Simon McVittie
a147f5349d
Don't send relative redirect URLs when behind a reverse proxy
2018-01-08 10:56:12 +00:00
smcv
9a15b889c9
this is a web server configuration issue rather than a bug in the ikiwiki code
2018-01-08 06:29:59 -04:00
smcv
e5a6689a95
failing test (marked TODO) now present
2018-01-08 06:14:10 -04:00
smcv
6806f3cea1
2018-01-08 06:05:58 -04:00
smcv
92f365f798
test case potentially in progress
2018-01-08 06:05:36 -04:00
smcv
8e280df9de
I'm not sure this can be solved without web server configuration
2018-01-08 05:26:50 -04:00
Joey Hess
f3b469d43a
bug
2018-01-07 13:39:26 -04:00
Joey Hess
a79ab9ed18
add and use cgiurl_abs_samescheme
* emailauth: Fix cookie problem when user is on https and the cgiurl
uses http, by making the emailed login link use https.
* passwordauth: Use https for emailed password reset link when user
is on https.
Not entirely happy with this approach, but I don't currently see a
better one.
I have not verified that the passwordauth change fixes any problem,
other than the user getting a http link when they were using https.
The emailauth problem is verified fixed by this commit.
This commit was sponsored by Michael Magin.
2018-01-05 11:59:35 -04:00
Joey Hess
71064e3af6
how to fix?
2018-01-05 11:17:11 -04:00
Joey Hess
76ff547344
think I cracked it
2018-01-05 11:09:43 -04:00
Joey Hess
2fa7f5f66b
update
2018-01-05 09:58:01 -04:00
Joey Hess
4601dabd42
correction; I did not reproduce this
I was manually reloading /ikiwiki.cgi?do=login, and postsignin is not
set when that's done, which is a bug, but not the bug I was after.
2018-01-04 19:17:45 -04:00
Joey Hess
43a9b6b332
bug report
2018-01-04 19:00:33 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3
94d358724e
2017-12-08 17:56:58 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3
e49149987e
possible explanation
2017-12-08 17:56:04 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3
b3fdb9374a
formatting
2017-12-08 08:01:02 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3
d5e3bf092c
2017-12-08 07:59:28 -04:00
jon+ikiwiki@663db4cb26e845748f3e7e6d51eeb26c6014f1c3
e2d7c1e8f4
bug report re http redirect
2017-12-08 07:58:24 -04:00
Edward
354e50112b
file bug
2017-10-27 04:34:03 -04:00
Edward
0d0df05040
formatting
2017-10-27 04:27:40 -04:00
Edward
f16f326ec1
file bug
2017-10-27 04:23:52 -04:00
Edward
ebc5016cbb
file bug
2017-10-27 04:16:33 -04:00
Simon McVittie
14344f58f0
Update changelog and close bug
2017-09-28 11:30:13 +01:00
intrigeri
0208305f5c
Report bug + merge request: image resize is not deterministic.
2017-09-01 15:38:30 -04:00
Keeh
056349a7f0
removed
2017-08-21 16:02:23 -04:00
Keeh
e13f9dbe87
2017-08-21 10:28:51 -04:00
Keeh
f0982b1fd4
2017-08-21 10:20:33 -04:00
vpelcak@b216e425210695d731d2673167c7dd45e5e9b1c9
bd7edde9d6
2017-08-07 02:49:07 -04:00
DavidCary
1958cf8af2
answer question, with reference.
2017-07-05 13:51:19 -04:00
Simon McVittie
4fe6dd0551
request more information
2017-06-22 15:37:19 +01:00
Joey Hess
52a9d23e2c
add bug report originally emailed to me by Peter Simons
2017-06-22 09:55:27 -04:00
smcv
8503f8ddaa
Suggested syntax does work, and has a test
2017-05-19 09:57:28 -04:00
smcv
1e4e51754e
it is (meant to be) possible, just not with that syntax
2017-05-19 09:43:08 -04:00
fmarier
219134beff
2017-05-18 13:33:44 -04:00
Simon McVittie
01f2a84360
color: Use markup for the preserved CSS, not character data
This still smuggles it past the sanitize step, but avoids having
other plugins that want to capture text content without markup
(notably toc) see the CSS as if it was text content.
2017-05-16 12:08:55 +01:00
smcv
cad72ecfad
close
2017-05-16 04:27:56 -04:00
Simon McVittie
4db4e589e4
mdwn: Enable footnotes by default when using Discount
A new mdwn_footnotes option can be used to disable footnotes in
MultiMarkdown and Discount.
2017-05-14 18:16:53 +01:00
Simon McVittie
81c3258269
mdwn: Don't mangle <style> into <elyts> under some circumstances
We can ask libdiscount not to elide <style> blocks, which means we
don't have to work around them.
2017-05-14 17:45:55 +01:00
Simon McVittie
31c89db246
httpauth: If REMOTE_USER is empty, behave as though it was unset
A frequently cut-and-pasted HTTP basic authentication configuration
for nginx sets it to the empty string when not authenticated, which
is not useful.
2017-05-14 15:37:45 +01:00
smcv
365a930c2c
complete last paragraph
2017-05-14 08:31:49 -04:00
smcv
f6fc4543fb
I have a theory
2017-05-14 08:20:49 -04:00
desci
207666e903
Fixing format
2017-03-29 15:37:02 -04:00
desci
886610d85b
As requested
2017-03-29 15:36:28 -04:00
desci
5c9d9b3213
Answering questions and updating links
2017-03-29 15:35:54 -04:00
Simon McVittie
28409cd358
Add CVE references for CVE-2016-10026
2016-12-21 13:03:36 +00:00
intrigeri
bec3047aff
Replied.
2016-12-20 10:26:22 +00:00
Simon McVittie
cde2cc1862
Restrict CSS matches on .header to not affect <tr>
Pandoc generates <tr class="header"> to hold <th> elements, and
we don't want to make those be display: block.
Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
Simon McVittie
9cada49ed6
Tell `git revert` not to follow renames
Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().
Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
smcv
32493312c8
rename bugs/img_tag_should_support_relative_size.mdwn to todo/img_tag_should_support_relative_size.mdwn
2016-12-19 12:46:46 -04:00
smcv
8395e43099
Not possible as stated, but could be adapted into a valid feature request
2016-12-19 12:46:22 -04:00