Commit Graph

486 Commits (e3279c8b508ce88ea2b23f99a1d8a4295fb06dd9)

Author SHA1 Message Date
Simon McVittie e3279c8b50 mdwn: Automatically detect which libdiscount flags to use
Unconditionally passing arbitrary numbers as flags turns out to be a
bad idea, because some of the "unused" values have historically had
side-effects internal to libdiscount. Detect whether the known flags
work by rendering short Markdown snippets the first time we htmlize,
checking whether each known flag is both necessary and sufficient.

Signed-off-by: Simon McVittie <smcv@debian.org>
2018-03-08 23:36:31 +00:00
http://thm.id.fedoraproject.org/ 7253137b31 rst test: Probe for docutils Python 3 module, not Python 2 2018-03-04 10:56:18 +00:00
Simon McVittie 379d763a21 img test: Exercise a format that is uncommon on the web (BMP)
Signed-off-by: Simon McVittie <smcv@debian.org>
2018-02-28 09:56:08 +00:00
Simon McVittie f446e7ca5f img test: Don't rely on using an empty ImageMagick coder name
This used to work, but has been interpreted as a literal part of
the filename since ImageMagick 6.9.8-3. In newer versions, there does
not seem to be any way to indicate that a filename containing ':' is
to be taken literally without first knowing the decoder to use.

Signed-off-by: Simon McVittie <smcv@debian.org>
2018-02-28 09:56:07 +00:00
Simon McVittie aa02f160cc t/wellformed: Rebuild the docwiki, not everything 2018-01-29 22:35:29 +00:00
Simon McVittie 4126840f8d t: Accept optional file:// prefix on W3m-control 2018-01-29 22:35:29 +00:00
Simon McVittie a147f5349d Don't send relative redirect URLs when behind a reverse proxy 2018-01-08 10:56:12 +00:00
Simon McVittie 263f27c774 t/relativity.t: Add tests for IkiWiki::redirect behaviour
This reproduces [[bugs/cgi_redirecting_to_non-https_URL]].
2018-01-08 10:09:05 +00:00
Joey Hess 9ff9088636
Remove openid provider icons from login selector
Remove openid provider icons from login selector, since openid providers
are increasingly not working. Verisign retired theirs, and aol and
yahoo/flickr are not commonly used for openid. Any users who still  clicked
those icons to login will need to instead enter their openid url.

This commit was sponsored by andrea rota.
2018-01-05 12:27:46 -04:00
Simon McVittie 6e5f320ab8 t/git-untrusted.t: Fix redundant declaration
Signed-off-by: Simon McVittie <smcv@debian.org>
2017-10-01 16:24:48 +01:00
Simon McVittie 76fe7432fb t/git-untrusted.t: New test case for untrusted pushes
This also exercises the typical centralized git repository workflow,
where changes flow from a non-bare clone (for example on a laptop)
to a centralized bare repository, then from the centralized bare
repository to a non-bare clone that is ikiwiki's srcdir.

Signed-off-by: Simon McVittie <smcv@debian.org>
2017-10-01 13:21:56 +01:00
intrigeri 948bc22ae4 t/img.t: test determinism of PNG resizing. 2017-09-01 19:25:44 +00:00
Simon McVittie 4ace7dbb75 t/img.t: Give better diagnostics if we can't load an image 2017-06-22 15:16:07 +01:00
Simon McVittie afdf8c0a8c color, toc: Fix `make test` 2017-05-16 12:08:55 +01:00
Simon McVittie 01f2a84360 color: Use markup for the preserved CSS, not character data
This still smuggles it past the sanitize step, but avoids having
other plugins that want to capture text content without markup
(notably toc) see the CSS as if it was text content.
2017-05-16 12:08:55 +01:00
Simon McVittie 49de9594b7 color: Add a unit test 2017-05-16 12:08:54 +01:00
Simon McVittie 77df914b3a Add a simple unit test for [[!toc]] 2017-05-16 08:55:24 +01:00
Simon McVittie 1b4571acd5 Add a test-case for Markdown options 2017-05-16 08:25:53 +01:00
Simon McVittie 8b5c729b8b t/git-cgi.t: Wait 1 second before doing a revert that should succeed
This hopefully fixes a race condition in which the test failed
around 6% of the time.

If we don't wait, the mtime (which is rounded down to 1 second precision
in the APIs we use) will not necessarily change, so the update will not
necessarily cause the page to be refreshed.

Bug-Debian: https://bugs.debian.org/862494
2017-05-14 15:35:52 +01:00
Simon McVittie 3964787238 t/passwordauth.t: new automated test for passwordauth
In particular this includes an exploit for OVE-20170111-0001.

(cherry picked from commit fbe207212b1f4a395dc297fb274ef07afd7d68f3)
2017-01-11 18:11:06 +00:00
Simon McVittie ca1b06d599 git-cgi.t: when committing directly, make sure we have a valid author
In the environment used on ci.debian.net, we have neither a name nor
an email address.
2017-01-09 13:07:24 +00:00
Simon McVittie 62c9df6721 t/git-cgi.t: fix race condition
We need the changes to take place at least 1 second after the first
rebuild, so that the changed files are seen to have changed.
2017-01-09 13:07:24 +00:00
Simon McVittie 29b91c970b git: Add test coverage for reverting attachments 2016-12-28 21:32:13 +00:00
Simon McVittie ad04dac19b Add automated test for using the CGI with git, including CVE-2016-10026 2016-12-28 21:32:12 +00:00
Simon McVittie 7c34df633d git_revert test: reinstate ikiwiki.setup, and make it work uninstalled
Previously it was relying on running with an installed ikiwiki
and being able to copy in recentchanges.mdwn and wikiicons/ from the
underlay in /usr. The underlay in ./underlays/basewiki can't be used
(yet) because ikiwiki doesn't allow following symlinks, even from
underlays.

I'd like to make ikiwiki follow symlinks whose destinations can be
verified to be safe (for example making it willing to expose
/usr/share/javascript to the web, but not /etc/passwd), at least from
underlays, but this is security-sensitive so I'm not going to rush
into it.
2016-12-28 21:32:11 +00:00
Simon McVittie da395ac33c Add a manual test for reverting git commits
Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
Simon McVittie 4729ff0812 Exclude working directory from library path (CVE-2016-1238)
Current Perl versions put '.' at the end of the library search path
@INC, although this will be fixed in a future Perl release. This means
that when software loads an optionally-present module, it will be
looked for in the current working directory before giving up. An
attacker could use this to execute arbitrary Perl code from ikiwiki's
current working directory.

Removing '.' from the library search path in Perl is the correct
fix for this vulnerability, but is not trivial to do due to
backwards-compatibility concerns. Mitigate this (even if ikiwiki is run
with a vulnerable Perl version) by explicitly removing '.' from the
search path, and instead looking for ikiwiki's own modules relative
to the absolute path of the executable when run from the source
directory.

In tests that specifically want to use the current working directory,
use "-I".getcwd instead of "-I." so we use its absolute path, which
is immune to the removal of ".".
2016-07-28 09:50:21 +01:00
Simon McVittie 5f6f9a1bea Wrapper: allocate new environment dynamically
Otherwise, if third-party plugins extend newenviron by more than
3 entries, we could overflow the array. It seems unlikely that any
third-party plugin manipulates newenviron in practice, so this
is mostly theoretical. Just in case, I have deliberately avoided
using "i" as the variable name, so that any third-party plugin
that was manipulating newenviron directly will now result in the
wrapper failing to compile.

I have not assumed that realloc(NULL, ...) works as an equivalent of
malloc(...), in case there are still operating systems where that
doesn't work.
2016-05-11 09:18:14 +01:00
Simon McVittie 6879e37828 img test: exercise upper-case extensions for image files 2016-05-09 21:53:10 +01:00
Amitai Schlair e24e6fed62 Fix spelling of "ratio" in test. 2016-05-08 18:31:02 -04:00
Simon McVittie 47b180e35f img: make img_allowed_formats case-insensitive 2016-05-07 23:22:52 +01:00
Joey Hess 21b9b9e306 update test suite for svg passthrough by img directive
Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.
2016-05-06 06:58:56 +01:00
Simon McVittie 170cd41489 img: check magic number before giving common formats to ImageMagick
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
2016-05-05 23:43:50 +01:00
Simon McVittie 545a7bbbf0 img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
2016-05-05 23:43:50 +01:00
Amitai Schlair b4222955b4 Fix CVS tests by uninverting $installed (cdfb4ab). 2016-02-18 23:25:54 -05:00
Simon McVittie 7aca0d40a3 Compose relative URLs in RSS feeds correctly
If the relative link from the (page generating the) RSS to the target
would start with "./" or "../", just concatenating it with the URL to
the directory containing the RSS is not sufficient. Go via
URI::new_abs to fix this.
2016-01-21 08:40:14 +00:00
Simon McVittie 02a1aa4e49 Don't fail to syslog if the wiki name contains %s
This is a corner case spotted while fixing UTF-8 syslogging.
2016-01-21 07:33:41 +00:00
Simon McVittie b8dbb48fdc Force log messages to be bytestrings
Sys::Syslog is not UTF-8-literate.
2016-01-21 07:33:41 +00:00
Simon McVittie b0627aef10 img test: use the right filenames when testing that deletion occurs
Also use a less misleading name for the sample SVG: it is no longer empty.
Since commit 105f285a it has contained a blue square.
2016-01-19 11:24:18 +00:00
Simon McVittie 5dceeb28d8 img test: skip testing PDFs if unsupported 2016-01-19 11:24:18 +00:00
Simon McVittie b199349ffd Merge remote-tracking branch 'smcv/ready/limit' 2015-11-30 20:55:34 +00:00
Simon McVittie 67906ded04 Add a test for unconfigured git identity 2015-11-30 20:46:58 +00:00
Simon McVittie d90002b8d7 tests: consistently use done_testing instead of no_plan 2015-11-30 18:26:23 +00:00
Simon McVittie 6b322448ca t/img.t: do not spuriously skip 2015-11-30 18:26:23 +00:00
Simon McVittie cdfb4ab1a3 Run autopkgtest tests using autodep8 and the pkg-perl team's infrastructure 2015-11-30 18:26:22 +00:00
Amitai Schlair 09916a90ed Fix [[!meta name=foo]] by closing the open quote. 2015-08-22 22:34:53 -04:00
Amitai Schlair 69f8b6427e Sans ImageMagick, bail gracefully. 2015-08-22 21:50:38 -04:00
Amitai Schlair 7f76e0ccc1 Mark a few straggling test scripts +x. 2015-08-18 07:31:29 -04:00
Amitai Schlair d42ed9bdc3 Test many behaviors of the meta directive. 2015-08-15 23:37:43 -04:00
Amitai Schlair 604d0391ba Squelch regex deprecation warnings from Perl 5.22.
Specifically:

"Unescaped left brace in regex is deprecated, passed through in regex"
2015-06-14 21:35:51 -04:00