Commit Graph

59 Commits (cb8421b0249dc9fc85d6891ef6685a28c7818785)

Author SHA1 Message Date
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Amitai Schlair 63fa0ef5ba Process .md like .mdwn, but disallow web creation. 2016-03-08 14:31:15 -05:00
Simon McVittie 17fccbca94 Do not pass ignored sid parameter to checksessionexpiry
checksessionexpiry's signature changed from
(CGI::Session, CGI->param('sid')) to (CGI, CGI::Session) in commit
985b229b, but editpage still passed the sid as a useless third
parameter, and this was later cargo-culted into remove, rename and
recentchanges.
2014-10-12 18:03:57 +01:00
Simon McVittie bb359796b8 protect $@ whenever a block using $@ is non-trivial
As noted in the Try::Tiny man page, eval/$@ can be quite awkward in
corner cases, because $@ has the same properties and problems as C's
errno. While writing a regression test for definetemplate
in which it couldn't find an appropriate template, I received

    <span class="error">Error: failed to process template
    <span class="createlink">deftmpl</span> </span>

instead of the intended

    <span class="error">Error: failed to process template
    <span class="createlink">deftmpl</span> template deftmpl not
    found</span>

which turned out to be because the "catch"-analogous block called
gettext before it used $@, and gettext can call define_gettext,
which uses eval.

This commit alters all current "catch"-like blocks that use $@, except
those that just do trivial things with $@ (string interpolation, string
concatenation) and call a function (die, error, print, etc.)
2014-02-21 17:06:36 +00:00
Joey Hess e81e857ba6 add comment subscription checkbox to editpage
Reworded template, which also called the commit message a "comment".
2012-04-13 14:28:02 -04:00
Simon McVittie 5674e7fc12 prune: do not prune beyond an optional base directory, and add a test
Previously, prune("wiki/srcdir/sandbox/test.mdwn") could delete srcdir
or even wiki, if they happened to be empty. This is rarely what you
want: there's usually some base directory (destdir, srcdir, transientdir
or another subdirectory of wikistatedir) beyond which you do not want to
delete.
2012-04-07 17:52:29 +01:00
Joey Hess 41f6363a63 editpage: Fix FormattingHelp link on Discussion pages.
In 875d550f12 I for some reason
made $page be changed when creating a discussion page, which
broke the link on the edit page. Changing page seems unnecessary,
so reverted that part of the change.
2011-11-27 13:19:19 -04:00
Joey Hess 875d550f12 Fix handling of discussion page creation links to make discussion pages in the right place and with the right case.
Broken by page case preservation feature added in 3.20110707.
2011-11-06 16:14:04 -04:00
Joey Hess 25b01f9404 Preserve mixed case in page creation links, and when creating a page whose title is mixed case, allow selecting between the mixed case and all lower-case names. 2011-06-29 16:38:32 -04:00
Joey Hess b752e7fec4 editpage: Avoid inheriting internal page types. 2011-02-01 21:01:26 -04:00
Joey Hess c1c69db749 fix uninitilized value warning on bad page name
properly this time
2011-01-23 17:36:27 -04:00
Joey Hess 73364d2b29 Revert "fix uninitilized value warning on bad page name"
This reverts commit 5d3998555f.

That broke posting via blog form.
2011-01-23 10:11:46 -04:00
Joey Hess 5d3998555f fix uninitilized value warning on bad page name 2011-01-22 10:07:37 -04:00
Joey Hess 4a6ac6b485 add cgitemplate
cgitemplate is a modified misctemplate that takes an optional cgi object
and uses it to set the baseurl, and also optionally the forcebaseurl,
if a page is provided.

If no cgi object is provided, it will fall back to using $config{url}.
I expect this will only be needed in exceptional cases where
that doesn't much matter, such as cgierror().

showform uses cgitemplate, so there is no more need for showform_preview.
2011-01-05 17:06:11 -04:00
Joey Hess 8c9c3915ec Fix base url when previewing. Was broken by urlto changes in last release.
Added a showform_preview that is like showform, but sets forcebaseurl
to point to the page being previewed.
2011-01-05 13:50:42 -04:00
Joey Hess beae7ef9db editpage, comment: Clean up title when editing or creating a page or comment.
Now that page.tmpl is used for cgi, the parentlinks are able to be
displayed even when creating or editing a page. So it's redundant to
include the path to the page in the title, remove it.
2010-12-25 13:38:26 -04:00
Joey Hess 1182e9d0ee use one-parameter form of urlto 2010-11-29 15:07:26 -04:00
Simon McVittie 1f019ac2aa Use local paths for most references to pages 2010-11-23 00:19:10 +00:00
Simon McVittie 296e5cb2fd Use local paths for the CGI URL 2010-11-23 00:12:17 +00:00
Simon McVittie d2e3741a6f Use local paths for redirection where possible 2010-11-23 00:00:11 +00:00
Joey Hess ecdfd1b864 rcs_commit and rcs_commit_staged api changes
Using named parameters for these is overdue. Passing the session in a
parameter instead of passing username and IP separately will later allow
storing other session info, like username or part of the email.

Note that these functions are not part of the exported API,
and the prototype change will catch (most) skew, so I am not changing
API versions. Any third-party plugins that call them will need updated
though.
2010-06-23 19:04:36 -04:00
Joey Hess 4292802ee5 stop using REMOTE_ADDR
Everywhere that REMOTE_ADDR was used, a session object is available, so
instead use its remote_addr method.

In IkiWiki::Receive, stop setting a dummy REMOTE_ADDR.

Note that it's possible for a session cookie to be obtained using one IP
address, and then used from another IP. In this case, the first IP will now
be used. I think that should be ok.
2010-06-23 16:35:51 -04:00
Joey Hess c0bc2d0839 editpage, comments: Fix broken links in sidebar (due to forcebaseurl). (Thanks, privat) 2010-06-14 14:34:52 -04:00
Joey Hess 31fa7714e7 editpage: Rename "comments" field to avoid CSS conflict with the comments div. 2010-06-12 18:10:33 -04:00
Joey Hess 24b59b3a9e editpage: Avoid storing accidental state changes when previewing pages.
This is a slow, safe, stupid approach. Could make deep copies of the data
structures as backups instead of re-loading the index from disk.
2010-06-09 17:44:40 -04:00
Joey Hess e93cee3378 Fix display of sidebar when previewing page edit. (Thanks, privat)
On second thought, only display a page's personal sidebar when previewing
it, not when editing normally.
2010-06-09 16:59:17 -04:00
Joey Hess e96cf38ecc When editing a page, show that page's sidebar. (Thanks, privat) 2010-06-09 16:00:12 -04:00
Joey Hess 1193759568 remove unused indexlink function and template variable 2010-05-05 20:42:56 -04:00
Joey Hess c2656f08f3 template() - return params in list context
I forgot CGI::Formbuilder's horrible interface that needs template
parameters instead of a constructed object.
2010-04-24 16:15:47 -04:00
Joey Hess abd2339312 look for templates in srcdir and underlays, first
This entailed changing template_params; it no longer takes the template
filename as its first parameter.

Add template_depends to api and replace calls to template() with
template_depends() in appropriate places, where a dependency should be
added on the template.

Other plugins don't use template(), so will need further work.

Also, includes are disabled for security. Enabling includes only when using
templates from the templatedir would be nice, but would add a lot of
complexity to the implementation.
2010-04-22 15:55:58 -04:00
Joey Hess 81eae1a531 typo 2010-04-20 14:25:17 -04:00
Joey Hess 230a8b22a4 remove explicit absolute test
file_pruned now tests for that
2010-04-20 13:59:17 -04:00
Joey Hess 7a92c0aa4a clarify why absolute is tested & stripped here
file_prune also fails on absolute filenames now
2010-04-20 13:49:46 -04:00
Joey Hess a97964688b unfinished file_prune revamp
Many calls to file_prune were incorrectly calling it with 2 parameters.
In cases where the filename being checked is relative to the srcdir,
that is not needed.

Made absolute filenames be pruned. (This won't work for the 2 parameter call
style.)
2010-04-17 19:05:40 -04:00
Joey Hess a63929f6cc Group related plugins into sections in the setup file, and drop unused rcs plugins from the setup file. 2010-02-11 22:24:15 -05:00
Joey Hess 7af18f2a1e reorder canedit checks during page creation to have best_loc first
When creating a page, multiple locations are tested to see if they can be
edited. If all fail, one of the failure subs is called, to log the user in
to allow them to proceed with the edit. So far so good.

But, what if some pages fail for one reason, and some for another? This
occurs when httpauth_pagespec is used in conjunction with signinedit (and
openid or something). When the user is not signed in at all
The former will fail to edit a page because the user was not httpauthed.
The latter will fail to edit a different page, because the user was not
signed in. One of their failure methods gets to run first.

The page creation code always ran the failure method corresponding to the
topmost page location. So, when editing a foo/Discussion page, and with
httpauth_pagespec => "*!/Discussion", it ran the httpauth failure method,
which was exactly the wrong thing to do.

I fixed this by making it instead run the failure method for the *best*
page location. In the above example, that's foo/Discussion, so signinedit
runs, as desired, and we get the signin page.

This seems like it will be the right choice, or at least an acceptable
choice. If a user wants to use httpauth they can always choose it on the
signin page.
2010-02-11 20:13:30 -05:00
Joey Hess 8380a9d000 factor out a userpage function
Not yet exported, as only 4 quite core plugins use it.
2010-02-04 18:24:15 -05:00
Joey Hess 830c9e59b2 Add discussionpage configuration setting
By adding this setting, we get both more configurability, and a minor
optimisation too, since gettext does not need to be called continually
to get the Discussion value.
2009-08-13 21:41:33 -04:00
Joey Hess 059d6f01fa fix further places where translated discussion case was assumed
Another benefit is that consistently using gettext("Discussion")
eliminates the need to translate one string.
2009-06-04 13:20:52 -04:00
Joey Hess 27193a2eeb support longname for page types in commands and rename
Also, sort the list of page types.
2009-05-21 15:50:25 -04:00
Jon Dowland eba9b862b2 tidy up new page_types code 2009-05-16 14:44:23 +01:00
Jon Dowland 30248df40a check for longname for each syntax plugin
We build an array of [ plugin name, long name ] pairs, where long name
is an optional argument to hook(). So, a syntax plugin could define
long "friendly" name, such as "Markdown" instead of mdwn, and we would
then pass this array to formbuilder to populate the drop-down on the
edit page.
2009-05-16 13:56:25 +01:00
Joey Hess 2c51b18aec move check_canedit, check_content to IkiWiki library from editpage
It no longer makes sense to keep these functions in editpage, because
serveral plugins now exist that use them, and users may want to disable
editpage, while leaving those plugins enabled.

Most notably, comments uses both functions, and it's entirely appropriate
to disable editpage but still want to have comments enabled.

Less likely, attachments, rename, and remove all use check_canedit -- but
it would be unusual indeed to want to use these w/o editpage.
2009-02-12 16:33:35 -05:00
Joey Hess c154fa5d6c comments: If comment content checks fail, store the comment (in .ikiwiki/comments_pending) for moderator review. 2009-01-25 15:42:13 -05:00
Joey Hess f7b2cfcf50 checkcontent: New hook, can be used to implement arbitrary content filters, including spam filters. 2009-01-16 20:46:55 -05:00
Joey Hess 4bdeec4961 remove cruft
wtf does it do? absolutely nothing
2008-12-19 14:09:39 -05:00
Joey Hess bb93fccf06 Coding style change: Remove explcit vim folding markers. 2008-12-17 15:22:16 -05:00
Joey Hess 985b229be6 checksessionexpiry: rework
This function as factored out was a bit confusing, I think this makes more
sense.
2008-12-17 14:26:08 -05:00
Simon McVittie 9a6005a212 editpage: factor out checksessionexpiry into IkiWiki::CGI 2008-12-11 21:14:03 +00:00
Joey Hess 4669eab596 more work on untrusted committers
Wired up check_canedit and check_canremove, still need to deal with
check_canattach, and test.
2008-10-23 16:29:50 -04:00