From 0a37c45f32b6a0cf92eb046deabf933fb48ac197 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 30 Jun 2008 22:58:33 -0400 Subject: basic attachment plugin, unfinished Currently includes UI, and a few tests of the attachment, as well as the framework to extend pagespecs to test attachments. Does not actually save the file yet. --- doc/plugins/attachment.mdwn | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 doc/plugins/attachment.mdwn (limited to 'doc') diff --git a/doc/plugins/attachment.mdwn b/doc/plugins/attachment.mdwn new file mode 100644 index 000000000..a03865987 --- /dev/null +++ b/doc/plugins/attachment.mdwn 
@@ -0,0 +1,43 @@ +[[template id=plugin name=conditional core=1 author="[[Joey]]"]] +[[tag type/useful]] + +This plugin allows files to be uploaded to the wiki over the web. + +For each page `foo`, files in the subdirectory `foo/` are treated as +attachments of that page. Attachments can be uploaded and managed as +part of the interface for editing a page. + +Warning: Do not enable this plugin on publically editable wikis, unless you +take care to lock down the types and sizes of files that can be uploaded. +Bear in mind that if you let anyone upload a particular kind of file +("*.mp3" files, say), then someone can abuse your wiki in at least three ways: + +1. By uploading many mp3 files, wasting your disk space. +2. By uploading mp3 files that attempt to exploit security holes + in web browsers or other players. +3. By uploading files that claim to be mp3 files, but are really some + other kind of file. Some web browsers may display a `foo.mp3` that + contains html as a web page; including running any malicious javascript + embedded in that page. + +To provide a way to combat these abuses, the wiki admin can specify a +[[ikiwiki/PageSpec]] on their preferences page, to control what types of +attachments can be uploaded. The regular [[ikiwiki/PageSpec]] syntax is +expanded with additional tests. + +For example, to limit arbitrary files to 50 kilobtes, but allow +larger mp3 files to be uploaded, a test like this could be used: + + (*.mp3 and maxsize(15mb)) or (* and maxsize(50kb)) + +The following additional tests are available: + +* maxsize(size) + + Tests whether the attachment is no larger than the specified size. + The size defaults to being in bytes, but "kb", "mb", "gb" etc can be + used to specify the units. + +* minsize(size) + + Tests whether the attachment is no smaller than the specified size. -- cgit v1.2.3 From b01ee9b3b33daa8d305017aa914913f3dac20ce5 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Mon, 30 Jun 2008 23:17:01 -0400 Subject: add an ispage limit --- IkiWiki/Plugin/attachment.pm | 33 ++++++++++++++++++++++----------- doc/plugins/attachment.mdwn | 12 +++++++++++- 2 files changed, 33 insertions(+), 12 deletions(-) (limited to 'doc') diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm index 48a1c58b4..186f3ea21 100644 --- a/IkiWiki/Plugin/attachment.pm +++ b/IkiWiki/Plugin/attachment.pm @@ -8,7 +8,7 @@ use CGI; $CGI::DISABLE_UPLOADS=0; # TODO move to admin prefs -$config{valid_attachments}="(*.mp3 and maxsize(15mb)) or (* and maxsize(50kb))"; +$config{valid_attachments}="(*.mp3 and maxsize(15mb)) or (!ispage() and maxsize(50kb))"; sub import { #{{{ hook(type => "formbuilder_setup", id => "attachment", call => \&formbuilder_setup); @@ -48,12 +48,12 @@ sub formbuilder (@) { #{{{ if (IkiWiki::file_pruned($filename, $config{srcdir})) { error(gettext("bad attachment filename")); } - + # Use a pagespec to test that the attachment is valid. if (exists $config{valid_attachments} && length $config{valid_attachments}) { my $result=pagespec_match($filename, $config{valid_attachments}, - tempfile => $tempfile); + file => $tempfile); if (! $result) { error(gettext("attachment rejected")." ($result)"); } @@ -101,15 +101,15 @@ sub match_maxsize ($$;@) { #{{{ } my %params=@_; - if (! exists $params{tempfile}) { + if (! exists $params{file}) { return IkiWiki::FailReason->new("no tempfile specified"); } - if (-s $params{tempfile} > $maxsize) { - return IkiWiki::FailReason->new("attachment too large"); + if (-s $params{file} > $maxsize) { + return IkiWiki::FailReason->new("file too large"); } else { - return IkiWiki::SuccessReason->new("attachment size ok"); + return IkiWiki::SuccessReason->new("file not too large"); } } #}}} 
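Review bot: In match_maxsize, `-s $params{file}` returns undef when the path does not exist or cannot be stat'ed, and undef compares as 0 in `-s $params{file} > $maxsize`, so a missing or unreadable upload is reported as "file not too large" instead of being rejected; match_minsize in the next hunk has the mirror-image behaviour and fails such a file as "too small". An explicit check ahead of the comparison in both matchers, `return IkiWiki::FailReason->new("file not found") unless -e $params{file};`, keeps a stat failure from being read as a size. The FailReason text "no tempfile specified" still names the old parameter after the key was renamed to `file`; `"no file specified"` would keep the message in step with the code. The head of match_maxsize, where `$maxsize` is parsed, lies outside this hunk.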
@@ -121,15 +121,26 @@ sub match_minsize ($$;@) { #{{{ } my %params=@_; - if (! exists $params{tempfile}) { + if (! exists $params{file}) { return IkiWiki::FailReason->new("no tempfile specified"); } - if (-s $params{tempfile} < $minsize) { - return IkiWiki::FailReason->new("attachment too small"); + if (-s $params{file} < $minsize) { + return IkiWiki::FailReason->new("file too small"); + } + else { + return IkiWiki::SuccessReason->new("file not too small"); + } +} #}}} + +sub match_ispage ($$;@) { #{{{ + my $filename=shift; + + if (IkiWiki::pagetype($filename)) { + return IkiWiki::SuccessReason->new("file is a wiki page"); } else { - return IkiWiki::SuccessReason->new("attachment size ok"); + return IkiWiki::FailReason->new("file is not a wiki page"); } } #}}} diff --git a/doc/plugins/attachment.mdwn b/doc/plugins/attachment.mdwn index a03865987..019d1c9e4 100644 --- a/doc/plugins/attachment.mdwn +++ b/doc/plugins/attachment.mdwn @@ -28,7 +28,7 @@ expanded with additional tests. For example, to limit arbitrary files to 50 kilobtes, but allow larger mp3 files to be uploaded, a test like this could be used: - (*.mp3 and maxsize(15mb)) or (* and maxsize(50kb)) + (*.mp3 and maxsize(15mb)) or (!ispage() and maxsize(50kb)) The following additional tests are available: @@ -41,3 +41,13 @@ The following additional tests are available: * minsize(size) Tests whether the attachment is no smaller than the specified size. + +* ispage() + + Tests whether the attachment will be treated by ikiwiki as a wiki page. + (Ie, if it has an extension of ".mdwn", or of any other enabled page + format). + + So, if you don't want to allow wiki pages to be uploaded as attachments, + use `!ispage()` ; if you only want to allow wiki pages to be uploaded + as attachments, use `ispage()`. -- cgit v1.2.3 From 0ffcafc1305de5ec242f3f0835064682d408c3d0 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Tue, 1 Jul 2008 17:54:23 -0400 Subject: attachment doc updates --- doc/plugins/contrib/attach/discussion.mdwn | 18 ++++++++++++++++++ doc/soc.mdwn | 2 +- doc/todo/attachments.mdwn | 20 ++++++++++++++++++++ doc/todo/attachments_plugin.mdwn | 1 - doc/todo/fileupload.mdwn | 2 +- 5 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 doc/plugins/contrib/attach/discussion.mdwn create mode 100644 doc/todo/attachments.mdwn delete mode 100644 doc/todo/attachments_plugin.mdwn (limited to 'doc') diff --git a/doc/plugins/contrib/attach/discussion.mdwn b/doc/plugins/contrib/attach/discussion.mdwn new file mode 100644 index 000000000..803b7dcdb --- /dev/null +++ b/doc/plugins/contrib/attach/discussion.mdwn @@ -0,0 +1,18 @@ +I found this posted to todo list, moved here: --[[Joey]] + +> First pass at an attachments plugin. See [[plugins/contrib/attach]] for +> details/docs. Here's the [diff](http://pastebin.com/f4d889b65), and +> here's some [technical notes](http://pastebin.com/f584b9d9d). There are +> still various things I want to fix and tweak, but it works reasonably for +> me as is. + +I guess I missed this when the plugin page was posted last September, and +since the [[soc]] stuff wasn't updated, I didn't realize this was Ben's soc +work. Which is more or less why I didn't look at it. + +This plugin would need quite a lot of work to finish up, I do think it was +taking the right approach, sorry I never followed up on it. + +In the meantime, I've written an attachment plugin that does most of the +same stuff, and behaves closer to how I originally sketched [[todo/fileupload]] +as working. diff --git a/doc/soc.mdwn b/doc/soc.mdwn index c762d2e43..fffb5bed4 100644 --- a/doc/soc.mdwn +++ b/doc/soc.mdwn 
@@ -11,7 +11,7 @@ accepted, and the following projects were worked on: (See [[todo/latex]]) * Implement File Upload Functionality and Image Gallery Creation by Ben Coffey - (See [[todo/fileupload/soc-proposal]]) + (See [[todo/fileupload/soc-proposal]] and [[plugins/contrib/attach]]) * Wiki WYSIWYG Editor by [[TaylorKillian]] (See [[todo/wikiwyg]]) diff --git a/doc/todo/attachments.mdwn b/doc/todo/attachments.mdwn new file mode 100644 index 000000000..de7d81400 --- /dev/null +++ b/doc/todo/attachments.mdwn @@ -0,0 +1,20 @@ +Stuff the [[plugins/attachment]] plugin is currently missing, that might be +nice to add: + +* `user()` pagespecs, to limit what individual users can do. (See examples + in [[fileupload]]. +* `mimetype()` pagespecs. (Using a mime type sniffer.)a +* Virus scanning. +* Make the attachments part of the Edit page hidden unless something is + clicked on to display it. To avoid clutter. +* Add a progress bar for attachment uploads (needs AJAX stuff..) +* Maybe optimise the "Insert Links" button with javascript, so, if + javascript is available, the link is inserted at the current cursor + position in the page edit form, without actually reposting the form. + (Falling back to the current reposting of the form if javascript is not + available of course.) +* Set `$CGI::POST_MAX` to some sane value (ie, larger than the largest + configured `maxsize()` in the pagespec, or if none is configured, + something reasonable. Just as a belt-and-suspenders DOS prevention. +* Only allow attachments to be added to a given list of pages. + Maybe a pagespec like `parent(patches/*)` diff --git a/doc/todo/attachments_plugin.mdwn b/doc/todo/attachments_plugin.mdwn deleted file mode 100644 index 3b050b43e..000000000 --- a/doc/todo/attachments_plugin.mdwn +++ /dev/null 
@@ -1 +0,0 @@ -First pass at an attachments plugin. See [[plugins/contrib/attach]] for details/docs. Here's the [diff](http://pastebin.com/f4d889b65), and here's some [technical notes](http://pastebin.com/f584b9d9d). There are still various things I want to fix and tweak, but it works reasonably for me as is. \ No newline at end of file diff --git a/doc/todo/fileupload.mdwn b/doc/todo/fileupload.mdwn index 1962d6b40..9a9106229 100644 --- a/doc/todo/fileupload.mdwn +++ b/doc/todo/fileupload.mdwn @@ -60,4 +60,4 @@ pagespec lock like the above prevents an edit or upload from happening, ikiwiki could display a reasonable message to the user, indicating what they've done wrong.) -[[tag soc]] +[[tag soc done]] -- cgit v1.2.3 From 895faed6428f3523871d29ed82b0ab3326453b75 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 2 Jul 2008 16:02:01 -0400 Subject: toggle: Add support for toggles that are open by default. Also fix to work in preview mode. --- IkiWiki/Plugin/toggle.pm | 15 +++++---------- debian/changelog | 2 ++ doc/plugins/toggle.mdwn | 3 +++ doc/todo/toggle_initial_state.mdwn | 2 ++ 4 files changed, 12 insertions(+), 10 deletions(-) (limited to 'doc') diff --git a/IkiWiki/Plugin/toggle.pm b/IkiWiki/Plugin/toggle.pm index 54c9a0d9a..f969d7686 100644 --- a/IkiWiki/Plugin/toggle.pm +++ b/IkiWiki/Plugin/toggle.pm @@ -81,17 +81,11 @@ sub preprocess_toggle (@) { #{{{ my %params=(id => "default", text => "more", @_); my $id=genid($params{page}, $params{id}); - if (! $params{preview}) { - return "$params{text}"; - } - else { - return "$params{text} ". - gettext("(not toggleable in preview mode)"); - } + return "$params{text}"; } # }}} sub preprocess_toggleable (@) { #{{{ - my %params=(id => "default", text => "", @_); + my %params=(id => "default", text => "", open => "no", @_); # Preprocess the text to expand any preprocessor directives # embedded inside it. 
@@ -99,19 +93,20 @@ sub preprocess_toggleable (@) { #{{{ IkiWiki::filter($params{page}, $params{destpage}, $params{text})); my $id=genid($params{page}, $params{id}); + my $class=(lc($params{open}) ne "yes") ? "toggleable" : "toggleable-open"; # Should really be a postprocessor directive, oh well. Work around # markdown's dislike of markdown inside a
with various funky # whitespace. my ($indent)=$params{text}=~/( +)$/; $indent="" unless defined $indent; - return "
\n\n$params{text}\n$indent
"; + return "
\n\n$params{text}\n$indent
"; } # }}} sub format (@) { #{{{ my %params=@_; - if ($params{content}=~s!(
)
!$1!g) { + if ($params{content}=~s!(
)
!$1!g) { $params{content}=~s/
//g; if (! ($params{content}=~s!^<\/body>!$javascript!m)) { # no tag, probably in preview mode diff --git a/debian/changelog b/debian/changelog index 152689948..314415788 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,8 @@ ikiwiki (2.52) UNRELEASED; urgency=low (Sponsored by The TOVA Company.) * If attachments are not enabled, configure CGI.pm to disable file uploads by default. (An anti-DOS measure.) + * toggle: Add support for toggles that are open by default. + * toggle: Fix to work in preview mode. -- Joey Hess Mon, 30 Jun 2008 19:56:28 -0400 diff --git a/doc/plugins/toggle.mdwn b/doc/plugins/toggle.mdwn index cb76d0b7b..b33575824 100644 --- a/doc/plugins/toggle.mdwn +++ b/doc/plugins/toggle.mdwn @@ -28,3 +28,6 @@ each other, but can be located anywhere on the page. There can also be mutiple toggles that all toggle a single togglable. The id has a default value of "default", so can be omitted in simple cases. + +If you'd like a toggleable to be displayed by default, and toggle to +hidden, then pass a parameter "open=true" when setting up the toggleable. diff --git a/doc/todo/toggle_initial_state.mdwn b/doc/todo/toggle_initial_state.mdwn index f54d33c04..cbbf7e6fd 100644 --- a/doc/todo/toggle_initial_state.mdwn +++ b/doc/todo/toggle_initial_state.mdwn @@ -2,3 +2,5 @@ It would be nice if one could set the initial state of the toggleable area. --[[[rdennis]] [[tag plugins/toggle]] + +[[done]] -- cgit v1.2.3 From ba707cdcd997c09f1fe0efc2addd03f8553303ea Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 2 Jul 2008 16:33:35 -0400 Subject: add user and ip support to attachment pagespecs --- IkiWiki/Plugin/attachment.pm | 39 ++++++++++++++++++++++++++++++++++++++- doc/plugins/attachment.mdwn | 21 ++++++++++++++++----- 2 files changed, 54 insertions(+), 6 deletions(-) (limited to 'doc') diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm index c1d1d1c60..a5c42d638 100644 --- a/IkiWiki/Plugin/attachment.pm 
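Review bot: `$params{open}` is only recognised when its lowercased value is exactly "yes" (`my $class=(lc($params{open}) ne "yes") ? "toggleable" : "toggleable-open";`), but doc/plugins/toggle.mdwn in this same commit tells users to pass `open=true`, so anyone following the documentation gets a closed toggleable. Either accept both spellings, e.g. `my $open=lc($params{open}); my $class=($open eq "yes" || $open eq "true") ? "toggleable-open" : "toggleable";`, or change the doc to say `open=yes`. The HTML markup in this hunk's return value and in the format hook has been stripped from the rendered page, so the class-attribute wiring itself cannot be checked here. preprocess_toggleable's body begins before this hunk.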
+++ b/IkiWiki/Plugin/attachment.pm
@@ -101,7 +101,10 @@ sub formbuilder (@) { #{{{
 length $allowed_attachments) {
 $allowed=pagespec_match($filename, $allowed_attachments,
- file => $tempfile);
+ file => $tempfile,
+ user => $session->param("name"),
+ ip => $ENV{REMOTE_ADDR},
+ );
 last if $allowed;
 }
 }
@@ -306,4 +309,38 @@ sub match_ispage ($$;@) { #{{{
 }
 } #}}}
+sub match_user ($$;@) { #{{{
+ shift;
+ my $user=shift;
+ my %params=@_;
+
+ if (! exists $params{user}) {
+ return IkiWiki::FailReason->new("no user specified");
+ }
+
+ if (defined $params{user} && lc $params{user} eq lc $user) {
+ return IkiWiki::SuccessReason->new("user is $user");
+ }
+ else {
+ return IkiWiki::FailReason->new("user is $params{user}, not $user");
+ }
+} #}}}
+
+sub match_ip ($$;@) { #{{{
+ shift;
+ my $ip=shift;
+ my %params=@_;
+
+ if (! exists $params{ip}) {
+ return IkiWiki::FailReason->new("no IP specified");
+ }
+
+ if (defined $params{ip} && lc $params{ip} eq lc $ip) {
+ return IkiWiki::SuccessReason->new("IP is $ip");
+ }
+ else {
+ return IkiWiki::FailReason->new("IP is $params{ip}, not $ip");
+ }
+} #}}}
+
 1
diff --git a/doc/plugins/attachment.mdwn b/doc/plugins/attachment.mdwn
index 019d1c9e4..184f5b5df 100644
--- a/doc/plugins/attachment.mdwn
+++ b/doc/plugins/attachment.mdwn
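Review bot: `ip => $ENV{REMOTE_ADDR}` hands the matcher the address of whatever connected to the CGI, so if ikiwiki is deployed behind a reverse proxy every upload will carry the proxy's address and an `ip()` pagespec would match for all users at once; a comment on that line such as `# REMOTE_ADDR is the immediate peer; behind a proxy this is the proxy, not the client` and a sentence in the ip() documentation would make the limitation visible to admins writing rules. Likewise `$session->param("name")` is presumably undef for an anonymous session, which match_user handles through its `defined` guard; stating that `user()` never matches anonymous uploads would make that intent explicit. formbuilder's body begins and ends outside this hunk.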
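Review bot: In match_user's else branch `$params{user}` is interpolated into the FailReason message even when it is undef — exactly the case the preceding `defined $params{user}` guard falls through on — which raises an uninitialized-value warning and produces "user is , not joey"; match_ip's else branch has the same problem with `$params{ip}`. Build the message from a defined value, e.g. `my $who=defined $params{user} ? $params{user} : "(anonymous)";` placed before the `if`, and use `$who` in the FailReason text, with the equivalent `$from` in match_ip. Applying `lc` to both sides of the IP comparison only matters for IPv6 hex digits; a short comment saying so would stop a reader from wondering whether it is intentional.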
@@ -22,13 +22,14 @@ Bear in mind that if you let anyone upload a particular kind of file To provide a way to combat these abuses, the wiki admin can specify a [[ikiwiki/PageSpec]] on their preferences page, to control what types of -attachments can be uploaded. The regular [[ikiwiki/PageSpec]] syntax is -expanded with additional tests. +attachments can be uploaded, and by whom. The regular [[ikiwiki/PageSpec]] +syntax is expanded with additional tests. -For example, to limit arbitrary files to 50 kilobtes, but allow -larger mp3 files to be uploaded, a test like this could be used: +For example, to limit arbitrary files to 50 kilobytes, but allow +larger mp3 files to be uploaded by joey, a test like this could be +used: - (*.mp3 and maxsize(15mb)) or (!ispage() and maxsize(50kb)) + (user(joey) and *.mp3 and maxsize(15mb)) or (!ispage() and maxsize(50kb)) The following additional tests are available: @@ -51,3 +52,13 @@ The following additional tests are available: So, if you don't want to allow wiki pages to be uploaded as attachments, use `!ispage()` ; if you only want to allow wiki pages to be uploaded as attachments, use `ispage()`. + +* user(username) + + Tests whether the attachment is being uploaded by a user with the + specified username. If openid is enabled, an openid can also be put here. + +* ip(address) + + Tests whether the attacment is being uploaded from the specified IP + address. -- cgit v1.2.3 From aaca4902dd29e7ba7769daedcc2f7ee86d1e058a Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 2 Jul 2008 16:37:17 -0400 Subject: update --- doc/todo/attachments.mdwn | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/todo/attachments.mdwn b/doc/todo/attachments.mdwn index de7d81400..08052f368 100644 --- a/doc/todo/attachments.mdwn +++ b/doc/todo/attachments.mdwn 
@@ -1,12 +1,8 @@ Stuff the [[plugins/attachment]] plugin is currently missing, that might be nice to add: -* `user()` pagespecs, to limit what individual users can do. (See examples - in [[fileupload]]. -* `mimetype()` pagespecs. (Using a mime type sniffer.)a +* `mimetype()` pagespecs. (Using a mime type sniffer.) * Virus scanning. -* Make the attachments part of the Edit page hidden unless something is - clicked on to display it. To avoid clutter. * Add a progress bar for attachment uploads (needs AJAX stuff..) * Maybe optimise the "Insert Links" button with javascript, so, if javascript is available, the link is inserted at the current cursor -- cgit v1.2.3