[geeklog-cvs] geeklog-1.3/docs changes.html,1.18.2.2,1.18.2.3 config.html,1.23,1.23.2.1 history,1.120.2.2,1.120.2.3 install.html,1.23.2.1,1.23.2.2

dhaun at geeklog.net dhaun at geeklog.net
Fri Dec 5 14:38:47 EST 2003


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv24016/docs

Modified Files:
      Tag: geeklog_1_3_8_1_1
	changes.html config.html history install.html 
Log Message:
Updated documentation


Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.18.2.2
retrieving revision 1.18.2.3
diff -C2 -d -r1.18.2.2 -r1.18.2.3
*** changes.html	14 Oct 2003 21:21:56 -0000	1.18.2.2
--- changes.html	5 Dec 2003 19:38:44 -0000	1.18.2.3
***************
*** 23,26 ****
--- 23,43 ----
  of files that have been changed since the last release.</p>
  
+ <h2><a name="changes138-1sr3">Geeklog 1.3.8-1sr3</a></h2>
+ <p>This release addresses the following security-related issues:</p>
+ 
+ <ol>
+ <li>As "dr.wh0" pointed out, the category field for link submissions was not
+     filtered at all. Although you probably can't cause too much harm with
+     those 32 characters, this has now been fixed.</li>
+ <li>Vincent Furia found that the restrictions for the form to email users
+     could be circumvented and could even be used to spam users. 
+     In addition to fixing theses issues, there is now also a speed limit
+     on that form (defaults to the speed limit for story submissions).</li>
+ <li>There was a way to post comments anonymously even when posting for
+     anonymous users had been disabled.</li>
+ <li>It was possible to post comments under someone else's username.</li>
+ </ol>
+ 
+ 
  <h2><a name="changes138-1sr2">Geeklog 1.3.8-1sr2</a></h2>
  
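Review bot: "theses issues" in the second list item should read "these issues". The same item says the new speed limit "defaults to the speed limit for story submissions" without naming the configuration setting it reads, and items 3 and 4 describe only the symptom (anonymous comments possible while disabled, comments under another username) and not what the comment form now checks; one clause on the controlling setting and on what is now verified would help administrators judge the impact and tune the limit.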

Index: config.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/config.html,v
retrieving revision 1.23
retrieving revision 1.23.2.1
diff -C2 -d -r1.23 -r1.23.2.1
*** config.html	16 Jul 2003 09:45:43 -0000	1.23
--- config.html	5 Dec 2003 19:38:44 -0000	1.23.2.1
***************
*** 712,723 ****
      <th width="63%">Description</th></tr>
  <tr>
!   <td valign="top"><a name="desc_allowablehtml">allowablehtml</a></td>
!   <td valign="top"><p>,<b>,<i>,<a>,<em>,<br>,<tt>,<hr>,<li>,<ol>,<br>
!       <div>,<ul></td>
!   <td valign="top">Allowed HTML in stories submissions and comments.</td></tr>
  <tr>
!   <td valign="top"><a name="desc_adminhtml">adminhtml</a></td>
!   <td valign="top">the values from allowablehtml (above) plus HTML tags for tables</td>
!   <td valign="top">Allowed HTML that only admin users can use</td></tr>
  <tr>
    <td valign="top"><a name="desc_censormode">censormode</a></td>
--- 712,726 ----
      <th width="63%">Description</th></tr>
  <tr>
!   <td valign="top"><a name="desc_user_html">user_html</a></td>
!   <td valign="top"><p>,<b>,<i>,<a>,<em>,<br>,<tt>,<hr>,<ol>,<ul>,<br>
!       <li>,<code>,<pre></td>
!   <td valign="top">HTML tags and attributes that normal users are allowed to
!       use in story submissions and comments.</td></tr>
  <tr>
!   <td valign="top"><a name="desc_admin_html">admin_html</a></td>
!   <td valign="top">additional HTML tags, e.g. for tables</td>
!   <td valign="top">HTML tags and attributes that admin users are allowed to
!       use (in addition to those from user_html). Redefining a tag with
!       additional attributes will overwrite the definition from user_html.</td></tr>
  <tr>
    <td valign="top"><a name="desc_censormode">censormode</a></td>
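Review bot: the Default column for user_html and admin_html still lists bare tag names, while the new Description says "HTML tags and attributes"; since the filter is configured as tag-to-attribute arrays ($_CONF['user_html'] and $_CONF['admin_html'] in config.php, per the history entry in this commit), the table should show that array form so administrators can see, for instance, which attributes `<a>` accepts. The sentence "Redefining a tag with additional attributes will overwrite the definition from user_html" deserves emphasis: an admin_html entry that re-lists a tag replaces its attribute list entirely, so listing fewer attributes silently drops them and listing more widens what passes the filter, and both arrays should be reviewed together after an upgrade.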

Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.120.2.2
retrieving revision 1.120.2.3
diff -C2 -d -r1.120.2.2 -r1.120.2.3
*** history	14 Oct 2003 21:21:56 -0000	1.120.2.2
--- history	5 Dec 2003 19:38:44 -0000	1.120.2.3
***************
*** 1,4 ****
--- 1,21 ----
  GeekLog History/Changes:
  
+ December 5, 2003 (1.3.8-1sr3)
+ ----------------
+ 
+ This release addresses the following security-related issues:
+ 
+ 1. As "dr.wh0" pointed out, the category field for link submissions was not
+    filtered at all. Although you probably can't cause too much harm with
+    those 32 characters, this has now been fixed.
+ 2. Vincent Furia found that the restrictions for the form to email users
+    could be circumvented and could even be used to spam users. 
+    In addition to fixing theses issues, there is now also a speed limit
+    on that form (defaults to the speed limit for story submissions).
+ 3. There was a way to post comments anonymously even when posting for
+    anonymous users had been disabled.
+ 4. It was possible to post comments under someone else's username.
+ 
+ 
  October 14, 2003 (1.3.8-1sr2)
  ----------------
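Review bot: same typo as in changes.html, "theses issues" in item 2 should be "these issues". The two files are otherwise word-for-word copies of each other, so keeping them in sync (or generating one from the other) would avoid the two drifting apart in later security releases.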
***************
*** 367,370 ****
--- 384,415 ----
  
  Please see docs/staticpages.html for details.
+ 
+ 
+ October 12, 2003 (1.3.7sr3)
+ ----------------
+ 
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+ 
+ 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
+    injections and CSS defacements.
+ 
+    When upgrading from an earlier version, please make sure to copy over the
+    $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+    config.php to your own copy of that file.
+ 
+ 2. While almost all of the alleged SQL injection issues could not be
+    reproduced, this release includes an update to the MySQL class to not
+    report SQL errors in the browser any more (but only in Geeklog's error.log).
+    This will avoid disclosing any sensitive information as part of the error
+    message.
+ 
+    Please note that at the moment we do NOT recommend to use Geeklog with
+    MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+    not be used on production sites anyway).
+ 
+    An upcoming release of Geeklog will address the remaining SQL issues,
+    including any problems with MySQL 4.1.
+ 
  
  May 26, 2003 (1.3.7sr2)
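Review bot: the upgrade note in item 1 tells administrators to copy the $_CONF['user_html'] and $_CONF['admin_html'] arrays into their own config.php but not what happens when they are missing; please state whether the kses filter then falls back to a restrictive default or to no filtering, since a site upgraded without those arrays is exactly the case this release exists to cover. Minor wording: "Javascript" should be "JavaScript", and "do NOT recommend to use Geeklog" reads better as "do not recommend using Geeklog". The entry is dated October 12 but sits far below the October 14 (1.3.8-1sr2) entry; if 1.3.7sr3 is a maintenance release for the 1.3.7 line, saying so in the heading would explain the ordering.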

Index: install.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/install.html,v
retrieving revision 1.23.2.1
retrieving revision 1.23.2.2
diff -C2 -d -r1.23.2.1 -r1.23.2.2
*** install.html	12 Oct 2003 08:35:20 -0000	1.23.2.1
--- install.html	5 Dec 2003 19:38:44 -0000	1.23.2.2
***************
*** 139,143 ****
  			<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
  				<br>
! 				<code>tar -zxvf geeklog-1.3.8-1sr1.tar.gz</code><br>
  				<br>
  				<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
--- 139,143 ----
  			<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
  				<br>
! 				<code>tar -zxvf geeklog-1.3.8-1sr3.tar.gz</code><br>
  				<br>
  				<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
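Review bot: the only change in this hunk is the version string in the tar example, and the line still said 1.3.8-1sr1 in the docs shipped with 1.3.8-1sr2, so it goes stale on every security release; consider writing the filename generically (for example geeklog-&lt;version&gt;.tar.gz) or stating the release name once at the top of the install guide so the unpack command does not need editing each time.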
