diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm index fc1bc0c92..ab3ccd7ae 100644 --- a/IkiWiki/Render.pm +++ b/IkiWiki/Render.pm @@ -245,11 +245,11 @@ sub prune ($) { #{{{ } #}}} sub refresh () { #{{{ - # security check, avoid following symlinks in the srcdir path + # security check, avoid following symlinks in the srcdir path by default my $test=$config{srcdir}; while (length $test) { - if (-l $test) { - error("symlink found in srcdir path ($test)"); + if (-l $test && ! $config{allow_symlinks_before_srcdir}) { + error("symlink found in srcdir path ($test) -- set allow_symlinks_before_srcdir to allow this"); } unless ($test=~s/\/+$//) { $test=dirname($test); diff --git a/IkiWiki/Wrapper.pm b/IkiWiki/Wrapper.pm index 79b9eb3e3..6dc25403e 100644 --- a/IkiWiki/Wrapper.pm +++ b/IkiWiki/Wrapper.pm @@ -4,14 +4,14 @@ package IkiWiki; use warnings; use strict; -use Cwd q{abs_path}; +use File::Spec; use Data::Dumper; use IkiWiki; sub gen_wrapper () { #{{{ - $config{srcdir}=abs_path($config{srcdir}); - $config{destdir}=abs_path($config{destdir}); - my $this=abs_path($0); + $config{srcdir}=File::Spec->rel2abs($config{srcdir}); + $config{destdir}=File::Spec->rel2abs($config{destdir}); + my $this=File::Spec->rel2abs($0); if (! -x $this) { error(sprintf(gettext("%s doesn't seem to be executable"), $this)); } diff --git a/debian/changelog b/debian/changelog index 04d4fc662..278e52155 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,10 @@ ikiwiki (2.55) UNRELEASED; urgency=low (Simon McVittie) * Really fix bug with links to pages with names containing colons. Previous fix mised a few cases. + * Avoid troublesome abs_path calls in wrapper setup. + * Add allow_symlinks_before_srcdir config setting that can be used to avoid + a security check that is a good safe default, but problimatic overkill in + some situations. -- Joey Hess Mon, 21 Jul 2008 11:35:46 -0400 
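Review bot: The new condition `-l $test && ! $config{allow_symlinks_before_srcdir}` turns the check off on every pass of the walk, and the first pass tests `$config{srcdir}` itself, so the option also accepts a srcdir that is a symlink, which is wider than the name "before srcdir" suggests. The comment above the loop should state that scope and the reason for the check, for example `# allow_symlinks_before_srcdir disables this for every path component, srcdir included` followed by `# a symlinked component can be re-pointed by anyone who can write to its parent directory`. In the hunks visible here the option is described only in debian/changelog, so an entry in the setup documentation naming the trade-off would help an admin decide. The body of `refresh` continues outside the hunk.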
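Review bot: `File::Spec->rel2abs` only makes the path absolute and does not resolve it against the filesystem, so unlike `abs_path` it leaves symlinks and `..` segments in `$config{srcdir}`, `$config{destdir}` and `$this`, and nothing in the hunk records that this is deliberate. A one-line comment above the three assignments would keep a later cleanup from reverting it, for example `# rel2abs rather than abs_path: keep the paths as configured, symlinks unresolved`. Because the stored srcdir is now unresolved, the symlink walk in `refresh` (Render.pm, same commit) will presumably reject wrapper setups whose srcdir path contains a symlink unless `allow_symlinks_before_srcdir` is set, so the two changes are best described together. No comparable check on destdir is visible in these hunks. The body of `gen_wrapper` continues outside the hunk.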
diff --git a/doc/forum/Allow_overriding_of_symlink_restriction.mdwn b/doc/bugs/Allow_overriding_of_symlink_restriction.mdwn similarity index 97% rename from doc/forum/Allow_overriding_of_symlink_restriction.mdwn rename to doc/bugs/Allow_overriding_of_symlink_restriction.mdwn index bd94811df..69ea299e8 100644 --- a/doc/forum/Allow_overriding_of_symlink_restriction.mdwn +++ b/doc/bugs/Allow_overriding_of_symlink_restriction.mdwn @@ -80,6 +80,8 @@ Is there a huge objection to this patch? > the `srcdir`. > --[[Joey]] +>> Slightly modified version of patch applied. --[[Joey]] + >> Ok, I'll try to get it cleaned up and documented. There is a second location where this can be an issue. That is in the @@ -132,6 +134,6 @@ like this being accepted before I bothered. >> hrm. I might see if File::Spec->rel2abs( $path ) ; will give absolute an path without expanding symlinks. >>> Patch using rel2abs() works well - it no longer expands symlinks. -> I suppose you could do the same thing with `$this`, but it does not sound -> like it has caused you problems anyway. -> --[[Joey]] +>>>> That patch is applied now. --[[Joey]] + +[[tag done]] diff --git a/doc/todo/Make_example_setup_file_consistent.mdwn b/doc/todo/Make_example_setup_file_consistent.mdwn index c4157816e..1fdff7b0f 100644 --- a/doc/todo/Make_example_setup_file_consistent.mdwn +++ b/doc/todo/Make_example_setup_file_consistent.mdwn @@ -20,3 +20,10 @@ I think things could be improved if a clear decision was made here. Most of the svnpath => "trunk", #default What do others think? + +> I agree, and I'll take a patch. +> +> I may not work on it myself, since I have some +> [[interesting_ideas|online_configuration]] that would let ikiwiki +> generate a setup file for you, rather than having to keep maintain the +> current example. --[[Joey]] diff --git a/doc/todo/cas_authentication.mdwn b/doc/todo/cas_authentication.mdwn index ab523001c..a6b428207 100644 --- a/doc/todo/cas_authentication.mdwn 
+++ b/doc/todo/cas_authentication.mdwn @@ -14,6 +14,13 @@ follows) ? --[[/users/bbb]] +> Inline here is ok; git-am by mail is ok; a git repo I can pull from also +> ok. +> +> This looks pretty acceptable as-is, but you need to put a copyright and +> license statement at the top. I have a few questions that I'll insert +> inline with the patch below. --[[Joey]] + ------------------------------------------------------------------------------ diff --git a/IkiWiki/Plugin/cas.pm b/IkiWiki/Plugin/cas.pm new file mode 100644 @@ -29,17 +36,31 @@ follows) ? +use strict; +use IkiWiki 2.00; +use AuthCAS; # http://search.cpan.org/~osalaun/AuthCAS-1.3.1/ + +> In ikiwiki we generally deman-load perl modules only when they're used. +> This avoids loading expensive modules when the CGI isn't doing +> authentication. Can you do that with AuthCAS? Something like this before +> the use of it: `eval q{use AuthCAS}; error $@ if $@` + + +sub import { #{{{ + hook(type => "getopt", id => "cas", call => \&getopt); + hook(type => "auth", id => "cas", call => \&auth); + hook(type => "formbuilder_setup", id => "cas", call => \&formbuilder_setup); +} # }}} - + + +> Could you please use tabs for indentation of program flow? + +# FIXME: We should check_config to ensure that : +# * cas_url and ca_file are present + +> Please fix that.. + +# * no other auth plugin are present (at least passwordauth and openid) - + + +> Why would you want to make other auth plugins not work? Could a site not +> legitimatly chose to use this and another auth method? + +sub getopt () { #{{{ + eval q{use Getopt::Long}; + error($@) if $@; 
@@ -130,13 +151,20 @@ follows) ? +into the wiki. + +The plugin needs the [[!cpan AuthCAS-1.3.1]] perl module. + +> Does it really need that specific version? I think you should lose the +> version part. + + +This plugin has two mandatory configuration option. You **must** set `--cas_url` +to the url of a server offering CAS 2.0 authentication. You must also set the +`--ca_file` to an absolute path to the file containing CA certificates used by +the server (generally, aka under Debian, fixing that value to +`/etc/ssl/certs/ca-certificates.crt` is sufficient). - + + +> It would be good to add commented-out examples of these to +> [[ikiwiki.setup]] as well. + +This plugin is not enabled by default. It can not be used with other +authentication plugin, such as [[passwordauth]] or [[openid]].