[pmwiki-users] PmWiki 2.2.35 released: Security update

Rogutės Sparnuotos rogutes at googlemail.com
Fri Nov 11 12:07:57 CST 2011


If your site can be edited by anyone you do not entirely trust (or could
have been in its lifetime), you must do one of these:
1. Upgrade.
2. Patch scripts/pagelist.php (look at Petko's commits in svn).
3. Disable pagelists and search.
4. Disable editing, but grep for abnormalities beforehand, e.g.
   grep -Pr 'order=[^-\w]+' wiki.d

Bad things will happen otherwise.

-- 
--  Rogutės Sparnuotos

Hladůvka Jiří (2011-11-11 18:17):
> Hello,
> the site which I administer works nicely with version 2.2.25.
> From version 2.2.32 they do not show correctly Slovak characters
> as "á", "ť" and others. I always have to go back to 2.2.25.
> The pages are mostly built on pagelists and disabling the pagelists
> would totally destroy their functionality.
> 
> citation:
> "Migration of existing wikis from an older encoding to UTF-8
> shouldn't be rushed: it is not trivial and will be documented in the
> future. "
> 
> Can you estimate some date when the documentation is ready, please?
> Will this remove my problem with national Slovak and Czech characters?
> 
> Thanks for your excellent work, Petko,
> best regards,
> Jiri
> 
> 
> On 11.11.2011 16:26, Petko Yotov wrote:
> >Hello. PmWiki version 2.2.35 was published today, and is available at:
> >
> >   http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.35.tgz
> >   http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.35.zip
> >    svn://www.pmwiki.org/pmwiki/tags/latest
> >
> >This release fixes a critical PHP injection vulnerability discovered today.
> >PmWiki versions 2.2.X, 2.1.X, 2.0.X and 2.0.beta33 and newer are vulnerable.
> >When you upgrade, please read carefully the Release notes for all PmWiki
> >versions since yours.
> >
> >If you cannot upgrade, it is recommended to disable Searches at the earliest
> >opportunity (even if your wiki skin doesn't have a search form). Add to
> >config.php such a line:
> >
> >   if ($action == 'search') $action = 'browse';
> >
> >If your old version wiki allows editing by not entirely trusted visitors, even
> >on limited pages like a WikiSandbox, you should also disable PageLists. Add to
> >config.php this line:
> >
> >   $EnablePageList = 0;
> >
> >This version has an important change for international wikis: the XLPage()
> >function no longer loads encoding scripts such as xlpage-utf-8.php. When you
> >upgrade, you need to include those scripts from config.php, before calling
> >XLPage():
> >
> >   include_once("scripts/xlpage-utf-8.php"); # if your wiki uses UTF-8
> >   XLPage('bg','PmWikiBg.XLPage');
> >
> >All links can now have tooltip titles. Previously, only images and external
> >links could have tooltip titles, now this feature is enabled for internal
> >links. To set a tooltip title, add it in quotes after the link address:
> >
> >   [[Main.HomePage"This is a tooltip title"]]
> >   [[Main.HomePage"This is a tooltip title"|Home]]
> >   [[http://www.pmwiki.org"Home of PmWiki"]]
> >   Attach:image.jpg"Tooltip title of the image"
> >
> >The following new upload extensions were added: svg, xcf, ogg, flac, ogv, mp4,
> >webm, odg, epub. A couple of minor optimizations were added (MarkupExpressions
> >and rendering of page history) and the documentation was updated.
> >
> >Thanks,
> >Petko
> >
> >--
> >Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
> >Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
> >If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades
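
The audit from option 4 at the top of this message, as an added example that is not part of the original posts or of PmWiki: it runs the same check as `grep -Pr 'order=[^-\w]+' wiki.d` without needing `grep -P`, and lists the pages to review by hand. The function names and the sample page files are constructed for illustration; real page files carry more fields.

```shell
#!/bin/sh
# Added example: audit PmWiki page files for unusual order= values.
# \w is spelled out as A-Za-z0-9_ so plain "grep -E" is enough.
PATTERN='order=[^-A-Za-z0-9_]+'

# Print "file:matched text" for every order= value whose first character is
# not a letter, digit, underscore or hyphen, plus up to 40 bytes of context.
scan_order() {
    LC_ALL=C grep -rEo "${PATTERN}.{0,40}" "$1"
}

# Print the names of the flagged pages, one per line, sorted.
flagged_pages() {
    LC_ALL=C grep -rEl "$PATTERN" "$1" | sed 's|.*/||' | sort -u
}

# Build a tiny constructed wiki.d: two ordinary pagelists and one oddity.
# The odd value is a harmless marker, not a working payload.
make_sample() {
    mkdir -p "$1"
    printf 'name=Main.News\ntext=(:pagelist group=Main order=-time count=5:)\n' \
        > "$1/Main.News"
    printf 'name=Main.Index\ntext=(:pagelist order=name,-time:)\n' \
        > "$1/Main.Index"
    printf 'name=Main.WikiSandbox\ntext=(:pagelist order=!!constructed-oddity:)\n' \
        > "$1/Main.WikiSandbox"
}

# Usage: sh audit.sh /path/to/wiki.d
if [ -n "${1:-}" ]; then
    if scan_order "$1"; then
        echo "Review these pages before trusting the wiki:" >&2
        flagged_pages "$1" >&2
    else
        echo "No unusual order= values found in $1" >&2
    fi
fi
```

A hit is only a lead for manual review, and a clean result does not replace the upgrade or the config.php settings quoted above.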



