| Commit message | Author | Age |

Security Fix
Severity: Medium
Type: Remote Privilege Escalation
Remote: yes
Vulnerability Details:
This fixes a security hole in the ACL plugin's remote API component. The
plugin failed to check for superuser permissions before executing ACL
addition or deletion. This means everybody with permissions to call the
XMLRPC API also had permissions to set up their own ACL rules, thus
circumventing any existing rules.
Risk Assessment:
The XMLRPC API in DokuWiki is marked experimental and off by default. It
also implements an additional safeguard by giving access to a configured
circle of users and groups only. So only a minor number of DokuWiki
installations will be affected at all.
For affected installations the risk is high if users with access to the
API are not to be trusted.
Thus the overall severity of medium.
Resolution:
Installations applying this commit are safe. A hotfix is about to be
released. Meanwhile users are advised to disable the XMLRPC API in the
config manager.

* master: (214 commits)
release preparations
postgresql auth plugin: correct function name
parse AT parameter: first strtotime then timestamp remove config option
move more strings to lang.php
move strings to lang.php
add placeholders for create page text
phpdocs parserutils
improve some scrutinizer issues
visibility plugin methods
use config cascade for loading of localizations
reformatting config cascade
add lang files to cascading
work around missing gzopen on certain systems #865
translation update
fix scrutinizer issues
fixed typos in docblock comments
do not allow empty passwords
clean user credentials from control chars
added filter method to INPUT class
translation update
...

Last Update Date info of extension fix

This request makes "Your last update" of the extension info shown when
clicking more info triangle mark. The first installed date of the
extension may not be necessary for local site admin work.

* origin/auth_getUserData_improvements:
KISS - remove class constants for REQUIRE_GROUPS & IGNORE_GROUPS and replace with boolean values
use $requireGroups constants in auth classes; comments; code improvements
fix comment errors, sp. & grammar
code styling - add missing braces
Allow user info to be retrieved without groups
Restore correct public interface of getUserData() for authldap plugin
Conflicts:
inc/common.php

with boolean values

Some parts of dokuwiki (e.g. recent changes, old revisions) can
request lots of user info (to provide editor names) without
requiring any group information.
This change also implements caching of user info by authmysql &
authpgsql plugins to avoid repeated querying of the DB to retrieve
the same user information.

plugin
The outer/public getUserData() implemented as a wrapper for the
previous fn which is now protected.

Translation update (zh-tw)

Translation update (hr)

Translation update (ru)

authplain: Escape ':'s that appear in the pwhash string

':' is the field delimiter in the authplain flat text
conf/users.auth.php file, but it's also used as an internal delimiter
for the 'mediawiki' password hash format. Currently using this hash
format corrupts the file.
This change escapes ':' as '\:' in any field in the users.auth.php
file, and any '\' as '\\'.
Also adds test cases for escaping modes.

Translation update (lv)

Translation update (tr)

Conflicts:
inc/lang/lv/lang.php
inc/lang/pt/lang.php