Commit Graph

20696 Commits (041e3c3c5dd3333304c21c0a8145986014544a7d)

Author SHA1 Message Date
Simon McVittie 8d7a1e8d9c Add an anchor for /security/#cve-2019-9187 2019-02-28 14:11:20 +00:00
Simon McVittie 25c69da42c Prepare 3.20190228 for future release 2019-02-26 23:01:54 +00:00
Simon McVittie 9a275b2f18 doc: Document security issues involving LWP::UserAgent
Recommend the LWPx::ParanoidAgent module where appropriate.
It is particularly important for openid, since unauthenticated users
can control which URLs that plugin will contact. Conversely, it is
non-critical for blogspam, since the URL to be contacted is under
the wiki administrator's control.

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-26 22:21:31 +00:00
Simon McVittie d283e4ca1a useragent: Automatically choose whether to use LWPx::ParanoidAgent
The simple implementation of this, which I'd prefer to use, would be:
if we can import LWPx::ParanoidAgent, use it; otherwise, use
LWP::UserAgent.

However, aggregate has historically worked with proxies, and
LWPx::ParanoidAgent quite reasonably refuses to work with proxies
(because it can't know whether those proxies are going to do the same
filtering that LWPx::ParanoidAgent would).

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-26 22:21:27 +00:00
Simon McVittie 67543ce1d6 useragent: Don't allow non-HTTP protocols to be used
This prevents the aggregate plugin from being used to read the contents
of local files via file:/// URLs.

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-26 21:44:07 +00:00
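The two useragent commits above (d283e4ca1a and 67543ce1d6) describe an SSRF hardening pattern for an outbound HTTP client: refuse every URL scheme except http/https so that a wiki user who controls a feed or openid URL cannot read local files through file:///, and prefer LWPx::ParanoidAgent (which blocks loopback and private addresses and enforces a timeout) unless a proxy is configured, since the paranoid agent cannot verify a proxy's filtering and refuses to work with one. The following is an added illustration in the project's language, not ikiwiki's own useragent() code; the helper names make_useragent and url_is_permitted, the environment-variable proxy detection, and the agent string are assumptions.

```perl
#!/usr/bin/perl
# Added example, not ikiwiki's own code: an outbound HTTP client that
# (a) refuses non-HTTP(S) schemes such as file:///etc/passwd and
# (b) uses LWPx::ParanoidAgent when no proxy is configured, otherwise
#     falls back to LWP::UserAgent honouring the proxy environment.
use strict;
use warnings;
use LWP::UserAgent;
use URI;

# Hypothetical helper; proxy detection via these env vars is an assumption.
sub make_useragent {
    my %opts = (
        agent             => 'example-fetcher/1.0',          # assumed
        timeout           => 30,
        protocols_allowed => [qw(http https)],   # no file://, ftp://, gopher://
        @_,
    );

    # A proxy would have to do its own address filtering, which the
    # paranoid agent cannot verify, so it refuses to run behind one.
    my $have_proxy = grep { defined $ENV{$_} && length $ENV{$_} }
                     qw(http_proxy https_proxy HTTP_PROXY HTTPS_PROXY);

    if (!$have_proxy && eval { require LWPx::ParanoidAgent; 1 }) {
        # Same constructor arguments as LWP::UserAgent; additionally blocks
        # loopback/private/link-local targets and applies its own timeout.
        return LWPx::ParanoidAgent->new(%opts);
    }
    my $ua = LWP::UserAgent->new(%opts);
    $ua->env_proxy if $have_proxy;   # plain agent, trusts the proxy
    return $ua;
}

# Returns 1 if the client would attempt the fetch, 0 if it refuses the scheme.
sub url_is_permitted {
    my ($ua, $url) = @_;
    my $scheme = URI->new($url)->scheme;
    return 0 unless defined $scheme;      # relative or malformed URL
    return 0 if $scheme =~ /\W/;          # is_protocol_supported croaks on these
    return $ua->is_protocol_supported($scheme) ? 1 : 0;
}

my $ua = make_useragent();

# Constructed sample inputs: what an unauthenticated user might supply.
for my $url ('file:///etc/passwd',
             'ftp://example.org/feed',
             'https://example.org/feed.rss') {
    printf "%-32s %s\n", $url, url_is_permitted($ua, $url) ? 'allowed' : 'refused';
}

# An actual request for a refused scheme never touches the filesystem:
# LWP hands back an error HTTP::Response instead of the file's contents.
my $resp = $ua->get('file:///etc/passwd');
print "fetch refused: ", $resp->status_line, "\n" unless $resp->is_success;
```

Note that protocols_allowed only closes the scheme hole; the address filtering that stops http://127.0.0.1/ or http://10.0.0.5/ comes from LWPx::ParanoidAgent, and a deployment that sets a proxy loses that protection unless the proxy performs equivalent filtering itself.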
anarcat 812491d764 This reverts commit 727147aa6e 2019-02-26 01:35:32 -04:00
machine_brain 727147aa6e 2019-02-25 20:01:58 -04:00
Simon McVittie e7b0d4a0ff useragent: Raise an exception if the LWP module can't be loaded
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-24 18:49:58 +00:00
Simon McVittie 824cf7db1b po: Always filter .po files
The input to filter hooks is meant to be the content of a source file
on disk. If we only filter once per (page, destpage) pair, and a page
is inlined into the same destpage more than once, then the second
occurrence will render as the result of htmlizing .po source as if
it was Markdown (or whatever the type of the corresponding master page
is), which is never going to end well.

The alreadyfiltered mechanism was added in commit 1e874b3f to avoid
preprocessing loops, but I'm not sure where it could lead to a loop:
filter hooks are only called from IkiWiki::filter, which is only called
on page content from disk or on proposed content being previewed.
According to <https://bugs.debian.org/911356#41>, deleting the
alreadyfiltered mechanism resolves the problem, as well as simplifying
the code.

Closes: #911356
Tested-by: intrigeri
2019-02-24 17:23:34 +00:00
Amitai Schleier 9448685117 Recommend against cvsps3 (haven't tried it). 2019-02-13 23:59:32 -05:00
Simon McVittie c0cd1b3abe Announce v3.20190207
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-07 11:32:21 +00:00
Simon McVittie abaaee4af3 Prepare new release
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-07 11:08:41 +00:00
Simon McVittie 324ee23b9b review 2019-02-03 19:22:07 +00:00
Simon McVittie 79131ddb1a comment 2019-02-03 18:53:23 +00:00
smcv f976e37a79 tag as reviewed 2019-02-03 14:40:29 -04:00
smcv 5ffe09e616 respond 2019-02-03 14:39:51 -04:00
smcv d9a018160f Exclude reviewed patches from this list 2019-02-03 14:28:21 -04:00
Simon McVittie 53cbfb4b5a close 2019-02-03 17:10:45 +00:00
Antoine Beaupré d16e34c736 append javascript after CSS
Javascript resources should be presented to browsers after CSS, and
"after the fold" (ATF) according to the best practices:

https://developers.google.com/speed/docs/insights/mobile#PutStylesBeforeScripts

This change allows the browser to download Javascript files in
parallel, by including Javascript on the *closing* </body> tag instead
of the opening tag.

We also improve the regex to tolerate spaces before the body tag, as
some templates have (proper) indentation for the tag.
2019-02-03 17:01:55 +00:00
Simon McVittie aa063aeb33 Remove unreachable git repositories
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 16:59:07 +00:00
Simon McVittie 1094c6ecbf Mark as applied
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 16:55:14 +00:00
Antoine Beaupré b760b8f171 remove the "add comment" button from printed media 2019-02-03 16:55:14 +00:00
Amitai Schleier d7777f12df Add a missing changelog entry. 2019-02-03 10:34:43 -06:00
Simon McVittie 58fed0178c Update changelog
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 16:27:38 +00:00
Jelmer Vernooij a79bce4e66 Allow Breezy as alternative to Bazaar.
(cherry picked from commit a07f048d9fc99928ebbb74b34f5d1932ff3d7884)
2019-02-03 16:21:38 +00:00
Simon McVittie 278678b42f comments.t: Assert that comments get permalink metadata
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 16:18:18 +00:00
Simon McVittie 4ac930380b comments.t: Exercise post-2009 comment naming
Since commit 6af6c89d, comments are in files whose names contain a hash.

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 16:18:18 +00:00
smcv fe4e7cd3f7 old regexp would have failed for old comment page names 2019-02-03 11:55:34 -04:00
Simon McVittie 4ba3c11592 git-cgi.t: Exercise an alphanumeric, but non-ASCII, root page
My previous attempt to reproduce this bug used a non-alphanumeric
ASCII character. This is not currently considered to be a valid
value for rootpage, although for a "do what I mean" approach, perhaps
we should accept it and pass it through titlepage() or linkpage().

Using Chinese characters (which are considered to match [[:alnum:]]
even though the Chinese script is not, strictly speaking, an alphabet),
as in the original bug report, reproduces the bug.

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 13:27:00 +00:00
Feng Shu e8dea1b924 Fix inline plugin for non-ASCII rootpage 2019-02-03 13:15:35 +00:00
Simon McVittie 67c7542672 t: Exercise Chinese and Cyrillic page titles
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 13:07:01 +00:00
Simon McVittie 15ddbb1c70 trail: Allow unescaped punctuation in pagenames
By processing the pagenames through linkpage, we let users specify
page names that contain non-alphanumerics in a more natural way.

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 12:52:42 +00:00
Simon McVittie fae4cce06a trail.t: Exercise numeric escapes in pagenames parameter
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 12:49:05 +00:00
Simon McVittie 9d1c88adf8 linkpage.t: Assert we can link to pages with literal underscore
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 12:49:05 +00:00
Simon McVittie 2bde54c9dc t: Consistently remove temp directory before testing, not after
When a test fails, it's useful to be able to inspect the output.

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 12:34:46 +00:00
Simon McVittie 3fe5d0acbf build: Add `make reset-generated`
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 12:34:46 +00:00
Simon McVittie 73cfa618b4 pagetitle.t, linkpage.t, titlepage.t: Exercise Unicode more
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-03 12:10:50 +00:00
smcv cfac01cb41 link to recently-added tests 2019-01-31 16:41:17 -04:00
smcv dbf9a36297 I'm confused about what the bug is, and what's being fixed. Can you give a complete test or example? 2019-01-31 16:38:04 -04:00
Simon McVittie f3103c9d09 close bug 2019-01-31 20:37:07 +00:00
Simon McVittie f12815571a Update changelog 2019-01-31 20:37:07 +00:00
Simon McVittie db54e632f4 Add a simple test for non-ASCII in tables
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-01-31 20:37:07 +00:00
Feng Shu 2965846ef2 Fix table plugin so it can handle UTF-8 CSV format 2019-01-31 20:37:06 +00:00
Simon McVittie 3c66dca6ea respond 2019-01-31 20:37:06 +00:00
Simon McVittie 0c2cea7dac Fix syntax and escaping 2019-01-31 20:37:06 +00:00
Simon McVittie 2bd72cd0e0 git-cgi.t: Add a failing test for a blog with a non-ASCII rootpage
This is one of several possible bug reports on
"doc/bugs/About %2F problem" (I'm not sure what the actual bug being
reported is).

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-01-31 20:37:06 +00:00
Simon McVittie 9c0694b14c git-cgi.t: Add a simple test for blog posts from a root page
This is the working base case for "doc/bugs/About %2F problem".

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-01-31 20:37:06 +00:00
Simon McVittie a10d86bbae git-cgi.t: Print query string as a TAP diagnostic
Signed-off-by: Simon McVittie <smcv@debian.org>
2019-01-31 20:37:06 +00:00
smcv 3e671d1afa Reset example
This reverts commit 0b53772b99
2019-01-31 15:32:03 -04:00
anarcat 409ba8f0f5 inline is another option of course 2019-01-30 12:33:15 -04:00