path: root/lib
Commit message    Author    Age
* SECURITY escape user properties in user manager #1081Andreas Gohr2015-03-19
| | | | | | | | | The user properties (login, real name, etc.) were not properly escaped in the user manager's edit form. This allowed an XSS attack on the superuser by registered users. Thanks to Filippo Cavallarin from www.segment.technology for discovering this bug.
* check permissions in ACL plugin's RPC API component. #1056Andreas Gohr2015-02-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Security Fix Severity: Medium Type: Remote Privilege Escalation Remote: yes Vulnerability Details: This fixes a security hole in the ACL plugin's remote API component. The plugin failed to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC API also had permissions to set up their own ACL rules and thus circumvent any existing rules. Risk Assessment: The XMLRPC API in DokuWiki is marked experimental and off by default. It also implements an additional safeguard by giving access to a configured circle of users and groups only. So only a minor number of DokuWiki installations will be affected at all. For affected installations the risk is high if users with access to the API are not to be trusted. Thus the overall severity of medium. Resolution: Installations applying this commit are safe. A hotfix is about to be released. Meanwhile users are advised to disable the XMLRPC API in the config manager.
* Merge branch 'master' into stableGuy Brand2014-10-08
|\
| * escaping backslash should be included in split itemsChristopher Smith2014-10-04
| |
| * Fix for issues 877 & 885 related to a bug in PCRE 6.6Christopher Smith2014-10-03
| |
* | Merge branch 'master' into stableAndreas Gohr2014-09-29
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * master: (214 commits) release preparations postgresql auth plugin: correct function name parse AT parameter: first strtotime then timestamp remove config option move more strings to lang.php move strings to lang.php add placeholders for create page text phpdocs parserutils improve some scrutinizer issues visibility plugin methods use config cascade for loading of localizations reformatting config cascade add lang files to cascading work around missing gzopen on certain systems #865 translation update fix scrutinizer issues fixed typos in docblock comments do not allow empty passwords clean user credentials from control chars added filter method to INPUT class translation update ...
| * Merge pull request #624 from lisps/revisionsAndreas Gohr2014-09-29
| |\ | | | | | | date_at support
| | * parse AT parameter: first strtotime then timestamplisps2014-09-29
| | | | | | | | | | | | remove config option
| | * Merge remote-tracking branch master into revisionslisps2014-09-26
| | |\
| | * | fix config optionlisps2014-03-19
| | | |
| | * | Merge remote-tracking branch 'remotes/origin/master' into revisions_locallisps2014-03-19
| | |\ \
| | * \ \ Merge remote-tracking branch 'origin/diff_navigation' into revisionslisps2014-02-17
| | |\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: inc/parser/xhtml.php
| | * \ \ \ Merge remote-tracking branch 'remotes/splitbrain/diff_navigation' into revisionslisps2013-11-22
| | |\ \ \ \
| | * | | | | remove property rev from xhtml.phplisps2013-11-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | changed variable name $create_time to $modified_time
| | * | | | | add parameter at($DATE_AT) and mind revisionslisps2013-11-21
| | | | | | |
| * | | | | | postgresql auth plugin: correct function nameChristopher Smith2014-09-29
| | | | | | |
| * | | | | | Merge pull request #828 from ssahara/extension-make_infoAndreas Gohr2014-09-27
| |\ \ \ \ \ \ | | |_|_|_|_|/ | |/| | | | | Last Update Date info of extension fix
| | * | | | | Last Update Date info of extension fixSatoshi Sahara2014-08-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This request makes "Your last update" of the extension info shown when clicking more info triangle mark. The first installed date of the extension may not be necessary for local site admin work.
| * | | | | | Merge remote-tracking branch 'origin/auth_getUserData_improvements'Andreas Gohr2014-09-26
| |\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * origin/auth_getUserData_improvements: KISS - remove class constants for REQUIRE_GROUPS & IGNORE_GROUPS and replace with boolean values use $requireGroups constants in auth classes; comments; code improvements fix comment errors, sp. & grammar code styling - add missing braces Allow user info to be retrieved without groups Restore correct public interface of getUserData() for authldap plugin Conflicts: inc/common.php
| | * | | | | | KISS - remove class constants for REQUIRE_GROUPS & IGNORE_GROUPS and replace ↵Christopher Smith2014-05-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | with boolean values
| | * | | | | | use $requireGroups constants in auth classes; comments; code improvementsChristopher Smith2014-03-14
| | | | | | | |
| | * | | | | | fix comment errors, sp. & grammarChristopher Smith2014-03-12
| | | | | | | |
| | * | | | | | code styling - add missing bracesChristopher Smith2014-03-12
| | | | | | | |
| | * | | | | | Allow user info to be retrieved without groupsChristopher Smith2014-03-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some parts of dokuwiki (e.g. recent changes, old revisions) can request lots of user info (to provide editor names) without requiring any group information. This change also implements caching of user info by authmysql & authpgsql plugins to avoid repeated querying of the DB to retrieve the same user information.
| | * | | | | | Restore correct public interface of getUserData() for authldapChristopher Smith2014-03-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | plugin The outer/public getUserData() implemented as a wrapper for the previous fn which is now protected.
| * | | | | | | translation updateMohamed Belhsine2014-09-22
| | | | | | | |
| * | | | | | | translation updateJaroslav Lichtblau2014-09-20
| | | | | | | |
| * | | | | | | translation updateDavor Turkalj2014-09-19
| | | | | | | |
| * | | | | | | translation updateSchplurtz le Déboulonné2014-09-17
| | | | | | | |
| * | | | | | | Merge pull request #857 from dokuwiki-translate/lang_update_20Andreas Gohr2014-09-15
| |\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | Translation update (zh-tw)
| | * | | | | | | translation updateJune-Hao Hou2014-09-13
| | | | | | | | |
| * | | | | | | | translation updateViktor Zavadil2014-09-15
| |/ / / / / / /
| * | | | | | | translation updateDavor Turkalj2014-09-10
| | | | | | | |
| * | | | | | | Merge pull request #851 from dokuwiki-translate/lang_update_12Andreas Gohr2014-09-10
| |\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | Translation update (hr)
| | * | | | | | | translation updateDavor Turkalj2014-09-08
| | | | | | | | |
| * | | | | | | | translation updateMohamad Mehdi Habibi2014-09-10
| |/ / / / / / /
| * | | | | | | translation updatepokesakura2014-08-28
| | | | | | | |
| * | | | | | | translation updateFelipe Castro2014-08-27
| | | | | | | |
| * | | | | | | translation updateHamid2014-08-18
| | | | | | | |
| * | | | | | | translation updateFabio2014-08-09
| | | | | | | |
| * | | | | | | Merge pull request #831 from dokuwiki-translate/lang_update_127Andreas Gohr2014-08-07
| |\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | Translation update (ru)
| | * | | | | | | translation updateIgor Degraf2014-08-07
| | | |/ / / / / | | |/| | | | |
| * / | | | | | translation updateIgor Degraf2014-08-07
| |/ / / / / /
| * | | | | | updated dates in info.txt of various plugins and templateAnika Henke2014-08-02
| | | | | | |
| * | | | | | translation updateStan2014-08-02
| | | | | | |
| * | | | | | translation updateDominik Mahr2014-08-01
| | | | | | |
| * | | | | | fix mediamanager messages. closes #792Andreas Gohr2014-07-30
| | | | | | |
| * | | | | | Merge pull request #788 from splitbrain/jqueryAndreas Gohr2014-07-30
| |\ \ \ \ \ \ | | | | | | | | | | | | | | | | update jquery and jquery-ui
| | * | | | | | upgrade to jQuery 1.11.1 and jQuery-UI 1.11.0. #778Andreas Gohr2014-07-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This now pulls all data from official jQuery sources. Either their CDN or their github account. Google tends to serve outdated or even broken files :-( Unfortunately there's no simple way to get the latest stable jQuery-UI so for now the version has to be adjusted manually in the script.
| * | | | | | | translation updateDavor Turkalj2014-07-17
| | | | | | | |