Commit Graph

19606 Commits (545a7bbbf07dd2375a96eae09f9abd6329a919e5)

Author SHA1 Message Date
Simon McVittie 545a7bbbf0 img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
2016-05-05 23:43:50 +01:00
Simon McVittie 54a9f8d07d img: force common Web formats to be interpreted according to extension
A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, an SVG file named attachment.jpg.

This mitigates CVE-2016-3714.
2016-05-05 23:43:50 +01:00
Simon McVittie 32ef584dc5 HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)

The instances in preprocess() are just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
2016-05-05 23:43:17 +01:00
https://id.koumbit.net/anarcat 355ba85137 all good 2016-05-04 18:53:24 -04:00
smcv e874ce623b 2016-05-04 18:35:33 -04:00
https://id.koumbit.net/anarcat bd881a8ee6 response: confirmation it's a bug in MMD and Discount doesn't have footnotes, and request for workaround 2016-05-04 09:45:25 -04:00
smcv 291a09e537 discount (as used on this wiki) can do footnotes, but they aren't enabled by ikiwiki 2016-05-04 05:48:01 -04:00
smcv 337736663b response 2016-05-04 05:38:27 -04:00
Joey Hess f4b75b3b2c response 2016-05-02 09:33:59 -04:00
https://id.koumbit.net/anarcat 017a7e9446 2016-04-29 00:32:02 -04:00
https://id.koumbit.net/anarcat 467f501d90 response 2016-04-28 20:13:05 -04:00
Joey Hess fe7ec461d4 Merge branch 'master' of ssh://git.ikiwiki.info 2016-04-28 19:34:51 -04:00
Joey Hess 3aa705b38a response 2016-04-28 19:32:58 -04:00
Joey Hess 95c0a63675 Merge remote-tracking branch 'origin/master' 2016-04-28 19:06:01 -04:00
https://id.koumbit.net/anarcat 1e38006bbc 2016-04-28 10:12:52 -04:00
https://id.koumbit.net/anarcat 965aa5c6fa http/https issue 2016-04-28 10:08:05 -04:00
Antoine Beaupré 81852a7db7 smaller is too small for large blocks 2016-04-26 18:52:25 -04:00
Antoine Beaupré e316ea9a7c fix typo and comment 2016-04-26 18:50:47 -04:00
Antoine Beaupré 093ad8b890 new CSS bug 2016-04-26 18:46:59 -04:00
https://id.koumbit.net/anarcat 4871d48718 explain footnotes 2016-04-26 18:35:20 -04:00
desci 053f96e80b Changed the expired domain and added question 2016-04-18 22:08:50 -04:00
RickHanson 344f831c2e Fixed dead link. 2016-04-17 19:38:12 -04:00
Antoine Beaupré da596e5c79 add screenshot 2016-04-15 18:11:29 -04:00
Antoine Beaupré 1719ad31ee fix typos 2016-04-15 17:31:53 -04:00
Antoine Beaupré 8f67b981cd announce the admonition plugin 2016-04-15 17:29:44 -04:00
Antoine Beaupré fcf10269fc elaborate copyright investigation. ugh. 2016-04-15 12:29:25 -04:00
Antoine Beaupré ad5b749847 response 2016-04-15 11:17:02 -04:00
Antoine Beaupré e5c93a6ac0 can't login again 2016-04-15 11:07:14 -04:00
smcv f211764c1d escape 2016-04-15 10:38:11 -04:00
smcv 18c9d18b76 templates are another way to do this 2016-04-15 10:37:43 -04:00
smcv 7493b4015b 2016-04-15 10:34:33 -04:00
Antoine Beaupré 568b0fe11d a weird authentication bug 2016-04-15 10:14:50 -04:00
Antoine Beaupré 54f71deab5 admonitions proposal 2016-04-15 09:57:53 -04:00
desci 8eb3a06f1e Arguing more 2016-04-15 08:24:38 -04:00
desci 65095203f5 Added systemd for nginx 2016-04-15 08:12:11 -04:00
desci 9bb481ccd7 2016-04-14 17:14:47 -04:00
spalax 96e2315499 Document new feature. 2016-04-14 12:43:32 -04:00
https://id.koumbit.net/anarcat 552b42f039 clarify that theme and css is not only to change stylesheets, but the look in general 2016-04-13 14:38:15 -04:00
https://id.koumbit.net/anarcat df17472bbf link to localstyle after a user struggled for hours to figure out exactly that 2016-04-13 14:37:22 -04:00
smcv 06a67db3f9 explain why multiple page.tmpl is a showstopper for upstream even if not for local themes 2016-04-12 02:00:21 -04:00
desci 687e3f94ea 2016-04-11 11:05:45 -04:00
desci 57f48eac19 Updated link 2016-04-11 11:03:22 -04:00
desci 2829486a81 Updated link 2016-04-11 11:01:54 -04:00
desci 5afcfd501a Edited old sentence to reference the forum 2016-04-11 10:59:13 -04:00
desci a25ad4f984 2016-04-11 10:57:37 -04:00
desci 3f95ac468a Asked Joey to reconsider 2016-04-11 10:21:24 -04:00
desci 4071feaa2a Added yet another bootstrap theme 2016-04-11 10:15:39 -04:00
desci eef3e0350c Added question 2016-04-11 10:12:17 -04:00
spwhitton e6be5ee97a There's also a config file option. 2016-04-09 10:48:54 -04:00
desci 47f4ac8f08 Marketing 2016-04-09 01:01:38 -04:00