Commit Graph

252 Commits (f15b0a03b52b6b6829d37603874411e52746910c)

Author SHA1 Message Date
Simon McVittie a147f5349d Don't send relative redirect URLs when behind a reverse proxy 2018-01-08 10:56:12 +00:00
Joey Hess 61f0dc669f
improve error message when postsignin is not set
This can happen if the user goes directly to /ikiwiki.cgi?do=login and
logs in, since nothing redirected them to there, there's no postsignin
value set. It can also happen when cookies are disabled, or perhaps
other problems.
2018-01-04 19:21:51 -04:00
Simon McVittie 60cb2ac458 cgierror: When the CGI fails, print the error to stderr, not "Died"
$@ could be clobbered by the "exception handler", and in practice
it seems that it is. This can be seen on stderr of t/git-cgi.t.
2017-05-14 15:39:21 +01:00
Simon McVittie 26ded17653 Defend against empty session names
If misconfiguration has resulted in an empty session name, treat the
session as having not signed in.
2017-05-14 15:37:47 +01:00
Simon McVittie d157a97452 CGI, attachment, passwordauth: harden against repeated parameters
These instances of code similar to OVE-20170111-0001 are not believed
to be exploitable, because defined(), length(), setpassword(),
userinfo_set() and the binary "." operator all have prototypes that
force the relevant argument to be evaluated in scalar context. However,
using a safer idiom makes mistakes less likely.

(cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
2017-01-11 18:11:07 +00:00
Simon McVittie b0b1428e62 cgitemplate: actually remove dead code
Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 13:20:55 +00:00
Simon McVittie 32ef584dc5 HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)

The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
2016-05-05 23:43:17 +01:00
Simon McVittie 317d19842c Silence "used only once: possible typo" warnings for variables that are part of modules' APIs 2016-01-19 11:24:18 +00:00
Joey Hess ab1bba9dab cloak user PII when making commits etc, and let cloaked PII be used in banned_users
This was needed due to emailauth, but I've also wrapped all IP address
exposure in cloak(), although the function doesn't yet cloak IP addresses.

(One IP address I didn't cloak is the one that appears on the password
reset email template. That is expected to be the user's own IP address,
so ok to show it to them.)

Thanks to smcv for the pointer to
http://xmlns.com/foaf/spec/#term_mbox_sha1sum
2015-05-14 11:58:21 -04:00
Anders Kaseorg f35c6a97d1 Fix double UTF-8 decode on Perl < 5.20 with upgraded Encode.pm
Commit feb21ebfac added a
safe_decode_utf8 function that avoids double decoding on Perl 5.20.
But the Perl behavior change actually happened in Encode.pm 2.53
(https://github.com/dankogai/p5-encode/pull/11).  Although Perl 5.20
is the first Perl version to bundle an affected version of Encode.pm,
it’s also possible to upgrade Encode.pm independently; for example,
Fedora 20 has Perl 5.18.4 with Encode.pm 2.54.  On such a system,
editing a non-ASCII file still fails with errors like

Error: Cannot decode string with wide characters at
/usr/lib64/perl5/vendor_perl/Encode.pm line 216.

There doesn’t seem to be any reason not to check Encode::is_utf8 on
old versions too, so just remove the version check altogether.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Bug-Debian: https://bugs.debian.org/776181
2015-03-01 12:43:20 +00:00
Simon McVittie 6c51b764bc Merge branch 'ready/html5' 2014-11-26 11:58:05 +00:00
Amitai Schlair cfbcbda0ad Call CGI->param_fetch instead of CGI->param in array context
CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.

In the situations where we do want to cope with more than one parameter
of the same name, CGI->param_fetch (which always returns an
array-reference) makes the intention clearer.

[commit message added by smcv]
2014-10-16 22:24:47 +01:00
Simon McVittie a052771287 Now that we're always using HTML5, <base href> can be relative 2014-10-16 11:05:19 +01:00
Simon McVittie 33f60260b2 In html5 mode, generate a host- or protocol-relative <base> for the CGI
This increases the number of situations in which we do the right thing.
2014-10-05 23:49:37 +01:00
Simon McVittie 3b8da667cc Add reverse_proxy option which hard-codes cgiurl in CGI output
This solves several people's issues with the CGI trying to be
too clever when IkiWiki is placed behind a reverse-proxy.
2014-10-05 23:49:37 +01:00
Simon McVittie b0a35c817e Force use of $config{url} as top URL in w3mmode 2014-10-05 15:19:55 +01:00
Antoine Beaupré feb21ebfac do not double-decode unicode in CGI forms
this works around a behavior change introduced in Encode.pm 2.53
shipped with the Perl 5.20 release described here:

http://ikiwiki.info/bugs/garbled_non-ascii_characters_in_body_in_web_interface/
2014-09-09 23:11:51 -04:00
Simon McVittie bb359796b8 protect $@ whenever a block using $@ is non-trivial
As noted in the Try::Tiny man page, eval/$@ can be quite awkward in
corner cases, because $@ has the same properties and problems as C's
errno. While writing a regression test for definetemplate
in which it couldn't find an appropriate template, I received

    <span class="error">Error: failed to process template
    <span class="createlink">deftmpl</span> </span>

instead of the intended

    <span class="error">Error: failed to process template
    <span class="createlink">deftmpl</span> template deftmpl not
    found</span>

which turned out to be because the "catch"-analogous block called
gettext before it used $@, and gettext can call define_gettext,
which uses eval.

This commit alters all current "catch"-like blocks that use $@, except
those that just do trivial things with $@ (string interpolation, string
concatenation) and call a function (die, error, print, etc.)
2014-02-21 17:06:36 +00:00
Joey Hess 4e1806ef7c save whole form state, not just QUERY_STRING, for postsignin
Normally, needsignin is called when there is a QUERY_STRING, not when a
form is posted. However, it's certianly possible, and should be supported,
to make a form that invokes an ikiwiki action that checks needsignin.

I encountered this when posting ?do=rename&page=foo. The form is displayed
without checking needsignin, for complicated reasons. Posting the form
is when the true authentication happens.
2012-04-08 14:14:33 -04:00
Joey Hess 72f30a40a3 record email of new users in userinfo for userlist 2011-06-09 10:58:05 -04:00
Joey Hess 0423cac6de let's assume some web server will think OFF is a good idea.. 2011-06-03 14:41:13 -04:00
Joey Hess 254080bc85 Support the Hiawatha web server which sets HTTPS=off rather than not setting it. (There does not seem to be a standard here.) 2011-06-03 14:36:31 -04:00
Joey Hess 04498cdeb4 Fix broken baseurl in cgi mode when usedirs is disabled. Bug introduced in 3.20101231. 2011-02-21 14:57:15 -04:00
Joey Hess a3605a90d5 fix urlto(undef) 2011-01-05 18:08:03 -04:00
Joey Hess 4a6ac6b485 add cgitemplate
cgitemplate is a modified misctemplate that takes an optional cgi object
and uses it to set the baseurl, and also optionally the forcebaseurl,
if a page is provided.

If no cgi object is provided, it will fall back to using $config{url}.
I expect this will only be needed in exceptional cases where
that doesn't much matter, such as cgierror().

showform uses cgitemplate, so there is no more need for showform_preview.
2011-01-05 17:06:11 -04:00
Joey Hess c91b39fdb5 factored out an urlabs from aggregate and cgi 2011-01-05 16:18:25 -04:00
Joey Hess 49928906b0 oops 2011-01-05 16:11:54 -04:00
Joey Hess 7a88638c6c typo 2011-01-05 15:12:23 -04:00
Joey Hess 270cbd7cf5 Fix redirect to use a full url.
Was broken (in theory) by baseurl changes in last release.
2011-01-05 14:57:04 -04:00
Joey Hess 8c9c3915ec Fix base url when previewing. Was broken by urlto changes in last release.
Added a showform_preview that is like showform, but sets forcebaseurl
to point to the page being previewed.
2011-01-05 13:50:42 -04:00
Joey Hess 3697a684df Merge remote branch 'smcv/ready/sslcookie-auto' 2010-11-29 16:31:25 -04:00
Simon McVittie f33c2af2c4 Always set secure cookies if logging in via HTTPS 2010-11-29 19:30:44 +00:00
Simon McVittie 2411e2be1f Use local path for even more CGI URLs 2010-11-23 23:12:21 +00:00
Simon McVittie d2e3741a6f Use local paths for redirection where possible 2010-11-23 00:00:11 +00:00
Joey Hess 4292802ee5 stop using REMOTE_ADDR
Everywhere that REMOTE_ADDR was used, a session object is available, so
instead use its remote_addr method.

In IkiWiki::Receive, stop setting a dummy REMOTE_ADDR.

Note that it's possible for a session cookie to be obtained using one IP
address, and then used from another IP. In this case, the first IP will now
be used. I think that should be ok.
2010-06-23 16:35:51 -04:00
Joey Hess c8b34aa31c allow misctemplate callers to pass params to suppress actions etc
Suppress disiplay of small search for on search results page, and of
Prefrences link on prefs page.
2010-05-14 21:45:54 -04:00
Joey Hess c3e9215e1f moved non-openid signin form into same page as openid selector; show/hide as buttons are pressed 2010-05-08 15:57:39 -04:00
Joey Hess 4c320176c0 simplify formbuilder stylesheet specification
Since all forms are wrapped in a template that defines the actual
stylesheets, formbuilder just has to be told to turn on stylesheet mode,
not what file is the style sheet.
2010-05-06 22:27:12 -04:00
Joey Hess 32472c02eb brace style 2010-01-18 12:33:25 -05:00
Joey Hess 97bc5d8bca typos 2010-01-18 12:08:26 -05:00
Joey Hess 6a0af02d3f make decode_form_utf8 safe for arrays 2010-01-09 16:07:01 -05:00
Joey Hess 2bceb10b5f 404/goto: Fix 404 display of utf-8 pages.
Problem here was that no charset http header was being sent.

I fixed this globally by making cgi_custom_failure send the header.
Required changing its parameters.
2009-12-14 18:16:47 -05:00
Joey Hess ce785c8702 fix url encoding in redir
When redirecting to a page, ie, after editing, ensure that the url is
uri-encoded. Most browsers other than MSIE don't care, but it's the right
thing to do.

The known failure case involved editing a page that had utf-8 in the name
using MSIE.
2009-10-29 10:17:30 -04:00
Joey Hess 55474f44d9 Expand banned_users; it can now include PageSpecs, which allows banning by IP address. 2009-09-08 15:17:39 -04:00
Jonas Smedegaard dc9e0f3e32 Fix typo attepting→attempting 2009-07-23 00:41:33 +02:00
Joey Hess 158c6c3ac8 detect sslcookie set and no https
This is likely a misconfiguration and can cause login to fail as the
browser refuses the send the session cookie back over http.

Not entirely happy with putting the check where I did, since users have to
try to log in, and fail, to see the misconfiguration explained. But I could
not find a better place to put the check.
2009-02-26 01:59:05 -05:00
Joey Hess b0361b8efd factor out IE stupididy workaround 2009-01-31 19:02:50 -05:00
Simon McVittie c886bea320 Split cgi_goto into a goto plugin 2009-01-31 23:01:10 +00:00
Simon McVittie 46b880f839 Split apache404 into an independent plugin
Also make it ignore the 'do' parameter at Joey's suggestion, to have one
less thing to remember when configuring.
2009-01-31 22:32:10 +00:00
Simon McVittie dedbe110f2 CGI: pad error responses with 512 bytes of spaces so IE will display them
IE displays its own error responses unless the server's was >= 512 bytes.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294807
2009-01-31 18:26:37 +00:00