Loading...
 

ReleaseNotes1910

Official files on SourceForge:
https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134

Tiki 1.9.10.1 (a quickfix of never released 1.9.10) was released by Louis-Philippe Huberdeau and Marc Laporte on 2008-02-23.

Compared to 1.9.9, this release contains 78 code commits by franck, lphuberdeau, luciash, marclaporte, mose, nkoth and sylvieg from 2007-12-22 to 2008-02-23.

The main purposes of this release are:

  1. Fix bugs introduced in 1.9.9
  2. Deal with a Cross Site Scripting (XSS) vulnerability reported by Fortify Software .
  3. Make TikiWiki more secure against future potential vulnerabilities (hardened TikiWiki)

Regression bugs introduced in 1.9.10.1 (which were ok in 1.9.9)

Image
(07:01:41) peter__: Hello
(07:03:16) peter__: Just installed Tiki and now have the problem that the registration code as image does not show up (tiki-random_number). Any suggestions?
(07:04:35) sylvieg: check you have imagick or gd installed
(07:05:32) peter__: gd is installed and for example pictures are shown in galleries.
(07:17:38) marclaporte: peter__: which version?
(07:17:55) marclaporte: I saw a bug fix to that file recently (dunno if related)
(07:29:47) lphuberdeau_: problem introduced in 1.9.10 or 1.9.10.1 with the additional checks
(07:30:06) lphuberdeau_: fix is in CVS, was waiting for more reports before making an other release
(07:32:51) lphuberdeau_: tiki-login_validate.php and tiki-random_num_img.php were modified since the release
(07:33:58) marclaporte: you can get them here: http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/?pathrev=BRANCH-1-9
(08:29:06) peter__: lphuberdeau_: Thanks for the hint!
(08:39:48) peter__: Report: tiki-login_validate.php and tiki-random_num_img.php from CVS fixed the problem with the registration code image. Thanks.


This was a bug introduced while making Tiki more secure (a little too secure in this casesmile). Below are the tweaks needed to be done to 1.9.10.1:

http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/tiki-login_validate.php?r1=1.9.2.10&r2=1.9.2.11&pathrev=BRANCH-1-9
http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/tiki-random_num_img.php?r1=1.5.2.3&r2=1.5.2.4&pathrev=BRANCH-1-9

Security

  • Improving input sanitizer. Thank you to Fortify software for reporting a cross-site scripting (XSS) vulnerability in tiki-edit_article.php .
    Note: Until you upgrade, workaround is to not permit non-trusted users to add/edit articles, or to deactivate the articles feature altogether.
  • New pre-emptive securitycheck.php script. This check, which is now part of the release procedures, checks every single potentially dangerous file (.php, .sh, etc) to make sure it follows some basic checks (such as: a feature check, permission check, verify that it can't be called directly if it shouldn't, etc.). If you are not using feature X you will no longer potentially be affected in a security issue which is discovered in a feature using that file. If you are using that feature, you can turn it off until you upgrade.
  • Adding feature and permission checks to all files to comply with the securitycheck.php script described above.
  • Developer scripts now have extra protection to make sure they can't be run from the web (on a badly configured server).
  • Some useless files were deleted.

Fixes

  • Fix a username/password/registration bug issue which was introduced in 1.9.9.
  • Image Gallery : Fixed the next-prev glitch which was introduced recently.
  • Various fixes to Live Support feature .
  • Various fixes to InterTiki feature
  • Forums : Prevent forum pruning from removing comments as well, or from other forums.
  • Fixes to "thumbnail" plugin

Enhancements

  • Better handling of usernames with special characters
  • tiki-contact.php has anti-bot protection
  • Some administrative fixes and enhancements to the release, security and developer scripts.
  • New "superscript" plugin to make easy superscript in wiki page, without using html, like subscript plugin.


Full Changelog

For all changes, see: http://tikiwiki.org/changelog

Subscribe to Tiki Newsletters! [Toggle] [Toggle Vertically]

Delivered fresh to your email inbox!
Newsletter subscribe icon
Don't miss major announcements and other news!
Contribute to Tiki

Why Register? [Toggle] [Toggle Vertically]

Register at tiki.org and you'll be able to use it at any *.tiki.org site, thanks to the InterTiki feature. A valid email address is required to receive site notifications and occasional newsletters. You can opt out of these items at any time.

Shoutbox [Toggle] [Toggle Vertically]

Torsten Fabricius, 09:54 UTC, Wed 19 Feb 2014: Hello everybody, please mind the ((TikiFestSysadmin2014)) in August. Mainly meant for the Sysadmins, which are located in and near Germany (and France), active community members from Canada are expected to be attending.
luciash d' being, 12:28 UTC, Wed 01 Jan 2014: Happy New Year ! :-)
luciash d' being, 14:00 UTC, Sun 27 Oct 2013: @ricks99: there is a regression bug in Tiki resetting the avatars to the default one imho
Rick, 16:56 UTC, Wed 31 Jul 2013: What happened to the avatars?
Jonny Bradley, 12:44 UTC, Wed 10 Apr 2013: Biggest TikiFest in ages starts tomorrow [Link]