Commit Graph

2367 Commits (650445645430931bea5947a217fa425b0ca3b521)

Author SHA1 Message Date
Simon McVittie e0341d0e88 3.20161229.1 2016-12-29 20:47:17 +00:00
Simon McVittie d092b0b777 git: Do not disable commit hook for temporary working tree
We exclude .git/hooks from symlinking into the temporary working tree,
which avoids the commit hook being run for the temporary branch anyway.
This avoids the wiki not being updated if an orthogonal change is
received in process A, while process B prepares a revert that is
subsequently cancelled.
2016-12-29 20:46:38 +00:00
Simon McVittie afda054796 git: Attribute reverts to the user doing the revert, not the wiki itself 2016-12-29 20:43:15 +00:00
Simon McVittie 287bb19883 3.20161229 2016-12-29 17:37:51 +00:00
Simon McVittie cf0166347c Add CVE references for CVE-2016-9646, CVE-2016-9645
Thanks to the Debian security team for allocating these.
2016-12-29 17:36:11 +00:00
Simon McVittie ad04dac19b Add automated test for using the CGI with git, including CVE-2016-10026 2016-12-28 21:32:12 +00:00
Simon McVittie a8a7462382 Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().

It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.

OVE-20161226-0002
2016-12-28 21:32:12 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Simon McVittie e193c75b7d git: do not fail to commit if committer is anonymous 2016-12-28 21:32:12 +00:00
Simon McVittie a67f4d3944 git: don't issue a warning if rcsinfo is undefined
The intention here seems to be that $prev may be undefined, and the
only way that can legitimately happen is for $params{token} to be
undefined too.
2016-12-28 21:32:12 +00:00
Simon McVittie 7c34df633d git_revert test: reinstate ikiwiki.setup, and make it work uninstalled
Previously it was relying on running with an installed ikiwiki
and being able to copy in recentchanges.mdwn and wikiicons/ from the
underlay in /usr. The underlay in ./underlays/basewiki can't be used
(yet) because ikiwiki doesn't allow following symlinks, even from
underlays.

I'd like to make ikiwiki follow symlinks whose destinations can be
verified to be safe (for example making it willing to expose
/usr/share/javascript to the web, but not /etc/passwd), at least from
underlays, but this is security-sensitive so I'm not going to rush
into it.
2016-12-28 21:32:11 +00:00
Simon McVittie 28409cd358 Add CVE references for CVE-2016-10026 2016-12-21 13:03:36 +00:00
Simon McVittie c96149fa3e Release 3.20161219 2016-12-19 20:35:01 +00:00
Simon McVittie 0fe2ff8579 changelog 2016-12-19 18:21:07 +00:00
Simon McVittie 592c13cc61 Update changelog 2016-12-19 18:21:07 +00:00
Joey Hess 68e2320696
inline: Prevent creating a file named ".mdwn" when the postform is submitted with an empty title. 2016-09-21 13:51:42 -04:00
Amitai Schlair 85c10d149b Update my surname to its new legal spelling. 2016-09-14 14:28:01 -04:00
Simon McVittie 6750fb6f8b 3.20160905 2016-09-05 21:26:32 +01:00
Joey Hess 3f78c41770
changelog for previous commit
Closes https://github.com/joeyh/ikiwiki/pull/19
2016-08-03 15:00:04 -04:00
Simon McVittie 6264e91bac 3.20160728 2016-07-28 10:42:35 +01:00
Simon McVittie 1ffb9d4931 Standards-Version: 3.9.8 (no changes required) 2016-07-28 10:41:25 +01:00
Simon McVittie 5f6f9a1bea Wrapper: allocate new environment dynamically
Otherwise, if third-party plugins extend newenviron by more than
3 entries, we could overflow the array. It seems unlikely that any
third-party plugin manipulates newenviron in practice, so this
is mostly theoretical. Just in case, I have deliberately avoided
using "i" as the variable name, so that any third-party plugin
that was manipulating newenviron directly will now result in the
wrapper failing to compile.

I have not assumed that realloc(NULL, ...) works as an equivalent of
malloc(...), in case there are still operating systems where that
doesn't work.
2016-05-11 09:18:14 +01:00
Simon McVittie 062dbf1373 3.20160509 2016-05-09 21:59:50 +01:00
Simon McVittie ab97cd56f3 Reference CVE-2016-4561 in 3.20160506 changelog 2016-05-09 21:57:34 +01:00
Simon McVittie 2020bd88a5 Remove spurious changelog entry
This change was new in 3.20141016.3, but was applied to the master
branch several releases ago, so it is not new in 3.20160506.
2016-05-09 21:46:04 +01:00
Simon McVittie 9fe33a4c94 3.20160506 2016-05-06 07:54:47 +01:00
Simon McVittie dea96e5113 Document the security fixes in this release 2016-05-06 07:49:45 +01:00
Joey Hess 21b9b9e306 update test suite for svg passthrough by img directive
Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.
2016-05-06 06:58:56 +01:00
Simon McVittie 984ba82f1b img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.

(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)

[smcv: drop trailing whitespace, fix some spelling]
2016-05-06 06:57:12 +01:00
Joey Hess 7ff6221ac9 changelog for smcv's security fixes
[smcv: omit a change that was already in 3.20160514]
2016-05-06 06:53:41 +01:00
Amitai Schlair 6253567127 Changelog: process .md files iff created directly. 2016-03-08 14:34:02 -05:00
Joey Hess 8d28f70b37
loginselector: When only openid and emailauth are enabled, but passwordauth is not, avoid showing a "Other" box which opens an empty form. 2016-03-02 16:35:16 -04:00
Simon McVittie a3ee60f2f8 d/control: add Vcs-Browser 2016-01-22 00:55:03 +00:00
Simon McVittie 7db255ff60 d/control: use https for Homepage 2016-01-22 00:55:03 +00:00
Simon McVittie 53b10a64f0 3.20160121 2016-01-21 09:53:28 +00:00
Simon McVittie 0cc21b69e4 document recent inline and syslog fixes 2016-01-21 09:36:16 +00:00
Simon McVittie 179807e742 changelog: sort user-visible changes before packaging and test fixes 2016-01-21 09:31:07 +00:00
Simon McVittie b0627aef10 img test: use the right filenames when testing that deletion occurs
Also use a less misleading name for the sample SVG: it is no longer empty.
Since commit 105f285a it has contained a blue square.
2016-01-19 11:24:18 +00:00
Simon McVittie 5dceeb28d8 img test: skip testing PDFs if unsupported 2016-01-19 11:24:18 +00:00
Simon McVittie 317d19842c Silence "used only once: possible typo" warnings for variables that are part of modules' APIs 2016-01-19 11:24:18 +00:00
Simon McVittie e33b4678c7 d/control: Standards-Version: 3.9.6, no changes required 2016-01-19 11:24:18 +00:00
Simon McVittie 509a5a48d7 d/control: remove leading article from Description (lintian: description-synopsis-starts-with-article) 2016-01-19 11:24:18 +00:00
Simon McVittie 64d9729601 Change dependencies from transitional package perlmagick to libimage-magick-perl (Closes: #789221) 2016-01-19 11:24:18 +00:00
Simon McVittie 245109fa39 changelog: mention pagestats enhancement 2016-01-19 11:24:18 +00:00
Simon McVittie fc02c7fb69 Add license info to javascript underlay 2016-01-19 11:24:18 +00:00
Joey Hess 3cbc16abd6
underlays/javascript/* use ikiwiki's permissive license
I'm the sole author and copyright holder of these files.
2015-12-01 12:11:50 -04:00
Simon McVittie b199349ffd Merge remote-tracking branch 'smcv/ready/limit' 2015-11-30 20:55:34 +00:00
Simon McVittie ed1e1ebe70 git: if no committer identity is known, set it to "IkiWiki <ikiwiki.info>" in .git/config
This resolves commit errors in versions of git that require a non-trivial
committer identity.
2015-11-30 19:34:04 +00:00
Simon McVittie 719612a976 debian/copyright: update for the rename of openid-selector to login-selector 2015-11-30 18:52:19 +00:00
Simon McVittie a71ade73ff Add enough build-dependencies to run all tests, except for non-git VCSs 2015-11-30 18:26:23 +00:00