changes.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>Geeklog Documentation - Changes</title>
    <link rel="stylesheet" type="text/css" href="../docstyle.css" title="Dev Stylesheet"/>
</head>

<body>
<p><a href="https://www.geeklog.net/" style="background:transparent"><img src="../images/newlogo.gif" alt="Geeklog"
                                                                          width="243" height="90"/></a></p>
<div class="menu"><a href="index.html">Geeklog Documentation</a> - Changes</div>

<h1><a name="changes">Changes</a></h1>

<p>This document is intended to give a quick overview over the most important
    and / or obvious changes. For a detailed list of changes, please consult the
    <a href="../history">ChangeLog</a>. The file <span class="tt">docs/changed-files</span> has a
    list of files that have been changed since the last release.</p>


<h2><a name="changes220">Geeklog 2.2.0</a></h2>

<p>Geeklog 2.2.0 major new features include ...</p>

<h3>New Features and Improvements</h3>

<ul>
    <li>Dropped support for Live Journal authentication.</li>
    <li>Added Akismet module for the Spam-X plugin.</li>
    <li>Added reCAPTCHA plugin with support for Invisible reCAPTCHA.</li>
    <li>Dropped COM_siteHeader and COM_siteFooter functions.  Please use COM_createHTMLDocument instead.</li>
    <li>Added Two Factor Authentication option.</li>
</ul>


<h2><a name="changes213">Geeklog 2.1.3</a></h2>

<p>Geeklog 2.1.3 is mainly a bug fix release.</p>

<h3>New Features and Improvements</h3>

<ul>
    <li>Numerous bug and security fixes.</li>
</ul>


<h2><a name="changes212">Geeklog 2.1.2</a></h2>

<p>Geeklog 2.1.2 major new features include a number of new administration tools along with the support of URL Routing
    and detecting a mobile user.</p>

<p>The Geeklog minimum requirements have changed slightly since, Geeklog now supports PHP 7 and the default settings for
    MySQL 5.7. The minimum requirements are:</p>

<ul>
    <li>PHP 5.3.3 or higher</li>
    <li>MySQL 4.1.2 or higher (MySQL 5 recommended)</li>
    <li>PostgreSQL 9.1.7 or later</li>
</ul>

<p>This Geeklog release no longer supports Microsoft SQL Server (mssql). The Professional and Professional CSS themes
    also have been removed. Geeklog ships with jQuery v3.1.1, jQuery UI v1.12.1, CKEditor v4.6.1, UIkit v2.27.2,
    Filemanager v2.2.0, and OAuth class v1.152.</p>

<h3>Major New Features and Improvements</h3>

<ul>
    <li>Added description, multiple answers per question to the Poll Plugin (code provided by Ivy, feature request
        #629)
    </li>
    <li>Added "Related Articles Section" to the article view (code provided by Andreas, feature request #444)</li>
    <li>Added Language override feature (feature request #669)</li>
    <li>Added an admin page for comments (feature request #586)</li>
    <li>Now install files are (optionally) deleted on successful install or upgrade (feature request #635)</li>
    <li>Added URL-routing feature which enables you to use public_html/index.php as a pseudo-front controller (feature
        requests #211, #326)
    </li>
    <li>The way topics display is now controlled by $_CONF['url_rewrite'] (regardless of the value of
        $_CONF['url_routing'])
    </li>
    <li>Added new modules for the Spam-X plugin (feature request #585, files provided by Dirk Haun)</li>
    <li>Added an ability to change article template file with the topic (feature request #275, code provided by
        @hostellerie)
    </li>
    <li>Added the ability to search poll comments (feature request #394)</li>
    <li>Added a new config option $_CONF['gravatar_identicon'] to specify a default gravatar icon type (bug #579)</li>
    <li>Added ability for Geeklog to detect device type (mobile or computer) of visitor. This can be used by blocks to
        display only for a certain device type
    </li>
    <li>Blocks can display based on visitor device type</li>
    <li>Template variable {device_mobile} added which returns true if viewing device is considered mobile (phone and
        tablet)
    </li>
    <li>Remove PEAR settings. PEAR libraries are now managed by way of composer</li>
    <li>New Denim Curve theme which is a child theme of Denim and based on the look of the Modern Curve theme</li>
    <li>New Geeklog Database backup which now works without using an external program</li>
    <li>Improved Geeklog Install process which now includes upgrade messages</li>
    <li>Support for MySQL databases which use a 4 byte character set (utf8mb4_xxx_ci)</li>
    <li>COM_switchLocaleSettings now overrides $_CONF['meta_description'],$_CONF['meta_keywords'], $_CONF['site_name'],
        $_CONF['owner_name'], and $_CONF['site_slogan'].
    </li>
    <li>Updates to a number of libraries including Pear, Uikit, OAuth, jQuery, and jQuery UI</li>
    <li>Numerous bug and security fixes.</li>
</ul>


<h2><a name="changes211">Geeklog 2.1.1</a></h2>

<p>Geeklog 2.1.1 major new feature is the inclusion of the UIkit framework. It is "a lightweight and modular front-end
    framework
    for developing fast and powerful web interfaces".</p>

<p>This Geeklog release now ships with jQuery v1.11.3, jQuery UI v1.11.4, CKEditor v4.5.4, UIkit v2.24.0, Filemanager
    v2.2.0, and OAuth class v1.411.</p>

<h3>Major New Features and Improvements</h3>

<ul>
    <li>Integrated UIkit framework into Geeklog core.</li>
    <li>Support for multiple theme templates with plugins.</li>
    <li>Numerous bug and security fixes.</li>
</ul>


<h2><a name="changes210">Geeklog 2.1.0</a></h2>

<p>Geeklog 2.1.0 major new features include and an updated template library and a new advanced editor system. A large
    number of bugs have also been fixed related to child topics which was introduced in Geeklog 2.0.0.</p>

<p>This Geeklog release now ships with jQuery 1.10.2 and jQuery UI to 1.10.3.</p>

<h3>Major New Features and Improvements</h3>

<ul>
    <li>Integrated Caching Template Library original developed by Joe Mucchiello.</li>
    <li>Support for themes to specify a default theme.</li>
    <li>Added configurable caching support for blocks (regular and gldefault), staticpages and articles.</li>
    <li>Speed increases by caching topic tree structure.</li>
    <li>New OAuth login methods supported (Google, Microsoft, Yahoo).</li>
    <li>New Advanced Editor System that allows developers to easily to add new javascript editors.</li>
    <li>Added CKEditor 4.3.2 as the default advanced editor for Geeklog.</li>
    <li>Numerous fixes for multi-language support.</li>
    <li>Added a File Manager.</li>
</ul>


<h2><a name="changes200">Geeklog 2.0.0</a></h2>

<p><strong>Note:</strong> Geeklog 2.0.0 manages topics differently. Topic
    assignments for articles and blocks are now stored in their own database table.
    This means the article and block tables have changed slightly. Plugins that
    modify blocks directly or have a centerblock may not be compatible with
    Geeklog 2.0.0. Please check to see if the plugins you have installed are
    compatible before you upgrade. If they are not then disable them if you still
    wish to upgrade. We expect most plugin authors to upgrade their plugins to
    support Geeklog 2.0.0 soon after the release.</p>

<p>The theme engine has also been updated. Geeklog 2.0.0 introduces
    a new function that allows a page to be generated all at once instead of in specific
    parts as it was before. Only themes and
    plugins that have been updated to use the new function for display can take
    advantage of the new features this brings to Geeklog and themes.
</p>

<p>This Geeklog release now ships with jQuery 1.7.2 and jQuery UI 1.8.20.</p>

<h3>New Features and Improvements</h3>

<ul>
    <li>Improved strength of password hashing.</li>
    <li>Allow Topics to have child Topics.</li>
    <li>Allow Articles, Blocks and other Plugin objects to be associated with more than one Topic.</li>
    <li>Topic Breadcrumb support.</li>
    <li>Emergency Rescue Tool is included with the Geeklog Install.</li>
    <li>Added support for MySQLi.</li>
    <li>Add Stop Forum Spam and Spam Number of Links Modules to Spam-X.</li>
    <li>A new theme called Denim which is based on Responsive Web Design.</li>
    <li>A new theme called Modern Curve.</li>
    <li>Comments Form on same page as article.</li>
</ul>


<h2><a name="changes182">Geeklog 1.8.2</a></h2>

<p>Geeklog 1.8.2 is a maintenance release. There were no changes in the database, the templates, or the language files
    in this release, so upgrades should be straightforward.</p>

<h3>Bugfixes</h3>
<ul>
    <li>Fixed compatibility with MySQL 5.5 (upgrade, database backup). For this fix, we also had to raise the minimum
        supported MySQL version to 4.1.2.
    </li>
    <li>Fixed Twitter OAuth login.</li>
</ul>


<h2><a name="changes181">Geeklog 1.8.1</a></h2>

<p>Geeklog 1.8.1 is a maintenance release and a recommended update for all
    users of Geeklog 1.8.0. There were no changes in the database, the templates,
    or the language files (other than some updated translations) in this release,
    so upgrades should be straightforward.</p>

<p>This Geeklog release now ships with jQuery 1.6.3.</p>

<h3>Bugfixes</h3>

<ul>
    <li>Fixed information leakage:
        <ul>
            <li>The "<a href="config.html#desc_rootdebug">rootdebug</a>" option,
                when enabled, also dumped the OAuth consumer key and secret. You now
                have to additionally set the rootdebug option to "force" to make them
                show up in the variable dump.
            </li>
            <li>The MS SQL driver was displaying detailed SQL error messages by
                default.
            </li>
        </ul>
    </li>
    <li>Fixed a regression in Geeklog 1.8.0 that made the <code>[code]</code> and
        <code>[raw]</code> tags not escape content properly.
    </li>
    <li>Fixed some problems with adding and removing elements to/from arrays in
        the Configuration.
    </li>
    <li>The admin's User Editor no longer loses changes when an error occured.</li>
    <li>Fixed images not being displayed in the story preview (when editing an
        existing story).
    </li>
    <li>Plugins can now set <code>$_SCRIPTS</code> in the
        <code>plugin_getFooter()</code> function.
    </li>
    <li>Fixed some warnings raised by PHP 5.4.</li>
</ul>


<h2><a name="changes180">Geeklog 1.8.0</a></h2>

<p><strong>Note:</strong> Geeklog 1.8.0 now <strong>requires PHP 5.2.0</strong>
    or later. We will provide legacy PHP 4 support for <a
            href="#changes1.7.2">Geeklog 1.7.2</a> for a limited time, but would strongly
    suggest that you switch to PHP 5.2 or later as soon as possible.</p>

<p>For details, please see the <a href="https://www.geeklog.net/article.php/end-of-php4-support">announcement</a> on the
    Geeklog homepage.</p>

<h3>New Features and Improvements</h3>

<ul>
    <li>Improved Configuration with input validation and a search function. These
        improvements were implemented by Akeda Bagus as part of the Google Summer
        of Code 2010.
    </li>
    <li>OAuth support, allowing users to log into a Geeklog site with their
        Facebook, Twitter, or LinkedIn account. This functionality was originally
        developed by Hiroshi Sakuramoto (Hiroron) of Geeklog Japan.
    </li>
    <li>New icons in the default theme (taken from the Tango, Gnome, and Humanity
        icon themes).
    </li>
    <li>Ships with <a href="http://jquery.com/">jQuery</a>, which is now the
        "official" JavaScript library for Geeklog.
    </li>
    <li>Autotags now have permissions and a description (tooltip).</li>
    <li>Revamped Plugins admin panel, which also lets you change the plugin load
        order. Plugins can now also indicate dependencies on other plugins.
    </li>
</ul>


<h2><a id="changes172" name="changes172">Geeklog 1.7.2</a></h2>

<p><strong>Note:</strong> Geeklog 1.7.2 is the last Geeklog version to work on
    PHP 4. We will be providing security fixes, if required, for this version until
    2012. New features will only be added to Geeklog 1.8.0 and later versions,
    which will require at least PHP 5.2.0 to run. Please see <a
            href="https://www.geeklog.net/article.php/end-of-php4-support">the announcement</a> on geeklog.net
    for details.</p>

<h3>Bugfixes</h3>

<ul>
    <li>Fixed PostgreSQL support (multiple Geeklog instances sharing one Postgres
        database; dbSave function; error reporting; PHP 4 compatibility).
    </li>
    <li>Fixed replacing the <code>[imageX]</code> tags when changing a story id.</li>
    <li>Fixed a PHP 4 compatibility issue in the Static Pages plugin.</li>
</ul>


<h2><a name="changes171sr1">Geeklog 1.7.1sr1</a></h2>

<p>This release fixes an XSS in the admin's configuration panel, reported by
    Aung Khant of the YGN Ethical Hacker Group.</p>


<h2><a name="changes171">Geeklog 1.7.1</a></h2>

<h3>New Features and Improvements</h3>

<ul>
    <li>A Static Page can now be marked as a template and used by other Static
        Pages.
    </li>
    <li>Themes can now have their own display functions for the start and end of
        blocks.
    </li>
    <li>Please also see the list of <a href="theme.html#changes">theme changes</a>.</li>
</ul>

<h3>Bugfixes</h3>

<ul>
    <li>In Geeklog 1.7.0, comment submissions for plugins were missing the type,
        i.e. the comments were not recognized as plugin comments.
    </li>
    <li>Changing anything in My Account while Advanced Editor was disabled for the
        site also disabled the user's setting for the Advanced Editor.
    </li>
    <li>Fixed the "Show &amp; Hide Boxes" option in My Account.</li>
    <li>Reverted a change from Geeklog 1.7.0: Curly braces in block content are not
        escaped any longer. To avoid words in curly braces being interpreted as
        template variables (e.g. for JavaScript code), add a space after the opening
        or before the closing brace.
    </li>
    <li>Reverted a change from Geeklog 1.7.0 that would send a Content-Type header
        when calling <code>COM_refresh()</code> since this conflicts with some
        plugins (e.g. the Forum).
    </li>
</ul>

<h2><a name="changes170">Geeklog 1.7.0</a></h2>

<h3>New Features and Improvements</h3>

<ul>
    <li>Geeklog now supports <strong>PostgreSQL</strong> databases. This feature
        was implemented by Stan Palatnik during the 2009 Google Summer of Code.
    </li>
    <li>When the security token (CSRF protection) expires, the user will now be
        asked to <a href="http://wiki.geeklog.net/index.php/Re-Authentication_for_expired_Tokens">authenticate again</a>.
        On successful re-authentication, the
        operation will be repeated and no changes will be lost.
    </li>
    <li>The options to skip spam checks and HTML filtering are now permissions and
        no longer restricted to the Root group.
    </li>
    <li>Groups can now be marked as a default group. New users will automatically
        be added to all default groups.
    </li>
    <li>Comments in plugins can now be listed in the What's New block and in a
        user's profile (through a new Plugin API function - requires changes in
        plugins).
    </li>
    <li>Pages that require authentication now display a login form.</li>
    <li>When the Advanced Editor is enabled for the site, users can now enable or
        disable it for themselves in their settings under My Account.
    </li>
    <li>There is now an option to create copies of existing stories (like the
        options to copy existing static pages and calendar entries).
    </li>
    <li>A new <code>[user:]</code> autotag is available to easily create links to
        a user's profile.
    </li>
</ul>

<h3>Other changes</h3>

<ul>
    <li><strong>Security:</strong> Fixed a vulnerability to dictionary attacks in the
        autologin, originally reported by Bookoo of the Nine Situations Group.
    </li>
    <li>The minimum requirements for Geeklog are now <strong>PHP 4.4.0</strong>
        and <strong>MySQL 4.0.18</strong>.
    </li>
    <li>Ships with <a href="http://www.fckeditor.net/">FCKeditor</a> 2.6.6</li>
    <li>Please also see the list of <a href="theme.html#changes">theme changes</a>.</li>
</ul>

<p>This release also includes a number of patches and improvements made by
    students applying for participation in the Google Summer of Code 2010. Thank
    you!</p>


<h2><a name="changes161sr2">Geeklog 1.6.1sr2</a></h2>

<p>This release fixes an XSS in the admin's configuration panel, reported by
    Aung Khant of the YGN Ethical Hacker Group.</p>


<h2><a name="changes161sr1">Geeklog 1.6.1sr1</a></h2>

<p>This release fixes a vulnerability to dictionary attacks in the autologin,
    originally reported by Bookoo of the Nine Situations Group.</p>


<h2><a name="changes161">Geeklog 1.6.1</a></h2>

<h3>New Features and Improvements</h3>

<ul>
    <li>Geeklog now lets you enter meta descriptions and meta keywords for the main
        page, for stories, topics, static pages, and polls. Please note that these
        meta tags <a href="http://www.mattcutts.com/blog/keywords-meta-tag-in-web-search/">may not be used</a> by some
        search engines.
    </li>
    <li>You can now have one featured story per topic (for stories set to "Show
        only in Topic").
    </li>
    <li>New <a href="polls.html#autotags">autotags</a> now allow you to embed polls
        in stories and everywhere else where autotags are allowed.
    </li>
    <li>The Migrate option in the install script can now also be applied to an
        existing database (i.e. you don't need to import a database dump to update
        your URLs and paths).
    </li>
    <li>The Database Backup admin panel now includes options to optimize the
        database and convert tables to InnoDB (MySQL only).
    </li>
    <li>Improved <a href="http://wiki.geeklog.net/index.php/Timezone_Support">timezone support</a> and let users
        actually set their own timezone.
    </li>
    <li>Minor security enhancements:
        <ul>
            <li>"Important" cookies (like the session cookies) are now created with
                the HttpOnly flag set. This will help avoid some XSS attacks,
                provided your browser supports this flag.
            </li>
            <li>Template errors will now trigger the <a
                    href="https://www.geeklog.net/faqman/index.php?op=view&amp;t=65">standard error handler</a> instead
                of
                exposing the template path.
            </li>
            <li>Fixed inclusion protection for some of the Spam-X class files.</li>
        </ul>
    </li>
</ul>

<p>Please also see the list of <a href="theme.html#changes">theme changes</a>.</p>

<h3>Bugfixes</h3>

<ul>
    <li>Fixed automatic <a href="config.html#desc_article_comment_close_enabled">closing of stories for comments</a>
        after a certain amount of days. If you need to
        re-open comments on stories that were closed due to this bug, you can use
        this SQL request:<br/>
        <code style="margin-left:2em">UPDATE gl_stories SET commentcode = 0, comment_expire = 0 WHERE commentcode =
            1;</code></li>
    <li>The comment speed limit was being ignored.</li>
    <li>Fixed a bug in the Group Editor that didn't let you add groups to other
        groups (this problem was only introduced in Geeklog 1.6.0).
    </li>
    <li>The admin group for the Static Pages plugin was created with a wrong name
        in Geeklog 1.6.0 (fresh installs only).
    </li>
    <li>Several tweaks and minor fixes (e.g. compatibility with PHP 4) in the
        search.
    </li>
</ul>

<h2><a name="changes160sr2">Geeklog 1.6.0sr2</a></h2>

<p>This release addresses the following security issue:</p>
<ul>
    <li>Unauthorized file uploads were possible through FCKeditor.<br/>
        Uploaded files still had to go through FCKeditor's filter, so it was not possible to upload scripts (and the
        integrity of the Geeklog site as such was not in danger). There were, however, reports that this was used to
        host malware.<br/>
        This update prevents use of the upload feature when FCKeditor is disabled and disables it for anonymous users.
        It also doesn't allow uploading of archive files any more. Furthermore, you need some sort of "edit" permission
        now to be able to upload files through FCKeditor (this is meant as an interim measure - we will probably
        introduce a separate "upload" permission in future Geeklog versions).
    </li>
</ul>

<p>Other fixes:</p>
<ul>
    <li>Fixed installation using InnoDB tables.</li>
    <li>Fixed a (non-exploitable) SQL error when auto-updating a story's
        commentcode field.
    </li>
    <li>Fixed a wrong function name in the Links plugin.</li>
</ul>


<h2><a name="changes160sr1">Geeklog 1.6.0sr1</a></h2>

<p>This release addresses the following security issues:</p>
<ol>
    <li>Gerendi Sandor Attila reported an XSS in the forms to email a user and to
        email a story to a friend.
    </li>
    <li>The "Mail Story to a Friend" function didn't check story permissions, so
        that it was possible to email a story even if you didn't have the
        permissions to view it on the site.
    </li>
</ol>

<p>Other fixes:</p>
<ul>
    <li>Fixed an SQL error when submitting a story and the story submission queue
        was off.
    </li>
    <li>Fixed calls to a nonexistent function <code>COM_outputMessageAndAbort</code>.</li>
</ul>


<h2><a name="changes160">Geeklog 1.6.0</a></h2>

<h3>Results from the Summer of Code</h3>

<p>This release incorporates the following projects implemented during the
    the 2008 Google Summer of Code:</p>

<ul>
    <li>Site migration support and easier plugin installation, by Matt West</li>
    <li>Improved search, by Sami Barakat</li>
    <li>Comment moderation and editable comments, by Jared Wenerd</li>
</ul>

<h3>Other changes</h3>

<ul>
    <li>The minimum PHP version required by Geeklog is now <strong>PHP 4.3.0</strong>. Given that the PHP team ended
        support for PHP 4 in August 2008, you should be
        looking into upgrading to PHP 5 anyway.
    </li>
    <li>Includes <a href="http://www.fckeditor.net/">FCKeditor</a> 2.6.4.1</li>
    <li>Includes a new plugin, <a href="http://wiki.geeklog.net/index.php/XMLSitemap_Plugin">XMLSitemap</a>, that
        automatically generates a <a
                href="http://www.sitemaps.org/">XML sitemap file</a>, as supported by all
        major search engines. Plugin written and provided by mystral-kk.
    </li>
    <li>Several <a href="http://wiki.geeklog.net/index.php/New_Plugin_API_Functions_in_Geeklog_1.6.0">new plugin API
        functions</a> have been added and existing
        functions have been extended.
    </li>
    <li>The included documentation has been moved to <span class="tt">docs/english</span> to allow
        for translations. Links to the documentation from within Geeklog will link
        to existing translations for the current language automatically (or fall
        back to the English documentation if no suitable translation can be found).
    </li>
    <li>There were a variety of <a href="theme.html#changes">theme changes</a> to
        support new functionality and fix inconsistencies in the layout.
    </li>
</ul>

<p>This release also includes a number of patches and improvements made by
    students applying for participation in the Google Summer of Code 2009. Thank
    you!</p>


<h2><a name="changes152sr6">Geeklog 1.5.2sr6</a></h2>

<p>This release fixes a vulnerability to dictionary attacks in the autologin,
    originally reported by Bookoo of the Nine Situations Group.</p>


<h2><a name="changes152sr5">Geeklog 1.5.2sr5</a></h2>

<p>This release addresses the following security issues:</p>
<ol>
    <li>Gerendi Sandor Attila reported an XSS in the forms to email a user and to
        email a story to a friend.
    </li>
    <li>The "Mail Story to a Friend" function didn't check story permissions, so
        that it was possible to email a story even if you didn't have the
        permissions to view it on the site.
    </li>
</ol>


<h2><a name="changes152sr4">Geeklog 1.5.2sr4</a></h2>

<p>Bookoo of the Nine Situations Group posted another SQL injection exploit, targetting an old bug in usersettings.php.
    As with the previous issues, this allowed an attacker to extract the password hash for any account and is fixed with
    this release.</p>


<h2><a name="changes152sr3">Geeklog 1.5.2sr3</a></h2>

<p>Bookoo of the Nine Situations Group posted another SQL injection exploit, this time targetting the webservices API.
    As with the previous issue, this allowed an attacker to extract the password hash for any account and is fixed with
    this release.</p>


<h2><a name="changes152sr2">Geeklog 1.5.2sr2</a></h2>

<p>Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion that also works with Geeklog. This
    issue allowed an attacker to extract the password hash for any account and is fixed with this release.</p>


<h2><a name="changes152sr1">Geeklog 1.5.2sr1</a></h2>

<p>Fernando Mu&ntilde;oz reported a possible <a href="http://en.wikipedia.org/wiki/XSS"
                                                title="Click to look up 'XSS' on Wikipedia"
                                                style="text-decoration: none; color: black; border-bottom: 1px dotted black;">XSS</a>
    in the query form on most admin panels that we are fixing with this release.</p>


<h2><a name="changes152">Geeklog 1.5.2</a></h2>

<h3>Bugfixes</h3>

<ul>
    <li>Fixed a bug in the story preview where the story content was lost when
        previewing a story with a duplicate story ID.
    </li>
    <li>Fixed another bug in the story preview that caused extra backslashes to
        appear in the story's title.
    </li>
    <li>The Trackback editor didn't work since the security token was missing from
        the editor template.
    </li>
    <li>Fixed issues with clickable links in plain text postings.</li>
    <li>Fixed various problems with updating feeds, e.g. when changing topic
        permissions.
    </li>
</ul>

<h3>Fixes in the bundled Plugins</h3>

<ul>
    <li>Calendar: You couldn't add a new event to your personal calendar.</li>
    <li>Links: Changing a link's ID to one that was already in use overwrote the
        other link.
    </li>
    <li>Polls: Changing a poll's ID created a new poll. Also fixed an SQL error
        when the poll question contained single quotes.
    </li>
    <li>Static Pages: Saving a static page changed the owner to the user who saved
        it.
    </li>
</ul>

<h3>Other Changes</h3>

<ul>
    <li>Improved image quality when using gdlib to rescale uploaded images.</li>
    <li>Theme changes are documented in the <a href="theme.html#changes">theme
        documentation</a>, as usual. There are 4 bugfixes (one of which is in the
        templates for the Polls plugin) that should be applied to all themes for
        the 1.5.x series.
    </li>
</ul>


<h2><a name="changes151">Geeklog 1.5.1</a></h2>

<p>Geeklog 1.5.1 is mostly a bugfix release and a recommended upgrade for users
    of Geeklog 1.5.0. There were also a few minor feature additions.</p>

<h3>Bugfixes</h3>

<h4>Security related</h4>

<ul>
    <li>The upload script for FCKeditor could be <a
            href="https://www.geeklog.net/article.php/file-uploads">called directly</a>
        to upload various media files (but not executable scripts), as reported
        by t0pP8uZz.
    </li>
    <li>The protection in various include files against direct execution did not
        work properly on non-case sensitive file systems, e.g. on Windows
        (reported by Mark Evans).
    </li>
    <li>It was possible to view stories with a publication date in the future and
        stories that had the draft flag set if you knew their story ID.
    </li>
    <li>It was possible to post comments on unpublished stories if you knew their
        story ID.
    </li>
    <li>When a database backup fails, the database password is no longer logged to
        <span class="tt">error.log</span>.
    </li>
</ul>

<h4>Other Bugfixes</h4>

<ul>
    <li>All right-side blocks were rendered twice, which not only took more time
        than necessary, but could also affect the functionality of add-ons like
        the Chatterblock or Shoutbox.
    </li>
    <li>Fixed handling of security tokens (for CSRF protection) that prevented
        you from deleting comments on a story that had trackbacks.
    </li>
    <li>Other fixes were applied to the user submission queue, story submissions,
        the list of draft stories and the support for MS SQL.
    </li>
</ul>

<h4>Fixes in the bundled Plugins</h4>

<ul>
    <li>Calendar: Fixed display of events in the Upcoming Events block for the
        current day (really this time ...).
    </li>
    <li>Links: Fixed SQL error when trying to change a category and fixed new
        categories silently overwriting existing categories with the same ID.
    </li>
    <li>Static Pages: Fixed printer friendly version when <span class="tt">url_rewrite</span> is
        enabled.
    </li>
</ul>

<h3>New Features and Improvements</h3>

<ul>
    <li>Includes <a href="http://www.fckeditor.net/">FCKeditor</a> 2.6.3</li>
    <li>In multi-language setups, blocks can now also be multi-lingual.</li>
    <li>New "Subscribe to ..." feed story option when there is a separate feed for
        a story's topic.
    </li>
    <li>New option "All Frontpage Stories" for article feeds (skip stories that have
        the "Show only in topic" option set).
    </li>
    <li>Allow to unset Configuration options again after they have been "restored",
        e.g. after accidental activation.
    </li>
    <li>Configuration options can now be overwritten in <span class="tt">siteconfig.php</span>.
        This is mostly useful for the <code>$_CONF['rootdebug']</code> option.
    </li>
    <li>Remotely authenticated users can now use the webservices (they need to use
        <span class="tt">username@servicename</span> for their username).<br/>
        <strong>Note:</strong> OpenID users can <em>not</em> use the webservices,
        due to technical issues with the authentication method.
    </li>
    <li>Improved compatibility of the webservices (i.e. AtomPub).</li>
</ul>

<h3>Theme Changes</h3>

<p>There was one mandatory theme change: The template file for configuration
    items, <span class="tt">admin/config/config_element.thtml</span> has to be updated (copy
    from the Professional theme). All other theme changes in this release are
    optional - see the <a href="theme.html#changes">theme documentation</a> for
    details.</p>


<h2><a name="changes150">Geeklog 1.5.0</a></h2>

<h3>Results from the Summer of Code</h3>

<p>This release incorporates the following projects implemented during the
    the 2007 Google Summer of Code:</p>

<ul>
    <li>New user-friendly install script by Matt West</li>
    <li>New Configuration GUI (replacing config.php) by Aaron Blankstein</li>
    <li>New Webservices API based on the Atom Publishing Protocol by Ramnath R. Iyer</li>
</ul>

<h3>Other New Features and Improvements</h3>

<ul>
    <li>OpenID support: You can now allow users to log into your site using an
        OpenID, so that they don't need to create a new account with your site but
        still get all the benefits of a normal registered user.
    </li>
    <li>New LDAP remote authentication module.</li>
    <li>The Links plugin now has hierarchical (sub-)categories.</li>
    <li>Updated <a href="http://www.fckeditor.net/">FCKeditor</a> to version 2.6.</li>
    <li>Rewrite of the underlying story code. Amongst other things, this should
        finally resolve all outstanding issues with the handling of special
        characters, HTML entities, etc. in stories. Also introduces a new
        <code>[raw]</code> tag as an inline complement to <code>[code]</code> when
        you want to post pieces of code (e.g. HTML) "as is", so that they are not
        interpreted.
    </li>
    <li>Comments can now be closed, i.e. existing comments will still be displayed
        but no new comment can be posted.
    </li>
    <li>The Polls plugin now allows for multiple questions per poll.</li>
    <li>The Static Pages plugin now supports comments.</li>
    <li>The database backup admin panel now lets you delete and download
        backups.
    </li>
    <li>The default Professional theme is now HTML 4.01 Strict compliant. Geeklog
        now also <a href="theme.html#xhtml">supports XHTML</a> (given an XHTML
        compliant theme).
    </li>
</ul>

<h3>Security</h3>

<ul>
    <li>Geeklog now includes protection against <a href="https://www.geeklog.net/article.php/csrf">cross-site request
        forgery</a> attacks.
    </li>
    <li>Lukasz Pilorz reported <a href="https://www.geeklog.net/article.php/kses">security issues in kses</a>, the HTML
        filter we're using in Geeklog.
    </li>
</ul>


<h2><a name="changes141">Geeklog 1.4.1</a></h2>

<h3>New Features</h3>

<ul>
    <li>Support for Microsoft SQL Server. Starting with this release, Geeklog can
        now also be installed on Microsoft SQL Server, so it's no longer restricted
        to just MySQL. The MS SQL support was developed by Randy Kolenko.
        Thanks, Randy!<br/>
        Please note that any third-party plugins will have to offer support for
        MS SQL before they can be installed on Microsoft SQL Server. The bundled
        plugins (Calendar, Links, Polls, Spam-X, Static Pages) have already been
        updated accordingly.
    </li>
    <li><a href="calendar.html">Calendar plugin</a>. The formerly built-in calendar
        and events have now been moved into a separate plugin. This complements the
        move of the <a href="polls.html">polls</a> and <a href="links.html">links</a> sections into plugins in Geeklog
        1.4.0 and makes Geeklog more modular as you
        can now easily disable or replace functionality that you don't need for
        your site.
    </li>
    <li><a href="http://wiki.geeklog.net/wiki/index.php/Multi-Language_Support">Multi-language support</a>. It is now
        possible to build truly multi-lingual sites
        with Geeklog where not only the navigation but also the content of the site
        changes with the language.
    </li>
    <li>Ships with <a href="http://www.fckeditor.net/">FCKeditor</a> 2.3.1, which once
        again includes a file manager for uploading images.
    </li>
    <li>A function for mass-deletion of old or inactive users. The list automatically
        searches for users that have never logged in, only used the site for a very
        short time or have not been online since a very long time. The time span can
        be varied, and found users can be selectively deleted.
    </li>
</ul>

<h3>Security</h3>

<p>In the light of the security issues discovered in Geeklog 1.4.0 and earlier
    versions, the Geeklog source code has undergone a code review. We have
    identified and addressed several minor issues and introduced new measures to
    enhance security in this release. As a welcome side effect, the code reviews
    have also uncovered a few bugs and inconsistencies that we also fixed in this
    release.</p>

<h3>Spam Protection</h3>

<p>With this release we are finally removing support for the <a
        href="https://www.geeklog.net/article.php/mt-blacklist-discontinued">discontinued</a> MT-Blacklist. In its
    place, we are now using a system called Spam Link Verification (SLV) run by Russ Jones at <a
            href="http://www.linksleeve.org/">www.linksleeve.org</a>. SLV could be described as a community-driven,
    automatically updated blacklist. See the documentation of the <a href="spamx.html" rel="nofollow">Spam-X plugin</a>
    for details.</p>


<h2><a name="changes140sr6">Geeklog 1.4.0sr6</a></h2>

<p>MustLive pointed out a possible <a href="http://en.wikipedia.org/wiki/XSS"
                                      title="Click to look up 'XSS' on Wikipedia"
                                      style="text-decoration: none; color: black; border-bottom: 1px dotted black;">XSS</a>
    in the form to email an article to a friend that we're fixing with this release.</p>


<h2><a name="changes140sr5-1">Geeklog 1.4.0sr5-1</a></h2>

<p>This release fixes display problems in the comment preview that were only
    introduced in Geeklog 1.4.0sr5.</p>


<h2><a name="changes140sr5">Geeklog 1.4.0sr5</a></h2>

<p>JPCERT/CC informed us about a possible <a href="http://en.wikipedia.org/wiki/XSS"
                                             title="Click to look up 'XSS' on Wikipedia"
                                             style="text-decoration: none; color: black; border-bottom: 1px dotted black;">XSS</a>
    in the comment handling that we're fixing with this release.</p>


<h2><a name="changes140sr4">Geeklog 1.4.0sr4</a></h2>

<p>Two exploits have been released by "rgod" for insecure Geeklog installations and for a bug in the "mcpuk" file
    manager that we've been shipping as part of FCKeditor in all previous 1.4.0 releases.</p>

<ul>
    <li>Some of the files outside of the public_html directory were not protected
        against direct execution. If Geeklog was installed such that those files
        were accessible from a URL (which has always been strongly discouraged in
        the installation instructions) then those files could be used to load and
        execute malicious code from a remote server.
        <br/><br/>
        More information: <a
                href="https://www.geeklog.net/article.php/so-called-exploit">So-called
            Geeklog "exploit" posted</a>
        <br/><br/>
        In this release, we've added the missing execution prevention for all files
        outside of public_html. We would still, however, suggest that you fix your
        Geeklog install if the files outside of public_html are accessible from a
        URL (see our <a
                href="https://www.geeklog.net/faqman/index.php?op=view&amp;t=56">FAQ</a> for
        details).
    </li>
    <li>The "mcpuk" file manager that we've integrated into FCKeditor allowed the
        upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
        config.php). Depending on your webserver's configuration, it was then
        possible to execute that uploaded code.
        <br/><br/>
        More information: <a href="https://www.geeklog.net/article.php/exploit-for-fckeditor-filemanager">Exploit for
            FCKeditor's mcpuk file manager</a>
        <br/><br/>
        The file manager has been removed from this release. You will therefore no
        longer be able to upload files, e.g. images, through FCKeditor. Future
        versions of Geeklog will ship with an updated version of FCKeditor and its
        included file manager.
    </li>
</ul>

<p>Note: This release also includes the <a
        href="https://www.geeklog.net/article.php/fighting-trackback-spam">updated
    lib-trackback.php</a> for better protection against Trackback spam.</p>


<h2><a name="changes140sr3">Geeklog 1.4.0sr3</a></h2>

<p>This release addresses the following security issues:</p>
<ol>
    <li>Possible SQL injection and authentication bypass in <span class="tt">auth.inc.php</span>
        (reported by the Security Science Researchers Institute Of Iran).
    </li>
    <li>Possible XSS in <span class="tt">getimage.php</span>
        (reported by the Security Science Researchers Institute Of Iran).
    </li>
    <li>Path disclosure in <span class="tt">getimage.php</span> and the <span class="tt">functions.php</span> of
        some themes, e.g. the Professional theme
        (reported by the Security Science Researchers Institute Of Iran).
    </li>
    <li>Possible SQL injection in story submissions.</li>
</ol>


<h2><a name="changes140sr2">Geeklog 1.4.0sr2</a></h2>

<p>This release addresses the following security issues:</p>
<ul>
    <li>Konstantin Dyakoff found an old bug in the session handling that would
        allow anyone to log in as any user.
    </li>
    <li>HTML was not stripped from the Location field in a user's profile.</li>
</ul>


<h2><a name="changes140sr1">Geeklog 1.4.0sr1</a></h2>

<p>This release addresses the following security issues:</p>
<ul>
    <li>James Bercegay of GulfTech Security Research reported several issues with
        Geeklog's cookie handling that made it vulnerable to SQL injections,
        arbitrary file access, and even injection and execution of arbitrary
        code.
    </li>
</ul>


<h2><a name="changes140">Geeklog 1.4.0</a></h2>

<p>
    <small>(Geeklog 1.4.0 was originally supposed to be called 1.3.12, so any
        references you may find to a version 1.3.12 apply to version 1.4.0)
    </small>
</p>

<h3>New Features</h3>

<ul>
    <li>Geeklog now officially works with <code>register_globals = off</code>.
        Please note that some plugins may still require it to be <code>on</code>,
        though.
    </li>
    <li>Added support for sending and receiving <a
            href="http://en.wikipedia.org/wiki/Trackback">Trackback</a> and <a
            href="http://en.wikipedia.org/wiki/Pingback">Pingback</a> comments. Both
        are supported for stories, but there is also a new plugin API so that
        plugins can use this feature, too. Trackback and Pingback can be disabled
        in <span class="tt">config.php</span>.
    </li>
    <li>Added the ability to "ping" weblog directory services to advertise site
        updates (preconfigured to ping <a
                href="http://pingomatic.com">Ping-o-Matic</a>). As with Trackback and
        Pingback, this is supported for stories, but plugins can also make use of
        this feature via the plugin API.
    </li>
    <li>New syndication framework so that Geeklog can now <strong>read and
        write</strong> feeds in different formats (currently supported: RSS, RDF,
        and Atom).
    </li>
    <li>New administrator controlled user status. Including banning and
        administrator activation of accounts.
    </li>
    <li>New Remote Authentication system to allow people with accounts on remote
        services such as Blogger.com or LiveJournal.com to login to your site
        without having to directly register on your site. (Remote accounts can be
        banned as normal accounts).
    </li>
    <li>The Admin sections have been revamped to provide a more consistent look and
        sortable lists. "Command and Control" (<span class="tt">moderation.php</span>) now also
        comes with a new set of icons and has one icon for every Admin section.
        Furthermore, the Admin block and Command and Control can be <a
                href="config.html#desc_sort_admin">sorted</a> alphabetically.
    </li>
    <li>Ships with <a href="http://www.fckeditor.net/">FCKeditor</a> (WYSIWYG
        editor). To <a href="config.html#desc_advanced_editor">enable</a>, set
        <code>$_CONF['advanced_editor'] = true;</code> in your
        <span class="tt">config.php</span>.
    </li>
    <li>The search now only displays a specified amount of results per page to
        avoid running into timeouts when searching through large databases.<br/>
        <strong>Note:</strong> Plugins will have to be updated to support the "paged" search.
        Until then, Geeklog fakes the paged results for plugin searches, which
        means that a plugin that hasn't been updated will still search through the
        entire database, but Geeklog will only display the results for the current
        result page.
    </li>
    <li>Introduced an "Article Directory", providing an overview of all past
        articles, sorted by year and month.
    </li>
    <li>The default permissions for new objects (stories, topics, blocks, etc.) can
        now be set in config.php.
    </li>
</ul>

<h3>Compatibility</h3>

<ul>
    <li>Due to the changes, themes will have to be updated to work with Geeklog
        1.4.0. See the <a href="theme.html#changes">list of theme changes</a> for
        details.
    </li>
    <li>The plugin API for comments has changed. Plugins using comments will have
        to be updated to work with Geeklog 1.4.0.
    </li>
</ul>

<h3>More Information</h3>

<p>We have posted a series of stories on the Geeklog homepage that highlight and explain some of the new features:</p>
<ul>
    <li><a href="https://www.geeklog.net/article.php/advanced-editor">Geeklog's Advanced Editor</a></li>
    <li><a href="https://www.geeklog.net/article.php/remote-authentication">Remote Authentication</a></li>
    <li><a href="https://www.geeklog.net/article.php/trackback-pingback">Trackback and Pingback</a></li>
    <li><a href="https://www.geeklog.net/article.php/ping">Sending a Ping</a></li>
    <li><a href="https://www.geeklog.net/article.php/comment-plugin-api">New Comment Plugin API</a></li>
</ul>


<h2><a name="changes1311sr7">Geeklog 1.3.11sr7</a></h2>

<p>JPCERT/CC informed us about a possible <a href="http://en.wikipedia.org/wiki/XSS"
                                             title="Click to look up 'XSS' on Wikipedia"
                                             style="text-decoration: none; color: black; border-bottom: 1px dotted black;">XSS</a>
    in the comment handling that we're fixing with this release.</p>


<h2><a name="changes1311sr6">Geeklog 1.3.11sr6</a></h2>

<p>This release addresses the following security issues:</p>
<ol>
    <li>Possible SQL injection and authentication bypass in <span class="tt">auth.inc.php</span>
        (reported by the Security Science Researchers Institute Of Iran).
    </li>
    <li>Possible XSS in <span class="tt">getimage.php</span>
        (reported by the Security Science Researchers Institute Of Iran).
    </li>
    <li>Path disclosure in <span class="tt">getimage.php</span> and the <span class="tt">functions.php</span> of
        some themes, e.g. the Professional theme
        (reported by the Security Science Researchers Institute Of Iran).
    </li>
    <li>Possible SQL injection in story submissions.</li>
</ol>


<h2><a name="changes1311sr5">Geeklog 1.3.11sr5</a></h2>

<ul>
    <li>Konstantin Dyakoff found an old bug in the session handling that would
        allow anyone to log in as any user.
    </li>
</ul>


<h2><a name="changes1311sr4">Geeklog 1.3.11sr4</a></h2>

<p>This release addresses the following security issues:</p>
<ul>
    <li>James Bercegay of GulfTech Security Research reported several issues with
        Geeklog's cookie handling that made it vulnerable to SQL injections,
        arbitrary file access, and even injection and execution of arbitrary
        code.
    </li>
</ul>


<h2><a name="changes1311sr3">Geeklog 1.3.11sr3</a></h2>

<p>This release addresses the following security issues:</p>

<ol>
    <li>Provided you knew the story id, it was possible to submit comments for
        stories even if you did not have access to those stories
        (reported by LWC). The same problem also existed with poll comments.
    </li>
    <li>Supplying an illegal start or end date to the advanced search resulted in a
        warning message that disclosed the path to the Geeklog install on the
        server (reported by r0t3d3Vil).<br/>
        It was <strong>not</strong> possible to use this for SQL injections.
    </li>
</ol>

<p>Also included in this release are bugfixes, e.g. for the problems editing
    static pages when URL rewriting was enabled, that were introduced in
    1.3.11sr2.</p>


<h2><a name="changes1311sr2">Geeklog 1.3.11sr2</a></h2>

<p>This release provides security enhancements and better spam protection
    originally developed for Geeklog 1.3.12. It also addresses a few bugs where
    the bugfix could be integrated with a reasonable amount of work (other bugfixes
    will have to wait for the 1.3.12 release).</p>

<h3>Security and Spam protection</h3>
<ul>
    <li>There is now a speed limit for login attempts, defaulting to three tries
        in a five minute period (<a
                href="config.html#desc_login_attempts">configurable</a> in
        <span class="tt">config.php</span>).
    </li>
    <li>Linefeeds are filtered from the To:, From:, and Subject: fields of any
        email sent through <code>COM_mail</code>.
    </li>
    <li>When a new user account is created and the user submission queue is enabled
        in <span class="tt">config.php</span>, Geeklog now ensures that the new account is properly
        queued even in the unlikely event that the account creation fails halfway
        through.
    </li>
    <li>When a post is identified as spam, it now also triggers the speed limit
        (ie. posters will have to wait for the speed limit to expire before they
        can make another submission).
    </li>
    <li>Spam posts now get a 403 "Forbidden" HTTP response code.</li>
    <li>Spam checks are now done for comments, story, link, and event submissions,
        the message sent with the "email story to a friend" option, and for the
        contents of the user profile.
    </li>
    <li><a href="https://www.geeklog.net/article.php/spam-x-1.0.2"
           rel="nofollow">Spam-X plugin 1.0.2</a> included.
    </li>
</ul>

<p>Please note that MT-Blacklist (used by Spam-X) has recently been <a
        href="https://www.geeklog.net/article.php/mt-blacklist-discontinued">discontinued</a>. The
    Spam-X plugin as included in this release is configured to get the last version
    of the blacklist from geeklog.net, but there will be no more updates.</p>

<h3>Bugfixes</h3>
<ul>
    <li>Fixed an error message thrown up by PHP 5.0.5 or later when viewing the
        article page (bug #483).
    </li>
    <li>Quote names in email addresses as soon as they contain any non-alphanumeric
        characters, apart from the blank (bug #368). This should help when trying
        to email users with special characters in their name.
    </li>
    <li>Upgraded included kses class to version 0.2.2 which fixes problems with
        Japanese and Thai characters (bugs #94 and #119).
    </li>
    <li>Fixed SQL error when using the [staticpage:] autotag (bug #373).</li>
</ul>
<p>For a complete list of bugfixes, please see the Changelog.</p>

<h3>Improvements</h3>
<ul>
    <li>Added support for a <code>custom_usercheck</code> function (for the
        custom registration code). See the included <span class="tt">lib-custom.php</span> for
        details.
    </li>
    <li>Improved handling of the auto-archive option in <span class="tt">index.php</span>, which
        should slightly improve page load times.
    </li>
    <li>Includes several new and updated language files.</li>
    <li>Includes updated PEAR classes.</li>
</ul>


<h2><a name="changes1311sr1">Geeklog 1.3.11sr1</a></h2>
<p>This release addresses the following security issue:</p>
<ul>
    <li>Stefan Esser found an SQL injection that can, under certain circumstances,
        be exploited to extract user data such as the user's password hash.
    </li>
</ul>

<h2><a name="changes1311">Geeklog 1.3.11</a></h2>

<p>Geeklog 1.3.11 is a <strong>bugfix and security release</strong> over Geeklog 1.3.10 and is meant to replace 1.3.10.
    The change in the version number was necessary since one of the bugfixes involves a change in the database.</p>

<h3>Security issues</h3>
<ol>
    <li>It was possible to submit stories anonymously even if anonymous submissions
        were turned off in <span class="tt">config.php</span> (reported by Barry Wong).<br/>
        These stories still ended up in the submission queue, though, unless you
        disabled it in <span class="tt">config.php</span>.
    </li>
    <li>Some of the parameters in link and event submissions weren't filtered,
        leaving them open to potential SQL injections.
    </li>
    <li>The links for the What's Related block were created from the unfiltered
        story text, opening the possibility of XSS attacks (reported by Vincent
        Furia).
    </li>
</ol>

<h3>Bugfixes</h3>
<ul>
    <li>Fixes the length of the 'sid' field in the gl_comments table. Using story
        IDs longer than 20 characters prevented comment posts from being associated
        with the story.
    </li>
    <li>Ensures compatibility with PHP 4.1.x (includes updated PEAR packages).</li>
    <li>Fixes the archiving option being activated too early (bug #345).</li>
    <li>Properly deletes comments and story images when deleting entire topics
        (bug #339).
    </li>
    <li>Deletes comments when deleting polls.</li>
    <li>Fixes several bugs in the calendar and improves overall handling of both
        the site calendar and the personal calendars (bugs #268, #336, #338, and
        others).
    </li>
    <li>Fixes "More by <em>author</em>" and "More from <em>topic</em>" links in
        articles.
    </li>
    <li>Various other fixes, see <span class="tt">docs/history</span> for details.</li>
</ul>

<p>We strongly advise users of Geeklog 1.3.10 to upgrade to 1.3.11 ASAP. Upgrading should be relatively painless, as
    there weren't any changes in the themes, language files, or config.php over 1.3.10.</p>


<h2><a name="changes1310">Geeklog 1.3.10</a></h2>

<h3>New Default Theme</h3>

<p>This release comes with a new default theme: We've chosen the Professional
    theme, kindly provided by Victor B. Gonzalez (of <a href="http://aeonserv.com">Aeonserv</a> fame). The theme has
    been modified slightly and is now fully HTML 4.01 and CSS compliant.</p>

<p>We've also decided to remove the old set of themes (Classic, Clean, Digital Monochrome, Gameserver, Smooth Blue,
    XSilver, Yahoo) from the distribution. They are now available as a separate tarball.</p>

<h3>New Features</h3>

<ul>
    <li><a href="spamx.html" rel="nofollow">Spam-X plugin</a> included. Tom Willet
        has kindly provided his spam detection plugin, which is now part of the
        default Geeklog install.<br/>
        The plugin has been modified slightly to store the blacklists in the
        database. Users of the previous version of the plugin will have to import
        their personal blacklist via the plugin's admin panel.
    </li>
    <li>Story Archive feature: It is now possible to move stories to an "archive"
        topic or have them deleted automatically at a given time.
    </li>
    <li>Customizable menu bar: The site's menu bar can now be <a
            href="config.html#desc_menu_elements">configured</a> in config.php, i.e.
        you can choose which entries should be displayed there and in which order.
        It's also possible to add custom entries by providing a function in
        lib-custom.php.
    </li>
    <li>Clickable links in text postings: URLs in non-HTML postings are now
        recognized by Geeklog and displayed as clickable links.
    </li>
    <li>Editable story IDs: The IDs of stories can now be changed (like the IDs of
        static pages) to provide more readable URLs (and further improve the
        chances of being picked up by seach engines, especially when used with
        URL rewriting).
    </li>
    <li>Autolinks are a new form of links that can be used in stories and comments.
        An autolink takes the form
        <code>[<em>name</em>:<em>id</em> <em>link text</em>]</code> where <em>name</em> is
        the tag name, <em>id</em> is the ID of an object the link should be pointing
        to, and <em>link text</em> is used as the text of the link.<br/>
        Example: <code>[story:email-bug About the email bug]</code> would be
        translated into <code>&lt;a href="http://example.com/article.php/email-bug"&gt;About the email
            bug&lt;/a&gt;</code><br/>
        For the built-in autotags, the <em>link text</em> is optional and Geeklog
        will use the title of the object (story / event / static page) if it is not
        given.<br/>
        Predefined autotags are <code>[story:]</code> to link to stories and
        <code>[event:]</code> to link to events. Plugins can define their own
        autotags to provide links to objects under their control. The Static Pages
        plugin already provides a <code>[staticpage:]</code> autotag.
    </li>
    <li>Customizable welcome email: The email that is sent out to users
        registering with your site is now fully customizable by providing the
        text in a text file (/path/to/geeklog/data/welcome_email.txt).
    </li>
    <li>Timezone hack: The popular "<a
            href="https://www.geeklog.net/forum/viewtopic.php?showtopic=40196">timezone
        hack</a>" is now included. It lets you set the site's timezone for when
        your server is located in another timezone.
    </li>
</ul>

<h3>Other Improvements</h3>

<ul>
    <li>Various changes have been made to improve the overall performance.</li>
    <li>On fresh installs, there is now an option to use InnoDB tables (instead of
        MyISAM) if your MySQL version supports them (as of MySQL 4.0, or 3.x "Max"
        builds). Existing databases can be converted to InnoDB by using the script
        <span class="tt">admin/install/toinnodb.php</span>.<br/>
        <strong>Warning:</strong> Using InnoDB tables makes database backups
        somewhat more complicated. Small and medium-sized sites should work just
        fine with MyISAM tables, so if in doubt <em>don't</em> use InnoDB
        tables.
    </li>
    <li>The calendar's week can now either start on a Sunday or a Monday.</li>
    <li>The Static Pages plugin now has an option to display a printer-friendly
        version of a static page.
    </li>
</ul>

<h3>Comments</h3>

<ul>
    <li>The comment code has undergone major changes to improve performance and
        add improvements like the ability to link to individual comments,
        paging comments, etc.
    </li>
    <li>Users can now report abusive comments to the site admin.</li>
    <li>The site admin can get an email notification when a new comment is
        posted (similar to the notification emails for new stories, links,
        events, and users).
    </li>
    <li>The IP addresses of comment posters are now tracked and can be looked up
        directly by linking to a Whois service (or you can install Tom Willet's
        <a href="http://sf.net/project/showfiles.php?group_id=68255&amp;package_id=95743">NetTools</a>, which include a
        Whois function).
    </li>
</ul>

<h3>Security-related fixes</h3>

<p><strong>Note:</strong> All of the following bugs were problems with
    Geeklog's permissions system and fall into the "information leakage" category,
    i.e. under certain circumstances, site content was visible to persons who
    shouldn't be able to see it. None of these bugs were exploitable in the sense
    that they could be used to gain privileges or cause damage to Geeklog or the
    environment it's running in.</p>

<ul>
    <li>Group Admins were able to list the members of all groups, even if they were
        not members of those groups.
    </li>
    <li>Group Admins were given a list of all the groups in the system, even if
        they were not members of those groups (bug #280).
    </li>
    <li>Story and Event Admins were always given a list of all the stories / all
        the events, even when they didn't have read access to them (bug #269).
    </li>
    <li>It was possible to request comments from stories even if the user didn't
        have permission to read the story (provided you knew both the story and
        the comment id).
    </li>
    <li>Event permissions in the calendar's day and week view weren't checked
        properly, so that events may have been visible to users who shouldn't
        have been able to see them.
    </li>
    <li>It was possible to add any event to the personal calender, even if you
        didn't have permissions to see it in the site calendar (provided you knew
        the event id).
    </li>
</ul>

<h3>Other bugfixes</h3>

<ul>
    <li>Previewing and saving a story submission left the submitted story in the
        submission queue, but did additionally save it as a new story.
    </li>
    <li>Deleting an event from the personal calendar didn't work (bug #199).</li>
    <li>Old userphotos weren't removed when the new photo had a different file
        type, e.g. when changing from a .gif to a .jpg (bug #228).
    </li>
    <li>Scaling images didn't work when the image exceeded the max. height but
        not the max. width (bug #242).
    </li>
    <li>Keeping an unscaled image wasn't possible when using gdlib to rescale
        images (bug #197).
    </li>
    <li>When using gdlib, GIF images were converted to PNG format, but Geeklog
        was still trying to display the GIF version. Since the LZW patent has
        now <a href="http://www.unisys.com/about__unisys/lzw">expired</a>, it is
        safe to use GIF images again and the PNG conversion has been dropped.
    </li>
    <li>The tarball also includes updated PEAR packages which should address the
        email problems some users were having (bug #246).<br/>
        <strong>Note:</strong> These are the same PEAR packages that already
        shipped with Geeklog 1.3.9sr2.
    </li>
</ul>

<p>Please note that there have also been <a href="theme.html#changes">theme
    changes</a>, some of which are important to make the new features work (e.g.
    the editable story IDs and the story archive options)!</p>

<p>This release contains various improvements provided by the Geeklog community
    (see the <span class="tt">docs/history</span> file for proper credits). Thank you!</p>

<h2><a name="changes139sr3">Geeklog 1.3.9sr3</a></h2>
<p>This release addresses the following security issues:</p>

<ol>
    <li>It was possible to submit stories anonymously even if anonymous submissions
        were turned off in <span class="tt">config.php</span> (reported by Barry Wong).<br/>
        These stories still ended up in the submission queue, though, unless you
        disabled it in <span class="tt">config.php</span>.
    </li>
    <li>Some of the parameters in link and event submissions weren't filtered,
        leaving them open to potential SQL injections.
    </li>
</ol>


<h2><a name="changes139sr2">Geeklog 1.3.9sr2</a></h2>
<p>This release addresses the following security issues:</p>

<ol>
    <li>Fixed a cross site scripting vulnerability caused by using the variable
        <code>$topic</code> in the language files (bug #293).
    </li>
    <li>Prevent comment posts on stories or polls were comment posting has been
        disabled.
    </li>
</ol>

<h3>Other fixes</h3>
<ul>
    <li>Fixed <span class="tt">lib-plugins.php</span> to work properly with PHP 5.</li>
    <li>The complete tarball also includes updated PEAR packaged that fix
        some of the reported email problems.
    </li>
</ul>


<h2><a name="changes139sr1">Geeklog 1.3.9sr1</a></h2>
<p>This release addresses the following security issues:</p>

<ol>
    <li>It was possible to post anonymous comments, even when anonymous comment
        posting had been switched off in config.php.<br/>
        This bug was apparently exploited by spammers to send hundreds of spam
        posts to certain Geeklog sites.
    </li>
    <li>Added additional speed limit checks for comments and submissions.</li>
    <li>If none of the topics were visible for anonymous users, the site's index
        page may still have displayed some stories for anonymous users, depending
        on the stories' permissions.
    </li>
    <li>Users still got Daily Digest emails for topics from which they had been
        removed (bug #178).
    </li>
    <li>It was possible to subscribe to the Daily Digest for all topics, even if
        the user did not have access to certain topics.
    </li>
    <li>Comments to stories were sometimes listed in a user's profile, even if the
        user viewing the profile didn't have permissions to access the story the
        comments belonged to.
    </li>
</ol>

<h3>Other fixes</h3>
<ul>
    <li>Fixed an SQL error in <code>COM_showTopics</code> if users excluded topics
        from their preferences.
    </li>
    <li>Fixed sporadic "Duplicate entry '...' for key 1." messages in error.log,
        caused by the handling of pseudo-session ids for anonymous users.
    </li>
    <li>Fixed incorrect author names in Daily Digest (bug #207).</li>
    <li>The <code>plugin_profileblocksedit_<em>plugin-name</em></code> Plugin API
        function wasn't working due to a missing piece of code in
        usersettings.php.
    </li>
    <li><code>COM_extractLinks</code> will now ignore anchor tags that do not
        contain "<code>href</code>" (bug #183).
    </li>
</ul>


<h2><a name="changes139">Geeklog 1.3.9</a></h2>

<h3>New Features</h3>

<ul>
    <li>Geeklog now uses PEAR::Mail to send all emails. This gives you the option
        to send emails via PHP's built-in mail() function (as before), via
        sendmail or via SMTP.
    </li>
    <li>There is a new admin option called Content Syndication that lets you
        create and configure (RSS) feeds. In addition to the standard feed
        containing all the new stories, you can now create feeds per topic, for
        upcoming events, and for links.<br/>
        This feature is extensible in that plugins can provide additional feeds.
        It is also possible to provide feeds in formats other than RSS 0.91 by
        providing additional feed classes.
    </li>
    <li>Admins can change the block order easily from the list of blocks now.</li>
    <li>There is an alternative interface to adding users to groups (requires
        JavaScript).
    </li>
    <li>Users in the Group Admin group can now only assign other users to groups
        of which they themselves are a member.
    </li>
    <li>Image upload can now also use the GD library to scale images.</li>
    <li>Comments now use templates.</li>
    <li>To accomodate strict webhosts who don't allow file uploads to the standard
        image directory, you can now set a new configuration variable,
        <code>$_CONF['path_images']</code> to point to a directory outside of your
        webtree where article images and user profile pictures will be saved.
    </li>
    <li>Geeklog now supports URL rewriting for story URLs, i.e. you can have URLs
        like <span class="tt">https://www.geeklog.net/article.php/20031229225326631</span> which
        are known to be picked up by Google.
    </li>
    <li>Plugins can add their own section to Geeklog's What's New block.</li>
    <li>All URL fields can now hold up to 255 characters (requires theme updates).</li>
</ul>

<p>Please see the <a href="theme.html#changes">themes documentation</a> for a
    complete list of theme changes.</p>

<p>Also included is the <a href="staticpages.html">Static Pages plugin 1.4</a>,
    which now has, among other improvements, a second option to include PHP in
    static pages without having to use the PHP <code>return</code> statement.</p>


<h3>Bugfixes</h3>

<ul>
    <li>Words from a search query are now properly highlighted in comments. Also
        fixed a problem with highlighting when the search query contained '*'
        characters.
    </li>
    <li>Various fixes in the search class.</li>
    <li>Fixed a bug that let users register with an empty username.</li>
    <li>When batch-importing users, those users were all subscribed to the
        Daily Digest automatically (uses the $_CONF['emailstoriesperdefault']
        setting instead now).
    </li>
    <li>Fixed option to delete comments, which previously was only available to
        users in the Root group (e.g. Admin). Now those users that have story.edit
        permissions for the actual story can delete comments.
    </li>
    <li>Deleting a group may have left orphaned entries in the group_assignments
        table (this has been fixed now). When upgrading to 1.3.9, the install
        script will remove any orphaned entries from the database.
    </li>
</ul>

<p>There have also been a lot of changes to improve security, especially
    against SQL injections.</p>


<h2><a name="changes138-1sr6">Geeklog 1.3.8-1sr6</a></h2>
<p>This release addresses the following security issues:</p>

<ol>
    <li>Fixed a cross site scripting vulnerability caused by using the variable
        <code>$topic</code> in the language files (bug #293).
    </li>
    <li>Prevent comment posts on stories or polls were comment posting has been
        disabled.
    </li>
</ol>


<h2><a name="changes138-1sr5">Geeklog 1.3.8-1sr5</a></h2>
<p>This release addresses the following security issue:</p>

<ol>
    <li>It was possible to post anonymous comments, even when anonymous comment
        posting had been switched off in config.php.<br/>
        This bug was apparently exploited by spammers to send hundreds of spam
        posts to certain Geeklog sites.
    </li>
</ol>


<h2><a name="changes138-1sr4">Geeklog 1.3.8-1sr4</a></h2>
<p>This release addresses the following security issues:</p>

<ol>
    <li>It was possible for users in the Group Admin and User Admin groups to
        become a member of the Root group (reported by Samuel M. Stone,
        bug #135).
    </li>
    <li>Being admin for a certain area (e.g. Story Admin for stories) made it
        possible to delete all objects in that area (e.g. stories) even if the user
        was not supposed to have access to them, provided the id of the object was
        known.
    </li>
    <li>It was possible to delete other people's personal events if you knew the
        event ID.
    </li>
    <li>It was possible to browse through the comments of a story even if the user
        did not have access to the actual story (reported by Peter Roozemaal).
    </li>
    <li>Due to an XSS issue, it was possible to change someone's account settings
        (including the password) if you got them to click on a specially crafted
        link (reported by Jelmer, fix suggested by Vincent Furia).
    </li>
    <li>The comment display suffered from the possibility of an SQL injection
        (reported by Jelmer).
    </li>
    <li>It was possible to inject Javascript code in the calendar (reported by
        Jelmer).
    </li>
    <li>It was possible to execute (but not save) Javascript code in the comment
        preview (reported by Jelmer).
    </li>
</ol>


<h2><a name="changes138-1sr3">Geeklog 1.3.8-1sr3</a></h2>
<p>This release addresses the following security-related issues:</p>

<ol>
    <li>As "dr.wh0" pointed out, the category field for link submissions was not
        filtered at all. Although you probably can't cause too much harm with
        those 32 characters, this has now been fixed.
    </li>
    <li>Vincent Furia found that the restrictions for the form to email users
        could be circumvented and could even be used to spam users.
        In addition to fixing theses issues, there is now also a speed limit
        on that form (defaults to the speed limit for story submissions).
    </li>
    <li>There was a way to post comments anonymously even when posting for
        anonymous users had been disabled.
    </li>
    <li>It was possible to post comments under someone else's username.</li>
</ol>


<h2><a name="changes138-1sr2">Geeklog 1.3.8-1sr2</a></h2>

<p>Jouko Pynnonen found a way to trick the new "forgot password" feature, introduced in 1.3.8, into letting an attacker
    change the password for <em>any</em> account. This release addresses this issue - there were no other changes.</p>

<p>Obviously, we strongly recommend to upgrade as soon as possible.</p>


<h2><a name="changes138-1sr1">Geeklog 1.3.8-1sr1</a></h2>

<p>The purpose of this release is to address some of the security issues reported in September and early October 2003.
    We strongly recommend upgrading to this version.</p>

<h3>Security issues</h3>
<ol>
    <li>By including Ulf Harnhammar's <a href="http://sourceforge.net/projects/kses/" title="kses homepage">kses</a>
        HTML filter, this release addresses a variety of possible Javascript injection and CSS defacement issues.
    </li>
    <li>Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This
        will avoid disclosing any sensitive information as part of the error message (which is so far the only problem
        we have found with the alleged SQL injection issues that have been reported).
    </li>
</ol>

<p>Please note that at the moment we do <strong>not</strong> recommend to use Geeklog with MySQL 4.1 (which, at the time
    of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of
    Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL
    4.1.</p>

<h3>Other fixes</h3>
<ul>
    <li>Fixed the auto-detection of the value for the <code>$_CONF['cookiedomain']</code> variable if the URL included a
        port number (such as <span class="tt">example.com:8080</span>). This will fix the login problems some users were
        reporting.
    </li>
    <li>The full 1.3.8-1sr1 tarball also includes updated French (Canada) and Turkish language files.</li>
</ul>


<h2><a name="changes138-1">Geeklog 1.3.8-1</a></h2>

<p>Geeklog 1.3.8-1 is a bugfix release over Geeklog 1.3.8. It contains a
    variety of (mostly minor) bugfixes. None of those fixes are security-related.</p>

<h3>Bugfixes</h3>

<ul>
    <li>Fixes to the new search to restore pre-1.3.8 behavior (display search form
        again if no results are returned, handling of
        <span class="tt">$_CONF['searchloginrequired']</span>, etc.). Also fixed the search by
        date.
    </li>
    <li>Fixed problems in the install script when trying to identify the MySQL
        version. The install script failed silently on PHP 4.0.4 and earlier
        versions.
    </li>
    <li>Fixed a problem with the What's Related block on stories that contain
        images.
    </li>
    <li>Skip user "Anonymous" when sending out the Daily Digest.</li>
    <li>Prevent admin from changing a user's email address to one that's already
        used by another user.
    </li>
    <li>Update RSS feed and Older Stories block when deleting a story.</li>
</ul>

<p>The full 1.3.8-1 tarball also includes new and updated language files
    (see the Changelog for details).</p>


<h2><a name="changes138">Geeklog 1.3.8</a></h2>

<h3>New Features</h3>

<p>Geeklog 1.3.8 Includes the <strong>Static Pages 1.3 plugin</strong> which
    replaces <em>both</em> the Static Pages 1.1 and 1.2 plugins. See the <a
            href="staticpages.html">Static Pages documentation</a> for details.</p>

<ul>
    <li>The search function has been rewritten. You can now search for the
        exact phrase, all the words, or any of the words from a query. Search
        words are also highlighted in stories.
    </li>
    <li>New Privacy options: Users can decide whether they want to receive
        email from other users and/or admins and whether they want to show up in
        the Who's Online block.
    </li>
    <li>You can now get a list of all users who are in a certain group (from the
        Admin's group editor).
    </li>
    <li>When scaling is configured for images in stories, you can now keep the
        unscaled image (has to be enabled in config.php first). In that case, the
        scaled-down image in the story will serve as a thumbnail and link to the
        unscaled image.
    </li>
    <li>You can now make one topic the default topic. The topic selection in the
        story submission form will then default to that topic. However, when
        browsing by topic (index.php?topic=Geeklog etc.) new story submissions will
        default to the current topic.
    </li>
    <li>You can give your users the ability to change their username and delete
        their account. Both features have to be enabled in config.php.
    </li>
    <li>Extended Plugin API: Plugins can now display content in Geeklog's
        center area, add their own information to the user profile, and add
        information to the site's header (<code>&lt;head&gt;</code> section).
    </li>
    <li>There's a new API for custom registration forms (see
        <span class="tt">lib-custom.php</span> for sample code).
    </li>
    <li>There have been quite a few theme changes in order to move most larger
        portions of hard-coded HTML to template files and to give theme designers
        more control over the layout. Please consult the <a
                href="theme.html#changes138">themes documentation</a> for a list of changes.
    </li>
</ul>

<h3>Bugfixes</h3>

<ul>
    <li>The "forgot password" function has been rewritten. Instead of resetting
        your old password and sending you a new one, you will now receive an
        email with a unique link in it. If you follow this link, you can enter a
        new password directly. Otherwise, you can simply ignore the email and your
        old password will remain valid.
    </li>
    <li>Topic access was not always checked properly. If Story Admins report
        getting access denied messages after upgrading to 1.3.8, check your topic
        permissions carefully.
    </li>
    <li>The poll editor let you enter one answer too many (i.e. when the max.
        number of answers was set to 10 you could actually enter 11). Please check
        your existing polls or you may lose the last answer if you exceeded the
        max. number of answers in a poll (adjust $_CONF['maxanswers'] accordingly,
        if necessary).
    </li>
    <li>Geeklog should install and run again on old versions of MySQL
        (specifically, 3.22.xx). Please note that some of these old versions aren't
        even supported by MySQL AB any more and MySQL installs older than 3.23.54
        are having security issues.
    </li>
</ul>


<h2><a name="changes137sr5">Geeklog 1.3.7sr5</a></h2>
<p>This release addresses the following security issues:</p>

<ol>
    <li>It was possible for users in the Group Admin and User Admin groups to
        become a member of the Root group (reported by Samuel M. Stone,
        bug #135).
    </li>
    <li>Being admin for a certain area (e.g. Story Admin for stories) made it
        possible to delete all objects in that area (e.g. stories) even if the user
        was not supposed to have access to them, provided the id of the object was
        known.
    </li>
    <li>It was possible to delete other people's personal events if you knew the
        event ID.
    </li>
    <li>It was possible to browse through the comments of a story even if the user
        did not have access to the actual story (reported by Peter Roozemaal).
    </li>
    <li>Due to an XSS issue, it was possible to change someone's account settings
        (including the password) if you got them to click on a specially crafted
        link (reported by Jelmer, fix suggested by Vincent Furia).
    </li>
    <li>The comment display suffered from the possibility of an SQL injection
        (reported by Jelmer).
    </li>
    <li>It was possible to inject Javascript code in the calendar (reported by
        Jelmer).
    </li>
    <li>It was possible to execute (but not save) Javascript code in the comment
        preview (reported by Jelmer).
    </li>
</ol>


<h2><a name="changes137sr4">Geeklog 1.3.7sr4</a></h2>
<p>This release addresses the following security-related issues:</p>

<ol>
    <li>As "dr.wh0" pointed out, the category field for link submissions was not
        filtered at all. Although you probably can't cause too much harm with
        those 32 characters, this has now been fixed.
    </li>
    <li>Vincent Furia found that the restrictions for the form to email users
        could be circumvented and could even be used to spam users.
    </li>
    <li>There was a way to post comments anonymously even when posting for
        anonymous users had been disabled.
    </li>
    <li>It was possible to post comments under someone else's username.</li>
</ol>


<h2><a name="changes137sr3">Geeklog 1.3.7sr3</a></h2>

<p>The purpose of this release is to address some of the security issues reported in September and early October 2003.
    If you don't plan to upgrade to the latest version of Geeklog (1.3.8-1sr1, at the time of this writing), we strongly
    suggest you upgrade to at least 1.3.7sr3 instead.</p>

<h3>Security issues</h3>
<ol>
    <li>By including Ulf Harnhammar's <a href="http://sourceforge.net/projects/kses/" title="kses homepage">kses</a>
        HTML filter, this release addresses a variety of possible Javascript injection and CSS defacement issues.
    </li>
    <li>Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This
        will avoid disclosing any sensitive information as part of the error message (which is so far the only problem
        we have found with the alleged SQL injection issues that have been reported).
    </li>
</ol>

<p>Please note that at the moment we do <strong>not</strong> recommend to use Geeklog with MySQL 4.1 (which, at the time
    of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of
    Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL
    4.1.</p>


<h2><a name="changes137sr2">Geeklog 1.3.7sr2</a></h2>

<h3>Security issues</h3>

<p>The purpose of this release is to fix the following security issues.
    All users are <em>strongly</em> encouraged to upgrade to this version ASAP.</p>
<ol>
    <li>It was possible to obtain valid session ids for every account on a Geeklog
        site, including the Admin account (reported by SCAN Associates).
    </li>
    <li>Using Internet Explorer, it was possible to upload an image with embedded
        PHP code and execute it (reported by SCAN Associates).
    </li>
    <li>Story permissions could override topic permissions, resulting in the display
        of stories to users who shouldn't have access to them (reported by Andrew
        Lawlor). This was already fixed with the new <span class="tt">index.php</span>, released
        2003-05-15.
    </li>
    <li>Added a warning in <span class="tt">config.php</span> that adding any of the following
        tags to the list of allowable HTML can make the site vulnerable to
        scripting attacks:<br/>
        <code>&lt;img&gt; &lt;span&gt; &lt;marquee&gt; &lt;script&gt;
            &lt;embed&gt; &lt;object&gt; &lt;iframe&gt;</code><br/>
        (pointed out by Joat Dede).
    </li>
</ol>

<p>This update also includes fixes for the notorious "permission denied"
    error messages that some users would get in the Admin area (e.g. when trying
    to save a story and being "only" a user with Story Admin permissions).</p>

<p>The full 1.3.7sr2 tarball also includes various new and updated language
    files (see the Changelog for details).</p>


<h2><a name="changes137sr1">Geeklog 1.3.7sr1</a></h2>

<h3>Security issues</h3>

<p>The main purpose of this release is to fix the following security issues.
    All users are strongly recommended to upgrade to this version.</p>
<ol>
    <li>Javascript code could be injected in the homepage field of a user's profile (reported by Jin Yean Tan).</li>
    <li>Javascript code could be injected in certain URLs to be used in a cross-site scripting attack (reported by Jin
        Yean Tan).
    </li>
    <li>Comments could be deleted by anybody if they knew the comment id (which is not normally visible).</li>
    <li>A StoryAdmin could manipulate stories even if s/he did not have access to them (e.g. when s/he was not a member
        of a certain group). The same applied to Admins for events, links, polls, topics, and blocks (reported by
        Kobaz).
    </li>
</ol>

<h3>Other Bugfixes</h3>

<ul>
    <li>Fixed possible causes for endless loops with the redirect in index.php: No redirect will be done if
        $HTTP_SERVER_VARS['HTTP_HOST'] is not set. Also, the comparison of the configured and actual server name is not
        case-sensitive any more.
    </li>
    <li>Fixed image resizing when using ImageMagick.</li>
    <li>The new user notification email (introduced in Geeklog 1.3.7) was always
        sent out, even if 'user' was not listed in $_CONF['notification'].
    </li>
    <li>The Admin menu will now be displayed for users who have Admin access to plugins only, but not to one of the core
        Admin features.
    </li>
    <li>The default for the daily digest is now back to "off", i.e. new users will not receive it automatically. To
        enable the daily digest for new users again, set $_CONF['emailstoriesperdefault'] = 1 in config.php.
    </li>
</ul>

<p>Documentation and hard-coded links (version check, link to Geeklog in a site's footer) have been updated to point to
    <a href="https://www.geeklog.net/">www.geeklog.net</a>.</p>


<h2><a name="changes137">Geeklog 1.3.7</a></h2>

<h3>New Features</h3>

<ul>
    <li>A notification email can now be sent when a new story, link, or event
        has been submitted or a new user has registered with the site (see the
        <a href="config.html#submission">submission settings</a> for details).<br/>
        Please note that this feature doesn't tie in with Geeklog's security
        features - it's really more of a hack, since many people asked for this
        functionality.
    </li>
    <li>Following the "X stories in last 24 hours" link in the What's New block
        will now display just those new stories.
    </li>
    <li>User photos are now resized, just like images in stories (if the use
        of an image library is configured). The max. dimensions for user photos
        can be set with a separate set of config variables in
        <span class="tt">config.php</span>.
    </li>
    <li>The plugin menu now lists all plugins which exist in the file system
        but haven't been installed yet. It also provides a link to the install
        script of those plugins for easy installation.
    </li>
    <li>Several new config variables have been added to config.php (notification,
        showfirstasfeatured, dateonly, timeonly, skip_preview, upcomingeventsrange,
        emailstoryloginrequired, hideemailicon, hideprintericon, hidenewstories,
        hidenewcomments, hidenewlinks, max_photo_width, max_photo_height,
        max_photo_size). Please see the <a
                href="config.html">config documentation</a> for details.
    </li>
    <li>Theme changes: Please consult the <a href="theme.html#changes137">themes
        documentation</a> for a list of changes.
    </li>
</ul>


<h3>Bugfixes</h3>

<ul>
    <li>Added sanity checks in the Admin story editor to prevent the loss of all
        stories when using an incomplete language file (or when manipulating the
        URL).
    </li>
    <li>Fixed a nasty bug in lib-security.php that let any user with UserAdmin
        permissions change the Root user's password, thus effectively becoming
        root.
    </li>
    <li>Fixed problems with blocks disappearing when they were set to
        "homeonly".
    </li>
    <li>Fixed problems with multiple [code] ... [/code] sections in stories
        and comments.
    </li>
    <li>Fixed double line spacing in [code] sections and HTML-formatted comments
        on PHP 4.2.0 and up.
    </li>
    <li>Fixed problems with slashes and HTML entities in emails sent by
        Geeklog.
    </li>
    <li>Fixes and improvements to the plugin API.</li>
</ul>

<p><strong>Contributors:</strong> Blaine Lang, Vincent Furia, and Kenn Osborne
    have contributed to this release. Thank you!</p>

<h3><a name="addindex">Speeding up Geeklog (a bit)</a></h3>

<p>If you're upgrading from 1.3.6 or older versions, you may want to run the
    script called <span class="tt">addindex.php</span> that you will find in the <span class="tt">install</span>
    directory. This script adds index fields to some of Geeklog's database tables
    which should improve overall access times a bit.</p>

<p>This has been implemented as a separate script (and not as part of the
    upgrade process of the install script) since it may take some time to run,
    depending on how many users / stories / etc. you have in your database. Some
    people may even run into timeouts, e.g. when their hosting service limits the
    execution time of PHP scripts. If that happens to you - <strong>Don't
        Panic</strong>. Simply run the script again (and again and ...) until it
    reports that it didn't add any fields to any tables.</p>

<p>Please note that you do <em>not</em> need to run this script if you're doing
    a fresh install of Geeklog 1.3.7. A database created during a fresh install
    already has the new index fields.</p>


<h2><a name="changes136">Geeklog 1.3.6</a></h2>

<h3>New Features</h3>

<ul>
    <li>Images in articles can now be resized automatically during upload
        (provided you have either ImageMagick or netpbm installed). See the
        <a href="config.html#image">configuration description</a> for details.
    </li>
    <li>The contents of a static page entitled "Frontpage" will be displayed
        before the first story on the front page of a Geeklog site. If the static
        page additionally carries the label "nonews", then it will completely
        replace the news on the front page.
    </li>
    <li>User submission queue: When activated (in <span class="tt"><a
            href="config.html#submission">config.php</a></span>), new users will need to
        be approved by an admin before they receive their password.
    </li>
    <li>The submission queues can be switched off separately, either completely
        (in <span class="tt"><a href="config.html#submission">config.php</a></span>) or only for
        certain groups of users (by using the new features story.submit,
        links.submit, and event.submit).
    </li>
    <li>When posting source code (e.g. PHP, HTML, ...), you can now use the
        [code] ... [/code] pseudo tags to enclose those portions of your posting
        that should be reproduced verbatim.
    </li>
    <li>The links section now uses a categorized and paged display (can be
        <a href="config.html#links">switched off</a> separately and even back to the
        pre-1.3.6 style listing).
    </li>
    <li>Anonymous users can now be <a href="config.html#login">blocked</a> from
        almost every part of the site (e.g. links section, site stats, ...), if
        needed.
    </li>
    <li>A Geeklog site can now be disabled easily (e.g. for maintenance) by
        setting a flag in <span class="tt"><a href="config.html#site">config.php</a></span>.
    </li>
    <li>Theme changes: Please consult the <a href="theme.html#changes136">themes
        documentation</a> for a list of changes.
    </li>
</ul>

<h3>Bugfixes</h3>

<ul>
    <li>Several fixes have been made to ensure that permissions are taken into
        account properly (e.g. not revealing titles of stories that the user has no
        access to).
    </li>
    <li>Several fixes have been made to make sure that Geeklog can now be
        properly localized (provided you have a language file that is up to date
        and have chosen the proper <a href="config.html#languages_locale">locale
            settings</a> for your country and language).
    </li>
    <li>The variable $_CONF['site_admin_url'] is now used properly so that you
        can rename Geeklog's <span class="tt">admin</span> directory if needed.
    </li>
    <li>New RDF parser will now import most (if not all) RDF news feeds
        properly
    </li>
</ul>

<h3>Notes</h3>

<ul>
    <li>Since there are a lot of new variables in <span class="tt">config.php</span>, it is
        recommended you start with a fresh copy of that file instead of copying
        over your old <span class="tt">config.php</span> from your previous installation.
    </li>
    <li>Please note that currently only the English, German, Italian, Polish,
        and Japanese language files are up to date. Using one of the other
        language files may result in your Geeklog site not working properly.
    </li>
</ul>

<p><strong>Contributors:</strong> Gene Wood, Blaine Lang, Tom Willet, and
    Roger Webster have contributed to this release. Thank you!</p>

<div class="footer">
    <a href="http://wiki.geeklog.net">The Geeklog Documentation Project</a><br/>
    All trademarks and copyrights on this page are owned by their respective owners. Geeklog is copyleft.
</div>

</body>
</html>