summaryrefslogtreecommitdiff
path: root/IkiWiki/CGI.pm
AgeCommit message (Collapse)Author
2008-07-06editpage escaping fixesJoey Hess
* The editpage form now uses the raw page name, not the page title, in its 'page' cgi parameter. Using the title was ambiguous and made it impossible to tell between some pages, like "foo/bar" and "foo__47__bar", sometimes causing the wrong page to be edited. * This change means that some edit links need to be updated. Force a rebuild on upgrade to this version. * Above change also allowed really fixing escaped slashes from the blogpost form.
2008-07-01better approach for cgi upload disablingJoey Hess
Make it a config setting, this way subtle load order issues don't come into play. (As much?)
2008-07-01simplificationJoey Hess
2008-06-30disable cgi uploads earlierJoey Hess
This allows plugins that want to enable uploads to do so by changing the value of $CGI::DISABLE_UPLOADS at some point before the cgi hook is run.
2008-06-30remove unused editpage titleJoey Hess
The title was set to editpage, but then always changed. And some code tested for this. Remove this dead code.
2008-06-30Configure CGI.pm to disable file uploads by default.Joey Hess
2008-06-28call format hooks when generating page previewsJoey Hess
* toc: Revert change in 2.45 that made it run at sanitize time. This breaks use of toc in a sidebar. * Call format hooks when generating page previews, thus fixing toc display there, as well as fixing inlins to again display in page previews, since it's started using format hooks. This also allows several other things, like embed, that use format hooks, to work during page preview time. * Format hooks should not rely on getting an entire html document, as they will only get the body during page preview. * toggle: Deal with preview mode when adding javascript.
2008-06-04Pass a destpage parameter to the sanitize hook.Joey Hess
Because the search plugin needed it, also because it's one of the few plugins that didn't already have it. I also considered adding it to htmlize, but I really cannot imagine caring what the destpage is when htmlizing. (I'll probably be poven wrong later.)
2008-05-21Perls older than 5.10 need to use the old method of decoding utf-8 in CGI ↵Joey Hess
values. Neither method will work for all versions of perl, so check version number at runtime.
2008-05-21display an error message if CGI::Session fails to loadJoey Hess
2008-05-12Fixes for behavior changes in perl 5.10's CGIJoey Hess
Something has changed in CGI.pm in perl 5.10. It used to not care if STDIN was opened using :utf8, but now it'll mis-encode utf-8 values when used that way by ikiwiki. Now I have to binmode(STDIN) before instantiating the CGI object. In 57bba4dac132a06729eeec809f5e1a5adf829806, I changed from decoding CGI::Formbuilder fields to utf-8, to decoding cgi parameters before setting up the form object. As of perl 5.10, that approach no longer has any effect (reason unknown). To get correctly encoded values in FormBuilder forms, they must once again be decoded after the form is set up. As noted in 57bba4da, this can cause one set of problems for formbuilder_setup hooks if decode_form_utf8 is called before the hooks, and a different set if it's called after. To avoid both sets of problems, call it both before and after. (Only remaining problem is the sheer ugliness and inefficiency of that..) I think that these changes will also work with older perl versions, but I haven't checked. Also, in the case of the poll plugin, the cgi parameter needs to be explcitly decoded before it is used to handle utf-8 values. (This may have always been broken, not sure if it's related to perl 5.10 or not.)
2008-05-02Fix ugly display when editing a page that has vanished.Joey Hess
srcfile now has an optional second parameter to avoid it throwing an error if the source file does not exist.
2008-04-10Fix CSRF attacks against the preferences and edit forms. Closes: #475445Joey Hess
The fix involved embedding the session id in the forms, and not allowing the forms to be submitted if the embedded id does not match the session id. In the case of the preferences form, if the session id is not embedded, then the CGI parameters are cleared. This avoids a secondary attack where the link to the preferences form prefills password or other fields, and the user hits "submit" without noticing these prefilled values. In the case of the editpage form, the anonok plugin can allow anyone to edit, and so I chose not to guard against CSRF attacks against users who are not logged in. Otherwise, it also embeds the session id and checks it. For page editing, I assume that the user will notice if content or commit message is changed because of CGI parameters, and won't blndly hit save page. So I didn't block those CGI paramters. (It's even possible to use those CGI parameters, for good, not for evil, I guess..) The only other CSRF attack I can think of in ikiwiki involves the poll plugin. It's certianly possible to set up a link that causes the user to unknowingly vote in a poll. However, the poll plugin is not intended to be used for things that people would want to attack, since anyone can after all edit the poll page and fill in any values they like. So this "attack" is ignorable.
2008-03-17* Record new pages in %pagesources temporarily when previewing so thatJoey Hess
things that need to know the page source or type can query it from there. Fixes previewing of tables when creating a new page.
2008-03-12* Use forcebaseurl to make page previews be displayed with the html baseJoey Hess
set to the destination page. This avoids need for hacks to munge the urls in preview mode, which fixes several bugs. * Several destpage fixes in plugins.
2008-02-24Fix links generated by preprocessor directives when previewing.Joey Hess
As was already done for linkfication, links generated in a prevew page are relative to the top of the wiki, so it has to be told that the destpage is there. I was using "" to indicate this, but that may confuse some preprocessor plugins, which treat parameters with an empry value specially (sparkline is one such). Instead, use "/", which is more accurate anyway and works just as well.
2008-02-14* Preview limits the page dropdown to what's selected previouslyJoey Hess
(as preserving the full list across preview would be tricky). Userdirs were still being offered as an option there, remove them. * Fix a bug where user A created a page concurrently with user B, and when B previewed it would redirect B to A's new page, losing B's work. Instead, don't redirect and let conflict handling resolve it.
2008-02-03move saveindex call into preview blockJoey Hess
This call is only present to handle the case where previewing a page actually causes files to be rendered.
2008-02-03remove another commit mail mentionJoey Hess
2008-02-03* cgi hooks are now run before ikiwiki state is loaded.Joey Hess
* This allows locking the wiki before loading state, which avoids some tricky locking code when saving a web edit.
2008-01-29non-tabular recentchanges displayJoey Hess
Doesn't look as good as the old table, but works as a rss feed.
2008-01-29* Removed support for sending commit notification mails. Along with it wentJoey Hess
the svnrepo and notify settings, though both will be ignored if left in setup files.
2008-01-28support for internal-use page typesJoey Hess
If a page type starts with an underscore, hide it from the list of page types in the edit form, and don't allow editing pages of that type. This allows for plugins to add page types for internal use.
2008-01-28move userlink to IkiWiki.pmJoey Hess
I have a plugin that needs to use userlink.
2008-01-28change rcs_recentchanges when to absolute, not relative, timeJoey Hess
No point in using a relative time value in rcs_recentchanges. Different consumers of the info want different things.
2008-01-09In preferences, allow the subscriptions and email fields to be clearedJoey Hess
2008-01-07add explicit test for do=postsigninJoey Hess
This happens when openid auth fails in certian ways
2008-01-07fixesJoey Hess
2008-01-07* Improved the canedit hook interface, allowing a callback function to beJoey Hess
returned (and not run in some cases) rather than the plugins directly forcing a user to log in. * opendiscussion: allow editing of the toplevel discussion page, and, indirectly, allow creating new discussion pages.
2008-01-07* Only try postsignin if no other action matched. Fixes a bug where theJoey Hess
user goes back from the signin screen and does something else. * Improve behavior when trying to sign in with no cookies.
2008-01-05fix an uninitialised value warningJoey Hess
2008-01-01* Stop testing Encode::is_utf8 in decode_form_utf8: That doesn't work.Joey Hess
* decode_form_utf8 only fixed the utf-8 encoding for fields that were registered at the time it was called, which was before the formbuilder_setup hook. Fields added by the hook didn't get decoded. But it can't be put after the hook either, since plugins using the hook need to be able to use form values. To fix this dilemma, it's been changed to a decode_cgi_utf8, which is called on the cgi query object, before the form is set up, and decodes *all* cgi parameters.
2007-12-12* Allow editing a page and deleting all content, while still disallowingJoey Hess
creating a new page that's entirely empty.
2007-12-12* Ensure that web edited pages always end in a newline.Joey Hess
2007-12-12* Change formbuilder hook to not be responsible for displaying a form,Joey Hess
so that more than one plugin can use this hook. I believe this is a safe change, since only passwordauth uses this hook. (If some other plugin already used it, it would have broken passwordauth!)
2007-12-08MAJOR basewiki reorgJoey Hess
Including redir pages for the moved basewiki pages. These will be removed in a future release.
2007-10-10* In the cgi edit path, reload the index file before rendering. A bugjoey
showed up where a web edit that added a page caused a near-concurrent web edit to fail in will_render. While it would be hard to reproduce this, my analysis is that the failing cgi started first, loaded the index file (prior to locking) then the other cgi created the new page and rendered it, and then the failing cgi choked on the new file when _it_ tried to render it. Ensuring that the index file is loaded after taking the lock will avoid this bug.
2007-09-22* Save index after previewing page edit, since even previewing can createjoey
files in some situations, and this is appropriate in some cases, such as the teximg plugin's error log file. Such files will be automatically cleaned up at an appopriate later time.
2007-08-28* Support for looking in multiple directories for underlay files.joey
* Plugins can add new directories to the search path with the add_underlay function. * Split out smiley underlay files into a separate underlay, so if the plugin isn't used, the wiki isn't bloated with all those files.
2007-08-26* Add an editcontent hook.joey
2007-08-22* Call the formbuilder hook for the edit page.joey
* Call decode_form_utf8 before running formbuilder_setup hooks. * Add editdiff plugin contributed by Jeremie Koenig. * Fix it to not leak path info.
2007-08-17* Applied Jeremie Koenig's pluggable editpage buttons patch:joey
- add a title to the editpage form; - pass a reference to the list of buttons to the formbuilder_setup hooks, so we can add ours; - relax asumption about the possible submit values (use "Save Page" explicitly); - de-hardcode the submit buttons from the editpage template (This was needed for compatability with a bug in CGI::FormBuilder 3.0401, but ikiwiki already needs a newer version.) * Pass buttons to all other formbuilder_setup hooks too.
2007-08-15proper fix for adding file, based on jkoenig's patchjoey
2007-08-14* Fix bug when editing file from underlaydir, need to rcs_add it even thoughjoey
a page creation isn't occuring.
2007-08-14* Fix bug in deletion/move during edit code introduced in 1.44. Need to takejoey
the underlaydir into account.
2007-08-14Remove two header => 1 settings that were overridden by later header => 0joey
2007-08-05* Move blog form code out of CGI.pm and into the inline plugin.joey
2007-08-05* Add sessioncgi hook. joey
2007-08-05remove cruftjoey
2007-07-16* Wrap the editpage template in the standard misctemplate, this allows thejoey
pagetemplate hook to work for that page. * Above change fixes the favicon plugin to work on edit pages.