284 Commits (69227b8b2611632592fce096cc06f04861a0b339)

Author SHA1 Message Date
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Joey Hess f88e109bec po: If msgmerge falls over on a problem po file, print a warning message, but don't let this problem crash ikiwiki entirely. 2014-12-30 15:51:50 -04:00
Mesar Hameed 062b196f51 Add two template variables, expose html language code and language direction. 2013-10-14 12:47:48 +02:00
Simon McVittie 5674e7fc12 prune: do not prune beyond an optional base directory, and add a test
Previously, prune("wiki/srcdir/sandbox/test.mdwn") could delete srcdir
or even wiki, if they happened to be empty. This is rarely what you
want: there's usually some base directory (destdir, srcdir, transientdir
or another subdirectory of wikistatedir) beyond which you do not want to
delete.
2012-04-07 17:52:29 +01:00
Joey Hess d68d255268 Added a "changes" hook. Renamed the "change" hook to "rendered", but
the old hook name is called for now for back-compat.
2012-03-28 18:43:07 -04:00
Joey Hess d134a2a6e9 avoid unnecessary uses of UNIVERSAL
Foo->Bar->can("method") works just as well, even if Foo::Bar is not
loaded. Using UNIVERSAL::can is deprecated.

But, I was unable to easily eliminate conditional.pm's use of UNIVERSAL::can
2012-03-18 14:34:21 -04:00
intrigeri f5c8fca887 po: add lang_code and lang_name template variables. 2011-07-18 16:39:18 +02:00
Joey Hess 50d2704db6 Merge remote-tracking branch 'intrigeri/po' 2011-06-03 12:36:30 -04:00
intrigeri 8084c79f92 po: set Locale::Po4a::Xml's ontagerror option to warn only. 2011-05-26 16:54:29 +02:00
intrigeri 3cd0c1f91a po: support language codes in the form of 'es_AR', and 'arn'.
... in addition to the previously supported two-letter codes.
2011-05-26 09:39:50 +02:00
Joey Hess 7821965ef0 fix targetpage replacement to support 3 argument form
Oddly, this hadn't caused any visible breakage. Possibly inline,
which is the only thing to use targetpage, resolves the function
to the "real" one before po gets loaded?
2011-03-24 19:44:32 -04:00
Joey Hess f39d02583a avoid stomping on inline's rootpage sub if it's not already present
If the inline plugin is not being loaded, or is perhaps loaded after po
(when IkiWiki::Setup::getsetup loads all the plugins, for example),
po should not inject its custom rootpage sub, as that will lead to a
redefinition error message when inline loads.
2011-03-24 17:55:03 -04:00
Joey Hess 726e0de7d7 run po checkconfig last so it can see underlays added in other checkconfig hooks 2011-01-25 15:39:58 -04:00
intrigeri 406485917a po: do not override homepage title when it was overridden. 2010-12-22 17:33:57 +01:00
intrigeri 74055be78f po plugin: update injected urlto signature.
The lack of $from will probably hurt setups using po_link_to = current,
but at least we can fix the blocker bug that prevents any wiki using the po
plugin to build.
2010-12-20 14:36:21 +01:00
Simon McVittie 55515050e1 make use of precompiled regex objects 2010-11-20 00:02:49 +00:00
Joey Hess 163fc34db7 use warn 2010-09-10 14:20:53 -04:00
Joey Hess 8c1a3595d4 avoid dups getting into @slavelanguages
This could happen if checkconfig was run twice, I think.
2010-09-10 14:12:59 -04:00
Joey Hess 23f8869009 po: Auto-upgrade old format settings to new formats when writing setup file. 2010-09-10 14:04:43 -04:00
Joey Hess fbfda5ccfc po: Make the po_master_language use a langpair like "en|English", so it can be configured via the web. 2010-09-10 13:13:00 -04:00
Joey Hess 400aabe82d po: Allow enabling via web setup.
The only unsafe thing should be that enabling it with some languages will
generate po files.
2010-09-10 11:45:59 -04:00
Joey Hess 8a6f4a7e50 needsbuild hook interface changed; the hooks should now return the modified array of things that need built. (Backwards compatibility code keeps plugins using the old interface working.) 2010-09-07 12:08:59 -04:00
intrigeri 5b0890f402 po: re-scan in scan hook rather than using the rescan hook that won't be added. 2010-08-02 13:39:41 +02:00
intrigeri 352c62a8de po: ignore non-existent translations in otherlanguages* 2010-08-02 13:10:28 +02:00
intrigeri d8a99e97ad po: avoid bringing duplicates into %links 2010-08-02 12:52:46 +02:00
intrigeri d9f0b56a41 po(mybestlink): avoid linking to non-existent translation pages. 2010-08-02 12:52:10 +02:00
intrigeri 5948bb01cb po: rescan converted content on refresh too. 2010-07-30 16:20:12 +02:00
intrigeri b09b8621b2 po: use rescan hook instead of rebuilding twice.
The po rescan hook re-runs the scan hooks, and runs the preprocess ones in scan
mode, both on the po-to-markup converted content. This way, plugins such as meta
are given a chance to gather correct information, rather than ugly/buggy escaped
data it did gather from unconverted PO files.
2010-07-30 16:14:30 +02:00
intrigeri 2f71e7f8f5 Merge remote branch 'upstream/master' into prv/po 2010-07-24 11:19:28 +02:00
Joey Hess b5bd92e77e whitespace fixes and a typo 2010-07-23 14:26:57 -04:00
intrigeri bb22e8c4a6 po: optimization
No need to use "keys %{$config{po_slave_languages}}" repeatedly:
the slave languages codes list is already cached in @slavelanguages.
2010-07-20 02:26:23 +02:00
intrigeri 862fc7c1ab Support ordered po_slave_languages as discussed previously.
Backward compatibility is still supported.
2010-07-20 02:25:17 +02:00
Joey Hess 35c9956df0 Revert "po_slave_languages can now be a hash, if order matters."
This reverts commit 4cf185e781.

That commit broke t/po.t (probably the test case only is testing too
close to the old implementation and needs correcting).

Also, we have not decided how we want to represent it yet, so I'm not
ready for this change.

Conflicts:

	IkiWiki/Plugin/po.pm
	doc/plugins/po.mdwn
2010-07-18 20:04:39 -04:00
Joey Hess bfd896f5e5 typo 2010-07-18 19:37:14 -04:00
intrigeri 4449a70214 po: check validity of po_slave_languages array. 2010-07-11 12:28:02 +02:00
intrigeri 98cc9460ac po: added an optional target percentage to needstranslation 2010-07-11 11:58:09 +02:00
intrigeri 4a1cb092ba Revert po vs. template kludges.
This reverts commits dcd57dd5c9,
d4136aea8a and
d877b9644b.
2010-07-11 11:03:41 +02:00
intrigeri c99d26030e Merge remote branch 'upstream/master' into prv/po
Conflicts:
	IkiWiki/Plugin/po.pm
	doc/plugins/po.mdwn
2010-07-11 10:46:18 +02:00
intrigeri cd03bd0b80 po: added support for html pagetype
... after having audited the po4a Xml and Xhtml modules for security issues.

Signed-off-by: intrigeri <intrigeri@boum.org>
(cherry picked from commit a128c256a5)
2010-07-04 15:27:02 -04:00
intrigeri a6e629e5cf po: s/utf-8/UTF-8, to solve part of the double commit bug.
(cherry picked from commit 4f44534d72)
2010-07-04 15:25:07 -04:00
Joey Hess 8a8914151c review of needstranslation() pagespec
Minor wording fix; changelog; etc.
2010-07-04 14:22:19 -04:00
intrigeri be49679fe9 po: added a needstranslation() pagespec
(cherry picked from commit b225fdc44d)
2010-07-04 14:20:12 -04:00
intrigeri c9b1a4dd7d bugfix 2010-07-02 11:46:49 +02:00
intrigeri b225fdc44d po: added a needstranslation() pagespec 2010-06-29 15:45:34 +02:00
intrigeri dcd57dd5c9 Add a fullpage arg to filter.
Set it to true every time IkiWiki::filter is called on a full page's content.

This is a much nicer solution, for the po plugin, than previous whitelisting
using caller().
2010-06-29 15:17:56 +02:00
intrigeri 4f44534d72 po: s/utf-8/UTF-8, to solve part of the double commit bug. 2010-06-26 01:16:56 +02:00
intrigeri 4cf185e781 po_slave_languages can now be a hash, if order matters. 2010-06-26 00:56:06 +02:00
intrigeri a128c256a5 po: added support for html pagetype
... after having audited the po4a Xml and Xhtml modules for security issues.

Signed-off-by: intrigeri <intrigeri@boum.org>
2010-06-25 23:18:57 +02:00
intrigeri 903a71c1b9 TODO++ 2010-06-25 17:45:08 +02:00
intrigeri d4136aea8a po: also filter sidebar translation pages 2010-06-25 17:43:25 +02:00