summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2008-04-10Fix broken rcs_update for bzr. (Scott Bronson)Joey Hess
2008-04-10Fix missing import of escapeHTML in userlink. (Scott Bronson)Joey Hess
2008-04-10responseJoey Hess
2008-04-10add news item for ikiwiki 2.42Joey Hess
2008-04-10releasing version 2.42Joey Hess
2008-04-10Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.infoJoey Hess
2008-04-10perl dumping core is not an ikiwiki bug, sorryJoey Hess
2008-04-10web commit by http://joey.kitenet.net/: testJoey Hess
2008-04-10Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.infoJoey Hess
2008-04-10Fix CSRF attacks against the preferences and edit forms. Closes: #475445Joey Hess
The fix involved embedding the session id in the forms, and not allowing the forms to be submitted if the embedded id does not match the session id. In the case of the preferences form, if the session id is not embedded, then the CGI parameters are cleared. This avoids a secondary attack where the link to the preferences form prefills password or other fields, and the user hits "submit" without noticing these prefilled values. In the case of the editpage form, the anonok plugin can allow anyone to edit, and so I chose not to guard against CSRF attacks against users who are not logged in. Otherwise, it also embeds the session id and checks it. For page editing, I assume that the user will notice if content or commit message is changed because of CGI parameters, and won't blndly hit save page. So I didn't block those CGI paramters. (It's even possible to use those CGI parameters, for good, not for evil, I guess..) The only other CSRF attack I can think of in ikiwiki involves the poll plugin. It's certianly possible to set up a link that causes the user to unknowingly vote in a poll. However, the poll plugin is not intended to be used for things that people would want to attack, since anyone can after all edit the poll page and fill in any values they like. So this "attack" is ignorable.
2008-04-10fix what I think is a typoJoey Hess
2008-04-10web commit by http://joey.kitenet.net/: oops :-)Joey Hess
2008-04-10web commit by http://joey.kitenet.net/Joey Hess
2008-04-10web commit by ScottSwalwell: Fixed my fix.Joey Hess
2008-04-10web commit by ScottSwalwell: Fixed this link.Joey Hess
2008-04-10web commit by cjb: Fixed URLJoey Hess
2008-04-10web commit by cjb: TaggedJoey Hess
2008-04-10web commit by cjb: Suggested patch for 302 redirect after page creation when ↵Joey Hess
using bzr
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/: poll vote (Accept only OpenID for ↵Joey Hess
logins)
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-09web commit by http://sabr.myopenid.com/Joey Hess
2008-04-08web commit by ittaydJoey Hess
2008-04-08web commit by http://sabr.myopenid.com/Joey Hess
2008-04-08web commit by http://sabr.myopenid.com/Joey Hess
2008-04-08web commit by http://sabr.myopenid.com/Joey Hess
2008-04-08Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.infoJoey Hess
2008-04-08web commit by http://xayk.net/Joey Hess
(cherry picked from commit 146b3d9ac2754112e7c6c63f7c2e783ac2bf4dbe)
2008-04-08web commit by http://sabr.myopenid.com/Joey Hess
(cherry picked from commit 8e4a0640c591df95810fe94ab62521030134823b)
2008-04-08web commit by cjb: Trivial syntax bug.Joey Hess
2008-04-04web commit by http://cstork.org/: poll vote (Accept only OpenID for logins)Joey Hess
2008-04-03need to handle urls to images the sameJoey Hess
Also, simplified finding the url to the top of the site.
2008-04-03Bug#473987: [PATCH] Links relative to baseurl mangled in atom/rss feedsManoj Srivastava
tag 473987 +patch thanks Hi, The issue is that we need to convert relative links to absolute ones for atom and rss feeds -- but there are two types of relative links. The first kind, relative to the current document ( href="some/path") is handled correctly. The second kind of relative url is is relative to the http server base (href="/semi-abs/path"), and that broke. It broke because we just prepended the url of the current document to the href (http://host/path/to/this-doc/ + link), which gave us, in the first place: http://host/path/to/this-doc/some/path [correct], and http://host/path/to/this-doc//semi-abs/path [wrong] The fix is to calculate the base for the http server (the base of the wiki does not help, since the base of the wiki can be different from the base of the http server -- I have, for example, "url => http://host.name.mine/blog/manoj/"), and prepend that to the relative references that start with a /. This has been tested. Signed-off-by: Manoj Srivastava <srivasta@debian.org>
2008-04-03Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.infoJoey Hess
2008-04-03aggregate: Correct a mistake in the code that dummy up a guid for feeds ↵Joey Hess
lacking one.
2008-04-02web commit by http://inthemedium.myopenid.com/: poll vote (Accept only ↵Joey Hess
OpenID for logins)
2008-04-02many thanks to madduck for his donationJoey Hess
2008-04-02web commit by http://montyz.livejournal.com/: more make woesJoey Hess