22 Commits (b234981213a8916b84afefa5d2ec6a3b1ba06750)

Author SHA1 Message Date
Simon McVittie 4126840f8d t: Accept optional file:// prefix on W3m-control 2018-01-29 22:35:29 +00:00
Simon McVittie a147f5349d Don't send relative redirect URLs when behind a reverse proxy 2018-01-08 10:56:12 +00:00
Simon McVittie 263f27c774 t/relativity.t: Add tests for IkiWiki::redirect behaviour
This reproduces [[bugs/cgi_redirecting_to_non-https_URL]].
2018-01-08 10:09:05 +00:00
Simon McVittie 4729ff0812 Exclude working directory from library path (CVE-2016-1238)
Current Perl versions put '.' at the end of the library search path
@INC, although this will be fixed in a future Perl release. This means
that when software loads an optionally-present module, it will be
looked for in the current working directory before giving up. An
attacker could use this to execute arbitrary Perl code from ikiwiki's
current working directory.

Removing '.' from the library search path in Perl is the correct
fix for this vulnerability, but is not trivial to do due to
backwards-compatibility concerns. Mitigate this (even if ikiwiki is run
with a vulnerable Perl version) by explicitly removing '.' from the
search path, and instead looking for ikiwiki's own modules relative
to the absolute path of the executable when run from the source
directory.

In tests that specifically want to use the current working directory,
use "-I".getcwd instead of "-I." so we use its absolute path, which
is immune to the removal of ".".
2016-07-28 09:50:21 +01:00
Simon McVittie cdfb4ab1a3 Run autopkgtest tests using autodep8 and the pkg-perl team's infrastructure 2015-11-30 18:26:22 +00:00
Simon McVittie fb7225dbe6 Remove now-redundant test-cases for a non-default html5 setting 2014-10-16 11:08:01 +01:00
Simon McVittie a052771287 Now that we're always using HTML5, <base href> can be relative 2014-10-16 11:05:19 +01:00
Amitai Schlair 47fff754c8 Extract test subs for each site. No change meant. 2014-10-12 09:30:31 -04:00
Amitai Schlair 508457fc05 Extract run_cgi(). No functional change intended. 2014-10-12 00:01:09 -04:00
Amitai Schlair 0db1679a3d Extract check_generated_content(). Same output. 2014-10-11 09:52:21 -04:00
Amitai Schlair dc872e42c8 Extract check_cgi_mode_bits(). No change intended. 2014-10-10 21:17:39 -04:00
Amitai Schlair cd9297322a Extract thoroughly_rebuild(), a slight test change.
I didn't try to parameterize when a test should fail when we can't
remove ikiwiki.cgi because there already isn't one. (Hooray, natural
language.) Instead, we stop worrying about it and always tolerate
ENOENT.
2014-10-10 20:40:24 -04:00
Amitai Schlair 7d82570fe0 Extract write_setup_file(). No functional change.
Test output differs only by the line numbers of the TODO items.
2014-10-10 20:25:54 -04:00
Amitai Schlair bb8f15e2a7 simplify IPC::Run check (same behavior) 2014-10-06 16:31:52 -04:00
Simon McVittie 33f60260b2 In html5 mode, generate a host- or protocol-relative <base> for the CGI
This increases the number of situations in which we do the right thing.
2014-10-05 23:49:37 +01:00
Simon McVittie 3b8da667cc Add reverse_proxy option which hard-codes cgiurl in CGI output
This solves several people's issues with the CGI trying to be
too clever when IkiWiki is placed behind a reverse-proxy.
2014-10-05 23:49:37 +01:00
Simon McVittie d712389ae3 Avoid mixed content when cgiurl is https but url is not 2014-10-05 23:49:37 +01:00
Simon McVittie 532f7adfdb Use protocol-relative URIs if cgiurl and url differ only by authority (hostname) 2014-10-05 15:56:19 +01:00
Simon McVittie fe9e94513a Fix a test-case that actually just repeated the previous one instead 2014-10-05 15:49:20 +01:00
Simon McVittie b0a35c817e Force use of $config{url} as top URL in w3mmode 2014-10-05 15:19:55 +01:00
Simon McVittie 210bf742b9 relative URLs test: pass an appropriate PERL5LIB through
We were previously using the system copy of IkiWiki, because the CGI
resets its environment.
2014-10-05 15:19:12 +01:00
Simon McVittie 823268e5c7 add the beginnings of a test for CGI/static URL interactions 2014-10-05 14:29:32 +01:00