Commit Graph

152 Commits (328ad8bf0d2b3ac7c20d0079fcc5286685825d88)

Author SHA1 Message Date
Joey Hess 2718fc2b25 response 2008-04-10 19:54:38 -04:00
Joey Hess 2beb279806 Give the full path to the hyperestraier helpfile in estseek.conf. 2008-04-10 17:50:43 -04:00
Joey Hess 72b5ef2c5f Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.

In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.

In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.

For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)

The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 16:35:30 -04:00
Joey Hess d93aaed791 * Add recentchangesdiff plugin that adds diffs to the recentchanges feeds.
* rcs_diff is a new function that rcs modules should implement.
* Implemented rcs_diff for git, svn, and tla (tla version untested).
  Mercurial and monotone still todo.
2008-03-03 15:53:34 -05:00
Joey Hess 8be2b60aac * The search plugin needs to override <base> to point to the directory
containing ikiwiki.cgi, but this should not change the urls to the style
  sheets etc. Add a new forcebareurl parameter to misctemplate to allow
  it to do that.
2008-02-14 15:20:49 -05:00
Josh Triplett 122f6df325 Merge branch 'master' into prefix-directives
Conflicts:

	debian/changelog
	templates/change.tmpl
2008-02-09 23:02:52 -08:00
Joey Hess f1fcb5be9c * Page templates can now use CTIME to show when the page was created. 2008-02-09 23:05:48 -05:00
Joey Hess a72a620134 change wording 2008-02-09 22:59:50 -05:00
Joey Hess 18d16309ce reword to put the more important info (page names) nearer the front 2008-02-09 22:59:01 -05:00
Joey Hess f3efacb16d add ! prefix to some directives in templates, and to the recentchanges page 2008-02-05 16:18:29 -05:00
Joey Hess 7da5b9948e more whitespace nonsense 2008-01-29 18:27:41 -05:00
Joey Hess e40a9b0511 more HTML::Template fun
fix whitespace that led to bad wrapping and display
2008-01-29 18:25:13 -05:00
Joey Hess 3d29c5e3f8 fix display of diff icon 2008-01-29 18:06:03 -05:00
Joey Hess 64a8c828b8 * meta: Add pagespec functions to match against title, author, authorurl,
license, and copyright. This can be used to create custom RecentChanges.
* meta: To support the pagespec functions, metadata about pages has to be
  retained as pagestate.
* Fix encoding bug when pagestate values contained spaces.
2008-01-29 17:16:51 -05:00
Joey Hess f630b6ca37 really use unmunged author in metadata 2008-01-29 16:07:57 -05:00
Joey Hess 2bfd2e9841 rename template 2008-01-29 13:39:12 -05:00
Joey Hess 6446b67239 move message to end 2008-01-29 04:53:45 -05:00
Joey Hess 38e79f206e more style improvements 2008-01-29 04:44:05 -05:00
Joey Hess a6a300f675 fairly good css style for static recentchanges page
The customary 2.5 hours of staring at random css turtorials later, here
is a pure css latout for the static recentchanges page that, while not as good
as the old table layout, it decent. And it works well in lynx. And
should generate some pretty nice rss too.
2008-01-29 04:22:40 -05:00
Joey Hess 21f44880cd non-tabular recentchanges display
Doesn't look as good as the old table, but works as a rss feed.
2008-01-29 01:48:55 -05:00
Joey Hess d7fdd04b5a * Removed support for sending commit notification mails. Along with it went
the svnrepo and notify settings, though both will be ignored if left in
  setup files.
2008-01-29 00:36:58 -05:00
Joey Hess 5921b86fcc proof of concept implementation of static recentchanges
Currently hardcoded to write to recentchanges/*, and the page format needs
to be rethought to be usable for aggregation, but it basically works.
2008-01-28 23:56:26 -05:00
Joey Hess 0f76f8774d add 2008-01-28 22:56:25 -05:00
Joey Hess 405e8a7031 include license/copyright/author info if available 2008-01-09 02:32:03 -05:00
Joey Hess b31e8c0826 * inline: Add copyright/license info on a per-post basis to atom
feeds if available. (rss doesn't allow such info on a per-post basis)
* meta: Allow copyright/license metadata to contain arbitrary markup.
2008-01-09 01:05:54 -05:00
Joey Hess 86781fc43e * aggregate: Include copyright statements from rss feed as meta copyright
directives.
* aggregate: Yet another state saving fix (sigh).
* aggregate: Add hack to support feeds with invalidly escaped html entities.
2008-01-08 20:41:25 -05:00
Josh Triplett 899d836683 Add xmlns attribute on html element in templates; pages can now validate. 2007-11-08 12:59:02 -08:00
joey 3cf42a466c * Fix copyright and licence styling. 2007-09-20 18:06:55 +00:00
joey 50e5e6a5d4 basic styling for license and copyright 2007-09-15 00:38:30 +00:00
joey 9dc796737f bugfixes 2007-09-15 00:23:08 +00:00
joey 906dcfd518 * meta: Support license and copyright information. The information will
be shown in the page footer. HTML will also be inserted that should
  support the rel=license microformat as well as the HTML spec's
  rel=copyright.
2007-09-14 18:11:10 +00:00
joey ce7596dad9 * Applied Jeremie Koenig's pluggable editpage buttons patch:
- add a title to the editpage form;
  - pass a reference to the list of buttons to the formbuilder_setup
    hooks, so we can add ours;
  - relax asumption about the possible submit values (use "Save Page"
    explicitly);
  - de-hardcode the submit buttons from the editpage template
    (This was needed for compatability with a bug in CGI::FormBuilder
    3.0401, but ikiwiki already needs a newer version.)
* Pass buttons to all other formbuilder_setup hooks too.
2007-08-17 05:34:59 +00:00
joey 160326b469 * Apply a patch from NicolasLimare adding modification date tags to rss and
atom feeds, and also changing the publication time for a feed to the
  newest modiciation time (was newest creation time).
* The patch also adds dcterms:creator to rss items that have a known author.
2007-08-11 23:15:08 +00:00
joey c92ab9cddd * Wrap the editpage template in the standard misctemplate, this allows the
pagetemplate hook to work for that page.
* Above change fixes the favicon plugin to work on edit pages.
2007-07-16 05:24:31 +00:00
joey ba1765fbdf * More consistent encoding of titles in rss and atom feeds. Don't use
ESCAPE=HTML for titles in the templates for these feeds, and instead
  escape the title going in to the template. Previously, the title was
  sometimes double-escaped in a feed (if set via meta title), and sometimes
  not (if set from the page filename).
* In the meta plugin, when a title is set, encode the html entities in it
  numerically. This works better in the current landscape of a rss spec that
  doesn't specify encoding, and variously broken feed consumers, according
  to <http://www.rssboard.org/rss-profile#data-types-characterdata>.
2007-05-28 19:43:28 +00:00
joey 190202dd4e * Make all templates have a footer div to ease themeing. Required template
and style sheet updates, and unless you're using customised versions,
  you'll want to rebuild wikis on upgrade to this version to avoid
  inconsistencies.
* Allow WIKINAME to to used in footers, as an example of something to put
  there.
2007-05-11 20:09:58 +00:00
joshtriplett 27bfa7b40e Remove img style attribute from recentchanges.tmpl; the default style.css covers this. 2007-05-08 20:45:40 +00:00
joey 2ece784167 don't generate tags span if there are no tags.. 2007-05-01 23:13:00 +00:00
joey fa6852bb7c remove empty footer, doesn't play well with new css 2007-04-29 22:22:00 +00:00
joey 160fd34187 more footer improvements 2007-04-26 19:49:06 +00:00
joey fe52c28bd6 * Move the footer div to enclose tags and links too.
* More style sheet updates, remove the hack that used the tags div to create
  the footer border.
2007-04-26 19:33:28 +00:00
joey 3af6dea3b5 * Minor template improvements by Alessandro. 2007-04-18 23:35:48 +00:00
joey 01b058a285 * Add postformtext parameter to inline. 2007-04-12 04:13:55 +00:00
joey 127945aad3 use popup balloon for more backlinks, rather than expanding on hover, since
in some cases it's not possible to move the mouse over the more backlinks
using the old method
2007-04-06 22:30:51 +00:00
joey 8d03891eba * Reorder the icon in the template above the stylesheets, to avoid icon
flashing during page load.
2007-04-06 17:31:00 +00:00
joey a2cfdaaec5 * Hide excess backlinks and expand using CSS trick; control quantiy via
the numbacklinks setting.
2007-03-31 08:48:10 +00:00
joey 72ed9e455c the real bug turned out to be in the meta plugin 2007-03-21 06:46:06 +00:00
joey af63a2ebff forgot to revert this 2007-03-21 06:39:01 +00:00
joey 03e5438155 oh, this is confusing, it needs escaping in <title>, but not when it's used
inline, already escaped there
2007-03-21 06:22:06 +00:00
joey 1c65ca4922 * Fix a few bugs around page titles containing html. The worst of these
is an actual security hole as it allows insertion of html into the title
  element of a page, which is not processed by the htmlscrubber.
2007-03-21 06:05:21 +00:00