[geeklog-cvs] geeklog-1.3/docs changes.html,1.18.2.2,1.18.2.3 config.html,1.23,1.23.2.1 history,1.120.2.2,1.120.2.3 install.html,1.23.2.1,1.23.2.2
dhaun at geeklog.net
Fri Dec 5 14:38:47 EST 2003
Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv24016/docs
Modified Files:
Tag: geeklog_1_3_8_1_1
changes.html config.html history install.html
Log Message:
Updated documentation
Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.18.2.2
retrieving revision 1.18.2.3
diff -C2 -d -r1.18.2.2 -r1.18.2.3
*** changes.html 14 Oct 2003 21:21:56 -0000 1.18.2.2
--- changes.html 5 Dec 2003 19:38:44 -0000 1.18.2.3
***************
*** 23,26 ****
--- 23,43 ----
of files that have been changed since the last release.</p>
+ <h2><a name="changes138-1sr3">Geeklog 1.3.8-1sr3</a></h2>
+ <p>This release addresses the following security-related issues:</p>
+
+ <ol>
+ <li>As "dr.wh0" pointed out, the category field for link submissions was not
+ filtered at all. Although you probably can't cause too much harm with
+ those 32 characters, this has now been fixed.</li>
+ <li>Vincent Furia found that the restrictions for the form to email users
+ could be circumvented and could even be used to spam users.
+ In addition to fixing theses issues, there is now also a speed limit
+ on that form (defaults to the speed limit for story submissions).</li>
+ <li>There was a way to post comments anonymously even when posting for
+ anonymous users had been disabled.</li>
+ <li>It was possible to post comments under someone else's username.</li>
+ </ol>
+
+
<h2><a name="changes138-1sr2">Geeklog 1.3.8-1sr2</a></h2>
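Review bot: typo in the second list item, "fixing theses issues" should read "fixing these issues". The same item would also be clearer if it named the configuration setting whose value the new speed limit defaults to, instead of "the speed limit for story submissions"; the 1.3.7sr3 history entry already uses that style for $_CONF['user_html']. In the first item, "you probably can't cause too much harm with those 32 characters" reads as downplaying an unfiltered input field in a security advisory; stating plainly that the category field is now filtered like the other submission fields would serve readers better.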
Index: config.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/config.html,v
retrieving revision 1.23
retrieving revision 1.23.2.1
diff -C2 -d -r1.23 -r1.23.2.1
*** config.html 16 Jul 2003 09:45:43 -0000 1.23
--- config.html 5 Dec 2003 19:38:44 -0000 1.23.2.1
***************
*** 712,723 ****
<th width="63%">Description</th></tr>
<tr>
! <td valign="top"><a name="desc_allowablehtml">allowablehtml</a></td>
! <td valign="top"><p>,<b>,<i>,<a>,<em>,<br>,<tt>,<hr>,<li>,<ol>,<br>
! <div>,<ul></td>
! <td valign="top">Allowed HTML in stories submissions and comments.</td></tr>
<tr>
! <td valign="top"><a name="desc_adminhtml">adminhtml</a></td>
! <td valign="top">the values from allowablehtml (above) plus HTML tags for tables</td>
! <td valign="top">Allowed HTML that only admin users can use</td></tr>
<tr>
<td valign="top"><a name="desc_censormode">censormode</a></td>
--- 712,726 ----
<th width="63%">Description</th></tr>
<tr>
! <td valign="top"><a name="desc_user_html">user_html</a></td>
! <td valign="top"><p>,<b>,<i>,<a>,<em>,<br>,<tt>,<hr>,<ol>,<ul>,<br>
! <li>,<code>,<pre></td>
! <td valign="top">HTML tags and attributes that normal users are allowed to
! use in story submissions and comments.</td></tr>
<tr>
! <td valign="top"><a name="desc_admin_html">admin_html</a></td>
! <td valign="top">additional HTML tags, e.g. for tables</td>
! <td valign="top">HTML tags and attributes that admin users are allowed to
! use (in addition to those from user_html). Redefining a tag with
! additional attributes will overwrite the definition from user_html.</td></tr>
<tr>
<td valign="top"><a name="desc_censormode">censormode</a></td>
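Review bot: renaming the anchors from desc_allowablehtml and desc_adminhtml to desc_user_html and desc_admin_html breaks any existing links into this table; consider keeping the old names as additional anchors. The user_html value cell also lists &lt;br&gt; twice (once after &lt;em&gt; and once at the end of the first line), and since the second one appears to be a layout line break rather than a permitted tag, a reader cannot tell which; either move the line break outside the list or mark it unambiguously. Finally, the description says "tags and attributes", but the value cell only lists tags, so the table should show which attributes are permitted per tag (for &lt;a&gt; in particular), especially given the note that redefining a tag with additional attributes overwrites the user_html definition.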
Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.120.2.2
retrieving revision 1.120.2.3
diff -C2 -d -r1.120.2.2 -r1.120.2.3
*** history 14 Oct 2003 21:21:56 -0000 1.120.2.2
--- history 5 Dec 2003 19:38:44 -0000 1.120.2.3
***************
*** 1,4 ****
--- 1,21 ----
GeekLog History/Changes:
+ December 5, 2003 (1.3.8-1sr3)
+ ----------------
+
+ This release addresses the following security-related issues:
+
+ 1. As "dr.wh0" pointed out, the category field for link submissions was not
+ filtered at all. Although you probably can't cause too much harm with
+ those 32 characters, this has now been fixed.
+ 2. Vincent Furia found that the restrictions for the form to email users
+ could be circumvented and could even be used to spam users.
+ In addition to fixing theses issues, there is now also a speed limit
+ on that form (defaults to the speed limit for story submissions).
+ 3. There was a way to post comments anonymously even when posting for
+ anonymous users had been disabled.
+ 4. It was possible to post comments under someone else's username.
+
+
October 14, 2003 (1.3.8-1sr2)
----------------
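Review bot: same typo as in changes.html, "fixing theses issues" should be "fixing these issues". Since this text is duplicated verbatim between changes.html and history, the fix needs to land in both files so they do not drift apart.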
***************
*** 367,370 ****
--- 384,415 ----
Please see docs/staticpages.html for details.
+
+
+ October 12, 2003 (1.3.7sr3)
+ ----------------
+
+ This release is intended to address some of the security issues reported in
+ September and early October 2003.
+
+ 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript
+ injections and CSS defacements.
+
+ When upgrading from an earlier version, please make sure to copy over the
+ $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included
+ config.php to your own copy of that file.
+
+ 2. While almost all of the alleged SQL injection issues could not be
+ reproduced, this release includes an update to the MySQL class to not
+ report SQL errors in the browser any more (but only in Geeklog's error.log).
+ This will avoid disclosing any sensitive information as part of the error
+ message.
+
+ Please note that at the moment we do NOT recommend to use Geeklog with
+ MySQL 4.1 (which, at the time of this writing, is in alpha state and should
+ not be used on production sites anyway).
+
+ An upcoming release of Geeklog will address the remaining SQL issues,
+ including any problems with MySQL 4.1.
+
May 26, 2003 (1.3.7sr2)
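Review bot: the statement that suppressing SQL errors in the browser "will avoid disclosing any sensitive information as part of the error message" overstates what the change does; it reduces information disclosure but does not fix the underlying queries, which the same entry acknowledges by deferring "the remaining SQL issues" to an upcoming release. Suggest wording it as a mitigation ("reduces the information an attacker can learn from error messages") so administrators do not read it as the SQL issues being resolved. The MySQL 4.1 paragraph also gives no reason for the recommendation beyond its alpha status; a sentence on what breaks would help administrators judge the risk. The upgrade note about copying $_CONF['user_html'] and $_CONF['admin_html'] is useful; consider also saying what happens if those arrays are missing from an old config.php, since a silent failure there would affect the kses filter this release introduces.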
Index: install.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/install.html,v
retrieving revision 1.23.2.1
retrieving revision 1.23.2.2
diff -C2 -d -r1.23.2.1 -r1.23.2.2
*** install.html 12 Oct 2003 08:35:20 -0000 1.23.2.1
--- install.html 5 Dec 2003 19:38:44 -0000 1.23.2.2
***************
*** 139,143 ****
<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
<br>
! <code>tar -zxvf geeklog-1.3.8-1sr1.tar.gz</code><br>
<br>
<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
--- 139,143 ----
<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
<br>
! <code>tar -zxvf geeklog-1.3.8-1sr3.tar.gz</code><br>
<br>
<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
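Review bot: the only change in this hunk is the tarball version in the tar command, which has to be bumped by hand every release (it was already out of date at 1sr1 before this commit). Consider phrasing the example around the filename actually downloaded, e.g. "tar -zxvf geeklog-1.3.8-1sr3.tar.gz (substitute the version you downloaded)", so the install page does not silently point at a stale release the next time a security update ships.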