Commit Graph

186 Commits (62c9df67212c7c42eb03ad9e36891afe4bc2d9a2)

Author SHA1 Message Date
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Amitai Schlair 63fa0ef5ba Process .md like .mdwn, but disallow web creation. 2016-03-08 14:31:15 -05:00
Simon McVittie 855b757f37 Force comments URL in RSS feeds to be absolute
Now I'm going to get bug reports about wanting the URLs to be
protocol-relative, but we can't win there as long as we generate RSS,
because RSS doesn't have well-defined semantics for relative URLs
(and the W3C's validator complains about them). If absolute URLs are
a problem for you, please use Atom feeds.
2016-01-21 07:50:13 +00:00
Joey Hess ab1bba9dab cloak user PII when making commits etc, and let cloaked PII be used in banned_users
This was needed due to emailauth, but I've also wrapped all IP address
exposure in cloak(), although the function doesn't yet cloak IP addresses.

(One IP address I didn't cloak is the one that appears on the password
reset email template. That is expected to be the user's own IP address,
so ok to show it to them.)

Thanks to smcv for the pointer to
http://xmlns.com/foaf/spec/#term_mbox_sha1sum
2015-05-14 11:58:21 -04:00
Joey Hess 7a68c4a01c when an emailauth user posts a comment, use the username only, not the full email address
This makes the email not be displayed on the wiki, so spammers won't find
it there.

Note that the full email address is still put into the comment template.
The email is also used as the username of the git commit message
(when posting comments or page edits). May want to revisit this later.
2015-05-13 23:26:22 -04:00
Amitai Schlair 3a19663d48 In VCS-committed anonymous comments, link to url. 2015-01-08 08:11:40 -05:00
Amitai Schlair a87f43d71e Avoid uninitialized warnings with comments+no CGI. 2014-12-28 13:15:45 -05:00
Amitai Schlair 38a088a433 ikiwiki-comment: optionally override parameters. 2014-12-27 22:38:18 -05:00
Joey Hess 82a4fb49ae add ikiwiki-comment program 2014-10-20 12:08:07 -04:00
Simon McVittie 4e2bfe1e17 comments: don't log remote IP address for signed-in users
The intention was that signed-in users (for instance via httpauth,
passwordauth or openid) are already adequately identified, but
there's nothing to indicate who an anonymous commenter is unless
their IP address is recorded.
2014-10-12 18:03:28 +01:00
Simon McVittie ef7c80258d comments: use comments_pagespec for authorization, not just UI 2014-07-04 23:27:43 +01:00
Joey Hess 81aa58e7ca comments: Write pending moderation comments to the transient underlay to avoid conflict with only_committed_changes. 2013-11-17 13:07:00 -04:00
Joey Hess 7dd110ba51 disable only_committed_changes when uncommitted files are created by plugins 2013-11-17 00:04:05 -04:00
Joey Hess 5038f36cba Merge branch 'restrict-comment-formats' of git://rtime.felk.cvut.cz/sojka/ikiwiki 2013-06-23 14:04:42 -04:00
Michal Sojka c42fd7d758 Add configuration to restrict the formats allowed for comments
I want to write my blog posts in a convenient format (Emacs org mode)
but do not want commenters to be able to use this format for security
reasons. This patch allows configuring which formats are allowed for
writing comments.

Effectively, it restricts the formats enabled with add_plugin to those
mentioned in comments_allowformats. If this is empty, all formats are
allowed, which is the behavior without this patch.
2013-03-05 11:00:29 +01:00
Joey Hess a3c1768e10 comments: Remove ipv6 address specific code. 2012-08-25 10:43:24 -04:00
Joey Hess a434e3ed8d remove unnecessary quoting 2012-04-08 15:56:53 -04:00
Simon McVittie 5674e7fc12 prune: do not prune beyond an optional base directory, and add a test
Previously, prune("wiki/srcdir/sandbox/test.mdwn") could delete srcdir
or even wiki, if they happened to be empty. This is rarely what you
want: there's usually some base directory (destdir, srcdir, transientdir
or another subdirectory of wikistatedir) beyond which you do not want to
delete.
2012-04-07 17:52:29 +01:00
Joey Hess c885ec66e0 allow users to subscribe to comments w/o registering
Technically, when the user does this, a passwordless account is created
for them. The notify mails include a login url, and once logged in that
way, the user can enter a password to get a regular account (although
one with an annoying username).

This all requires the passwordauth plugin is enabled. A future enhancement
could be to split the passwordless user concept out into a separate plugin.
2012-04-02 13:45:39 -04:00
Joey Hess 1916f97472 integrate comments plugin with notifyemail 2012-03-28 18:38:37 -04:00
Joey Hess a78126c55e calendar, prettydate: Fix strftime encoding bug
strftime is a C function, it does not return decoded utf8.
Several places in ikiwiki manually decoded it, but at least two
forgot to.

Also, strftime might not return even encoded utf8, if LC_TIME is set
to a non-utf8 value. Went ahead and supported decoding whatever encoding
it uses.

The remaining direct calls to strftime() are all ones that first set
LC_TIME=C, in order to get times that are not for human display.
2012-01-30 15:09:37 -04:00
Joey Hess b8bf318b91 remove x bit from comments.pm
how did that get set?
2011-12-27 11:37:28 -04:00
Simon McVittie aae95b8d54 comments: collect metadata in a scan-phase preprocess hook 2011-06-04 16:55:02 +01:00
Joey Hess bb44bac175 look up avatar at comment post time
There is a tension between looking up the avatar at post time
and build time. I have not yet decided which is better.

Lookup at build time has the benefit that if a user changes their
email address, or sets up their own federated libravatar
server, on rebuild their new avatar will show up.

It also allows getting a https version of the avatar easily if
the site was using http but was changed to use https.

And it can look up avatars for posts that have already been made.
Which is a nice thing, especially as we roll this out, eh?

But it has a drawback, that it depends on the sessiondb contents
for emails and so rebuilding a site w/o that will lose info.

And, it means dns lookups every time a comment is rendered. A page
with a lot of comments on it would render them all whenever another is
posted or the page is changed, and that could significantly slow things
down. (This could be ameliorated by caching the lookups.)

Since I'm undecided, I have moved it into a function that could be called
either way. Currently looking up only at post time.
2011-03-30 11:24:01 -04:00
Joey Hess 51e8a4eeda check site url for https
HTTPS won't be set when rebuilding a site at the command line
2011-03-30 11:00:55 -04:00
Joey Hess f4262696ad robustness fix
Don't fail if libravatar fails for some reason. Reasons I can think
of:

* too old version to do openid lookups (fall back to email lookup)
* network problem perhaps
2011-03-30 10:54:24 -04:00
Joey Hess c8cf2d1ed7 indentation 2011-03-30 10:48:57 -04:00
Francois Marier e2e1b1cd20 comments: add OpenID-based avatars (libravatar.org)
This requires version 1.04 or later of Libravatar::URL.
2011-03-30 20:59:18 +13:00
Francois Marier 83056abb87 comments: serve avatars over https in https wikis 2011-03-30 20:59:17 +13:00
Francois Marier 7723e94218 comments: add avatar picture of comment author
Use Libravatar::URL to pull the avatar picture for the comment
author if we have an email address for him/her.
2011-03-30 20:59:17 +13:00
Joey Hess a0e31f38d5 comment: Better fix to avoid showing comments of subpages, while not breaking manual inlining of comments. 2011-03-28 11:53:55 -04:00
Joey Hess 6908406989 Revert "comment: Don't show comments of subpages on parent pages. (Fixes bug introduced in version 3.20100505.)"
This reverts commit b34d31142b.

This was the wrong approach. It broke inlining of comment(*) on eg, a
toplevel comment page.
2011-03-28 11:42:21 -04:00
Joey Hess b34d31142b comment: Don't show comments of subpages on parent pages. (Fixes bug introduced in version 3.20100505.) 2011-02-27 18:16:07 -04:00
Joey Hess 2be49b623a bleagh 2011-01-24 16:56:28 -04:00
Joey Hess dcfeaaad5b comments: Fix XSS security hole due to missing validation of page name.
Values have to be checked against wiki_file_regexp, not just file_pruned.
Audited the rest of the code base for similar problems, found none.
2011-01-22 10:15:33 -04:00
Joey Hess d991ccf134 use cgitemplate, remove misctemplate 2011-01-05 17:15:38 -04:00
Joey Hess 4a6ac6b485 add cgitemplate
cgitemplate is a modified misctemplate that takes an optional cgi object
and uses it to set the baseurl, and also optionally the forcebaseurl,
if a page is provided.

If no cgi object is provided, it will fall back to using $config{url}.
I expect this will only be needed in exceptional cases where
that doesn't much matter, such as cgierror().

showform uses cgitemplate, so there is no more need for showform_preview.
2011-01-05 17:06:11 -04:00
Joey Hess ea734d451c better handling of relative permalinks
This way, do=goto will go to the page relative to
the current location, while the permalinks in feeds
will be absolute (unless an url is not configured at all).
2011-01-05 16:26:09 -04:00
Joey Hess 3eabf323f0 Fix permalinks to recentchanges items and comments, broken by last release.
permalinks always need to be full urls
2011-01-05 15:22:55 -04:00
Joey Hess 8c9c3915ec Fix base url when previewing. Was broken by urlto changes in last release.
Added a showform_preview that is like showform, but sets forcebaseurl
to point to the page being previewed.
2011-01-05 13:50:42 -04:00
Joey Hess beae7ef9db editpage, comment: Clean up title when editing or creating a page or comment.
Now that page.tmpl is used for cgi, the parentlinks are able to be
displayed even when creating or editing a page. So it's redundant to
include the path to the page in the title, remove it.
2010-12-25 13:38:26 -04:00
Joey Hess 1182e9d0ee use one-parameter form of urlto 2010-11-29 15:07:26 -04:00
Simon McVittie 4625e0c4d9 Pass a CGIURL into commentmoderation.tmpl
Omitting this resulted in <form action=""> which is in fact a working
self-referential form, but is less obvious than it ought to be.
2010-11-23 00:20:57 +00:00
Simon McVittie 1f019ac2aa Use local paths for most references to pages 2010-11-23 00:19:10 +00:00
Simon McVittie 296e5cb2fd Use local paths for the CGI URL 2010-11-23 00:12:17 +00:00
Simon McVittie d2e3741a6f Use local paths for redirection where possible 2010-11-23 00:00:11 +00:00
Joey Hess d8de98911e comments: Make comment() pagespec also match comments that are being posted. 2010-11-12 00:36:03 -04:00
Joey Hess 78de33d2ea comments: Make postcomment() pagespec work when previewing a comment. 2010-11-12 00:28:27 -04:00
Joey Hess fd2b2f386f Merge branch 'filter-full' 2010-07-12 15:35:40 -04:00
Joey Hess 7e3fb8b8a2 comments: Added commentmoderation directive for easy linking to the comment moderation queue. 2010-07-05 20:19:31 -04:00