History log of /dokuwiki/inc/auth.php (Results 1 – 25 of 334)
Revision Date Author Comments
# 75aef198 04-Jun-2026 Andreas Gohr <andi@splitbrain.org>

Merge pull request #4633 from dokuwiki/issue-1690

fix(mail): keep '&' intact in mailto links with multiple query params


# 7e687fd8 29-May-2026 Andreas Gohr <andi@splitbrain.org>

fix(auth): scope media ACL checks to the namespace

Media files have no per-file ACLs; permissions must be evaluated against
the namespace they live in. Several call sites passed the raw media ID
to auth_quickaclcheck(), so a page-intended exact-ID rule (e.g. on
wiki:secret.png) could silently apply to a media file sharing that ID.

Introduce mediaAclPath() that builds the correct namespace wildcard
path (handling root-namespace media) and route all media-related ACL
checks through it. Also normalize the lone `:X` sentinel variant in
fetch.functions.php to the standard `:*` form.

fixes: #4647



# 73dc0a89 06-May-2026 Andreas Gohr <andi@splitbrain.org>

fix(mail): keep '&' intact in mailto links with multiple query params

Move the email-handling helpers (obfuscate, mail_isvalid,
mail_quotedprintable_encode, mail_setup) out of the procedural
inc/mail.php into a namespaced dokuwiki\MailUtils class plus a new
Mailer::configInit(), and add a separate MailUtils::obfuscateUrl() for
the mailto-href context.

The xhtml renderer and PluginTrait now build the link label and the
href separately: the address half is run through the mailguard
obfuscation, the query string is preserved verbatim with only HTML
escaping applied. This fixes #1690 — in 'visible' mode the previous
code rawurlencoded the entire address+query, turning '?' into '%3F' and
breaking multi-parameter mailto links; in all modes the query string is
no longer mangled by the [at]/[dot] substitution.

Core call sites (Mailer, auth, LegacyApiCore, common, the xhtml
renderer, the parser, the bundled config/styling/usermanager plugins)
are migrated to MailUtils directly. The old top-level functions and
PREG_PATTERN_VALID_EMAIL constant remain as deprecated shims with
rector mappings.

Tests for obfuscate / mail_isvalid / mail_quotedprintable_encode are
consolidated into a single _test/tests/MailUtilsTest.php and extended
with regression coverage for the multi-parameter, double-escape and
URL-shape cases.

Closes #1690
Replaces #1964



# e4b0c5a0 22-Mar-2026 Andreas Gohr <andi@splitbrain.org>

strict value comparison in auth session check. fixes #4602


# 093fe67e 07-Mar-2026 Andreas Gohr <andi@splitbrain.org>

updated rector and applied it


# 42042e3e 07-Mar-2026 Andreas Gohr <andi@splitbrain.org>

Merge pull request #4591 from eduardomozart/patch-11

fix: Update session validation checks in auth.php


# 9d1b6472 06-Mar-2026 Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com>

Update session validation checks in auth.php

Refactor session validation to check for user and pass existence.


# 9cdd189d 25-Feb-2026 Andreas Gohr <gohr@cosmocode.de>

make JWT available in session

When a token authentication was successful, the token is now added to
the user session. This allows other plugins (like twofactor) to make use of
it.


# 9399c87e 03-Dec-2025 splitbrain <86426+splitbrain@users.noreply.github.com>

Rector and PHPCS fixes


# bc6b1759 29-Oct-2025 Andreas Gohr <andi@splitbrain.org>

correctly check for session auth data. fixes #4547


# 4ca97743 12-Aug-2025 Andreas Gohr <andi@splitbrain.org>

Merge pull request #4466 from dokuwiki/trustedproxies

Remove remaining uses of old proxy settings


# f7f6f5fc 02-Aug-2025 splitbrain <86426+splitbrain@users.noreply.github.com>

Rector and PHPCS fixes


# e37d2b41 30-Jul-2025 Andreas Gohr <gohr@cosmocode.de>

add random delay on login #4491

This is meant to mitigate timing attacks on the login mechanism.


# 33cb4e01 03-Jun-2025 Andreas Gohr <gohr@cosmocode.de>

Make is_ssl and baseurl use proper proxy checks

This should not only address #4455 but also ensures that the related
headers are only used when they come from a trusted reverse proxy chain.


# 0a302752 12-Mar-2025 Andreas Gohr <andi@splitbrain.org>

treat getallheaders more suspiciously. fixes #4415


# b21b7935 07-Jan-2025 Tobias Bengfort <tobias.bengfort@posteo.de>

mv UNUSABLE_PASSWORD const to defines


# 0ffe9fda 07-Jan-2025 Tobias Bengfort <tobias.bengfort@posteo.de>

add new behavior to doc block


# 527ad715 07-Jan-2025 Tobias Bengfort <tobias.bengfort@posteo.de>

allow to set unusable password

This could be used by plugins such as dokuwiki-plugin-oauth to create
accounts that can only be accessed via SSO.


# 8407f251 02-Dec-2024 splitbrain <86426+splitbrain@users.noreply.github.com>

Rector and PHPCS fixes


# b9cda918 27-Nov-2024 Andreas Gohr <andi@splitbrain.org>

unset empty REMOTE_USER. fixes #4348

An empty remote user should not be set at all. Seems like some
webservers always set the environment var, even if no authentication
happened. I'd argue that this is wrong, but this should fix the
behaviour.



# 7ffd5bd2 01-Aug-2024 Andreas Gohr <andi@splitbrain.org>

alternative token header support

The Authorization header is not always passed on to PHP, depending on
the setup (See https://stackoverflow.com/q/34472303 for examples and
workarounds).

This patch adds support for an alternative X-DokuWiki-Token header that
can be used when using token authentication and the standard
Authorization header can not be used.



# 1cedacf2 09-Feb-2024 Andreas Gohr <andi@splitbrain.org>

gracefully handle decryption errors

This should fix #4198


# 47e9ed0e 12-Jan-2024 Andreas Gohr <andi@splitbrain.org>

adjust AES encryption to match phpseclib version2

See https://github.com/phpseclib/phpseclib/discussions/1974#discussioncomment-8107663


# 927933f5 29-Nov-2023 Andreas Gohr <andi@splitbrain.org>

upgrade to phpseclib 3

This replaces the dependabot PR #4114 and adjusts the usage of the
library.


# cf927d07 28-Nov-2023 splitbrain <splitbrain@users.noreply.github.com>

Rector and PHPCS fixes

