15 Commits (a87f43d71eccc6c71bd0dadcc1fe06ec809cfdcf)

Author SHA1 Message Date
Simon McVittie f4ec7b06d9 Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.

I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
2014-10-16 22:24:47 +01:00
Joey Hess d991ccf134 use cgitemplate, remove misctemplate 2011-01-05 17:15:38 -04:00
Joey Hess 1182e9d0ee use one-parameter form of urlto 2010-11-29 15:07:26 -04:00
Simon McVittie d2e3741a6f Use local paths for redirection where possible 2010-11-23 00:00:11 +00:00
Joey Hess ac6b5c12fa squash undef 2010-10-25 23:31:41 -04:00
Joey Hess c4cee4cfc5 add 2 more missing getsetup hooks 2010-07-14 14:44:40 -04:00
Joey Hess 1678604fe3 avoid redir loop when going to an internal page that has no permalink 2010-05-07 00:22:05 -04:00
Joey Hess 20ba12802b add section information 2010-02-12 04:22:15 -05:00
Joey Hess 2bceb10b5f 404/goto: Fix 404 display of utf-8 pages.
Problem here was that no charset http header was being sent.

I fixed this globally by making cgi_custom_failure send the header.
Required changing its parameters.
2009-12-14 18:16:47 -05:00
Joey Hess e40d2a6b2b goto: Support being passed a page title that is not a valid page name, to support several cases including mercurial's long user names on the RecentChanges page, and urls with spaces being handled by the 404 plugin. 2009-06-06 02:36:40 -04:00
Joey Hess affd4ca3da goto: Fix typo that broke recentchanges_link compatibility. 2009-02-27 13:21:29 -05:00
Joey Hess 5f96944dd5 typo 2009-02-17 19:37:36 -05:00
Joey Hess 52f2235e60 goto: Fix redirect to comments. 2009-02-17 19:36:58 -05:00
Joey Hess b0361b8efd factor out IE stupidity workaround 2009-01-31 19:02:50 -05:00
Simon McVittie c886bea320 Split cgi_goto into a goto plugin 2009-01-31 23:01:10 +00:00