| #
19d5ba27 |
| 09-Jan-2025 |
Andreas Gohr <andi@splitbrain.org> |
rename trustedproxy option to trustedproxies
We use a new format (array instead of regex) and need a sure way to recognize it. Zebra's approach would not have survived the editing via config manager. As a side effect this also introduces a new language string, which is good because the old one did no longer apply.
|
| #
2aba9aed |
| 09-Jan-2025 |
Andreas Gohr <andi@splitbrain.org> |
Merge branch 'pr/3815' into clientIP
* pr/3815:
  Move IP functions into a class
  Factor out IP address functions; all proxies must be trusted
  Fix clientIP() returning the wrong address
|
| #
df9e4a18 |
| 22-Dec-2023 |
Andreas Gohr <andi@splitbrain.org> |
automatically prune old logs
This adds a new configuration that allows defining how many logfiles per facility should be kept. Old files are pruned daily via the task runner.
|
| #
486f82fc |
| 21-Aug-2023 |
Andreas Gohr <andi@splitbrain.org> |
add setting to define the samesite cookie policy
As mentioned in https://github.com/dokuwiki/dokuwiki/pull/3994#pullrequestreview-1473052428 there might be occasions when users might want to change the policy to a stricter one or the somewhat more lenient Lax implementation of current browsers.
|
| #
9612843e |
| 05-Dec-2022 |
Andrew Dawes <andrewsdawes@gmail.com> |
Fixed some typos
|
| #
c7f6b7b7 |
| 26-Oct-2022 |
Zebra North <mrzebra@mrzebra.co.uk> |
Move IP functions into a class
|
| #
bbe6b3a7 |
| 12-Oct-2022 |
Andreas Gohr <andi@splitbrain.org> |
Remove the htmlok and phpok embedding options
Both options have grave security implications and novice users seem to ignore advice about them. In the last decades I never came across a wiki that had legitimate use of these options.
If someone needs the functionality, it can easily be added back using a plugin. But I prefer to give users one less option to shoot themselves in the foot.
Removal of the translations for the config strings can follow after this has been merged.
|
| #
be6462f4 |
| 13-Aug-2022 |
Andreas Gohr <andi@splitbrain.org> |
log warnings to error log
This introduces an error handler that will log warnings, including a stack trace in the error log. This should help plugin and core authors with identifying cases of uninitialized variables in PHP8+ environments.
A feature flag (default off) will let users temporarily disable the display of warnings in the frontend. This should allow the usage of not yet upgraded plugins in many cases. In the future the flag can be removed again.
|
| #
3df364a3 |
| 25-Apr-2022 |
Timo Richter <timo.richter@richter-leiterplatten.de> |
CORS on XMLRPC API
This allows setting a CORS header to make the xmlrpc API accessible from JavaScript clients directly in the browser.
|
| #
d8ab8746 |
| 26-Dec-2021 |
Andreas Gohr <andi@splitbrain.org> |
Revert "Merge pull request #3039 from takuy/video-attributes"
This reverts commit 408d79f78505248f9ccb44bd2561cedc250ce5a1, reversing changes made to b7c67f83bd81eff3186e4ebd2d9e86cd2c32468d.
|
| #
408d79f7 |
| 20-Dec-2021 |
Andreas Gohr <andi@splitbrain.org> |
Merge pull request #3039 from takuy/video-attributes
Add handling for video embed attributes
|
| #
cad4fbf6 |
| 13-Aug-2020 |
Andreas Gohr <andi@splitbrain.org> |
added logging configuration
Log facilities can now be disabled. By default only debug is disabled. It might make sense to by default disable deprecated as well?
Debug logging is now independent of the allowdebug method. allowdebug was often used in two ways: for displaying errors directly to the user and for logging to the debug log. Now it only controls the former.
|
| #
4a572c5a |
| 06-Apr-2020 |
Sam <1631095+takuy@users.noreply.github.com> |
add options & defaults to config, no* counterparts
|
| #
7b299f22 |
| 21-Sep-2017 |
Aurélien Martin <01aurelien@gmail.com> |
Add option rss_show_deleted
|
| #
fc6b11d2 |
| 26-Jan-2020 |
Michael Große <mic.grosse@googlemail.com> |
Add feature flag for deferred javascript
This adds a feature flag for the jQuery and main-js requests added in #2786 and #2958. This adds only a single feature flag since deferring jQuery without deferring the main javascript request is likely to cause errors and confusion.
The feature flag defaults to "on" as this should be unproblematic except for a few plugins. Also, with this flag being on by default, it should see more usage and is more likely to uncover existing issues.
This feature flag should be removed once this feature is deemed safe.
|
| #
9ec1015a |
| 11-Dec-2019 |
Phy <git@phy25.com> |
change default of passcrypt to bcrypt #2936
|
| #
925105e8 |
| 21-Oct-2019 |
Phy <git@phy25.com> |
clientIP: add trustedproxy, return first untrusted IP instead of the last one
This fixes #2828, where malicious clients passed in customized HTTP header to keep its IP address off records.
This is inspired by Symfony's Request::setTrustedProxies, but I don't want to implement everything including IP CIDR matching (IPv4 + IPv6), so I decided to reuse the local IP checker in place powered by regexp. Now admins can customize this "local" (trusted) proxy list using $conf['trustedproxy'], and by default it will allow any local IPs.
If in the future there is a need to implement array-based CIDR matching, $conf['trustedproxies'] can be used for the new config name.
|
| #
aa8728f8 |
| 12-Sep-2019 |
StarArmy <stararmy@gmail.com> |
add UGC hint
|
| #
160b2db8 |
| 02-Jan-2019 |
Elan Ruusamäe <glen@pld-linux.org> |
conf: remoteuser doc improvement
|
| #
fe227084 |
| 07-Jun-2018 |
Andreas Gohr <gohr@cosmocode.de> |
removed safemode hack
Safemode has been removed in PHP 5.4.0. We finally no longer need to deal with this insanity.
|
| #
13ce475d |
| 11-Apr-2018 |
Andreas Gohr <gohr@cosmocode.de> |
shortened new search configs
shorter names are more in line with what we already use, makes less layout problems in the documentation and is easier to type when telling people about it.
|
| #
d09b5b64 |
| 22-Mar-2018 |
Michael Große <grosse@cosmocode.de> |
feat(search): add config options to adjust default behavior
This adds two new config options:
`search_limit_to_first_ns`: Limit the search to the current X namespaces. When a search is executed from a page within a deeper namespace, the first X namespaces will be added as filter. Possible use case could be with language namespaces to ensure that the default search is initially within the current language.
`search_default_fragment_behaviour`: Option to specify the default fragment search behavior
|
| #
5f43dcf4 |
| 28-Oct-2017 |
Lukas Rademacher <lukas@rademacher.ac> |
Support for configurable e-mail return path
|
| #
61537d47 |
| 26-Nov-2016 |
Andreas Gohr <andi@splitbrain.org> |
split off jquery from other JS and add CDN option #1766
jQuery (and UI and Migrate) are now loaded separately from the rest of the JavaScript. This adds at least one HTTP request more but has some advantages:
* browsers can cache it independently
* the cache is only invalidated when versions update
* we do not apply any transformations (replacements, minimizing, etc) on this code anymore which makes our dispatcher faster for the other JS
* browsers seem to load (not execute) both (jquery and other) parallel, which might increase download speed a bit
This split allowed for the introduction of a new config: jquerycdn. When enabled the 3 jquery files are loaded from jQuery's CDN. This adds another two HTTP requests but:
* since it's another host those files do not apply to the 4 request per host limit and can be loaded (not executed) in parallel which might increase download speeds a bit
* the CDN is distributed worldwide which means files are requested from the closest location, increasing the download speeds
* since these files/CDN are very popular, chances are high that people already have them cached in their browsers, reducing the download time to 0 and effectively halving the javascript needed to download
The option currently defaults to 'off', but I would argue 'on' would be the better default.
|
| #
7a964318 |
| 18-Apr-2016 |
Andreas Gohr <andi@splitbrain.org> |
inline small images into the CSS by default
Since we no longer support old IE 8 and below we can enable data uris by default now. The picked size here is open for discussion.
A typical HTTP header for a static image resource is about 200 to 250 bytes at dokuwiki.org. I picked twice of that as the cutoff for inlining images.
|