aboutsummaryrefslogtreecommitdiff
path: root/doc
Commit message (Collapse)AuthorAge
...
* web commit by http://sabr.myopenid.com/: add a toc to test it appearing in ↵Joey Hess2008-04-13
| | | | preview... it doesn't.
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-13
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by tschwinge: Modify.Joey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* patch, thoughtsJoey Hess2008-04-12
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-12
|
* web commit by cjb: Added wiktionary shortcutJoey Hess2008-04-10
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-10
|
* responseJoey Hess2008-04-10
|
* cannot reproduceJoey Hess2008-04-10
|
* responseJoey Hess2008-04-10
|
* let's move the access keys discussion out to the todo item about itJoey Hess2008-04-10
|
* correct the command line used to generate the faviconJoey Hess2008-04-10
|
* correct utf-8 damage introduced by jblevins's modification of this pageJoey Hess2008-04-10
|
* change wordingJoey Hess2008-04-10
|
* responseJoey Hess2008-04-10
|
* Give the full path to the hyperestraier helpfile in estseek.conf.Joey Hess2008-04-10
|
* Use bzr --quiet to avoid it outputting stuff and messing up http headers. ↵Joey Hess2008-04-10
| | | | (Scott Bronson)
* Fix broken rcs_update for bzr. (Scott Bronson)Joey Hess2008-04-10
|
* Fix missing import of escapeHTML in userlink. (Scott Bronson)Joey Hess2008-04-10
|
* responseJoey Hess2008-04-10
|
* add news item for ikiwiki 2.42Joey Hess2008-04-10
|
* releasing version 2.42Joey Hess2008-04-10
|
* Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.infoJoey Hess2008-04-10
|\
| * web commit by http://joey.kitenet.net/: testJoey Hess2008-04-10
| |
* | perl dumping core is not an ikiwiki bug, sorryJoey Hess2008-04-10
| |
* | Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.infoJoey Hess2008-04-10
|\|
| * web commit by http://joey.kitenet.net/: oops :-)Joey Hess2008-04-10
| |
| * web commit by http://joey.kitenet.net/Joey Hess2008-04-10
| |
| * web commit by ScottSwalwell: Fixed my fix.Joey Hess2008-04-10
| |
| * web commit by ScottSwalwell: Fixed this link.Joey Hess2008-04-10
| |
| * web commit by cjb: Fixed URLJoey Hess2008-04-10
| |
| * web commit by cjb: TaggedJoey Hess2008-04-10
| |
| * web commit by cjb: Suggested patch for 302 redirect after page creation when ↵Joey Hess2008-04-10
| | | | | | | | using bzr
* | Fix CSRF attacks against the preferences and edit forms. Closes: #475445Joey Hess2008-04-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The fix involved embedding the session id in the forms, and not allowing the forms to be submitted if the embedded id does not match the session id. In the case of the preferences form, if the session id is not embedded, then the CGI parameters are cleared. This avoids a secondary attack where the link to the preferences form prefills password or other fields, and the user hits "submit" without noticing these prefilled values. In the case of the editpage form, the anonok plugin can allow anyone to edit, and so I chose not to guard against CSRF attacks against users who are not logged in. Otherwise, it also embeds the session id and checks it. For page editing, I assume that the user will notice if content or commit message is changed because of CGI parameters, and won't blndly hit save page. So I didn't block those CGI paramters. (It's even possible to use those CGI parameters, for good, not for evil, I guess..) The only other CSRF attack I can think of in ikiwiki involves the poll plugin. It's certianly possible to set up a link that causes the user to unknowingly vote in a poll. However, the poll plugin is not intended to be used for things that people would want to attack, since anyone can after all edit the poll page and fill in any values they like. So this "attack" is ignorable.
* | fix what I think is a typoJoey Hess2008-04-10
|/
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-09
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-09
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-09
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-09
|
* web commit by http://sabr.myopenid.com/Joey Hess2008-04-09
|