ikiwiki
8 years agoadd details on bot setup
https://id.koumbit.net/anarcat [Mon, 16 May 2016 21:40:24 +0000 (17:40 -0400)] 
add details on bot setup

8 years agoWrapper: allocate new environment dynamically
Simon McVittie [Wed, 11 May 2016 08:18:14 +0000 (09:18 +0100)] 
Wrapper: allocate new environment dynamically

Otherwise, if third-party plugins extend newenviron by more than
3 entries, we could overflow the array. It seems unlikely that any
third-party plugin manipulates newenviron in practice, so this
is mostly theoretical. Just in case, I have deliberately avoided
using "i" as the variable name, so that any third-party plugin
that was manipulating newenviron directly will now result in the
wrapper failing to compile.

I have not assumed that realloc(NULL, ...) works as an equivalent of
malloc(...), in case there are still operating systems where that
doesn't work.

8 years ago3.20160509
Simon McVittie [Mon, 9 May 2016 20:59:50 +0000 (21:59 +0100)] 
3.20160509

8 years agoReference CVE-2016-4561 in 3.20160506 changelog
Simon McVittie [Mon, 9 May 2016 20:57:34 +0000 (21:57 +0100)] 
Reference CVE-2016-4561 in 3.20160506 changelog

8 years agoimg test: exercise upper-case extensions for image files
Simon McVittie [Mon, 9 May 2016 20:53:10 +0000 (21:53 +0100)] 
img test: exercise upper-case extensions for image files

8 years agoRemove spurious changelog entry
Simon McVittie [Mon, 9 May 2016 20:12:41 +0000 (21:12 +0100)] 
Remove spurious changelog entry

This change was new in 3.20141016.3, but was applied to the master
branch several releases ago, so it is not new in 3.20160506.

8 years agomention that the CVE-2016-4561 fix was backported
smcv [Mon, 9 May 2016 12:24:35 +0000 (08:24 -0400)] 
mention that the CVE-2016-4561 fix was backported

8 years agoClarifying
desci [Mon, 9 May 2016 01:54:17 +0000 (21:54 -0400)] 
Clarifying

8 years agoAdding info regarding bootstrap classes
desci [Mon, 9 May 2016 01:53:14 +0000 (21:53 -0400)] 
Adding info regarding bootstrap classes

8 years agoAdding sites
desci [Mon, 9 May 2016 01:42:54 +0000 (21:42 -0400)] 
Adding sites

8 years agoDetect image type from .JPG just like .jpg (etc.).
Amitai Schlair [Sun, 8 May 2016 22:26:15 +0000 (18:26 -0400)] 
Detect image type from .JPG just like .jpg (etc.).

8 years agoFix spelling of "ratio" in test.
Amitai Schlair [Sun, 8 May 2016 22:25:46 +0000 (18:25 -0400)] 
Fix spelling of "ratio" in test.

8 years agothanks!
https://id.koumbit.net/anarcat [Sun, 8 May 2016 21:10:50 +0000 (17:10 -0400)] 
thanks!

8 years agotag added
smcv [Sun, 8 May 2016 20:44:56 +0000 (16:44 -0400)] 
tag added

8 years agothanks!
https://id.koumbit.net/anarcat [Sun, 8 May 2016 20:40:13 +0000 (16:40 -0400)] 
thanks!

8 years agosorry, one day I'll review this, but this is not that day
smcv [Sun, 8 May 2016 20:37:34 +0000 (16:37 -0400)] 
sorry, one day I'll review this, but this is not that day

8 years agostill using this in production, would welcome feedback
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:59:12 +0000 (14:59 -0400)] 
still using this in production, would welcome feedback

8 years agodropping this.
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:57:28 +0000 (14:57 -0400)] 
dropping this.

8 years ago(no commit message)
https://id.koumbit.net/anarcat [Sun, 8 May 2016 18:56:26 +0000 (14:56 -0400)] 

8 years agoimg: make img_allowed_formats case-insensitive
Simon McVittie [Fri, 6 May 2016 06:32:17 +0000 (07:32 +0100)] 
img: make img_allowed_formats case-insensitive

8 years agoinline: expand show=N backwards compatibility to negative N
Simon McVittie [Fri, 6 May 2016 21:51:02 +0000 (22:51 +0100)] 
inline: expand show=N backwards compatibility to negative N

[[plugins/contrib]] uses show=-1 to show the post-creation widget
without actually inlining anything.

8 years agoAdd CVE reference
Simon McVittie [Fri, 6 May 2016 20:35:14 +0000 (21:35 +0100)] 
Add CVE reference

8 years agorespond
smcv [Fri, 6 May 2016 19:29:51 +0000 (15:29 -0400)] 
respond

8 years agouse intended filename
Simon McVittie [Fri, 6 May 2016 19:16:58 +0000 (20:16 +0100)] 
use intended filename

8 years agoescape directive properly; add paragraph breaks
smcv [Fri, 6 May 2016 19:14:09 +0000 (15:14 -0400)] 
escape directive properly; add paragraph breaks

8 years agorename todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv...
smcv [Fri, 6 May 2016 19:12:49 +0000 (15:12 -0400)] 
rename todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn to bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn

8 years agoalready fixed
smcv [Fri, 6 May 2016 19:12:29 +0000 (15:12 -0400)] 
already fixed

8 years agoAnnounce 3.20160506
Simon McVittie [Fri, 6 May 2016 19:10:19 +0000 (20:10 +0100)] 
Announce 3.20160506

8 years agoMerge remote-tracking branch 'origin/master'
Simon McVittie [Fri, 6 May 2016 19:05:45 +0000 (20:05 +0100)] 
Merge remote-tracking branch 'origin/master'

8 years ago(no commit message)
florian@883672f3f4dbd3c6bb430afc661484a58a3a1296 [Fri, 6 May 2016 12:10:01 +0000 (08:10 -0400)] 

8 years ago3.20160506
Simon McVittie [Fri, 6 May 2016 06:54:47 +0000 (07:54 +0100)] 
3.20160506

8 years agoExclude users/* from the HTML documentation
Simon McVittie [Fri, 6 May 2016 06:53:53 +0000 (07:53 +0100)] 
Exclude users/* from the HTML documentation

8 years agoDo not recommend mimetype(image/*)
Simon McVittie [Fri, 6 May 2016 06:46:58 +0000 (07:46 +0100)] 
Do not recommend mimetype(image/*)

Not all image file types are safe for general use: in particular,
image/svg+xml is known to be vulnerable to CVE-2016-3714 under some
ImageMagick configurations.

8 years agoDocument the security fixes in this release
Simon McVittie [Fri, 6 May 2016 06:49:45 +0000 (07:49 +0100)] 
Document the security fixes in this release

8 years agoupdate test suite for svg passthrough by img directive
Joey Hess [Fri, 6 May 2016 00:44:11 +0000 (20:44 -0400)] 
update test suite for svg passthrough by img directive

Remove build dependency libmagickcore-6.q16-2-extra which was only there
for this test.

8 years agoimg: Add back support for SVG images, bypassing ImageMagick and simply passing the...
Simon McVittie [Fri, 6 May 2016 05:57:12 +0000 (06:57 +0100)] 
img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser

SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.

(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)

[smcv: drop trailing whitespace, fix some spelling]

8 years agochangelog for smcv's security fixes
Joey Hess [Fri, 6 May 2016 00:18:38 +0000 (20:18 -0400)] 
changelog for smcv's security fixes

[smcv: omit a change that was already in 3.20160514]

8 years agoimg: check magic number before giving common formats to ImageMagick
Simon McVittie [Thu, 5 May 2016 22:17:45 +0000 (23:17 +0100)] 
img: check magic number before giving common formats to ImageMagick

This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.

8 years agoimg: restrict to JPEG, PNG and GIF images by default
Simon McVittie [Wed, 4 May 2016 07:54:19 +0000 (08:54 +0100)] 
img: restrict to JPEG, PNG and GIF images by default

This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.

8 years agoimg: force common Web formats to be interpreted according to extension
Simon McVittie [Wed, 4 May 2016 07:52:40 +0000 (08:52 +0100)] 
img: force common Web formats to be interpreted according to extension

A site administrator might unwisely set allowed_attachments to
something like '*.jpg or *.png'; if they do, an attacker could attach,
for example, a SVG file named attachment.jpg.

This mitigates CVE-2016-3714.

8 years agoHTML-escape error messages (OVE-20160505-0012)
Simon McVittie [Wed, 4 May 2016 07:46:02 +0000 (08:46 +0100)] 
HTML-escape error messages (OVE-20160505-0012)

The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)

The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.

8 years agoall good
https://id.koumbit.net/anarcat [Wed, 4 May 2016 22:53:24 +0000 (18:53 -0400)] 
all good

8 years ago(no commit message)
smcv [Wed, 4 May 2016 22:35:33 +0000 (18:35 -0400)] 

8 years agoresponse: confirmation it's a bug in MMD and Discount doesn't have footnotes, and...
https://id.koumbit.net/anarcat [Wed, 4 May 2016 13:45:25 +0000 (09:45 -0400)] 
response: confirmation it's a bug in MMD and Discount doesn't have footnotes, and request for workaround

8 years agodiscount (as used on this wiki) can do footnotes, but they aren't enabled by ikiwiki
smcv [Wed, 4 May 2016 09:48:01 +0000 (05:48 -0400)] 
discount (as used on this wiki) can do footnotes, but they aren't enabled by ikiwiki

8 years agoresponse
smcv [Wed, 4 May 2016 09:38:27 +0000 (05:38 -0400)] 
response

8 years agoresponse
Joey Hess [Mon, 2 May 2016 13:33:59 +0000 (09:33 -0400)] 
response

8 years ago(no commit message)
https://id.koumbit.net/anarcat [Fri, 29 Apr 2016 04:32:02 +0000 (00:32 -0400)] 

8 years agoresponse
https://id.koumbit.net/anarcat [Fri, 29 Apr 2016 00:13:05 +0000 (20:13 -0400)] 
response

8 years agoMerge branch 'master' of ssh://git.ikiwiki.info
Joey Hess [Thu, 28 Apr 2016 23:34:51 +0000 (19:34 -0400)] 
Merge branch 'master' of ssh://git.ikiwiki.info

8 years agoresponse
Joey Hess [Thu, 28 Apr 2016 23:32:58 +0000 (19:32 -0400)] 
response

8 years agoMerge remote-tracking branch 'origin/master'
Joey Hess [Thu, 28 Apr 2016 23:06:01 +0000 (19:06 -0400)] 
Merge remote-tracking branch 'origin/master'

8 years ago(no commit message)
https://id.koumbit.net/anarcat [Thu, 28 Apr 2016 14:12:52 +0000 (10:12 -0400)] 

8 years agohttp/https issue
https://id.koumbit.net/anarcat [Thu, 28 Apr 2016 14:08:05 +0000 (10:08 -0400)] 
http/https issue

8 years agosmaller is too small for large blocks
Antoine Beaupré [Tue, 26 Apr 2016 22:52:25 +0000 (18:52 -0400)] 
smaller is too small for large blocks

8 years agofix typo and comment
Antoine Beaupré [Tue, 26 Apr 2016 22:50:47 +0000 (18:50 -0400)] 
fix typo and comment

8 years agonew CSS bug
Antoine Beaupré [Tue, 26 Apr 2016 22:46:52 +0000 (18:46 -0400)] 
new CSS bug

8 years agoexplain footnotes
https://id.koumbit.net/anarcat [Tue, 26 Apr 2016 22:35:20 +0000 (18:35 -0400)] 
explain footnotes

8 years agoChanged the expired domain and added question
desci [Tue, 19 Apr 2016 02:08:50 +0000 (22:08 -0400)] 
Changed the expired domain and added question

8 years agoFixed dead link.
RickHanson [Sun, 17 Apr 2016 23:38:12 +0000 (19:38 -0400)] 
Fixed dead link.

8 years agoadd screenshot
Antoine Beaupré [Fri, 15 Apr 2016 22:11:29 +0000 (18:11 -0400)] 
add screenshot

8 years agofix typos
Antoine Beaupré [Fri, 15 Apr 2016 21:31:53 +0000 (17:31 -0400)] 
fix typos

8 years agoannounce the admonition plugin
Antoine Beaupré [Fri, 15 Apr 2016 21:29:44 +0000 (17:29 -0400)] 
announce the admonition plugin

8 years agoelaborate copyright investigation. ugh.
Antoine Beaupré [Fri, 15 Apr 2016 16:29:25 +0000 (12:29 -0400)] 
elaborate copyright investigation. ugh.

8 years agoresponse
Antoine Beaupré [Fri, 15 Apr 2016 15:17:02 +0000 (11:17 -0400)] 
response

8 years agocan't login again
Antoine Beaupré [Fri, 15 Apr 2016 15:07:14 +0000 (11:07 -0400)] 
can't login again

8 years agoescape
smcv [Fri, 15 Apr 2016 14:38:11 +0000 (10:38 -0400)] 
escape

8 years agotemplates are another way to do this
smcv [Fri, 15 Apr 2016 14:37:43 +0000 (10:37 -0400)] 
templates are another way to do this

8 years ago(no commit message)
smcv [Fri, 15 Apr 2016 14:34:33 +0000 (10:34 -0400)] 

8 years agoa weird authentication bug
Antoine Beaupré [Fri, 15 Apr 2016 14:14:50 +0000 (10:14 -0400)] 
a weird authentication bug

8 years agoadmonitions proposal
Antoine Beaupré [Fri, 15 Apr 2016 13:57:53 +0000 (09:57 -0400)] 
admonitions proposal

8 years agoArguing more
desci [Fri, 15 Apr 2016 12:24:38 +0000 (08:24 -0400)] 
Arguing more

8 years agoAdded systemd for nginx
desci [Fri, 15 Apr 2016 12:12:11 +0000 (08:12 -0400)] 
Added systemd for nginx

8 years ago(no commit message)
desci [Thu, 14 Apr 2016 21:14:47 +0000 (17:14 -0400)] 

8 years agoDocument new feature.
spalax [Thu, 14 Apr 2016 16:43:32 +0000 (12:43 -0400)] 
Document new feature.

8 years agoclarify that theme and css is not only to change stylesheets, but the look in general
https://id.koumbit.net/anarcat [Wed, 13 Apr 2016 18:38:15 +0000 (14:38 -0400)] 
clarify that theme and css is not only to change stylesheets, but the look in general

8 years agolink to localstyle after a user struggled for hours to figure out exactly that
https://id.koumbit.net/anarcat [Wed, 13 Apr 2016 18:37:22 +0000 (14:37 -0400)] 
link to localstyle after a user struggled for hours to figure out exactly that

8 years agoexplain why multiple page.tmpl is a showstopper for upstream even if not for local...
smcv [Tue, 12 Apr 2016 06:00:21 +0000 (02:00 -0400)] 
explain why multiple page.tmpl is a showstopper for upstream even if not for local themes

8 years ago(no commit message)
desci [Mon, 11 Apr 2016 15:05:45 +0000 (11:05 -0400)] 

8 years agoUpdated link
desci [Mon, 11 Apr 2016 15:03:22 +0000 (11:03 -0400)] 
Updated link

8 years agoUpdated link
desci [Mon, 11 Apr 2016 15:01:54 +0000 (11:01 -0400)] 
Updated link

8 years agoEdited old sentence to reference the forum
desci [Mon, 11 Apr 2016 14:59:13 +0000 (10:59 -0400)] 
Edited old sentence to reference the forum

8 years ago(no commit message)
desci [Mon, 11 Apr 2016 14:57:37 +0000 (10:57 -0400)] 

8 years agoAsked Joey to reconsider
desci [Mon, 11 Apr 2016 14:21:24 +0000 (10:21 -0400)] 
Asked Joey to reconsider

8 years agoAdded yet another bootstrap theme
desci [Mon, 11 Apr 2016 14:15:39 +0000 (10:15 -0400)] 
Added yet another bootstrap theme

8 years agoAdded question
desci [Mon, 11 Apr 2016 14:12:17 +0000 (10:12 -0400)] 
Added question

8 years agoThere's also a config file option.
spwhitton [Sat, 9 Apr 2016 14:48:54 +0000 (10:48 -0400)] 
There's also a config file option.

8 years agoMarketing
desci [Sat, 9 Apr 2016 05:01:38 +0000 (01:01 -0400)] 
Marketing

8 years agoDelivering what I've promised
desci [Sat, 9 Apr 2016 04:53:34 +0000 (00:53 -0400)] 
Delivering what I've promised

8 years agoOk now I've got it right
desci [Sat, 9 Apr 2016 02:33:56 +0000 (22:33 -0400)] 
Ok now I've got it right

8 years agoThe structure was all wrong
desci [Sat, 9 Apr 2016 02:31:38 +0000 (22:31 -0400)] 
The structure was all wrong

8 years agoForgot to add the main folder
desci [Sat, 9 Apr 2016 02:29:02 +0000 (22:29 -0400)] 
Forgot to add the main folder

8 years agoAdded two questions
desci [Sat, 9 Apr 2016 02:27:44 +0000 (22:27 -0400)] 
Added two questions

8 years agoAdded a comment: Any chance on moving forward on this?
desci [Sat, 9 Apr 2016 00:21:45 +0000 (20:21 -0400)] 
Added a comment: Any chance on moving forward on this?

8 years agotodo
Joey Hess [Sun, 3 Apr 2016 21:06:52 +0000 (17:06 -0400)] 
todo

8 years agoadd missing </div>
Joey Hess [Sun, 3 Apr 2016 19:29:27 +0000 (15:29 -0400)] 
add missing </div>

8 years agoExplanation of my part on the confusion
desci [Sun, 3 Apr 2016 17:15:17 +0000 (13:15 -0400)] 
Explanation of my part on the confusion

8 years agoTried to fix considering http://ikiwiki.info/tips/bootstrap_themes_evaluation/
desci [Sun, 3 Apr 2016 17:11:48 +0000 (13:11 -0400)] 
Tried to fix considering ikiwiki.info/tips/bootstrap_themes_evaluation/

8 years agoadded personal information
desci [Sun, 3 Apr 2016 15:47:08 +0000 (11:47 -0400)] 
added personal information

8 years agoupdated sites list
desci [Sun, 3 Apr 2016 15:45:35 +0000 (11:45 -0400)] 
updated sites list