<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Geeklog Documentation - Changes</title>
<link rel="stylesheet" type="text/css" href="../docstyle.css" title="Dev Stylesheet"/>
</head>
<body>
<p><a href="https://www.geeklog.net/" style="background:transparent"><img src="../images/newlogo.gif" alt="Geeklog"
width="243" height="90"/></a></p>
<div class="menu"><a href="index.html">Geeklog Documentation</a> - Changes</div>
<h1><a name="changes">Changes</a></h1>
<p>This document is intended to give a quick overview of the most important
and / or obvious changes. For a detailed list of changes, please consult the
<a href="../history">ChangeLog</a>. The file <span class="tt">docs/changed-files</span> has a
list of files that have been changed since the last release.</p>
<h2><a name="changes220">Geeklog 2.2.0</a></h2>
<p>Geeklog 2.2.0's major new features include ...</p>
<h3>New Features and Improvements</h3>
<ul>
<li>Dropped support for Live Journal authentication.</li>
<li>Added Akismet module for the Spam-X plugin.</li>
<li>Added reCAPTCHA plugin with support for Invisible reCAPTCHA.</li>
<li>Dropped COM_siteHeader and COM_siteFooter functions. Please use COM_createHTMLDocument instead.</li>
<li>Added Two Factor Authentication option.</li>
</ul>
<h2><a name="changes213">Geeklog 2.1.3</a></h2>
<p>Geeklog 2.1.3 is mainly a bug fix release.</p>
<h3>New Features and Improvements</h3>
<ul>
<li>Numerous bug and security fixes.</li>
</ul>
<h2><a name="changes212">Geeklog 2.1.2</a></h2>
<p>Geeklog 2.1.2's major new features include a number of new administration tools, along with support for URL routing
and for detecting mobile visitors.</p>
<p>The Geeklog minimum requirements have changed slightly: Geeklog now supports PHP 7 and the default settings for
MySQL 5.7. The minimum requirements are:</p>
<ul>
<li>PHP 5.3.3 or higher</li>
<li>MySQL 4.1.2 or higher (MySQL 5 recommended)</li>
<li>PostgreSQL 9.1.7 or later</li>
</ul>
<p>This Geeklog release no longer supports Microsoft SQL Server (mssql). The Professional and Professional CSS themes
also have been removed. Geeklog ships with jQuery v3.1.1, jQuery UI v1.12.1, CKEditor v4.6.1, UIkit v2.27.2,
Filemanager v2.2.0, and OAuth class v1.152.</p>
<h3>Major New Features and Improvements</h3>
<ul>
<li>Added description, multiple answers per question to the Poll Plugin (code provided by Ivy, feature request
#629)
</li>
<li>Added "Related Articles Section" to the article view (code provided by Andreas, feature request #444)</li>
<li>Added Language override feature (feature request #669)</li>
<li>Added an admin page for comments (feature request #586)</li>
<li>Install files are now (optionally) deleted on successful install or upgrade (feature request #635)</li>
<li>Added URL-routing feature which enables you to use public_html/index.php as a pseudo-front controller (feature
requests #211, #326)
</li>
<li>The way topics display is now controlled by $_CONF['url_rewrite'] (regardless of the value of
$_CONF['url_routing'])
</li>
<li>Added new modules for the Spam-X plugin (feature request #585, files provided by Dirk Haun)</li>
<li>Added an ability to change article template file with the topic (feature request #275, code provided by
@hostellerie)
</li>
<li>Added the ability to search poll comments (feature request #394)</li>
<li>Added a new config option $_CONF['gravatar_identicon'] to specify a default gravatar icon type (bug #579)</li>
<li>Added ability for Geeklog to detect device type (mobile or computer) of visitor. This can be used by blocks to
display only for a certain device type
</li>
<li>Blocks can display based on visitor device type</li>
<li>Template variable {device_mobile} added which returns true if viewing device is considered mobile (phone and
tablet)
</li>
<li>Removed PEAR settings. PEAR libraries are now managed by way of Composer</li>
<li>New Denim Curve theme which is a child theme of Denim and based on the look of the Modern Curve theme</li>
<li>New Geeklog Database backup which now works without using an external program</li>
<li>Improved Geeklog Install process which now includes upgrade messages</li>
<li>Support for MySQL databases which use a 4 byte character set (utf8mb4_xxx_ci)</li>
<li>COM_switchLocaleSettings now overrides $_CONF['meta_description'],$_CONF['meta_keywords'], $_CONF['site_name'],
$_CONF['owner_name'], and $_CONF['site_slogan'].
</li>
<li>Updates to a number of libraries including Pear, Uikit, OAuth, jQuery, and jQuery UI</li>
<li>Numerous bug and security fixes.</li>
</ul>
<h2><a name="changes211">Geeklog 2.1.1</a></h2>
<p>Geeklog 2.1.1's major new feature is the inclusion of the UIkit framework. It is "a lightweight and modular front-end
framework for developing fast and powerful web interfaces".</p>
<p>This Geeklog release now ships with jQuery v1.11.3, jQuery UI v1.11.4, CKEditor v4.5.4, UIkit v2.24.0, Filemanager
v2.2.0, and OAuth class v1.411.</p>
<h3>Major New Features and Improvements</h3>
<ul>
<li>Integrated UIkit framework into Geeklog core.</li>
<li>Support for multiple theme templates with plugins.</li>
<li>Numerous bug and security fixes.</li>
</ul>
<h2><a name="changes210">Geeklog 2.1.0</a></h2>
<p>Geeklog 2.1.0's major new features include an updated template library and a new advanced editor system. A large
number of bugs related to child topics, which were introduced in Geeklog 2.0.0, have also been fixed.</p>
<p>This Geeklog release now ships with jQuery 1.10.2 and jQuery UI 1.10.3.</p>
<h3>Major New Features and Improvements</h3>
<ul>
<li>Integrated Caching Template Library, originally developed by Joe Mucchiello.</li>
<li>Support for themes to specify a default theme.</li>
<li>Added configurable caching support for blocks (regular and gldefault), staticpages and articles.</li>
<li>Speed increases by caching topic tree structure.</li>
<li>New OAuth login methods supported (Google, Microsoft, Yahoo).</li>
<li>New Advanced Editor System that allows developers to easily add new JavaScript editors.</li>
<li>Added CKEditor 4.3.2 as the default advanced editor for Geeklog.</li>
<li>Numerous fixes for multi-language support.</li>
<li>Added a File Manager.</li>
</ul>
<h2><a name="changes200">Geeklog 2.0.0</a></h2>
<p><strong>Note:</strong> Geeklog 2.0.0 manages topics differently. Topic
assignments for articles and blocks are now stored in their own database table.
This means the article and block tables have changed slightly. Plugins that
modify blocks directly or have a centerblock may not be compatible with
Geeklog 2.0.0. Please check to see if the plugins you have installed are
compatible before you upgrade. If they are not then disable them if you still
wish to upgrade. We expect most plugin authors to upgrade their plugins to
support Geeklog 2.0.0 soon after the release.</p>
<p>The theme engine has also been updated. Geeklog 2.0.0 introduces
a new function that allows a page to be generated all at once instead of in specific
parts as it was before. Only themes and
plugins that have been updated to use the new function for display can take
advantage of the new features this brings to Geeklog and themes.
</p>
<p>This Geeklog release now ships with jQuery 1.7.2 and jQuery UI 1.8.20.</p>
<h3>New Features and Improvements</h3>
<ul>
<li>Improved strength of password hashing.</li>
<li>Allow Topics to have child Topics.</li>
<li>Allow Articles, Blocks and other Plugin objects to be associated with more than one Topic.</li>
<li>Topic Breadcrumb support.</li>
<li>Emergency Rescue Tool is included with the Geeklog Install.</li>
<li>Added support for MySQLi.</li>
<li>Add Stop Forum Spam and Spam Number of Links Modules to Spam-X.</li>
<li>A new theme called Denim which is based on Responsive Web Design.</li>
<li>A new theme called Modern Curve.</li>
<li>Comments Form on same page as article.</li>
</ul>
<h2><a name="changes182">Geeklog 1.8.2</a></h2>
<p>Geeklog 1.8.2 is a maintenance release. There were no changes in the database, the templates, or the language files
in this release, so upgrades should be straightforward.</p>
<h3>Bugfixes</h3>
<ul>
<li>Fixed compatibility with MySQL 5.5 (upgrade, database backup). For this fix, we also had to raise the minimum
supported MySQL version to 4.1.2.
</li>
<li>Fixed Twitter OAuth login.</li>
</ul>
<h2><a name="changes181">Geeklog 1.8.1</a></h2>
<p>Geeklog 1.8.1 is a maintenance release and a recommended update for all
users of Geeklog 1.8.0. There were no changes in the database, the templates,
or the language files (other than some updated translations) in this release,
so upgrades should be straightforward.</p>
<p>This Geeklog release now ships with jQuery 1.6.3.</p>
<h3>Bugfixes</h3>
<ul>
<li>Fixed information leakage:
<ul>
<li>The "<a href="config.html#desc_rootdebug">rootdebug</a>" option,
when enabled, also dumped the OAuth consumer key and secret. You now
have to additionally set the rootdebug option to "force" to make them
show up in the variable dump.
</li>
<li>The MS SQL driver was displaying detailed SQL error messages by
default.
</li>
</ul>
</li>
<li>Fixed a regression in Geeklog 1.8.0 that made the <code>[code]</code> and
<code>[raw]</code> tags not escape content properly.
</li>
<li>Fixed some problems with adding and removing elements to/from arrays in
the Configuration.
</li>
<li>The admin's User Editor no longer loses changes when an error occurred.</li>
<li>Fixed images not being displayed in the story preview (when editing an
existing story).
</li>
<li>Plugins can now set <code>$_SCRIPTS</code> in the
<code>plugin_getFooter()</code> function.
</li>
<li>Fixed some warnings raised by PHP 5.4.</li>
</ul>
<h2><a name="changes180">Geeklog 1.8.0</a></h2>
<p><strong>Note:</strong> Geeklog 1.8.0 now <strong>requires PHP 5.2.0</strong>
or later. We will provide legacy PHP 4 support for <a
href="#changes172">Geeklog 1.7.2</a> for a limited time, but would strongly
suggest that you switch to PHP 5.2 or later as soon as possible.</p>
<p>For details, please see the <a href="https://www.geeklog.net/article.php/end-of-php4-support">announcement</a> on the
Geeklog homepage.</p>
<h3>New Features and Improvements</h3>
<ul>
<li>Improved Configuration with input validation and a search function. These
improvements were implemented by Akeda Bagus as part of the Google Summer
of Code 2010.
</li>
<li>OAuth support, allowing users to log into a Geeklog site with their
Facebook, Twitter, or LinkedIn account. This functionality was originally
developed by Hiroshi Sakuramoto (Hiroron) of Geeklog Japan.
</li>
<li>New icons in the default theme (taken from the Tango, Gnome, and Humanity
icon themes).
</li>
<li>Ships with <a href="http://jquery.com/">jQuery</a>, which is now the
"official" JavaScript library for Geeklog.
</li>
<li>Autotags now have permissions and a description (tooltip).</li>
<li>Revamped Plugins admin panel, which also lets you change the plugin load
order. Plugins can now also indicate dependencies on other plugins.
</li>
</ul>
<h2><a id="changes172" name="changes172">Geeklog 1.7.2</a></h2>
<p><strong>Note:</strong> Geeklog 1.7.2 is the last Geeklog version to work on
PHP 4. We will be providing security fixes, if required, for this version until
2012. New features will only be added to Geeklog 1.8.0 and later versions,
which will require at least PHP 5.2.0 to run. Please see <a
href="https://www.geeklog.net/article.php/end-of-php4-support">the announcement</a> on geeklog.net
for details.</p>
<h3>Bugfixes</h3>
<ul>
<li>Fixed PostgreSQL support (multiple Geeklog instances sharing one Postgres
database; dbSave function; error reporting; PHP 4 compatibility).
</li>
<li>Fixed replacing the <code>[imageX]</code> tags when changing a story id.</li>
<li>Fixed a PHP 4 compatibility issue in the Static Pages plugin.</li>
</ul>
<h2><a name="changes171sr1">Geeklog 1.7.1sr1</a></h2>
<p>This release fixes an XSS in the admin's configuration panel, reported by
Aung Khant of the YGN Ethical Hacker Group.</p>
<h2><a name="changes171">Geeklog 1.7.1</a></h2>
<h3>New Features and Improvements</h3>
<ul>
<li>A Static Page can now be marked as a template and used by other Static
Pages.
</li>
<li>Themes can now have their own display functions for the start and end of
blocks.
</li>
<li>Please also see the list of <a href="theme.html#changes">theme changes</a>.</li>
</ul>
<h3>Bugfixes</h3>
<ul>
<li>In Geeklog 1.7.0, comment submissions for plugins were missing the type,
i.e. the comments were not recognized as plugin comments.
</li>
<li>Changing anything in My Account while Advanced Editor was disabled for the
site also disabled the user's setting for the Advanced Editor.
</li>
<li>Fixed the "Show & Hide Boxes" option in My Account.</li>
<li>Reverted a change from Geeklog 1.7.0: Curly braces in block content are not
escaped any longer. To avoid words in curly braces being interpreted as
template variables (e.g. for JavaScript code), add a space after the opening
or before the closing brace.
</li>
<li>Reverted a change from Geeklog 1.7.0 that would send a Content-Type header
when calling <code>COM_refresh()</code> since this conflicts with some
plugins (e.g. the Forum).
</li>
</ul>
<h2><a name="changes170">Geeklog 1.7.0</a></h2>
<h3>New Features and Improvements</h3>
<ul>
<li>Geeklog now supports <strong>PostgreSQL</strong> databases. This feature
was implemented by Stan Palatnik during the 2009 Google Summer of Code.
</li>
<li>When the security token (CSRF protection) expires, the user will now be
asked to <a href="http://wiki.geeklog.net/index.php/Re-Authentication_for_expired_Tokens">authenticate again</a>.
On successful re-authentication, the
operation will be repeated and no changes will be lost.
</li>
<li>The options to skip spam checks and HTML filtering are now permissions and
no longer restricted to the Root group.
</li>
<li>Groups can now be marked as a default group. New users will automatically
be added to all default groups.
</li>
<li>Comments in plugins can now be listed in the What's New block and in a
user's profile (through a new Plugin API function - requires changes in
plugins).
</li>
<li>Pages that require authentication now display a login form.</li>
<li>When the Advanced Editor is enabled for the site, users can now enable or
disable it for themselves in their settings under My Account.
</li>
<li>There is now an option to create copies of existing stories (like the
options to copy existing static pages and calendar entries).
</li>
<li>A new <code>[user:]</code> autotag is available to easily create links to
a user's profile.
</li>
</ul>
<h3>Other changes</h3>
<ul>
<li><strong>Security:</strong> Fixed a vulnerability to dictionary attacks in the
autologin, originally reported by Bookoo of the Nine Situations Group.
</li>
<li>The minimum requirements for Geeklog are now <strong>PHP 4.4.0</strong>
and <strong>MySQL 4.0.18</strong>.
</li>
<li>Ships with <a href="http://www.fckeditor.net/">FCKeditor</a> 2.6.6</li>
<li>Please also see the list of <a href="theme.html#changes">theme changes</a>.</li>
</ul>
<p>This release also includes a number of patches and improvements made by
students applying for participation in the Google Summer of Code 2010. Thank
you!</p>
<h2><a name="changes161sr2">Geeklog 1.6.1sr2</a></h2>
<p>This release fixes an XSS in the admin's configuration panel, reported by
Aung Khant of the YGN Ethical Hacker Group.</p>
<h2><a name="changes161sr1">Geeklog 1.6.1sr1</a></h2>
<p>This release fixes a vulnerability to dictionary attacks in the autologin,
originally reported by Bookoo of the Nine Situations Group.</p>
<h2><a name="changes161">Geeklog 1.6.1</a></h2>
<h3>New Features and Improvements</h3>
<ul>
<li>Geeklog now lets you enter meta descriptions and meta keywords for the main
page, for stories, topics, static pages, and polls. Please note that these
meta tags <a href="http://www.mattcutts.com/blog/keywords-meta-tag-in-web-search/">may not be used</a> by some
search engines.
</li>
<li>You can now have one featured story per topic (for stories set to "Show
only in Topic").
</li>
<li>New <a href="polls.html#autotags">autotags</a> now allow you to embed polls
in stories and everywhere else where autotags are allowed.
</li>
<li>The Migrate option in the install script can now also be applied to an
existing database (i.e. you don't need to import a database dump to update
your URLs and paths).
</li>
<li>The Database Backup admin panel now includes options to optimize the
database and convert tables to InnoDB (MySQL only).
</li>
<li>Improved <a href="http://wiki.geeklog.net/index.php/Timezone_Support">timezone support</a> and let users
actually set their own timezone.
</li>
<li>Minor security enhancements:
<ul>
<li>"Important" cookies (like the session cookies) are now created with
the HttpOnly flag set. This will help avoid some XSS attacks,
provided your browser supports this flag.
</li>
<li>Template errors will now trigger the <a
href="https://www.geeklog.net/faqman/index.php?op=view&t=65">standard error handler</a> instead
of
exposing the template path.
</li>
<li>Fixed inclusion protection for some of the Spam-X class files.</li>
</ul>
</li>
</ul>
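<p>As an added illustration of the HttpOnly change above (example code, not Geeklog's own <code>SEC_*</code> functions), the following PHP sets a security-relevant cookie with the HttpOnly flag, and with the Secure flag whenever the request itself arrived over TLS. The cookie name <code>session_id</code> and the option-array form of <code>setcookie()</code> (PHP 7.3 or later) are assumptions for the example; on older PHP the same flags go in as positional arguments.</p>

```php
<?php
// Added example (not Geeklog's own code): set an "important" cookie such as a
// session cookie with the HttpOnly flag, so that script running in the page
// (document.cookie) cannot read it even if an XSS bug slips through.

/**
 * Decide the attributes for a security-relevant cookie.
 * Returned as an array so the decision can be inspected or logged before use.
 */
function important_cookie_options(int $lifetimeSeconds, string $path = '/', string $domain = ''): array
{
    // Secure is only set when the request itself came over TLS; on a plain-HTTP
    // site the browser would otherwise silently drop the cookie.
    $isHttps = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';

    return [
        'expires'  => $lifetimeSeconds > 0 ? time() + $lifetimeSeconds : 0, // 0 = session cookie
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => $isHttps,
        'httponly' => true,   // the flag this changelog entry is about
        'samesite' => 'Lax',  // also blunts cross-site request forgery (PHP >= 7.3)
    ];
}

/**
 * Set the cookie, refusing (and logging) rather than failing silently when
 * output has already started and no header can be added any more.
 */
function set_important_cookie(string $name, string $value, int $lifetimeSeconds): bool
{
    if (headers_sent($file, $line)) {
        error_log("cookie '$name' not set: output already started at $file:$line");
        return false;
    }
    return setcookie($name, $value, important_cookie_options($lifetimeSeconds));
}

// Usage, e.g. right after a successful login (cookie name is a placeholder):
set_important_cookie('session_id', bin2hex(random_bytes(16)), 0);
```

<p>To verify the deployed site, look at the <code>Set-Cookie</code> response header after logging in: it should carry <code>HttpOnly</code> and, on an HTTPS site, <code>Secure</code>. As the entry notes, the flag is only honoured by browsers that support it, so it complements output escaping rather than replacing it.</p>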
<p>Please also see the list of <a href="theme.html#changes">theme changes</a>.</p>
<h3>Bugfixes</h3>
<ul>
<li>Fixed automatic <a href="config.html#desc_article_comment_close_enabled">closing of stories for comments</a>
after a certain number of days. If you need to
re-open comments on stories that were closed due to this bug, you can use
this SQL request:<br/>
<code style="margin-left:2em">UPDATE gl_stories SET commentcode = 0, comment_expire = 0 WHERE commentcode = 1;</code></li>
<li>The comment speed limit was being ignored.</li>
<li>Fixed a bug in the Group Editor that didn't let you add groups to other
groups (this problem was only introduced in Geeklog 1.6.0).
</li>
<li>The admin group for the Static Pages plugin was created with a wrong name
in Geeklog 1.6.0 (fresh installs only).
</li>
<li>Several tweaks and minor fixes (e.g. compatibility with PHP 4) in the
search.
</li>
</ul>
<h2><a name="changes160sr2">Geeklog 1.6.0sr2</a></h2>
<p>This release addresses the following security issue:</p>
<ul>
<li>Unauthorized file uploads were possible through FCKeditor.<br/>
Uploaded files still had to go through FCKeditor's filter, so it was not possible to upload scripts (and the
integrity of the Geeklog site as such was not in danger). There were, however, reports that this was used to
host malware.<br/>
This update prevents use of the upload feature when FCKeditor is disabled and disables it for anonymous users.
It also doesn't allow uploading of archive files any more. Furthermore, you need some sort of "edit" permission
now to be able to upload files through FCKeditor (this is meant as an interim measure - we will probably
introduce a separate "upload" permission in future Geeklog versions).
</li>
</ul>
<p>Other fixes:</p>
<ul>
<li>Fixed installation using InnoDB tables.</li>
<li>Fixed a (non-exploitable) SQL error when auto-updating a story's
commentcode field.
</li>
<li>Fixed a wrong function name in the Links plugin.</li>
</ul>
<h2><a name="changes160sr1">Geeklog 1.6.0sr1</a></h2>
<p>This release addresses the following security issues:</p>
<ol>
<li>Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
</li>
<li>The "Mail Story to a Friend" function didn't check story permissions, so
that it was possible to email a story even if you didn't have the
permissions to view it on the site.
</li>
</ol>
<p>Other fixes:</p>
<ul>
<li>Fixed an SQL error when submitting a story and the story submission queue
was off.
</li>
<li>Fixed calls to a nonexistent function <code>COM_outputMessageAndAbort</code>.</li>
</ul>
<h2><a name="changes160">Geeklog 1.6.0</a></h2>
<h3>Results from the Summer of Code</h3>
<p>This release incorporates the following projects implemented during
the 2008 Google Summer of Code:</p>
<ul>
<li>Site migration support and easier plugin installation, by Matt West</li>
<li>Improved search, by Sami Barakat</li>
<li>Comment moderation and editable comments, by Jared Wenerd</li>
</ul>
<h3>Other changes</h3>
<ul>
<li>The minimum PHP version required by Geeklog is now <strong>PHP 4.3.0</strong>. Given that the PHP team ended
support for PHP 4 in August 2008, you should be
looking into upgrading to PHP 5 anyway.
</li>
<li>Includes <a href="http://www.fckeditor.net/">FCKeditor</a> 2.6.4.1</li>
<li>Includes a new plugin, <a href="http://wiki.geeklog.net/index.php/XMLSitemap_Plugin">XMLSitemap</a>, that
automatically generates a <a
href="http://www.sitemaps.org/">XML sitemap file</a>, as supported by all
major search engines. Plugin written and provided by mystral-kk.
</li>
<li>Several <a href="http://wiki.geeklog.net/index.php/New_Plugin_API_Functions_in_Geeklog_1.6.0">new plugin API
functions</a> have been added and existing
functions have been extended.
</li>
<li>The included documentation has been moved to <span class="tt">docs/english</span> to allow
for translations. Links to the documentation from within Geeklog will link
to existing translations for the current language automatically (or fall
back to the English documentation if no suitable translation can be found).
</li>
<li>There were a variety of <a href="theme.html#changes">theme changes</a> to
support new functionality and fix inconsistencies in the layout.
</li>
</ul>
<p>This release also includes a number of patches and improvements made by
students applying for participation in the Google Summer of Code 2009. Thank
you!</p>
<h2><a name="changes152sr6">Geeklog 1.5.2sr6</a></h2>
<p>This release fixes a vulnerability to dictionary attacks in the autologin,
originally reported by Bookoo of the Nine Situations Group.</p>
<h2><a name="changes152sr5">Geeklog 1.5.2sr5</a></h2>
<p>This release addresses the following security issues:</p>
<ol>
<li>Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
</li>
<li>The "Mail Story to a Friend" function didn't check story permissions, so
that it was possible to email a story even if you didn't have the
permissions to view it on the site.
</li>
</ol>
<h2><a name="changes152sr4">Geeklog 1.5.2sr4</a></h2>
<p>Bookoo of the Nine Situations Group posted another SQL injection exploit, targeting an old bug in usersettings.php.
As with the previous issues, this allowed an attacker to extract the password hash for any account and is fixed with
this release.</p>
<h2><a name="changes152sr3">Geeklog 1.5.2sr3</a></h2>
<p>Bookoo of the Nine Situations Group posted another SQL injection exploit, this time targeting the webservices API.
As with the previous issue, this allowed an attacker to extract the password hash for any account and is fixed with
this release.</p>
<h2><a name="changes152sr2">Geeklog 1.5.2sr2</a></h2>
<p>Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This
issue allowed an attacker to extract the password hash for any account and is fixed with this release.</p>
<h2><a name="changes152sr1">Geeklog 1.5.2sr1</a></h2>
<p>Fernando Muñoz reported a possible <a href="http://en.wikipedia.org/wiki/XSS"
title="Click to look up 'XSS' on Wikipedia"
style="text-decoration: none; color: black; border-bottom: 1px dotted black;">XSS</a>
in the query form on most admin panels that we are fixing with this release.</p>
<h2><a name="changes152">Geeklog 1.5.2</a></h2>
<h3>Bugfixes</h3>
<ul>
<li>Fixed a bug in the story preview where the story content was lost when
previewing a story with a duplicate story ID.
</li>
<li>Fixed another bug in the story preview that caused extra backslashes to
appear in the story's title.
</li>
<li>The Trackback editor didn't work since the security token was missing from
the editor template.
</li>
<li>Fixed issues with clickable links in plain text postings.</li>
<li>Fixed various problems with updating feeds, e.g. when changing topic
permissions.
</li>
</ul>
<h3>Fixes in the bundled Plugins</h3>
<ul>
<li>Calendar: You couldn't add a new event to your personal calendar.</li>
<li>Links: Changing a link's ID to one that was already in use overwrote the
other link.
</li>
<li>Polls: Changing a poll's ID created a new poll. Also fixed an SQL error
when the poll question contained single quotes.
</li>
<li>Static Pages: Saving a static page changed the owner to the user who saved
it.
</li>
</ul>
<h3>Other Changes</h3>
<ul>
<li>Improved image quality when using gdlib to rescale uploaded images.</li>
<li>Theme changes are documented in the <a href="theme.html#changes">theme
documentation</a>, as usual. There are 4 bugfixes (one of which is in the
templates for the Polls plugin) that should be applied to all themes for
the 1.5.x series.
</li>
</ul>
<h2><a name="changes151">Geeklog 1.5.1</a></h2>
<p>Geeklog 1.5.1 is mostly a bugfix release and a recommended upgrade for users
of Geeklog 1.5.0. There were also a few minor feature additions.</p>
<h3>Bugfixes</h3>
<h4>Security related</h4>
<ul>
<li>The upload script for FCKeditor could be <a
href="https://www.geeklog.net/article.php/file-uploads">called directly</a>
to upload various media files (but not executable scripts), as reported
by t0pP8uZz.
</li>
<li>The protection in various include files against direct execution did not
work properly on non-case sensitive file systems, e.g. on Windows
(reported by Mark Evans).
</li>
<li>It was possible to view stories with a publication date in the future and
stories that had the draft flag set if you knew their story ID.
</li>
<li>It was possible to post comments on unpublished stories if you knew their
story ID.
</li>
<li>When a database backup fails, the database password is no longer logged to
<span class="tt">error.log</span>.
</li>
</ul>
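<p>The second item above (direct-execution protection failing on case-insensitive file systems) describes a check that compares script names. The PHP below is an added example, not Geeklog's own guard: it lowercases both sides before comparing, so that <code>Lib-Common.PHP</code> requested on Windows or macOS is still recognised as a direct request for <code>lib-common.php</code>. Use of <code>$_SERVER['SCRIPT_FILENAME']</code> and the <code>is_direct_request()</code> helper name are assumptions for the example.</p>

```php
<?php
// Added example (not Geeklog's own code): guard a library file against being
// requested directly from the web. When this file is include()d from index.php,
// SCRIPT_FILENAME is index.php; when it is requested on its own, SCRIPT_FILENAME
// is this file. Lowercasing both names makes the check hold on file systems that
// treat "Lib-Common.PHP" and "lib-common.php" as the same file.

function is_direct_request(string $requestedScript, string $thisFile): bool
{
    // basename() discards the directory part; strtolower() neutralises the case
    // differences a case-insensitive file system would otherwise accept.
    return strtolower(basename($requestedScript)) === strtolower(basename($thisFile));
}

// Constructed inputs showing the difference the lowercasing makes:
//   is_direct_request('/var/www/public_html/index.php',      __FILE__) -> false (normal include)
//   is_direct_request('/var/www/public_html/lib-common.php', __FILE__) -> true
//   is_direct_request('/var/www/public_html/Lib-Common.PHP', __FILE__) -> true (would be false
//                                                                         with a case-sensitive compare)

if (is_direct_request($_SERVER['SCRIPT_FILENAME'] ?? '', __FILE__)) {
    header('HTTP/1.1 403 Forbidden');
    die('This file cannot be used on its own.');
}
```

<p>The check is a second line of defence only: the robust fix is to keep library code outside the web root, or to have the front controller <code>define()</code> a constant that every included file tests with <code>defined()</code> before doing anything, so no file-name comparison is needed at all.</p>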
<h4>Other Bugfixes</h4>
<ul>
<li>All right-side blocks were rendered twice, which not only took more time
than necessary, but could also affect the functionality of add-ons like
the Chatterblock or Shoutbox.
</li>
<li>Fixed handling of security tokens (for CSRF protection) that prevented
you from deleting comments on a story that had trackbacks.
</li>
<li>Other fixes were applied to the user submission queue, story submissions,
the list of draft stories and the support for MS SQL.
</li>
</ul>
<h4>Fixes in the bundled Plugins</h4>
<ul>
<li>Calendar: Fixed display of events in the Upcoming Events block for the
current day (really this time ...).
</li>
<li>Links: Fixed SQL error when trying to change a category and fixed new
categories silently overwriting existing categories with the same ID.
</li>
<li>Static Pages: Fixed printer friendly version when <span class="tt">url_rewrite</span> is
enabled.
</li>
</ul>
<h3>New Features and Improvements</h3>
<ul>
<li>Includes <a href="http://www.fckeditor.net/">FCKeditor</a> 2.6.3</li>
<li>In multi-language setups, blocks can now also be multi-lingual.</li>
<li>New "Subscribe to ..." feed story option when there is a separate feed for
a story's topic.
</li>
<li>New option "All Frontpage Stories" for article feeds (skip stories that have
the "Show only in topic" option set).
</li>
<li>Allow to unset Configuration options again after they have been "restored",
e.g. after accidental activation.
</li>
<li>Configuration options can now be overwritten in <span class="tt">siteconfig.php</span>.
This is mostly useful for the <code>$_CONF['rootdebug']</code> option.
</li>
<li>Remotely authenticated users can now use the webservices (they need to use
<span class="tt">username@servicename</span> for their username).<br/>
<strong>Note:</strong> OpenID users can <em>not</em> use the webservices,
due to technical issues with the authentication method.
</li>
<li>Improved compatibility of the webservices (i.e. AtomPub).</li>
</ul>
<h3>Theme Changes</h3>
<p>There was one mandatory theme change: The template file for configuration
items, <span class="tt">admin/config/config_element.thtml</span> has to be updated (copy
from the Professional theme). All other theme changes in this release are
optional - see the <a href="theme.html#changes">theme documentation</a> for
details.</p>
<h2><a name="changes150">Geeklog 1.5.0</a></h2>
<h3>Results from the Summer of Code</h3>
<p>This release incorporates the following projects implemented during
the 2007 Google Summer of Code:</p>
<ul>
<li>New user-friendly install script by Matt West</li>
<li>New Configuration GUI (replacing config.php) by Aaron Blankstein</li>
<li>New Webservices API based on the Atom Publishing Protocol by Ramnath R. Iyer</li>
</ul>
<h3>Other New Features and Improvements</h3>
<ul>
<li>OpenID support: You can now allow users to log into your site using an
OpenID, so that they don't need to create a new account with your site but
still get all the benefits of a normal registered user.
</li>
<li>New LDAP remote authentication module.</li>
<li>The Links plugin now has hierarchical (sub-)categories.</li>
<li>Updated <a href="http://www.fckeditor.net/">FCKeditor</a> to version 2.6.</li>
<li>Rewrite of the underlying story code. Amongst other things, this should
finally resolve all outstanding issues with the handling of special
characters, HTML entities, etc. in stories. Also introduces a new
<code>[raw]</code> tag as an inline complement to <code>[code]</code> when
you want to post pieces of code (e.g. HTML) "as is", so that they are not
interpreted.
</li>
<li>Comments can now be closed, i.e. existing comments will still be displayed
but no new comment can be posted.
</li>
<li>The Polls plugin now allows for multiple questions per poll.</li>
<li>The Static Pages plugin now supports comments.</li>
<li>The database backup admin panel now lets you delete and download
backups.
</li>
<li>The default Professional theme is now HTML 4.01 Strict compliant. Geeklog
now also <a href="theme.html#xhtml">supports XHTML</a> (given an XHTML
compliant theme).
</li>
</ul>
<h3>Security</h3>
<ul>
<li>Geeklog now includes protection against <a href="https://www.geeklog.net/article.php/csrf">cross-site request
forgery</a> attacks.
</li>
<li>Lukasz Pilorz reported <a href="https://www.geeklog.net/article.php/kses">security issues in kses</a>, the HTML
filter we're using in Geeklog.
</li>
</ul>
<h2><a name="changes141">Geeklog 1.4.1</a></h2>
<h3>New Features</h3>
<ul>
<li>Support for Microsoft SQL Server. Starting with this release, Geeklog can
now also be installed on Microsoft SQL Server, so it's no longer restricted
to just MySQL. The MS SQL support was developed by Randy Kolenko.
Thanks, Randy!<br/>
Please note that any third-party plugins will have to offer support for
MS SQL before they can be installed on Microsoft SQL Server. The bundled
plugins (Calendar, Links, Polls, Spam-X, Static Pages) have already been
updated accordingly.
</li>
<li><a href="calendar.html">Calendar plugin</a>. The formerly built-in calendar
and events have now been moved into a separate plugin. This complements the
move of the <a href="polls.html">polls</a> and <a href="links.html">links</a> sections into plugins in Geeklog
1.4.0 and makes Geeklog more modular as you
can now easily disable or replace functionality that you don't need for
your site.
</li>
<li><a href="http://wiki.geeklog.net/wiki/index.php/Multi-Language_Support">Multi-language support</a>. It is now
possible to build truly multi-lingual sites
with Geeklog where not only the navigation but also the content of the site
changes with the language.
</li>
<li>Ships with <a href="http://www.fckeditor.net/">FCKeditor</a> 2.3.1, which once
again includes a file manager for uploading images.
</li>
<li>A function for mass-deletion of old or inactive users. The list automatically
searches for users that have never logged in, only used the site for a very
short time, or have not been online for a very long time. The time span can
be varied, and the users found can be selectively deleted.
</li>
</ul>
<h3>Security</h3>
<p>In the light of the security issues discovered in Geeklog 1.4.0 and earlier
versions, the Geeklog source code has undergone a code review. We have
identified and addressed several minor issues and introduced new measures to
enhance security in this release. As a welcome side effect, the code reviews
have also uncovered a few bugs and inconsistencies that we also fixed in this
release.</p>
<h3>Spam Protection</h3>
<p>With this release we are finally removing support for the <a
href="https://www.geeklog.net/article.php/mt-blacklist-discontinued">discontinued</a> MT-Blacklist. In its
place, we are now using a system called Spam Link Verification (SLV) run by Russ Jones at <a
href="http://www.linksleeve.org/">www.linksleeve.org</a>. SLV could be described as a community-driven,
automatically updated blacklist. See the documentation of the <a href="spamx.html" rel="nofollow">Spam-X plugin</a>
for details.</p>
<h2><a name="changes140sr6">Geeklog 1.4.0sr6</a></h2>
<p>MustLive pointed out a possible <a href="http://en.wikipedia.org/wiki/XSS"
title="Click to look up 'XSS' on Wikipedia"
style="text-decoration: none; color: black; border-bottom: 1px dotted black;">XSS</a>
in the form to email an article to a friend that we're fixing with this release.</p>
<h2><a name="changes140sr5-1">Geeklog 1.4.0sr5-1</a></h2>
<p>This release fixes display problems in the comment preview that were only
introduced in Geeklog 1.4.0sr5.</p>
<h2><a name="changes140sr5">Geeklog 1.4.0sr5</a></h2>
<p>JPCERT/CC informed us about a possible <a href="http://en.wikipedia.org/wiki/XSS"
title="Click to look up 'XSS' on Wikipedia"
style="text-decoration: none; color: black; border-bottom: 1px dotted black;">XSS</a>
in the comment handling that we're fixing with this release.</p>
<h2><a name="changes140sr4">Geeklog 1.4.0sr4</a></h2>
<p>Two exploits have been released by "rgod" for insecure Geeklog installations and for a bug in the "mcpuk" file
manager that we've been shipping as part of FCKeditor in all previous 1.4.0 releases.</p>
<ul>
<li>Some of the files outside of the public_html directory were not protected
against direct execution. If Geeklog was installed such that those files
were accessible from a URL (which has always been strongly discouraged in
the installation instructions) then those files could be used to load and
execute malicious code from a remote server.
<br/><br/>
More information: <a
href="https://www.geeklog.net/article.php/so-called-exploit">So-called
Geeklog "exploit" posted</a>
<br/><br/>
In this release, we've added the missing execution prevention for all files
outside of public_html. We would still, however, suggest that you fix your
Geeklog install if the files outside of public_html are accessible from a
URL (see our <a
href="https://www.geeklog.net/faqman/index.php?op=view&amp;t=56">FAQ</a> for
details).
</li>
<li>The "mcpuk" file manager that we've integrated into FCKeditor allowed the
upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
config.php). Depending on your webserver's configuration, it was then
possible to execute that uploaded code.
<br/><br/>
More information: <a href="https://www.geeklog.net/article.php/exploit-for-fckeditor-filemanager">Exploit for
FCKeditor's mcpuk file manager</a>
<br/><br/>
The file manager has been removed from this release. You will therefore no
longer be able to upload files, e.g. images, through FCKeditor. Future
versions of Geeklog will ship with an updated version of FCKeditor and its
included file manager.
</li>
</ul>
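<p>As an added example (it is not Geeklog's own code, nor the fix that shipped in this release), here are the two defensive checks that correspond to the issues above: a guard that makes a file outside <span class="tt">public_html</span> inert when a misconfigured server exposes it to a direct request, and an upload policy for an editor file manager that stores only verified images under a server-generated name. The function names, the <span class="tt">ENTRY_POINT_OK</span> constant and the sample file are assumptions made for the illustration.</p>

```php
<?php
// Added example for this changelog; it is not Geeklog's own code.
// Function names, the ENTRY_POINT_OK constant and the sample values are
// assumptions made for the illustration.

/**
 * Guard for library files that live outside public_html.
 * A front controller (e.g. public_html/index.php) defines ENTRY_POINT_OK
 * before including any library; a library file that starts with
 *     if (!includedByEntryPoint()) { http_response_code(403); exit; }
 * then does nothing when it is requested directly by URL instead of being
 * included by the front controller.
 */
function includedByEntryPoint(): bool
{
    return defined('ENTRY_POINT_OK');
}

/**
 * Upload policy for an editor file manager: returns the name to store the
 * file under, or null if the upload must be rejected.
 *  - only an allow-list of image extensions is accepted, and every dotted
 *    suffix is checked, because some webservers honour any of several
 *    extensions in a name such as "picture.php.jpg";
 *  - the content is checked to really be an image of the claimed type;
 *  - the client-supplied name is never reused; a random name is generated.
 */
function acceptedUploadName(string $clientName, string $tmpPath): ?string
{
    static $mimeForExt = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    $segments = explode('.', basename($clientName));
    if (count($segments) < 2) {
        return null;                       // no extension at all
    }
    array_shift($segments);                // drop the base name
    foreach ($segments as $suffix) {
        if (!isset($mimeForExt[strtolower($suffix)])) {
            return null;                   // a suffix is not an allowed image type
        }
    }
    $ext = strtolower(end($segments));

    // getimagesize() parses the file header: it fails on non-image content
    // and reports the real MIME type, which must match the extension.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mimeForExt[$ext]) {
        return null;
    }

    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Usage with a constructed sample: a 1x1 transparent GIF written to a
// temporary file, checked under three client-supplied names.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
var_dump(acceptedUploadName('avatar.gif', $tmp));       // random name ending in .gif
var_dump(acceptedUploadName('avatar.php', $tmp));       // rejected
var_dump(acceptedUploadName('avatar.php.gif', $tmp));   // rejected
unlink($tmp);
```

<p>The guard is the cheap half of the fix; the durable one is the layout the installation instructions have always asked for, namely keeping everything except <span class="tt">public_html</span> outside the web root so that no URL maps to those files at all. The upload policy deliberately does not trust the extension, the client name or the declared MIME type on their own, because the mcpuk issue above shows what a file manager that accepts anything lets a webserver execute.</p>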
<p>Note: This release also includes the <a
href="https://www.geeklog.net/article.php/fighting-trackback-spam">updated
lib-trackback.php</a> for better protection against Trackback spam.</p>
<h2><a name="changes140sr3">Geeklog 1.4.0sr3</a></h2>
<p>This release addresses the following security issues:</p>
<ol>
<li>Possible SQL injection and authentication bypass in <span class="tt">auth.inc.php</span>
(reported by the Security Science Researchers Institute Of Iran).
</li>
<li>Possible XSS in <span class="tt">getimage.php</span>
(reported by the Security Science Researchers Institute Of Iran).
</li>
<li>Path disclosure in <span class="tt">getimage.php</span> and the <span class="tt">functions.php</span> of
some themes, e.g. the Professional theme
(reported by the Security Science Researchers Institute Of Iran).
</li>
<li>Possible SQL injection in story submissions.</li>
</ol>
<h2><a name="changes140sr2">Geeklog 1.4.0sr2</a></h2>
<p>This release addresses the following security issues:</p>
<ul>
<li>Konstantin Dyakoff found an old bug in the session handling that would
allow anyone to log in as any user.
</li>
<li>HTML was not stripped from the Location field in a user's profile.</li>
</ul>
<h2><a name="changes140sr1">Geeklog 1.4.0sr1</a></h2>
<p>This release addresses the following security issues:</p>
<ul>
<li>James Bercegay of GulfTech Security Research reported several issues with
Geeklog's cookie handling that made it vulnerable to SQL injections,
arbitrary file access, and even injection and execution of arbitrary
code.
</li>
</ul>
<h2><a name="changes140">Geeklog 1.4.0</a></h2>
<p>
<small>(Geeklog 1.4.0 was originally supposed to be called 1.3.12, so any
references you may find to a version 1.3.12 apply to version 1.4.0)
</small>
</p>
<h3>New Features</h3>
<ul>
<li>Geeklog now officially works with <code>register_globals = off</code>.
Please note that some plugins may still require it to be <code>on</code>,
though.
</li>
<li>Added support for sending and receiving <a
href="http://en.wikipedia.org/wiki/Trackback">Trackback</a> and <a
href="http://en.wikipedia.org/wiki/Pingback">Pingback</a> comments. Both
are supported for stories, but there is also a new plugin API so that
plugins can use this feature, too. Trackback and Pingback can be disabled
in <span class="tt">config.php</span>.
</li>
<li>Added the ability to "ping" weblog directory services to advertise site
updates (preconfigured to ping <a
href="http://pingomatic.com">Ping-o-Matic</a>). As with Trackback and
Pingback, this is supported for stories, but plugins can also make use of
this feature via the plugin API.
</li>
<li>New syndication framework so that Geeklog can now <strong>read and
write</strong> feeds in different formats (currently supported: RSS, RDF,
and Atom).
</li>
<li>New administrator-controlled user status, including banning and
administrator activation of accounts.
</li>
<li>New Remote Authentication system to allow people with accounts on remote
services such as Blogger.com or LiveJournal.com to log in to your site
without having to register on your site directly. (Remote accounts can be
banned like normal accounts.)
</li>