This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
If the relative link from the (page generating the) RSS to the target
would start with "./" or "../", just concatenating it with the URL to
the directory containing the RSS is not sufficient. Go via
URI::new_abs to fix this.
$im->Read() takes a filename-like argument with several sets of special
syntax. Most of the possible metacharacters are escaped by the
default `wiki_file_chars` (and in any case not particularly disruptive),
but the colon ":" is not.
It seems the way to force ImageMagick to treat colons within the
filename as literal is to prepend a colon, so do that.
[[forum/refresh_and_setup]] indicates some confusion between --setup
and -setup. Both work, but it's clearer if we stick to one in
documentation and code.
A 2012 commit to [[plugins/theme]] claims that "-setup" is required
and "--setup" won't work, but I cannot find any evidence in ikiwiki's
source code that this has ever been the case.
Discount in current Debian unstable turns the IURI href into a URI
by encoding the Unicode as UTF-8 and %-escaping each byte.
That is valid, and matches Wikipedia's expectations, but was breaking
this test for me.
It would also be entirely valid (and lead to equivalent parsing) if the
ö was represented as ö, ö or ö in the text and/or the href.
Inkscape loses the bounding box of a SVG with no content when it
converts it to EPS, and ImageMagick does not have a special case for
converting SVG to PNG with Inkscape in one step (which Inkscape can do);
it prefers to convert SVG to EPS with Inkscape, then EPS to whatever.
This means that people can do XSLT nonsense if they want to.
The failures are currently marked TODO because not everything in the
docwiki is in fact well-formed.
According to caniuse.com, a significant fraction of Web users are
still using Internet Explorer versions that do not support HTML5
sectioning elements. However, claiming we're XHTML 1.0 Strict
means we can't use features invented in the last 12 years, even if
they degrade gracefully in older browsers (like the role and placeholder
attributes).
This means our output is no longer valid according to any particular
DTD. Real browsers and other non-validator user-agents have never
cared about DTD compliance anyway, so I don't think this is a real loss.
I didn't try to parameterize when a test should fail when we can't
remove ikiwiki.cgi because there already isn't one. (Hooray, natural
language.) Instead, we stop worrying about it and always tolerate
ENOENT.
The old name still works, if its value is numeric.
This name allows a non-numeric "show" to mean the same thing
it does for [[!map]] (show title, show description, etc.).
there is now a size calculating part (which chooses a final size) and a
scaling part (which triggers if the sizes calculated by the former
indicate a downscaling).
this solves the issue of unproportional upscalings
(bugs/image_rescaling_distorts_with_small_pictures).
also, "small" pdf files (or pdf files without explicit size settings),
which would not be converted under the old mechanism, now get rendered
to pngs.
this commit affects a unit test: while svgs were previously
unconditionally rendered to pngs, this now only happens on downscaling.
this is intentional -- while a small version of an svg graphic is
likely to be more compact when rendered (eg as a preview), a large
version would not have that benefit, and why convert something that
browsers basically can show and be inconsistend with how other images
are handled. the new unit test simply makes the original svg larger to
check for the same behaviros as before.
If someone has explicitly disabled the postform, it seems reasonable
from a least-astonishment point of view for that to take precedence
over rootpage, even though that makes rootpage useless.
Also add a regression test; so far, this is all it tests.
After this change autoindex creates index pages also for empty directories
included in underlays, but only if it isn't going to commit them to the
srcdir ($config{autoindex_commit} = 0).
Inspired by a patch from Tuomas Jormola.
Bug-Debian: http://bugs.debian.org/611068
My change did cause this state to be retained. I hope this is not a
problem.
Afaik, plugins test if they were disabled before by looking at the toplevel
plugin state, not the per-page plugin state. So the only remaining problem
might be
a) A plugin is disabled but its state keeps being saved. Which is not
ideal, perhaps, but the large speedup of my optimisation seems worth it.
b) A plugin might have been enabled, be disabled, and get re-enabled, and
see old state from before. I don't see how this would be different from
the plugin seeing any other old state, though, so hopefully no breakage.
My optmisation looks a little more risky, but I still hope I can keep it.
Simple podcast feeds didn't have content tags and I made sure to
keep it that way. This may be unnecessarily conservative. Changing
the behavior to include empty content tags might be fine, but I
don't want to think about it right now, I just want my tests to
keep passing!
The new fancy-podcast tests are copy-pasted-edited from the
simple-podcast tests. These tests shall be refactored.
Joey Hess
Simon McVittie
Amitai Schlair
chrysn
Joey Hess
intrigeri
Antoine Beaupré