
Releases: foswiki/distro

Foswiki-2.1.9

18 Dec 14:59
68d6d5e

Highlights

This maintenance release contains 57 fixes relative to 2.1.8, focused on performance improvements and bug fixes.

Performance Improvements

  • Optimized caching mechanisms across the codebase to reduce disk I/O requests
  • Combined and obfuscated CSS and JS assets to minimize parallel requests for rendering a single page
  • Reduced the number of commonTagsHandler calls made per installed plugin during normal rendering

Fixes

  • Resolved an issue preventing users from changing attachment properties in topics
  • Addressed a bug in the standard store implementation returning incorrect information for old revisions

New Features

  • Improved main web layout by separating user profile pages from main content, allowing for greater customization and flexibility

Deprecation

  • Removed support for outdated Microsoft browsers to simplify code maintenance and improve security
  • Deprecated and removed unnecessary JavaScript code to enhance overall performance and maintainability

See the full set of release notes at https://foswiki.org/System/ReleaseNotes02x01

Full Changelog: FoswikiRelease02x01x08...FoswikiRelease02x01x09

Foswiki-2.1.8

06 Aug 13:21

Highlights of this maintenance release

This release contains 61 fixes relative to 2.1.7, including 9 critical security-related fixes.

Most notable are:

  • CVE-2023-33756: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server
  • CVE-2023-24698: Local file inclusion vulnerability in viewfile

But also:

  • Directories in the working directory were created world-writable (mode 777)
  • Possible XSS attack in attachment comments
  • Allowed protocols restricted to http and https, i.e. the file protocol is forbidden, to prevent local file inclusion
  • Symlink attacks prevented by defaulting to a secure location for temporary files
  • Updated to jQuery UI 1.13.2
  • Backported a patch to earlier jQuery versions to fix a potential XSS vulnerability
  • Possible XSS vulnerability in the topic title field
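The world-writable directory fix above changes how Foswiki creates new directories; directories created by an earlier release are assumed here to keep whatever mode they were created with, so an audit of the existing tree is worthwhile after upgrading. The following is an added example, not Foswiki code: it walks a directory such as working/, reports directories that grant write access to everyone (separating those with the sticky bit, which is a weaker but sometimes deliberate setup), and can strip the offending bit. The sample tree it builds is constructed for the demonstration.

```python
"""Audit a directory tree (e.g. Foswiki's working/) for world-writable directories.

Added example, not Foswiki code. The sample tree built by build_demo_tree()
is constructed for the demonstration.
"""
import os
import stat
import tempfile


def world_writable_dirs(root):
    """Return (unsafe, sticky): relative paths of directories writable by 'other'.

    Directories with the sticky bit (mode 1777, like /tmp) go into the second
    list: anyone can create entries there, but only the owner can remove or
    rename them. Symbolic links are not followed.
    """
    unsafe, sticky = [], []
    for dirpath, _dirnames, _files in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            rel = os.path.relpath(dirpath, root)
            (sticky if mode & stat.S_ISVTX else unsafe).append(rel)
    return sorted(unsafe), sorted(sticky)


def remediate(root, rel_dirs):
    """Remove the 'other' write bit from the given directories (chmod o-w)."""
    for rel in rel_dirs:
        path = os.path.join(root, rel)
        os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_IWOTH)


def build_demo_tree():
    """Constructed sample: a working/-like tree with one directory left at
    0777 by an older release and one deliberately sticky 1777 directory."""
    root = tempfile.mkdtemp(prefix="foswiki-working-")
    layout = {"tmp": 0o777, "logs": 0o755, "work_areas": 0o775, "uploads": 0o1777}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the process umask does not interfere
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    unsafe, sticky = world_writable_dirs(demo_root)
    print("world-writable (fix these):", unsafe)      # ['tmp']
    print("world-writable with sticky bit:", sticky)  # ['uploads']
    remediate(demo_root, unsafe)
    print("after remediation:", world_writable_dirs(demo_root)[0])  # []
```

Run it against the real working/ directory as the web server user before calling remediate, and review the sticky-bit list by hand rather than blindly fixing it: a shared upload area may be intended to be writable by more than one account.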

Reverse proxying Foswiki

Foswiki can now properly be run behind a reverse proxy, reading the X-Forwarded-For HTTP header. Previously this resulted in mixed content while rendering HTML. Forwarded headers are only meaningful when they come from your own proxy: make sure clients cannot reach the Foswiki backend directly, since a direct client can put any value into these headers.
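Reading X-Forwarded-For correctly means trusting only the entries appended by your own proxies; the leftmost entry is whatever the original client chose to send. The following is an added example, not Foswiki code, of the right-to-left walk an application should perform. The trusted proxy networks (TRUSTED_PROXIES) and the sample requests are constructed for the demonstration.

```python
"""Resolve the real client address behind a reverse proxy.

Added example, not Foswiki code. TRUSTED_PROXIES and the sample requests
under __main__ are constructed for the demonstration.
"""
import ipaddress

# Constructed: networks your reverse proxies connect from. Every other
# address, including anything a client writes into the header, is untrusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _parse(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_address(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client IP as a string.

    remote_addr is the TCP peer that reached the application. If it is not a
    trusted proxy the header is ignored: a direct client can write anything
    into X-Forwarded-For. Otherwise the comma-separated chain is walked from
    the right (the entry the last trusted proxy appended) to the left, and the
    first address that is not one of our proxies is the client.
    """
    peer = _parse(remote_addr)
    if peer is None or not _is_trusted(peer, trusted):
        return remote_addr
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    client = peer
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            break                # malformed entry: stop at the last verified proxy
        if not _is_trusted(addr, trusted):
            return str(addr)     # first hop we do not control is the client
        client = addr
    return str(client)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header as received)
    samples = [
        ("10.0.0.5", "203.0.113.7"),            # one proxy, honest client
        ("10.0.0.5", "1.2.3.4, 203.0.113.7"),   # client tried to spoof 1.2.3.4
        ("10.0.0.5", "203.0.113.7, 10.0.1.2"),  # two of our proxies in the chain
        ("198.51.100.9", "1.2.3.4"),            # direct connection: header ignored
        ("10.0.0.5", "2001:db8::1"),            # IPv6 client
        ("10.0.0.5", "not-an-ip, 10.0.1.2"),    # garbage recorded by a proxy
    ]
    for peer, header in samples:
        print(f"{peer:<14} {header:<24} -> {client_address(peer, header)}")
```

The spoofed entry in the second sample is ignored because the proxy appended the true peer address after it; that only holds if the proxy is configured to append to, rather than pass through, an incoming X-Forwarded-For header.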

Macro parser

Under certain conditions, otherwise innocent markup could trigger deep recursion in the macro parser. This is fixed.

RCS storage

While Foswiki defaults to its own plain-file storage format, many installations still use RCS for file versioning. Because that part of the code predates the move to Unicode, the RCS store did not properly encode topic information. This is fixed.

Change notifications

Changes are sent out to subscribers by the mailnotify service. It must run as the admin user in order to read all changes, but recipients are still only informed about changes they have view rights to. This release also fixes sending emails in the user's preferred language; previously that preference was not read correctly.

JSON-RPC API

JSON-RPC is one of Foswiki's most important web APIs. It has a mandatory topic parameter which, as in other service endpoints, specifies the location within the knowledge base to operate on, and thus determines the context of all other internal operations, such as the calculation of the preference stack. In previous releases the jsonrpc endpoint sometimes failed to set this context properly.

Uploading multiple files

Foswiki now supports uploading multiple files in one request.

Session cookies

Session cookies now carry a SameSite attribute, which limits when browsers attach them to cross-site requests.
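To verify the new cookie attributes on a running instance, capture the Set-Cookie headers of a response (for example from curl -sI against a view or login URL) and check them. The following is an added example, not Foswiki code: it parses a Set-Cookie header, reports missing or weak attributes, and shows the hardened form next to the weak one. The sample headers are constructed, and FOSWIKISID is used as the cookie name for illustration.

```python
"""Audit Set-Cookie headers for the attributes a session cookie should carry.

Added example, not Foswiki code. The sample headers are constructed;
FOSWIKISID is used as the cookie name for illustration.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_session_cookie(header):
    """Return a sorted list of findings; an empty list means no complaints."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")      # cookie would also travel over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")    # readable from page scripts after an XSS
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite")
    else:
        mode = samesite.lower()
        if mode == "none":
            findings.append("SameSite=None gives no cross-site protection")
            if "secure" not in attrs:
                findings.append("SameSite=None requires Secure")  # browsers reject it otherwise
        elif mode not in ("lax", "strict"):
            findings.append(f"unrecognized SameSite value {samesite!r}")
    return sorted(findings)


def harden(header, samesite="Lax"):
    """Return the header with Secure, HttpOnly and SameSite appended if absent."""
    _, _, attrs = parse_set_cookie(header)
    out = header.strip().rstrip(";").rstrip()
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "samesite" not in attrs:
        out += f"; SameSite={samesite}"
    return out


if __name__ == "__main__":
    # Constructed: what an older instance might send, next to the hardened form.
    weak = "FOSWIKISID=0123456789abcdef; Path=/"
    print(weak, "->", audit_session_cookie(weak))
    print(harden(weak), "->", audit_session_cookie(harden(weak)))
```

SameSite=Lax still attaches the cookie to top-level GET navigations arriving from other sites, so it complements rather than replaces request validation tokens for state-changing actions; SameSite=Strict withholds the cookie on every cross-site navigation, which means a user following a link into the wiki from another site arrives without their session.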

Internationalization

Foswiki now always creates a proper I18N service internally, even when only one language (English) is in use. This makes sure its internal I18N API is instantiated properly for other plugins to use, such as MultiLingualPlugin.

See the full set of release notes at https://foswiki.org/System/ReleaseNotes02x01.

Full Changelog: FoswikiRelease02x01x07...FoswikiRelease02x01x08

Foswiki-2.1.7

28 Mar 10:51

Important changes in Foswiki 2.1.7

Multiple cross-site scripting vulnerabilities in jQuery and jQuery UI

These fixes are described in

  • CVE-2021-41182: XSS in the altField option of the Datepicker widget in jQuery UI < 1.13.0
  • CVE-2021-41183: XSS in *Text options of the Datepicker widget in jQuery UI < 1.13.0
  • CVE-2021-41184: XSS in the "of" option of the .position() util in jQuery UI < 1.13.0
  • CVE-2016-7103: XSS in the closeText option of Dialog in jQuery UI < 1.12.0
  • Fixes for CVE-2015-9251 and CVE-2019-11358 have been backported from jQuery 3.x to jQuery 2.x, which is used by default

Regular Expression Denial of Service vulnerability in jquery.validate

Details in CVE-2021-21252.

Possible server-side request forgery exposing the session id

For decades Foswiki and TWiki had ways to access a user's session id and make it available on a wiki page using the %SESSIONID macro. Anybody who has access to a session id can use that session on behalf of the user it is associated with.
There are multiple ways to leak this information to the outside using this macro. Therefore the two related macros %SESSIONID and %SESSIONVAR are deprecated for security reasons and have been disabled by default using the new {Sessions}{HideSessionVariable} setting. Note that these macros will be removed completely in the next minor release.

QUERY macro does not check access rights

While macros such as %FORMFIELD only allow access to information the current user has view rights for, the %QUERY macro did not. This is fixed.

Reimplementation of LiveQuery using mutation observer

The LiveQuery module is at the core of Foswiki's JavaScript framework, but was abandoned upstream. All modern browsers now support a feature called "mutation observer" that monitors changes to the DOM in an efficient, standardized way. A new module called Observer has been implemented on this basis to initialize JavaScript modules declaratively, as was done before with LiveQuery.

Foswiki 2.1.6

02 Mar 15:21
FoswikiRelease02x01x06

Highlights of this maintenance release

  • Contains 11 fixes relative to 2.1.5
  • Corrects a significant security vulnerability where an attacker can compromise User Registration

See ReleaseNotes02x01 for complete release notes.

For users

  • Corrects an issue where the EditRowPlugin makes tables "shaky".
  • Improved documentation of System.Macros and PreferenceSettings.
  • Corrects issues with autocomplete and language translations in NatEditPlugin
  • Corrects an issue where the html language is the server locale and not the user's chosen language.

For administrators:

  • Corrects a significant vulnerability related to User Registration.
  • Corrects a significant issue where NatEditPlugin would discard ACLs not supported by the Permissions tab.
  • Improves security of the Main and Sandbox operational topics.
  • Improves compatibility with the CaptchaPlugin and User Registration.

Foswiki 2.1.5

22 Jan 15:57
FoswikiRelease02x01x05

Highlights of this maintenance release

  • Contains 48 fixes relative to 2.1.4, 5 of which are enhancements.
  • Corrects a major issue that prevented Foswiki from being hosted on a Windows server

See ReleaseNotes02x01 for complete release notes.

For users

  • Corrects an issue where Excel is unable to open a Foswiki page that required authentication.
  • Corrects an issue where some formfields would reset to default when special characters are in the selection.
  • Corrects some display / layout issues in tables, and the NatEdit window.
  • Corrects an urgent issue where history of a topic is unavailable if the underlying .txt file is edited.

For administrators:

  • Several cosmetic configure issues resolved.
  • UpdatesPlugin was failing to show the extensions needing update.
  • Correct broken ScriptURL when the Forwarded header contains a list of proxies.
  • Fixed Perl regular expression syntax that will fail in the upcoming Perl 5.28

Foswiki 2.1.5 RC

09 Jan 05:07
FoswikiRelease02x01x05_RC
Pre-release

Highlights of this maintenance release

  • Contains 45 fixes relative to 2.1.4, 5 of which are enhancements.
  • Corrects a major issue that prevented Foswiki from being hosted on a Windows server

See ReleaseNotes02x01 for complete release notes.

For users

  • Corrects an issue where Excel is unable to open a Foswiki page that required authentication.
  • Corrects an issue where some formfields would reset to default when special characters are in the selection.
  • Corrects some display / layout issues in tables, and the NatEdit window.
  • Corrects an urgent issue where history of a topic is unavailable if the underlying .txt file is edited.

For administrators:

  • Several cosmetic configure issues resolved.
  • UpdatesPlugin was failing to show the extensions needing update.
  • Correct broken ScriptURL when the Forwarded header contains a list of proxies.

Foswiki 2.1.5 Beta 2

19 Dec 01:30
FoswikiRelease02x01x05_Beta2
Pre-release

Highlights of this maintenance release

  • Contains 42 fixes relative to 2.1.4, 5 of which are enhancements.
  • Corrects a major issue that prevented Foswiki from being hosted on a Windows server

See ReleaseNotes02x01 for complete release notes.

For users

  • Corrects an issue where Excel is unable to open a Foswiki page that required authentication.
  • Corrects an issue where some formfields would reset to default when special characters are in the selection.
  • Corrects some display / layout issues in tables, and the NatEdit window.

For administrators:

  • Several cosmetic configure issues resolved.
  • UpdatesPlugin was failing to show the extensions needing update.
  • Correct broken ScriptURL when the Forwarded header contains a list of proxies.

Foswiki 2.1.5 Beta 1

17 Dec 03:32
FoswikiRelease02x01x05_Beta1
Pre-release

Highlights of this maintenance release

  • Contains 40 fixes relative to 2.1.4, 5 of which are enhancements.
  • Corrects a major issue that prevented Foswiki from being hosted on a Windows server

See ReleaseNotes02x01 for complete release notes.

For users

  • Corrects an issue where Excel is unable to open a Foswiki page that required authentication.
  • Corrects an issue where some formfields would reset to default when special characters are in the selection.

For administrators:

  • Several cosmetic configure issues resolved.
  • UpdatesPlugin was failing to show the extensions needing update.
  • Correct broken ScriptURL when the Forwarded header contains a list of proxies.

Foswiki 2.1.4

03 Jun 05:00

Highlights of this maintenance release

  • Contains 31 fixes relative to 2.1.3
  • Fixes 2 security issues and some minor cosmetic issues

Note: This release was re-uploaded on June 1st, due to a version string error. Purely cosmetic issue during the build process.

See ReleaseNotes02x01 for complete release notes.

For users

  • Rendering issues with EditRowPlugin resolved

For administrators:

  • Several cosmetic configure issues resolved.
  • Improved compatibility with Perl 5.25.x / 5.26.0
  • Improved operation with foswiki behind a reverse proxy.

Foswiki 2.1.4-RC3

25 May 01:05
FoswikiRelease02x01x04_RC3
Pre-release

Highlights of this maintenance release

  • Contains 31 fixes relative to 2.1.3
  • Fixes 2 security issues and some minor cosmetic issues

See ReleaseNotes02x01 for complete release notes.

For users

  • Rendering issues with EditRowPlugin resolved

For administrators:

  • Several cosmetic configure issues resolved.
  • Improved compatibility with Perl 5.25.x / 5.26.0
  • Improved operation with foswiki behind a reverse proxy.