| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
| |
This implements the previously documented hashed password support.
While implementing that, I noticed a security hole, which this commit
also fixes..
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
stuck on shared hosting without cron. (Sheesh.) Enabled via the `aggregate_webtrigger` configuration optiom.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* Add a Bundle::Ikiwiki to the source for use with CPAN to install *all*
the modules ikiwiki can use.
* Add a cpan directory containing a CPAN::MyConfig that can ease use of
CPAN to install in a home directory on shared hosting providers.
* With these changes, it's pretty easy to install onto nearlyfreespeech.net
and probably other shared hosting providers like dreamhost. Added
a tip page documentng the process for nearlyfreespeech.
|
| |
|
|
|
| |
srcfile now has an optional second parameter to avoid it throwing an error
if the source file does not exist.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.
In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.
In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.
For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)
The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
|
| |
|
|
| |
on the same filesystem and the wiki includes large media files, which would normally be copied, wasting time and space.
|
| |
|
|
|
| |
This allows make to be run without polluting the tree with lots of po file
changes.
|
| | |
|
| |
|
|
|
|
|
| |
This works around a perl crasher bug, and also avoids bloating pages
with enormous diffs.
rcs_recentchanges modified to return a list in an array context.
|
| |
|
|
|
|
| |
set to the destination page. This avoids need for hacks to munge the urls
in preview mode, which fixes several bugs.
* Several destpage fixes in plugins.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
* rcs_diff is a new function that rcs modules should implement.
* Implemented rcs_diff for git, svn, and tla (tla version untested).
Mercurial and monotone still todo.
|
| |
|
|
|
|
|
|
|
|
| |
As was already done for linkfication, links generated in a prevew page
are relative to the top of the wiki, so it has to be told that the destpage
is there.
I was using "" to indicate this, but that may confuse some preprocessor
plugins, which treat parameters with an empry value specially (sparkline is one
such). Instead, use "/", which is more accurate anyway and works just as well.
|
| |
|
|
| |
and since all versions of perl seem to be hopelessly broken.
|
| |
|
|
| |
hack.
|
| |
|
|
|
|
| |
custom, first-class types of wikilinks.
* Move standard wikilink implementation to a new wikilink plugin, which
will of course be enabled by default.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Now aggregation will not lock the wiki. Any changes made during aggregaton are
merged in with the changed state accumulated while aggregating. A separate
lock file prevents multiple concurrent aggregators. Garbage collection
of orphaned guids is much improved. loadstate() is only called once
per process, so tricky support for reloading wiki state is not needed.
(Tested fairly thuroughly.)
|
| | |
|
| | |
|
| |
|
|
| |
misc fixes
|
| |
|
|
|
|
|
| |
license, and copyright. This can be used to create custom RecentChanges.
* meta: To support the pagespec functions, metadata about pages has to be
retained as pagestate.
* Fix encoding bug when pagestate values contained spaces.
|
| |
|
|
|
|
|
|
| |
I kept it to a simple global configuration, rather than using the
preprocessor directive for recentchanges, because that had chicken and egg
problems and seemed overcomplicated. This should work reasonably well,
though it would be good to add some more metadata so that more customised
recentchanges pages can be made.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
remove the enclosing paragraph and newline markdown wraps it in.
This allows removing several hacks around this markdown behavior from
other plugins that htmlize fragements of pages.
|
| |
|
|
|
| |
* template: Htmlize template variables, but also provide a raw version
via `<TMPL_VAR raw_variable>`.
|
| | |
|
| |
|
|
|
|
|
| |
returned (and not run in some cases) rather than the plugins directly
forcing a user to log in.
* opendiscussion: allow editing of the toplevel discussion page,
and, indirectly, allow creating new discussion pages.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
the needsbuild hook. This resulted in feeds not being removed when pages
were updated, and probably other bugs.
* aggregate: Avoid uninitialised value warning when removing a feed that
has an expired guid.
|
| | |
|
| |
|
|
| |
ikiwiki.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
by default.
|