Version 1.3.0 (released ??-???-????) * updated dependency requirements - minimum Python version is now 3.6 (#138) - minimum Subversion version now 1.14.0 with py3 bindings - minimum Pygments version now 1.1 - minimum MySQL version now ????? (#213) - now using passlib (instead of fcrypt) for standalone authn support (#361) * removed support for mod_python-based deployments (#234) * removed support for ASP-based deployments (#235) * make-database now requires --force to destroy existing DB (#212) * removed deprecated checkout_magic option/behavior (#215) * new 'allow_mojibake' option (#216) * require explicit match for web-friendly images in 'binary_mime_types' (#216) * fix a problem on CVS checkout files with rcsparse (#272) * new 'max_context' option, for GNU diffutils 3.8 and newer (#293) * fix problems on diff view when hr_intraline is set (#275) * new 'root_path_locale' option (Tigris #500) * support Unicode root path both in CVS and Subversion (Tigris #500) * fix encoding problems on diff view and generating patch (#301) * new 'image' view for limited as-is image display (#360) Version 1.2.3 (released 04-Jan-2023) * security fix: escape revision view copy paths (#311) [CVE-2023-22464] Version 1.2.2 (released 03-Jan-2023) * security fix: escape revision view changed paths (#311) [CVE-2023-22456] * standalone.py defaults to UTF-8 output now, too * fix viewvc-install error handling bug * fix a problem on CVS checkout files with rcsparse (#272) Version 1.2.1 (released 26-Mar-2020) * security fix: escape subdir lastmod file name (#211) [CVE-2020-5283] Version 1.2.0 (released 17-Mar-2020) * bumped minimum supported Python version to 2.4 * implemented support for property diffs (Tigris #383) * allow user-configurable cvsgraph display (Tigris #336) * allow rNNNN syntax for Subversion revision numbers (Tigris #441) * display revision numbers in CVS tag/branch selector (Tigris #546) * allow roots to have optional context (#58) * use a more secure temporary file generator (#159) * fix problems with make-database and special characters (#141, #182) * fix bogus default ci_when value in cvsdb (#200) * standalone query interface removed (#206) * GUI support (--gui) removed from standalone.py Version 1.1.30 (released 04-Jan-2023) * security fix: escape revision view copy paths (#311) [CVE-2023-22464] Version 1.1.29 (released 03-Jan-2023) * security fix: escape revision view changed paths (#311) [CVE-2023-22456] Version 1.1.28 (released 26-Mar-2020) * security fix: escape subdir lastmod file name (#211) [CVE-2020-5283] * fix standalone.py first request failure (#195) Version 1.1.27 (released 06-Jun-2019) * suppress stack traces (with option to show) (#140) * distinguish text/binary/image files by icons (#166, #175) * colorize alternating file content lines (#167) * link to the instance root from the ViewVC logo (#168) * display directory and root counts, too (#169) * fix double fault error in standalone.py (#157) * support timezone offsets with minutes piece (#176) --- NOTE: Issue references below this point are from Tigris.org --- Version 1.1.26 (released 24-Jan-2017) * security fix: escape nav_data name [CVE-2017-5938] Version 1.1.25 (released 15-Sep-2016) * fix _rev2optrev assertion on long input Version 1.1.24 (released 02-Oct-2015) * fix minor bug in human_readable boolean calculation * allow hr_funout option to apply to unidiff diffs, too * fix infinite loop in rcsparse * fix iso8601 timezone offset handling (#542) * add support for renamed roots (#544) * fix minor buglet in viewvc-install error message Version 1.1.23 (released 04-Nov-2014) * fix annotate bug triggered by files with trailing blank lines (#533) * fix markup display of files with trailing blank lines (#533) * add support for root-relative svnauthz access files (#535) * fix cvsdb MySQL-python argument conversion error (#539) * fix double-escaping of revision links (#541) * fix bug that prevented mod_python 3.4+ deployment (#540) Version 1.1.22 (released 14-Jan-2014) * minor directory sorting logic fix (re: show_subdir_lastmod) * fix display of show_subdir_lastmod details (#532) * pay attention to chardet's detection confidence * linkify line numbers in markup/annotate view Version 1.1.21 (released 13-Sep-2013) * fix markup/annotate exception with Python < 2.7 (#527) Version 1.1.20 (released 24-Apr-2013) * fix tab-to-space handling regression in markup view * fix regression in root lookup handling (#526) Version 1.1.19 (released 22-Apr-2013) * improve root lookup performance (#523) * new 'max_filesize_kbytes' config option and handling (#524) * tarball generation improvements: - preserve Subversion symlinks in generated tarballs (#487) - reduce memory usage of tarball generation logic - fix double compression of generated tarballs (#525) * file content handling improvements: - expanded support for encoding detection and transcoding (#11) - fix tab-to-space conversion bugs in markup, annotate, and diff views - fix handling of trailing whitespace in diff view * add support for timestamp display in ISO8601 format (#46) Version 1.1.18 (released 28-Feb-2013) * fix exception raised by BDB-backed SVN repositories (#519) * hide revision-less files when rcsparse is in use * include branchpoints in branch views using rcsparse (#347) * miscellaneous cvsdb improvements: - add --port option to make-database (#521) - explicitly name columns in queries (#522) - update MySQL syntax to avoid discontinued "TYPE=" terms Version 1.1.17 (released 25-Oct-2012) * fix exception caused by uninitialized variable usage (#516) Version 1.1.16 (released 24-Oct-2012) * security fix: escape "extra" diff info (#515) [CVE-2012-4533] * add 'binary_mime_types' configuration option and handling (#510) * fix 'select for diffs' persistence across log pages (#512) * remove lock status and filesize check on directories in remote SVN views * fix bogus 'Annotation of' page title for non-annotated view (#514) Version 1.1.15 (released 22-Jun-2012) * security fix: complete remote SVN authz support (#353) [CVE-2012-3356] * security fix: log message leak with unreadable copy source [CVE-2012-3357] * fix several instances of incorrect information in remote SVN views * increase performance of some revision metadata lookups in remote SVN views * fix RSS feed regression introduced in 1.1.14 Version 1.1.14 (released 12-Jun-2012) * fix annotation of svn files with non-URI-safe paths (#504) * handle file:/// Subversion rootpaths as local roots (#446) * fix bug caused by trying to case-normalize anon usernames (#505) * speed up log handling by reusing tokenization results (#506) * add support for custom revision log markup rules (#246) Version 1.1.13 (released 23-Jan-2012) * fix svndbadmin failure on deleted paths under Subversion 1.7 (#499) * fix annotation of files in svn roots with non-URI-safe paths * fix stray annotation warning in markup display of images * more gracefully handle attempts to display binary content (#501) Version 1.1.12 (released 03-Nov-2011) * fix path display in patch and certain diff views (#485) * fix broken cvsdb glob searching (#486) * allow svn revision specifiers to have leading r's (#441, #448) * allow environmental override of configuration location (#494) * fix exception HTML-escaping non-string data under WSGI (#454) * add links to root logs from roots view (#470) * use Pygments lexer-guessing functionality (#495) Version 1.1.11 (released 17-May-2011) * security fix: remove override of cvsdb row limit [CVE-2009-5024] * fix broken standalone.py -c and -d options handling * add --help option to standalone.py * fix stack trace when asked to checkout a directory (#478) * improve memory usage and speed of revision log markup (#477) * fix broken annotation view in CVS keyword-bearing files (#479) * warn users when query results are incomplete (#433) * avoid parsing errors on RCS newphrases in the admin section (#483) * make rlog parsing code more robust in certain error cases (#444) Version 1.1.10 (released 15-Mar-2011) * fix stack trace in Subversion revision info logic (#475, #476) Version 1.1.9 (released 18-Feb-2011) * vcauth universal access determinations (#425) * rework svn revision info cache for performance * make revision log "extra pages" count configurable * fix Subversion 1.4.x revision log compatibility code regression * display sanitized error when authzfile is malformed * restore markup of URLs in file contents (#455) * optionally display last-committed metadata in roots view (#457) Version 1.1.8 (released 02-Dec-2010) * fix slowness triggered by allow_compress=1 configuration (#467) * allow use of 'fcrypt' for Windows standalone.py authn support (#471) * yield more useful error on directory markup/annotate request (#472) Version 1.1.7 (released 09-Sep-2010) * display Subversion revision properties in the revision view (#453) * fix exception in 'standalone.py -r REPOS' when run without a config file * fix standalone.py server root deployments (--script-alias='') * add rudimentary Basic authn support to standalone.py (Unix-only) (#49) * fix obscure "unexpected NULL parent pool" Subversion bindings error * enable path info / link display in remote Subversion root revision view * fix vhost name case handling inconsistency (#466) * use svn:mime-type property charset param as encoding hint * markup Subversion revision references in log messages (#313) * add rudimentary support for FastCGI-based deployments (#464) * fix query script WSGI deployment * add configuration to fix query script cross-linking to ViewVC Version 1.1.6 (released 02-Jun-2010) * add rudimentary support for WSGI-based deployments (#397) * fix exception caused by trying to HTML-escape non-string data (#454) * fix incorrect RSS feed Content-Type header (#449) * fix RSS encoding problem (#451) * allow 'svndbadmin purge' to work on missing repositories (#452) Version 1.1.5 (released 29-Mar-2010) * security fix: escape user-provided search_re input [CVE-2010-0132] Version 1.1.4 (released 10-Mar-2010) * security fix: escape user-provided query form input [CVE-2010-0736] * fix standalone.py failure (when per-root options aren't used) (#445) * fix annotate failure caused by ignored svn_config_dir (#447) Version 1.1.3 (released 22-Dec-2009) * security fix: support per-root authz config in root listing [CVE-2010-0004] * security fix: validate configured query.py authorizer [CVE-2010-0005] * fix URL-ification of truncated log messages (#3) * fix regexp input validation (#426, #427, #440) * add support for configurable tab-to-spaces conversion * fix not-a-sequence error in diff view * allow viewvc-install to work when templates-contrib is absent * minor template improvements/corrections * expose revision metadata in diff view (#431) * markup file/directory item property URLs and email addresses (#434) * make ViewVC cross copies in Subversion history by default * fix bug that caused standalone.py failure under Python 1.5.2 (#442) * fix support for per-vhost overrides of authorizer parameters (#411) * fix root name identification in query.py interface Version 1.1.2 (released 11-Aug-2009) * security fix: validate the 'view' parameter [CVE-2009-3618] * security fix: avoid printing illegal parameter names/values [CVE-2009-3619] * add optional support for character encoding detection (#400) * fix username case handling in svnauthz module (#419) * fix cvsdbadmin/svnadmin rebuild error on missing repos (#420) * don't drop leading blank lines from colorized file contents (#422) * add file.ezt template logic for optionally hiding binary file contents Version 1.1.1 (released 03-Jun-2009) * fix broken query form (missing required template variables) (#416) * fix bug in cvsdb which caused rebuild operations to lose data (#417) * fix cvsdb purge/rebuild repos lookup to error on missing repos * fix misleading file contents view page title Version 1.1.0 (released 13-May-2009) * add support for full content diffs (#153) * make many more data dictionary items available to all views * various rcsparse and tparse module fixes * add daemon mode to standalone.py (#235) * rework helper application configuration options (#229, #62) * teach standalone.py to recognize Subversion repositories via -r option * now interpret relative paths in "viewvc.conf" as relative to that file * add 'purge' subcommand to cvsdbadmin and svndbadmin (#271) * fix orphaned data bug in cvsdbadmin/svndbadmin rebuild (#271) * add support for query by log message (#22, #121) * fix bug parsing 'svn blame' output with too-long author names (#221) * fix default standalone.py port to be within private IANA range (#234) * add unified configury of allowed views; checkout view disabled by default * add support for ranges of revisions to svndbadmin (#224) * make the query handling more forgiving of malformatted subdirs (#244) * add support for per-root configuration overrides (#371) * add support for optional email address mangling (#290) * extensible path-based authorization subsystem (#268), supporting: - Subversion authz files (new) - regexp-based path hiding (for compat with 1.0.x) - file glob top-level directory hiding (for compat with 1.0.x) * allow default file view to be "markup" (#305) * add support for displaying file/directory properties (#39) * pagination improvements * add gzip output encoding support for template-driven pages * fix cache control bugs (#259) * add RSS feed URL generation for file history * add support for remote creation of ViewVC checkins database * add integration with Pygments for syntax highlighting * preserve executability of Subversion files in tarballs (#233) * add ability to set Subversion runtime config dir (#351, #339) * show RSS/query links only for roots found in commits database (#357) * recognize Subversion svn:mime-type property values (#364) * hide CVS files when viewing tags/branches on which they don't exist * allow hiding of errorful entries from the directory view (#105) * fix directory view sorting UI * tolerate malformed Accept-Language headers (#396) * allow MIME type mapping overrides in ViewVC configuration (#401) * fix exception in rev-sorted remote Subversion directory views (#409) * allow setting of page sizes for log and dir views individually (#402) Version 1.0.14 (released 24-Jan-2017) * security fix: escape nav_data name [CVE-2017-5938] * fix bug that prevented mod_python 3.4+ deployment (issue #540) Version 1.0.13 (released 24-Oct-2012) * security fix: escape "extra" diff info (#515) [CVE-2012-4533] * security fix: remove override of cvsdb row limit [CVE-2009-5024] * fix obscure "unexpected NULL parent pool" Subversion bindings error * fix svndbadmin failure on deleted paths under Subversion 1.7 (issue #499) Version 1.0.12 (released 02-Jun-2010) * fix exception caused by trying to HTML-escape non-string data (issue #454) Version 1.0.11 (released 29-Mar-2010) * security fix: escape user-provided search_re input [CVE-2010-0132] Version 1.0.10 (released 10-Mar-2010) * security fix: escape user-provided query form input [CVE-2010-0736] * fix errors viewing remote Subversion paths with URI-unsafe characters * fix regexp input validation (issue #426, #427, #440) Version 1.0.9 (released 11-Aug-2009) * security fix: validate the 'view' parameter [CVE-2009-3618] * security fix: avoid printing illegal parameter names/values [CVE-2009-3619] Version 1.0.8 (released 05-May-2009) * fix directory view sorting UI * tolerate malformed Accept-Language headers (#396) * fix directory log views in revision-less Subversion repositories * fix exception in rev-sorted remote Subversion directory views (#409) Version 1.0.7 (released 14-Oct-2008) * fix regression in the 'as text' download view (#373) Version 1.0.6 (released 16-Sep-2008) * security fix: validate content_type (#354) [CVE-2005-4831, CVE-2008-4325] * fix bug in regexp search filter when used with sticky tag (#346) * fix bug in handling of certain 'co' output (#348) * fix regexp search filter template bug * fix annotate code syntax error * fix mod_python import cycle (#369) Version 1.0.5 (released 28-Feb-2008) * security fix: query: omit commits of solely forbidden files [CVE-2008-1290] * security fix: disallow navigation to hidden CVSROOT folder [CVE-2008-1291] * security fix: multiple forbidden path exposures [CVE-2008-1292] * new 'forbiddenre' regexp-based path authorization feature * fix root name conflict resolution inconsistencies (#287) * fix an oversight in the CVS 1.12.9 loginfo-handler support * fix RSS feed content type to be more specific (#306) * fix entity escaping problems in RSS feed data (#238) * fix bug in tarball generation for remote Subversion repositories * fix query interface file-count-limiting logic * fix query results plus/minus count to ignore forbidden files * fix blame error caused by 'svn' unable to create runtime config dir Version 1.0.4 (released 10-Apr-2007) * fix some markup bugs in query views (#266) * fix loginfo-handler's support for CVS 1.12.9 (#151, #257) * make viewvc-install able to run from an arbitrary location * update viewvc-install's output for readability * fix bug writing commits to non-MyISAM databases (#262) * allow long paths in generated tarballs (#12) * fix bug interpreting EZT substitute patterns * fix broken markup view disablement * fix broken directory view link generation in directory log view * fix Windows-specific viewvc-install bugs * fix broke query result links for Subversion deleted items (#296) * fix some output XHTML validation buglets * fix database query cache staleness problems (#180) Version 1.0.3 (released 13-Oct-2006) * security fix: declare charset for views [CVE-2006-5442] * fix bug in path shown for Subversion deleted-under-copy items (#265) Version 1.0.2 (released 29-Sep-2006) * minor documentation fixes * fix Subversion annotate functionality on Windows (#18) * fix annotate assertions on uncanonicalized #include paths (#208) * make RSS URL method match the method used to generate it (#245) * fix Subversion annotation to run non-interactively, preventing hangs * fix bug in custom syntax highlighter fallback logic * fix bug in PHP CGI hack to avoid force-cgi-redirect errors Version 1.0.1 (released 20-Jul-2006) * fix exception on log page when use_pagesize is enabled * fix an XHTML validation bug in the footer template (#239) * fix handling of single-component CVS revision numbers (#237) * fix bug in download-as-text URL link generation (#241) * fix query.cgi bug, missing 'rss_href' template data item (#249) * no longer omit empty Subversion directories from tarballs (#250) * use actual modification time for Subversion directories in tarballs Version 1.0 (released 01-May-2006) * add support for viewing Subversion repositories * add support for running on MS Windows * generate strict XHTML output * add support for caching by sending "Last-Modified", "Expires", "ETag", and "Cache-Control" headers * add support for Mod_Python on Apache 2.x and ASP on IIS * Several changes to standalone.py: - -h commandline option to specify hostname for non local use. - -r commandline option may be repeated to use more than repository before actually installing ViewCVS. - New GUI field to test paging. * add new, better-integrated query interface * add integrated RSS feeds * add new "root_as_url_component" option to embed root names as path components in ViewCVS URLs for a more natural URL scheme in ViewCVS configurations with multiple repositories. * add new "use_localtime" option to display local times instead of UTC times * add new "root_parents" option to make it possible to add and remove repositories without modifying the ViewCVS configuration * add new "template_dir" option to facilitate switching between sets of templates * add new "sort_group_dirs" option to disable grouping of directories in directory listings * add new "port" option to connect to a MySQL database on a nonstandard port * make "default_root" option optional. When no root is specified, show a page listing all available repositories * add "default_file_view" option to make it possible for relative links and image paths in checked out HTML files to work without the need for special /*checkout*/ prefixes in URLs. Deprecate "checkout_magic" option and disable by default * add "limit_changes" option to limit number of changed files shown per commit by default in query results and in the Subversion revision view * hide CVS "Attic" directories and add simple toggle for showing dead files in directory listings * show Unified, Context and Side-by-side diffs in HTML instead of in bare text pages * make View/Download links work the same for all file types * add links to tip of selected branch on log page * allow use of "Highlight" program for colorizing * enable enscript colorizing for more file types * add sorting arrows for directory views * get rid of popup windows for checkout links * obfuscate email addresses in html output by encoding @ symbol with an HTML character reference * add paging capability * Improvements to templates - add new template authoring guide - increase coverage, use templates to produce HTML for diff pages, markup pages, annotate pages, and error pages - move more common page elements into includes - add new template variables providing ViewCVS URLs for more links between related pages and less URL generation inside templates * add new [define] EZT directive for assigning variables within templates * add command line argument parsing to install script to allow non-interactive installs * add stricter parameter validation to lower likelihood of cross-site scripting vulnerabilities * add support for cvsweb's "mime_type=text/x-cvsweb-markup" URLs * fix incompatibility with enscript 1.6.3 * fix bug in parsing FreeBSD rlog output * work around rlog assumption all two digit years in RCS files are relative to the year 1900. * change loginfo-handler to cope with spaces in filenames and support a simpler command line invocation from CVS * make cvsdbadmin work properly when invoked on CVS subdirectory paths instead of top-level CVS root paths * show diff error when comparing two binary files * make regular expression search skip binary files * make regular expression search skip nonversioned files in CVS directories instead of choking on them * fix tarball generator so it doesn't include forbidden modules * output "404 Not Found" errors instead of "403 Forbidden" errors to not reveal whether forbidden paths exist * fix sorting bug in directory view * reset log and directory page numbers when leaving those pages * reset sort direction in directory listing when clicking new columns * fix "Accept-Language" handling for Netscape 4.x browsers * fix file descriptor leak in standalone server * clean up zombie processes from running enscript * fix mysql "Too many connections" error in cvsdbadmin * get rid of mxDateTime dependency for query database * store query database times in UTC instead of local time * fix daylight saving time bugs in various parts of the code Version 0.9.4 (released 17-Aug-2005) * security fix: query: omit forbidden/hidden modules Version 0.9.3 (released 17-May-2005) * security fix: disallow bad "content-type" input [CVE-2004-1062] * security fix: disallow bad "sortby" and "cvsroot" input [CVE-2002-0771] * security fix: omit forbidden/hidden modules from tarballs [CVE-2004-0915] Version 0.9.2 (released 15-Jan-2002) * fix redirects to Attic for diffs * fix diffs that have no changes (causing an infinite loop) Version 0.9.1 (released 26-Dec-2001) * fix a problem with some syntax in ndiff.py which isn't compatible with Python 1.5.2 (causing problems at install time) * remove a debug statement left in the code which continues to append lines to /tmp/log Version 0.9 (released 23-Dec-2001) * create templates for the rest of the pages: markup pages, graphs, annotation, and diff. * add multiple language support and dynamic selection based on the Accept-Language request header * add support for key/value files to provide a way for user-defined variables within templates * add optional regex searching for file contents * add new templates for the navigation header and the footer * EZT changes: - add formatting into print directives - add parameters to [include] directives - relax what can go in double quotes - [include] directives are now relative to the current template - throw an exception for unclosed blocks * changes to standalone.py: add flag for regex search * add more help pages * change installer to optionally show diffs * fix to log.ezt and log_table.ezt to select "Side by Side" properly * create dir_alternate.ezt for the flipped rev/name links * various UI tweaks for the directory pages Version 0.8 (released 10-Dec-2001) * add EZT templating mechanism for generating output pages * big update of cvs commit database - updated MySQL support - new CGI - better database caching - switch from old templates to new EZT templates (and integration of look-and-feel) * optional usage of CVSGraph is now builtin * standalone server (for testing) is now provided * shifted some options from viewcvs.conf to the templates * the help at the top of the pages has been shifted to separate help pages, so experienced users don't have to keep seeing it * paths in viewcvs.conf don't require trailing slashes any more * tweak the colorizing for Pascal and Fortran files * fix file readability problem where the user had access via the group, but the process' group did not match that group * some Daylight Savings Time fixes in the CVS commit database * fix tarball generation (the file name) for the root dir * changed default human-readable-diff colors to "stoplight" metaphor * web site and doc revamps * fix the mime types on the download, view, etc links * improved error response when the cvs root is missing * don't try to process vhosts if the config section is not present * various bug fixes and UI tweaks