Joey Hess
235b6d18b6
change wording
2008-04-10 17:59:11 -04:00
Joey Hess
04d601f419
response
2008-04-10 17:53:24 -04:00
Joey Hess
2beb279806
Give the full path to the hyperestraier helpfile in estseek.conf.
2008-04-10 17:50:43 -04:00
Joey Hess
b698bf2408
Use bzr --quiet to avoid it outputting stuff and messing up http headers. (Scott Bronson)
2008-04-10 17:44:40 -04:00
Joey Hess
e4395a567b
Fix broken rcs_update for bzr. (Scott Bronson)
2008-04-10 17:41:43 -04:00
Joey Hess
e1d456a86f
Fix missing import of escapeHTML in userlink. (Scott Bronson)
2008-04-10 17:39:51 -04:00
Joey Hess
15237c74fc
response
2008-04-10 17:31:39 -04:00
Joey Hess
a91f044044
add news item for ikiwiki 2.42
2008-04-10 17:24:24 -04:00
Joey Hess
7f51c69491
releasing version 2.42
2008-04-10 17:24:08 -04:00
Joey Hess
d5c964508f
Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info
2008-04-10 17:12:55 -04:00
Joey Hess
ab0e0e807a
perl dumping core is not an ikiwiki bug, sorry
2008-04-10 17:09:58 -04:00
Joey Hess
555f1d0512
web commit by http://joey.kitenet.net/ : test
2008-04-10 16:46:23 -04:00
Joey Hess
243739e1c3
Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info
2008-04-10 16:35:50 -04:00
Joey Hess
72b5ef2c5f
Fix CSRF attacks against the preferences and edit forms. Closes : #475445
...
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.
In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.
In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.
For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)
The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 16:35:30 -04:00
Joey Hess
609e74bbd8
fix what I think is a typo
2008-04-10 16:08:59 -04:00
Joey Hess
c69c811d64
web commit by http://joey.kitenet.net/ : oops :-)
2008-04-10 14:45:00 -04:00
Joey Hess
ff363cf9a0
web commit by http://joey.kitenet.net/
2008-04-10 14:43:58 -04:00
Joey Hess
5647448501
web commit by ScottSwalwell: Fixed my fix.
2008-04-10 13:01:27 -04:00
Joey Hess
7921d9456c
web commit by ScottSwalwell: Fixed this link.
2008-04-10 13:00:36 -04:00
Joey Hess
04528ba259
web commit by cjb: Fixed URL
2008-04-10 01:06:21 -04:00
Joey Hess
e8728aa894
web commit by cjb: Tagged
2008-04-10 00:09:07 -04:00
Joey Hess
675236d251
web commit by cjb: Suggested patch for 302 redirect after page creation when using bzr
2008-04-10 00:07:59 -04:00
Joey Hess
914a5645a5
web commit by http://sabr.myopenid.com/
2008-04-09 22:34:44 -04:00
Joey Hess
61012a1e8d
web commit by http://sabr.myopenid.com/
2008-04-09 21:56:41 -04:00
Joey Hess
beea66a711
web commit by http://sabr.myopenid.com/
2008-04-09 21:55:32 -04:00
Joey Hess
50d653ad11
web commit by http://sabr.myopenid.com/
2008-04-09 21:33:30 -04:00
Joey Hess
eb42df0767
web commit by http://sabr.myopenid.com/
2008-04-09 19:34:08 -04:00
Joey Hess
cf7fb618f3
web commit by http://sabr.myopenid.com/
2008-04-09 17:45:06 -04:00
Joey Hess
18de75c462
web commit by http://sabr.myopenid.com/
2008-04-09 17:39:22 -04:00
Joey Hess
c104351f51
web commit by http://sabr.myopenid.com/
2008-04-09 17:37:22 -04:00
Joey Hess
0c353121f5
web commit by http://sabr.myopenid.com/
2008-04-09 17:29:53 -04:00
Joey Hess
6e065626cd
web commit by http://sabr.myopenid.com/
2008-04-09 17:29:19 -04:00
Joey Hess
bad216bf1f
web commit by http://sabr.myopenid.com/ : poll vote (Accept only OpenID for logins)
2008-04-09 16:58:29 -04:00
Joey Hess
623c1aa34f
web commit by http://sabr.myopenid.com/
2008-04-09 02:45:14 -04:00
Joey Hess
109abb1f2b
web commit by http://sabr.myopenid.com/
2008-04-09 02:43:19 -04:00
Joey Hess
1080635372
web commit by http://sabr.myopenid.com/
2008-04-09 02:42:29 -04:00
Joey Hess
1ed60084d3
web commit by http://sabr.myopenid.com/
2008-04-09 02:41:29 -04:00
Joey Hess
7822606010
web commit by http://sabr.myopenid.com/
2008-04-09 02:36:12 -04:00
Joey Hess
dd464e4ca8
web commit by ittayd
2008-04-08 15:37:11 -04:00
Joey Hess
9e6b7ba79a
web commit by http://sabr.myopenid.com/
2008-04-08 14:37:31 -04:00
Joey Hess
8ea8f21c20
web commit by http://sabr.myopenid.com/
2008-04-08 14:33:13 -04:00
Joey Hess
16338ed771
web commit by http://sabr.myopenid.com/
2008-04-08 13:18:35 -04:00
Joey Hess
7c7dba8a71
Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info
2008-04-08 12:52:48 -04:00
Joey Hess
3d8e767c36
web commit by http://xayk.net/
...
(cherry picked from commit 146b3d9ac2754112e7c6c63f7c2e783ac2bf4dbe)
2008-04-08 12:51:46 -04:00
Joey Hess
c381ec666b
web commit by http://sabr.myopenid.com/
...
(cherry picked from commit 8e4a0640c591df95810fe94ab62521030134823b)
2008-04-08 12:50:55 -04:00
Joey Hess
af3367eb4e
web commit by cjb: Trivial syntax bug.
2008-04-08 09:49:37 -04:00
Joey Hess
1b4493802f
web commit by http://cstork.org/ : poll vote (Accept only OpenID for logins)
2008-04-04 06:49:43 -04:00
Joey Hess
93d833da83
web commit by http://inthemedium.myopenid.com/ : poll vote (Accept only OpenID for logins)
2008-04-02 22:52:46 -04:00
Joey Hess
abb432ff4c
many thanks to madduck for his donation
2008-04-02 15:04:58 -04:00
Joey Hess
614d97063c
web commit by http://montyz.livejournal.com/ : more make woes
2008-04-02 13:51:12 -04:00