Commit Graph

15551 Commits (9c23006d31c5a70e5f8b60477862eb0b04281db6)

Author SHA1 Message Date
Simon McVittie 4fe6dd0551 request more information 2017-06-22 15:37:19 +01:00
Joey Hess 52a9d23e2c add bug report originally emailed to me by Peter Simons 2017-06-22 09:55:27 -04:00
Simon McVittie fee378f056 Announce 3.20170622 2017-06-22 10:55:32 +01:00
Simon McVittie 453e07fd9f meta: Specifically document [[!meta foo:bar="baz"]] as not working 2017-06-22 09:19:02 +01:00
j@d945f5982c686dda5ab7bc2ef45e09d388233fad 63e6fa68b0 2017-06-20 19:03:02 -04:00
alicef 18c4559f4e 2017-06-12 17:14:22 -04:00
https://tylercipriani.com/ 15278cad15 Ensure repo gets picked up by gitremotes script 2017-06-02 08:55:00 -04:00
https://tylercipriani.com/ e8ca4e5b8c Add jsonfeed patch 2017-06-01 19:26:28 -04:00
https://tylercipriani.com/ 07f0f84a8e Add thcipriani repository 2017-06-01 19:17:04 -04:00
https://tylercipriani.com/ d64ce01e0a Add my user page 2017-06-01 19:15:33 -04:00
smcv af501e9e14 current headinganchors does not damage headings' attributes, although it does not act on those headings 2017-06-01 10:03:51 -04:00
smcv d20dd0c97e 2017-06-01 09:59:36 -04:00
smcv 2f765597de resolved 2017-06-01 09:48:10 -04:00
anarcat bbf2d13ae3 response 2017-06-01 09:14:23 -04:00
anarcat 1bb8301ad6 response 2017-06-01 09:02:26 -04:00
https://me.yahoo.com/a/GwQv.Tw.p_ux8p4eLf9CkcwYsQ--#2fdeb 5c57e46dd5 2017-05-26 22:25:07 -04:00
smcv 25ba5d260c Added a comment: Please do not patch out the symlink check 2017-05-26 02:20:23 -04:00
mail@b2ae8518bb6eba14728f86acae7830e4c2d9943d 4bb6132283 Added a comment: git-annex support 2017-05-25 10:43:20 -04:00
openmedi 11b9eb0c19 2017-05-25 07:30:47 -04:00
smcv b29efcb4c6 Added a comment: I suggest asking macOS/brew people 2017-05-22 07:02:44 -04:00
qazwsx 88ca349cd1 2017-05-21 19:23:36 -04:00
qazwsx aeb9317387 2017-05-21 19:22:54 -04:00
openmedi dbb06580d5 Added a comment 2017-05-19 11:32:18 -04:00
smcv 8503f8ddaa Suggested syntax does work, and has a test 2017-05-19 09:57:28 -04:00
smcv 778d9e50d4 Document the special case for [[!meta name=foo content=bar]] 2017-05-19 09:50:52 -04:00
smcv 1e4e51754e it is (meant to be) possible, just not with that syntax 2017-05-19 09:43:08 -04:00
fmarier 219134beff 2017-05-18 13:33:44 -04:00
bma@d2ddf927e0bde7166ad151d794bee58589bedb40 da0900649c long out of date 2017-05-16 08:59:37 -04:00
Simon McVittie 01f2a84360 color: Use markup for the preserved CSS, not character data
This still smuggles it past the sanitize step, but avoids having
other plugins that want to capture text content without markup
(notably toc) see the CSS as if it was text content.
2017-05-16 12:08:55 +01:00
smcv 6ab4dee728 we should prefer existing IDs and only act as a fallback 2017-05-16 05:38:02 -04:00
smcv 81221cb030 cross-reference i18nheadinganchors 2017-05-16 05:26:25 -04:00
smcv ab793c1db0 correct ID syntax 2017-05-16 05:17:57 -04:00
smcv 5150874861 browsers and specifications support more Unicode than we give them credit for 2017-05-16 05:17:00 -04:00
smcv cad72ecfad close 2017-05-16 04:27:56 -04:00
Simon McVittie 787fb8b058 Prune dead links 2017-05-16 08:55:24 +01:00
Simon McVittie 9858519cc5 Reinstate a git repo that has come back 2017-05-16 08:55:24 +01:00
smcv 55ae3c7368 Added a comment 2017-05-16 03:29:33 -04:00
Simon McVittie 4fd5f7d910 Clarify documentation 2017-05-16 08:28:04 +01:00
Simon McVittie c72dc5ddb7 mdwn: Don't enable alphabetically labelled ordered lists by default
This avoids misinterpreting initials ("C. S. Lewis was an author"),
the abbreviation for Monsieur ("M. Descartes was a philosopher") and
German page numbering ("S. 42") as ordered lists if they happen to
begin a line.

This only affects the default Discount implementation: Text::Markdown
and Text::MultiMarkdown do not have this feature anyway. A new
mdwn_alpha_list option can be used to restore the old interpretation.
2017-05-16 08:09:15 +01:00
qazwsx 94316fca54 Added a comment 2017-05-15 02:19:37 -04:00
Simon McVittie 4db4e589e4 mdwn: Enable footnotes by default when using Discount
A new mdwn_footnotes option can be used to disable footnotes in
MultiMarkdown and Discount.
2017-05-14 18:16:53 +01:00
Simon McVittie 81c3258269 mdwn: Don't mangle <style> into <elyts> under some circumstances
We can ask libdiscount not to elide <style> blocks, which means we
don't have to work around them.
2017-05-14 17:45:55 +01:00
Simon McVittie 31c89db246 httpauth: If REMOTE_USER is empty, behave as though it was unset
A frequently cut-and-pasted HTTP basic authentication configuration
for nginx sets it to the empty string when not authenticated, which
is not useful.
2017-05-14 15:37:45 +01:00
Simon McVittie 59daf36cb2 httpauth: Recommend if_not_empty parameter for REMOTE_USER
This is untested, but should hopefully avoid the failure mode
described in [[bugs/Anon_edit_caused_lock_out_on_entire_site_]].
2017-05-14 15:36:26 +01:00
smcv 365a930c2c complete last paragraph 2017-05-14 08:31:49 -04:00
smcv f6fc4543fb I have a theory 2017-05-14 08:20:49 -04:00
smcv 1f2f8d5f77 Added a comment 2017-05-14 08:01:09 -04:00
smcv 75f905a18a 2017-05-14 07:53:24 -04:00
smcv 65fe86e6f3 recommend discount over multimarkdown 2017-05-14 07:51:56 -04:00
smcv b14e3456dd multimarkdown: it's a trap! 2017-05-14 07:47:42 -04:00
smcv 50fb6f8b95 Added a comment: Use an underlay instead 2017-05-14 07:37:14 -04:00
smcv b047fc3757 removed 2017-05-14 07:28:50 -04:00
smcv f56e365dd0 Added a comment: You can do almost this with an underlay 2017-05-14 07:27:54 -04:00
smcv 02b4fb50c9 Added a comment 2017-05-14 07:00:48 -04:00
smcv 74d99b0063 Added a comment: you can't use and/or/! inside the page() parameter, move them outside 2017-05-14 06:49:54 -04:00
smcv d49aefdb19 fix syntax 2017-05-14 06:41:21 -04:00
Joe Rayhawk b919f1c3d4 Piny: mothballing 2017-05-13 09:23:56 -07:00
STrRedWolf de347f9f6c 2017-05-10 20:52:32 -04:00
qazwsx 69a0f01355 2017-05-09 13:45:51 -04:00
DataComputist 708023250a Added a comment 2017-05-08 17:16:18 -04:00
DataComputist 587d5dc874 2017-05-08 14:04:22 -04:00
desci cd651030ea Updating links 2017-05-01 15:18:15 -04:00
desci 187c5a259c Updating links 2017-05-01 15:14:33 -04:00
openmedi d00ddc9aea Added a comment 2017-04-18 09:13:42 -04:00
openmedi d16946c950 2017-04-18 08:19:44 -04:00
STrRedWolf 3f709fab6c Initial commit. 2017-04-16 17:38:24 -04:00
STrRedWolf 42bfe31b8a 2017-04-16 16:53:43 -04:00
STrRedWolf d090696696 First time theme help needed. 2017-04-16 16:53:21 -04:00
anarcat defdf8544f add list of pending patches 2017-04-13 09:27:10 -04:00
anarcat 76001618c2 mark this as a real plugin: forgot the plugin template! 2017-04-13 09:23:21 -04:00
anarcat 2c0f52cd48 mark this as ready for merging 2017-04-13 09:22:28 -04:00
anarcat 1d96095af7 clarify that "patch" on contrib plugins means the author wants to merge 2017-04-13 09:21:09 -04:00
anarcat ad6d2e7de0 this is a patch - i'd like this in core, or at least a discussion on how to merge it with the main plugin 2017-04-13 09:19:23 -04:00
anarcat 6a1efc5c6a add a patch to make this happen 2017-04-12 16:15:23 -04:00
anarcat 7d72549ef8 rename plugins/contrib/i18nheadinganchor.mdwn to plugins/contrib/i18nheadinganchors.mdwn 2017-04-12 16:14:30 -04:00
anarcat 42b8a58565 add i18nheadinganchors plugin 2017-04-12 16:14:13 -04:00
anarcat a0a57fa8cc move my repo to gitlab 2017-04-12 16:13:47 -04:00
anarcat f65eae2126 respond to an old question 2017-04-12 15:40:09 -04:00
Joey Hess 6cdba67dac todo 2017-04-04 12:51:40 -04:00
desci 207666e903 Fixing format 2017-03-29 15:37:02 -04:00
desci 886610d85b As requested 2017-03-29 15:36:28 -04:00
desci 5c9d9b3213 Answering questions and updating links 2017-03-29 15:35:54 -04:00
tuxillo eba821b5f8 2017-03-19 20:33:38 -04:00
tuxillo 8d4342183b 2017-03-19 20:32:47 -04:00
martymcfly@55267c498da1bbb4b9fe2a8baadc45dc1bd8f57a f6f482af42 MyUserPage 2017-03-09 10:01:37 -04:00
martymcfly@55267c498da1bbb4b9fe2a8baadc45dc1bd8f57a 3e1d1ec36a Added a comment: PS 2017-03-09 10:00:23 -04:00
martymcfly@55267c498da1bbb4b9fe2a8baadc45dc1bd8f57a 17988f95b1 Ikiwiki error with Asciidoc 2017-03-09 09:59:06 -04:00
Joey Hess a3a6ec02e7 cleanup 2017-03-07 11:53:39 -04:00
kw_ikiwiki1@64633d204c198f52735247ca119bddbcbfaafdef 48a959eebb 2017-03-07 10:04:42 -04:00
kw_ikiwiki1@64633d204c198f52735247ca119bddbcbfaafdef 888b4603e1 test test blah blah 2017-03-07 09:59:48 -04:00
jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 6b75169007 speed up commenting by optionally providing a comment form in static pages 2017-03-03 10:52:14 -04:00
jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 5fc2e8b55b Added a comment 2017-03-03 10:48:03 -04:00
jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 135a302acc Added a comment 2017-03-03 10:29:13 -04:00
Joey Hess 90f4fd6635 my github mirror of ikiwiki has been deleted due to their horrible anti-free-software TOS 2017-03-01 13:34:42 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 31e095be9b Added a comment 2017-02-21 18:02:45 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 a7cf415822 +aka use page/index.mdwn source files 2017-02-21 17:51:59 -04:00
smcv 5bc7a30f64 Added a comment 2017-02-21 14:21:19 -04:00
smcv c24f538c6d Added a comment 2017-02-21 14:17:35 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 4e77978328 Added a comment 2017-02-20 23:56:19 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 4a2c4842bf Added a comment 2017-02-20 23:47:35 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 dc232c0006 Added a comment 2017-02-20 19:42:13 -04:00
openmedi 7618dafe0c Added a comment 2017-02-20 11:43:13 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 f3a9bed1c5 Added a comment 2017-02-19 17:59:26 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 8c4408900c removed 2017-02-19 17:52:54 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 3b19cc0ddd Added a comment 2017-02-19 17:48:23 -04:00
Louis 37056e736a Merge branch 'master' of git://ikiwiki.branchable.com 2017-02-18 22:56:06 +01:00
Louis ff784524b4 Update my (spalax) information 2017-02-18 21:11:47 +01:00
Louis e66912e677 Apology about the poor choice for the name of the sidebar2 plugin 2017-02-18 21:08:48 +01:00
Louis d9f6141cd7 New plugin: verboserpc 2017-02-18 21:08:48 +01:00
Louis 7bb8226987 New plugin: pageversion 2017-02-18 21:08:48 +01:00
Louis d2c4047282 New plugin: redirect 2017-02-18 20:43:52 +01:00
krqt.kndy@eb44788e4eb202f3e68eeb8ba175d3897c3979a9 b92b8caf11 2017-02-17 17:15:00 -04:00
vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40 c0fcd409fa Added a comment 2017-02-10 04:33:42 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 e748e0016d Added a comment 2017-02-09 17:48:06 -04:00
smcv 8502eb47fa Added a comment 2017-02-09 08:13:03 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 3d177313d6 2017-02-09 07:22:48 -04:00
svetlana 40d3bdac4c +update broken uris 2017-02-07 20:36:02 -04:00
svetlana 139197d823 2017-02-07 19:15:02 -04:00
svetlana 4f9a8d10de Confuses a map 2017-02-07 19:11:17 -04:00
svetlana 7b664f4151 2017-02-06 01:39:02 -04:00
svetlana 7c0292edc5 removed 2017-02-05 22:37:01 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 4c96c9decd 2017-02-05 15:31:24 -04:00
smcv 7744b4d849 change `pwd` to $HOME so assumptions are met even if you cd elsewhere 2017-02-03 16:48:48 -04:00
me@4eb1b66f86170ba2ff0690b93ad01f46bfc8eac4 c72fbbe21d No longer using ikiwiki 2017-02-03 12:54:47 -04:00
smcv 47b12458ae 2017-01-26 07:38:48 -04:00
svetlana 2265aef4e6 Does not show up in the setup 2017-01-24 00:59:27 -04:00
svetlana 9581c039e8 * [[guppy|http://guppy.branchable.com]] an internationalized modular Python IRC bot 2017-01-18 19:27:48 -04:00
smcv 1c8c0ccf59 Added a comment 2017-01-18 17:46:14 -04:00
smcv 0acf3b6d0c Added a comment: Do that through your web server, not ikiwiki 2017-01-18 17:45:30 -04:00
openmedi 6d0f460b12 2017-01-17 08:44:20 -04:00
Simon McVittie 12b4618228 Note another Debian 8 backport 2017-01-12 00:31:10 +00:00
Simon McVittie 666d87a50c Fix typo 2017-01-11 19:02:10 +00:00
Simon McVittie 8b54ba7ad1 Release 3.20170111 2017-01-11 18:18:38 +00:00
Simon McVittie 4d0e525e6a Document the security fix soon to be released in 3.20170111 2017-01-11 18:16:42 +00:00
Simon McVittie c7a4d57772 3.20170110 2017-01-10 13:22:13 +00:00
Simon McVittie 7586f5165e news: Use Debian security tracker instead of MITRE for CVE references
The Debian security tracker gets timely updates, whereas the official
CVE pages hosted by MITRE tend to show up as "RESERVED" for several
weeks or months after assignment.
2017-01-09 14:11:18 +00:00
Simon McVittie 9e03c00202 shortcuts: Use security-tracker.debian.org for [[!debcve]]
security.debian.org currently rejects HTTPS connections.
2017-01-09 14:09:35 +00:00
https://anarc.at/openid/ f2b65d0370 add debian security tracker 2016-12-30 16:48:40 -04:00
Simon McVittie a60f837695 Merge remote-tracking branch 'origin/master' 2016-12-29 21:34:10 +00:00
Simon McVittie e0341d0e88 3.20161229.1 2016-12-29 20:47:17 +00:00
smcv 7562350a3a add anchors for use in advisory to oss-security 2016-12-29 16:24:48 -04:00
Simon McVittie 04e322fd6b Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646 2016-12-29 20:08:49 +00:00
Simon McVittie 287bb19883 3.20161229 2016-12-29 17:37:51 +00:00
Simon McVittie cf0166347c Add CVE references for CVE-2016-9646, CVE-2016-9645
Thanks to the Debian security team for allocating these.
2016-12-29 17:36:11 +00:00
Simon McVittie 078d4208ca Prune git remotes that are unreachable or unresponsive 2016-12-29 17:30:56 +00:00
Simon McVittie a8a7462382 Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().

It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.

OVE-20161226-0002
2016-12-28 21:32:12 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
spalax a9b876e1fa Added a comment 2016-12-26 18:03:28 -04:00
smcv 836f165939 Added a comment 2016-12-26 15:26:25 -04:00
spalax 1a73c8d528 Question about default timezone ":/etc/localtime" 2016-12-25 17:05:08 -04:00