Geeklog History/Changes:
??? ??, 2013 (2.1.0)
------------
- Integrated Caching Template Library originally developed by Joe Mucchiello [Tom]
- Support for themes to specify a default theme. The default theme's template
and CSS files will be used unless they are included in the new theme directory
[Tom]
- Added configurable caching support for blocks (regular and gldefault),
staticpages and articles [Tom]
- Speed increases by caching topic tree structure [Tom]
- What's Related article block now includes all Topics. Can set length of titles
[Tom]
- Articles now list what Topics they are filed under. [Tom]
- New related_topics autotag. It displays all topics an item belongs to. [Tom]
- New related_items autotag. It displays all other related items based on what
topics the defined item belongs to [Tom]
- Updated Command & Control layout. Plugins can now be organized into groups.
[Tom]
- New OAuth login methods supported (Google, Microsoft, Yahoo). OAuth support
now includes 1.0, 1.0a, and 2.0 (depends on what the provider supports) [Tom]
- JavaScript and CSS can now be loaded in a specified order. [Tom]
- Numerous fixes for multi-language support [Tom]
- Added CKEditor 4.3.2 as the default advanced editor for Geeklog [Dengen]
- New article render which keeps entities etc. from showing up where they
shouldn't [Dengen]
- New Advanced Editor System that allows developers to easily add new
JavaScript editors [Dengen]
- Article, Staticpages, Poll and Topic IDs can now be 128 characters long [Tom]
- User Login page now can be accessed directly without first displaying a login
error message [Tom]
- Fixed deadlock issues with the session table [Tom]
- Updated Hebrew language files, provided by LWC
- jQuery can now be included in the header [Tom]
- Updated to jQuery 1.10.2 and jQuery UI to 1.10.3 [Tom]
- Added a Filemanager [Kenji ITO]
- Added timepicker jQuery control [Dengen]
Mar 29, 2013 (2.0.0)
------------
- Fix for expiry check when 24 hour clock used [Dirk]
- Error message is displayed when user tries to access a topic that does not
exist [Tom]
- Additional checks added to make sure user has read access to topics. If not
then changed to all topics [Tom]
- Fixed SQL error dealing with article directory and all topics (bug #0001570)
[Tom]
- H tags now display correctly in articles for modern_curve theme (bug #0001569)
[Dengen]
- Owner of article can now view his own draft article if comments set to display
on same page (bug #0001568) [Tom]
- Removed leftover 'search_no_data' config option from the database
(bug #0001566) [Dirk]
- Searching for "more from topic" didn't work anymore (bug #0001565, #0001518)
[Dirk]
Mar 8, 2013 (2.0.0rc3)
------------
- jQuery updated to version 1.9.1 [Tom]
- jQuery UI updated to version 1.10.1 [Tom]
- Fixed "Find all postings by ..." on user profile page when search doesn't
allow empty query string (bug #0001565) [Tom]
- Add comments tag to Modern Curve theme to fix jumping to comments section of
article page (bug #0001563) [Tom]
- Added index.html to tooltips directory of modern_curve theme (bug #0001562)
[Kenji]
- Removed Japanese characters in modern_curve CSS files (bug #0001561, patch
provided by taca) [Kenji]
- Fixed a bug where the "More.." tab in the configuration UI does not work correctly
(bug #0001560) [Dengen]
- Updated theme changes for Geeklog 2.0.0 in docs [Tom]
- Update FCKeditor to version 2.6.9 [Dirk]
- Fixed COM_nl2br() that replaces newlines with a line break tag (bug #0001141)
[Tom]
Feb 19, 2013 (2.0.0rc2)
------------
This release addresses the following security issues:
- High-Tech Bridge Security Research Lab reported an XSS in the calendar_type
parameter in the Calendar plugin (HTB23143).
- Trustwave Spiderlabs reported XSS in the install script, the Configuration,
as well as in the Admin interfaces for the Polls plugin and the Topic editor
(TWSL2013-001).
Not security-related:
- jQuery updated to version 1.9.0 [Tom] [Kenji]
- jQuery UI updated to version 1.10.0 [Tom] [Kenji]
- Illegal string offset 'phantom' when using Batch Admin mode (patch #0001558)
[Dirk]
- Optimize 2.0.0 MySQL Topic Upgrade Script (feature request #0001544) [Tom]
- Introduce DB_escapeString (feature request #0001146) [Kenji]
- For articles with 2 or more topics the incorrect topic icon may display in the
parent topic (bug #0001509) [Tom]
- Topic selection is lost when trying to contribute a story as a Story Admin
(bug #0001486) [Tom]
- Staticpage Topic Selection (bug #0001462) [Tom]
- Spam-X plugin: Spam Number of Links (SNL) True, Posted many links users are
blocked. (bug #0001516) [Tom]
- Delete account oauth (bug #0001417) [Tom]
- Can save a staticpage with Add To Menu enabled but no label (bug #0001542)
[Tom]
- Space as decimal separator (bug #0001537) [Tom]
- Replying to a Comment and inputting the incorrect captcha code results in page
in a page (bug #0001527) [Tom]
- Deleting a Comment with a Notification fails (bug #0001529) [Tom]
- CC setting should be an admin option (patch #0001259) [Tom]
- Date validation in advanced search (patch #0000853) [Tom]
- Can not handle Breadcrumbs in custom function mytheme_createHTMLDocument (bug
#0001531) [Tom]
- Update Topic Control Description in Admin Article Editor about Inherit
(feature request #0001489) [Tom]
- Clicking on a user name causes a fatal error (bug #0001514) [Tom]
- Can't edit plugin comment submissions (bug #0001511) [Tom]
- User comment submission does not get deleted. (bug #0001512) [Tom]
- nl2br breaks the HTML compliance (patch #0001141) [Tom]
- Spam-X SFS default change to OFF (feature request #0001488) [Tom]
- Twitter OAuth login Authentication error (bug #0001497) [Tom]
- Trackback SQL Error (bug #0001498) [Tom]
- Articles Feeds should only be updated when needed (feature request #0001501)
[Tom]
- JavaScript error in admin/story.php (bug #0001496) [Yoshinori]
- Default Topic for Article with Multiple Topics is always Used for Anonymous
Users (bug #0001487) [Tom]
- Add HTML 5 DOCTYPE (feature request #0001426) [Yoshinori]
Dec 30, 2012 (1.8.2)
------------
- A remote service user now bypasses current password check when account is
deleted (bug #0001417) [Tom]
- Fixed Twitter OAuth login error after Twitter deactivated some old URLs (bug
#0001497) [Tom]
- $dbconfig_path was not escaped in the install script (bug #0001457, patch
provided by mystral-kk)
- COM_stripslashes will now handle arrays; this was a problem during
re-authentication after a security token expired (bug #0001413) [suprsidr]
- The comment count for a story could be wrong if there was a different object
with the same id and a comment (bug #0001414) [Tom]
- Feeds with the full story text still had a '...' at the end (bug #0001431)
[Jeff Rivett, Tom]
- Allow MIME type application/x-gzip-compressed when uploading a plugin for
installation (bug #0001405) [Dirk]
- Fixed compatibility with MySQL 5.5 (bugs #0001410, #0001456). This also
raises the minimum supported MySQL version to 4.1.2 [Dirk, Tom]
Oct 2, 2012 (2.0.0rc1)
-----------
- You can create a new topic with the same id as another topic (bug #0001472)
[Tom]
- Feed Editor Field "Header-link in topic" Displays None and All Selections
Twice (bug #0001481) [Tom]
- Error when switching themes (bug #0001473) [Yoshinori]
- Config Options for Page Navigation (feature request #0001474) [Tom]
- When upgrading Staticpages Plugin for Geeklog 2.0.0 Topic Assignments are not
set properly (bug #0001475) [Tom]
- Autotags works at block always without Denim (bug #0001471) [Tom]
- The part of the page navigator should do markup by a list. (feature request
#0001422) [Tom]
- Staticpage Template page should display Access Denied message (bug #0001468)
[Tom]
- Calendar plugin install sql zipcode size is too small (feature request
#0001449) [Tom]
- Get rid of the ereg functions (patch #0000967) [Tom]
- Rework COM_siteHeader and COM_siteFooter (feature request #0001358)
[Yoshinori]
- "More ..." link in the configuration doesn't work in IE6-7 (bug #0001466)
[Tom]
Jul 13, 2012 (2.0.0b2)
------------
- rescue.php: add to $config array (feature request #0001463) [Tom]
- Crash with multi-lingual setups (bug #0001465) [Yoshinori]
- Theme: professional_css and modern_curve: Comment submit button always display
(bug #0001464) [Yoshinori]
- Staticpage Menu items only visible to logged-in users (bug #0001461) [Tom]
- Page title inconsistency when anonymous users submit (bug #0001458) [Tom]
- They can have a block and page headers and footers as blankpage will make a
static page to indexpage (bug #0001460) [Tom]
- Fails to upgrade Geeklog with MySQL-5.5.x (bug #0001456) [Tom]
- $dbconfig_path is not escaped (bug #0001457) [Tom]
- Use of microsummaries (bug #0001455) [Dirk]
- add sub-topics (feature request #0001175) [Tom]
- Breadcrumb Root not to use Site Name (feature request #0001454) [Tom]
- Multiple breadcrumbs in stories (bug #0001441) [Tom]
- PUBLIC_HTML/index.php?display=microsummary (bug #0001451) [Tom]
- Typo in function name: SEC_hasConfigAcess (bug #0001446) [Dirk]
- PUBLIC_HTML/index.php?topic=aaaa (bug #0001452) [Tom]
- Bugs crash site and to enable multiple languages (bug #0001450) [Dirk]
- Default Topic for new articles is not selected (bug #0001448) [Tom]
May 24, 2012 (2.0.0b1)
------------
- Created the function COM_createHTMLDocument which replaces COM_siteHeader and
COM_siteFooter (feature request #0001358) [Dengen]
- Fixed issue with $_CONF['left_blocks_in_footer'] and hiding the blocks
(bug #0001316) [Dengen]
- Created a new theme called denim which is based on Responsive Web Design [Dengen]
- Created a new theme called modern_curve which will eventually replace the
professional theme (feature request #0001255) [Rouslan]
- Added Emergency Rescue Tool written by Suprsidr to Geeklog Install [Tom]
- Fixed path issue and changed the order of loading the jQuery css files
in the Scripts class (bug #0001439) [Tom]
- Improve strength of password hashing (feature request #0001384) [Vinny]
- Add IP Address to entries in error.log [Tom]
- Allow markup on page navigation (feature request #0001422) [Tom]
- Failure when trying to report sitemap.xml write error (bug #0001412) [Vinny]
- List dynamic blocks on admin blocks page (feature request #0001434) [Tom]
- Admin Database command fails (bug #0001404) [Dirk]
- DB Backup fails with MySQL 5.5 or later (bug #0001410) [Dirk]
- Gravatar Image Requests (feature request #0001435) [Dirk]
- Can't install plugin by uploading a tarball from a browser in Windows. (bug
#0001405) [Dirk]
- Feed items truncated when Length of entries is 1 (bug #0001431) [Tom]
- Comments Form on same page as story (patch #0000728, provided by dengen)
- Allow Topics to have child Topics [Tom]
- Allow other objects to be associated to Topics (feature request #0001155)
[Tom]
- Allow objects like Articles, Blocks and Staticpages to be associated with
more than one Topic [Tom]
- CC setting should be an admin option (patch #0001259) [Tom]
- Delete account OAuth (bug #0001417) [Tom]
- When saving a Poll in the admin interface the vote count gets reset (bug
#0001419) [Tom]
- Scripts class including theme's style.css (bug #0001407) [Tom]
- Query failed: Syntax error "AS dateFROM" (bug #0001418) [Tom]
- Add $_CONF['linktext_maxlen'] to story configuration panel (patch #0001139)
[Tom]
- Add Breadcrumb Support (feature request #0001062) [Tom]
- Configuration Copyright Year can only accept a number (bug #0001416) [Tom]
- Articles, Blocks, Topics and Core Plugins do not handle a Group being Deleted
(bug #0001397) [Tom]
- Stripslashes() expects parameter 1 to be string, array given lib-common.php
line 5754 (bug #0001413) [Tom]
- Comment Count may be off for Story after Comment Submission (bug #0001414)
[Tom]
- Improved logging of SQL errors to include the function name and line number
(feature request #0001377) [Dirk]
- Add Stop Forum Spam and Spam Number of Links Modules to Spam-X (feature
request #0001378) [Tom]
- Hardcoded strings in Spam-X plugin (patch #0000656) [Tom]
- Added support for MySQLi (patch #0001303, provided by mystral-kk)
Oct 9, 2011 (1.8.1)
-----------
- Fixed exact match censoring option (bug #0001392) [Tom]
- Fixed adding elements to empty Configuration arrays (bug #0001396) [Tom]
- Blank out OAuth consumer key and secret in rootdebug dumps [Dirk]
- Fixed deleting elements from Configuration arrays (bug #0001394, patch
provided by dengen)
- Avoid censoring in What's Related block (bug #0001393) [Tom, Dirk]
- Fixed error message display in admin's user editor when renaming the
userphoto failed [Dirk]
- Don't display details of a failed MS SQL query by default [Dirk]
- Updated Japanese language file, provided by the Geeklog.jp group
Sep 11, 2011 (1.8.1rc1)
------------
- Updated jQuery version to 1.6.3 [Tom]
- Fixed user passwords getting lost when saved from User Admin form (bug
#0001385) [Tom]
- Plugins can now set $_SCRIPTS in plugin_getFooter function (bug #0001383)
[Tom]
- Attempts to display the user profile of the Anonymous user will now be
redirected to the site's main page (cf. bug #0001372) [Dirk]
- Fixed some warnings raised by PHP 5.4 (statically calling non-static methods,
get_magic_quotes_gpc() being deprecated) [Dirk]
- Fixed [code] and [raw] tags no longer escaping content properly (bug #0001368)
[Dirk]
- The {contributedby_anchortag} variable now includes a rel="author" attribute
[Dirk]
- Fixed display of center block staticpage if a staticpage template is used (bug
#0001370) [Tom]
- The admin's user editor no longer loses changes when an error occurred (cf. bug
#0000653) [Dirk]
- Fixed text direction issue with the paths listed on success.php (bug #0001219)
[Dirk]
- Don't display story edit icon when the user doesn't have all the necessary
permissions (bug #0001210) [Dirk]
- Fixed uploading topic images when $_CONF['path_images'] was changed (bug
#0001268) [Dirk]
- Fixed [staticpage_content:] autotag returning empty string for consecutive
calls (bug #0001266) [Dirk]
- Fixed form action URLs in Calendar templates (patch #0001360, provided by
mystral-kk)
- Fixed images not being displayed in story previews (bug #0001367) [Dirk]
- Fixed backslashes in comment titles when magic_quotes_gpc = On (bug #0000941)
[Dirk]
- Removed comment title from the URL to submit a comment (feature request
#0001031) [Dirk]
- Expiry of the security token caused PHP static pages to be escaped (bug
#0001230) [Dirk]
- New Dutch language file for the Spam-X plugin, provided by Zippo
- Updated French language files, provided by Ben
Jun 12, 2011 (1.8.0)
------------
This release includes the results from the 2010 Google Summer of Code project
to improve the Configuration (input validation, searching), implemented by
Akeda Bagus.
Changes since 1.8.0rc2:
- Fixed a path disclosure through JavaScript [Tom]
This issue was present in all previous 1.8.0 betas and release candidates,
so upgrading those to the final 1.8.0 is strongly recommended!
- Updated Italian translation for $LANG_VALIDATION [Rouslan]
- Updated Japanese language files and documentation, provided by the Geeklog.jp
group
Jun 2, 2011 (1.8.0rc2)
-----------
Changes since 1.8.0rc1:
- Fixed translation errors in the German, Serbian, and Slovenian language files
that affected the input validation for the Configuration [Dirk]
- Fixed updating the bundled plugins when upgrading from a Geeklog version
older than 1.5.0 (bug #0001354) [Dirk]
- Fixed incomplete / corrupted siteconfig.php file after an update (bug
#0001353) [Dirk]
- Suppress a warning in the XMLSitemap plugin when using an unsupported
character set [Dirk]
- Fixed plugin update using a cached version of the plugin's old functions.inc
(bug #0001345) [Dirk]
- Fixed plugin update option not reacting for some users (bug #0001344, patch
provided by dengen)
- Fixed a wrong table lock that triggered an SQL error when sending a comment
notification email (cf. bug #0000939) [Vinny]
- Static Pages plugin function plugin_getiteminfo_staticpages did not always
return correct data (bug #0001342) [Tom]
- Fixed Calendar week view date range display on Windows (bug #0001340) [Tom]
- Tweaked font size in Calendar (feature request #0001329) [Tom]
- Updated Japanese language file, provided by the Geeklog.jp group
May 8, 2011 (1.8.0rc1)
-----------
Changes since 1.8.0b2:
- Speed up template class (patch #0001302, provided by mystral-kk)
- Fixed wrong characters in Slovenian UTF-8 language file (fix provided by gape)
- LinkedIn OAuth uses full names for the username now [Dirk]
- Facebook OAuth uses full names for the username now [Tom]
- Various HTML fixes (patch #0001333, provided by dengen)
- Removed array_flip() calls from English language files (feature request
#0001336) [Rouslan]
- Fixed tooltip flicker (bug #0001337, patch provided by dengen)
- Added missing $LANG_VALIDATION['between'] language file entry [Rouslan]
- Fixed OAuth and OpenID accounts logging out after 2 minutes of inactivity
(bug #0001334) [Tom]
Apr 25, 2011 (1.8.0b2)
------------
Changes since 1.8.0b1:
- Fixed post mode being switched when plain text comment was previewed or edited
(bug #0001324) [Tom]
- Sanitize OAuth user data (bug #0001322) [Dirk]
- Fixed HTML errors in Configuration (bug #0001318, patch provided by dengen)
[Tom, Rouslan]
- Added nowrap style to some admin templates for consistency (feature request
#0001321) [Tom]
- Fixed check for wrong edit permission in the Calendar plugin (bug #0001317,
patch provided by dengen)
- Added missing jQuery widgets and effects (bug #0001312) [Tom]
- Fixed missing / in the setJavaScriptFile method (bug #0001315) [Tom]
- Display a warning when JavaScript is required but disabled, e.g. in the
comment form with advanced editor enabled (bug #0001282) [Tom]
- Make sure tooltips are always fully visible (bug #0001304) [Rouslan]
- Added missing images/right_arrow.png for the OpenID login form (bug #0001311)
[Rouslan]
- Don't load style.css if the theme doesn't use it (bug #0001309) [Rouslan]
- Fixed nesting of forms in profile.thtml (bug #0001296) [Tom]
- Fixed plugin install issue with plugins that did not support tabs (bug
#0001305) [Tom]
- Fixed validation of Configuration list entries with numerical values (bug
#0001298) [Tom]
- Fixed use of mb_strlen() instead of MBYTE_strlen() in the validator class
(bug #0001299, patch provided by mystral-kk)
- Updated Japanese language files and documentation, provided by the Geeklog.jp
group
Apr 3, 2011 (1.8.0b1)
-----------
- Added a COM_newTemplate function to allow overriding template instantiation
(feature request #0001220, patch provided by Joe Mucchiello)
- Fixed the "Mail user" form to not lose all filled-in values when an error
occurred (bug #0001270) [Rouslan]
- Clean up images directory and added new icons (bug #0001276) [Tom, Rouslan]
- Added support for OAuth remote authentication, provided by Hiroshi Sakuramoto,
and added re-syncing of remote user data (feature request #0001191) [Tom]
- Updated bigdump.php (as used in the install script's Migrate option) to the
latest version (feature request #0001143) [Rouslan]
- Removed dependency on JavaScript from some admin pages (feature request
#0001243) [Rouslan]
- Added support to check version dependencies with plugins and Geeklog, and
plugins with other plugins (feature request #0001154) [Rouslan]
- Check database requirements before installing a plugin (feature request
#0001288) [Rouslan]
- Using fopen() to locate a plugin's icon may not provide the expected result
(bug #0001265) [Rouslan]
- A story's bodytext doesn't need to be evaluated when displaying the site's
index page (patch #0001204, provided by LWC)
- The status of the "Send me a copy of this email" option was lost when the
form wasn't filled out correctly (bug #0001240, patch provided by Rouslan
Placella)
- Database backup files > 2GB prevented displaying the list of db backup files
on some 32 bit systems. Added some workarounds (bug #0001257) [Dirk]
- Fixed replacing the [imageX] tags when changing a story's id (bug #0001256)
[Dirk]
- Fixed logging of SQL errors during the startup phase [Dirk]
- The load order of plugins is now configurable (feature request #0001247,
patch provided by Rouslan Placella)
- The list of plugins is now sortable by status (patch #0001249, provided by
Rouslan Placella)
- Added a PLG_getFooterCode function and corresponding {plg_footercode}
variable in footer.thtml. This will allow plugins to add code to a site's
footer, e.g. to load JavaScript code as late as possible (based on patch
#0000906, provided by hiroron) [Dirk]
- COM_onFrontpage didn't work correctly when called from a theme's functions.php
(bug #0001254, patch provided by mystral-kk)
- Introduced COM_versionCompare() to compare Geeklog version numbers, since
they can't be compared using the PHP version_compare() function (feature
request #0000866, patch provided by Rouslan Placella)
- When importing RSS feeds, accept a non-permanent guid as a link if there is
no dedicated link element, as long as the guid looks like a URL [Dirk]
- Added a noindex robots meta tag to printable story pages so they aren't
indexed by search engines [Tom]
- Autotags in Templates may not always display (bug #0001246) [Tom]
- Handle $bulkimport flag in the CUSTOM_userCreate() sample code in
lib-custom.php (bug #0001208) [Dirk]
If you are using your own CUSTOM_userCreate(), please check that you handle
this flag (set to true when doing a Batch User Import) correctly!
- Set minimum required PHP version to PHP 5.2.0 and removed all code that
ensured compatibility with PHP 4 (feature request #0001217) [Dirk]
- Minor optimization and code cleanup in CMT_saveComment (bug #0000939) [Vinny]
- Added a proper copyright header and license text (LGPLv2) to the template
class (feature request #0001128) [Dirk]
- Fixed check for availability of PECL::ZipArchive in the unpacker class
(bug #0001209) [Dirk]
- Added in Autotag usage permissions and descriptions. Allowed HTML now
displays autotag descriptions as tooltips (feature request #0001042) [Tom]
- Added in COM_Tooltip function for displaying tooltips [Tom]
- Moved handling of the [story:] and [user:] autotags to lib-story.php and
lib-user.php, respectively (preparations for feature request #0001115) [Dirk]
Calendar Plugin
---------------
- Fixed a minor display issue in the batchdelete.thtml (patch #0001244, provided
by Rouslan Placella)
Links Plugin
------------
- Fixed encoding of link categories in URLs (bug #0001173) [Tom]
Note: This fix changes the URLs of categories with spaces in their names
from using a '+' sign to using '%20'.
- Fixed text above the list of links, which was referring to a menu entry that
no longer exists (bug #0001216)
Polls Plugin
------------
- Updated the default poll (feature request #0001277) [Rouslan]
- Fixed voters not being counted correctly when updating a poll with multiple
questions. (patch #0001056, provided by Erisco)
Static Pages Plugin
-------------------
- Removed unwanted piece of HTML on "empty" static pages (bug #0001192)
[Rouslan]
- Added a noindex robots meta tag to printable pages so they aren't indexed by
search engines [Tom]
XMLSitemap Plugin
-----------------
- Removed an unused xmlsitemap.edit permission that existed in some installs
(left by all fresh installs with Geeklog version 1.6.0 through to 1.7.0)
[Dirk]
Feb 20, 2011 (1.7.2)
------------
Note: This will be the last Geeklog version to work on PHP 4. We will provide
security fixes for this version until 2012. Future versions of Geeklog will
require PHP 5.2.0 or later. For details, please see
http://www.geeklog.net/article.php/end-of-php4-support
- PostgreSQL fixes:
* It wasn't possible for several Geeklog instances to share a Postgres
database (bug #0001251) [Rouslan]
* Fixed dbSave [Dirk]
* Fixed error reporting [Dirk]
* Fixed compatibility with PHP 4 [Dirk]
- Fixed replacing the [imageX] tags when changing a story's id (bug #0001256)
[Dirk]
- Fixed Static Pages plugin to work with PHP 4 (bug #0001239) [Tom]
Jan 2, 2011 (1.7.1sr1)
-----------
This release addresses the following security issue:
Aung Khant of the YGN Ethical Hacker Group reported an XSS in the admin's
configuration panel.
Oct 31, 2010 (1.7.1)
------------
- Fixed description of $index parameter for STORY_renderArticle (bug #0001203)
[Dirk]
- The number of successfully imported users was always reported as 0 for the
"Batch Add" option in the User Manager (bug #0001211) [Ivy, Dirk]
- Fixed a bug in the MS SQL changeDESCRIBE method to properly prefix the
SQL query string [Randy]
- Updated Hebrew language files, provided by LWC
- New Italian language files for the Links plugin, provided by Rouslan Placella
- Updated Italian language files for the Static Pages plugin, provided by
Rouslan Placella
Calendar Plugin
---------------
- Fixed an SQL error when returning search results for the Personal Calendar
(bug #0001195) [Dirk]
Oct 10, 2010 (1.7.1rc1)
------------
- If content from an Autotag produces another Autotag it will be executed (to a
maximum of 5 times) [Tom]
- Themes can now have their own display functions for the start and end of
Blocks. (Feature #0001188) [Tom]
- Reverted a change in 1.7.0 that would send a Content-Type header when calling
COM_refresh since this conflicts with some plugins (e.g. the Forum) [Dirk]
- Fixed wrong view after posting a comment on a poll (bug #0001080, patch
provided by Wojtek Szkutnik)
- Fixed language in the dropdown for the permanent cookie in the Configuration
(bug #0001117, patch provided by Eric Brisco)
- Added cancel and delete buttons to comment edit and submission forms when
needed. (Feature #0000981) [Tom]
- Reverted parts of the changes for bug #0001057: Do _not_ escape curly braces
when displaying a block's content (bug #0001156). If you run into the problem
that words in curly braces inside blocks are interpreted as template
variables, simply add a space after the opening and/or the closing brace
[Dirk]
- Autotags can now be inserted directly into template files.
(Feature #0001181) [Tom]
- Plugins are able to control moderation and return a string to be displayed.
(Feature #0000619 patch provided by jmucchiello)
- Admin lists can now display a 0 in a column instead of being blank
(bug #0001060 patch provided by jmucchiello)
- Fixed "Show & Hide Boxes" option in My Account (reported by Pushkar) [Dirk]
- Display the topic name (instead of the topic id) in the list of draft stories
(bug #0001171) [Dirk]
- Fixed COM_formatTimeString to correctly handle intervals bigger than 4 weeks
(bug #0001158) [Dirk]
- Call PLG_templateSetVars for the Advanced Search form [Dirk]
- Make sure we keep the current status of the user's Advanced Editor option
even when Advanced Editor is disabled for the site (Thanks, Markus) [Dirk]
- Comment submissions for plugins were missing the type [Dirk]
- In the Group Editor, hide the 'Apply "Default Group" change' option until the
state of the "Default Group" checkbox changes (feature request #0001116,
patch provided by Dushyant Tiwari)
- Fixed handling of $LANG_DIRECTION in the install script (cf. bug #0000871)
- Fixed query highlighting in articles - didn't work for queries that contained
characters filtered by COM_applyFilter [Dirk]
- Updated Japanese language file, provided by the Geeklog.jp group
- New and updated French (France) language files, provided by Ben
- Updated Hebrew language file for the Links plugin, provided by LWC
Static Pages Plugin
-------------------
- Call up the Advanced Editor when enabled (bug #0001147, patch provided by
Samuel Leathers)
- A Static Page can now be marked as a template and used by other Static Pages.
(Feature #0001085) [Tom]
May 9, 2010 (1.7.0)
-----------
Geeklog 1.7.0 now supports PostgreSQL, implemented by Stan Palatnik during the
2009 Google Summer of Code.
Changes since 1.7.0rc1:
- Security: The autologin (using the long-term session cookie) was vulnerable
to dictionary attacks. This issue was originally reported by Bookoo of the
Nine Situations Group in one of his reports in April 2009 but apparently
overlooked by the Geeklog Team. Thanks to geeklog.net user Jack for pointing
this out.
- Fixed a typo in the install check that prevented Geeklog from detecting if it
was installed in a subdirectory (bug #0001148) [Dirk]
- New and updated German language files, provided by Markus Wollschläger
- New and updated Slovenian language files, provided by Mateja B.
May 2, 2010 (1.7.0rc1)
-----------
Changes since 1.7.0b1:
- Fixed call to undefined function WS_makeId() when using very long story ids
(bug #0001140) [Dirk]
- Fixed cloning of a story (bug #0001127, patch provided by Eric Brisco)
- The installation script now recommends setting permissions to 666 for files
and 777 for directories that need to be writable (bug #0001126, patch
provided by Eric Brisco)
- Fixed dynamic renumbering of config items when an item is deleted (bug
#0001074, patch provided by Eric Brisco)
- Fixed COM_featuredCheck to ensure there's only one featured story on the front
page [Tom]
- Fixed Last 10 Comments display in user profiles [Tom]
- Updated Estonian language file, provided by Artur Räpp
- Updated Hebrew language files, provided by LWC
- Updated Italian language files, provided by Rouslan Placella
- Updated Japanese language files and documentation, provided by the
Geeklog.jp group
- Updated Slovak language files, provided by Miroslav Fikar
Calendar Plugin
---------------
- Added call to PLG_itemPreSave to support the CAPTCHA plugin (feature request
#0001091) [Dirk]
Links Plugin
------------
- Added call to PLG_itemPreSave to support the CAPTCHA plugin (feature request
#0001091) [Dirk]
- Fixed wrong speedlimit warning when not all required fields are filled in
when submitting a link [Dirk]
- Treat the pre-populated partial link URL "http://" as if no URL was submitted
and prevent it from being used in the spam check [Dirk]
Polls Plugin
------------
- Fixed MS SQL upgrade (bug #0001144)
Spam-X Plugin
-------------
- Removed 'admin_override' entry from language files (bug #0001114)
Static Pages Plugin
-------------------
- Fixed Page Title when Advanced Editor is enabled (bug #0001113)
Apr 4, 2010 (1.7.0b1)
-----------
- Fixed paths for image upload in FCKeditor (bug #0000931) and disabled Flash
upload [Dirk]
- Updated FCKeditor to version 2.6.6 [Dirk]
- Raised minimum required PHP version to PHP 4.4.0 [Dirk]
- Fixed an old bug that would create a new topic when you tried to change the
topic ID [Stan, Dirk]
- Introduced an optional page title for stories (feature request #0001096,
patch provided by Vlad Voicu)
- A new right called htmlfilter.skip allows user groups to skip any html
filtering on posts (feature request #0000952) [Tom]
- Allow empty database passwords only for local installs (bug #0000923, patch
provided by Chetan)
- New Plugin API PLG_getWhatsNewComment for adding comments from plugins to the
Whats New Block and the User Profile page (feature request #0000835) [Tom]
- Truncated stories in Feeds now will have any open html tags closed.
(bug #0000749) [Tom]
- Introduced a [user:] autotag that links to a user's profile (feature request
#0001081, patch provided by Akeda Bagus)
- The "Users" entry in the Admins block now displays the number of active users
only, i.e. it only counts users that logged in at least once [Dirk]
- Fixed display of list of allowed HTML tags and available autotags in
advanced story editor mode (bug #0001020, patch provided by Chetan)
- Fixed sort by date in search results (bug #0001002) [Sami]
- Since we can now re-authenticate expired security tokens, we don't need to
display the token expiry notice any longer. Exception: Users who logged in
through OpenID can't re-authenticate and will still get the message [Dirk]
- Block Names can no longer be empty [Dirk]
- When you had more than 50 blocks per side, disabling a block on one page of
the block list would also disable all blocks on all the other pages of the
list (reported by cesar)
On closer inspection, the same effect could also be triggered when using the
list's search or dropdown to only display a certain number of entries. The
same problems also existed in the lists for Feeds, Plugins, and Weblog
Directory Services. All fixed now [Dirk]
- Fixed links to comment pages (bug #0001061) [Tom]
- Improved comment readability by adding a paragraph tag around "Plain Old Text"
comments and some padding in threaded mode (bug #0000833) [Dirk]
- Hide the "Logout" link when editing a comment or comment submission
(bug #0000893) [Dirk]
- CR and LF are now removed from the submitted password when a user logs in
(for bug #0000799) [Dirk]
- Changed the label for the $_CONF['disable_autolinks'] config option to read
"Disable Autotags" and updated the documentation (bug #0000912) [Dirk]
- Allow Spam-X to skip filtering of submitted content from certain user groups
(feature request #0001018) [Tom]
- Changed the 'gravatar_rating' config option to a dropdown since it only
supports four options anyway [Dirk]
- For anonymous comment submissions, use "Your Name" instead of "Username" in
the comment submission form (feature request #0001039) [Dirk]
- CUSTOM_group_change() was being called with wrong parameters (bug #0001051)
[Blaine]
- Added clickjacking protection for the printer-friendly version of articles
[Dirk]
- When a login is required to view some part of the site, we now display a
login form. This replaces the simple "Login required" message [Dirk]
- Hide "New user" option from "Login required" form when new user registration
is disabled (bug #0000933) [Dirk]
- Show the block name in the list of blocks (feature request #0000819) [Dirk]
- Added an option (under My Account > Layout & Language) for users to select
whether they want to use the Advanced Editor or not. The option is on by
default but only available when Advanced Editor has been enabled in the
Configuration (feature request #0000984) [Dirk]
- Added support for textarea input fields in the Configuration (feature request
#0000905) [Dirk]
- Blocks could not contain words in curly braces as they were mistaken for
template variables (bug #0001057) [Dirk]
- Allow groups to be marked as a Default Group. New users will automatically be
added to all default groups (feature request #0000798) [Dirk]
- Make sure all onclick events in the Configuration return false (bug #0001054)
- Moved hard-coded sort direction indicator (asc/desc) for search results to
the language files [Dirk]
- Changed the 'default_perm_cookie_timeout' config option to a dropdown so that
it's consistent with the "Remember me for" dropdown in My Account [Dirk]
- Raised minimum required MySQL version to MySQL 4.0.18 [Dirk]
- Fixed a non-feature where canceling out of the story editor would select that
story's topic in the admin's list of stories [Dirk]
- Fixed problem uninstalling plugins - missing globals (bug #0001048)
- Added an option to create a copy of a story (feature request #0000811) [Dirk]
- Prepare database for storing IPv6 addresses (feature request #0000971) [Dirk]
- Implemented re-authentication when trying to submit a form with an expired
security token. This will allow the user to save changes even when the token
has expired [Dirk]
- Hide meta tag entry fields from the Story and Topic editors when meta tag
support is disabled [Dirk]
- Fixed topic selection for the Daily Digest (bug #0001041, patch provided by
Ben)
- Changed the 'menu_elements' and 'notification' config options to dropdowns
since there's only a fixed number of keywords that these two options recognize
[Dirk]
- Fixed delete option for dynamically added config options: Back in 1.5.1, we
renamed our JavaScript remove() function to gl_cfg_remove() but forgot to
update the dynamically created function calls (cf. bug #0000681) [Dirk]
Calendar Plugin
---------------
- Added support for a CAPTCHA in the submission form (bug #0001091, patch
provided by tuxcanfly)
- Fixed an old bug in the event submission form: The text of the "Submit" button
must match the text $LANG12[8] to be recognized. Changed the form to always
use that string instead of the one from the Calendar plugin's language file
(originally reported by kokaku in 2006(!) and again by Tereso Ramos in 2010).
Links Plugin
------------
- A link to an invalid Link Category could lead to an endless loop for users
with Links Admin permissions (bug #0001090; reported and patch provided by
Akeda Bagus)
- Allow autotags in the Links and Link Category description (feature request
#0001079, patch provided by Akeda Bagus)
- Added support for a CAPTCHA in the submission form (bug #0001091, patch
provided by tuxcanfly)
- Added a link to "New category" from the Links editor [Dirk]
- Fixed localization of "Root" category (bug #0001047) [Dirk]
Polls Plugin
------------
- Added What's New Block Support for Polls and Poll comments
(feature request #0000835) [Tom]
- Poll Topics now have a created and a modified date (bug #0000761) [Tom]
- Fixed display of the edit icon in the Poll block - didn't check for polls.edit
permissions (but wouldn't let you edit the poll) [Dirk]
- Fixed wrong "access denied" message when attempting to view comments on a poll
that the user is not allowed to view (bug #0001044) [Dirk]
- Fixed comment bar Refresh button (bug #0001044) [Dirk]
- Hide meta tag entry fields from Polls editor when meta tag support is
disabled [Dirk]
Spam-X Plugin
-------------
- Fixed "Edit IP of URL Blacklist" module (bug #0001102, reported and patch
provided by Abhishek Shrivastava)
- A new right called spamx.skip allows Spam-X to skip filtering of submitted
content from certain user groups (bug #0001018) [Tom]
- Make sure the Notification Email config option can be disabled [Dirk]
- List $_CONF['site_url'] as a non-editable entry in the SLV whitelist to
indicate that the site's URL is whitelisted automatically [Dirk]
Static Pages Plugin 1.6.2
-------------------
- Introduced an optional page title for static pages (feature request #0001096,
patch provided by Vlad Voicu)
- Fixed SQL error in the search when multi-language support was enabled (bug
#0001099) [Dirk]
- Added What's New Block Support for Static Page comments
(feature request #0000835) [Tom]
- Added modified date column. What's New Block Support for Static Page now
allows you to use created or modified date [Tom]
- Added clickjacking protection for the printer-friendly version [Dirk]
- Fixed SQL compatibility with MS SQL (bug #0001050)
- Added a draft flag (feature request #0000884) [Dirk]
- Removed the sp_uid field since it's simply a duplicate of owner_id [Dirk]
- Display number of comments in Static Page editor [Dirk]
- Fixed wrong "access denied" message when attempting to view comments on a page
that the user is not allowed to view (bug #0001043) [Dirk]
- Fixed comment bar Refresh button (bug #0001043) [Dirk]
- Hide meta tag entry fields from Static Page editor when meta tag support is
disabled [Dirk]
- Avoid a pair of empty brackets on the printer-friendly version for Static
Pages which have comments disabled [Dirk]
- Added a config option to define the default sort order for the admin's list
of Static Pages (feature request #0000812) [Dirk]
- Made the initial size of the Static Pages edit area (when using FCKeditor)
larger (feature request #0001037) [Dirk]
- If a page does not exist and the user has staticpages.edit rights, send them
to the Static Page Editor (feature request #0000975) [Dirk]
- Added a Comment Default config option (feature request #0000966) [Dirk]
- Added support for query highlighting [Dirk]
Jan 2, 2011 (1.6.1sr2)
-----------
This release addresses the following security issue:
Aung Khant of the YGN Ethical Hacker Group reported an XSS in the admin's
configuration panel.
May 9, 2010 (1.6.1sr1)
------------
This release addresses the following security issue:
The autologin (using the long-term session cookie) is vulnerable to dictionary
attacks. This issue was originally reported by Bookoo of the Nine Situations
Group in one of his reports in April 2009 but apparently overlooked by the
Geeklog Team. Thanks to geeklog.net user Jack for pointing this out.
Nov 22, 2009 (1.6.1)
------------
Changes since 1.6.1rc1:
- It wasn't possible to email a user via their profile page - checked the wrong
field for '@' characters (cf. bug #0000992; reported by rayleigh) [Dirk]
- Fixed use of wrong constant in unpacker.class.php [Blaine]
- Updated the age-old help texts and added help files for comment and user
submissions as well as the draft stories list [Dirk]
- The success message at the end of the install recommended setting
db-config.php and siteconfig.php to 755. These files don't need to be
executable, so recommend 644 instead (bug #0001036) [Dirk]
- Updated Estonian language files, provided by Artur Räpp
- Updated German language files, provided by Markus Wollschläger
- Updated Japanese language files, provided by the Geeklog.jp group
Static Pages Plugin
-------------------
- Content in curly braces in a static page was mistaken for template variables
in the static pages editor (bug #0001038) [Dirk]
- Added missing code to handle $_SP_CONF['includesearchcenterblocks'] and
$_SP_CONF['includesearchphp'] options that was accidentally left out when
merging Tom's patch [Dirk]
- Removed reference to undeclared variable in SP_render_content (bug #0001032)
[Dirk]
Nov 8, 2009 (1.6.1rc1)
-----------
Changes since 1.6.1b1:
- Moved hard coded green color for the search result byline (when using "Google"
style) to the stylesheet (new class "searchresult-byline") [Dirk]
- "Refine search" lost the status of the "Titles Only" checkbox [Dirk]
Note: This fix requires a change in search/searchform.thtml
- Improved display of the "Sort by" and "Show n results" dropdowns on the
search results page (feature request #0000910) [Sami, LWC]
- The search results page used HTML tags even when XHTML was requested
(bug #0001022, patch provided by taca)
- Fixed wrong path reported in case of a missing 'data' directory (reported by
Markus Wollschläger) [Dirk]
- When a plugin returns 0 items for its entry in the Admins Block, don't display
that as 'N/A' (bug #0001025) [Dirk]
- Fixed a bug in the Group Editor that didn't let you add groups to other groups
unless your $_TABLES['groups'] happened to be called "groups" (bug #0000998)
[Dirk]
- Updated Hebrew language files, provided by LWC
Links Plugin
------------
- When URL rewriting is enabled, return rewritten URLs for search results [Dirk]
Static Pages Plugin
-------------------
- Fixed use of wrong CSS class for the entries for the What's New block [Tom]
Nov 1, 2009 (1.6.1b1)
-----------
- The user's time zone selection (from My Account) is actually used now [Dirk]
- Modernized the "timezone hack", made the config option a dropdown, and moved
all timezone-related code into a new TimeZoneConfig class [Dirk]
- Fixed an old bug that could cause SQL errors when a user changed their "Show
& hide boxes" settings [Dirk]
- Searching by author threw an error on PHP 4 (bug #0001008) [Dirk]
- Moved the functionality of the toinnodb.php script into the Database Backups
admin panel [Dirk]
- Added an option to optimize tables to the Database Backups admin panel [Dirk]
- Added a notice about the expiry time for the security token (and the potential
loss of changes) to most editors. This is meant as an intermediate step
until we get around to updating the editors and provide a more user friendly
solution. [Dirk]
- Fixed display of text excerpt for search results on PHP 4 (bug #0001004)
[Dirk]
- The comment speed limit was being ignored (bug #0001003) [Dirk]
- Added an icon to make the plugin update option somewhat more obvious [Dirk]
(icon "stock_update-data.png" taken from Gnome 2.18 icon theme set by
AMAZIGH Aneglus, released under the GPL)
- Allow bigger values for a topic's Sort Order field (feature request #0001011)
[Dirk]
- When a Story Admin did not have permission to edit a story, Geeklog threw a
"call to a member function on a non-object" error when trying to display a
proper "access denied" message (reported by Chase and Cesar) [Dirk]
- Allow external apps to contribute to search results (feature request #0000985)
[Sami]
- Remember current sort/limit in search results (bug #0001007) [Sami]
- Don't display the comment form for a story when comments aren't enabled for it
(bug #0000994) [Dirk]
- Fixed a long-standing quirk of the submission handling where the "Submissions"
entry in the Admins Block wasn't updated after accepting / rejecting a
submission [Dirk]
- Fixed creation of multiple plugin groups in plugin autoinstall [Randy, Dirk]
- Added new option $_CONF['article_comment_close_enabled'] to enable/disable
automatically closing stories for comments after a certain number of days
(bug #0000959). Changed handling of comment_expire field in gl_stories such
that 0 means the story is always open for comments [Dirk]
- The "Admin Group" checkbox in the Group Editor didn't work (bug #0000995,
reported & fix provided by Tsuchi)
- Setting $_CONF['article_comment_close_days'] to a high value (to work around
bugs with the "Disable Comments" option in 1.6.0) may result in values outside
of the range of the year dropdown for that option, in which case it reverted
to the previous(!) year and caused comments to be closed immediately [Dirk]
- When viewing your own profile page, you now get an "edit" link that takes you
to "My Account" [Dirk]
- Additional checks in "Mail Story to a Friend", "Send mail to user", and
"Mail Users" dialogs to make sure users don't enter email addresses into the
name fields (bug #0000992) [Dirk]
- Added an option to send a copy to self to the "Mail Story to a Friend" dialog
and made the look of this and the "Send mail to user" dialogs more consistent
[Dirk]
- Display the number of stories in the current topic in the Topic Editor
(feature request #0000806) [Dirk]
- Call CUSTOM_userCheck from admin/user.php (bug #0000925) [Dirk]
- You can now have one featured story per topic (feature request #0000750,
patch provided by Tom Homer)
- Changing the Post Mode in Advanced Editor mode selected the wrong tab
(bug #0000980, patch provided by dengen)
- Made the former $cc parameter for COM_mail an optional array of additional
email headers (using a string for that parameter still works as CC:) [Dirk]
- Fixed reply notification for the very first comment (bug #0000973)
[dengen, Dirk]
- When an anonymous commenter left a name, use it in the comment notification
email (bug #0000960) [Dirk]
- Removed the CSRF token from all links to edit a comment. We only need it in
the actual comment editor and it caused problems on the moderation page [Dirk]
- For anonymous comments, use the anonymous user's name from the database, not
from the language file (cf. bug #0000960) [Dirk]
- The session and password cookies are now created with the HttpOnly flag set
to make it somewhat harder to read them from JavaScript (requires browser
support) [Dirk]
- Fixed visibility of the "Send Ping" links in the Story Admin's list of stories
and the Story Options block [Dirk]
- The install script was switching back to English in some upgrade scenarios
(bug #0000969, patch provided by taca)
- Added a workaround to not lose the XMLSitemap priorities for Locales where
the comma is used as the decimal separator [Dirk]
- Keep track of actual upper/lowercase spelling of plugin names in the
XMLSitemap plugin [mystral-kk, Dirk]
- Added support for a CUSTOM_renderMenu function when rendering the top menu
(feature request #0000845) [Dirk]
- In the install script, always open db-config.php and siteconfig.php in
binary mode to avoid EOL character mixup on Windows (bug #0000730) [Dirk]
- Avoid SQL error with certain db dumps during migration (bug #0000955) [Dirk]
- Plugin migration was only called when the plugin also needed an upgrade
(bug #0000947) [Dirk]
- The Migrate option in the install script now also works on an existing
database (feature request #0000945) [Dirk]
- Comment notifications used the phrase "Read the full article" when pointing
to the new comment post (bug #0000940) [Dirk]
- Send correct content type and character set header in the install script
(bug #0000964, patch provided by taca)
- The "Remember Me For" option under My Account did not recognize the "(don't)"
option any more (bug #0000961) [Dirk]
- Send a notification when a comment goes into the submission queue [Dirk]
- Added a link back to the story to the "Mail Story to a Friend" form [Dirk]
- Only list [code], [raw] tags when story.* permissions are required [Dirk]
- [page_break] was not listed when all HTML was allowed for Root users [Dirk]
- Added support for meta tags and meta keywords, provided by Tom Homer
- When an error occurs in bigdump.php (during migration) keep the selected
language when sending the user back to migrate.php (bug #0000943) [Dirk]
- Use COM_getUserDateTimeFormat, i.e. the user's preferred format, for
displaying the date and time in search results [Dirk]
- When disabling a feed, delete the feed file [Dirk]
- Moved leftover hard-coded text from admin/sectest.php to the language files
[Dirk]
- When creating Pingback excerpts, convert the other site's content to our
site's character set, when necessary [Dirk]
- New function COM_getTextContent converts HTML into continuous text. Used for
a more accurate "read more" count for articles and to improve the text
excerpts for search results and pingbacks [Dirk]
- Use COM_numberFormat to format the number of registered and anonymous users
displayed in the Who's Online block [Dirk]
- Use $LANG_ADMIN['na'] instead of hard-coding 'N/A' in several places [Dirk]
- For Remote Users, display their service name in the User Editor [Dirk]
Calendar Plugin 1.1.1
---------------
- Keep track of the user id for submitted events (bug #0000993) [Dirk]
- Reintroduced {event_begin_anchortag} and {event_end_anchortag} variables
in event.php [Dirk]
- The number of hits for an event was reset when editing the event [Dirk]
- When cloning an event, the number of hits for the clone should be 0 [Dirk]
- Avoid triggering a false spam report when submitting an event with the default
"http://" entry for the link still in place (bug #0000946) [Dirk]
Links Plugin
------------
- Display the number of links in the current category in the Category Editor.
Note: Does not (yet) count links in sub-categories [Dirk]
- Link titles in autotags showed up with backslashes before quotes (bug
#0000986) [Dirk]
Polls Plugin
------------
- Fixed display of the Polls block when it only contained polls not visible
for anonymous visitors (bug #0000996) [Dirk]
- When upgrading from Geeklog 1.5.2, the length of the poll IDs was not extended
to 40 characters - only fresh installs of Geeklog 1.6.0 and upgrades from
older versions worked correctly (cf. feature request #0000754) [Dirk]
- Added support for meta tags and meta keywords, provided by Tom Homer
- Introduced [poll:], [poll_vote:], and [poll_result:] autotags, which allow
polls to be embedded wherever autotags are allowed, provided by Tom Homer
Static Pages Plugin 1.6.1
-------------------
- Certain types or all Static Pages can now be excluded from the search results
(feature request #0000979, provided by Tom Homer)
- New and updated Static Pages are now listed in the What's New block
(feature request #0000908, provided by Tom Homer)
- Fresh installs of the plugin in Geeklog 1.6.0 accidentally used a wrong name
for the plugin's admin group. Silently fix that during the upgrade [Dirk]
- Made the list of pages sortable by author (feature request #0000978) [Dirk]
- List available autotags in the static pages editor [Dirk]
- Added support for meta tags and meta keywords, provided by Tom Homer
Aug 30, 2009 (1.6.0sr2)
------------
This release addresses the following security issue:
- Unauthorized file uploads were possible through FCKeditor.
Uploaded files still had to go through FCKeditor's filter, so it was not
possible to upload scripts (and the integrity of the Geeklog site as such was
not in danger). There were, however, reports that this was used to host
malware.
This update prevents use of the upload feature when FCKeditor is disabled and
disables it for anonymous users. It also doesn't allow uploading of archive
files any more. Furthermore, you need some sort of "edit" permission now to
be able to upload files through FCKeditor (this is meant as an interim
measure - we will probably introduce a separate "upload" permission in future
Geeklog versions).
Not security-related:
- Fixed installation using InnoDB tables [Dirk]
- Links plugin: Fixed wrong function name in the autoinstall.php file
(bug #0000954)
- Fixed an SQL error (due to a missing global declaration; not exploitable) when
the commentcode field was auto-updated (reported by Jokke_K) [Dirk]
This release also includes updated Hebrew (provided by LWC) and German language
files.
Jul 30, 2009 (1.6.0sr1)
------------
This release addresses the following security issues:
- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
- The "Mail Story to a Friend" function didn't check story permissions, so that
it was possible to email a story even if you didn't have the permissions to
view it on the site.
Not security-related:
- Fixed an SQL error (due to a non-initialized variable; not exploitable) when
the story submission queue was off (reported by Dieter Thomas) [Dirk]
- Fixed calls to a nonexistent function COM_outputMessageAndAbort (should have
been COM_displayMessageAndAbort) [Dirk]
Jul 19, 2009 (1.6.0)
------------
Geeklog 1.6.0 incorporates the following projects implemented during
the 2008 Google Summer of Code:
+ Site migration support and easier plugin installation, by Matt West
+ Improved search, by Sami Barakat
+ Comment moderation and editable comments, by Jared Wenerd
Changes since 1.6.0rc2:
- Updated language file for formal German, provided by Markus Wollschläger
- Updated Japanese language file and documentation, provided by the
Geeklog.jp group
Jul 12, 2009 (1.6.0rc2)
------------
Changes since 1.6.0rc1:
- Updated FCKeditor to version 2.6.4.1 [Dirk]
- Fixed advanced search not using start and end dates (bug #0000924, patch
provided by dengen)
- Fixed auto-detection of table prefix during migration when the SQL dump
contained CREATE TABLE IF NOT EXISTS requests (bug #0000922) [Dirk]
- When an error occurs in bigdump.php (during migration) send the user back to
migrate.php (bug #0000919) [Dirk]
- Fixed warning in migration script when no backups are available (bug #0000918,
patch provided by hiroron)
- Updated Estonian language files, provided by Artur Räpp
- Updated Hebrew language files, provided by LWC
- Updated Japanese language files and documentation, provided by the
Geeklog.jp group
Jun 28, 2009 (1.6.0rc1)
------------
Changes since 1.6.0b3:
- Fixed include path for db-config.php in bigdump.php (bug #0000915) [Dirk]
- Improved detection of UTF-8 database dumps in migration (bug #0000916) [Dirk]
- Fixed typos in the install script (bugs #0000913 and #0000914) [Dirk]
Jun 21, 2009 (1.6.0b3)
------------
Changes since 1.6.0b2:
- Fixed IE6 and Safari compatibility issue with sort and limit combo boxes in
search results (part of bug #0000874) [Sami]
- Fixed HTML in the Configuration (bug #0000907) [Dirk]
- Added a more prominent reminder to remove the install script [Dirk]
- Made the link to a comment's parent object from the comment bar work properly
for plugins [Dirk]
- Allow searching by topic (without a query string) again (reported by Markus
Wollschläger) [Dirk]
- Fixed handling of $_CONF['comment_close_rec_stories'] (bug #0000899) [Dirk]
- Improved selection of text portion displayed in search results [Dirk]
- Fixed an error that occurred after deleting a trackback [Dirk]
- Replace autotags in search results (bug #0000887) [Dirk]
- Don't insist on an email address when editing a Remote User (bug #0000885)
[Dirk]
- Added a config option to send an X-FRAME-OPTIONS HTTP header to prevent
"clickjacking" (requires browser support) [Dirk]
- Prevent XSS in the install script (reported independently by Nemesis and MaXe)
[Dirk]
- Removed old plugin API function plugin_commentsupport from the Calendar,
Polls, and Static Pages plugins [Dirk]
- Updated Japanese language files and Japanese documentation,
provided by the Geeklog.jp group
Calendar plugin
---------------
- Fixed leap year check [Sean Clark]
Polls plugin
------------
- Implemented PLG_getCommentUrlId [Dirk]
- Update polls comments when changing a poll's ID so the comments don't become
orphaned (part of bug #0000901) [Dirk]
Static Pages plugin
-------------------
- Another attempt to fix a compatibility issue with PHP 4 (parse error)
[Ben, Dirk]
- Implemented PLG_getCommentUrlId [Dirk]
- Update static pages comments when changing a page's ID so the comments don't
become orphaned (part of bug #0000901) [Dirk]
- When deleting a static page, also delete its comments (bug #0000901) [Dirk]
XMLSitemap plugin
-----------------
- Add the Polls plugin to the sitemap by default (part of bug #0000898) [Dirk]
- When manually adding or removing plugins, automatically add/remove
corresponding entries for priority and frequency (part of bug #0000898) [Dirk]
May 31, 2009 (1.6.0b2)
------------
Changes since 1.6.0b1:
- Various fixes to the new search (work in progress) [Sami]
- The list of Comment Submissions now tries to provide a link to a comment's
parent object (article, poll, ...). If not available, it displays an excerpt
from the comment [Dirk]
- Plugin comments lost their type when being saved in the comment submission
queue (they were treated as comments on stories) [Dirk]
- SQL errors now trigger the standard error handler ("Unfortunately, an error
has occurred ..."). Details are available in error.log, as usual [Tony, Dirk]
- Removed the $_CONF['search_no_data'] config option and moved the text to the
language files (bug #0000873) [Dirk]
- All bundled plugins now include a check to see if they support the DBMS the
site is running on [Dirk]
- A fresh install didn't check if the bundled plugins are compatible with the
Geeklog version about to be installed [Dirk]
- Users couldn't change their password or delete their account (reported by
Tom Homer) [Dirk]
- Fixed plugin postinstall from the install script [Dirk]
- Made COM_createImage recognize https:// URLs (bug #0000881) [Dirk]
- Fixed notices in the config class (reported by tgc and others) [Dirk]
- Fixed empty entries in the "Type" dropdown on the Advanced Search page.
Requires an updated search/searchform.thtml template (part of bug #0000874)
- Ensure PLG_templateSetVars (and therefore CUSTOM_templateSetVars) is called
properly when the "Skip Preview" option is disabled (bug #0000880) [Dirk]
- Fixed handling of multi-byte encoded texts when limiting the content of feed
entries to a certain number of characters (reported by alank) [Dirk]
- Added a verbose logging option to the search class and made it default to off
[Dirk]
- lib-custom.php was missing from the 1.6.0b1 tarball
- Updated Spanish language file, provided by Juan Pablo Novillo
Polls plugin
------------
- Display a message when a plugin comment is queued [Dirk]
- If you knew a poll's ID, you could find out the poll's title even if you did
not have access to the poll [Dirk]
- Fixed (mostly) blank page when calling up a non-existing poll ID (reported
by scarecrow) [Dirk]
Static Pages plugin
-------------------
- Display a message when a plugin comment is queued [Dirk]
- Fixed handling of "entire page" centerblocks in a multi-language environment:
Need to allow one per language (reported by Norbert Ortmann) [Dirk]
- Fixed a typo that prevented the [staticpage:] autotag from working [Dirk]
XMLSitemap plugin
-----------------
- Added an option to exclude plugins from inclusion in the sitemap. Defaults
to the Links plugin [Dirk]
- Remove sitemap files when uninstalling the plugin [Dirk]
- Don't include Links in the sitemap.xml automatically [Dirk]
- Fixed "missing argument 2" error when changing config options (reported by
Markus Wollschläger) [Dirk]
May 1, 2009 (1.6.0b1)
-----------
- New XMLSitemap plugin that creates an XML sitemaps file as supported by all
major search engines, provided by mystral-kk
- Don't allow adding/removing users to/from the All Users and Logged-in Users
groups via the group editor (bugs #0000863 and #0000864) [Dirk]
- Cosmetic changes to the form to add/remove users to/from groups, for
consistency with the other admin panels [Dirk]
- Document where CUSTOM_templateSetVars is actually called from (bug #0000862)
[Dirk]
- Added option to search by titles only (feature request #0000840) [Sami]
- The "Plugins" entry in the Admins Block now displays the number of enabled
plugins (previously included the disabled plugins) [Dirk]
- Added a config option to enable/disable automatically turning URLs in text
postings into clickable URLs [Dirk]
- Changed some default settings [Dirk]:
* Webservices are now disabled
* Cronjob emulation is off
* Default sort for topics is alphabetically
* Default comment mode is nested
These settings are _not_ changed when upgrading from an earlier version.
- Experimental: Compress HTML output before sending it to the browser (disabled
by default; has to be supported by both the browser and the webserver) [Dirk]
- Added canonical link for article directory [Dirk]
- Moved hard-coded texts from admin/sectest.php to the language files (bug
#0000716) [Dirk]
- Added an option to send a copy of the email to a user to self (feature request
#0000771, based on a patch by Roshan Singh)
- COM_checkList would use the table name for the name of the checkbox array in
the HTML(!). Added a new parameter for the name (pointed out by Bookoo in
the exploit for usersettings.php, cf. Geeklog 1.5.2sr4) [Dirk]
- Fixed wrong use of COM_allowedHTML and COM_checkHTML in plugins: Functions
were called without specific permissions, so they defaulted to 'story.edit'.
I.e. as a Story Admin, you could use the admin_html set in events, but as a
Calendar admin, you could not ... (bug #0000785) [Dirk]
- Added missing finish() calls for some templates, e.g. header.thtml
(bug #0000855) [Dirk]
- Moved documentation to docs/english so that it can be translated
(feature request #0000770) [Dirk]
- New plugin API function PLG_pluginStateChange [Dirk]
- Fixed dropdown for the "censor mode", which has more than the two options
offered previously (bug #0000692) [Mike, Maciej Cupial]
- Slightly faster template class (feature request #0000760, patches provided
by dengen and mystral-kk)
- Use a more efficient implementation of Story::hasContent (bug #0000858, patch
provided by Maciej Cupial)
- Make sure formerly optional config items can be disabled (bug #0000846) [Dirk]
- New plugin API function PLG_getDocumentationUrl (feature request #0000848)
[Dirk]
- Fresh installs + MySQL only: Changed some tinyint fields that are only used
as flags to tinyint(1) from tinyint(3) (bug #0000857)
- Fixed one of the predefined date format strings (bug #0000854)
- Replace Wiki-style formatting in the Daily Digest and when emailing a story
to a friend (bug #0000837, patch provided by Pawel Szczur)
- New plugin API function PLG_configChange (feature request #0000694) [Dirk]
- Fixed layout of Batch Add and Batch Admin options of the User Manager [Dirk]
- On a login failure, the user registration form showed up even when new user
registration was disabled (bug #0000843)
- The Wiki-style format broke national special characters, e.g. Japanese and
German umlauts (bug #0000823) [Dirk]
- Introduced new plugin API function PLG_migrate [Dirk]
- Allow switching the DOCTYPE from the Configuration. Requires a theme that
uses {doctype} instead of a hard-coded DOCTYPE declaration (feature request
#0000745) [Dirk]
- The notification email about new user submissions didn't include information
about the remote service used (if any) [Dirk]
- Define {xmlns} when using XHTML for XHTML compliance. Updated header.thtml
and article/printable.thtml template files to include that variable [Dirk]
- Fixed wrong use of '&' when sending a trackback (bug #0000825)
- Removed incomplete PDF generator (never enabled in any shipped version) [Dirk]
- Fixed a problem with words being merged together in newsfeeds when the article
was written with CR as the line separator [Dirk]
- Made url rewriting work on setups that only set $_SERVER['ORIG_PATH_INFO']
(bug #0000816)
- Fixed duplicate plugin entries when a plugin has more than one entry for the
admin or user menu (bug #0000820)
- {contributedby_user} and {contributedby_fullname} weren't set in the story
templates (bug #0000821) [Dirk]
- Reinstated old definitions of the {start_contributedby_anchortag},
{end_contributedby_anchortag}, and {contributedby_author} variables, i.e. the
two anchortag variables are set again and _author contains the name only (bug
#0000821) [Dirk]
- Auto-deleting a story didn't delete trackbacks for that story [Dirk]
- Ensure consistent template variable names for the Permission Editor [Dirk]
- Added new permission 'group.assign', now required to be able to assign a user
to a group. Part of the Group Admin (not User Admin) permissions by default
(feature request #0000190) [Dirk]
- Raised minimum required PHP version to PHP 4.3.0 and removed all workarounds
that ensured compatibility with PHP 4.1.0 [Dirk]
- Added a filename mask config option for the names of the database backups
[Dirk]
- Removed $_CONF['pagetitle'] hack. Use COM_siteHeader('menu', $pagetitle)
instead [Dirk]
- Added canonical link for articles [Dirk]
- Moved hard-coded "Reminders" column title to the language file (bug #0000817)
- Hide archive option radiobutton from the story editor when no archive topic
is defined (feature request #0000807) [Dirk]
- Display group names with an uppercase first letter everywhere [Dirk]
- Added an ISO 8601-ish format to the gl_dateformats table [Dirk]
- Let users with user.mail permissions only email groups that they are in
themselves [Dirk]
- Gave the Groups and User editors a facelift. Requires a new template file,
admin/lists/inline.thtml [Dirk]
- Introduced list of "advanced HTML" tags that are allowed when FCKeditor is
enabled. Needed for images (bug #0000757) [Blaine]
- Add new permissions plugin.install and plugin.upload for more fine-grained
control to the plugin admin panel (bug #0000637) [Dirk]
- Introduced new plugin API function PLG_itemDeleted [Dirk]
- Changed API for PLG_itemSaved to make it simpler and easier to use [Dirk]
- Updated FCKeditor to version 2.6.4 [Blaine]
- Usersettings.php - can not change password when custom membership is enabled.
Modified CUSTOM_userCheck to return both an error message string and Error
code. Updated users.php and usersettings.php (bug #0000776) [Blaine]
- Implemented extended API for PLG_getItemInfo [mystral-kk, Dirk]
- Fixed inconsistencies and various small mistakes when displaying "Access
denied" messages on the admin pages [Dirk]
- Added a print.css stylesheet to be used by the printable template files
(feature request #0000766) [Dirk]
- Re-introduced the path hints in the install script when it can't find
db-config.php [Dirk]
- Added a note about the max. dimensions of a userphoto in the About You pane
of a user's My Account page (feature request #0000629) [Dirk]
- Display a message when no topics exist and don't let the user enter the story
editors (bug #0000738) [Dirk]
- Added a configuration option to control the JPEG quality (Feature request
#0000720) [Dirk]
- Updated Hebrew language file for the install script, provided by LWC
- New Serbian (Latin) language files, provided by Aleksandar Scepanovic
Calendar plugin
---------------
- Added migration support [Dirk]
- Removed extra double quote from upcoming events block (bug #0000827)
- Added auto installation support [Dirk]
- Added support for PLG_getItemInfo, PLG_itemSaved, PLG_itemDeleted [Dirk]
Links plugin
------------
- Added migration support [Dirk]
- Added category default permissions [Dirk]
- Added auto installation support [Dirk]
- Added support for PLG_getItemInfo, PLG_itemSaved, PLG_itemDeleted [Dirk]
- Introduced function LINKS_getCategorySQL and fixed visibility of link
categories in the Top 10 Links list and site statistics [Dirk]
- Added an option to allow opening external links in a new window (feature
request #0000693). Use with care, please [Dirk]
- Only external links are marked with class="ext-link" [Dirk]
Polls plugin
------------
- Added migration support [Dirk]
- Set the page title when viewing a poll [Dirk]
- Added auto installation support [Dirk]
- Added support for PLG_getItemInfo, PLG_itemSaved, PLG_itemDeleted [Dirk]
- Extended length of poll IDs to 40 characters (feature request #0000754) [Dirk]
Spam-X
------
- Added migration support [Dirk]
- Added auto installation support [Dirk]
Static Pages plugin
-------------------
- Added migration support [Dirk]
- The printable.thtml template file now uses the {xmlns} variable [Dirk]
- Added canonical link [Dirk]
- Added auto installation support [Dirk]
- Added support for PLG_getItemInfo, PLG_itemSaved, PLG_itemDeleted [Dirk]
- The printable.thtml template file uses the HTML Strict doctype and print.css
now [Dirk]
- Display "successfully saved" and "successfully deleted" messages, just like
every other plugin and built-in function does (bug #0000644) [Dirk]
May 9, 2010 (1.5.2sr6)
------------
This release addresses the following security issue:
The autologin (using the long-term session cookie) is vulnerable to dictionary
attacks. This issue was originally reported by Bookoo of the Nine Situations
Group in one of his reports in April 2009 but apparently overlooked by the
Geeklog Team. Thanks to geeklog.net user Jack for pointing this out.
Jul 30, 2009 (1.5.2sr5)
------------
This release addresses the following security issues:
- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
email a story to a friend.
- The "Mail Story to a Friend" function didn't check story permissions, so that
it was possible to email a story even if you didn't have the permissions to
view it on the site.
Apr 18, 2009 (1.5.2sr4)
------------
This release addresses the following security issue:
Bookoo of the Nine Situations Group posted another SQL injection exploit,
targeting an old bug in usersettings.php. As with the previous issues, this
allowed an attacker to extract the password hash for any account and is fixed
with this release.
Apr 13, 2009 (1.5.2sr3)
------------
This release addresses the following security issue:
Bookoo of the Nine Situations Group posted another SQL injection exploit, this
time targeting the webservices API. As with the previous issue, this allowed
an attacker to extract the password hash for any account and is fixed with this
release.
Not security-related:
- Re-introduced function get_SPX_Ver in the install script, which is still
needed when upgrading from old Geeklog releases (reported by Sheila) [Dirk]
Apr 4, 2009 (1.5.2sr2)
-----------
This release addresses the following security issue:
Bookoo of the Nine Situations Group posted an SQL injection exploit for glFusion
that also works with Geeklog. This issue allowed an attacker to extract the
password hash for any account and is fixed with this release.
Mar 30, 2009 (1.5.2sr1)
------------
This release addresses the following security issue:
Fernando Munoz reported a possible XSS in the query form on most admin panels
that we are fixing with this release (bug #0000841).
Feb 8, 2009 (1.5.2)
-----------
- The default replacement text for censored text was supposed to read
"censored", not "censormode" [Dirk]
- Fixed problem with extra backslashes appearing in a story's title during the
story preview when magic_quotes_gpc = On (bug #0000790) [Mike, Dirk]
- Added missing page title when viewing a single comment [Dirk]
- Sort groups in the group dropdowns non-case sensitive [Dirk]
- Display a message when sending the email to report an abusive comment failed
[Dirk]
- Display a message when sending the email for a new password failed [Dirk]
- Updated Estonian language file for the Calendar plugin, provided by Artur Räpp
- Updated Japanese language file, provided by the Geeklog.jp group
Static Pages plugin
-------------------
- Fixed parse error when saving a static page (reported by greenteagod). This
problem was only introduced in 1.5.2rc1 [Dirk]
Jan 24, 2009 (1.5.2rc1)
------------
- Fixed various issues with COM_makeClickableLinks (bug #0000767, #0000793,
#0000796) [Sami]
- The comment submission form didn't show the user's full name when
$_CONF['show_fullname'] was enabled [Dirk]
- Comments were always showing the username, even when $_CONF['show_fullname']
was enabled (reported and patch provided by mystral-kk, bug #0000800)
- Fixed story preview losing the story when the sid already existed (bug
#0000789) [Dirk]
- Fixed wrong use of str_replace in STORY_extractLinks (bug #0000794) [Dirk]
- Added "Send Pings" to the Story Options block (if enabled and allowed for the
current user) [Dirk]
- Don't let the user enable plugins when there's no functions.inc for the
plugin [Dirk]
- When the install script can't find db-config.php, that message was always
displayed in English, i.e. you could not change the language for that screen
[Dirk]
- When upgrading from a Geeklog version prior to 1.5.0, the plugin config.php
files are no longer renamed [Dirk]
- Admin lists allowed non-sortable columns to be sortable (reported and patch
provided by hiroron, bug #0000791)
- Fixed STORY_getItemInfo - need to check the draft flag and for a publish date
in the future [mystral-kk, Dirk]
- Fixed wrong use of COM_isAnonUser in COM_getPermSQL (since 1.5.0) [Dirk]
- When calling COM_getYearFormOptions with a $startoffset parameter, the list
of years was off by one (bug #0000783; patch provided by hiroron)
- Fixed updating feeds after changing topic permissions (bug #0000779) [Dirk]
- The security token was missing from the trackback editor template file
(reported and patch provided by hiroron, bug #0000778)
- Removed rel="tag" from topic links in lib-story.php as that would indicate a
Microformat with a slightly different meaning [Dirk]
- Don't include X-Originating-IP header in emails sent from the site's admin
area (bug #0000701) [Dirk]
- Check if COM_errorLog exists before using it in the config class (for possible
problems during installation, bug #0000768) [Dirk]
- Fixed filling out the Site Email / No-Reply Email fields in the install
script, which was overwriting the correct values from config.php during
upgrades (bug #0000759) [Dirk]
- Set language direction in templates for printable versions of articles and
static pages. Also set $LANG_DIRECTION to 'ltr' now if the language file does
not already define it (bug #0000762) [Dirk]
- Removing an element from the middle of the censorlist caused the censoring
to act up (bug #0000763) [Dirk]
- Saving a story tried to update a feed of type 'geeklog' instead of 'article'
(reported by Tom Homer)
- Delete a feed's file when deleting a feed (bug #0000758) [Dirk]
- When using gdlib, use imagecopyresampled instead of imagecopyresized to scale
images. This should result in better image quality (part of Feature request
#0000720) [Dirk]
- The {start_storylink_anchortag} variable in the story templates was missing
a '>' (reported by Michael Brusletten) [Dirk]
- Display a "Service" column in the Admin's list of users when remote auth is
activated [Dirk]
- Introduced new function COM_showMessageText to display a free-form text in a
"System Message" box (feature request #0000676) [Dirk]
- Introduced new function COM_showMessageFromParameter for easy and consistent
display of messages passed in the URL, including plugin messages (second
attempt to fix bug #0000618) [Dirk]
- Display confirmation message when emailing a story (feature request #0000689)
[Dirk]
- Implemented new function COM_renderWikiText to convert wiki-formatted text
to (X)HTML (feature request #0000643) [Dirk]
- Added support for CUSTOM_formatEmailAddress and CUSTOM_emailEscape functions
(feature request #0000727) [Dirk]
- Fixed 'cookiedomain' being reported as changed in the Configuration
(bug #0000638) [Dirk]
- Reverted fix for bug #0000618 (COM_showMessage automatically picking up a
'plugin' parameter) as it's causing problems when displaying more than one
message on the same page [Dirk]
- Added missing check for allowed IP addresses in downloader class
(bug #0000709) [Dirk]
- Force a refresh after uninstalling a plugin so that the plugin's entry
disappears from the Admins block [Dirk]
- Fixed an issue with story expiry dates on PHP 4/Windows (reported by zeb)
[Mike]
- Updated Hebrew language file for the install script and Spam-X plugin,
provided by LWC
- Updated Japanese language files, provided by the Geeklog.jp group
- Updated Polish language files, provided by Robert Stadnik
- Updated Slovenian language file for the Links plugin, provided by gape
Calendar plugin
---------------
- Fix for calendar plugin - unable to add personal event [Blaine]
- Make {event_url} available in eventdetails.thtml [Dirk]
Links plugin
------------
- Missing parentheses may have resulted in incorrect search results [Dirk]
- Added urlencoded versions of {link_actual_url} and {link_name} [Dirk]
- Prevent overwriting existing links when changing the link ID [Dirk]
Polls plugin
------------
- Lowered the default number of questions per poll to 5 and the number of
answers per question to 8 to avoid running into Suhosin's default
post.max_vars limit (for new installs only) [Dirk]
- Fixed SQL error when poll questions contained single quotes (bug #0000756)
[Dirk]
- Fixed handling of poll IDs in Polls editor (bug #0000753) [Dirk]
Static Pages plugin
-------------------
- The owner of a static page changed to the user who last edited it
(bug #0000777) [Dirk]
- Fixed call to WS_makeId when sp_id was longer than STATICPAGE_MAX_ID_LENGTH
(found by Marc Maier) [Dirk]
Sep 22, 2008 (1.5.1)
------------
- Fixed protection against direct execution in various include files which may
have failed on non-case sensitive file systems (reported by Mark Evans) [Dirk]
- Saving a story as someone other than the owner will revert the story to your
ownership. (bug #0000742) [Mike]
- Fixed searching for non-installed plugins when open_basedir restrictions are
in effect (bug #0000741)
- Fix for first change of password issue (bug #0000724) [Mike]
- Fixed failure to switch language with new query highlighting URLs
(bug #0000733) [Dirk]
- Fixed bug with HTML Encoding of default comment title for articles
(bug #0000737) [Mike]
- Fixed another case where a duplicate of a story submission was left in the
submission queue after approving the story [Mike]
- Fixed problem with the MySQL class not recognizing UTF-8 when the character
set name was written in uppercase (bug #0000731) [Dirk]
- Updated Hebrew language files, provided by LWC
- Updated Estonian language files, provided by Artur Räpp
- Updated Japanese language files, provided by the Geeklog.jp group
- Updated Slovenian language files, provided by gape
Sep 7, 2008 (1.5.1rc1)
-----------
- Added missing slash in the install script (bug #0000715) [Dirk]
- CSRF token not passed to draft list (bug #0000726) [Ted Powell]
- If root debugging is enabled, hide anything in the array stack that has a key
containing 'cookie' or 'pass'. And added option to override this.
(bug #0000722) [Mike]
- Prevent direct execution of the FCKeditor upload script (reported by t0pP8uZz) [Dirk]
- Renamed the "Restore" option in the Configuration to "Enable" [Dirk]
- Provided better error handling for database backups (bug #0000714) [Mike]
- Provided auto-detection of -left and -right overrides for any given block
template. This allows any block to auto-style to left and right for themes
without the need for the theme to work it out, or talk to the database.
("Bug" #0000684) [Mike]
- Fixed handling of corrupted config value db entries, e.g. after importing
Calendar event_types with the wrong character set (bug #0000690) [Dirk]
- Fixed handling of HTML entities in the Configuration (bug #0000710)
[Sami, Dirk]
- Story image upload: Only add a link to the unscaled image if such an image
actually exists [Dirk]
- Removed unused code from lib-story.php [Dirk]
- COM_siteFooter no longer creates two sets of right blocks. (bug #0000698)
[Mike]
- Microsummaries work in topics, reported by Joe. [Mike]
- Added DB_checkTableExists and changed INST_checkTableExists to use it. [Mike]
- Changed REPLACE INTO for DB_save for MSSQL compat [Mike]
- Re-introduced function get_SP_Ver in the install script, which is still needed
when upgrading from old Geeklog releases (reported by libexec) [Dirk]
- Fixed issue where you can post a comment to an unpublished story (bug
#0000705) [mystral-kk/Mike]
- Fixed make clickable links with quotes (bug #0000691) plus truncated long
urls. [Sami]
- Fixed table prefix issues with constraints (bug #0000702) [Mike/Sami]
- Fixed error when attempting to highlight a search query that contained a
slash [Dirk]
- Updated FCKeditor to v2.6.3 [Blaine]
- Moved remove() (config JavaScript) to gl_cfg_remove (bug #0000681) [Mike]
- Change for CUSTOM_usercreate to support passing in $batchimport,
set true if called via the Admin->Users Batch_Add [Blaine]
- Fix for date formatting in RSS fields (bug #0000696) [mystral-kk]
- A small tweak to the Professional theme's commentbar to make the "Post a
comment" option easier to find [Dirk]
- Renamed the syndication feed type "geeklog" to "article" since that's what
they are nowadays [Dirk]
- New option "All Frontpage Stories" for article feeds: skip stories that have
the "Show only in topic" option set (feature request #0000652) [Dirk]
- If there is a feed for a topic, there will now be a "Subscribe to ..." option
in the Story Options block for every story for that topic (feature request
#0000154) [Dirk]
- Cop-out fix for bug #0000671: Don't display the icon for external links when
the text direction is 'rtl' (e.g. Hebrew) [Dirk, Mike]
- Keep letter case intact when highlighting a search query string (patch
provided by Sami Barakat)
- Provide nicer URLs to story search results when URL rewriting is enabled
(bug #0000665, based on a patch by Sami Barakat) [Dirk]
- Better support for plugin messages (bug #0000618) [Blaine]
- Introduced new variable {page_title_and_site_name} for header.thtml so that
we can have "Site Name - Site Slogan" in the frontpage's title again [Dirk]
- Fixed SQL error(s) for story submissions by users with story.submit but no
further Story Admin permissions (reported by Orion) [Dirk]
- End a user's session when they are being banned [Dirk]
- Signatures in HTML-formatted comments weren't XHTML compliant [Dirk]
- Minor cleanups in style.css - no actual layout changes (bug #0000683) [Dirk]
- Allow creation of banned users, i.e. ban the user on account creation [Dirk]
- Minor improvements in the error handling, e.g. preventing Geeklog from
creating error.log files outside the logs directory [Dirk]
- Send a HTTP status code 503 "Service Unavailable" when the site is disabled
[Dirk]
- Hide the database password when the database backup failed and we're logging
the mysqldump command [Dirk]
- Disable OpenID login when new registrations are disabled [Dirk]
- Allow to unset Configuration options again after they have been "restored",
i.e. enabled (bug #0000664) [Dirk]
- Adopted hack to allow multilingual blocks (bug #0000626) [Dirk]
- Fixed SQL error in story submissions (reported by Chase) [Mike]
- Stories with a publishing date in the future and stories with the draft flag
set were accessible if you knew their story id (bug #0000678) [Mike]
- Enabled siteconfig.php to override database config in core, primarily for
rootdebug. [bug 0000673] [Mike]
- Allow remote users to use the webservices (bug #0000640). Due to the
authentication method it is not possible for OpenID users to use the
webservices. Other remote users will have to use username@servicename for
their username when logging in through the webservices [Dirk]
- Fix to template.class to better handle full path being passed in [Blaine]
- Updated PLG_uninstall to suppress errors for table drop. [bug 0000668] [Mike]
- Fixed INST_checkTableExists for MS SQL Support. [bug 0000668] [Mike]
- Hardcode an ltr div around HTML tags in the allowed html tag list. Plus minor
HTML compliance issues. [bug 0000669] [Mike]
- Plaintext stories have nl2br applied in syndication feeds to provide correct
formatting in feed readers. [bug 0000662] [Mike]
- Changed SEC_createToken so that it will only return one token per page
(effectively making it a singleton). This fixes the problem of not being able
to delete comments when you also have trackbacks for the same article
[Mike, Dirk]
- Approving a story submission by saving it from the Admin's story editor left
a duplicate in the submission queue, unless you changed the story ID at the
same time [Dirk, Mark Evans]
- Fixed user submission queue (reported by greenteagod) [Dirk]
- Updated Hebrew language files, provided by LWC
Calendar plugin
---------------
- Fixed tags in the German language files for the Calendar [Dirk]
- Fixed date comparison ("End date is before start date.", bug #0000703) [Dirk]
- Fixed Admin delete links in day and week view (bug #0000680) [Dirk]
- Search for an event's "author" didn't work [Dirk]
- Calendar block now includes events from the current day (in progress or all
day events, bug 0000604, patch from forums) (really) [Mike]
Links plugin
------------
- Fixed passing the category on multi-page link lists [Dirk]
- Fixed new category silently overwriting an existing category if they had the
same id (part 2 of bug #0000659) [Dirk]
- Fixed SQL error when trying to change a category id to an already existing id
(part 1 of bug #0000659) [Dirk]
Polls plugin
------------
- For multi-question polls, make the "Vote" button read "Start Poll" in the
polls block (bug #0000633) [Dirk]
- Fixed display of "Results" link while a poll is open [Dirk]
Static Pages plugin
-------------------
- Menu entries were not language-aware (in multi-language setups), i.e. all the
menu entries were always displayed (bug #0000713) [Dirk]
- Removed unused 'config_data' entry from the plugin uninstall function
(bug #0000666) [Dirk]
- Fixed printer friendly version of a static page not working when url_rewrite
is enabled (bug #0000661) [Dirk]
June 15, 2008 (1.5.0)
-------------
Geeklog 1.5.0 incorporates the following projects implemented during
the 2007 Google Summer of Code:
+ New user-friendly install script by Matt West
+ New Configuration GUI (replacing config.php) by Aaron Blankstein
+ New Webservices API based on the Atom Publishing Protocol by Ramnath R. Iyer
Changes since 1.5.0rc2:
- Users that used a different theme than the site default would see the site
switch temporarily back to the site's default theme when changing a config
option. This was a side effect of the fix for bug #0000648 [Dirk]
- In a tradeoff between security and convenience, we decided to go with
security: The install script will no longer display the database credentials
from db-config.php. The downside is that you will have to enter them again
when doing a database upgrade or re-running the install (reported by Mark
Evans) [Dirk]
- Links plugin: The word "Root" wasn't taken from the language file for the page
title of the public list of links (reported by Markus Wollschläger) [Dirk]
- Fixed remaining places where the Admin panels had inconsistent layouts:
Calendar list of events, Polls editor (bug #0000650) [Dirk]
- Updated Hebrew language file, provided by LWC
- Updated German language files, provided by Markus Wollschläger
- Some Korean language files had a mixture of CR/LF and LF as line separators
(bug #0000655) [Dirk]
June 8, 2008 (1.5.0rc2)
------------
Changes since 1.5.0rc1:
- Hide the | separator for static pages with page format "blank page" (reported
by Tetsuko Komma) [Dirk]
- Hardcoded all URL entry fields in the templates and the date selection in the
calendar plugin to dir="ltr" (reported by LWC) [Dirk]
- Fixed handling of UTF-8 languages in the install script (reported by Tetsuko
Komma) [Dirk]
- Ensure consistent display of the admin lists (bug #0000650) [Dirk]
- Sanitize the language in the install help (reported by Mark Evans) [Dirk]
- Moved the hard-coded CSS for the System Message to the stylesheet [Dirk]
- Added a workaround for the Yulup Atompub client that sometimes sends Text
nodes within XHTML nodes [Dirk]
- Made the Install / Upgrade buttons in the install script a bit wider to
provide more space for the Japanese and German translations [Dirk]
- Fixed bug #0000647: All modifications of usersettings should go through
CUSTOM_usercheck [Blaine]
- Removed hard-coded
tags from the functions for the Admin, User, and
Topics blocks. Added new blockheader-list.thtml, blockfooter-list.thtml
template files for those blocks [Blaine]
- Removed the fake {blockid} for the block templates as it was actually derived
from the block title, resulting in layout changes when you changed the block
title. It also didn't work properly with non-ASCII languages. Updated
style.css and the block templates accordingly [Blaine]
- Fixed setting the site's default language and default theme (bugs #0000646
and #0000648) [Aaron, Dirk]
- The bundled plugins don't need to read their config.php any more. This also
avoids confusion if renaming the old config.php failed during the upgrade
[Dirk]
- Fixed SQL error in the Mail Utility when using the option to override user
settings (reported by Michael Brusletten) [Dirk]
- Fixed problems with the text direction in the install script (reported by LWC)
[Dirk]
- Updated Estonian language files, provided by Artur Räpp
- Updated Hebrew language files, provided by LWC
- Updated Japanese language files, provided by Takahiro Kambe, Tetsuko Komma,
and the Geeklog.jp group
Note: Only the UTF-8 versions of the Japanese language files are supported
from now on. The euc-jp versions have been removed from the distribution.
- Updated Polish language files, provided by Robert Stadnik
- Updated Slovenian language file, provided by gape
May 25, 2008 (1.5.0rc1)
------------
Changes since 1.5.0b2:
- Fixed story date/time when using the timezone hack (bug #0000639) [Dirk]
- Fixed MS SQL upgrade [Mike]
- Added code to beautify the language names in the install script [Dirk]
- Ensure the "After Saving ..." options work as advertised [Dirk]
- Fixed handling of empty form submission and display of error messages in the
batch user import [Dirk]
- Fixed text for the account reminder emails [Dirk]
- Display value in the "Months since registration" column on the Batch User
Admin screen without decimals again (as in 1.4.1) [Dirk]
- Removed unused poll-vote, poll-vote-results classes from the Professional
theme's stylesheet; added empty required-field, missing-field classes for
future use (cf. bug #0000635) [Dirk]
- Updated Chinese language files, provided by Samuel M. Stone
- Updated Estonian language files, provided by Artur Räpp
- Updated Slovenian language file, provided by gape
Calendar plugin
---------------
- Fixed missing ] in the headline of the day and week view [Dirk]
- Fixed the template for the personal event editor (extra
tag) [Dirk]
- Bugfix: In some cases, personal events would end up in the submission queue
for site events [Dirk]
- Fixed "Delete old entries" option (delete checkboxes were missing) [Dirk]
May 20, 2008 (1.5.0b2)
------------
Changes since 1.5.0b1:
- {story_title} is now available in the article.thtml template file [Dirk]
- Bugfix: When saving a (new) topic with one or more required fields missing,
don't go back into the topic editor as that would cause a confusing "access
denied" message [Dirk]
- Hard-coded the text direction as "ltr" for some input fields and the date/time
selection in the story editor (bug #0000150). Also removed "text-align:left"
for the HTML body from the Professional theme's style sheet as it interferes
with the ability to switch the text direction (reported by LWC) [Dirk]
- Removed references to config.php from the documentation, some READMEs, and
some source files (bug #0000627) [Dirk]
- Don't include the (internal) 'subgroup' and 'fieldset' entries in the $_CONF
arrays [Dirk]
- COM_numberFormat wouldn't handle decimals correctly (bug #0000624) [Dirk]
- Make sure the XHTML constant is defined if the theme doesn't already define
it (bug #0000622) [Dirk]
- Fixed invalid tags in some language files (bug #0000621) [Dirk]
- The URL sent in a user registration notification contained an &amp;amp; where it
should have been a simple &amp; [Dirk]
- Updated German language files, provided by Markus Wollschläger
Links plugin
------------
- Fixed the "Validate Links" link from the list of categories [Dirk]
Polls plugin
------------
- Bugfix: When saving a (new) poll with one or more required fields missing,
don't go back into the polls editor as that would cause a confusing "access
denied" message [Dirk]
- Renamed 'open' column in the gl_polltopics table to 'is_open' as "open" is
a reserved keyword in MS SQL server [Matt]
- Fixed duplicate sort_order value in the Polls config [Dirk]
- Cosmetic changes in the Polls topic and results (bug #0000625) [Dirk]
Static Pages plugin
-------------------
- Moved the print and edit icons to the bottom of a static page in the default
staticpage.thtml template file. Also removed the icons from the default
centerblock.thtml template file and defined the {lastupdate} and {hits}
variables there (bug #0000628) [Dirk]
- Removed an extra } from the Static Pages staticpage.thtml template file
(reported by Markus Wollschläger) [Dirk]
May 5, 2008 (1.5.0b1)
-----------
- Updated FCKeditor to v2.6 [Blaine]
- LDAP remote authentication module, provided by Jessica Blank / MTV Networks
- The {lang_attribute} can only properly be set in a multi-language setup
(bug #0000616) [Dirk]
- Removed Blogger remote authentication option. Blogger.com have changed their
authentication process, so this module no longer works.
- Emails sent from Geeklog now have an X-Originating-IP header to help track
spam or abuse [Dirk]
- The topic editor allowed you to enter topic IDs with more than 20 characters
(reported by Markus Wollschläger) [Dirk]
- Ease restriction that email addresses have to be unique: Remote accounts can
have non-unique addresses, on-site accounts can't [Dirk]
- Bug: Email user form doesn't display correctly with " in subject when sending
fails due to incomplete fields. [Mike]
- Bugs: Ensure that site_url, site_admin_url, layout_url and xhtml available to
all templates. [Mike]
- Support for [raw][/raw] tag in HTML post mode. All the benefits of code and
pre, with none of the ugly styling. [Mike]
- Added an Atom self-link to RSS feeds. Sounds odd, but it is recommended by
[Mike]
- Improved support for podcasts in portal blocks and fixed an error where REALLY
long syndication feeds could blow portal blocks up. [Mike]
- Only use the multi-byte string functions when the current character set is
UTF-8 (reported by Rick78) [Dirk]
- COM_hit() is now called from COM_siteFooter() instead of doing the UPDATE SQL
directly (reported by Joe Mucchiello) [Dirk]
- New function SEC_encryptPassword() to be used when we have to encrypt a
password. This is only a wrapper for md5() for now but it should make it
easier for us to use some other method in the future [Dirk]
- Incorporated patches by Joe Mucchiello for places in the code where the
template library was used incorrectly.
- By defining the constant XHTML as ' /', themes can now be XHTML compliant
(patches provided by dengen from geeklog.jp)
- Added batch admin feature to send out account reminders [Blaine]
- Hide "Create Account" link in the story submission form when new account
registration has been disabled (reported by Markus Wollschläger) [Dirk]
- Updated COM_startBlock to set a unique {blockid} template variable [Blaine]
- Fixed checking of "Show Admin lists" in Group Admin when going to 2nd page of
results [Oliver]
- Created new function for Admin-Menu display and removed that functionality
from ADMIN_list-functions. [Oliver]
- Fixed missing N/A display when no plugin version number was available
(reported by Machinari) [Dirk]
- Avoid division by zero error when $_CONF['limitnews'] == 0
(reported by Samuel M. Stone) [Dirk]
- Bugfix: Atom always assumes 0.3 and doesn't handle article dates. (Reported by
mystral-kk on the forums). [Mike]
- Added OpenID 1.1 support, provided by Choplair
- Pass site_name into story templates so advanced linking to items like digg.com
can be templated cross-site. [Mike]
- Revamped DB Backups option. It now lists all backups (all .sql files), and
lets you download and delete backups from there [Dirk]
- Fixed checking for errors when sending Pingbacks or Pings [Mike, Dirk]
- When receiving a Pingback, optionally create an excerpt from the text of the
site that sent the Pingback [Dirk]
- Portal blocks now use the HTTP Last-Modified and ETag headers to only request
feeds when they have changed [Dirk]
- The {read_more_class} variable now contains class="story-read-more-link" (if
defined) for consistency with the class name used in {readmore_link} [Dirk]
- Changed the Security Check to only check if any Root users have their password
as "password" [Dirk]
- Made admin/sectest.php recognize 403 status codes (reported by THX100) [Dirk]
- All plugin APIs, where not doing very, very plugin specific activities, now
call a matching CUSTOM_ function. [Mike]
- Integrated support for passing parameters to phpblock functions (Patch #643 by
Joe Mucchiello) [Mike]
- Fixed numerous HTML errors in admin pages [Oliver]
- Added a missing blank between the day's name and the date in the Older Stories
block (reported by Jeruvy's girlfriend, via IRC) [Dirk]
- Fixed bug [#648] sending new password email returns "Ok" message although
it fails when SMTP Server cannot be reached [Oliver]
- Need to include parameters in the URL when sending Pingbacks, e.g. to
Serendipity [Dirk]
- When sending Pingbacks, also search for if the linked
site does not send an X-Pingback header [Dirk]
- When sending Pingbacks for a story that had identical link texts for different
URLs, only the last of those links was pinged [Dirk]
- Implemented new Autouninstall for plugins. Plugins run a function that passes
a specific array to a core function that removes all given elements of the
plugin. The function inside the plugin can handle additional removals that
the core code cannot [Oliver]
- Fixed search by date in Calendar (reported and patch provided by Jeffrey Hare)
- Only allow autotags in normal blocks (bug #653) [Dirk]
- Added {story_topic_image_no_align} and {story_anchortag_and_image_no_align}
in stories so that you have access to the topic image without the alignment
(feature request #410) [Dirk]
- Show autotags in story editor to Admin even if all HTML is allowed [Oliver]
- Allow comments to be closed, i.e. display the existing comments but don't
accept any new ones [Dirk]
- Introduced COM_getCharset which returns the currently used character set (to
avoid code duplication). It should be safe to simply use $LANG_CHARSET in
most cases, though [Dirk]
- Added optional Wikitext postmode for stories [Oliver]
- Added optional noreply-email address option to config.php to prevent
spammers from retrieving the admin's email address by registering online [Oliver]
- Added support for "Microsummaries" to index.php.
See (http://wiki.mozilla.org/Microsummaries) [Mike]
- Story "Rewrite" - significant re-structure of story code to fix all issues
with posting HTML special characters etc. [Mike]
- Added ability to have Body Text in user submitted stories. To deactivate,
edit layout\theme\submit\submitstory.thtml and submitstory_advanced.thtml
[Mike]
- fixing the dimension-resizing of uploaded images. If an image would be within
the max width after resizing, the max height might still be off. This is
solved with the new code. [Oliver]
- Removed tzcode table and started using PEAR::Date instead since all timezone
information is stored in there. [Oliver]
- Added timezone selector to preferences page [Oliver]
- Fixed COM_getLangSQL() to escape the underscore character '_' which happens
to be a wildcard character when used with LIKE. In a multi-language setup,
this may accidentally display unwanted items (reported by Kenji Ito) [Dirk]
- Addressed problems with the text direction (ltr/rtl) and the hard-coded
English text in admin/sectest.php (reported by LWC) [Dirk]
- Due to a language file change, the login form in users.php ("Try Logging in
Again") now asked for a "new password" (reported by Laugh) [Dirk]
- Remove the "Are you secure?" (getBent) block from the database as its
functionality has been moved to admin/sectest.php (reported by LWC) [Dirk]
- Added config option for what should be displayed after user saving [Oliver]
- Added config option for what should be displayed after story saving [Oliver]
- Images in articles (inc. topic icon) aligned with float [Oliver]
- New Czech language file for the Calendar and Links plugins, provided
by Ondrej Rusek
- New Danish language file for the Calendar plugin, provided by dirtyjensen
- Updated Dutch language files, provided by Ronald Edelschaap
- New Dutch language file for the Calendar plugin, provided by John van Gaal
- Updated French Canadian language files for Geeklog and the Static Pages plugin
and new language files for the Calendar, Links, and Polls plugins, provided
by Jean-Francois Allard
- Updated Hebrew language file, provided by LWC
- Updated Japanese language files for Geeklog and all the plugins, provided
by the Geeklog Japan group
- New Korean language files for Geeklog and most of the plugins, provided
by Tetsuko Komma and Kim Younghie
- Updated Spanish (UTF-8) language file and new Spanish (UTF-8) language files
for all the plugins, provided by Jose R. Valverde
Calendar plugin (1.0.2)
---------------
- Calendar block now includes events from the current day (in progress or all
day events, bug 0000604, patch from forums)
- Fixed deleting events submissions from the Events editor [Dirk]
- The global $_STATES has been removed from Geeklog. The state in an event's
details is now a simple text entry field.
- The form to add an event to the personal calendar was missing the site footer
(reported by Mark Evans) [Dirk]
- Fixed Calendar feeds: The first parameter to the getFeedContent function is
the feed's ID, not the feed limit (bug #659) [Dirk]
- Highlight search queries [Dirk]
- Autouninstall implemented [Oliver]
- Added Batch-Delete functionality [Oliver]
- Added config option for what should be displayed after event saving [Oliver]
Links plugin (2.0.0)
------------
- Fixed deleting link submissions from the Links editor (didn't work in at least
all 1.4.x versions) [Dirk]
- Added owner_id field to submissions to record submitter and align with
stories behavior [Oliver]
- Autouninstall implemented [Oliver]
- Added "Report Broken Link" function [Oliver]
- Added Link Verification to Link Admin [Oliver]
- Added config option for what should be displayed after link saving [Oliver]
- Added Link sub-category options [Euan]
Polls plugin (2.0.1)
------------
- Autouninstall implemented [Oliver]
- Added Support for multiple questions grouped into a survey [Oliver]
- Added Support for closing polls [Oliver]
- Added Support for hiding poll results of open polls [Oliver]
- Added config option for what should be displayed after event poll [Oliver]
Spam-X plugin (1.1.1)
-------------
- Fixed the "edit" modules not working with the French language files (reported
by Joe) [Dirk]
- Autouninstall implemented [Oliver]
- Fixed an error with the SLV module when $_CONF['site_url'] was empty
(reported by AA6QN) [Dirk]
- Added support for blocking entire IP ranges, using either CIDR notation or
simple x.x.x.x-y.y.y.y ranges [Dirk]
Static Pages plugin (1.5.0)
-------------------
- Bugfix: In a multi-language setup, we need to be able to see all topics for
the centerblock option [Dirk]
- Bugfix: Allow the static pages "page format" setting to override
$_CONF['show_right_blocks'] (reported by Simon Lord) [Dirk]
- New Static pages Autotag: staticpage_content to return the contents of a
static page instead of a link to a static page [Oliver]
- Now using a template to display static pages [Oliver]
- Autouninstall implemented [Oliver]
- The static pages editor was looking for the advanced editor template in the
wrong place, due to an uninitialized variable (reported by k74) [Dirk]
- Allow static pages to replace tags also on PHP-generated content [Oliver]
- Added config option for what should be displayed after page saving [Oliver]
- Added comments feature [Oliver]
Dec 31, 2006 (1.4.1)
------------
- Changed the default character set in config.php back to iso-8859-1 [Dirk]
- Removed display of the site URL from admin/sectest.php. On sites not installed
in the webroot, it did not display the site's actual URL, which only causes
confusion (reported by Dazzy) [Dirk]
- Fixed conflict between the Spam-X DeleteComment and SLVreport action
modules which prevented the count of deleted spams from being incremented
[Dirk]
- Fixed max. allowed length for a user's homepage (128) and location (96) in the
preferences/profile.thtml template file (reported by burjans) [Dirk]
- Fixed page title after a successful batch import of users (which read "Error")
[Dirk]
- Back in Geeklog 1.4.0, a counter was added to the Spam-X plugin to count all
deleted spam posts. The counter was only added in fresh installs of 1.4.0,
though, but not when upgrading from an earlier version. Fixed that [Dirk]
- In lists created from the Links and Calendar plugins, use "links-new-plugin"
as the CSS class name [Oliver]
- Updated Estonian language file, provided by Artur Räpp
- Updated Russian language file, provided by Alexander Yurchenko
- New Russian language file for the Calendar plugin, provided by Alexander
Yurchenko
- Updated Turkish language file, provided by Kemal Cellat
Dec 17, 2006 (1.4.1rc1)
------------
- Improved handling of UTF-8 feeds (feature request #631) [Mike, Dirk]
- Fixes for the remaining MS SQL issues (bugs #620, #621, #622, #624)
[Randy Kolenko, Dirk]
- Initialize SQL request arrays to prevent PHP errors (e.g. with static pages),
reported by ldfoo [Dirk]
- Escape the '#' sign in spam checks since we're using it as the separator
character for the regexp [Dirk]
- Mark Evans provided a set of patches that let plugins hook into the user
registration, story and comment submission as well as the contact user and
email story forms. These hooks can be used to add CAPTCHAs to those forms,
but may also come in handy for other plugin applications.
Also modified several template files to include a {captcha} variable to ease
installation of Mark's CAPTCHA plugin.
- Update the timestamp for the last run of PLG_runScheduledTask before calling
the function to minimize the risk of the call being triggered more than once
(bug #628) [Dirk]
- In a multi-language setup, allow one static page per language to take over
the index page (bug #625) [Dirk]
- sectest.php didn't perform the test for the install script and default
passwords on some setups (reported by Christian Weiske) [Dirk]
- Fixed "delete account" option (reported by Paul Lelgemann) [Dirk]
- Fixed counting of comments in several places where comments were counted
without taking the type of the parent object into account (e.g. when a story
and a poll happened to use the same id, their comment counts would have been
messed up) [Dirk]
- Editing a story did reset the trackback count (reported by T. Marquez) [Dirk]
- In the admin's story editor, set the debug option for the image upload only
when $_CONF['debug_image_upload'] = true (thus avoiding the "Warning: File #x
on the HTML form was empty" messages in error.log) [Dirk]
- Renamed [calendar:] autotag back to [event:] for backward compatibility. It
also makes more sense this way, since it does provide a link to an event, not
a link to a calendar (bug #619) [Dirk]
- Need to check if field 'etids' is NULL (for MySQL 4) for the Daily Digest
(bug #595) [Dirk]
- Removed the outer table from the layout and merged several style declarations
into the body-tag declaration [Oliver]
- The spam check for comment posts did not include the comment title (reported
by Laugh) [Dirk]
- When multi-language support is enabled, allow language-specific overrides
of the locale settings, e.g. $_CONF['date_en'] and $_CONF['date_de'] to
overwrite $_CONF['date'] depending on the current language [Dirk]
- When installing the Geeklog database using InnoDB tables, create a
'database_engine' entry in gl_vars, so that plugins know to use InnoDB for
their tables. Updated the bundled plugins to act accordingly [Dirk]
- DB_query will now (optionally) accept an array of SQL request strings from
which it will pick the one applicable for the currently used database type
[Vinny, Dirk]
- Provide some more meta information in header.thtml [Dirk]
+ added optional {lang_id} variable and lang attribute
+ added a hreflang attribute to the feed links
+ added , , links
(via the {rel_links} variable)
- COM_isFrontpage has been deprecated, as it had its return values inverted
(returns false when on the site's index page). Use COM_onFrontpage instead
from now on [Dirk]
- Fixed check for new stories from archive topic [Dirk]
- Call PLG_templateSetVars() from STORY_renderArticle() so we can have custom
variables in the story templates [Dirk]
- Updated Chinese language files (traditional and simplified), provided by
Samuel M. Stone
- Updated Japanese language files for Geeklog and all the plugins, provided
by the Geeklog Japan group
- Updated Ukrainian language files (Windows-1251, KOI8-U, and UTF-8 encoding)
for Geeklog and all the plugins, provided by Vitaliy Biliyenko
Nov 5, 2006 (1.4.1b2)
-----------
- Fixed potential SQL injection in the story editor preview (required Story
Admin permissions) [Dirk]
- Added multi-language support in static pages centerblocks and search [Dirk]
- When cloning a static page, keep the original's "wrap in a block" setting
[Dirk]
- Spam-X stats: Removed MT-Blacklist entry, added SLV whitelist entry [Dirk]
- Don't add empty "No Title" links in portal blocks when the feed has less than
the configured max. number of entries (bug #610) [Dirk]
- Added support for COM_mail to use a parm for a CC: distribution list [Blaine]
- Fixed bug #603, hardcoded mysql_error() [Oliver]
- Fixed bug #604, delete trackbacks of a story when story is deleted [Oliver]
- Allow users to switch the language again, even when the default character set
is not UTF-8. It is, however, not possible to mix UTF-8 and other charsets.
Also, "UTF-8" is not displayed in the language dropdown any more [Dirk]
- Corrected SQL for group counting in Admin menu for root admin to fix bug #573
[Oliver]
- Properly encode non-ASCII characters in email headers (subject, names),
loosely based on patch #489 and code from Cal Henderson's book [Dirk]
- Removed the Calendar styles and moved them to a dedicated file in the
plugin's directory [Oliver]
- Sorted all stylesheet definitions alphabetically and split semantics and
classes [Oliver]
- When making a topic the archive topic, update all existing stories in that
topic to "archived" status (and likewise revert that status if the topic
loses its archive topic status) [Dirk]
- Don't count archived stories as new stories in the What's New block [Dirk]
- Moved the defines for STORY_ARCHIVE_ON_EXPIRE and STORY_DELETE_ON_EXPIRE to
lib-story.php (from config.php) where they make more sense [Dirk]
- COM_getPermSQL was using the current user's group information when called for
another user. In Geeklog, this only happens for the Daily Digest, though
(bug #594) [Dirk]
- When comments are disabled for a story, don't show any existing comments in
the What's New block, in search results or via comment.php (bug #597) [Dirk]
- When trackbacks are disabled for a story, don't list any existing trackbacks
in the What's New block [Dirk]
- In the Admin's User Editor, disabled the checkboxes for the All Users,
Logged-in Users, and Remote Users groups to prevent accidental change of
group membership [Dirk]
- When deleting a topic, also delete all Trackbacks attached to stories in that
topic and update the Older Stories block and the feeds [Dirk]
- Fixed approve / delete of draft stories from moderation.php [Dirk]
- Strip blanks from the name of a PHP block function when saving a PHP block
[Dirk]
- Fixed / added multi-language support in the article directory, What's New
block, and the search for stories and comments [Dirk]
- Fixed an SQL error when changing a story's ID [Dirk]
- Call SET NAMES 'utf8' when using UTF-8 as the site's character set (with
MySQL), as pointed out by several people [Dirk]
- Removed wrong parameter when calling up the comment form again when the
comment's title was missing. This bug existed for both story and polls
comments. (bug #591) [Dirk]
- Users who were only in the Syndication Admin group didn't have access to
Command and Control (moderation.php) [Dirk]
- For Block, Group, Polls, Story and Topic Admins only display the number of
the respective entries they can actually see (instead of the number of all
entries, e.g. topics, in the system) [Dirk]
- Fixed highlighting parse error when the search term contained an apostrophe
(bug #590) [Dirk]
- Improved (and subsequently fixed) Pingback spam detection which now also uses
the $_CONF['check_trackback_link'] settings [Dirk]
- directory.php was still using $LANG30 instead of $LANG_MONTH (bug #583) [Dirk]
- When upgrading the database from 1.4.0, only update those plugins that are
actually installed (disabled or not) [Dirk]
- CSS Changes to support better scaling of Font size - using browser Text-Size
adjustment. Removed many extra font-size declarations. [Blaine]
- Don't allow viewing of a Banned user profile unless user admin [Blaine]
- Only call CUSTOM_loginErrorHandler when custom_registration is enabled
(bug #584) [Blaine]
- Fixed SQL error with some older MySQL versions when calling up the Batch User
Delete option [Oliver]
- Comments always displayed the comment author's full name, even when
$_CONF['show_fullname'] was set to 0 [Dirk]
- Fixed 404 (caused by a request for a file named '(none)') in the user profile
display when a user doesn't have a userphoto [Dirk]
- New Estonian language files for Geeklog and most of the plugins, provided
by Artur Räpp
- Updated Hebrew language file, provided by LWC
- Updated Japanese language files for Geeklog and all the plugins, provided
by the Geeklog Japan group
- New Russian language files for the Spam-X plugin, provided by Pavel Kovalenko
- Updated Slovenian language files for Geeklog and all the plugins, provided
by gape
Calendar plugin
---------------
- Created a dedicated stylesheet file and include the file only if the URL
contains the word 'calendar' [Oliver]
- Tweaked the Calendar search result listing: Removed the Event Description
(usually too long for the result listing), replaced Location (which is only a
part of the address and not very helpful) with Event Type, minimized Date &
Time display for events lasting only one day (don't list date twice) [Dirk]
Links plugin
------------
- Renamed classes block-vote-results to poll-vote-results and block-vote to
poll-vote [Oliver]
- Removed duplicate "Other" entry from the Link submission form [Dirk]
- In the Admin's list of links, only display an edit icon for links that the
current user can actually edit (they did get a proper error message when
trying to edit such a link, though) [Dirk]
- Don't return the number of links in the links submission queue if the
current user does not have links.moderate permissions [Dirk]
- Filter out special characters from link IDs. They were properly escaped
before storing them in the database but caused problems when using them
(bug #565) [Dirk]
Sep 17, 2006 (1.4.1b1)
------------
- Changes to templates and CSS to remove deprecated HTML (align= and valign=)
Removed un-used CSS declarations, redundant font-family declarations
Removed use of font-size percentage and used more acceptable EM units [Blaine]
- Don't display an "edit" link in a story if the current user doesn't have
edit permissions for the story's topic (bug #558) [Dirk]
- Added a new script to check the site's security (admin/sectest.php). This
replaces the "get bent" PHP block, but also performs additional checks [Dirk]
- Created a Batch Delete function for users that easily identifies inactive or
old users and allows mass-deletion of those [Oliver]
- Updated FCKeditor to version 2.3.1 [Blaine]
- Added ability to filter out Admin related groups on the Group Admin page
Allows users to easily see only user groups. When editing non-core groups,
you can select if this group is an Admin Group [Blaine]
- Added ability to multi-select submission queue items on the moderation page
and delete them all at once [Blaine]
- Always make "Submissions" the first entry in the Admins Only block to keep
the correspondence between the other entries and the icons on the moderation
page undisturbed (and because it's an important entry) [Dirk]
- Fixed 'emailstoriesperdefault' config option (bug #553) [Dirk]
- Added support for Microsoft SQL Server, provided by Randy Kolenko
- Introduced $_CONF['disallow_domains'] as a blacklist of domain names that are
not allowed for new users during signup. Both 'disallow_domains' and
'allow_domains' can also contain regular expressions [Dirk]
- Introduced DB_lockTable / DB_unlockTable to encapsulate the LOCK / UNLOCK
requests when updating the comments table [Dirk]
- Fixed bug: [#540] Blocking the last Root user or yourself should not be
possible [Oliver]
- Fixed bug: [#546] The phrase "Story Stats" is hardcoded [Oliver]
- Added a spam check to the email user form [Dirk]
- Use the same piece of code to compare plugin version numbers in lib-admin.php
and admin/plugins.php to avoid the "update" button not appearing for some
version numbers (bug #542) [Dirk]
- Re-implemented $_CONF['allow_domains'] whitelist (when the user submission
queue is enabled) that was inexplicably missing from 1.4.0 [Dirk]
- Merged User Preferences and Account information into one page, like the
Story editor with tabs etc. [Blaine, Oliver]
- Tried to make "3 new stories in the last 1 day" sound less awkward by going
back one unit, i.e. "3 new stories in the last 24 hours", in the What's New
block (likewise for 1 week, 1 month, etc.) [Dirk]
- Introduced config options to set the default for the story's draft flag
and frontpage option (feature request #163) [Dirk]
- Introduced $_CONF['hide_main_page_navigation'] to hide the "Google paging"
from index.php (may be useful for some layouts) [Dirk]
- Allow (optional) usage of autotags in "normal" blocks (can be enabled /
disabled per block) [Dirk]
- Introduced a {story_counter} variable in the story templates. It's 0 on the
article page and in previews, but 1 for the first story, 2 for the second,
etc. on the index page (per page, i.e. starts with 1 again on the second page)
[Dirk]
- Require that users enter their current password when changing their password,
email address or "Remember me for" setting. Redesigned the Account Information
page and added a note about this requirement. [Dirk]
- Prevent accidental banning of users when the Admin edits a user's information
using a theme that wasn't updated for Geeklog 1.4.0+ [Dirk]
- $_CONF['show_fullname'] now works as expected, i.e. when setting it to = 1,
a user's full name will be displayed everywhere in Geeklog instead of the
username (assuming the users entered their full name) [Dirk]
- Fixed a bug in the article directory where December was not listed when no
stories had been posted in that month (reported by Kino and Ivy of geeklog.jp)
- Replace Geeklog's [imageX] tags before extracting the What's Related links
from a story to prevent the (verbatim) tag from showing up in the block [Dirk]
- Update story ids in the gl_trackback table when a story's id is changed [Mike]
- Implemented new plugin API function, PLG_spamAction, to perform the spam
actions in case spam has been detected through some other means (e.g.
trackbacks from sites that don't link back to us) [Dirk]
- Implemented new plugin API function, plugin_enablestatechange_, to inform
plugins when they are about to be enabled / disabled (Patch #405) [Dirk]
- Support backslashes in comment and submissions in HTML mode [Mike]
- Added breadcrumb functionality to the navbar class (v1.1) [Blaine]
- Enhancements to navbar templates and CSS for a more 3D TAB'ed look [Blaine]
- Changed several
s to
s + CSS in the Professional theme [Oliver]
- Introduced generic function to delete a user's photo to avoid code
duplication and slightly different error handling in various places [Dirk]
- Made the new user registration form remember the user's input so that they
don't have to retype everything in case of an error [Dirk]
- In the Admin's user list, banned users are indicated by struck-through
entries (based on a hack by Andy Maloney) [Dirk]
- Added new setting $_CONF['onlyrootfeatures']. This is for sites where two or
more story admins can feature stories that the other admins cannot see. The
setting prevents that one admin does not see that there is another recent
story featured and sets one by himself, "stealing" the feature from the other.
- Changed "Reply"-button to "Post a comment" [Oliver]
- Implemented an error handler to suppress all PHP level errors and display a
much more user-friendly error text to the end user. Prevents all path exposure,
prevents "white error page" mystery debugging fun. [Mike]
- Full sweep of all code for $_REQUEST/$_GET/$_POST and $_COOKIE use. Made sure
that COM_applyFilter, or other safe usage is made of the variables. [Mike]
- Added an option to hide the "No News To Display" message on the index page
(new config option $_CONF['hide_no_news_msg']) [Dirk]
- Added an option to check if the sites sending trackbacks are actually linking
to our site (see $_CONF['check_trackback_link'] in config.php) [Dirk]
- Made it impossible to save two syndication feeds with identical filenames
[Oliver]
- Stories with comments/trackbacks disabled, do not show comment/trackback
url in RSS feeds [Mike]
- Added email confirmation fields for new user and usersettings [Oliver]
- Allow changing of group ownership for "gldefault" blocks. Requires a change
in admin/block/defaultblockeditor.thtml to enable the group dropdown. On a
fresh install, all the blocks (with the exception of "Are you secure?") are
now owned by the Block Admin group [Dirk]
- Users created by a User Admin should not be queued for approval, even when
$_CONF['usersubmission'] = 1 [Dirk]
- Introduced 'syndication.edit' permission and 'Syndication Admin' group so
that access to the Content Syndication panel no longer requires 'Root'
permissions [Dirk]
- For the "Submissions" entry in the Admins Only block, only count story and
event submissions when the current user has story.moderate or event.moderate
permissions, respectively [Dirk]
- On admin/moderation.php, list the stories that have their draft flag set only
when the current user has story.edit permission [Dirk]
- Fixed empty lines in a Group Admin's list of groups when that Group Admin
was not a member of all groups [Dirk]
- Renamed the misnamed CUSTOM_runSheduledTask function (in lib-custom.php) to
CUSTOM_runScheduledTask. Don't forget to make that change in your copy of
lib-custom.php if you're using that functionality! [Dirk]
- Improved error log contents when unable to acquire a feed reader for a portal
block. [Mike]
- Extended plugin API for feed extensions to include feed id and the topic (for
adding topic/feed specific data) [Mike]
- Don't attempt to rename a non-existing user photo when
$_CONF['allow_username_change'] is enabled (reported and fix suggested by
Yusuke Sakata) [Dirk]
- Made changes to ensure compatibility with MS SQL, as suggested by
Randy Kolenko [Dirk]
- The "last login date" column in the Admin's list of users now uses
$_CONF['shortdate'] so that it includes the year [Dirk]
- Fixed batch user import (which set all imported users to status "Awaiting
Authorization" instead of "Awaiting Activation") [Mike]
- Fixed admin lists google paging for use in static pages etc. [Oliver]
- Added support for a custom login error handler function,
CUSTOM_loginErrorHandler [Blaine]
- Format the user agent string according to the RFCs 1945 / 2068 / 2616, i.e.
"Geeklog/1.4.1" when trying to detect a Trackback URL [Dirk]
- Made the search option on the Admin pages behave like the site search, i.e.
it doesn't require you to pad queries with '*' any longer [Dirk]
- In story search results, show/hide the "Author" and "Views" columns based on
the $_CONF['contributedbyline'] and $_CONF['hideviewscount'] settings [Dirk]
- Introduced $_CONF['title_trim_length'] to make the max. title length of items
in the What's New block configurable (feature request #525). Also implemented
a new function COM_truncate (based on a patch by Yusuke Sakata) that properly
handles truncation of multi-byte text strings if the mb_ functions are
available [Dirk]
- Added a JavaScript confirmation box to most delete buttons/links. If you'd
rather not have such a confirmation, use {delete_option_no_confirmation}
instead of {delete_option} in the admin templates [Dirk]
- Fixed RSS Feed parser to create RFC 822 dates in en_GB or en_US locale as per
the RFC spec [Mike]
- Removed obsolete "do not use spaces" warning from user editor (bug #530)
[Dirk]
- Show fullname/username according to config.php settings in stories [Oliver]
- Added possibility to change the css-class for admin list headers and fields
[Oliver]
- Added unified new style class to stats.php/style.css to have all lists on
the page look the same [Oliver]
- Added multi-language support, based on earlier works by Euan McKay and LWC.
Also see http://wiki.geeklog.net/wiki/index.php/Multi-Language_Support
- Changed the default path for topic icons to /images/topics [Dirk]
- Fixed an SQL error when calling up the Admin's list of stories without any
topics [Dirk]
- Removed the public_html/portal.php script, as it is no longer needed [Dirk]
- Remove uninstalled plugins from the global $_PLUGINS array immediately
(just in case the array would be used to trigger any actions) [Dirk]
- The "Topic" column in the list of feeds was empty for feeds that are only
linked from a topic page [Dirk]
- Only use the mb_substr workaround in the calendar when the current character
set is UTF-8 (bug #524) [Dirk]
- Fixed SQL error on MySQL 5 when listing the members of a group (bug #527)
[Dirk]
- When emailing a story, don't include the text "Comment on this story at ..."
when comments have been switched off for that story [Dirk]
- Fixed wrong wording of some of the "access denied" messages when trying to
access Admin panels without proper privileges [Dirk]
- Fixed display of Admin block for users that only had certain Admin privileges
[Dirk]
- New Afrikaans language file, provided by Renier Maritz
- Updated Hebrew language file, provided by LWC
The Hebrew language file was also renamed to hebrew_utf-8.php for consistency
with the other UTF-8 language files.
- Updated Turkish language file, provided by Kemal Cellat
Calendar plugin (1.0.0)
---------------
- Bugfix: Replace autotags in the event description [Dirk]
- Added an option to switch between 24 hour and 12 hour am/pm mode for entering
and editing events [Dirk]
- Implemented plugin_enablestatechange API function to enable/disable plugin
feeds and blocks when the plugin is enabled/disabled [Dirk]
- Added calendar plugin initial version [Oliver]
Links plugin (1.0.1)
------------
- Implemented plugin_enablestatechange API function to enable/disable plugin
feeds when the plugin is enabled/disabled [Dirk]
- Changed the English language file from "Web Resources" to "Links"
- Fixed hard-coded link to the "admin" directory when editing a link (reported
by Ronnie Rigl) [Dirk]
- Optimized SQL requests for the plugin's What's New section [Dirk]
- Re-introduced {button_links} header variable [Dirk]
- Added an option to hide the Top Ten Links on the first page [Dirk]
- Made the page title on the Web Resources page more informative by adding the
category and page number [Dirk]
- The edit icon (only visible for Links Admins) now uses the same image type
as the current theme (was previously hardcoded to "edit.gif") [Dirk]
- Hide the "Web Resources" link from the menu when login is required to see
the links (for consistency with the Polls plugin) [Dirk]
- Added a title attribute to the links on the site stats page that contains
the link's actual URL [Dirk]
- Fixed site link in search results which wasn't using portal.php [Dirk]
- The Admin's search option now also searches the link description [Dirk]
- Removed extra tags from the What's New section (bug #526) [Dirk]
Polls plugin (1.1.0)
------------
- Fixed call to undefined function polllist when calling up a non-existing
poll [Dirk]
- Implemented plugin_enablestatechange API function to enable/disable the poll
block when the plugin is enabled/disabled [Dirk]
- Fixed search [Dirk]
- Added a remark field for polls answers [Oliver]
- Re-introduced {button_polls} header variable [Dirk]
- Added an option to hide the link to the polls from the menu (for consistency
with the Links plugin) [Dirk]
- Fixed poll URLs on the site stats page [Dirk]
- Remove the polls block when uninstalling the Polls plugin (another part of
bug #520) [Dirk]
Spam-X plugin (1.1.0)
-------------
- Added SLV (Spam Link Verification) modules [Dirk]
- The MT-Blacklist modules are not being shipped with Geeklog any longer. The
MT-Blacklist entries are removed from the database during the upgrade [Dirk]
- Allow special characters (e.g. backslashes) in the Admin modules (e.g. the
Personal Blacklist module) [Dirk]
- Moved spam actions to plugin_spamaction_spamx API function [Dirk]
- Fixed potential problems with the checkforSpam function's return code in case
of unusual configurations (e.g. $_CONF['spamx'] = 0) [Dirk, Tom Willet]
- Made the plugin's internal log flag a proper config option. So you can now
disable logging to spamx.log from the plugin's config.php [Dirk]
- Mass delete by IP now uses stored IP address [Mike]
Static Pages plugin (1.4.3)
-------------------
- Make sure autotags are replaced even when execution of PHP code is disabled
(reported by LWC) [Dirk]
- Added a help URL for the block display of static pages [Oliver]
- Added ability in staticpage editor to enable/disable Advanced Editor mode
so you can use FCKeditor and then, if needed, basic HTML edit mode [Blaine]
- Fixed default sorting order for the list of static pages [Dirk]
- Allow to show/hide update date/time and hits [Oliver]
- When creating a new page, don't set the default group ownership to the Static
Page Admin group if the current user is not a member of that group. Instead,
pick a group with staticpages.edit permission that the user is a member of
[Dirk]
- Fixed paging for the list of static pages (bug #528) [Dirk]
January 8, 2008 (1.4.0sr6)
---------------
MustLive pointed out a possible XSS in the form to email an article to a
friend that we're fixing with this release.
July 23, 2006 (1.4.0sr5-1)
-------------
This release fixes display problems in the comment preview that were only
introduced in Geeklog 1.4.0sr5 (as a result of the fix for the XSS).
The complete 1.4.0sr5-1 tarball also includes the following language files:
- New Afrikaans language file, provided by Renier Maritz
- Updated Hebrew language file, provided by LWC
- Updated Turkish language file, provided by Kemal Cellat
July 16, 2006 (1.4.0sr5)
-------------
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
June 30, 2006 (1.4.0sr4)
-------------
Two exploits have been released by "rgod" for insecure Geeklog installations
and for a bug in the "mcpuk" file manager that we've been shipping as part of
FCKeditor in all 1.4.0 releases.
- Some of the files outside of the public_html directory were not protected
against direct execution. If Geeklog was installed such that those files were
accessible from a URL (which has always been strongly discouraged in the
installation instructions) then those files could be used to load and
execute malicious code from a remote server.
More information: http://www.geeklog.net/article.php/so-called-exploit
In this release, we've added the missing execution prevention for all files
outside of public_html. We would still, however, suggest that you fix your
Geeklog install if the files outside of public_html are accessible from a URL.
- The "mcpuk" file manager that we've integrated into FCKeditor allowed the
upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's
config.php). Depending on your webserver's configuration, it was then possible
to execute that uploaded code.
More information:
http://www.geeklog.net/article.php/exploit-for-fckeditor-filemanager
The file manager has been removed from this release. You will therefore no
longer be able to upload files, e.g. images, through FCKeditor. Future
versions of Geeklog will ship with an updated version of FCKeditor and its
included file manager.
May 28, 2006 (1.4.0sr3)
------------
The Security Science Researchers Institute Of Iran reported the following
security issues:
- Possible SQL injection and authentication bypass in auth.inc.php
- Possible XSS in getimage.php
- Path disclosure in getimage.php and the functions.php of some themes,
e.g. the Professional theme
An internal code review also revealed a possible SQL injection in story
submissions.
Mar 5, 2006 (1.4.0sr2)
-----------
Security issues:
- Konstantin Dyakoff found an old bug in the session handling that would allow
anyone to log in as any user.
- HTML was not stripped from the Location field in a user's profile.
Feb 19, 2006 (1.4.0sr1)
------------
Security issues:
- James Bercegay of GulfTech Security Research reported several issues with
Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary
file access, and even injection and execution of arbitrary code.
Bugfixes:
- Fixed bug in page-break combined with url rewrite (bug #521) [Oliver]
- Fixed Story [page_break] showing only intro on first page [Oliver]
- Fixed install script for the Spam-X plugin which was trying to include an SQL
file that doesn't exist - and wasn't needed (part of bug #520) [Dirk]
- Updated Hebrew language file, provided by LWC
- New Russian language files for the Links and Polls plugins, provided by
Volodymyr V. Prokurashko
- Fixed Static pages dutch language file [Oliver]
- New Polish language file for the Links plugin, provided by Robert Stadnik
- Added UTF-8 English versions of the Links, Polls, Static Pages, and Spam-X
language files [Dirk]
- Added all UTF-8 Language files for core [Oliver]
Feb 5, 2006 (1.4.0)
------------
- Prevent execution of PHP code in "normal" blocks [Dirk]
- Added missing navbar images - used for CSS based buttons as part of the
standard Plugin CSS [Blaine]
- Set options in FCKConfig to have Firefox browsers by default not using the
and font tags to format Bold and Italic [Blaine]
- Fixed another bug in google pagination of admin-lists [Oliver]
- Fixed "wrap static page in a block" and "exit type" options in the static
page editor. Also link to the "rewritten" URL from the list of static pages
when URL rewriting is on [Dirk]
- Fixed JavaScript error in the Admin's story editor (bug #479) [Dirk]
- Fixed hard-coded paths in the check.php script and added tests for missing
directories (reported by Markus Wollschlaeger) [Dirk]
- A humble attempt to add some semantics [Dirk]
+ Added rel="category tag" to a story's topic link
+ Added rel="self bookmark" for a comment's permalink
- Cosmetics: Moved the number of links per category out of the actual link to
the category [Dirk]
- On MySQL 5, the drop-down list of link categories presented to a user when
submitting a new link came out wrong (while the one in the Admin's link
editor worked just fine). Moved the working code into a new function in the
plugin's functions.inc and changed the code to use it in both cases now [Dirk]
- Fixed an SQL error when the "length of entries" field in the Feed Editor was
left empty [Dirk]
- Fixed date and time defaulting to the current date and time when creating
a new event as an Admin user (adding a workaround for changes of strtotime()
behavior in PHP 5) [Dirk]
- Fixed SQL error on MySQL 5 when creating a new topic (bug #517) [Dirk]
- In HTTP requests, format the user agent string according to the RFCs 1945 /
2068 / 2616, i.e. "Geeklog/1.4.0" [Dirk]
- Updated Japanese language files, provided by Yusuke Sakata
- Updated Ukrainian (Windows-1251) language file, provided by Vitaliy Biliyenko
Jan 22, 2006 (1.4.0rc2)
------------
- header.thtml now specifies the CSS Class Declaration to use for the body.
This addresses the issue with FCKeditor when displayed, its CSS was
over-riding the main site tag and the site margin padding was being
affected [Blaine]
- Removed CSS for the Forum plugin from style.css [Blaine]
- Fixed "Cannot modify header ..." message when logging in from the admin
pages (reported by Samuel M. Stone). This also fixes confusing intermittent
displays during the login (e.g. only some of the "Command and Control" icons
showing up, messages about missing permissions flashing up) [Dirk]
- Removed Geeklog version number from feed files due to security concerns
(pointed out by Samuel M. Stone) [Dirk]
- Login through the admin pages didn't work with register_globals=off [Dirk]
- Fixed admin lists so pagination works also in static pages [Oliver]
- Pass GeekLog as user agent when fetching RSS feeds [Mike]
- Made the image upload work with out-of-the-box PHP 5 configurations [Dirk]
- Fixed handling of HTML entities in Pingbacks [Dirk]
- Fixed Spam-X Mass Delete Trackback Spam module to update the story's trackback
count when deleting trackbacks [Dirk]
- Fixed a possible SQL error when saving a block (reported by BDUB) [Dirk]
- Fixed story titles in the What's New block when they contained HTML entities
(entities were sometimes cut off and/or encoded twice) [Dirk]
- Fixed a typo in all the plugin install scripts which set the group description
to "grp_desc" instead of $grp_desc (found by Ingo Schaefer) [Dirk]
- Improved autodetect of Trackback URLs [Dirk]
- The submit story form was not selecting the advanced Editor if user was not
logged in or did not have Story Editor permissions [Blaine]
- Added missing CSS class name "list-feed" for portal blocks [Dirk]
- Fixed user submission queue (reported by Andrew Lawlor) [Dirk]
- Fixed handling of integer fields in the Admin's story editor (reported by
Ron Ackerman) [Dirk]
- Fixed handling of checkboxes in the static pages editor (reported by
Ron Ackerman) [Dirk]
- Fixed SQL error when saving a static page that had had more than 1000 hits
(reported by Euan McKay) [Dirk]
- Removed visible table border from advanced comment editor form [Blaine]
- Moved some hard-coded text strings from the advanced editor into the
language files [Blaine]
- Updated Chinese language files, provided by Samuel M. Stone
- Updated Japanese language files, provided by Yusuke Sakate
Dec 31, 2005 (1.4.0rc1)
------------
- Added support for Advanced Editor in the Add Comment Feature [Blaine]
- Fixed SQL error in search on MySQL 5 (fix suggested by dariball) [Dirk]
- Added trackback.php and pingback.php to the included robots.txt [Dirk]
- Added a few more calls to COM_numberFormat all over the place (links and polls
plugins, Admins Only block, ...) [Dirk]
- Fixed test for a Geeklog 1.3.9 database in the install script [Dirk]
- When emailing a story, make sure all fields are filled in [Dirk]
- Don't lose the current topic selection when a Story Admin uses the Contribute
link [Dirk]
- Fixed highlighting of search query in comments when register_globals = off
[Dirk]
- When the entries in the Admin's block are not sorted, make sure the icons in
Command and Control are in the same order as the block entries [Dirk]
- Allow topic icons to be uploaded to and retrieved from a 'topics' directory
outside of the document root [Dirk]
- Added a workaround to produce abbreviated day names in the calendar for UTF-8
language files (reported by Euan McKay) [Dirk]
- The Spam-X plugin now uses the same "universal" install script as the other
three preinstalled plugins [Dirk]
- Added more allowable HTML tags and attributes if Advanced_Editor enabled
config.php setting [Blaine]
- Added logic to detect if Javascript was not enabled and Advanced Editor was
enabled.
User will be prompted with alert and able to use the default editor [Blaine]
- Changed spam handling for Trackbacks and Pingbacks to check for spam on the
unfiltered Trackback/Pingback content [Dirk]
- When editing a link submission with a new link category (i.e. the submitter
selected "other" and entered a non-existing category), make sure that new
category actually shows up in the links editor [Dirk]
- In the Admin's list of stories, show the display name of the topic (i.e. the
same as in the Topics block) instead of the topic ID [Dirk]
- Hide the edit icon in the Admin's list of stories when the current user
doesn't have edit access to a story (since they only got a note saying they
can't edit that story anyway) [Dirk]
- Fixed alternating row colors in admin lists if one row has no data [Oliver]
- Made it impossible to switch off blocks if there is no access [Oliver]
- Fixed handling of items in the submission queues (it was only possible to
approve / delete the first item in a queue) [Dirk]
- Grant users with 'plugin.edit' permission access to the plugin editor [Dirk]
- Changed admin-lists 'default-filter' to require 'AND' [Oliver]
- Fixed admin lists for events & static pages for non-root users [Oliver]
- Fixed invalid language string in submit.php [Oliver]
- Fixed problems with the query highlighting code escaping double quotes [Dirk]
- In the list of plugins, display only the plugin's current version number as
long as it's in sync with the code version or the plugin hasn't implemented
the chkVersion API function [Dirk]
- Limit length of a new user's username to 16 characters in the
admin/user/edituser.thtml template file [Dirk]
- Don't display the current user's userphoto when creating a new user in
admin/user.php [Dirk]
- Fixed sanity checks in USER_addGroup and USER_delGroup [Trinity, Dirk]
- Allowed the Links-entry from the top menu to be hidden by config.php in links
[Oliver]
- Fixed small HTML validation issues with adv. editor and admin lists [Oliver]
- Fixed comment bug that allowed comments to be saved even when user did not
have the correct story/topic permissions. [Vinny]
- Send the character set as an HTTP header from COM_siteHeader now [Oliver]
- Fixed updating Links feeds [Mike]
- Corrected RSS handling of GUID or LINK [Mike]
- Fixed date format in Atom feeds [Mike]
- Fixed loss of sort setting when browsing the user list [Oliver]
- Fixed block title of the site stats (reported by Tom Willet) [Dirk]
- Fixed an SQL error when approving the default story submission ("Are you
secure?") after a fresh install (reported by suvi) [Dirk]
- Fixed warnings that exposed the full path to Geeklog when attempting SQL
injections on the advanced search [Mike]
- The "Mail Users" icon was missing from Command and Control [Dirk]
- In Command and Control, show the Trackback icon only when at least one of the
Trackback, Pingback, or Ping features is enabled (in addition to 'story.ping'
permissions for the current user) [Dirk]
- Replaced the delete_event.gif icon (in layout/professional/images/icons) with
a PNG, since the Professional theme uses PNGs now and the icon wouldn't show
up otherwise [Dirk]
- The block around the list of backups was missing the title [Dirk]
- Don't emit the Trackback and Pingback headers when trackbacks have been
disabled for a story [Dirk]
- Introduced {lang_trackback_comments_no_link} (in trackback/trackback.thtml)
so that you can have an article page entirely without links back to itself
(for picky spiders such as the one for Google News) [Dirk]
- Call COM_refresh when creating a user with usersubmission = 1 [Mike]
- Fixed sorting of Trackbacks in the What's New block [Dirk]
- The search by author or by date switched to searching for everything on
page 2 of the results [Dirk]
- For the Links plugin, the "last x days" text in the What's New block was
missing [Dirk]
- Fixed an SQL error when creating new blocks [Mike]
- The feed reader will now also follow redirects [Mike]
- Updated Chinese traditional and simplified language files, and new Chinese
language files for the Links, Polls, and Static Pages plugins, provided by
Samuel M. Stone
- German language files now exist in 4 combinations (formal / informal German,
ISO-8859-15 / UTF-8 encoding) for Geeklog, the Links, Polls and Static Pages
plugins [Dirk]
- Updated Japanese language files, provided by Yusuke Sakate
- New Ukrainian language files (Windows-1251) for Geeklog and all four plugins,
provided by Vitaliy Biliyenko
- New Ukrainian language files (UTF-8 and KOI8-U encoding) for Geeklog, the
Spam-X, and Static Pages plugins, provided by Yaroslav Fedevych
Nov 20, 2005 (1.4.0b1)
------------
- Introduced {start_storylink_anchortag} and {end_storylink_anchortag} template
variables in the story and commentbar template files which only produce a
link to the story when not on article.php, thus avoiding links back to the
article page itself, which the spider for Google News doesn't seem to like
(feature request #486) [Dirk]
- Added a workaround for image uploads using GD when ImageCreateTrueColor is
not available (patch #468) [Dirk]
- Allow a subject to be passed as a parameter for the "contact user" form
(based on patch #497) [Dirk]
- Added support for right-to-left languages (based on patch #488) [Dirk]
- Update Feeds and Older Stories block when changing topic settings [Dirk]
- Added a hits counter to events and added a Top Ten Events section to the
site stats [Dirk]
- Introduced $_CONF['show_topic_icon'], i.e. the default setting whether to
show topic icons or not [Dirk]
- The "Older Stories" block now only lists articles that appeared on the
frontpage (i.e. have not been set to "Show only in topic", bug #408) [Dirk]
- Fixed problems with query highlighting in stories scrambling links in
autotags (bug #492) [Dirk]
- Group names are now unique (as they should have been from the beginning). The
install script takes care of existing duplicate group names when upgrading
to 1.4.0 (bug #367) [Dirk]
- Allow for more topic IDs in the user's preferences (bug #490) [Dirk]
- Replace autotags in the Daily Digest (bug #484) [Dirk]
- Explicitly link to /docs/index.html for the documentation link in the Admin's
block (bug #504) [Dirk]
- Added an option to enable / disable trackbacks per story (just like you can
enable / disable comments per story) [Dirk]
- Changed COM_optionList to check for language arrays which override the text
strings that are embedded in the database (for comment mode, featured story,
post mode, etc.) Bug #227 [Dirk]
- Fixed Bug #174 -- quotes in titles are no longer double htmlentized [Vinny]
- The default permissions for new objects (stories, topics, blocks, etc.) can
now be set in config.php (feature request #90) [Dirk]
- Added an "Active users" entry to the site statistics. If Geeklog is configured
to track a user's last login, this will display the number of users who
logged into the site during the last 4 weeks. Otherwise, it displays the
number of user accounts with status = 3 (i.e. have logged into their account
at least once and haven't been banned) [Dirk]
- Introduced a new plugin API function so that the plugin's summary (e.g.
number of items) can be properly integrated with the "Site Stats" section.
Modified stats/sitestatistics.thtml, removed stats/stats.thtml, added
stats/singlesummary.thtml template files [Dirk]
- Introduced a generic function, USER_getPhoto, which provides the user's photo,
if available. The function also supports getting the user's avatar from
gravatar.com (if enabled in config.php) [Dirk]
- The texts in the What's New block ("x new stories in the last y hours",
"last 2 weeks", etc.) now properly reflect the actual settings of the
$_CONF['newXXXinterval'] variables (bug #390) [Oliver, Dirk]
- Introduced a method to signal a forced update for feeds in case the content
of one of the feed entries has changed - so far, we only checked if entries
had been added or removed (bug #277) [Dirk]
- Added $_CONF['show_right_blocks'] option which, if set = true, will display
right-side blocks on all pages (also addresses feature request #31) [Dirk]
- Fixed bug #454, SQL error when reading comments. [Vinny]
- Leave off the "page=1" parameter on the "Google paging" navigation bar for
links that point back to the first page [Dirk]
- The default feed for a new site is now in RSS 2.0 format and named
"geeklog.rss" [Mike, Dirk]
- Added time of the day to the name of the database backups to allow several
backups a day [Oliver]
- When the search returns no results, the search form is now pre-populated
with the last search query, so that it can be changed easily. On successful
searches, a "refine search" link will appear that also takes you back to a
pre-populated search form (to refine your search, obviously) [Dirk]
- Changed search to only return a certain amount of hits per page, thus
avoiding timeouts on servers where the script execution time is limited
(bug #274) [Dirk]
A new config variable, $_CONF['num_search_results'], defines the number of
search results to be returned per page (and per type). The search form also
includes a drop-down menu where this can be changed for every search.
Plugins will have to indicate if they support this "paged" search. Otherwise,
Geeklog will fake the paging for the plugin, so that the plugin does a full
search for every page, but Geeklog will only display the hits for the current
page (such a plugin can therefore still cause a timeout until it is changed
to support "paged" searching).
- Added a permanent link to comments (in the professional theme) [Vinny]
- Added new icons for the admin sections and made sure each admin section
now has an icon in admin/moderation.php [Dirk]
The new icons have been taken from the Gnome project (some of them modified
by Jakub Steiner). They are released under the GPL.
- Introduced global variable $_IMAGE_TYPE that specifies the image type to
use. Defaults to 'gif'. Themes can override it to use other images types,
e.g. PNG, for all images [Dirk]
- Added option to upload topic icons (Feature Request #415, Patch #423),
provided by Alford Deeley (machinari)
- Changed the Admin's "Command and Control" center such that there is an icon
for every entry in the Admin's block [Dirk]
- Removed duplicate code for creating a "topic SQL" query in moderation.php
(use COM_getTopicSQL instead) [Dirk]
- Added the ability to allow users to login via defined remote services (ships
with Blogger and LiveJournal support) [Mike]
- Added the ability to ban users, and to tell when a user has logged in at least
once [Mike]
- Added edit-icon, List-Sorting, searching, Limits & alternating row colors
in admin menus for groups, syndication, staticpages, trackback
(where not yet done) [Oliver]
- Added function to allow user-defined scaling of images in articles by using
[unscaledX] instead of [imageX] [Oliver]
- Removed $_CONF['whosonline_fullname'] option - use $_CONF['show_fullname']
instead [Dirk]
- Fixed bug where extra slashes appeared when previewing comments [Vinny]
- Removed the "lastvisit" cookies, as they are obviously not used [Dirk]
- Removed redundant changepwd-button & code from /admin/user.php (Bug #9)
[Oliver]
- Added new feature to insert a feed-links into header depending on topic, to
be chosen from /admin/syndication.php in the form of
[Oliver]
- Added options to google-Navigation so it can be used by plugins and work with
url-rewriting (feature request #315). [Oliver]
- Userlist now also shows Registration Date and if $_CONF['lastlogin']= true it
shows the last login date instead. [Oliver]
- Added option in config.php to hide "Viewed: x" line with
$_CONF['viewscountline'] just as the $_CONF['contributedbyline'] [Oliver]
- Added function COM_numberFormat to format displayed numbers with custom
decimal & thousand - separators and fixed decimal places if necessary
Includes the respective 3 new config.php values in locale section.
(Feature Request #298) [Oliver]
- Default Blocks showed always in all Topics before. Now you can choose to show
them in All/only one topic/only on homepage like other blocks (feature #326)
[Oliver]
- A Story can now break over several pages in the body-text. The tag
[page_break] will split the bodytext in pieces that can be opened with the
std. COM_printPageNavigation. Introtext is removed for pages>1 [Oliver]
- Added field for old password check in /usersettings.php (bug #230) [Oliver]
- Added password confirmation to /admin/user.php and /usersettings.php
(bug #230) [Oliver]
- Made the alternating row colors in the Admin's trackback functions compatible
with the scheme used in other places (list of users, etc.). Also changed the
list of weblog directory services so that editing is now done by clicking on
the number of the service [Dirk]
- Stories are no longer forced to be featured _and_ on frontpage (bug #362)
[Oliver]
- Changed links locations in User-list, added user-photo indicator [Oliver]
- Don't update a story's date any more when unchecking the 'draft' flag
(bug #400) [Dirk]
- Don't use "rewritten" URLs in the static pages editor any more (bug #403).
Also updated the list of static pages to use alternating colors for the
rows [Dirk]
- Use "\r\n" when sending trackback pings (bug #407) [Dirk]
- Allow autotags to optionally have a space after the tag name [Blaine]
Valid tags are:
[story:20040101093000103 here] or [story: 20040101093000103 here]
- Fixed inconsistent use of {site_url} and {layout_url} in some of the
professional theme's admin template files - using {layout_url} everywhere
now when referring to icons (bug #395) [Dirk]
- Event titles containing quotes were cut off at the first quote in the event
editor, i.e. both the admin's event editor and the editor for personal events.
(bug #399) [Dirk]
- Modified PLG_templateSetVars API to also check for a custom function [Blaine]
Users can now set header template using CUSTOM_templatesetvars()
- Added new CSS declarations as recommended CSS for plugins [Blaine]
- Added a basic scheduler Plugin API plugin_runScheduledTask [Blaine]
Interval is set in config.php - $_CONF['cron_schedule_interval']
- Enhanced the Group Admin interface display [Blaine]
- Enhanced the User Admin display and made the headings sortable [Blaine]
- Geeklog will now properly handle html special characters (such as quotes and
ampersands) in comment titles (bug #174) [Vinny]
- Hide 'edit' option for articles in preview (bug #347) [Dirk]
- Changed admin/user.php to use file() for the batch import [Dirk]
- Implemented pinging weblog directory services like blo.gs and weblogs.com
(Feature Request #35). By default, we ping pingomatic.com [Dirk]
- Complete overhaul of the Plugin Comment API to reduce the likelihood of
plugins introducing security problems. Older plugins that use the comment
API will no longer work. [Vinny]
- Refactored Comment code out of lib-common.php and into lib-comment.php, also
some changes to comment.php [Vinny]
- Introduced a 'story.ping' permission that enables users to send Pings,
Pingbacks, and Trackbacks for a story (or plugin item). Members of the Story
Admin group have that permission by default.
- Overhauled install script: It will now abort the installation if the minimum
requirements (PHP 4.1.0, MySQL 3.23.2) are not met. It also displays a warning
message if register_long_arrays is off (PHP 5 only, bug #360). Another
warning message is displayed if "public_html" is part of the URL.
When upgrading, it now tries to identify the Geeklog version that was used
previously (only really works for versions 1.3.8 - 1.3.11) [Dirk]
- Fixed date in comment preview (bug #370) [Dirk]
- Incorporated the new syndication framework for reading and writing feeds of
different formats (RSS, RDF, Atom), provided by Michael Jervis (patch #352).
This contribution also addresses Task #19 ("RSS import class") and Feature
Request #67 ("Limiting number of entries in RSS feeds").
Please note that the feed writer classes, system/classes/*.feed.class.php,
are now obsolete and can be removed. Please also note this adds new PEAR
package requirements for Net_URL and HTTP_Request.
- Added support for sending and receiving trackback comments (Feature Request
#34) Also implemented Pingback support in pretty much the same way. Once
received, Geeklog treats Trackbacks and Pingbacks the same and stores them
in the gl_trackback table. [Dirk]
Both can be switched off in config.php: $_CONF['trackback_enabled'] = false;
and $_CONF['pingback_enabled'] = false;
- Added a new script, directory.php, that implements a date-based listing of
all the stories on a site [Dirk]
A link to the directory is available as a new option, 'directory', for the
$_CONF['menu_elements'] config variable, so that it can be added to the menu.
- The column headline for event search results was not displayed [Dirk]
- Added logos to syndication feeds. [Mike]
- Added config option to disable new accounts (Patch #426 from Alford Deeley)
[Mike]
- Alphabet Sort on Admin Menu and C&C Block [Mike]
- New Farsi (Persian) language file, provided by Hesam.H
- Updated Japanese language file, provided by Yusuke Sakata
- New Farsi (Persian) language file for the static pages plugin,
provided by Hesam.H
Links plugin 1.0.0
------------
- Added ID-editor and Autotags-feature [link: ... ] [Oliver]
- Added Category-Specific Feeds [Oliver]
- Added Edit-Icon, List-Sorting, searching, Limits & etc for admin menu [Oliver]
- Moved links functionality into a plugin [Trinity, Oliver]
Polls plugin 1.0.0
------------
- Polls moved to a plugin [Trinity]
Spam-X plugin 1.0.3
-------------
- The LogView module now automatically truncates the Spam-X logfile to 100KB
[Tom Willet]
- The IP Blacklist module now supports regular expressions [Mike]
- Added a Mass Delete module for Trackback comments [Dirk]
- Added an "admin override" option, so that postings by members of the 'spamx
Admin' group will not be checked for spam [Dirk]
July 16, 2006 (1.3.11sr7)
-------------
JPCERT/CC informed us about a possible XSS in the comment handling that we're
fixing with this release.
May 28, 2006 (1.3.11sr6)
------------
The Security Science Researchers Institute Of Iran reported the following
security issues:
- Possible SQL injection and authentication bypass in auth.inc.php
- Possible XSS in getimage.php
- Path disclosure in getimage.php and the functions.php of some themes,
e.g. the Professional theme
An internal code review also revealed a possible SQL injection in story
submissions.
Mar 5, 2006 (1.3.11sr5)
-----------
Security issue:
- Konstantin Dyakoff found an old bug in the session handling that would allow
anyone to log in as any user.
Feb 19, 2006 (1.3.11sr4)
------------
Security issues:
- James Bercegay of GulfTech Security Research reported several issues with
Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary
file access, and even injection and execution of arbitrary code.
- Prevent execution of PHP code in "normal" blocks
Dec 12, 2005 (1.3.11sr3)
------------
Security issues:
- Fixed comment bug that allowed comments to be saved even when user did not
have the correct story/topic permissions (reported by LWC) [Vinny]
- Fixed a path disclosure in case someone tampered with the start date or end
date in advanced search (reported by r0t3d3Vil) [Mike]
Feeding malformed dates to the search caused a warning message to be displayed
that disclosed the path to the Geeklog install on the server. It was NOT
possible to use this for SQL injections.
Bugfixes:
- Fixed the problems (introduced in 1.3.11sr2) editing static pages when
$_CONF['url_rewrite'] = true (bug #491) [Dirk]
- The "Reply" button didn't work when viewing individual comments [Vinny]
- Fixed the definition of the 'expire' field (in table gl_stories), which
caused an SQL error when doing a fresh install on MySQL 5
(reported by Johannes) [Dirk]
- Fixed and updated the Hebrew language file [LWC, Dirk]
- New Ukrainian language file (Windows-1251), provided by Vitaliy Biliyenko
- New Ukrainian language files (UTF-8 and KOI8-U encoding) for Geeklog, the
Spam-X, and Static Pages plugins, provided by Yaroslav Fedevych
Oct 9, 2005 (1.3.11sr2)
-----------
This release provides security enhancements and better spam protection
originally developed for Geeklog 1.3.12. It also addresses a few bugs where
the bugfix could be integrated with a reasonable amount of work (other bugfixes
will have to wait for the 1.3.12 release).
Security and Spam protection:
- Added speedlimit to login attempts, defaults to allowing three tries in a
five minute period. [Vinny]
See new config options $_CONF['login_attempts'] and $_CONF['login_speedlimit']
- Changed the spam handling to update the speed limit when spam is detected
(i.e. handle spam posts as if they were successful posts and make the
submitter wait for the speed limit to expire). Also send a 403 "Forbidden"
HTTP response code when displaying the "spam detected" message [Dirk]
To quote RFC2616: "403 Forbidden: The server understood the request, but is
refusing to fulfill it. Authorization will not help and the request SHOULD
NOT be repeated."
- Filter linefeeds in the To:, From:, and Subject: fields of an email in
COM_mail [Dirk]
- When a new user account is created and the user submission queue is enabled
in config.php, ensure that the user is properly "queued" even in the
unlikely event that the account creation fails halfway through (reported by
LWC) [Dirk]
- When $_CONF['emailstoryloginrequired'] = 1, hide the links to the "email
story" form from anonymous users [Dirk]
- When emailing a story, check the user's message that is sent with the story
for spam [Dirk]
- Added a robots.txt file to the distribution. By default, it excludes
comment.php, submit.php, and the docs directory from being spidered [Dirk]
- Added a spam check to the user profile [Dirk]
- Story, event, and link submissions are now also checked for spam [Dirk]
- This release also includes the Spam-X plugin version 1.0.2
Please note that MT-Blacklist (used by Spam-X) has recently been discontinued.
For the time being, we provide the last version of the blacklist for download
from geeklog.net (the Spam-X plugin as included in this release is configured
to get it from there for the initial import). There will, however, be no
updates to the blacklist. For details, please see
http://www.geeklog.net/article.php/mt-blacklist-discontinued
Bugfixes:
- Fixed an error message thrown up by PHP 5.0.5 or later when viewing the
article page (bug #483) [Dirk]
- Fixed bug with topic-specific blocks not showing up on the article page when
URL rewriting was enabled (bug #401) [Dirk]
- Fixed missing site header when trying to submit an event without required
fields. Also fixed that it would redirect you to the story submission form
then (bug #409) [Dirk]
- Make sure {menu_elements} is rendered using the menuitem_none.thtml template
when no menu elements are to be displayed (bug #378) [Dirk]
- Quote names in email addresses as soon as they contain any non-alphanumeric
characters (apart from the blank). This also addresses bug #368 [Dirk]
- Allow single quotes in passwords (bug #396, also previously reported as
bug #349 / #996354) [Dirk]
- When $_CONF['profileloginrequired'] was set to 1, the actual message that
you have to log in before being able to see a user profile was not wrapped
in the Geeklog framework (reported by Sean C) [Dirk]
- Fix: Made a story's archive/expire date work with the timezone hack [Dirk]
- COM_applyFilter will now accept negative numbers if the isnumeric parameter
is true. Needed to fix problems with pollbooth.php (and others) [Vinny]
- Upgraded included kses class to version 0.2.2 which fixes problems with
Japanese and Thai characters (among other things), thus addressing bugs #94
and #119 [Dirk]
- Fixed SQL error when using the [staticpage:] autotag (bug #373) [Dirk]
- Added a missing stripslashes call to remove backslashes when a topic's name
was displayed in the index page's title (bug #369) [Dirk]
- Link tags are now translated in printer friendly mode (Bug #411) [Mike]
- Removed the entry from the Professional theme's
header.thtml as "INDEX,FOLLOW" is the default anyway. For finer control,
we now ship a robots.txt [Dirk]
Improvements:
- Don't check for auto-archived stories when no archive topic has been
defined yet [Dirk]
- Added support for a custom_usercheck function. Custom registration code that
requires certain information can now abort the creation of a new account if
that information is missing. The function is called after Geeklog has checked
that the username and email address of the new user are okay (valid and not
in the database yet), but before the user has been added to the database
[Dirk]
- Saved one SQL request for a story's printable view [Dirk]
Language files:
- Made sure all language files refer to Geeklog's [image] tags as [imageX],
[imageX_right], and [imageX_left] (bug #381) [Dirk]
- New Catalan language file, provided by an anonymous user
- New Russian (UTF-8) language file, provided by Konstantin Boyandin
- Updated Hebrew language file, provided by LWC
- Updated Hellenic (Greek) language file, provided by MzOzD
- Updated Italian language file, provided by Marcello Teodori
- Updated Japanese (UTF-8) language file, provided by Yusuke Sakata
- Updated Portuguese (Brazil) language file, provided by Alcides Soares Filho
- Updated Russian language file, provided by Konstantin Boyandin
- New Japanese (UTF-8) language file for the Static Pages plugin, provided by
Yusuke Sakata
- Updated Italian language file for the Static Pages plugin, provided by
Marcello Teodori
- Updated Japanese language file for the Static Pages plugin, provided by
Yusuke Sakata
Aug 21, 2005 (Spam-X plugin 1.0.2)
------------
- Changed the display name of the plugin to "Spam-X" to avoid potential
confusion with the email spam filter of the same name.
"SpamX" is a registered trademark of Hendrickson Software Components.
- Added a new module to filter posts based on the IP address of the poster
[Tom Willet]
- Added a new module to filter posts based on the IP address of the
spamvertised site [Tom Willet]
- Added a new module to filter posts based on characteristics of the HTTP header
[Dirk]
- Fixed the Mass Delete Spam Comments module [Tom Willet]
- The Spam-X plugin's examine modules run the post through html_entity_decode()
now in case the spammers try to obfuscate their posts by using HTML entities
[Tom Willet, Dirk]
- The Mail Admin action module now also reports the HTTP headers of the post
that triggered the spam filter [Dirk]
- Added a simple stats function (reports the number of posts deleted as spam,
and - to the Spam-X Admin only - the number of entries for each module) [Dirk]
- Implemented an update function for the plugin [Dirk]
- New Farsi (Persian) language file, provided by Hesam.H
- New Italian language file, provided by Marcello Teodori
- New Spanish language file, provided by vivi1123
Jul 3, 2005 (1.3.11sr1)
-----------
This release addresses the following security issue:
Stefan Esser found an SQL injection that can, under certain circumstances,
be exploited to extract user data such as the user's password hash.
Dec 31, 2004 (1.3.11)
------------
Geeklog 1.3.11 addresses the following security issues:
1. It was possible to submit stories anonymously even if anonymous submissions
were turned off in config.php (reported by Barry Wong).
These stories still ended up in the submission queue, though, unless you
disabled it in config.php.
2. Some of the parameters in link and event submissions weren't filtered,
leaving them open to potential SQL injections.
3. The links for the What's Related block were created from the unfiltered story
text, opening the possibility of XSS attacks (reported by Vincent Furia).
Bugfixes:
- Added a missing stripslashes() call for the topic name in the What's Related
block (bug #351) [Dirk]
(affected file: system/lib-story.php)
- Fixed problems in the story editor when editing plain-text posts with
uploaded images (bug #356) [Dirk]
(affected file: public_html/admin/story.php)
- When changing a story ID, update the story ID in any comments to that story,
too (bug #357) [Dirk]
(affected file: public_html/admin/story.php)
- Fixed handling of autotags that started with the same substring, e.g. for
2 tags 'mytag' and 'mytagtwo', the second tag would not be recognized
(reported by Dr. Shakagee) [Dirk]
(affected file: system/lib-plugins.php)
- Fixed caching of $_GROUPS [Dirk]
(affected files: system/lib-security.php, public_html/lib-common.php)
- Made a minor optimization to save one SQL request when displaying the comment
bar for anonymous users [Dirk]
(affected file: public_html/lib-common.php)
- Updated Slovenian language file, provided by gape.
(affected file: language/slovenian.php)
Dec 22, 2004 (1.3.11rc1)
------------
- Fixed "archive" option being activated too early on certain non-featured
stories (bug #345) [Blaine]
- Added missing handling of autotags in static pages being displayed as center
blocks (reported by Jill) [Dirk]
- Fixed size of the 'sid' field in the gl_comments table. It should be 40
characters, to be able to hold the long story IDs introduced in 1.3.10
(reported by Douglas Santos) [Dirk]
- When using mogrify (ImageMagick) to resize uploaded images, the name of the
image is now enclosed in double quotes instead of single quotes, which
caused the command to fail on Windows [Dirk]
- The emails sent from the Spam-X plugin's MailAdmin action now also include
the IP address of the spam poster [Dirk]
- SEC_getFeatureGroup() should not overwrite $_GROUPS if not operating on the
current user (bug #331) [Dirk]
- Introduced a {camera_icon} variable in story and comment templates that
displays the little camera icon if the author has uploaded a user photo, just
like in the Who's Online block (suggested by Laurence Whitworth) [Dirk]
- The parent link in top-level comments took the user to the homepage rather
than to the article page (bug #346) [Vinny]
- Stories submitted for the archive topic will automatically be saved with
frontpage = 0 when approved, i.e. only be displayed in the topic [Dirk]
- Avoid emitting an extra tag after the last section in the What's New
block (bug #330) [Dirk]
- Update comment count in Older Stories block when a new comment is posted
(bug #317). Also optimized the code to collect the contents of the Older
Stories block [Dirk]
- Fixed extra being emitted in the calendar for events that aren't
visible for the current user (bug #268) [Dirk]
- (Event) Admins can now delete events directly from the calendar's day and
week views (just like events in the personal calendar) [Dirk]
- Fixed usersettings.php so that it displays the "benefits" message again when
called up by an anonymous user. Also made it go to the user's preferences
when called without a 'mode' parameter [Dirk]
- Added {layout_url} to the available theme variables in the submission forms.
Also added {separator} for those who prefer correct spelling ;-) [Dirk]
- More parameter filtering and permission checks in submit.php [Dirk]
- Fixed over-zealous parameter filtering in links.php which prevented
categories with apostrophes from working [Dirk]
- Fixed broken URLs when editing a plain-text story that contained uploaded
images (reported by LWC) [Dirk]
- The PEAR classes that ship with Geeklog actually require PHP 4.2.x now.
However, the missing functions in older PHP versions (minimum requirement
for Geeklog itself is now PHP 4.1.0) are provided by the PEAR PHP_Compat
package, which we will have to ship with Geeklog from now on. Added the
necessary code to lib-common.php to load PHP_Compat, if required [Dirk]
Many thanks to Tom Willet for providing a test setup.
- Fixed "quick add form" for personal events, so that it stores the new event
directly now [Dirk]
- Fixed handling of 12am/pm in events, event submissions, and when passing the
time from the calendar to the event submission forms [Dirk]
- Improved handling of personal events / personal calendar, especially for
(Event) Admins [Dirk]
- Fixed What's Related links when magic_quotes_gpc = on [Vinny, Dirk]
- Fixed use of an undefined variable $U in COM_showBlocks and warning messages
for undefined array indexes in COM_getCurrentURL (reported by irawen) [Dirk]
- Allow empty search query strings so that the "More by " and "More
from " options work again [Dirk]
- When deleting a poll, also delete any comments to that poll [Dirk]
- Delete comments and story images when deleting stories from a deleted topic
(bug #339) [Dirk]
- When deleting a story, added an extra check for type='article' when deleting
the story's comments [Dirk]
- Set current user as the owner when cloning an event (bug #338) [Dirk]
- Start time, end time, and event location weren't copied over when adding a
site event to the personal calendar (bug #336) [Dirk]
- Fixed wrong use of htmlentities() on comment title (bug #335) [Dirk]
- Changed "read more" word count so that it ignores HTML tags (bug #333) [Dirk]
- Updated Slovenian language file, provided by gape.
- Updated Dutch language file, provided by Ko de Pree.
- Updated Dutch language file for the Static Pages plugin,
provided by Ko de Pree.
- New French language files for the Spam-X plugin, provided by Alain Ponton.
Nov 28, 2004 (1.3.10)
------------
- Allow omission of the link text for the [story:], [event:], and [staticpage:]
autotags. Geeklog will then use the title (of the story / event / static page)
as the link text [Dirk]
(affected files: system/lib-plugins.php, plugins/staticpages/functions.inc)
- Updated Chinese language files (all 4 of them), provided by Samuel M. Stone
Nov 21, 2004 (1.3.10rc3)
------------
- Changed wording of the error message if the "backups" directory is not
writable [Dirk]
- Fixed comments for the DB_result (in lib-database.php) and dbResult
(in mysql.class.php) functions (bug #320) [Dirk]
- Display a success message when using the "changepw" option in admin/user.php
[Dirk]
- When changing a username, make sure to change the name of the user's photo,
too (bug #321) [Dirk]
- Links in "plain text" stories and comments are now made clickable (i.e.
enclosed in tags) when the post is saved instead of when it's displayed,
as in the previous release candidates. This also fixes bug #308. [Dirk]
- Added $_CONF['disable_autolinks'] config option to disable autolinks [Dirk]
- Removed ViewBlacklist.Admin.class.php from the Spam-X plugin [Tom Willet]
- Overhauled handling of personal events [Dirk]:
+ Fixed deleting personal events (again).
+ The upcoming events block now links to the event details of personal
events (just like it already did for site events).
+ Added stricter checks for permissions, user IDs, and the personal calendars
being activated in the first place.
- Added a check for allow_url_fopen if reading a (RSS) feed fails and report it
in error.log if it is off [Dirk]
- When deleting a story (automatically), make sure we're only deleting comments
belonging to that story (i.e. added a check for type = 'article') [Dirk]
- Added {event_type}, {lang_event_type}, and {edit_icon} in all the themes'
calendar/eventdetails.thtml template file [Dirk]
- Fixed some URLs in the calendar (missing slash) [Dirk]
- Comment IDs don't have to be numeric (in comment.php) [Vinny]
- The Static Pages plugin now takes $_CONF['showfirstasfeatured'] into account
when displaying static pages in center blocks (reported by eyecravedvd) [Dirk]
- Forgot to declare $_CONF as global when fixing bug #301 (bug #302) [Dirk]
- Updated Chinese language files (all 4 of them), provided by Samuel M. Stone
- Updated Japanese language files (euc-jp and UTF-8), provided by Yusuke Sakata
- Updated Polish language file, provided by Robert Stadnik
- Updated Slovenian language file, provided by gape
- Updated Spanish language file, provided by Angel Romero
- Updated Swedish language file, provided by Markus Berg
Oct 24, 2004 (1.3.10rc2)
------------
- Fixed plugin update function [Blaine]
- Set the target encoding in Geeklog's RSS parser (bug #301) [Dirk]
- Set the {topic_icon} variable to an empty string for the "Home" link in the
Topics block (reported by jhwhite) [Dirk]
- Fixed News Box Configuration, i.e. the ability to disable blocks [Vinny]
- In the story template files, the number of comments is now only a link when
there actually is a comment on the story [Dirk]
- Hard-coded the English word 'delete' in the URLs to delete a comment [Dirk]
- For the list of a user's recent comments, use 'mode=view' to link directly
to a comment now [Dirk]
- Fixed comment id in comment notification emails [Dirk]
- Fixed display of the number of static pages that the user has access to (in
the Admin Block) [Dirk]
- COM_makeClickableLinks did not recognize links with the 'http:' at the
start of a line [Dirk]
- Re-introduced between plugin sections in the What's New block, pretty
much reverting the change suggested by feature request #292 [Dirk]
- Introduced function COM_formatEmailAddress that creates a (more or less)
RFC(2)822 compliant email address from a name and an address [Dirk]
This function is now used for formatting the site address, as well as for
addresses entered by the user in profiles.php and admin/mail.php.
- The Spam-X plugin's MailAdmin action didn't send any email notifications,
since the call to COM_mail was commented out ... [Dirk]
- admin/mail.php and admin/group.php use the complete URL to the script in
the tag in story search results (bug #260) [Dirk]
- Added a second parameter to function COM_makeList that is used as a CSS
class name in the list it returns (use {list_class_name} to get the actual
class name, and {list_class} to get class="classname"). Changed the existing
calls to COM_makeList to include class names, so that you can now use the
following class names in your stylesheet to style lists: list-feed,
list-new-comments, list-new-links, list-new-plugins, list-older-stories,
list-personal-events, list-site-events, list-story-options, list-whats-related
(the names should be self-explanatory) [Dirk]
- Moved the docs directory to public_html/docs and added a link to it from the
Admin's block (can be switched off in config.php by setting the new option
$_CONF['link_documentation'] = 0) [Dirk]
- Replaced 'ppmtojpeg' with 'pnmtojpeg' when using NetPBM for scaling
uploaded JPEG images (bug #257) [Dirk]
- Added a check (and a warning message) for PHP 4.1.0 to the install script,
as that is our new minimum requirement [Dirk]
- Rewrote install/success.php and added a link to install/check.php [Dirk]
- Added the 'data' and 'pdfs' directory to install/check.php [Dirk]
- Integrated the "welcome email hack": If the file 'welcome_email.txt' exists
in the 'data' directory, the contents of that file are sent out as the
welcome email to new users (instead of the hard-coded welcome message) [Dirk]
- Introduced a 'data' directory ($_CONF['path_data'], defaulting to
/path/to/geeklog/data) and use it for the batch user import, as Geeklog's
base directory may not be writable on some setups (bug #77) [Dirk]
- Sort list of older polls by date (newest first) and added paging [Dirk]
- Make sure the old userphoto is deleted when uploading a new one (bug #228).
So far, the old photo was not removed when the file type changed (e.g. from
.gif to .jpg) [Dirk]
- Don't assume the uploaded file in usersettings.php is always the userphoto -
it may in fact belong to a plugin (bug #179). This bug prevented plugins from
uploading their own files through the plugin API [Dirk]
- Fixed repeating events in the personal calendar's day view (bug #232) [Dirk]
- COM_siteHeader() now accepts a page title (to go between the page's
... tags) as the second parameter, replacing the
$_CONF['pagetitle'] hack (which still works but should be avoided) [Dirk]
- In the site's page title, replace the site slogan with more meaningful
information, where possible, e.g. "Submit a Story" on the story submission
form, "Search Results", etc. (feature request #95) [Dirk]
- Fixed deleting events from the personal calendar (bug #199) [Dirk]
- Carry over the date and time from the calendar when Admins add a new event
(bug #132) [Dirk]
- Don't display "Site Events" headline in the Upcoming Events block when
personal calendars are off (feature request #151) [Dirk]
- Removed hard-coded am/pm formatted hours from the calendar's day view
(calendar/dayview/dayview.thtml) and replaced them with {xx_hour} variables,
where 'xx' is 0-23, which will be replaced with the hours formatted
according to the $_CONF['timeonly'] config variable [Dirk]
- Themes can now use a couple of CSS class names to style the small calendar (of
the previous and next month) in month view: .smallcal, .smallcal-headline,
.smallcal-week-even, .smallcal-week-odd, .smallcal-week-empty,
.smallcal-day-even, .smallcal-day-odd, and .smallcal-day-empty [Dirk]
- Improvements to the Story Archive Feature, UI tweaks, Language Extraction,
Added new field to the topics table. Admin now sets the archive topic in
the Topic Editor. Only one topic can be used - logic enforced. [Blaine]
- Don't emit the