en Copyright 2025 Java http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#5d8c9d422c83ef31e1acbe6e37664185196c3016 (security) Require a security token for the lock AJAX callThe lock AJAX call refreshes the edit lock and saves a draft, both ofwhich change server state. It was gated only by the write ACL and,unlike the sibling draft-delete call, did not verify a security token(low severity).A cross-site forged POST against a logged-in user could, within thatuser's own write permissions, take or hold an edit lock and storeattacker-controlled draft content under their name.The call now verifies the security token before taking the lock orsaving the draft. Logged out users are unaffected, as no token isissued or checked for them. The edit lock timer now always sends thetoken with its refresh request, including when draft saving isdisabled. List of files: /dokuwiki/inc/Ajax.php Sat, 06 Jun 2026 18:01:44 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#e8c9256af140fbe66c11ee76e814e1a226fd61af (security) Clean the media upload namespace in AJAX uploadThe namespace passed to the AJAX backend was not cleaned correctly,resulting in two separate issues.1. Theoretical Reflected XSS The raw namespace was reflected into the JSON response and injected into the mediamanager DOM. However since the media manager only passes cleaned namespaces to AJAX and the ajax backen only returns JSON, this issue was not exploitable.2. Cross-namespace ACL bypass (medium severity) The uncleaned namespace was directly used to check ACLs. In a wiki where a user has upload permission in a namespace above a namespace where they don't have permissions (eg. upload allowed in :user:*, but upload denied in :user:secret:*) they could pass an upper case namespace (eg :user:SECRET) - no ACL does exist for this upper case namespace and the acl of the namespace above applies (:user). When the file is written a cleanID is applied to the full filename, turning the uppercase namespace into lowercase. This can allow users to write into a namespace they normally should not be allowed to write to, but it does require upload permissions in a higher namespace. List of files: /dokuwiki/inc/Ajax.php Sat, 06 Jun 2026 15:21:28 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#8788dbbd585b42284320d64cc932f3c875eab6b2 �� Rector and PHPCS fixes List of files: /dokuwiki/inc/Ajax.php Wed, 06 May 2026 19:32:03 +0000 splitbrain <86426+splitbrain@users.noreply.github.com> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#e1272c0811878577a2d543205c32808742d4a5da SearchIndex: add backward compatibility wrappersAdd deprecated wrappers for idx_* and ft_* functions that were removedwhen inc/indexer.php and inc/fulltext.php were replaced by the newSearch classes. These wrappers delegate to the new architecture andensure existing plugins continue to work.Deprecated standalone functions: idx_get_indexer, idx_getIndex,idx_lookup, idx_listIndexLengths, idx_indexLengths, ft_pageSearch,ft_backlinks, ft_mediause, ft_pageLookup, ft_snippet, ft_pagesorter,ft_snippet_re_preprocess, ft_queryParser.Deprecated methods on Indexer: lookupKey, getPages, addMetaKeys,renameMetaValue, getPID, lookup.Also migrates remaining core callers (Ajax, FeedCreator, ApiCore) touse the new classes directly and fixes a UTF-8 case folding bug inMetadataSearch title lookups. List of files: /dokuwiki/inc/Ajax.php Tue, 07 Apr 2026 17:55:12 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#7f394dd683d14aba9f6131a7f9d011383c280834 Merge branch 'master' into searchIndex-finish* master: (55 commits) Translation update (pt-br) Bump phpseclib/phpseclib from 3.0.49 to 3.0.50 �� Update deleted files strict value comparison in auth session check. fixes #4602 Translation update (pt-br) Translation update (pt-br) remove utf8_encode() from authad plugin todo checker action: ignore vendor updated rector and applied it removed another php 7.4 workaround removed an old PHP 5 workaround in HTTPClient remove checks for mbstring.func_overload removed php 8 polyfills ignore HTML validation issue with skipped headline levels declare PrefCookie constant visibility update slika which fixes another php 8.5 deprecation issue fix http tests fix destructuring false returns from changelog functions avoid using null as cache key Fix deprecation warning in UTF8/Conversion ... List of files: /dokuwiki/inc/Ajax.php Sun, 05 Apr 2026 09:15:35 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#093fe67e98c0cdb4b73fd46938e49b64971483c2 updated rector and applied it List of files: /dokuwiki/inc/Ajax.php Sat, 07 Mar 2026 20:26:13 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#9df9f0c8d11cfaadf321a358ea52a8328f6661ad Merge branch 'master' into searchIndex-finishThere were a lot of conflicts to resolve. Not all of them may have beenresolved correctly...* master: (1094 commits) Login accessibility improvements Translation update (it) translation update translation update translation update translation update translation update translation update translation update translation update translation update translation update translation update translation update Remove HTML from strings based on title and tagline SECURITY: fix XSS vulnerability. fixes #4512 translation update Fix typos in usermanager English strings Replace hardcoded message by localized string set DOKU_INC in rector ... List of files: /dokuwiki/inc/Ajax.php Mon, 27 Oct 2025 13:09:16 +0000 Andreas Gohr <gohr@cosmocode.de> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#d4f83172d9533c4d84f450fe22ef630816b21d75 code style: line breaks List of files: /dokuwiki/inc/Ajax.php Thu, 31 Aug 2023 20:44:40 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#26dfc2323f8f70cb69aac4c8c51bf7997809f2ca Rector to rename print to echo calls List of files: /dokuwiki/inc/Ajax.php Thu, 31 Aug 2023 20:00:27 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#177d6836e2f75d0e404be9c566e61725852a1e07 coding style: control flow whitespaces List of files: /dokuwiki/inc/Ajax.php Thu, 31 Aug 2023 12:22:35 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#dccd6b2bba7367e4d1d2d7aa84c9f9d15584b593 coding style: function call spacing List of files: /dokuwiki/inc/Ajax.php Wed, 30 Aug 2023 16:41:45 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#73022918a947abda7eee4d7d2302ffd28fdb78e0 coding style: PSR12.Classes.ClassInstantiation.MissingParentheses List of files: /dokuwiki/inc/Ajax.php Wed, 30 Aug 2023 16:25:29 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#d868eb89f182718a31113373a6272670bd7f8012 codestyle adjustments: function declaration braces/spaces List of files: /dokuwiki/inc/Ajax.php Wed, 30 Aug 2023 15:09:14 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#8c7c53b0321a3cd3116b8d3b2ad27863a38dece7 codestyle adjustments: class declaration braces List of files: /dokuwiki/inc/Ajax.php Wed, 30 Aug 2023 15:05:28 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#24870174d2ee45460ba6bcfe5f5a0ae94715efd7 Apply rector fixes to the rest of inc List of files: /dokuwiki/inc/Ajax.php Tue, 29 Aug 2023 17:42:15 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#2b9be4565f8205c2186c4b537e1fa49846bf2fe9 some more fixes for undefined varsThis makes more use of $INPUT to access $_SERVER and fixes a warning inone of the search methods. List of files: /dokuwiki/inc/Ajax.php Thu, 10 Nov 2022 10:52:58 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#10f66413cde56fe6c46d5e6d33b9baf54b23b06b Merge pull request #3499 from alexdraconian/masterLinkwiz update (#3498) List of files: /dokuwiki/inc/Ajax.php Thu, 12 May 2022 13:58:28 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#357931f3460dd8530c6dbd1400cfc15f5398d4eb Merge branch 'master' into revisionHandle3 List of files: /dokuwiki/inc/Ajax.php Tue, 28 Dec 2021 00:35:30 +0000 Gerrit Uitslag <klapinklapin@gmail.com> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#242015942326628da1d53d1303b4d2a900b747b8 fix security problems in draft handling. fixes #3565 List of files: /dokuwiki/inc/Ajax.php Fri, 17 Dec 2021 22:22:25 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/Ajax.php#fd260edfbe8956933a87faccd78fe15369809402 Update Ajax.php List of files: /dokuwiki/inc/Ajax.php Wed, 10 Nov 2021 11:14:17 +0000 alexdraconian <78018187+alexdraconian@users.noreply.github.com>