mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-11-26 05:32:59 +00:00
Add setting to disallow anonymous users from invoking the external renderer on new input
parent
b75ad067eb
commit
bba614df2f
3 changed files with 10 additions and 2 deletions
|
@ -337,7 +337,7 @@
|
||||||
"version": "0.10",
|
"version": "0.10",
|
||||||
"author": "Emanuil Rusev & Starbeamrainbowlabs",
|
"author": "Emanuil Rusev & Starbeamrainbowlabs",
|
||||||
"description": "An upgraded (now default!) parser based on Emanuil Rusev's Parsedown Extra PHP library (https:\/\/github.com\/erusev\/parsedown-extra), which is licensed MIT. Please be careful, as this module adds some weight to your installation.",
|
"description": "An upgraded (now default!) parser based on Emanuil Rusev's Parsedown Extra PHP library (https:\/\/github.com\/erusev\/parsedown-extra), which is licensed MIT. Please be careful, as this module adds some weight to your installation.",
|
||||||
"lastupdate": 1571944258,
|
"lastupdate": 1571947549,
|
||||||
"optional": false,
|
"optional": false,
|
||||||
"extra_data": {
|
"extra_data": {
|
||||||
"Parsedown.php": "https:\/\/raw.githubusercontent.com\/erusev\/parsedown\/fe7a50eceb4a3c867cc9fa9c0aa906b1067d1955\/Parsedown.php",
|
"Parsedown.php": "https:\/\/raw.githubusercontent.com\/erusev\/parsedown\/fe7a50eceb4a3c867cc9fa9c0aa906b1067d1955\/Parsedown.php",
|
||||||
|
|
|
@ -110,6 +110,13 @@ register_module([
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(!$settings->parser_ext_allow_anon && !$env->is_logged_in) {
|
||||||
|
http_response_code(401);
|
||||||
|
header("content-type: image/png");
|
||||||
|
imagepng(errorimage(wordwrap("Error: You aren't logged in, that image hasn't yet been cached, and $settings->sitename does not allow anonymous users to invoke external renderers, so that image can't be generated right now. Try contacting $settings->admindetails_name, $settings->sitename's administrator (their details can be found at the bottom of every page).")));
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
// Create the cache directory if doesn't exist already
|
// Create the cache directory if doesn't exist already
|
||||||
if(!file_exists(dirname($cache_file_location)))
|
if(!file_exists(dirname($cache_file_location)))
|
||||||
mkdir(dirname($cache_file_location), 0750, true);
|
mkdir(dirname($cache_file_location), 0750, true);
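Review bot: The refusal branch added at `if(!$settings->parser_ext_allow_anon && !$env->is_logged_in)` replies with `http_response_code(401)` but sends no `WWW-Authenticate` header, which HTTP requires on a 401; if the wiki's login is form or cookie based (not visible here), `http_response_code(403);` describes the refusal more accurately. The gate checks only that the caller is logged in, so a comment above it should state the intent and its limit, e.g. `// Uncached render: refuse anonymous callers before any external renderer is started (does not cover diagrams planted via anonymous edits)`. The handler begins and ends outside this hunk, so I am assuming the preceding `exit();` block is the cache-hit path and that no renderer invocation happens before this check; that ordering should be confirmed.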
|
||||||
|
|
|
@ -57,6 +57,7 @@
|
||||||
}
|
}
|
||||||
} },
|
} },
|
||||||
"parser_ext_time_limit": { "type": "number", "description": "The number of seconds external renderers are allowed to run for. Has no effect if external renderers are turned off. Also currently has no effect on Windows.", "default": 5 },
|
"parser_ext_time_limit": { "type": "number", "description": "The number of seconds external renderers are allowed to run for. Has no effect if external renderers are turned off. Also currently has no effect on Windows.", "default": 5 },
|
||||||
|
"parser_ext_allow_anon": { "type": "checkbox", "description": "<p>Whether to allow anonymous users to render new diagrams with the external renderer. When disabled, anonymous users will still be allowed to recall pre-rendered items from the cache, but will be unable to generate brand-new diagrams.</p><p>Note that if you allow anonymous edits this setting won't fully protect you: anonymous users could edit a page and insert a malicious diagram, and then laer a logged in user could unwittingly invoke the external renderer on the anonymous user's behalf.", "default": false },
|
||||||
"interwiki_index_location": { "type": "text", "description": "The location to find the interwiki wiki definition file, which contains a list of wikis along with their names, prefixes, and root urls. May be a URL, or simply a file path - as it's passed to file_get_contents(). If left blank, interwiki link parsing is disabled.", "default": null },
|
"interwiki_index_location": { "type": "text", "description": "The location to find the interwiki wiki definition file, which contains a list of wikis along with their names, prefixes, and root urls. May be a URL, or simply a file path - as it's passed to file_get_contents(). If left blank, interwiki link parsing is disabled.", "default": null },
|
||||||
"clean_raw_html": { "type": "checkbox", "description": "Whether page sources should be cleaned of HTML before rendering. It is STRONGLY recommended that you keep this option turned on.", "default": true },
|
"clean_raw_html": { "type": "checkbox", "description": "Whether page sources should be cleaned of HTML before rendering. It is STRONGLY recommended that you keep this option turned on.", "default": true },
|
||||||
"all_untrusted": { "type": "checkbox", "description": "Whether to treat both page sources and comment text as untrusted input. Untrusted input has additional restrictions to protect against XSS attacks etc. Turn on if your wiki allows anonymous edits.", "default": false},
|
"all_untrusted": { "type": "checkbox", "description": "Whether to treat both page sources and comment text as untrusted input. Untrusted input has additional restrictions to protect against XSS attacks etc. Turn on if your wiki allows anonymous edits.", "default": false},
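Review bot: The description added for `parser_ext_allow_anon` misspells "later" as `laer` and opens a second `<p>` that is never closed, so the caveat paragraph may render inconsistently wherever the settings page prints this HTML. That caveat is the security-relevant part of the text, so it would help if it also told the administrator how to close the gap, for example by ending with `To avoid this, require users to log in before editing.</p>`. The `"default": false` is the safe choice and should stay.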
|
||||||
|
|