Ernesto Hernández-Novich wrote:
> Does not work if I set
>
> anonok => 0
> httpauth => 1

Ok, I've finally managed to reproduce your problem. And it is a cookie problem. Since httpauth avoids the need to log in, the login cookie is never set, so the session id varies every time. The recent security fix exposed this latent bug, which was fixed a long time ago in newer versions of ikiwiki.

It may take a while for the security team to get a fixed version; in the meantime, I've attached a patch.

-- 
see shy jo

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index 2fdd611..13432c5 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -305,7 +305,7 @@ sub cgi_prefs ($$) { #{{{ $q->delete_all; } elsif ($sid ne $session->id) { - error(gettext("Your login session has expired.")); + error("Your login session has expired."); } eval q{use CGI::FormBuilder}; @@ -417,7 +417,7 @@ sub cgi_editpage ($$) { #{{{ }); my $form = CGI::FormBuilder->new( fields => [EMAIL PROTECTED], - header => 1, + header => 0, charset => "utf-8", method => 'POST', validate => { @@ -600,6 +600,7 @@ sub cgi_editpage ($$) { #{{{ $form->title("editing ".pagetitle($page)); } + printheader($session); print $form->render(submit => [EMAIL PROTECTED]); } else { @@ -612,7 +613,7 @@ sub cgi_editpage ($$) { #{{{ if (defined $session->param("name")) { my $sid=$q->param('sid'); if (! defined $sid || $sid ne $session->id) { - error(gettext("Your login session has expired.")); + error("Your login session has expired."); } } @@ -657,6 +658,7 @@ sub cgi_editpage ($$) { #{{{ $form->field(name => "page", type => 'hidden'); $form->field(name => "type", type => 'hidden'); $form->title("editing $page"); + printheader($session); print $form->render(submit => [EMAIL PROTECTED]); return; } diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm index 5543733..9d7e9f7 100644 --- a/IkiWiki/Plugin/meta.pm +++ b/IkiWiki/Plugin/meta.pm @@ -90,7 +90,7 @@ sub preprocess (@) { #{{{ # editable page as a stylesheet my $stylesheet=bestlink($page, $value.".css"); if (! length $stylesheet) { - return "[[meta ".gettext("stylesheet not found")."]]"; + return "[[meta "."stylesheet not found"."]]"; } $meta{$page}.='<link href="'.$stylesheet. '" rel="'.encode_entities($rel). diff --git a/debian/changelog b/debian/changelog index 64c0c87..0f68f26 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,13 @@ +ikiwiki (1.33.6) stable-security; urgency=low + + * Some error messages in recent backported security fixes used gettext, + but this version of ikiwiki is not localised and display of those error + messages would fail. Remove the gettext use. + * Fix a problem with cookie setting when httpauth is used. Closes: #479658 + This bug was always present, but was only exposed by the CSRF fixes. + + -- Joey Hess <[EMAIL PROTECTED]> Fri, 30 May 2008 23:34:15 -0400 + ikiwiki (1.33.5) stable-security; urgency=high * Fix CSRF attacks against the preferences and edit forms. The fix involved
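Review bot: In cgi_editpage, switching the form to `header => 0` makes every `print $form->render(...)` responsible for its own HTTP header, and only the two render calls visible in these hunks gained `printheader($session);`. Please confirm that no other path in this function renders the form, since one that was missed would now send a body with no header at all. A short comment next to `header => 0` saying that the header is printed separately by printheader($session) would keep the two changes from drifting apart later.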
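Review bot: In the IkiWiki/Plugin/meta.pm hunk, removing gettext leaves `"[[meta "."stylesheet not found"."]]"`, which concatenates three literals for no reason. Write it as the single string `"[[meta stylesheet not found]]"` so the message is easy to find and read.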
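Review bot: The second bullet of the 1.33.6 changelog entry says a cookie-setting problem with httpauth was fixed but not what changed, and `Closes: #479658` sits in the middle of the item, before "This bug was always present". Suggest naming the change (the edit form no longer lets FormBuilder print the header and calls printheader($session) before rendering) and moving the Closes: tag to the end of the item.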
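A small model of the failure described in the message above, as an added example that is not part of the original post and is not ikiwiki code (ikiwiki is Perl). It shows why a form-embedded sid check rejects every save when the web server authenticates the user but the form response never carries the session cookie. `SessionStore`, `handle`, `edit_then_save` and the request fields are hypothetical names.

```python
import secrets


class SessionStore:
    """Server-side sessions keyed by id, resumed only via the cookie."""

    def __init__(self):
        self.sessions = {}

    def load(self, cookie_sid, user):
        # A known cookie resumes its session; anything else gets a new id.
        if cookie_sid in self.sessions:
            return cookie_sid
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"name": user}
        return sid


def handle(store, request, send_cookie):
    """One CGI request. remote_user comes from HTTP auth, so no login step."""
    sid = store.load(request.get("cookie"), request["remote_user"])
    if request["do"] == "save":
        # CSRF check: the sid posted with the form must match the session.
        form_sid = request.get("sid")
        if form_sid is None or form_sid != sid:
            return {"error": "Your login session has expired."}
    response = {"form_sid": sid}  # hidden field embedded in the form
    if send_cookie:
        response["set_cookie"] = sid  # header printed along with the form
    return response


def edit_then_save(send_cookie):
    """Constructed scenario: fetch the edit form, then post it back."""
    store = SessionStore()
    cookie = None
    form = handle(store, {"do": "edit", "remote_user": "alice",
                          "cookie": cookie}, send_cookie)
    cookie = form.get("set_cookie", cookie)
    result = handle(store, {"do": "save", "remote_user": "alice",
                            "cookie": cookie, "sid": form["form_sid"]},
                    send_cookie)
    return result.get("error", "saved")


if __name__ == "__main__":
    print("cookie never sent:", edit_then_save(False))
    print("cookie sent with form:", edit_then_save(True))
```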