sbrl-github/Pepperminty-Wiki
sbrl-github
/
Pepperminty-Wiki
mirror of https://github.com/sbrl/Pepperminty-Wiki.git
1
0
Fork 0
Code
1,863 Commits 5 Branches 62 Tags 9.2 MiB
Commit Graph

80 Commits

Author SHA1 Message Date
Starbeamrainbowlabs 7698290ee5
unpacking: catch all possible errors from ZipArchive->open() 
Thanks, @daveschroeter
For #249, but does NOT fix it
 2023-10-12 00:51:25 +01:00
Starbeamrainbowlabs f4f08d8066
docs: Update apiDoc 
As it turns out, we used @apiVersion for things that weren't HTTP API 
routes. In such cases, the recommended directive is @since, not 
@apiVersion
 2022-02-27 16:19:35 +00:00
Starbeamrainbowlabs 2e1e1d0535
100-run: fix XSS when action is not found 2021-09-25 11:42:07 +01:00
Starbeamrainbowlabs 525dbaa3e1
page history: fix username rendering 2021-09-03 02:01:07 +01:00
Starbeamrainbowlabs 0a950425e1
Bugfix: fix new slugify function 2021-09-03 01:55:05 +01:00
Starbeamrainbowlabs de4536e173
page-view: XSS again again again 2021-09-03 01:50:09 +01:00
Starbeamrainbowlabs 2d6bf1df70
feature-user-preferences: fiix potential xss vulnerabilities 2021-09-03 01:01:38 +01:00
Starbeamrainbowlabs 227a7ac662
feature-upload: fix potential XSS attacks 2021-09-03 00:42:36 +01:00
Starbeamrainbowlabs 39af83caf9
page-renderer: use htmlentities on admindetails_name 
This is NOT to fix a security issue - rather to allow the admin's name 
to contain special characters. Note that the admin's name can only be 
changed either in peppermint.json or via the admin settings panel (which 
only admins can access). If you're worries about admins serving 
arbitrary HTML, then Pepperminty Wiki is not for you because they could 
serve a random static HTML file that they've uploaded to their web 
server for instance.
 2021-09-03 00:09:44 +01:00
Starbeamrainbowlabs 738715af43
core | render_pagename, render_username: fix potential authenticated XSS attack 2021-09-02 23:04:26 +01:00
Starbeamrainbowlabs f400da6dce
Page renderer: Automatically run htmlentities() on all titles 2021-09-02 21:34:40 +01:00
Starbeamrainbowlabs 96546184dc
Implement simple slugify function 
I suspect I may have to fix a number of issues here.....
 2021-09-02 21:19:31 +01:00
Starbeamrainbowlabs 7f48302f1a
Bugfix: Fix XSS via action GET parameter. 
Ref CVE-2021-38601

Serously, don't make public GitHub repos before contacting me!

https://github.com/hmaverickadams/CVE-2021-38601
 2021-09-02 21:08:01 +01:00
Starbeamrainbowlabs 2e54a8a4d5
Improve resilience and error output if the PHP Zip extension is not installed on first run 2021-07-20 23:15:48 +01:00
Starbeamrainbowlabs b2a783e903
core: Support setting page through either GET or POST 
Fixes #217.
 2020-11-20 21:25:47 +00:00
Starbeamrainbowlabs cfd087d919
Add MPL 2.0 short header to core code files 2020-09-23 23:22:39 +01:00
Starbeamrainbowlabs 0085ddf0c4
Don't emit custom css unless there's something to emit 2020-08-31 21:04:59 +01:00
Starbeamrainbowlabs 23998f60bf
Bugfix: correctly escape ampersands with htmlentities in URLs 2020-08-31 21:00:15 +01:00
Starbeamrainbowlabs 42971f573d
Bugfix: Fix invalid HTML generated by new hide_email() logic 2020-08-31 20:56:34 +01:00
Starbeamrainbowlabs d9ddb504bf
Fix typo in the name of the didyoumean index (which is disabled by default). 
Admins need to manually rename `didyoumeaninddex.sqlite` → 
`didyoumeanindex.sqlite`
 2020-08-18 15:41:14 +01:00
Starbeamrainbowlabs 3c5a407356
Really fix #205 2020-08-11 23:01:44 +01:00
Starbeamrainbowlabs 93bff09422
Update hide_email implementation 
It now requires Javascript to decode the email address. If this is a 
problem for whatever reason, please get in touch by opening an issue. I 
take accessibility very seriously.
 2020-08-09 23:53:29 +01:00
Starbeamrainbowlabs e710d55883
makepathsafe: don't allow dots on their own 
Specifically, we don't want a single dot as a page name. This is because 
'.' has a special meaning on Linux: The current directory.
 2020-08-09 13:03:40 +01:00
Starbeamrainbowlabs 5fed4cb5ab
Bugfixx: improve rebustness of new filepath_to_pagename and pageindex rebuilder 2020-08-08 22:18:12 +01:00
Starbeamrainbowlabs c0fa5b8ae4
Finish improvements to pageindex rebuilder 
also squash warning from stats engine during the firstrun wizard
 2020-08-08 22:01:12 +01:00
Starbeamrainbowlabs 62a3ea9d1e
Start working on intelligently finding history revisions, but it isn't finished yet. 
Note that this commit does **not** build. I'm in the middle of something 
- please build the previous commit instead until I'm finished :P
 2020-08-08 02:15:08 +01:00
Starbeamrainbowlabs 6e7ff16041
For #204: Implement initial (untested!) page history algorithm. 
TODO: Search for existing page history revisions
 2020-08-08 02:07:35 +01:00
Starbeamrainbowlabs 75c15d66b2
page-move: Ensure that the new subpage actually exists - fixes #201 2020-08-06 15:47:41 +01:00
Starbeamrainbowlabs 607c9f8529
minify_css: minor improvements 
", " -> ","
"0." -> "."
 2020-07-28 21:46:00 +01:00
Starbeamrainbowlabs 3652c20662
Fix $env->is_secure detection 2020-07-28 19:51:56 +01:00
Starbeamrainbowlabs 1ec1705a62
Standardise error_log prefixes to aid clarity in multi-wiki environments 2020-07-28 19:42:41 +01:00
Starbeamrainbowlabs 7d93aa6a10
Overhaul the way we use setcookie() 
- Use SameSite=Strict to avoid issues in modern browsers & prevent 
session-stealing attacks
 - Use Secure when requests run over HTTPS by default to avoid 
downgrade-based session-stealing attacks
 - Add warning for PHP <= 7.2, as it doesn't support SameSite in 
setcookie().
 2020-07-28 19:40:22 +01:00
Starbeamrainbowlabs 45c2fa56cd
Add more type hints, and fail to get Server-Timing working. 
Note to self: If we do end up implementing it, remember that 
$env->perfdata does containsensitive information sometimes, so we might 
need to revise our approach a bit (e.g. only sending it to authenticated 
admins)
 2020-07-28 02:10:28 +01:00
Starbeamrainbowlabs 1813fe73e2
Add absolute redirects 2020-07-07 21:10:38 +01:00
Starbeamrainbowlabs 093b405182
Add meta theme-color support 2020-05-24 01:59:05 +01:00
Starbeamrainbowlabs f632c0907c
Integrate didyoumean into the main search engine, but it's crashing. 
We're getting there though!
 2020-03-15 17:54:27 +00:00
Starbeamrainbowlabs fa81f0df25
Implement basic Pepperminty Wiki CLI & shell :D 
The BkTree tester gave me the idea.

No longer will you have to hope that search indexing will complete in 
time and adjust the maximum execution time for larger wikis..... when 
that's implemented.
 2020-03-10 01:47:40 +00:00
Starbeamrainbowlabs 1d540d3d8a
Send content-type: text/plain when erroring out 'cause we can't write to disk 2020-02-04 01:23:44 +00:00
Starbeamrainbowlabs 0be001990f
Bugfix: fix new url_stem() function 2020-01-05 21:07:59 +00:00
Starbeamrainbowlabs b4c0782e58
bool -> boolean 2020-01-05 20:59:21 +00:00
Starbeamrainbowlabs 322f956a9f
Add url_stem() & email address verification system 2020-01-05 20:49:20 +00:00
Starbeamrainbowlabs 7548c1e7ee
Bugfix: Fix alt + enter search box submit failing with allow popups message 2019-12-23 20:52:48 +00:00
Starbeamrainbowlabs 86a9828565
Improve render_timestamp() 2019-12-23 18:30:06 +00:00
Starbeamrainbowlabs 1686ee33d3
Add new email_debug_dontsend setting 2019-12-23 17:53:46 +00:00
Starbeamrainbowlabs 1602fab2c3
Correctly handle utf-8 in email_user() 2019-12-23 17:39:18 +00:00
Starbeamrainbowlabs ead1663849
pageindex: Unset stray global 2019-12-23 15:42:40 +00:00
Starbeamrainbowlabs f02e486580
Tweak peppermint.josn access check message again 2019-12-22 14:32:46 +00:00
Starbeamrainbowlabs 23f526baaa
Bugfix: Avoid inadvertent link loop for bots on login page 2019-12-19 15:36:41 +00:00
Starbeamrainbowlabs d3e83a0aea
page_renderer: Don't generate the page list for the datalist if it's not displayed 2019-12-08 20:27:20 +00:00
Starbeamrainbowlabs 1ef86f117c
Bugfix: Make errorimage() multibyte-safe 2019-10-22 21:44:20 +01:00