editpage escaping fixes
* The editpage form now uses the raw page name, not the page title, in its 'page' cgi parameter. Using the title was ambiguous and made it impossible to tell some pages apart, like "foo/bar" and "foo__47__bar", sometimes causing the wrong page to be edited. * This change means that some edit links need to be updated. Force a rebuild on upgrade to this version. * Above change also allowed really fixing escaped slashes from the blogpost form.master
parent
badfb9a5c9
commit
05124f9a86
|
@ -596,7 +596,7 @@ sub htmllink ($$$;@) { #{{{
|
|||
return "<span class=\"createlink\"><a href=\"".
|
||||
cgiurl(
|
||||
do => "create",
|
||||
page => pagetitle(lc($link), 1),
|
||||
page => lc($link),
|
||||
from => $lpage
|
||||
).
|
||||
"\" rel=\"nofollow\">?</a>$linktext</span>"
|
||||
|
|
|
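Review bot: The createlink now sends `lc($link)` as the raw `page` parameter, while the other edit links changed in this commit (preprocess_inline, genpage) pass `$page` unchanged, so this is the only call site that lowercases before the CGI's validation runs; a short comment would stop a later reader from "fixing" the apparent inconsistency, e.g. `# new pages are created under a lowercased name; the CGI now receives the raw (unescaped) name`. I cannot see cgiurl() from the hunk, so whether it URL-encodes a value that may now contain `/` is assumed rather than verified. htmllink's body continues outside the hunk.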
@ -301,10 +301,9 @@ sub cgi_editpage ($$) { #{{{
|
|||
});
|
||||
decode_form_utf8($form);
|
||||
|
||||
# This untaint is safe because titlepage removes any problematic
|
||||
# characters.
|
||||
# This untaint is safe because we check file_pruned.
|
||||
my $page=$form->field('page');
|
||||
$page=titlepage(possibly_foolish_untaint($page));
|
||||
$page=possibly_foolish_untaint($page);
|
||||
if (! defined $page || ! length $page ||
|
||||
file_pruned($page, $config{srcdir}) || $page=~/^\//) {
|
||||
error("bad page name");
|
||||
|
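Review bot: The untaint on `$page=possibly_foolish_untaint($page);` now runs before any validation, so the safety claim in the rewritten comment rests entirely on the following `file_pruned` / leading-slash check rejecting anything dangerous, and the comment should name what that check is expected to reject so the dependency is explicit, e.g. `# Untaint before validation; safe only because the check below rejects empty names, absolute paths and anything file_pruned() matches.` I cannot tell from the hunk whether file_pruned covers `..` path components or a doubled slash such as `foo//bar`, so that should be confirmed against the prune list before the comment is committed. It is also not visible here what possibly_foolish_untaint does with an undefined value, although the `! defined $page` test afterwards suggests that case is anticipated. cgi_editpage's body starts and ends outside the hunk.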
@ -354,7 +353,7 @@ sub cgi_editpage ($$) { #{{{
|
|||
$form->field(name => "from", type => 'hidden');
|
||||
$form->field(name => "rcsinfo", type => 'hidden');
|
||||
$form->field(name => "subpage", type => 'hidden');
|
||||
$form->field(name => "page", value => pagetitle($page, 1), force => 1);
|
||||
$form->field(name => "page", value => $page, force => 1);
|
||||
$form->field(name => "type", value => $type, force => 1);
|
||||
$form->field(name => "comments", type => "text", size => 80);
|
||||
$form->field(name => "editcontent", type => "textarea", rows => 20,
|
||||
|
@ -486,8 +485,8 @@ sub cgi_editpage ($$) { #{{{
|
|||
|
||||
$form->tmpl_param("page_select", 1);
|
||||
$form->field(name => "page", type => 'select',
|
||||
options => [ map { pagetitle($_, 1) } @editable_locs ],
|
||||
value => pagetitle($best_loc, 1));
|
||||
options => [ map { [ $_, pagetitle($_, 1) ] } @editable_locs ],
|
||||
value => $best_loc);
|
||||
$form->field(name => "type", type => 'select',
|
||||
options => \@page_types);
|
||||
$form->title(sprintf(gettext("creating %s"), pagetitle($page)));
|
||||
|
|
|
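Review bot: The select options are now `[ $_, pagetitle($_, 1) ]` pairs but nothing says which element is the submitted value and which the displayed label, and the title two lines below calls `pagetitle($page)` without the second argument; a comment on the options line would make the contract visible, e.g. `# [ value, label ]: submit the raw page name, display its title`. If the `1` argument to pagetitle is not self-explanatory in this codebase, naming its meaning in the same comment would help. cgi_editpage's body starts and ends outside the hunk.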
@ -50,7 +50,7 @@ sub formbuilder_setup { #{{{
|
|||
|
||||
return if $form->field("do") ne "edit";
|
||||
|
||||
$page = IkiWiki::titlepage(IkiWiki::possibly_foolish_untaint($page));
|
||||
$page = IkiWiki::possibly_foolish_untaint($page);
|
||||
return unless exists $pagesources{$page};
|
||||
|
||||
push @{$params{buttons}}, "Diff";
|
||||
|
|
|
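Review bot: `$page = IkiWiki::possibly_foolish_untaint($page);` now untaints the raw CGI value with no accompanying rationale, whereas the CGI.pm hunk in this commit documents why its untaint is safe; here it is the `return unless exists $pagesources{$page};` on the next line that makes it safe, since only a name already present as a key is accepted, and a comment should say so, e.g. `# untaint is safe: $page is only used if it is an existing key of %pagesources`. formbuilder_setup's body starts and ends outside the hunk.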
@ -70,12 +70,12 @@ sub sessioncgi () { #{{{
|
|||
my $session=shift;
|
||||
|
||||
if ($q->param('do') eq 'blog') {
|
||||
my $page=decode_utf8($q->param('title'));
|
||||
$page=~s/\///g; # no slashes in blog posts
|
||||
my $page=IkiWiki::titlepage(decode_utf8($q->param('title')));
|
||||
$page=~s/(\/)/"__".ord($1)."__"/eg; # don't create subdirs
|
||||
# if the page already exists, munge it to be unique
|
||||
my $from=$q->param('from');
|
||||
my $add="";
|
||||
while (exists $IkiWiki::pagecase{lc($from."/".IkiWiki::titlepage($page).$add)}) {
|
||||
while (exists $IkiWiki::pagecase{lc($from."/".$page.$add)}) {
|
||||
$add=1 unless length $add;
|
||||
$add++;
|
||||
}
|
||||
|
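Review bot: `$page=~s/(\/)/"__".ord($1)."__"/eg;` captures a fixed single character and evaluates code to produce a constant, which hides the fact that the replacement is always `__47__`, the same escape the commit description quotes for `foo__47__bar`; writing it as `$page=~s{/}{__47__}g; # escape '/' like page-name escaping does, so no subdir is created` is simpler and makes the mapping grep-able. If the escape format is meant to track whatever titlepage() produces for other characters, a pointer to that function in the comment would keep the two from drifting apart. sessioncgi's body continues outside the hunk.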
@ -278,7 +278,7 @@ sub preprocess_inline (@) { #{{{
|
|||
}
|
||||
if (length $config{cgiurl} && defined $type) {
|
||||
$template->param(have_actions => 1);
|
||||
$template->param(editurl => cgiurl(do => "edit", page => pagetitle($page, 1)));
|
||||
$template->param(editurl => cgiurl(do => "edit", page => $page));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
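Review bot: `page => $page` in the editurl now passes the raw page name, which may contain `/`, straight to cgiurl(); the same change appears in the genpage hunk below. A comment at each site would record the contract this commit establishes, e.g. `# pass the raw page name: the edit CGI now takes the unescaped name, not pagetitle()`. I cannot see cgiurl() here, so whether it URL-encodes its values is assumed rather than verified; `/` is legal unescaped in a query string, but any other character a raw name may contain would need encoding there. preprocess_inline's body starts outside the hunk.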
@ -80,7 +80,7 @@ sub genpage ($$) { #{{{
|
|||
my $actions=0;
|
||||
|
||||
if (length $config{cgiurl}) {
|
||||
$template->param(editurl => cgiurl(do => "edit", page => pagetitle($page, 1)));
|
||||
$template->param(editurl => cgiurl(do => "edit", page => $page));
|
||||
$template->param(prefsurl => cgiurl(do => "prefs"));
|
||||
$actions++;
|
||||
}
|
||||
|
|
|
@ -1,3 +1,11 @@
|
|||
ikiwiki (2.52) unstable; urgency=low
|
||||
|
||||
All wikis need to be rebuilt on upgrade to this version. If you listed your
|
||||
wiki in /etc/ikiwiki/wikilist this will be done automatically when the
|
||||
Debian package is upgraded. Or use ikiwiki-mass-rebuild to force a rebuild.
|
||||
|
||||
-- Joey Hess <joeyh@debian.org> Sun, 06 Jul 2008 15:10:05 -0400
|
||||
|
||||
ikiwiki (2.49) unstable; urgency=low
|
||||
|
||||
The search plugin no longer uses hyperestraier. Instead, to use it you
|
||||
|
|
|
@ -8,6 +8,14 @@ ikiwiki (2.52) UNRELEASED; urgency=low
|
|||
* toggle: Fix to work in preview mode.
|
||||
* toggle: Add javascript to top of page, not to end. This avoids flicker
|
||||
since closed toggles will not be displayed as the page is loading.
|
||||
* The editpage form now uses the raw page name, not the page title, in its
|
||||
'page' cgi parameter. Using the title was ambiguous and made it
|
||||
impossible to tell between some pages, like "foo/bar" and "foo__47__bar",
|
||||
sometimes causing the wrong page to be edited.
|
||||
* This change means that some edit links need to be updated.
|
||||
Force a rebuild on upgrade to this version.
|
||||
* Above change also allowed really fixing escaped slashes from the blogpost
|
||||
form.
|
||||
|
||||
-- Joey Hess <joeyh@debian.org> Mon, 30 Jun 2008 19:56:28 -0400
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ set -e
|
|||
|
||||
# Change this when some incompatible change is made that requires
|
||||
# rebuilding all wikis.
|
||||
firstcompat=2.30
|
||||
firstcompat=2.52
|
||||
|
||||
if [ "$1" = configure ] && \
|
||||
dpkg --compare-versions "$2" lt "$firstcompat"; then
|
||||
|
|
|
@ -14,3 +14,5 @@ editing need to get in agreement on just how they're going to
|
|||
escape slashes in a page title.
|
||||
|
||||
--Chapman Flack
|
||||
|
||||
> bleh. [[Fixed|done]] --[[joey]]
|
||||
|
|
|
@ -8,7 +8,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Project-Id-Version: PACKAGE VERSION\n"
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2008-07-02 18:08-0400\n"
|
||||
"POT-Creation-Date: 2008-07-06 15:30-0400\n"
|
||||
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
||||
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"Language-Team: LANGUAGE <LL@li.org>\n"
|
||||
|
@ -24,7 +24,7 @@ msgstr ""
|
|||
msgid "login failed, perhaps you need to turn on cookies?"
|
||||
msgstr ""
|
||||
|
||||
#: ../IkiWiki/CGI.pm:190 ../IkiWiki/CGI.pm:526
|
||||
#: ../IkiWiki/CGI.pm:190 ../IkiWiki/CGI.pm:525
|
||||
msgid "Your login session has expired."
|
||||
msgstr ""
|
||||
|
||||
|
@ -44,30 +44,30 @@ msgstr ""
|
|||
msgid "Preferences saved."
|
||||
msgstr ""
|
||||
|
||||
#: ../IkiWiki/CGI.pm:326
|
||||
#: ../IkiWiki/CGI.pm:325
|
||||
#, perl-format
|
||||
msgid "%s is not an editable page"
|
||||
msgstr ""
|
||||
|
||||
#: ../IkiWiki/CGI.pm:437 ../IkiWiki/Plugin/brokenlinks.pm:24
|
||||
#: ../IkiWiki/CGI.pm:436 ../IkiWiki/Plugin/brokenlinks.pm:24
|
||||
#: ../IkiWiki/Plugin/inline.pm:266 ../IkiWiki/Plugin/opendiscussion.pm:17
|
||||
#: ../IkiWiki/Plugin/orphans.pm:28 ../IkiWiki/Render.pm:95
|
||||
#: ../IkiWiki/Render.pm:162
|
||||
msgid "discussion"
|
||||
msgstr ""
|
||||
|
||||
#: ../IkiWiki/CGI.pm:493
|
||||
#: ../IkiWiki/CGI.pm:492
|
||||
#, perl-format
|
||||
msgid "creating %s"
|
||||
msgstr ""
|
||||
|
||||
#: ../IkiWiki/CGI.pm:511 ../IkiWiki/CGI.pm:539 ../IkiWiki/CGI.pm:549
|
||||
#: ../IkiWiki/CGI.pm:583 ../IkiWiki/CGI.pm:628
|
||||
#: ../IkiWiki/CGI.pm:510 ../IkiWiki/CGI.pm:538 ../IkiWiki/CGI.pm:548
|
||||
#: ../IkiWiki/CGI.pm:582 ../IkiWiki/CGI.pm:627
|
||||
#, perl-format
|
||||
msgid "editing %s"
|
||||
msgstr ""
|
||||
|
||||
#: ../IkiWiki/CGI.pm:722
|
||||
#: ../IkiWiki/CGI.pm:721
|
||||
msgid "You are banned."
|
||||
msgstr ""
|
||||
|
||||
|
|