[geeklog-cvs] geeklog-1.3/docs changes.html,1.18.2.3,1.18.2.4 config.html,1.23.2.1,1.23.2.2 history,1.120.2.3,1.120.2.4 install.html,1.23.2.2,1.23.2.3

dhaun at geeklog.net
Sun Jan 18 16:45:11 EST 2004


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv6541

Modified Files:
      Tag: geeklog_1_3_8_1_1
	changes.html config.html history install.html 
Log Message:
Updated documentation


Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.18.2.3
retrieving revision 1.18.2.4
diff -C2 -d -r1.18.2.3 -r1.18.2.4
*** changes.html	5 Dec 2003 19:38:44 -0000	1.18.2.3
--- changes.html	18 Jan 2004 21:45:09 -0000	1.18.2.4
***************
*** 23,26 ****
--- 23,44 ----
  of files that have been changed since the last release.</p>
  
+ <h2><a name="changes138-1sr4">Geeklog 1.3.8-1sr4</a></h2>
+ <p>This release addresses the following security issues:</p>
+ 
+ <ol>
+ <li>It was possible for users in the Group Admin and User Admin groups to
+     become a member of the Root group (reported by Samuel M. Stone,
+     bug #135).</li>
+ <li>Being admin for a certain area (e.g. Story Admin for stories) made it
+     possible to delete all objects in that area (e.g. stories) even if the user
+     was not supposed to have access to them, provided the id of the object was
+     known.</li>
+ <li>It was possible to delete other people's personal events if you knew the
+     event ID.</li>
+ <li>It was possible to browse through the comments of a story even if the user
+     did not have access to the actual story (reported by Peter Roozemaal).</li>
+ </ol>
+ 
+ 
  <h2><a name="changes138-1sr3">Geeklog 1.3.8-1sr3</a></h2>
  <p>This release addresses the following security-related issues:</p>
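Review bot: items 2 and 3 of the new list describe the same class of defect (an object could be deleted by anyone holding the right admin role or simply by supplying a known id, with no check that the caller was allowed to access that particular object), yet only item 1 carries a bug number and a reporter; add the tracker references for the others where they exist so administrators can verify what was fixed. The qualifier "provided the id of the object was known" in item 2 reads as a mitigating factor and should not; phrase it as a missing per-object permission check instead. Also, this heading says "security issues" while the history file in the same commit says "security-related issues"; use one wording in both.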

Index: config.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/config.html,v
retrieving revision 1.23.2.1
retrieving revision 1.23.2.2
diff -C2 -d -r1.23.2.1 -r1.23.2.2
*** config.html	5 Dec 2003 19:38:44 -0000	1.23.2.1
--- config.html	18 Jan 2004 21:45:09 -0000	1.23.2.2
***************
*** 220,224 ****
  <tr>
    <td valign="top"><a name="desc_cookie_ip">cookie_ip</a></td>
!   <td valign="top">1</td>
    <td valign="top">Session ID to contain IP address of user as well as random number. This is more secure but will more than likely require dialed up users to login each and every time. (0=no, 1=yes)</td></tr>
  <tr>
--- 220,224 ----
  <tr>
    <td valign="top"><a name="desc_cookie_ip">cookie_ip</a></td>
!   <td valign="top">0</td>
    <td valign="top">Session ID to contain IP address of user as well as random number. This is more secure but will more than likely require dialed up users to login each and every time. (0=no, 1=yes)</td></tr>
  <tr>
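Review bot: the documented default for cookie_ip drops from 1 to 0, but the description on the following line is unchanged and still calls the option "more secure" without saying why the weaker setting is now the default. Add a sentence that states the trade-off (the dial-up re-login problem the description already mentions) and that sites whose users have stable addresses should keep 1, and say whether this is a documentation-only change or whether existing configurations are affected.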
***************
*** 231,248 ****
    <td valign="top">Session cookie timeout (in seconds).</td></tr>
  <tr>
    <td valign="top"><a name="desc_cookie_session">cookie_session</a></td>
    <td valign="top">gl_session</td>
!   <td valign="top">What the session ID is stored as in the cookie.</td></tr>
  <tr>
    <td valign="top"><a name="desc_cookie_name">cookie_name</a></td>
    <td valign="top">geeklog</td>
!   <td valign="top">The name of the cookie.</td></tr>
  <tr>
!   <td valign="top"><a name="desc_cookie_path">cookie_path</a></td>
!   <td valign="top">/</td>
!   <td valign="top">Cookie path.</td></tr>
  </table>
  
- 
  <h3><a name="login">Login settings</a></h3>
  
--- 231,285 ----
    <td valign="top">Session cookie timeout (in seconds).</td></tr>
  <tr>
+   <td valign="top"><a name="desc_cookie_path">cookie_path</a></td>
+   <td valign="top">/</td>
+   <td valign="top">Cookie path (see the <a href="http://www.php.net/manual/en/function.setcookie.php">PHP manual</a> for details).</td></tr>
+ <tr>
+   <td valign="top"><a name="desc_cookiedomain">cookiedomain</a></td>
+   <td valign="top"><i>(empty)</i></td>
+   <td valign="top">The domain that the cookie is available. Geeklog will attempt to guess the correct value for this setting (based on the 'site_url' variable). See the <a href="http://www.php.net/manual/en/function.setcookie.php">PHP manual</a> for details.</td></tr>
+ <tr>
+   <td valign="top"><a name="desc_cookiesecure">cookiesecure</a></td>
+   <td valign="top">0</td>
+   <td valign="top">Only set to 1 if your site uses HTTPS (see the <a href="http://www.php.net/manual/en/function.setcookie.php">PHP manual</a> for details).</td></tr>
+ </table>
+ 
+ <h3><a name="cookie">Cookie Names</a></h3>
+ 
+ <p>These variables define the names of all of Geeklog's cookies. They can easily be changed in case there's a name collision with the cookies used by some other software package that you may use on your site.</p>
+ 
+ <table border="1" width="100%">
+ <tr><th width="8%">Variable</th>
+     <th width="29%">Default Value</th>
+     <th width="63%">Description</th></tr>
+ <tr>
    <td valign="top"><a name="desc_cookie_session">cookie_session</a></td>
    <td valign="top">gl_session</td>
!   <td valign="top">Name of the cookie that stores the session ID.</td></tr>
  <tr>
    <td valign="top"><a name="desc_cookie_name">cookie_name</a></td>
    <td valign="top">geeklog</td>
!   <td valign="top">Name of the permanent cookie.</td></tr>
  <tr>
!   <td valign="top"><a name="desc_cookie_password">cookie_password</a></td>
!   <td valign="top">password</td>
!   <td valign="top">Name of the password cookie.</td></tr>
! <tr>
!   <td valign="top"><a name="desc_cookie_theme">cookie_theme</a></td>
!   <td valign="top">theme</td>
!   <td valign="top">Name of the theme cookie.</td></tr>
! <tr>
!   <td valign="top"><a name="desc_cookie_language">cookie_language</a></td>
!   <td valign="top">language</td>
!   <td valign="top">Name of the language cookie.</td></tr>
! <tr>
!   <td valign="top"><a name="desc_cookie_lastvisit">cookie_lastvisit</a></td>
!   <td valign="top">LastVisit</td>
!   <td valign="top">Name of the cookie that stores the time of the last visit (used in session handling).</td></tr>
! <tr>
!   <td valign="top"><a name="desc_cookie_lastvisittemp">cookie_lastvisittemp</a></td>
!   <td valign="top">LastVisitTemp</td>
!   <td valign="top">Name of a temporary cookie that stores the time of the last visit (used in session handling).</td></tr>
  </table>
  
  <h3><a name="login">Login settings</a></h3>
  
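Review bot: the cookiesecure description says when to set the option but not what it does; "Only set to 1 if your site uses HTTPS" reads as a restriction rather than a recommendation. State that with 1 the cookies carry the secure attribute (the last parameter of the setcookie() call the entry links to), so a browser only transmits them over HTTPS, and that sites served over HTTPS should set it. For cookiedomain, "The domain that the cookie is available" is missing a preposition ("available for"), and the entry should say what happens when the guess based on site_url is wrong. The cookie_password entry ("Name of the password cookie") should say what that cookie holds and when it is set, since a reader deciding on cookiesecure and cookie_ip needs to know which of the listed cookies carry credentials.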
***************
*** 315,319 ****
    <td valign="top"><a name="desc_usersubmission">usersubmission</a></td>
    <td valign="top">1</td>
!   <td valign="top">Enable (1) or disable (0) the user submission queue</td></tr>
  <tr>
    <td valign="top"><a name="desc_allow_domains">allow_domains</a></td>
--- 352,357 ----
    <td valign="top"><a name="desc_usersubmission">usersubmission</a></td>
    <td valign="top">1</td>
!   <td valign="top">Enable (1) or disable (0) the user submission queue (i.e.
!       new users must be approved before they receive their password)</td></tr>
  <tr>
    <td valign="top"><a name="desc_allow_domains">allow_domains</a></td>
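Review bot: the added parenthetical explains what 1 means (new users must be approved before they receive their password) but the entry still does not say what happens with 0; document both values so the security implication of disabling the queue is clear.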

Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.120.2.3
retrieving revision 1.120.2.4
diff -C2 -d -r1.120.2.3 -r1.120.2.4
*** history	5 Dec 2003 19:38:44 -0000	1.120.2.3
--- history	18 Jan 2004 21:45:09 -0000	1.120.2.4
***************
*** 1,4 ****
--- 1,21 ----
  GeekLog History/Changes:
  
+ January 21, 2004 (1.3.8-1sr4)
+ ----------------
+ 
+ This release addresses the following security-related issues:
+ 
+ 1. It was possible for users in the Group Admin and User Admin groups to
+    become a member of the Root group (reported by Samuel M. Stone, bug #135).
+ 2. Being admin for a certain area (e.g. Story Admin for stories) made it
+    possible to delete all objects in that area (e.g. stories) even if the
+    user was not supposed to have access to them, provided the id of the object
+    was known.
+ 3. It was possible to delete other people's personal events if you knew the
+    event ID.
+ 4. It was possible to browse through the comments of a story even if the user
+    did not have access to the actual story (reported by Peter Roozemaal).
+ 
+ 
  December 5, 2003 (1.3.8-1sr3)
  ----------------
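Review bot: the release date "January 21, 2004" is three days after the date of this commit (Sun Jan 18); confirm it matches the actual release date. The wording also differs from changes.html in the same commit ("security-related issues" here, "security issues" there); keep the two changelogs aligned, including bug numbers and reporter credits, since item 1 is the only one with a reference in either file.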

Index: install.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/install.html,v
retrieving revision 1.23.2.2
retrieving revision 1.23.2.3
diff -C2 -d -r1.23.2.2 -r1.23.2.3
*** install.html	5 Dec 2003 19:38:44 -0000	1.23.2.2
--- install.html	18 Jan 2004 21:45:09 -0000	1.23.2.3
***************
*** 139,143 ****
  			<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
  				<br>
! 				<code>tar -zxvf geeklog-1.3.8-1sr3.tar.gz</code><br>
  				<br>
  				<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
--- 139,143 ----
  			<li>Unpack the tarball *within* your web tree by running the following in your shell (this assumes you have ssh access and that you are working with the tarball <i>on the designated server </i>- this can be locally or hosted elsewhere):<br>
  				<br>
! 				<code>tar -zxvf geeklog-1.3.8-1sr4.tar.gz</code><br>
  				<br>
  				<b>FTP, Windows Users:</b> unpack the tarball on your <i>local computer</i> and upload the result to your designated server. Everything uploads as ASCII except the images.<br>
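Review bot: the tarball name is hard-coded in the instructions and has to be edited on every release (this hunk only bumps sr3 to sr4); consider writing it as a pattern such as geeklog-&lt;version&gt;.tar.gz with a pointer to the download page, so the install guide does not silently go stale between documentation updates.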




