Comparing changes
Commits on Jan 13, 2010
@splitbrain fixed information leakage in ACL plugin FS#1847 a46c097
@splitbrain another fix for FS#1847 + msg increased 98842eb
Commits on Jan 17, 2010
@splitbrain Added CSRF security token checks in ACL plugin 2be6d35
@splitbrain increased conf/msg for recent CSRF problem SA38205 cb4a075
Commits on Aug 29, 2010
@splitbrain Merge branch 'master' into stable
Commits on Oct 07, 2010
@adrianheine adrianheine Merge branch 'master' into stable d9c8ae6
@adrianheine adrianheine Merge branch 'master' into stable e9fe686
@adrianheine adrianheine Include VERSION file 3ce9b71
@adrianheine adrianheine Merge branch 'master' into stable e8b9cf5
Commits on Oct 27, 2010
@splitbrain Merge branch 'master' into stable 55b3c9e
@splitbrain Version upped to rc2010-10-27 "Busy Wednesday" 0ae96b5
Commits on Nov 07, 2010
@splitbrain Merge branch 'master' into stable 7a94cad
@splitbrain Release 2010-11-07 "Anteater" fd38208
Commits on Nov 11, 2010
@splitbrain maintain the list of removed files in the repository
this is mainly for use with plugin:upgrade and thus will be
cherrypicked into the current stable branch as well.
Commits on Jan 16, 2011
@michitux michitux preg_quote namespaces in auth_aclcheck
Like ids, namespaces are now preg_quoted in the acl check (and therefore
the escaping of "*" has been removed). When plugins call the ACL check
function with strange ids the regex fails otherwise (in the case of the
include plugin errors like "Warning: preg_grep() [function.preg-grep]:
Compilation failed: missing terminating ] for character class at offset
47" have been reported by two users).

I've run the acl tests after this change and everything passes so this
shouldn't break anything but please test this especially with protected
wikis as this change modifies the code that handles namespace
permissions. Furthermore permissions for a namespace foobar are no
longer applied to namespaces with names like, I hope nobody has
used that "feature".

When you are using per-user namespaces, user registration is open and
either write or read protection for these namespaces is important to
you, this is a security fix for you: When someone wants to get access to
the namespace of a user "" he can register as "fooxbar" (where
"x" is an arbitrary character) and will have access to the user
namespace of the user "" as when a page in "" is checked
it will match the rule for "fooxbar".
@michitux michitux Fix several security issues in the XML-RPC interface
For locks and getRevisions there hasn't been any acl check. In many
other cases the id hadn't been cleaned before the acl check was done
which means that many acl rules that should be applied weren't applied.
So e.g. when you have read permissions for the root namespace but not
for a subnamespace you could add a leading ":" and the permissions for
the root namespace will be used instead of the permissions for the
subnamespace. This did not apply to writing pages and reading media
files, but writing and deleting media files have been concerned as well
as reading both plain and html versions of pages.

This only concerns installations where XML-RPC is enabled (default is
disabled) and XML-RPC is allowed for all or untrusted users.
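The two commit messages above describe two distinct ways an ACL lookup can go wrong: a namespace that is interpolated into a regex without preg_quote(), and an id that is not normalised before the rules are consulted. The following is an added example, not DokuWiki's own auth_aclcheck code, that models both defects in a deliberately small lookup so the effect of each fix can be seen. The ACL lines, the users "foo.bar", "fooxbar" and "guest", and the page ids are constructed samples; the permission numbers follow DokuWiki's convention (0 none, 1 read, 16 delete).

```php
<?php
// Added example, not DokuWiki's own code: a small model of an ACL lookup that
// shows the two defects described in the commits and their fixes.
//  1. The checked id's namespace is used as a regex pattern; without
//     preg_quote() a "." in it matches any character, so rules for a
//     different namespace are picked up.
//  2. The id is not normalised first, so a leading ":" finds no namespace
//     rule and the lookup falls back to the root rules.
// All ids, users and ACL lines below are constructed samples.

const AUTH_NONE   = 0;    // permission levels follow DokuWiki's numbering
const AUTH_READ   = 1;
const AUTH_DELETE = 16;

// Constructed ACL table in the "scope  user  level" layout of an ACL file.
// The per-user namespace foo.bar is private; user fooxbar owns its own namespace.
$ACL = [
    "*\t@ALL\t1",
    "foo.bar:*\t@ALL\t0",
    "foo.bar:*\tfoo.bar\t16",
    "fooxbar:*\tfooxbar\t16",
];

/** The part of id normalisation this example needs: drop a leading ":". */
function normaliseId(string $id): string
{
    return ltrim($id, ':');
}

/** Highest level any of $lines grants to $user, or null if none applies. */
function levelFromLines(array $lines, string $user): ?int
{
    $level = null;
    foreach ($lines as $line) {
        [$scope, $who, $perm] = preg_split('/\s+/', trim($line));
        if ($who === $user || $who === '@ALL') {
            $level = max($level ?? AUTH_NONE, (int) $perm);
        }
    }
    return $level;
}

/**
 * Permission of $user on $id. $escape toggles preg_quote() on the namespace
 * pattern, $normalise toggles the id cleanup; both true is the fixed behaviour.
 */
function aclCheck(array $acl, string $id, string $user, bool $escape, bool $normalise): int
{
    if ($normalise) {
        $id = normaliseId($id);
    }
    $pos = strrpos($id, ':');
    $ns  = $pos === false ? '' : substr($id, 0, $pos);

    if ($ns !== '') {
        $pattern = $escape ? preg_quote($ns, '/') : $ns;
        // The namespace is grepped against the rule lines, so metacharacters in
        // it change which rules are found. @ hides the compile warning an
        // unescaped "[" would raise; a failed compile returns false and is
        // treated as "no namespace rule".
        $lines = @preg_grep('/^' . $pattern . ':\*\s/', $acl);
        $level = levelFromLines($lines === false ? [] : $lines, $user);
        if ($level !== null) {
            return $level;
        }
    }
    // No applicable namespace rule: fall back to the root rules.
    return levelFromLines(preg_grep('/^\*\s/', $acl), $user) ?? AUTH_NONE;
}

// Defect 1: with "." unescaped, the pattern for foo.bar also finds the
// fooxbar:* line, so user fooxbar gets level 16 on foo.bar's pages.
echo 'unescaped:     ', aclCheck($ACL, 'foo.bar:secret', 'fooxbar', false, true), "\n"; // 16
echo 'escaped:       ', aclCheck($ACL, 'foo.bar:secret', 'fooxbar', true,  true), "\n"; // 0

// Defect 2: an un-normalised ":foo.bar:secret" matches no namespace rule and
// inherits the root @ALL read permission instead of the namespace's 0.
echo 'raw id:        ', aclCheck($ACL, ':foo.bar:secret', 'guest', true, false), "\n"; // 1
echo 'normalised id: ', aclCheck($ACL, ':foo.bar:secret', 'guest', true, true),  "\n"; // 0
```

Run it with the PHP CLI; the four lines print 16, 0, 1, 0. The model is intentionally reduced to one namespace level plus the root, so it does not walk up parent namespaces the way the real check does, but the two lookups it shows fail and succeed for the same reasons the commit messages give.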
@splitbrain increased msg count 5b3c2bb
@splitbrain 2010-11-07a Security Fix
This security update fixes problems in the XMLRPC interface where
ACLs were not checked correctly sometimes, making it possible to access
information that should not have been accessible.

This only affects users who have enabled the XMLRPC interface (default
is off).

This update also includes a fix that caused errors in the general ACL
checking function under certain conditions. No exploits are known for
this problem though.
Commits on Apr 22, 2011
@adrianheine adrianheine Release preparations 23d2737
@adrianheine adrianheine Merge branch 'master' into stable
@adrianheine adrianheine Release candidate rc2011-04-22 "Rincewind RC1" e68653d
Commits on May 08, 2011
@adrianheine adrianheine Merge branch 'master' into stable
@adrianheine adrianheine Release candidate rc2011-05-08 "Rincewind RC2" 7ee92f4
Commits on May 25, 2011
@adrianheine adrianheine Merge branch 'master' into stable 2d79e53
@adrianheine adrianheine Release 2011-05-25 "Rincewind" 7099f31
Commits on Jun 14, 2011
@kazmiya kazmiya fixed email subject encoding bug ($enc_subj typo) 781f882
@michitux michitux Fix lowercasing of words in the indexer FS#2270
On certain PHP installations (it has been reproduced with PHP version
5.2.0-8+etch11) the indexer failed to lowercase words in the indexer
so the fulltext search was partially broken.
@splitbrain only allow configured URL schemes in external links
This fixes a problem where JavaScript could be introduced through
specially crafted RSS feeds on a lower level than the commit from
yesterday (1ca2719)

This also fixes a problem where JavaScript links could be introduced by
specifying it as an RSS URL: the resulting error message displays a
link to the broken feed URL. This patch makes sure there's no working
link for unknown protocols.
@michitux michitux Force search index update after fixing the lowercasing of words
This increases the indexer version in order to force a rebuild of the
search index in order to "repair" the search index that might contain
uppercase words
@splitbrain release preparations 74b83a9
@splitbrain 2011-05-25a "Rincewind"
Hotfix Release
Commits on Nov 10, 2011
@adrianheine adrianheine Merge branch 'master' into stable
@adrianheine adrianheine Release candidate rc2011-11-10 "Angua RC1" 61d7a0b
Commits on Jan 25, 2012
@splitbrain Merge branch 'master' into stable
* master: (75 commits)
  release preparations
  Romanian language update
  removed 'view original' button from new media manager again (was added in b8a84c0) and made a link around the image instead, as that is a more minor change (as it should be during the RC phase) and is what was originally planned
  corrected old mediaupload introduction text
  Removed obsolete Opera fix that now causes harm FS#2429
  don't limit download sizes in plugin manager
  Disable E_STRICT error reporting
  Make Sitemapper functions static as they were used as static functions
  Make this dummy file empty like all others
  Update copyright year
  Remove testing md5 hash from installer
  Slovak language update
  localization: removed strings from old flashuploader
  Polish language update
  readded missing "view original" button to the new media manager
  always show full filename as tooltip in mediamanager
  Fix sorting in media manager search (FS#2423)
  make the installer check for new media dirs
  do not rely on tmpfile() in the AJAX uploader backend FS#2417
  Galician language update
@splitbrain 2012-01-25 "Angua" 2aff502
Commits on Apr 19, 2012
@splitbrain escape target error message (SECURITY) FS#2487 FS#2488
The error message when a non-existent editor was tried to load wasn't
escaped correctly, allowing to introduce arbitrary JavaScript to the
output, leading to an XSS vulnerability.

Note: the reported second CSRF vulnerability is the same bug, the exploit
code simply uses JavaScript to extract a valid CSRF token from the site
@adrianheine adrianheine Release preparations 8f13c97
@adrianheine adrianheine Hotfix release 2012-01-25a "Angua" c0c314b
Commits on Apr 26, 2012
@housemaister housemaister patch for Verbindungscms password algorithm 6d115b6
@housemaister housemaister added example of mysql.conf.php for vcms 9d1c842