Andreas Gohr | 1 Oct 04:00

darcs changes 2007-10-01


Good Morning!

These are the darcs changes for DokuWiki committed
yesterday. Please test them and report bugs.

---------------------------------------------------------------------
Mon Oct  1 01:00:01 CEST 2007  Andreas Gohr <andi[at]splitbrain.org>
  tagged develsnap 2007-10-01

Sun Sep 30 23:49:58 CEST 2007  Andreas Gohr <andi[at]splitbrain.org>
  * fullpath fix for Windows

Sun Sep 30 22:11:33 CEST 2007  Andreas Gohr <andi[at]splitbrain.org>
  * don't use fullpath() before initialized

Sun Sep 30 20:42:50 CEST 2007  Andreas Gohr <andi[at]splitbrain.org>
  * don't use realpath() anymore (FS#1261 and others)

  The use of realpath() to clean up relative file names caused some
  trouble in certain setups relying on symlinks or having restrictive
  file structure setups.

  This patch replaces all realpath() calls with a PHP only replacement
  which should solve those problems.
---------------------------------------------------------------------

Single patches can be downloaded from
http://dev.splitbrain.org/darcs/index.cgi/dokuwiki/?c=patches


samuele | 1 Oct 07:32

Re: Security Token problem.

Last darcs pull was before writing to the ml and that dokuwiki is
regularly updated in this way.
Today I'll try to investigate the problem more deeply.

Cheers,
Samuele

Chris Smith wrote:
> Samuele Tognini wrote:
>> Hi,
>> I have a problem with remote login on a dokuwiki development release (darcs
>> retrieved).
>> I can't get the login form and the "Security Token did not match.
>> Possible CSRF attack." message is shown.
>> I've tried to restart the server and to clean the client and server cookie
>> session but it does not solve it.
>> Any idea?
>>
>> Regards,
>> Samuele
>>   
> Hi,
> 
> When did you last update?
> 
> I believe that problem was fixed earlier this month.
> 
> Cheers,
> 
> Chris

Andreas Gohr | 1 Oct 09:12

Re: Security Token problem.

Samuele Tognini writes:

> Hi,
> I have a problem with remote login on a dokuwiki development release (darcs
> retrieved).

Can you specify what "remote login" means? Are you trying to log in from a 
form outside DokuWiki?

Andi
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist

Tognini Samuele | 1 Oct 09:56

Re: Security Token problem.

Andreas Gohr wrote:
> Samuele Tognini writes:
>
>> Hi,
>> I have a problem with remote login on a dokuwiki development release (darcs
>> retrieved).
>
> Can you specify what "remote login" means? Are you trying to log in 
> from a form outside DokuWiki?
>
> Andi
No, I mean logging in to dokuwiki from a PC that is not the web server.
That dokuwiki is a private installation on my office PC, so I usually 
log in directly from it.
Last week I was out of the office and my attempts to log in from my home 
PC were unsuccessful.
I was almost sure that I worked as admin (from "local" login) before 
last week and after the CSRF patches were applied, but now I'm again on 
my office PC and the problem is still here even with "local" login.
I'm going to investigate in the code, but if you could point me to 
what to debug it would be easier.
Thanks,
Samuele

-- 
-------------------------------------------------
Samuele Tognini
Centro di calcolo didattico
Dipartimento di Informatica, Universita' di Pisa
Via Buonarroti, 4 56127 PISA

Tognini Samuele | 1 Oct 12:55

Re: Security Token problem.

I've checked it and the problem is simply template related.
I changed my default template to the "monobook" tpl two weeks ago and 
it does not create the hidden sectok field used as the security token. 
It's probably an old template release, as I guess that the field is 
created automatically by some new tpl API.

Cheers,
Samuele

Tognini Samuele wrote:
> Andreas Gohr wrote:
>> Samuele Tognini writes:
>>
>>> Hi,
>>> I have a problem with remote login on a dokuwiki development release (darcs
>>> retrieved).
>>
>> Can you specify what "remote login" means? Are you trying to log in 
>> from a form outside DokuWiki?
>>
>> Andi
> No, I mean logging in to dokuwiki from a PC that is not the web server.
> That dokuwiki is a private installation on my office PC, so I usually 
> log in directly from it.
> Last week I was out of the office and my attempts to log in from my home 
> PC were unsuccessful.
> I was almost sure that I worked as admin (from "local" login) before 
> last week and after the CSRF patches were applied, but now I'm again on 
> my office PC and the problem is still here even with "local" login.
> I'm going to investigate in the code, but if you could point me to 

Andreas Gohr | 1 Oct 13:03

Re: Security Token problem.

Tognini Samuele writes:

> I've checked it and the problem is simply template related.
> I changed my default template to the "monobook" tpl two weeks ago and 
> it does not create the hidden sectok field used as the security token. 
> It's probably an old template release, as I guess that the field is 
> created automatically by some new tpl API.

Ah, right. If the template uses the built-in functions for creating the 
forms, the sectoken will be added automatically. But I think the Monobook 
template uses a custom login form in the sidebar.

But I'm thinking about allowing logins without security tokens. A login is 
not a dangerous operation and it might be a common scenario to log in from a 
form outside DokuWiki (e.g. a form on the corporate intranet start page). 

Andi


Terence J. Grant | 1 Oct 19:44

Re: Security Token problem.

Hi guys,

>I've checked it and the problem is simply template related.
>I changed my default template to the "monobook" tpl two weeks ago and
>it does not create the hidden sectok field used as the security token.
>It's probably an old template release, as I guess that the field is
>created automatically by some new tpl API.

> Ah, right. If the template uses the built-in functions for creating the
> forms, the sectoken will be added automatically. But I think the Monobook
> template uses a custom login form in the sidebar.

Monobook doesn't create a custom form for the login page.
Monobook doesn't access login page APIs or anything like that.
Monobook just links a page served up by the dokuwiki engine:
  "doku.php?do=login"
So somebody (Andi?) may wish to investigate what's happening
differently in the "do=login" screen.

It's not a template problem from my P.O.V.

-- 
--Terence J. Grant

TNHarris | 1 Oct 21:29

Re: Indexer + Cookies + Security Token


On Sun, 30 Sep 2007 13:40:09 +0100, "Chris Smith" <chris <at> jalakai.co.uk>
said:
> 
> I am getting errors in my log due to attempts to send cookies after
> output has already started. The output is started by an 'echo "\n"' in
> inc/indexer.php on line 428. 

Yup, that's a gremlin. Sorry.

Patch attached.
-- tom
telliamed <at> fastmail.us


Michael Klier | 1 Oct 21:45

Re: Security Token problem.

Terence J. Grant wrote:
> Hi guys,
> 
> >I've checked it and the problem is simply template related.
> >I changed my default template to the "monobook" tpl two weeks ago and
> >it does not create the hidden sectok field used as the security token.
> >It's probably an old template release, as I guess that the field is
> >created automatically by some new tpl API.
> 
> > Ah, right. If the template uses the built-in functions for creating the
> > forms, the sectoken will be added automatically. But I think the Monobook
> > template uses a custom login form in the sidebar.
> 
> Monobook doesn't create a custom form for the login page.
> Monobook doesn't access login page APIs or anything like that.
> Monobook just links a page served up by the dokuwiki engine:
>   "doku.php?do=login"
> So somebody (Andi?) may wish to investigate what's happening
> differently in the "do=login" screen.
> 
> It's not a template problem from my P.O.V.

Given your example above it is a template problem. You either have to
use the tpl_actionlink() function to generate the login link or if you
build it yourself, like your example implies, you have to add the
security token manually:

 "doku.php?do=login&amp;sectok=<?php echo getSecurityToken()?>"

otherwise it won't work. This however only affects the latest development

Terence J. Grant | 1 Oct 22:28

Re: Security Token problem.

> > It's not a template problem from my P.O.V.
>
> Given your example above it is a template problem.
> ...
> otherwise it won't work. This however only affects the latest development
> version of DW and if Andi decides to remove the sectok check from the
> login action it's no problem after all.

Gotcha; I'd hope "do=login" would work on its own in the future
though, since there's a couple of sites I use with DW that I don't
present login buttons for.

-- 
--Terence J. Grant
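
The mechanism this thread turns on, as an added example that is not DokuWiki's code and not from any poster: a session-bound token that every `do=login` request must carry, a hand-written template form that emits the hidden `sectok` field, and a hand-built link that carries the token as a parameter. The `example_*` function names, the HMAC construction and the `u`/`p` field names are assumptions for illustration; `sectok`, `doku.php?do=login` and the error text are taken from the messages above.

```php
<?php
// Added illustration, NOT DokuWiki's implementation; example_* names are hypothetical.
session_start();

// One random secret per session, so the token cannot be predicted by another site.
function example_security_token(): string {
    if (empty($_SESSION['sectok_secret'])) {
        $_SESSION['sectok_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', session_id(), $_SESSION['sectok_secret']);
}

// Constant-time comparison; a missing field fails exactly like a wrong one.
function example_check_token($submitted): bool {
    return is_string($submitted)
        && hash_equals(example_security_token(), $submitted);
}

// Hidden field that a hand-written template form has to emit itself.
function example_token_field(): string {
    return '<input type="hidden" name="sectok" value="'
        . htmlspecialchars(example_security_token(), ENT_QUOTES) . '" />';
}

// As in the development version discussed, every do=login request is checked.
if (($_REQUEST['do'] ?? '') === 'login'
    && !example_check_token($_REQUEST['sectok'] ?? null)) {
    http_response_code(403);
    exit('Security Token did not match. Possible CSRF attack.');
}
?>
<!-- Custom sidebar form: drop the token field and the request above is rejected -->
<form action="doku.php" method="post">
  <input type="hidden" name="do" value="login" />
  <?php echo example_token_field(); ?>

  <input type="text" name="u" /> <input type="password" name="p" />
  <input type="submit" value="Login" />
</form>
<!-- Hand-built link: the same token travels as a query parameter -->
<a href="doku.php?do=login&amp;sectok=<?php echo urlencode(example_security_token()); ?>">Login</a>
```

A token placed in a link ends up in server logs, browser history and Referer headers, which the hidden POST field avoids.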

