Commit Graph

20178 Commits (cb7aa6cf3d2bf22a2762ae19434131eb9d2a2bcb)

Author SHA1 Message Date
kw_ikiwiki1@64633d204c198f52735247ca119bddbcbfaafdef 888b4603e1 test test blah blah 2017-03-07 09:59:48 -04:00
jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 6b75169007 speed up commenting by optionally providing a comment form in static pages 2017-03-03 10:52:14 -04:00
jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 5fc2e8b55b Added a comment 2017-03-03 10:48:03 -04:00
jmtd@d79be1606aba831a3b476d5fff7d99f4b321eab2 135a302acc Added a comment 2017-03-03 10:29:13 -04:00
Joey Hess 90f4fd6635
my github mirror of ikiwiki has been deleted due to their horrible anti-free-software TOS 2017-03-01 13:34:42 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 31e095be9b Added a comment 2017-02-21 18:02:45 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 a7cf415822 +aka use page/index.mdwn source files 2017-02-21 17:51:59 -04:00
smcv 5bc7a30f64 Added a comment 2017-02-21 14:21:19 -04:00
smcv c24f538c6d Added a comment 2017-02-21 14:17:35 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 4e77978328 Added a comment 2017-02-20 23:56:19 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 4a2c4842bf Added a comment 2017-02-20 23:47:35 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 dc232c0006 Added a comment 2017-02-20 19:42:13 -04:00
openmedi 7618dafe0c Added a comment 2017-02-20 11:43:13 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 f3a9bed1c5 Added a comment 2017-02-19 17:59:26 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 8c4408900c removed 2017-02-19 17:52:54 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 3b19cc0ddd Added a comment 2017-02-19 17:48:23 -04:00
Louis 37056e736a Merge branch 'master' of git://ikiwiki.branchable.com 2017-02-18 22:56:06 +01:00
Louis ff784524b4 Update my (spalax) information 2017-02-18 21:11:47 +01:00
Louis e66912e677 Apology about the poor choice for the name of the sidebar2 plugin 2017-02-18 21:08:48 +01:00
Louis d9f6141cd7 New plugin: verboserpc 2017-02-18 21:08:48 +01:00
Louis 7bb8226987 New plugin: pageversion 2017-02-18 21:08:48 +01:00
Louis d2c4047282 New plugin: redirect 2017-02-18 20:43:52 +01:00
krqt.kndy@eb44788e4eb202f3e68eeb8ba175d3897c3979a9 b92b8caf11 2017-02-17 17:15:00 -04:00
vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40 c0fcd409fa Added a comment 2017-02-10 04:33:42 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 e748e0016d Added a comment 2017-02-09 17:48:06 -04:00
smcv 8502eb47fa Added a comment 2017-02-09 08:13:03 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 3d177313d6 2017-02-09 07:22:48 -04:00
svetlana 40d3bdac4c +update broken uris 2017-02-07 20:36:02 -04:00
svetlana 139197d823 2017-02-07 19:15:02 -04:00
svetlana 4f9a8d10de Confuses a map 2017-02-07 19:11:17 -04:00
svetlana 7b664f4151 2017-02-06 01:39:02 -04:00
svetlana 7c0292edc5 removed 2017-02-05 22:37:01 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 4c96c9decd 2017-02-05 15:31:24 -04:00
smcv 7744b4d849 change `pwd` to $HOME so assumptions are met even if you cd elsewhere 2017-02-03 16:48:48 -04:00
me@4eb1b66f86170ba2ff0690b93ad01f46bfc8eac4 c72fbbe21d No longer using ikiwiki 2017-02-03 12:54:47 -04:00
smcv 47b12458ae 2017-01-26 07:38:48 -04:00
svetlana 2265aef4e6 Does not show up in the setup 2017-01-24 00:59:27 -04:00
svetlana 9581c039e8 * [[guppy|http://guppy.branchable.com]] an internationalized modular Python IRC bot 2017-01-18 19:27:48 -04:00
smcv 1c8c0ccf59 Added a comment 2017-01-18 17:46:14 -04:00
smcv 0acf3b6d0c Added a comment: Do that through your web server, not ikiwiki 2017-01-18 17:45:30 -04:00
openmedi 6d0f460b12 2017-01-17 08:44:20 -04:00
Simon McVittie 12b4618228 Note another Debian 8 backport 2017-01-12 00:31:10 +00:00
Simon McVittie 666d87a50c Fix typo 2017-01-11 19:02:10 +00:00
Simon McVittie 8b54ba7ad1 Release 3.20170111 2017-01-11 18:18:38 +00:00
Simon McVittie 4d0e525e6a Document the security fix soon to be released in 3.20170111 2017-01-11 18:16:42 +00:00
Simon McVittie 2486d83706 remove: make it clearer that repeated page parameter is OK here
ikiwiki's web interface does not currently have UI for removing
multiple pages simultaneously, but the remove plugin is robust
against doing so. Use a clearer idiom to make that obvious.
2017-01-11 18:11:21 +00:00
Simon McVittie d157a97452 CGI, attachment, passwordauth: harden against repeated parameters
These instances of code similar to OVE-20170111-0001 are not believed
to be exploitable, because defined(), length(), setpassword(),
userinfo_set() and the binary "." operator all have prototypes that
force the relevant argument to be evaluated in scalar context. However,
using a safer idiom makes mistakes less likely.

(cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
2017-01-11 18:11:07 +00:00
Simon McVittie b642cbef80 passwordauth: avoid userinfo forgery via repeated email parameter
OVE-20170111-0001

(cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)
2017-01-11 18:11:07 +00:00
Simon McVittie 3964787238 t/passwordauth.t: new automated test for passwordauth
In particular this includes an exploit for OVE-20170111-0001.

(cherry picked from commit fbe207212b1f4a395dc297fb274ef07afd7d68f3)
2017-01-11 18:11:06 +00:00
Simon McVittie f357856448 passwordauth: prevent authentication bypass via multiple name parameters
Calling CGI::FormBuilder::field with a name argument in list context
returns zero or more user-specified values of the named field, even
if that field was not declared as supporting multiple values.
Passing the result of field as a function parameter counts as list
context. This is the same bad behaviour that is now discouraged
for CGI::param.

In this case we pass the multiple values to CGI::Session::param.
That accessor has six possible calling conventions, of which four are
documented. If an attacker passes (2*n + 1) values for the 'name'
field, for example name=a&name=b&name=c, we end up in one of the
undocumented calling conventions for param:

    # equivalent to: (name => 'a', b => 'c')
    $session->param('name', 'a', 'b', 'c')

and the 'b' session parameter is unexpectedly set to an
attacker-specified value.

In particular, if an attacker "bob" specifies
name=bob&name=name&name=alice, then authentication is carried out
for "bob" but the CGI::Session ends up containing {name => 'alice'},
an authentication bypass vulnerability.

This vulnerability is tracked as OVE-20170111-0001.

(cherry picked from commit e909eb93f4530a175d622360a8433e833ecf0254)
2017-01-11 18:11:06 +00:00