[geeklog-cvs] geeklog-1.3/docs changes.html,1.9,1.10 history,1.62,1.63 install.html,1.10,1.11
dhaun at geeklog.net
Mon Jan 13 08:22:39 EST 2003
Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory internal.geeklog.net:/tmp/cvs-serv17446/docs
Modified Files:
changes.html history install.html
Log Message:
Updated documentation
Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.9
retrieving revision 1.10
diff -C2 -d -r1.9 -r1.10
*** changes.html 28 Dec 2002 13:28:34 -0000 1.9
--- changes.html 13 Jan 2003 13:22:37 -0000 1.10
***************
*** 20,26 ****
<p>This document is intended to give a quick overview over the most import
and / or obvious changes. For a detailed list of changes, please consult the
! <a href="history">ChangeLog</a>.</p>
! <h2>Geeklog 1.3.7</h2>
<h3>New Features</h3>
--- 20,54 ----
<p>This document is intended to give a quick overview over the most import
and / or obvious changes. For a detailed list of changes, please consult the
! <a href="history">ChangeLog</a>. The file <tt>docs/changed-files</tt> has a list
! of files that have been changed since the last release.</p>
! <h2>Geeklog 1.3.7sr1</h2>
!
! <h3>Security issues</h3>
!
! <p>The main purpose of this release is to fix the following security issues.
! All users are strongly recommended to upgrade to this version.</p>
! <ol>
! <li>Javascript code could be injected in the homepage field of a user's profile (reported by Jin Yean Tan).</li>
! <li>Javascript code could be injected in certain URLs to be used in a cross-site scripting attack (reported by Jin Yean Tan).</li>
! <li>Comments could be deleted by anybody if they knew the comment id (which is not normally visible).</li>
! <li>A StoryAdmin could manipulate stories even if s/he did not have access to them (e.g. when s/he was not a member of a certain group). The same applied to Admins for events, links, polls, topics, and blocks (reported by Kobaz).</li>
! </ol>
!
! <h3>Other Bugfixes</h3>
!
! <ul>
! <li>Fixed possible causes for endless loops with the redirect in index.php: No redirect will be done if $HTTP_SERVER_VARS['HTTP_HOST'] is not set. Also, the comparison of the configured and actual server name is not case-sensitive any more.</li>
! <li>Fixed image resizing when using ImageMagick.</li>
! <li>The new user notification email (introduced in Geeklog 1.3.7) was always
! sent out, even if 'user' was not listed in $_CONF['notification'].
! <li>The Admin menu will now be displayed for users who have Admin access to plugins only, but not to one of the core Admin features.</li>
! <li>The default for the daily digest is now back to "off", i.e. new users will not receive it automatically. To enable the daily digest for new users again, set $_CONF['emailstoriesperdefault'] = 1 in config.php.</li>
! </ul>
!
! <p>Documentation and hard-coded links (version check, link to Geeklog in a site's footer) have been updated to point to <a href="http://www.geeklog.net/">www.geeklog.net</a>.</p>
!
!
! <h2><a name="changes137">Geeklog 1.3.7</a></h2>
<h3>New Features</h3>
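Review bot: the "new user notification email" item (the `<li>` that begins "The new user notification email (introduced in Geeklog 1.3.7) was always") is never closed; the next `<li>` follows directly, so a `</li>` is missing after "$_CONF['notification']." to match the other items in the list. While in this file, the unchanged context line "the most import and / or obvious changes" should read "most important". The four security items are clear from the reader's side, but since the page says the release exists mainly to fix them, it would help administrators to state in that paragraph which installed versions are affected (the text only implies 1.3.7 via the heading) so they can decide whether an upgrade is required.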
***************
*** 96,100 ****
! <h2>Geeklog 1.3.6</h2>
<h3>New Features</h3>
--- 124,128 ----
! <h2><a name="changes136">Geeklog 1.3.6</a></h2>
<h3>New Features</h3>
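Review bot: the new `changes136` anchor is consistent with the `changes137` anchor added above, but the `<h2>Geeklog 1.3.7sr1</h2>` heading introduced at the top of this file has no anchor at all, so there is no stable target for the install notes or the release announcement to link to for the security-fix release itself; adding `<a name="changes137sr1">` there would keep the three headings uniform.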
Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.62
retrieving revision 1.63
diff -C2 -d -r1.62 -r1.63
*** history 9 Jan 2003 10:31:52 -0000 1.62
--- history 13 Jan 2003 13:22:37 -0000 1.63
***************
*** 1,7 ****
GeekLog History/Changes:
! January 1?, 2003 (1.3.7sr1)
----------------
- {copyright_notice} in the site's footer (footer.thtml) will now use the
current year for the copyright notice. You can override this by setting
--- 1,22 ----
GeekLog History/Changes:
! January 13, 2003 (1.3.7sr1)
----------------
+ Security issues:
+
+ 1. Javascript code could be used in the homepage link of a user's profile
+ (reported by Jin Yean Tan).
+ 2. Javascript code could be injected in several URLs so that these could then
+ be used for a cross-site scripting attack (reported by Jin Yean Tan).
+ 3. Anybody could delete comments, provided they knew the comment id.
+ 4. A StoryAdmin could manipulate any story, even if permissions should have
+ prevented that. The same applied to Admins for links, events, polls, topics,
+ and blocks (reported by Kobaz).
+
+ - The new user notification email was always sent out, even if 'user' was not
+ listed in $_CONF['notification'].
+ - In admin/database.php, added a check to test if function is_executable() is
+ available (since it is not available on Windows).
- {copyright_notice} in the site's footer (footer.thtml) will now use the
current year for the copyright notice. You can override this by setting
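Review bot: the entry adds only two non-security bullets (the notification email and the `is_executable()` check in admin/database.php), whereas the changes.html hunk in this same commit lists further 1.3.7sr1 fixes (the index.php redirect loop, ImageMagick resizing, the Admin menu for plugin-only admins, and the daily digest default); unless those are already recorded further down in this entry beyond the hunk context, they should be added here so the ChangeLog that changes.html points to is at least as complete as the summary. Also, the `is_executable()` bullet sits inside the dated 1.3.7sr1 entry but is not mentioned in changes.html's bugfix list; one of the two documents should be made to match the other.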
Index: install.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/install.html,v
retrieving revision 1.10
retrieving revision 1.11
diff -C2 -d -r1.10 -r1.11
*** install.html 28 Dec 2002 13:28:34 -0000 1.10
--- install.html 13 Jan 2003 13:22:37 -0000 1.11
***************
*** 139,143 ****
<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
<br>
! <code>tar -zxvf geeklog-1.3.6.tar.gz</code><br>
<br>
<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
--- 139,143 ----
<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
<br>
! <code>tar -zxvf geeklog-1.3.7sr1.tar.gz</code><br>
<br>
<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
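Review bot: the tarball name jumps from `geeklog-1.3.6.tar.gz` straight to `geeklog-1.3.7sr1.tar.gz`, which means the 1.3.7 release shipped an install document naming the previous version's archive; a hard-coded filename here will be wrong again at the next release. Either use a generic form such as `geeklog-<version>.tar.gz` in the example, or add updating this line to the release checklist next to the version bumps in changes.html and history.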
***************
*** 284,288 ****
If you are upgrading from 1.2.5-1 or a more recent version, the second step of the installation script should have an option to convert your database to the current version.<br>
<br>
! Please note that there were no database changes between versions 1.3.5, 1.3.5sr1, and 1.3.5sr2, so when upgrading from any of those versions, simply select "1.3.5" as your current version.<br>
<br>
<li>The rest of the upgrade process is identical to the install process. Once you successfully run the install script, you should be ready to go after restoring any files with custom code.
--- 284,288 ----
If you are upgrading from 1.2.5-1 or a more recent version, the second step of the installation script should have an option to convert your database to the current version.<br>
<br>
! Please note that there were no database changes between versions 1.3.5, 1.3.5sr1, and 1.3.5sr2. So when upgrading from any of those versions, simply select "1.3.5" as your current version. Also, there were no database changes between versions 1.3.7 and 1.3.7sr1, so you don't need to run the install script at all when upgrading from 1.3.7 to 1.3.7sr1.<br>
<br>
<li>The rest of the upgrade process is identical to the install process. Once you successfully run the install script, you should be ready to go after restoring any files with custom code.
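Review bot: "you don't need to run the install script at all when upgrading from 1.3.7 to 1.3.7sr1" is true for the database, but on its own it can be read as "no upgrade steps are needed", which would leave the security fixes this release exists for uninstalled; the sentence should say explicitly that the PHP files still have to be replaced and that only the database conversion step can be skipped. The changes.html hunk in this commit introduces `docs/changed-files` for exactly this case, so pointing to that list here would tell administrators which files to overwrite.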
***************
*** 331,334 ****
--- 331,336 ----
<p><code>INDEX stories_tid(tid),</code></p>
<p>Make sure you remove the entire line, including the comma. Once those lines are removed, you need to drop all the tables that were created by the installation script and re-run the installation script.</p>
+
+ <p><strong>Note:</strong> In December 2002, several <a href="http://security.e-matters.de/advisories/042002.html">security issues</a> have been found in MySQL. To fix these, MySQL AB has released <a href="http://www.mysql.com/documentation/mysql/bychapter/manual_News.html#News-3.23.54">MySQL version 3.23.54</a>. It may be a good idea to upgrade your MySQL installation (or ask your hosting service to do so).</p>
</td>
</tr>
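Review bot: the new MySQL advisory note is placed under the troubleshooting item about removing the `INDEX stories_tid(tid),` line and re-running the installation script, where readers who do not hit that particular error will never see it; a server-side MySQL vulnerability affects every installation, so the note belongs in the requirements or upgrade section. Two smaller points on the paragraph itself: "have been found" should be "were found" (it refers to a past month), and recommending "MySQL 3.23.54 or later" rather than linking one specific version keeps the advice correct once newer releases appear.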
***************
*** 376,380 ****
<p><b>I've set up my site successfully, but get the following error message on the top:</b></p>
<p><code>
! Warning: fopen("/some/path/logs/error.log", "a") - Permission denied in /some/path/public_html/lib-common.php on line 1318
</code></p>
</td>
--- 378,382 ----
<p><b>I've set up my site successfully, but get the following error message on the top:</b></p>
<p><code>
! Warning: fopen("/some/path/logs/error.log", "a") - Permission denied in /some/path/public_html/lib-common.php on line 1440
</code></p>
</td>
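Review bot: the only change in this hunk is the line number in the sample warning (1318 to 1440), which confirms that this FAQ entry has to be edited every time lib-common.php changes length; replacing the number with a placeholder such as "on line NNN" and saying the exact number varies by version would make the entry match what users see without needing per-release maintenance, since the relevant part of the message is the "Permission denied" on the logs directory, not the line.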
***************
*** 416,420 ****
<p>If you still have problems, please do one or more of the following:</p>
<p>1) Go to <a href="http://www.geeklog.net">http://www.geeklog.net</a> and check out the Support section. The Support section includes a <a href="http://www.geeklog.net/staticpages/index.php?page=20011218115325696">FAQ</a> and a <a href="http://www.geeklog.net/search.php">search system</a> (try searching for the error message, if you get one).</p>
! <p>2) Visit the mailing list archives at <a href="http://lists.geeklog.net/listinfo/geeklog-users">http://lists.geeklog.net/listinfo/geeklog-users</a>. You can also <a href="http://lists.geeklog.net/listinfo/geeklog-users">subscribe to the mailing list</a> and post your question to the Geeklog community</p>
<p>3) Try the chat room at <b>irc.freenode.net, channel #geeklog</b>. Please have all your path information in config.php and lib-common.php readily available.</p>
<p>4) Try entering the text of the error message on Google. Chances are you will find someone else who had the same problem and fixed it. And sometimes searching for a specific error will cause Google to bring up broken pages that have the same error.</p>
--- 418,422 ----
<p>If you still have problems, please do one or more of the following:</p>
<p>1) Go to <a href="http://www.geeklog.net">http://www.geeklog.net</a> and check out the Support section. The Support section includes a <a href="http://www.geeklog.net/staticpages/index.php?page=20011218115325696">FAQ</a> and a <a href="http://www.geeklog.net/search.php">search system</a> (try searching for the error message, if you get one).</p>
! <p>2) Visit the mailing list archives at <a href="http://lists.geeklog.net/pipermail/geeklog-users/">http://lists.geeklog.net/pipermail/geeklog-users/</a>. You can also <a href="http://lists.geeklog.net/listinfo/geeklog-users">subscribe to the mailing list</a> and post your question to the Geeklog community.</p>
<p>3) Try the chat room at <b>irc.freenode.net, channel #geeklog</b>. Please have all your path information in config.php and lib-common.php readily available.</p>
<p>4) Try entering the text of the error message on Google. Chances are you will find someone else who had the same problem and fixed it. And sometimes searching for a specific error will cause Google to bring up broken pages that have the same error.</p>
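Review bot: correcting the archive link to the pipermail URL (previously both links in item 2 pointed at the listinfo page) and adding the missing full stop is right. One suggestion on the unchanged item 3: "have all your path information in config.php and lib-common.php readily available" could state that only the path settings should be shared in the chat room, not the whole config.php, since configuration files of this kind also hold database settings that should not be pasted into a public channel.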