en Copyright 2025 Java http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#75aef198cdc7307a75ab63c9403e704e2194959a Merge pull request #4633 from dokuwiki/issue-1690fix(mail): keep '&' intact in mailto links with multiple query params List of files: /dokuwiki/inc/auth.php Thu, 04 Jun 2026 17:29:59 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#7e687fd85a40bd8453b39b64bae8e989ab32fd36 fix(auth): scope media ACL checks to the namespaceMedia files have no per-file ACLs; permissions must be evaluated againstthe namespace they live in. Several call sites passed the raw media IDto auth_quickaclcheck(), so a page-intended exact-ID rule (e.g. onwiki:secret.png) could silently apply to a media file sharing that ID.Introduce mediaAclPath() that builds the correct namespace wildcardpath (handling root-namespace media) and route all media-related ACLchecks through it. Also normalize the lone `:X` sentinel variant infetch.functions.php to the standard `:*` form.fixes: #4647 List of files: /dokuwiki/inc/auth.php Fri, 29 May 2026 09:17:21 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#73dc0a8919857718a3b64a4c0741b57580a34b2a fix(mail): keep '&' intact in mailto links with multiple query paramsMove the email-handling helpers (obfuscate, mail_isvalid,mail_quotedprintable_encode, mail_setup) out of the proceduralinc/mail.php into a namespaced dokuwiki\MailUtils class plus a newMailer::configInit(), and add a separate MailUtils::obfuscateUrl() forthe mailto-href context.The xhtml renderer and PluginTrait now build the link label and thehref separately: the address half is run through the mailguardobfuscation, the query string is preserved verbatim with only HTMLescaping applied. This fixes #1690 — in 'visible' mode the previouscode rawurlencoded the entire address+query, turning '?' into '%3F' andbreaking multi-parameter mailto links; in all modes the query string isno longer mangled by the [at]/[dot] substitution.Core call sites (Mailer, auth, LegacyApiCore, common, the xhtmlrenderer, the parser, the bundled config/styling/usermanager plugins)are migrated to MailUtils directly. The old top-level functions andPREG_PATTERN_VALID_EMAIL constant remain as deprecated shims withrector mappings.Tests for obfuscate / mail_isvalid / mail_quotedprintable_encode areconsolidated into a single _test/tests/MailUtilsTest.php and extendedwith regression coverage for the multi-parameter, double-escape andURL-shape cases.Closes #1690Replaces #1964 List of files: /dokuwiki/inc/auth.php Wed, 06 May 2026 21:21:37 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#e4b0c5a094bccfa42244b569e89fc3e5d07eedb3 strict value comparison in auth session check. fixes #4602 List of files: /dokuwiki/inc/auth.php Sun, 22 Mar 2026 18:11:50 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#093fe67e98c0cdb4b73fd46938e49b64971483c2 updated rector and applied it List of files: /dokuwiki/inc/auth.php Sat, 07 Mar 2026 20:26:13 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#42042e3eaeaec2b7061680f97789b1d293cc7591 Merge pull request #4591 from eduardomozart/patch-11fix: Update session validation checks in auth.php List of files: /dokuwiki/inc/auth.php Sat, 07 Mar 2026 12:11:11 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#9d1b64723676aa055991830d88f232fec75d8798 Update session validation checks in auth.phpRefactor session validation to check for user and pass existence. List of files: /dokuwiki/inc/auth.php Fri, 06 Mar 2026 12:39:07 +0000 Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#9cdd189d9aad1d3be0376522f25dedab2b627baa make JWT available in sessionWhen a token authentication was successful, the token is now added tothe user session. This allows other plugins (like twofactor) make use ofit. List of files: /dokuwiki/inc/auth.php Wed, 25 Feb 2026 09:34:14 +0000 Andreas Gohr <gohr@cosmocode.de> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#9399c87e10527bd9270ac34f45432bcff3a2b473 �� Rector and PHPCS fixes List of files: /dokuwiki/inc/auth.php Wed, 03 Dec 2025 09:04:24 +0000 splitbrain <86426+splitbrain@users.noreply.github.com> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#bc6b17592ae16a7462ffd2cfbbfa0f9d2b8ff6ef correctly check for session auth data. fixes #4547 List of files: /dokuwiki/inc/auth.php Wed, 29 Oct 2025 18:46:32 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#4ca97743e1b5c620a79c9098fe6e080192cbfc1c Merge pull request #4466 from dokuwiki/trustedproxiesRemove remaining uses of old proxy settings List of files: /dokuwiki/inc/auth.php Tue, 12 Aug 2025 07:43:48 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#f7f6f5fc567ba989fd9d4ec98fbe69e074010077 �� Rector and PHPCS fixes List of files: /dokuwiki/inc/auth.php Sat, 02 Aug 2025 14:07:58 +0000 splitbrain <86426+splitbrain@users.noreply.github.com> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#e37d2b418f454167d95eb82ad44cb8d6c1277f9b add random delay on login #4491This is meant to mitigate timing attacks on the login mechanism. List of files: /dokuwiki/inc/auth.php Wed, 30 Jul 2025 07:08:29 +0000 Andreas Gohr <gohr@cosmocode.de> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#33cb4e0125bb3ea66842b52c5d02739268775800 Make is_ssl and baseurl use proper proxy checksThis should not only address #4455 but also ensures that the relatedheaders are only used when they come from a trusted reverse proxy chain. List of files: /dokuwiki/inc/auth.php Tue, 03 Jun 2025 12:22:14 +0000 Andreas Gohr <gohr@cosmocode.de> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#0a302752e755cf33d4d0dea11f5f447a87ec2996 treat getallheaders more suspiciously. fixes #4415 List of files: /dokuwiki/inc/auth.php Wed, 12 Mar 2025 11:40:31 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#b21b7935c54bce6b6a1c8ab8c8fa74218871b916 mv UNUSABLE_PASSWORD const to defines List of files: /dokuwiki/inc/auth.php Tue, 07 Jan 2025 14:33:44 +0000 Tobias Bengfort <tobias.bengfort@posteo.de> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#0ffe9fda98b8e7088190efc9dc669b6722ede464 add new behavior to doc block List of files: /dokuwiki/inc/auth.php Tue, 07 Jan 2025 14:31:08 +0000 Tobias Bengfort <tobias.bengfort@posteo.de> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#527ad715b3b74fada32ec52d7db096c5f65d57e5 allow to set unusable passwordThis could be used by plugins such as dokuwiki-plugin-oauth to createaccounts that can only by accessed via SSO. List of files: /dokuwiki/inc/auth.php Tue, 07 Jan 2025 11:16:10 +0000 Tobias Bengfort <tobias.bengfort@posteo.de> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#8407f251434f578d07231a3f252ce6276d9e0b05 �� Rector and PHPCS fixes List of files: /dokuwiki/inc/auth.php Mon, 02 Dec 2024 13:22:00 +0000 splitbrain <86426+splitbrain@users.noreply.github.com> http://127.0.0.1:8080/history/dokuwiki/inc/auth.php#b9cda918faccf704038ebb05823e6e2e9afc5507 unset empty REMOTE_USER. fixes #4348An empty remote user should not be set at all. Seems like somewebservers always set the environment var, even if no authenticationhappened. I'd argue that this is wrong, but this should fix thebehaviour. List of files: /dokuwiki/inc/auth.php Wed, 27 Nov 2024 09:22:36 +0000 Andreas Gohr <andi@splitbrain.org>