s + CSS in the Professional theme [Oliver]
- Introduced generic function to delete a user's photo to avoid code
duplication and slightly different error handling in various places [Dirk]
- Made the new user registration form remember the user's input so that they
don't have to retype everything in case of an error [Dirk]
- In the Admin's user list, banned users are indicated by striked-through
entries (based on a hack by Andy Maloney) [Dirk]
- Added new setting $_CONF['onlyrootfeatures']. This is for sites where two or
more story admins can feature stories that the other admins cannot see. The
setting prevents that one admin does not see that there is another recent
story featured and sets one by himself, "stealing" the feature from the other.
- Changed "Reply"-button to "Post a comment" [Oliver]
- Implemented an error handler to supress all PHP level errors and display a
much more userfriendly error text to the end user. Prevents all path exposure,
prevents "white error page" mystery debugging fun. [Mike]
- Full sweep of all code for $_REQUEST/$_GET/$_POST and $_COOKIE use. Made sure
that COM_applyFilter, or other safe usage is made of the variables. [Mike]
- Added an option to hide the "No News To Display" message on the index page
(new config option $_CONF['hide_no_news_msg']) [Dirk]
- Added an option to check if the sites sending trackbacks are actually linking
to our site (see $_CONF['check_trackback_link'] in config.php) [Dirk]
- Made it impossible to save two syndication feeds with identical filenames
[Oliver]
- Stories with comments/trackbacks disabled, do not show comment/trackback
url in RSS feeds [Mike]
- Added email confirmation fields for new user and usersettings [Oliver]
- Allow changing of group ownership for "gldefault" blocks. Requires a change
in admin/block/defaultblockeditor.thtml to enable the group dropdown. On a
fresh install, all the blocks (with the exception of "Are you secure?") are
now owned by the Block Admin group [Dirk]
- Users created by a User Admin should not be queued for approval, even when
$_CONF['usersubmission'] = 1 [Dirk]
- Introduced 'syndication.edit' permission and 'Syndication Admin' group so
that access to the Content Syndication panel no longer requires 'Root'
permissions [Dirk]
- For the "Submissions" entry in the Admins Only block, only count story and
event submissions when the current user has story.moderate or event.moderate
permissions, respectively [Dirk]
- On admin/moderation.php, list the stories that have their draft flag set only
when the current user has story.edit permission [Dirk]
- Fixed empty lines in a Group Admin's list of groups when that Group Admin
was not a member of all groups [Dirk]
- Renamed the misnamed CUSTOM_runSheduledTask function (in lib-custom.php) to
CUSTOM_runScheduledTask. Don't forget to make that change in your copy of
lib-custom.php if you're using that functionality! [Dirk]
- Improved error log contents when unable to acquire a feed reader for a portal
block. [Mike]
- Extended plugin API for feed extensions to include feed id and the topic (for
adding topic/feed specific data) [Mike]
- Don't attempt to rename a non-existing user photo when
$_CONF['allow_username_change'] is enabled (reported and fix suggested by
Yusuke Sakata) [Dirk]
- Made changes to ensure compatibility with MS SQL, as suggested by
Randy Kolenko [Dirk]
- The "last login date" column in the Admin's list of users now uses
$_CONF['shortdate'] so that it includes the year [Dirk]
- Fixed batch user import (which set all imported users to status "Awaiting
Authorization" instead of "Awaiting Activation") [Mike]
- Fixed admin lists google paging for use in static pages etc. [Oliver]
- Added support for a custom login error handler function,
CUSTOM_loginErrorHandler [Blaine]
- Format the user agent string according to the RFCs 1945 / 2068 / 2616, i.e.
"Geeklog/1.4.1" when trying to detect a Trackback URL [Dirk]
- Made the search option on the Admin pages behave like the site search, i.e.
it doesn't require you to pad queries with '*' any longer [Dirk]
- In story search results, show/hide the "Author" and "Views" columns based on
the $_CONF['contributedbyline'] and $_CONF['hideviewscount'] settings [Dirk]
- Introduced $_CONF['title_trim_length'] to make the max. title length of items
in the What's New block configurable (feature request #525). Also implemented
a new function COM_truncate (based on a patch by Yusuke Sakata) that properly
handles truncation of multi-byte text strings if the mb_ functions are
available [Dirk]
- Added a JavaScript confirmation box to most delete buttons/links. If you'd
rather not have such a confirmation, use {delete_option_no_confirmation}
instead of {delete_option} in the admin templates [Dirk]
- Fixed RSS Feed parser to create RFC 822 dates in en_GB or en_US locale as per
the RFC spec [Mike]
- Removed obsolete "do not use spaces" warning from user editor (bug #530)
[Dirk]
- Show fullname/username according to config.php settings in stories [Oliver]
- Added possibility to change the css-class for admin list headers and fields
[Oliver]
- Added unified new style class to stats.php/style.css to have all lists on
the page look the same [Oliver]
- Added multi-language support, based on earlier works by Euan McKay and LWC.
Also see http://wiki.geeklog.net/wiki/index.php/Multi-Language_Support
- Changed the default path for topic icons to /images/topics [Dirk]
- Fixed an SQL error when calling up the Admin's list of stories without any
topics [Dirk]
- Removed the public_html/portal.php script, as it is no longer needed [Dirk]
- Remove uninstalled plugins from the global $_PLUGINS array immediately
(just in case the array would be used to trigger any actions) [Dirk]
- The "Topic" column in the list of feeds was empty for feeds that are only
linked from a topic page [Dirk]
- Only use the mb_substr workaround in the calendar when the current character
set is UTF-8 (bug #524) [Dirk]
- Fixed SQL error on MySQL 5 when listing the members of a group (bug #527)
[Dirk]
- When emailing a story, don't include the text "Comment on this story at ..."
when comments have been switched off for that story [Dirk]
- Fixed wrong wording of some of the "access denied" messages when trying to
access Admin panels without proper privileges [Dirk]
- Fixed display of Admin block for users that only had certain Admin privileges
[Dirk]
- New Afrikaans language file, provided by Renier Maritz
- Updated Hebrew language file, provided by LWC
The Hebrew language file was also renamed to hebrew_utf-8.php for consistency
with the other UTF-8 language files.
- Updated Turkish language file, provided by Kemal Cellat
Calendar plugin (1.0.0)
---------------
- Bugfix: Replace autotags in the event description [Dirk]
- Added an option to switch between 24 hour and 12 hour am/pm mode for entering
and editing events [Dirk]
- Implemented plugin_enablestatechange API function to enable/disable plugin
feeds and blocks when the plugin is enabled/disabled [Dirk]
- Added calendar plugin initial version [Oliver]
Links plugin (1.0.1)
------------
- Implemented plugin_enablestatechange API function to enable/disable plugin
feeds when the plugin is enabled/disabled [Dirk]
- Changed the english language file from "Web Resources" to "Links"
- Fixed hard-coded link to the "admin" directory when editing a link (reported
by Ronnie Rigl) [Dirk]
- Optimized SQL requests for the plugin's What's New section [Dirk]
- Re-introduced {button_links} header variable [Dirk]
- Added an option to hide the Top Ten Links on the first page [Dirk]
- Made the page title on the Web Resources page more informative by adding the
category and page number [Dirk]
- The edit icon (only visible for Links Admins) now uses the same image type
as the current theme (was previously hardcoded to "edit.gif") [Dirk]
- Hide the "Web Resources" link from the menu when login is required to see
the links (for consistency with the Polls plugin) [Dirk]
- Added a title attribute to the links on the site stats page that contains
the link's actual URL [Dirk]
- Fixed site link in search results which wasn't using portal.php [Dirk]
- The Admin's search option now also searches the link description [Dirk]
- Removed extra tags from the What's New section (bug #526) [Dirk]
Polls plugin (1.1.0)
------------
- Fixed call to undefined function polllist when calling up a non-existing
poll [Dirk]
- Implemented plugin_enablestatechange API function to enable/disable the poll
block when the plugin is enabled/disabled [Dirk]
- Fixed search [Dirk]
- Added a remark field for polls answers [Oliver]
- Re-introduced {button_polls} header variable [Dirk]
- Added an option to hide the link to the polls from the menu (for consistency
with the Links plugin) [Dirk]
- Fixed poll URLs on the site stats page [Dirk]
- Remove the polls block when uninstalling the Polls plugin (another part of
bug #520) [Dirk]
Spam-X plugin (1.1.0)
-------------
- Added SLV (Spam Link Verification) modules [Dirk]
- The MT-Blacklist modules are not being shipped with Geeklog any longer. The
MT-Blacklist entries are removed from the database during the upgrade [Dirk]
- Allow special characters (e.g. backslashes) in the Admin modules (e.g. the
Personal Blacklist module) [Dirk]
- Moved spam actions to plugin_spamaction_spamx API function [Dirk]
- Fixed potential problems with the checkforSpam function's return code in case
of unusual configurations (e.g. $_CONF['spamx'] = 0) [Dirk, Tom Willet]
- Made the plugin's internal log flag a proper config option. So you can now
disable logging to spamx.log from the plugin's config.php [Dirk]
- Mass delete by IP now uses stored IP address [Mike]
Static Pages plugin (1.4.3)
-------------------
- Make sure autotags are replaced even when execution of PHP code is disabled
(reported by LWC) [Dirk]
- Added a help URL for the block display of static pages [Oliver]
- Added ability in staticpage editor to enable/disable Advanced Editor mode
so you can use FCKEditor and then if need basic html edit mode [Blaine]
- Fixed default sorting order for the list of static pages [Dirk]
- Allow to show/hide update date/time and hits [Oliver]
- When creating a new page, don't set the default group ownership to the Static
Page Admin group if the current user is not a member of that group. Instead,
pick a group with staticpages.edit permission that the user is a member of
[Dirk]
- Fixed paging for the list of static pages (bug #528) [Dirk]
July 23, 2006 (1.4.0sr5-1)
-------------
This release fixes display problems in the comment preview that were only
introduced in Geeklog 1.4.0sr5 (as a result of the fix for the XSS).
The complete 1.4.0sr5-1 tarball also includes the following language files:
- New Afrikaans language file, provided by Renier Maritz
- Updated Hebrew language file, provided by LWC
- Updated Turkish language file, provided by Kemal Cellat
July 16, 2006 (1.4.0sr5)
-------------
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
June 30, 2006 (1.4.0sr4)
-------------
Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all 1.4.0 releases.
- Some of the files outside of the public_html directory were not protected
against direct execution. If Geeklog was installed such that those files were
accessible from a URL (which has always been strongly discouraged in the
installation instructions) then those files could be used to load and
execute malicious code from a remote server.
More information: http://www.geeklog.net/article.php/so-called-exploit
In this release, we've added the missing execution prevention for all files
outside of public_html. We would still, however, suggest that you fix your
Geeklog install if the files outside of public_html are accessible from a URL.
- The "mcpuk" file manager that we've integrated into FCKeditor allowed the
upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
config.php). Depending on your webserver's configuration, it was then possible
to execute that uploaded code.
More information:
http://www.geeklog.net/article.php/exploit-for-fckeditor-filemanager
The file manager has been removed from this release. You will therefore no
longer be able to upload files, e.g. images, through FCKeditor. Future
versions of Geeklog will ship with an updated version of FCKeditor and its
included file manager.
May 28, 2006 (1.4.0sr3)
------------
The Security Science Researchers Institute Of Iran reported the following
security issues:
- Possible SQL injection and authentication bypass in auth.inc.php
- Possible XSS in getimage.php
- Path disclosure in getimage.php and the functions.php of some themes,
e.g. the Professional theme
An internal code review also revealed a possible SQL injection in story
submissions.
Mar 5, 2006 (1.4.0sr2)
-----------
Security issues:
- Konstantin Dyakoff found an old bug in the session handling that would allow
anyone to log in as any user.
- HTML was not stripped from the Location field in a user's profile.
Feb 19, 2006 (1.4.0sr1)
------------
Security issues:
- James Bercegay of GulfTech Security Research reported several issues with
Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary
file access, and even injection and execution of arbitrary code.
Bugfixes:
- Fixed bug in page-break combined with url rewrite (bug #521) [Oliver]
- Fixed Story [page_break] showing only intro on first page [Oliver]
- Fixed install script for the Spam-X plugin which was trying to include an SQL
file that doesn't exist - and wasn't needed (part of bug #520) [Dirk]
- Updated Hebrew language file, provided by LWC
- New Russian language files for the Links and Polls plugins, provided by
Volodymyr V. Prokurashko
- Fixed Static pages dutch language file [Oliver]
- New Polish language file for the Links plugin, provided by Robert Stadnik
- Added UTF-8 English versions of the Links, Polls, Static Pages, and Spam-X
language files [Dirk]
- Added all UTF-8 Language files for core [Oliver]
Feb 5, 2006 (1.4.0)
------------
- Prevent execution of PHP code in "normal" blocks [Dirk]
- Added missing navbar images - used for CSS based buttons as part of the
standard Plugin CSS [Blaine]
- Set options in FCKConfig to have Firefox browsers by default not using the
and font tags to format Bold and Italic [Blaine]
- Fixed another bug in google pagination of admin-lists [Oliver]
- Fixed "wrap static page in a block" and "exit type" options in the static
page editor. Also link to the "rewritten" URL from the list of static pages
when URL rewriting is on [Dirk]
- Fixed JavaScript error in the Admin's story editor (bug #479) [Dirk]
- Fixed hard-coded paths in the check.php script and added tests for missing
directories (reported by Markus Wollschlaeger) [Dirk]
- A humble attempt to add some semantics [Dirk]
+ Added rel="category tag" to a story's topic link
+ Added rel="self bookmark" for a comment's permalink
- Cosmetics: Moved the number of links per category out of the actual link to
the category [Dirk]
- On MySQL 5, the drop-down list of link categories presented to a user when
submitting a new link came out wrong (while the one in the Admin's link
editor worked just fine). Moved the working code into a new function in the
plugin's functions.inc and changed the code to use it in both cases now [Dirk]
- Fixed an SQL error when the "length of entries" field in the Feed Editor was
left empty [Dirk]
- Fixed date and time defaulting to the current date and time when creating
a new event as an Admin user (adding a workaround for changes of strtotime()
behavior in PHP 5) [Dirk]
- Fixed SQL error on MySQL 5 when creating a new topic (bug #517) [Dirk]
- In HTTP requests, format the user agent string according to the RFCs 1945 /
2068 / 2616, i.e. "Geeklog/1.4.0" [Dirk]
- Updated Japanese language files, provided by Yusuke Sakata
- Updated Ukrainian (Windows-1251) language file, provided by Vitaliy Biliyenko
Jan 22, 2006 (1.4.0rc2)
------------
- header.thtml now specifies the CSS Class Declaration to use for the body.
This addresses the issue with FCKEditor when displayed, its CSS was
over-riding the main site tag and the site margin padding was being
affected [Blaine]
- Removed CSS for the Forum plugin from style.css [Blaine]
- Fixed "Cannot modify header ..." message when logging in from the admin
pages (reported by Samuel M. Stone). This also fixes confusing intermittent
displays during the login (e.g. only some of the "Command and Control" icons
showing up, messages about missing permissions flashing up) [Dirk]
- Removed Geeklog version number from feed files due to security concerns
(pointed out by Samuel M. Stone) [Dirk]
- Login through the admin pages didn't work with register_globals=off [Dirk]
- Fixed admin lists so pagination works also in static pages [Oliver]
- Pass GeekLog as user agent when fetching RSS feeds [Mike]
- Made the image upload work with out-of-the-box PHP 5 configurations [Dirk]
- Fixed handling of HTML entities in Pingbacks [Dirk]
- Fixed Spam-X Mass Delete Trackback Spam module to update the story's trackback
count when deleting trackbacks [Dirk]
- Fixed a possible SQL error when saving a block (reported by BDUB) [Dirk]
- Fixed story titles in the What's New block when they contained HTML entities
(entities where sometimes cut off and/or encoded twice) [Dirk]
- Fixed a typo in all the plugin install script which set the group description
to "grp_desc" instead of $grp_desc (found by Ingo Schaefer) [Dirk]
- Improved autodetect of Trackback URLs [Dirk]
- The submit story form was not selecting the advanced Editor if user was not
logged in or did not have Story Editor permissions [Blaine]
- Added missing CSS class name "list-feed" for portal blocks [Dirk]
- Fixed user submission queue (reported by Andrew Lawlor) [Dirk]
- Fixed handling of integer fields in the Admin's story editor (reported by
Ron Ackerman) [Dirk]
- Fixed handling of checkboxes in the static pages editor (reported by
Ron Ackerman) [Dirk]
- Fixed SQL error when saving a static page that had had more than 1000 hits
(reported by Euan McKay) [Dirk]
- Removed visible table border from advanced comment editor form [Blaine]
- Moved some hard-coded text strings from the advanced editor into the
language files [Blaine]
- Updated Chinese language files, provided by Samuel M. Stone
- Updated Japanese language files, provided by Yusuke Sakate
Dec 31, 2005 (1.4.0rc1)
------------
- Added support for Advanced Editor in the Add Comment Feature [Blaine]
- Fixed SQL error in search on MySQL 5 (fix suggested by dariball) [Dirk]
- Added trackback.php and pingback.php to the included robots.txt [Dirk]
- Added a few more calls to COM_numberFormat all over the place (links and polls
plugins, Admins Only block, ...) [Dirk]
- Fixed test for a Geeklog 1.3.9 database in the install script [Dirk]
- When emailing a story, make sure all fields are filled in [Dirk]
- Don't lose the current topic selection when a Story Admin uses the Contribute
link [Dirk]
- Fixed highlighting of search query in comments when register_globals = off
[Dirk]
- When the entries in the Admin's block are not sorted, make sure the icons in
Command and Control are in the same order as the block entries [Dirk]
- Allow topic icons to be uploaded to and retrieved from a 'topics' directory
outside of the document root [Dirk]
- Added a workaround to produce abbreviated day names in the calendar for UTF-8
language files (reported by Euan McKay) [Dirk]
- The Spam-X plugin now uses the same "universal" install script as the other
three preinstalled plugins [Dirk]
- Added more allowable HTML tags and attributes if Advanced_Editor enabled
config.php setting [Blaine]
- Added logic to detect if Javascript was not enabled and Advanced Editor was
enabled.
User will be prompted with alert and able to use the default editor [Blaine]
- Changed spam handling for Trackbacks and Pingbacks to check for spam on the
unfiltered Trackback/Pingback content [Dirk]
- When editing a link submission with a new link category (i.e. the submitter
selected "other" and entered a non-existing category), make sure that new
category actually shows up in the links editor [Dirk]
- In the Admin's list of stories, show the display name of the topic (i.e. the
same as in the Topics block) instead of the topic ID [Dirk]
- Hide the edit icon in the Admin's list of stories when the current user
doesn't have edit access to a story (since they only got a note saying they
can't edit that story anyway) [Dirk]
- Fixed alternating row colors in admin lists if one row has no data [Oliver]
- Made it impossible to switch off blocks if there is no access [Oliver]
- Fixed handling of items in the submission queues (it was only possible to
approve / delete the first item in a queue) [Dirk]
- Grant users with 'plugin.edit' permission access to the plugin editor [Dirk]
- Changed admin-lists 'default-filter' to require 'AND' [Oliver]
- Fixed admin lists for events & static pages for non-root users [Oliver]
- Fixed invalid language string in submit.php [Oliver]
- Fixed problems with the query highlighting code escaping double quotes [Dirk]
- In the list of plugins, display only the plugin's current version number as
long as it's in sync with the code version or the plugin hasn't implemented
the chkVersion API function [Dirk]
- Limit length of a new user's username to 16 characters in the
admin/user/edituser.thtml template file [Dirk]
- Don't display the current user's userphoto when creating a new user in
admin/user.php [Dirk]
- Fixed sanity checks in USER_addGroup and USER_delGroup [Trinity, Dirk]
- Allowed the Links-entry from the top menu to be hidden by config.php in links
[Oliver]
- Fixed small HTML validation issues with adv. editor and admin lists [Oliver]
- Fixed comment bug that allowed comments to be saved even when user did not
have the correct story/topic permissions. [Vinny]
- Send the character set as an HTTP header from COM_siteHeader now [Oliver]
- Fixed updating Links feeds [Mike]
- Corrected RSS handling of GUID or LINK [Mike]
- Fixed date format in Atom feeds [Mike]
- Fixed loss of sort setting when browsing the user list [Oliver]
- Fixed block title of the site stats (reported by Tom Willet) [Dirk]
- Fixed an SQL error when approving the default story submission ("Are you
secure?") after a fresh install (reported by suvi) [Dirk]
- Fixed warnings that exposed the full path to Geeklog when attempting SQL
injections on the advanced search [Mike]
- The "Mail Users" icon was missing from Command and Control [Dirk]
- In Command and Control, show the Trackback icon only when at least one of the
Trackback, Pingback, or Ping features is enabled (in addition to 'story.ping'
permissions for the current user) [Dirk]
- Replaced the delete_event.gif icon (in layout/professional/images/icons) with
a PNG, since the Professional theme uses PNGs now and the icon wouldn't show
up otherwise [Dirk]
- The block around the list of backups was missing the title [Dirk]
- Don't emit the Trackback and Pingback headers when trackbacks have been
disabled for a story [Dirk]
- Introduced {lang_trackback_comments_no_link} (in trackback/trackback.thtml)
so that you can have an article page entirely without links back to itself
(for picky spiders such as the one for Google News) [Dirk]
- Call COM_refresh when creating a user with usersubmission = 1 [Mike]
- Fixed sorting of Trackbacks in the What's New block [Dirk]
- The search by author or by date switched to searching for everything on
page 2 of the results [Dirk]
- For the Links plugin, the "last x days" text in the What's New block was
missing [Dirk]
- Fixed an SQL error when creating new blocks [Mike]
- The feed reader will now also follow redirects [Mike]
- Updated Chinese traditional and simplified language files, and new Chinese
language files for the Links, Polls, and Static Pages plugins, provided by
Samuel M. Stone
- German language files now exist in 4 combinations (formal / informal German,
ISO-8859-15 / UTF-8 encoding) for Geeklog, the Links, Polls and Static Pages
plugins [Dirk]
- Updated Japanese language files, provided by Yusuke Sakate
- New Ukrainian language files (Windows-1251) for Geeklog and all four plugins,
provided by Vitaliy Biliyenko
- New Ukrainian language files (UTF-8 and KOI8-U encoding) for Geeklog, the
Spam-X, and Static Pages plugins, provided by Yaroslav Fedevych
Nov 20, 2005 (1.4.0b1)
------------
- Introduced {start_storylink_anchortag} and {end_storylink_anchortag} template
variables in the story and commentbar template files which only produce a
link to the story when not on article.php, thus avoiding links back to the
article page itself, which the spider for Google News doesn't seem to like
(feature request #486) [Dirk]
- Added a workaround for image uploads using GD when ImageCreateTrueColor is
not available (patch #468) [Dirk]
- Allow a subject to be passed as a parameter for the "contact user" form
(based on patch #497) [Dirk]
- Added support for right-to-left languages (based on patch #488) [Dirk]
- Update Feeds and Older Stories block when changing topic settings [Dirk]
- Added a hits counter to events and added a Top Ten Events section to the
site stats [Dirk]
- Introduced $_CONF['show_topic_icon'], i.e. the default setting whether to
show topic icons or not [Dirk]
- The "Older Stories" block now only lists articles that appeared on the
frontpage (i.e. have not been set to "Show only in topic", bug #408) [Dirk]
- Fixed problems with query highlighting in stories scrambling links in
autotags (bug #492) [Dirk]
- Group names are now unique (as they should have been from the beginning). The
install script takes care of existing duplicate group names when upgrading
to 1.4.0 (bug #367) [Dirk]
- Allow for more topic IDs in the user's preferences (bug #490) [Dirk]
- Replace autotags in the Daily Digest (bug #484) [Dirk]
- Explicitly link to /docs/index.html for the documentation link in the Admin's
block (bug #504) [Dirk]
- Added an option to enable / disable trackbacks per story (just like you can
enable / disable comments per story) [Dirk]
- Changed COM_optionList to check for language arrays which override the text
strings that are embedded in the database (for comment mode, featured story,
post mode, etc.) Bug #227 [Dirk]
- Fixed Bug #174 -- quotes in titles are no longer double htmlentized [Vinny]
- The default permissions for new objects (stories, topics, blocks, etc.) can
now be set in config.php (feature request #90) [Dirk]
- Added an "Active users" entry to the site statistics. If Geeklog is configured
to track a user's last login, this will display the number of users who
logged into the site during the last 4 weeks. Otherwise, it displays the
number of user accounts with status = 3 (i.e. have logged into their account
at least once and haven't been banned) [Dirk]
- Introduced a new plugin API function so that the plugin's summary (e.g.
number of items) can be properly integrated with the "Site Stats" section.
Modified stats/sitestatistics.thtml, removed stats/stats.thtml, added
stats/singlesummary.thtml template files [Dirk]
- Introduced a generic function, USER_getPhoto, which provides the user's photo,
if available. The function also supports getting the user's avatar from
gravatar.com (if enabled in config.php) [Dirk]
- The texts in the What's New block ("x new stories in the last y hours",
"last 2 weeks", etc.) now properly reflect the actual settings of the
$_CONF['newXXXinterval'] variables (bug #390) [Oliver, Dirk]
- Introduced a method to signal a forced update for feeds in case the content
of one of the feed entries has changed - so far, we only checked if entries
had been added or removed (bug #277) [Dirk]
- Added $_CONF['show_right_blocks'] option which, if set = true, will display
right-side blocks on all pages (also addresses feature request #31) [Dirk]
- Fixed bug #454, SQL error when reading comments. [Vinny]
- Leave off the "page=1" parameter on the "Google paging" navigation bar for
links that point back to the first page [Dirk]
- The default feed for a new site is now in RSS 2.0 format and named
"geeklog.rss" [Mike, Dirk]
- Added time of the day to the name of the database backups to allow several
backups a day [Oliver]
- When the search returns no results, the search form is now pre-populated
with the last search query, so that it can be changed easily. On successful
searches, a "refine search" link will appear that also takes you back to a
pre-populated search form (to refine your search, obviously) [Dirk]
- Changed search to only return a certain amount of hits per page, thus
avoiding timeouts on servers where the script execution time is limited
(bug #274) [Dirk]
A new config variable, $_CONF['num_search_results'], defines the number of
search results to be returned per page (and per type). The search form also
includes a drop-down menu where this can be changed for every search.
Plugins will have to indicate if they support this "paged" search. Otherwise,
Geeklog will fake the paging for the plugin, so that the plugin does a full
search for every page, but Geeklog will only display the hits for the current
page (such a plugin can therefore still cause a timeout until it is changed
to support "paged" searching).
- Added a permanent link to comments (in the professional theme) [Vinny]
- Added new icons for the admin sections and made sure each admin section
now has an icon in admin/moderation.php [Dirk]
The new icons have been taken from the Gnome project (some of them modified
by Jakub Steiner). They are released under the GPL.
- Introduced global variable $_IMAGE_TYPE that specifies the image type to
use. Defaults to 'gif'. Themes can override it to use other images types,
e.g. PNG, for all images [Dirk]
- Added option to upload topic icons (Feature Request #415, Patch #423),
provided by Alford Deeley (machinari)
- Changed the Admin's "Command and Control" center such that there is an icon
for every entry in the Admin's block [Dirk]
- Removed duplicate code for creating a "topic SQL" query in moderation.php
(use COM_getTopicSQL instead) [Dirk]
- Added the ability to allow users to login via defined remote services (ships
with Blogger and LiveJournal support) [Mike]
- Added the ability to ban users, and to tell when a user has logged in at least
once [Mike]
- Added edit-icon, List-Sorting, searching, Limits & alternating row colors
in admin menus for groups, syndication, staticpages, trackback
(where not yet done) [Oliver]
- Added function to allow user-defined scaling of images in articles by using
[unscaledX] instead of [imageX] [Oliver]
- Removed $_CONF['whosonline_fullname'] option - use $_CONF['show_fullname']
instead [Dirk]
- Fixed bug where extra slashes appeared when previewing comments [Vinny]
- Removed the "lastvisit" cookies, as they are obviously not used [Dirk]
- Removed redundant changepwd-button & code from /admin/user.php (Bug #9)
[Oliver]
- Added new feature to insert a feed-links into header depending on topic, to
be chosen from /admin/syndication.php in the form of
[Oliver]
- Added options to google-Navigation so it can be used by plugins and work with
url-rewriting (feature request #315). [Oliver]
- Userlist now also shows Registration Date and if $_CONF['lastlogin']= true it
shows the last login date instead. [Oliver]
- Added option in config.php to hide "Viewed: x" line with
$_CONF['viewscountline'] just as the $_CONF['contributedbyline'] [Oliver]
- Added function COM_numberFormat to format displayed numbers with custom
decimal & thousand - separators and fixed decimal places if necessary
Includes the respecitve 3 new config.php values in locale section.
(Feature Request #298) [Oliver]
- Default Blocks showed always in all Topics before. Now you can choose to show
them in All/only one topic/only on homepage like other blocks (feature #326)
[Oliver]
- A Story can now break over several pages in the body-text. The tag
[page_break] will split the bodytext in pieces that can be opened with the
std. COM_printPageNavigation. Introtext is removed for pages>1 [Oliver]
- Added field for old password check in /usersettings.php (bug #230) [Oliver]
- Added password confirmation to /admin/user.php and /usersettings.php
(bug #230) [Oliver]
- Made the alternating row colors in the Admin's trackback functions compatible
with the scheme used in other places (list of users, etc.). Also changed the
list of weblog directory services so that editing is now done by clicking on
the number of the service [Dirk]
- Stories are no longer forced to be featured _and_ on frontpage (bug #362)
[Oliver]
- Changed links locations in User-list, added user-photo indicator [Oliver]
- Don't update a story's date any more when unchecking the 'draft' flag
(bug #400) [Dirk]
- Don't use "rewritten" URLs in the static pages editor any more (bug #403).
Also updated the list of static pages to use alternating colors for the
rows [Dirk]
- Use "\r\n" when sending trackback pings (bug #407) [Dirk]
- Allow autotags to optionally have a space after the tag name [Blaine]
Valid tags are:
[story:20040101093000103 here] or [story: 20040101093000103 here]
- Fixed inconsistent use of {site_url} and {layout_url} in some of the
professional theme's admin template files - using {layout_url} everywhere
now when referring to icons (bug #395) [Dirk]
- Event titles containing quotes were cut off at the first quote in the event
editor, i.e. both the admin's event editor and the editor for personal events.
(bug #399) [Dirk]
- Modified PLG_templateSetVars API to also check for a custom function [Blaine]
Users can now set header template using CUSTOM_templatesetvars()
- Added new CSS declarations as recommened CSS for plugins [Blaine]
- Added a basic scheduler Plugin API plugin_runScheduledTask [Blaine]
Interval is set in config.php - $_CONF['cron_schedule_interval']
- Enhanced the Group Admin interface display [Blaine]
- Enhanced the User Admin display and made the headings sortable [Blaine]
- Geeklog will now properly handle html special characters (such as quotes and
ampersands) in comment titles (bug #174) [Vinny]
- Hide 'edit' option for articles in preview (bug #347) [Dirk]
- Changed admin/user.php to use file() for the batch import [Dirk]
- Implemented pinging weblog directory services like blo.gs and weblogs.com
(Feature Request #35). By default, we ping pingomatic.com [Dirk]
- Complete overhaul of the Plugin Comment API to reduce the likelyhood of
plugins introducing security problems. Older plugins that use the comment
API will no longer work. [Vinny]
- Refactored Comment code out of lib-common.php and into lib-comment.php, also
some changes to comment.php [Vinny]
- Introduced a 'story.ping' permission that enables users to send Pings,
Pingbacks, and Trackbacks for a story (or plugin item). Members of the Story
Admin group have that permission by default.
- Overhauled install script: It will now abort the installation if the minumum
requirements (PHP 4.1.0, MySQL 3.23.2) are not met. It also displays a warning
message if register_long_arrays is off (PHP 5 only, bug #360). Another
warning message is displayed if "public_html" is part of the URL.
When upgrading, it now tries to identify the Geeklog version that was used
previously (only really works for versions 1.3.8 - 1.3.11) [Dirk]
- Fixed date in comment preview (bug #370) [Dirk]
- Incorporated the new syndication framework for reading and writing feeds of
different formats (RSS, RDF, Atom), provided by Michael Jervis (patch #352).
This contribution also addresses Task #19 ("RSS import class") and Feature
Request #67 ("Limiting number of entries in RSS feeds").
Please note that the feed writer classes, system/classes/*.feed.class.php,
are now obsolete and can be removed. Please also note this adds new PEAR
package requirements for Net_URL and HTTP_Request.
- Added support for sending and receiving trackback comments (Feature Request
#34) Also implemented Pingback support in pretty much the same way. Once
received, Geeklog treats Trackbacks and Pingbacks the same and stores them
in the gl_trackback table. [Dirk]
Both can be switched off in config.php: $_CONF['trackback_enabled'] = false;
and $_CONF['pingback_enabled'] = false;
- Added a new script, directory.php, that implements a date-based listing of
all the stories on a site [Dirk]
A link to the directory is available as a new option, 'directory', for the
$_CONF['menu_elements'] config variable, so that it can be added to the menu.
- The column headline for event search results was not displayed [Dirk]
- Added logos to syndication feeds. [Mike]
- Added config option to disable new accounts (Patch #426 from Alford Deeley)
[Mike]
- Alphabet Sort on Admin Menu and C&C Block [Mike]
- New Farsi (Persian) language file, provided by Hesam.H
- Updated Japanese language file, provided by Yusuke Sakata
- New Farsi (Persian) language file for the static pages plugin,
provided by Hesam.H
Links plugin 1.0.0
------------
- Added ID-editor and Autotags-feature [link: ... ] [Oliver]
- Added Category-Specific Feeds [Oliver]
- Added Edit-Icon, List-Sorting, searching, Limits & etc for admin menu [Oliver]
- Moved links functionality into a plugin [Trinity, Oliver]
Polls plugin 1.0.0
------------
- Polls moved to a plugin [Trinity]
Spam-X plugin 1.0.3
-------------
- The LogView module now automatically truncates the Spam-X logfile to 100KB
[Tom Willet]
- The IP Blacklist module now supports regular expressions [Mike]
- Added a Mass Delete module for Trackback comments [Dirk]
- Added an "admin override" option, so that postings by members of the 'spamx
Admin' group will not be checked for spam [Dirk]
July 16, 2006 (1.3.11sr7)
-------------
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
May 28, 2006 (1.3.11sr6)
------------
The Security Science Researchers Institute Of Iran reported the following
security issues:
- Possible SQL injection and authentication bypass in auth.inc.php
- Possible XSS in getimage.php
- Path disclosure in getimage.php and the functions.php of some themes,
e.g. the Professional theme
An internal code review also revealed a possible SQL injection in story
submissions.
Mar 5, 2006 (1.3.11sr5)
-----------
Security issue:
- Konstantin Dyakoff found an old bug in the session handling that would allow
anyone to log in as any user.
Feb 19, 2006 (1.3.11sr4)
------------
Security issues:
- James Bercegay of GulfTech Security Research reported several issues with
Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary
file access, and even injection and execution of arbitrary code.
- Prevent execution of PHP code in "normal" blocks
Dec 12, 2005 (1.3.11sr3)
------------
Security issues:
- Fixed comment bug that allowed comments to be saved even when user did not
have the correct story/topic permissions (reported by LWC) [Vinny]
- Fixed a path disclosure in case someone tampered with the start date or end
date in advanced search (reported by r0t3d3Vil) [Mike]
Feeding malformed dates to the search caused a warning message to be displayed
that disclosed the path to the Geeklog install on the server. It was NOT
possible to use this for SQL injections.
Bugfixes:
- Fixed the problems (introduced in 1.3.11sr2) editing static pages when
$_CONF['url_rewrite'] = true (bug #491) [Dirk]
- The "Reply" button didn't work when viewing individual comments [Vinny]
- Fixed the definition of the 'expire' field (in table gl_stories), which
caused an SQL error when doing a fresh install on MySQL 5
(reported by Johannes) [Dirk]
- Fixed and updated the Hebrew language file [LWC, Dirk]
- New Ukrainian language file (Windows-1251), provided by Vitaliy Biliyenko
- New Ukrainian language files (UTF-8 and KOI8-U encoding) for Geeklog, the
Spam-X, and Static Pages plugins, provided by Yaroslav Fedevych
Oct 9, 2005 (1.3.11sr2)
-----------
This release provides security enhancements and better spam protection
originally developed for Geeklog 1.3.12. It also addresses a few bugs where
the bugfix could be integrated with a reasonable amount of work (other bugfixes
will have to wait for the 1.3.12 release).
Security and Spam protection:
- Added speedlimit to login attempts, defaults to allowing three tries in a
five minute period. [Vinny]
See new config options $_CONF['login_attempts'] and $_CONF['login_speedlimit']
- Changed the spam handling to update the speed limit when spam is detected
(i.e. handle spam posts as if they were successful posts and make the
submitter wait for the speed limit to expire). Also send a 403 "Forbidden"
HTTP response code when displaying the "spam detected" message [Dirk]
To quote RFC2616: "403 Forbidden: The server understood the request, but is
refusing to fulfill it. Authorization will not help and the request SHOULD
NOT be repeated."
- Filter linefeeds in the To:, From:, and Subject: fields of an email in
COM_mail [Dirk]
- When a new user account is created and the user submission queue is enabled
in config.php, ensure that the user is properly "queued" even in the
unlikely event that the account creation fails halfway through (reported by
LWC) [Dirk]
- When $_CONF['emailstoryloginrequired'] = 1, hide the links to the "email
story" form from anonymous users [Dirk]
- When emailing a story, check the user's message that is sent with the story
for spam [Dirk]
- Added a robots.txt file to the distribution. By default, it excludes
comment.php, submit.php, and the docs directory from being spidered [Dirk]
- Added a spam check to the user profile [Dirk]
- Story, event, and link submissions are now also checked for spam [Dirk]
- This release also includes the Spam-X plugin version 1.0.2
Please note that MT-Blacklist (used by Spam-X) has recently been discontinued.
For the time being, we provide the last version of the blacklist for download
from geeklog.net (the Spam-X plugin as included in this release is configured
to get it from there for the initial import). There will, however, be no
updates the blacklist. For details, please see
http://www.geeklog.net/article.php/mt-blacklist-discontinued
Bugfixes:
- Fixed an error message thrown up by PHP 5.0.5 or later when viewing the
article page (bug #483) [Dirk]
- Fixed bug with topic-specific blocks not showing up on the article page when
URL rewriting was enabled (bug #401) [Dirk]
- Fixed missing site header when trying to submit an event without required
fields. Also fixed that it would redirect you to the story submission form
then (bug #409) [Dirk]
- Make sure {menu_elements} is rendered using the menuitem_none.thtml template
when no menu elements are to be displayed (bug #378) [Dirk]
- Quote names in email addresses as soon as they contain any non-alphanumeric
characters (apart from the blank). This also addresses bug #368 [Dirk]
- Allow single quotes in passwords (bug #396, also previously reported as
bug #349 / #996354) [Dirk]
- When $_CONF['profileloginrequired'] was set to 1, the actual message that
you have to log in before being able to see a user profile was not wrapped
in the Geeklog framework (reported by Sean C) [Dirk]
- Fix: Made a story's archive/expire date work with the timezone hack [Dirk]
- COM_applyFilter will now accept negative numbers if the isnumeric parameter
is true. Needed to fix problems with pollbooth.php (and others) [Vinny]
- Upgraded included kses class to version 0.2.2 which fixes problems with
Japanese and Thai characters (among other things), thus addressing bugs #94
and #119 [Dirk]
- Fixed SQL error when using the [staticpage:] autotag (bug #373) [Dirk]
- Added a missing stripslashes call to remove backslashes when a topic's name
was displayed in the index page's title (bug #369) [Dirk]
- Link tags are now translated in printer friendly mode (Bug #411) [Mike]
- Removed the entry from the Professional theme's
header.thtml as "INDEX,FOLLOW" is the default anyway. For finer control,
we now ship a robots.txt [Dirk]
Improvements:
- Don't check for auto-archived stories when no archive topic has been
defined yet [Dirk]
- Added support for a custom_usercheck function. Custom registration code that
requires certain information can now abort the creation of a new account if
that information is missing. The function is called after Geeklog has checked
that the username and email address of the new user are okay (valid and not
in the database yet), but before the user has been added to the database
[Dirk]
- Saved one SQL request for a story's printable view [Dirk]
Language files:
- Made sure all language files refer to Geeklog's [image] tags as [imageX],
[imageX_right], and [imageX_left] (bug #381) [Dirk]
- New Catalan language file, provided by an anonymous user
- New Russian (UTF-8) language file, provided by Konstantin Boyandin
- Updated Hebrew language file, provided by LWC
- Updated Hellenic (Greek) language file, provided by MzOzD
- Updated Italian language file, provided by Marcello Teodori
- Updated Japanese (UTF-8) language file, provided by Yusuke Sakata
- Updated Portuguese (Brazil) language file, provided by Alcides Soares Filho
- Updated Russian language file, provided by Konstantin Boyandin
- New Japanese (UTF-8) language file for the Static Pages plugin, provided by
Yusuke Sakata
- Updated Italian language file for the Static Pages plugin, provided by
Marcello Teodori
- Updated Japanese language file for the Static Pages plugin, provided by
Yusuke Sakata
Aug 21, 2005 (Spam-X plugin 1.0.2)
------------
- Changed the display name of the plugin to "Spam-X" to avoid potential
confusion with the email spam filter of the same name.
"SpamX" is a registered trademark of Hendrickson Software Components.
- Added a new module to filter posts based on the IP address of the poster
[Tom Willet]
- Added a new module to filter posts based on the IP address of the
spamvertised site [Tom Willet]
- Added a new module to filter posts based on characteristics of the HTTP header
[Dirk]
- Fixed the Mass Delete Spam Comments module [Tom Willet]
- The Spam-X plugin's examine modules run the post through html_entity_decode()
now in case the spammers try to obfuscate their posts by using HTML entities
[Tom Willet, Dirk]
- The Mail Admin action module now also reports the HTTP headers of the post
that triggered the spam filter [Dirk]
- Added a simple stats function (reports the number of posts deleted as spam,
and - to the Spam-X Admin only - the number of entries for each module) [Dirk]
- Implemented an update function for the plugin [Dirk]
- New Farsi (Persian) language file, provided by Hesam.H
- New Italian language file, provided by Marcello Teodori
- New Spanish language file, provided by vivi1123
Jul 3, 2005 (1.3.11sr1)
-----------
This release addresses the following security issue:
Stefan Esser found an SQL injection that can, under certain circumstances,
be exploited to extract user data such as the user's password hash.
Dec 31, 2004 (1.3.11)
------------
Geeklog 1.3.11 addresses the following security issues:
1. It was possible to submit stories anonymously even if anonymous submissions
were turned off in config.php (reported by Barry Wong).
These stories still ended up in the submission queue, though, unless you
disabled it in config.php.
2. Some of the parameters in link and event submissions weren't filtered,
leaving them open to potential SQL injections.
3. The links for the What's Related block were created from the unfiltered story
text, opening the possibility of XSS attacks (reported by Vincent Furia).
Bugfixes:
- Added a missing stripslashes() call for the topic name in the What's Related
block (bug #351) [Dirk]
(affected file: system/lib-story.php)
- Fixed problems in the story editor when editing plain-text posts with
uploaded images (bug #356) [Dirk]
(affected file: public_html/admin/story.php)
- When changing a story ID, update the story ID in any comments to that story,
too (bug #357) [Dirk]
(affected file: public_html/admin/story.php)
- Fixed handling of autotags that started with the same substring, e.g. for
2 tags 'mytag' and 'mytagtwo', the second tag would not be recognized
(reported by Dr. Shakagee) [Dirk]
(affected file: system/lib-plugins.php)
- Fixed caching of $_GROUPS [Dirk]
(affected files: system/lib-security.php, public_html/lib-common.php)
- Made a minor optimization to save one SQL request when displaying the comment
bar for anonymous users [Dirk]
(affected file: public_html/lib-common.php)
- Updated Slovenian language file, provided by gape.
(affected file: language/slovenian.php)
Dec 22, 2004 (1.3.11rc1)
------------
- Fixed "archive" option being activated too early on certain non-featured
stories (bug #345) [Blaine]
- Added missing handling of autotags in static pages being displayed as center
blocks (reported by Jill) [Dirk]
- Fixed size of the 'sid' field in the gl_comments table. It should be 40
characters, to be able to hold the long story IDs introduced in 1.3.10
(reported by Douglas Santos) [Dirk]
- When using mogrify (ImageMagick) to resize uploaded images, the name of the
image is now enclosed in double quotes instead of single quotes, which
caused the command to fail on Windows [Dirk]
- The emails sent from the Spam-X plugin's MailAdmin action now also include
the IP address of the spam poster [Dirk]
- SEC_getFeatureGroup() should not overwrite $_GROUPS if not operating on the
current user (bug #331) [Dirk]
- Introduced a {camera_icon} variable in story and comment templates that
displays the little camera icon if the author has uploaded a user photo, just
like in the Who's Online block (suggested by Laurence Whitworth) [Dirk]
- The parent link in top-level comments took the user to the homepage rather
than to the article page (bug #346) [Vinny]
- Stories submitted for the archive topic will automatically be saved with
frontpage = 0 when approved, i.e. only be displayed in the topic [Dirk]
- Avoid emitting an extra
tag after the last section in the What's New block (bug #330) [Dirk] - Update comment count in Older Stories block when a new comment is posted (bug #317). Also optimized the code to collect the contents of the Older Stories block [Dirk] - Fixed extra
being emitted in the calendar for events that aren't visible for the current user (bug #268) [Dirk] - (Event) Admins can now delete events directly from the calendar's day and week views (just like events in the personal calendar) [Dirk] - Fixed usersettings.php so that it displays the "benefits" message again when called up by an anonymous user. Also made it go to the user's preferences when called without a 'mode' parameter [Dirk] - Added {layout_url} to the available theme variables in the submission forms. Also added {separator} for those who prefer correct spelling ;-) [Dirk] - More parameter filtering and permission checks in submit.php [Dirk] - Fixed over-zealous parameter filtering in links.php which prevented categories with apostrophes from working [Dirk] - Fixed broken URLs when editing a plain-text story that contained uploaded images (reported by LWC) [Dirk] - The PEAR classes that ship with Geeklog actually require PHP 4.2.x now. However, the missing functions in older PHP versions (minimum requirement for Geeklog itself is now PHP 4.1.0) are provided by the PEAR PHP_Compat package, which we will have to ship with Geeklog from now on. Added the necessary code to lib-common.php to load PHP_Compat, if required [Dirk] Many thanks to Tom Willet for providing a test setup. - Fixed "quick add form" for personal events, so that it stores the new event directly now [Dirk] - Fixed handling of 12am/pm in events, event submissions, and when passing the time from the calendar to the event submission forms [Dirk] - Improved handling of personal events / personal calendar, especially for (Event) Admins [Dirk] - Fixed What's Related links when magic_quotes_qpc = on [Vinny, Dirk] - Fixed use of an undefined variable $U in COM_showBlocks and warning messages for undefined array indexes in COM_getCurrentURL (reported by irawen) [Dirk] - Allow empty search query strings so that the "More by" and "More
from " options work again [Dirk]
- When deleting a poll, also delete any comments to that poll [Dirk]
- Delete comments and story images when deleting stories from a deleted topic
(bug #339) [Dirk]
- When deleting a story, added an extra check for type='article' when deleting
the story's comments [Dirk]
- Set current user as the owner when cloning an event (bug #338) [Dirk]
- Start time, end time, and event location weren't copied over when adding a
site event to the personal calendar (bug #336) [Dirk]
- Fixed wrong use of htmlentities() on comment title (bug #335) [Dirk]
- Changed "read more" word count so that it ignores HTML tags (bug #333) [Dirk]
- Updated Slovenian language file, provided by gape.
- Updated Dutch language file, provided by Ko de Pree.
- Updated Dutch language file for the Static Pages plugin,
provided by Ko de Pree.
- New French language files for the Spam-X plugin, provided by Alain Ponton.
Nov 28, 2004 (1.3.10)
------------
- Allow omission of the link text for the [story:], [event:], and [staticpage:]
autotags. Geeklog will then use the title (of the story / event / static page)
as the link text [Dirk]
(affected files: system/lib-plugins.php, plugins/staticpages/functions.inc)
- Updated Chinese language files (all 4 of them), provided by Samuel M. Stone
Nov 21, 2004 (1.3.10rc3)
------------
- Changed wording of the error message if the "backups" directory is not
writable [Dirk]
- Fixed comments for the DB_result (in lib-database.php) and dbResult
(in mysql.class.php) functions (bug #320) [Dirk]
- Display a success message when using the "changepw" option in admin/user.php
[Dirk]
- When changing a username, make sure to change the name of the user's photo,
too (bug #321) [Dirk]
- Links in "plain text" stories and comments are now made clickable (i.e.
enclosed in tags) when the post is saved instead of when it's displayed,
as in the previous release candidates. This also fixes bug #308. [Dirk]
- Added $_CONF['disable_autolinks'] config option to disable autolinks [Dirk]
- Removed ViewBlacklist.Admin.class.php from the Spam-X plugin [Tom Willet]
- Overhauled handling of personal events [Dirk]:
+ Fixed deleting personal events (again).
+ The upcoming events block now links to the event details of personal
events (just like it already did for site events).
+ Added stricter checks for permissions, user IDs, and the personal calendars
being activated in the first place.
- Added a check for allow_url_fopen if reading a (RSS) feed fails and report it
in error.log if it is off [Dirk]
- When deleting a story (automatically), make sure we're only deleting comments
belonging to that story (i.e. added a check for type = 'article') [Dirk]
- Added {event_type}, {lang_event_type}, and {edit_icon} in all the themes'
calendar/eventdetails.thtml template file [Dirk]
- Fixed some URLs in the calendar (missing slash) [Dirk]
- Comment IDs don't have to be numeric (in comment.php) [Vinny]
- The Static Pages plugin now takes $_CONF['showfirstasfeatured'] into account
when displaying static pages in center blocks (reported by eyecravedvd) [Dirk]
- Forgot to declare $_CONF as global when fixing bug #301 (bug #302) [Dirk]
- Updated Chinese language files (all 4 of them), provided by Samuel M. Stone
- Updated Japanese language files (euc-jp and UTF-8), provided by Yusuke Sakata
- Updated Polish language file, provided by Robert Stadnik
- Updated Slovenian language file, provided by gape
- Updated Spanish language file, provided by Angel Romero
- Updated Swedish language file, provided by Markus Berg
Oct 24, 2004 (1.3.10rc2)
------------
- Fixed plugin update function [Blaine]
- Set the target encoding in Geeklog's RSS parser (bug #301) [Dirk]
- Set the {topic_icon} variable to an empty string for the "Home" link in the
Topics block (reported by jhwhite) [Dirk]
- Fixed News Box Configuration, i.e. the ability to disable blocks [Vinny]
- In the story template files, the number of comments now only is a link when
there actually is a comment on the story [Dirk]
- Hard-coded the English word 'delete' in the URLs to delete a comment [Dirk]
- For the list of a user's recent comments, use 'mode=view' to link directly
to a comment now [Dirk]
- Fixed comment id in comment notification emails [Dirk]
- Fixed display of the number of static pages that the user has access to (in
the Admin Block) [Dirk]
- COM_makeClickableLinks did not recognize links with the 'http:' at the
start of a line [Dirk]
- Re-introduced
between plugin sections in the What's New block, pretty much reverting the change suggested by feature request #292 [Dirk] - Introduced function COM_formatEmailAddress that creates a (more or less) RFC(2)822 compliant email address from a name and an address [Dirk] This function is now used for formatting the site address, as well as for addresses entered by the user in profiles.php and admin/mail.php. - The Spam-X plugin's MailAdmin action didn't send any email notifications, since the call to COM_mail was commented out ... [Dirk] - admin/mail.php and admin/group.php use the complete URL to the script in the tag in story search results (bug #260) [Dirk] - Added a second parameter to function COM_makeList that is used as a CSS class name in the list it returns (use {list_class_name} to get the actual class name, and {list_class} to get class="classname"). Changed the existing calls to COM_makeList to include class names, so that you can now use the following class names in your stylesheet to style lists: list-feed, list-new-comments, list-new-links, list-new-plugins, list-older-stories, list-personal-events, list-site-events, list-story-options, list-whats-related (the names should be self-explanatory) [Dirk] - Moved the docs directory to public_html/docs and added a link to it from the Admin's block (can be switched off in config.php by setting the new option $_CONF['link_documentation'] = 0) [Dirk] - Replaced 'ppmtojpeg' with 'pnmtojpeg' when using NetPBM for scaling uploaded JPEG images (bug #257) [Dirk] - Added a check (and a warning message) for PHP 4.1.0 to the install script, as that is our new minimum requirement [Dirk] - Rewrote install/success.php and added a link to install/check.php [Dirk] - Added the 'data' and 'pdfs' directory to install/check.php [Dirk] - Integrated the "welcome email hack": If the file 'welcome_email.txt' exists in the 'data' directory, the contents of that file are sent out as the welcome email to new users (instead of the hard-coded welcome message) [Dirk] - Introduced a 'data' directory ($_CONF['path_data'], defaulting to /path/to/geeklog/data) and use it for the batch user import, as Geeklog's base directory may not be writable on some setups (bug #77) [Dirk] - Sort list of older polls by date (newest first) and added paging [Dirk] - Make sure the old userphoto is deleted when uploading a new one (bug #228). So far, the old photo was not removed when the file type changed (e.g. from .gif to .jpg) [Dirk] - Don't assume the uploaded file in usersettings.php is always the userphoto - it may in fact belong to a plugin (bug #179). This bug prevented plugins from uploading their own files through the plugin API [Dirk] - Fixed repeating events in the personal calendar's day view (bug #232) [Dirk] - COM_siteHeader() now accepts a page title (to go between the page's... tags) as the second parameter, replacing the
$_CONF['pagetitle'] hack (which still works but should be avoided) [Dirk]
- In the site's page title, replace the site slogan with more meaningful
information, where possible, e.g. "Submit a Story" on the story submission
form, "Search Results", etc. (feature request #95) [Dirk]
- Fixed deleting events from the personal calendar (bug #199) [Dirk]
- Carry over the date and time from the calendar when Admins add a new event
(bug #132) [Dirk]
- Don't display "Site Events" headline in the Upcoming Events block when
personal calendars are off (feature request #151) [Dirk]
- Removed hard-coded am/pm formatted hours from the calendar's day view
(calendar/dayview/dayview.thtml) and replaced them with {xx_hour} variables,
where 'xx' is 0-23, which will be replaced with the hours formatted
according to the $_CONF['timeonly'] config variable [Dirk]
- Themes can now use a couple of CSS class names to style the small calendar (of
the previous and next month) in month view: .smallcal, .smallcal-headline,
.smallcal-week-even, .smallcal-week-odd, .smallcal-week-empty,
.smallcal-day-even, .smallcal-day-odd, and .smallcal-day-empty [Dirk]
- Improvements to the Story Archive Feature, UI tweaks, Language Extraction,
Added new field to the topics table. Admin now sets the archive topic in
the Topic Editor. Only one topic can be used - logic enforced. [Blaine]
- Don't emit the
in article.php when the story's body text is empty (based on patch #147, provided by Andy Maloney) [Dirk] - Set {article_url} variable when displaying the story in article.php [Dirk] - Fixed missing tags for the comment display mode and sort order drop-down menus in usersettings.php (patch #255, provided by machinari) [Dirk] - Hard-coded the names of the pseudo image tags in story.php, i.e. they are always [imageX], [imageX_left], and [imageX_right] now, independent of the current language file (bug #139) [Dirk] - Added the Auto-Archive Management feature. Optionally allows the Story Editor to archive or delete a story when the expire date is reached [Blaine] - Improved the commentbar to logically support comments viewed from comment.php [Vinny] - Removed a bug in comment.php that allowed a story/comment mismatch during display. This was not exploitable. [Vinny] - Integrated the timezone hack to compensate for time differences when your webserver is located in another timezone (original timezone hack by Yew Loong, with additions by "Joe" as well as several other geeklog.net users) [Dirk] - The calendar can now be configured so that the week starts on either a Sunday or a Monday - see new config variable $_CONF['week_start'] (based on a patch by bond_anton) [Dirk] - Sort the admin's list of events by date (newest first). Also added paging, a row number and parameter filtering. Paging and the row number require theme changes in admin/event/eventlist.thtml and listitem.thtml [Dirk] - Incorporated a patch provided by Drago Goricanec to sort the Admin's user list by uid [Dirk] - Introduced 2 config options for the Who's Online block: - $_CONF['whosonline_fullname'] will display the user's full name, - $_CONF['whosonline_anonymous'] does not display the names of registered users to anonymous visitors of the site. Both options are disabled by default [Dirk] - Added support for single quotes and nested tags to COM_extractLinks [Vinny] - The admin_html and user_html are now merged recursively (bug #240) [Vinny] - Remove colons from email addresses, as they have a special meaning, according to RFC(2)822, that we didn't intend (bug #6) [Dirk] - Fixed compilation of regexp if the search query ended or started with a space (the resulting error message would also expose the path to article.php), (bug #251) [Dirk] - Sort the admin's list of polls by date (newest first). Also added paging, a row number and parameter filtering. Paging and the row number require theme changes in admin/poll/polllist.thtml and listitem.thtml [Dirk] - Added paging to the plugin editor (for more than 25 installed plugins). A {google_paging} variable is needed in admin/plugins/pluginlist.thtml for the paging links to show up [Dirk] - Emails sent from the Admin's mail form (admin/mail.php) were always sent with the site name and site email address, even if you entered something else in the form. Also made admin/mail/mailform.thtml slightly less ugly [Dirk] - When deleting a topic, keep the blocks assigned to that topic (bug #247). They're assigned to 'all topics' and disabled, but kept around now. The same applies for topic feeds, which weren't handled at all before [Dirk] - Make sure upload errors for user photos and story images are displayed in a Geeklog block, not on a blank screen [Dirk] - Fixed description of DB_insertId() in lib-database.php and dbInsertId() in mysql.class.php: The functions take a resource, describing the opened link to the database, not a record set (pointed out by lgonze on IRC). [Dirk] - Plugins are now getting the key type passed to their search function, so that they can perform a search for "exact phrase", "all of these words", or "any of these words" as selected from the search form. [Dirk] - Use URL rewriting for the link to a story's printer-friendly version, when activated (bug #201) [Dirk] - Resizing an image didn't work when the image height exceeded the max. height but the image width was still below the max. width (bug #242) [Dirk] - Keeping the unscaled image when using GDlib didn't work (bug #197) [Dirk] - Added a workaround for the Zeus webserver so that blocks marked "homeonly" properly appear there (bug #244) [Dirk] - Previewing a story submission from admin/story.php before saving it left the original story submission in the submission queue while also adding it as a new story. This has been fixed now [Dirk] - Added {article_url} variable for article/printable.thtml so that we can print the proper URL to the article if URL rewriting is on [Dirk] - Added filtering for the $order parameter in article.php [Dirk] - Added {link_actual_url} variable in links.php, holding the actual URL of a link (not Geeklog's redirect URL via portal.php). Updated template file links/linkdetails.thtml in all default themes to use {link_actual_url} in a title attribute for the links [Dirk] - The event description now honors linefeeds to allow some basic text formatting [Dirk] - Escape all PCRE special characters in the code to highlight search query words (bug #200). Also moved the code to its own function, COM_highlightQuery, in lib-common.php [Dirk] - The contents and order of the menu entries, i.e. of the {menu_elements} variable in header.thtml, is now configurable in config.php (new config variable $_CONF['menu_elements']). It also includes an option to add custom entries by implementing a function CUSTOM_menuEntries() that returns the additional entries [Dirk] - Use an UPDATE request when increasing the number of times a story has been emailed [Dirk] - When an error occurs while creating a backup, the complete command line used to call mysqldump is now added to error.log [Dirk] - Added 'view' mode to allow links directly to a single comment (and optionally its children) in comments.php. [Vinny] - Added a few variables to be used in the eventdetails.thtml template file: {event_state_name} (full name of the state), {event_state_only} and {event_state_name_only} (abbreviated and full state name without the comma), {event_edit} (link to edit the event, if allowed for the current user), {edit_icon} (same, but with the edit icon instead of a text link), {lang_event_type} and {event_type} for the event type [Dirk] - Registered users can now report abusive comments to the site admin (inspired by Feature Request #171, which actually requested this for the forums). Requires new text strings in the language files and a new template file, comment/reportcomment.thtml [Dirk] - Bugfix: New users created through the batch import didn't get the email with their password [Dirk] - Moved function to create and send a password to lib-user.php to avoid having identical code in users.php, admin/user.php, and admin/moderation.php [Dirk] - Added {topic_image} variable (available in the topicoption.thtml and topicoption_off.thtml template files) so that you can use topic images in the Topics block (feature request #152) [Dirk] - COM_undoSpecialChars() now also handles (bug #192) [Dirk] - Fixed handling of HTML entities in [code] sections (bug #159) [Dirk] - Added an option to look up IP addresses (new variable $_CONF['ip_lookup'] in config.php, pointing to a service that does IP address lookups) [Dirk] - Fixed problems with the database backup when there were spaces in the path to the backups directory (bug #185). [Dirk] - Added email notification for new comments (feature request #155) [Dirk] - Added tracking of IP addresses of comment posters (as suggested by Michael Jervis) [Dirk] - Altered COM_article to improve performance by reducing queries. [Vinny] - Reduced DB queries in COM_showTopics to improve performance. [Vinny] - Cached enabled plugins to reduce db queries and improve performance. [Vinny] - Fixed SEC_inGroup not using $_GROUPS cache in several instances. [Vinny] - mysql.class.php now only runs mysql_connect once per page load. [Vinny] - The "Google paging" now has additional links to jump to the first and last page (patch provided by Niels Leenheer). [Dirk] - Introduced function COM_makeClickableLinks to turn URLs in text-only posts into clickable links (i.e. it's adding tags around URLs). [Dirk] - Changed the comment insert, delete, display algorithms for improved efficiency. They now use a modified preorder tree traversal method. [Vinny] - Comment limit now applies to all the comments displayed, not just the top level comments. [Vinny] - Added pagination ability to comments ({pagenav} template variable in startcomment.thtml). [Vinny] - Fixed typo in timer.class.php that broke the ->restart() function. [Vinny] - Make sure the database backup files are always sorted by (last modified) date (found & fixed by Alexander Schmacks). [Dirk] - Make sure the user's preferred comment limit is used when changing the comment display via the comment bar (bug #176). [Vinny] - When URL rewriting is activated, the "rewritten" URLs are now also used in all (RSS) feeds containing links to articles. [Dirk] - Experimental: On a fresh install, use InnoDB tables (instead of MyISAM) if the MySQL version running on the server supports them (usually as of MySQL 4.0). This should avoid locks on tables where hit counters and the actual data are stored in the same table, e.g. stories (suggested by Marc Von Ahn). [Dirk] - Fixed bug in the install script when upgrading from 1.3.8 or earlier: Check to see if the static pages plugin is installed before attempting to update its tables (reported by Rob Griffiths). [Dirk] - Implemented a change to DB_fetchArray, suggested by Niels Leenheer: Geeklog will now, by default, only return associative array indices. In case the numeric indices are needed, a new (optional) second parameter for DB_fetchArray has to be set to "true". [Dirk] - Removed extra quotes in SQL statements in admin/block.php to ensure compatibility with old MySQL versions (reported by Elmer Masters). [Dirk] - In admin/database.php, if the is_executable function is not available (e.g. on Windows), do at least a file_exists to check if the mysqldump executable exists in the path given in config.php. [Dirk] - Introduced function COM_getTopicSQL which returns part of an SQL request to check for a user's topic access [Dirk] (This was actually introduced in 1.3.9sr1 but missing from the changelog) Language files -------------- - New Bosnian language file, provided by Kenan Hodzic - Updated Croatian language file, provided by Roberto Bilic - New Indonesian language file, provided by Piotr Sobis - Updated Norwegian language file, provided by Torfinn Ingolfsen Static Pages Plugin 1.4.1 ------------------------- - Added a printable version for static pages (based on a concept by Jannetta S Lewis). Requires a new template file, printable.thtml, located in the static pages' template directory [Dirk] - Added support for autolinks and provide a [staticpage:] autotag [Dirk] - Added an option to sort the static pages that are added to a site's menu (see {plg_menu_elements} in header.thtml) by id, label, title, or date [Dirk] - The block templates used to wrap a static page in a block can now be overridden, using '_staticpages_block' and '_staticpages_centerblock' as the index for the $_BLOCK_TEMPLATE array [Dirk] - The plugin now checks for template files in the current theme's directory (layout/THEMENAME/staticpages) first before using the default template files from plugin/staticpages/templates [Dirk] - When displaying a static page, the plugin no longer checks if the current user is a member of the Root group, so that "Root" users shouldn't see static pages that are for anonymous users only [Dirk] This change was actually supposed to be in Static Pages 1.4 (Geeklog 1.3.9), but somehow didn't make it ... - For center blocks, ignore the "blank page" setting, unless it's for a page that is supposed to replace the entire frontpage (bug #234) [Dirk] - The static pages editor doesn't display a "delete" button for new and cloned pages any more (since, obviously, you can't delete what hasn't been saved yet ...). [Dirk] - Bugfix: Fresh installs of Geeklog 1.3.9 only allowed 20 characters for the static page ID, while installs upgraded from an earlier version allowed up to 40 characters [Dirk] - New Portuguese (Brazil) language file, provided by Alcides Soares Filho. Mar 5, 2006 (1.3.9sr5) ----------- This release addresses the following security issues: - Konstantin Dyakoff found an old bug in the session handling that would allow anyone to log in as any user. - James Bercegay of GulfTech Security Research reported several issues with Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary file access, and even injection and execution of arbitrary code. - Prevent execution of PHP code in "normal" blocks Jul 3, 2005 (1.3.9sr4) ----------- This release addresses the following security issue: Stefan Esser found an SQL injection that can, under certain circumstances, be exploited to extract user data such as the user's password hash. Dec 31, 2004 (1.3.9sr3) ------------ This release addresses 2 security issues: 1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong). These stories still ended up in the submission queue, though, unless you disabled it in config.php. 2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections. Oct 8, 2004 (1.3.9sr2) ----------- This release addresses 2 security issues: - Fixed a cross site scripting vulnerability caused by using the $topic variable in the language files ($LANG05[3]) where it should have been using '%s' instead (bug #293) [Vinny, Dirk] - It was possible to post comments to stories or polls for which comment posting had been switched off [Dirk] This was only a problem if you allowed anonymous posts or when spammers went through the trouble of actually signing up for an account before posting. Non-security related fixes: - Fixed lib-plugins.php to be compatible with PHP 5 [Dirk] - Includes updated PEAR packages to resolve email problems some users were having (especially with safe_mode being on). Jun 1, 2004 (1.3.9sr1) ----------- This release addresses the following security issues: - It was possible to post anonymous comments, even when anonymous comment posting had been switched off in config.php [Vinny, Dirk] - Added additional speed limit checks for comments and submissions [Vinny] - It was still possible to read the comments to stories, even when the user didn't have access to the story's topic (provided they knew the story id) [Vinny, Dirk] - If none of the topics were visible for anonymous users, the site's index page may still have displayed some stories for anonymous users, depending on the stories' permissions [Vinny, Dirk] - Users still got Daily Digest emails for topics from which they had been removed (bug #178) [Dirk] - It was possible to subscribe to the Daily Digest for all topics, even if the user did not have access to certain topics [Dirk] - Don't list stories or comments in the user profile if the current user isn't allowed to see the topics they were posted under (bug #208) [Dirk] Non-security related fixes: - Fixed an SQL error in COM_showTopics if users excluded topics in their preferences (reported by Rob Young) [Dirk] - Fixed sporadic "Duplicate entry '...' for key 1." messages in error.log (caused by the handling of pseudo-session ids for anonymous users) [Dirk] - Fixed incorrect author names in Daily Digest (bug #207) [Dirk] - The plugin_profileblocksedit_ Plugin API function wasn't working
due to a missing piece of code in usersettings.php [Dirk]
- COM_extractLinks will now ignore anchor tags that do not contain "href"
(bug #183) [Vinny]
Mar 14, 2004 (1.3.9)
------------
- Custom Registration function hook to custom_useredit added in the edituser()
when creating a new user from the admin screen. The custom function was not
being called if this was a new user [file: admin/user.php].
- Fixed wrong use of DB_count in COM_showPoll in lib-common.php. This may have
prevented people from voting on other polls once they voted on any poll on
a site [file: lib-common.php].
- Updated Danish language file, provided by ZooN.
- Updated Hebrew language file, provided by Tal Vizel (please note that this
file was made for 1.3.8-1 and is missing a few of the texts added in 1.3.9).
Mar 7, 2004 (1.3.9rc3)
-----------
- Fixed call to CUSTOM_mail and added a sample implementation in
lib-custom.php (commented out by default).
- Made an attempt to recover from duplicate session ids for anonymous users.
- Adding new topics always resulted in a "Please fill in the Topic ID and Topic
Name fields" error message, even if you did fill in both fields (this bug was
only introduced in 1.3.9rc2).
- Filter out backslashes.
- Comment titles were cut off at the first single or double quote (when
submitting a new comment).
- The text string $LANG04[89] in all language files must be enclosed in
double quotes, not single quotes.
- Updated Hebrew language file, provided by Tal Vizel.
- Updated Polish language file, provided by Robert Stadnik.
- Updated Polish language file for the Static Pages plugin, provided by
Robert Stadnik
- Updated Russian language file, provided by Denis Kuznetsov.
- Updated Slovenian language file, provided by gape.
- Included UTF-8 versions of the Croatian and Japanese language files,
provided by Samuel Stone.
Feb 29, 2004 (1.3.9rc2)
------------
- The new Admin interface for handling blocks (introduced in 1.3.9rc1) will
renumber the block order in steps of 10, which can lead to order numbers
> 255 if you have many blocks. Changed the 'blockorder' field in the
"gl_blocks" table from TINYINT to SMALLINT to compensate.
If you are upgrading from 1.3.9rc1, you will need to run the following SQL
request manually:
ALTER TABLE gl_blocks CHANGE blockorder blockorder smallint(5) unsigned NOT NULL default '1';
Replacing "gl_blocks" with the proper table name, if you are using a table
prefix other than 'gl_'. This step is not necessary when upgrading from 1.3.8
or earlier versions.
- The Group Admin restrictions introduced in 1.3.9rc1 didn't even let the
Admin assign unassigned features to groups (e.g. there was no way to add
the staticpages.PHP feature to the Static Page Admin group on a fresh
1.3.9rc1 install).
- When normal users tried to submit an event, they were redirected to the
story submission form (this bug was only introduced in 1.3.9rc1).
- Cosmetic changes in the beautifying of language names (in the user's
preferences).
- Fixed COM_extractLinks to work with links that follow [IMAGE] tags and more
generally handle the extraction of links better and more efficiently.
- If a function CUSTOM_mail() exists, it will be called instead of COM_mail(),
to allow users to implement their own function to send emails, if necessary.
- The Static Pages plugin now supports the "exact phrase", "all of these words",
and "any of these words" search options.
- Included a simplified custom registration example and made the naming
convention for the custom registration functions more consistent.
- Fixed display problems with comments in nested and threaded mode.
Please note that the template file comment/comment.thtml has changed (again)
since 1.3.9rc1!
- Don't rely on the Who's Online block being active when handling sessions
for anonymous users.
- Removed some unused code that handled the obsolete "layout" blocks.
- Try to guess the correct path separator when running on PHP < 4.3.0.
- When upgrading from a pre-1.3.9 install, the install script choked on
single quotes in the site name or site slogan.
- More parameter filtering.
- Included UTF-8 versions of the English, German, Finnish, and Chinese
(traditional and simplified) language files, provided by Samuel Stone.
- Added new Croatian language file, provided by Roberto Bilic.
- Added new Finnish language file, provided by Jussi Josefsson.
- Added new Hebrew language file, provided by Tal Vizel.
- Updated Dutch language file, provided by Wim Niemans.
Feb 16, 2004 (1.3.9rc1)
------------
- Use COM_getYearFormOptions() etc. for the event submission form in
submit.php, thus avoiding duplicated code.
- Plugins can now add their new entries to the What's New block by implementing
the new plugin_whatsnewsupported and plugin_getwhatsnew API functions.
This section can be enabled/disabled with the new $_CONF['hidenewplugins']
config variable.
- When a user is deleted, make sure we assign any objects that require Admin
access (blocks, topics, ...) to a user from the Root group.
- Slightly revamped the install script and made it catch (or silently ignore)
the most popular problems with the path to Geeklog ...
- Removed the hard-coded from {welcome_msg} and added it to the
header.thtml of the Classic, XSilver, and Yahoo themes (the other themes
either look fine without it or didn't use {welcome_msg} anyway).
- Added a missing stripslashes() call for link titles returned from a search.
- Fixed bug when highlighting search queries that contained a '*' (reported
by wlparks).
- Fixed a bug/typo introduced in 1.3.8-1sr4 that prevented you from deleting
story submissions from the Admin's story editor (reported by James Bothe).
- Changed all url fields in the database to hold up to 255 characters per URL.
Please note that the template files in most themes will limit the max.
number of characters to 96 or 128 characters. See docs/theme.html for more
information on how to update the themes.
- Fixed problems batch-importing users with single quotes in their names
(bug #141).
- The permissions for the "Group Admin" group have been changed such that
members of that group now only have access to groups of which they themselves
are a member of. When creating new groups, the rights (permissions) to chose
from are also limited to those that the Group Admin users have themselves.
These changes should make the Group Admin group more useful.
Note: Group admins can still see all the existing groups and who is a member
of those groups.
- Fixed search class so that the simplified and the advanced search return
the same results (as long as none of the advanced options are used).
- Added new config variable $_CONF['allowed_protocols'] which lets you specify
the protocols that are allowed to be used in a link (feature request #109).
Note: The kses class has a hard-coded list of allowed protocols to which
the above will be added. It is currently not possible to remove any of the
predefined protocols.
- Introduced variable {allowed_menu_elements} in header.thtml which only
includes those menu elements that the current user is allowed to use
(i.e. honoring the $_CONF['XXXloginrequired'] settings).
- COM_accessLog() now logs the user's uid and IP address automatically.
- The option to stay logged in for 1 year has been removed and an option to
not stay logged in (after the session has expired) has been added.
- Fixed display of default blocks in the user preferences.
- If the user chose not to see certain topics (by selecting them from the
"Excluded Items" list in the preferences) then don't list those topics in
the Topics block.
- After saving your account information, you are now redirected to your
profile page, so that you can see your changes as they would be displayed
for other users of the site.
- Integrated Vincent Furia's patches to use Geeklog's URL rewriting for links
to stories (i.e. article.php).
- In the story templates, you can now use {article_url} as the URL to the
article.php with the current story (e.g. for a "link to this story" link).
- There is a new file, system/lib-user.php, for user-related code that is
used by usersettings.php, admin/user.php, and admin/moderation.php.
- All template files that let you enter a URL are now using {max_url_length}
for the maxlength attribute.
- Access to admin/mail.php is now granted to all users with 'user.mail'
permissions (previously, users with that permission without being in the
'Mail Admin' group would see the "Mail Users" entry in the Admin block but
were refused access to it).
- The list of group names in the Mail Users form is now sorted alphabetically.
- Any unauthorized attempts to access the admin pages are now properly logged
in access.log.
- Fixed problems when resizing userphotos for user names that have spaces in
them (reported by Per on geeklog-users).
- Now accomodate strict webhosts who don't allow file uploads to the standard
image directory, you can now set a new configuration variable,
$_CONF['path_images'] to point to a directory outside of your webtree where
article images and user profile pictures will be saved and served from.
- Don't append a '-' to the page title if $_CONF['site_slogan'] is empty
(feature request #88).
- COM_getMonthFormOptions() now always lists the month names instead of only
the numbers. COM_getYearFormOptions() also lists the previous year.
- Changed admin/event.php to use the COM_getMonthFormOptions() etc. functions
from lib-common.php, thus avoiding duplicated code.
- In the calendar/calendar.thtml template file, you can now use {start_block}
and {end_block} to wrap the calendar in a block.
- Fixed a few display problems in case of errors in calendar_event.php. Also
made calendar.php display messages sent from calendar_event.php.
- Make sure the custom registration form is properly called from all relevent
places (bug #57).
- Single quotes are now silently stripped from topic IDs (bug #113).
- Fixed search displaying all the links for an empty search string, e.g. when
searching for "more from" some user (bug #87).
- Fixed link from search results that contained a '/' (bug #115).
- Comments from a story that has been marked as "draft" are no longer returned
from a search (bug #128).
- The Admin's link list now uses "google paging", 50 links per page (bug #104).
Note: Requires a change in the admin/link/linklist.thtml template file.
- (Block)Admins can now change the order of blocks and enable / disable blocks
directly from the Admin's list of blocks (based on a concept by stratosfear).
- An alternative interface to adding (multiple) users to a group is now
available from the Admin's list of groups. This feature requires JavaScript.
- Fixed display of permissions in the "Access" column of the Admin's list of
stories (didn't take Topic permissions into account).
- Fixed handling of "0" as a poll answer (bug #73).
- Added a check and warning message in admin/moderation.php if register_globals
is "off".
- Changed function COM_isEmail() to use PEAR::Mail/RFC822 to check for valid
email addresses.
- Added an edit icon to each theme (images/edit.gif). Variable {edit_icon} can
be used as an alternative to {edit_link}, i.e. as an icon that Story Admins
can click on to edit a story.
- You can now enable debug messages (to error.log) for the image upload by
setting $_CONF['debug_image_upload'] = true in config.php.
- When deleting a group, delete all references to that group from the
group_assignments table (bug #50). The install script will remove any
orphaned entries when upgrading the database to 1.3.9.
- The option to delete comments was only available to users in the Root group
(e.g. Admin). Since comments don't have permissions, comments can now be
deleted by users with Story Admin permissions for the story they are
commenting on (or Poll Admin permissions for comments on polls; bug #27).
- Display a generic (and localised) error message when there is a problem
importing an (RSS) feed - details will be available in error.log. Also checks
for empty (but existing) feeds now.
- When the user submission queue is activated, you now have an "edit" link
that takes you to the Admin's user editor (the profile link is now on the
username). Contributed by Ed Magin.
- COM_siteHeader() now uses output buffering for the eval(), preventing the
header from being output directly.
Note: This may require changes in 3rd party scripts, e.g. the Geeklog/Gallery
integration.
- The install script will set the 'date' field for links to sensible values
now (reconstructed from the date that's encoded in the link id).
- The author exclusion list in the preferences is now a (multi-select) listbox.
- A proper error message is now displayed if the Admin creates a new user or
changes an existing account with an email address that already exists (that
test was already introduced in 1.3.8-1 but the error message was confusing),
thus closing bug #24. Also checks for valid email addresses now.
- You can now use {author_fullname} and {author_photo} variables in comment
templates (feature request #35).
- Remove extra backslashes from new links in What's New block (bug #59).
- The [code] tag is now displayed in the list of allowed HTML tags.
- Image upload can now use the GD library (contributed by Rob Coenen).
If possible, GIF images will be converted to PNGs during upload. However,
some versions of the GD library may not allow to read GIF images at all.
- Geeklog now uses PEAR::Mail to send all emails.
In config.php, you can select whether emails should be sent via PHP's mail()
function, sendmail, or SMTP.
- Introduced /path/to/geeklog/system/pear as the directory to hold the PEAR
packages used by Geeklog. Currently, those are PEAR, Mail, Net_SMTP, and
Net_Socket. These packages will be included in the releases from now on.
- Introduced function COM_mail(). From now on, all Geeklog email will be sent
from this function (instead of using PHP's mail() function directly).
- When users try to register with an empty username or invalid email address,
make sure we're displaying a custom registration form (if one exists) when
displaying the error message (part 1 of bug #57).
- Prevent users from registering with an empty username (bug #56).
- Use $_CONF['emailstoriesperdefault'] when batch-adding users. Until now,
new users were subscribed to the Daily Digest automatically (bug #55).
- Added an 'edit' link to links/linkdetails.thtml, so that (Link) Admins can
edit links easily (contributed by Euan McKay).
- What's Related applied COM_checkHTML() on the entire block instead of on the
individual items, thus stripping out HTML from the template file (bug #52).
- Words from a search query are now properly highlighted in comments when the
words occured only in the comments (but not in the story).
- Integrated Vincent Furia's new comment code to use templates for comments
(instead of hard-coded HTML).
New template files: comment/comment.thtml, comment/thread.thtml.
Updated: comment/startcomment.thtml
- New Admin interface for content syndication (RSS feeds etc.). This lets you
create feeds for all the stories and per topic as well as for links and
(upcoming) events. Plugins can also provide feeds (through extensions of the
Plugin API). Additional feed formats (other than RSS 0.91) can be implemented
as new classes (xxx.feed.class.php).
Includes new admin/syndication template directory.
- Don't display the "delete" button in the Admin's Event editor when we're
editing a new event (reported by Simon Lord).
Static Pages Plugin 1.4
-----------------------
- It is now possible to disable the use of PHP in static pages entirely by
setting $_SP_CONF['allow_php'] = 0 in the static pages' config.php file.
If you don't plan on using PHP in static pages, it is recommended that you
do that as an additional security measure.
- You can now use "plain PHP" code in a static page, i.e. it doesn't need to
be written such that it returns all output in a 'return' statement. The
PHP checkbox has been replaced with a dropdown menu offering "do not execute
PHP", "execute PHP (return)" [that's the old way], and "execute PHP" [new].
- The ID of a static page can now have up to 40 characters.
- When displaying a static page, the plugin no longer checks if the current
user is a member of the Root group, so that "Root" users shouldn't see static
pages that are for anonymous users only.
- The option to wrap static pages in a block can now be applied to each page
individually. $_SP_CONF['in_block'] is only used as the default setting
for new pages.
- Static pages to be displayed after the featured story (in a center block) are
now displayed even if there is no featured story (after the static pages to
be displayed at the top of the page).
- Static pages are not wrapped in a block when the page format is set to "blank
page" (bug #60).
- Added a "Cancel" button in the static pages editor.
- Bugfix: Depending on the permission settings, the "Edit" link was sometimes
displayed for users without them having edit permissions for the static page.
It wasn't possible to edit the page, though, but the link shouldn't have
been there in the first place.
- For security reasons, the Static Page Admin group does not include
'staticpages.PHP' permissions by default any more.
- When a user is deleted, static pages created by that user can now either be
deleted or assigned to a Root user (see $_SP_CONF['delete_pages'] option).
Please see docs/staticpages.html for details.
Oct 8, 2004 (1.3.8-1sr6)
-----------
This release addresses 2 security issues:
- Fixed a cross site scripting vulnerability caused by using the $topic
variable in the language files ($LANG05[3]) where it should have been
using '%s' instead (bug #293) [Vinny, Dirk]
Note: german.php was not affected and is therefore not included.
- It was possible to post comments to stories or polls for which comment
posting had been switched off [Dirk]
This was only a problem if you allowed anonymous posts or when spammers
went through the trouble of actually signing up for an account before
posting.
Jun 1, 2004 (1.3.8-1sr5)
-----------
This release fixes a bug due to which it was possible to post anonymous
comments even when anonymous comment posting had been switched off in
config.php.
To upgrade from Geeklog 1.3.8-1sr4 to 1.3.8-1sr5, simply upload the included
comment.php, replacing the file of the same name on your webserver.
January 26, 2004 (1.3.8-1sr4)
----------------
This release addresses the following security issues:
1. It was possible for users in the Group Admin and User Admin groups to
become a member of the Root group (reported by Samuel M. Stone, bug #135).
2. Being admin for a certain area (e.g. Story Admin for stories) made it
possible to delete all objects in that area (e.g. stories) even if the
user was not supposed to have access to them, provided the id of the object
was known.
3. It was possible to delete other people's personal events if you knew the
event ID.
4. It was possible to browse through the comments of a story even if the user
did not have access to the actual story (reported by Peter Roozemaal).
5. Due to an XSS issue, it was possible to change someone's account settings
(including the password) if you got them to click on a specially crafted
link (reported by Jelmer, fix suggested by Vincent Furia).
6. The comment display suffered from the possibility of an SQL injection
(reported by Jelmer).
7. It was possible to inject Javascript code in the calendar (reported by
Jelmer).
8. It was possible to execute (but not save) Javascript code in the comment
preview (reported by Jelmer).
December 5, 2003 (1.3.8-1sr3)
----------------
This release addresses the following security-related issues:
1. As "dr.wh0" pointed out, the category field for link submissions was not
filtered at all. Although you probably can't cause too much harm with
those 32 characters, this has now been fixed.
2. Vincent Furia found that the restrictions for the form to email users
could be circumvented and could even be used to spam users.
In addition to fixing theses issues, there is now also a speed limit
on that form (defaults to the speed limit for story submissions).
3. There was a way to post comments anonymously even when posting for
anonymous users had been disabled.
4. It was possible to post comments under someone else's username.
October 14, 2003 (1.3.8-1sr2)
----------------
Jouko Pynnonen found a way to trick the new "forgot password" feature,
introduced in 1.3.8, into letting an attacker change the password for _any_
account. This release addresses this issue - there were no other changes.
The only thing you need to do is to replace the file users.php on your site
with the file that comes with this tarball. It's suggested that you change
the version number in your config.php to '1.3.8-1sr2' afterwards.
Please note that only Geeklog 1.3.8, 1.3.8-1, and 1.3.8-1sr1 are affected,
as this feature did not exist in earlier versions.
October 12, 2003 (1.3.8-1sr1)
----------------
This release is intended to address some of the security issues reported in
September and early October 2003.
1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
injections and CSS defacements.
When upgrading from an earlier version, please make sure to copy over the
$_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
config.php to your own copy of that file.
2. While almost all of the alleged SQL injection issues could not be
reproduced, this release includes an update to the MySQL class to not
report SQL errors in the browser any more (but only in Geeklog's error.log).
This will avoid disclosing any sensitive information as part of the error
message.
Please note that at the moment we do NOT recommend to use Geeklog with
MySQL 4.1 (which, at the time of this writing, is in alpha state and should
not be used on production sites anyway).
An upcoming release of Geeklog will address the remaining SQL issues,
including any problems with MySQL 4.1.
Other fixes (not security-related):
- When trying to guess the value of $_CONF['cookiedomain'], we need to remove
the port number from the URL, if there is one (bug #75).
- The full 1.3.8-1sr1 tarball also includes updated French (Canada) and
Turkish language files.
August 9, 2003 (1.3.8-1)
--------------
- When upgrading, the install script will now default the version selection to
the last version in the list (currently: 1.3.7) instead of the first one
(1.2.5-1).
- Don't allow HTML in static page titles (bug #26).
- Display the search form again if the query returned no results.
- Make sure we're not attempting to send a Daily Digest email to Anonymous.
- Prevent admin from changing a user's email address to one that's already used
by someone else (bug #24). The error message you get when you try this may
be confusing, though ("The username you tried saving already exists.") since
I don't want to introduce new texts in the language file at this point. To
be corrected later.
- Fixed a problem with the cookie timeout: When a user edited his/her profile
for the first time, the cookie timeout defaulted to 1 hour, while the default
in config.php was usually much longer (default: 1 week). So after editing
their profile for the first time, users didn't stay logged in as long as
before (unless they noticed that and changed the cookie timeout accordingly
themselves).
- Fixed problems in the install script when trying to find out the MySQL
version number.
- Fixed a problem collecting links for the What's Related block when the article
contained (uploaded) images.
- Words from a search query are now hightlighted in comments as well.
- You can now use variables {rss_url} and {rdf_file} in both the site header
and footer. Both variables hold the URL to the RSS feed.
- Fixed an occassional "call to member function of non-object" error message
in lib-plugins.php.
- Make sure the RSS feed and Older Stories block are updated when a story is
deleted.
- The language selection will only list files that end in .php and do not
start with a '.'.
- Fixed links to a user's comments from the Last 10 Comments block in the user
profile.
- Removed '&query=' from links in search results if the query was empty.
- Anonymous users couldn't use the advanced search even if
$_CONF['searchloginrequired'] was not set.
- Fix to disallow access to the extended search for anonymous users (i.e.
$_CONF['searchloginrequired'] works again as it did in 1.3.7)
- Fixed search by date.
- Template variable {uid_value} was always empty in the user's profile edit
form (in usersettings.php).
- New French (Canada) language file, provided by Jean-Francois Allard.
- Updated Dutch language file, provided by W. Niemans.
- Updated Bulgarian language file, provided by Vassil Simeonov and Itso Banov.
- Updated Spanish language file, provided by Angel Romero.
- New French (Canada) language file for the Static Pages plugin, provided by
Jean-Francois Allard.
- New Dutch language file for the Static Pages plugin, provided by W. Niemans.
July 17, 2003 (1.3.8)
-------------
- Added Blaine's sample code for the custom registration to lib-custom.php
(there's also an accompanying sample template file, memberdetail.thtml).
- "No new links" wasn't displayed in the What's New block when you didn't
have any links in the database or when the current user didn't have access
to any of them (reported by krove).
- Applied a patch by Tatsumi Imai to fix problems with Japanese characters
when editing polls (bug #17).
- Hide those story submissions from moderators that don't have access to the
topic.
- Use $HTTP_SERVER_VARS['PATH_INFO'] instead of $PATH_INFO for the url_rewrite
feature, since the latter doesn't seem to work on some setups (reported by
Peter Sieradzki).
- Updated Slovenian language file, provided by gape.
- Updated Polish language file for the Static Pages plugin, provided by
Robert Stadnik
July 6, 2003 (1.3.8rc2)
------------
- When failing to delete an image for a story (from the Admin's story editor),
only log this problem in the error.log but don't abort the script (reported
by Rob).
- When editing a story that used double quotes in the title, the title was cut
off after the first quote sign.
- Story Admins could edit stories in a topic they didn't have access to, if
they somehow found out the story id.
- When $_CONF['listdraftstories'] was enabled, moderation.php listed all stories
that had the "draft" flag set without checking for topic permissions (this
option was only introduced in 1.3.8rc1).
- For Story Admins, the Admin menu may have listed a greater number of stories
than the user actually had access to (didn't check for topic permissions).
- Fixed "Google paging" on the Admin's list of stories when the current user
didn't have access to all the topics (paging was only introduced in 1.3.8rc1).
- Try to prevent "illegal access" messages in error.log, caused by the plugin
page looking for uninstalled plugins.
- Upcoming events (in the block of the same name) are now sorted by start date
and start time, which makes more sense than the old start date, end date
sort order (reported by Peter Sieradzki).
- Fixed description of function DB_count() in lib-database.php (reported by
jose on IRC).
- Changed the "getBent" block to test the real admin directory in case it has
been renamed (bug #762881).
- Saving the user profile also saved the privacy options, setting them all to
"off" (reported by Dwight Trumbower).
- Check the topic permissions when doing a search on stories and comments.
- Check the topic permissions when displaying the new stories and comments in
the What's New block.
- Need to use date_sub() in the SQL request for the display=new mode on the
index page to ensure compatibility with old versions of MySQL (reported by
Markus Guske).
- New users created manually from the Admin's User menu were assigned a
random password, even when the Admin entered one (reported by TechFan).
This bug was only introduced in 1.3.8rc1.
- The printer-friendly version of a story in HTML format should not call
nl2br() on the story text (bug #762636).
- When attempting to edit a submission, check that it still exists in the
submission queue (since another Admin could already have handled it),
avoiding an SQL error (reported by Simon Lord).
- New language file for formal German (addressing the user as "Sie" instead of
"Du"), provided by Philip Sack.
- Updated Italian language file, provided by quess65.
- Updated Japanese language file, provided by Yusuke Sakata.
- Updated Polish language file, provided by Robert Stadnik.
- Updated Spanish language file, provided by Angel Romero.
- Updated Swedish language file, provided by Markus Berg.
- New formal German language file for the Static Pages plugin.
- New Italian language file for the Static Pages plugin, provided by quess65.
- New Japanese language file for the Static Pages plugin, provided by Yusuke
Sakata.
- New Swedish language file for the Static Pages plugin, provided by Markus Berg
June 29, 2003 (1.3.8rc1)
-------------
- Fixed SQL error when using quotes in a group description.
- Fixed bug where blocks assigned to a topic disappeared when viewing articles.
- Add new Plugin API PLG_getHeaderCode, Used to return JS Functions or other
Header Meta Tags required by the plugin. Added new variable {plg_headercode}
to the template header.thtml files.
- New search: You can search for the exact phrase, all of the words, or any of
the words from the query. Search words are highlighted in stories. Also,
results in stories and comments are listed separately.
- Added new block "Privacy Options" to the Preferences:
+ chose to receive email from admins and/or other users
+ chose to show up in Who's Online block
(Feature requests #609758 and #609759)
- New config option $_CONF['hide_author_exclusion'] to hide the author
exclusion list from the user's preferences (useful e.g. when it's a rather
long list but hardly used by the users of your site).
- Added tracking of users lastlogin to the userinfo table.
New $_CONF['lastlogin'] added to config.php - SESSION SETTINGS area
- Added an option in admin/group.php to list all the users belonging to a group.
- Added adminoption_off.thtml template file (for current entry in the Admin
menu) and topicoption.thtml and topicoption_off.thtml files (for entries in
the Topics/Sections menu).
- Geeklog will not accept topic ids containing spaces any more.
- Added new config option $_CONF['allow_account_delete'] to allow users to
delete their account (from their Account Information page).
- Posts (stories and comments) from deleted users will now be reassigned to
user "Anonymous".
- Removed the Geeklog version number from the footer of the default themes.
Instead, the version number is now displayed in the headline of the "Command
and Control" block (moderation.php) and next to the "GL Version Test" entry
in the Admin's functions block.
- New Norwegian language file, provided by Torfinn Ingolfsen.
- Introduced new config.php variable $_CONF['mysqldump_options'] that holds
additional options to be used when Geeklog calls mysqldump to do a backup
of the database.
- Added a check for an existing email address in the user's profile so that
users can't change their email address to one that's already in use for
another account.
- Pick up the 'postmode' default setting for the Admin's story editor.
- Stories in the Daily Digest are now sorted by date (newest first, as on the
index page).
- Changed handling of plugin comments slightly: Plugins will have to do the
'delete' operation on their comments on their own now since Geeklog can't
possibly know which (if any) permissions are needed to delete a comment.
The 'id' parameter in the call to plugin_handlecomment_ will now
always be the comment id.
- In another attempt to solve the various issues regarding "www vs. non-www"
URLs and related login problems:
+ Made sure all setcookie() calls use all 6 parameters
+ Try to guess the correct value for $_CONF['cookiedomain'] if it isn't set
+ Removed the redirection attempt from index.php
- When requesting a new password for your account, you can now enter either
your username or the email address you used to register with the site.
- Added a speed limit for requests for a new password (defaults to 5 minutes
between requests).
- The commentspeedlimit and submitspeedlimit tables have been replaced with a
general speedlimit table and three new functions operating on it have been
introduced (in lib-common.php). The new table has a 'type' field, so plugins
could easily implement their own speed limits.
- Introduced new "forgot password" functionality: When requesting a new password
for an account, the user will now receive an email with a link that s/he has
to click on. It will take the user to a form where s/he can enter a new
password (a unique id is contained in the URL and checked when entering the
new password, thus preventing misuse). The old password remains valid until a
new password is entered from this form, so the email can simply be ignored in
case the user didn't request a new password (cf. Feature Request #567979).
- Removed unused commentheader.thtml file from all default themes.
- Fixed the redirect after posting a comment to a poll (should return to the
poll, not to the index page).
- You can now "clone" events, i.e. make a copy of an existing event. This comes
in handy if you have a lot of similar events (e.g. repeating events).
Template files admin/event/eventlist.thtml and admin/event/listitem.thtml
need to be updated or the "clone" option will not show up ...
- Fixed a bug in the Admin's poll editor which let you enter more than
$_CONF['maxanswers'] answers for a poll. You may need to adjust your setting
of $_CONF['maxanswers'] or you may lose an answer when editing such a poll
(found & fixed by Tom Willet).
- Moved hard-coded HTML for the poll block and poll results to new template
files.
- When the theme uses a replacement function for COM_siteHeader and/or
COM_siteFooter, we need to pass it the same parameter that the replaced
function was being called with.
- Fixed "Last 10 comments by user" in the user's profile which was missing the
comments to polls.
- When a new user registers, we need to check for a valid email address
first (before searching the database to see if that address is already in use)
- You are now taken back to the moderation page after editing a story submission
- Fixed 'previous' link on the Admin's list of stories. Alternatively, you can
now use {google_paging} there (requires a change in the template).
- Added -Q option to the mysqldump call when doing a database backup. This will
enclose database names in quotes and thus prevent problems with special
characters in table names as used by some plugins (bug #712901).
- Set the max length of the input field for the event URL to 128 characters
(was 96) in the default themes (other themes may need adjusting).
- Fixed localisation of the date of all-day events in the event details.
- Added missing {event_location} variable in calendar/eventdetails.thtml
template files.
- Fixed display of events spanning several days in the personal calendar.
- Moved hard-coded HTML for the login form in the User Functions block to a new
template file.
- The Sections block now uses the useroption.thtml and the new
useroption_off.thtml template files for the list of topics. You can also use
$_CONF['hide_home_link'] to hide the "Home" link from the Sections block.
- New config option $_CONF['keep_unscaled_image'] allows you to keep the
original, unscaled image after upload (in stories only, for now). The smaller,
scaled image will be used as a thumbnail and link to the original image
(based on code provided by Alexander Schmacks).
- In admin/database.php:
+ Made sure we really display the last 10 backups (fix by Alexander Schmacks)
+ Display total number of backups in the directory
+ Moved hard-coded HTML for the list of backups to template files
+ Replaced $PHP_SELF with $_CONF['site_admin_url']/database.php since
$PHP_SELF seems to cause problems in some environments
- You can now make one topic the default topic. The topic selection in the
story submission form will then default to this topic.
- When clicking on the "contribute" link from the topic index page, the new
story will now default to the topic you just viewed.
This only works with themes that use the {menu_elements} variable in
header.thtml. Other themes can use the new variable {current_topic} which
holds '&topic=' when a topic is selected (and is empty otherwise).
- Integrated Vincent Furia's improvements for COM_exportRDF. You can now use
$_CONF['rdf_limit'] to limit the number of stories in the RDF file by
setting this to a number (e.g. 10) or a number of hours (e.g. 24h).
$_CONF['rdf_storytext'] lets you add the story's introtext to the RDF feed.
Also fixed a bug with un-escaped special characters in the feed's title.
- Added paging to the list of Static Pages (for more than 50 pages).
- Fixed problem with the Older Stories block disappearing when it was edited
(e.g. moved from left to right), bug #670673.
- Fixed "late" update of portal blocks (bug #681855).
- Fixed mixing of comments from different plugins, found & fixed by Alan McKay.
- A theme can provide its own functions to render the site header and footer
(this is not a new feature). Geeklog now expects those functions to be named
_siteHeader and _siteFoote, respectively. Until now,
it was, however, looking for the wrong function names ...
- Added the piece of code that is needed to make the Theme Tester work to
lib-common.php (won't do anything without the Theme Tester block).
- Fixed SQL query for displaying new comments in the What's New block, provided
by Marc Von Ahn (with some help from Rob Griffiths).
- Changes to make Geeklog install and work again on old versions of MySQL
(e.g. MySQL 3.22). Special thanks to Markus Guske for providing the fixes
for the What's New block and for testing the new install.
- Feb 13/03: (Blaine) Added new Plugin function to support Center Blocks
Included call to PLG_showCenterblock in index.php
- The user's signature is now appended to messages sent to another user.
- Feb 6/03: (Blaine) Added support for custom user registration and account
profile: Added hooks to users.php, usersettings.php and admin/user.php and
new $_CONF parm to enable
Developer is responsible for code to handle new form processing, account
record save, update and delete.
- The list of blocks now includes a column indicating whether the block is
enabled or disabled (will need changes in admin/block/listblocks.thtml and
listitem.thtml template files of custom themes).
- Variable {rdf_url} (available in footer.thtml) holds the URL of the RDF file.
- What's Related block is now created dynamically.
- Top Ten Commented Stories didn't count comments on stories submitted by
anonymous users (found & fixed by Laurence Whitworth).
- Allow users to change their username if $_CONF['allow_username_change'] is
set to 1.
- Jan 18/03: (Blaine) Corrected problem in mysql.class.php where the checks in
dbdelete, dbchange, dbcount and dbcopy for a passed value of 0 were not
sufficient. If the parameter was 0 - it was assuming it was empty.
Consequence: The dbdelete would delete all records or dbcount would return
count(*)
- Display Preferences and Comment Preferences have been merged. There is now
only one option, Preferences, in the User Functions block.
- Hard-coded HTML for the Display Preferences, Comment Preferences, and
Account information has been moved to template files (new "preferences"
directory).
Static Pages Plugin 1.3
-----------------------
- Integrated (and extended) the Static Pages plugin 1.2 (originally started by
Phill Gillespie and later supported by Tom Willet). This "combined" version
is now called Static Pages 1.3.
Use Geeklog's install script to upgrade from any previous version (1.1 or 1.2)
- Supports the use of PHP in static pages.
- You can now edit the ID of a static page to create more readable URLs like
http://yoursite/staticpages/index.php?page=about
In combination with Geeklog's $_CONF['url_rewrite'] option, the URL can even
look like http://yoursite/staticpages/index.php/page/about
- You can now "clone" static pages, i.e. make a copy of an existing page.
- Removed the "static pages on frontpage" hack and changed the plugin to use
the new Center Block API instead:
A static page can now be displayed on the top of the front page, on the
bottom, or after the featured story. It can also replace the front page
entirely. Instead of using special label names (like "frontpage"), the
display mode and position can now be selected from drop-down menus in the
static pages editor.
Please see docs/staticpages.html for details.
January 26, 2004 (1.3.7sr5)
----------------
This release addresses the following security issues:
1. It was possible for users in the Group Admin and User Admin groups to
become a member of the Root group (reported by Samuel M. Stone, bug #135).
2. Being admin for a certain area (e.g. Story Admin for stories) made it
possible to delete all objects in that area (e.g. stories) even if the
user was not supposed to have access to them, provided the id of the object
was known.
3. It was possible to delete other people's personal events if you knew the
event ID.
4. It was possible to browse through the comments of a story even if the user
did not have access to the actual story (reported by Peter Roozemaal).
5. Due to an XSS issue, it was possible to change someone's account settings
(including the password) if you got them to click on a specially crafted
link (reported by Jelmer, fix suggested by Vincent Furia).
6. The comment display suffered from the possibility of an SQL injection
(reported by Jelmer).
7. It was possible to inject Javascript code in the calendar (reported by
Jelmer).
8. It was possible to execute (but not save) Javascript code in the comment
preview (reported by Jelmer).
December 5, 2003 (1.3.7sr4)
----------------
This release addresses the following security-related issues:
1. As "dr.wh0" pointed out, the category field for link submissions was not
filtered at all. Although you probably can't cause too much harm with
those 32 characters, this has now been fixed.
2. Vincent Furia found that the restrictions for the form to email users
could be circumvented and could even be used to spam users.
3. There was a way to post comments anonymously even when posting for
anonymous users had been disabled.
4. It was possible to post comments under someone else's username.
October 12, 2003 (1.3.7sr3)
----------------
This release is intended to address some of the security issues reported in
September and early October 2003.
1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
injections and CSS defacements.
When upgrading from an earlier version, please make sure to copy over the
$_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
config.php to your own copy of that file.
2. While almost all of the alleged SQL injection issues could not be
reproduced, this release includes an update to the MySQL class to not
report SQL errors in the browser any more (but only in Geeklog's error.log).
This will avoid disclosing any sensitive information as part of the error
message.
Please note that at the moment we do NOT recommend to use Geeklog with
MySQL 4.1 (which, at the time of this writing, is in alpha state and should
not be used on production sites anyway).
An upcoming release of Geeklog will address the remaining SQL issues,
including any problems with MySQL 4.1.
May 26, 2003 (1.3.7sr2)
------------
Security issues:
1. It was possible to obtain valid session ids for every account (reported by
SCAN Associates).
2. Using Internet Explorer, it was possible to upload an image with embedded
PHP code and execute it (reported by SCAN Associates).
3. Story permissions could override topic permissions, resulting in the display
of stories to users who shouldn't have access to them (reported by Andrew
Lawlor).
Note: This was already fixed with the new index.php, released 2003-05-15.
4. Added a warning in config.php that adding any of the following tags to the
list of allowable HTML can make the site vulnerable to scripting attacks:
![]()
tag after the last section in the What's New block (bug #330) [Dirk] - Update comment count in Older Stories block when a new comment is posted (bug #317). Also optimized the code to collect the contents of the Older Stories block [Dirk] - Fixed extra
being emitted in the calendar for events that aren't visible for the current user (bug #268) [Dirk] - (Event) Admins can now delete events directly from the calendar's day and week views (just like events in the personal calendar) [Dirk] - Fixed usersettings.php so that it displays the "benefits" message again when called up by an anonymous user. Also made it go to the user's preferences when called without a 'mode' parameter [Dirk] - Added {layout_url} to the available theme variables in the submission forms. Also added {separator} for those who prefer correct spelling ;-) [Dirk] - More parameter filtering and permission checks in submit.php [Dirk] - Fixed over-zealous parameter filtering in links.php which prevented categories with apostrophes from working [Dirk] - Fixed broken URLs when editing a plain-text story that contained uploaded images (reported by LWC) [Dirk] - The PEAR classes that ship with Geeklog actually require PHP 4.2.x now. However, the missing functions in older PHP versions (minimum requirement for Geeklog itself is now PHP 4.1.0) are provided by the PEAR PHP_Compat package, which we will have to ship with Geeklog from now on. Added the necessary code to lib-common.php to load PHP_Compat, if required [Dirk] Many thanks to Tom Willet for providing a test setup. - Fixed "quick add form" for personal events, so that it stores the new event directly now [Dirk] - Fixed handling of 12am/pm in events, event submissions, and when passing the time from the calendar to the event submission forms [Dirk] - Improved handling of personal events / personal calendar, especially for (Event) Admins [Dirk] - Fixed What's Related links when magic_quotes_qpc = on [Vinny, Dirk] - Fixed use of an undefined variable $U in COM_showBlocks and warning messages for undefined array indexes in COM_getCurrentURL (reported by irawen) [Dirk] - Allow empty search query strings so that the "More by
between plugin sections in the What's New block, pretty much reverting the change suggested by feature request #292 [Dirk] - Introduced function COM_formatEmailAddress that creates a (more or less) RFC(2)822 compliant email address from a name and an address [Dirk] This function is now used for formatting the site address, as well as for addresses entered by the user in profiles.php and admin/mail.php. - The Spam-X plugin's MailAdmin action didn't send any email notifications, since the call to COM_mail was commented out ... [Dirk] - admin/mail.php and admin/group.php use the complete URL to the script in the tag in story search results (bug #260) [Dirk] - Added a second parameter to function COM_makeList that is used as a CSS class name in the list it returns (use {list_class_name} to get the actual class name, and {list_class} to get class="classname"). Changed the existing calls to COM_makeList to include class names, so that you can now use the following class names in your stylesheet to style lists: list-feed, list-new-comments, list-new-links, list-new-plugins, list-older-stories, list-personal-events, list-site-events, list-story-options, list-whats-related (the names should be self-explanatory) [Dirk] - Moved the docs directory to public_html/docs and added a link to it from the Admin's block (can be switched off in config.php by setting the new option $_CONF['link_documentation'] = 0) [Dirk] - Replaced 'ppmtojpeg' with 'pnmtojpeg' when using NetPBM for scaling uploaded JPEG images (bug #257) [Dirk] - Added a check (and a warning message) for PHP 4.1.0 to the install script, as that is our new minimum requirement [Dirk] - Rewrote install/success.php and added a link to install/check.php [Dirk] - Added the 'data' and 'pdfs' directory to install/check.php [Dirk] - Integrated the "welcome email hack": If the file 'welcome_email.txt' exists in the 'data' directory, the contents of that file are sent out as the welcome email to new users (instead of the hard-coded welcome message) [Dirk] - Introduced a 'data' directory ($_CONF['path_data'], defaulting to /path/to/geeklog/data) and use it for the batch user import, as Geeklog's base directory may not be writable on some setups (bug #77) [Dirk] - Sort list of older polls by date (newest first) and added paging [Dirk] - Make sure the old userphoto is deleted when uploading a new one (bug #228). So far, the old photo was not removed when the file type changed (e.g. from .gif to .jpg) [Dirk] - Don't assume the uploaded file in usersettings.php is always the userphoto - it may in fact belong to a plugin (bug #179). This bug prevented plugins from uploading their own files through the plugin API [Dirk] - Fixed repeating events in the personal calendar's day view (bug #232) [Dirk] - COM_siteHeader() now accepts a page title (to go between the page's
in article.php when the story's body text is empty (based on patch #147, provided by Andy Maloney) [Dirk] - Set {article_url} variable when displaying the story in article.php [Dirk] - Fixed missing tags for the comment display mode and sort order drop-down menus in usersettings.php (patch #255, provided by machinari) [Dirk] - Hard-coded the names of the pseudo image tags in story.php, i.e. they are always [imageX], [imageX_left], and [imageX_right] now, independent of the current language file (bug #139) [Dirk] - Added the Auto-Archive Management feature. Optionally allows the Story Editor to archive or delete a story when the expire date is reached [Blaine] - Improved the commentbar to logically support comments viewed from comment.php [Vinny] - Removed a bug in comment.php that allowed a story/comment mismatch during display. This was not exploitable. [Vinny] - Integrated the timezone hack to compensate for time differences when your webserver is located in another timezone (original timezone hack by Yew Loong, with additions by "Joe" as well as several other geeklog.net users) [Dirk] - The calendar can now be configured so that the week starts on either a Sunday or a Monday - see new config variable $_CONF['week_start'] (based on a patch by bond_anton) [Dirk] - Sort the admin's list of events by date (newest first). Also added paging, a row number and parameter filtering. Paging and the row number require theme changes in admin/event/eventlist.thtml and listitem.thtml [Dirk] - Incorporated a patch provided by Drago Goricanec to sort the Admin's user list by uid [Dirk] - Introduced 2 config options for the Who's Online block: - $_CONF['whosonline_fullname'] will display the user's full name, - $_CONF['whosonline_anonymous'] does not display the names of registered users to anonymous visitors of the site. Both options are disabled by default [Dirk] - Added support for single quotes and nested tags to COM_extractLinks [Vinny] - The admin_html and user_html are now merged recursively (bug #240) [Vinny] - Remove colons from email addresses, as they have a special meaning, according to RFC(2)822, that we didn't intend (bug #6) [Dirk] - Fixed compilation of regexp if the search query ended or started with a space (the resulting error message would also expose the path to article.php), (bug #251) [Dirk] - Sort the admin's list of polls by date (newest first). Also added paging, a row number and parameter filtering. Paging and the row number require theme changes in admin/poll/polllist.thtml and listitem.thtml [Dirk] - Added paging to the plugin editor (for more than 25 installed plugins). A {google_paging} variable is needed in admin/plugins/pluginlist.thtml for the paging links to show up [Dirk] - Emails sent from the Admin's mail form (admin/mail.php) were always sent with the site name and site email address, even if you entered something else in the form. Also made admin/mail/mailform.thtml slightly less ugly [Dirk] - When deleting a topic, keep the blocks assigned to that topic (bug #247). They're assigned to 'all topics' and disabled, but kept around now. The same applies for topic feeds, which weren't handled at all before [Dirk] - Make sure upload errors for user photos and story images are displayed in a Geeklog block, not on a blank screen [Dirk] - Fixed description of DB_insertId() in lib-database.php and dbInsertId() in mysql.class.php: The functions take a resource, describing the opened link to the database, not a record set (pointed out by lgonze on IRC). [Dirk] - Plugins are now getting the key type passed to their search function, so that they can perform a search for "exact phrase", "all of these words", or "any of these words" as selected from the search form. [Dirk] - Use URL rewriting for the link to a story's printer-friendly version, when activated (bug #201) [Dirk] - Resizing an image didn't work when the image height exceeded the max. height but the image width was still below the max. width (bug #242) [Dirk] - Keeping the unscaled image when using GDlib didn't work (bug #197) [Dirk] - Added a workaround for the Zeus webserver so that blocks marked "homeonly" properly appear there (bug #244) [Dirk] - Previewing a story submission from admin/story.php before saving it left the original story submission in the submission queue while also adding it as a new story. This has been fixed now [Dirk] - Added {article_url} variable for article/printable.thtml so that we can print the proper URL to the article if URL rewriting is on [Dirk] - Added filtering for the $order parameter in article.php [Dirk] - Added {link_actual_url} variable in links.php, holding the actual URL of a link (not Geeklog's redirect URL via portal.php). Updated template file links/linkdetails.thtml in all default themes to use {link_actual_url} in a title attribute for the links [Dirk] - The event description now honors linefeeds to allow some basic text formatting [Dirk] - Escape all PCRE special characters in the code to highlight search query words (bug #200). Also moved the code to its own function, COM_highlightQuery, in lib-common.php [Dirk] - The contents and order of the menu entries, i.e. of the {menu_elements} variable in header.thtml, is now configurable in config.php (new config variable $_CONF['menu_elements']). It also includes an option to add custom entries by implementing a function CUSTOM_menuEntries() that returns the additional entries [Dirk] - Use an UPDATE request when increasing the number of times a story has been emailed [Dirk] - When an error occurs while creating a backup, the complete command line used to call mysqldump is now added to error.log [Dirk] - Added 'view' mode to allow links directly to a single comment (and optionally its children) in comments.php. [Vinny] - Added a few variables to be used in the eventdetails.thtml template file: {event_state_name} (full name of the state), {event_state_only} and {event_state_name_only} (abbreviated and full state name without the comma), {event_edit} (link to edit the event, if allowed for the current user), {edit_icon} (same, but with the edit icon instead of a text link), {lang_event_type} and {event_type} for the event type [Dirk] - Registered users can now report abusive comments to the site admin (inspired by Feature Request #171, which actually requested this for the forums). Requires new text strings in the language files and a new template file, comment/reportcomment.thtml [Dirk] - Bugfix: New users created through the batch import didn't get the email with their password [Dirk] - Moved function to create and send a password to lib-user.php to avoid having identical code in users.php, admin/user.php, and admin/moderation.php [Dirk] - Added {topic_image} variable (available in the topicoption.thtml and topicoption_off.thtml template files) so that you can use topic images in the Topics block (feature request #152) [Dirk] - COM_undoSpecialChars() now also handles (bug #192) [Dirk] - Fixed handling of HTML entities in [code] sections (bug #159) [Dirk] - Added an option to look up IP addresses (new variable $_CONF['ip_lookup'] in config.php, pointing to a service that does IP address lookups) [Dirk] - Fixed problems with the database backup when there were spaces in the path to the backups directory (bug #185). [Dirk] - Added email notification for new comments (feature request #155) [Dirk] - Added tracking of IP addresses of comment posters (as suggested by Michael Jervis) [Dirk] - Altered COM_article to improve performance by reducing queries. [Vinny] - Reduced DB queries in COM_showTopics to improve performance. [Vinny] - Cached enabled plugins to reduce db queries and improve performance. [Vinny] - Fixed SEC_inGroup not using $_GROUPS cache in several instances. [Vinny] - mysql.class.php now only runs mysql_connect once per page load. [Vinny] - The "Google paging" now has additional links to jump to the first and last page (patch provided by Niels Leenheer). [Dirk] - Introduced function COM_makeClickableLinks to turn URLs in text-only posts into clickable links (i.e. it's adding tags around URLs). [Dirk] - Changed the comment insert, delete, display algorithms for improved efficiency. They now use a modified preorder tree traversal method. [Vinny] - Comment limit now applies to all the comments displayed, not just the top level comments. [Vinny] - Added pagination ability to comments ({pagenav} template variable in startcomment.thtml). [Vinny] - Fixed typo in timer.class.php that broke the ->restart() function. [Vinny] - Make sure the database backup files are always sorted by (last modified) date (found & fixed by Alexander Schmacks). [Dirk] - Make sure the user's preferred comment limit is used when changing the comment display via the comment bar (bug #176). [Vinny] - When URL rewriting is activated, the "rewritten" URLs are now also used in all (RSS) feeds containing links to articles. [Dirk] - Experimental: On a fresh install, use InnoDB tables (instead of MyISAM) if the MySQL version running on the server supports them (usually as of MySQL 4.0). This should avoid locks on tables where hit counters and the actual data are stored in the same table, e.g. stories (suggested by Marc Von Ahn). [Dirk] - Fixed bug in the install script when upgrading from 1.3.8 or earlier: Check to see if the static pages plugin is installed before attempting to update its tables (reported by Rob Griffiths). [Dirk] - Implemented a change to DB_fetchArray, suggested by Niels Leenheer: Geeklog will now, by default, only return associative array indices. In case the numeric indices are needed, a new (optional) second parameter for DB_fetchArray has to be set to "true". [Dirk] - Removed extra quotes in SQL statements in admin/block.php to ensure compatibility with old MySQL versions (reported by Elmer Masters). [Dirk] - In admin/database.php, if the is_executable function is not available (e.g. on Windows), do at least a file_exists to check if the mysqldump executable exists in the path given in config.php. [Dirk] - Introduced function COM_getTopicSQL which returns part of an SQL request to check for a user's topic access [Dirk] (This was actually introduced in 1.3.9sr1 but missing from the changelog) Language files -------------- - New Bosnian language file, provided by Kenan Hodzic - Updated Croatian language file, provided by Roberto Bilic - New Indonesian language file, provided by Piotr Sobis - Updated Norwegian language file, provided by Torfinn Ingolfsen Static Pages Plugin 1.4.1 ------------------------- - Added a printable version for static pages (based on a concept by Jannetta S Lewis). Requires a new template file, printable.thtml, located in the static pages' template directory [Dirk] - Added support for autolinks and provide a [staticpage:] autotag [Dirk] - Added an option to sort the static pages that are added to a site's menu (see {plg_menu_elements} in header.thtml) by id, label, title, or date [Dirk] - The block templates used to wrap a static page in a block can now be overridden, using '_staticpages_block' and '_staticpages_centerblock' as the index for the $_BLOCK_TEMPLATE array [Dirk] - The plugin now checks for template files in the current theme's directory (layout/THEMENAME/staticpages) first before using the default template files from plugin/staticpages/templates [Dirk] - When displaying a static page, the plugin no longer checks if the current user is a member of the Root group, so that "Root" users shouldn't see static pages that are for anonymous users only [Dirk] This change was actually supposed to be in Static Pages 1.4 (Geeklog 1.3.9), but somehow didn't make it ... - For center blocks, ignore the "blank page" setting, unless it's for a page that is supposed to replace the entire frontpage (bug #234) [Dirk] - The static pages editor doesn't display a "delete" button for new and cloned pages any more (since, obviously, you can't delete what hasn't been saved yet ...). [Dirk] - Bugfix: Fresh installs of Geeklog 1.3.9 only allowed 20 characters for the static page ID, while installs upgraded from an earlier version allowed up to 40 characters [Dirk] - New Portuguese (Brazil) language file, provided by Alcides Soares Filho. Mar 5, 2006 (1.3.9sr5) ----------- This release addresses the following security issues: - Konstantin Dyakoff found an old bug in the session handling that would allow anyone to log in as any user. - James Bercegay of GulfTech Security Research reported several issues with Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary file access, and even injection and execution of arbitrary code. - Prevent execution of PHP code in "normal" blocks Jul 3, 2005 (1.3.9sr4) ----------- This release addresses the following security issue: Stefan Esser found an SQL injection that can, under certain circumstances, be exploited to extract user data such as the user's password hash. Dec 31, 2004 (1.3.9sr3) ------------ This release addresses 2 security issues: 1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong). These stories still ended up in the submission queue, though, unless you disabled it in config.php. 2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections. Oct 8, 2004 (1.3.9sr2) ----------- This release addresses 2 security issues: - Fixed a cross site scripting vulnerability caused by using the $topic variable in the language files ($LANG05[3]) where it should have been using '%s' instead (bug #293) [Vinny, Dirk] - It was possible to post comments to stories or polls for which comment posting had been switched off [Dirk] This was only a problem if you allowed anonymous posts or when spammers went through the trouble of actually signing up for an account before posting. Non-security related fixes: - Fixed lib-plugins.php to be compatible with PHP 5 [Dirk] - Includes updated PEAR packages to resolve email problems some users were having (especially with safe_mode being on). Jun 1, 2004 (1.3.9sr1) ----------- This release addresses the following security issues: - It was possible to post anonymous comments, even when anonymous comment posting had been switched off in config.php [Vinny, Dirk] - Added additional speed limit checks for comments and submissions [Vinny] - It was still possible to read the comments to stories, even when the user didn't have access to the story's topic (provided they knew the story id) [Vinny, Dirk] - If none of the topics were visible for anonymous users, the site's index page may still have displayed some stories for anonymous users, depending on the stories' permissions [Vinny, Dirk] - Users still got Daily Digest emails for topics from which they had been removed (bug #178) [Dirk] - It was possible to subscribe to the Daily Digest for all topics, even if the user did not have access to certain topics [Dirk] - Don't list stories or comments in the user profile if the current user isn't allowed to see the topics they were posted under (bug #208) [Dirk] Non-security related fixes: - Fixed an SQL error in COM_showTopics if users excluded topics in their preferences (reported by Rob Young) [Dirk] - Fixed sporadic "Duplicate entry '...' for key 1." messages in error.log (caused by the handling of pseudo-session ids for anonymous users) [Dirk] - Fixed incorrect author names in Daily Digest (bug #207) [Dirk] - The plugin_profileblocksedit_