Commit Graph

2836 Commits (1653a74475b9986f814e5d536cb9521de9bdd10c)

Author SHA1 Message Date
Simon McVittie a147f5349d Don't send relative redirect URLs when behind a reverse proxy 2018-01-08 10:56:12 +00:00
smcv 9a15b889c9 this is a web server configuration issue rather than a bug in the ikiwiki code 2018-01-08 06:29:59 -04:00
smcv e5a6689a95 failing test (marked TODO) now present 2018-01-08 06:14:10 -04:00
smcv 6806f3cea1 2018-01-08 06:05:58 -04:00
smcv 92f365f798 test case potentially in progress 2018-01-08 06:05:36 -04:00
smcv 8e280df9de I'm not sure this can be solved without web server configuration 2018-01-08 05:26:50 -04:00
Joey Hess f3b469d43a
bug 2018-01-07 13:39:26 -04:00
Joey Hess a79ab9ed18
add and use cgiurl_abs_samescheme
* emailauth: Fix cookie problem when user is on https and the cgiurl
   uses http, by making the emailed login link use https.
 * passwordauth: Use https for emailed password reset link when user
   is on https.

Not entirely happy with this approach, but I don't currently see a
better one.

I have not verified that the passwordauth change fixes any problem,
other than the user getting a http link when they were using https.
The emailauth problem is verified fixed by this commit.

This commit was sponsored by Michael Magin.
2018-01-05 11:59:35 -04:00
Joey Hess 71064e3af6
how to fix? 2018-01-05 11:17:11 -04:00
Joey Hess 76ff547344
think I cracked it 2018-01-05 11:09:43 -04:00
Joey Hess 2fa7f5f66b
update 2018-01-05 09:58:01 -04:00
Joey Hess 4601dabd42
correction; I did not reproduce this
I was manually reloading /ikiwiki.cgi?do=login, and postsignin is not
set when that's done, which is a bug, but not the bug I was after.
2018-01-04 19:17:45 -04:00
Joey Hess 43a9b6b332
bug report 2018-01-04 19:00:33 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3 94d358724e 2017-12-08 17:56:58 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3 e49149987e possible explanation 2017-12-08 17:56:04 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3 b3fdb9374a formatting 2017-12-08 08:01:02 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3 d5e3bf092c 2017-12-08 07:59:28 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3 e2d7c1e8f4 bug report re http redirect 2017-12-08 07:58:24 -04:00
Edward 354e50112b file bug 2017-10-27 04:34:03 -04:00
Edward 0d0df05040 formatting 2017-10-27 04:27:40 -04:00
Edward f16f326ec1 file bug 2017-10-27 04:23:52 -04:00
Edward ebc5016cbb file bug 2017-10-27 04:16:33 -04:00
Simon McVittie 14344f58f0 Update changelog and close bug 2017-09-28 11:30:13 +01:00
intrigeri 0208305f5c Report bug + merge request: image resize is not deterministic. 2017-09-01 15:38:30 -04:00
Keeh 056349a7f0 removed 2017-08-21 16:02:23 -04:00
Keeh e13f9dbe87 2017-08-21 10:28:51 -04:00
Keeh f0982b1fd4 2017-08-21 10:20:33 -04:00
vpelcak@b216e425210695d731d2673167c7dd45e5e9b1c9 bd7edde9d6 2017-08-07 02:49:07 -04:00
DavidCary 1958cf8af2 answer question, with reference. 2017-07-05 13:51:19 -04:00
Simon McVittie 4fe6dd0551 request more information 2017-06-22 15:37:19 +01:00
Joey Hess 52a9d23e2c
add bug report originally emailed to me by Peter Simons 2017-06-22 09:55:27 -04:00
smcv 8503f8ddaa Suggested syntax does work, and has a test 2017-05-19 09:57:28 -04:00
smcv 1e4e51754e it is (meant to be) possible, just not with that syntax 2017-05-19 09:43:08 -04:00
fmarier 219134beff 2017-05-18 13:33:44 -04:00
Simon McVittie 01f2a84360 color: Use markup for the preserved CSS, not character data
This still smuggles it past the sanitize step, but avoids having
other plugins that want to capture text content without markup
(notably toc) see the CSS as if it was text content.
2017-05-16 12:08:55 +01:00
smcv cad72ecfad close 2017-05-16 04:27:56 -04:00
Simon McVittie 4db4e589e4 mdwn: Enable footnotes by default when using Discount
A new mdwn_footnotes option can be used to disable footnotes in
MultiMarkdown and Discount.
2017-05-14 18:16:53 +01:00
Simon McVittie 81c3258269 mdwn: Don't mangle <style> into <elyts> under some circumstances
We can ask libdiscount not to elide <style> blocks, which means we
don't have to work around them.
2017-05-14 17:45:55 +01:00
Simon McVittie 31c89db246 httpauth: If REMOTE_USER is empty, behave as though it was unset
A frequently cut-and-pasted HTTP basic authentication configuration
for nginx sets it to the empty string when not authenticated, which
is not useful.
2017-05-14 15:37:45 +01:00
smcv 365a930c2c complete last paragraph 2017-05-14 08:31:49 -04:00
smcv f6fc4543fb I have a theory 2017-05-14 08:20:49 -04:00
desci 207666e903 Fixing format 2017-03-29 15:37:02 -04:00
desci 886610d85b As requested 2017-03-29 15:36:28 -04:00
desci 5c9d9b3213 Answering questions and updating links 2017-03-29 15:35:54 -04:00
Simon McVittie 28409cd358 Add CVE references for CVE-2016-10026 2016-12-21 13:03:36 +00:00
intrigeri bec3047aff Replied. 2016-12-20 10:26:22 +00:00
Simon McVittie cde2cc1862 Restrict CSS matches on .header to not affect <tr>
Pandoc generates <tr class="header"> to hold <th> elements, and
we don't want to make those be display: block.

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
Simon McVittie 9cada49ed6 Tell `git revert` not to follow renames
Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
smcv 32493312c8 rename bugs/img_tag_should_support_relative_size.mdwn to todo/img_tag_should_support_relative_size.mdwn 2016-12-19 12:46:46 -04:00
smcv 8395e43099 Not possible as stated, but could be adapted into a valid feature request 2016-12-19 12:46:22 -04:00