This release fixes a bug introduced earlier today with HTML entities in XLPages.
This release fixes six potential XSS vulnerabilities, reported by Michael Engelke. The vulnerabilities may affect wikis open for editing and may allow the injection of external JavaScripts in their pages. Public open wikis should upgrade.
A new variable $EnableUploadGroupAuth was added; if set to 1, it allows password-protected uploads to be checked against the Group password.
It is now possible to use @_site_edit, @_site_read, @_site_admin or @_site_upload global passwords in GroupAttributes pages.
A number of other small bugs were fixed, and the documentation was updated.
The major news in this release is a fix of an AuthUser vulnerability.
The vulnerability affects only wikis that (1) rely on the AuthUser core module
for User:Password authentication, -AND- (2) where the PHP installation runs
with the variable "magic_quotes_gpc" disabled.
All PmWiki 2.1.x versions from pmwiki-2.1.beta6 on, all 2.2.betaX, 2.2.0, and
2.2.1 are affected.
The PmWiki SiteAnalyzer can detect if your wiki needs to upgrade:
http://www.pmwiki.org/wiki/PmWiki/SiteAnalyzer
If your wiki is vulnerable, you should do one of the following at the earliest
opportunity:
Alternatively, you can temporarily disable AuthUser until you upgrade.
Note that even if your wiki does not have the AuthUser vulnerability at the
moment, you are strongly encouraged to upgrade to PmWiki version 2.2.2 or
later, as some future configuration of your hosting server might put you at
risk.
This release also comes with minor updates in the local documentation; fixes
were applied for international wikis - notably global variables in
xlpage-utf-8.php and a new variable $EnableNotifySubjectEncode, which allows
e-mail clients to correctly display the Subject header; and a number of other
small bugs were fixed.
This release comes with an updated local documentation; wikiTrails now work cross-group; guiedit.php now produces valid HTML, and other small bugs were fixed. We also added $EnableRedirectQuiet, which allows redirects to take place without any mention of "redirected from page ....".
This is a summary of changes from 2.1.x to 2.2.0.
$BlocklistDownload = array('format' => 'pmwiki');
"@nopass" prior it was done by "nopass"
passwdread=nopass: by passwdread=@nopass (see PITS:00961) --isidor
$LinkWikiWords or $EnableWikiWords to 1. To get the 2.1 behavior where WikiWords are spaced and parsed but don't form links, use the following:
$EnableWikiWords = 1;
$LinkWikiWords = 0;
$EnableWSPre=0; to disable this rule.
$EnableWSPre=1; in local/config.php.
$ROSPatterns variable has changed somewhat -- replacement strings are no longer automatically passed through FmtPageName() prior to substitution (i.e., it must now be done explicitly).
(:include:) pages are now treated as relative to the included page, instead of the currently browsed page. In short, the idea is that links and page variables should be evaluated with respect to the page in which they are written, as opposed to the page in which they appear. This seems to be more in line with what authors expect. There are a number of important ramifications of this change:
{*$var} form of page variable, which always refers to "the currently displayed page". Pages such as Site.PageActions and Site.EditForm that are designed to work on "the currently browsed page" should generally switch to using {*$FullName} instead of {$FullName}.
{$var} references to be {*$var} instead.
$EnableRelativePageVars = 1; in local/config.php to see how a site will react to the new interpretation. Administrators should especially check any customized versions of the following:
(:include:) directive now has a basepage= option whereby an author can explicitly specify the page upon which relative links and page variables should be based. If no basepage= option is specified, the included page is assumed to be the base.
(:include:) and other items can set $Transition['version'] = 2001900; to automatically retain the 2.1.x defaults.
(:include:) can contain "immediate substitutions" of the form {$$option} -- these are substituted with the value of any options provided to the include directive.
$ScriptUrl and $PubDirUrl.
$EnableLinkPageRelative option allows PmWiki to generate relative urls for page links instead of absolute urls.
$EnableDrafts is set, then the "Save" button is relabeled to "Publish" and a "Save draft" button appears. In addition, an $EnablePublishAttr configuration variable adds a new "publish" authorization level to distinguish editing from publishing. See PmWiki:Drafts for more details.
{$:var} "page text variable" available that is able to grab text excerpts out of markup content. For example, {SomePage$:Xyz} will be replaced by a definition of "Xyz" in SomePage. Page text variables can be defined using definition markup, a line beginning with the variable name and a colon, or a special directive form (that doesn't display anything on output):
:Xyz: some value # definition list form Xyz: some value # colon form (:Xyz: some value:) # directive form
(:pagelist:) command can now filter pages based on the contents of page variables and/or page text variables. For example, the following directive displays only those pages that have an "Xyz" page text variable with "some value":
(:pagelist $:Xyz="some value":)
(:pagelist $Title=A* :)
(:pagelist) can be used to filter pages based on conditional markup:
(:pagelist if="auth upload {=$FullName}":) pages with upload permission
(:pagelist if="date today.. {=$Name}":) pages with names that are dates later than today
{$PageCount}, {$GroupCount}, {$GroupPageCount} variables used in pagelist templates are now {$$PageCount}, {$$GroupCount}, {$$GroupPageCount}.
{$$option} in a pagelist template to obtain the value of any 'option=' provided to the (:pagelist:) command.
(:pagelist:) directive no longer accepts parameters from urls or forms by default. In order to have it accept such parameters (which was the default in 2.1 and earlier), add a request=1 option to the (:pagelist:) directive.
count= option to pagelists now accepts negative values to count from the end of the list. Thus count=5 returns the the first five pages in the list, and count=-5 returns the last five pages in the list. In addition, ranges of pages may be specified, as in count=10..19 or count=-10..-5.
(:template first ...:) and (:template last ...:) sections to specify output for the first or last page in the list or a group. There's also a (:template defaults ...:) to allow a template to specify default options.
(:pagelist:) directives, to speed up processing on subsequent visits to the page. To enable this feature, set $PageListCacheDir to the name of a writable directory (e.g., work.d/).
(:if ...:) conditional markup now also understands (:elseif ...:) and (:else:). In addition, markup can nest conditionals by placing digits after if/elseif/else, as in (:if1 ...), (:elseif1 ...:), (:else1:), etc.
(:if date ...:) conditional markup can now perform date comparisons for dates other than the current date and time.
(:if ontrail ...:) condition allows testing if a page is listed on a trail.
{$PasswdRead}, {$PasswdEdit}, etc. variables that display the current password settings for a page (assuming the browser has attr permissions or whatever permissions are set in $PasswdVarAuth).
(:input:) markup has been internally refactored somewhat (and may still undergo some changes prior to 2.2.0 release). The new (:input select ...:) markup can be used to create select boxes, and (:input default ...:) can be used to set default control values, including for radio buttons and checkboxes.
(:input textarea:) markup now can take values from other sources, including page text variables from other pages.
focus=1 on an (:input:) control causes that control to receive the input focus when a page is loaded. If a page has multiple controls requesting the focus, then the first control with the lowest value of focus= "wins".
include_once('scripts/creole.php') to a local customization file.
{(...)} markup expression capability, which allows various simple string and data processing (e.g., formatting of dates and times). This is extensible so that recipe authors and system administrators can easily add custom expression operators.
$AutoCreate['/^Category\\./'] = array('ctime' => $Now);
$WikiWordCount'WikiWord' to -1 to indicate that 'WikiWord' should not be spaced according to $SpaceWikiWords.
[[Group.]] and [[Group/]]) will now go to the first valid entry of $PagePathFmt, instead of being hardcoded to "Group.Group". For example, to set PmWiki to default group home pages to $DefaultName, use
$PagePathFmt = array('{$Group}.$1', '$1.{$DefaultName}', '$1.$1');
This version backports from 2.2.0-beta a bugfix for $TableRowIndexMax and also support for the {*$Variable} markup.
This version fixes a bug in feeds.php that would cause feed entries to be mixed up.
This release fixes a bug in authuser.php introduced by the 2.1.24 release.
The skin template code has also been extended to allow <!--XMLHeader--> and <!--XMLFooter--> as aliases for <!--HTMLHeader--> and <!--HTMLFooter-->.
This release makes some improvements and fixes to the AuthUser
capability.
A bug in authuser.php that had trouble dealing with non-array values in $AuthUser has been fixed.
It is now possible to specify group memberships from local/config.php (remember that such entries must come before including the authuser.php script):
# alice and bob's passwords
$AuthUser'alice'? = crypt('alicepassword');
$AuthUser'bob'? = crypt('bobpassword');
# members of the @writers and @admins groups
$AuthUser'@writers'? = array('alice', 'bob');
$AuthUser'@admins'? = array('alice', 'dave');
# carol is a member of @editors and @writers
$AuthUser'carol'? = array('@editors', '@writers');
AuthUser can now read from Apache-formatted .htgroup files. The location of the .htgroup file can be done either in local/config.php or Site.AuthUser
# local/config.php:
$AuthUser'htgroup'? = '/path/to/.htgroup';
# Site.AuthUser
htgroup: /path/to/.htgroup
This release closes a potential security vulnerability for sites
that are running with 'register_globals' set to on. Details of
the vulnerability will be forthcoming on the mailing list
and site.
Sites that are running with PHP 'register_globals' and 'allow_url_fopen'
set to 'On' should upgrade to this release at the earliest
opportunity. If upgrading isn't an option, contact Pm for
a patch to older versions.
There is now a tool available to analyze PmWiki sites for security
and other configuration settings, see PmWiki:SiteAnalyzer.
Version 2.1.23 also corrects a bug that prevented PmWiki from being
able to read pagefiles created by versions of PmWiki before 0.5.6.
More minor bugfixes:
(:attachlist:) markup.
This release provides a number of very minor bugfixes and
enhancements:
The next release(s) may have a number of substantial code
enhancements and changes, so this release simply closes out
a few items before introducing those changes.
This release closes a potential cross-site scripting vulnerability
that could allow authors to inject Javascript code through the
various table markups.
The release also adds a new (:input image:) markup to generate
image input tags in forms.
Finally, this release corrects a problem with ?action=print
failing to properly set the {$Action} page variable.
This release fixes a long-standing bug with $EnableIMSCaching
(PITS:00573), whereby login/logout operations wouldn't invalidate
browser caches, causing some people to see versions of a page prior
to the login/logout taking place.
The new IMS caching code maintains a "imstime" cookie in the
visitor's browser that keeps track of the time of last login,
logout, author name change, or site modification. This cookie
is then used to determine the proper response to browser requests
containing If-Modified-Since headers. (Previously only the
time of the last site modification was available.)
Browsers which do not accept cookies will effectively act as
though IMS caching is disabled.
This release makes some improvements to skin handling -- primarily
this improves the capability of relocating skin files to other
locations, and to provide the ability for recipes to insert items
at the end of HTML output.
This release introduces a <!--HTMLFooter--> directive into
skin templates, which allows recipes and local
customizations to insert output near the end of a document
using a $HTMLFooterFmt array from PHP.
Also, the <!--HeaderText--> directive, which inserts the
contents of $HTMLHeaderFmt into the output, has now been
renamed to <!--HTMLHeader-->. PmWiki will continue to
recognize <!--HeaderText--> to preserve compatibility with
existing skins, but <!--HTMLHeader--> is preferred.
A new $SkinLibDirs array has been introduced which allows
the source locations and urls for skins to be specified from
a customization file. By default $SkinLibDirs is set as
$SkinLibDirs= array("./pub/skins/\$Skin" => "$PubDirUrl/skins/\$Skin", "$FarmD/pub/skins/\$Skin" => "$FarmPubDirUrl/skins/\$Skin");
The keys (on the left) indicate the places to look for a "skin .tmpl
file" in the filesystem, while the values (on the right) indicate the
url location of the "skin css file". Modifying the value of
$SkinLibDirs allows a skin .tmpl file to be located anywhere on the
filesystem.
As far as I can see, none of the changes introduced by this
release should have any sort of negative impact on existing
sites, so it should be safe to upgrade. (If I'm wrong, please
let me know.)
This release includes a number of feature enhancements and code cleanups
as reported or requested by administrators.
First, AuthUser's LDAP authentication system now allows the use of
a ?filter parameter, consistent with urls used for mod_auth_ldap
authorization in Apache. See the newly updated LDAP section of the
AuthUser documentation for more details.
A chicken-and-egg problem with the @_site_* authorization groups
has been resolved. It's now possible to have a page's read authorization
refer to things such as _site_edit.
Also, the RetrieveAuthPage() function -- used for retrieving pages only
if the visitor is authorized to do so -- now recognizes a special
level parameter of 'ALWAYS', which means to always authorize access
regardless of the browser or visitors current permissions. This
may be useful for allowing certain operations to take place from
within trusted scripts without having to grant full authorization
to the browser.
Hardcoded instances of the local/ directory now use a
customizable $LocalDir variable. This variable controls where
PmWiki looks for local/config.php and per-group customization
files. It may be useful for some Wiki Farm contexts. Note that
this does not change or affect the location of
$FarmD/local/farmconfig.php.
Some minor internal changes have been made to
scripts/wikistyles.php to better accommodate the
wikipublisher recipe. It's probably better if we don't try
to explain them. :-)
This release fixes a bug in handling numeric passwords, and also
allows ldaps:// authentication sources.
This version introduces the ability to nest divs and tables.
The standard (:table:) and (:div:) markups are still
available, except that a (:div:) may contain a (:table:)
and vice-versa.
As in previous versions of PmWiki, the (:div:) markup
automatically closes any previous (:div:). However, there
are now (:div1:), (:div2:), etc. markups (and the
corresponding (:div1end:), (:div2end:), ...) which can be
used to uniquely distinguish divs for nesting purposes.
To restore PmWiki's previous "non-nested" div behavior, set
$Transition'nodivnest'? = 1; in a local customization file.
Other changes in this release:
(:noaction:) directive to suppress display of page actions.
This is a minor update that prevents %define=% wikistyles
from generating empty paragraphs in the HTML output. Prior to
this release, markup lines containing only wikistyle definitions
would often generate empty paragraphs (<p></p>), this release
changes things so that a markup line beginning with %define=
and containing only wikistyle definitions will not initiate
a new paragraph.
Version 2.1.4 introduced an {$Action} page variable that would
contain the current ?action= value. Unfortunately, this page
variable conflicted with a pre-existing $Action global variable
that was being used by skins to display a human-friendly form of
the current action. Since there's not really a clean way to resolve
this, I've decided to keep {$Action} as a page variable
with the current action value (as introduced in 2.1.4), and change
the global for skins to be $ActionTitle. This will require updating
skins to use $ActionTitle instead of $Action. I apologize for the
conflict.
This release adds a Site.LocalTemplates page for the fmt=#xyz
option in pagelist and search results. The list of pages to be
searched can be customized via the $FPLTemplatePageFmt variable.
The fmt=#xyz option will now also search the current page for
a matching template before searching Site.LocalTemplates
and Site.PageListTemplates.
The 'pmwiki' skin now places a <span> around the "Recent Changes"
link in the header to make it somewhat easier to style.
This release fixes a long-standing and difficult-to-find bug with
the handling of [[~Author]] links.
This release simply changes the $NotifyListFmt variable to be
$NotifyListPageFmt (more descriptive), and adds a $NotifyList
array that can be used to specify notification entries from
a configuration file.
This release introduces a variety of improvements and bugfixes.
Vspace paragraphs are now divs:
Version 2.1.7 changes the way that PmWiki handles vertical
space in output (the infamous <p class='vspace></p> sequence).
Instead of using paragraphs, PmWiki now generates
<div class='vspace'></div> for vertical space sequences.
In addition, PmWiki is able to collapse the vspace <div> with
any subsequent paragraph tags, such that a sequence like
<div class='vspace></div><p>...paragraph text...</p>
is automatically converted to
<p class='vspace'>...paragraph text...</p>
This allows for better control over paragraph spacing. It is
expected that this change in vspace handling will not have
any detrimental effects on existing sites. Sites that have
set custom values for $HTMLVSpace will continue to use the
custom value. A site that wants to restore PmWiki's earlier
handling of vspace can do so by adding the following to
local/config.php:
$HTMLVSpace = "<p class='vspace'></p>";
Improved email notifications of changes: Version 2.1.7
incorporates a notify.php script that provides improved
capabilities for sending email notifications in response to
page changes. This script is intended to replace the previous
MailPosts capability, which is now deprecated (but will
continue to be supported in PmWiki 2.1.x). Details and
instructions for using notify.php are in the PmWiki.Notify page.
Added 'group home page' syntax: A group name followed
by only a dot or slash is automatically treated as a reference
to the group's home page, whatever it happens to be. This simplifies
some pagelist templates as well as a number of other items.
In particular, group links in pagelist output now points to the
correct locations (instead of being a page in the current group).
Several bugs and vulnerabilities have been fixed:
The primary improvement in this release is the addition of
a pagename argument to the (:if auth:) conditional markup.
Thus one can display markup based on a visitor's authorization
to a page other than the current one. For example, to test
for edit privileges to Main.WikiSandbox, one would use
(:if auth edit Main.WikiSandbox:). As before, if the
pagename is omitted the directive tests authorization to
the current page.
This release also restores the ability to have hyphens in
InterMap link names.
Lastly, the release closes a potential cross-site scripting
vulnerability in the WikiTrail markup, and provides some small
performance improvements.
This release fixes a few more bugs:
The release also adds a couple of items:
{$Action} page variable.
(:attachlist:) command now uses a natural case sort.
This release fixes a bug that prevents the lines= option from
working on sites running PHP 5.1.1 or later. It also re-fixes
a bug involving empty passwords and LDAP authentication.
This release fixes a bug with handling "nopass" passwords. It also
makes some speed improvements to large web feeds, and fixes a couple
of minor HTML tag mismatches.
This release primarily fixes a bug with passwords containing
multiple authorization groups, and in the process slightly liberalized
the formatting of "@group" and "id:name" handling. This release also
adds a new mechanism for managing and displaying FAQ pages.
This set of release notes is fairly lengthy, as it chronicles all of the changes since 2.0.13 (four months of development). A lot remains the same, but some changes warrant extra care when upgrading from a 2.0.x version to 2.1.0 (thus the major revision number change). As always, questions and issues can be mailed to the pmwiki-users mailing list.
Here's the list:
$LinkWikiWords = 1;" in a local customization file. As of 2.1.beta2, you can now leave WikiWords enabled but have links to non-existent pages display without decoration -- to do this, place the following lines in pub/css/local.css:
span.wikiword a.createlink { display:none; }
span.wikiword a.createlinktext
{ border-bottom:none; text-decoration:none; color:inherit; }
(:pagelist:) code has been substantially revised. Pagelist formatting can now be specified using markup, and several defaults are available from Site.PageListTemplates. Also, several built-in pagelist formatting functions (FPLSimple, FPLByGroup, FPLGroup) are now removed in favor of the template code. The FPLByGroup function can be restored by setting $Transition'fplbygroup'?=1; . Remark: Check to see if your page Site.PageListTemplates is not passwordprotected for viewing, otherwise the resulting pagelist will not be shown.
(:pagelist:) now also understands wildcards in group= and name= arguments, as well as excluding specific names and groups.
(:pagelist:) now has an "order=random" option.
(:searchbox:) now accepts "group=", "link=", "list=", etc. options to be passed along to the search results. It also accepts a "target=" option that identifies the page on which to send the search query.
?action=search will display the contents of the current page if it contains a (:searchresults:) directive, otherwise it uses the content of the page identified by $PageSearchForm (default is the search page for the current language translation).
$PageIndexFile='';
$EnablePageListProtect variable now defaults to true, so that read-only pages appear in pagelists only if the visitor has read authorization. Note that this can also slow down some (:pagelist:) and search commands, so if the site doesn't have any read-only pages or if you aren't worried with cloaking read-only pages from searchlists, it might be worth setting $EnablePageListProtect=0; .
(:linebreaks:) directive is honored. To turn off whitespace indentation, use DisableMarkup('^ws');.
!!Heading is silently ignored.
(:redirect:) directive is now a true markup, and can be embedded inside conditional markups or includes. It also allows redirecting to an anchor in a page, such as (:redirect PageName#anchor:). A new from= option allows the redirect to take place only from pages that match the given wildcard specification. The status= option allows a 301, 302, 303, or 307 HTTP status code to be returned.
$EnableSessionPasswords variable can be used to control whether passwords are held in PHP sessions. (This does not affect user authentication via AuthUser, however.)
$AuthId if not otherwise set by a script or cookie.
$DefaultPasswords'edit'?).
$EnableDrafts = 1. This creates a "Save as draft" button that will save a page under a "-Draft" suffix, for intermediate edits.
[[PageName |+]] markup is now available by default; this creates a link to PageName and uses that page's title as the link text.
{$variable} syntax, and can be used in markup and in $...Fmt strings. In addition, one can request a value for a specific page by placing the pagename in front of the variable, as in {pagename$variable}.
?action=atom), Dublin Core Metadata (?action=dc) output, and enclosures for podcasting. It also allows feeds to be generated from trails, groups, categories, and backlinks, and provides options (same as pagelists) for sorting and filtering the contents of the feed. Most sites can simply switch to using include_once("scripts/feeds.php"); instead of the previous rss.php include. The rss.php file has been removed from the distribution (but still works with PmWiki 2.1 for those sites that wish to continue using it).
$EnableIMSCaching variable is now much smarter, it can detect changes in local customization files as well as pages.
%class1 class2% results in class='class1 class2' instead of just class='class2' in the output.
(:include PageName#from#:) markup not working has been fixed (PITS:00560).
[[#anchor]] is used more than once in a page, only the first generates an actual anchor (to preserve XHTML validity).
(:if equal ...:) and (:if exists pagename:) conditional markups.
(:if [ group PmWiki && ! name PmWiki ] :) .
$UploadUrlFmt is now based on $PubDirUrl instead of $ScriptUrl.
Wiki administrators should note that from this release on PmWiki defaults to having WikiWords disabled.
To make sure WikiWords are enabled, use $LinkWikiWords = 1; in
the local/config.php file.
Bugs and other requests can be reported to the PmWiki Issue Tracking
System at http://www.pmwiki.org/wiki/PITS/PITS. Any help
in testing, development, and/or documentation is greatly appreciated..
Release Notes archive - notes for versions older than 2.1.0.