Joey Hess
243739e1c3
Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info
2008-04-10 16:35:50 -04:00
Joey Hess
72b5ef2c5f
Fix CSRF attacks against the preferences and edit forms. Closes : #475445
...
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.
In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.
In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.
For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)
The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 16:35:30 -04:00
Joey Hess
609e74bbd8
fix what I think is a typo
2008-04-10 16:08:59 -04:00
Joey Hess
c69c811d64
web commit by http://joey.kitenet.net/ : oops :-)
2008-04-10 14:45:00 -04:00
Joey Hess
ff363cf9a0
web commit by http://joey.kitenet.net/
2008-04-10 14:43:58 -04:00
Joey Hess
5647448501
web commit by ScottSwalwell: Fixed my fix.
2008-04-10 13:01:27 -04:00
Joey Hess
7921d9456c
web commit by ScottSwalwell: Fixed this link.
2008-04-10 13:00:36 -04:00
Joey Hess
04528ba259
web commit by cjb: Fixed URL
2008-04-10 01:06:21 -04:00
Joey Hess
e8728aa894
web commit by cjb: Tagged
2008-04-10 00:09:07 -04:00
Joey Hess
675236d251
web commit by cjb: Suggested patch for 302 redirect after page creation when using bzr
2008-04-10 00:07:59 -04:00
Joey Hess
914a5645a5
web commit by http://sabr.myopenid.com/
2008-04-09 22:34:44 -04:00
Joey Hess
61012a1e8d
web commit by http://sabr.myopenid.com/
2008-04-09 21:56:41 -04:00
Joey Hess
beea66a711
web commit by http://sabr.myopenid.com/
2008-04-09 21:55:32 -04:00
Joey Hess
50d653ad11
web commit by http://sabr.myopenid.com/
2008-04-09 21:33:30 -04:00
Joey Hess
eb42df0767
web commit by http://sabr.myopenid.com/
2008-04-09 19:34:08 -04:00
Joey Hess
cf7fb618f3
web commit by http://sabr.myopenid.com/
2008-04-09 17:45:06 -04:00
Joey Hess
18de75c462
web commit by http://sabr.myopenid.com/
2008-04-09 17:39:22 -04:00
Joey Hess
c104351f51
web commit by http://sabr.myopenid.com/
2008-04-09 17:37:22 -04:00
Joey Hess
0c353121f5
web commit by http://sabr.myopenid.com/
2008-04-09 17:29:53 -04:00
Joey Hess
6e065626cd
web commit by http://sabr.myopenid.com/
2008-04-09 17:29:19 -04:00
Joey Hess
bad216bf1f
web commit by http://sabr.myopenid.com/ : poll vote (Accept only OpenID for logins)
2008-04-09 16:58:29 -04:00
Joey Hess
623c1aa34f
web commit by http://sabr.myopenid.com/
2008-04-09 02:45:14 -04:00
Joey Hess
109abb1f2b
web commit by http://sabr.myopenid.com/
2008-04-09 02:43:19 -04:00
Joey Hess
1080635372
web commit by http://sabr.myopenid.com/
2008-04-09 02:42:29 -04:00
Joey Hess
1ed60084d3
web commit by http://sabr.myopenid.com/
2008-04-09 02:41:29 -04:00
Joey Hess
7822606010
web commit by http://sabr.myopenid.com/
2008-04-09 02:36:12 -04:00
Joey Hess
dd464e4ca8
web commit by ittayd
2008-04-08 15:37:11 -04:00
Joey Hess
9e6b7ba79a
web commit by http://sabr.myopenid.com/
2008-04-08 14:37:31 -04:00
Joey Hess
8ea8f21c20
web commit by http://sabr.myopenid.com/
2008-04-08 14:33:13 -04:00
Joey Hess
16338ed771
web commit by http://sabr.myopenid.com/
2008-04-08 13:18:35 -04:00
Joey Hess
7c7dba8a71
Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info
2008-04-08 12:52:48 -04:00
Joey Hess
3d8e767c36
web commit by http://xayk.net/
...
(cherry picked from commit 146b3d9ac2754112e7c6c63f7c2e783ac2bf4dbe)
2008-04-08 12:51:46 -04:00
Joey Hess
c381ec666b
web commit by http://sabr.myopenid.com/
...
(cherry picked from commit 8e4a0640c591df95810fe94ab62521030134823b)
2008-04-08 12:50:55 -04:00
Joey Hess
af3367eb4e
web commit by cjb: Trivial syntax bug.
2008-04-08 09:49:37 -04:00
Joey Hess
1b4493802f
web commit by http://cstork.org/ : poll vote (Accept only OpenID for logins)
2008-04-04 06:49:43 -04:00
Joey Hess
93d833da83
web commit by http://inthemedium.myopenid.com/ : poll vote (Accept only OpenID for logins)
2008-04-02 22:52:46 -04:00
Joey Hess
abb432ff4c
many thanks to madduck for his donation
2008-04-02 15:04:58 -04:00
Joey Hess
614d97063c
web commit by http://montyz.livejournal.com/ : more make woes
2008-04-02 13:51:12 -04:00
Joey Hess
c74b2e4b83
web commit by http://alcopop.org/me/openid/ : formatting, tagging
2008-04-02 08:44:23 -04:00
Joey Hess
c177d5c47e
web commit by http://alcopop.org/me/openid/ : minor documentation adjustment
2008-04-02 08:40:59 -04:00
Joey Hess
f8abf8d190
web commit by http://claimid.com/bug
2008-04-01 22:44:17 -04:00
Joey Hess
c9229bdeb6
web commit by http://jblevins.org/ : A plain SVG version of the ikiwiki favicon
2008-04-01 19:14:09 -04:00
Joey Hess
2427bd01d6
web commit by http://jblevins.org/ : My user page
2008-04-01 19:07:00 -04:00
Joey Hess
0d2076f85d
web commit by http://jblevins.org/ : Re: A make problem
2008-04-01 18:35:02 -04:00
Joey Hess
b8e822f49f
response
2008-04-01 17:10:26 -04:00
Joey Hess
ce73bf59c5
web commit by http://montyz.livejournal.com/ : A make problem
2008-04-01 13:04:14 -04:00
Joey Hess
d9c08fcb15
add news item for ikiwiki 2.41
2008-03-29 21:17:27 -04:00
Joey Hess
f6bd81db15
Added a hardlink option in the setup file, useful if the source and dest are on the same filesystem and the wiki includes large media files, which would normally be copied, wasting time and space.
2008-03-29 21:02:47 -04:00
Joey Hess
b95a86c069
wiki gnomes at work
2008-03-28 14:35:49 -04:00
Joey Hess
5c076a66d3
web commit by http://subvert.org.uk/~bma/ : Add stylesheet.
2008-03-28 13:20:19 -04:00