package IkiWiki;
-my $svn_log_infoline=qr/^r(\d+)\s+\|\s+([^\s]+)\s+\|\s+(\d+-\d+-\d+\s+\d+:\d+:\d+\s+[-+]?\d+).*/;
my $svn_webcommit=qr/^web commit by (\w+):?(.*)/;
sub svn_info ($$) { #{{{
my $num=shift;
my @ret;
+ return unless -d "$config{srcdir}/.svn";
+
eval q{use CGI 'escapeHTML'};
eval q{use Date::Parse};
eval q{use Time::Duration};
+ eval q{use XML::Simple};
- if (-d "$config{srcdir}/.svn") {
- my $svn_url=svn_info("URL", $config{srcdir});
+ my $svn_url=svn_info("URL", $config{srcdir});
+ my $xml = XMLin(scalar `svn --xml -v log '$svn_url'`,
+ ForceArray => [ 'logentry', 'path' ],
+ GroupTags => { paths => 'path' },
+ KeyAttr => { path => 'content' },
+ );
+ foreach my $logentry (@{$xml->{logentry}}) {
+ my (@pages, @message);
+
+ my $rev = $logentry->{revision};
+ my $user = $logentry->{author};
+
+ my $date = $logentry->{date};
+ $date =~ s/T/ /;
+ $date =~ s/\.\d+Z$//;
+ my $when=concise(ago(time - str2time($date, 'UTC')));
+
+ foreach my $msgline (split(/\n/, $logentry->{msg})) {
+ push @message, { line => escapeHTML($msgline) };
+ }
- my $div=qr/^--------------------+$/;
- my $state='start';
- my ($rev, $user, $when, @pages, @message);
- foreach (`LANG=C svn log -v '$svn_url'`) {
- chomp;
- if ($state eq 'start' && /$div/) {
- $state='header';
- }
- elsif ($state eq 'header' && /$svn_log_infoline/) {
- $rev=$1;
- $user=$2;
- $when=concise(ago(time - str2time($3)));
- }
- elsif ($state eq 'header' && /^\s+[A-Z]+\s+\/\Q$config{svnpath}\E\/([^ ]+)(?:$|\s)/) {
- my $file=$1;
- my $diffurl=$config{diffurl};
- $diffurl=~s/\[\[file\]\]/$file/g;
- $diffurl=~s/\[\[r1\]\]/$rev - 1/eg;
- $diffurl=~s/\[\[r2\]\]/$rev/g;
- push @pages, {
- link => htmllink("", "", pagename($file), 1),
- diffurl => $diffurl,
- } if length $file;
- }
- elsif ($state eq 'header' && /^$/) {
- $state='body';
- }
- elsif ($state eq 'body' && /$div/) {
- my $committype="web";
- if (defined $message[0] &&
- $message[0]->{line}=~/$svn_webcommit/) {
- $user="$1";
- $message[0]->{line}=$2;
- }
- else {
- $committype="svn";
- }
-
- push @ret, { rev => $rev,
- user => htmllink("", "", $user, 1),
- committype => $committype,
- when => $when, message => [@message],
- pages => [@pages],
- } if @pages;
- return @ret if @ret >= $num;
-
- $state='header';
- $rev=$user=$when=undef;
- @pages=@message=();
- }
- elsif ($state eq 'body') {
- push @message, {line => escapeHTML($_)},
- }
+ my $committype="web";
+ if (defined $message[0] &&
+ $message[0]->{line}=~/$svn_webcommit/) {
+ $user="$1";
+ $message[0]->{line}=$2;
+ }
+ else {
+ $committype="svn";
}
+
+ foreach (keys %{$logentry->{paths}}) {
+ next unless /^\/\Q$config{svnpath}\E\/([^ ]+)(?:$|\s)/;
+ my $file=$1;
+ my $diffurl=$config{diffurl};
+ $diffurl=~s/\[\[file\]\]/$file/g;
+ $diffurl=~s/\[\[r1\]\]/$rev - 1/eg;
+ $diffurl=~s/\[\[r2\]\]/$rev/g;
+ push @pages, {
+ link => htmllink("", "", pagename($file), 1),
+ diffurl => $diffurl,
+ } if length $file;
+ }
+ push @ret, { rev => $rev,
+ user => htmllink("", "", $user, 1),
+ committype => $committype,
+ when => $when,
+ message => [@message],
+ pages => [@pages],
+ } if @pages;
+ return @ret if @ret >= $num;
}
return @ret;
sub rcs_getctime ($) { #{{{
my $file=shift;
eval q{use Date::Parse};
+
+ my $svn_log_infoline=qr/^r\d+\s+\|\s+[^\s]+\s+\|\s+(\d+-\d+-\d+\s+\d+:\d+:\d+\s+[-+]?\d+).*/;
my $child = open(SVNLOG, "-|");
if (! $child) {
my $date;
while (<SVNLOG>) {
if (/$svn_log_infoline/) {
- $date=$3;
+ $date=$1;
}
}
close SVNLOG || warn "svn log $file exited $?";
Package: ikiwiki
Architecture: all
-Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libhtml-scrubber-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler, libc6-dev | libc-dev
+Depends: ${perl:Depends}, libxml-simple-perl, markdown, libtimedate-perl, libhtml-template-perl, libhtml-scrubber-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler, libc6-dev | libc-dev
Recommends: subversion | git-core, hyperestraier
Suggests: viewcvs, librpc-xml-perl
Description: a wiki compiler
_(The list of things to fix.)_
-## svn commit logs
+## commit spoofing
-Anyone with svn commit access can forge "web commit from foo" and make it
-appear on [[RecentChanges]] like foo committed. One way to avoid this would
-be to limit web commits to those done by a certian user.
+Anyone with direct commit access can forge "web commit from foo" and
+make it appear on [[RecentChanges]] like foo committed. One way to avoid
+this would be to limit web commits to those done by a certian user.
-It's actually possible to force a whole series of svn commits to appear to
-have come just before yours, by forging svn log output. This could be
-guarded against by using svn log --xml.
+## other stuff to look at
-ikiwiki escapes any html in svn commit logs to prevent other mischief.
+I need to audit the git backend a bit, and have been meaning to
+see if any CRLF injection type things can be done.
----
ikiwiki supports protecting users from their own broken browsers via the
[[plugins/htmlscrubber]] plugin, which is enabled by default.
+
+## svn commit logs
+
+It's was possible to force a whole series of svn commits to appear to
+have come just before yours, by forging svn log output. This was
+guarded against by using svn log --xml.
+
+ikiwiki escapes any html in svn commit logs to prevent other mischief.
projects / ikiwiki.git / commitdiff