18870 Commits (d0dd293449c31cf041cd7942c6bc50bf7e4149bf)

Author SHA1 Message Date
fr33domlover 67d1960676 New wishlist item - put /tags page in the basewiki? 2014-10-22 11:20:00 +03:00
openmedi 1ba0317241 2014-10-20 21:11:53 -04:00
openmedi 1bbdc76f9a 2014-10-20 21:00:30 -04:00
http://anastigmatix.net/ 34e7fe13e4 Hadn't listed any drawbacks for the FastCGI Authorizer idea. 2014-10-20 19:58:54 -04:00
http://anastigmatix.net/ 8d7ad8c345 Review request for: Let plugins influence what environment variables a wrapper will preserve 2014-10-20 19:07:13 -04:00
http://anastigmatix.net/ 34373e0df9 Fix dangling link to branch I deleted after merge. Link instead to merged commits in ikiwiki repo. 2014-10-20 18:39:55 -04:00
Amitai Schlair 2e9992568f Add ikiwiki-comment to shebang_scripts. 2014-10-20 14:20:41 -04:00
Joey Hess d858ce3e93 Add missing build-depends on libcgi-formbuilder-perl, needed for t/relativity.t 2014-10-20 12:28:54 -04:00
Joey Hess 82a4fb49ae add ikiwiki-comment program 2014-10-20 12:08:07 -04:00
http://anastigmatix.net/ 13331e8243 bit on how inlinability isn't only bad 2014-10-19 17:48:47 -04:00
http://anastigmatix.net/ f49d15649f Add link to the proposed wrapper generation patch 2014-10-19 17:37:46 -04:00
http://anastigmatix.net/ 9a4fab05e0 initial description of signinview plugin 2014-10-19 17:07:15 -04:00
http://anastigmatix.net/ 18f41b73da more on caching behavior 2014-10-19 14:40:02 -04:00
http://anastigmatix.net/ bc509a3119 make formatting more consistent 2014-10-19 14:17:03 -04:00
http://anastigmatix.net/ 623b428efe discuss zoned-ikiwiki implementation approaches, including signinview plugin 2014-10-19 14:12:11 -04:00
http://anastigmatix.net/ c4493533b6 it helps to distinguish some use cases 2014-10-19 13:32:52 -04:00
Amitai Schlair 60188d7280 also search 2014-10-19 13:13:07 -04:00
http://anastigmatix.net/ fea2ec0926 start fleshing out "things that make zoned ikiwiki hard" 2014-10-19 13:09:33 -04:00
Amitai Schlair f9fe7fd254 sign previous 2014-10-19 13:08:13 -04:00
Amitai Schlair 9f04f8ccc5 Match word boundary (think "/usr/bin/perl5.18"). 2014-10-19 13:07:34 -04:00
https://www.google.com/accounts/o8/id?id=AItOawlGzzISNi9sKsbbqyRjCZEecyypgaFV56U f47af2b8c4 2014-10-19 12:04:48 -04:00
https://www.google.com/accounts/o8/id?id=AItOawlGzzISNi9sKsbbqyRjCZEecyypgaFV56U 1cfaacbfb5 [patch], patch 2014-10-19 12:04:02 -04:00
openmedi b9558ad3aa Added a comment 2014-10-17 13:23:13 -04:00
Amitai Schlair 305c91ccfb Remove space from perl shebang path. 2014-10-17 09:05:00 -04:00
Amitai Schlair 7a2446f798 Disambiguate myself a bit (like that's needed). 2014-10-16 21:51:18 -04:00
Simon McVittie d9b1e10d72 reformat 2014-10-17 01:07:50 +01:00
Simon McVittie 04f9ce457f news 2014-10-17 01:01:53 +01:00
Simon McVittie d922b1897c Merge remote-tracking branch 'refs/remotes/dgit/dgit/sid' 2014-10-17 00:02:33 +01:00
Simon McVittie a89dbd9892 release 2014-10-16 23:28:35 +01:00
Simon McVittie 44e05edaf4 debian: fix some wrong paths in the copyright file 2014-10-16 23:28:23 +01:00
Simon McVittie 0e783e915b debian: rename debian/link to debian/links so the intended symlinks appear 2014-10-16 23:04:11 +01:00
Simon McVittie 37296bcb5a close a bug 2014-10-16 23:03:48 +01:00
Simon McVittie 0c73a825d1 Drop unused python-support dependency 2014-10-16 22:48:09 +01:00
Simon McVittie 3429e81596 changelog so far 2014-10-16 22:44:29 +01:00
Simon McVittie e1deb28e08 build-depend on libcgi-pm-perl too, for tests 2014-10-16 22:40:52 +01:00
Simon McVittie edbc54ec6e Explicitly depend on CGI.pm, which is no longer in Perl core
I was going to depend on the version that has CGI->param_fetch,
but that has been supported since 2.37, which is older than oldstable.
2014-10-16 22:24:48 +01:00
Amitai Schlair 09e7c1ad99 IkiWiki::Plugin::openid: as a precaution, do not call non-coderefs
We're running under "use strict" here, so if CGI->param's array-context
misbehaviour passes an extra non-ref parameter, it shouldn't be executed
anyway... but it's as well to be safe.

[commit message added by smcv]
2014-10-16 22:24:48 +01:00
Amitai Schlair cfbcbda0ad Call CGI->param_fetch instead of CGI->param in array context
CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.

In the situations where we do want to cope with more than one parameter
of the same name, CGI->param_fetch (which always returns an
array-reference) makes the intention clearer.

[commit message added by smcv]
2014-10-16 22:24:47 +01:00
Simon McVittie f4ec7b06d9 Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.

I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
2014-10-16 22:24:47 +01:00
https://www.google.com/accounts/o8/id?id=AItOawk8U772S3jDrZJCO0WA5WaDLjJv5mMl6Yw d8943d8668 Added a comment: It was an Apache problem... 2014-10-16 10:57:26 -04:00
smcv 99bc12a3ab branch 2014-10-16 08:11:52 -04:00
smcv 6de6479b3c comment 2014-10-16 07:52:05 -04:00
Simon McVittie 22961f81dd Emit vestigial xmlns so people can still pass ikiwiki output through XSLT 2014-10-16 11:25:28 +01:00
Simon McVittie b679fc65f5 We no longer have a test for DTD-valid XHTML 1.0, but at least check well-formedness
This means that people can do XSLT nonsense if they want to.

The failures are currently marked TODO because not everything in the
docwiki is in fact well-formed.
2014-10-16 11:25:10 +01:00
Simon McVittie fb7225dbe6 Remove now-redundant test-cases for a non-default html5 setting 2014-10-16 11:08:01 +01:00
Simon McVittie a052771287 Now that we're always using HTML5, <base href> can be relative 2014-10-16 11:05:19 +01:00
Simon McVittie 490a1eca7b Always produce HTML5 doctype and new attributes, but not new elements
According to caniuse.com, a significant fraction of Web users are
still using Internet Explorer versions that do not support HTML5
sectioning elements. However, claiming we're XHTML 1.0 Strict
means we can't use features invented in the last 12 years, even if
they degrade gracefully in older browsers (like the role and placeholder
attributes).

This means our output is no longer valid according to any particular
DTD. Real browsers and other non-validator user-agents have never
cared about DTD compliance anyway, so I don't think this is a real loss.
2014-10-16 11:04:53 +01:00
Simon McVittie 1561fbb365 Replace PayPal and Flattr buttons with text links
In particular, this avoids loading third-party resources from the
offline documentation (see
<https://lintian.debian.org/tags/privacy-breach-donation.html>).
2014-10-16 09:47:07 +01:00
http://anastigmatix.net/ 0a6ca5c892 mention pagespec_alias patches 2014-10-15 22:53:41 -04:00
smcv a67e0d212c Added a comment 2014-10-15 19:30:22 -04:00