GeekLog History/Changes:
Dec 31, 2006 (1.4.1)
------------
- Changed the default character set in config.php back to iso-8859-1 [Dirk]
- Removed display of the site URL from admin/sectest.php. On sites not installed
in the webroot, it did not display the site's actual URL, which only causes
confusion (reported by Dazzy) [Dirk]
- Fixed conflict between the Spam-X DeleteComment and SLVreport action
modules which prevented the count of deleted spams from being incremented
[Dirk]
- Fixed max. allowed length for a user's homepage (128) and location (96) in the
preferences/profile.thtml template file (reported by burjans) [Dirk]
- Fixed page title after a successful batch import of users (which read "Error")
[Dirk]
- Back in Geeklog 1.4.0, a counter was added to the Spam-X plugin to count all
deleted spam posts. The counter was only added in fresh installs of 1.4.0,
though, but not when upgrading from an earlier version. Fixed that [Dirk]
- In lists created from the Links and Calendar plugins, use "links-new-plugin"
as the CSS class name [Oliver]
- Updated Estonian language file, provided by Artur Räpp
- Updated Russian language file, provided by Alexander Yurchenko
- New Russian language file for the Calendar plugin, provided by Alexander
Yurchenko
- Updated Turkish language file, provided by Kemal Cellat
Dec 17, 2006 (1.4.1rc1)
------------
- Improved handling of UTF-8 feeds (feature request #631) [Mike, Dirk]
- Fixes for the remaining MS SQL issues (bugs #620, #621, #622, #624)
[Randy Kolenko, Dirk]
- Initialize SQL request arrays to prevent PHP errors (e.g. with static pages),
reported by ldfoo [Dirk]
- Escape the '#' sign in spam checks since we're using it as the separator
character for the regexp [Dirk]
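The delimiter problem behind this entry, shown as an added illustration that is not Geeklog's own code: it assumes the spam check wraps each blacklist entry as '#' . $entry . '#i', so an unescaped '#' inside an entry ends the pattern early and the check stops matching.

```php
<?php
// Added example, not Geeklog's code. Assumes the spam check builds its
// regular expression as '#' . $entry . '#i', i.e. with '#' as the delimiter.

/**
 * Unsafe: a blacklist entry containing '#' terminates the pattern early.
 * PCRE treats whatever follows as modifiers; an unknown modifier makes
 * preg_match() return false, so a caller that only tests for "matched"
 * sees the entry as not matching and the check fails open.
 */
function spamCheckUnsafe(string $entry, string $text): ?bool
{
    $result = @preg_match('#' . $entry . '#i', $text);
    return ($result === false) ? null : ($result === 1);
}

/**
 * Fixed: escape the delimiter before wrapping the entry.
 * For entries that are literal strings, preg_quote() with '#' as its
 * second argument escapes the delimiter together with the other regex
 * metacharacters; for entries that are meant to stay regular expressions,
 * only the delimiter itself is escaped.
 */
function spamCheckEscaped(string $entry, string $text, bool $entryIsRegex): ?bool
{
    $pattern = $entryIsRegex
        ? str_replace('#', '\#', $entry)   // keep regex syntax, escape delimiter only
        : preg_quote($entry, '#');         // literal match, delimiter escaped too
    $result = @preg_match('#' . $pattern . '#i', $text);
    return ($result === false) ? null : ($result === 1);
}

// Constructed sample input: a blacklisted URL fragment that contains a '#'.
$entry = 'example.test/page#spam';
$post  = 'Buy now at http://example.test/page#spam today';

var_dump(spamCheckUnsafe($entry, $post));          // NULL: "Unknown modifier" error, check fails open
var_dump(spamCheckEscaped($entry, $post, false));  // bool(true): the entry now matches
```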
- Mark Evans provided a set of patches that let plugins hook into the user
registration, story and comment submission as well as the contact user and
email story forms. These hooks can be used to add CAPTCHAs to those forms,
but may also come in handy for other plugin applications.
Also modified several template files to include a {captcha} variable to ease
installation of Mark's CAPTCHA plugin.
- Update the timestamp for the last run of PLG_runScheduledTask before calling
the function to minimize the risk of the call being triggered more than once
(bug #628) [Dirk]
- In a multi-language setup, allow one static page per language to take over
the index page (bug #625) [Dirk]
- sectest.php didn't perform the test for the install script and default
passwords on some setups (reported by Christian Weiske) [Dirk]
- Fixed "delete account" option (reported by Paul Lelgemann) [Dirk]
- Fixed counting of comments in several places where comments were counted
without taking the type of the parent object into account (e.g. when a story
and a poll happened to use the same id, their comment counts would have been
messed up) [Dirk]
- Editing a story reset the trackback count (reported by T. Marquez) [Dirk]
- In the admin's story editor, set the debug option for the image upload only
when $_CONF['debug_image_upload'] = true (thus avoiding the "Warning: File #x
on the HTML form was empty" messages in error.log) [Dirk]
- Renamed [calendar:] autotag back to [event:] for backward compatibility. It
also makes more sense this way, since it does provide a link to an event, not
a link to a calendar (bug #619) [Dirk]
- Need to check if field 'etids' is NULL (for MySQL 4) for the Daily Digest
(bug #595) [Dirk]
- Removed the outer table from the layout and merged several style declarations
into the body-tag declaration [Oliver]
- The spam check for comment posts did not include the comment title (reported
by Laugh) [Dirk]
- When multi-language support is enabled, allow language-specific overrides
of the locale settings, e.g. $_CONF['date_en'] and $_CONF['date_de'] to
overwrite $_CONF['date'] depending on the current language [Dirk]
- When installing the Geeklog database using InnoDB tables, create a
'database_engine' entry in gl_vars, so that plugins know to use InnoDB for
their tables. Updated the bundled plugins to act accordingly [Dirk]
- DB_query will now (optionally) accept an array of SQL request strings from
which it will pick the one applicable for the currently used database type
[Vinny, Dirk]
- Provide some more meta information in header.thtml [Dirk]
+ added optional {lang_id} variable and lang attribute
+ added a hreflang attribute to the feed links
+ added , , links
(via the {rel_links} variable)
- COM_isFrontpage has been deprecated, as it had its return values inverted
(returns false when on the site's index page). Use COM_onFrontpage instead
from now on [Dirk]
- Fixed check for new stories from archive topic [Dirk]
- Call PLG_templateSetVars() from STORY_renderArticle() so we can have custom
variables in the story templates [Dirk]
- Updated Chinese language files (traditional and simplified), provided by
Samuel M. Stone
- Updated Japanese language files for Geeklog and all the plugins, provided
by the Geeklog Japanese group
- Updated Ukrainian language files (Windows-1251, KOI8-U, and UTF-8 encoding)
for Geeklog and all the plugins, provided by Vitaliy Biliyenko
Nov 5, 2006 (1.4.1b2)
-----------
- Fixed potential SQL injection in the story editor preview (required Story
Admin permissions) [Dirk]
- Added multi-language support in static pages centerblocks and search [Dirk]
- When cloning a static page, keep the original's "wrap in a block" setting
[Dirk]
- Spam-X stats: Removed MT-Blacklist entry, added SLV whitelist entry [Dirk]
- Don't add empty "No Title" links in portal blocks when the feed has less than
the configured max. number of entries (bug #610) [Dirk]
- Added support for COM_mail to accept a parameter for a CC: distribution list [Blaine]
- Fixed bug #603, hardcoded mysql_error() [Oliver]
- Fixed bug #604, delete trackbacks of a story when story is deleted [Oliver]
- Allow users to switch the language again, even when the default character set
is not UTF-8. It is, however, not possible to mix UTF-8 and other charsets.
Also, "UTF-8" is not displayed in the language dropdown any more [Dirk]
- Corrected SQL for group counting in Admin menu for root admin to fix bug #573
[Oliver]
- Properly encode non-ASCII characters in email headers (subject, names),
loosely based on patch #489 and code from Cal Henderson's book [Dirk]
- Removed the Calendar styles and moved them to a dedicated file in the
plugin's directory [Oliver]
- Sorted all stylesheet definitions alphabetically and split semantics and
classes [Oliver]
- When making a topic the archive topic, update all existing stories in that
topic to "archived" status (and likewise revert that status if the topic
loses its archive topic status) [Dirk]
- Don't count archived stories as new stories in the What's New block [Dirk]
- Moved the defines for STORY_ARCHIVE_ON_EXPIRE and STORY_DELETE_ON_EXPIRE to
lib-story.php (from config.php) where they make more sense [Dirk]
- COM_getPermSQL was using the current user's group information when called for
another user. In Geeklog, this only happens for the Daily Digest, though
(bug #594) [Dirk]
- When comments are disabled for a story, don't show any existing comments in
the What's New block, in search results or via comment.php (bug #597) [Dirk]
- When trackbacks are disabled for a story, don't list any existing trackbacks
in the What's New block [Dirk]
- In the Admin's User Editor, disabled the checkboxes for the All Users,
Logged-in Users, and Remote Users groups to prevent accidental change of
group membership [Dirk]
- When deleting a topic, also delete all Trackbacks attached to stories in that
topic and update the Older Stories block and the feeds [Dirk]
- Fixed approve / delete of draft stories from moderation.php [Dirk]
- Strip blanks from the name of a PHP block function when saving a PHP block
[Dirk]
- Fixed / added multi-language support in the article directory, What's New
block, and the search for stories and comments [Dirk]
- Fixed an SQL error when changing a story's ID [Dirk]
- Call SET NAMES 'utf8' when using UTF-8 as the site's character set (with
MySQL), as pointed out by several people [Dirk]
- Removed wrong parameter when calling up the comment form again when the
comment's title was missing. This bug existed for both story and polls
comments. (bug #591) [Dirk]
- Users who were only in the Syndication Admin group didn't have access to
Command and Control (moderation.php) [Dirk]
- For Block, Group, Polls, Story and Topic Admins only display the number of
the respective entries they can actually see (instead of the number of all
entries, e.g. topics, in the system) [Dirk]
- Fixed highlighting parse error when the search term contained an apostrophe
(bug #590) [Dirk]
- Improved (and subsequently fixed) Pingback spam detection, which now also uses
the $_CONF['check_trackback_link'] setting [Dirk]
- directory.php was still using $LANG30 instead of $LANG_MONTH (bug #583) [Dirk]
- When upgrading the database from 1.4.0, only update those plugins that are
actually installed (disabled or not) [Dirk]
- CSS changes to support better scaling of font size using the browser's text-size
adjustment. Removed many extra font-size declarations. [Blaine]
- Don't allow viewing of a Banned user profile unless user admin [Blaine]
- Only call CUSTOM_loginErrorHandler when custom_registration is enabled
(bug #584) [Blaine]
- Fixed SQL error with some older MySQL versions when calling up the Batch User
Delete option [Oliver]
- Comments always displayed the comment author's full name, even when
$_CONF['show_fullname'] was set to 0 [Dirk]
- Fixed 404 (caused by a request for a file named '(none)') in the user profile
display when a user doesn't have a userphoto [Dirk]
- New Estonian language files for Geeklog and most of the plugins, provided
by Artur Räpp
- Updated Hebrew language file, provided by LWC
- Updated Japanese language files for Geeklog and all the plugins, provided
by the Geeklog Japanese group
- New Russian language files for the Spam-X plugin, provided by Pavel Kovalenko
- Updated Slovenian language files for Geeklog and all the plugins, provided
by gape
Calendar plugin
------------
- Created a dedicated stylesheet file and include the file only if the URL
contains the word 'calendar' [Oliver]
- Tweaked the Calendar search result listing: Removed the Event Description
(usually too long for the result listing), replaced Location (which is only a
part of the address and not very helpful) with Event Type, minimized Date &
Time display for events lasting only one day (don't list date twice) [Dirk]
Links plugin
------------
- Renamed classes block-vote-results to poll-vote-results and block-vote to
poll-vote [Oliver]
- Removed duplicate "Other" entry from the Link submission form [Dirk]
- In the Admin's list of links, only display an edit icon for links that the
current user can actually edit (they did get a proper error message when
trying to edit such a link, though) [Dirk]
- Don't return the number of links in the links submission queue if the
current user does not have links.moderate permissions [Dirk]
- Filter out special characters from link IDs. They were properly escaped
before storing them in the database but caused problems when using them
(bug #565) [Dirk]
Sep 17, 2006 (1.4.1b1)
------------
- Changes to templates and CSS to remove deprecated HTML (align= and valign=).
Removed unused CSS declarations and redundant font-family declarations.
Removed use of font-size percentages in favour of the more acceptable EM units [Blaine]
- Don't display an "edit" link in a story if the current user doesn't have
edit permissions for the story's topic (bug #558) [Dirk]
- Added a new script to check the site's security (admin/sectest.php). This
replaces the "get bent" PHP block, but also performs additional checks [Dirk]
- Created a Batch Delete function for users that easily identifies inactive or
old users and allows mass-deletion of those [Oliver]
- Updated FCKeditor to version 2.3.1 [Blaine]
- Added ability to filter out Admin-related groups on the Group Admin page,
allowing users to easily see only user groups. When editing non-core groups,
you can select whether the group is an Admin Group [Blaine]
- Added ability to multi-select submission queue items on the moderation page
and delete them all at once [Blaine]
- Always make "Submissions" the first entry in the Admins Only block to keep
the correspondence between the other entries and the icons on the moderation
page undisturbed (and because it's an important entry) [Dirk]
- Fixed 'emailstoriesperdefault' config option (bug #553) [Dirk]
- Added support for Microsoft SQL Server, provided by Randy Kolenko
- Introduced $_CONF['disallow_domains'] as a blacklist of domain names that are
not allowed for new users during signup. Both 'disallow_domains' and
'allow_domains' can also contain regular expressions [Dirk]
- Introduced DB_lockTable / DB_unlockTable to encapsulate the LOCK / UNLOCK
requests when updating the comments table [Dirk]
- Fixed bug: [#540] Blocking the last Root user or yourself should not be
possible [Oliver]
- Fixed bug: [#546] The phrase "Story Stats" is hardcoded [Oliver]
- Added a spam check to the email user form [Dirk]
- Use the same piece of code to compare plugin version numbers in lib-admin.php
and admin/plugins.php to avoid the "update" button not appearing for some
version numbers (bug #542) [Dirk]
- Re-implemented $_CONF['allow_domains'] whitelist (when the user submission
queue is enabled) that was inexplicably missing from 1.4.0 [Dirk]
- Merged User Preferences and Account information into one page, like the
Story editor with tabs etc. [Blaine, Oliver]
- Tried to make "3 new stories in the last 1 day" sound less awkward by going
back one unit, i.e. "3 new stories in the last 24 hours", in the What's New
block (likewise for 1 week, 1 month, etc.) [Dirk]
- Introduced config options to set the default for the story's draft flag
and frontpage option (feature request #163) [Dirk]
- Introduced $_CONF['hide_main_page_navigation'] to hide the "Google paging"
from index.php (may be useful for some layouts) [Dirk]
- Allow (optional) usage of autotags in "normal" blocks (can be enabled /
disabled per block) [Dirk]
- Introduced a {story_counter} variable in the story templates. It's 0 on the
article page and in previews, but 1 for the first story, 2 for the second,
etc. on the index page (per page, i.e. starts with 1 again on the second page)
[Dirk]
- Require that users enter their current password when changing their password,
email address or "Remember me for" setting. Redesigned the Account Information
page and added a note about this requirement. [Dirk]
- Prevent accidental banning of users when the Admin edits a user's information
using a theme that wasn't updated for Geeklog 1.4.0+ [Dirk]
- $_CONF['show_fullname'] now works as expected, i.e. when set to 1,
a user's full name will be displayed everywhere in Geeklog instead of the
username (assuming the user entered their full name) [Dirk]
- Fixed a bug in the article directory where December was not listed when no
stories had been posted in that month (reported by Kino and Ivy of geeklog.jp)
- Replace Geeklog's [imageX] tags before extracting the What's Related links
from a story to prevent the (verbatim) tag to show up in the block [Dirk]
- Update story ids in the gl_trackback table when a story's id is changed [Mike]
- Implemented new plugin API function, PLG_spamAction, to perform the spam
actions in case spam has been detected through some other means (e.g.
trackbacks from sites that don't link back to us) [Dirk]
- Implemented new plugin API function, plugin_enablestatechange_, to inform
plugins when they are about to be enabled / disabled (Patch #405) [Dirk]
- Support backslashes in comments and submissions in HTML mode [Mike]
- Added breadcrumb functionality to the navbar class (v1.1) [Blaine]
- Enhancements to navbar templates and CSS for a more 3D TAB'ed look [Blaine]
- Changed several s to s + CSS in the Professional theme [Oliver]
- Introduced generic function to delete a user's photo to avoid code
duplication and slightly different error handling in various places [Dirk]
- Made the new user registration form remember the user's input so that they
don't have to retype everything in case of an error [Dirk]
- In the Admin's user list, banned users are indicated by struck-through
entries (based on a hack by Andy Maloney) [Dirk]
- Added new setting $_CONF['onlyrootfeatures']. This is for sites where two or
more story admins can feature stories that the other admins cannot see. The
setting prevents one admin from failing to notice that another recent story
is already featured and featuring one of their own, thereby "stealing" the
feature from the other.
- Changed "Reply"-button to "Post a comment" [Oliver]
- Implemented an error handler to suppress all PHP-level errors and display a
much more user-friendly error text to the end user. Prevents all path exposure
and the "white error page" mystery debugging fun. [Mike]
- Full sweep of all code for $_REQUEST/$_GET/$_POST and $_COOKIE use. Made sure
that COM_applyFilter, or other safe usage is made of the variables. [Mike]
- Added an option to hide the "No News To Display" message on the index page
(new config option $_CONF['hide_no_news_msg']) [Dirk]
- Added an option to check if the sites sending trackbacks are actually linking
to our site (see $_CONF['check_trackback_link'] in config.php) [Dirk]
- Made it impossible to save two syndication feeds with identical filenames
[Oliver]
- For stories with comments/trackbacks disabled, don't show the comment/trackback
URL in RSS feeds [Mike]
- Added email confirmation fields for new user and usersettings [Oliver]
- Allow changing of group ownership for "gldefault" blocks. Requires a change
in admin/block/defaultblockeditor.thtml to enable the group dropdown. On a
fresh install, all the blocks (with the exception of "Are you secure?") are
now owned by the Block Admin group [Dirk]
- Users created by a User Admin should not be queued for approval, even when
$_CONF['usersubmission'] = 1 [Dirk]
- Introduced 'syndication.edit' permission and 'Syndication Admin' group so
that access to the Content Syndication panel no longer requires 'Root'
permissions [Dirk]
- For the "Submissions" entry in the Admins Only block, only count story and
event submissions when the current user has story.moderate or event.moderate
permissions, respectively [Dirk]
- On admin/moderation.php, list the stories that have their draft flag set only
when the current user has story.edit permission [Dirk]
- Fixed empty lines in a Group Admin's list of groups when that Group Admin
was not a member of all groups [Dirk]
- Renamed the misnamed CUSTOM_runSheduledTask function (in lib-custom.php) to
CUSTOM_runScheduledTask. Don't forget to make that change in your copy of
lib-custom.php if you're using that functionality! [Dirk]
- Improved error log contents when unable to acquire a feed reader for a portal
block. [Mike]
- Extended plugin API for feed extensions to include feed id and the topic (for
adding topic/feed specific data) [Mike]
- Don't attempt to rename a non-existing user photo when
$_CONF['allow_username_change'] is enabled (reported and fix suggested by
Yusuke Sakata) [Dirk]
- Made changes to ensure compatibility with MS SQL, as suggested by
Randy Kolenko [Dirk]
- The "last login date" column in the Admin's list of users now uses
$_CONF['shortdate'] so that it includes the year [Dirk]
- Fixed batch user import (which set all imported users to status "Awaiting
Authorization" instead of "Awaiting Activation") [Mike]
- Fixed Google paging in admin lists for use in static pages etc. [Oliver]
- Added support for a custom login error handler function,
CUSTOM_loginErrorHandler [Blaine]
- Format the user agent string according to the RFCs 1945 / 2068 / 2616, i.e.
"Geeklog/1.4.1" when trying to detect a Trackback URL [Dirk]
- Made the search option on the Admin pages behave like the site search, i.e.
it doesn't require you to pad queries with '*' any longer [Dirk]
- In story search results, show/hide the "Author" and "Views" columns based on
the $_CONF['contributedbyline'] and $_CONF['hideviewscount'] settings [Dirk]
- Introduced $_CONF['title_trim_length'] to make the max. title length of items
in the What's New block configurable (feature request #525). Also implemented
a new function COM_truncate (based on a patch by Yusuke Sakata) that properly
handles truncation of multi-byte text strings if the mb_ functions are
available [Dirk]
- Added a JavaScript confirmation box to most delete buttons/links. If you'd
rather not have such a confirmation, use {delete_option_no_confirmation}
instead of {delete_option} in the admin templates [Dirk]
- Fixed RSS Feed parser to create RFC 822 dates in en_GB or en_US locale as per
the RFC spec [Mike]
- Removed obsolete "do not use spaces" warning from user editor (bug #530)
[Dirk]
- Show fullname/username according to config.php settings in stories [Oliver]
- Added the possibility to change the CSS class for admin list headers and fields
[Oliver]
- Added unified new style class to stats.php/style.css to have all lists on
the page look the same [Oliver]
- Added multi-language support, based on earlier works by Euan McKay and LWC.
Also see http://wiki.geeklog.net/wiki/index.php/Multi-Language_Support
- Changed the default path for topic icons to /images/topics [Dirk]
- Fixed an SQL error when calling up the Admin's list of stories without any
topics [Dirk]
- Removed the public_html/portal.php script, as it is no longer needed [Dirk]
- Remove uninstalled plugins from the global $_PLUGINS array immediately
(just in case the array would be used to trigger any actions) [Dirk]
- The "Topic" column in the list of feeds was empty for feeds that are only
linked from a topic page [Dirk]
- Only use the mb_substr workaround in the calendar when the current character
set is UTF-8 (bug #524) [Dirk]
- Fixed SQL error on MySQL 5 when listing the members of a group (bug #527)
[Dirk]
- When emailing a story, don't include the text "Comment on this story at ..."
when comments have been switched off for that story [Dirk]
- Fixed wrong wording of some of the "access denied" messages when trying to
access Admin panels without proper privileges [Dirk]
- Fixed display of Admin block for users that only had certain Admin privileges
[Dirk]
- New Afrikaans language file, provided by Renier Maritz
- Updated Hebrew language file, provided by LWC
The Hebrew language file was also renamed to hebrew_utf-8.php for consistency
with the other UTF-8 language files.
- Updated Turkish language file, provided by Kemal Cellat
Calendar plugin (1.0.0)
---------------
- Bugfix: Replace autotags in the event description [Dirk]
- Added an option to switch between 24 hour and 12 hour am/pm mode for entering
and editing events [Dirk]
- Implemented plugin_enablestatechange API function to enable/disable plugin
feeds and blocks when the plugin is enabled/disabled [Dirk]
- Added calendar plugin initial version [Oliver]
Links plugin (1.0.1)
------------
- Implemented plugin_enablestatechange API function to enable/disable plugin
feeds when the plugin is enabled/disabled [Dirk]
- Changed the English language file from "Web Resources" to "Links"
- Fixed hard-coded link to the "admin" directory when editing a link (reported
by Ronnie Rigl) [Dirk]
- Optimized SQL requests for the plugin's What's New section [Dirk]
- Re-introduced {button_links} header variable [Dirk]
- Added an option to hide the Top Ten Links on the first page [Dirk]
- Made the page title on the Web Resources page more informative by adding the
category and page number [Dirk]
- The edit icon (only visible for Links Admins) now uses the same image type
as the current theme (was previously hardcoded to "edit.gif") [Dirk]
- Hide the "Web Resources" link from the menu when login is required to see
the links (for consistency with the Polls plugin) [Dirk]
- Added a title attribute to the links on the site stats page that contains
the link's actual URL [Dirk]
- Fixed site link in search results which wasn't using portal.php [Dirk]
- The Admin's search option now also searches the link description [Dirk]
- Removed extra tags from the What's New section (bug #526) [Dirk]
Polls plugin (1.1.0)
------------
- Fixed call to undefined function polllist when calling up a non-existing
poll [Dirk]
- Implemented plugin_enablestatechange API function to enable/disable the poll
block when the plugin is enabled/disabled [Dirk]
- Fixed search [Dirk]
- Added a remark field for polls answers [Oliver]
- Re-introduced {button_polls} header variable [Dirk]
- Added an option to hide the link to the polls from the menu (for consistency
with the Links plugin) [Dirk]
- Fixed poll URLs on the site stats page [Dirk]
- Remove the polls block when uninstalling the Polls plugin (another part of
bug #520) [Dirk]
Spam-X plugin (1.1.0)
-------------
- Added SLV (Spam Link Verification) modules [Dirk]
- The MT-Blacklist modules are not being shipped with Geeklog any longer. The
MT-Blacklist entries are removed from the database during the upgrade [Dirk]
- Allow special characters (e.g. backslashes) in the Admin modules (e.g. the
Personal Blacklist module) [Dirk]
- Moved spam actions to plugin_spamaction_spamx API function [Dirk]
- Fixed potential problems with the checkforSpam function's return code in case
of unusual configurations (e.g. $_CONF['spamx'] = 0) [Dirk, Tom Willet]
- Made the plugin's internal log flag a proper config option. So you can now
disable logging to spamx.log from the plugin's config.php [Dirk]
- Mass delete by IP now uses stored IP address [Mike]
Static Pages plugin (1.4.3)
-------------------
- Make sure autotags are replaced even when execution of PHP code is disabled
(reported by LWC) [Dirk]
- Added a help URL for the block display of static pages [Oliver]
- Added ability in the static page editor to enable/disable Advanced Editor mode,
so you can use FCKeditor and switch to basic HTML edit mode when needed [Blaine]
- Fixed default sorting order for the list of static pages [Dirk]
- Allow showing/hiding the update date/time and hit count [Oliver]
- When creating a new page, don't set the default group ownership to the Static
Page Admin group if the current user is not a member of that group. Instead,
pick a group with staticpages.edit permission that the user is a member of
[Dirk]
- Fixed paging for the list of static pages (bug #528) [Dirk]
July 23, 2006 (1.4.0sr5-1)
-------------
This release fixes display problems in the comment preview that were only
introduced in Geeklog 1.4.0sr5 (as a result of the fix for the XSS).
The complete 1.4.0sr5-1 tarball also includes the following language files:
- New Afrikaans language file, provided by Renier Maritz
- Updated Hebrew language file, provided by LWC
- Updated Turkish language file, provided by Kemal Cellat
July 16, 2006 (1.4.0sr5)
-------------
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
June 30, 2006 (1.4.0sr4)
-------------
Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all 1.4.0 releases.
- Some of the files outside of the public_html directory were not protected
against direct execution. If Geeklog was installed such that those files were
accessible from a URL (which has always been strongly discouraged in the
installation instructions) then those files could be used to load and
execute malicious code from a remote server.
More information: http://www.geeklog.net/article.php/so-called-exploit
In this release, we've added the missing execution prevention for all files
outside of public_html. We would still, however, suggest that you fix your
Geeklog install if the files outside of public_html are accessible from a URL.
- The "mcpuk" file manager that we've integrated into FCKeditor allowed the
upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
config.php). Depending on your webserver's configuration, it was then possible
to execute that uploaded code.
More information:
http://www.geeklog.net/article.php/exploit-for-fckeditor-filemanager
The file manager has been removed from this release. You will therefore no
longer be able to upload files, e.g. images, through FCKeditor. Future
versions of Geeklog will ship with an updated version of FCKeditor and its
included file manager.
May 28, 2006 (1.4.0sr3)
------------
The Security Science Researchers Institute Of Iran reported the following
security issues:
- Possible SQL injection and authentication bypass in auth.inc.php
- Possible XSS in getimage.php
- Path disclosure in getimage.php and the functions.php of some themes,
e.g. the Professional theme
An internal code review also revealed a possible SQL injection in story
submissions.
Mar 5, 2006 (1.4.0sr2)
-----------
Security issues:
- Konstantin Dyakoff found an old bug in the session handling that would allow
anyone to log in as any user.
- HTML was not stripped from the Location field in a user's profile.
Feb 19, 2006 (1.4.0sr1)
------------
Security issues:
- James Bercegay of GulfTech Security Research reported several issues with
Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary
file access, and even injection and execution of arbitrary code.
Bugfixes:
- Fixed bug in page-break combined with url rewrite (bug #521) [Oliver]
- Fixed Story [page_break] showing only intro on first page [Oliver]
- Fixed install script for the Spam-X plugin which was trying to include an SQL
file that doesn't exist - and wasn't needed (part of bug #520) [Dirk]
- Updated Hebrew language file, provided by LWC
- New Russian language files for the Links and Polls plugins, provided by
Volodymyr V. Prokurashko
- Fixed Static pages dutch language file [Oliver]
- New Polish language file for the Links plugin, provided by Robert Stadnik
- Added UTF-8 English versions of the Links, Polls, Static Pages, and Spam-X
language files [Dirk]
- Added all UTF-8 Language files for core [Oliver]
Feb 5, 2006 (1.4.0)
------------
- Prevent execution of PHP code in "normal" blocks [Dirk]
- Added missing navbar images - used for CSS based buttons as part of the
standard Plugin CSS [Blaine]
- Set options in FCKConfig to have Firefox browsers by default not using the
and font tags to format Bold and Italic [Blaine]
- Fixed another bug in google pagination of admin-lists [Oliver]
- Fixed "wrap static page in a block" and "exit type" options in the static
page editor. Also link to the "rewritten" URL from the list of static pages
when URL rewriting is on [Dirk]
- Fixed JavaScript error in the Admin's story editor (bug #479) [Dirk]
- Fixed hard-coded paths in the check.php script and added tests for missing
directories (reported by Markus Wollschlaeger) [Dirk]
- A humble attempt to add some semantics [Dirk]
+ Added rel="category tag" to a story's topic link
+ Added rel="self bookmark" for a comment's permalink
- Cosmetics: Moved the number of links per category out of the actual link to
the category [Dirk]
- On MySQL 5, the drop-down list of link categories presented to a user when
submitting a new link came out wrong (while the one in the Admin's link
editor worked just fine). Moved the working code into a new function in the
plugin's functions.inc and changed the code to use it in both cases now [Dirk]
- Fixed an SQL error when the "length of entries" field in the Feed Editor was
left empty [Dirk]
- Fixed date and time defaulting to the current date and time when creating
a new event as an Admin user (adding a workaround for changes of strtotime()
behavior in PHP 5) [Dirk]
- Fixed SQL error on MySQL 5 when creating a new topic (bug #517) [Dirk]
- In HTTP requests, format the user agent string according to the RFCs 1945 /
2068 / 2616, i.e. "Geeklog/1.4.0" [Dirk]
- Updated Japanese language files, provided by Yusuke Sakata
- Updated Ukrainian (Windows-1251) language file, provided by Vitaliy Biliyenko
Jan 22, 2006 (1.4.0rc2)
------------
- header.thtml now specifies the CSS Class Declaration to use for the body.
This addresses the issue with FCKEditor when displayed, its CSS was
over-riding the main site tag and the site margin padding was being
affected [Blaine]
- Removed CSS for the Forum plugin from style.css [Blaine]
- Fixed "Cannot modify header ..." message when logging in from the admin
pages (reported by Samuel M. Stone). This also fixes confusing intermittent
displays during the login (e.g. only some of the "Command and Control" icons
showing up, messages about missing permissions flashing up) [Dirk]
- Removed Geeklog version number from feed files due to security concerns
(pointed out by Samuel M. Stone) [Dirk]
- Login through the admin pages didn't work with register_globals=off [Dirk]
- Fixed admin lists so pagination works also in static pages [Oliver]
- Pass GeekLog as user agent when fetching RSS feeds [Mike]
- Made the image upload work with out-of-the-box PHP 5 configurations [Dirk]
- Fixed handling of HTML entities in Pingbacks [Dirk]
- Fixed Spam-X Mass Delete Trackback Spam module to update the story's trackback
count when deleting trackbacks [Dirk]
- Fixed a possible SQL error when saving a block (reported by BDUB) [Dirk]
- Fixed story titles in the What's New block when they contained HTML entities
(entities were sometimes cut off and/or encoded twice) [Dirk]
- Fixed a typo in all the plugin install script which set the group description
to "grp_desc" instead of $grp_desc (found by Ingo Schaefer) [Dirk]
- Improved autodetect of Trackback URLs [Dirk]
- The submit story form was not selecting the advanced Editor if user was not
logged in or did not have Story Editor permissions [Blaine]
- Added missing CSS class name "list-feed" for portal blocks [Dirk]
- Fixed user submission queue (reported by Andrew Lawlor) [Dirk]
- Fixed handling of integer fields in the Admin's story editor (reported by
Ron Ackerman) [Dirk]
- Fixed handling of checkboxes in the static pages editor (reported by
Ron Ackerman) [Dirk]
- Fixed SQL error when saving a static page that had had more than 1000 hits
(reported by Euan McKay) [Dirk]
- Removed visible table border from advanced comment editor form [Blaine]
- Moved some hard-coded text strings from the advanced editor into the
language files [Blaine]
- Updated Chinese language files, provided by Samuel M. Stone
- Updated Japanese language files, provided by Yusuke Sakate
Dec 31, 2005 (1.4.0rc1)
------------
- Added support for Advanced Editor in the Add Comment Feature [Blaine]
- Fixed SQL error in search on MySQL 5 (fix suggested by dariball) [Dirk]
- Added trackback.php and pingback.php to the included robots.txt [Dirk]
- Added a few more calls to COM_numberFormat all over the place (links and polls
plugins, Admins Only block, ...) [Dirk]
- Fixed test for a Geeklog 1.3.9 database in the install script [Dirk]
- When emailing a story, make sure all fields are filled in [Dirk]
- Don't lose the current topic selection when a Story Admin uses the Contribute
link [Dirk]
- Fixed highlighting of search query in comments when register_globals = off
[Dirk]
- When the entries in the Admin's block are not sorted, make sure the icons in
Command and Control are in the same order as the block entries [Dirk]
- Allow topic icons to be uploaded to and retrieved from a 'topics' directory
outside of the document root [Dirk]
- Added a workaround to produce abbreviated day names in the calendar for UTF-8
language files (reported by Euan McKay) [Dirk]
- The Spam-X plugin now uses the same "universal" install script as the other
three preinstalled plugins [Dirk]
- Added more allowable HTML tags and attributes if Advanced_Editor enabled
config.php setting [Blaine]
- Added logic to detect if JavaScript was not enabled while the Advanced Editor
was enabled. The user will be prompted with an alert and can use the default
editor instead [Blaine]
- Changed spam handling for Trackbacks and Pingbacks to check for spam on the
unfiltered Trackback/Pingback content [Dirk]
- When editing a link submission with a new link category (i.e. the submitter
selected "other" and entered a non-existing category), make sure that new
category actually shows up in the links editor [Dirk]
- In the Admin's list of stories, show the display name of the topic (i.e. the
same as in the Topics block) instead of the topic ID [Dirk]
- Hide the edit icon in the Admin's list of stories when the current user
doesn't have edit access to a story (since they only got a note saying they
can't edit that story anyway) [Dirk]
- Fixed alternating row colors in admin lists if one row has no data [Oliver]
- Made it impossible to switch off blocks if there is no access [Oliver]
- Fixed handling of items in the submission queues (it was only possible to
approve / delete the first item in a queue) [Dirk]
- Grant users with 'plugin.edit' permission access to the plugin editor [Dirk]
- Changed admin-lists 'default-filter' to require 'AND' [Oliver]
- Fixed admin lists for events & static pages for non-root users [Oliver]
- Fixed invalid language string in submit.php [Oliver]
- Fixed problems with the query highlighting code escaping double quotes [Dirk]
- In the list of plugins, display only the plugin's current version number as
long as it's in sync with the code version or the plugin hasn't implemented
the chkVersion API function [Dirk]
- Limit length of a new user's username to 16 characters in the
admin/user/edituser.thtml template file [Dirk]
- Don't display the current user's userphoto when creating a new user in
admin/user.php [Dirk]
- Fixed sanity checks in USER_addGroup and USER_delGroup [Trinity, Dirk]
- Allowed the Links-entry from the top menu to be hidden by config.php in links
[Oliver]
- Fixed small HTML validation issues with adv. editor and admin lists [Oliver]
- Fixed comment bug that allowed comments to be saved even when user did not
have the correct story/topic permissions. [Vinny]
- Send the character set as an HTTP header from COM_siteHeader now [Oliver]
- Fixed updating Links feeds [Mike]
- Corrected RSS handling of GUID or LINK [Mike]
- Fixed date format in Atom feeds [Mike]
- Fixed loss of sort setting when browsing the user list [Oliver]
- Fixed block title of the site stats (reported by Tom Willet) [Dirk]
- Fixed an SQL error when approving the default story submission ("Are you
secure?") after a fresh install (reported by suvi) [Dirk]
- Fixed warnings that exposed the full path to Geeklog when attempting SQL
injections on the advanced search [Mike]
- The "Mail Users" icon was missing from Command and Control [Dirk]
- In Command and Control, show the Trackback icon only when at least one of the
Trackback, Pingback, or Ping features is enabled (in addition to 'story.ping'
permissions for the current user) [Dirk]
- Replaced the delete_event.gif icon (in layout/professional/images/icons) with
a PNG, since the Professional theme uses PNGs now and the icon wouldn't show
up otherwise [Dirk]
- The block around the list of backups was missing the title [Dirk]
- Don't emit the Trackback and Pingback headers when trackbacks have been
disabled for a story [Dirk]
- Introduced {lang_trackback_comments_no_link} (in trackback/trackback.thtml)
so that you can have an article page entirely without links back to itself
(for picky spiders such as the one for Google News) [Dirk]
- Call COM_refresh when creating a user with usersubmission = 1 [Mike]
- Fixed sorting of Trackbacks in the What's New block [Dirk]
- The search by author or by date switched to searching for everything on
page 2 of the results [Dirk]
- For the Links plugin, the "last x days" text in the What's New block was
missing [Dirk]
- Fixed an SQL error when creating new blocks [Mike]
- The feed reader will now also follow redirects [Mike]
- Updated Chinese traditional and simplified language files, and new Chinese
language files for the Links, Polls, and Static Pages plugins, provided by
Samuel M. Stone
- German language files now exist in 4 combinations (formal / informal German,
ISO-8859-15 / UTF-8 encoding) for Geeklog, the Links, Polls and Static Pages
plugins [Dirk]
- Updated Japanese language files, provided by Yusuke Sakate
- New Ukrainian language files (Windows-1251) for Geeklog and all four plugins,
provided by Vitaliy Biliyenko
- New Ukrainian language files (UTF-8 and KOI8-U encoding) for Geeklog, the
Spam-X, and Static Pages plugins, provided by Yaroslav Fedevych
Nov 20, 2005 (1.4.0b1)
------------
- Introduced {start_storylink_anchortag} and {end_storylink_anchortag} template
variables in the story and commentbar template files which only produce a
link to the story when not on article.php, thus avoiding links back to the
article page itself, which the spider for Google News doesn't seem to like
(feature request #486) [Dirk]
- Added a workaround for image uploads using GD when ImageCreateTrueColor is
not available (patch #468) [Dirk]
- Allow a subject to be passed as a parameter for the "contact user" form
(based on patch #497) [Dirk]
- Added support for right-to-left languages (based on patch #488) [Dirk]
- Update Feeds and Older Stories block when changing topic settings [Dirk]
- Added a hits counter to events and added a Top Ten Events section to the
site stats [Dirk]
- Introduced $_CONF['show_topic_icon'], i.e. the default setting whether to
show topic icons or not [Dirk]
- The "Older Stories" block now only lists articles that appeared on the
frontpage (i.e. have not been set to "Show only in topic", bug #408) [Dirk]
- Fixed problems with query highlighting in stories scrambling links in
autotags (bug #492) [Dirk]
- Group names are now unique (as they should have been from the beginning). The
install script takes care of existing duplicate group names when upgrading
to 1.4.0 (bug #367) [Dirk]
- Allow for more topic IDs in the user's preferences (bug #490) [Dirk]
- Replace autotags in the Daily Digest (bug #484) [Dirk]
- Explicitly link to /docs/index.html for the documentation link in the Admin's
block (bug #504) [Dirk]
- Added an option to enable / disable trackbacks per story (just like you can
enable / disable comments per story) [Dirk]
- Changed COM_optionList to check for language arrays which override the text
strings that are embedded in the database (for comment mode, featured story,
post mode, etc.) Bug #227 [Dirk]
- Fixed Bug #174 -- quotes in titles are no longer double htmlentized [Vinny]
- The default permissions for new objects (stories, topics, blocks, etc.) can
now be set in config.php (feature request #90) [Dirk]
- Added an "Active users" entry to the site statistics. If Geeklog is configured
to track a user's last login, this will display the number of users who
logged into the site during the last 4 weeks. Otherwise, it displays the
number of user accounts with status = 3 (i.e. have logged into their account
at least once and haven't been banned) [Dirk]
- Introduced a new plugin API function so that the plugin's summary (e.g.
number of items) can be properly integrated with the "Site Stats" section.
Modified stats/sitestatistics.thtml, removed stats/stats.thtml, added
stats/singlesummary.thtml template files [Dirk]
- Introduced a generic function, USER_getPhoto, which provides the user's photo,
if available. The function also supports getting the user's avatar from
gravatar.com (if enabled in config.php) [Dirk]
- The texts in the What's New block ("x new stories in the last y hours",
"last 2 weeks", etc.) now properly reflect the actual settings of the
$_CONF['newXXXinterval'] variables (bug #390) [Oliver, Dirk]
- Introduced a method to signal a forced update for feeds in case the content
of one of the feed entries has changed - so far, we only checked if entries
had been added or removed (bug #277) [Dirk]
- Added $_CONF['show_right_blocks'] option which, if set = true, will display
right-side blocks on all pages (also addresses feature request #31) [Dirk]
- Fixed bug #454, SQL error when reading comments. [Vinny]
- Leave off the "page=1" parameter on the "Google paging" navigation bar for
links that point back to the first page [Dirk]
- The default feed for a new site is now in RSS 2.0 format and named
"geeklog.rss" [Mike, Dirk]
- Added time of the day to the name of the database backups to allow several
backups a day [Oliver]
- When the search returns no results, the search form is now pre-populated
with the last search query, so that it can be changed easily. On successful
searches, a "refine search" link will appear that also takes you back to a
pre-populated search form (to refine your search, obviously) [Dirk]
- Changed search to only return a certain amount of hits per page, thus
avoiding timeouts on servers where the script execution time is limited
(bug #274) [Dirk]
A new config variable, $_CONF['num_search_results'], defines the number of
search results to be returned per page (and per type). The search form also
includes a drop-down menu where this can be changed for every search.
Plugins will have to indicate if they support this "paged" search. Otherwise,
Geeklog will fake the paging for the plugin, so that the plugin does a full
search for every page, but Geeklog will only display the hits for the current
page (such a plugin can therefore still cause a timeout until it is changed
to support "paged" searching).
- Added a permanent link to comments (in the professional theme) [Vinny]
- Added new icons for the admin sections and made sure each admin section
now has an icon in admin/moderation.php [Dirk]
The new icons have been taken from the Gnome project (some of them modified
by Jakub Steiner). They are released under the GPL.
- Introduced global variable $_IMAGE_TYPE that specifies the image type to
use. Defaults to 'gif'. Themes can override it to use other images types,
e.g. PNG, for all images [Dirk]
- Added option to upload topic icons (Feature Request #415, Patch #423),
provided by Alford Deeley (machinari)
- Changed the Admin's "Command and Control" center such that there is an icon
for every entry in the Admin's block [Dirk]
- Removed duplicate code for creating a "topic SQL" query in moderation.php
(use COM_getTopicSQL instead) [Dirk]
- Added the ability to allow users to login via defined remote services (ships
with Blogger and LiveJournal support) [Mike]
- Added the ability to ban users, and to tell when a user has logged in at least
once [Mike]
- Added edit-icon, List-Sorting, searching, Limits & alternating row colors
in admin menus for groups, syndication, staticpages, trackback
(where not yet done) [Oliver]
- Added function to allow user-defined scaling of images in articles by using
[unscaledX] instead of [imageX] [Oliver]
- Removed $_CONF['whosonline_fullname'] option - use $_CONF['show_fullname']
instead [Dirk]
- Fixed bug where extra slashes appeared when previewing comments [Vinny]
- Removed the "lastvisit" cookies, as they are obviously not used [Dirk]
- Removed redundant changepwd-button & code from /admin/user.php (Bug #9)
[Oliver]
- Added new feature to insert feed links into the header depending on topic, to
be chosen from /admin/syndication.php in the form of
[Oliver]
- Added options to google-Navigation so it can be used by plugins and work with
url-rewriting (feature request #315). [Oliver]
- Userlist now also shows Registration Date and if $_CONF['lastlogin']= true it
shows the last login date instead. [Oliver]
- Added option in config.php to hide "Viewed: x" line with
$_CONF['viewscountline'] just as the $_CONF['contributedbyline'] [Oliver]
- Added function COM_numberFormat to format displayed numbers with custom
decimal & thousand - separators and fixed decimal places if necessary
Includes the respective 3 new config.php values in the locale section.
(Feature Request #298) [Oliver]
- Default Blocks showed always in all Topics before. Now you can choose to show
them in All/only one topic/only on homepage like other blocks (feature #326)
[Oliver]
- A Story can now break over several pages in the body-text. The tag
[page_break] will split the bodytext in pieces that can be opened with the
std. COM_printPageNavigation. Introtext is removed for pages>1 [Oliver]
- Added field for old password check in /usersettings.php (bug #230) [Oliver]
- Added password confirmation to /admin/user.php and /usersettings.php
(bug #230) [Oliver]
- Made the alternating row colors in the Admin's trackback functions compatible
with the scheme used in other places (list of users, etc.). Also changed the
list of weblog directory services so that editing is now done by clicking on
the number of the service [Dirk]
- Stories are no longer forced to be featured _and_ on frontpage (bug #362)
[Oliver]
- Changed links locations in User-list, added user-photo indicator [Oliver]
- Don't update a story's date any more when unchecking the 'draft' flag
(bug #400) [Dirk]
- Don't use "rewritten" URLs in the static pages editor any more (bug #403).
Also updated the list of static pages to use alternating colors for the
rows [Dirk]
- Use "\r\n" when sending trackback pings (bug #407) [Dirk]
- Allow autotags to optionally have a space after the tag name [Blaine]
Valid tags are:
[story:20040101093000103 here] or [story: 20040101093000103 here]
- Fixed inconsistent use of {site_url} and {layout_url} in some of the
professional theme's admin template files - using {layout_url} everywhere
now when referring to icons (bug #395) [Dirk]
- Event titles containing quotes were cut off at the first quote in the event
editor, i.e. both the admin's event editor and the editor for personal events.
(bug #399) [Dirk]
- Modified PLG_templateSetVars API to also check for a custom function [Blaine]
Users can now set header template using CUSTOM_templatesetvars()
- Added new CSS declarations as recommended CSS for plugins [Blaine]
- Added a basic scheduler Plugin API plugin_runScheduledTask [Blaine]
Interval is set in config.php - $_CONF['cron_schedule_interval']
- Enhanced the Group Admin interface display [Blaine]
- Enhanced the User Admin display and made the headings sortable [Blaine]
- Geeklog will now properly handle html special characters (such as quotes and
ampersands) in comment titles (bug #174) [Vinny]
- Hide 'edit' option for articles in preview (bug #347) [Dirk]
- Changed admin/user.php to use file() for the batch import [Dirk]
- Implemented pinging weblog directory services like blo.gs and weblogs.com
(Feature Request #35). By default, we ping pingomatic.com [Dirk]
- Complete overhaul of the Plugin Comment API to reduce the likelihood of
plugins introducing security problems. Older plugins that use the comment
API will no longer work. [Vinny]
- Refactored Comment code out of lib-common.php and into lib-comment.php, also
some changes to comment.php [Vinny]
- Introduced a 'story.ping' permission that enables users to send Pings,
Pingbacks, and Trackbacks for a story (or plugin item). Members of the Story
Admin group have that permission by default.
- Overhauled install script: It will now abort the installation if the minimum
requirements (PHP 4.1.0, MySQL 3.23.2) are not met. It also displays a warning
message if register_long_arrays is off (PHP 5 only, bug #360). Another
warning message is displayed if "public_html" is part of the URL.
When upgrading, it now tries to identify the Geeklog version that was used
previously (only really works for versions 1.3.8 - 1.3.11) [Dirk]
- Fixed date in comment preview (bug #370) [Dirk]
- Incorporated the new syndication framework for reading and writing feeds of
different formats (RSS, RDF, Atom), provided by Michael Jervis (patch #352).
This contribution also addresses Task #19 ("RSS import class") and Feature
Request #67 ("Limiting number of entries in RSS feeds").
Please note that the feed writer classes, system/classes/*.feed.class.php,
are now obsolete and can be removed. Please also note this adds new PEAR
package requirements for Net_URL and HTTP_Request.
- Added support for sending and receiving trackback comments (Feature Request
#34) Also implemented Pingback support in pretty much the same way. Once
received, Geeklog treats Trackbacks and Pingbacks the same and stores them
in the gl_trackback table. [Dirk]
Both can be switched off in config.php: $_CONF['trackback_enabled'] = false;
and $_CONF['pingback_enabled'] = false;
- Added a new script, directory.php, that implements a date-based listing of
all the stories on a site [Dirk]
A link to the directory is available as a new option, 'directory', for the
$_CONF['menu_elements'] config variable, so that it can be added to the menu.
- The column headline for event search results was not displayed [Dirk]
- Added logos to syndication feeds. [Mike]
- Added config option to disable new accounts (Patch #426 from Alford Deeley)
[Mike]
- Alphabet Sort on Admin Menu and C&C Block [Mike]
- New Farsi (Persian) language file, provided by Hesam.H
- Updated Japanese language file, provided by Yusuke Sakata
- New Farsi (Persian) language file for the static pages plugin,
provided by Hesam.H
Links plugin 1.0.0
------------
- Added ID-editor and Autotags-feature [link: ... ] [Oliver]
- Added Category-Specific Feeds [Oliver]
- Added Edit-Icon, List-Sorting, searching, Limits & etc for admin menu [Oliver]
- Moved links functionality into a plugin [Trinity, Oliver]
Polls plugin 1.0.0
------------
- Polls moved to a plugin [Trinity]
Spam-X plugin 1.0.3
-------------
- The LogView module now automatically truncates the Spam-X logfile to 100KB
[Tom Willet]
- The IP Blacklist module now supports regular expressions [Mike]
- Added a Mass Delete module for Trackback comments [Dirk]
- Added an "admin override" option, so that postings by members of the 'spamx
Admin' group will not be checked for spam [Dirk]
July 16, 2006 (1.3.11sr7)
-------------
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
May 28, 2006 (1.3.11sr6)
------------
The Security Science Researchers Institute Of Iran reported the following
security issues:
- Possible SQL injection and authentication bypass in auth.inc.php
- Possible XSS in getimage.php
- Path disclosure in getimage.php and the functions.php of some themes,
e.g. the Professional theme
An internal code review also revealed a possible SQL injection in story
submissions.
Mar 5, 2006 (1.3.11sr5)
-----------
Security issue:
- Konstantin Dyakoff found an old bug in the session handling that would allow
anyone to log in as any user.
Feb 19, 2006 (1.3.11sr4)
------------
Security issues:
- James Bercegay of GulfTech Security Research reported several issues with
Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary
file access, and even injection and execution of arbitrary code.
- Prevent execution of PHP code in "normal" blocks
Dec 12, 2005 (1.3.11sr3)
------------
Security issues:
- Fixed comment bug that allowed comments to be saved even when user did not
have the correct story/topic permissions (reported by LWC) [Vinny]
- Fixed a path disclosure in case someone tampered with the start date or end
date in advanced search (reported by r0t3d3Vil) [Mike]
Feeding malformed dates to the search caused a warning message to be displayed
that disclosed the path to the Geeklog install on the server. It was NOT
possible to use this for SQL injections.
Bugfixes:
- Fixed the problems (introduced in 1.3.11sr2) editing static pages when
$_CONF['url_rewrite'] = true (bug #491) [Dirk]
- The "Reply" button didn't work when viewing individual comments [Vinny]
- Fixed the definition of the 'expire' field (in table gl_stories), which
caused an SQL error when doing a fresh install on MySQL 5
(reported by Johannes) [Dirk]
- Fixed and updated the Hebrew language file [LWC, Dirk]
- New Ukrainian language file (Windows-1251), provided by Vitaliy Biliyenko
- New Ukrainian language files (UTF-8 and KOI8-U encoding) for Geeklog, the
Spam-X, and Static Pages plugins, provided by Yaroslav Fedevych
Oct 9, 2005 (1.3.11sr2)
-----------
This release provides security enhancements and better spam protection
originally developed for Geeklog 1.3.12. It also addresses a few bugs where
the bugfix could be integrated with a reasonable amount of work (other bugfixes
will have to wait for the 1.3.12 release).
Security and Spam protection:
- Added speedlimit to login attempts, defaults to allowing three tries in a
five minute period. [Vinny]
See new config options $_CONF['login_attempts'] and $_CONF['login_speedlimit']
- Changed the spam handling to update the speed limit when spam is detected
(i.e. handle spam posts as if they were successful posts and make the
submitter wait for the speed limit to expire). Also send a 403 "Forbidden"
HTTP response code when displaying the "spam detected" message [Dirk]
To quote RFC2616: "403 Forbidden: The server understood the request, but is
refusing to fulfill it. Authorization will not help and the request SHOULD
NOT be repeated."
- Filter linefeeds in the To:, From:, and Subject: fields of an email in
COM_mail [Dirk]
- When a new user account is created and the user submission queue is enabled
in config.php, ensure that the user is properly "queued" even in the
unlikely event that the account creation fails halfway through (reported by
LWC) [Dirk]
- When $_CONF['emailstoryloginrequired'] = 1, hide the links to the "email
story" form from anonymous users [Dirk]
- When emailing a story, check the user's message that is sent with the story
for spam [Dirk]
- Added a robots.txt file to the distribution. By default, it excludes
comment.php, submit.php, and the docs directory from being spidered [Dirk]
- Added a spam check to the user profile [Dirk]
- Story, event, and link submissions are now also checked for spam [Dirk]
- This release also includes the Spam-X plugin version 1.0.2
Please note that MT-Blacklist (used by Spam-X) has recently been discontinued.
For the time being, we provide the last version of the blacklist for download
from geeklog.net (the Spam-X plugin as included in this release is configured
to get it from there for the initial import). There will, however, be no
updates to the blacklist. For details, please see
http://www.geeklog.net/article.php/mt-blacklist-discontinued
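The login speed limit described in the first entry above, written out as an added example; this is not Geeklog's own code. Geeklog keeps its attempts in the database and reads the limits from $_CONF['login_attempts'] and $_CONF['login_speedlimit']; the class name, the in-memory store and the sample timestamps and address here are assumptions made so the logic runs on its own.

```php
<?php
// Added example (not Geeklog code): a minimal login speed limit in the spirit of
// $_CONF['login_attempts'] / $_CONF['login_speedlimit'] described above.
// Geeklog persists attempts in its database; this stand-in keeps them in memory
// so the logic can be read and run on its own.

$_CONF = array(
    'login_attempts'   => 3,    // tries allowed ...
    'login_speedlimit' => 300,  // ... within this many seconds (five minutes)
);

class LoginSpeedLimiter   // hypothetical name, not a Geeklog class
{
    /** @var array<string, int[]> remote address => timestamps of failed attempts */
    private $attempts = array();
    private $maxAttempts;
    private $window;

    public function __construct($maxAttempts, $window)
    {
        $this->maxAttempts = (int) $maxAttempts;
        $this->window      = (int) $window;
    }

    /** Drop attempts older than the window; returns how many remain. */
    private function prune($ip, $now)
    {
        if (!isset($this->attempts[$ip])) {
            return 0;
        }
        $cutoff = $now - $this->window;
        $this->attempts[$ip] = array_values(array_filter(
            $this->attempts[$ip],
            function ($t) use ($cutoff) { return $t > $cutoff; }
        ));
        return count($this->attempts[$ip]);
    }

    /** True when the address has used up its tries for the current window. */
    public function isBlocked($ip, $now)
    {
        return $this->prune($ip, $now) >= $this->maxAttempts;
    }

    /** Record a failed login (or, as the spam entry above does, a spam post). */
    public function recordFailure($ip, $now)
    {
        $this->prune($ip, $now);
        $this->attempts[$ip][] = $now;
    }

    /** Seconds until the oldest attempt in the window expires; 0 if not blocked. */
    public function retryAfter($ip, $now)
    {
        if (!$this->isBlocked($ip, $now)) {
            return 0;
        }
        return min($this->attempts[$ip]) + $this->window - $now;
    }
}

// Constructed walk-through: three failures from one address within a minute,
// a fourth check shortly after, and one more once the oldest attempt has aged out.
$limiter = new LoginSpeedLimiter($_CONF['login_attempts'], $_CONF['login_speedlimit']);
$ip = '192.0.2.10';   // RFC 5737 documentation address, constructed
$t0 = 1000000;        // arbitrary epoch seconds, constructed
foreach (array(0, 20, 40) as $offset) {
    var_dump($limiter->isBlocked($ip, $t0 + $offset));  // still allowed to try
    $limiter->recordFailure($ip, $t0 + $offset);
}
var_dump($limiter->isBlocked($ip, $t0 + 60));    // window is now full
echo $limiter->retryAfter($ip, $t0 + 60), "\n";  // wait for the oldest try to expire
var_dump($limiter->isBlocked($ip, $t0 + 301));   // oldest try has left the window
```

The check is done before the password is verified and a failure is recorded regardless of why the login failed, so the counter cannot be reset by guessing a valid username.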
Bugfixes:
- Fixed an error message thrown up by PHP 5.0.5 or later when viewing the
article page (bug #483) [Dirk]
- Fixed bug with topic-specific blocks not showing up on the article page when
URL rewriting was enabled (bug #401) [Dirk]
- Fixed missing site header when trying to submit an event without required
fields. Also fixed that it would redirect you to the story submission form
then (bug #409) [Dirk]
- Make sure {menu_elements} is rendered using the menuitem_none.thtml template
when no menu elements are to be displayed (bug #378) [Dirk]
- Quote names in email addresses as soon as they contain any non-alphanumeric
characters (apart from the blank). This also addresses bug #368 [Dirk]
- Allow single quotes in passwords (bug #396, also previously reported as
bug #349 / #996354) [Dirk]
- When $_CONF['profileloginrequired'] was set to 1, the actual message that
you have to log in before being able to see a user profile was not wrapped
in the Geeklog framework (reported by Sean C) [Dirk]
- Fix: Made a story's archive/expire date work with the timezone hack [Dirk]
- COM_applyFilter will now accept negative numbers if the isnumeric parameter
is true. Needed to fix problems with pollbooth.php (and others) [Vinny]
- Upgraded included kses class to version 0.2.2 which fixes problems with
Japanese and Thai characters (among other things), thus addressing bugs #94
and #119 [Dirk]
- Fixed SQL error when using the [staticpage:] autotag (bug #373) [Dirk]
- Added a missing stripslashes call to remove backslashes when a topic's name
was displayed in the index page's title (bug #369) [Dirk]
- Link tags are now translated in printer friendly mode (Bug #411) [Mike]
- Removed the entry from the Professional theme's
header.thtml as "INDEX,FOLLOW" is the default anyway. For finer control,
we now ship a robots.txt [Dirk]
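Two of the mail-related changes in this release, the linefeed filtering in COM_mail from the security list and the quoting of names in email addresses from the bugfix list, are shown together below as an added example. It is not Geeklog's COM_mail; the function names and the sample addresses are constructed for illustration.

```php
<?php
// Added example (not Geeklog's COM_mail): the two defensive steps named above,
// stripping line breaks from header fields and quoting display names.

/**
 * Remove CR, LF and other control characters from a value that will be placed
 * into a mail header. A raw "\r\n" inside To:, From: or Subject: would let the
 * sender smuggle in additional headers (Bcc:, Content-Type:) or a second body.
 */
function sanitizeMailHeader($value)   // hypothetical helper name
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $value);
    return trim($clean);
}

/**
 * Build a "Name <address>" header value. The display name is wrapped in double
 * quotes as soon as it contains anything other than letters, digits or blanks:
 * characters such as '.', ',' or '<' are specials in the address syntax and
 * would otherwise change how the recipient's mail software parses the line.
 */
function formatAddress($name, $address)   // hypothetical helper name
{
    $name    = sanitizeMailHeader($name);
    $address = sanitizeMailHeader($address);

    if ($name === '') {
        return $address;
    }
    if (preg_match('/[^A-Za-z0-9 ]/', $name)) {
        // escape embedded quotes and backslashes, then quote the whole phrase
        $name = '"' . addcslashes($name, '"\\') . '"';
    }
    return $name . ' <' . $address . '>';
}

// Constructed inputs: a harmless name, one containing address specials, and one
// that tries to inject a Bcc: header through the name field.
$cases = array(
    array('Alice Smith',                      'alice@example.com'),
    array('Smith, Alice M.',                  'alice@example.com'),
    array("Alice\r\nBcc: victim@example.net", 'alice@example.com'),
);
foreach ($cases as $c) {
    echo formatAddress($c[0], $c[1]), "\n";
}
// The same filter applied to a subject line carrying an injected header.
echo sanitizeMailHeader("Hello\r\nX-Injected: yes"), "\n";
```

In the third case the line break is removed and the remainder ("AliceBcc: victim@example.net") ends up as a quoted display name, so nothing reaches the header section as a separate field.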
Improvements:
- Don't check for auto-archived stories when no archive topic has been
defined yet [Dirk]
- Added support for a custom_usercheck function. Custom registration code that
requires certain information can now abort the creation of a new account if
that information is missing. The function is called after Geeklog has checked
that the username and email address of the new user are okay (valid and not
in the database yet), but before the user has been added to the database
[Dirk]
- Saved one SQL request for a story's printable view [Dirk]
Language files:
- Made sure all language files refer to Geeklog's [image] tags as [imageX],
[imageX_right], and [imageX_left] (bug #381) [Dirk]
- New Catalan language file, provided by an anonymous user
- New Russian (UTF-8) language file, provided by Konstantin Boyandin
- Updated Hebrew language file, provided by LWC
- Updated Hellenic (Greek) language file, provided by MzOzD
- Updated Italian language file, provided by Marcello Teodori
- Updated Japanese (UTF-8) language file, provided by Yusuke Sakata
- Updated Portuguese (Brazil) language file, provided by Alcides Soares Filho
- Updated Russian language file, provided by Konstantin Boyandin
- New Japanese (UTF-8) language file for the Static Pages plugin, provided by
Yusuke Sakata
- Updated Italian language file for the Static Pages plugin, provided by
Marcello Teodori
- Updated Japanese language file for the Static Pages plugin, provided by
Yusuke Sakata
Aug 21, 2005 (Spam-X plugin 1.0.2)
------------
- Changed the display name of the plugin to "Spam-X" to avoid potential
confusion with the email spam filter of the same name.
"SpamX" is a registered trademark of Hendrickson Software Components.
- Added a new module to filter posts based on the IP address of the poster
[Tom Willet]
- Added a new module to filter posts based on the IP address of the
spamvertised site [Tom Willet]
- Added a new module to filter posts based on characteristics of the HTTP header
[Dirk]
- Fixed the Mass Delete Spam Comments module [Tom Willet]
- The Spam-X plugin's examine modules run the post through html_entity_decode()
now in case the spammers try to obfuscate their posts by using HTML entities
[Tom Willet, Dirk]
- The Mail Admin action module now also reports the HTTP headers of the post
that triggered the spam filter [Dirk]
- Added a simple stats function (reports the number of posts deleted as spam,
and - to the Spam-X Admin only - the number of entries for each module) [Dirk]
- Implemented an update function for the plugin [Dirk]
- New Farsi (Persian) language file, provided by Hesam.H
- New Italian language file, provided by Marcello Teodori
- New Spanish language file, provided by vivi1123
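An added example of the html_entity_decode() step mentioned for the examine modules above; it is not the Spam-X plugin's own code. The blacklist patterns, the sample posts and the function names are constructed, and the example also decodes numeric entities explicitly and repeats the decoding so that doubly-encoded text (e.g. "&amp;#118;") is unwrapped too.

```php
<?php
// Added example, not the Spam-X plugin's own code: an examine-style check that
// decodes HTML entities before matching a (constructed) blacklist of patterns,
// so that "&#x76;iagra" or "c&#97;sino" cannot slip past a plain-text match.

/** Decode named, decimal and hexadecimal entities; repeat until the text is stable. */
function decodeEntities($text)   // hypothetical helper name
{
    for ($i = 0; $i < 3; $i++) {
        $before = $text;
        // named entities (&amp; &quot; ...) via the standard library call
        $text = html_entity_decode($text, ENT_QUOTES);
        // numeric entities, decimal and hex, for the printable ASCII range
        $text = preg_replace_callback(
            '/&#(?:x([0-9a-fA-F]+)|([0-9]+));/',
            function ($m) {
                $code = ($m[1] !== '') ? hexdec($m[1]) : (int) $m[2];
                return ($code >= 32 && $code < 127) ? chr($code) : $m[0];
            },
            $text
        );
        if ($text === $before) {
            break;   // nothing left to unwrap
        }
    }
    return $text;
}

/** Return the first blacklist pattern that matches, or false when the post is clean. */
function examinePost($post, array $patterns)   // hypothetical helper name
{
    $plain = decodeEntities($post);
    foreach ($patterns as $p) {
        if (preg_match($p, $plain)) {
            return $p;
        }
    }
    return false;
}

// Constructed blacklist in the regexp style Spam-X uses for its entries.
$blacklist = array(
    '/\bv[i1]agra\b/i',
    '/\bcasino\b/i',
    '/spamvertised\.example/i',   // constructed host, not a real site
);

// Constructed posts: plain spam, entity-obfuscated spam, doubly-encoded spam, a clean comment.
$posts = array(
    'Great post, see http://spamvertised.example/',
    'Cheap &#x76;&#105;agra here',
    'Visit our c&amp;#97;sino today',
    'Nice article, thanks for writing it up',
);
foreach ($posts as $p) {
    $hit = examinePost($p, $blacklist);
    echo ($hit === false ? 'clean: ' : "spam ($hit): "), $p, "\n";
}
```

Decoding happens only in the copy that is examined; the text that is stored or displayed still goes through the normal output filtering, so the decode step adds detection without loosening any escaping.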
Jul 3, 2005 (1.3.11sr1)
-----------
This release addresses the following security issue:
Stefan Esser found an SQL injection that can, under certain circumstances,
be exploited to extract user data such as the user's password hash.
Dec 31, 2004 (1.3.11)
------------
Geeklog 1.3.11 addresses the following security issues:
1. It was possible to submit stories anonymously even if anonymous submissions
were turned off in config.php (reported by Barry Wong).
These stories still ended up in the submission queue, though, unless you
disabled it in config.php.
2. Some of the parameters in link and event submissions weren't filtered,
leaving them open to potential SQL injections.
3. The links for the What's Related block were created from the unfiltered story
text, opening the possibility of XSS attacks (reported by Vincent Furia).
Bugfixes:
- Added a missing stripslashes() call for the topic name in the What's Related
block (bug #351) [Dirk]
(affected file: system/lib-story.php)
- Fixed problems in the story editor when editing plain-text posts with
uploaded images (bug #356) [Dirk]
(affected file: public_html/admin/story.php)
- When changing a story ID, update the story ID in any comments to that story,
too (bug #357) [Dirk]
(affected file: public_html/admin/story.php)
- Fixed handling of autotags that started with the same substring, e.g. with
two tags 'mytag' and 'mytagtwo', the second tag would not be recognized
(reported by Dr. Shakagee) [Dirk]
(affected file: system/lib-plugins.php)
- Fixed caching of $_GROUPS [Dirk]
(affected files: system/lib-security.php, public_html/lib-common.php)
- Made a minor optimization to save one SQL request when displaying the comment
bar for anonymous users [Dirk]
(affected file: public_html/lib-common.php)
- Updated Slovenian language file, provided by gape.
(affected file: language/slovenian.php)
Dec 22, 2004 (1.3.11rc1)
------------
- Fixed "archive" option being activated too early on certain non-featured
stories (bug #345) [Blaine]
- Added missing handling of autotags in static pages being displayed as center
blocks (reported by Jill) [Dirk]
- Fixed size of the 'sid' field in the gl_comments table. It should be 40
characters, to be able to hold the long story IDs introduced in 1.3.10
(reported by Douglas Santos) [Dirk]
- When using mogrify (ImageMagick) to resize uploaded images, the name of the
image is now enclosed in double quotes instead of single quotes, which
caused the command to fail on Windows [Dirk]
- The emails sent from the Spam-X plugin's MailAdmin action now also include
the IP address of the spam poster [Dirk]
- SEC_getFeatureGroup() should not overwrite $_GROUPS if not operating on the
current user (bug #331) [Dirk]
- Introduced a {camera_icon} variable in story and comment templates that
displays the little camera icon if the author has uploaded a user photo, just
like in the Who's Online block (suggested by Laurence Whitworth) [Dirk]
- The parent link in top-level comments took the user to the homepage rather
than to the article page (bug #346) [Vinny]
- Stories submitted for the archive topic will automatically be saved with
frontpage = 0 when approved, i.e. only be displayed in the topic [Dirk]
- Avoid emitting an extra tag after the last section in the What's New
block (bug #330) [Dirk]
- Update comment count in Older Stories block when a new comment is posted
(bug #317). Also optimized the code to collect the contents of the Older
Stories block [Dirk]
- Fixed extra being emitted in the calendar for events that aren't
visible for the current user (bug #268) [Dirk]
- (Event) Admins can now delete events directly from the calendar's day and
week views (just like events in the personal calendar) [Dirk]
- Fixed usersettings.php so that it displays the "benefits" message again when
called up by an anonymous user. Also made it go to the user's preferences
when called without a 'mode' parameter [Dirk]
- Added {layout_url} to the available theme variables in the submission forms.
Also added {separator} for those who prefer correct spelling ;-) [Dirk]
- More parameter filtering and permission checks in submit.php [Dirk]
- Fixed over-zealous parameter filtering in links.php which prevented
categories with apostrophes from working [Dirk]
- Fixed broken URLs when editing a plain-text story that contained uploaded
images (reported by LWC) [Dirk]
- The PEAR classes that ship with Geeklog actually require PHP 4.2.x now.
However, the missing functions in older PHP versions (minimum requirement
for Geeklog itself is now PHP 4.1.0) are provided by the PEAR PHP_Compat
package, which we will have to ship with Geeklog from now on. Added the
necessary code to lib-common.php to load PHP_Compat, if required [Dirk]
Many thanks to Tom Willet for providing a test setup.
- Fixed "quick add form" for personal events, so that it stores the new event
directly now [Dirk]
- Fixed handling of 12am/pm in events, event submissions, and when passing the
time from the calendar to the event submission forms [Dirk]
- Improved handling of personal events / personal calendar, especially for
(Event) Admins [Dirk]
- Fixed What's Related links when magic_quotes_gpc = on [Vinny, Dirk]
- Fixed use of an undefined variable $U in COM_showBlocks and warning messages
for undefined array indexes in COM_getCurrentURL (reported by irawen) [Dirk]
- Allow empty search query strings so that the "More by " and "More
from " options work again [Dirk]
- When deleting a poll, also delete any comments to that poll [Dirk]
- Delete comments and story images when deleting stories from a deleted topic
(bug #339) [Dirk]
- When deleting a story, added an extra check for type='article' when deleting
the story's comments [Dirk]
- Set current user as the owner when cloning an event (bug #338) [Dirk]
- Start time, end time, and event location weren't copied over when adding a
site event to the personal calendar (bug #336) [Dirk]
- Fixed wrong use of htmlentities() on comment title (bug #335) [Dirk]
- Changed "read more" word count so that it ignores HTML tags (bug #333) [Dirk]
- Updated Slovenian language file, provided by gape.
- Updated Dutch language file, provided by Ko de Pree.
- Updated Dutch language file for the Static Pages plugin,
provided by Ko de Pree.
- New French language files for the Spam-X plugin, provided by Alain Ponton.
Nov 28, 2004 (1.3.10)
------------
- Allow omission of the link text for the [story:], [event:], and [staticpage:]
autotags. Geeklog will then use the title (of the story / event / static page)
as the link text [Dirk]
(affected files: system/lib-plugins.php, plugins/staticpages/functions.inc)
- Updated Chinese language files (all 4 of them), provided by Samuel M. Stone
Nov 21, 2004 (1.3.10rc3)
------------
- Changed wording of the error message if the "backups" directory is not
writable [Dirk]
- Fixed comments for the DB_result (in lib-database.php) and dbResult
(in mysql.class.php) functions (bug #320) [Dirk]
- Display a success message when using the "changepw" option in admin/user.php
[Dirk]
- When changing a username, make sure to change the name of the user's photo,
too (bug #321) [Dirk]
- Links in "plain text" stories and comments are now made clickable (i.e.
enclosed in tags) when the post is saved instead of when it's displayed,
as in the previous release candidates. This also fixes bug #308. [Dirk]
- Added $_CONF['disable_autolinks'] config option to disable autolinks [Dirk]
- Removed ViewBlacklist.Admin.class.php from the Spam-X plugin [Tom Willet]
- Overhauled handling of personal events [Dirk]:
+ Fixed deleting personal events (again).
+ The upcoming events block now links to the event details of personal
events (just like it already did for site events).
+ Added stricter checks for permissions, user IDs, and the personal calendars
being activated in the first place.
- Added a check for allow_url_fopen if reading a (RSS) feed fails and report it
in error.log if it is off [Dirk]
- When deleting a story (automatically), make sure we're only deleting comments
belonging to that story (i.e. added a check for type = 'article') [Dirk]
- Added {event_type}, {lang_event_type}, and {edit_icon} in all the themes'
calendar/eventdetails.thtml template file [Dirk]
- Fixed some URLs in the calendar (missing slash) [Dirk]
- Comment IDs don't have to be numeric (in comment.php) [Vinny]
- The Static Pages plugin now takes $_CONF['showfirstasfeatured'] into account
when displaying static pages in center blocks (reported by eyecravedvd) [Dirk]
- Forgot to declare $_CONF as global when fixing bug #301 (bug #302) [Dirk]
- Updated Chinese language files (all 4 of them), provided by Samuel M. Stone
- Updated Japanese language files (euc-jp and UTF-8), provided by Yusuke Sakata
- Updated Polish language file, provided by Robert Stadnik
- Updated Slovenian language file, provided by gape
- Updated Spanish language file, provided by Angel Romero
- Updated Swedish language file, provided by Markus Berg
Oct 24, 2004 (1.3.10rc2)
------------
- Fixed plugin update function [Blaine]
- Set the target encoding in Geeklog's RSS parser (bug #301) [Dirk]
- Set the {topic_icon} variable to an empty string for the "Home" link in the
Topics block (reported by jhwhite) [Dirk]
- Fixed News Box Configuration, i.e. the ability to disable blocks [Vinny]
- In the story template files, the number of comments is now only a link when
there actually is a comment on the story [Dirk]
- Hard-coded the English word 'delete' in the URLs to delete a comment [Dirk]
- For the list of a user's recent comments, use 'mode=view' to link directly
to a comment now [Dirk]
- Fixed comment id in comment notification emails [Dirk]
- Fixed display of the number of static pages that the user has access to (in
the Admin Block) [Dirk]
- COM_makeClickableLinks did not recognize links with the 'http:' at the
start of a line [Dirk]
- Re-introduced between plugin sections in the What's New block, pretty
much reverting the change suggested by feature request #292 [Dirk]
- Introduced function COM_formatEmailAddress that creates a (more or less)
RFC(2)822 compliant email address from a name and an address [Dirk]
This function is now used for formatting the site address, as well as for
addresses entered by the user in profiles.php and admin/mail.php.
- The Spam-X plugin's MailAdmin action didn't send any email notifications,
since the call to COM_mail was commented out ... [Dirk]
- admin/mail.php and admin/group.php use the complete URL to the script in
the tag in story search results (bug #260) [Dirk]
- Added a second parameter to function COM_makeList that is used as a CSS
class name in the list it returns (use {list_class_name} to get the actual
class name, and {list_class} to get class="classname"). Changed the existing
calls to COM_makeList to include class names, so that you can now use the
following class names in your stylesheet to style lists: list-feed,
list-new-comments, list-new-links, list-new-plugins, list-older-stories,
list-personal-events, list-site-events, list-story-options, list-whats-related
(the names should be self-explanatory) [Dirk]
- Moved the docs directory to public_html/docs and added a link to it from the
Admin's block (can be switched off in config.php by setting the new option
$_CONF['link_documentation'] = 0) [Dirk]
- Replaced 'ppmtojpeg' with 'pnmtojpeg' when using NetPBM for scaling
uploaded JPEG images (bug #257) [Dirk]
- Added a check (and a warning message) for PHP 4.1.0 to the install script,
as that is our new minimum requirement [Dirk]
- Rewrote install/success.php and added a link to install/check.php [Dirk]
- Added the 'data' and 'pdfs' directory to install/check.php [Dirk]
- Integrated the "welcome email hack": If the file 'welcome_email.txt' exists
in the 'data' directory, the contents of that file are sent out as the
welcome email to new users (instead of the hard-coded welcome message) [Dirk]
- Introduced a 'data' directory ($_CONF['path_data'], defaulting to
/path/to/geeklog/data) and use it for the batch user import, as Geeklog's
base directory may not be writable on some setups (bug #77) [Dirk]
- Sort list of older polls by date (newest first) and added paging [Dirk]
- Make sure the old userphoto is deleted when uploading a new one (bug #228).
So far, the old photo was not removed when the file type changed (e.g. from
.gif to .jpg) [Dirk]
- Don't assume the uploaded file in usersettings.php is always the userphoto -
it may in fact belong to a plugin (bug #179). This bug prevented plugins from
uploading their own files through the plugin API [Dirk]
- Fixed repeating events in the personal calendar's day view (bug #232) [Dirk]
- COM_siteHeader() now accepts a page title (to go between the page's
... tags) as the second parameter, replacing the
$_CONF['pagetitle'] hack (which still works but should be avoided) [Dirk]
- In the site's page title, replace the site slogan with more meaningful
information, where possible, e.g. "Submit a Story" on the story submission
form, "Search Results", etc. (feature request #95) [Dirk]
- Fixed deleting events from the personal calendar (bug #199) [Dirk]
- Carry over the date and time from the calendar when Admins add a new event
(bug #132) [Dirk]
- Don't display "Site Events" headline in the Upcoming Events block when
personal calendars are off (feature request #151) [Dirk]
- Removed hard-coded am/pm formatted hours from the calendar's day view
(calendar/dayview/dayview.thtml) and replaced them with {xx_hour} variables,
where 'xx' is 0-23, which will be replaced with the hours formatted
according to the $_CONF['timeonly'] config variable [Dirk]
- Themes can now use a couple of CSS class names to style the small calendar (of
the previous and next month) in month view: .smallcal, .smallcal-headline,
.smallcal-week-even, .smallcal-week-odd, .smallcal-week-empty,
.smallcal-day-even, .smallcal-day-odd, and .smallcal-day-empty [Dirk]
- Improvements to the Story Archive Feature, UI tweaks, Language Extraction,
Added new field to the topics table. Admin now sets the archive topic in
the Topic Editor. Only one topic can be used - logic enforced. [Blaine]
- Don't emit the