Ilia Ross
c72d232e2f
Fix to restrict Basic auth for websocket routes
ⓘ Require websocket routes to opt in with allow_basic_ws before Basic auth is accepted in session mode. Mark linked ws-link routes and no-cookie backend-session routes as allowed, while leaving normal session-backed routes unmarked.
2026-06-23 01:09:43 +02:00
Ilia Ross
26311baab9
Fix to use Webmin config locking for ws-link cleanup
ⓘ Make linked websocket teardown use the same `miniserv.conf.lock` convention as `link.cgi`, release the lock safely on cleanup errors
2026-06-22 20:34:00 +02:00
Ilia Ross
45ca170c20
Add support to proxy linked-server WebSockets
This PR adds general WebSocket proxying for linked Webmin servers, allowing modules such as `xterm` to work when opened through `servers/link.cgi`.
As requested in https://github.com/webmin/webmin/issues/1866.
2026-06-22 16:19:33 +02:00
Jamie Cameron
29c14acf98
Merge pull request #2749 from webmin/dev/tmp-dir-auto
Fix Webmin temp directory setup in Advanced Options
2026-06-19 12:52:18 -07:00
Ilia Ross
a9c6fe724a
Fix IPv6 CIDR access control matching
This PR fixes Webmin IP access control handling for IPv6 CIDR prefixes that are not divisible by 8, such as `/29` as mentioned in this https://github.com/webmin/webmin/issues/1570 ticket.
Before, Webmin validation rejected non-byte-aligned IPv6 network sizes, and the runtime matcher compared IPv6 networks only by whole bytes. This meant valid IPv6 CIDR prefixes could not be used safely in access control rules.
Changes:
- Allow IPv6 access-control prefixes from `/0` through `/128`, without requiring divisibility by 8.
- Add bit-accurate IPv6 prefix matching for ACL checks.
- Apply the same matching behavior in both `miniserv.pl` and `webmin/webmin-lib.pl`.
- Fix IPv6 canonicalization for `::` and trailing `::` forms used by the matcher.
- Add regression tests for `/0`, `/29`, `/32`, `/63`, `/64`, `/127`, and `/128`.
2026-06-19 14:50:24 +02:00
Ilia Ross
ccd2b13942
Fix to enforce private basename for Webmin temp dirs
ⓘ Adds hidden `tempdirname` support and normalizes custom temp paths so Webmin always uses a private final directory like `.webmin`, while keeping the existing permission checks.
2026-06-18 20:48:47 +02:00
Ilia Ross
74fd0ca12d
Fix XML-RPC CGI execution under miniserv
ⓘ Allow xmlrpc.cgi to run when invoked through Webmin's internal CGI do() path while preserving require-safe helper tests, and add regression coverage for CGI header emission.
https://github.com/webmin/webmin/pull/2763#issuecomment-4726296870
2026-06-17 15:06:18 +02:00
Jamie Cameron
8157ff60d2
Merge pull request #2732 from swelljoe/ui-lib-tests-and-quote-escapes
Add some ui-lib tests and fix quote escapes
2026-06-16 22:29:23 -07:00
Joe Cooper
69548c4bb8
Escape in ui_select, too
2026-06-15 16:35:42 -05:00
Joe Cooper
7ca3819d2b
xmlrpc.cgi strict, warnings, critic, tests, and security audit
2026-06-15 01:16:09 -05:00
Jamie Cameron
73821b72b0
Merge pull request #2729 from swelljoe/web-lib-funcs-test-data-transforms
Add web-lib-funcs data transform tests
2026-05-23 19:25:00 -07:00
Joe Cooper
76833b9e68
Add some ui-lib tests and fix quote escapes
2026-05-21 23:32:14 -05:00
Joe Cooper
9de7560728
Update t/README.md to cover stringy eval
2026-05-21 22:30:44 -05:00
Joe Cooper
2c4467a82e
Handle lowercase 2FA secret
2026-05-21 18:01:25 -05:00
Joe Cooper
65c2a0da50
Fix warnings for undef in compare
2026-05-21 17:47:38 -05:00
Joe Cooper
da2090bad7
Add web-lib-funcs data transform tests
2026-05-21 17:21:44 -05:00
Joe Cooper
53c3bef94c
Expand test coverage for check_ip6address
2026-05-20 16:36:28 -05:00
Joe Cooper
100253bec3
Fix quirks in trunc and split_quoted_string
2026-05-20 15:55:07 -05:00
Joe Cooper
3e38e3268e
Fix check_ip6address in miniserv
2026-05-20 14:04:53 -05:00
Joe Cooper
d2ba0d910b
Fix check_ip6address in web-lib-funcs
2026-05-20 14:04:37 -05:00
Joe Cooper
c487b579ed
Add ip, paths, string tests for web-lib-funcs
2026-05-20 01:01:01 -05:00
Jamie Cameron
b2fec1756d
Merge pull request #2716 from swelljoe/miniserv-tests-trois
Even more unit tests for miniserv.pl
2026-05-18 20:30:47 -07:00
Joe Cooper
d1c6e8d3a3
Even more tests for miniserv.pl
2026-05-18 00:46:20 -05:00
Joe Cooper
d81eb13f22
Run tests on PR, add docs
2026-05-17 23:33:59 -05:00
Joe Cooper
ab37804ef9
Add docs for coverage
2026-05-17 23:17:15 -05:00
Joe Cooper
b658bdd3ed
Remove comment noise about known bug in encrypt_sha512, as bug has been fixed by this PR
2026-05-17 19:30:38 -05:00
Joe Cooper
b71c046596
More miniserv.pl tests
2026-05-17 17:28:21 -05:00
Ilia Ross
3b819eafb5
Merge pull request #2705 from swelljoe/miniserv-unit-tests
rename miniserv-http_error.t to miniserv.t, test all subs
2026-05-17 23:24:04 +02:00
Joe Cooper
49138dc5b5
Capture warnings, instead of silencing
2026-05-17 16:14:23 -05:00
Ilia Ross
2d01675139
Fix reflected XSS in Webmin status messages
* Note: Escape the /webmin/ message parameter, strip restart redirect HTML to plain text, and harden filter_javascript().
2026-05-17 14:32:10 +02:00
Joe Cooper
bf5ae8b5e5
Accommodate modification in place
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-05-16 18:33:55 -04:00
Joe Cooper
d3c9f331c8
rename miniserv-http_error.t to miniserv.t, test all subs
2026-05-13 13:11:43 -05:00
Joe Cooper
da0ff56ee0
Cleanup ASCII decorations
2026-05-10 23:04:08 -05:00
Joe Cooper
bf43c793d3
qualify the test name, since other files will get tests
2026-05-10 22:57:15 -05:00
Joe Cooper
46d571c6b5
Add http_error unit tests as useful example
2026-05-10 22:55:41 -05:00
yangfl
7eca89007d
remove t
2017-10-21 14:51:32 +08:00
Joe Cooper
5e06b2fae9
Add tests...most fail because they aren't set up for Webmin versions, and os_list.txt needs a few tweaks to be more specific.
2008-08-11 23:29:49 +00:00