Commit Graph

20138 Commits (8d864c2ab666871cf3391a12a8795c91f67f04f1)

Author SHA1 Message Date
smcv a8c96a1418 mention that the CVE-2016-4561 fix was backported 2016-05-09 08:24:35 -04:00
desci 176ff2fb5c Clarifying 2016-05-08 21:54:17 -04:00
desci dfcfefea74 Adding info regarding bootstrap classes 2016-05-08 21:53:14 -04:00
desci ed5ea6c303 Adding sites 2016-05-08 21:42:54 -04:00
Amitai Schlair 89af9ecc57 Detect image type from .JPG just like .jpg (etc.). 2016-05-08 18:31:02 -04:00
Amitai Schlair e24e6fed62 Fix spelling of "ratio" in test. 2016-05-08 18:31:02 -04:00
https://id.koumbit.net/anarcat 0ee5cb719c thanks! 2016-05-08 17:10:50 -04:00
smcv dca4461c11 tag added 2016-05-08 16:44:56 -04:00
https://id.koumbit.net/anarcat 590c42da03 thanks! 2016-05-08 16:40:13 -04:00
smcv 200a002ac5 sorry, one day I'll review this, but this is not that day 2016-05-08 16:37:34 -04:00
https://id.koumbit.net/anarcat 2576bceba2 still using this in production, would welcome feedback 2016-05-08 14:59:12 -04:00
https://id.koumbit.net/anarcat f80fdeb044 dropping this. 2016-05-08 14:57:28 -04:00
https://id.koumbit.net/anarcat c7364a0567 2016-05-08 14:56:26 -04:00
Simon McVittie 47b180e35f img: make img_allowed_formats case-insensitive 2016-05-07 23:22:52 +01:00
Simon McVittie 125461cab7 inline: expand show=N backwards compatibility to negative N
[[plugins/contrib]] uses show=-1 to show the post-creation widget
without actually inlining anything.
2016-05-06 22:51:02 +01:00
Simon McVittie 0abef571c7 Add CVE reference 2016-05-06 21:36:51 +01:00
smcv 855a7b5c6c respond 2016-05-06 15:29:51 -04:00
Simon McVittie cffc503e0c use intended filename 2016-05-06 20:16:58 +01:00
smcv dfadaa0bf9 escape directive properly; add paragraph breaks 2016-05-06 15:14:09 -04:00
smcv 455be983c0 rename todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn to bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn 2016-05-06 15:12:49 -04:00
smcv f4b1244878 already fixed 2016-05-06 15:12:29 -04:00
Simon McVittie 26d4641d02 Announce 3.20160506 2016-05-06 20:10:19 +01:00
Simon McVittie 847c9f232e Merge remote-tracking branch 'origin/master' 2016-05-06 20:05:45 +01:00
florian@883672f3f4dbd3c6bb430afc661484a58a3a1296 644d099e5a 2016-05-06 08:10:01 -04:00
Simon McVittie 9fe33a4c94 3.20160506 2016-05-06 07:54:47 +01:00
Simon McVittie f01283478b Exclude users/* from the HTML documentation 2016-05-06 07:53:53 +01:00
Simon McVittie 1ae01a592f Do not recommend mimetype(image/*)
Not all image file types are safe for general use: in particular,
image/svg+xml is known to be vulnerable to CVE-2016-3714 under some
ImageMagick configurations.
2016-05-06 07:49:50 +01:00
Simon McVittie dea96e5113 Document the security fixes in this release 2016-05-06 07:49:45 +01:00
Joey Hess 21b9b9e306 update test suite for svg passthrough by img directive
Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.
2016-05-06 06:58:56 +01:00
Simon McVittie 984ba82f1b img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.

(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)

[smcv: drop trailing whitespace, fix some spelling]
2016-05-06 06:57:12 +01:00
Joey Hess 7ff6221ac9 changelog for smcv's security fixes
[smcv: omit a change that was already in 3.20160514]
2016-05-06 06:53:41 +01:00
Simon McVittie 170cd41489 img: check magic number before giving common formats to ImageMagick
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
2016-05-05 23:43:50 +01:00
Simon McVittie 545a7bbbf0 img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
2016-05-05 23:43:50 +01:00
Simon McVittie 54a9f8d07d img: force common Web formats to be interpreted according to extension
A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, a SVG file named attachment.jpg.

This mitigates CVE-2016-3714.
2016-05-05 23:43:50 +01:00
Simon McVittie 32ef584dc5 HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)

The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
2016-05-05 23:43:17 +01:00
https://id.koumbit.net/anarcat 355ba85137 all good 2016-05-04 18:53:24 -04:00
smcv e874ce623b 2016-05-04 18:35:33 -04:00
https://id.koumbit.net/anarcat bd881a8ee6 response: confirmation it's a bug in MMD and Discount doesn't have footnotes, and request for workaround 2016-05-04 09:45:25 -04:00
smcv 291a09e537 discount (as used on this wiki) can do footnotes, but they aren't enabled by ikiwiki 2016-05-04 05:48:01 -04:00
smcv 337736663b response 2016-05-04 05:38:27 -04:00
Joey Hess f4b75b3b2c
response 2016-05-02 09:33:59 -04:00
https://id.koumbit.net/anarcat 017a7e9446 2016-04-29 00:32:02 -04:00
https://id.koumbit.net/anarcat 467f501d90 response 2016-04-28 20:13:05 -04:00
Joey Hess fe7ec461d4
Merge branch 'master' of ssh://git.ikiwiki.info 2016-04-28 19:34:51 -04:00
Joey Hess 3aa705b38a
response 2016-04-28 19:32:58 -04:00
Joey Hess 95c0a63675
Merge remote-tracking branch 'origin/master' 2016-04-28 19:06:01 -04:00
https://id.koumbit.net/anarcat 1e38006bbc 2016-04-28 10:12:52 -04:00
https://id.koumbit.net/anarcat 965aa5c6fa http/https issue 2016-04-28 10:08:05 -04:00
Antoine Beaupré 81852a7db7 smaller is too small for large blocks 2016-04-26 18:52:25 -04:00
Antoine Beaupré e316ea9a7c fix typo and comment 2016-04-26 18:50:47 -04:00