firefox 3 smooshed the page location dropdown up to the page title,
obscuring descenders and underscores. Maybe that's a bug, since the CSS
didn't ask it to, but I think adding the extra space of a br at the top
looks better anyway.
FormBuilder makes it annoyingly hard to move a submit button to a
nonstandard place. The button name has to be "_submit" or FormBuilder will
ignore it.
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.
In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.
In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.
For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)
The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
- add a title to the editpage form;
- pass a reference to the list of buttons to the formbuilder_setup
hooks, so we can add ours;
- relax asumption about the possible submit values (use "Save Page"
explicitly);
- de-hardcode the submit buttons from the editpage template
(This was needed for compatability with a bug in CGI::FormBuilder
3.0401, but ikiwiki already needs a newer version.)
* Pass buttons to all other formbuilder_setup hooks too.
and style sheet updates, and unless you're using customised versions,
you'll want to rebuild wikis on upgrade to this version to avoid
inconsistencies.
* Allow WIKINAME to to used in footers, as an example of something to put
there.
including out of disk space situations. ikiwiki should never leave
truncated files, and if the error occurs during a web-based file edit,
the user will be given an opportunity to retry.
Inspired by the many ways Moin Moin destroys itself when out of disk. :-)
* Fix syslogging of errors.
FORM-SUBMIT unusable on customised formbuilder templates. For now,
hardcode the submit buttons in editpage.tmpl instead of using the
template variable, which is ok, since the buttons are static.
pages.
* Change how the stylesheet url is determined in the templates: Remove
STYLEURL and add BASEURL to all templates (some already had it). This
new more general variable can be used to link to other things (eg, images)
from the template, as well as stylesheets.
<span>, so pages can use <h1> internally instead of needing to use <h2>.
* Updated all of ikiwiki's own wiki pages for that.
* Add pagetemplate hook, which can be used by plugins that want to mess
around with adding new stuff to the page template.
* Remove headercontent; the search plugin now adds the search box to the
header by registering a pagetemplate hook, and other plugins should do
similarly.
wikilinks since the urls should work now in more situations
- drop --limit from svn log run, since a) it needs a fairly new svn and
b) in some cases, it would limit it to too few entries to display the
requested number of changes
- Use driver:DB_File and not driver:db_file for better compatability with
old versions of CGI::Session.
- Note that HTML::Template 3.02.02 is needed.
- escape & in urls (also clean up cgi url generation)
- since markdown wraps inlined pages in <p></p>, close and re-open
the paragraph tags when generating the embedded html
- added XHTML 1.0 doctypes to templates
- fixed <hr /> and <br /> in templates
- add an alt attribute to inline images, based on the WikiLink to the
image. Allows things like [[my_image|img.png]] to customise alt text.
- use FormBuilder for edit page forms (also use template)
- print debug to stderr in cgi mode to avoid breaking http headers
- fix links to page in parentlinks if $url is unset
- reorganise how wikilink is used in templates
- only make recentchanes link if svn is enabled
- change session id cookie to something we control
- add support for logging committer name for web commits from signed in
users (untested)
- probably more changes I forgot
Joey Hess
joey