Version 1.3.0 (released ??-???-????)
* updated dependency requirements
- minimum Python version is now 3.6 (#138)
- minimum Subversion version now 1.14.0 with py3 bindings
- minimum Pygments version now 1.1
- minimum MySQL version now ????? (#213)
- now using passlib (instead of fcrypt) for standalone authn support (#361)
* removed support for mod_python-based deployments (#234)
* removed support for ASP-based deployments (#235)
* make-database now requires --force to destroy existing DB (#212)
* removed deprecated checkout_magic option/behavior (#215)
* new 'allow_mojibake' option (#216)
* require explicit match for web-friendly images in 'binary_mime_types' (#216)
* fix a problem on CVS checkout files with rcsparse (#272)
* new 'max_context' option, for GNU diffutils 3.8 and newer (#293)
* fix problems on diff view when hr_intraline is set (#275)
* new 'root_path_locale' option (Tigris #500)
* support Unicode root path both in CVS and Subversion (Tigris #500)
* fix encoding problems on diff view and generating patch (#301)
* new 'image' view for limited as-is image display (#360)
Version 1.2.3 (released 04-Jan-2023)
* security fix: escape revision view copy paths (#311) [CVE-2023-22464]
Version 1.2.2 (released 03-Jan-2023)
* security fix: escape revision view changed paths (#311) [CVE-2023-22456]
* standalone.py defaults to UTF-8 output now, too
* fix viewvc-install error handling bug
* fix a problem on CVS checkout files with rcsparse (#272)
Version 1.2.1 (released 26-Mar-2020)
* security fix: escape subdir lastmod file name (#211) [CVE-2020-5283]
Version 1.2.0 (released 17-Mar-2020)
* bumped minimum supported Python version to 2.4
* implemented support for property diffs (Tigris #383)
* allow user-configurable cvsgraph display (Tigris #336)
* allow rNNNN syntax for Subversion revision numbers (Tigris #441)
* display revision numbers in CVS tag/branch selector (Tigris #546)
* allow roots to have optional context (#58)
* use a more secure temporary file generator (#159)
* fix problems with make-database and special characters (#141, #182)
* fix bogus default ci_when value in cvsdb (#200)
* standalone query interface removed (#206)
* GUI support (--gui) removed from standalone.py
Version 1.1.30 (released 04-Jan-2023)
* security fix: escape revision view copy paths (#311) [CVE-2023-22464]
Version 1.1.29 (released 03-Jan-2023)
* security fix: escape revision view changed paths (#311) [CVE-2023-22456]
Version 1.1.28 (released 26-Mar-2020)
* security fix: escape subdir lastmod file name (#211) [CVE-2020-5283]
* fix standalone.py first request failure (#195)
Version 1.1.27 (released 06-Jun-2019)
* suppress stack traces (with option to show) (#140)
* distinguish text/binary/image files by icons (#166, #175)
* colorize alternating file content lines (#167)
* link to the instance root from the ViewVC logo (#168)
* display directory and root counts, too (#169)
* fix double fault error in standalone.py (#157)
* support timezone offsets with minutes piece (#176)
--- NOTE: Issue references below this point are from Tigris.org ---
Version 1.1.26 (released 24-Jan-2017)
* security fix: escape nav_data name [CVE-2017-5938]
Version 1.1.25 (released 15-Sep-2016)
* fix _rev2optrev assertion on long input
Version 1.1.24 (released 02-Oct-2015)
* fix minor bug in human_readable boolean calculation
* allow hr_funout option to apply to unidiff diffs, too
* fix infinite loop in rcsparse
* fix iso8601 timezone offset handling (#542)
* add support for renamed roots (#544)
* fix minor buglet in viewvc-install error message
Version 1.1.23 (released 04-Nov-2014)
* fix annotate bug triggered by files with trailing blank lines (#533)
* fix markup display of files with trailing blank lines (#533)
* add support for root-relative svnauthz access files (#535)
* fix cvsdb MySQL-python argument conversion error (#539)
* fix double-escaping of revision links (#541)
* fix bug that prevented mod_python 3.4+ deployment (#540)
Version 1.1.22 (released 14-Jan-2014)
* minor directory sorting logic fix (re: show_subdir_lastmod)
* fix display of show_subdir_lastmod details (#532)
* pay attention to chardet's detection confidence
* linkify line numbers in markup/annotate view
Version 1.1.21 (released 13-Sep-2013)
* fix markup/annotate exception with Python < 2.7 (#527)
Version 1.1.20 (released 24-Apr-2013)
* fix tab-to-space handling regression in markup view
* fix regression in root lookup handling (#526)
Version 1.1.19 (released 22-Apr-2013)
* improve root lookup performance (#523)
* new 'max_filesize_kbytes' config option and handling (#524)
* tarball generation improvements:
- preserve Subversion symlinks in generated tarballs (#487)
- reduce memory usage of tarball generation logic
- fix double compression of generated tarballs (#525)
* file content handling improvements:
- expanded support for encoding detection and transcoding (#11)
- fix tab-to-space conversion bugs in markup, annotate, and diff views
- fix handling of trailing whitespace in diff view
* add support for timestamp display in ISO8601 format (#46)
Version 1.1.18 (released 28-Feb-2013)
* fix exception raised by BDB-backed SVN repositories (#519)
* hide revision-less files when rcsparse is in use
* include branchpoints in branch views using rcsparse (#347)
* miscellaneous cvsdb improvements:
- add --port option to make-database (#521)
- explicitly name columns in queries (#522)
- update MySQL syntax to avoid discontinued "TYPE=" terms
Version 1.1.17 (released 25-Oct-2012)
* fix exception caused by uninitialized variable usage (#516)
Version 1.1.16 (released 24-Oct-2012)
* security fix: escape "extra" diff info (#515) [CVE-2012-4533]
* add 'binary_mime_types' configuration option and handling (#510)
* fix 'select for diffs' persistence across log pages (#512)
* remove lock status and filesize check on directories in remote SVN views
* fix bogus 'Annotation of' page title for non-annotated view (#514)
Version 1.1.15 (released 22-Jun-2012)
* security fix: complete remote SVN authz support (#353) [CVE-2012-3356]
* security fix: log message leak with unreadable copy source [CVE-2012-3357]
* fix several instances of incorrect information in remote SVN views
* increase performance of some revision metadata lookups in remote SVN views
* fix RSS feed regression introduced in 1.1.14
Version 1.1.14 (released 12-Jun-2012)
* fix annotation of svn files with non-URI-safe paths (#504)
* handle file:/// Subversion rootpaths as local roots (#446)
* fix bug caused by trying to case-normalize anon usernames (#505)
* speed up log handling by reusing tokenization results (#506)
* add support for custom revision log markup rules (#246)
Version 1.1.13 (released 23-Jan-2012)
* fix svndbadmin failure on deleted paths under Subversion 1.7 (#499)
* fix annotation of files in svn roots with non-URI-safe paths
* fix stray annotation warning in markup display of images
* more gracefully handle attempts to display binary content (#501)
Version 1.1.12 (released 03-Nov-2011)
* fix path display in patch and certain diff views (#485)
* fix broken cvsdb glob searching (#486)
* allow svn revision specifiers to have leading r's (#441, #448)
* allow environmental override of configuration location (#494)
* fix exception HTML-escaping non-string data under WSGI (#454)
* add links to root logs from roots view (#470)
* use Pygments lexer-guessing functionality (#495)
Version 1.1.11 (released 17-May-2011)
* security fix: remove override of cvsdb row limit [CVE-2009-5024]
* fix broken standalone.py -c and -d options handling
* add --help option to standalone.py
* fix stack trace when asked to checkout a directory (#478)
* improve memory usage and speed of revision log markup (#477)
* fix broken annotation view in CVS keyword-bearing files (#479)
* warn users when query results are incomplete (#433)
* avoid parsing errors on RCS newphrases in the admin section (#483)
* make rlog parsing code more robust in certain error cases (#444)
Version 1.1.10 (released 15-Mar-2011)
* fix stack trace in Subversion revision info logic (#475, #476)
Version 1.1.9 (released 18-Feb-2011)
* vcauth universal access determinations (#425)
* rework svn revision info cache for performance
* make revision log "extra pages" count configurable
* fix Subversion 1.4.x revision log compatibility code regression
* display sanitized error when authzfile is malformed
* restore markup of URLs in file contents (#455)
* optionally display last-committed metadata in roots view (#457)
Version 1.1.8 (released 02-Dec-2010)
* fix slowness triggered by allow_compress=1 configuration (#467)
* allow use of 'fcrypt' for Windows standalone.py authn support (#471)
* yield more useful error on directory markup/annotate request (#472)
Version 1.1.7 (released 09-Sep-2010)
* display Subversion revision properties in the revision view (#453)
* fix exception in 'standalone.py -r REPOS' when run without a config file
* fix standalone.py server root deployments (--script-alias='')
* add rudimentary Basic authn support to standalone.py (Unix-only) (#49)
* fix obscure "unexpected NULL parent pool" Subversion bindings error
* enable path info / link display in remote Subversion root revision view
* fix vhost name case handling inconsistency (#466)
* use svn:mime-type property charset param as encoding hint
* markup Subversion revision references in log messages (#313)
* add rudimentary support for FastCGI-based deployments (#464)
* fix query script WSGI deployment
* add configuration to fix query script cross-linking to ViewVC
Version 1.1.6 (released 02-Jun-2010)
* add rudimentary support for WSGI-based deployments (#397)
* fix exception caused by trying to HTML-escape non-string data (#454)
* fix incorrect RSS feed Content-Type header (#449)
* fix RSS
encoding problem (#451)
* allow 'svndbadmin purge' to work on missing repositories (#452)
Version 1.1.5 (released 29-Mar-2010)
* security fix: escape user-provided search_re input [CVE-2010-0132]
Version 1.1.4 (released 10-Mar-2010)
* security fix: escape user-provided query form input [CVE-2010-0736]
* fix standalone.py failure (when per-root options aren't used) (#445)
* fix annotate failure caused by ignored svn_config_dir (#447)
Version 1.1.3 (released 22-Dec-2009)
* security fix: support per-root authz config in root listing [CVE-2010-0004]
* security fix: validate configured query.py authorizer [CVE-2010-0005]
* fix URL-ification of truncated log messages (#3)
* fix regexp input validation (#426, #427, #440)
* add support for configurable tab-to-spaces conversion
* fix not-a-sequence error in diff view
* allow viewvc-install to work when templates-contrib is absent
* minor template improvements/corrections
* expose revision metadata in diff view (#431)
* markup file/directory item property URLs and email addresses (#434)
* make ViewVC cross copies in Subversion history by default
* fix bug that caused standalone.py failure under Python 1.5.2 (#442)
* fix support for per-vhost overrides of authorizer parameters (#411)
* fix root name identification in query.py interface
Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter [CVE-2009-3618]
* security fix: avoid printing illegal parameter names/values [CVE-2009-3619]
* add optional support for character encoding detection (#400)
* fix username case handling in svnauthz module (#419)
* fix cvsdbadmin/svnadmin rebuild error on missing repos (#420)
* don't drop leading blank lines from colorized file contents (#422)
* add file.ezt template logic for optionally hiding binary file contents
Version 1.1.1 (released 03-Jun-2009)
* fix broken query form (missing required template variables) (#416)
* fix bug in cvsdb which caused rebuild operations to lose data (#417)
* fix cvsdb purge/rebuild repos lookup to error on missing repos
* fix misleading file contents view page title
Version 1.1.0 (released 13-May-2009)
* add support for full content diffs (#153)
* make many more data dictionary items available to all views
* various rcsparse and tparse module fixes
* add daemon mode to standalone.py (#235)
* rework helper application configuration options (#229, #62)
* teach standalone.py to recognize Subversion repositories via -r option
* now interpret relative paths in "viewvc.conf" as relative to that file
* add 'purge' subcommand to cvsdbadmin and svndbadmin (#271)
* fix orphaned data bug in cvsdbadmin/svndbadmin rebuild (#271)
* add support for query by log message (#22, #121)
* fix bug parsing 'svn blame' output with too-long author names (#221)
* fix default standalone.py port to be within private IANA range (#234)
* add unified configury of allowed views; checkout view disabled by default
* add support for ranges of revisions to svndbadmin (#224)
* make the query handling more forgiving of malformatted subdirs (#244)
* add support for per-root configuration overrides (#371)
* add support for optional email address mangling (#290)
* extensible path-based authorization subsystem (#268), supporting:
- Subversion authz files (new)
- regexp-based path hiding (for compat with 1.0.x)
- file glob top-level directory hiding (for compat with 1.0.x)
* allow default file view to be "markup" (#305)
* add support for displaying file/directory properties (#39)
* pagination improvements
* add gzip output encoding support for template-driven pages
* fix cache control bugs (#259)
* add RSS feed URL generation for file history
* add support for remote creation of ViewVC checkins database
* add integration with Pygments for syntax highlighting
* preserve executability of Subversion files in tarballs (#233)
* add ability to set Subversion runtime config dir (#351, #339)
* show RSS/query links only for roots found in commits database (#357)
* recognize Subversion svn:mime-type property values (#364)
* hide CVS files when viewing tags/branches on which they don't exist
* allow hiding of errorful entries from the directory view (#105)
* fix directory view sorting UI
* tolerate malformed Accept-Language headers (#396)
* allow MIME type mapping overrides in ViewVC configuration (#401)
* fix exception in rev-sorted remote Subversion directory views (#409)
* allow setting of page sizes for log and dir views individually (#402)
Version 1.0.14 (released 24-Jan-2017)
* security fix: escape nav_data name [CVE-2017-5938]
* fix bug that prevented mod_python 3.4+ deployment (issue #540)
Version 1.0.13 (released 24-Oct-2012)
* security fix: escape "extra" diff info (#515) [CVE-2012-4533]
* security fix: remove override of cvsdb row limit [CVE-2009-5024]
* fix obscure "unexpected NULL parent pool" Subversion bindings error
* fix svndbadmin failure on deleted paths under Subversion 1.7 (issue #499)
Version 1.0.12 (released 02-Jun-2010)
* fix exception caused by trying to HTML-escape non-string data (issue #454)
Version 1.0.11 (released 29-Mar-2010)
* security fix: escape user-provided search_re input [CVE-2010-0132]
Version 1.0.10 (released 10-Mar-2010)
* security fix: escape user-provided query form input [CVE-2010-0736]
* fix errors viewing remote Subversion paths with URI-unsafe characters
* fix regexp input validation (issue #426, #427, #440)
Version 1.0.9 (released 11-Aug-2009)
* security fix: validate the 'view' parameter [CVE-2009-3618]
* security fix: avoid printing illegal parameter names/values [CVE-2009-3619]
Version 1.0.8 (released 05-May-2009)
* fix directory view sorting UI
* tolerate malformed Accept-Language headers (#396)
* fix directory log views in revision-less Subversion repositories
* fix exception in rev-sorted remote Subversion directory views (#409)
Version 1.0.7 (released 14-Oct-2008)
* fix regression in the 'as text' download view (#373)
Version 1.0.6 (released 16-Sep-2008)
* security fix: validate content_type (#354) [CVE-2005-4831, CVE-2008-4325]
* fix bug in regexp search filter when used with sticky tag (#346)
* fix bug in handling of certain 'co' output (#348)
* fix regexp search filter template bug
* fix annotate code syntax error
* fix mod_python import cycle (#369)
Version 1.0.5 (released 28-Feb-2008)
* security fix: query: omit commits of solely forbidden files [CVE-2008-1290]
* security fix: disallow navigation to hidden CVSROOT folder [CVE-2008-1291]
* security fix: multiple forbidden path exposures [CVE-2008-1292]
* new 'forbiddenre' regexp-based path authorization feature
* fix root name conflict resolution inconsistencies (#287)
* fix an oversight in the CVS 1.12.9 loginfo-handler support
* fix RSS feed content type to be more specific (#306)
* fix entity escaping problems in RSS feed data (#238)
* fix bug in tarball generation for remote Subversion repositories
* fix query interface file-count-limiting logic
* fix query results plus/minus count to ignore forbidden files
* fix blame error caused by 'svn' unable to create runtime config dir
Version 1.0.4 (released 10-Apr-2007)
* fix some markup bugs in query views (#266)
* fix loginfo-handler's support for CVS 1.12.9 (#151, #257)
* make viewvc-install able to run from an arbitrary location
* update viewvc-install's output for readability
* fix bug writing commits to non-MyISAM databases (#262)
* allow long paths in generated tarballs (#12)
* fix bug interpreting EZT substitute patterns
* fix broken markup view disablement
* fix broken directory view link generation in directory log view
* fix Windows-specific viewvc-install bugs
* fix broke query result links for Subversion deleted items (#296)
* fix some output XHTML validation buglets
* fix database query cache staleness problems (#180)
Version 1.0.3 (released 13-Oct-2006)
* security fix: declare charset for views [CVE-2006-5442]
* fix bug in path shown for Subversion deleted-under-copy items (#265)
Version 1.0.2 (released 29-Sep-2006)
* minor documentation fixes
* fix Subversion annotate functionality on Windows (#18)
* fix annotate assertions on uncanonicalized #include paths (#208)
* make RSS URL method match the method used to generate it (#245)
* fix Subversion annotation to run non-interactively, preventing hangs
* fix bug in custom syntax highlighter fallback logic
* fix bug in PHP CGI hack to avoid force-cgi-redirect errors
Version 1.0.1 (released 20-Jul-2006)
* fix exception on log page when use_pagesize is enabled
* fix an XHTML validation bug in the footer template (#239)
* fix handling of single-component CVS revision numbers (#237)
* fix bug in download-as-text URL link generation (#241)
* fix query.cgi bug, missing 'rss_href' template data item (#249)
* no longer omit empty Subversion directories from tarballs (#250)
* use actual modification time for Subversion directories in tarballs
Version 1.0 (released 01-May-2006)
* add support for viewing Subversion repositories
* add support for running on MS Windows
* generate strict XHTML output
* add support for caching by sending "Last-Modified", "Expires",
"ETag", and "Cache-Control" headers
* add support for Mod_Python on Apache 2.x and ASP on IIS
* Several changes to standalone.py:
- -h commandline option to specify hostname for non local use.
- -r commandline option may be repeated to use more than repository
before actually installing ViewCVS.
- New GUI field to test paging.
* add new, better-integrated query interface
* add integrated RSS feeds
* add new "root_as_url_component" option to embed root names as
path components in ViewCVS URLs for a more natural URL scheme
in ViewCVS configurations with multiple repositories.
* add new "use_localtime" option to display local times instead of UTC times
* add new "root_parents" option to make it possible to add and
remove repositories without modifying the ViewCVS configuration
* add new "template_dir" option to facilitate switching between sets of
templates
* add new "sort_group_dirs" option to disable grouping of
directories in directory listings
* add new "port" option to connect to a MySQL database on a nonstandard port
* make "default_root" option optional. When no root is specified,
show a page listing all available repositories
* add "default_file_view" option to make it possible for relative
links and image paths in checked out HTML files to work without
the need for special /*checkout*/ prefixes in URLs. Deprecate
"checkout_magic" option and disable by default
* add "limit_changes" option to limit number of changed files shown per
commit by default in query results and in the Subversion revision view
* hide CVS "Attic" directories and add simple toggle for showing
dead files in directory listings
* show Unified, Context and Side-by-side diffs in HTML instead of
in bare text pages
* make View/Download links work the same for all file types
* add links to tip of selected branch on log page
* allow use of "Highlight" program for colorizing
* enable enscript colorizing for more file types
* add sorting arrows for directory views
* get rid of popup windows for checkout links
* obfuscate email addresses in html output by encoding @ symbol
with an HTML character reference
* add paging capability
* Improvements to templates
- add new template authoring guide
- increase coverage, use templates to produce HTML for diff pages,
markup pages, annotate pages, and error pages
- move more common page elements into includes
- add new template variables providing ViewCVS URLs for more
links between related pages and less URL generation inside
templates
* add new [define] EZT directive for assigning variables within templates
* add command line argument parsing to install script to allow
non-interactive installs
* add stricter parameter validation to lower likelihood of cross-site
scripting vulnerabilities
* add support for cvsweb's "mime_type=text/x-cvsweb-markup" URLs
* fix incompatibility with enscript 1.6.3
* fix bug in parsing FreeBSD rlog output
* work around rlog assumption all two digit years in RCS files are
relative to the year 1900.
* change loginfo-handler to cope with spaces in filenames and
support a simpler command line invocation from CVS
* make cvsdbadmin work properly when invoked on CVS subdirectory
paths instead of top-level CVS root paths
* show diff error when comparing two binary files
* make regular expression search skip binary files
* make regular expression search skip nonversioned files in CVS
directories instead of choking on them
* fix tarball generator so it doesn't include forbidden modules
* output "404 Not Found" errors instead of "403 Forbidden" errors
to not reveal whether forbidden paths exist
* fix sorting bug in directory view
* reset log and directory page numbers when leaving those pages
* reset sort direction in directory listing when clicking new columns
* fix "Accept-Language" handling for Netscape 4.x browsers
* fix file descriptor leak in standalone server
* clean up zombie processes from running enscript
* fix mysql "Too many connections" error in cvsdbadmin
* get rid of mxDateTime dependency for query database
* store query database times in UTC instead of local time
* fix daylight saving time bugs in various parts of the code
Version 0.9.4 (released 17-Aug-2005)
* security fix: query: omit forbidden/hidden modules
Version 0.9.3 (released 17-May-2005)
* security fix: disallow bad "content-type" input [CVE-2004-1062]
* security fix: disallow bad "sortby" and "cvsroot" input [CVE-2002-0771]
* security fix: omit forbidden/hidden modules from tarballs [CVE-2004-0915]
Version 0.9.2 (released 15-Jan-2002)
* fix redirects to Attic for diffs
* fix diffs that have no changes (causing an infinite loop)
Version 0.9.1 (released 26-Dec-2001)
* fix a problem with some syntax in ndiff.py which isn't compatible
with Python 1.5.2 (causing problems at install time)
* remove a debug statement left in the code which continues to
append lines to /tmp/log
Version 0.9 (released 23-Dec-2001)
* create templates for the rest of the pages: markup pages, graphs,
annotation, and diff.
* add multiple language support and dynamic selection based on the
Accept-Language request header
* add support for key/value files to provide a way for user-defined
variables within templates
* add optional regex searching for file contents
* add new templates for the navigation header and the footer
* EZT changes:
- add formatting into print directives
- add parameters to [include] directives
- relax what can go in double quotes
- [include] directives are now relative to the current template
- throw an exception for unclosed blocks
* changes to standalone.py: add flag for regex search
* add more help pages
* change installer to optionally show diffs
* fix to log.ezt and log_table.ezt to select "Side by Side" properly
* create dir_alternate.ezt for the flipped rev/name links
* various UI tweaks for the directory pages
Version 0.8 (released 10-Dec-2001)
* add EZT templating mechanism for generating output pages
* big update of cvs commit database
- updated MySQL support
- new CGI
- better database caching
- switch from old templates to new EZT templates (and integration
of look-and-feel)
* optional usage of CVSGraph is now builtin
* standalone server (for testing) is now provided
* shifted some options from viewcvs.conf to the templates
* the help at the top of the pages has been shifted to separate help
pages, so experienced users don't have to keep seeing it
* paths in viewcvs.conf don't require trailing slashes any more
* tweak the colorizing for Pascal and Fortran files
* fix file readability problem where the user had access via the
group, but the process' group did not match that group
* some Daylight Savings Time fixes in the CVS commit database
* fix tarball generation (the file name) for the root dir
* changed default human-readable-diff colors to "stoplight" metaphor
* web site and doc revamps
* fix the mime types on the download, view, etc links
* improved error response when the cvs root is missing
* don't try to process vhosts if the config section is not present
* various bug fixes and UI tweaks