Commit Graph

905 Commits (9fca7f2f8b64f4caded4a0099cef1f4d152dabee)

Author SHA1 Message Date
Joey Hess 9fca7f2f8b avoid uninitialised value 2008-05-02 13:01:51 -04:00
Joey Hess 6f852e88e3 anonk: Add anonok_pagespec configuration setting that can be used to allow anonymous users to edit only matching pages. Closes: #478892 2008-05-01 14:58:23 -04:00
Joey Hess bb51e81762 img: Support a title attribute, will be passed through to html. Closes: #478718 2008-04-30 12:58:36 -04:00
Joey Hess 9652cdfe2e toc: Add the table of contents at sanitize time, rather than at format time. This allows the toc to be displayed when previewing an edit. It also avoids headers in the page template from showing up in the toc. 2008-04-26 15:13:01 -04:00
Joey Hess b698bf2408 Use bzr --quiet to avoid it outputting stuff and messing up http headers. (Scott Bronson) 2008-04-10 17:44:40 -04:00
Joey Hess e4395a567b Fix broken rcs_update for bzr. (Scott Bronson) 2008-04-10 17:41:43 -04:00
Joey Hess 72b5ef2c5f Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.

In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.

In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.

For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)

The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 16:35:30 -04:00
Joey Hess 04e7467807 need to handle urls to images the same
Also, simplified finding the url to the top of the site.
2008-04-03 16:37:05 -04:00
Manoj Srivastava c207086282 Bug#473987: [PATCH] Links relative to baseurl mangled in atom/rss feeds
tag 473987 +patch
thanks
Hi,

The issue is that we need to convert relative links to absolute
ones for atom and rss feeds -- but there are two types of
relative links. The first kind, relative to the current
document ( href="some/path") is handled correctly. The second
kind of relative url is is relative to the http server
base (href="/semi-abs/path"), and that broke.

It broke because we just prepended the url of the current
document to the href (http://host/path/to/this-doc/ + link),
which gave us, in the first place:
 http://host/path/to/this-doc/some/path        [correct], and
 http://host/path/to/this-doc//semi-abs/path   [wrong]

The fix is to calculate the base for the http server (the base of
the wiki does not help, since the base of the wiki can be
different from the base of the http server -- I have, for example,
"url => http://host.name.mine/blog/manoj/"), and prepend that to
the relative references that start with a /.

This has been tested.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
2008-04-03 16:27:29 -04:00
Joey Hess de8c34df59 aggregate: Correct a mistake in the code that dummy up a guid for feeds lacking one. 2008-04-03 02:36:01 -04:00
Joey Hess f6bd81db15 Added a hardlink option in the setup file, useful if the source and dest are on the same filesystem and the wiki includes large media files, which would normally be copied, wasting time and space. 2008-03-29 21:02:47 -04:00
Joey Hess cb8d1c8642 revert destpage part of f7bdc2385
destpage does not normally need to be worried about when creating other files
as part of the process of rendering a page. Using destpage results in
inlined pages creating two copies of such files. It works to not use destpage
in this case because the inlining page depends on the source page, so if the
source page is modified or deleted the inlining page will be updated.
2008-03-23 20:01:26 -04:00
Joey Hess d2911a20a6 inline: Allow the "feedshow" parameter to take values greater than the value for "show". 2008-03-23 17:39:03 -04:00
Joey Hess 1c2f59239f typos 2008-03-21 19:09:29 -04:00
martin f. krafft e3624de63c Allow external plugins to return no value
Instead of using the XML-RPC v2 extension <nil/>, which Perl's
XML::RPC::Parser does not (yet) support (Joey's patch is pending), we
agreed on a sentinel: {'null':''}, that is, a hash with a single key
"null" pointing to the empty string.

The Python proxy automatically converts None appropriately and raises an
exception if a hook function should, by weird coincidence, attempt to
return {'null':''}.

Signed-off-by: martin f. krafft <madduck@madduck.net>
2008-03-21 15:07:10 -04:00
Joey Hess 14b3e645a8 work around perl warning 2008-03-21 05:08:04 -04:00
Joey Hess 42b6a6178c delete inline data after it's used 2008-03-21 04:51:14 -04:00
Joey Hess f937c1fb80 crazy optimisation to work around slow markdown
Markdown is slow. Especially if it has to process an enormous page. The
most common enormous page is currently the recentchanges page, which gets
processed a lot, and contains very little actual markdown. Most of it is a
big <div>, which markdown skips ... slowly.

This is a rather sick optimisation to work around markdown's speed issues.
Now inline inserts a small, dummy div, allows markdown to quickly render
the actual page content, then replaces the dummy with the actual inlined
pages later.

Results: Rendering just a recentchanges page, with diffs included, dropped
from 4.5 seconds to 2.7 seconds on my laptop. Building the entire wiki
dropped from 46.6 seconds to 39.5 seconds.

(It would be better if inline were a *post*-processor directive.)
2008-03-21 04:48:26 -04:00
Joey Hess 0b9e849aba process smilies in a sanitize hook
I had to move it to sanitize so all the markup is htmlized, so it can scan
for <pre> and <code>.
2008-03-21 03:16:28 -04:00
Joey Hess cd6055a893 another fix
I'm suprised that the second m//g didn't seem to clobber @-, but I don't
want to rely on that, so preserve it beforehand.
2008-03-21 02:57:34 -04:00
Joey Hess 88b5a0ece5 various fixes and simplifications 2008-03-21 02:55:14 -04:00
Joey Hess 44824dba1b smiley: Detect smileys inside pre and tags, and do not expand. 2008-03-21 02:43:20 -04:00
Joey Hess 628467125c Close meta tag for redir properly. 2008-03-21 00:24:06 -04:00
Joey Hess c92e9b34ec Store userinfo in network byte order for easy portability. (Old files will be automatically converted.) 2008-03-19 22:46:51 -04:00
Joey Hess 9f3788e2a2 optimisation, only load openid module when signing in
This makes the CGI about .2 seconds faster when editing pages etc.
2008-03-19 21:12:18 -04:00
Joey Hess d85c9660c5 fix setstate
Same fix as in d7f1292c31
2008-03-19 15:49:37 -04:00
Joey Hess 6eb3cf7e76 make setargv take an array
for consistentcy with getargv, which returns one
2008-03-19 15:49:00 -04:00
Joey Hess d7f1292c31 fix setvar
It was incorrectly setting the value to the number of items in @_, ie,
always 1.
2008-03-19 15:18:38 -04:00
Joey Hess f003e97d10 getargv needs to return a list reference
xml rpc only allows functions to return a single value, no lists. So getargv
needs to return a list reference, which means that the caller will see an xml
rpc array.
2008-03-19 15:12:59 -04:00
Joey Hess 52e16d4ec9 * Record new pages in %pagesources temporarily when previewing so that
things that need to know the page source or type can query it from there.
  Fixes previewing of tables when creating a new page.
2008-03-17 21:28:31 -04:00
Joey Hess ba480baa9e * external: Add getargv and setargv methods to allow access to ikiwiki's
@ARGV.
2008-03-15 14:19:49 -04:00
Joey Hess 5a7a89ffc5 * htmltidy: Pass --markup yes, in case tidy's config file disabled it. 2008-03-15 13:58:08 -04:00
Joey Hess e7ce86db11 * external: Fix support of XML::RPC::fault. 2008-03-15 13:49:22 -04:00
Joey Hess 7b6686ce70 * Fix expiry of old recentchanges changeset pages. 2008-03-14 18:55:17 -04:00
Joey Hess 16299dbae8 load HTML::Entities at top
Used in several subs, not all of which load it on demand, this seems simpler.
2008-03-14 18:43:54 -04:00
Joey Hess bc2671082b no need to use HTML::Entities, as it's loaded on demand by code below 2008-03-12 18:52:33 -04:00
Joey Hess 99c65a4c0e * Use absolute url for feedurl when filling out the feed templates.
Closes: #470530
2008-03-12 18:49:41 -04:00
Joey Hess 862ca19eb1 truncate recentchangesdiffs after 200 lines
This works around a perl crasher bug, and also avoids bloating pages
with enormous diffs.

rcs_recentchanges modified to return a list in an array context.
2008-03-12 15:45:10 -04:00
Joey Hess 3dc979470e use git show to get the diff
If a diff of the firsst commit in a git repo was requested, it would fail and
print to stderr since first^ isn't valid. Using git show will always work.
2008-03-12 14:44:20 -04:00
Joey Hess f7bdc2385d * Use forcebaseurl to make page previews be displayed with the html base
set to the destination page. This avoids need for hacks to munge the urls
  in preview mode, which fixes several bugs.
* Several destpage fixes in plugins.
2008-03-12 14:21:48 -04:00
Joey Hess 2fa9da9f16 * monotone: Require version 0.38 or greater, and stop using the mtnmergerc
option. (Brian May)
2008-03-12 10:46:04 -04:00
Joey Hess 51ee2a2eab fix syntax error 2008-03-12 10:35:25 -04:00
martin f. krafft d02e350a69 Correct meta.robots attribute value->content
This was a silly typo, sorry. <meta ...> takes an attribute content, not
value.

Signed-off-by: martin f. krafft <madduck@madduck.net>
2008-03-11 18:37:04 -04:00
martin f. krafft c471d5425f Generate openid2 headers as well
This causes meta.openid to also generate the openid2 headers.

Signed-off-by: martin f. krafft <madduck@madduck.net>
2008-03-11 15:53:21 -04:00
martin f. krafft 2325525713 Let meta.openid set X-XRDS-Location header
Adds an optional xrds-location parameter to the openid meta handler,
which allows for XRDS delegation.

A good document on XRDS is
http://www.windley.com/archives/2007/05/using_xrds.shtml

Signed-off-by: martin f. krafft <madduck@madduck.net>
2008-03-11 15:51:11 -04:00
Joey Hess fc4c1b7ec8 * Remove locking code in git rcs_commit. I'm not sure if this was ever
correct, and it's certianly not correct now, since the wiki is locked
  before rcs_commit is ever called, and should not be unlocked by
  rcs_commit either.
2008-03-07 12:25:40 -05:00
Joey Hess eec482aa65 test for Text::Markdown::[Mm]arkdown and use the available one
Markdown is such a splintered mess.. The current debian package provides
only Text::Markdown::Markdown, while all versions of Text::Markdown support
Text::Markdown::markdown, and old versions also support the capitalised version,
while new ones don't.

It's getting to the point where `grep /markdown/i %symbol_table` is the only
sane way to figure out what function to call..
2008-03-04 20:29:52 -05:00
Joey Hess 0217eebf49 * Use Text::Markdown::markdown, since version 1.0.16 of Text::Markdown
no longer supports Text::Markdown::Markdown. All old versions of
  Text::Markdown also support the lower-case version.
2008-03-04 20:17:55 -05:00
Joey Hess d93aaed791 * Add recentchangesdiff plugin that adds diffs to the recentchanges feeds.
* rcs_diff is a new function that rcs modules should implement.
* Implemented rcs_diff for git, svn, and tla (tla version untested).
  Mercurial and monotone still todo.
2008-03-03 15:53:34 -05:00
martin f. krafft c10cfb27d1 Add robots tag to meta plugin
Add special handling for <meta name="robots" ...> which needs not be
scrubbed as it's harmless.

Signed-off-by: martin f. krafft <madduck@madduck.net>
(cherry picked from commit b15d0299a7f7b147e89d8a202d6cca1c21491af2)
2008-03-02 18:04:09 -05:00