MoinMoin Version History
========================

Please note: Starting from the MoinMoin version you used previously, you should
read all more recent entries (or at least everything marked with HINT).

This release has known bugs (see MoinMoin:MoinMoinBugs), but we think it is
already better than the previous stable release.

Our release policy is not to try to make a "perfect release" (as that release
might NEVER get released), but to make progress and not delay releases too much.

Version 1.9.10 aka "the end of spam release" (2018-09-09)

SECURITY HINT: make sure you have allow_xslt = False (or just do not use
allow_xslt at all in your wiki configs, False is the internal default).
Allowing XSLT/4suite is very dangerous, see the HelpOnConfiguration wiki page.

HINT: Python 2.7 is required! See docs/REQUIREMENTS for details.

HINT: please read the changelog below carefully before upgrading to 1.9.10.
This release has some fundamental changes you (and your wiki users) should be
aware of beforehand.

Fixes:
* security fix for CVE-2017-5934, XSS in GUI editor related code
* fix wrong digestmod of hmac.new calls (incorporate 1.9.9 patch)
* fix broken table attribute processing (wikiutil.escape)
* fix AttributeError in multifile action
* read text attachments using universal newlines (including \r line seps)
* anywikidraw / twikidraw: check write permissions early
* fix exec_cmd for windows: preexec_fn is UNIX only

New features:
* added a convenient way to create a user account via the superuser's
  "Settings" -> "Switch User" form: just type in the new user's name there,
  switch to the account and fill out the email address. You do not need to set
  a password; the account will not be usable until the user claims it via the
  "forgot my password" functionality on the login page (and sets a password).
* you can now also type in an existing user's name there to switch to the
  account, instead of selecting it (convenient if you have many users).
* newaccount action by default only available for superusers. This is to avoid
  spam bots creating huge amounts of crap accounts on internet connected wikis.
  This is done via a new cfg.actions_superuser = ['newaccount', ] default.
  If you prefer to have the newaccount action available for every visitor (not
  advisable for internet connected wikis), use this in your wiki config:

    actions_superuser = FarmConfig.actions_superuser[:]
    actions_superuser.remove('newaccount')

  For internet connected wikis, a safer way is to let potential new users ask
  for an account. Everyone in the superuser list can easily create a new
  account (wiki username and email address needed). If you run a public
  MoinMoin wiki on the internet, document the way to get an account on your
  front page.
* support tel: urls

Other changes:
* safer internal default ACL: Known and All now only have read permissions.
  This is to avoid that you accidentally give r/w permissions to the world when
  running a wiki on the internet. Considering there are lots of spam bots out
  there that can create a ton of spam pages in little time, we advise you to
  keep the safer default for internet connected wikis and only allow specific
  users / groups read/write access. See also the updated sample configs / the
  HelpOnAccessControlLists help page.
* disable the gui editor / enforce the text editor by default.
  fckeditor 2.6.11 as we bundle it (latest available version, but years old)
  might have security issues meanwhile as it is not maintained any more. Also,
  there have always been major issues with MoinMoin's integration of that
  "gui editor" (as our documentation has pointed out for a long time).
  If you nevertheless want to give wiki users the choice of the gui editor,
  you can re-enable it in your wiki config:

    editor_force = False
    editor_ui = 'freechoice'

* change log_reverse_dns_lookups default to False.
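The four hardening points above (allow_xslt, the newaccount action in
actions_superuser, the read-only default ACL for Known and All, and the
disabled gui editor) are the settings an administrator most wants to verify
after upgrading. The script below is an added example, not MoinMoin's own
code: it audits a config object against those 1.9.10 defaults. In a real
deployment the settings are attributes of the Config class in wikiconfig.py;
the WeakConfig and HardenedConfig classes here are constructed stand-ins so
the audit runs stand-alone, and parse_acl() and audit_config() are helpers
written for this example (the old-default ACL string in WeakConfig is likewise
a constructed illustration of "Known and All with write rights").

```python
# Added example (not MoinMoin's own code): audit a 1.9 wiki config against the
# hardening defaults described for 1.9.10. In a real deployment these settings
# are attributes of the Config class in wikiconfig.py; the two classes at the
# bottom are constructed stand-ins so the audit runs stand-alone.
# parse_acl() and audit_config() are hypothetical helpers written for this example.

WRITE_RIGHTS = frozenset(['write', 'delete', 'revert', 'admin'])
PUBLIC_NAMES = ('All', 'Known')   # 1.9.10 default gives these read only


def parse_acl(acl_string):
    """Map ACL names to the rights granted by plain 'Name:right,right' entries.

    MoinMoin ACL entries are whitespace separated; entries prefixed with '+' or
    '-' only add or revoke rights on top of a later plain entry, so for the
    question "who can write by default" the plain entries are what matter and
    the modified ones are skipped here.
    """
    granted = {}
    for entry in acl_string.split():
        if entry[0] in '+-' or ':' not in entry:
            continue
        name, _, rightlist = entry.partition(':')
        rights = set(r for r in rightlist.split(',') if r)
        granted.setdefault(name, set()).update(rights)
    return granted


def audit_config(cfg):
    """Return a list of (setting, problem) pairs; an empty list means all of
    the 1.9.10 safe defaults are in place."""
    findings = []

    # allow_xslt: False is the internal default; True enables 4suite XSLT
    if getattr(cfg, 'allow_xslt', False):
        findings.append(('allow_xslt',
                         'XSLT processing is enabled; set allow_xslt = False'))

    # newaccount must stay restricted to superusers on internet-facing wikis
    if 'newaccount' not in getattr(cfg, 'actions_superuser', ['newaccount']):
        findings.append(('actions_superuser',
                         "'newaccount' was removed, so any visitor can create accounts"))

    # default ACL: Known and All should have read only
    acl = parse_acl(getattr(cfg, 'acl_rights_default', ''))
    for name in PUBLIC_NAMES:
        excess = acl.get(name, set()) & WRITE_RIGHTS
        if excess:
            findings.append(('acl_rights_default',
                             '%s has %s' % (name, ', '.join(sorted(excess)))))

    # GUI editor: editor_force = False plus editor_ui = 'freechoice' re-enables
    # it (the getattr defaults below assume the hardened 1.9.10 values)
    if (not getattr(cfg, 'editor_force', True)
            or getattr(cfg, 'editor_ui', 'theonepreferred') == 'freechoice'):
        findings.append(('editor_force/editor_ui',
                         'GUI editor (bundled FCKeditor 2.6.11) can be selected by users'))
    return findings


class WeakConfig(object):
    """Constructed: the kind of settings the 1.9.10 changelog warns about."""
    allow_xslt = True
    actions_superuser = []                      # newaccount open to everybody
    acl_rights_default = u"Trusted:read,write,delete,revert Known:read,write,delete,revert All:read,write"
    editor_force = False
    editor_ui = 'freechoice'


class HardenedConfig(object):
    """Constructed: the 1.9.10 safe defaults spelled out explicitly."""
    allow_xslt = False
    actions_superuser = ['newaccount', ]
    acl_rights_default = u"Trusted:read,write,delete,revert Known:read All:read"
    editor_force = True
    editor_ui = 'theonepreferred'


if __name__ == '__main__':
    for cls in (WeakConfig, HardenedConfig):
        print(cls.__name__)
        for setting, problem in audit_config(cls) or [('-', 'no findings')]:
            print('  %s: %s' % (setting, problem))
```

Running the script prints five findings for WeakConfig (XSLT, open newaccount,
write rights for both All and Known, selectable gui editor) and none for
HardenedConfig. To check a live wiki, import its wikiconfig and pass the Config
class to audit_config() instead of the stand-ins.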
* update / upgrade bundled software:
  * upgrade werkzeug to 0.14.1
  * upgrade passlib to 1.7.1
  * upgrade parsedatetime to 2.4
* moved MoinMoin 1.9.x development to GitHub:
  https://github.com/moinwiki/moin-1.9/
* update mailing list address and download URL in pypi metadata
* enabled Travis CI to run the unit tests for PRs / branches
* fixed some stuff found by PyCharm Code Inspection
* make build reproducible

Version 1.9.9 aka "The undead MoinMoin Halloween Release" 2016-10-31

Fixes:
* security: fix XSS in AttachFile view (multifile related) CVE-2016-7148
* security: fix XSS in GUI editor's attachment dialogue CVE-2016-7146
* security: fix XSS in GUI editor's link dialogue CVE-2016-9119
* catch IOError for zipfile errors (sometimes triggered by zipfile.is_zipfile
  false positives, see http://bugs.python.org/issue28494 ).

Other changes:
* update moin.spec, setup.py: py27 only

Version 1.9.9rc1:

Fixes:
* add meta "viewport" for small device viewports
* add meta X-UA-Compatible IE=Edge, make IE happy on intranets

New features:
* AttachFile multifile operation: support copying multiple files to another page
* cfg.xmlrpc_overwrite_user is a new setting to control whether the xmlrpc
  code overwrites an already authenticated user before processing a request.
  True (default): behaviour as in 1.9.8 and before
  False: use this if you want to use GivenAuth (e.g. http basic auth) for
  xmlrpc requests.

Other changes:
* upgraded bundled 3rd party code:
  * werkzeug 0.11.11
  * passlib 1.6.5
  * pygments 2.1.3
  * parsedatetime 2.1
  * FCKEditor 2.6.11
* removed some bundled stuff we needed due to stdlib issues in older Pythons:
  * MoinMoin.support.difflib
  * MoinMoin.support.tarfile
  * MoinMoin.support.HeaderFixed (-> email.header)
* SubProcess: reimplement exec_cmd, remove our stdlib hacks
* remove own usage of the python_compatibility module which we needed to
  support older Pythons. The module is still there, in case some 3rd party
  moin extensions used it.
Version 1.9.8:

New features:
* cfg.recovery_token_lifetime determines how long the password recovery token
  will be valid, default is 12 [h]. Check that this setting is adequate before
  doing (global) password resets, so your users have enough time to react
  before the token times out!
* cfg.log_events_format can be used to configure the format of the records
  written to /event-log:
  0 = do not create event-log entries (saves disk space, disk I/O)
  1 = standard (like in moin <= 1.9.7) [default]
  2 = extended (add infos about username, wikiname, url)
* add a tool to output the contents of the event-log to CSV:
  moin export eventlog --file=output.csv
  Output encoding is utf-8, columns are in this order:
  time, event, username, ip, wikiname, pagename, url, referrer, ua
  time: UNIX timestamp (float)
* reimplement cfg.log_timing - if True, emits INFO level log output like:
  "timing: