Encode.pm independently; for example, Fedora 20 has Perl 5.18.4 with Encode.pm 2.54. On such a system, editing a non-ASCII file still fails with errors like
|
|     Error: Cannot decode string with wide characters at /usr/lib64/perl5/vendor_perl/Encode.pm line 216.
|
|     There doesn’t seem to be any reason not to check Encode::is_utf8 on old versions too, so just remove the version check altogether.
|
|     Signed-off-by: Anders Kaseorg <andersk@mit.edu>
|     Bug-Debian: https://bugs.debian.org/776181
* fix another unchecked malloc [Joey Hess, 2015-01-25]
|     <joeyh> any particular reason 12?
|     <igli> well maximum a 32-bit can go is 10 chars
|     <igli> so one for \0 and round up to 4
* Fix NULL ptr deref on ENOMOM in wrapper. (Thanks, igli) [Joey Hess, 2015-01-25]
|     Probably not exploitable, but who knows..
* In VCS-committed anonymous comments, link to url. [Amitai Schlair, 2015-01-08]
|
* Update blogspam to the 2.0 API. [Amitai Schlair, 2015-01-02]
|
* po: If msgmerge falls over on a problem po file, print a warning message, but don't let this problem crash ikiwiki entirely. [Joey Hess, 2014-12-30]
|
* Avoid uninitialized warnings with comments+no CGI. [Amitai Schlair, 2014-12-28]
|
* ikiwiki-comment: optionally override parameters. [Amitai Schlair, 2014-12-27]
|
* Squelch "keys on reference is experimental". [Amitai Schlair, 2014-12-27]
|
* page.tmpl: tell mobile browsers we have a responsive layout, unless told not to [Simon McVittie, 2014-12-01]
|     Mobile browsers typically assume that arbitrary web pages are designed for a "desktop-sized" browser window (around 1000px) and display that layout, zoomed out, in order to avoid breaking naive designs that assume nobody will ever look at a website on a phone or something. People who are actually doing "responsive design" need to opt-in to mobile browsers rendering it at a more normal size.
* Merge branch 'ready/html5' [Simon McVittie, 2014-11-26]
|\
| * Now that we're always using HTML5, <base href> can be relative [Simon McVittie, 2014-10-16]
| |
| * Always produce HTML5 doctype and new attributes, but not new elements [Simon McVittie, 2014-10-16]
| |     According to caniuse.com, a significant fraction of Web users are still using Internet Explorer versions that do not support HTML5 sectioning elements. However, claiming we're XHTML 1.0 Strict means we can't use features invented in the last 12 years, even if they degrade gracefully in older browsers (like the role and placeholder attributes). This means our output is no longer valid according to any particular DTD. Real browsers and other non-validator user-agents have never cared about DTD compliance anyway, so I don't think this is a real loss.
* | Fix numeric comparisons with undef [Simon McVittie, 2014-11-26]
| |
* | fix some typos [Simon McVittie, 2014-11-26]
| |
* | Merge remote-tracking branch 'spalax/calendar-autocreate' [Simon McVittie, 2014-11-26]
|\ \
| * | Corrected error: month pages were created even without calendar_autocreate config option [Louis, 2014-11-14]
| | |
| * | Deleted unnecessary code [Louis, 2014-11-14]
| | |
| * | Indentation [Louis, 2014-11-14]
| | |
| * | Calendar pages are now rebuilt when previous or next page have changed [Louis, 2014-07-07]
| | |
| * | Making use of the transient plugin [Louis, 2014-07-07]
| | |
| * | Added option `calendar_fill_gaps` [Louis, 2014-07-05]
| | |
| * | Simplifying code [Louis, 2014-07-05]
| | |     Thanks to review from http://ikiwiki.info/todo/calendar_autocreate/
| * | calendar plugin: Autocreate archive pages if needed [Louis, 2014-06-24]
| | |
* | | openid: Stop suppressing the email field on the Preferences page. [Joey Hess, 2014-11-06]
| | |     This is needed for notifyemail, and not all openid providers report an email address, or necessarily the one the user wants to get email.
* | | add ikiwiki-comment program [Joey Hess, 2014-10-20]
| | |
* | | Remove space from perl shebang path. [Amitai Schlair, 2014-10-17]
| | |
* | | IkiWiki::Plugin::openid: as a precaution, do not call non-coderefs [Amitai Schlair, 2014-10-16]
| | |     We're running under "use strict" here, so if CGI->param's array-context misbehaviour passes an extra non-ref parameter, it shouldn't be executed anyway... but it's as well to be safe.
| | |     [commit message added by smcv]
* | | Call CGI->param_fetch instead of CGI->param in array context [Amitai Schlair, 2014-10-16]
| | |     CGI->param has the misfeature that it is context-sensitive, and in particular can expand to more than one scalar in function calls. This led to a security vulnerability in Bugzilla, and recent versions of CGI.pm will warn when it is used in this way. In the situations where we do want to cope with more than one parameter of the same name, CGI->param_fetch (which always returns an array-reference) makes the intention clearer.
| | |     [commit message added by smcv]
* | | Make sure we do not pass multiple CGI parameters in function calls [Simon McVittie, 2014-10-16]
| |/
|/|
| |     When CGI->param is called in list context, such as in function parameters, it expands to all the potentially multiple values of the parameter: for instance, if we parse query string a=b&a=c&d=e and call func($cgi->param('a')), that's equivalent to func('b', 'c'). Most of the functions we're calling do not expect that. I do not believe this is an exploitable security vulnerability in ikiwiki, but it was exploitable in Bugzilla.
* | Do not pass ignored sid parameter to checksessionexpiry [Simon McVittie, 2014-10-12]
| |     checksessionexpiry's signature changed from (CGI::Session, CGI->param('sid')) to (CGI, CGI::Session) in commit 985b229b, but editpage still passed the sid as a useless third parameter, and this was later cargo-culted into remove, rename and recentchanges.
* | comments: don't log remote IP address for signed-in users [Simon McVittie, 2014-10-12]
| |     The intention was that signed-in users (for instance via httpauth, passwordauth or openid) are already adequately identified, but there's nothing to indicate who an anonymous commenter is unless their IP address is recorded.
* | In html5 mode, generate a host- or protocol-relative <base> for the CGI [Simon McVittie, 2014-10-05]
| |     This increases the number of situations in which we do the right thing.
* | Add reverse_proxy option which hard-codes cgiurl in CGI output [Simon McVittie, 2014-10-05]
| |     This solves several people's issues with the CGI trying to be too clever when IkiWiki is placed behind a reverse-proxy.
* | Force use of $config{url} as top URL in w3mmode [Simon McVittie, 2014-10-05]
| |
* | Fix crash that can occur when only_committed_changes is set and a file is deleted from the underlay. [Joey Hess, 2014-09-26]
| |     srcfile_stat got called on a file from the underlay that no longer existed. I am not 100% sure of the circumstances of that; I was able to reproduce the bug but neglected to snapshot the tree, and then accidentally got it to stop crashing. I know that a transient tag page got deleted using the web interface to trigger the crash. It seems that process_changed_files must have returned the file, despite it being deleted. And since the file was not checked into git, it seems it must have not been included in @IkiWiki::underlayfiles, which would have caused process_changed_files to not return it. I do not know why a transient tag page would not be in @IkiWiki::underlayfiles. There is a bug here that I don't understand. This is just a workaround -- run srcfile_stat such that it won't crash, and if it is unable to stat a file, find_changed knows it's not changed, so it's ok to skip it. Also made find_new_files run srcfile_stat such that it won't crash, just because I was there.