Simon McVittie [Mon, 9 May 2016 20:59:50 +0000 (21:59 +0100)]
Simon McVittie [Mon, 9 May 2016 20:57:34 +0000 (21:57 +0100)]
Reference CVE-2016-4561 in 3.20160506 changelog
Simon McVittie [Mon, 9 May 2016 20:53:10 +0000 (21:53 +0100)]
img test: exercise upper-case extensions for image files
Simon McVittie [Mon, 9 May 2016 20:12:41 +0000 (21:12 +0100)]
Remove spurious changelog entry
This change was new in 3.20141016.3, but was applied to the master
branch several releases ago, so it is not new in 3.20160506.
smcv [Mon, 9 May 2016 12:24:35 +0000 (08:24 -0400)]
mention that the CVE-2016-4561 fix was backported
desci [Mon, 9 May 2016 01:54:17 +0000 (21:54 -0400)]
Clarifying
desci [Mon, 9 May 2016 01:53:14 +0000 (21:53 -0400)]
Adding info regarding bootstrap classes
desci [Mon, 9 May 2016 01:42:54 +0000 (21:42 -0400)]
Adding sites
Amitai Schlair [Sun, 8 May 2016 22:26:15 +0000 (18:26 -0400)]
Detect image type from .JPG just like .jpg (etc.).
Amitai Schlair [Sun, 8 May 2016 22:25:46 +0000 (18:25 -0400)]
Fix spelling of "ratio" in test.
https://id.koumbit.net/anarcat [Sun, 8 May 2016 21:10:50 +0000 (17:10 -0400)]
thanks!
smcv [Sun, 8 May 2016 20:44:56 +0000 (16:44 -0400)]
tag added
https://id.koumbit.net/anarcat [Sun, 8 May 2016 20:40:13 +0000 (16:40 -0400)]
thanks!
smcv [Sun, 8 May 2016 20:37:34 +0000 (16:37 -0400)]
sorry, one day I'll review this, but this is not that day
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:59:12 +0000 (14:59 -0400)]
still using this in production, would welcome feedback
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:57:28 +0000 (14:57 -0400)]
dropping this.
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:56:26 +0000 (14:56 -0400)]
Simon McVittie [Fri, 6 May 2016 06:32:17 +0000 (07:32 +0100)]
img: make img_allowed_formats case-insensitive
Simon McVittie [Fri, 6 May 2016 21:51:02 +0000 (22:51 +0100)]
inline: expand show=N backwards compatibility to negative N
[[plugins/contrib]] uses show=-1 to show the post-creation widget
without actually inlining anything.
Simon McVittie [Fri, 6 May 2016 20:35:14 +0000 (21:35 +0100)]
Add CVE reference
smcv [Fri, 6 May 2016 19:29:51 +0000 (15:29 -0400)]
respond
Simon McVittie [Fri, 6 May 2016 19:16:58 +0000 (20:16 +0100)]
use intended filename
smcv [Fri, 6 May 2016 19:14:09 +0000 (15:14 -0400)]
escape directive properly; add paragraph breaks
smcv [Fri, 6 May 2016 19:12:49 +0000 (15:12 -0400)]
rename todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn to bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
smcv [Fri, 6 May 2016 19:12:29 +0000 (15:12 -0400)]
already fixed
Simon McVittie [Fri, 6 May 2016 19:10:19 +0000 (20:10 +0100)]
Simon McVittie [Fri, 6 May 2016 19:05:45 +0000 (20:05 +0100)]
Merge remote-tracking branch 'origin/master'
Simon McVittie [Fri, 6 May 2016 06:54:47 +0000 (07:54 +0100)]
Simon McVittie [Fri, 6 May 2016 06:53:53 +0000 (07:53 +0100)]
Exclude users/* from the HTML documentation
Simon McVittie [Fri, 6 May 2016 06:46:58 +0000 (07:46 +0100)]
Do not recommend mimetype(image/*)
Not all image file types are safe for general use: in particular,
image/svg+xml is known to be vulnerable to CVE-2016-3714 under some
ImageMagick configurations.
Simon McVittie [Fri, 6 May 2016 06:49:45 +0000 (07:49 +0100)]
Document the security fixes in this release
Joey Hess [Fri, 6 May 2016 00:44:11 +0000 (20:44 -0400)]
update test suite for svg passthrough by img directive
Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.
Simon McVittie [Fri, 6 May 2016 05:57:12 +0000 (06:57 +0100)]
img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.
(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)
[smcv: drop trailing whitespace, fix some spelling]
Joey Hess [Fri, 6 May 2016 00:18:38 +0000 (20:18 -0400)]
changelog for smcv's security fixes
[smcv: omit a change that was already in 3.20160514]
Simon McVittie [Thu, 5 May 2016 22:17:45 +0000 (23:17 +0100)]
img: check magic number before giving common formats to ImageMagick
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
Simon McVittie [Wed, 4 May 2016 07:54:19 +0000 (08:54 +0100)]
img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
Simon McVittie [Wed, 4 May 2016 07:52:40 +0000 (08:52 +0100)]
img: force common Web formats to be interpreted according to extension
A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, an SVG file named attachment.jpg.
This mitigates CVE-2016-3714.
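The two img mitigations above ("check magic number before giving common formats to ImageMagick" and "force common Web formats to be interpreted according to extension") amount to one validation step: decide the format from the case-insensitive extension, require it to be on the allow-list, and refuse the file if its leading bytes do not carry that format's signature. The following is an added illustration of that check in Python, not ikiwiki's own code; the extension table, the signature table and `check_image` are constructed for this example.

```python
"""Constructed example: validate an uploaded image before any decoder sees it.
Not ikiwiki's code; the tables and function names are assumptions."""
import os

# Default allow-list, matching the log: JPEG, PNG and GIF only.
DEFAULT_ALLOWED = {"jpeg", "png", "gif"}

# Extension -> canonical format name (hypothetical mapping for this example).
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
              ".gif": "gif", ".svg": "svg"}

# Format -> acceptable leading byte signatures (magic numbers).
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def format_from_name(filename):
    """Derive the format from the extension; .JPG and .jpg are the same."""
    ext = os.path.splitext(filename)[1].lower()
    return EXTENSIONS.get(ext)


def magic_matches(fmt, data):
    """True only if data starts with one of fmt's known signatures.
    A format with no known signature (e.g. svg) is never trusted."""
    sigs = MAGIC.get(fmt)
    if sigs is None:
        return False
    return any(data.startswith(s) for s in sigs)


def check_image(filename, data, allowed=None):
    """Return (ok, reason). ok is True only when the extension names an
    allowed format AND the bytes carry that format's magic number, so an
    SVG uploaded as attachment.jpg is rejected instead of content-sniffed."""
    allowed = DEFAULT_ALLOWED if allowed is None else {a.lower() for a in allowed}
    fmt = format_from_name(filename)
    if fmt is None:
        return False, "unknown extension"
    if fmt not in allowed:
        return False, f"format {fmt} not in allowed list"
    if not magic_matches(fmt, data):
        return False, f"content does not look like {fmt}"
    return True, fmt
```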
Simon McVittie [Wed, 4 May 2016 07:46:02 +0000 (08:46 +0100)]
HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)
The instances in preprocess() are just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
https://id.koumbit.net/anarcat [Wed, 4 May 2016 22:53:24 +0000 (18:53 -0400)]
all good
smcv [Wed, 4 May 2016 22:35:33 +0000 (18:35 -0400)]
https://id.koumbit.net/anarcat [Wed, 4 May 2016 13:45:25 +0000 (09:45 -0400)]
response: confirmation it's a bug in MMD and Discount doesn't have footnotes, and request for workaround
smcv [Wed, 4 May 2016 09:48:01 +0000 (05:48 -0400)]
discount (as used on this wiki) can do footnotes, but they aren't enabled by ikiwiki
smcv [Wed, 4 May 2016 09:38:27 +0000 (05:38 -0400)]
response
Joey Hess [Mon, 2 May 2016 13:33:59 +0000 (09:33 -0400)]
response
https://id.koumbit.net/anarcat [Fri, 29 Apr 2016 04:32:02 +0000 (00:32 -0400)]
https://id.koumbit.net/anarcat [Fri, 29 Apr 2016 00:13:05 +0000 (20:13 -0400)]
response
Joey Hess [Thu, 28 Apr 2016 23:34:51 +0000 (19:34 -0400)]
Merge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Thu, 28 Apr 2016 23:32:58 +0000 (19:32 -0400)]
response
Joey Hess [Thu, 28 Apr 2016 23:06:01 +0000 (19:06 -0400)]
Merge remote-tracking branch 'origin/master'
https://id.koumbit.net/anarcat [Thu, 28 Apr 2016 14:12:52 +0000 (10:12 -0400)]
https://id.koumbit.net/anarcat [Thu, 28 Apr 2016 14:08:05 +0000 (10:08 -0400)]
http/https issue
Antoine Beaupré [Tue, 26 Apr 2016 22:52:25 +0000 (18:52 -0400)]
smaller is too small for large blocks
Antoine Beaupré [Tue, 26 Apr 2016 22:50:47 +0000 (18:50 -0400)]
fix typo and comment
Antoine Beaupré [Tue, 26 Apr 2016 22:46:52 +0000 (18:46 -0400)]
new CSS bug
https://id.koumbit.net/anarcat [Tue, 26 Apr 2016 22:35:20 +0000 (18:35 -0400)]
explain footnotes
desci [Tue, 19 Apr 2016 02:08:50 +0000 (22:08 -0400)]
Changed the expired domain and added question
RickHanson [Sun, 17 Apr 2016 23:38:12 +0000 (19:38 -0400)]
Fixed dead link.
Antoine Beaupré [Fri, 15 Apr 2016 22:11:29 +0000 (18:11 -0400)]
add screenshot
Antoine Beaupré [Fri, 15 Apr 2016 21:31:53 +0000 (17:31 -0400)]
fix typos
Antoine Beaupré [Fri, 15 Apr 2016 21:29:44 +0000 (17:29 -0400)]
announce the admonition plugin
Antoine Beaupré [Fri, 15 Apr 2016 16:29:25 +0000 (12:29 -0400)]
elaborate copyright investigation. ugh.
Antoine Beaupré [Fri, 15 Apr 2016 15:17:02 +0000 (11:17 -0400)]
response
Antoine Beaupré [Fri, 15 Apr 2016 15:07:14 +0000 (11:07 -0400)]
can't login again
smcv [Fri, 15 Apr 2016 14:38:11 +0000 (10:38 -0400)]
escape
smcv [Fri, 15 Apr 2016 14:37:43 +0000 (10:37 -0400)]
templates are another way to do this
smcv [Fri, 15 Apr 2016 14:34:33 +0000 (10:34 -0400)]
Antoine Beaupré [Fri, 15 Apr 2016 14:14:50 +0000 (10:14 -0400)]
a weird authentication bug
Antoine Beaupré [Fri, 15 Apr 2016 13:57:53 +0000 (09:57 -0400)]
admonitions proposal
desci [Fri, 15 Apr 2016 12:24:38 +0000 (08:24 -0400)]
Arguing more
desci [Fri, 15 Apr 2016 12:12:11 +0000 (08:12 -0400)]
Added systemd for nginx
desci [Thu, 14 Apr 2016 21:14:47 +0000 (17:14 -0400)]
spalax [Thu, 14 Apr 2016 16:43:32 +0000 (12:43 -0400)]
Document new feature.
https://id.koumbit.net/anarcat [Wed, 13 Apr 2016 18:38:15 +0000 (14:38 -0400)]
clarify that theme and css is not only to change stylesheets, but the look in general
https://id.koumbit.net/anarcat [Wed, 13 Apr 2016 18:37:22 +0000 (14:37 -0400)]
link to localstyle after a user struggled for hours to figure out exactly that
smcv [Tue, 12 Apr 2016 06:00:21 +0000 (02:00 -0400)]
explain why multiple page.tmpl is a showstopper for upstream even if not for local themes
desci [Mon, 11 Apr 2016 15:05:45 +0000 (11:05 -0400)]
desci [Mon, 11 Apr 2016 15:03:22 +0000 (11:03 -0400)]
Updated link
desci [Mon, 11 Apr 2016 15:01:54 +0000 (11:01 -0400)]
Updated link
desci [Mon, 11 Apr 2016 14:59:13 +0000 (10:59 -0400)]
Edited old sentence to reference the forum
desci [Mon, 11 Apr 2016 14:57:37 +0000 (10:57 -0400)]
desci [Mon, 11 Apr 2016 14:21:24 +0000 (10:21 -0400)]
Asked Joey to reconsider
desci [Mon, 11 Apr 2016 14:15:39 +0000 (10:15 -0400)]
Added yet another bootstrap theme
desci [Mon, 11 Apr 2016 14:12:17 +0000 (10:12 -0400)]
Added question
spwhitton [Sat, 9 Apr 2016 14:48:54 +0000 (10:48 -0400)]
There's also a config file option.
desci [Sat, 9 Apr 2016 05:01:38 +0000 (01:01 -0400)]
Marketing
desci [Sat, 9 Apr 2016 04:53:34 +0000 (00:53 -0400)]
Delivering what I've promised
desci [Sat, 9 Apr 2016 02:33:56 +0000 (22:33 -0400)]
Ok now I've got it right
desci [Sat, 9 Apr 2016 02:31:38 +0000 (22:31 -0400)]
The structure was all wrong
desci [Sat, 9 Apr 2016 02:29:02 +0000 (22:29 -0400)]
Forgot to add the main folder
desci [Sat, 9 Apr 2016 02:27:44 +0000 (22:27 -0400)]
Added two questions
desci [Sat, 9 Apr 2016 00:21:45 +0000 (20:21 -0400)]
Added a comment: Any chance on moving forward on this?
Joey Hess [Sun, 3 Apr 2016 21:06:52 +0000 (17:06 -0400)]
todo
Joey Hess [Sun, 3 Apr 2016 19:29:27 +0000 (15:29 -0400)]
add missing </div>
desci [Sun, 3 Apr 2016 17:15:17 +0000 (13:15 -0400)]
Explanation of my part on the confusion
desci [Sun, 3 Apr 2016 17:11:48 +0000 (13:11 -0400)]
Tried to fix considering ikiwiki.info/tips/bootstrap_themes_evaluation/
desci [Sun, 3 Apr 2016 15:47:08 +0000 (11:47 -0400)]
added personal information
desci [Sun, 3 Apr 2016 15:45:35 +0000 (11:45 -0400)]
updated sites list
kjs [Thu, 31 Mar 2016 21:39:07 +0000 (17:39 -0400)]
Amitai Schlair [Tue, 22 Mar 2016 18:53:05 +0000 (14:53 -0400)]
New inline's same as old, plus plugins/contrib/*.