]> sipb.mit.edu Git - ikiwiki.git/commitdiff
web commit by JamesWestby: Add a bug and patch for 404 when cancelling the creation...
authorjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Sat, 16 Sep 2006 00:26:16 +0000 (00:26 +0000)
committerjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Sat, 16 Sep 2006 00:26:16 +0000 (00:26 +0000)
doc/bugs/404_when_cancel_create_page.mdwn [new file with mode: 0644]

diff --git a/doc/bugs/404_when_cancel_create_page.mdwn b/doc/bugs/404_when_cancel_create_page.mdwn
new file mode 100644 (file)
index 0000000..b802de7
--- /dev/null
@@ -0,0 +1,46 @@
+If you 
+
+ * Add a link to a non-existant page and save. (e.g. [[somewhere-over-the-rainbow]])
+ * Click the question mark to create the page.
+ * Click the cancel button.
+
+You get a 404 as the page doesn't exist. This patch redirects to the from location
+if it is known.
+
+
+        === modified file 'IkiWiki/CGI.pm'
+        --- IkiWiki/CGI.pm
+        +++ IkiWiki/CGI.pm
+        @@ -427,7 +427,11 @@
+                }
+        
+                if ($form->submitted eq "Cancel") {
+        -               redirect($q, "$config{url}/".htmlpage($page));
+        +               if ( $newpage && defined $from ) {
+        +                       redirect($q, "$config{url}/".htmlpage($from));
+        +               } else {
+        +                       redirect($q, "$config{url}/".htmlpage($page));
+        +               }
+                        return;
+                }
+                elsif ($form->submitted eq "Preview") {
+
+
+
+[P.S. just above that is 
+
+                $type=$form->param('type');
+                if (defined $type && length $type && $hooks{htmlize}{$type}) {
+                        $type=possibly_foolish_untaint($type);
+                }
+                ....
+                $file=$page.".".$type;
+
+I'm a little worried by the `possibly_foolish_untaint` (good name for it by the way,
+makes it stick out). I don't think much can be done to exploit this (if anything), 
+but it seems like you could have a very strict regex there rather than the untaint,
+is there aren't going to be many possible extensions. Something like `/(.\w+)+/`
+(groups of dot separated alpha-num chars if my perl-foo isn't failing me). You could
+at least exclude `/` and `..`. I'm happy to turn this in to a patch if you agree.]
+
+