The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.
In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.
In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.
For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)
The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
set to the destination page. This avoids need for hacks to munge the urls
in preview mode, which fixes several bugs.
* Several destpage fixes in plugins.
As was already done for linkfication, links generated in a prevew page
are relative to the top of the wiki, so it has to be told that the destpage
is there.
I was using "" to indicate this, but that may confuse some preprocessor
plugins, which treat parameters with an empry value specially (sparkline is one
such). Instead, use "/", which is more accurate anyway and works just as well.
(as preserving the full list across preview would be tricky). Userdirs
were still being offered as an option there, remove them.
* Fix a bug where user A created a page concurrently with user B, and
when B previewed it would redirect B to A's new page, losing B's work.
Instead, don't redirect and let conflict handling resolve it.
If a page type starts with an underscore, hide it from the list of page types
in the edit form, and don't allow editing pages of that type. This allows
for plugins to add page types for internal use.
returned (and not run in some cases) rather than the plugins directly
forcing a user to log in.
* opendiscussion: allow editing of the toplevel discussion page,
and, indirectly, allow creating new discussion pages.
* decode_form_utf8 only fixed the utf-8 encoding for fields that were
registered at the time it was called, which was before the
formbuilder_setup hook. Fields added by the hook didn't get decoded.
But it can't be put after the hook either, since plugins using the hook
need to be able to use form values. To fix this dilemma, it's been changed
to a decode_cgi_utf8, which is called on the cgi query object, before the
form is set up, and decodes *all* cgi parameters.
so that more than one plugin can use this hook.
I believe this is a safe change, since only passwordauth uses this hook.
(If some other plugin already used it, it would have broken passwordauth!)
showed up where a web edit that added a page caused a near-concurrent
web edit to fail in will_render. While it would be hard to reproduce this,
my analysis is that the failing cgi started first, loaded the index file
(prior to locking) then the other cgi created the new page and rendered
it, and then the failing cgi choked on the new file when _it_ tried to
render it. Ensuring that the index file is loaded after taking the lock
will avoid this bug.
files in some situations, and this is appropriate in some cases, such as
the teximg plugin's error log file.
Such files will be automatically cleaned up at an appopriate later time.
* Plugins can add new directories to the search path with the add_underlay
function.
* Split out smiley underlay files into a separate underlay, so if the plugin
isn't used, the wiki isn't bloated with all those files.
- add a title to the editpage form;
- pass a reference to the list of buttons to the formbuilder_setup
hooks, so we can add ours;
- relax asumption about the possible submit values (use "Save Page"
explicitly);
- de-hardcode the submit buttons from the editpage template
(This was needed for compatability with a bug in CGI::FormBuilder
3.0401, but ikiwiki already needs a newer version.)
* Pass buttons to all other formbuilder_setup hooks too.
and style sheet updates, and unless you're using customised versions,
you'll want to rebuild wikis on upgrade to this version to avoid
inconsistencies.
* Allow WIKINAME to to used in footers, as an example of something to put
there.
were titlepage escaped in the urls, and then doubly escaped by the CGI
when editing. To fix this, I removed the titlepage escaping in the edit
urls.
* That means that *every edit link* on the wiki is potentially changed.
Rebuilding wikis on upgrade to this version therefore necessary; enabled
that in postinst.
since it ended up being double-escaped. Instead, just remove slashes.
* Fix some nasty issues with page name escaping during previewing
(introduced in 1.44).
previous ugly hack used to avoid writing rss feeds in previews.
* Fix the img plugin to avoid overwriting images in previews. Instead it
does all the work to make sure the resizing works, and dummys up a resized
image using width and height attributes.
* Also fixes img preview display, the links were wrong in preview before.
commit hook, it was possible for one CGI to race another one and "win"
the commit of both their files. This race has been fixed by adding a new
commitlock, which when locked by the CGI, disables the commit hook
(except for commit mails). The CGI then takes care of the updates the
commit hook would have done.
parameters remain the same, but additional options are now passed in using
named parameters.
* Change plugin interface version to 1.02 to reflect this change.
* Add a new anchor option to htmllink. Thanks Ben for the idea.
* Support anchors in wikilinks.
* Add a "more" plugin based on one contributed by Ben to allow implementing
those dreaded "Read more" links in blogs.
including out of disk space situations. ikiwiki should never leave
truncated files, and if the error occurs during a web-based file edit,
the user will be given an opportunity to retry.
Inspired by the many ways Moin Moin destroys itself when out of disk. :-)
* Fix syslogging of errors.
non-page format files in the wiki. To exploit this, the file already had
to exist in the wiki, and the web user would need to somehow use the web
based editor to replace it with malicious content.
(Sorry Josh, this means you can't edit style.css directly anymore,
although I do appreciate your fixes, actually..)
edited.
* Move code forcing signing before edit to a new "signinedit" plugin, and
code checking for locked pages into a new "lockedit" plugin. Both are
enabled by default.
* Remove the anonok config setting. This is now implemented by a new
"anonok" plugin. Anyone with a wiki allowing anonymous edits should
change their configs to enable this new plugin.
* Add an opendiscussion plugin that allows anonymous users to edit
discussion pages, on a wiki that is otherwise wouldn't allow it.
* Lots of CGI code reorg and cleanup.
manipulate.
* Only exclude rss and atom files from processing if the inline plugin
is enabled and that feed type is enabled. Else it's just a copyable file
type.
* Move rss and atom option handling code into the inline plugin.
* Applied a rather old patch from Recai to fix the "pruning is too strict"
issue. Now you can have wiki source directories inside dotdirs and the
like, if you want.
template won't work with CGI::FormBuilder 3.0401, so disable it for now.
* CGI::FormBuilder 3.0401 seems to work ok now with ikiwiki, although
there might still be bugs lurking..
nothing more spohisticated will be needed.
* Add formbuilder_setup and formbuilder hooks.
* Split out a passwordauth module, that holds all the traditional password
based authentication etc code. It's enabled by default, but can be disabled
if you want only openid or some other auth method.
* Make the openid plugin support the callbacks from myopenid.com via its
affiliate program.
* Change how post signin actions are propigated through the signin process;
they're now stored in the session.
* Web commits by OpenID users will record the full OpenID url for the user,
but in recentchanges, these urls will be converted to a simplified display
form+link.
* Modified svn, git, tla backends to recognise such web commits.
FORM-SUBMIT unusable on customised formbuilder templates. For now,
hardcode the submit buttons in editpage.tmpl instead of using the
template variable, which is ok, since the buttons are static.
* Add feeds=no option to inline preprocessor directive to turn off all types
of feeds. feeds=rss will still work, and feeds=atom was also added, for
fine control.
* $IkiWiki::version now holds the program version, and is accessible to
plugins.
using HTTP Authentication instead of ikiwiki's built in authentication.
Useful for eg, large sites with their own previously existing user auth
setup. Closes: #384534
- Plugins should not need to load IkiWiki::Render to get commonly
used functions, so moved some functions from there to IkiWiki.
- Picked out the set of functions and variables that most plugins
use, documented them, and made IkiWiki export them by default,
like a proper perl module should.
- Use the other functions at your own risk.
- This is not quite complete, I still have to decide whether to
export some other things.
* Changed all plugins included in ikiwiki to not use "IkiWiki::" when
referring to stuff now exported by the IkiWiki module.
* Anyone with a third-party ikiwiki plugin is strongly enrouraged
to make like changes to it and avoid use of non-exported symboles from
"IkiWiki::".
* Link debian/changelog and debian/news to NEWS and CHANGELOG.
* Support hyperestradier version 1.4.2, which adds a new required phraseform
setting.
Joey Hess
Joey Hess
joey