Commit Graph

10 Commits (93921c7c2b4eb193c588876dee0f8d0f97028330)

Author SHA1 Message Date
Simon McVittie 4729ff0812 Exclude working directory from library path (CVE-2016-1238)
Current Perl versions put '.' at the end of the library search path
@INC, although this will be fixed in a future Perl release. This means
that when software loads an optionally-present module, it will be
looked for in the current working directory before giving up. An
attacker could use this to execute arbitrary Perl code from ikiwiki's
current working directory.

Removing '.' from the library search path in Perl is the correct
fix for this vulnerability, but is not trivial to do due to
backwards-compatibility concerns. Mitigate this (even if ikiwiki is run
with a vulnerable Perl version) by explicitly removing '.' from the
search path, and instead looking for ikiwiki's own modules relative
to the absolute path of the executable when run from the source
directory.

In tests that specifically want to use the current working directory,
use "-I".getcwd instead of "-I." so we use its absolute path, which
is immune to the removal of ".".
2016-07-28 09:50:21 +01:00
Simon McVittie 7aca0d40a3 Compose relative URLs in RSS feeds correctly
If the relative link from the (page generating the) RSS to the target
would start with "./" or "../", just concatenating it with the URL to
the directory containing the RSS is not sufficient. Go via
URI::new_abs to fix this.
2016-01-21 08:40:14 +00:00
Simon McVittie b199349ffd Merge remote-tracking branch 'smcv/ready/limit' 2015-11-30 20:55:34 +00:00
Simon McVittie cdfb4ab1a3 Run autopkgtest tests using autodep8 and the pkg-perl team's infrastructure 2015-11-30 18:26:22 +00:00
Amitai Schlair 604d0391ba Squelch regex deprecation warnings from Perl 5.22.
Specifically:

"Unescaped left brace in regex is deprecated, passed through in regex"
2015-06-14 21:35:51 -04:00
Simon McVittie 9497fc1b6c t/inline.t: accept translations of "Add a new post titled:" (Closes: #779365) 2015-03-01 17:15:13 +00:00
Simon McVittie a1fda0b516 Standardize on --long-option instead of -long-option
[[forum/refresh_and_setup]] indicates some confusion between --setup
and -setup. Both work, but it's clearer if we stick to one in
documentation and code.

A 2012 commit to [[plugins/theme]] claims that "-setup" is required
and "--setup" won't work, but I cannot find any evidence in ikiwiki's
source code that this has ever been the case.
2015-03-01 16:15:01 +00:00
Simon McVittie ab768a62c6 Rename show parameter of [[!inline]] and [[!pagestats]] to limit
The old name still works, if its value is numeric.

This name allows a non-numeric "show" to mean the same thing
it does for [[!map]] (show title, show description, etc.).
2014-09-14 15:15:27 +01:00
Simon McVittie 43367c5e30 extend regression test for inline to cover inlining, show, reverse 2014-09-14 15:14:42 +01:00
Simon McVittie 0357ad66ea inline: postform=no should take precedence over rootpage existing
If someone has explicitly disabled the postform, it seems reasonable
from a least-astonishment point of view for that to take precedence
over rootpage, even though that makes rootpage useless.

Also add a regression test; so far, this is all it tests.
2014-07-04 23:23:42 +01:00