path: root/IkiWiki
Age | Commit message | Author
2010-06-15 | fix other cases of unicode mixing issue | Joey Hess
and fix underlaydir override attack guard when srcdir is non-absolute
2010-06-15 | Fix issues with combining unicode srcdirs and source files. | Joey Hess
A short story: Once there was a unicode string, let's call him Srcdir. Along came a crufty old File::Find, who went through a tree and pasted each of the leaves in turn onto Srcdir. But this 90's relic didn't decode the leaves -- despite some of them using unicode! Poor Srcdir, with these leaves stuck on him, tainted them with his nice unicode-ness. They didn't look like leaves at all, but instead garbage.
(In other words, perl's unicode support sucks mightily, and drives us all to drink and bad storytelling. But we knew that..)
So, srcdir is not normally flagged as unicode, because typically it's pure ascii. And in that case, things work ok; File::Find finds filenames, which are not yet decoded to unicode, and appends them to the srcdir, and then decode_utf8 happily converts the whole thing.
But, if the srcdir does contain utf8 characters, that breaks. Or, if a Yaml setup file is used, Yaml::Syck's implicitunicode sets the unicode flag of *all* strings, even those containing only ascii. In either case, srcdir has the unicode flag set; a non-decoded filename is appended, and the flag remains set; and decode_utf8 sees the flag and does *nothing*. The result is that the filename is not decoded, so looks valid and gets skipped.
File::Find only sticks the directory and filenames together in no_chdir mode .. but we need that mode for security.
In order to retain the security, and avoid the problem, I made it not pass srcdir to File::Find. Instead, chdir to the srcdir, and pass ".". Since "." is ascii, the problem is avoided.
Note that chdir srcdir is safe because we check for symlinks in the srcdir path.
Note that it takes care to chdir back to the starting location. Because the user may have specified relative paths and so staying in the srcdir might break. A relative path could even be specified for an underlay dir, so it chdirs back after each.
2010-06-15 | Fix issues with combining unicode srcdirs and source files. | Joey Hess
A short story: Once there was a unicode string, let's call him Srcdir. Along came a crufty old File::Find, who went through a tree and pasted each of the leaves in turn onto Srcdir. But this 90's relic didn't decode the leaves -- despite some of them using unicode! Poor Srcdir, with these leaves stuck on him, tainted them with his nice unicode-ness. They didn't look like leaves at all, but instead garbage.
In other words, perl's unicode support sucks mightily, and drives us all to drink and bad storytelling. But we knew that..
So, srcdir is not normally flagged as unicode, because typically it's pure ascii. And in that case, things work ok; File::Find finds filenames, which are not yet decoded to unicode, and appends them to the srcdir, and then decode_utf8 happily converts the whole thing.
But, if the srcdir does contain utf8 characters, that breaks. Or, if a Yaml setup file is used, Yaml::Syck's implicitunicode sets the unicode flag of *all* strings, even those containing only ascii. In either case, srcdir has the unicode flag set; a non-decoded filename is appended, and decode_utf8 sees the flag and does *nothing*. The result is that the filename is not decoded, so looks valid and gets skipped.
File::Find only sticks the directory and filenames together in no_chdir mode .. but we need that mode for security.
In order to retain the security, and avoid the problem, I made it not pass srcdir to File::Find. Instead, chdir to the srcdir, and pass ".". Since "." is ascii, the problem is avoided.
Note that it takes care to chdir back to the starting location. Because the user may have specified relative paths and so staying in the srcdir might break. A relative path could even be specified for an underlay dir, so it chdirs back after each.
2010-06-15 | calendar: Tune archive_pagespec to only match pages, not other files. | Joey Hess
2010-06-14 | editpage, comments: Fix broken links in sidebar (due to forcebaseurl). (Thanks, privat) | Joey Hess
2010-06-13 | more symmetric enable/disable | Joey Hess
Removing a plugin from add_plugins is not always enough to disable it. It may have been redundantly added there and also pulled in via goodstuff. Always add disabled plugins to disable_plugins.
2010-06-13 | websetup: Allow enabling plugins listed in disable_plugins. | Joey Hess
The bug here was that disabling a plugin included thru goodstuff, like htmlscrubber, caused it to be added to disable_plugins, and those plugins were never loaded, so could not be re-enabled. Fix by allowing them to be force loaded when appropriate. (Also that allows disabled plugins to still record their setup options when dumping a setup file.)
2010-06-12 | attachment: When inserting links, insert img directives for images, if that plugin is enabled. | Joey Hess
2010-06-12 | avoid ugly warning if size="" is specified | Joey Hess
2010-06-12 | edittemplate: Look for template pages under templates/ like everything else (still looks in old location for backwards compatibility). | Joey Hess
2010-06-12 | edittemplate: Make silent mode not disable display when the template page does not exist, so it can be easily created. | Joey Hess
2010-06-12 | editpage: Rename "comments" field to avoid CSS conflict with the comments div. | Joey Hess
2010-06-12 | img: Support hspace and vspace attributes. | Joey Hess
2010-06-12 | attachment: Show files from underlay in attachments list. | Joey Hess
While those files cannot be removed or renamed, this allows easy downloading of them, and a new version can after all be uploaded.
2010-06-11 | realm is an url pattern | Joey Hess
2010-06-11 | openid: Add openid_realm and openid_cgiurl configuration options, useful in a few edge case setups. | Joey Hess
2010-06-10 | calendar styling | Joey Hess
* calendar: Shorten day names, and improve styling of month calendar.
* style.css: Reduced sidebar width back to 20ex from 30; the month calendar will now fit in the smaller width, and 30 was feeling too large.
2010-06-09 | let's allow comments of "0" | Joey Hess
2010-06-09 | editpage: Avoid storing accidental state changes when previewing pages. | Joey Hess
This is a slow, safe, stupid approach. Could make deep copies of the data structures as backups instead of re-loading the index from disk.
2010-06-09 | improve preview mode comments | Joey Hess
2010-06-09 | Fix display of sidebar when previewing page edit. (Thanks, privat) | Joey Hess
On second thought, only display a page's personal sidebar when previewing it, not when editing normally.
2010-06-09 | relativedate: Fix problem with localised dates not working. | Joey Hess
2010-06-09 | When editing a page, show that page's sidebar. (Thanks, privat) | Joey Hess
2010-06-08 | img: Fill in missing height or width when scaling image. | Joey Hess
2010-05-21 | fix uninitialized value warning | Joey Hess
2010-05-21 | disable warnings when evaling setup files | Joey Hess
In particular, perl warns if a qw{} contains a #, but openids can. If the setup file has 'use warnings', it will turn warning messages back on, so it seems reasonable to squelch them by default.
2010-05-18 | Fix a typo in the last release. | Joey Hess
2010-05-18 | simplify example | Joey Hess
I've seen user(http://*) confuse someone who didn't know pagespecs to think that just http://* would moderate all comments to every page, or something like that.
2010-05-18 | Fix a bug that prevented matching deleted comments, and so did not update pages that had contained them. | Joey Hess
Problem is that by the time rendering calls render_dependent, %pagesources has had deleted files removed from it. So match_comment's lookup of files in there to see if they had the _comment extension failed. I had to introduce a hash that temporarily holds filenames of deleted pages to fix this. Note that unlike comment(), internal() had avoided this pitfall by being defined to match both internal and non-internal pages.
2010-05-17 | force scalar context | Joey Hess
2010-05-15 | fix typo | Joey Hess
2010-05-15 | Revert "avoid showing comment post stuff on dynamic pages" | Joey Hess
This reverts commit 4a6d5330e5b9554f1bd25b9025dd96200c6519c7. That was too ugly, the DYNAMIC test on page.tmpl will avoid the problem anyway -- just needs to be added.
2010-05-15 | avoid showing comment post stuff on dynamic pages | Joey Hess
If the site is configured to allow comments on *, then the comment post interface was being added to cgi pages like signin and prefs. This fixes it w/o requiring more page.tmpl changes. The pagetemplate hook is called by misctemplate with an empty page name for dynamic pages.
2010-05-14 | allow misctemplate callers to pass params to suppress actions etc | Joey Hess
Suppress display of small search form on search results page, and of Preferences link on prefs page.
2010-05-14 | avoid showing redundant search box on search results page | Joey Hess
2010-05-14 | better misctemplate splitting sequence | Joey Hess
2010-05-14 | put back recentchangesurl | Joey Hess
On second thought, misctemplate can use pagetemplate hooks to provide it, so it's better to keep back-compat, and allow full customisation of how it's displayed via the template.
2010-05-14 | bugfix | Joey Hess
2010-05-14 | refactor template actions | Joey Hess
2010-05-14 | we want the recentchanges link to be the first floating action | Joey Hess
2010-05-14 | enable action bar on misctemplates | Joey Hess
So RecentChanges shows on the action bar there, convert recentchanges to use new pageactions hook, with compatibility code to avoid breaking old templates.
2010-05-14 | remove, rename: Add guards against XSRF attacks. | Joey Hess
2010-05-13 | po: guard against reimportation | Joey Hess
If po is imported twice, bad things happen. Guard against that. I'm not sure what causes the double import; I saw it when websetup did a wiki rebuild. Carp failed to show a backtrace for the second call to import.
2010-05-08 | Use xhtml friendly pubdate setting. | Joey Hess
2010-05-08 | moved non-openid signin form into same page as openid selector; show/hide as buttons are pressed | Joey Hess
2010-05-08 | calendar: Display year name in title of month calendar. | Joey Hess
Also, fix relative month calculations.
2010-05-08 | calendar: nextchange calculation bugfix | Joey Hess
If a page had multiple calendars, the last one won and set nextchange. That's wrong; the calendar that needs to next update soonest should win.
2010-05-08 | calendar: Allow negative month to be specified. -1 is last month, etc. (And also negative years.) | Joey Hess
2010-05-07 | Merge branch 'master' into commentreorg | Joey Hess
2010-05-07 | scale display form to match openid size | Joey Hess