Commit Graph

7400 Commits

Author SHA1 Message Date
Guy Brand eb4aee7e8f Hotfix Release 2014-05-05e "Ponder Stibbons" 2015-03-19 20:33:50 +01:00
Andreas Gohr 8e1fb58763 SECURITY escape user properties in user manager #1081
The user properties (login, real name, etc.) were not properly escaped
in the user manager's edit form. This allowed an XSS attack on the
superuser by registered users.

Thanks to Filippo Cavallarin from www.segment.technology for discovering
this bug.
2015-03-19 20:32:52 +01:00
Guy Brand d0a452980d Hotfix release 2014-05-05d "Ponder Stibbons" 2015-02-24 20:51:46 +01:00
Andreas Gohr 16ca97e169 check permissions in ACL plugin's RPC API component. #1056
Security Fix

Severity: Medium
Type:     Remote Privilege Escalation
Remote:   yes

Vulnerability Details:

This fixes a security hole in the ACL plugin's remote API component. The
plugin failed to check for superuser permissions before executing ACL
addition or deletion. This means everybody with permissions to call the
XMLRPC API also had permissions to set up their own ACL rules and thus
circumvent any existing rules.

Risk Assessment:

The XMLRPC API in DokuWiki is marked experimental and off by default. It
also implements an additional safeguard by giving access to a configured
circle of users and groups only. So only a minor number of DokuWiki
installations will be affected at all.
For affected installations the risk is high if users with access to the
API are not to be trusted.
Thus the overall severity of medium.

Resolution:

Installations applying this commit are safe. A hotfix is about to be
released. Meanwhile users are advised to disable the XMLRPC API in the
config manager.
2015-02-24 20:45:41 +01:00
Guy Brand 4325e9e136 hotfix release 2014-05-05c 2014-12-03 15:38:43 +01:00
Andreas Gohr 4488c6be24 disable flash uploading by default
Thanks to Kacper Szurek for reporting this
2014-12-03 15:36:34 +01:00
Andreas Gohr dbf5eb4c10 hotfix release 2014-05-05b 2014-09-29 20:28:51 +02:00
Andreas Gohr ee84e0b5e9 do not allow empty passwords
When a username but no password is submitted, the login is denied right
away instead of relying on the backend to refuse the login.
2014-09-29 20:27:34 +02:00
Andreas Gohr bd281746d3 clean user credentials from control chars
This is to prevent zero byte attacks on external auth systems as
described in
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
2014-09-29 20:27:34 +02:00
Andreas Gohr 617083fc80 Merge branch 'stable' into old-stable
* stable: (474 commits)
  hotfix release for #765
  Quick fix for #765 - ACL checks in the media manager ajax calls
  Use git attributes to exclude some files from exported archives
  Release 2014-05-05 "Ponder Stibbons"
  Release preparation
  no fancy quotes in user manager import description
  add defaults to phpdocs of search universal
  update deprecation stuff for dw_qearch
  translation update
  translation update
  translation update
  added another test for arrays
  fixed some test inheriting from the wrong parent
  use new $INPUT->valid() method in feed.php
  add new valid() method to $INPUT #667
  some updates on phpunit docs and settings
  Fix https proxy authentication, the header was missing a colon so that the auth info was not working.
  translation update
  translation update
  translation update
  ...
2014-09-29 20:12:20 +02:00
Andreas Gohr 9f998ce0ad hotfix release for #765 2014-06-25 19:08:52 +02:00
Michael Hamann e0f32972da Quick fix for #765 - ACL checks in the media manager ajax calls
This should be superseded by a proper rewrite of the media manager code

Conflicts:
	inc/template.php
2014-06-25 19:07:44 +02:00
Andreas Gohr 35f3340eb3 hotfix release for #765 2014-06-25 18:59:26 +02:00
Michael Hamann 0a2ef7a346 Quick fix for #765 - ACL checks in the media manager ajax calls
This should be superseded by a proper rewrite of the media manager code
2014-06-25 18:58:26 +02:00
Guy Brand ce8cd6ae97 Use git attributes to exclude some files from exported archives 2014-05-19 22:10:22 +02:00
Guy Brand 3d71006505 Use git attributes to exclude some files from exported archives 2014-05-19 22:09:42 +02:00
Guy Brand 56c485d3ac Release 2014-05-05 "Ponder Stibbons" 2014-05-05 22:53:23 +02:00
Guy Brand 43a2e077a2 Merge branch 'master' into stable 2014-05-05 22:51:26 +02:00
Guy Brand 75930869dd Release preparation 2014-05-05 22:48:47 +02:00
Guy Brand e9c3fd7ad5 Merge branch 'stable' into old-stable 2014-05-05 22:35:24 +02:00
Andreas Gohr 63ac7ec34e Merge pull request #675 from splitbrain/depr_dwqsearch
Deprecated dwqsearch updated, no fancy quotes, some phpdocs
2014-05-05 14:48:29 +02:00
Gerrit Uitslag 9e1bc3f3dd no fancy quotes in user manager import description 2014-05-05 13:35:56 +02:00
Gerrit Uitslag e14fe97318 add defaults to phpdocs of search universal 2014-05-05 13:26:47 +02:00
Gerrit Uitslag 5f785b9aeb update deprecation stuff for dw_qearch 2014-05-05 13:25:58 +02:00
Andreas Gohr e17b5b8976 Merge pull request #618 from splitbrain/cache_and_cachetime
Fix longstanding issue with cache class & cachetime setting
2014-05-04 19:32:38 +02:00
Andreas Gohr 923b198114 Merge pull request #672 from dokuwiki-translate/lang_update_274
Translation update (ka)
2014-05-04 19:31:23 +02:00
Andreas Gohr d2443ac6ff Merge pull request #671 from dokuwiki-translate/lang_update_273
Translation update (fr)
2014-05-04 19:28:56 +02:00
Andreas Gohr fae328bd63 Merge pull request #670 from dokuwiki-translate/lang_update_271
Translation update (fr)
2014-05-04 19:28:38 +02:00
Luka Lejava ff1e24d536 translation update 2014-05-03 19:30:32 +02:00
David VANTYGHEM b23c16e2bf translation update 2014-05-02 23:51:03 +02:00
David VANTYGHEM edb5a6f403 translation update 2014-05-02 23:46:20 +02:00
Andreas Gohr 9d303680c2 Merge pull request #669 from splitbrain/validinputs
#667 - directly get a valid INPUT parameter
2014-04-30 20:08:42 +02:00
Andreas Gohr 61ee3dfc9d added another test for arrays 2014-04-30 20:05:35 +02:00
Andreas Gohr 363404184f fixed some test inheriting from the wrong parent 2014-04-30 20:03:13 +02:00
Andreas Gohr d2704764cf use new $INPUT->valid() method in feed.php 2014-04-30 19:49:25 +02:00
Andreas Gohr 6920d2fd3e add new valid() method to $INPUT #667 2014-04-30 19:44:50 +02:00
Andreas Gohr 7a7b77ef2f some updates on phpunit docs and settings 2014-04-30 16:06:24 +02:00
Andreas Gohr 4dbf4add0c Merge pull request #664 from dokuwiki-translate/lang_update_259
Translation update (ko)
2014-04-30 15:11:16 +02:00
Andreas Gohr a0b1ca933e Merge pull request #665 from alexlehm/master
Fix https proxy authentication, the header was missing a colon so that
2014-04-29 22:48:52 +02:00
Alex 67f6ad6b94 Fix https proxy authentication, the header was missing a colon so that
the auth info was not working.
2014-04-29 22:31:58 +02:00
Myeongjin 6dda14c94f translation update 2014-04-27 02:21:03 +02:00
Anika Henke 537f332b5c Merge pull request #661 from dokuwiki-translate/lang_update_243
Translation update (ko)
2014-04-26 22:26:52 +01:00
Michael Hamann 2489c7a9b1 Merge pull request #663 from dokuwiki-translate/lang_update_252
Translation update (ru)
2014-04-25 11:35:24 +02:00
Владимир 3dcaf4be3d translation update 2014-04-25 09:11:00 +02:00
Myeongjin da2c1fba42 translation update 2014-04-22 10:51:03 +02:00
Andreas Gohr 8dfccb7a0f Merge pull request #656 from glensc/skip-bzgz
tar: test. skip instead of error if bz2 or zlib extension is missing
2014-04-16 18:31:49 +02:00
Andreas Gohr 4f6c1b595c Merge pull request #658 from dokuwiki-translate/lang_update_235
Translation update (es)
2014-04-16 14:54:56 +02:00
Antonio Bueno fc4ff0c349 translation update 2014-04-16 14:36:06 +02:00
Gerrit Uitslag a58ded8508 Merge remote-tracking branch 'origin/master' 2014-04-16 13:42:29 +02:00
Gerrit Uitslag c006b6aa93 use plaintext authornames in diff navigation dropdowns 2014-04-16 13:41:55 +02:00