Commit Graph

195 Commits (ff6433179e7b0d6d5c04ec09f648c619d16e4eb8)

Author SHA1 Message Date
Joey Hess 1715c0399e updated French translation 2008-05-30 18:17:50 -04:00
Joey Hess e943812dc9 hashed password support, and empty password security fix
This implements the previously documented hashed password support.

While implementing that, I noticed a security hole, which this commit
also fixes..
2008-05-30 17:35:34 -04:00
Joey Hess 6b68c6ff72 releasing version 2.47 2008-05-25 14:28:33 -04:00
Joey Hess 344b50d783 releasing version 2.46 2008-05-12 20:57:28 -04:00
Joey Hess b144831e46 pinger/pingee now tested and working 2008-05-06 19:06:53 -04:00
Joey Hess 1f88cad3a2 aggregate: Add support for web-based triggering of aggregation for people stuck on shared hosting without cron. (Sheesh.) Enabled via the `aggregate_webtrigger` configuration optiom. 2008-05-05 20:20:45 -04:00
Joey Hess 545054c356 releasing version 2.45 2008-05-05 15:17:44 -04:00
Joey Hess 3a9dfb8361 enhancesments for shared hosting
* Add a Bundle::Ikiwiki to the source for use with CPAN to install *all*
  the modules ikiwiki can use.
* Add a cpan directory containing a CPAN::MyConfig that can ease use of
  CPAN to install in a home directory on shared hosting providers.
* With these changes, it's pretty easy to install onto nearlyfreespeech.net
  and probably other shared hosting providers like dreamhost. Added
  a tip page documentng the process for nearlyfreespeech.
2008-05-05 14:51:26 -04:00
Joey Hess b2dea99417 Fix ugly display when editing a page that has vanished.
srcfile now has an optional second parameter to avoid it throwing an error
if the source file does not exist.
2008-05-02 13:02:07 -04:00
Joey Hess 41ee809bf7 releasing version 2.44 2008-04-24 13:52:32 -04:00
Joey Hess 18cb252e74 releasing version 2.43 2008-04-16 18:44:58 -04:00
Joey Hess 72b5ef2c5f Fix CSRF attacks against the preferences and edit forms. Closes: #475445
The fix involved embedding the session id in the forms, and not allowing the
forms to be submitted if the embedded id does not match the session id.

In the case of the preferences form, if the session id is not embedded,
then the CGI parameters are cleared. This avoids a secondary attack where the
link to the preferences form prefills password or other fields, and
the user hits "submit" without noticing these prefilled values.

In the case of the editpage form, the anonok plugin can allow anyone to edit,
and so I chose not to guard against CSRF attacks against users who are not
logged in. Otherwise, it also embeds the session id and checks it.

For page editing, I assume that the user will notice if content or commit
message is changed because of CGI parameters, and won't blndly hit save page.
So I didn't block those CGI paramters. (It's even possible to use those CGI
parameters, for good, not for evil, I guess..)

The only other CSRF attack I can think of in ikiwiki involves the poll plugin.
It's certianly possible to set up a link that causes the user to unknowingly
vote in a poll. However, the poll plugin is not intended to be used for things
that people would want to attack, since anyone can after all edit the poll page
and fill in any values they like. So this "attack" is ignorable.
2008-04-10 16:35:30 -04:00
Joey Hess f6bd81db15 Added a hardlink option in the setup file, useful if the source and dest are on the same filesystem and the wiki includes large media files, which would normally be copied, wasting time and space. 2008-03-29 21:02:47 -04:00
Joey Hess 862ca19eb1 truncate recentchangesdiffs after 200 lines
This works around a perl crasher bug, and also avoids bloating pages
with enormous diffs.

rcs_recentchanges modified to return a list in an array context.
2008-03-12 15:45:10 -04:00
Joey Hess f7bdc2385d * Use forcebaseurl to make page previews be displayed with the html base
set to the destination page. This avoids need for hacks to munge the urls
  in preview mode, which fixes several bugs.
* Several destpage fixes in plugins.
2008-03-12 14:21:48 -04:00
Joey Hess c9df38fe33 response 2008-03-03 16:01:16 -05:00
Joey Hess d93aaed791 * Add recentchangesdiff plugin that adds diffs to the recentchanges feeds.
* rcs_diff is a new function that rcs modules should implement.
* Implemented rcs_diff for git, svn, and tla (tla version untested).
  Mercurial and monotone still todo.
2008-03-03 15:53:34 -05:00
Joey Hess bd55d276b3 Fix links generated by preprocessor directives when previewing.
As was already done for linkfication, links generated in a prevew page
are relative to the top of the wiki, so it has to be told that the destpage
is there.

I was using "" to indicate this, but that may confuse some preprocessor
plugins, which treat parameters with an empry value specially (sparkline is one
such). Instead, use "/", which is more accurate anyway and works just as well.
2008-02-24 16:37:11 -05:00
Joey Hess d14bde197e * Disable taint checking for all builds as people keep complaining about it,
and since all versions of perl seem to be hopelessly broken.
2008-02-24 15:42:43 -05:00
Joey Hess 1de1fb15a0 * camelcase: Convert to use new linkify and scan hooks rather than the old
hack.
2008-02-11 23:04:19 -05:00
Joey Hess 4763514861 * Add the linkify and scan hooks. These hooks can be used to implement
custom, first-class types of wikilinks.
* Move standard wikilink implementation to a new wikilink plugin, which
  will of course be enabled by default.
2008-02-11 22:48:27 -05:00
Joey Hess 1eeb683f1a releasing version 2.31 2008-02-10 01:11:48 -05:00
Joey Hess 9d54cc4659 implement aggregate_locking design
Now aggregation will not lock the wiki. Any changes made during aggregaton are
merged in with the changed state accumulated while aggregating. A separate
lock file prevents multiple concurrent aggregators. Garbage collection
of orphaned guids is much improved. loadstate() is only called once
per process, so tricky support for reloading wiki state is not needed.

(Tested fairly thuroughly.)
2008-02-03 16:48:26 -05:00
Joey Hess ac58aa804e update po files 2008-02-03 15:02:34 -05:00
Joey Hess b3290c64ca announce no more mail notifications on this wiki 2008-01-29 18:48:01 -05:00
Joey Hess 3803266b8f merged the recentchanges branch
misc fixes
2008-01-29 17:50:11 -05:00
Joey Hess 64a8c828b8 * meta: Add pagespec functions to match against title, author, authorurl,
license, and copyright. This can be used to create custom RecentChanges.
* meta: To support the pagespec functions, metadata about pages has to be
  retained as pagestate.
* Fix encoding bug when pagestate values contained spaces.
2008-01-29 17:16:51 -05:00
Joey Hess 8b31c53366 added configuration for recentchanges
I kept it to a simple global configuration, rather than using the
preprocessor directive for recentchanges, because that had chicken and egg
problems and seemed overcomplicated. This should work reasonably well,
though it would be good to add some more metadata so that more customised
recentchanges pages can be made.
2008-01-29 15:51:32 -05:00
Joey Hess cabd5140c4 add code to delete old change pages 2008-01-29 15:22:23 -05:00
Joey Hess 85eb1abc61 typo 2008-01-29 04:45:54 -05:00
Joey Hess 01461d3537 releasing version 2.20 2008-01-10 14:58:47 -05:00
Joey Hess 141d363888 In preferences, allow the subscriptions and email fields to be cleared 2008-01-09 17:59:56 -05:00
Joey Hess 2b9ce0129b * mdwn: When htmlizing text, if it's a single line with no newline,
remove the enclosing paragraph and newline markdown wraps it in.
  This allows removing several hacks around this markdown behavior from
  other plugins that htmlize fragements of pages.
2008-01-09 14:35:23 -05:00
Joey Hess 57ff2ecaed * template: Remove bogus htmlize pass added in 2.16.
* template: Htmlize template variables, but also provide a raw version
  via `<TMPL_VAR raw_variable>`.
2008-01-09 14:17:25 -05:00
Joey Hess 8e1b4c00f6 update po 2008-01-09 02:42:58 -05:00
Joey Hess c487b847e2 * Improved the canedit hook interface, allowing a callback function to be
returned (and not run in some cases) rather than the plugins directly
  forcing a user to log in.
* opendiscussion: allow editing of the toplevel discussion page,
  and, indirectly, allow creating new discussion pages.
2008-01-07 16:34:13 -05:00
Joey Hess e5ecdba4c3 releasing version 2.18 2008-01-05 02:26:24 -05:00
Joey Hess 41234a3f0f round days old message 2008-01-02 23:38:45 -05:00
Joey Hess 6b8a7a6bee releasing version 2.17 2007-12-30 15:04:25 -05:00
Joey Hess f0f52e602d * aggregate: Fix stupid mistake introduced when converting it to use
the needsbuild hook. This resulted in feeds not being removed when pages
  were updated, and probably other bugs.
* aggregate: Avoid uninitialised value warning when removing a feed that
  has an expired guid.
2007-12-30 14:49:25 -05:00
Joey Hess c2afda7f90 * img: Allow the link parameter to point to an exterior url. 2007-12-28 16:14:43 -05:00
Joey Hess 0a26c630eb releasing version 2.16 2007-12-18 19:50:40 -05:00
Joey Hess dd0b844477 further improve the .. regexp 2007-12-17 13:53:51 -05:00
Joey Hess 90bce7d139 * Don't refuse to render files with ".." in their name. (Anchor the regexp.) 2007-12-17 13:37:19 -05:00
Joey Hess f40c6928f4 * Re-organise dependencies and recommends now that recommends are installed
by default.
2007-12-16 17:16:56 -05:00
Joey Hess 58f1ef0784 * git: Correct display of multiline commit messages in recentchanges. 2007-12-16 16:52:39 -05:00
Joey Hess c3fed25ad4 * brokenlinks: Don't list the same link multiple times. (%links might
contain multiple copies of the same link)
2007-12-16 16:42:18 -05:00
Joey Hess 96817b0032 * meta: Drop support for "meta link", since supporting this for internal
links required meta to be run during scan, which complicated its data
  storage, since it had to clear data stored during the scan pass to avoid
  duplicating it during the normal preprocessing pass.
* If you used "meta link", you should switch to either "meta openid" (for
  openid delegations), or tags (for internal, invisible links). I assume
  that nobody really used "meta link" for external, non-openid links, since
  the htmlscrubber ate those. (Tell me differently and I'll consider bringing
  back that support.)
* meta: Improved data storage.
* meta: Drop the hackish filter hook that was used to clear
  stored data before preprocessing, this hack was ugly, and broken (cf:
  liw's disappearing openids).
* aggregate: Convert filter hook to a needsbuild hook.
2007-12-16 15:56:09 -05:00
Joey Hess 10a2895b3b * shortcut: Expand %S to the raw input text, not url-encoded. 2007-12-12 16:50:29 -05:00
Joey Hess c8cb931890 reorg 2007-12-09 00:05:07 -05:00