Commit Graph

2218 Commits (14344f58f08b6868daf7f80eab1b12682f3740f0)

Author SHA1 Message Date
Simon McVittie 14344f58f0 Update changelog and close bug 2017-09-28 11:30:13 +01:00
Simon McVittie 54dc5217ed Update changelog 2017-09-28 11:18:26 +01:00
Joey Hess e3dfb26b90
emailauth, passwordauth: Avoid leaving cgisess_* files in the system temp directory.
Due to the use/abuse of CGI::Session to generate a token for the login
process, a new session database was created for each login, and left behind
afterwards. While each file is small, with many logings this could bloat
the size of /tmp significantly. Fixed by making CGI::Session write to
/dev/null, since there does not seem to be a way to entirely prevent the
writing.

This commit was sponsored by Henrik Riomar on Patreon.
2017-08-23 13:13:23 -04:00
Simon McVittie 3789b385b2 core: Don't decode the result of strftime if already tagged as UTF-8
It wasn't in old Perls, but might be in Perl >= 5.21.1 due to commit
https://perl5.git.perl.org/perl.git/commit/9717af6 (Closes: #869240)
2017-07-23 16:04:57 +01:00
Joey Hess f3beb9cb44
htmlscrubber: Add support for the video tag's loop and muted attributes.
Those were not in the original html5 spec, but have been added in the
whatwg html living standard and have wide browser support.

This commit was sponsored by John Peloquin on Patreon.
2017-07-11 15:51:44 -04:00
Simon McVittie 7de336cbee debian/changelog: Add missing credit for toc fix 2017-06-22 10:53:17 +01:00
Simon McVittie 664f1f1977 3.20170622 2017-06-22 09:25:25 +01:00
Simon McVittie 60d79a6a79 debian: Declare compliance with Debian Policy 4.0.0 2017-06-22 09:24:48 +01:00
Simon McVittie 6508481224 debian: Use preferred https URL for Format of debian/copyright 2017-06-22 09:24:22 +01:00
Simon McVittie ac16c6fc90 debian: Document more past changes 2017-06-22 09:19:53 +01:00
Simon McVittie 5a84cd308d osm: Convert savestate hook into a changes hook
savestate is not the right place to write wiki content, and in particular
this breaks websetup if osm's dependencies are not installed, even if
the osm plugin is not actually enabled. (Closes: #719913)

This is not a full solution: it should be possible to render the PoI files
for only the maps that changed, from the format, changes or rendered
hook. However, getting that right would require more understanding of
this plugin, and this version is enough to not break websetup. This
version is the closest correct hook to the one where this previously
took place.
2017-06-20 23:47:08 +01:00
Simon McVittie c72dc5ddb7 mdwn: Don't enable alphabetically labelled ordered lists by default
This avoids misinterpreting initials ("C. S. Lewis was an author"),
the abbreviation for Monsieur ("M. Descartes was a philosopher") and
German page numbering ("S. 42") as ordered lists if they happen to
begin a line.

This only affects the default Discount implementation: Text::Markdown
and Text::MultiMarkdown do not have this feature anyway. A new
mdwn_alpha_list option can be used to restore the old interpretation.
2017-05-16 08:09:15 +01:00
Simon McVittie 4db4e589e4 mdwn: Enable footnotes by default when using Discount
A new mdwn_footnotes option can be used to disable footnotes in
MultiMarkdown and Discount.
2017-05-14 18:16:53 +01:00
Simon McVittie 81c3258269 mdwn: Don't mangle <style> into <elyts> under some circumstances
We can ask libdiscount not to elide <style> blocks, which means we
don't have to work around them.
2017-05-14 17:45:55 +01:00
Simon McVittie 60cb2ac458 cgierror: When the CGI fails, print the error to stderr, not "Died"
$@ could be clobbered by the "exception handler", and in practice
it seems that it is. This can be seen on stderr of t/git-cgi.t.
2017-05-14 15:39:21 +01:00
Simon McVittie 31c89db246 httpauth: If REMOTE_USER is empty, behave as though it was unset
A frequently cut-and-pasted HTTP basic authentication configuration
for nginx sets it to the empty string when not authenticated, which
is not useful.
2017-05-14 15:37:45 +01:00
Simon McVittie 8b5c729b8b t/git-cgi.t: Wait 1 second before doing a revert that should succeed
This hopefully fixes a race condition in which the test failed
around 6% of the time.

If we don't wait, the mtime (which is rounded down to 1 second precision
in the APIs we use) will not necessarily change, so the update will not
necessarily cause the page to be refreshed.

Bug-Debian: https://bugs.debian.org/862494
2017-05-14 15:35:52 +01:00
Simon McVittie 8b54ba7ad1 Release 3.20170111 2017-01-11 18:18:38 +00:00
Simon McVittie 4d0e525e6a Document the security fix soon to be released in 3.20170111 2017-01-11 18:16:42 +00:00
Simon McVittie c7a4d57772 3.20170110 2017-01-10 13:22:13 +00:00
Simon McVittie 9a05d81d39 Sset libmagickcore-6.q16-3-extra as preferred build-dependency
The virtual package libmagickcore-extra is now merely an alternative,
to help autopkgtest to do the right thing.
2017-01-10 13:21:46 +00:00
Simon McVittie 4b369f0f67 d/ikiwiki.doc-base: register the documentation with doc-base 2017-01-10 12:02:15 +00:00
Simon McVittie bc06a212db d/ikiwiki.lintian-overrides: silence false positive spelling warning for Moin Moin 2017-01-10 12:02:15 +00:00
Simon McVittie 77e155c467 d/ikiwiki.lintian-overrides: override script-not-executable warnings 2017-01-10 11:35:57 +00:00
Simon McVittie 3da4ed6586 docwiki.setup: exclude TourBusStop from offline documentation
It does not make much sense there.
2017-01-10 11:30:56 +00:00
Simon McVittie de26e4ade1 lintian: Override obsolete-url-in-packaging for OpenID Selector
It does not seem to have any more current URL, and in any case our
version is a fork.
2017-01-10 11:27:51 +00:00
Simon McVittie ce29e7ec66 d/copyright: re-order to put more specific stanzas later, to get the intended interpretation 2017-01-10 11:26:46 +00:00
Simon McVittie 93429ca11d Set package format to 3.0 (native) 2017-01-10 11:17:32 +00:00
Simon McVittie 8a7924420f Update changelog 2017-01-09 14:44:38 +00:00
Simon McVittie e0341d0e88 3.20161229.1 2016-12-29 20:47:17 +00:00
Simon McVittie d092b0b777 git: Do not disable commit hook for temporary working tree
We exclude .git/hooks from symlinking into the temporary working tree,
which avoids the commit hook being run for the temporary branch anyway.
This avoids the wiki not being updated if an orthogonal change is
received in process A, while process B prepares a revert that is
subsequently cancelled.
2016-12-29 20:46:38 +00:00
Simon McVittie afda054796 git: Attribute reverts to the user doing the revert, not the wiki itself 2016-12-29 20:43:15 +00:00
Simon McVittie 287bb19883 3.20161229 2016-12-29 17:37:51 +00:00
Simon McVittie cf0166347c Add CVE references for CVE-2016-9646, CVE-2016-9645
Thanks to the Debian security team for allocating these.
2016-12-29 17:36:11 +00:00
Simon McVittie ad04dac19b Add automated test for using the CGI with git, including CVE-2016-10026 2016-12-28 21:32:12 +00:00
Simon McVittie a8a7462382 Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().

It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.

OVE-20161226-0002
2016-12-28 21:32:12 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Simon McVittie e193c75b7d git: do not fail to commit if committer is anonymous 2016-12-28 21:32:12 +00:00
Simon McVittie a67f4d3944 git: don't issue a warning if rcsinfo is undefined
The intention here seems to be that $prev may be undefined, and the
only way that can legitimately happen is for $params{token} to be
undefined too.
2016-12-28 21:32:12 +00:00
Simon McVittie 7c34df633d git_revert test: reinstate ikiwiki.setup, and make it work uninstalled
Previously it was relying on running with an installed ikiwiki
and being able to copy in recentchanges.mdwn and wikiicons/ from the
underlay in /usr. The underlay in ./underlays/basewiki can't be used
(yet) because ikiwiki doesn't allow following symlinks, even from
underlays.

I'd like to make ikiwiki follow symlinks whose destinations can be
verified to be safe (for example making it willing to expose
/usr/share/javascript to the web, but not /etc/passwd), at least from
underlays, but this is security-sensitive so I'm not going to rush
into it.
2016-12-28 21:32:11 +00:00
Simon McVittie 28409cd358 Add CVE references for CVE-2016-10026 2016-12-21 13:03:36 +00:00
Simon McVittie c96149fa3e Release 3.20161219 2016-12-19 20:35:01 +00:00
Simon McVittie 0fe2ff8579 changelog 2016-12-19 18:21:07 +00:00
Simon McVittie 592c13cc61 Update changelog 2016-12-19 18:21:07 +00:00
Joey Hess 68e2320696
inline: Prevent creating a file named ".mdwn" when the postform is submitted with an empty title. 2016-09-21 13:51:42 -04:00
Simon McVittie 6750fb6f8b 3.20160905 2016-09-05 21:26:32 +01:00
Joey Hess 3f78c41770
changelog for previous commit
Closes https://github.com/joeyh/ikiwiki/pull/19
2016-08-03 15:00:04 -04:00
Simon McVittie 6264e91bac 3.20160728 2016-07-28 10:42:35 +01:00
Simon McVittie 5f6f9a1bea Wrapper: allocate new environment dynamically
Otherwise, if third-party plugins extend newenviron by more than
3 entries, we could overflow the array. It seems unlikely that any
third-party plugin manipulates newenviron in practice, so this
is mostly theoretical. Just in case, I have deliberately avoided
using "i" as the variable name, so that any third-party plugin
that was manipulating newenviron directly will now result in the
wrapper failing to compile.

I have not assumed that realloc(NULL, ...) works as an equivalent of
malloc(...), in case there are still operating systems where that
doesn't work.
2016-05-11 09:18:14 +01:00
Simon McVittie 062dbf1373 3.20160509 2016-05-09 21:59:50 +01:00