Simon McVittie
2020bd88a5
Remove spurious changelog entry
This change was new in 3.20141016.3, but was applied to the master
branch several releases ago, so it is not new in 3.20160506.
2016-05-09 21:46:04 +01:00
smcv
a8c96a1418
mention that the CVE-2016-4561 fix was backported
2016-05-09 08:24:35 -04:00
desci
176ff2fb5c
Clarifying
2016-05-08 21:54:17 -04:00
desci
dfcfefea74
Adding info regarding bootstrap classes
2016-05-08 21:53:14 -04:00
desci
ed5ea6c303
Adding sites
2016-05-08 21:42:54 -04:00
Amitai Schlair
89af9ecc57
Detect image type from .JPG just like .jpg (etc.).
2016-05-08 18:31:02 -04:00
Amitai Schlair
e24e6fed62
Fix spelling of "ratio" in test.
2016-05-08 18:31:02 -04:00
https://id.koumbit.net/anarcat
0ee5cb719c
thanks!
2016-05-08 17:10:50 -04:00
smcv
dca4461c11
tag added
2016-05-08 16:44:56 -04:00
https://id.koumbit.net/anarcat
590c42da03
thanks!
2016-05-08 16:40:13 -04:00
smcv
200a002ac5
sorry, one day I'll review this, but this is not that day
2016-05-08 16:37:34 -04:00
https://id.koumbit.net/anarcat
2576bceba2
still using this in production, would welcome feedback
2016-05-08 14:59:12 -04:00
https://id.koumbit.net/anarcat
f80fdeb044
dropping this.
2016-05-08 14:57:28 -04:00
https://id.koumbit.net/anarcat
c7364a0567
2016-05-08 14:56:26 -04:00
Simon McVittie
47b180e35f
img: make img_allowed_formats case-insensitive
2016-05-07 23:22:52 +01:00
Simon McVittie
125461cab7
inline: expand show=N backwards compatibility to negative N
[[plugins/contrib]] uses show=-1 to show the post-creation widget
without actually inlining anything.
2016-05-06 22:51:02 +01:00
Simon McVittie
0abef571c7
Add CVE reference
2016-05-06 21:36:51 +01:00
smcv
855a7b5c6c
respond
2016-05-06 15:29:51 -04:00
Simon McVittie
cffc503e0c
use intended filename
2016-05-06 20:16:58 +01:00
smcv
dfadaa0bf9
escape directive properly; add paragraph breaks
2016-05-06 15:14:09 -04:00
smcv
455be983c0
rename todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn to bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
2016-05-06 15:12:49 -04:00
smcv
f4b1244878
already fixed
2016-05-06 15:12:29 -04:00
Simon McVittie
26d4641d02
Announce 3.20160506
2016-05-06 20:10:19 +01:00
Simon McVittie
847c9f232e
Merge remote-tracking branch 'origin/master'
2016-05-06 20:05:45 +01:00
florian@883672f3f4dbd3c6bb430afc661484a58a3a1296
644d099e5a
2016-05-06 08:10:01 -04:00
Simon McVittie
9fe33a4c94
3.20160506
2016-05-06 07:54:47 +01:00
Simon McVittie
f01283478b
Exclude users/* from the HTML documentation
2016-05-06 07:53:53 +01:00
Simon McVittie
1ae01a592f
Do not recommend mimetype(image/*)
Not all image file types are safe for general use: in particular,
image/svg+xml is known to be vulnerable to CVE-2016-3714 under some
ImageMagick configurations.
2016-05-06 07:49:50 +01:00
Simon McVittie
dea96e5113
Document the security fixes in this release
2016-05-06 07:49:45 +01:00
Joey Hess
21b9b9e306
update test suite for svg passthrough by img directive
Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.
2016-05-06 06:58:56 +01:00
Simon McVittie
984ba82f1b
img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.
(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)
[smcv: drop trailing whitespace, fix some spelling]
2016-05-06 06:57:12 +01:00
Joey Hess
7ff6221ac9
changelog for smcv's security fixes
[smcv: omit a change that was already in 3.20160514]
2016-05-06 06:53:41 +01:00
Simon McVittie
170cd41489
img: check magic number before giving common formats to ImageMagick
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
2016-05-05 23:43:50 +01:00
Simon McVittie
545a7bbbf0
img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
2016-05-05 23:43:50 +01:00
Simon McVittie
54a9f8d07d
img: force common Web formats to be interpreted according to extension
A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, an SVG file named attachment.jpg.
This mitigates CVE-2016-3714.
2016-05-05 23:43:50 +01:00
Simon McVittie
32ef584dc5
HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)
The instances in preprocess() are just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
2016-05-05 23:43:17 +01:00
https://id.koumbit.net/anarcat
355ba85137
all good
2016-05-04 18:53:24 -04:00
smcv
e874ce623b
2016-05-04 18:35:33 -04:00
https://id.koumbit.net/anarcat
bd881a8ee6
response: confirmation it's a bug in MMD and Discount doesn't have footnotes, and request for workaround
2016-05-04 09:45:25 -04:00
smcv
291a09e537
discount (as used on this wiki) can do footnotes, but they aren't enabled by ikiwiki
2016-05-04 05:48:01 -04:00
smcv
337736663b
response
2016-05-04 05:38:27 -04:00
Joey Hess
f4b75b3b2c
response
2016-05-02 09:33:59 -04:00
https://id.koumbit.net/anarcat
017a7e9446
2016-04-29 00:32:02 -04:00
https://id.koumbit.net/anarcat
467f501d90
response
2016-04-28 20:13:05 -04:00
Joey Hess
fe7ec461d4
Merge branch 'master' of ssh://git.ikiwiki.info
2016-04-28 19:34:51 -04:00
Joey Hess
3aa705b38a
response
2016-04-28 19:32:58 -04:00
Joey Hess
95c0a63675
Merge remote-tracking branch 'origin/master'
2016-04-28 19:06:01 -04:00
https://id.koumbit.net/anarcat
1e38006bbc
2016-04-28 10:12:52 -04:00
https://id.koumbit.net/anarcat
965aa5c6fa
http/https issue
2016-04-28 10:08:05 -04:00
Antoine Beaupré
81852a7db7
smaller is too small for large blocks
2016-04-26 18:52:25 -04:00