ReleaseNotes184

Tiki admins running 1.8x are strongly urged to upgrade to this version due to a vulnerability in versions 1.8 through 1.8.3 that allows individual wiki page permissions to be bypassed. Several path disclosure vulnerabilities have also been removed in the smarty_tiki area.

Terence, aka teedog, was the coordinator of this release.

Some links for more information about this release

• SF release info
• ReleaseProcess184

Upgrade instructions

Those on ReleaseNotes181 should help.

Bugs known to have been introduced in this version

None yet

Security

• Fixed custom permissions on Wiki pages could be tricked to go back to global permissions mose

Resolved bugs and misbehaviors since 1.8.3

• Fixed articles wiki plugin which ignored real number of comments and displayed 0 comments all the time 😉 luci
• Fixed version conflicts related to wiki tag restorations teedog
• admin-assignuser.php: if a default group has not been set, a blank entry should be displayed teedog
• minicallib.php: fixed a typo in a db query - gmuslera
• tiki-edit_submisson.php: fixed bugged display of the rating field when selecting article type "Review" teedog
• Bug #973561: workaround for environments where $_SERVER['SERVER_NAME'] is undefined teedog
• SF BUG 818569: RSS with authentication ohertel
• cosmetic fix: don't display reply icon in forum threads if user has no permission to post teedog
• forum stats aren't updated after moving a thread (until someone enters the affected forum) teedog
• bug #894670: wiki edit permission should not depend on global wiki view permission if individual permissions are assigned for a wiki page teedog
• bug #962993: duplicate version numbers when editing wiki pages teedog
• bug #961711: broken find function for orphan wiki pages teedog
• bug #930209: tracker categorization broken on tiki-admin_trackers.php teedog
• bug #924502: parse_url() seems to be more robust than basename(); avoid login problems when tiki-index.php is the DirectoryIndex teedog
• bug where current page gets deleted without a trace when rolling back to a previous version, resulting in the inability to undo a rollback and a gap in version numbers teedog
• bug #924985: the CATEGORY() plugin couldn't handle type=directory or type=forum teedog
• a forum home is selected even when none is set in Admin/Forums teedog
• bug #898860: the directory category removal function leaves all kinds of zombie subcategories and member sites teedog
• Rewrote large part of the buggy wiki edit-conflict code which should fix bug #872234 and several other edit-conflict related problems. teedog
• users logging in from the Tiki homepage are not sent to their group homepages teedog
• users logging in from wiki pages are always sent to the wiki homepage teedog
• inner boxes created by embedding the BOX plugin within each other had messed up line spacing teedog
• the author of a shoutbox msg changes to the shoutbox admin who edits the msg teedog
• the name inputted by an anonymous user in Live Support is lost teedog
• Path disclosure fixes in the smarty_tiki area. Damian
• Fixed overlib tooltip width in moreneat.css teedog
• Scrollbar of the textarea no longer jumps to the top after using a quicktag teedog
• Fixed bug where removing any parent categories of an object causes the object to become uncategorized even if there are other parent categories teedog

Other changes

• Diff engine replaced with LGPL codet to resolve license issue teedog