Merge branch 'client_ip_header'

* client_ip_header:
Clean up stale realip references after client_ip_header rename
remove realip option, add default in conf/dokuwiki.php
convert tests to data

Merge branch 'client_ip_header'

* client_ip_header:
Clean up stale realip references after client_ip_header rename
remove realip option, add default in conf/dokuwiki.php
convert tests to data provider
add comment to the real-ip test
add custom client_ip_header

show more ...

remove realip option, add default in conf/dokuwiki.php

feat: add diff to disableactions config option

Add 'diff' as a checkbox option in the disableactions configuration
setting, allowing admins to disable the diff action separately from
other actions l

feat: add diff to disableactions config option

Add 'diff' as a checkbox option in the disableactions configuration
setting, allowing admins to disable the diff action separately from
other actions like revisions or edit.

When diff is disabled, diff icon links in revision lists and recent
changes are hidden, and the "compare" submit button on page and media
revision pages is removed.

Fixes #4504

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

show more ...

add custom client_ip_header

rename trustedproxy option to trustedproxies

We use a new format (array instead of regex) and need a sure way to
recognize it. Zebra's approach would not have survived the editing via
config manager

rename trustedproxy option to trustedproxies

We use a new format (array instead of regex) and need a sure way to
recognize it. Zebra's approach would not have survived the editing via
config manager.
As a side effect this also introduces a new languange string, which is
good because the old one did no longer apply.

show more ...

automatically prune old logs

This adds a new configuration that allows to define how many logfiles
per facility should be kept. Old files are pruned daily via the task
runner.

code style: line breaks

Apply rector fixes to config plugin

add setting to define the samesite cookie policy

As mentioned in
https://github.com/dokuwiki/dokuwiki/pull/3994#pullrequestreview-1473052428
there might be occasions when users might want to change

add setting to define the samesite cookie policy

As mentioned in
https://github.com/dokuwiki/dokuwiki/pull/3994#pullrequestreview-1473052428
there might be occasions when users might want to change the policy to a
stricter one or the somewhat more lenient Lax implementation of current
browsers.

show more ...

Remove the htmlok and phpok embedding options

Both options have grave security implications and novice users seem to
ignore advice about them. In the last decades I never came across a wiki
that had

Remove the htmlok and phpok embedding options

Both options have grave security implications and novice users seem to
ignore advice about them. In the last decades I never came across a wiki
that had legitimate use of these options.

If someone needs the functionality, it can easily be added back using a
plugin. But I prefer to give users one less option to shoot themselves
in the foot.

Removal of the translations for the config strings can follow after this
has been merged.

show more ...

log warnings to error log

This introduces an error handler that will log warnings, including a
stack trace in the error log. This should help plugin and core authors with
identifying cases of uninit

log warnings to error log

This introduces an error handler that will log warnings, including a
stack trace in the error log. This should help plugin and core authors with
identifying cases of uninitilized variables in PHP8+ environments.

A feature flag (default off) will let users temporarily disable the
display of warnings in the frontend. This should allow the usage of not
yet upgraded plugins in many cases. In the future the flag can be
removed again.

show more ...

CORS on XMLRMPC API

This allows setting a CORS header to make the xmlrpc API accessible from
JavaScript clients directly in the browser.

Revert "Merge pull request #3039 from takuy/video-attributes"

This reverts commit 408d79f78505248f9ccb44bd2561cedc250ce5a1, reversing
changes made to b7c67f83bd81eff3186e4ebd2d9e86cd2c32468d.

Merge pull request #3039 from takuy/video-attributes

Add handling for video embed attributes

added logging configuration

Log facitlities can now be disabled. By default only debug is disabled.
It might make sense to by default disable deprecated as well?

Debug logging is now independend of

added logging configuration

Log facitlities can now be disabled. By default only debug is disabled.
It might make sense to by default disable deprecated as well?

Debug logging is now independend of the allowdebug method. allowdebug
was often used in two ways: for displaying errors directly to the user
and for logging to the debug log. Now it only controls the former.

show more ...

add options & defaults to config, no* counterparts

Add option rss_show_deleted

Add feature flag for deferred javascript

This adds a feature flag for the jQuery and main-js requests added in
#2786 and #2958. This adds only a single feature flag since deferring
jQuery without d

Add feature flag for deferred javascript

This adds a feature flag for the jQuery and main-js requests added in
#2786 and #2958. This adds only a single feature flag since deferring
jQuery without deferring the main javascript request is likely to cause
errors and confusion.

The feature flag defaults to "on" as this should be unproblematic except
for a few plugins. Also, with this flag being on by default, it should
see more usage and is more likely to uncover existing issues.

This feature flag should be removed once this feature is deemed safe.

show more ...

Fix one remaining line being too long for PSR-12

This slipped in with #2957 between the checks on #2945 being run and
that pull request being merged.

Added password change support for argon2i/argon2id, added matching config options and hash_X functions

clientIP: add trustedproxy, return first untrusted IP instead of the last one

This fixes #2828, where malicious clients passed in customized HTTP header to keep its IP address off records.

This is

clientIP: add trustedproxy, return first untrusted IP instead of the last one

This fixes #2828, where malicious clients passed in customized HTTP header to keep its IP address off records.

This is inspired by Sympony's Request::setTrustedProxies, but I don't want to implement everything including IP CIDR matching (IPv4 + IPv6), so I decided to reuse the local IP checker in place powered by regexp. Now admins can customize this "local" (trusted) proxy list using $conf['trustedproxy'], and by default it will allow any local IPs.

If in the future there is a need to implement array-based CIDR matching, $conf['trustedproxies'] can be used for the new config name.

show more ...

Merge branch 'master' into psr2

* master:
upgraded JSON class to latest (2006) version
continue is break in switch
translation update
reference existing proper progress gif. fixes #2441
Fi

Merge branch 'master' into psr2

* master:
upgraded JSON class to latest (2006) version
continue is break in switch
translation update
reference existing proper progress gif. fixes #2441
Fix missing ui-bg_glass_95_fef1ec_1x400.png and be/jquery.ui.datepicker.js for jquery
removed accidental merges of outdated translations
Change `const` use to `var` for Safari 9 (on iOS)
Fix .htaccess files for Apache 2.4 (and 2.2)
add logic if the server uses unlimited memory settings in is_mem_available()
removed safemode hack

show more ...

removed safemode hack

Safemode has been removed in PHP 5.4.0. We finally no longer need to
deal with this insanity.

clean settings data

start of refactoring the config plugin

split up all the files and added namespaces. everything broken