"Host key verification failed."
I think that the setuid isn't fully taking; it should be running as me,
but commit log shows www-data. So maybe it has the wrong username?
+* Can't put the source in a directory named .source; the page finder skips
+ that due to too broad exclusion of any dotfile in a path.
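Review bot: The new entry on the `.source` directory names the cause (the dotfile exclusion applies to any component of the path) but not the intended fix. Suggest stating that the exclusion should apply only to path components below the source directory, so that a source directory named `.source` works while dotfiles inside the checkout stay excluded.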
they could still fool ikiwiki using similar races. So it's best if only one
person can ever write to the checkout that ikiwiki compiles the moo from.
+## webserver symlink attacks
+
+If someone checks in a symlink to /etc/passwd, ikiwiki would publish that.
+To aoid this, ikiwiki will need to avoid reading files that are symlinks.
+TODO and note discussion of races above.
+
## cgi security
When ikiwiki runs as a cgi to edit a page, it is passed the name of the
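Review bot: In the new "webserver symlink attacks" section, "To aoid this" should read "To avoid this", and the mitigation only covers files that are themselves symlinks. Suggest saying whether a symlinked directory on the path to a page is refused as well, and replacing the bare TODO with a sentence on the check-then-read race it points at, since the paragraph just above already concludes that only one person should be able to write to the checkout.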
such as subversion dotfiles. This is done by sanitising the filename
removing unallowed characters, then making sure it doesn't start with "/"
or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where
-security holes breed.
+security holes breed. It needs a test suite at the very least.
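Review bot: The added sentence "It needs a test suite at the very least." does not say what the tests have to cover. Suggest listing the cases this paragraph already names as the minimum: a filename that starts with "/", one that contains "..", one that contains "/.svn/", and one with characters that are not allowed, each checked against the result after sanitising.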
* No support for web user tracking/login yet.
* Doesn't svn commit yet.
-## [[RecentChanges]]
+## recentchanges
-This will need to be another cgi script, that grubs through the
-[[Subversion]] logs.
-
-This should support RSS for notification of new and changed pages.
+Should support RSS for notification of new and changed pages.
## page history
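Review bot: Under the renamed `## recentchanges` heading, the replacement line "Should support RSS for notification of new and changed pages." has lost its subject, and the removed lines were the only statement of how the feature is built (a separate cgi script that reads the Subversion logs). If that design still holds, keep one line saying so; if it has changed, say what replaced it.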
print $q->header,
$q->start_html("Creating $page"),
$q->start_h1("<a href=\"$url\">$wikiname</a>/ Creating $page"),
+ $q->end_hi,
$q->start_form(-action => $action),
$q->hidden('do'),
"Select page location:",
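Review bot: `$q->end_hi` in the "Creating $page" form looks like a typo for `$q->end_h1`, the counterpart of the `$q->start_h1(...)` call on the line above it. In the same statement, `$page` is interpolated into the heading markup as-is, so it is worth confirming that it is HTML-escaped or already sanitised before it reaches this print.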
print $q->header,
$q->start_html("Editing $page"),
$q->h1("<a href=\"$url\">$wikiname</a>/ Editing $page"),
+ $q->end_hi,
$q->start_form(-action => $action),
$q->hidden('do'),
$q->hidden('page'),
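Review bot: `$q->end_hi` in the "Editing $page" form looks like a typo for `$q->end_h1`, and in this form no end tag is needed at all: the line above it uses `$q->h1(...)`, which already emits the complete heading element. Suggest dropping the added line here rather than correcting it.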