some preparations for 1.1.0: bump version

wiki.pl: Use of uninitialized value within %UseModWiki::SaveNumUrl in numeric gt (>) at /var/www/cgi-bin/wiki.pl line 1926.

warning on normal page view, page contains BracketUrl ([http://...])

CREDITS

@@ -6,8 +6,10 @@ Users which contributed patches added to versions after 1.0:
 * CliffordAdams
 * DavidClaughton
 * DavidWall
+* GunnarH
 * GyPark
 * JuanMtnezPineda
+* MarkIrons
 * MikeCastle
 * RichardP
 * Robin Rowe (rower@movieeditor.com)

Changelog

@@ -1,4 +1,39 @@
 
+Changes for release 1.1.0 (October 31, 2017):
+* enable warnings (perl -w)
+* fix warnings
+* enable taint mode (perl -T)
+* fixes for taint mode
+  based on work by MarkIrons
+* fixed bug UnusedVariableDeclaration
+  fix contributed by JuanMtnezPineda
+* fixed bug PwlistArray
+  fix contributed by JuanMtnezPineda
+* remove unused variables
+
+Changes for bugfix release 1.0.6 (November 05, 2016):
+
+* fixed bug CookieIgnored
+* fixed bug CGIStartformAndEndform
+* fixed bug SkipMigratingParameterLock
+  based on fix by GyPark
+
+Changes for bugfix release 1.0.5 (August 28, 2009):
+
+* added patch RssLinkInHeader (but only for normal pages)
+  contributed by UngarPeter
+* added patch DoPageLockMinorTweak
+  contributed by JuanMtnezPineda
+* Allow "0" as page name if FreeLinks are allowed
+* fixed bug NumericDatesNeedZeroPadding
+  fix contributed by GunnarH
+* fixed bug ExtraBRAtDoBackLinks
+  fix contributed by JuanMtnezPineda
+* fixed bug TTatDoEditBanned
+  fix contributed by JuanMtnezPineda
+* fixed bug NonEnglishRSS
+  fixes contributed by GunnarH
+
 Changes for bugfix release 1.0.4 (December 1, 2007):
 
 * fixed bug NoDisplayFooterInActionLink

README

@@ -1,5 +1,5 @@
-README for UseModWiki 1.0.4
-Last updated: December 1, 2007
+README for UseModWiki 1.0.6
+Last updated: August 28, 2009
 
 Release notes:
 

config

@@ -1,5 +1,5 @@
-# == Configuration =======================================================
-# Original version from UseModWiki 1.0.4
+# == Configuration =====================================================
+# Original version from UseModWiki 1.1.0
 
 $CookieName  = "Wiki";          # Name for this wiki (for multi-wiki sites)
 $SiteName    = "Wiki";          # Name of site (used for titles)
@@ -96,7 +96,7 @@ $MaskHosts    = 0;      # 1 = mask hosts/IPs,      0 = no masking
 $LockCrash    = 0;      # 1 = crash if lock stuck, 0 = auto clear locks
 $HistoryEdit  = 0;      # 1 = edit links on history page, 0 = no edit links
 $OldThinLine  = 0;      # 1 = old ==== thick line, 0 = ------ for thick line
-$NumberDates  = 0;      # 1 = 2003-6-17 dates,     0 = June 17, 2003 dates
+$NumberDates  = 0;      # 1 = 2003-06-17 dates,    0 = June 17, 2003 dates
 $ParseParas   = 0;      # 1 = new paragraph markup, 0 = old markup
 $AuthorFooter = 1;      # 1 = show last author in footer, 0 = do not show
 $AllUpload    = 0;      # 1 = anyone can upload,   0 = only editor/admins

misc/trans.pl

@@ -449,13 +449,17 @@ This operation is restricted to site editors only...
 
 This operation is restricted to administrators only...
 
-Set or Remove global edit lock
+Set global edit lock
+
+Remove global edit lock
 
 Edit lock created.
 
 Edit lock removed.
 
-Set or Remove page edit lock
+Set page edit lock
+
+Remove page edit lock
 
 Missing page id to lock/unlock...
 

wiki.pl

@@ -1,5 +1,5 @@
-#!/usr/bin/perl
-# UseModWiki version 1.0.4 (December 1, 2007)
+#!/usr/bin/perl -wT
+# UseModWiki version 1.1.0 (October 31, 2017)
 # Copyright (C) 2000-2003 Clifford A. Adams  <caadams@usemod.com>
 # Copyright (C) 2002-2003 Sunir Shah  <sunir@sunir.org>
 # Based on the GPLed AtisWiki 0.3  (C) 1998 Markus Denker
@@ -165,7 +165,7 @@ $MaskHosts    = 0;      # 1 = mask hosts/IPs,      0 = no masking
 $LockCrash    = 0;      # 1 = crash if lock stuck, 0 = auto clear locks
 $HistoryEdit  = 0;      # 1 = edit links on history page, 0 = no edit links
 $OldThinLine  = 0;      # 1 = old ==== thick line, 0 = ------ for thick line
-$NumberDates  = 0;      # 1 = 2003-6-17 dates,     0 = June 17, 2003 dates
+$NumberDates  = 0;      # 1 = 2003-06-17 dates,    0 = June 17, 2003 dates
 $ParseParas   = 0;      # 1 = new paragraph markup, 0 = old markup
 $AuthorFooter = 1;      # 1 = show last author in footer, 0 = do not show
 $AllUpload    = 0;      # 1 = anyone can upload,   0 = only editor/admins
@@ -411,7 +411,7 @@ use CGI;
 use CGI::Carp qw(fatalsToBrowser);
 
 sub InitRequest {
-  my @ScriptPath = split('/', "$ENV{SCRIPT_NAME}");
+  my @ScriptPath = $ENV{SCRIPT_NAME} ? split('/', $ENV{SCRIPT_NAME}) : ();
 
   $CGI::POST_MAX = $MaxPost;
   if ($UseUpload) {
@@ -425,7 +425,7 @@ sub InitRequest {
     $q->charset($HttpCharset);
   }
   $Now = time;                     # Reset in case script is persistent
-  $ScriptName = pop(@ScriptPath);  # Name used in links
+  $ScriptName = pop(@ScriptPath) || '';  # Name used in links
   $IndexInit = 0;                  # Must be reset for each request
   $InterSiteInit = 0;
   %InterSite = ();
@@ -441,39 +441,37 @@ sub InitRequest {
 }
 
 sub InitCookie {
+  my $unsafe_uid;
+
   %SetCookie = ();
   $TimeZoneOffset = 0;
   undef $q->{'.cookies'};  # Clear cache if it exists (for SpeedyCGI)
   %UserData = ();          # Fix for persistent environments.
   %UserCookie = $q->cookie($CookieName);
-  $UserID = $UserCookie{'id'};
-  $UserID =~ s/\D//g;  # Numeric only
-  if ($UserID < 200) {
-    $UserID = 111;
-  } else {
-    &LoadUserData($UserID);
-  }
+  $unsafe_uid = $UserCookie{'id'} || 0;
+  $UserID = &SanitizeUserID($unsafe_uid);
   if ($UserID > 199) {
+    &LoadUserData($UserID);
     if (($UserData{'id'}       != $UserCookie{'id'})      ||
         ($UserData{'randkey'}  != $UserCookie{'randkey'})) {
       $UserID = 113;
       %UserData = ();   # Invalid.  Consider warning message.
     }
   }
-  if ($UserData{'tzoffset'} != 0) {
+  if ($UserData{'tzoffset'}) {
     $TimeZoneOffset = $UserData{'tzoffset'} * (60 * 60);
   }
 }
 
 sub DoBrowseRequest {
-  my ($id, $action, $text);
+  my ($id, $action);
 
   if (!$q->param) {             # No parameter
     &BrowsePage($HomePage);
     return 1;
   }
   $id = &GetParam('keywords', '');
-  if ($id) {                    # Just script?PageName
+  if ($id ne '') {                    # Just script?PageName
     if ($FreeLinks && (!-f &GetPageFile($id))) {
       $id = &FreeToNormal($id);
     }
@@ -614,7 +612,7 @@ sub ReBrowsePage {
 
 sub DoRc {
   my ($rcType) = @_;   # 0 = RSS, 1 = HTML
-  my ($fileData, $rcline, $i, $daysago, $lastTs, $ts, $idOnly);
+  my ($fileData, $i, $daysago, $lastTs, $ts, $idOnly);
   my (@fullrc, $status, $oldFileData, $firstTs, $errorText, $showHTML);
   my $starttime = 0;
   my $showbar = 0;
@@ -745,8 +743,8 @@ sub DoRc {
 sub GetRc {
   my $rcType = shift;
   my @outrc = @_;
-  my ($rcline, $date, $newtop, $author, $inlist, $result);
-  my ($showedit, $link, $all, $idOnly, $headItem, $item);
+  my ($rcline, $date, $newtop, $inlist, $result);
+  my ($showedit, $all, $idOnly, $headItem, $item);
   my ($ts, $pagename, $summary, $isEdit, $host, $kind, $extraTemp);
   my ($rcchangehist, $tEdit, $tChanges, $tDiff);
   my ($headList, $pagePrefix, $historyPrefix, $diffPrefix);
@@ -775,9 +773,11 @@ sub GetRc {
   $tEdit    = T('(edit)');
   $tDiff    = T('(diff)');
   $tChanges = T('changes');
-  $pagePrefix = $QuotedFullUrl . &ScriptLinkChar();
-  $diffPrefix = $pagePrefix . &QuoteHtml("action=browse&diff=4&id=");
-  $historyPrefix = $pagePrefix . &QuoteHtml("action=history&id=");
+  if (0 == $rcType) {  # RSS
+    $pagePrefix = $QuotedFullUrl . &ScriptLinkChar();
+    $diffPrefix = $pagePrefix . &QuoteHtml("action=browse&diff=4&id=");
+    $historyPrefix = $pagePrefix . &QuoteHtml("action=history&id=");
+  }
   foreach $rcline (@outrc) {
     ($ts, $pagename) = split(/$FS3/, $rcline);
     $pagecount{$pagename}++;
@@ -893,7 +893,7 @@ sub GetRcRss {
   my $ChannelAbout = &QuoteHtml($FullUrl . &ScriptLinkChar()
                                 . $ENV{QUERY_STRING});
   $rssHeader = <<RSS ;
-<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml version="1.0" encoding="@{[$HttpCharset or 'ISO-8859-1']}"?>
 <rdf:RDF
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns="http://purl.org/rss/1.0/"
@@ -902,7 +902,7 @@ sub GetRcRss {
 >
     <channel rdf:about="$ChannelAbout">
         <title>${\(&QuoteHtml($SiteName))}</title>
-        <link>${\($QuotedFullUrl . &ScriptLinkChar() . &QuoteHtml("$RCName"))}</link>
+        <link>${\($QuotedFullUrl . &ScriptLinkChar() . &QuoteHtml(&UriEscape($RCName)))}</link>
         <description>${\(&QuoteHtml($SiteDescription))}</description>
         <wiki:interwiki>
             <rdf:Description link="$QuotedFullUrl">
@@ -935,7 +935,7 @@ sub GetRssRcLine{
   my ($pagenameEsc, $itemID, $description, $authorLink, $author, $status,
       $importance, $date, $item, $headItem);
 
-  $pagenameEsc = CGI::escape($pagename);
+  $pagenameEsc = &UriEscape($pagename);
   # Add to list of items in the <channel/>
   $itemID = $FullUrl . &ScriptLinkChar()
             . &GetOldPageParameters('browse', $pagenameEsc, $revision);
@@ -944,13 +944,16 @@ sub GetRssRcLine{
   # Add to list of items proper.
   if (($summary ne "") && ($summary ne "*")) {
     $description = &QuoteHtml($summary);
+  } else {
+    $description = '';
   }
   $host = &QuoteHtml($host);
   if ($userName) {
     $author = &QuoteHtml($userName);
-    $authorLink = 'link="' . $QuotedFullUrl . &ScriptLinkChar() . $author . '"';
+    $authorLink = 'link="' . $QuotedFullUrl . &ScriptLinkChar() . &UriEscape($author) . '"';
   } else {
     $author = $host;
+    $authorLink = '';
   }
   $status = (1 == $revision) ? 'new' : 'updated';
   $importance = $isEdit ? 'minor' : 'major';
@@ -960,6 +963,7 @@ sub GetRssRcLine{
   $date = sprintf("%4d-%02d-%02dT%02d:%02d:%02d+%02d:00",
     $year, $mon+1, $mday, $hour, $min, $sec, $TimeZoneOffset/(60*60));
   $pagename = &QuoteHtml($pagename);
+  $pagename =~ tr/_/ /;
   # Write it out longhand
   $item = <<RSS ;
     <item rdf:about="$itemID">
@@ -983,7 +987,7 @@ RSS
 }
 
 sub DoRss {
-  print "Content-type: text/xml\n\n";
+  print "Content-type: text/xml", $HttpCharset ? "; charset=$HttpCharset" : "", "\n\n";
   &DoRc(0);
 }
 
@@ -999,7 +1003,7 @@ sub DoHistory {
   my ($id) = @_;
   my ($html, $canEdit, $row, $newText);
 
-  print &GetHeader('', Ts('History of %s', $id), '') . '<br>';
+  print &GetHeader('', Ts('History of %s', $id), '');
   &OpenPage($id);
   &OpenDefaultText();
   $newText = $Text{'text'};
@@ -1066,8 +1070,9 @@ sub GetHistoryLine {
   $minor = '';
   $minor = '<i>' . T('(edit)') . '</i> '  if ($revtext{'minor'});
   $expirets = $Now - ($KeepDays * 24 * 60 * 60);
+  $html = '';
   if ($UseDiff) {
-    my ($c1, $c2);
+    my ($c1, $c2) = ('', '');
     $c1 = 'checked="checked"' if 1 == $row;
     $c2 = 'checked="checked"' if 0 == $row;
     $html .= "<tr><td align='center'><input type='radio' "
@@ -1266,7 +1271,7 @@ sub ScriptLinkTitle {
 
 sub GetAuthorLink {
   my ($host, $userName, $uid) = @_;
-  my ($html, $title, $userNameShow);
+  my ($html, $userNameShow);
 
   $userNameShow = $userName;
   if ($FreeLinks) {
@@ -1306,7 +1311,7 @@ sub GetHeader {
   if ($FreeLinks) {
     $title =~ s/_/ /g;   # Display as spaces
   }
-  $result .= &GetHtmlHeader("$SiteName: $title");
+  $result .= &GetHtmlHeader("$SiteName: $title", $id);
   return $result  if ($embed);
 
   $result .= '<div class=wikiheader>';
@@ -1321,7 +1326,7 @@ sub GetHeader {
     }
     $header = &ScriptLink($HomePage, "<$logoImage>");
   }
-  if ($id and $backlinks) {
+  if (($id ne '') and $backlinks) {
     $result .= $q->h1($header . &GetBackLinksSearchLink($id));
   } else {
     $result .= $q->h1($header . $title);
@@ -1339,11 +1344,12 @@ sub GetHttpHeader {
 
   $type = 'text/html'  if ($type eq '');
   if (defined($SetCookie{'id'})) {
-    $cookie = "$CookieName="
-            . "rev&" . $SetCookie{'rev'}
-            . "&id&" . $SetCookie{'id'}
-            . "&randkey&" . $SetCookie{'randkey'};
-    $cookie .= ";expires=Fri, 08-Sep-2013 19:48:23 GMT";
+    $cookie = $q->cookie(
+                -name => $CookieName,
+                -value => { rev => $SetCookie{'rev'},
+                            id => $SetCookie{'id'},
+                            randkey => $SetCookie{'randkey'} },
+                -expires => '+3y');
     if ($HttpCharset ne '') {
       return $q->header(-cookie=>$cookie,
                         -type=>"$type; charset=$HttpCharset");
@@ -1357,7 +1363,7 @@ sub GetHttpHeader {
 }
 
 sub GetHtmlHeader {
-  my ($title) = @_;
+  my ($title, $id) = @_;
   my ($dtd, $html, $bodyExtra, $stylesheet);
 
   $html = '';
@@ -1381,6 +1387,11 @@ sub GetHtmlHeader {
   if ($SiteBase ne "") {
     $html .= qq(<BASE HREF="$SiteBase">\n);
   }
+  unless ($action) {
+    $html .= qq(<link rel="alternate" title="$SiteName RSS" href=")
+          . $ScriptName . &ScriptLinkChar() . &UriEscape("action=rss&days=$RssDays")
+          . qq(" type="application/rss+xml">\n);
+  }
   $stylesheet = &GetParam('stylesheet', $StyleSheet);
   $stylesheet = $StyleSheet  if ($stylesheet eq '');
   $stylesheet = ''  if ($stylesheet eq '*');  # Allow removing override
@@ -1455,11 +1466,11 @@ sub GetFooterText {
                . Ts('Database is stored in temporary directory %s',
                     $DataDir) . '<br>';
   }
-  if ($ConfigError ne '') {
+  if ($ConfigError) {
     $result .= '<br><b>' . T('Config file error:') . '</b> '
                . $ConfigError . '<br>';
   }
-  $result .= $q->endform;
+  $result .= $q->end_form;
   if ($FooterNote ne '') {
     $result .= T($FooterNote);
   }
@@ -1473,7 +1484,7 @@ sub GetCommonFooter {
 
   $html = '<div class=wikifooter>' . '<hr class=wikilinefooter>'
           . &GetFormStart() . &GetGotoBar('')
-          . &GetSearchForm() . $q->endform;
+          . &GetSearchForm() . $q->end_form;
   if ($FooterNote ne '') {
     $html .= T($FooterNote);
   }
@@ -1486,7 +1497,7 @@ sub GetMinimumFooter {
 }
 
 sub GetFormStart {
-  return $q->startform("POST", "$ScriptName",
+  return $q->start_form("POST", "$ScriptName",
                        "application/x-www-form-urlencoded");
 }
 
@@ -1641,6 +1652,7 @@ sub WikiToHTML {
     $pageText = &CommonMarkup($pageText, 1, 0);   # Multi-line markup
     $pageText = &WikiLinesToHtml($pageText);      # Line-oriented markup
   }
+  $TableOfContents ||= '';
   while (@HeadingNumbers) {
     pop @HeadingNumbers;
     $TableOfContents .= "</dd></dl>\n\n";
@@ -1847,7 +1859,7 @@ sub EvalLocalRules {
  
 sub UriEscape {
   my ($uri) = @_;
-  $uri =~ s/([\x00-\x1f\x7f-\xff])/sprintf("%%%02X", ord($1))/ge;
+  $uri =~ s/([^\w\-.!~*'()\/\&=#])/sprintf("%%%02X", ord($1))/ge;
   $uri =~ s/\&/\&amp;/g;
   return $uri;
 }
@@ -1886,7 +1898,7 @@ sub InterPageLink {
 
 sub StoreBracketInterPage {
   my ($id, $text, $useImage) = @_;
-  my ($site, $remotePage, $url, $index);
+  my ($site, $remotePage, $url);
 
   ($site, $remotePage) = split(/:/, $id, 2);
   $remotePage =~ s/&amp;/&/g;  # Unquote common URL HTML
@@ -1908,10 +1920,9 @@ sub StoreBracketInterPage {
 
 sub GetBracketUrlIndex {
   my ($id) = @_;
-  my ($index, $key);
 
   # Consider plain array?
-  if ($SaveNumUrl{$id} > 0) {
+  if ($SaveNumUrl{$id} and $SaveNumUrl{$id} > 0) {
     return $SaveNumUrl{$id};
   }
   $SaveNumUrlIndex++;  # Start with 1
@@ -1957,6 +1968,7 @@ sub StorePre {
 sub StoreHref {
   my ($anchor, $text) = @_;
 
+  $text ||= '';
   return "<a" . &StoreRaw($anchor) . ">$text</a>";
 }
 
@@ -2144,6 +2156,7 @@ sub SplitUrlPunct {
     ($punct) = ($url =~ /([^a-zA-Z0-9\/\xc0-\xff]+)$/);
     $url =~ s/([^a-zA-Z0-9\/\xc0-\xff]+)$//;
   }
+  $punct ||= '';
   return ($url, $punct);
 }
 
@@ -2204,7 +2217,7 @@ sub WikiHeading {
 # ==== Difference markup and HTML ====
 sub GetDiffHTML {
   my ($diffType, $id, $revOld, $revNew, $newText) = @_;
-  my ($html, $diffText, $diffTextTwo, $priorName, $links, $usecomma);
+  my ($html, $diffText, $priorName, $links, $usecomma);
   my ($major, $minor, $author, $useMajor, $useMinor, $useAuthor, $cacheName);
 
   $links = "(";
@@ -2561,9 +2574,9 @@ sub ExpireKeepFile {
   return  if (!(-f $fname));
   $data = &ReadFileOrDie($fname);
   @kplist = split(/$FS1/, $data, -1);  # -1 keeps trailing null fields
-  return  if (length(@kplist) < 1);  # Also empty
+  return  if (scalar(@kplist) < 1);  # Also empty
   shift(@kplist)  if ($kplist[0] eq "");  # First can be empty
-  return  if (length(@kplist) < 1);  # Also empty
+  return  if (scalar(@kplist) < 1);  # Also empty
   %tempSection = split(/$FS2/, $kplist[0], -1);
   if (!defined($tempSection{'keepts'})) {
     return;  # Bad keep file
@@ -2628,12 +2641,13 @@ sub OpenKeptList {
 
 sub OpenKeptRevisions {
   my ($name) = @_;  # Name of section
-  my ($fname, $data, %tempSection);
+  my (%tempSection);
 
   %KeptRevisions = ();
   &OpenKeptList();
   foreach (@KeptList) {
     %tempSection = split(/$FS2/, $_, -1);
+    next  unless ($tempSection{'name'});
     next  if ($tempSection{'name'} ne $name);
     $KeptRevisions{$tempSection{'revision'}} = $_;
   }
@@ -2722,6 +2736,35 @@ sub ValidIdOrDie {
   return 1;
 }
 
+sub SanitizePageName {
+  my ($unsafe_id) = @_;
+  my $id = '';
+
+  if ($FreeLinks) {
+    if ($unsafe_id =~ /^($FreeLinkPattern)$/) {
+      $id = $1; # untaint
+    }
+  } else {
+    if ($unsafe_id =~ /^($LinkPattern)$/) {
+      $id = $1; # untaint
+    }
+  }
+  return $id;
+}
+
+sub SanitizeUserID {
+  my ($unsafe_uid) = @_;
+  my $uid = 111;
+
+  if ($unsafe_uid =~ /^(\d+)$/) {
+    $uid = $1; # untaint
+    if ($uid < 200) {
+      $uid = 111;
+    }
+  }
+  return $uid;
+}
+
 sub UserCanEdit {
   my ($id, $deepCheck) = @_;
 
@@ -2763,7 +2806,7 @@ sub UserIsBanned {
 }
 
 sub UserIsAdmin {
-  my (@pwlist, $userPassword);
+  my ($userPassword);
 
   return 0  if ($AdminPass eq "");
   $userPassword = &GetParam("adminpw", "");
@@ -2776,7 +2819,7 @@ sub UserIsAdmin {
 }
 
 sub UserIsEditor {
-  my (@pwlist, $userPassword);
+  my ($userPassword);
 
   return 1  if (&UserIsAdmin());             # Admin includes editor
   return 0  if ($EditPass eq "");
@@ -3042,7 +3085,7 @@ sub CalcDay {
   $ts += $TimeZoneOffset;
   my ($sec, $min, $hour, $mday, $mon, $year) = localtime($ts);
   if ($NumberDates) {
-    return ($year + 1900) . '-' . ($mon+1) . '-' . $mday;
+    return sprintf("%d-%02d-%02d", $year+1900, $mon+1, $mday);
   }
   return ("January", "February", "March", "April", "May", "June",
           "July", "August", "September", "October", "November",
@@ -3059,15 +3102,15 @@ sub CalcTime {
   if (($TimeZoneOffset == 0) && ($ScriptTZ ne "")) {
     $mytz = " " . $ScriptTZ;
   }
-  $ampm = "";
-  if ($UseAmPm) {
-    $ampm = " am";
-    if ($hour > 11) {
-      $ampm = " pm";
-      $hour = $hour - 12;
-    }
-    $hour = 12   if ($hour == 0);
+  unless ($UseAmPm) {
+    return sprintf("%02d:%02d$mytz", $hour, $min);
   }
+  $ampm = " am";
+  if ($hour > 11) {
+    $ampm = " pm";
+    $hour = $hour - 12;
+  }
+  $hour = 12   if ($hour == 0);
   $min = "0" . $min   if ($min<10);
   return $hour . ":" . $min . $ampm . $mytz;
 }
@@ -3104,7 +3147,7 @@ sub GetRemoteHost {
   my ($doMask) = @_;
   my ($rhost, $iaddr);
 
-  $rhost = $ENV{REMOTE_HOST};
+  $rhost = $ENV{REMOTE_HOST} || '';
   if ($UseLookup && ($rhost eq "")) {
     # Catch errors (including bad input) without aborting the script
     eval 'use Socket; $iaddr = inet_aton($ENV{REMOTE_ADDR});'
@@ -3146,7 +3189,7 @@ $OtherCode = ""; # Comment next line to always compile (slower)
 #$OtherCode = <<'#END_OF_OTHER_CODE';
 
 sub DoOtherRequest {
-  my ($id, $action, $text, $search);
+  my ($id, $action, $search);
 
   $action = &GetParam("action", "");
   $id = &GetParam("id", "");
@@ -3239,7 +3282,7 @@ sub DoOtherRequest {
 sub DoEdit {
   my ($id, $isConflict, $oldTime, $newText, $preview) = @_;
   my ($header, $editRows, $editCols, $userName, $revision, $oldText);
-  my ($summary, $isEdit, $pageTime);
+  my ($summary, $pageTime);
 
   if ($FreeLinks) {
     $id = &FreeToNormal($id);  # Take care of users like Markus Lude :-)
@@ -3317,7 +3360,7 @@ sub DoEdit {
         $q->textfield(-name=>'summary',
                       -default=>$summary, -override=>1,
                       -size=>60, -maxlength=>200);
-  if (&GetParam("recent_edit") eq "on") {
+  if (&GetParam("recent_edit", '') eq "on") {
     print "<br>", $q->checkbox(-name=>'recent_edit', -checked=>1,
                                -label=>T('This change is a minor edit.'));
   } else {
@@ -3363,7 +3406,7 @@ sub DoEdit {
     print "<h2>", T('Preview only, not yet saved'), "</h2>\n";
     print '</div>';
   }
-  print $q->endform;
+  print $q->end_form;
   if (!&GetParam('embed', $EmbedWiki)) {
     print '<div class=wikifooter>';
     print "<hr class=wikilinefooter>\n";
@@ -3388,7 +3431,7 @@ sub GetTextArea {
 }
 
 sub DoEditPrefs {
-  my ($check, $recentName, %labels);
+  my ($recentName, %labels);
 
   $recentName = $RCName;
   $recentName =~ s/_/ /g;
@@ -3469,7 +3512,7 @@ sub DoEditPrefs {
   print '<br>' . T('StyleSheet URL:') . ' ',
         &GetFormText('stylesheet', "", 30, 150);
   print '<br>', $q->submit(-name=>'Save', -value=>T('Save')), "\n";
-  print $q->endform;
+  print $q->end_form;
   print '</div>';
   if (!&GetParam('embed', $EmbedWiki)) {
     print '<div class=wikifooter>';
@@ -3503,7 +3546,6 @@ sub DoUpdatePrefs {
   &UpdatePrefCheckbox("toplinkbar");
   &UpdatePrefCheckbox("linkrandom");
   print &GetHeader('', T('Saving Preferences'), '');
-  print '<br>';
   if ($UserID < 1001) {
     print '<b>',
           Ts('Invalid UserID %s, preferences not saved.', $UserID), '</b>';
@@ -3522,7 +3564,7 @@ sub DoUpdatePrefs {
   }
   if ($username eq "") {
     print T('UserName removed.'), '<br>';
-    undef $UserData{'username'};
+    delete $UserData{'username'};
   } elsif ((!$FreeLinks) && (!($username =~ /^$LinkPattern$/))) {
     print Ts('Invalid UserName %s: not saved.', $username), "<br>\n";
   } elsif ($FreeLinks && (!($username =~ /^$FreeLinkPattern$/))) {
@@ -3536,7 +3578,7 @@ sub DoUpdatePrefs {
   $password = &GetParam("p_password",  "");
   if ($password eq "") {
     print T('Password removed.'), '<br>';
-    undef $UserData{'password'};
+    delete $UserData{'password'};
   } elsif ($password ne "*") {
     print T('Password changed.'), '<br>';
     $UserData{'password'} = $password;
@@ -3545,7 +3587,7 @@ sub DoUpdatePrefs {
     $password = &GetParam("p_adminpw",  "");
     if ($password eq "") {
       print T('Administrator password removed.'), '<br>';
-      undef $UserData{'adminpw'};
+      delete $UserData{'adminpw'};
     } elsif ($password ne "*") {
       print T('Administrator password changed.'), '<br>';
       $UserData{'adminpw'} = $password;
@@ -3587,7 +3629,7 @@ sub DoUpdatePrefs {
     if (&GetParam('stylesheet', '') ne '') {
       print T('StyleSheet URL removed.'), '<br>';
     }
-    undef $UserData{'stylesheet'};
+    delete $UserData{'stylesheet'};
   } else {
     $stylesheet =~ s/[">]//g;  # Remove characters that would cause problems
     $UserData{'stylesheet'} = $stylesheet;
@@ -3662,7 +3704,6 @@ sub UpdatePrefNumber {
 
 sub DoIndex {
   print &GetHeader('', T('Index of all pages'), '');
-  print '<br>';
   &PrintPageList(&AllPagesList());
   print &GetCommonFooter();
 }
@@ -3695,7 +3736,7 @@ sub DoEnterLogin {
         $q->password_field(-name=>'p_password', -value=>'', 
                            -size=>15, -maxlength=>50);
   print '<br>', $q->submit(-name=>'Login', -value=>T('Login')), "\n";
-  print $q->endform;
+  print $q->end_form;
   if (!&GetParam('embed', $EmbedWiki)) {
     print '<div class=wikifooter>';
     print "<hr class=wikilinefooter>\n";
@@ -3706,11 +3747,11 @@ sub DoEnterLogin {
 }
 
 sub DoLogin {
-  my ($uid, $password, $success);
+  my ($unsafe_uid, $uid, $password, $success);
 
   $success = 0;
-  $uid = &GetParam("p_userid", "");
-  $uid =~ s/\D//g;
+  $unsafe_uid = &GetParam("p_userid", "");
+  $uid = &SanitizeUserID($unsafe_uid);
   $password = &GetParam("p_password",  "");
   if (($uid > 199) && ($password ne "") && ($password ne "*")) {
     $UserID = $uid;
@@ -3727,9 +3768,9 @@ sub DoLogin {
   }
   print &GetHeader('', T('Login Results'), '');
   if ($success) {
-    print Ts('Login for user ID %s complete.', $uid);
+    print Ts('Login for user ID %s complete.', $unsafe_uid);
   } else {
-    print Ts('Login for user ID %s failed.', $uid);
+    print Ts('Login for user ID %s failed.', $unsafe_uid);
   }
   if (!&GetParam('embed', $EmbedWiki)) {
     print '<div class=wikifooter>';
@@ -3793,7 +3834,6 @@ sub DoSearch {
     return;
   }
   print &GetHeader('', &QuoteHtml(Ts('Search for: %s', $string)), '');
-  print '<br>';
   &PrintPageList(&SearchTitleAndBody($string));
   print &GetCommonFooter();
 }
@@ -3802,7 +3842,6 @@ sub DoBackLinks {
   my ($string) = @_;
 
   print &GetHeader('', &QuoteHtml(Ts('Backlinks for: %s', $string)), '');
-  print '<br>';
   # At this time the backlinks are mostly a renamed search.
   # An initial attempt to match links only failed on subpages and free links.
   # Escape some possibly problematic characters:
@@ -3823,7 +3862,7 @@ sub PrintPageList {
 
 sub DoLinks {
   print &GetHeader('', &QuoteHtml(T('Full Link List')), '');
-  print "<hr><pre>\n\n\n\n\n";  # Extra lines to get below the logo
+  print "<pre>\n\n\n\n\n";  # Extra lines to get below the logo
   &PrintLinkList(&GetFullLinkList());
   print "</pre>\n";
   print &GetCommonFooter();
@@ -3968,9 +4007,9 @@ sub GetPageLinks {
 }
 
 sub DoPost {
-  my ($editDiff, $old, $newAuthor, $pgtime, $oldrev, $preview, $user);
+  my ($id, $old, $newAuthor, $pgtime, $oldrev, $preview, $user);
   my $string = &GetParam("text", undef);
-  my $id = &GetParam("title", "");
+  my $unsafe_id = &GetParam("title", "");
   my $summary = &GetParam("summary", "");
   my $oldtime = &GetParam("oldtime", "");
   my $oldconflict = &GetParam("oldconflict", "");
@@ -3979,7 +4018,12 @@ sub DoPost {
   my $authorAddr = $ENV{REMOTE_ADDR};
 
   if ($FreeLinks) {
-    $id = &FreeToNormal($id);
+    $unsafe_id = &FreeToNormal($unsafe_id);
+  }
+  $id = &SanitizePageName($unsafe_id);
+  if (!$id) {
+    &ReportError(Ts('Invalid Page %s', $unsafe_id));
+    return;
   }
   if (!&UserCanEdit($id, 1)) {
     # This is an internal interface--we don't need to explain
@@ -4330,7 +4374,6 @@ sub ProcessVetos {
 sub DoMaintain {
   my ($name, $fname, $data, $message, $status);
   print &GetHeader('', T('Maintenance on all pages'), '');
-  print "<br>";
   $fname = "$DataDir/maintain";
   if (!&UserIsAdmin()) {
     if ((-f $fname) && ((-M $fname) < 0.5)) {
@@ -4419,9 +4462,9 @@ sub DoMaintainRc {
   return  if (!&UserIsAdminOrError());
   &RequestLock() or die(T('Could not get lock for RC maintenance'));
   if (&TrimRc()) {
-    print '<br>' . T('RC maintenance done.') . '<br>';
+    print T('RC maintenance done.') . '<br>';
   } else {
-    print '<br>' . T('RC maintenance not done.') . '<br>';
+    print T('RC maintenance not done.') . '<br>';
   }
   &ReleaseLock();
   print &GetCommonFooter();
@@ -4446,12 +4489,17 @@ sub UserIsAdminOrError {
 }
 
 sub DoEditLock {
-  my ($fname);
+  my ($set, $fname);
 
-  print &GetHeader('', T('Set or Remove global edit lock'), '');
+  $set = &GetParam("set", 1) ? 1 : 0;
+  if ($set) {
+    print &GetHeader('', T('Set global edit lock'), '');
+  } else {
+    print &GetHeader('', T('Remove global edit lock'), '');
+  }
   return  if (!&UserIsAdminOrError());
   $fname = "$DataDir/noedit";
-  if (&GetParam("set", 1)) {
+  if ($set) {
     &WriteStringToFile($fname, "editing locked.");
   } else {
     unlink($fname);
@@ -4465,19 +4513,29 @@ sub DoEditLock {
 }
 
 sub DoPageLock {
-  my ($fname, $id);
+  my ($set, $fname, $unsafe_id, $id);
 
-  print &GetHeader('', T('Set or Remove page edit lock'), '');
+  $set = &GetParam("set", 1) ? 1 : 0;
+  if ($set) {
+    print &GetHeader('', T('Set page edit lock'), '');
+  } else {
+    print &GetHeader('', T('Remove page edit lock'), '');
+  }
   # Consider allowing page lock/unlock at editor level?
   return  if (!&UserIsAdminOrError());
-  $id = &GetParam("id", "");
-  if ($id eq "") {
+  $unsafe_id = &GetParam("id", "");
+  if ($unsafe_id eq "") {
     print '<p>', T('Missing page id to lock/unlock...');
     return;
   }
-  return  if (!&ValidIdOrDie($id));       # Consider nicer error?
+  return  if (!&ValidIdOrDie($unsafe_id));       # Consider nicer error?
+  $id = &SanitizePageName($unsafe_id);
+  if (!$id) {
+    &ReportError(Ts('Invalid Page %s', $unsafe_id));
+    return;
+  }
   $fname = &GetLockedPageFile($id);
-  if (&GetParam("set", 1)) {
+  if ($set) {
     &WriteStringToFile($fname, "editing locked.");
   } else {
     unlink($fname);
@@ -4505,15 +4563,15 @@ sub DoEditBanned {
         "a hostname).  <b>Note:</b> To test the ban on yourself, you must ",
         "give up your admin access (remove password in Preferences).";
   print "<p>Example:<br>",
-        "# blocks hosts ending with .foocorp.com<br>",
-        "\\.foocorp\\.com\$<br>",
-        "# blocks exact IP address<br>",
-        "^123\\.21\\.3\\.9\$<br>",
-        "# blocks whole 123.21.3.* IP network<br>",
-        "^123\\.21\\.3\\.\\d+\$<p>";
+        "<tt># blocks hosts ending with .foocorp.com</tt><br>",
+        "<tt>\\.foocorp\\.com\$</tt><br>",
+        "<tt># blocks exact IP address</tt><br>",
+        "<tt>^123\\.21\\.3\\.9\$</tt><br>",
+        "<tt># blocks whole 123.21.3.* IP network</tt><br>",
+        "<tt>^123\\.21\\.3\\.\\d+\$</tt><p>";
   print &GetTextArea('banlist', $banList, 12, 50);
   print "<br>", $q->submit(-name=>'Save'), "\n";
-  print $q->endform;
+  print $q->end_form;
   if (!&GetParam('embed', $EmbedWiki)) {
     print '<div class=wikifooter>';
     print "<hr class=wikilinefooter>\n";
@@ -4569,7 +4627,7 @@ sub DoEditLinks {
   print $q->checkbox(-name=>"p_changetext", -override=>1, -checked=>1,
                       -label=>"Substitute text for rename");
   print "<br>", $q->submit(-name=>'Edit'), "\n";
-  print $q->endform;
+  print $q->end_form;
   if (!&GetParam('embed', $EmbedWiki)) {
     print '<div class=wikifooter>';
     print "<hr class=wikilinefooter>\n";
@@ -4605,7 +4663,7 @@ sub UpdateLinksList {
 }
 
 sub BuildLinkIndex {
-  my (@pglist, $page, @links, $link, %seen);
+  my (@pglist, $page);
 
   @pglist = &AllPagesList();
   %LinkIndex = ();
@@ -4775,9 +4833,7 @@ sub SubFreeLink {
 
 sub SubWikiLink {
   my ($link, $old, $new) = @_;
-  my ($newBracket);
 
-  $newBracket = 0;
   if ($link eq $old) {
     $link = $new;
     if (!($new =~ /^$LinkPattern$/)) {
@@ -4798,9 +4854,9 @@ sub RenameKeepText {
   ($status, $data) = &ReadFile($fname);
   return  if (!$status);
   @kplist = split(/$FS1/, $data, -1);  # -1 keeps trailing null fields
-  return  if (length(@kplist) < 1);  # Also empty
+  return  if (scalar(@kplist) < 1);  # Also empty
   shift(@kplist)  if ($kplist[0] eq "");  # First can be empty
-  return  if (length(@kplist) < 1);  # Also empty
+  return  if (scalar(@kplist) < 1);  # Also empty
   %tempSection = split(/$FS2/, $kplist[0], -1);
   if (!defined($tempSection{'keepts'})) {
     return;
@@ -4930,6 +4986,11 @@ sub RenamePage {
   unlink($newkeep)  if (-f $newkeep);  # Clean up if needed.
   rename($oldkeep,  $newkeep);
   unlink($IndexFile)  if ($UseIndex);
+  my $oldlock = &GetLockedPageFile($old);
+  if (-f $oldlock) {
+    my $newlock = &GetLockedPageFile($new);
+    rename($oldlock, $newlock);
+  }
   &EditRecentChanges(2, $old, $new)  if ($doRC);
   if ($doText) {
     &BuildLinkIndexPage($new);  # Keep index up-to-date
@@ -4939,15 +5000,21 @@ sub RenamePage {
 
 sub DoShowVersion {
   print &GetHeader('', T('Displaying Wiki Version'), '');
-  print "<p>UseModWiki version 1.0.4</p>\n";
+  print "<p>UseModWiki version 1.1.0</p>\n";
   print &GetCommonFooter();
 }
 
 # Thanks to Phillip Riley for original code
 sub DoDeletePage {
-  my ($id) = @_;
+  my ($unsafe_id) = @_;
+  my $id;
 
-  return  if (!&ValidIdOrDie($id));
+  return  if (!&ValidIdOrDie($unsafe_id));
+  $id = &SanitizePageName($unsafe_id);
+  if (!$id) {
+    &ReportError(Ts('Invalid Page %s', $unsafe_id));
+    return;
+  }
   print &GetHeader('', Ts('Delete %s', $id), '');
   return  if (!&UserIsAdminOrError());
   if ($ConfirmDel && !&GetParam('confirm', 0)) {
@@ -5169,6 +5236,6 @@ sub DoTrimUsers {
 }
 #END_OF_OTHER_CODE
 
-&DoWikiRequest()  if ($RunCGI && ($_ ne 'nocgi'));   # Do everything.
+&DoWikiRequest()  if ($RunCGI && (!$_ or $_ ne 'nocgi'));   # Do everything.
 1; # In case we are loaded from elsewhere
 # == End of UseModWiki script. ===========================================