Commit Graph

33 Commits (7562350a3a2ed9aee52ed17972b80cafaf39c540)

Author SHA1 Message Date
Simon McVittie f4ec7b06d9 Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.

I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
2014-10-16 22:24:47 +01:00
Joey Hess 2f8bafb709 poll: Fix behavior of poll buttons when inlined. 2013-11-13 22:06:02 -04:00
Joey Hess 37cf511f06 poll: Add expandable option to allow users to easily add new choices to a poll. 2013-01-10 12:43:27 -04:00
Joey Hess 1182e9d0ee use one-parameter form of urlto 2010-11-29 15:07:26 -04:00
Simon McVittie 296e5cb2fd Use local paths for the CGI URL 2010-11-23 00:12:17 +00:00
Simon McVittie d2e3741a6f Use local paths for redirection where possible 2010-11-23 00:00:11 +00:00
Joey Hess ecdfd1b864 rcs_commit and rcs_commit_staged api changes
Using named parameters for these is overdue. Passing the session in a
parameter instead of passing username and IP separately will later allow
storing other session info, like username or part of the email.

Note that these functions are not part of the exported API,
and the prototype change will catch (most) skew, so I am not changing
API versions. Any third-party plugins that call them will need updated
though.
2010-06-23 19:04:36 -04:00
Joey Hess 4292802ee5 stop using REMOTE_ADDR
Everywhere that REMOTE_ADDR was used, a session object is available, so
instead use its remote_addr method.

In IkiWiki::Receive, stop setting a dummy REMOTE_ADDR.

Note that it's possible for a session cookie to be obtained using one IP
address, and then used from another IP. In this case, the first IP will now
be used. I think that should be ok.
2010-06-23 16:35:51 -04:00
Joey Hess 34fff64e7b setup file ordering 2010-02-12 06:35:52 -05:00
Joey Hess 678d467a40 finalise version 3.00 of the plugin api 2008-12-23 16:34:19 -05:00
Joey Hess bb93fccf06 Coding style change: Remove explcit vim folding markers. 2008-12-17 15:22:16 -05:00
Joey Hess bfab23ce33 typo 2008-09-27 14:27:42 -04:00
Simon McVittie 97e3263ad1 poll: Use urlto to produce redirection URLs, avoiding mentions of index.html 2008-09-21 18:26:48 +01:00
Joey Hess 6432d15cb4 fix a common case typo 2008-08-12 15:48:44 -04:00
Joey Hess 39195de96e add plugin safe/rebuild info (part 2 of 3)
(brain.. melting..)
2008-08-03 17:20:21 -04:00
Joey Hess d101269bde Move yesno function out of inline and into IkiWiki core, not exported. 2008-07-12 12:01:22 -04:00
Joey Hess fb3d5b4800 Fixes for behavior changes in perl 5.10's CGI
Something has changed in CGI.pm in perl 5.10. It used to not care
if STDIN was opened using :utf8, but now it'll mis-encode utf-8 values
when used that way by ikiwiki. Now I have to binmode(STDIN) before
instantiating the CGI object.

In 57bba4dac1, I changed from decoding
CGI::Formbuilder fields to utf-8, to decoding cgi parameters before setting
up the form object. As of perl 5.10, that approach no longer has any effect
(reason unknown). To get correctly encoded values in FormBuilder forms,
they must once again be decoded after the form is set up.

As noted in 57bba4da, this can cause one set of problems for
formbuilder_setup hooks if decode_form_utf8 is called before the hooks, and
a different set if it's called after. To avoid both sets of problems, call
it both before and after. (Only remaining problem is the sheer ugliness and
inefficiency of that..)

I think that these changes will also work with older perl versions, but I
haven't checked.

Also, in the case of the poll plugin, the cgi parameter needs to be
explcitly decoded before it is used to handle utf-8 values. (This may have
always been broken, not sure if it's related to perl 5.10 or not.)
2008-05-12 20:44:22 -04:00
Joey Hess a4b2e77077 add support for prefix_directives 2008-02-05 16:14:38 -05:00
Joey Hess 42e5b8dfdc prototype fix 2008-02-03 14:22:25 -05:00
Joey Hess 9f60272831 * poll: This plugin turns out to have edited pages w/o doing any locking.
Oops. Convert it from a cgi to a sessioncgi hook, which will work
  much better.
2008-02-03 00:26:00 -05:00
joey ee1ad53c4c * pagespec_match() has changed to take named parameters, to better allow
for extended pagespecs. The old calling convention will still work for
  back-compat for now.
* The calling convention for functions in the IkiWiki::PageSpec namespace
  has changed so they are passed named parameters.
* Plugin interface version increased to 2.00 since I don't anticipate any
  more interface changes before 2.0.
2007-04-27 02:55:52 +00:00
joey 68784b593f fix breakage 2007-02-21 09:04:59 +00:00
joey c60477228c * Since the CGI had to drop the wiki lock to avoid deadlocking the
commit hook, it was possible for one CGI to race another one and "win"
  the commit of both their files. This race has been fixed by adding a new
  commitlock, which when locked by the CGI, disables the commit hook
  (except for commit mails). The CGI then takes care of the updates the
  commit hook would have done.
2007-02-21 08:55:28 +00:00
joey 912521ef07 * Initial work on internationalization of the program code. po/ikiwiki.pot
is available for translation.
* Export gettext() from IkiWiki module.
2006-12-29 04:38:40 +00:00
joey 02c41e9eb1 use POST 2006-12-18 16:11:51 +00:00
joey 264a28a3b4 include choice in commit msg 2006-12-14 19:25:05 +00:00
joey c269d5c789 * Use POST for poll to avoid some robots. 2006-12-14 19:04:42 +00:00
joey 39c917cc5a bug 2006-11-26 20:56:46 +00:00
joey 10a45c8f43 oops 2006-11-26 20:53:29 +00:00
joey 278ea6e037 bugfix 2006-11-26 20:52:37 +00:00
joey fc11e4ad81 bugfixes 2006-11-26 20:50:46 +00:00
joey e7ddbb822a bugs 2006-11-26 20:23:23 +00:00
joey 5800d2160c add a poll plugin 2006-11-26 19:46:11 +00:00