Commit Graph

20014 Commits (02b4fb50c956e0474498b20e79728bd5c2748d14)

Author SHA1 Message Date
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 8c4408900c removed 2017-02-19 17:52:54 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 3b19cc0ddd Added a comment 2017-02-19 17:48:23 -04:00
Louis 37056e736a Merge branch 'master' of git://ikiwiki.branchable.com 2017-02-18 22:56:06 +01:00
Louis ff784524b4 Update my (spalax) information 2017-02-18 21:11:47 +01:00
Louis e66912e677 Apology about the poor choice for the name of the sidebar2 plugin 2017-02-18 21:08:48 +01:00
Louis d9f6141cd7 New plugin: verboserpc 2017-02-18 21:08:48 +01:00
Louis 7bb8226987 New plugin: pageversion 2017-02-18 21:08:48 +01:00
Louis d2c4047282 New plugin: redirect 2017-02-18 20:43:52 +01:00
krqt.kndy@eb44788e4eb202f3e68eeb8ba175d3897c3979a9 b92b8caf11 2017-02-17 17:15:00 -04:00
vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40 c0fcd409fa Added a comment 2017-02-10 04:33:42 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 e748e0016d Added a comment 2017-02-09 17:48:06 -04:00
smcv 8502eb47fa Added a comment 2017-02-09 08:13:03 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 3d177313d6 2017-02-09 07:22:48 -04:00
svetlana 40d3bdac4c +update broken uris 2017-02-07 20:36:02 -04:00
svetlana 139197d823 2017-02-07 19:15:02 -04:00
svetlana 4f9a8d10de Confuses a map 2017-02-07 19:11:17 -04:00
svetlana 7b664f4151 2017-02-06 01:39:02 -04:00
svetlana 7c0292edc5 removed 2017-02-05 22:37:01 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 4c96c9decd 2017-02-05 15:31:24 -04:00
smcv 7744b4d849 change `pwd` to $HOME so assumptions are met even if you cd elsewhere 2017-02-03 16:48:48 -04:00
me@4eb1b66f86170ba2ff0690b93ad01f46bfc8eac4 c72fbbe21d No longer using ikiwiki 2017-02-03 12:54:47 -04:00
smcv 47b12458ae 2017-01-26 07:38:48 -04:00
svetlana 2265aef4e6 Does not show up in the setup 2017-01-24 00:59:27 -04:00
svetlana 9581c039e8 * [[guppy|http://guppy.branchable.com]] an internationalized modular Python IRC bot 2017-01-18 19:27:48 -04:00
smcv 1c8c0ccf59 Added a comment 2017-01-18 17:46:14 -04:00
smcv 0acf3b6d0c Added a comment: Do that through your web server, not ikiwiki 2017-01-18 17:45:30 -04:00
openmedi 6d0f460b12 2017-01-17 08:44:20 -04:00
Simon McVittie 12b4618228 Note another Debian 8 backport 2017-01-12 00:31:10 +00:00
Simon McVittie 666d87a50c Fix typo 2017-01-11 19:02:10 +00:00
Simon McVittie 8b54ba7ad1 Release 3.20170111 2017-01-11 18:18:38 +00:00
Simon McVittie 4d0e525e6a Document the security fix soon to be released in 3.20170111 2017-01-11 18:16:42 +00:00
Simon McVittie 2486d83706 remove: make it clearer that repeated page parameter is OK here
ikiwiki's web interface does not currently have UI for removing
multiple pages simultaneously, but the remove plugin is robust
against doing so. Use a clearer idiom to make that obvious.
2017-01-11 18:11:21 +00:00
Simon McVittie d157a97452 CGI, attachment, passwordauth: harden against repeated parameters
These instances of code similar to OVE-20170111-0001 are not believed
to be exploitable, because defined(), length(), setpassword(),
userinfo_set() and the binary "." operator all have prototypes that
force the relevant argument to be evaluated in scalar context. However,
using a safer idiom makes mistakes less likely.

(cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
2017-01-11 18:11:07 +00:00
Simon McVittie b642cbef80 passwordauth: avoid userinfo forgery via repeated email parameter
OVE-20170111-0001

(cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)
2017-01-11 18:11:07 +00:00
Simon McVittie 3964787238 t/passwordauth.t: new automated test for passwordauth
In particular this includes an exploit for OVE-20170111-0001.

(cherry picked from commit fbe207212b1f4a395dc297fb274ef07afd7d68f3)
2017-01-11 18:11:06 +00:00
Simon McVittie f357856448 passwordauth: prevent authentication bypass via multiple name parameters
Calling CGI::FormBuilder::field with a name argument in list context
returns zero or more user-specified values of the named field, even
if that field was not declared as supporting multiple values.
Passing the result of field as a function parameter counts as list
context. This is the same bad behaviour that is now discouraged
for CGI::param.

In this case we pass the multiple values to CGI::Session::param.
That accessor has six possible calling conventions, of which four are
documented. If an attacker passes (2*n + 1) values for the 'name'
field, for example name=a&name=b&name=c, we end up in one of the
undocumented calling conventions for param:

    # equivalent to: (name => 'a', b => 'c')
    $session->param('name', 'a', 'b', 'c')

and the 'b' session parameter is unexpectedly set to an
attacker-specified value.

In particular, if an attacker "bob" specifies
name=bob&name=name&name=alice, then authentication is carried out
for "bob" but the CGI::Session ends up containing {name => 'alice'},
an authentication bypass vulnerability.

This vulnerability is tracked as OVE-20170111-0001.

(cherry picked from commit e909eb93f4530a175d622360a8433e833ecf0254)
2017-01-11 18:11:06 +00:00
Simon McVittie c7a4d57772 3.20170110 2017-01-10 13:22:13 +00:00
Simon McVittie 9a05d81d39 Sset libmagickcore-6.q16-3-extra as preferred build-dependency
The virtual package libmagickcore-extra is now merely an alternative,
to help autopkgtest to do the right thing.
2017-01-10 13:21:46 +00:00
Simon McVittie 4b369f0f67 d/ikiwiki.doc-base: register the documentation with doc-base 2017-01-10 12:02:15 +00:00
Simon McVittie bc06a212db d/ikiwiki.lintian-overrides: silence false positive spelling warning for Moin Moin 2017-01-10 12:02:15 +00:00
Simon McVittie 77e155c467 d/ikiwiki.lintian-overrides: override script-not-executable warnings 2017-01-10 11:35:57 +00:00
Simon McVittie 3da4ed6586 docwiki.setup: exclude TourBusStop from offline documentation
It does not make much sense there.
2017-01-10 11:30:56 +00:00
Simon McVittie de26e4ade1 lintian: Override obsolete-url-in-packaging for OpenID Selector
It does not seem to have any more current URL, and in any case our
version is a fork.
2017-01-10 11:27:51 +00:00
Simon McVittie ce29e7ec66 d/copyright: re-order to put more specific stanzas later, to get the intended interpretation 2017-01-10 11:26:46 +00:00
Simon McVittie 93429ca11d Set package format to 3.0 (native) 2017-01-10 11:17:32 +00:00
Simon McVittie 8a7924420f Update changelog 2017-01-09 14:44:38 +00:00
Simon McVittie 88da55c5d1 check_canchange: report invalid filenames as intended
Instead of logging "bad file name %s" and attempting to call the
(string) filename as a subroutine, actually do the intended
sprintf operation.
2017-01-09 14:27:56 +00:00
Simon McVittie 7586f5165e news: Use Debian security tracker instead of MITRE for CVE references
The Debian security tracker gets timely updates, whereas the official
CVE pages hosted by MITRE tend to show up as "RESERVED" for several
weeks or months after assignment.
2017-01-09 14:11:18 +00:00
Simon McVittie 9e03c00202 shortcuts: Use security-tracker.debian.org for [[!debcve]]
security.debian.org currently rejects HTTPS connections.
2017-01-09 14:09:35 +00:00
Simon McVittie 0463357392 git: don't redundantly pass "--" to git_sha1
git_sha1 already puts "--" before its arguments, so

    git_sha1_file($dir, 'doc/index.mdwn')

would have incorrectly invoked

    git rev-list --max-count=1 HEAD -- -- doc/index.mdwn

If there is no file in the wiki named "--", that's harmless, because
it merely names the latest revision in which either "--" or
"doc/index.mdwn" changed. However, it could return incorrect results
if there is somehow a file named "--".
2017-01-09 13:58:58 +00:00