Commit Graph

8 Commits (e262621db1fd778fac0fbe74fb8be38dffe956f1)

Author SHA1 Message Date
Simon McVittie 4729ff0812 Exclude working directory from library path (CVE-2016-1238)
Current Perl versions put '.' at the end of the library search path
@INC, although this will be fixed in a future Perl release. This means
that when software loads an optionally-present module, it will be
looked for in the current working directory before giving up. An
attacker could use this to execute arbitrary Perl code from ikiwiki's
current working directory.

Removing '.' from the library search path in Perl is the correct
fix for this vulnerability, but is not trivial to do due to
backwards-compatibility concerns. Mitigate this (even if ikiwiki is run
with a vulnerable Perl version) by explicitly removing '.' from the
search path, and instead looking for ikiwiki's own modules relative
to the absolute path of the executable when run from the source
directory.

In tests that specifically want to use the current working directory,
use "-I".getcwd instead of "-I." so we use its absolute path, which
is immune to the removal of ".".
2016-07-28 09:50:21 +01:00
Simon McVittie a1fda0b516 Standardize on --long-option instead of -long-option
[[forum/refresh_and_setup]] indicates some confusion between --setup
and -setup. Both work, but it's clearer if we stick to one in
documentation and code.

A 2012 commit to [[plugins/theme]] claims that "-setup" is required
and "--setup" won't work, but I cannot find any evidence in ikiwiki's
source code that this has ever been the case.
2015-03-01 16:15:01 +00:00
Joey Hess d93842ffc7 improve usage message 2011-06-13 12:20:21 -04:00
Joey Hess ecdfd1b864 rcs_commit and rcs_commit_staged api changes
Using named parameters for these is overdue. Passing the session in a
parameter instead of passing username and IP separately will later allow
storing other session info, like username or part of the email.

Note that these functions are not part of the exported API,
and the prototype change will catch (most) skew, so I am not changing
API versions. Any third-party plugins that call them will need updated
though.
2010-06-23 19:04:36 -04:00
Joey Hess 579ee70e95 fix parameter parsing when pagespec is ommited, and year is present 2010-04-15 18:51:35 -04:00
Joey Hess acd99bfe11 propigate ikiwiki setup error out 2010-04-15 14:39:07 -04:00
Joey Hess 3131433f64 calendar: Add archive_pagespec, which is used by ikiwiki-calendar to specify which pages to include on the calendar archive pages. (The pagespec can still also be specified on the ikiwiki-calendar command line.) 2010-04-15 13:40:53 -04:00
Joey Hess 1273f1de52 Add preprocessed 'use lib' line to ikiwiki-transition and ikiwiki-calendar if necessary for unusual install. 2010-03-26 13:11:02 -04:00