Loading...
 

ReleaseNotes1910

Regression bugs introduced in 1.9.10.1 (which were ok inĀ 1.9.9)

Image
Copy to clipboard
(07:01:41) peter__: Hello (07:03:16) peter__: Just installed Tiki and now have the problem that the registration code as image does not show up (tiki-random_number). Any suggestions? (07:04:35) sylvieg: check you have imagick or gd installed (07:05:32) peter__: gd is installed and for example pictures are shown in galleries. (07:17:38) marclaporte: peter__: which version? (07:17:55) marclaporte: I saw a bug fix to that file recently (dunno if related) (07:29:47) lphuberdeau_: problem introduced in 1.9.10 or 1.9.10.1 with the additional checks (07:30:06) lphuberdeau_: fix is in CVS, was waiting for more reports before making an other release (07:32:51) lphuberdeau_: tiki-login_validate.php and tiki-random_num_img.php were modified since the release (07:33:58) marclaporte: you can get them here: http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/?pathrev=BRANCH-1-9 (08:29:06) peter__: lphuberdeau_: Thanks for the hint! (08:39:48) peter__: Report: tiki-login_validate.php and tiki-random_num_img.php from CVS fixed the problem with the registration code image. Thanks.


This was a bug introduced while making Tiki more secure (a little too secure in this casesmile). Below are the tweaks needed to be done to 1.9.10.1:

http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/tiki-login_validate.php?r1=1.9.2.10&r2=1.9.2.11&pathrev=BRANCH-1-9
http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/tiki-random_num_img.php?r1=1.5.2.3&r2=1.5.2.4&pathrev=BRANCH-1-9

Security

  • Improving input sanitizer. Thank you to Fortify software for reporting a cross-site scripting (XSS) vulnerability in tiki-edit_article.php.
    Note: Until you upgrade, workaround is to not permit non-trusted users to add/edit articles, or to deactivate the articles feature altogether.
  • New pre-emptive securitycheck.php script. This check, which is now part of the release procedures, checks every single potentially dangerous file (.php, .sh, etc) to make sure it follows some basic checks (such as: a feature check, permission check, verify that it can't be called directly if it shouldn't, etc.). If you are not using feature X you will no longer potentially be affected in a security issue which is discovered in a feature using that file. If you are using that feature, you can turn it off until you upgrade.
  • Adding feature and permission checks to all files to comply with the securitycheck.php script described above.
  • Developer scripts now have extra protection to make sure they can't be run from the web (on a badly configured server).
  • Some useless files were deleted.

Fixes

  • Fix a username/password/registration bug issue which was introduced in 1.9.9.
  • Image Gallery: Fixed the next-prev glitch which was introduced recently.
  • Various fixes to Live Support feature.
  • Various fixes to InterTiki feature
  • Forums: Prevent forum pruning from removing comments as well, or from other forums.
  • Fixes to "thumbnail" plugin

Enhancements

  • Better handling of usernames with special characters
  • tiki-contact.php has anti-bot protection
  • Some administrative fixes and enhancements to the release, security and developer scripts.
  • New "superscript" plugin to make easy superscript in wiki page, without using html, like subscript plugin.


Full Changelog

For all changes, see: http://tikiwiki.org/changelog

Created by: Last Modification: Friday 20 September 2019 16:15:34 GMT-0000 by drsassafras
List Slides