From b8d3c83ee048100aca2311ad1bd0d190d07ed10e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 29 Jul 2008 16:02:24 -0400 Subject: [PATCH 01/45] tune --- doc/plugins/autoindex.mdwn | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/plugins/autoindex.mdwn b/doc/plugins/autoindex.mdwn index 66e0163c2..03e2d12f3 100644 --- a/doc/plugins/autoindex.mdwn +++ b/doc/plugins/autoindex.mdwn @@ -2,6 +2,6 @@ [[!tag type/useful]] This plugin searches for [[SubPages|ikiwiki/subpage]] with a missing parent -page, and generates a parent page for them. The generated page content is -controlled by the autoindex [[template|wikitemplates]], which by default, -uses a [[map]] to list the SubPages. +page, and generates the parent pages. The generated page content is +controlled by the `autoindex.tmpl` [[template|wikitemplates]], which by +default, uses a [[map]] to list the SubPages. From e2612c7873a9bbc79e9c250e700d634792570e59 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 29 Jul 2008 16:19:53 -0400 Subject: [PATCH 02/45] on the security of this plugin.. --- doc/plugins/contrib/unixauth/discussion.mdwn | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 doc/plugins/contrib/unixauth/discussion.mdwn diff --git a/doc/plugins/contrib/unixauth/discussion.mdwn b/doc/plugins/contrib/unixauth/discussion.mdwn new file mode 100644 index 000000000..162e5d323 --- /dev/null +++ b/doc/plugins/contrib/unixauth/discussion.mdwn 
@@ -0,0 +1,17 @@ +The security of this plugin scares me. As noted in the plugin +documentation, you basically have to use it with SSL, since snooping on the +login password doesn't give you an essentially useless account -- it gives +you an actual account on the machine! + +Also, apparently pwauth defers *all* auth attempts if one fails, and it +does this by using a lock file, and sleeping after a failed auth attempt. +Which is needed to avoid brute-forcing, since this is a significant +password.. but how will that interact with ikiwiki? Well, ikiwiki _also_ +uses a lock file. So, at a minimum, someone can not only try to brute-force +the pwauth password, but the ikiwiki processes that stack up due to that +will also keep ikiwiki's lock held. Which basically DOSes the wiki for +everyone else; noone else can try to log in, or log out, or edit a page, +all of which require taking the lock. + +So I don't think I'll be accepting this plugin into ikiwiki itself.. +--[[Joey]] From 17a19994331fcd720698cd72e27293a15d9cb338 Mon Sep 17 00:00:00 2001 From: HenrikBrixAndersen Date: Tue, 29 Jul 2008 16:51:18 -0400 Subject: [PATCH 03/45] Obsolete templates/estseek.conf --- doc/bugs/Obsolete_templates__47__estseek.conf.mdwn | 1 + 1 file changed, 1 insertion(+) create mode 100644 doc/bugs/Obsolete_templates__47__estseek.conf.mdwn diff --git a/doc/bugs/Obsolete_templates__47__estseek.conf.mdwn b/doc/bugs/Obsolete_templates__47__estseek.conf.mdwn new file mode 100644 index 000000000..beee5aa08 --- /dev/null +++ b/doc/bugs/Obsolete_templates__47__estseek.conf.mdwn @@ -0,0 +1 @@ +The templates/estseek.conf file can safely be removed now that ikiwiki has switched to using xapian-omega. From 3b72c23673e858338ad4791d99bacdef7d028608 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 29 Jul 2008 16:55:44 -0400 Subject: [PATCH 04/45] rm --- doc/bugs/Obsolete_templates__47__estseek.conf.mdwn | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/doc/bugs/Obsolete_templates__47__estseek.conf.mdwn b/doc/bugs/Obsolete_templates__47__estseek.conf.mdwn index beee5aa08..99330a115 100644 --- a/doc/bugs/Obsolete_templates__47__estseek.conf.mdwn +++ b/doc/bugs/Obsolete_templates__47__estseek.conf.mdwn @@ -1 +1,3 @@ The templates/estseek.conf file can safely be removed now that ikiwiki has switched to using xapian-omega. + +> Thanks for the reminder, [[done]] --[[Joey]] From 054a98647f208864bf1c14b35280255508c8e1f5 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 29 Jul 2008 16:56:25 -0400 Subject: [PATCH 05/45] really rm ;-) --- templates/estseek.conf | 31 ------------------------------- 1 file changed, 31 deletions(-) delete mode 100644 templates/estseek.conf diff --git a/templates/estseek.conf b/templates/estseek.conf deleted file mode 100644 index 2abf413a9..000000000 --- a/templates/estseek.conf +++ /dev/null @@ -1,31 +0,0 @@ -indexname: -tmplfile: -topfile: /dev/null -logfile: -logformat: -replace: ^file://{{!}} -showreal: false -perpage: 10,20,30,40,50,100 -attrselect: false -showscore: false -extattr: date|Date -snipwwidth: 480 -sniphwidth: 96 -snipawidth: 96 -condgstep: 2 -dotfidf: true -scancheck: false -smplphrase: true -phraseform: 2 -candetail: true -smlrvnum: 0 -smlrtune: 16 1024 4096 -clipview: 2 -relkeynum: 0 -spcache: -wildmax: 256 -qxpndcmd: -helpfile: /usr/share/hyperestraier/estseek.help -deftitle: -attrwidth: 80 -dispproxy: From 6838f9b6e5fb39a307eef3f7eea20497d4398f8b Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Tue, 29 Jul 2008 21:45:17 -0400 Subject: [PATCH 06/45] --- doc/plugins/contrib/unixauth/discussion.mdwn | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/plugins/contrib/unixauth/discussion.mdwn b/doc/plugins/contrib/unixauth/discussion.mdwn index 162e5d323..5f542745d 100644 --- a/doc/plugins/contrib/unixauth/discussion.mdwn +++ b/doc/plugins/contrib/unixauth/discussion.mdwn 
@@ -15,3 +15,5 @@ all of which require taking the lock. So I don't think I'll be accepting this plugin into ikiwiki itself.. --[[Joey]] + +Thanks for the comments. That's definitely an undesirable interaction between pwauth and ikiwiki; in my current application it wouldn't be a serious problem, but I'd like this plugin to be general-purpose and safe enough for inclusion in ikiwiki. It's the system-users-are-wiki-users idea I'm married to here, not pwauth itself; can you suggest another approach I might take? From e55c0798441111170d731eb3ec7a4874dadda79b Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Tue, 29 Jul 2008 21:45:50 -0400 Subject: [PATCH 07/45] --- doc/plugins/contrib/unixauth/discussion.mdwn | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/plugins/contrib/unixauth/discussion.mdwn b/doc/plugins/contrib/unixauth/discussion.mdwn index 5f542745d..7bfdc9665 100644 --- a/doc/plugins/contrib/unixauth/discussion.mdwn +++ b/doc/plugins/contrib/unixauth/discussion.mdwn @@ -17,3 +17,4 @@ So I don't think I'll be accepting this plugin into ikiwiki itself.. --[[Joey]] Thanks for the comments. That's definitely an undesirable interaction between pwauth and ikiwiki; in my current application it wouldn't be a serious problem, but I'd like this plugin to be general-purpose and safe enough for inclusion in ikiwiki. It's the system-users-are-wiki-users idea I'm married to here, not pwauth itself; can you suggest another approach I might take? +-- [[schmonz]] From 2c1e02aa4574f6c264aee6e498da4d0ed6b2ed4b Mon Sep 17 00:00:00 2001 From: "http://www.cse.unsw.edu.au/~willu/" Date: Tue, 29 Jul 2008 23:39:15 -0400 Subject: [PATCH 08/45] alternate suggestion --- doc/plugins/contrib/unixauth/discussion.mdwn | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/plugins/contrib/unixauth/discussion.mdwn b/doc/plugins/contrib/unixauth/discussion.mdwn index 7bfdc9665..91c59ff1d 100644 --- a/doc/plugins/contrib/unixauth/discussion.mdwn 
+++ b/doc/plugins/contrib/unixauth/discussion.mdwn @@ -18,3 +18,5 @@ So I don't think I'll be accepting this plugin into ikiwiki itself.. Thanks for the comments. That's definitely an undesirable interaction between pwauth and ikiwiki; in my current application it wouldn't be a serious problem, but I'd like this plugin to be general-purpose and safe enough for inclusion in ikiwiki. It's the system-users-are-wiki-users idea I'm married to here, not pwauth itself; can you suggest another approach I might take? -- [[schmonz]] + +> Have you considered using [[plugins/httpauth]] and then the appropriate apache module? There are apache modules like [mod_authnz_external](http://unixpapa.com/mod_auth_external.html) that might help. The advantage of these solutions is that they usually make the security implications explicit. -- Will From ae04ca55467ff3c672a423caedf0daff5a5a8a47 Mon Sep 17 00:00:00 2001 From: "http://www.cse.unsw.edu.au/~willu/" Date: Wed, 30 Jul 2008 00:11:10 -0400 Subject: [PATCH 09/45] --- doc/todo/Allow_change_of_wiki_file_types.mdwn | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 doc/todo/Allow_change_of_wiki_file_types.mdwn diff --git a/doc/todo/Allow_change_of_wiki_file_types.mdwn b/doc/todo/Allow_change_of_wiki_file_types.mdwn new file mode 100644 index 000000000..420651c0a --- /dev/null +++ b/doc/todo/Allow_change_of_wiki_file_types.mdwn 
@@ -0,0 +1,7 @@ +The new [[plugins/rename]] plugin allows files to be renamed, but doesn't seem to allow changing the page type. It would be nice if there was a way to change page type through the web interface. + +#### Background + +I'm currently moving a couple of projects from [Trac](http://trac.edgewall.org/) to Ikiwiki. I don't want to have to re-do all the wiki formatting at once. Initially I simply imported all the old wiki pages without suffixes. This made them appear on the web as raw un-editable text. I wanted other project members to be able to do the updating to the new markup language, so I then renamed the files to use '.txt' suffixes, and that allows them to be edited. Unfortunately, there is still no way to convert them to '.mdwn' files on the web. + +I was hoping that the [[plugins/rename]] plugin would allow web uses to change the filename suffix, but it doesn't. This means that the page type can be set on page creation using the web interface, but cannot be changed thereafter using the web interface. I was thinking the UI would be something like adding the 'Page type' drop-down menu that appears on the creation page to either the edit or rename pages. From dd25c7c4afa8f57e909fed63fb6bcf1648de531b Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Wed, 30 Jul 2008 01:25:05 -0400 Subject: [PATCH 10/45] --- doc/plugins/contrib/unixauth/discussion.mdwn | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/plugins/contrib/unixauth/discussion.mdwn b/doc/plugins/contrib/unixauth/discussion.mdwn index 91c59ff1d..863e3c91a 100644 --- a/doc/plugins/contrib/unixauth/discussion.mdwn +++ b/doc/plugins/contrib/unixauth/discussion.mdwn 
@@ -20,3 +20,6 @@ Thanks for the comments. That's definitely an undesirable interaction between pw -- [[schmonz]] > Have you considered using [[plugins/httpauth]] and then the appropriate apache module? There are apache modules like [mod_authnz_external](http://unixpapa.com/mod_auth_external.html) that might help. The advantage of these solutions is that they usually make the security implications explicit. -- Will + +Actually, yes. That's how I made sure I had pwauth working to begin with. I'm partial to the form-based approach because I'm not aware of any way to reliably "log out" browsers from HTTP authentication. If that *is* reliably possible, then I worked way too hard for no reason. ;-) +-- [[schmonz]] From 85aff81cfe50f677ca0e1c307bd55c336ea73288 Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Wed, 30 Jul 2008 12:20:58 -0400 Subject: [PATCH 11/45] revamp, so it's vampier --- doc/plugins/contrib/unixauth.mdwn | 47 +++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 8 deletions(-) diff --git a/doc/plugins/contrib/unixauth.mdwn b/doc/plugins/contrib/unixauth.mdwn index 12f885c33..6cdf87f6a 100644 --- a/doc/plugins/contrib/unixauth.mdwn +++ b/doc/plugins/contrib/unixauth.mdwn 
@@ -3,9 +3,16 @@ This plugin authenticates users against the Unix user database. It presents a similar UI to [[plugins/passwordauth]], but simpler, as there's no need to be able to register or change one's password. -[pwauth](http://www.unixpapa.com/pwauth/) must be installed and working. In particular, it must be configured to recognize the UID of the calling web server, or authentication will always fail. Set `pwauth_path` to the full path of your pwauth binary. +To authenticate, either [checkpassword](http://cr.yp.to/checkpwd.html) or [pwauth](http://www.unixpapa.com/pwauth/) must be installed and configured. `checkpassword` is strongly preferred. If your web server runs as an unprivileged user -- as it darn well should! -- then `checkpassword` needs to be setuid root. Other checkpassword implementations are available, notably [checkpassword-pam](http://checkpasswd-pam.sourceforge.net/). -As [with passwordauth](/security/#index14h2), be wary of sending usernames and passwords in cleartext. Unlike with passwordauth, sniffing these credentials can get an attacker much further than mere wiki access. SSL with this plugin is a __must__. +Config variables that affect the behavior of `unixauth`: + +* `unixauth_type`: defaults to unset, can be "checkpassword" or "pwauth" +* `unixauth_command`: defaults to unset, should contain the full path and any arguments +* `unixauth_sslrequire`: defaults to 1, can be 0 +* `sslcookie`: needs to be 1 if `unixauth_sslrequire` is 1 (perhaps this should be done automatically?) + +__Security__: [As with passwordauth](/security/#index14h2), be wary of sending usernames and passwords in cleartext. Unlike passwordauth, sniffing `unixauth` credentials can get an attacker much further than mere wiki access. Therefore, this plugin defaults to not even _displaying_ the login form fields unless we're running under SSL. Nobody should be able to do anything remotely dumb until the admin has done at least a little thinking. 
After that, dumb things are always possible. ;-) [[!toggle id="code" text="unixauth.pm"]] @@ -40,13 +47,26 @@ As [with passwordauth](/security/#index14h2), be wary of sending usernames and p } my $ret=0; - if (! exists $config{pwauth_path}) { - $config{pwauth_path}="/usr/libexec/pwauth"; + if (! exists $config{unixauth_type}) { + # admin needs to carefully think over his configuration + return 0; + } + elsif ($config{unixauth_type} eq "checkpassword") { + open UNIXAUTH, "|$config{unixauth_command} true 3<&0" or die("Could not run $config{unixauth_type}"); + print UNIXAUTH "$user\0$password\0Y123456\0"; + close UNIXAUTH; + $ret=!($?>>8); + } + elsif ($config{unixauth_type} eq "pwauth") { + open UNIXAUTH, "|$config{unixauth_command}" or die("Could not run $config{unixauth_type}"); + print UNIXAUTH "$user\n$password\n"; + close UNIXAUTH; + $ret=!($?>>8); + } + else { + # no such authentication type + return 0; } - open PWAUTH, "|$config{pwauth_path}" or die("Could not run pwauth"); - print PWAUTH "$user\n$password\n"; - close PWAUTH; - $ret=!($?>>8); if ($ret) { my $userinfo=IkiWiki::userinfo_retrieve(); @@ -69,6 +89,16 @@ As [with passwordauth](/security/#index14h2), be wary of sending usernames and p my $session=$params{session}; my $cgi=$params{cgi}; + # if not under SSL, die before even showing a login form, + # unless the admin explicitly says it's fine + if (! exists $config{unixauth_requiressl}) { + $config{unixauth_requiressl} = 1; + } + if ($config{unixauth_requiressl} && \ + (! $config{sslcookie} || ! exists $ENV{'HTTPS'})) { + die("SSL required to login. Contact your administrator."); + } + if ($form->title eq "signin") { $form->field(name => "name", required => 0); $form->field(name => "password", type => "password", required => 0); @@ -93,6 +123,7 @@ As [with passwordauth](/security/#index14h2), be wary of sending usernames and p ); } + # XXX is this reachable? looks like no elsif ($submittype eq "Login") { $form->field( name => "name", 
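Review bot: the config list in the documentation hunk (`@@ -3,9 +3,16 @@`) names the option `unixauth_sslrequire`, but the formbuilder code added further down in this same patch reads `$config{unixauth_requiressl}`. An admin following the docs would set a key the plugin never looks at. The default of 1 keeps that mistake fail-closed, but the two spellings should be made identical before this goes in.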
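Review bot: in the `@@ -40,13 +47,26 @@` hunk, `$ret=!($?>>8)` inspects only the exit code, so a helper that is killed by a signal (exit byte 0, low bits set) is counted as a successful login in both the checkpassword and pwauth branches; test `$? == 0` instead. The checkpassword branch also needs a check that `unixauth_command` is set: the docs in this patch say it defaults to unset, and with an empty value the command string is just `true 3<&0`, which exits 0. Finally, `$user` and `$password` are written to the helper without rejecting the field separators (`\0` for checkpassword, `\n` for pwauth), so the helper can parse different fields than the `$user` ikiwiki goes on to use; refuse input containing either byte before opening the pipe.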
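Review bot: in the `@@ -69,6 +89,16 @@` hunk, the `\` after `&&` is not a line continuation in Perl; it is the reference operator applied to the parenthesised expression that follows, and a reference is always true. The condition therefore reduces to `$config{unixauth_requiressl}` alone, and the `die` fires even when `sslcookie` is set and `HTTPS` is present. Drop the backslash (Perl needs no continuation character), or nest the second test in its own `if`.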
From 3b9fe3a1b64b011a72b6c54cb172a27922250d8b Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Wed, 30 Jul 2008 12:21:55 -0400 Subject: [PATCH 12/45] update --- doc/plugins/contrib/unixauth/discussion.mdwn | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/plugins/contrib/unixauth/discussion.mdwn b/doc/plugins/contrib/unixauth/discussion.mdwn index 863e3c91a..a209b9030 100644 --- a/doc/plugins/contrib/unixauth/discussion.mdwn +++ b/doc/plugins/contrib/unixauth/discussion.mdwn @@ -23,3 +23,6 @@ Thanks for the comments. That's definitely an undesirable interaction between pw Actually, yes. That's how I made sure I had pwauth working to begin with. I'm partial to the form-based approach because I'm not aware of any way to reliably "log out" browsers from HTTP authentication. If that *is* reliably possible, then I worked way too hard for no reason. ;-) -- [[schmonz]] + +I've added support for [checkpassword](http://cr.yp.to/checkpwd/interface.html), since those generally don't have any rate-limiting cleverness to interfere with ikiwiki's, and made a few other changes. Please check out the plugin docs again and let me know if this is closer to being acceptable. +-- [[schmonz]] From e4b096ac411494416d73e344e0aaeaacabf2f266 Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Wed, 30 Jul 2008 14:27:35 -0400 Subject: [PATCH 13/45] http(oop)s --- doc/plugins/contrib/unixauth.mdwn | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/plugins/contrib/unixauth.mdwn b/doc/plugins/contrib/unixauth.mdwn index 6cdf87f6a..f369cd6ad 100644 --- a/doc/plugins/contrib/unixauth.mdwn +++ b/doc/plugins/contrib/unixauth.mdwn 
@@ -14,6 +14,8 @@ Config variables that affect the behavior of `unixauth`: __Security__: [As with passwordauth](/security/#index14h2), be wary of sending usernames and passwords in cleartext. Unlike passwordauth, sniffing `unixauth` credentials can get an attacker much further than mere wiki access. Therefore, this plugin defaults to not even _displaying_ the login form fields unless we're running under SSL. Nobody should be able to do anything remotely dumb until the admin has done at least a little thinking. After that, dumb things are always possible. ;-) +_XXX hang on, looks like we don't have the huge CGI environment so testing for ${HTTPS} always fails; need another way to be sure_ + [[!toggle id="code" text="unixauth.pm"]] [[!toggleable id="code" text=""" From bf0483ed96755bb0aee22cf5e10a6f764cd15327 Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Wed, 30 Jul 2008 14:53:45 -0400 Subject: [PATCH 14/45] okay, tested to really work as advertised --- doc/plugins/contrib/unixauth.mdwn | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/doc/plugins/contrib/unixauth.mdwn b/doc/plugins/contrib/unixauth.mdwn index f369cd6ad..7442b6291 100644 --- a/doc/plugins/contrib/unixauth.mdwn +++ b/doc/plugins/contrib/unixauth.mdwn 
@@ -14,13 +14,31 @@ Config variables that affect the behavior of `unixauth`: __Security__: [As with passwordauth](/security/#index14h2), be wary of sending usernames and passwords in cleartext. Unlike passwordauth, sniffing `unixauth` credentials can get an attacker much further than mere wiki access. Therefore, this plugin defaults to not even _displaying_ the login form fields unless we're running under SSL. Nobody should be able to do anything remotely dumb until the admin has done at least a little thinking. After that, dumb things are always possible. ;-) -_XXX hang on, looks like we don't have the huge CGI environment so testing for ${HTTPS} always fails; need another way to be sure_ +`unixauth` tests for the presence of the `HTTPS` environment variable. `Wrapper.pm` needs to be tweaked to pass it through; without that, the plugin fails closed. + +[[!toggle id="diff" text="Wrapper.pm.diff"]] + +[[!toggleable id="diff" text=""" + + --- Wrapper.pm.orig 2008-07-29 00:09:10.000000000 -0400 + +++ Wrapper.pm + @@ -28,7 +28,7 @@ sub gen_wrapper () { #{{{ + my @envsave; + push @envsave, qw{REMOTE_ADDR QUERY_STRING REQUEST_METHOD REQUEST_URI + CONTENT_TYPE CONTENT_LENGTH GATEWAY_INTERFACE + - HTTP_COOKIE REMOTE_USER} if $config{cgi}; + + HTTP_COOKIE REMOTE_USER HTTPS} if $config{cgi}; + my $envsave=""; + foreach my $var (@envsave) { + $envsave.=<<"EOF" + +"""]] [[!toggle id="code" text="unixauth.pm"]] [[!toggleable id="code" text=""" - #!/usr/bin/perl + #!/usr//bin/perl # Ikiwiki unixauth authentication. package IkiWiki::Plugin::unixauth; 
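Review bot: the last changed line of this hunk turns `#!/usr/bin/perl` into `#!/usr//bin/perl`, which looks like a stray keystroke unrelated to the `Wrapper.pm` change; restore the original shebang. The new paragraph also documents that the plugin tests only for the presence of `HTTPS`. Now that the wrapper passes the variable through, consider checking its value as well, so that a variable exported with an empty or "off" value does not count as SSL.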
@@ -96,9 +114,10 @@ _XXX hang on, looks like we don't have the huge CGI environment so testing for $ if (! exists $config{unixauth_requiressl}) { $config{unixauth_requiressl} = 1; } - if ($config{unixauth_requiressl} && \ - (! $config{sslcookie} || ! exists $ENV{'HTTPS'})) { - die("SSL required to login. Contact your administrator."); + if ($config{unixauth_requiressl}) { + if ((! $config{sslcookie}) || (! exists $ENV{'HTTPS'})) { + die("SSL required to login. Contact your administrator.
"); + } } if ($form->title eq "signin") { From 7b37c78ad895509a2517e019b954c9ff2bf71549 Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Wed, 30 Jul 2008 14:55:58 -0400 Subject: [PATCH 15/45] fix cutto --- doc/plugins/contrib/unixauth.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/plugins/contrib/unixauth.mdwn b/doc/plugins/contrib/unixauth.mdwn index 7442b6291..f7019b4b8 100644 --- a/doc/plugins/contrib/unixauth.mdwn +++ b/doc/plugins/contrib/unixauth.mdwn @@ -38,7 +38,7 @@ __Security__: [As with passwordauth](/security/#index14h2), be wary of sending u [[!toggleable id="code" text=""" - #!/usr//bin/perl + #!/usr/bin/perl # Ikiwiki unixauth authentication. package IkiWiki::Plugin::unixauth; From bd5f94d2ac85d6fb5d60400345fe41b91f2d303c Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Wed, 30 Jul 2008 15:09:44 -0400 Subject: [PATCH 16/45] more suid --- doc/plugins/contrib/unixauth.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/plugins/contrib/unixauth.mdwn b/doc/plugins/contrib/unixauth.mdwn index f7019b4b8..1917a242d 100644 --- a/doc/plugins/contrib/unixauth.mdwn +++ b/doc/plugins/contrib/unixauth.mdwn 
@@ -3,7 +3,7 @@ This plugin authenticates users against the Unix user database. It presents a similar UI to [[plugins/passwordauth]], but simpler, as there's no need to be able to register or change one's password. -To authenticate, either [checkpassword](http://cr.yp.to/checkpwd.html) or [pwauth](http://www.unixpapa.com/pwauth/) must be installed and configured. `checkpassword` is strongly preferred. If your web server runs as an unprivileged user -- as it darn well should! -- then `checkpassword` needs to be setuid root. Other checkpassword implementations are available, notably [checkpassword-pam](http://checkpasswd-pam.sourceforge.net/). +To authenticate, either [checkpassword](http://cr.yp.to/checkpwd.html) or [pwauth](http://www.unixpapa.com/pwauth/) must be installed and configured. `checkpassword` is strongly preferred. If your web server runs as an unprivileged user -- as it darn well should! -- then `checkpassword` needs to be setuid root. (Or your ikiwiki CGI wrapper, I guess, but don't do that.) Other checkpassword implementations are available, notably [checkpassword-pam](http://checkpasswd-pam.sourceforge.net/). Config variables that affect the behavior of `unixauth`: From fd160168332e90569f0f87b573a39687797c3fcd Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Wed, 30 Jul 2008 15:11:47 -0400 Subject: [PATCH 17/45] s/sslrequire/requiressl/g --- doc/plugins/contrib/unixauth.mdwn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/plugins/contrib/unixauth.mdwn b/doc/plugins/contrib/unixauth.mdwn index 1917a242d..2de6fc51f 100644 --- a/doc/plugins/contrib/unixauth.mdwn +++ b/doc/plugins/contrib/unixauth.mdwn 
@@ -9,8 +9,8 @@ Config variables that affect the behavior of `unixauth`: * `unixauth_type`: defaults to unset, can be "checkpassword" or "pwauth" * `unixauth_command`: defaults to unset, should contain the full path and any arguments -* `unixauth_sslrequire`: defaults to 1, can be 0 -* `sslcookie`: needs to be 1 if `unixauth_sslrequire` is 1 (perhaps this should be done automatically?) +* `unixauth_requiressl`: defaults to 1, can be 0 +* `sslcookie`: needs to be 1 if `unixauth_requiressl` is 1 (perhaps this should be done automatically?) __Security__: [As with passwordauth](/security/#index14h2), be wary of sending usernames and passwords in cleartext. Unlike passwordauth, sniffing `unixauth` credentials can get an attacker much further than mere wiki access. Therefore, this plugin defaults to not even _displaying_ the login form fields unless we're running under SSL. Nobody should be able to do anything remotely dumb until the admin has done at least a little thinking. After that, dumb things are always possible. ;-) From 5e85039dc3a329a064a0d3053bbca2ed066f5292 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 30 Jul 2008 15:47:28 -0400 Subject: [PATCH 18/45] response --- doc/plugins/contrib/unixauth/discussion.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/plugins/contrib/unixauth/discussion.mdwn b/doc/plugins/contrib/unixauth/discussion.mdwn index a209b9030..c4f5ff269 100644 --- a/doc/plugins/contrib/unixauth/discussion.mdwn +++ b/doc/plugins/contrib/unixauth/discussion.mdwn 
@@ -26,3 +26,7 @@ Actually, yes. That's how I made sure I had pwauth working to begin with. I'm pa I've added support for [checkpassword](http://cr.yp.to/checkpwd/interface.html), since those generally don't have any rate-limiting cleverness to interfere with ikiwiki's, and made a few other changes. Please check out the plugin docs again and let me know if this is closer to being acceptable. -- [[schmonz]] + +> I actually think that the rate limiting is a good thing. After all, +> ikiwiki doesn't do its own login rate limiting. Just need to find a way +> to disentangle the two locks. --[[Joey]] From 0a176059bb55acfc201c7ca4705da849831adb8e Mon Sep 17 00:00:00 2001 From: "http://smcv.pseudorandom.co.uk/" Date: Wed, 30 Jul 2008 17:25:36 -0400 Subject: [PATCH 19/45] --- ..._inlined_into_Atom_not_necessarily_well-formed.mdwn | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn diff --git a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn new file mode 100644 index 000000000..8bf97910d --- /dev/null +++ b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn 
@@ -0,0 +1,10 @@ +If a blog entry contains a HTML named entity, such as the `—` produced by [[plugins/rst]] for blockquote citations, it's pasted into the Atom feed as-is. However, Atom feeds don't have a DTD, so named entities beyond `<`, `>`, `"`, `&` and `'` aren't well-formed XML. + +Possible solutions: + +* Put HTML in Atom feeds as type="html" (and use ESCAPE=HTML) instead + +* Keep HTML in Atom feeds as type="xhtml", but replace named entities with numeric ones, + like in the re-escape-entities branch in my repository: http://git.debian.org/?p=users/smcv/ikiwiki.git;a=commitdiff;h=c0eb041c65d0653bacf0d4acb7a602e9bda8888e + +(Also, the HTML in RSS feeds would probably get better interoperability if it was escaped with ESCAPE=HTML rather than being in a CDATA section?) From fe482079cc2d7f0bd2bad6f21bc91e3ff82308be Mon Sep 17 00:00:00 2001 From: "http://smcv.pseudorandom.co.uk/" Date: Wed, 30 Jul 2008 17:26:30 -0400 Subject: [PATCH 20/45] --- .../HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn index 8bf97910d..09ff0e335 100644 --- a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn +++ b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn 
@@ -5,6 +5,6 @@ Possible solutions: * Put HTML in Atom feeds as type="html" (and use ESCAPE=HTML) instead * Keep HTML in Atom feeds as type="xhtml", but replace named entities with numeric ones, - like in the re-escape-entities branch in my repository: http://git.debian.org/?p=users/smcv/ikiwiki.git;a=commitdiff;h=c0eb041c65d0653bacf0d4acb7a602e9bda8888e + like in the re-escape-entities branch in my repository ([diff here](http://git.debian.org/?p=users/smcv/ikiwiki.git;a=commitdiff;h=c0eb041c65d0653bacf0d4acb7a602e9bda8888e)) (Also, the HTML in RSS feeds would probably get better interoperability if it was escaped with ESCAPE=HTML rather than being in a CDATA section?) From 52ba1b2e043fa32d0c0bdf3e44614c9b6b495e23 Mon Sep 17 00:00:00 2001 From: "http://smcv.pseudorandom.co.uk/" Date: Wed, 30 Jul 2008 20:43:10 -0400 Subject: [PATCH 21/45] Fix broken link --- doc/todo/search_terms.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/todo/search_terms.mdwn b/doc/todo/search_terms.mdwn index 0e5edb520..cf1708c34 100644 --- a/doc/todo/search_terms.mdwn +++ b/doc/todo/search_terms.mdwn @@ -1,4 +1,4 @@ -The [[plugin/search]] plugin could use xapian terms to allow some special +The [[plugins/search]] plugin could use xapian terms to allow some special searches. For example, "title:foo", or "link:somepage", or "author:foo", or "copyright:GPL". From 094bd8fdb5826fcfd7b66db2b1d2ebcb89f0211e Mon Sep 17 00:00:00 2001 From: "http://smcv.pseudorandom.co.uk/" Date: Wed, 30 Jul 2008 20:46:24 -0400 Subject: [PATCH 22/45] Fix broken link --- doc/plugins/creole.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/plugins/creole.mdwn b/doc/plugins/creole.mdwn index b6861ab26..ed347e2c5 100644 --- a/doc/plugins/creole.mdwn +++ b/doc/plugins/creole.mdwn 
@@ -12,5 +12,5 @@ wiki markup formats, so should be fairly easy to guess at. There is also a [CheatSheet](http://www.wikicreole.org/wiki/CheatSheet). Links are standard [[WikiLinks|ikiwiki/WikiLink]]. Links and -[[PreProcessorDirectives]] inside `{{{ }}}` blocks are still expanded, +[[ikiwiki/PreProcessorDirectives]] inside `{{{ }}}` blocks are still expanded, since this happens before the creole format is processed. From 490d2c65986abf7359d230d96e74276116083515 Mon Sep 17 00:00:00 2001 From: "http://schmonz.livejournal.com/" Date: Thu, 31 Jul 2008 00:31:47 -0400 Subject: [PATCH 23/45] not working for me --- doc/plugins/creole/discussion.mdwn | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 doc/plugins/creole/discussion.mdwn diff --git a/doc/plugins/creole/discussion.mdwn b/doc/plugins/creole/discussion.mdwn new file mode 100644 index 000000000..4c01915c4 --- /dev/null +++ b/doc/plugins/creole/discussion.mdwn @@ -0,0 +1,2 @@ +I've installed Text::WikiCreole 0.05 and enabled the plugin, but I get an error when rebuilding the wiki: `Undefined subroutine &IkiWiki::Plugin::creole::creole_custombarelinks called at /usr/pkg-20080723/lib/perl5/vendor_perl/5.8.0/IkiWiki/Plugin/creole.pm line 23`. Is there a newer Text::WikiCreole I'm not finding online? +-- [[schmonz]] From f32c16fce733fff24ae6bdbdf67c272613c5f9ca Mon Sep 17 00:00:00 2001 From: hello Date: Thu, 31 Jul 2008 02:49:08 -0400 Subject: [PATCH 24/45] --- doc/sandbox/Try_some_math_formulas.mdwn | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 doc/sandbox/Try_some_math_formulas.mdwn diff --git a/doc/sandbox/Try_some_math_formulas.mdwn b/doc/sandbox/Try_some_math_formulas.mdwn new file mode 100644 index 000000000..31eb10813 --- /dev/null +++ b/doc/sandbox/Try_some_math_formulas.mdwn @@ -0,0 +1,7 @@ +# Title with $\TeX$ + +* How about some math? +* $\frac{1}{2} = \frac{3}{6}$ + + + From 2e0f64ba2112519f02089be43d9472dbfbb080d3 Mon Sep 17 00:00:00 2001 
From: hello Date: Thu, 31 Jul 2008 03:04:38 -0400 Subject: [PATCH 25/45] --- doc/sandbox/Teximg.mdwn | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 doc/sandbox/Teximg.mdwn diff --git a/doc/sandbox/Teximg.mdwn b/doc/sandbox/Teximg.mdwn new file mode 100644 index 000000000..8f0bb5514 --- /dev/null +++ b/doc/sandbox/Teximg.mdwn @@ -0,0 +1,3 @@ +[[!teximg code="E = - \frac{Z^2 \cdot \mu \cdot e^4}{32\pi^2 \epsilon_0^2 \hbar^2 n^2}" ]] + +Oops, teximg plugin not installed! From ec9bcdbb6ea563fb1336c6515c1f9ecf6d399672 Mon Sep 17 00:00:00 2001 From: hello Date: Thu, 31 Jul 2008 03:10:49 -0400 Subject: [PATCH 26/45] --- doc/sandbox/Teximg.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/sandbox/Teximg.mdwn b/doc/sandbox/Teximg.mdwn index 8f0bb5514..fc58c4243 100644 --- a/doc/sandbox/Teximg.mdwn +++ b/doc/sandbox/Teximg.mdwn @@ -1,3 +1,3 @@ -[[!teximg code="E = - \frac{Z^2 \cdot \mu \cdot e^4}{32\pi^2 \epsilon_0^2 \hbar^2 n^2}" ]] +[[teximg code="E = - \frac{Z^2 \cdot \mu \cdot e^4}{32\pi^2 \epsilon_0^2 \hbar^2 n^2}" ]] Oops, teximg plugin not installed! From 3b941ae53277d2b8c57280525143d2e6a20b8ed9 Mon Sep 17 00:00:00 2001 From: hello Date: Thu, 31 Jul 2008 05:06:45 -0400 Subject: [PATCH 27/45] Oops, teximg plugin not installed! --- doc/sandbox/Teximg.mdwn | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/sandbox/Teximg.mdwn b/doc/sandbox/Teximg.mdwn index fc58c4243..8483c1489 100644 --- a/doc/sandbox/Teximg.mdwn +++ b/doc/sandbox/Teximg.mdwn @@ -1,3 +1,2 @@ -[[teximg code="E = - \frac{Z^2 \cdot \mu \cdot e^4}{32\pi^2 \epsilon_0^2 \hbar^2 n^2}" ]] +[[!teximg code="E = - \frac{Z^2 \cdot \mu \cdot e^4}{32\pi^2 \epsilon_0^2 \hbar^2 n^2}" ]] -Oops, teximg plugin not installed! From 56459c82e68926746efb6152792a91787731b8f4 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 14:10:36 -0400 Subject: [PATCH 28/45] response --- doc/plugins/creole/discussion.mdwn | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/doc/plugins/creole/discussion.mdwn b/doc/plugins/creole/discussion.mdwn index 4c01915c4..a31f9cf83 100644 --- a/doc/plugins/creole/discussion.mdwn +++ b/doc/plugins/creole/discussion.mdwn @@ -1,2 +1,7 @@ I've installed Text::WikiCreole 0.05 and enabled the plugin, but I get an error when rebuilding the wiki: `Undefined subroutine &IkiWiki::Plugin::creole::creole_custombarelinks called at /usr/pkg-20080723/lib/perl5/vendor_perl/5.8.0/IkiWiki/Plugin/creole.pm line 23`. Is there a newer Text::WikiCreole I'm not finding online? -- [[schmonz]] + +> There's a patch in the debian package of libtext-wikicreole-perl that +> adds that option. I'm not sure what the status of it being released +> upstream is, though IIRC I was assured it would not be a problem. +> --[[Joey]] From 17dd9d6212bce16115519506c39d8ca9fca53d0c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 15:52:20 -0400 Subject: [PATCH 29/45] rename --- ...not_use_recommended_encoding_of_entities_for_some_fields.mdwn} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename doc/bugs/{HTML-escaped_titles_in_Atom__44___RSS_feeds_don__39__t_validate.mdwn => rss_feeds_do_not_use_recommended_encoding_of_entities_for_some_fields.mdwn} (100%) diff --git a/doc/bugs/HTML-escaped_titles_in_Atom__44___RSS_feeds_don__39__t_validate.mdwn b/doc/bugs/rss_feeds_do_not_use_recommended_encoding_of_entities_for_some_fields.mdwn similarity index 100% rename from doc/bugs/HTML-escaped_titles_in_Atom__44___RSS_feeds_don__39__t_validate.mdwn rename to doc/bugs/rss_feeds_do_not_use_recommended_encoding_of_entities_for_some_fields.mdwn From 33cd89c68b31c443f4683fb9d45e68ddd9a6daa9 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 16:09:26 -0400 Subject: [PATCH 30/45] questions --- .../HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn index 09ff0e335..d89fe0502 100644 --- a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn +++ b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn @@ -4,7 +4,11 @@ Possible solutions: * Put HTML in Atom feeds as type="html" (and use ESCAPE=HTML) instead +> Are there any particular downsides to doing that ..? --[[Joey]] + * Keep HTML in Atom feeds as type="xhtml", but replace named entities with numeric ones, like in the re-escape-entities branch in my repository ([diff here](http://git.debian.org/?p=users/smcv/ikiwiki.git;a=commitdiff;h=c0eb041c65d0653bacf0d4acb7a602e9bda8888e)) (Also, the HTML in RSS feeds would probably get better interoperability if it was escaped with ESCAPE=HTML rather than being in a CDATA section?) + +> Can't see why? --[[Joey]] From ec11400a01743ce9055e78c854519b9baf451c68 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 16:27:32 -0400 Subject: [PATCH 31/45] improve preprocessor docs --- doc/plugins/write.mdwn | 44 +++++++++++++++++++++++++----------------- 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/doc/plugins/write.mdwn b/doc/plugins/write.mdwn index 7c28088de..58c04d97a 100644 --- a/doc/plugins/write.mdwn +++ b/doc/plugins/write.mdwn 
@@ -128,26 +128,34 @@ of a plugin. hook(type => "preprocess", id => "foo", call => \&preprocess); -Replace "foo" with the command name that will be used inside brackets for -the preprocessor directive. - -Each time the directive is processed, the referenced function (`preprocess` -in the example above) is called, and is passed named parameters. A "page" -parameter gives the name of the page that embedded the preprocessor -directive, while a "destpage" parameter gives the name of the page the -content is going to (different for inlined pages), and a "preview" -parameter is set to a true value if the page is being previewed. All -parameters included in the directive are included as named parameters as -well. Whatever the function returns goes onto the page in place of the +Replace "foo" with the command name that will be used for the preprocessor directive. -An optional "scan" parameter, if set to a true value, makes the hook be -called during the preliminary scan that ikiwiki makes of updated pages, -before begining to render pages. This parameter should be set to true if -the hook modifies data in `%links`. Note that doing so will make the hook -be run twice per page build, so avoid doing it for expensive hooks. (As an -optimisation, if your preprocessor hook is called in a void contets, you -can assume it's being run in scan mode.) +Each time the directive is processed, the referenced function (`preprocess` +in the example above) is called. Whatever the function returns goes onto +the page in place of the directive. Or, if the function aborts using +`error()`, the directive will be replaced with the error message. + +The function is passed named parameters. First come the parameters set +in the preprocessor directive. These are passed in the same order as +they're in the directive, and if the preprocessor directive contains a bare +parameter (example: `\[[!foo param]]`), that parameter will be passed with +an empty value. 
+ +After the parameters from the preprocessor directive some additional ones +are passed: A "page" parameter gives the name of the page that embedded the +preprocessor directive, while a "destpage" parameter gives the name of the +page the content is going to (different for inlined pages), and a "preview" +parameter is set to a true value if the page is being previewed. + +If `hook` is passed an optional "scan" parameter, set to a true value, this +makes the hook be called during the preliminary scan that ikiwiki makes of +updated pages, before begining to render pages. This should be done if the +hook modifies data in `%links`. Note that doing so will make the hook be +run twice per page build, so avoid doing it for expensive hooks. (As an +optimisation, if your preprocessor hook is called in a void context, you +can assume it's being run in scan mode, and avoid doing expensive things at +that point.) Note that if the [[htmlscrubber]] is enabled, html in [[ikiwiki/PreProcessorDirective]] output is sanitised, which may limit what From 5569f5853d4bfdd4f0cc1d64819aac005a31caf3 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 16:36:56 -0400 Subject: [PATCH 32/45] question --- doc/todo/color_plugin.mdwn | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/todo/color_plugin.mdwn b/doc/todo/color_plugin.mdwn index 1e1fb174e..68370158c 100644 --- a/doc/todo/color_plugin.mdwn +++ b/doc/todo/color_plugin.mdwn @@ -58,6 +58,11 @@ comments are very welcome. --[[Paweł|ptecza]] >> Similar hardcoded method I've found in `img` plugin :) But only one >> argument is not named there (image path). +>>> I think I hadn't realized what you were doing there. The order +>>> for unnamed parameters can in fact be relied on. +>>> +>>> --[[Joey]] + >> Maybe I shouldn't use so simple plugin syntax? For following syntax >> I wouldn't have that problem: 
@@ -96,6 +101,8 @@ seems to be too enigmatic and it was hard to me to handle unnamed parameters in not hardcoded way. I hope that my changes are acceptable for you. Of course, I'm open for discussion or exchange of ideas :) --[[Paweł|ptecza]] +> One question, why the 2px padding for span.color? --[[Joey]] + --- /dev/null 2008-06-21 02:02:15.000000000 +0200 +++ color.pm 2008-07-27 14:58:12.000000000 +0200 @@ -0,0 +1,69 @@ @@ -146,7 +153,7 @@ Of course, I'm open for discussion or exchange of ideas :) --[[Paweł|ptecza]] + $content =~ s!((color: ([a-z]+|\#[0-9a-f]{3,6})?)?((; )?(background-color: ([a-z]+|\#[0-9a-f]{3,6})?)?)?)!!g; + $content =~ s!!!g; + - + return $content; + + return $content; +} #}}} + +sub preprocess(@) { #{{{ From cbcf52064b893d0078a339963b994edf6b0fb328 Mon Sep 17 00:00:00 2001 From: bremner Date: Thu, 31 Jul 2008 17:04:00 -0400 Subject: [PATCH 33/45] progress report --- doc/todo/mbox.mdwn | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/doc/todo/mbox.mdwn b/doc/todo/mbox.mdwn index 2df7ed877..df7437a65 100644 --- a/doc/todo/mbox.mdwn +++ b/doc/todo/mbox.mdwn 
@@ -2,11 +2,10 @@ I'd like to be able to drop an unmodified RFC2822 email message into ikiwiki, an > We're discussing doing just that (well, whole mailboxes, really) over in > [[comment_by_mail]] --[[Joey]] - ->> I am going to start putting something simple together, but ->> probably not too quickly. ->> So far I don't see a way to have ikiwiki process directories ->> (i.e. maildirs or mh folders) as a single page. This not that ->> big of a deal, but it means that every mailbox will need ->> something like \[[!mailbox type=maildir path=thedir]] in some ->> "normal" (e.g. markdown) page -- [[DavidBremner]] +>> If you like to read code, you can have a gander at the +>> [mailbox](http://pivot.cs.unb.ca/git/?p=ikimailbox.git;a=summary) +>> plugin. At the moment, it reads all of the messages in a maildir and passes them through +>> a template of your choice. Kinda acts like `cat` at the moment because none of the +>> css is defined yet. Next missions are threading (Email::Thread?) and filtering of headers. +>> also, do something to preserve the bodies of the mail messages. Maybe with Text::Quoted. Or just < pre> :-) +>> To see the (unsurprising) syntax, look at [a trivial example markdown file](http://pivot.cs.unb.ca/git/?p=ikimailbox.git;a=blob;f=test/in/index.mdwn;hb=HEAD) From 9bc2e316b2d96245a9904da4d484f918db39ed07 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 31 Jul 2008 22:12:56 +0100 Subject: [PATCH 34/45] Escape HTML in Atom feeds, rather than relying on it being well-formed XHTML with no named entity references --- templates/atomitem.tmpl | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/templates/atomitem.tmpl b/templates/atomitem.tmpl index 19c557f30..1ff7f4f4e 100644 --- a/templates/atomitem.tmpl +++ b/templates/atomitem.tmpl @@ -10,22 +10,18 @@ - -
+ - - + + - + -
- -
- -
+ +
@@ -39,10 +35,8 @@ - -
- -
+ +
From 9b901a33647407142038175006f81e773ae5883a Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 31 Jul 2008 22:13:21 +0100 Subject: [PATCH 35/45] Escape HTML in RSS feeds, rather than relying on it being valid to stuff into a CDATA section --- templates/rssitem.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/rssitem.tmpl b/templates/rssitem.tmpl index 1144cd5e2..42936a668 100644 --- a/templates/rssitem.tmpl +++ b/templates/rssitem.tmpl @@ -21,6 +21,6 @@ - ]]> + From a64dca8356754a14ab9a4bcdd9d1a8bdba41d64b Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 31 Jul 2008 22:15:22 +0100 Subject: [PATCH 36/45] Escape HTML in Atom feed metadata rather than treating it as XHTML --- templates/atompage.tmpl | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/templates/atompage.tmpl b/templates/atompage.tmpl index e834d7693..dcb89ab5c 100644 --- a/templates/atompage.tmpl +++ b/templates/atompage.tmpl @@ -12,22 +12,18 @@ - -
+ - + - + -
- -
- -
+ +
From 53001f901106ec1846eded1de336083537b7f160 Mon Sep 17 00:00:00 2001 From: "http://smcv.pseudorandom.co.uk/" Date: Thu, 31 Jul 2008 17:26:49 -0400 Subject: [PATCH 37/45] --- .../HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn index d89fe0502..7ba95fb4b 100644 --- a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn +++ b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn @@ -6,9 +6,15 @@ Possible solutions: > Are there any particular downsides to doing that ..? --[[Joey]] +>> It's the usual XHTML/HTML distinction. type="html" will always be interpreted as "tag soup", I believe - this may lead to it being rendered differently in some browsers. In general ikiwiki seems to claim to produce XHTML (at least, the default page.tmpl makes it claim to be XHTML Strict). On the other hand, this is a much simpler solution... see escape-feed-html branch in my repository, which I'm now using instead --[[smcv]] + * Keep HTML in Atom feeds as type="xhtml", but replace named entities with numeric ones, like in the re-escape-entities branch in my repository ([diff here](http://git.debian.org/?p=users/smcv/ikiwiki.git;a=commitdiff;h=c0eb041c65d0653bacf0d4acb7a602e9bda8888e)) +>> I can see why you think this is excessively complex! --[[smcv]] + (Also, the HTML in RSS feeds would probably get better interoperability if it was escaped with ESCAPE=HTML rather than being in a CDATA section?) > Can't see why? --[[Joey]] + +>> For a start, `]]>` in content wouldn't break the feed :-) but I was really thinking of non-XML, non-SGML parsers (more tag soup) that don't understand CDATA (I've suffered from CDATA damage when feeding generated code through gtkdoc, for instance). --[[smcv]] From 9766bb029682a336cddbb7cb3c0bb38e1f00366a Mon Sep 17 00:00:00 2001 
From: bremner Date: Thu, 31 Jul 2008 18:12:53 -0400 Subject: [PATCH 38/45] update progress report --- doc/todo/mbox.mdwn | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/todo/mbox.mdwn b/doc/todo/mbox.mdwn index df7437a65..dd0e5756b 100644 --- a/doc/todo/mbox.mdwn +++ b/doc/todo/mbox.mdwn @@ -6,6 +6,5 @@ I'd like to be able to drop an unmodified RFC2822 email message into ikiwiki, an >> [mailbox](http://pivot.cs.unb.ca/git/?p=ikimailbox.git;a=summary) >> plugin. At the moment, it reads all of the messages in a maildir and passes them through >> a template of your choice. Kinda acts like `cat` at the moment because none of the ->> css is defined yet. Next missions are threading (Email::Thread?) and filtering of headers. ->> also, do something to preserve the bodies of the mail messages. Maybe with Text::Quoted. Or just < pre> :-) +>> css is defined yet. Next missions are threading (Email::Thread?), and maybe some simple css. >> To see the (unsurprising) syntax, look at [a trivial example markdown file](http://pivot.cs.unb.ca/git/?p=ikimailbox.git;a=blob;f=test/in/index.mdwn;hb=HEAD) From 973e49e31dac3fc3e6642acac126e4140429b205 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 18:49:40 -0400 Subject: [PATCH 39/45] response --- ...lined_into_Atom_not_necessarily_well-formed.mdwn | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn index 7ba95fb4b..6c5c79672 100644 --- a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn +++ b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn 
@@ -8,6 +8,10 @@ Possible solutions: >> It's the usual XHTML/HTML distinction. type="html" will always be interpreted as "tag soup", I believe - this may lead to it being rendered differently in some browsers. In general ikiwiki seems to claim to produce XHTML (at least, the default page.tmpl makes it claim to be XHTML Strict). On the other hand, this is a much simpler solution... see escape-feed-html branch in my repository, which I'm now using instead --[[smcv]] +>>> Of course, browsers [probably don't treat xhtml pages as xhtml anyway](http://hixie.ch/advocacy/xhtml). +>>> And the same content will be treated as html (probably as tag soup) if it's +>>> in a rss feed. + * Keep HTML in Atom feeds as type="xhtml", but replace named entities with numeric ones, like in the re-escape-entities branch in my repository ([diff here](http://git.debian.org/?p=users/smcv/ikiwiki.git;a=commitdiff;h=c0eb041c65d0653bacf0d4acb7a602e9bda8888e)) @@ -18,3 +22,12 @@ Possible solutions: > Can't see why? --[[Joey]] >> For a start, `]]>` in content wouldn't break the feed :-) but I was really thinking of non-XML, non-SGML parsers (more tag soup) that don't understand CDATA (I've suffered from CDATA damage when feeding generated code through gtkdoc, for instance). --[[smcv]] + +>>> FWIW, the htmlscrubber escapes the `]]>`. (Wouldn't hurt to make that +>>> more robust tho.) +>>> +>>> ikiwiki has used CDATA from the beginning -- this is the first time +>>> I've heard about rss 2.0 parsers that didn't know about CDATA. +>>> +>>> (IIRC, I used CDATA because the result is more space-efficient and less +>>> craptacular to read manually.) From 71eb56bcac199a31e02301852b210bf99fedfd2c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 18:52:30 -0400 Subject: [PATCH 40/45] merged --- debian/changelog | 4 ++++ .../HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn | 2 ++ 2 files changed, 6 insertions(+) 
diff --git a/debian/changelog b/debian/changelog index 7fd135700..af94c99c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,10 @@ ikiwiki (2.56) UNRELEASED; urgency=low * autoindex: New plugin that generates missing index pages. (Sponsored by The TOVA Company.) + * Escape HTML is rss and atom feeds instead of respectively using CDATA and + treating it as XHTML. This avoids problems with escaping the end of the + CDATA when the htmlscrubber is not used, and it avoids problems with atom + XHTML using named entity references that are not in the atom DTD. (Simon McVittie) -- Joey Hess Tue, 29 Jul 2008 15:53:26 -0400 diff --git a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn index 6c5c79672..d2f8ca3dc 100644 --- a/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn +++ b/doc/bugs/HTML_inlined_into_Atom_not_necessarily_well-formed.mdwn @@ -12,6 +12,8 @@ Possible solutions: >>> And the same content will be treated as html (probably as tag soup) if it's >>> in a rss feed. +>>> [[merged|done]] + * Keep HTML in Atom feeds as type="xhtml", but replace named entities with numeric ones, like in the re-escape-entities branch in my repository ([diff here](http://git.debian.org/?p=users/smcv/ikiwiki.git;a=commitdiff;h=c0eb041c65d0653bacf0d4acb7a602e9bda8888e)) From 391c5c2cb58719ca6f7a128e23ec387276c53c62 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 19:01:02 -0400 Subject: [PATCH 41/45] increase minimum git version git commit --cleanup=verbatim was first introduced in git 1.5.4. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 86a8a0fe0..8959bb922 100644 --- a/debian/control +++ b/debian/control 
@@ -13,7 +13,7 @@ Vcs-Browser: http://git.ikiwiki.info/?p=ikiwiki Package: ikiwiki Architecture: all Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl -Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl +Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.4) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl Suggests: viewvc | gitweb | viewcvs, libsearch-xapian-perl, xapian-omega (>= 1.0.5), librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl, sparkline-php Conflicts: ikiwiki-plugin-table Replaces: ikiwiki-plugin-table From f7b8f2297cf828ffc3b4175959e3c69fc2db93e2 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 19:23:54 -0400 Subject: [PATCH 42/45] Add test for old versions of git that don't support --cleanup=verbatim, and munge empty commit messages. --- IkiWiki/Rcs/git.pm | 18 +++++++++++++++--- debian/changelog | 2 ++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/IkiWiki/Rcs/git.pm b/IkiWiki/Rcs/git.pm index ecf560d0b..1fa9188aa 100644 --- a/IkiWiki/Rcs/git.pm +++ b/IkiWiki/Rcs/git.pm 
@@ -336,11 +336,23 @@ sub rcs_commit_staged ($$$) { $ENV{GIT_AUTHOR_EMAIL}="$u\@web"; } + $message = possibly_foolish_untaint($message); + my @opts; + if ($message !~ /\S/) { + # Force git to allow empty commit messages. + # (If this version of git supports it.) + my ($version)=`git --version` =~ /git version (.*)/; + if ($version ge "1.5.4") { + push @opts, '--cleanup=verbatim'; + } + else { + $message.="."; + } + } + push @opts, '-q'; # git commit returns non-zero if file has not been really changed. # so we should ignore its exit status (hence run_or_non). - $message = possibly_foolish_untaint($message); - if (run_or_non('git', 'commit', '--cleanup=verbatim', - '-q', '-m', $message)) { + if (run_or_non('git', 'commit', @opts, '-m', $message)) { if (length $config{gitorigin_branch}) { run_or_cry('git', 'push', $config{gitorigin_branch}); } diff --git a/debian/changelog b/debian/changelog index af94c99c5..0ad73dd43 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,8 @@ ikiwiki (2.56) UNRELEASED; urgency=low treating it as XHTML. This avoids problems with escaping the end of the CDATA when the htmlscrubber is not used, and it avoids problems with atom XHTML using named entity references that are not in the atom DTD. (Simon McVittie) + * Add test for old versions of git that don't support --cleanup=verbatim, + and munge empty commit messages. -- Joey Hess Tue, 29 Jul 2008 15:53:26 -0400 From d266c4dc45695d3d9570037193d4aef2d345f05e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 19:24:35 -0400 Subject: [PATCH 43/45] Revert "increase minimum git version" This reverts commit 391c5c2cb58719ca6f7a128e23ec387276c53c62. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 8959bb922..86a8a0fe0 100644 --- a/debian/control +++ b/debian/control 
@@ -13,7 +13,7 @@ Vcs-Browser: http://git.ikiwiki.info/?p=ikiwiki Package: ikiwiki Architecture: all Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl -Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.4) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl +Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl Suggests: viewvc | gitweb | viewcvs, libsearch-xapian-perl, xapian-omega (>= 1.0.5), librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl, sparkline-php Conflicts: ikiwiki-plugin-table Replaces: ikiwiki-plugin-table From 0f312d152e5d98d8ea4baf70f2fb15bcd9699da0 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 19:29:29 -0400 Subject: [PATCH 44/45] releasing version 2.56 --- debian/changelog | 4 ++-- po/ikiwiki.pot | 31 +++++++++++++++++++++---------- 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/debian/changelog b/debian/changelog index 0ad73dd43..1290904f8 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,4 +1,4 @@ -ikiwiki (2.56) UNRELEASED; urgency=low +ikiwiki (2.56) unstable; urgency=low * autoindex: New plugin that generates missing index pages. (Sponsored by The TOVA Company.) @@ -9,7 +9,7 @@ ikiwiki (2.56) UNRELEASED; urgency=low * Add test for old versions of git that don't support --cleanup=verbatim, and munge empty commit messages. - -- Joey Hess Tue, 29 Jul 2008 15:53:26 -0400 + -- Joey Hess Thu, 31 Jul 2008 19:25:24 -0400 ikiwiki (2.55) unstable; urgency=low diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot index b6e2dc68c..52ed49d81 100644 --- a/po/ikiwiki.pot +++ b/po/ikiwiki.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2008-07-25 16:16-0400\n" +"POT-Creation-Date: 2008-07-31 19:25-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -71,7 +71,7 @@ msgstr "" msgid "You are banned." msgstr "" -#: ../IkiWiki/CGI.pm:758 ../IkiWiki/CGI.pm:759 ../IkiWiki.pm:788 +#: ../IkiWiki/CGI.pm:758 ../IkiWiki/CGI.pm:759 ../IkiWiki.pm:785 msgid "Error" msgstr "" @@ -190,6 +190,10 @@ msgstr "" msgid "attachment upload" msgstr "" +#: ../IkiWiki/Plugin/autoindex.pm:65 +msgid "automatic index generation" +msgstr "" + #: ../IkiWiki/Plugin/brokenlinks.pm:40 #, perl-format msgid "%s from %s" 
@@ -199,11 +203,22 @@ msgstr "" msgid "There are no broken links!" msgstr "" -#: ../IkiWiki/Plugin/conditional.pm:18 ../IkiWiki/Plugin/testpagespec.pm:17 +#: ../IkiWiki/Plugin/conditional.pm:18 ../IkiWiki/Plugin/cutpaste.pm:22 +#: ../IkiWiki/Plugin/cutpaste.pm:37 ../IkiWiki/Plugin/cutpaste.pm:53 +#: ../IkiWiki/Plugin/testpagespec.pm:17 #, perl-format msgid "%s parameter is required" msgstr "" +#: ../IkiWiki/Plugin/cutpaste.pm:58 +msgid "no text was copied in this page" +msgstr "" + +#: ../IkiWiki/Plugin/cutpaste.pm:61 +#, perl-format +msgid "no text was copied in this page with id %s" +msgstr "" + #: ../IkiWiki/Plugin/edittemplate.pm:41 msgid "template not specified" msgstr "" @@ -800,15 +815,11 @@ msgstr "" msgid "Must specify url to wiki with --url when using --cgi" msgstr "" -#. translators: The first parameter is a -#. translators: preprocessor directive name, -#. translators: the second a page name, the -#. translators: third a number. -#: ../IkiWiki.pm:771 +#: ../IkiWiki.pm:768 #, perl-format -msgid "%s preprocessing loop detected on %s at depth %i" +msgid "preprocessing loop detected on %s at depth %i" msgstr "" -#: ../IkiWiki.pm:1219 +#: ../IkiWiki.pm:1216 msgid "yes" msgstr "" From 861dea7f1c720ff889ff11ef7b7e925a3c209c5d Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 31 Jul 2008 19:30:21 -0400 Subject: [PATCH 45/45] add news item for ikiwiki 2.56 --- doc/news/version_2.51.mdwn | 33 --------------------------------- doc/news/version_2.56.mdwn | 10 ++++++++++ 2 files changed, 10 insertions(+), 33 deletions(-) delete mode 100644 doc/news/version_2.51.mdwn create mode 100644 doc/news/version_2.56.mdwn diff --git a/doc/news/version_2.51.mdwn b/doc/news/version_2.51.mdwn deleted file mode 100644 index 87d742ba4..000000000 --- a/doc/news/version_2.51.mdwn +++ /dev/null 
@@ -1,33 +0,0 @@ -ikiwiki 2.51 released with [[!toggle text="these changes"]] -[[!toggleable text=""" - * Improve toplevel parentlink to link directly to index.html when usedirs is - disabled. - * map: Add a "show" parameter. "show=title" can be used to display page - titles, rather than the default page name. Based on a patch from - Jaldhar H. Vyas, Closes: #[484510](http://bugs.debian.org/484510) - * hnb: New plugin, contributed by Axel Beckert. - * meta: Store "description" in pagestate for use by other plugins. - * map: Support show=description. - * textile: The Text::Textile perl module has some regexps that fail if - input is flagged as utf-8, but contains invalid characters such as 0x92. - To prevent it from crashing, re-encode the content before calling it, - which will ensure that it's really utf-8. - * Version the suggests of xapian-omega to a version known to be new enough - to work with ikiwiki. Reportedly, version 0.9.9 is too old to work. - Closes: #[486592](http://bugs.debian.org/486592) - * creole: New plugin from Bernd Zeimetz. Closes: #[486930](http://bugs.debian.org/486930) - * aggregate: Add template parameter. - * Add support for the universal edit button <http://universaleditbutton.org/> - (To get this on all pages of an exiting wiki, rebuild the wiki.) - * txt: New plugin, contributed by Gabriel McManus. - * smiley: Generate links relative to the destpage. (Fixes a reversion from - 2.41.) - * toc: Revert change in 2.45 that made it run at sanitize time. That broke - use of toc in a sidebar. - * Call format hooks when generating page previews, thus fixing toc display - there, as well as fixing inlins to again display in page previews, since - it's started using format hooks. This also allows several other things, - like embed, that use format hooks, to work during page preview time. - * Format hooks should not rely on getting an entire html document, as they - will only get the body during page preview. 
- * toggle: Deal with preview mode when adding javascript."""]] \ No newline at end of file diff --git a/doc/news/version_2.56.mdwn b/doc/news/version_2.56.mdwn new file mode 100644 index 000000000..b8c069488 --- /dev/null +++ b/doc/news/version_2.56.mdwn @@ -0,0 +1,10 @@ +ikiwiki 2.56 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * autoindex: New plugin that generates missing index pages. + (Sponsored by The TOVA Company.) + * Escape HTML is rss and atom feeds instead of respectively using CDATA and + treating it as XHTML. This avoids problems with escaping the end of the + CDATA when the htmlscrubber is not used, and it avoids problems with atom + XHTML using named entity references that are not in the atom DTD. (Simon McVittie) + * Add test for old versions of git that don't support --cleanup=verbatim, + and munge empty commit messages."""]] \ No newline at end of file
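Review bot: In the `rcs_commit_staged` hunk of IkiWiki/Rcs/git.pm (PATCH 42/45), `$version ge "1.5.4"` is a string comparison, so a version such as 1.10.0 sorts below 1.5.4 and takes the fallback branch that appends "." to the commit message. Compare the numeric components field by field instead. The pattern `/git version (.*)/` captures everything that follows on the line, so restricting the capture to `[\d.]+` keeps the comparison input predictable. If the match fails, `$version` is undefined. The else branch is the safe fallback in that case, but an explicit `defined $version` test avoids the warning and makes the intent clear.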
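Review bot: The rewritten "scan" paragraph in doc/plugins/write.mdwn (PATCH 31/45) still reads "before begining to render pages", which should be "beginning"; the same hunk already fixes "contets" to "context", so this is worth catching in the same pass. The new paragraph on bare parameters says such a parameter "will be passed with an empty value". Please state whether that is an empty string or undef, since a hook that validates its parameters has to tell a bare flag apart from a named parameter that was given no value.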
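Review bot: The changelog entry added to debian/changelog in PATCH 40/45 reads "Escape HTML is rss and atom feeds", where "is" should be "in". The same sentence is copied unchanged into the new doc/news/version_2.56.mdwn in PATCH 45/45, so both need the fix. The entry also describes two separate template changes (CDATA removed from RSS, XHTML replaced by escaped HTML in Atom). Splitting it into one bullet per feed format would make it easier to match against the three template commits.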