Diffstat (limited to 'doc')
-rw-r--r-- doc/bugs/attachment:_escaping_underscores_in_filename__63__.mdwn 3
-rw-r--r-- doc/bugs/markdown_bug:_email_escaping_and_plus_addresses.mdwn 36
-rw-r--r-- doc/bugs/ssl_certificates_not_checked_with_openid.mdwn 16
-rw-r--r-- doc/bugs/toggle_fails_on_Safari.mdwn 58
-rw-r--r-- doc/download.mdwn 4
-rw-r--r-- doc/todo/Bestdir_along_with_bestlink_in_IkiWiki.pm/discussion.mdwn 6
-rw-r--r-- doc/todo/Moving_Pages.mdwn 13
-rw-r--r-- doc/todo/done.mdwn 2
-rw-r--r-- doc/todo/mercurial.mdwn 1
-rw-r--r-- doc/todo/rcs_updates_needed_for_rename_and_remove.mdwn 4
-rw-r--r-- doc/users/ptecza.mdwn 9
11 files changed, 143 insertions, 9 deletions
diff --git a/doc/bugs/attachment:_escaping_underscores_in_filename__63__.mdwn b/doc/bugs/attachment:_escaping_underscores_in_filename__63__.mdwn
index d7d101700..4ce4ac5ee 100644
--- a/doc/bugs/attachment:_escaping_underscores_in_filename__63__.mdwn
+++ b/doc/bugs/attachment:_escaping_underscores_in_filename__63__.mdwn
@@ -17,3 +17,6 @@ Is it a bug or security feature? --[[Paweł|ptecza]]
>> (`myisam__95__vs__95__ndb` instead of `myisam_vs_ndb`). --[[Paweł|ptecza]]
> [[done]], uses `linkpage` now.
+
+>> It's seems that now Ikiwiki doesn't escape the filenames with underscore(s).
+>> Thank you very much for the fast fix! --[[Paweł|ptecza]]
diff --git a/doc/bugs/markdown_bug:_email_escaping_and_plus_addresses.mdwn b/doc/bugs/markdown_bug:_email_escaping_and_plus_addresses.mdwn
new file mode 100644
index 000000000..8efd6da57
--- /dev/null
+++ b/doc/bugs/markdown_bug:_email_escaping_and_plus_addresses.mdwn
@@ -0,0 +1,36 @@
+compare:
+
+ * <jon+markdownbug@example.org>
+ * <jon.markdownbug@example.org>
+
+* <jon+markdownbug@example.org>
+* <jon.markdownbug@example.org>
+
+It seems putting a '+' in there throws it. Maybe it's a markdown bug, or maybe the obfuscation markdown applies to email-links is being caught by the HTML sanitizer.
+
+ -- [[JonDowland]]
+
+> It's a markdown bug. For some reason, markdown doesn't recognize the email with a '+' as an email:
+>
+> $ echo '<a+b@c.org>' | markdown
+> <p><a+b@c.org></p>
+>
+> htmlscrubber then (rightly) removes this unknown tag.
+>
+
+>> Filed [in CPAN](http://rt.cpan.org/Ticket/Display.html?id=37909) --[[Joey]] [[tag done]]
+
+> But I've noticed some other Text::Markdown bugs that, even with htmlscrubber, produce
+> [ill-formed (X)HTML](http://validator.w3.org/check?uri=http%3A%2F%2Fikiwiki.info%2Fbugs%2Fmarkdown_bug%3A_email_escaping_and_plus_addresses%2F).
+> (View the markdown source of this page.)
+>
+> --Gabriel
+
+>> The htmlscrubber does not attempt to produce valid html from invalid. It
+>> attempts to prevent exploits in html. The tidy plugin can force html to
+>> valid. --[[Joey]]
+
+<tt>
+
+-
+>
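Review bot: the trailing `<tt>`, `-` and `>` lines at the end of the new file have no explanation in the page source. The only hint is the earlier "(View the markdown source of this page.)", so a later editor is likely to delete them as junk. Add one sentence above them saying they are the deliberate sample that produces the ill-formed output, or move them into an indented code block with the expected and actual rendering next to it, the way the `echo '<a+b@c.org>' | markdown` case is shown.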
diff --git a/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn b/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn
index cb4c706f0..e3bd56cfd 100644
--- a/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn
+++ b/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn
@@ -12,6 +12,10 @@ For now, I want to try and resolve the issues with net\_ssl\_test, and run more
> ikiwiki) performing any sanity checking of the openid server. All the
> security authentication goes on between your web browser and the openid
> server. This may involve ssl, or not.
+>
+>> Note that I'm not an openid expert, and the above may need to be taken
+>> with a grain of salt. I also can make no general statements about openid
+>> being secure. ;-) --[[Joey]]
>
> For example, my openid is "http://joey.kitenet.net/". If I log in with
> this openid, ikiwiki connects to that http url to determine what openid
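Review bot: the added `>>` caveat does not say which statement in the paragraph above it is uncertain. On a page titled as a certificate-checking bug, readers will take that paragraph as the project's answer, so name the claim that has not been verified (that ikiwiki does no sanity checking of the openid server, or that all authentication happens between the browser and the server). The caveat also lands in the middle of the explanation, ahead of the "For example, my openid is" paragraph it qualifies; it reads better after the example ends.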
@@ -34,3 +38,15 @@ For now, I want to try and resolve the issues with net\_ssl\_test, and run more
>> for use by ikiwiki and the rest is simple.
>> -- Brian May
+
+>>> I guess that the place to add SSL cert checking would be in either
+>>> [[cpan LWPx::ParanoidAgent]] or [[cpan Net::OpenID::Consumer]]. Adding
+>>> it to ikiwiki itself, which is just a user of those libraries, doesn't
+>>> seem right.
+>>>
+>>> It's not particularly clear to me how a SSL cert can usefully be
+>>> checked at this level, where there is no way to do anything but
+>>> succeed, or fail; and where the extent of the check that can be done is
+>>> that the SSL cert is issued by a trusted party and matches the domain name
+>>> of the site being connected to. I also don't personally think that SSL
+>>> certs are the right fix for DNS poisoning issues. --[[Joey]]
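Review bot: the new reply names [[cpan LWPx::ParanoidAgent]] or [[cpan Net::OpenID::Consumer]] as the place for certificate checking, but the hunk adds no link to an upstream report and no status tag, so the page does not show whether the bug stays open here or has been handed upstream. The markdown bug page in this same commit links its CPAN ticket; do the same here, or say that nothing has been filed yet. It would also help to state what ikiwiki does today when the identity URL is https and the certificate does not match, since "succeed, or fail" is the behaviour the reporter is asking about.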
diff --git a/doc/bugs/toggle_fails_on_Safari.mdwn b/doc/bugs/toggle_fails_on_Safari.mdwn
new file mode 100644
index 000000000..25f62e088
--- /dev/null
+++ b/doc/bugs/toggle_fails_on_Safari.mdwn
@@ -0,0 +1,58 @@
+The [[plugins/toggle]] plugin has no effect when viewed on the Safari web browser.
+
+All toggles appear open all the time.
+
+I don't know if this is true for other webkit browsers (the new Konqueror, the iPhone, etc).
+I'm currently testing in the Safari nightly builds, but I've seen the bug in the current release
+of Safari too.
+
+Looking at the Safari Web Inspector, it believes there is a parse error on line 47 of the
+[[news]] page. This is the definition of the getElementsByClass(class) function.
+
+ 45 }
+ 46
+ 47 function getElementsByClass(class) {
+ SyntaxError: Parse error
+ 48 var ret = new Array();
+
+> Reproduced in epiphany-webkit on debian.
+>
+> Also noticed something interesting when I opened the page in vim. It
+> highlighted the "class" like a type definition, not a variable. Sure
+> enough, replacing with "c" fixed it.
+>
+> I wonder if webkit is actually in the right here, and using a reseved
+> word like, presumably, "class" as a variable name is not legal. As I try
+> to ignore javascript as much as possible, I can't say. [[done]] --[[Joey]]
+
+>> I also started having a look at this. I found the same issue with the
+>> the variable 'class'. I'm not a javascript guru so I looked on the web
+>> at other implementations of getElementsByClass() and noticed some
+>> things that we might use. I took a bunch of different ideas and came
+>> up with this:
+
+ function getElementsByClass(cls, node, tag) {
+ if (document.getElementsByClass)
+ return document.getElementsByClass(cls, node, tag);
+ if (! node) node = document;
+ if (! tag) tag = '*';
+ var ret = new Array();
+ var pattern = new RegExp("(^|\\s)"+cls+"(\\s|$)");
+ var els = node.getElementsByTagName(tag);
+ for (i = 0; i < els.length; i++) {
+ if ( pattern.test(els[i].className) ) {
+ ret.push(els[i]);
+ }
+ }
+ return ret;
+ }
+
+>> Most of the changes are minor, except that this one will use the
+>> built in function if it is available. That is likely to be significantly
+>> faster. Adding the extra parameters doesn't cause a problem --
+>> they're filled in with useful defaults.
+
+>> I don't know if it is worth making this change, but it is there if you want it.
+
+>>> Well, it seems to work. Although god only knows about IE. Suppose I
+>>> might as well.. --[[Joey]]
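Review bot: the feature test at the top of the proposed function, `if (document.getElementsByClass)`, checks a name that is not a DOM method, so the "built in" fast path described in the follow-up text never runs. The native method is `getElementsByClassName`, and it takes only the class name, so forwarding `(cls, node, tag)` to it would drop the node and tag filters; call it on `node` and filter by tag afterwards, or remove the branch. Two smaller points in the same block: `for (i = 0; ...)` declares no `var`, so `i` leaks into the global scope, and `cls` is concatenated into the `RegExp` unescaped, so a class name containing regex metacharacters will match the wrong elements.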
diff --git a/doc/download.mdwn b/doc/download.mdwn
index e35cc0a45..98defb382 100644
--- a/doc/download.mdwn
+++ b/doc/download.mdwn
@@ -24,8 +24,8 @@ Or download the deb from <http://packages.debian.org/unstable/web/ikiwiki>.
There is a backport of a recent version of ikiwiki for Debian 4.0 at
<http://packages.debian.org/etch-backports/ikiwiki>.
-There is also an unofficial backport of ikiwiki for Ubuntu Gutsy
-and Ubuntu Hardy, provided by Paweł Tęcza,
+There is also an unofficial backport of ikiwiki for Ubuntu Hardy, provided by
+[[Paweł_Tęcza|users/ptecza]],
at [http://gpa.net.icm.edu.pl/ubuntu/](http://gpa.net.icm.edu.pl/ubuntu/index-en.html).
FreeBSD has ikiwiki in its
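Review bot: the reworded sentence sends readers to an unofficial package archive over plain `http://` and says nothing about how to check what they download. Say whether the archive is signed and where its key can be obtained, or point to the source package so users can rebuild it themselves. The sentence now links the provider's user page, which is a good place for that information if it does not belong here.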
diff --git a/doc/todo/Bestdir_along_with_bestlink_in_IkiWiki.pm/discussion.mdwn b/doc/todo/Bestdir_along_with_bestlink_in_IkiWiki.pm/discussion.mdwn
new file mode 100644
index 000000000..d473bc3ad
--- /dev/null
+++ b/doc/todo/Bestdir_along_with_bestlink_in_IkiWiki.pm/discussion.mdwn
@@ -0,0 +1,6 @@
+- Is there some implicit license for patches posted on the wiki?
+ I would like to maybe use this in [[todo/mbox]] --[[DavidBremner]]
+
+> If it's not clear to me that a patch is a derivative work of ikiwiki, I
+> always ask for a license clarification before adding it to ikiwiki.
+> --[[Joey]]
diff --git a/doc/todo/Moving_Pages.mdwn b/doc/todo/Moving_Pages.mdwn
index 61f2663e0..bd6507dd0 100644
--- a/doc/todo/Moving_Pages.mdwn
+++ b/doc/todo/Moving_Pages.mdwn
@@ -205,3 +205,16 @@ Cases to consider:
Update: Meh. It's certianly not ideal; if Bob tries to save the page he
uploaded the attachment to, he'll get a message about it having been
deleted/renamed, and he can try to figure out what to do... :-/
+* I don't know if this is a conflict, but it is an important case to consider;
+ you need to make sure that there are no security holes. You dont want
+ someone to be able to rename something to <code>/etc/passwd</code>.
+ I think it would be enough that you cannot rename to a location outside
+ of srcdir, you cannot rename to a location that you wouldn't be able
+ to edit because it is locked, and you cannot rename to an existing page.
+
+ > Well, there are a few more cases (like not renaming to a pruned
+ > filename, and not renaming _from_ a file that is not a known source
+ > file or is locked), but yes, that's essentially it.
+ >
+ > PS, the first thing I do to any
+ > web form is type /etc/passwd and ../../../../etc/passwd into it. ;-) --[[Joey]]
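Review bot: the rename conditions end up split between the new bullet and the quoted reply under it, which makes them easy to miss when the feature is implemented and tested. Collect them into one list under "Cases to consider": destination inside srcdir, destination not locked, destination not an existing page, destination not a pruned filename, source a known source file, source not locked. State as well that the srcdir check applies to the destination after `..` components are resolved, since `../../../../etc/passwd` is one of the two inputs the reply itself names. Also, "dont" in the bullet should be "don't".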
diff --git a/doc/todo/done.mdwn b/doc/todo/done.mdwn
index ed161fb5b..7fcbe44b6 100644
--- a/doc/todo/done.mdwn
+++ b/doc/todo/done.mdwn
@@ -1,3 +1,3 @@
recently fixed [[TODO]] items
-[[!inline pages="link(todo/done) and !todo and !*/Discussion" sort=mtime show=10]]
+[[!inline pages="link(todo/done) and !todo and !*/Discussion" sort=mtime show=10 archive=yes]]
diff --git a/doc/todo/mercurial.mdwn b/doc/todo/mercurial.mdwn
index 77b538c02..f0dbf9806 100644
--- a/doc/todo/mercurial.mdwn
+++ b/doc/todo/mercurial.mdwn
@@ -1,4 +1,3 @@
-* rcs_notify is not implemented (not needed in this branch --[[Joey]])
* Is the code sufficiently robust? It just warns when mercurial fails.
* When rcs_commit is called with a $user that is an openid, it will be
passed through to mercurial -u. Will mercurial choke on this?
diff --git a/doc/todo/rcs_updates_needed_for_rename_and_remove.mdwn b/doc/todo/rcs_updates_needed_for_rename_and_remove.mdwn
index 02c935b4f..412f94804 100644
--- a/doc/todo/rcs_updates_needed_for_rename_and_remove.mdwn
+++ b/doc/todo/rcs_updates_needed_for_rename_and_remove.mdwn
@@ -1,5 +1,5 @@
I've added three new functions to the ikiwiki VCS interface to support
-renaming and removing files using the web interface. The bzr, mercurial,
-monotone, and tla [[rcs]] backends need implementions of these functions.
+renaming and removing files using the web interface. The bzr,
+mercurial, and tla [[rcs]] backends need implementions of these functions.
(The maintainers of these backends have been mailed. --[[Joey]])
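Review bot: the rewrapped line `mercurial, and tla [[rcs]] backends need implementions of these functions.` still has "implementions" for "implementations"; fix it while the line is being touched. The hunk also drops monotone from the list without saying that its backend now provides the three functions; a short note to that effect would make the reason for the change clear to the other backend maintainers.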
diff --git a/doc/users/ptecza.mdwn b/doc/users/ptecza.mdwn
index 97d63ab94..3f6fd39e8 100644
--- a/doc/users/ptecza.mdwn
+++ b/doc/users/ptecza.mdwn
@@ -13,6 +13,9 @@ but now I rather prefer Ubuntu, because it has faster release cycle
than Debian and I don't want to wait more then 1 year for new stable
release.
-I'm also author of ikiwiki backports for Debian 'sarge'. You can find
-this and another my backports at
-[public GPA's Debian packages archive](http://gpa.net.icm.edu.pl/debian/).
+I'm also author of unofficial ikiwiki backports. In the past I was
+rebuilding ikiwiki source package for Debian Sarge and Ubuntu Gutsy.
+Now I do the same for Ubuntu Hardy. You can find this and another
+my backports at [public GPA's Ubuntu packages archive](http://gpa.net.icm.edu.pl/ubuntu/).
+
+I love using Ikiwiki and bug reporting ;)