aboutsummaryrefslogtreecommitdiff
path: root/t
Commit message (Collapse)AuthorAge
* t/img.t: Give better diagnostics if we can't load an imageSimon McVittie2017-06-22
|
* color, toc: Fix `make test`Simon McVittie2017-05-16
|
* color: Use markup for the preserved CSS, not character dataSimon McVittie2017-05-16
| | | | | | This still smuggles it past the sanitize step, but avoids having other plugins that want to capture text content without markup (notably toc) see the CSS as if it was text content.
* color: Add a unit testSimon McVittie2017-05-16
|
* Add a simple unit test for [[!toc]]Simon McVittie2017-05-16
|
* Add a test-case for Markdown optionsSimon McVittie2017-05-16
|
* t/git-cgi.t: Wait 1 second before doing a revert that should succeedSimon McVittie2017-05-14
| | | | | | | | | | | This hopefully fixes a race condition in which the test failed around 6% of the time. If we don't wait, the mtime (which is rounded down to 1 second precision in the APIs we use) will not necessarily change, so the update will not necessarily cause the page to be refreshed. Bug-Debian: https://bugs.debian.org/862494
* t/passwordauth.t: new automated test for passwordauthSimon McVittie2017-01-11
| | | | | | In particular this includes an exploit for OVE-20170111-0001. (cherry picked from commit fbe207212b1f4a395dc297fb274ef07afd7d68f3)
* git-cgi.t: when committing directly, make sure we have a valid authorSimon McVittie2017-01-09
| | | | | In the environment used on ci.debian.net, we have neither a name nor an email address.
* t/git-cgi.t: fix race conditionSimon McVittie2017-01-09
| | | | | We need the changes to take place at least 1 second after the first rebuild, so that the changed files are seen to have changed.
* git: Add test coverage for reverting attachmentsSimon McVittie2016-12-28
|
* Add automated test for using the CGI with git, including CVE-2016-10026Simon McVittie2016-12-28
|
* git_revert test: reinstate ikiwiki.setup, and make it work uninstalledSimon McVittie2016-12-28
| | | | | | | | | | | | | | Previously it was relying on running with an installed ikiwiki and being able to copy in recentchanges.mdwn and wikiicons/ from the underlay in /usr. The underlay in ./underlays/basewiki can't be used (yet) because ikiwiki doesn't allow following symlinks, even from underlays. I'd like to make ikiwiki follow symlinks whose destinations can be verified to be safe (for example making it willing to expose /usr/share/javascript to the web, but not /etc/passwd), at least from underlays, but this is security-sensitive so I'm not going to rush into it.
* Add a manual test for reverting git commitsSimon McVittie2016-12-19
| | | | Signed-off-by: Simon McVittie <smcv@debian.org>
* Exclude working directory from library path (CVE-2016-1238)Simon McVittie2016-07-28
| | | | | | | | | | | | | | | | | | | | | Current Perl versions put '.' at the end of the library search path @INC, although this will be fixed in a future Perl release. This means that when software loads an optionally-present module, it will be looked for in the current working directory before giving up. An attacker could use this to execute arbitrary Perl code from ikiwiki's current working directory. Removing '.' from the library search path in Perl is the correct fix for this vulnerability, but is not trivial to do due to backwards-compatibility concerns. Mitigate this (even if ikiwiki is run with a vulnerable Perl version) by explicitly removing '.' from the search path, and instead looking for ikiwiki's own modules relative to the absolute path of the executable when run from the source directory. In tests that specifically want to use the current working directory, use "-I".getcwd instead of "-I." so we use its absolute path, which is immune to the removal of ".".
* Wrapper: allocate new environment dynamicallySimon McVittie2016-05-11
| | | | | | | | | | | | | | Otherwise, if third-party plugins extend newenviron by more than 3 entries, we could overflow the array. It seems unlikely that any third-party plugin manipulates newenviron in practice, so this is mostly theoretical. Just in case, I have deliberately avoided using "i" as the variable name, so that any third-party plugin that was manipulating newenviron directly will now result in the wrapper failing to compile. I have not assumed that realloc(NULL, ...) works as an equivalent of malloc(...), in case there are still operating systems where that doesn't work.
* img test: exercise upper-case extensions for image filesSimon McVittie2016-05-09
|
* Fix spelling of "ratio" in test.Amitai Schlair2016-05-08
|
* img: make img_allowed_formats case-insensitiveSimon McVittie2016-05-07
|
* update test suite for svg passthrough by img directiveJoey Hess2016-05-06
| | | | | Remove build dependency libmagickcore-6.q16-2-extra which was only there for this test.
* img: check magic number before giving common formats to ImageMagickSimon McVittie2016-05-05
| | | | | This mitigates CVE-2016-3714 and similar vulnerabilities by avoiding passing obviously-wrong input to ImageMagick decoders.
* img: restrict to JPEG, PNG and GIF images by defaultSimon McVittie2016-05-05
| | | | | | This mitigates CVE-2016-3714. Wiki administrators who know that they have prevented arbitrary code execution via other formats can re-enable the other formats if desired.
* Fix CVS tests by uninverting $installed (cdfb4ab).Amitai Schlair2016-02-18
|
* Compose relative URLs in RSS feeds correctlySimon McVittie2016-01-21
| | | | | | | If the relative link from the (page generating the) RSS to the target would start with "./" or "../", just concatenating it with the URL to the directory containing the RSS is not sufficient. Go via URI::new_abs to fix this.
* Don't fail to syslog if the wiki name contains %sSimon McVittie2016-01-21
| | | | This is a corner case spotted while fixing UTF-8 syslogging.
* Force log messages to be bytestringsSimon McVittie2016-01-21
| | | | Sys::Syslog is not UTF-8-literate.
* img test: use the right filenames when testing that deletion occursSimon McVittie2016-01-19
| | | | | Also use a less misleading name for the sample SVG: it is no longer empty. Since commit 105f285a it has contained a blue square.
* img test: skip testing PDFs if unsupportedSimon McVittie2016-01-19
|
* Merge remote-tracking branch 'smcv/ready/limit'Simon McVittie2015-11-30
|\
| * Rename show parameter of [[!inline]] and [[!pagestats]] to limitSimon McVittie2014-09-14
| | | | | | | | | | | | | | The old name still works, if its value is numeric. This name allows a non-numeric "show" to mean the same thing it does for [[!map]] (show title, show description, etc.).
* | Add a test for unconfigured git identitySimon McVittie2015-11-30
| |
* | tests: consistently use done_testing instead of no_planSimon McVittie2015-11-30
| |
* | t/img.t: do not spuriously skipSimon McVittie2015-11-30
| |
* | Run autopkgtest tests using autodep8 and the pkg-perl team's infrastructureSimon McVittie2015-11-30
| |
* | Fix [[!meta name=foo]] by closing the open quote.Amitai Schlair2015-08-22
| |
* | Sans ImageMagick, bail gracefully.Amitai Schlair2015-08-22
| |
* | Mark a few straggling test scripts +x.Amitai Schlair2015-08-18
| |
* | Test many behaviors of the meta directive.Amitai Schlair2015-08-15
| |
* | Squelch regex deprecation warnings from Perl 5.22.Amitai Schlair2015-06-14
| | | | | | | | | | | | Specifically: "Unescaped left brace in regex is deprecated, passed through in regex"
* | img test: set old timestamp on source file that will changeSimon McVittie2015-06-14
| | | | | | | | This is so that the test will pass even if it takes less than 1 second.
* | img: stop ImageMagick trying to be clever if filenames contain a colonSimon McVittie2015-06-13
| | | | | | | | | | | | | | | | | | | | $im->Read() takes a filename-like argument with several sets of special syntax. Most of the possible metacharacters are escaped by the default `wiki_file_chars` (and in any case not particularly disruptive), but the colon ":" is not. It seems the way to force ImageMagick to treat colons within the filename as literal is to prepend a colon, so do that.
* | t/inline.t: accept translations of "Add a new post titled:" (Closes: #779365)Simon McVittie2015-03-01
| |
* | Standardize on --long-option instead of -long-optionSimon McVittie2015-03-01
| | | | | | | | | | | | | | | | | | | | [[forum/refresh_and_setup]] indicates some confusion between --setup and -setup. Both work, but it's clearer if we stick to one in documentation and code. A 2012 commit to [[plugins/theme]] claims that "-setup" is required and "--setup" won't work, but I cannot find any evidence in ikiwiki's source code that this has ever been the case.
* | textile-double-escape-bug.t: tolerate any valid encodingSimon McVittie2015-01-06
| | | | | | | | | | | | | | | | | | | | Discount in current Debian unstable turns the IURI href into a URI by encoding the Unicode as UTF-8 and %-escaping each byte. That is valid, and matches Wikipedia's expectations, but was breaking this test for me. It would also be entirely valid (and lead to equivalent parsing) if the ö was represented as &ouml;, &#246; or &#xf6 in the text and/or the href.
* | Turn positive test for wrong behaviour into a TODO test for right behaviourSimon McVittie2015-01-06
| | | | | | | | | | We don't want ikiwiki's tests to stop passing when Text::Textile is fixed.
* | Document an annoying Text::Textile encoding bug.Amitai Schlair2014-12-22
| |
* | Add regression test for libdir/libdirsSimon McVittie2014-12-09
| |
* | Merge branch 'ready/html5'Simon McVittie2014-11-26
|\ \
| * | We no longer have a test for DTD-valid XHTML 1.0, but at least check ↵Simon McVittie2014-10-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | well-formedness This means that people can do XSLT nonsense if they want to. The failures are currently marked TODO because not everything in the docwiki is in fact well-formed.
| * | Remove now-redundant test-cases for a non-default html5 settingSimon McVittie2014-10-16
| | |