aneuch's People

Contributors

ajgraves

aneuch's Issues

No way to delete pages from within the wiki

Within Aneuch version 0.10, there is no way for a wiki user to delete a page. 
Administrators can manually remove the page (and all associated archives) from 
the shell, however without shell access, it is impossible to completely delete 
a page.

Original issue reported on code.google.com by [email protected] on 11 Jul 2012 at 2:24

broken links

There are broken links.
Navbar: HomePage, RecentChanges 
Discuss SomePage (HomePage): SomePage (HomePage left corner below)

What steps will reproduce the problem?
1. Install wiki

What is the expected output?
1. $DiscussLink = $DiscussPrefix . $ShortPage;
2. $DiscussLink = $ShortUrl . $DiscussLink;
3. $NavBar = "<a href='$Url$DefaultPage' title='$DefaultPage'>$DefaultPage</a> ".
4. "<a href='".$ShortUrl."RecentChanges' title='RecentChanges'>".

What do you see instead?
1. $DiscussLink = $ShortUrl . $DiscussPrefix . $ShortPage;
2. $DiscussLink = $DiscussLink;
3. $NavBar = "<a href='$DefaultPage' title='$DefaultPage'>$DefaultPage</a> ".
4. "<a href='RecentChanges' title='RecentChanges'>".

What version of the product are you using? On what operating system?
version 0.10 on Ubuntu


Original issue reported on code.google.com by [email protected] on 20 Jul 2012 at 9:35

Copyright and licenses

This project looks like an Oddmuse derivative, but all the copyright statements and the GPL have been replaced by a different license.

Highlight search string on page load from search results

In DoSearch, append "?highlight=$search" to page links.

In DoRequest, check GetParam('highlight') and sub it out:

my $text = Markup($Filec{text});
my $hl   = GetParam('highlight');   # untrusted query value, so it is quoted with \Q...\E below
$text =~ s#(\Q$hl\E)#<span style="background: yellow;">$1</span>#gi if length $hl;

Completely untested code, will need to validate I got it right.

Create "shortcodes" mechanism

Similar to WordPress "shortcodes", create a mechanism that allows plugins to 
create "codes" that are replaced by function output.

Original issue reported on code.google.com by [email protected] on 28 Jan 2013 at 8:20

Search bar broken in admin panel

If you attempt to search using the search bar from the admin panel, the search will not be successful. This is due to the parameter "do" still being set to "admin", rather than "search"

mailto links don't work

If a user wants to have a mailto link in a wiki page, there is currently no way to accomplish this.

Add ability to delete arbitrary revision numbers

Aneuch allows you to edit past revisions (technically this isn't true: if you "edit" a past revision, it makes the text from that revision the newest revision). Maybe it should allow you to delete arbitrary revisions (say you have 50 revisions of a page, and you want to remove the first 20 revisions).

Sanitize page name in InitVars

In InitVars, the $Page element should be sanitized similarly:

# Every character must be in the allowed class (an unanchored regex would only
# require one allowed character somewhere); strip anything else and redirect.
if($Page !~ /^[a-zA-Z0-9._~#,-]+$/) {
  $Page =~ s/[^a-zA-Z0-9._~#,-]//g;
  ReDirect($Url.$Page);
  exit 0;
}
# Under -T only a regex capture untaints, so re-capture the validated name.
($Page) = $Page =~ /^([a-zA-Z0-9._~#,-]+)$/;

This is, of course, untested so far.

Page Index not being used

Aneuch keeps a page index; however, it's not currently used by anything. The ListAllPages sub is actually pulling "live data" from the filesystem.

So, either a) the page index needs to be eliminated, or b) the page index needs to be used as it is intended.

If option b, then modify ListAllPages to pull from the page index by default, or accept a single parameter "force" which if set will pull the "live data" instead.

Incorrect spam accusations

What steps will reproduce the problem?
1. Attempt to post a comment on any page on http://aneuch.myunixhost.com/
2. Fill in the anti-spam and other fields correctly

What is the expected output? What do you see instead?
I get taken to a page that tells me to stop spamming.

What version of the product are you using? On what operating system?
Version 0.22 (version on site as of posting date)

Original issue reported on code.google.com by [email protected] on 29 Aug 2013 at 8:30

PCRE grep broken on some platforms

I found that PCRE grep extensions don't work on some platforms and/or systems. We need to check 'grep -P' and see if it fails. If it does, search for 'pcregrep'. If that doesn't exist, then what?

Ability to filter searches

Update DoSearch to allow for filtering of results (at least by page title). This isn't a particularly useful feature by itself, but plugins like the Quick Note plugin could use this feature to allow one to quickly search just the Quick Note entries.

Page history for uploaded files

The page history page should not show line, word, and character count for pages that are file uploads (this data is nonsensical in this usage case). Should still show total size though.

DoDiff: Better explanation

Something needs to be done to the DoDiff page to better separate the sections. Perhaps add a message "Showing revision XXX" before displaying the page revision. Maybe show a special background color for the diff section?

'summary' field should process through UnquoteHTML in WritePage

Since GetParam calls QuoteHTML, the summary field in WritePage should be run through UnquoteHTML. We should have as close to "raw" (albeit tainted) data in the page file itself, and be sure that anything we know is tainted data gets processed through QuoteHTML later (at display time).

XSS vulnerability everywhere

Although taint checking is on, it seems like there are no checks at all.

Some examples (you have to make someone click this link):

  • ?do=admin;page=index<script>alert('badum-tss')</script>
  • ?do=admin<script>alert('badum-tss')</script>test (even though it errors out, javascript still runs)
  • possibly more…

This, however, does not let you leave some malicious javascript on the page and then just sit back.

But this does:
screenshot with <b> injected into page name
(arbitrary html injected into page name. In this case, it is <b>)

Please note that I was actually aiming for a write-access vulnerability (mentioning it because it can be seen on the screenshot). Possibly problematic lines:

sub WriteDB {
  # We receive file name, and hash
  my $filename = shift;
  my %filedata = %{shift()};
  $filename =~ m/^(.*)$/; $filename = $1;
  open(FILE, ">$filename") or push @Messages, "WriteDB: Unable to write to $filename: $!";

It seems like taint checking raised its alarms on this code, but they were just silenced. The problem with arbitrary filenames is that you can pass any kind of stuff there, for example /../../somefile. This should work! Unfortunately (luckily), I was unable to get it to work, but it should be investigated. Basically the first character will be used as a path in $PageDir (let's say data/), which turns it into data///../../somefile – a perfectly valid file path. I wonder why I couldn't get it to write the file…

(Sorry if you don't like such reports to be posted on GitHub. I see no problem in posting it here publicly. The whole thing is about poking <b> into various places for 30 minutes)

Untaint variables

The taint mode (-T) switch is turned on; however, there are no efforts to actually untaint data in the code.

plugins/Links.pl: Anchor 'bottom' missing

The Links.pl plugin will re-direct to "Links#bottom" after form submission, however, the bottom anchor doesn't exist on the page. This should probably be added just before the input form.

Update SearchForm

The SearchForm sub needs to be updated with the new search form, and the DoHeader sub needs to have the hard-coded form removed and call print on SearchForm().

Update $NewPage

$NewPage should be updated in InitVars to a new default.

# Double quotes: the apostrophe in "you'd" would terminate a single-quoted string.
$NewPage = "It appears that there is nothing here. Perhaps you'd like to "
         . CommandLink('edit', $Page, 'create it', "Create a new page titled $Page") . '?'
    unless $NewPage;

In DoAdminDeleted, give the option of manually deleting pages

Using the DeletedPage text to mark a page for deletion causes it to show up in the admin panel under "List pending deleted pages" which calls DoAdminDeleted. Inside this sub, give the admin user the option to force delete the page (and its associated history) with a simple click.

To facilitate this, DoMaintDeletePages should be modified to accept an optional parameter, call it "force". If force is set to 1, then:

my $RemoveTime = $TimeStamp - $PurgeDeletedPage;

becomes:

my $RemoveTime = ($force) ? $TimeStamp : $TimeStamp - $PurgeDeletedPage;
