f01283478b
Exclude users/* from the HTML documentation
2016-05-06 07:53:53 +01:00
1ae01a592f
Do not recommend mimetype(image/*)
...
Not all image file types are safe for general use: in particular,
image/svg+xml is known to be vulnerable to CVE-2016-3714 under some
ImageMagick configurations.
2016-05-06 07:49:50 +01:00
dea96e5113
Document the security fixes in this release
2016-05-06 07:49:45 +01:00
21b9b9e306
update test suite for svg passthrough by img directive
...
Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.
2016-05-06 06:58:56 +01:00
984ba82f1b
img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser
...
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.
(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)
[smcv: drop trailing whitespace, fix some spelling]
2016-05-06 06:57:12 +01:00
7ff6221ac9
changelog for smcv's security fixes
...
[smcv: omit a change that was already in 3.20160514]
2016-05-06 06:53:41 +01:00
170cd41489
img: check magic number before giving common formats to ImageMagick
...
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
2016-05-05 23:43:50 +01:00
545a7bbbf0
img: restrict to JPEG, PNG and GIF images by default
...
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
2016-05-05 23:43:50 +01:00
54a9f8d07d
img: force common Web formats to be interpreted according to extension
...
A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, a SVG file named attachment.jpg.
This mitigates CVE-2016-3714.
2016-05-05 23:43:50 +01:00
32ef584dc5
HTML-escape error messages (OVE-20160505-0012)
...
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)
The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
2016-05-05 23:43:17 +01:00
355ba85137
all good
2016-05-04 18:53:24 -04:00
e874ce623b
2016-05-04 18:35:33 -04:00
bd881a8ee6
response: confirmation it's a bug in MMD and Discount doesn't have footnotes, and request for workaround
2016-05-04 09:45:25 -04:00
291a09e537
discount (as used on this wiki) can do footnotes, but they aren't enabled by ikiwiki
2016-05-04 05:48:01 -04:00
337736663b
response
2016-05-04 05:38:27 -04:00
f4b75b3b2c
response
2016-05-02 09:33:59 -04:00
017a7e9446
2016-04-29 00:32:02 -04:00
467f501d90
response
2016-04-28 20:13:05 -04:00
fe7ec461d4
Merge branch 'master' of ssh://git.ikiwiki.info
2016-04-28 19:34:51 -04:00
3aa705b38a
response
2016-04-28 19:32:58 -04:00
95c0a63675
Merge remote-tracking branch 'origin/master'
2016-04-28 19:06:01 -04:00
1e38006bbc
2016-04-28 10:12:52 -04:00
965aa5c6fa
http/https issue
2016-04-28 10:08:05 -04:00
81852a7db7
smaller is too small for large blocks
2016-04-26 18:52:25 -04:00
e316ea9a7c
fix typo and comment
2016-04-26 18:50:47 -04:00
093ad8b890
new CSS bug
2016-04-26 18:46:59 -04:00
4871d48718
explain footnotes
2016-04-26 18:35:20 -04:00
053f96e80b
Changed the expired domain and added question
2016-04-18 22:08:50 -04:00
344f831c2e
Fixed dead link.
2016-04-17 19:38:12 -04:00
da596e5c79
add screenshot
2016-04-15 18:11:29 -04:00
1719ad31ee
fix typos
2016-04-15 17:31:53 -04:00
8f67b981cd
announce the admonition plugin
2016-04-15 17:29:44 -04:00
fcf10269fc
elaborate copyright investigation. ugh.
2016-04-15 12:29:25 -04:00
ad5b749847
response
2016-04-15 11:17:02 -04:00
e5c93a6ac0
can't login again
2016-04-15 11:07:14 -04:00
f211764c1d
escape
2016-04-15 10:38:11 -04:00
18c9d18b76
templates are another way to do this
2016-04-15 10:37:43 -04:00
7493b4015b
2016-04-15 10:34:33 -04:00
568b0fe11d
a weird authentication bug
2016-04-15 10:14:50 -04:00
54f71deab5
admonitions proposal
2016-04-15 09:57:53 -04:00
8eb3a06f1e
Arguing more
2016-04-15 08:24:38 -04:00
65095203f5
Added systemd for nginx
2016-04-15 08:12:11 -04:00
9bb481ccd7
2016-04-14 17:14:47 -04:00
96e2315499
Document new feature.
2016-04-14 12:43:32 -04:00
552b42f039
clarify that theme and css is not only to change stylesheets, but the look in general
2016-04-13 14:38:15 -04:00
df17472bbf
link to localstyle after a user struggled for hours to figure out exactly that
2016-04-13 14:37:22 -04:00
06a67db3f9
explain why multiple page.tmpl is a showstopper for upstream even if not for local themes
2016-04-12 02:00:21 -04:00
687e3f94ea
2016-04-11 11:05:45 -04:00
57f48eac19
Updated link
2016-04-11 11:03:22 -04:00
2829486a81
Updated link
2016-04-11 11:01:54 -04:00
Simon McVittie
Joey Hess
https://id.koumbit.net/anarcat
smcv
Antoine Beaupré
desci
RickHanson
spalax