Changes
This document is intended to give a quick overview of the most important
and / or obvious changes. For a detailed list of changes, please consult the
ChangeLog. The file docs/changed-files has a list
of files that have been changed since the last release.
Security issues
The purpose of this release is to fix the following security issues.
All users are strongly encouraged to upgrade to this version ASAP.
- It was possible to obtain valid session ids for every account on a Geeklog
site, including the Admin account (reported by SCAN Associates).
- Using Internet Explorer, it was possible to upload an image with embedded
PHP code and execute it (reported by SCAN Associates).
- Story permissions could override topic permissions, resulting in the display
of stories to users who shouldn't have access to them (reported by Andrew
Lawlor). This was already fixed with the new index.php, released
2003-05-15.
- Added a warning in config.php that adding any of the following
tags to the list of allowable HTML can make the site vulnerable to
scripting attacks:
<img> <span> <marquee> <script>
<embed> <object> <iframe>
(pointed out by Joat Dede).
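The second issue above (an image with embedded PHP code that the server ends up executing) is the classic upload problem: the file type and the stored name were derived from what the browser sent. The following is an added illustration of the usual fix and is not Geeklog's upload code; the magic-byte table is real, while the stored-name scheme, the size limit and the code-marker check are constructed for this example.

```python
"""Upload check of the kind that closes the "image with embedded PHP" hole:
trust neither the client's filename nor its Content-Type, decide the file
type from its bytes, and store the file under a server-chosen name whose
extension comes from the sniffed type, so the web server serves it as an
image and never hands it to the PHP interpreter.

Added illustration, not Geeklog's upload code; the naming scheme is made up.
"""

# Leading bytes of the image formats accepted here.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
)

# Code markers that have no business inside an image file (belt and braces:
# the real protection is the extension chosen below, not this scan).
CODE_MARKERS = (b"<?php", b"<script")


def sniff_image_type(data):
    """Return 'png', 'gif' or 'jpg' from the file's first bytes, else None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def classify_upload(data, max_size=1024 * 1024):
    """Return ('ok', kind) for an acceptable image, else ('rejected', why).
    The filename and Content-Type sent by the browser are deliberately not
    parameters: nothing the client says about the file is used."""
    if len(data) > max_size:
        return ("rejected", "larger than %d bytes" % max_size)
    kind = sniff_image_type(data)
    if kind is None:
        return ("rejected", "not a PNG, GIF or JPEG")
    lowered = data.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        return ("rejected", "image contains embedded code")
    return ("ok", kind)


def stored_name(uid, seq, data):
    """Name to store an accepted upload under: owner id, a per-user sequence
    number and the sniffed extension. Raises ValueError if rejected."""
    status, detail = classify_upload(data)
    if status != "ok":
        raise ValueError(detail)
    return "%d_%d.%s" % (uid, seq, detail)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # constructed header only
    print(classify_upload(png), stored_name(7, 1, png))
    print(classify_upload(b"GIF89a<?php echo 1; ?>"))
```

Because the extension is never taken from the client, a name like "photo.php" or "photo.jpg.php" cannot survive the upload; the marker scan only adds a second line of defence against images that also carry markup a sniffing browser might render.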
This update also includes fixes for the notorious "permission denied"
error messages that some users would get in the Admin area (e.g. when trying
to save a story and being "only" a user with Story Admin permissions).
The full 1.3.7sr2 tarball also includes various new and updated language
files (see the Changelog for details).
Security issues
The main purpose of this release is to fix the following security issues.
All users are strongly recommended to upgrade to this version.
- Javascript code could be injected in the homepage field of a user's profile (reported by Jin Yean Tan).
- Javascript code could be injected in certain URLs to be used in a cross-site scripting attack (reported by Jin Yean Tan).
- Comments could be deleted by anybody if they knew the comment id (which is not normally visible).
- A StoryAdmin could manipulate stories even if s/he did not have access to them (e.g. when s/he was not a member of a certain group). The same applied to Admins for events, links, polls, topics, and blocks (reported by Kobaz).
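Two of the items in this file come down to the same rule: HTML that users may post is an allowlist (the config.php warning above lists tags that must stay off it), and a user-supplied URL such as the profile homepage field needs a scheme check before it is written into a link. The following is an added illustration of both and is not Geeklog's own filter; the default allowlist and the function names are constructed for the example.

```python
"""Allowlist-based HTML filter plus a check of the "allowable HTML" setting.

Added illustration, not Geeklog's own filter: it shows why the tags named in
the config.php warning must not be on the allowlist, and why a user-supplied
URL (such as the profile homepage field) needs a scheme check.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags the release notes warn about: each can run script or load active content.
SCRIPT_BEARING_TAGS = frozenset(
    {"img", "span", "marquee", "script", "embed", "object", "iframe"})

# A conservative allowlist, constructed for this example.
DEFAULT_ALLOWED = frozenset(
    {"p", "b", "i", "u", "a", "pre", "code", "br", "ul", "ol", "li"})


def risky_allowed_tags(allowed):
    """Return the configured tags that the warning says not to allow.
    Accepts entries written either as 'img' or as '<img>'."""
    normalized = {t.strip().lower().strip("<>") for t in allowed}
    return sorted(SCRIPT_BEARING_TAGS & normalized)


def is_safe_link(value):
    """Accept http(s) and relative URLs only. Control characters are removed
    first because browsers ignore them inside a scheme ('java\\tscript:')."""
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")
    return urlsplit(cleaned).scheme.lower() in ("http", "https", "")


class AllowlistFilter(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags. A disallowed tag is
    dropped but its text content is kept (escaped); the only attribute ever
    kept is a safe href on <a>, so on* handlers can never survive."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = {t.lower() for t in allowed}
        self.out = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in self.allowed:
            return
        kept = ""
        for name, value in attrs:
            if tag == "a" and name.lower() == "href" and value and is_safe_link(value):
                kept = ' href="%s"' % escape(value, quote=True)
        self.out.append("<%s%s>" % (tag, kept))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in self.allowed:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped on output, so entities cannot smuggle markup in.
        self.out.append(escape(data))


def filter_html(html, allowed=DEFAULT_ALLOWED):
    """Run the allowlist filter over a posting and return the cleaned HTML."""
    f = AllowlistFilter(allowed)
    f.feed(html)
    f.close()
    return "".join(f.out)


if __name__ == "__main__":
    print(risky_allowed_tags(["<b>", "<img>", "<iframe>"]))
    print(filter_html('<b>hi</b><script>alert(1)</script><a href="javascript:x">y</a>'))
```

The point of the allowlist shape is that anything not explicitly permitted is dropped by default, so a newly discovered dangerous tag or attribute does not need to be added to a blocklist; the URL check is what stops a profile homepage of the form javascript:... from becoming a clickable link.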
Other Bugfixes
- Fixed possible causes for endless loops with the redirect in index.php: No redirect will be done if $HTTP_SERVER_VARS['HTTP_HOST'] is not set. Also, the comparison of the configured and actual server name is not case-sensitive any more.
- Fixed image resizing when using ImageMagick.
- The new user notification email (introduced in Geeklog 1.3.7) was always
sent out, even if 'user' was not listed in $_CONF['notification'].
- The Admin menu will now be displayed for users who have Admin access to plugins only, but not to one of the core Admin features.
- The default for the daily digest is now back to "off", i.e. new users will not receive it automatically. To enable the daily digest for new users again, set $_CONF['emailstoriesperdefault'] = 1 in config.php.
Documentation and hard-coded links (version check, link to Geeklog in a site's footer) have been updated to point to www.geeklog.net.
New Features
- A notification email can now be sent when a new story, link, or event
has been submitted or a new user has registered with the site (see the
submission settings for details).
Please note that this feature doesn't tie in with Geeklog's security
features - it's really more of a hack, since many people asked for this
functionality.
- Following the "X stories in last 24 hours" link in the What's New block
will now display just those new stories.
- User photos are now resized, just like images in stories (if the use
of an image library is configured). The maximum dimensions for user photos
can be set with a separate set of config variables in
config.php.
- The plugin menu now lists all plugins which exist in the file system
but haven't been installed yet. It also provides a link to the install
script of those plugins for easy installation.
- Several new config variables have been added to config.php (notification,
showfirstasfeatured, dateonly, timeonly, skip_preview, upcomingeventsrange,
emailstoryloginrequired, hideemailicon, hideprintericon, hidenewstories,
hidenewcomments, hidenewlinks, max_photo_width, max_photo_height,
max_photo_size). Please see the config documentation for details.
- Theme changes: Please consult the themes
documentation for a list of changes.
Bugfixes
- Added sanity checks in the Admin story editor to prevent the loss of all
stories when using an incomplete language file (or when manipulating the
URL).
- Fixed a nasty bug in lib-security.php that let any user with UserAdmin
permissions change the Root user's password, thus effectively becoming
root.
- Fixed problems with blocks disappearing when they were set to
"homeonly".
- Fixed problems with multiple [code] ... [/code] sections in stories
and comments.
- Fixed double line spacing in [code] sections and HTML-formatted comments
on PHP 4.2.0 and up.
- Fixed problems with slashes and HTML entities in emails sent by
Geeklog.
- Fixes and improvements to the plugin API.
Contributors: Blaine Lang, Vincent Furia, and Kenn Osborne
have contributed to this release. Thank you!
If you're upgrading from 1.3.6 or older versions, you may want to run the
script called addindex.php that you will find in the install
directory. This script adds index fields to some of Geeklog's database tables
which should improve overall access times a bit.
This has been implemented as a separate script (and not as part of the
upgrade process of the install script) since it may take some time to run,
depending on how many users / stories / etc. you have in your database. Some
people may even run into timeouts, e.g. when their hosting service limits the
execution time of PHP scripts. If that happens to you - Don't
Panic. Simply run the script again (and again and ...) until it
reports that it didn't add any fields to any tables.
Please note that you do not need to run this script if you're doing
a fresh install of Geeklog 1.3.7. A database created during a fresh install
already has the new index fields.
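The "run it again until it reports nothing was added" advice works only because each run checks what already exists and commits every index on its own. The following added example shows that shape against an in-memory SQLite database; it is not addindex.php (which targets MySQL and Geeklog's own tables), and the table, column and index names are constructed for the example.

```python
"""Re-runnable index creation in the style the upgrade notes describe: each
run adds only the indexes that are still missing and reports how many it
added, so a run cut short by a timeout can simply be repeated.

Added example, not Geeklog's addindex.php; names are constructed.
"""
import sqlite3

# (table, index name, column) triples; constants, never user input.
WANTED_INDEXES = [
    ("stories", "idx_stories_date", "date"),
    ("stories", "idx_stories_tid", "tid"),
    ("comments", "idx_comments_sid", "sid"),
]


def make_sample_db():
    """Constructed schema standing in for a site's existing tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE stories (sid TEXT PRIMARY KEY, tid TEXT, date TEXT);
        CREATE TABLE comments (cid INTEGER PRIMARY KEY, sid TEXT, date TEXT);
    """)
    return conn


def existing_indexes(conn, table):
    """Names of the indexes currently defined on `table`."""
    return {row[1] for row in conn.execute("PRAGMA index_list(%s)" % table)}


def add_missing_indexes(conn, wanted=WANTED_INDEXES, budget=None):
    """Create each wanted index that does not exist yet and return how many
    were added by this call. `budget` caps the number created per call to
    simulate a run that is interrupted by a script timeout."""
    added = 0
    for table, name, column in wanted:
        if name in existing_indexes(conn, table):
            continue                      # already done by an earlier run
        if budget is not None and added >= budget:
            break                         # simulated timeout mid-run
        conn.execute("CREATE INDEX %s ON %s(%s)" % (name, table, column))
        conn.commit()                     # each index is durable on its own
        added += 1
    return added


def run_until_done(conn, budget=None):
    """Repeat runs until one reports zero additions; return the counts."""
    counts = []
    while True:
        n = add_missing_indexes(conn, budget=budget)
        counts.append(n)
        if n == 0:
            return counts


if __name__ == "__main__":
    print(run_until_done(make_sample_db(), budget=1))   # e.g. [1, 1, 1, 0]
```

With budget=1 every run "times out" after one index, and the loop still converges because nothing is ever redone; the final run reporting 0 is the signal the notes above tell you to wait for.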
New Features
- Images in articles can now be resized automatically during upload
(provided you have either ImageMagick or netpbm installed). See the
configuration description for details.
- The contents of a static page entitled "Frontpage" will be displayed
before the first story on the front page of a Geeklog site. If the static
page additionally carries the label "nonews", then it will completely
replace the news on the front page.
- User submission queue: When activated (in config.php), new users will need to
be approved by an admin before they receive their password.
- The submission queues can be switched off separately, either completely
(in config.php) or only for
certain groups of users (by using the new features story.submit,
links.submit, and event.submit).
- When posting source code (e.g. PHP, HTML, ...), you can now use the
[code] ... [/code] pseudo tags to enclose those portions of your posting
that should be reproduced verbatim.
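The [code] ... [/code] pseudo tags introduced here (and the later fix for postings with several such sections) are a small parsing problem: every section must be found, its contents escaped verbatim, and the text between sections left to the normal filter. The following is an added example of that parser, not Geeklog's implementation; the choice to leave an unterminated [code] tag as literal text is this example's own.

```python
"""Render [code] ... [/code] sections of a posting verbatim.

Added example, not Geeklog's code. Every section (however many) becomes an
HTML-escaped <pre><code> block; the text between sections is passed to the
`outside` callable, which stands in for the site's normal HTML filter.
"""
import re
from html import escape

# Non-greedy so that several sections in one posting are matched separately.
CODE_RE = re.compile(r"\[code\](.*?)\[/code\]", re.IGNORECASE | re.DOTALL)


def count_code_sections(text):
    """Number of complete [code] ... [/code] sections in the posting."""
    return len(CODE_RE.findall(text))


def render_code_sections(text, outside=None):
    """Return `text` with each [code] section replaced by an escaped block.
    An unterminated [code] is left as literal text rather than swallowing the
    rest of the posting."""
    outside = outside or (lambda s: s)
    parts = []
    pos = 0
    for m in CODE_RE.finditer(text):
        parts.append(outside(text[pos:m.start()]))
        body = m.group(1)
        # Drop one newline after [code] and before [/code] so a block written
        # on its own lines does not start and end with a blank line.
        if body.startswith("\n"):
            body = body[1:]
        if body.endswith("\n"):
            body = body[:-1]
        parts.append("<pre><code>%s</code></pre>" % escape(body))
        pos = m.end()
    parts.append(outside(text[pos:]))
    return "".join(parts)


if __name__ == "__main__":
    sample = "Try [code]<?php echo 1; ?>[/code] then [CODE]a < b[/CODE] done"
    print(count_code_sections(sample))
    print(render_code_sections(sample, outside=escape))
```

Passing the site's filter as `outside` keeps the two responsibilities separate: code sections are escaped as a whole and never reach the tag filter, so a "<?php" or "<script>" inside them is displayed, not interpreted.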
- The links section now uses a categorized and paged display (can be
switched off separately and even back to the
pre-1.3.6 style listing).
- Anonymous users can now be blocked from
almost every part of the site (e.g. links section, site stats, ...), if
needed.
- A Geeklog site can now be disabled easily (e.g. for maintenance) by
setting a flag in config.php.
- Theme changes: Please consult the themes
documentation for a list of changes.
Bugfixes
- Several fixes have been made to ensure that permissions are taken into
account properly (e.g. not revealing titles of stories that the user has no
access to).
- Several fixes have been made to make sure that Geeklog can now be
properly localized (provided you have a language file that is up to date
and have chosen the proper locale settings
for your country and language).
- The variable $_CONF['site_admin_url'] is now used properly so that you
can rename Geeklog's admin directory if needed.
- The new RDF parser now imports most (if not all) RDF news feeds
properly.
Notes
- Since there are a lot of new variables in config.php, it is
recommended you start with a fresh copy of that file instead of copying
over your old config.php from your previous installation.
- Please note that currently only the English, German, Italian, Polish,
and Japanese language files are up to date. Using one of the other
language files may result in your Geeklog site not working properly.
Contributors: Gene Wood, Blaine Lang, Tom Willet, and
Roger Webster have contributed to this release. Thank you!