| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: ikiwiki-w3m | Distribution: openSUSE:Factory:zSystems |
| Version: 3.20200202.3 | Vendor: openSUSE |
| Release: 2.16 | Build date: Mon Sep 28 15:58:10 2020 |
| Group: Productivity/Networking/Web/Utilities | Build host: reproducible |
| Size: 464 | Source RPM: ikiwiki-3.20200202.3-2.16.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://ikiwiki.info/ | |
| Summary: Ikiwiki w3m cgi meta-wrapper | |
Enable to use all of ikiwiki's web features (page editing, etc) in the w3m web browser without using a web server. w3m supports local CGI scripts, and ikiwiki can be set up to run that way.
GPL-2.0-or-later AND BSD-2-Clause
* Mon Sep 28 2020 Callum Farmer <callumjfarmer13@gmail.com>
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
* Thu Jul 30 2020 Marketa Calabkova <mcalabkova@suse.com>
- update to 3.20200202.3
* highlight: Adapt to API change in highlight >= 3.51
* mdwn: Fix inverted footnote configuration when MultiMarkdown is
enabled. Thanks, Giuseppe Bilotta
* translation improvements
- Switch to python3-docutils since we do not have Python 2 anymore
* Wed Apr 08 2020 Matej Cepl <mcepl@suse.com>
- Remove BR of bzr ... we don't support it anymore, and there isn't any
need for it: the testsuite just skips the test, if bzr is not
available.
* Tue Jul 16 2019 Marketa Calabkova <mcalabkova@suse.com>
- update to 3.20190228
* aggregate: Use LWPx::ParanoidAgent if available.
Previously blogspam, openid and pinger used this module if available,
but aggregate did not. This prevents server-side request forgery or
local file disclosure, and mitigates denial of service when slow
"tarpit" URLs are accessed.
(CVE-2019-9187)
* blogspam, openid, pinger: Use a HTTP proxy if configured, even if
LWPx::ParanoidAgent is installed.
Previously, only aggregate would obey proxy configuration. If a proxy
is used, the proxy (not ikiwiki) is responsible for preventing attacks
like CVE-2019-9187.
* aggregate, blogspam, openid, pinger: Do not access non-http, non-https
URLs.
Previously, these plugins would have allowed non-HTTP-based requests if
LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
file disclosure, and preventing other rarely-used URI schemes like
gopher mitigates request forgery attacks.
* aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
recommended.
These plugins can request attacker-controlled URLs in some site
configurations.
* blogspam: Document LWPx::ParanoidAgent as desirable.
This plugin doesn't request attacker-controlled URLs, so it's
non-critical here.
* blogspam, openid, pinger: Consistently use cookiejar if configured.
Previously, these plugins would only obey this configuration if
LWPx::ParanoidAgent was not installed, but this appears to have been
unintended.
* po: Always filter .po files.
The po plugin in previous ikiwiki releases made the second and
subsequent filter call per (page, destpage) pair into a no-op,
apparently in an attempt to prevent *recursive* filtering (which as
far as we can tell can't happen anyway), with the undesired effect
of interpreting the raw .po file as page content (e.g. Markdown)
if it was inlined into the same page twice, which is apparently
something that tails.org does. Simplify this by deleting the code
that prevented repeated filtering. Thanks, intrigeri
(Closes: #911356)
- update to 3.20190207
* graph: Add an optional "file" parameter
* emailauth: When email can't be sent, show the error message
* osm: Don't raise errors if tags don't have attached icons
* cgi: Avoid C compiler warnings for waitpid() on NetBSD
* Hide popup template content from documentation (Closes: #898836)
* meta: Make [[!meta date]] show an error if dates are invalid or
Date::Parse can't be loaded
* inline: Cope with non-ASCII `rootpage` parameter.
Thanks, Feng Shu
* table: Cope with non-ASCII content in CSV format tables.
Thanks, Feng Shu
* trail: Allow unescaped punctuation in `pagenames` parameter
* comments: Hide "add comment" link from print stylesheet.
Thanks, Antoine Beaupré
* recentchangesdiff, relativedate, toggle:
Import JavaScript at the end of the page content, not the beginning,
so that the browser can render content as soon as possible.
Thanks, Antoine Beaupré
* debian: Allow Breezy as an alternative to bzr
Thanks, Jelmer Vernooij
* inline: Add basic test coverage for [[!inline rootpage]]
* table: Add basic test coverage
* po: Add enough test coverage to reproduce Debian #911356
* comments: Improve test coverage
* tests: Exercise Unicode more
* aggregate: Fix aggregation of posts without a title.
Thanks, Alexandre Oliva
* poll: Added postlink and posttrail options for better multi-page polls.
* Fix permalink to comments.
* Fri Apr 06 2018 kstreitova@suse.com
- run spec-cleaner
- update licence to GPL-2.0+ AND BSD-2-Clause as ikiwiki is
licensed under GPL-2.0+ and the Python code in plugins directory
is licensed under BSD-2-clause
- update description
- add w3m subpackage that holds w3mmode
- remove shebang for ikiwiki/plugins/rst
- update BuildRequires and Requires
- get cvs plugin back because File/chdir.pm is now available
- don't remove syslog.t test
* Thu Apr 05 2018 kstreitova@suse.com
- update to 3.20180311
* Avoid unexpected full paths from find(1)
* rst test: Probe for docutils Python 3 module, not Python 2
* mdwn: Automatically detect which Discount flags to use, fixing
regressions in 3.20180228 when using Discount < 2.2
* Add a test asserting that no plugin is an empty file, to confirm
that the build fixes in 3.20180228 were successful
- update to 3.20180228
* core: Don't send relative redirect URLs when behind a reverse
proxy
* core: Escape backticks etc. in directive error messages as HTML
entities so that the error message is not subsequently parsed as
Markdown
* mdwn: Enable fenced code blocks, PHP Markdown Extra-style
definition lists and GitHub-style extensions to HTML tag syntax
when used with Discount >= 2.2.0 (Closes: #888055)
* img: Fix auto-detection of image format (if enabled, which is
strongly discouraged) with ImageMagick >= 6.9.8-3
* rst: Use Python 3 instead of Python 2
* build: `set -e` before each `for` loop, so that errors are
reliably trapped
* build: Use if/then instead of `||` so that the `-e` flag works
* build: Ensure that pm_to_blib finishes before rewriting shebang
lines
* t: Make the img test pass with ImageMagick >= 6.9.8-3
(Closes: #891647)
* debian: Remove unused Lintian overrides for duplicate word false
positives
* debian: Declare compliance with Debian Policy 4.1.3
- update to 3.20180105
* emailauth: Fix cookie problem when user is on https and the cgiurl
uses http, by making the emailed login link use https.
* passwordauth: Use https for emailed password reset link when user
is on https.
* Remove openid provider icons from login selector, since openid
providers are increasingly not working. Verisign retired theirs,
and aol and yahoo/flickr are not commonly used for openid. Any
users who still clicked those icons to login will need to instead
enter their openid url.
* Updated German basewiki and directives translation from
Sebastian Kuhnert.
- update to 3.20171001
* htmlscrubber: Add support for the video tag's loop and muted
attributes. Those were not in the original html5 spec, but have
been added in the whatwg html living standard and have wide
browser support.
* emailauth, passwordauth: Avoid leaving cgisess_* files in the
system temp directory.
* core: Don't decode the result of strftime if it is already tagged
as UTF-8, as it might be since Perl >= 5.21.1. (Closes: #869240)
* img: Strip metadata from resized images when the deterministic
config option is set. Thanks, intrigeri
* receive: Avoid asprintf() in IkiWiki::Receive, to avoid implicit
declaration, potential misbehaviour on 64-bit platforms, and lack
of portability to non-GNU platforms
* t: Add a regression test for untrusted git push
* receive: Fix untrusted git push with git (>= 2.11) by passing
through the necessary environment variables to make the
quarantine area work
* debian: Declare compliance with Debian Policy 4.1.1
* l10n: Fix the build with po4a 0.52, by ensuring that msgstr ends
with a newline if and only if msgid does
- update to 3.20170622
* t/git-cgi.t: Wait 1 second before doing a revert that should work.
This hopefully fixes a race condition in which the test failed
around 6% of the time. (Closes: 862494)
* Guard against set-but-empty REMOTE_USER CGI variable on
misconfigured nginx servers, and in general treat sessions with
a set-but-empty name as if they were not signed in.
* When the CGI fails, print the error to stderr, not "Died"
* mdwn: Don't mangle <style> into <elyts> under some circumstances
* mdwn: Enable footnotes by default when using the default Discount
implementation. A new mdwn_footnotes option can be used to
disable footnotes in MultiMarkdown and Discount.
* mdwn: Don't enable alphabetically labelled ordered lists by
default when using the default Discount implementation. A new
mdwn_alpha_list option can be used to restore the old
interpretation.
* osm: Convert savestate hook into a changes hook. savestate is not
the right place to write wiki content, and in particular this
breaks websetup if osm's dependencies are not installed, even
if the osm plugin is not actually enabled. (Closes: #719913)
* toc: if the heading is of the form <h1 id="...">, use that for
the link in the table of contents (but continue to generate
<a name="index42"></a> in case someone was relying on it).
Thanks, Antoine Beaupré
* color: Do not leak markup into contexts that take only the plain
text, such as toc
* meta: Document [[!meta name="foo" content="bar"]]
* debian: Use preferred https URL for Format of debian/copyright
* debian: Declare compliance with Debian Policy 4.0.0
* Sat May 06 2017 mardnh@gmx.de
- update to 3.20170111
* passwordauth: prevent authentication bypass via multiple name
parameters (CVE-2017-0356, OVE-20170111-0001)
* passwordauth: avoid userinfo forgery via repeated email parameter
(also in the scope of CVE-2017-0356)
* CGI, attachment, passwordauth: harden against repeated parameters
(not believed to have been a vulnerability)
* remove: make it clearer that repeated page parameter is OK here
* t/passwordauth.t: new automated test for passwordauth
- update to 3.20170110
* wrappers: Correctly escape quotes in git_wrapper_background_command
* git: use an explicit function parameter for the directory to work
in. Previously, we used global state that was not restored correctly
on catching exceptions, causing an unintended log message
"cannot chdir to .../ikiwiki-temp-working: No such file or directory"
with versions >= 3.20161229 when an attempt to revert a change fails
or is disallowed
* git: don't run "git rev-list ... -- -- ..." which would select the
wrong commits if a file named literally "--" is present in the
repository
* check_canchange: log "bad file name whatever", not literal string
"bad file name %s"
* t/git-cgi.t: fix a race condition that made the test fail
intermittently
* t/git-cgi.t: be more careful to provide a syntactically valid
author/committer name and email, hopefully fixing this test on
ci.debian.net
* templates, comments, passwordauth: use rel=nofollow microformat
for dynamic URLs
* templates: use rel=nofollow microformat for comment authors
* news: use Debian security tracker instead of MITRE for security
references. Thanks, anarcat
* Set package format to 3.0 (native)
* d/copyright: re-order to put more specific stanzas later, to get the
intended interpretation
* d/source/lintian-overrides: override obsolete-url-in-packaging for
OpenID Selector, which does not seem to have any more current URL
(and in any case our version is a fork)
* docwiki.setup: exclude TourBusStop from offline documentation.
It does not make much sense there.
* d/ikiwiki.lintian-overrides: override script-not-executable warnings
* d/ikiwiki.lintian-overrides: silence false positive spelling warning
for Moin Moin
* d/ikiwiki.doc-base: register the documentation with doc-base
* d/control: set libmagickcore-6.q16-3-extra as preferred
build-dependency, with virtual package libmagickcore-extra as an
alternative, to help autopkgtest to do the right thing
- update to 3.20161229.1
* git: Attribute reverts to the user doing the revert, not the wiki
itself.
* git: Do not disable the commit hook while preparing a revert.
- update to 3.20161229
* Security: force CGI::FormBuilder->field to scalar context where
necessary, avoiding unintended function argument injection
analogous to CVE-2014-1572. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious.
(CVE-2016-9646)
* Security: try revert operations in a temporary working tree before
approving them. Previously, automatic rename detection could result in
a revert writing outside the wiki srcdir or altering a file that the
reverting user should not be able to alter, an authorization bypass.
(CVE-2016-10026 represents the original vulnerability.)
The incomplete fix released in 3.20161219 was not effective for git
versions prior to 2.8.0rc0.
(CVE-2016-9645 represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including
CVE-2016-10026
- Build-depend on libipc-run-perl for better build-time test coverage
* Add missing ikiwiki.setup for the manual test for CVE-2016-10026
* git: don't issue a warning if the rcsinfo CGI parameter is undefined
* git: do not fail to commit changes with a recent git version
and an anonymous committer
- update to 3.20161219
* inline: Prevent creating a file named ".mdwn" when the
postform is submitted with an empty title.
* Security: tell `git revert` not to follow renames. If it does, then
renaming a file can result in a revert writing outside the wiki srcdir
or altering a file that the reverting user should not be able to alter,
an authorization bypass. Thanks, intrigeri. (CVE-2016-10026)
* cgitemplate: remove some dead code. Thanks, blipvert
* Restrict CSS matches against header class to not break
Pandoc tables with header rows. Thanks, karsk
* Make pagestats output more deterministic. Thanks, intrigeri
- update to 3.20160905
* Fix installation when prefix includes a string metacharacter.
Thanks, Sam Hathaway.
* Use git log --no-renames to generate recentchanges, fixing the git
test-case with git 2.9 (Closes: #835612)
* Thu Aug 18 2016 mardnh@gmx.de
- removed patch (fixed upstream)
* ikiwiki-skip-img-test.diff
- update to 3.20160728
* Explicitly remove current working directory from Perl's library
search path, mitigating CVE-2016-1238 (see #588017)
* wrappers: allocate new environment dynamically, so we won't overrun
the array if third-party plugins add multiple environment variables.
* Standards-Version: 3.9.8 (no changes required)
- update to 3.20160509
* img: ignore the case of the extension when detecting image format,
fixing the regression that *.JPG etc. would not be displayed
since 3.20160506
* img: parse img_allowed_formats case-insensitively, as was done in
3.20141016.3
* inline: restore backwards compat for show=-1 syntax, which
worked before 3.20160121
* Remove a spurious changelog entry from 3.20160506 (the relevant
change was already in 3.20150614)
* Add CVE-2016-4561 reference to 3.20160506 changelog
* Set high urgency to get the CVE-2016-4561 fix and CVE-2016-3714
mitigation into testing
- update to 3.20160506
* HTML-escape error messages, in one case avoiding potential cross-site
scripting (CVE-2016-4561, OVE-20160505-0012)
* Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
- img: force common Web formats to be interpreted according to extension,
so that "allowed_attachments: '*.jpg'" does what one might expect
- img: restrict to JPEG, PNG and GIF images by default, again mitigating
CVE-2016-3714 and similar vulnerabilities
- img: check that the magic number matches what we would expect from
the extension before giving common formats to ImageMagick
* img: Add back support for SVG images, bypassing ImageMagick and
simply passing the SVG through to the browser, which is supported by all
commonly used browsers these days.
SVG scaling by img directives has subtly changed; where before
size=wxh would preserve aspect ratio, this cannot be done when passing
them through and so specifying both a width and height can change
the SVG's aspect ratio.
* loginselector: When only openid and emailauth are enabled, but
passwordauth is not, avoid showing a "Other" box which opens an
empty form.
* mdwn: Process .md like .mdwn, but disallow web creation.
* git: Correctly handle filenames starting with a dash in add/rm/mv.
- update to 3.20160121
* meta: Fix [[!meta name=foo]] by closing the open quote.
* Avoid unescaped "{" in regular expressions
* meta test: Add tests for many behaviors of the directive.
* img test: Bail gracefully when ImageMagick is not present.
* emailauth: Added emailauth_sender config.
* Modified page.tmpl to to set html lang= and dir= when
values have been specified for them, which the po plugin does.
* Specifically license the javascript underlay under the permissive
basewiki license.
* git: if no committer identity is known, set it to
"IkiWiki <ikiwiki.info>" in .git/config. This resolves commit errors
in versions of git that require a non-trivial committer identity.
* inline, trail: rename show, feedshow parameters to limit, feedlimit
(with backwards compatibility)
* pagestats: add "show" option to show meta fields. Thanks, Louis
* inline: force RSS <comments> to be a fully absolute URL as required
by the W3C validator. Please use Atom feeds if relative URLs are
desirable on your site.
* inline: add <atom:link rel="self"> to RSS feeds as recommended by
the W3C validator
* inline: do not produce links containing /./ or /../
* syslog: accept and encode UTF-8 messages
* syslog: don't fail to log if the wiki name contains %s
* Change dependencies from transitional package perlmagick
to libimage-magick-perl (Closes: #789221)
* debian/copyright: update for the rename of openid-selector to
login-selector
* d/control: remove leading article from Description
(lintian: description-synopsis-starts-with-article)
* d/control: Standards-Version: 3.9.6, no changes required
* Wrap and sort control files (wrap-and-sort -abst)
* Silence "used only once: possible typo" warnings for variables
that are part of modules' APIs
* Run autopkgtest tests using autodep8 and the pkg-perl team's
infrastructure
* Add enough build-dependencies to run all tests, except for
non-git VCSs
* tests: consistently use done_testing instead of no_plan
* t/img.t: do not spuriously skip
* img test: skip testing PDFs if unsupported
* img test: use the right filenames when testing that deletion occurs
- update to 3.20150614
* inline: change default sort order from age to "age title" for
determinism, partially fixing deterministic build for git-annex,
ikiwiki-hosting etc. (Closes: #785757)
* img: avoid ImageMagick misinterpreting filenames containing a colon
* img test: set old timestamp on source file that will change, so that
the test will pass even if it takes less than 1 second
* Mon Jan 04 2016 mardnh@gmx.de
- update to 3.20150610
* The new "emailauth" plugin allows users to authenticate using an email
address, without otherwise creating an account.
* The openid plugin now enables emailauth by default. Please include
emailauth in the disable_plugins setting if this is not desired.
Conversely, if emailauth is required on a wiki that does not enable
openid, you can list it in the enable_plugins setting.
* Thu Apr 30 2015 mardnh@gmx.de
- skip syslog test for systems <= 13.2
/usr/lib/w3m /usr/lib/w3m/cgi-bin /usr/lib/w3m/cgi-bin/ikiwiki-w3m.cgi /usr/share/doc/packages/ikiwiki-w3m /usr/share/doc/packages/ikiwiki-w3m/README.w3m
Generated by rpm2html 1.8.1
Fabrice Bellet, Sat Jan 4 23:43:41 2025