[ Joey Hess ]
* inline: Prevent creating a file named ".mdwn" when the
postform is submitted with an empty title.
[ Simon McVittie ]
* Security: tell `git revert` not to follow renames. If it does, then
renaming a file can result in a revert writing outside the wiki srcdir
or altering a file that the reverting user should not be able to alter,
an authorization bypass. Thanks, intrigeri
* cgitemplate: remove some dead code. Thanks, blipvert
* Restrict CSS matches against header class to not break
Pandoc tables with header rows. Thanks, karsk
* Make pagestats output more deterministic. Thanks, intrigeri
[ Joey Hess ]
* Fix installation when prefix includes a string metacharacter.
Thanks, Sam Hathaway.
[ Simon McVittie ]
* Use git log --no-renames to generate recentchanges, fixing the git
test-case with git 2.9 (Closes: #835612)
* Explicitly remove current working directory from Perl's library
search path, mitigating CVE-2016-1238 (see #588017)
* wrappers: allocate new environment dynamically, so we won't overrun
the array if third-party plugins add multiple environment variables.
* Standards-Version: 3.9.8 (no changes required)
[ Amitai Schlair ]
* img: ignore the case of the extension when detecting image format,
fixing the regression that *.JPG etc. would not be displayed
since 3.20160506
[ Simon McVittie ]
* img: parse img_allowed_formats case-insensitively, as was done in
3.20141016.3
* inline: restore backwards compat for show=-1 syntax, which
worked before 3.20160121
* Remove a spurious changelog entry from 3.20160506 (the relevant
change was already in 3.20150614)
* Add CVE-2016-4561 reference to 3.20160506 changelog
* Set high urgency to get the CVE-2016-4561 fix and CVE-2016-3714
mitigation into testing
-- Simon McVittie <smcv@debian.org> Mon, 09 May 2016 21:57:09 +0100
[ Simon McVittie ]
* img: stop ImageMagick trying to be clever if filenames contain a colon,
avoiding mis-processing
* HTML-escape error messages, in one case avoiding potential cross-site
scripting (OVE-20160505-0012)
* Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
- img: force common Web formats to be interpreted according to extension,
so that "allowed_attachments: '*.jpg'" does what one might expect
- img: restrict to JPEG, PNG and GIF images by default, again mitigating
CVE-2016-3714 and similar vulnerabilities
- img: check that the magic number matches what we would expect from
the extension before giving common formats to ImageMagick
* d/control: use https for Homepage
* d/control: add Vcs-Browser
[ Joey Hess ]
* img: Add back support for SVG images, bypassing ImageMagick and
simply passing the SVG through to the browser, which is supported by all
commonly used browsers these days.
SVG scaling by img directives has subtly changed; where before
size=wxh would preserve aspect ratio, this cannot be done when passing
them through and so specifying both a width and height can change
the SVG's aspect ratio.
* loginselector: When only openid and emailauth are enabled, but
passwordauth is not, avoid showing an "Other" box which opens an
empty form.
[ Amitai Schlair ]
* mdwn: Process .md like .mdwn, but disallow web creation.
[ Florian Wagner ]
* git: Correctly handle filenames starting with a dash in add/rm/mv.
-- Simon McVittie <smcv@debian.org> Fri, 06 May 2016 07:54:26 +0100
uncomment a maintainer make target to find where REPLACE_PERL might be
needed, and remove one that's no longer needed. (No change to the
installed package, so no PKGREVISION bump.)
[ Amitai Schlair ]
* meta: Fix [[!meta name=foo]] by closing the open quote.
* Avoid unescaped "{" in regular expressions
* meta test: Add tests for many behaviors of the directive.
* img test: Bail gracefully when ImageMagick is not present.
[ Joey Hess ]
* emailauth: Added emailauth_sender config.
* Modified page.tmpl to set html lang= and dir= when
values have been specified for them, which the po plugin does.
* Specifically license the javascript underlay under the permissive
basewiki license.
[ Simon McVittie ]
* git: if no committer identity is known, set it to
"IkiWiki <ikiwiki.info>" in .git/config. This resolves commit errors
in versions of git that require a non-trivial committer identity.
* inline, trail: rename show, feedshow parameters to limit, feedlimit
(with backwards compatibility)
* pagestats: add "show" option to show meta fields. Thanks, Louis
* inline: force RSS <comments> to be a fully absolute URL as required
by the W3C validator. Please use Atom feeds if relative URLs are
desirable on your site.
* inline: add <atom:link rel="self"> to RSS feeds as recommended by
the W3C validator
* inline: do not produce links containing /./ or /../
* syslog: accept and encode UTF-8 messages
* syslog: don't fail to log if the wiki name contains %s
* Change dependencies from transitional package perlmagick
to libimage-magick-perl (Closes: #789221)
* debian/copyright: update for the rename of openid-selector to
login-selector
* d/control: remove leading article from Description
(lintian: description-synopsis-starts-with-article)
* d/control: Standards-Version: 3.9.6, no changes required
* Wrap and sort control files (wrap-and-sort -abst)
* Silence "used only once: possible typo" warnings for variables
that are part of modules' APIs
* Run autopkgtest tests using autodep8 and the pkg-perl team's
infrastructure
* Add enough build-dependencies to run all tests, except for
non-git VCSs
* tests: consistently use done_testing instead of no_plan
* t/img.t: do not spuriously skip
* img test: skip testing PDFs if unsupported
* img test: use the right filenames when testing that deletion occurs
-- Simon McVittie <smcv@debian.org> Thu, 21 Jan 2016 09:53:07 +0000
* inline: change default sort order from age to "age title" for
determinism, partially fixing deterministic build for git-annex,
ikiwiki-hosting etc. (Closes: #785757)
* img: avoid ImageMagick misinterpreting filenames containing a colon
* img test: set old timestamp on source file that will change, so that
the test will pass even if it takes less than 1 second
[ Joey Hess ]
* New emailauth plugin lets users log in, without any registration,
by simply clicking on a link in an email.
* Re-remove google from openid selector; their openid provider is
gone for good.
* Make the openid selector display "Password" instead of "Other"
when appropriate, so users are more likely to click on it when
they don't have an openid.
* Converted openid-selector into a more generic loginselector helper
plugin.
* passwordauth: Don't allow registering accounts that look like openids.
* Make cgiurl output deterministic, not hash order. Closes: #785738
Thanks, Daniel Kahn Gillmor
[ Simon McVittie ]
* Do not enable emailauth by default, to avoid surprises on httpauth-only
sites. Enable it by default in openid instead, since it is essentially
a replacement for OpenIDs.
* Make the attachment plugin work with CGI.pm 4.x (Closes: #786586;
workaround for #786587 in libcgi-pm-perl)
* Add a public-domain email icon from tango-icon-theme
* Populate pagectime from either mtime or inode change time,
whichever is older, again for more reproducible builds
* debian: build the docwiki with LC_ALL=C.UTF-8 and TZ=UTC
* debian/copyright: consolidate permissive licenses
* debian/copyright: turn comments on provenance into Comment
* brokenlinks: sort the pages that link to the missing page, for
better reproducibility
* Add [[!meta date]] to news items and tips, since the git checkout
and build process can leave the checkout date in the tarball
release, leading to unstable sorting
* Sort backlinks deterministically, by falling back to sorting by href
if the link text is identical
* Add a $config{deterministic} option and use it for the docwiki
* haiku: if deterministic build is requested, return a hard-coded haiku
* polygen: if deterministic build is requested, use a well-known random seed
[ Joey Hess ]
* Fix NULL ptr deref on ENOMEM in wrapper. (Thanks, igli)
[ Simon McVittie ]
* Really don't double-decode CGI submissions, even on Perl versions that
bundle an old enough Encode.pm for that not to be a problem: the
system might have a newer Encode.pm installed separately, like Fedora 20.
(Closes: #776181; thanks, Anders Kaseorg)
* If neither timezone nor TZ is set, set both to :/etc/localtime if
we're on a GNU system and that file exists, or GMT otherwise
* t/inline.t: accept translations of "Add a new post titled:"
(Closes: #779365)
* Consistently document command-line options as e.g. --refresh, not -refresh
[ Amitai Schlair ]
* In VCS-committed anonymous comments, link to url.
[ Joey Hess ]
* Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483)
-- Simon McVittie <smcv@debian.org> Sun, 29 Mar 2015 21:48:24 +0100
Updating this leaf package during the freeze for the bugfixes.
[ Joey Hess ]
* Added ikiwiki-comment program.
* Add missing build-depends on libcgi-formbuilder-perl, needed for
t/relativity.t
* openid: Stop suppressing the email field on the Preferences page.
* po: If msgmerge falls over on a problem po file, print a warning
message, but don't let this problem crash ikiwiki entirely.
* Set Debian package maintainer to Simon McVittie as I'm retiring from
Debian.
[ Simon McVittie ]
* calendar: add calendar_autocreate option, with which "ikiwiki --refresh"
can mostly supersede the ikiwiki-calendar command.
Thanks, Louis Paternault
* search: add more classes as a hook for CSS. Thanks, sajolida
* core: generate HTML5 by default, but keep avoiding new elements
like <section> that require specific browser support unless html5 is
set to 1.
* Tell mobile browsers to draw our pages in a device-sized viewport,
not an 800-1000px viewport designed to emulate a desktop/laptop browser.
* Add new responsive_layout option which can be set to 0 if your custom
CSS only works in a large viewport.
* style.css, actiontabs, blueview, goldtype, monochrome: adjust layout
below 600px ("responsive layout") so that horizontal scrolling is not
needed on smartphone browsers or other small viewports.
* core: new libdirs option alongside libdir. Thanks, Louis Paternault
[ Amitai Schlair ]
* core: log a debug message before waiting for the lock.
Thanks, Mark Jason Dominus
* build: in po/Makefile, use the same $(MAKE) as the rest of the build.
Thanks, ttw
* blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
Closes: #774441
pkgsrc changes:
Add a not-yet-upstreamed patch to link to the commenter's URL for
anonymous-style comments committed directly via the VCS (i.e.,
imported from another CMS).
- Upstream's perl-shebang replacement missed one due to a space
(fixed upstream). check-interpreter hadn't told me on OS X because
"/usr/bin/perl" does exist there.
- gmake seems to choose a build order where the perl-shebang
replacement doesn't happen early enough, breaking the build.
Force the needed ordering.
[ Joey Hess ]
* Fix crash that can occur when only_committed_changes is set and a
file is deleted from the underlay.
[ Simon McVittie ]
* core: avoid dangerous use of CGI->param in list context, which led
to a security flaw in Bugzilla; as far as we can tell, ikiwiki
is not vulnerable to a similar attack, but it's best to be safe
* core: new reverse_proxy option prevents ikiwiki from trying to detect
how to make self-referential URLs by using the CGI environment variables,
for instance when it's deployed behind a HTTP reverse proxy
(Closes: #745759)
* core: the default User-Agent is now "ikiwiki/$version" to work around
ModSecurity rules assuming that only malware uses libwww-perl
* core: use protocol-relative URLs (e.g. //www.example.com/wiki) so that
https stays on https and http stays on http, particularly if the
html5 option is enabled
* core: avoid mixed content when a https cgiurl links to http static pages
on the same server (the static pages are assumed to be accessible via
https too)
* core: force the correct top URL in w3mmode
* google plugin: Use search form
* docwiki: replace Paypal and Flattr buttons with text links
* comments: don't record the IP address in the wiki if the user is
logged in via passwordauth or httpauth
* templates: add ARIA roles to some page elements, if html5 is enabled.
Thanks, Patrick
pkgsrc changes:
* For the python option, add missing py-expat dependency.
* Don't double-decode CGI submissions with Encode.pm >= 2.53,
fixing "Error: Cannot decode string with wide characters".
Thanks, Antoine Beaupré
* Avoid making trails depend on everything in the wiki by giving them
a better way to sort the pages
* Don't let users post comments that won't be displayed
* Fix encoding of Unicode strings in Python plugins.
Thanks, chrysn
* Improve performance and correctness of the [[!if]] directive
* Let [[!inline rootpage=foo postform=no]] disable the posting form
* Switch default [[!man]] shortcut to manpages.debian.org. Closes: #700322
* Add UUID and TIME variables to edittemplate. Closes: #752827
Thanks, Jonathon Anderson
* Display pages in linkmaps as their pagetitle (no underscore escapes).
Thanks, chrysn
* Fix aspect ratio when scaling small images, and add support for
converting SVG and PDF graphics to PNG.
Thanks, chrysn
- suggest ghostscript (required for PDF-to-PNG thumbnailing)
and libmagickcore-extra (required for SVG-to-PNG thumbnailing)
- build-depend on ghostscript so the test for scalable images can be run
* In the CGI wrapper, incorporate $config{ENV} into the environment
before executing Perl code, so that PERL5LIB can point to a
non-system-wide installation of IkiWiki.
Thanks, Lafayette Chamber Singers Webmaster
* filecheck: accept MIME types not containing ';'
* autoindex: index files in underlays if the resulting pages aren't
going to be committed. Closes: #611068
* Add [[!templatebody]] directive so template pages don't have to be
simultaneously a valid template and valid HTML
* Add myself to Uploaders and release to Debian
-- Simon McVittie <smcv@debian.org> Fri, 12 Sep 2014 21:23:58 +0100
pkgsrc changes:
* Add 'cgi' option, enabled by default
* Add 'git' option, disabled by default
Updating during the freeze because it's a leaf with many fixes,
including our local patches.
* Add google back to openid selector. Apparently this has gotten a stay
of execution until April 2015. (It may continue to work until 2017.)
* highlight: Add compatibility with highlight 3.18, while still supporting
3.9+. Closes: #757679
Thanks, David Bremner
* highlight: Add support for multiple language definition directories
Closes: #757680
Thanks, David Bremner
pkgsrc changes:
* Add ikiwiki-highlight option that pulls in textproc/p5-highlight,
for syntax highlighting code blocks (or entire source files).
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
* Added useragent config setting. Closes: #737121
Thanks, Tuomas Jormola
* po: Add html_lang_code and html_lang_dir template variables
for the language code and direction of text.
Thanks, Mesar Hameed
* Allow up to 8 levels of nested directives, rather than previous 3
in directive infinite loop guard.
* git diffurl: Do not escape / in paths to changed files, in order to
interoperate with cgit (gitweb works either way)
Thanks, intrigeri.
* git: Explicitly push master branch, as will be needed by git 2.0's
change to push.default=matching by default.
Thanks, smcv
* Deal with nasty issue with gettext clobbering $@ while printing
error message containing it.
Thanks, smcv
* Cleanup of the openid login widget, including replacing of hotlinked
images from openid providers with embedded, freely licensed artwork.
Thanks, smcv
* Improve templates testing.
Thanks, smcv
* python proxy: Avoid utf-8 related crash.
Thanks, Antoine Beaupré
* Special thanks to Simon McVittie for being the patchmeister for this
release.
* aggregate: Improve display of post author.
* poll: Fix behavior of poll buttons when inlined.
* Fixed unnecessary tight loop hash copy in saveindex where a pointer
can be used instead. Can speed up refreshes by nearly 50% in some
circumstances.
* Optimized loadindex by caching the page name in the index.
* Added only_committed_changes config setting, which speeds up wiki
refresh by querying git to find the files that were changed, rather
than looking at the work tree. Not enabled by default as it can
break some setups where not all files get committed to git.
* comments: Write pending moderation comments to the transient underlay
to avoid conflict with only_committed_changes.
* search: Added google_search option, which makes it search google
rather than using the internal xapian database.
(googlesearch plugin is too hard to turn on when xapian databases
corrupt themselves, which happens all too frequently).
* osm: Remove invalid use of charset on embedded javascript tags.
Closes: #731197
* style.css: Add compatibility definitions for more block-level
html5 elements. Closes: #731199
* aggregate: Fix several bugs in handling of empty and colliding
titles when generating filenames.
* calendar: Display the popup mouseover when there is only 1 page for a
given day, for better UI consistency.
* meta: Can now be used to add an enclosure to a page, which is a fancier
way to do podcasting than just inlining the media files directly;
this way you can write a post about the podcast episode with show notes,
author information, etc.
(schmonz)
* aggregate: Show author in addition to feedname, if different.
(schmonz)
* Consistently configure LWP::UserAgent to allow use of http_proxy
and no_proxy environment variables, as well as ~/.ikiwiki/cookies
(schmonz)
* Fix test suite to work with perl 5.18. Closes: #719969
* Fix cookiejar default setting.
* Deal with git behavior change in 1.7.2 and newer that broke support
for commits with an empty commit message.
* Pass --no-edit when used with git 1.7.8 and newer.
* blogspam: Fix encoding issue in RPC::XML call.
Thanks, Changaco
* comments: The formats allowed to be used in comments can be configured
using comments_allowformats.
Thanks, Michal Sojka
* calendar: When there are multiple pages for a given day, they're
displayed in a popup on mouseover.
Thanks, Louis
* osm: Remove trailing slash from KML maps icon.
* page.tmpl: omit searchform, trails, sidebar and most metadata in CGI
(smcv)
* openid: Automatically upgrade openid_realm to https when
accessed via https.
* The ip() pagespec can now contain glob characters to match, e.g., a subnet
full of spammers.
* Fix crash that could occur when a needsbuild hook returned a file
that does not exist.
* Fix python proxy to not crash when fed unicode data in getstate
and setstate.
Thanks, chrysn
* Fix committing attachments when using svn.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
* Fix test suite to not fail when XML::Twig is not installed. Closes:
#707436
* theme: Now <TMPL_IF THEME_$NAME> can be used in all templates
when a theme is enabled.
* notifyemail: Fix bug that caused duplicate emails to be sent when
site was rebuilt.
* bzr: bzr rm no longer has a --force option, remove
This broke packages that needed a target Python at build-time.
Instead, change it from defined/undefined to yes/no/tool. Most cases
of defined used `yes' anyway; fix the few stragglers to do that instead.
New case `tool' is for TOOL_DEPENDS rather than buildlink3.
* Allow dots in directive parameter names. (tango)
* Add missing plugin section, and deal with missing sections with a warning.
* Detect plugins with a broken getsetup and warn.
* map: Correct reversion introduced in version 3.20110225 that could
generate invalid html. (smcv)
* Makefile.PL: overwrite theme style.css instead of appending
(Thanks, Mikko Rapeli)
* meta: Fix anchors used to link to the page's license and copyright.
Closes: #706437
* htmlscrubber: Allow the bitcoin URI scheme.
* htmlscrubber: Allow the URI schemes of major VCS's.
* aggregate: When run with --aggregate, if an aggregation is already
running, don't go on and --refresh.
* trail: Avoid excess dependencies between pages in the trail
and the page defining the trail. Thanks, smcv.
* opendiscussion: Don't allow editing discussion pages if discussion pages
are disabled. (smcv)
* poll: Add expandable option to allow users to easily add new choices to
a poll.
* trail: Avoid massive slowdown caused by pagetemplate hook when displaying
dynamic cgi pages, which cannot use trail anyway.
* Deal with empty diffurl in configuration.
* cvs: Various fixes. (schmonz)
* highlight: Now adds a span with class highlight-<extension> around
highlighted content, allowing for language-specific css styling.
* `6753235d`: Return bounded output from `rcs_diff()` when asked, as
the API states.
* `e45175d5`: Always explicitly set CVS keyword substitution behavior.
Fixes behavior when a text file is added under a name formerly
used for a binary file.
* `b30cacdf`: If the previous working directory no longer exists after
a CVS operation, don't try to `chdir()` back to it afterward.
Bump PKGREVISION.
* filecheck: Fix bug that prevented File::MimeInfo::Magic from ever
being used.
* openid: Display openid in Preferences page as a comment, so it can be
selected in all browsers.
* monochrome: New theme, contributed by Jon Dowland.
* rst: Ported to python 3, while still also being valid python 2.
Thanks, W. Trevor King
* Try to avoid a situation in which so many ikiwiki cgi wrapper programs
are running, all waiting on some long-running thing like a site rebuild,
that it prevents the web server from doing anything else. The current
approach only avoids this problem for GET requests; if multiple cgi's
run GETs on a site at the same time, one will display a "please wait"
page for a configurable number of seconds, which then redirects to retry.
To enable this protection, set cgi_overload_delay to the number of
seconds to wait. This is not enabled by default.
* Add back a 1em margin between archivepage divs.
* recentchangesdiff: Correct broken template that resulted in duplicate
diff icons being displayed, and bloated the recentchanges page with
inline diffs when the configuration should have not allowed them.