check permissions in ACL plugin's RPC API component. #1056

Security Fix

Severity: Medium
Type: Remote Priviledge Escalation
Remote: yes

Vulnerability Details:

This fixes a security hole in

check permissions in ACL plugin's RPC API component. #1056

Security Fix

Severity: Medium
Type: Remote Priviledge Escalation
Remote: yes

Vulnerability Details:

This fixes a security hole in the ACL plugins remote API component. The
plugin failed to check for superuser permissions before executing ACL
addition or deletion. This means everybody with permissions to call the
XMLRPC API also had permissions to set up their own ACL rules and thus
circumventing any existing rules.

Risk Assessment:

The XMLRPC API in DokuWiki is marked experimental and off by default. It
also implements an additional safeguard by giving access to a configured
circle of users and groups only. So only a minor number of DokuWiki
installations will be affected at all.
For affected installations the risk is high if users with access to the
API are not to be trusted.
Thus the overall severity of medium.

Resolution:

Installations applying this commit are safe. A hotfix is about to be
released. Meanwhile users are advised to disable the XMLRPC API in the
config manager.

show more ...

Fixing bugs found by scrutinizer

Adding listAcls to the XMLRPC API as suggested in Issue #1054

simple fix for pageID clash with sidebar in mobile view

Since the pageid is no longer positioned absolute it clashed with the
sidebar since #1027. this introduces a very simplisitc fix.

fixed the margin for the sidebar

add bottom margin to tables in print. fixes #1052

translation update

Added icon for interwiki.conf

Support for the URI scheme tel: #643

translation update

avoid messages pushing down page tools. fixes #1011

This moves the message area into content div. The pageid is now aligned
by floating instead of absolute positioning.

fix referral settings in AuthLDAP. closes #1023

fixed method signature #1024

Add ob_flush() to sendGIF

I'm running this dokuwiki docker container: https://registry.hub.docker.com/u/mprasil/dokuwiki/

It uses lighttpd and fastcgi. For some reason, the ignore_user_abort() fe

Add ob_flush() to sendGIF

I'm running this dokuwiki docker container: https://registry.hub.docker.com/u/mprasil/dokuwiki/

It uses lighttpd and fastcgi. For some reason, the ignore_user_abort() feature where the browser should close the connection after the GIF has been received is not working on lighty. The browser keeps loading the page until the indexer run is complete, which leads to extremely slow load times with a larger page index.

Adding ob_flush() to sendGIF fixes the issue.

show more ...

translation update

translation update

fixed wrong config check in extension manager #1006

Losslessly reduced PNG images with optipng -o7 -strip all, advdef -z4 -i60, and advpng -z4 -i60.

Update css.php

1 little fix

Scrutinizer Auto-Fixes

This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com

translation update

Scrutinizer Auto-Fixes

This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com

fixed search'and'replace fuckup in config plugin

Remove error supression for file_exists()

In an older version of PHP a file_exists() call would issue a warning
when the file did not exist. This was fixed in later PHP releases. Since
we require PH

Remove error supression for file_exists()

In an older version of PHP a file_exists() call would issue a warning
when the file did not exist. This was fixed in later PHP releases. Since
we require PHP 5.3 now, there's no need to supress any error here
anymore. This might even give a minor performance boost.

show more ...

translation update

translation update