Commit Graph

2609 Commits (f54c1c5b95423062bd1206fd82b3acf84f1b52d1)

Author SHA1 Message Date
Joey Hess a298959888 fix other cases of unicode mixing issue
and fix underlaydir override attack guard when srcdir is non-absolute
2010-06-15 17:41:26 -04:00
Joey Hess 86a43aefb4 Fix issues with combining unicode srcdirs and source files.
A short story:

  Once there was a unicode string, let's call him Srcdir.

  Along came a crufty old File::Find, who went through a tree and pasted each
  of the leaves in turn onto Srcdir. But this 90's relic didn't decode the
  leaves -- despite some of them using unicode! Poor Srcdir, with these
  leaves stuck on him, tainted them with his nice unicode-ness. They didn't
  look like leaves at all, but instead garbage.

(In other words, perl's unicode support sucks mightily, and drives
us all to drink and bad storytelling. But we knew that..)

So, srcdir is not normally flagged as unicode, because typically it's pure
ascii. And in that case, things work ok; File::Find finds filenames, which
are not yet decoded to unicode, and appends them to the srcdir, and then
decode_utf8 happily converts the whole thing.

But, if the srcdir does contain utf8 characters, that breaks. Or, if a Yaml
setup file is used, Yaml::Syck's implicitunicode sets the unicode flag of
*all* strings, even those containing only ascii. In either case, srcdir
has the unicode flag set; a non-decoded filename is appended, and the flag
remains set; and decode_utf8 sees the flag and does *nothing*. The result
is that the filename is not decoded, so looks valid and gets skipped.

File::Find only sticks the directory and filenames together in no_chdir
mode .. but we need that mode for security. In order to retain the
security, and avoid the problem, I made it not pass srcdir to File::Find.
Instead, chdir to the srcdir, and pass ".". Since "." is ascii, the problem
is avoided.

Note that chdir srcdir is safe because we check for symlinks in the srcdir
path.

Note that it takes care to chdir back to the starting location. Because
the user may have specified relative paths and so staying in the srcdir
might break. A relative path could even be specified for an underlay dir, so
it chdirs back after each.
2010-06-15 17:13:46 -04:00
Joey Hess 69383fb6b0 Fix issues with combining unicode srcdirs and source files.
A short story:

  Once there was a unicode string, let's call him Srcdir.

  Along came a crufty old File::Find, who went through a tree and pasted each
  of the leaves in turn onto Srcdir. But this 90's relic didn't decode the
  leaves -- despite some of them using unicode! Poor Srcdir, with these
  leaves stuck on him, tainted them with his nice unicode-ness. They didn't
  look like leaves at all, but instead garbage.

In other words, perl's unicode support sucks mightily, and drives
us all to drink and bad storytelling. But we knew that..

So, srcdir is not normally flagged as unicode, because typically it's pure
ascii. And in that case, things work ok; File::Find finds filenames, which
are not yet decoded to unicode, and appends them to the srcdir, and then
decode_utf8 happily converts the whole thing.

But, if the srcdir does contain utf8 characters, that breaks. Or, if a Yaml
setup file is used, Yaml::Syck's implicitunicode sets the unicode flag of
*all* strings, even those containing only ascii. In either case, srcdir
has the unicode flag set; a non-decoded filename is appended, and
decode_utf8 sees the flag and does *nothing*. The result is that the
filename is not decoded, so looks valid and gets skipped.

File::Find only sticks the directory and filenames together in no_chdir
mode .. but we need that mode for security. In order to retain the
security, and avoid the problem, I made it not pass srcdir to File::Find.
Instead, chdir to the srcdir, and pass ".". Since "." is ascii, the problem
is avoided.

Note that it takes care to chdir back to the starting location. Because
the user may have specified relative paths and so staying in the srcdir
might break. A relative path could even be specified for an underlay dir, so
it chdirs back after each.
2010-06-15 16:40:37 -04:00
Joey Hess d541cc854a calendar: Tune archive_pagespec to only match pages, not other files. 2010-06-15 13:38:19 -04:00
Joey Hess c0bc2d0839 editpage, comments: Fix broken links in sidebar (due to forcebaseurl). (Thanks, privat) 2010-06-14 14:34:52 -04:00
Joey Hess 9f7a118ffc more symmetric enable/disable
Removing a plugin from add_plugins is not always enough to disable it.
It may have been redundantly added there and also pulled in via goodstuff.
Always add disabled plugins to disable_plugins.
2010-06-13 10:25:17 -04:00
Joey Hess 17592a951b websetup: Allow enabling plugins listed in disable_plugins.
The bug here was that disabling a plugin included thru goodstuff, like
htmlscrubber, caused it to be added to disable_plugins, and those plugins
were never loaded, so could not be re-enabled. Fix by allowing them to be
force loaded when appropriate. (Also that allows disabled plugins to still
record their setup options when dumping a setup file.)
2010-06-13 10:21:19 -04:00
Joey Hess c65658eeb5 attachment: When inserting links, insert img directives for images, if that plugin is enabled. 2010-06-12 23:00:30 -04:00
Joey Hess 35a0715b9a avoid ugly warning if size="" is specified 2010-06-12 22:59:46 -04:00
Joey Hess dccd764871 edittemplate: Look for template pages under templates/ like everything else (still looks in old location for backwards compatibility). 2010-06-12 22:43:34 -04:00
Joey Hess c225cdad25 edittemplate: Make silent mode not disable display when the template page does not exist, so it can be easily created. 2010-06-12 22:20:22 -04:00
Joey Hess 31fa7714e7 editpage: Rename "comments" field to avoid CSS conflict with the comments div. 2010-06-12 18:10:33 -04:00
Joey Hess d7cfcef54a img: Support hspace and vspace attributes. 2010-06-12 16:43:24 -04:00
Joey Hess 9923f5db65 attachment: Show files from underlay in attachments list.
While those files cannot be removed or renamed, this allows easy
downloading of them, and a new version can after all be uploaded.
2010-06-12 14:29:56 -04:00
Joey Hess d5181a1977 realm is an url pattern 2010-06-11 14:14:20 -04:00
Joey Hess 475b4199e1 openid: Add openid_realm and openid_cgiurl configuration options, useful in a few edge case setups. 2010-06-11 13:53:56 -04:00
Joey Hess 04ff998c51 calendar styling
* calendar: Shorten day names, and improve styling of month calendar.
* style.css: Reduced sidebar width back to 20ex from 30; the month calendar
  will now fit in the smaller width, and 30 was feeling too large.
2010-06-10 15:07:28 -04:00
Joey Hess 1bdf98a4a0 let's allow comments of "0" 2010-06-09 17:47:49 -04:00
Joey Hess 24b59b3a9e editpage: Avoid storing accidental state changes when previewing pages.
This is a slow, safe, stupid approach. Could make deep copies of the data
structures as backups instead of re-loading the index from disk.
2010-06-09 17:44:40 -04:00
Joey Hess b2327cfae4 improve preview mode comments 2010-06-09 17:43:20 -04:00
Joey Hess e93cee3378 Fix display of sidebar when previewing page edit. (Thanks, privat)
On second thought, only display a page's personal sidebar when previewing
it, not when editing normally.
2010-06-09 16:59:17 -04:00
Joey Hess 95b45864de relativedate: Fix problem with localised dates not working. 2010-06-09 16:16:48 -04:00
Joey Hess e96cf38ecc When editing a page, show that page's sidebar. (Thanks, privat) 2010-06-09 16:00:12 -04:00
Joey Hess 0ccf21daaf img: Fill in missing height or width when scaling image. 2010-06-08 21:13:46 -04:00
Joey Hess 3d769f7849 fix uninitialized value warning 2010-05-21 18:03:21 -04:00
Joey Hess 6472302b8d disable warnings when evaling setup files
In particular, perl warns if a qw{} contains a #, but openids can.

If the setup file has 'use warnings', it will turn warning messages back
on, so it seems reasonable to squelch them by default.
2010-05-21 13:39:07 -04:00
Joey Hess 14de1d87ef Fix a typo in the last release. 2010-05-18 14:16:58 -04:00
Joey Hess baaa176b9b simplify example
I've seen user(http://*) confuse someone who didn't know pagespecs to think
that just http://* would moderate all comments to every page, or something
like that.
2010-05-18 13:36:51 -04:00
Joey Hess 7aa209f1ce Fix a bug that prevented matching deleted comments, and so did not update pages that had contained them.
Problem is that by the time rendering calls render_dependent, %pagesources
has had deleted files removed from it. So match_comment's lookup of
files in there to see if they had the _comment extension failed.

I had to introduce a hash that temporarily holds filenames of deleted pages
to fix this.

Note that unlike comment(), internal() had avoided this pitfall by being
defined to match both internal and non-internal pages.
2010-05-18 13:32:28 -04:00
Joey Hess facc77e109 force scalar context 2010-05-17 17:06:13 -04:00
Joey Hess 8e77dc1c9c fix typo 2010-05-15 23:54:00 -04:00
Joey Hess ff67a31db5 Revert "avoid showing comment post stuff on dynamic pages"
This reverts commit 4a6d5330e5.

That was too ugly, the DYNAMIC test on page.tmpl will avoid the problem
anyway -- just needs to be added.
2010-05-15 22:38:59 -04:00
Joey Hess 4a6d5330e5 avoid showing comment post stuff on dynamic pages
If the site is configured to allow comments on *, then the comment post
interface was being added to cgi pages like signin and prefs. This fixes it
w/o requiring more page.tmpl changes. The pagetemplate hook is called by
misctemplate with an empty page name for dynamic pages.
2010-05-15 22:28:07 -04:00
Joey Hess c8b34aa31c allow misctemplate callers to pass params to suppress actions etc
Suppress display of small search form on search results page, and of
Preferences link on prefs page.
2010-05-14 21:45:54 -04:00
Joey Hess 4c6fa6413f avoid showing redundant search box on search results page 2010-05-14 21:42:48 -04:00
Joey Hess f69c072d8a better misctemplate splitting sequence 2010-05-14 21:40:30 -04:00
Joey Hess 3dd98a3b3f put back recentchangesurl
On second thought, misctemplate can use pagetemplate hooks to provide
it, so it's better to keep back-compat, and allow full customisation
of how it's displayed via the template.
2010-05-14 20:38:08 -04:00
Joey Hess d80a649073 bugfix 2010-05-14 20:29:16 -04:00
Joey Hess bbe971881a refactor template actions 2010-05-14 20:20:41 -04:00
Joey Hess 377e82b16c we want the recentchanges link to be the first floating action 2010-05-14 20:10:18 -04:00
Joey Hess 5a4c95cc35 enable action bar on misctemplates
So RecentChanges shows on the action bar there,
convert recentchanges to use new pageactions hook,
with compatibility code to avoid breaking old templates.
2010-05-14 20:04:02 -04:00
Joey Hess 8ff761afa2 remove, rename: Add guards against XSRF attacks. 2010-05-14 14:21:45 -04:00
Joey Hess 031da9c134 po: guard against reimportation
If po is imported twice, bad things happen. Guard against that.

I'm not sure what causes the double import; I saw it when websetup did a
wiki rebuild. Carp failed to show a backtrace for the second call to
import.
2010-05-13 16:28:09 -04:00
Joey Hess bc0aa4d40e Use xhtml friendly pubdate setting. 2010-05-08 19:45:02 -04:00
Joey Hess c3e9215e1f moved non-openid signin form into same page as openid selector; show/hide as buttons are pressed 2010-05-08 15:57:39 -04:00
Joey Hess d0c17a4a46 calendar: Display year name in title of month calendar.
Also, fix relative month calculations.
2010-05-08 13:51:05 -04:00
Joey Hess fd817f9ac3 calendar: nextchange calculation bugfix
If a page had multiple calendars, the last one won and set nextchange.
That's wrong; the calendar that needs to next update soonest should win.
2010-05-08 12:52:19 -04:00
Joey Hess 0f778849c6 calendar: Allow negative month to be specified. -1 is last month, etc. (And also negative years.) 2010-05-08 12:45:21 -04:00
Joey Hess 937b24e0cf Merge branch 'master' into commentreorg 2010-05-07 22:30:42 -04:00
Joey Hess b8dcaf91d0 scale display form to match openid size 2010-05-07 21:48:50 -04:00
Joey Hess 8f6cfbfade Removed the openidsignup option. 2010-05-07 21:33:27 -04:00
Joey Hess 1e75389a85 bugfix
Always load IkiWiki::CGI so its cgi_signin is present, so we replace it.
2010-05-07 21:28:59 -04:00
Joey Hess dc0d48459c bugfix 2010-05-07 21:27:02 -04:00
Joey Hess c1e365abdc remove loginlabel, not used 2010-05-07 21:20:21 -04:00
Joey Hess f8c2a67b3c pretty openid login
* openid: Incorporated a fancy openid-selector signin form.
  (http://code.google.com/p/openid-selector/)
* openid: Use "openid_identifier" as the form field, as required
  by OpenID Authentication v2.0 spec.
2010-05-07 20:14:25 -04:00
Joey Hess 378c647768 patch hidden field setting code
Fixes http://code.google.com/p/openid-selector/issues/detail?id=11#c3
2010-05-07 19:10:50 -04:00
Joey Hess 2ee820dedd avoid linking directly to ikiwiki.cgi?do=signin
Instead, add a custom do=commentsignin, that calls cgi_signin.

This allows a plugin to inject a custom cgi_signin, that uses a different
do= parameter, and have it be used consistently. (This was the only
place to hardcode a link to do=signin.)
2010-05-07 17:11:23 -04:00
Joey Hess b50b549cab fix comment matching pagespecs
test isinternal first, because match_glob with internal => 1 also returns
non-internal pages that match. This order should also be faster.

Remove test to see if pagesources is set. isinternal will not succeed if it
is not.
2010-05-07 14:02:30 -04:00
Joey Hess fe8f4a7781 better wording 2010-05-07 13:55:08 -04:00
Joey Hess 2dfdadf10c bugfix 2010-05-07 13:47:29 -04:00
Joey Hess 8d3c89f0c7 bugfixes 2010-05-07 13:44:24 -04:00
Joey Hess be0c2df6db check that pagesources exists before testing 2010-05-07 13:28:14 -04:00
Joey Hess 8cd216d748 fix match_comment 2010-05-07 12:55:34 -04:00
Joey Hess 5e6ed10583 nasty update to ugly hack to allow comment() pagespecs to work 2010-05-07 12:43:51 -04:00
Joey Hess 3adb47ec4f Merge branch 'master' into commentreorg
Conflicts:
	debian/changelog
2010-05-07 12:42:38 -04:00
Joey Hess 915d9281db call delete hook even if only internal pages are deleted 2010-05-07 00:26:59 -04:00
Joey Hess 1678604fe3 avoid redir loop when going to an internal page that has no permalink 2010-05-07 00:22:05 -04:00
Joey Hess 575080d6ef respect permalinks 2010-05-06 23:28:40 -04:00
Joey Hess 14826ad927 Delete hooks are passed deleted internal pages.
Necessary so search can remove its indexes for internal pages.
But also, it seems it was an omission not to pass the deleted
pages before.
2010-05-06 23:25:27 -04:00
Joey Hess ea4967f184 inline: Call indexhtml when inlining internal pages, so their text can be indexed for searching. 2010-05-06 23:20:48 -04:00
Joey Hess 121e2ffc2f Renamed postscan hook to indexhtml, to reflect its changed position.
Probably only the search plugin uses it, so this seemed safe.
2010-05-06 23:14:36 -04:00
Joey Hess 4c320176c0 simplify formbuilder stylesheet specification
Since all forms are wrapped in a template that defines the actual
stylesheets, formbuilder just has to be told to turn on stylesheet mode,
not what file is the style sheet.
2010-05-06 22:27:12 -04:00
Joey Hess d3aaf6e01f fix pagediff to not display as "preview"
I think originally, the page preview header was not displayed,
so diff was hacked in using it.
2010-05-06 22:19:14 -04:00
Joey Hess d9d910f676 moved comments pending moderation
* comments: Comments pending moderation are now stored in the srcdir
  alongside accepted comments, but with a `._comment_pending` extension.
* This allows easier byhand moderation, as the "_pending" need
  only be stripped off and the comment be committed to version control.
* The `comment_pending()` pagespec can be used to match such unmoderated
  comments, which makes it easy to add a feed of them, or a counter
  indicating how many there are.
* Belatedly added a `comment()` pagespec.
2010-05-06 20:05:53 -04:00
Joey Hess cb2025af45 refactor 2010-05-05 22:41:23 -04:00
Joey Hess ee9a4e06fc rename ispage variable 2010-05-05 22:36:50 -04:00
Joey Hess 1193759568 remove unused indexlink function and template variable 2010-05-05 20:42:56 -04:00
Joey Hess 66c787658e remove unused 2010-05-05 18:53:03 -04:00
Joey Hess 8aa5f2d23e add ISPAGE variable to page.tmpl
Plugins will also be able to use this to tell if the template
is being used to generate a wiki page, when misctemplate starts
also using page.tmpl.
2010-05-05 18:17:25 -04:00
Joey Hess d0a5945000 Fixes a bug in skipping of illegal source files introduced in 3.20100427. 2010-05-04 20:26:17 -04:00
Joey Hess 76a5dbe7cb note that tcc workaround is for bug fixed in tcc now 2010-05-04 18:41:55 -04:00
Joey Hess ab575a4b69 graphviz: Fix display of preexisting images in preview mode. 2010-05-04 16:54:58 -04:00
Joey Hess 9699f16b51 websetup: Only display Setup button on admins' preferences page.
Renamed it from "Wiki Setup" to just "Setup" for good measure.
2010-05-03 13:59:43 -04:00
Joey Hess 0fc32c8b2f allow do=setup to log a user in if necessary 2010-05-03 13:46:52 -04:00
Joey Hess 2f22ee85e5 Add ACTIONS variable to page.tmpl, which allows plugins to add arbitrary links to the action bar without modifying the template further.
(COMMENTSLINK and DISCUSSIONLINK could be folded into this, but are kept
separate for now to avoid breaking modified templates.)
2010-05-03 12:46:52 -04:00
Joey Hess adf182669d add a missing space 2010-05-02 22:43:55 -04:00
Joey Hess 154732dc42 adapt comment.tmpl to html5
Note that I put comment-header in a <header> despite it being
below the comment. Using a <footer> would be confusing given
the class name. Also, the content is semantically closer to
a header than a footer.
2010-05-02 16:12:08 -04:00
Joey Hess 932fc0c25f use a div, not a p .. and in html5, a nav 2010-05-02 14:41:20 -04:00
Joey Hess b21df5029b Add placeholder text in search form (in html5 mode only). 2010-05-02 13:49:56 -04:00
Joey Hess 970373548f Add parameter to displaytime to specify that it is a pubdate, and in html5 mode, use time tag. 2010-05-02 13:44:13 -04:00
Joey Hess a547d26858 html5 option
* Ikiwiki can be configured to generate html5 instead of the default xhtml
  1.0. The html5 output mode is experimental, not yet fully standards
  compliant, and will be subject to rapid change.
2010-05-01 20:49:18 -04:00
Joey Hess ccafb10007 enable hidden attribute 2010-05-01 19:59:16 -04:00
Joey Hess 790a339db1 htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, ruby, rt, rp, details, summary. 2010-05-01 19:28:28 -04:00
Joey Hess f1e2d0af12 more html5 attributes 2010-05-01 19:11:03 -04:00
Joey Hess 78cee5140a add rest of html5 form attributes
It's easy to imagine pattern being used to freeze or crash browsers, if
they implement it stupidly. Let's hope not..
2010-05-01 18:44:37 -04:00
Joey Hess 80f9a2a087 add figure and figcaption 2010-05-01 18:31:33 -04:00
Joey Hess 0a139aba82 htmlscrubber: Allow the html5 form attributes: placeholder autofocus, min, max, step. 2010-05-01 18:27:53 -04:00
Joey Hess 442bc59a15 htmlscrubber: Allow the placeholder attribute. 2010-05-01 18:14:50 -04:00
Joey Hess 73c8209484 more html5
* htmlscrubber: Also allow html5 canvas tags.
* htmlscrubber: Round out html5 video support with the preload
  attribute and the source tag.
2010-05-01 17:56:35 -04:00
Joey Hess 80f2042464 htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup header footer time mark 2010-05-01 16:34:47 -04:00