| Commit message (Expand) | Author | Age |
|---|
| * | Exclude working directory from library path (CVE-2016-1238)•••Current Perl versions put '.' at the end of the library search path
@INC, although this will be fixed in a future Perl release. This means
that when software loads an optionally-present module, it will be
looked for in the current working directory before giving up. An
attacker could use this to execute arbitrary Perl code from ikiwiki's
current working directory.
Removing '.' from the library search path in Perl is the correct
fix for this vulnerability, but is not trivial to do due to
backwards-compatibility concerns. Mitigate this (even if ikiwiki is run
with a vulnerable Perl version) by explicitly removing '.' from the
search path, and instead looking for ikiwiki's own modules relative
to the absolute path of the executable when run from the source
directory.
In tests that specifically want to use the current working directory,
use "-I".getcwd instead of "-I." so we use its absolute path, which
is immune to the removal of ".".
| Simon McVittie | 2016-07-28 |
| * | Run autopkgtest tests using autodep8 and the pkg-perl team's infrastructure | Simon McVittie | 2015-11-30 |
| * | Remove now-redundant test-cases for a non-default html5 setting | Simon McVittie | 2014-10-16 |
| * | Now that we're always using HTML5, <base href> can be relative | Simon McVittie | 2014-10-16 |
| * | Extract test subs for each site. No change meant. | Amitai Schlair | 2014-10-12 |
| * | Extract run_cgi(). No functional change intended. | Amitai Schlair | 2014-10-12 |
| * | Extract check_generated_content(). Same output. | Amitai Schlair | 2014-10-11 |
| * | Extract check_cgi_mode_bits(). No change intended. | Amitai Schlair | 2014-10-10 |
| * | Extract thoroughly_rebuild(), a slight test change.•••I didn't try to parameterize when a test should fail when we can't
remove ikiwiki.cgi because there already isn't one. (Hooray, natural
language.) Instead, we stop worrying about it and always tolerate
ENOENT.
| Amitai Schlair | 2014-10-10 |
| * | Extract write_setup_file(). No functional change.•••Test output differs only by the line numbers of the TODO items.
| Amitai Schlair | 2014-10-10 |
| * | simplify IPC::Run check (same behavior) | Amitai Schlair | 2014-10-06 |
| * | In html5 mode, generate a host- or protocol-relative <base> for the CGI•••This increases the number of situations in which we do the right thing.
| Simon McVittie | 2014-10-05 |
| * | Add reverse_proxy option which hard-codes cgiurl in CGI output•••This solves several people's issues with the CGI trying to be
too clever when IkiWiki is placed behind a reverse-proxy.
| Simon McVittie | 2014-10-05 |
| * | Avoid mixed content when cgiurl is https but url is not | Simon McVittie | 2014-10-05 |
| * | Use protocol-relative URIs if cgiurl and url differ only by authority (hostname) | Simon McVittie | 2014-10-05 |
| * | Fix a test-case that actually just repeated the previous one instead | Simon McVittie | 2014-10-05 |
| * | Force use of $config{url} as top URL in w3mmode | Simon McVittie | 2014-10-05 |
| * | relative URLs test: pass an appropriate PERL5LIB through•••We were previously using the system copy of IkiWiki, because the CGI
resets its environment.
| Simon McVittie | 2014-10-05 |
| * | add the beginnings of a test for CGI/static URL interactions | Simon McVittie | 2014-10-05 |