Upstream changes:
1.3136 2015-05-24
[DOCUMENTATION]
- Remove mention of format 'with_id' from Dancer::Logger::Abstract.
(GH#112, Fabrice Gabolde)
[ENHANCEMENTS]
- Cache sessions such that they are only retrieved once per request.
(GH#1105, GH#992, Yanick Champoux)
pkgsrc change: remove RUBY_VERSION_SUPPORTED since it has default value.
## 1.2.2
- fix handshake for draft 11+ sending Sec-WebSocket-Origin instead of Origin
pkgsrc change: add support for pkg_alternatives.
unicorn 4.9.0 - TempfileReaper support in Rack 1.6
This release supports the Rack::TempfileReaper middleware found
in rack 1.6 for cleaning up disk space used by temporary files.
We also use Rack::TempfileReaper for cleaning up large temporary
files buffered with TeeInput. Users on rack 1.5 and earlier
will see no changes.
There's also a bunch of documentation/build system improvements.
This is likely to be the last Ruby 1.8-compatible release,
unicorn 5.x will require 1.9.3 or later as well as dropping lots
of cruft (the stupid "Status:" header in responses being the
most notable).
21 changes backported from master:
ISSUES: update with mailing list subscription
FAQ: add entry for Rails autoflush_log
dev: remove isolate dependency
unicorn.gemspec: depend on test-unit 3.0
remove RubyForge and Freecode references
remove mongrel.rubyforge.org references
examples: add run_once to before_fork hook example
t/t0002-parser-error.sh: relax test for rack 1.6.0
switch docs + website to olddoc
README: clarify/reduce references to unicorn_rails
gemspec: fixup olddoc migration
GNUmakefile: fix clean gem build + reduce build cruft
doc: update support status for Ruby versions
fix uninstalled testing and reduce require paths
test_socket_helper: do not depend on SO_REUSEPORT
ISSUES: add section for bugs in other projects
explain 11 byte magic number for self-pipe
Links: mark Rainbows! as historical, reference yahns
doc: document UNICORN_FD in manpage
tee_input: support for Rack::TempfileReaper middleware
support TempfileReaper in deployment and development envs
= 1.4.6 / 2015-03-2x
* Improve tests and documentation. (Dar«¿o Here«Ð«â, Seiichi Yonezawa, kyoendo,
John Voloski, Ferenc-, Renaud Martinet, Christian Haase, marocchino,
huoxito, Damir Svrtan, Amaury Medeiros, Jeremy Evans, Kashyap, shenqihui,
Ausmarton Fernandes, kami, Vipul A M, Lei Wu, 7stud, Taylor Shuler,
namusyaka, burningTyger, Cornelius Bock, detomastah, hakeda, John Hope,
Ruben Gonzalez, Andrey Deryabin, attilaolah, Anton Davydov, Nikita Penzin,
Dyego Costa)
* Remove duplicate require of sinatra/base. (Alexey Muranov)
* Escape HTML in 404 error page. (Andy Brody)
* Refactor to method call in `Stream#close` and `#callback`. (Damir Svrtan)
* Depend on latest version of Slim. (Damir Svrtan)
* Fix compatibility with Tilt version 2. (Yegor Timoschenko)
* Fix compatibility issue with Rack `pretty` method from ShowExceptions.
(Kashyap)
* Show date in local time in exception messages. (tayler1)
* Fix logo on error pages when using Ruby 1.8. (Jeremy Evans)
* Upgrade test suite to Minitest version 5 and fix Ruby 2.2 compatibility.
(Vipul A M)
3.4.14 (22 May 2015)
* Further avoid race conditions when caching.
* Only emit one warning for each line that uses the deprecated form of
unquote().
* Stop parsing and emitting invalid @supports directives.
* Add a deprecation warning for using != to compare a number with units to a
number without. Such a warning already existed for ==.
* Improve rounding of the results of color operations.
=== 2.11.3 / 2015-05-18
* 5 bug fixes:
* Be sure to unlink tempfiles after a request. Fixes#690
* Coerce the key to a string before checking. (thar be symbols). Fixes#684
* Fix hang on bad SSL handshake
* Remove `enable_SSLv3` support from JRuby
* 1 PR merged:
* Merge pull request #698 from looker/hang-handshake
=== 2.11.2 / 2015-04-11
* 2 minor features:
* Add `on_worker_fork` hook, which allows to mimic Unicorn's behavior
* Add shutdown_debug config option
* 4 bug fixes:
* Fix the Config constants not being available in the DSL. Fixes#683
* Ignore multiple port declarations
* Proper 'Connection' header handling compatible with HTTP 1.[01] protocols
* Use "Puma" instead of "puma" to reporting to New Relic
* 1 doc fixes:
* Add Gitter badge.
* 6 PRs merged:
* Merge pull request #657 from schneems/schneems/puma-once-port
* Merge pull request #658 from Tomohiro/newrelic-dispatcher-default-update
* Merge pull request #662 from basecrm/connection-compatibility
* Merge pull request #664 from fxposter/on-worker-fork
* Merge pull request #667 from JuanitoFatas/doc/gemspec
* Merge pull request #672 from chulkilee/refactor
[ Joey Hess ]
* New emailauth plugin lets users log in, without any registration,
by simply clicking on a link in an email.
* Re-remove google from openid selector; their openid provider is
gone for good.
* Make the openid selector display "Password" instead of "Other"
when appropriate, so users are more likely to click on it when
they don't have an openid.
* Converted openid-selector into a more generic loginselector helper
plugin.
* passwordauth: Don't allow registering accounts that look like openids.
* Make cgiurl output deterministic, not hash order. Closes: #785738
Thanks, Daniel Kahn Gillmor
[ Simon McVittie ]
* Do not enable emailauth by default, to avoid surprises on httpauth-only
sites. Enable it by default in openid instead, since it is essentially
a replacement for OpenIDs.
* Make the attachment plugin work with CGI.pm 4.x (Closes: #786586;
workaround for #786587 in libcgi-pm-perl)
* Add a public-domain email icon from tango-icon-theme
* Populate pagectime from either mtime or inode change time,
whichever is older, again for more reproducible builds
* debian: build the docwiki with LC_ALL=C.UTF-8 and TZ=UTC
* debian/copyright: consolidate permissive licenses
* debian/copyright: turn comments on provenance into Comment
* brokenlinks: sort the pages that link to the missing page, for
better reproducibility
* Add [[!meta date]] to news items and tips, since the git checkout
and build process can leave the checkout date in the tarball
release, leading to unstable sorting
* Sort backlinks deterministically, by falling back to sorting by href
if the link text is identical
* Add a $config{deterministic} option and use it for the docwiki
* haiku: if deterministic build is requested, return a hard-coded haiku
* polygen: if deterministic build is requested, use a well-known random seed
The TYPO3 community announces the release of TYPO3 CMS version 6.2.13
LTS, which is now ready for you to download.
This version is a maintenance release and contains bug fixes as well as
various improvements for the day-to-day administration of a TYPO3
website (Extension Manager and management of reference index).
PHP 5.6 support
- ---------------
Although the TYPO3 CMS Team aims at eventually supporting PHP 5.6 with
TYPO3 6.2 LTS, we are aware of some in-depth issues. As such, we
highly recommend to keep PHP 5.3 - 5.5 when running TYPO3 6.2 LTS for
the time being. Hopefully this should be fixed with the next release.
Image handling
- --------------
The base data used for the checksum calculation of processed files
have been changed. This should be transparent for you unless you are
having a large installation. In such case, we enjoin you to read the
details about this release (link below) and to make use of the
dedicated upgrade wizard.
Bugs Fixed
1. If the WSGI application when run under daemon mode returned response content as many small blocks, this could result in excessive memory usage in the Apache child worker process proxying the request due to many buckets being buffered until the buffer size threshold was reached. If the number of buckets reaches a builtin threshold the buffered data will now be forcibly flushed even if the size threshold hadn’t been reached.
${PYPKGPREFIX} to avoid such an instance. Some people will run apps with
different versions of python, so we can handle that accordingly with
ALTERNATIVES. Bump PKGREVISION.
(March 24, 2015)
Trac 1.0.5 provides several fixes. The following are some highlights:
Images are not rendered in the timeline (#10751).
Git tags are shown in the browser view (#11964).
Added support for journal_mode and synchronous pragmas in sqlite: database connection string (#11967).
Contao is an Open Source PHP Content Management System for people who want a
professional website that is easy to maintain. Visit the https://contao.org
for more information.
This is new Long Term Support release which replase existing Contao 3.2
and the last stable release from Contao 3.x series.
Please refer system/docs/CHANGELOG.md in detail.
Add missing DEPENDS
Upstream changes:
1.0036 2015-06-03 12:01:53 PDT
[BUG FIXES]
- Fix CGIBin test to not use CGI.pm #509
1.0035 2015-04-16 10:08:21 CEST
[BUG FIXES]
- Fixed parsing of empty query string pairs (aristotle) #500
[IMPROVEMENTS]
- Documentation updates for FCGI (otrosien) #494
- Use HTTP::Headers::Fast in Plack::Request
- Big performance optimizations on Plack::Util::header_* (aristotle) #498
- Added .webm to Plack::MIME (marlencrabapple) #503
- Use Cookie::Baker to bake cookies in Plack::Response (oalders)
- reduced the size of distribution by making binary files smaller
Changes to GoAccess 0.9.1 - Tuesday, May 26, 2015
* Added additional Nginx-specific status codes.
* Added Applebot to the list of web crawlers.
* Added Microsoft Edge to the list of browsers.
* Added the ability to highlight active panel through --hl-header.
* Ensure dump_struct is used only if using __GLIBC__.
* Ensure goaccess image has an alt attribute on the HTML output for valid HTML5.
* Ensure the config file path is displayed when something goes wrong (FATAL).
* Ensure there is a character indicator to see which panel is active.
* Fixed Cygwin compile issue attempting to use -rdynamic.
* Fixed issue where a single IP did not get excluded after an IP range.
* Fixed issue where requests show up in the wrong view even when --no-query-string is used.
* Fixed issue where some browsers were not recognized or marked as 'unknown'.
* Fixed memory leak when excluding an IP range.
* Fixed overflows on sort comparison functions.
* Fixed segfault when using on-disk storage and loading persisted data with -a.
* Removed keyphrases menu item from HTML output.
* Split iOS devices from Mac OS X.
Changes to GoAccess 0.9 - Thursday, March 19, 2015
* Added ability to double decode an HTTP referer and agent.
* Added ability to sort views through the command line on initial load.
* Added additional data values to the backtrace report.
* Added additional graph to represent the visitors metric on the HTML output.
* Added AM_PROG_CC_C_O to configure.ac
* Added 'Android Lollipop' to the list of operating systems.
* Added 'average time served' metric to all panels.
* Added 'bandwidth' metric to all panels.
* Added command line option to disable summary metrics on the CSV output.
* Added numeric formatting to the HTML output to improve readability.
* Added request method specifier to the default W3C log format.
* Added support for GeoIP Country IPv6 and GeoIP City IPv6 through --geoip-database.
* Added the ability to ignore parsing and displaying given panel(s).
* Added the ability to ignore referer sites from being counted.
A good case scenario is to ignore own domains. i.e., owndomain.tld
This also allows ignoring hosts using wildcards.
For instance, *.mydomain.tld or www.mydomain.* or www?.mydomain.tld
* Added time/hour distribution module. e.g., 00-23.
* Added 'visitors' metrics to all panels.
* Added Windows 10 (v6.4) to the real windows user agents.
* Changed AC_PREREQ macro version so it builds on old versions of autoconf.
* Changed GEOIP database load to GEOIP_MEMORY_CACHE for faster lookups.
* Changed maximum number of choices to display per panel to 366 fron 300.
* Ensure config file is read from home dir if unable to open it from %sysconfdir% path.
* Fixed array overflows when exceeding MAX_* limits on command line options.
* Fixed a SEGFAULT where sscanf could not handle special chars within the referer.
* Fixed character encoding on geolocation output (ISO-8859 to UTF8).
* Fixed issue on wild cards containing '?' at the end of the string.
* Fixed issue where a 'Nothing valid to process' error was triggered when the
number of invalid hits was equal to the number of valid hits.
* Fixed issue where outputting to a file left a zero-byte file in pwd.
* Improved parsing of operating systems.
* Refactored log parser so it allows with ease the addition of new modules. This
also attempts to decouple the core functionality from the rendering functions.
It also gives the flexibility to add children metrics to root metrics for any
module. e.g., Request A was visited by IP1, IP2, IP3, etc.
* Restyled HTML output.
Changelog:
New: Keep track of articles and videos with Pocket
New: Clean formatting for articles and blog posts with Reader View
New: Share the active tab or window in a Hello conversation
Fixed: A race condition that would cause Firefox to stop painting when switching tabs (bug 1067470)
Fixed: Fixed graphics performance when using the built-in VGA driver on Windows 7 (Bug 1165732)
Changelog:
WordPress 4.2.2 Security and Maintenance Release
Posted May 7, 2015 by Samuel Sidler. Filed under Releases, Security.
WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
Thanks to everyone who contributed to 4.2.2:
Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.
rdPress.org
Showcase
Themes
Plugins
Mobile
Support
Get Involved
About
Blog
Hosting
Download WordPress
WordPress 4.2.2 Security and Maintenance Release
Posted May 7, 2015 by Samuel Sidler. Filed under Releases, Security.
WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
Thanks to everyone who contributed to 4.2.2:
Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.
Share this:
WordPress 4.2.1 Security Release
Posted April 27, 2015 by Gary Pendergast. Filed under Releases, Security.
WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.
WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.
For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.
WordPress 4.2
An easier way to share content
Extended character support
Switch themes in the Customizer
Even more embeds
Streamlined plugin updates
Under the Hood
utf8mb4 support
Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.
JavaScript accessibility
You can now send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.
Shared term splitting
Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.
Complex query ordering
WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.
What's new in Tornado 4.2
=========================
May 26, 2015
------------
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``SSLIOStream.connect`` and `.IOStream.start_tls` now validate certificates
by default.
* Certificate validation will now use the system CA root certificates instead
of ``certifi`` when possible (i.e. Python 2.7.9+ or 3.4+). This includes
`.IOStream` and ``simple_httpclient``, but not ``curl_httpclient``.
* The default SSL configuration has become stricter, using
`ssl.create_default_context` where available on the client side.
(On the server side, applications are encouraged to migrate from the
``ssl_options`` dict-based API to pass an `ssl.SSLContext` instead).
* The deprecated classes in the `tornado.auth` module, ``GoogleMixin``,
``FacebookMixin``, and ``FriendFeedMixin`` have been removed.
New modules: `tornado.locks` and `tornado.queues`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These modules provide classes for coordinating coroutines, merged from
`Toro <http://toro.readthedocs.org>`_.
To port your code from Toro's queues to Tornado 4.2, import `.Queue`,
`.PriorityQueue`, or `.LifoQueue` from `tornado.queues` instead of from
``toro``.
Use `.Queue` instead of Toro's ``JoinableQueue``. In Tornado the methods
`~.Queue.join` and `~.Queue.task_done` are available on all queues, not on a
special ``JoinableQueue``.
Tornado queues raise exceptions specific to Tornado instead of reusing
exceptions from the Python standard library.
Therefore instead of catching the standard `queue.Empty` exception from
`.Queue.get_nowait`, catch the special `tornado.queues.QueueEmpty` exception,
and instead of catching the standard `queue.Full` from `.Queue.get_nowait`,
catch `tornado.queues.QueueFull`.
To port from Toro's locks to Tornado 4.2, import `.Condition`, `.Event`,
`.Semaphore`, `.BoundedSemaphore`, or `.Lock` from `tornado.locks`
instead of from ``toro``.
Toro's ``Semaphore.wait`` allowed a coroutine to wait for the semaphore to
be unlocked *without* acquiring it. This encouraged unorthodox patterns; in
Tornado, just use `~.Semaphore.acquire`.
Toro's ``Event.wait`` raised a ``Timeout`` exception after a timeout. In
Tornado, `.Event.wait` raises `tornado.gen.TimeoutError`.
Toro's ``Condition.wait`` also raised ``Timeout``, but in Tornado, the `.Future`
returned by `.Condition.wait` resolves to False after a timeout::
@gen.coroutine
def await_notification():
if not (yield condition.wait(timeout=timedelta(seconds=1))):
print('timed out')
else:
print('condition is true')
In lock and queue methods, wherever Toro accepted ``deadline`` as a keyword
argument, Tornado names the argument ``timeout`` instead.
Toro's ``AsyncResult`` is not merged into Tornado, nor its exceptions
``NotReady`` and ``AlreadySet``. Use a `.Future` instead. If you wrote code like
this::
from tornado import gen
import toro
result = toro.AsyncResult()
@gen.coroutine
def setter():
result.set(1)
@gen.coroutine
def getter():
value = yield result.get()
print(value) # Prints "1".
Then the Tornado equivalent is::
from tornado import gen
from tornado.concurrent import Future
result = Future()
@gen.coroutine
def setter():
result.set_result(1)
@gen.coroutine
def getter():
value = yield result
print(value) # Prints "1".
`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~
* Improved compatibility with Windows.
* Fixed a bug in Python 3 if a module was imported during a reload check.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
* `.run_on_executor` now accepts arguments to control which attributes
it uses to find the `.IOLoop` and executor.
`tornado.curl_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~
* Fixed a bug that would cause the client to stop processing requests
if an exception occurred in certain places while there is a queue.
`tornado.escape`
~~~~~~~~~~~~~~~~
* `.xhtml_escape` now supports numeric character references in hex
format (`` ``)
`tornado.gen`
~~~~~~~~~~~~~
* `.WaitIterator` no longer uses weak references, which fixes several
garbage-collection-related bugs.
* `tornado.gen.Multi` and `tornado.gen.multi_future` (which are used when
yielding a list or dict in a coroutine) now log any exceptions after the
first if more than one `.Future` fails (previously they would be logged
when the `.Future` was garbage-collected, but this is more reliable).
Both have a new keyword argument ``quiet_exceptions`` to suppress
logging of certain exception types; to use this argument you must
call ``Multi`` or ``multi_future`` directly instead of simply yielding
a list.
* `.multi_future` now works when given multiple copies of the same `.Future`.
* On Python 3, catching an exception in a coroutine no longer leads to
leaks via ``Exception.__context__``.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* The ``raise_error`` argument now works correctly with the synchronous
`.HTTPClient`.
* The synchronous `.HTTPClient` no longer interferes with `.IOLoop.current()`.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* `.HTTPServer` is now a subclass of `tornado.util.Configurable`.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
* `.HTTPHeaders` can now be copied with `copy.copy` and `copy.deepcopy`.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* The `.IOLoop` constructor now has a ``make_current`` keyword argument
to control whether the new `.IOLoop` becomes `.IOLoop.current()`.
* Third-party implementations of `.IOLoop` should accept ``**kwargs``
in their `~.IOLoop.initialize` methods and pass them to the superclass
implementation.
* `.PeriodicCallback` is now more efficient when the clock jumps forward
by a large amount.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* ``SSLIOStream.connect`` and `.IOStream.start_tls` now validate certificates
by default.
* New method `.SSLIOStream.wait_for_handshake` allows server-side applications
to wait for the handshake to complete in order to verify client certificates
or use NPN/ALPN.
* The `.Future` returned by ``SSLIOStream.connect`` now resolves after the
handshake is complete instead of as soon as the TCP connection is
established.
* Reduced logging of SSL errors.
* `.BaseIOStream.read_until_close` now works correctly when a
``streaming_callback`` is given but ``callback`` is None (i.e. when
it returns a `.Future`)
`tornado.locale`
~~~~~~~~~~~~~~~~
* New method `.GettextLocale.pgettext` allows additional context to be
supplied for gettext translations.
`tornado.log`
~~~~~~~~~~~~~
* `.define_logging_options` now works correctly when given a non-default
``options`` object.
`tornado.process`
~~~~~~~~~~~~~~~~~
* New method `.Subprocess.wait_for_exit` is a coroutine-friendly
version of `.Subprocess.set_exit_callback`.
`tornado.simple_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Improved performance on Python 3 by reusing a single `ssl.SSLContext`.
* New constructor argument ``max_body_size`` controls the maximum response
size the client is willing to accept. It may be bigger than
``max_buffer_size`` if ``streaming_callback`` is used.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
* `.TCPServer.handle_stream` may be a coroutine (so that any exceptions
it raises will be logged).
`tornado.util`
~~~~~~~~~~~~~~
* `.import_object` now supports unicode strings on Python 2.
* `.Configurable.initialize` now supports positional arguments.
`tornado.web`
~~~~~~~~~~~~~
* Key versioning support for cookie signing. ``cookie_secret`` application
setting can now contain a dict of valid keys with version as key. The
current signing key then must be specified via ``key_version`` setting.
* Parsing of the ``If-None-Match`` header now follows the RFC and supports
weak validators.
* Passing ``secure=False`` or ``httponly=False`` to
`.RequestHandler.set_cookie` now works as expected (previously only the
presence of the argument was considered and its value was ignored).
* `.RequestHandler.get_arguments` now requires that its ``strip`` argument
be of type bool. This helps prevent errors caused by the slightly dissimilar
interfaces between the singular and plural methods.
* Errors raised in ``_handle_request_exception`` are now logged more reliably.
* `.RequestHandler.redirect` now works correctly when called from a handler
whose path begins with two slashes.
* Passing messages containing ``%`` characters to `tornado.web.HTTPError`
no longer causes broken error messages.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* The ``on_close`` method will no longer be called more than once.
* When the other side closes a connection, we now echo the received close
code back instead of sending an empty close frame.
4.20 2015-05-29
[ RELEASE NOTES ]
- CGI.pm is now considered "done". See also "mature" and "legacy"
Features requests and none critical issues will be outright rejected.
The module is now in maintenance mode for critical issues only.
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
- This optimisation is no longer relevant and makes the code difficult to
deal with as well as making test coverage metrics incorrect. Benchmarks
show that advantages of AUTOLOAD / lazy loading / deferred compile are
less than 0.05s, which will be dwarfed by just about any meaningful code
in a cgi script. If this is an issue for you then you should look at
running CGI.pm in a persistent environment (FCGI, etc)
- To offset some of the time added by removing the AUTOLOAD functionality
the dependencies have been made runtime rather than compile time. The
POD has also been split into its own file. CGI.pm now contains around
4000 lines of code, which compared to some modules on CPAN isn't really
that much
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typo's in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it throughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
- References: GH #162, GH #137, GH #164
[ SPEC / BUG FIXES ]
- make the list context warning in param show the filename rather than
the package so we have more information on exactly where the warning
has been raised from (GH #171)
- correct self_url when PATH_INFO and SCRIPT_NAME are the same but we
are not running under IIS (GH #176)
- Add the multi_param method to :cgi export (thanks to xblitz for the patch
and tests. GH #167)
- Fix warning for lack of HTTP_USER_AGENT in CGI::Carp (GH #168)
- Fix imports when called from CGI::Fast, restores the import of CGI functions
into the callers namespace for users of CGI::Fast (GH leejo/cgi-fast#11 and
GH leejo/cgi-fast#12)
[ FEATURES ]
- CGI::Carp now has $CGI::Carp::FULL_PATH for displaying the full path to the
offending script in error messages
- CGI now has env_query_string() for getting the value of QUERY_STRING from
the environment and not that fiddled with by CGI.pm (which is what
query_string() does) (GH #161)
- CGI::ENCODE_ENTITIES var added to control which chracters are encoded by
the call to the HTML::Entities module - defaults to &<>"' (GH #157 - the
\x8b and \x9b chars have been removed from this list as we are concerned
more about unicode compat these days than old browser support.)
[ DOCUMENTATION ]
- Fix some typos (GH #173, GH #174)
- All *documentation* for HTML functionality in CGI has been moved into
its own namespace: CGI::HTML::Functions - although the functionality
continues to exist within CGI.pm so there are no code changes required
(GH #142)
- Add missing documentation for env variable fetching routines (GH #163)
[ TESTING ]
- Increase test coverage (GH #3)
[ INTERNALS ]
- Cwd made a TEST_REQUIRES rather than a BUILD_REQUIRES in Makefile.PL
(GH #170)
- AutoloadClass variables have been removed as AUTOLOAD was removed in
v4.14 so these are no longer necessary (GH #172 thanks to alexmv)
- Remove dependency on constant - internal DEBUG, XHTML_DTD and EBCDIC
constants changes to $_DEBUG, $_XHTML_DTD, and $_EBCDIC
* Update MESSAGES.
Changelog:
5.7.4.2
Behavioral Improvements
Saving only a custom template on a block will no longer wrap that block in a custom design DIV. Better saving and resetting of custom designs on blocks and areas.
Topics improvements: topics can now be created below other topics; the only different between topic categories and topics is that categories cannot be assigned to objects, only topics can.
We now include the page ID in the attributes dialog and panel.
Feature block now contains an instance of the rich text editor (thanks MrKarlDilkington)
Improvements to new update functionality when site can't connect to concrete5.org
Improvements to new update functionality to make it more resilient with failures, but error messaging.
Adding attributes to a page will ask for it be checked back/approved when clicking the green icon.
Theme name and description can now be translated (thanks mlocati)
Added an error notice when deleting a page type that’s in use in your site.
Bug Fixes
Some servers would redirect infinitely when activating a theme or attempting to logout. This has been fixed.
Fix bug with multiple redactor instances on the same page and in the same composer window causing problems.
Better rendering of empty areas in Firefox (thanks JeramyNS)
Fixed problems with “concrete.seo.trailing_slash” set to true leading to an inability to login, other problems.
Attributes that had already been filled out were being shown as still required in page check-in panel.
Fixed bug where full URLs were incorrectly parsed if asset caching was enabled (thanks mlocati)
Fix download file script leading to 404 errors after you go to the dashboard and hit the back button
Fixed https://www.concrete5.org/developers/bugs/5-7-4-1/dont-allow-to-create-file-sets-with-names-containing-forbidden-c/
Fix https://www.concrete5.org/developers/bugs/5-7-4-1/cant-replace-a-file-with-one-in-the-incoming-directory/
Fix XSS in conversation author object; fix author name not showing if a user didn't put in a website (thanks jaromirdalecky)
Searching files, pages and users by topics now works in the dashboard
Picture tag now properly inserted by Redactor when working with themes that use responsive images.
Fixed z-index of message author and status in conversations dashboard page.
Developer Updates
API improvements to the RedactorEditor class.
And many improvements and bugfixes including security bugfixes.
Version 8.0.3 May 1st 2015
Fix several Constrain Violation Exceptions
Fix misleading Maintenance mode message
Timezone fixes for countries with 0.5 and 0.75 offsets
Fix usage of default share folder location
Reenable trashbin after failed rename
Fix disabling of APCu
Do not show update notification on mobile
Fix "Only variables should be passed by reference" error log spam
Add timeout to curl
Makes repair errors and warnings visible for the user when upgrading on the command line or in the web UI
Cron shall not operate in case we are in maintenance mode
Disable the cache updater when doing the encryption migration
Fix "Error while updating app" error
Internal Server Error after attempting to do "occ files:scan"
Several smaller fixes
WebKitGTK+ 2.4.9 released!
This is a bug fix release in the stable 2.4 series.
What’s new in the WebKitGTK+ 2.4.9 release?
o Check TLS errors as soon as they are set in the SoupMessage to prevent any
data from being sent to the server in case of invalid certificate.
o Clear the GObject DOM bindings internal cache when frames are destroyed or web
view contents are updated.
o Add HighDPI support for non-accelerated compositing contents.
o Fix some transfer annotations used in GObject DOM bindings.
o Use latin1 instead of UTF-8 for HTTP header values.
o Fix synchronous loads when maximum connection limits are reached.
o Fix a crash ScrollView::contentsToWindow() when GtkPluginWidget doesn’t have a
parent.
o Fix a memory leak in webkit_web_policy_decision_new.
o Fix g_closure_unref runtime warning.
o Fix a crash due to empty drag image during drag and drop.
o Fix rendering of scrollbars with GTK+ >= 3.16.
o Fix the build on mingw32/msys.
o Fix the build with WebKit2 disabled.
o Fix the build with accelerated compositing disabled.
o Fix clang version check in configure.
o Fix the build with recent versions of GLib that have GMutexLocker.
o Fix the build for Linux/MIPS64EL.
Upstream changes:
== MediaWiki 1.25.1 ==
This is a bug fix release of the MediaWiki 1.25 branch.
== Changes since 1.25.1 ==
* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
== MediaWiki 1.25 ==
=== Configuration changes in 1.25 ===
* $wgPageShowWatchingUsers was removed.
* $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
* $wgAntiLockFlags was removed.
* $wgJavaScriptTestConfig was removed.
* Edit tokens returned from User::getEditToken may change on every call. Token
validity must be checked by passing the user-supplied token to
User::matchEditToken rather than by testing for equality with a
newly-generated token.
* (T74951) The UserGetLanguageObject hook may be passed any IContextSource
for its $context parameter. Formerly it was documented as receiving a
RequestContext specifically.
* Profiling was restructured and $wgProfiler now requires an 'output' parameter.
See StartProfiler.sample for details.
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
might be a flash policy directive configurable.
* ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
longer be used. If extracts and page images are desired, the TextExtracts and
PageImages extensions are required.
* $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
* Edits are now prepared via AJAX as users type edit summaries. This behavior
can be disabled via $wgAjaxEditStash.
* (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
with the jQuery Migrate library, as indicated when this option was provided in
MediaWiki 1.24.
* ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
StartProfiler.php config is updated to reflect this. Xhprof is available
for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
* Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
rather than 'rsvg'.
* Default value of $wgSVGConverters['ImageMagick'] now uses transparent
background with white fallback color, rather than just white background.
* MediaWikiBagOStuff class removed, make sure any object cache config
uses SqlBagOStuff instead.
* The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
job queues. This means that mediawiki/services/jobrunner service has to
be installed and running for any such queues to work.
* $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
compatibility, any 'view' event triggers will still trigger on 'edit'.
* $wgExtensionDirectory was added for when your extensions directory is somewhere
other than $IP/extensions (as $wgStyleDirectory does with the skins directory).
=== New features in 1.25 ===
* (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
for plural forms in Russian, Prussian, Tagalog, Manx and several languages
that fall back to Russian.
* (T60139) ResourceLoaderFileModule now supports language fallback
for 'languageScripts'.
* Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the
parser output for a content object before links update.
* (T37785) Enhanced recent changes and extended watchlist are now default.
Documentation: https://meta.wikimedia.org/wiki/Help:Enhanced_recent_changes
and https://www.mediawiki.org/wiki/Manual:$wgDefaultUserOptions.
* (T69341) SVG images will no longer be base64-encoded when being embedded
in CSS. This results in slight size increase before gzip compression (due to
percent-encoding), but up to 20% decrease after it.
* Update jStorage to v0.4.12.
* MediaWiki now natively supports page status indicators: icons (or short text
snippets) usually displayed in the top-right corner of the page. They have
been in use on Wikipedia for a long time, implemented using templates and CSS
absolute positioning.
- Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
- Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
- Adjusting custom skins to support indicators:
https://www.mediawiki.org/wiki/Manual:Skinning#Page_status_indicators
* Edit tokens may now be time-limited: passing a maximum age to
User::matchEditToken will reject any older tokens.
* The debug logging internals have been overhauled, and are now using the
PSR-3 interfaces.
* Update CSSJanus to v1.1.1.
* Update lessphp to v0.5.0.
* Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
and images for ApiOpenSearch output. The semantics are identical to the
"OpenSearchXml" hook provided by the OpenSearchXml extension.
* PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
this allows for pagination of prefix results. Extensions using this hook
should implement supporting behavior. Not doing so can result in undefined
behavior from API clients trying to continue through prefix results.
* Update jQuery from v1.11.1 to v1.11.3.
* External libraries installed via composer will now be displayed
on Special:Version in their own section. Extensions or skins that are
installed via composer will not be shown in this section as it is assumed
they will add the proper credits to the skins or extensions section. They
can also be accessed through the API via the new siprop=libraries to
ApiQuerySiteInfo.
* Update QUnit from v1.14.0 to v1.16.0.
* Update Moment.js from v2.8.3 to v2.8.4.
* Special:Tags now allows for manipulating the list of user-modifiable change
tags.
* Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
tags.
* Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
"active" formerly conflated by the 'ListDefinedTags' hook.
* Added TemplateParser class that provides a server-side interface to cachable
dynamically-compiled Mustache templates (currently uses lightncandy library).
* Clickable anchors for each section heading in the content are now generated
and appear in the gutter on hovering over the heading.
* Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks
to allow extensions to override how links to pages are rendered within NS_CATEGORY
* (T19665) Special:WantedPages only lists page which having at least one red link
pointing to it.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
* New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
links of a group of changes in EnhancedChangesList.
* A full interface for StatsD metric reporting has been added to the context
interface, reachable via IContextSource::getStats().
* Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
proper, published library, which is now tagged as v1.0.0.
* A new message (defaulting to blank), 'editnotice-notext', can be shown to users
when they are editing if no edit notices apply to the page being edited.
* (T94536) You can now make the sitenotice appear to logged-in users only by
editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
"-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
* Modifying the tagging of a revision or log entry is now available via
Special:EditTags, generally accessed via the revision-deletion-like interface
on history pages and Special:Log is likely to be more useful.
* Added 'applychangetags' and 'changetags' user rights.
* (T35235) LogFormatter subclasses are now responsible for formatting the
parameters for API log event output. Extensions should implement the new
getParametersForApi() method in their log formatters.
==== External libraries ====
* MediaWiki now requires certain external libraries to be installed. In the past
these were bundled inside the Git repository of MediaWiki core, but now they
need to be installed separately. For users using the tarball, this will be taken
care of and no action will be required. Users using Git will either need to use
composer to fetch dependencies or use the mediawiki/vendor repository which includes
all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed
instructions can be found at:
https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
* The following libraries are now required:
** psr/log
This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/)
which are used by MediaWiki internally via the
MediaWiki\Logger\LoggerFactory class.
See the structured logging RfC (https://www.mediawiki.org/wiki/Requests_for_comment/Structured_logging)
for more background information.
** cssjanus/cssjanus
This library was formerly bundled with MediaWiki core and has been removed.
It automatically flips CSS for RTL support.
** leafo/lessphp
This library was formerly bundled with MediaWiki core and has been removed.
It compiles LESS files into CSS.
** wikimedia/cdb
This library was formerly a part of MediaWiki core, and has been moved into a separate library.
It provides CDB functions which are used in the Interwiki and Localization caches.
More information about the library can be found at https://www.mediawiki.org/wiki/CDB.
** liuggio/statsd-php-client
This library provides a StatsD client API for logging application metrics to a remote server.
=== Bug fixes in 1.25 ===
* (T73003) No additional code will be generated to try to load CSS-embedded
SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
* (T69021) On Special:BookSources, corrected validation of ISBNs (both
10- and 13-digit forms) containing "X".
* Page moving was refactored into a MovePage class. As part of that:
** The AbortMove hook was removed.
** MovePageIsValidMove is for extensions to specify whether a page
cannot be moved for technical reasons, and should not be overridden.
** MovePageCheckPermissions is for checking whether the given user is
allowed to make the move.
** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
** Title::moveTo() was deprecated. Use the MovePage class instead.
** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
and MovePage::checkPermissions().
* (T18530) Multiple autocomments are now formatted in an edit summary.
* (T70361) Autocomments containing "/*" are parsed correctly.
* The Special:WhatLinksHere page linked from 'Number of redirects to this page'
on action=info about a file page does not list file links anymore.
* (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
* (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
* (T85192) Captcha position modified in Usercreate template. As a result:
** extrafields parameter added to Usercreate.php to insert additional data
** 'extend' method added to QuickTemplate to append additional values to any field of data array
* (T86974) Several Title methods now load from the database when necessary
(instead of returning incorrect results) even when the page ID is known.
* (T74070) Duplicate search for archived files on file upload now omits the extension.
This requires the fa_sha1 field being populated.
* Removed rel="archives" from the "View history" link, as it did not pass
HTML validation.
* $wgUseTidy is now set when parserTests are run with the tidy option to match
output on wiki.
* (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
* (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().
=== Action API changes in 1.25 ===
* (T67403) XML tag highlighting is now only performed for formats
"xmlfm" and "wddxfm".
* action=paraminfo supports generalized submodules (modules=query+value),
querymodules and formatmodules are deprecated
* action=paraminfo no longer outputs descriptions and other help text by
default. If needed, it may be requested using the new 'helpformat' parameter.
* action=help has been completely rewritten, and outputs help in HTML
rather than plain text.
* Hitting api.php without specifying an action now displays only the help for
the main module, with links to submodule help.
* API help is no longer displayed on errors.
* 'uselang' is now a recognized API parameter; "uselang=user" may be used to
explicitly select the language from the current user's preferences, and
"uselang=content" may be used to select the wiki's content language.
* Default output format for the API is now jsonfm.
* Simplified continuation will return a "batchcomplete" property in the result
when a batch of pages is complete.
* Pretty-printed HTML output now has nicer formatting and (if available)
better syntax highlighting.
* Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
list=alldeletedrevisions.
* prop=revisions will gracefully continue when given too many revids or titles,
rather than just ignoring the extras.
* prop=revisions will no longer die if rvcontentformat doesn't match a
revision's content model; it will instead warn and omit the content.
* If the user has the 'deletedhistory' right, action=query's revids parameter
will now recognize deleted revids.
* prop=revisions may be used as a generator, generating revids.
* (T68776) format=json results will no longer be corrupted when
$wgMangleFlashPolicy is in effect. format=php results will cleanly return an
error instead of returning invalid serialized data.
* Generators may now return data for the generated pages when used with
action=query.
* Query page data for generator=search and generator=prefixsearch will now
include an "index" field, which may be used by the client for sorting the
search results.
* ApiOpenSearch now supports XML output.
* ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
in JSON format.
* (T76051) list=tags will now continue correctly.
* (T76052) list=tags can now indicate whether a tag is defined.
* (T75522) list=prefixsearch now supports continuation
* (T78737) action=expandtemplates can now return page properties.
* (T78690) list=allimages now accepts multiple pipe-separated values
for the 'aimime' parameter.
* prop=info with inprop=protections will now return applicable protection types
with the 'restrictiontypes' key.
* (T85417) When resolving redirects, ApiPageSet will now add the targets of
interwiki redirects to the list of interwiki titles.
* (T85417) When outputting the list of redirect titles, a 'tointerwiki'
property (like the existing 'tofragment' property) will be set.
* Added action=managetags to allow for managing the list of
user-modifiable change tags. Actually modifying the tagging of a revision or
log entry is not implemented yet.
* list=tags has additional properties to indicate 'active' status and tag
sources.
* siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
* (T88010) Added action=checktoken, to test a CSRF token's validity.
* (T88010) Added intestactions to prop=info, to allow querying of
Title::userCan() via the API.
* Default type param for query list=watchlist and list=recentchanges has
been changed from all types (e.g. including 'external') to 'edit|new|log'.
* Added formatversion to format=json. Still "experimental" as further changes
to the output formatting might still be made.
* (T73020) Log event details are now always under a 'params' subkey for
list=logevents, and a 'logparams' subkey for list=watchlist and
list=recentchanges.
* Log event details are changing formatting:
* block events now report flags as an array rather than as a comma-separated
list.
* patrol events now report the 'auto' flag as a boolean (absent/empty string
for BC formats) rather than as an integer.
* rights events now report the old and new group lists as arrays rather than
as comma-separated lists.
* merge events use new-style formatting.
* delete/event and delete/revision events use new-style formatting.
* The root node and various other nodes will now always be an object in formats
such as json that distinguish between arrays and objects.
* Except for action=opensearch where the spec requires an array.
=== Action API internal changes in 1.25 ===
* ApiHelp has been rewritten to support i18n and paginated HTML output.
Most existing modules should continue working without changes, but should do
the following:
* Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription().
* Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
to replace getParamDescription(). If necessary, the settings array returned
by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
message.
* Implement getExamplesMessages() to replace getExamples().
* Modules with submodules (like action=query) must have their submodules
override ApiBase::getParent() to return the correct parent object.
* The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
and will have no effect for modules using i18n messages. Use
'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
* Api formatters will no longer be asked to display the help screen on errors.
* ApiMain::getCredits() was removed. The credits are available in the
'api-credits' i18n message.
* ApiFormatBase has been changed to support i18n and syntax highlighting via
extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
has been removed.
* ApiFormatBase now always buffers. Output is done when
ApiFormatBase::closePrinter is called.
* Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase.
* The 'revids' parameter supplied by ApiPageSet will now count deleted
revisions as "good" if the user has the 'deletedhistory' right. New methods
ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
provided to access just the live or just the deleted revids.
* Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
to allow generators to include data in the action=query result.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
* Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
the current request was sent with the 'callback' parameter (or any future
method that breaks the same-origin policy).
* Profiling methods in ApiBase are deprecated and no longer need to be called.
* ApiResult was greatly overhauled. See inline documentation for details.
* ApiResult will automatically convert objects to strings or arrays (depending
on whether a __toString() method exists on the object), and will refuse to
add unsupported value types.
* An informal interface, ApiSerializable, exists to override the default
object conversion.
* ApiResult/ApiFormatBase "raw mode" is deprecated.
* ApiFormatXml now assumes defaults and so on instead of throwing errors when
metadata isn't set.
* (T35235) LogFormatter subclasses are now responsible for formatting log event
parameters for the API.
* Many modules have changed result data formats. While this shouldn't affect
clients not using the experimental formatversion=2, code using
ApiResult::getResultData() without the transformations for backwards
compatibility may need updating, as will code that wasn't following the old
conventions for API boolean output.
* The following methods have been deprecated and may be removed in a future
release:
* ApiBase::getDescription
* ApiBase::getParamDescription
* ApiBase::getExamples
* ApiBase::makeHelpMsg
* ApiBase::makeHelpArrayToString
* ApiBase::makeHelpMsgParameters
* ApiBase::getModuleProfileName
* ApiBase::profileIn
* ApiBase::profileOut
* ApiBase::safeProfileOut
* ApiBase::getProfileTime
* ApiBase::profileDBIn
* ApiBase::profileDBOut
* ApiBase::getProfileDBTime
* ApiBase::getResultData
* ApiFormatBase::setUnescapeAmps
* ApiFormatBase::getWantsHelp
* ApiFormatBase::setHelp
* ApiFormatBase::formatHTML
* ApiFormatBase::setBufferResult
* ApiFormatBase::getDescription
* ApiFormatBase::getNeedsRawData
* ApiMain::setHelp
* ApiMain::reallyMakeHelpMsg
* ApiMain::makeHelpMsgHeader
* ApiResult::setRawMode
* ApiResult::getIsRawMode
* ApiResult::getData
* ApiResult::setElement
* ApiResult::setContent
* ApiResult::setIndexedTagName_recursive
* ApiResult::setIndexedTagName_internal
* ApiResult::setParsedLimit
* ApiResult::beginContinuation
* ApiResult::setContinueParam
* ApiResult::setGeneratorContinueParam
* ApiResult::endContinuation
* ApiResult::size
* ApiResult::convertStatusToArray
* ApiQueryImageInfo::getPropertyDescriptions
* ApiQueryLogEvents::addLogParams
* The following classes have been deprecated and may be removed in a future
release:
* ApiQueryDeletedrevs
=== Languages updated in 1.25 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.
* Languages added:
** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
** ses (Koyraboro Senni), thanks to translator Songhay.
* (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
interface language to kk where unexpected.
* The Chinese conversion table was substantially updated to fix a lot of
bugs and ensure better reading experience for different variants.
=== Other changes in 1.25 ===
* (T45591) Links to MediaWiki.org translatable help were added to indicators,
mostly in special pages. Local custom target titles can be placed in the
relevant '(namespace-X|action name|special page name)-helppage' system
message. Extensions can use the addHelpLink() function to do the same.
* The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
migration guide for creators and users of custom skins that relied on it.
* Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only
available on Special:Upload.
* (T58257) Set site logo from mediawiki.skinning.interface module instead of
inline styles in the HTML.
* Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
* Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
* Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
* Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
* Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20)
* Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
since 1.20)
* Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated
since 1.20)
* Removed 'jquery.json' module. (deprecated since 1.24)
Use the 'json' module and global JSON object instead.
* Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
Also, the former will now throw an MWException if called with one or more
arguments.
* Removed hitcounters and associated code.
* The "temp" zone of the upload respository is now considered private. If it
already exists (such as under the images/ directory), please make sure that
the directory is not web readable (e.g. via a .htaccess file).
* BREAKING CHANGE: In the XML dump format used by Special:Export and
dumpBackup.php, the <model> and <format> tags now apprear before the <text>
tag, instead of after the <text> and <sha1> tags.
The new schema version is 0.10, the new schema URI is:
https://www.mediawiki.org/xml/export-0.10.xsd
* MWFunction::call() and MWFunction::callArray() were removed, having being
deprecated in 1.22.
* Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
and getInternalLinkAttributes methods in Linker, and removed
getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
* Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore.
* Added wgRelevantArticleId to the client-side config, for use on special pages.
* Deprecated the TitleIsCssOrJsPage hook. Superseded by the
ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
* Deprecated the TitleIsWikitextPage hook. Superseded by the
ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
* Changed parsing of variables in schema (.sql) files:
** The substituted values are no longer parsed. (Formerly, several passes
were made for each variable, so depending on the order in which variables
were defined, variables might have been found inside encoded values. This
is no longer the case.)
** Variables are no longer string encoded when the /*$var*/ syntax is used.
If string encoding is necessary, use the '{$var}' syntax instead.
** Variable names must only consist of one or more of the characters
"A-Za-z0-9_".
** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
does not exist yet variable B does, the latter may not be replaced.
However, this difference is unlikely to arise in practice.
* (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
characters on both sides.
* The FormatAutocomments hook will now receive $pre and $post as booleans,
rather than as strings that must be prepended or appended to $comment.
* (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
newlines; but they can contain and other non-newline whitespace.
* The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
relied on this behavior, update your scripts' dependencies.
* HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
* HTMLForm::isVForm() is now deprecated.
* You can no longer do this:
$form = new HTMLForm( … );
$form->setDisplayFormat( 'vform' ); // throws exception
Instead, do this:
$form = HTMLForm::factory( 'vform', … );
* Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment().
* BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
* (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
renders them incorrectly when combined with border-radius or background-size.
* Removed maintenance script dumpSisterSites.php.
* DatabaseBase class constructors must be called using the array argument style.
Ideally, DatabaseBase:factory() should be used instead in most cases.
* Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates.
This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and
addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26,
since they interfere with caching of ParserOutput objects.
* Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates.
* Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform
updates when a page is re-rendered.
* EditPage::attemptSave has been modified not to call handleStatus itself and
instead just returns the Status object. Extension calling it should be aware of
this.
* Removed class DBObject. (unused since 1.10)
* wfDiff() is deprecated.
* The -m (maximum replication lag) option of refreshLinks.php was removed.
It had no effect since MediaWiki 1.18 and should be removed from any cron
jobs or similar scripts you may have set up.
* (T85864) The following messages no longer support raw html: redirectto,
thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
protect-summary-cascade
* All BloomCache related code has been removed. This was largely experimental.
* $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They
can only be set for the entire skin.
* Removed global function swap(). (deprecated since 1.24)
* Deprecated the ".php5" file extension entry points and the $wgScriptExtension
configuration variable. Refer to the ".php" files instead. If you want
".php5" URLs to continue to work, set up redirects. In Apache, this can be
done by enabling mod_rewrite and adding the following rules to your
configuration:
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)\.php5 $1.php [R=301,L]
* The global importScriptURI and importStylesheetURI functions, as well as the
loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
warnings through mw.log.warn when accessed.
== Compatibility ==
MediaWiki 1.25 requires PHP 5.3.3 or later. There is experimental support for
HHVM 3.3.0.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.25 has several database changes since 1.24, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
For notes on 1.24.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.
2015-05-20 Net-HTTP 6.09
Karen Etheridge (1):
No changes since 6.08_002
2015-05-02 Net-HTTP 6.08_002
Karen Etheridge (1):
fix foolish $VERSION error in 6.08_001
2015-05-01 Net-HTTP 6.08_001
Mark Overmeer (1):
resolve issues with SSL by reading bytes still waiting to be read after
the initial 1024 bytes [RT#104122]
Changelog:
The Apache Tomcat Project is proud to announce the release of version
8.0.23 of Apache Tomcat. Apache Tomcat 8.0.23 includes a numerous fixes
for issues identified in 8.0.22 as well as a number of other enhancements
and changes. The notable changes since 8.0.22 include:
Fixed corruption issues with NIO2 and TLS
Added a workaround for SPNEGO authentication and a JRE regression in Java 8 update 40 onwards
Added the new HttpHeaderSecurityFilter
Changelog:
Tomcat 7.0.62 (violetagg)
Catalina
add Allow logging of the remote port in the access log using the format pattern %{remote}p. (rjung)
fix 57765: When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified. (markt)
fix Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed. (markt)
fix Cleanup o.a.tomcat.util.digester.Digester from debug messages that do not give any valuable information. Patch provided by Polina Genova. (violetagg)
fix 57772: When reloading a web application and a directory representing an expanded WAR needs to be deleted, delete the directory after the web application has been stopped rather than before to avoid potential ClassNotFoundExceptions. (markt)
fix 57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung)
fix 57824: Correct a regression in the fix for 57252 that broke request listeners for non-async requests that triggered an error that was handled by the ErrorReportingValve. (markt/violetagg)
fix 57841: Improve error logging during web application start. (markt)
fix 57856: Ensure that any scheme/port changes implemented by the RemoteIpFilter also affect HttpServletResponse.sendRedirect(). (markt)
fix 57896: Support defensive copying of "cookie" header so that unescaping double quotes in a cookie value does not corrupt original value of "cookie" header. This is an opt-in feature, enabled by org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER system property. (kkolinko)
Coyote
fix 57779: When an I/O error occurs on a non-container thread only dispatch to a container thread to handle the error if using Servlet 3+ asynchronous processing. This avoids potential deadlocks if an application is performing I/O on a non-container thread without using the Servlet 3+ asynchronous API. (markt)
fix 57833: When using JKS based keystores for NIO, ensure that the key alias is always converted to lower caes since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M. (markt)
fix 57837: Add text/css to the default list of compressable MIME types. (markt)
Jasper
fix 57845: Ensure that, if the same JSP is accessed directly and via a <jsp-file> declaration in web.xml, updates to the JSP are visible (subject to the normal rules on re-compilation) regardless of how the JSP is accessed. (markt)
fix 57855: Explicitly handle the case where a MethodExpression is invoked with null or the wrong number of parameters. Rather than failing with an ArrayIndexOutOfBoundsException or a NullPointerException throw an IllegalArgumentException with a useful error message. (markt)
Cluster
add Add new attribute that send all actions for session across Tomcat cluster nodes. (kfujino)
fix Remove unused pathname attribute in mbean definition of BackupManager. (kfujino)
fix 57338: Improve the ability of the ClusterSingleSignOn valve to handle nodes being added and removed from the Cluster at run time. (markt)
fix Avoid unnecessary call of DeltaRequest.addSessionListener() in non-primary nodes. (kfujino)
WebSocket
fix 57762: Ensure that the WebSocket client correctly detects when the connection to the server is dropped. (markt)
fix 57776: Revert the 8.0.21 fix for the permessage-deflate implementation and incorrect op-codes since the fix was unnecessary (the bug only affected trunk) and the fix broke rather than fixed permessage-deflate if an uncompressed message was converted into more than one compressed message. (markt)
fix Fix log name typo in WsRemoteEndpointImplServer class, caused by a copy-paste. (markt/kkolinko)
fix 57788: Avoid NPE when looking up a class hierarchy without finding anything. (remm)
Web applications
add 57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent. (markt)
fix 57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura. (markt)
Tribes
fix Fix a concurrency issue when a backup message that has all session data and a backup message that has diff data are processing at the same time. This fix ensures that MapOwner is set to ReplicatedMapEntry. (kfujino)
fix Clarify the handling of Copy message and Copy nodes. (kfujino)
fix Copy node does not need to send the entry data. It is enough to send only the node information of the entry. (kfujino)
fix ReplicatedMap should send the Copy message when replicating. (kfujino)
fix Fix behavior of ReplicatedMap when member has disappeared. If map entrprimary, rebuild the backup members. If primary node of map entry has disappeared, backup node is promoted to primary. (kfujino)
fix When a map member has been added to ReplicatedMap, make sure to add it to backup nodes list of all other members.
Changelog:
Fixed in Firefox ESR 31.7
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
- Add BUILD_DEPENDS to p5-Catalyst-Plugin-Authorization-Roles for make test
(upstream)
- Update to 0.1506
----------------
0.1506 2014-04-02
* Fix doc bugs. RT#87372
* Fix calling User->can() as a class method. RT#90715
* Fix Catalyst tutorial link. RT#47043
--------------
2.22 Thu May 14 04:04:03 CEST 2015
- ipv6 literals were not correctly parsed (analyzed by Raphael Geissert).
- delete the body when mutating request to GET request when
redirecting (reported by joe trader).
- send proxy-authorization header to proxy when using CONNECT
(reported by dzagashev@gmail.com).
- do not send Proxy-Authroization header when not using a proxy.
- when retrying a persistent request, switch persistency off.
- added t/02_ip_literals.t.
Upstream changes:
1.2.0 2015-04-14 07:13:00+0000
- [core] bundle libyaml #248 (Kazuho Oku)
- [core] implement master-worker process mode and daemon mode (bundles Server::Starter) #258#270 (Kazuho Oku)
- [file] more mime-types by default #250#254#280 (Tatsuhiko Kubo, George Liu, Kazuho Oku)
- [file][http1] fix connection being closed if the length of content is zero #276 (Kazuho Oku)
- [headers] fix heap overrun during configuration #251 (Kazuho Oku)
- [http2] do not delay sending PUSH_PROMISE #221 (Kazuho Oku)
- [http2] reduce memory footprint under high load #271 (Kazuho Oku)
- [http2] fix incorrect error sent when number of streams exceed the limit #268 (Kazuho Oku)
- [proxy] fix heap overrun when building request sent to upstream #266#269 (Moto Ishizawa, Kazuho Oku)
- [proxy] fix laggy response in case the length of content is zero #274#276 (Kazuho Oku)
- [SSL] fix potential stall while reading data from client #268 (Kazuho Oku)
- [SSL] bundle LibreSSL #236#272 (Kazuho Oku)
- [SSL] obtain source-level compatibility with BoringSSL #228 (Kazuho Oku)
- [SSL] add directive `listen.ssl.cipher-preference` for controlling the selection logic of cipher-suites #233 (Kazuho Oku)
- [SSL] disable TLS compression #252 (bisho)
- [libh2o] fix C++ compatibility (do not use empty struct) #225 (Kazuho Oku)
- [libh2o] search external dependencies using pkg-config #227 (Kazuho Oku)
- [misc] fix GCC version detection bug used for controlling compiler warnings #224 (Kazuho Oku)
- [misc] check merory allocation failures in socket pool #265 (Tatsuhiko Kubo)
1.1.1 2015-03-09 06:12:00+0000
- [proxy] fix crash on NetBSD when upstream connection is persistent #217 (Kazuho Oku)
- [misc] fix compile error on FreeBSD #211#212 (Syohei Yoshida)
1.1.0 2015-03-06 06:41:00+0000
- [core][file] send redirects appending '/' as abs-path redirects #209 (Kazuho Oku)
- [headers] add directives for manipulating response headers #204 (Kazuho Oku)
- [http2] do not send a corrupt response if header value is longer than 126 bytes #193 (Kazuho Oku)
- [http2] fix interoperability issue with nghttp2 0.7.5 and above 5c42eb1 (Kazuho Oku)
- [proxy] send `via` header to upstream #191 (Kazuho Oku)
- [proxy] resolve hostname asynchronously #207 (Kazuho Oku)
- [proxy] distribute load between upstream servers (using `rand()`) #208 (Kazuho Oku)
- [proxy] fix a bug that may cause a corrupt `location` header being forwarded #190 (Kazuho Oku)
- [reproxy] add support for `x-reproxy-url` header #187#197 (Daisuke Maki, Kazuho Oku)
1.0.1 2015-02-23 05:50:00+0000
- [core] change backlog size from 65,536 to 65,535 #183 (Tatsuhiko Kubo)
- [http2] fix assertion failure in HPACK encoder #186 (Kazuho Oku)
- [http2] add `extern` to some global variables that were not marked as such #178 (Kazuho Oku)
- [proxy] close persistent upstream connection if client abruptly closes the stream #188 (Kazuho Oku)
- [proxy] fix internal state corruption in case upstream sends response headers divided into multpile packets #189 (Kazuho Oku)
- [SSL] add host header to OCSP request #176 (Masaaki Hirose)
- [libh2o] do not require header files under `deps/` when using libh2o #173 (Kazuho Oku)
- [libh2o] fix compile error in examples when compiled with `H2O_USE_LIBUV=0` #177 (Kazuho Oku)
- [libh2o] in example, add missing / after the reference path #180 (Matthieu Garrigues)
- [misc] fix invalid HTML in sample page #175 (Deepak Prakash)
1.0.0 2015-02-18 20:01:00+0000
- [core] add redirect handler #150 (Kazuho Oku)
- [core] add `pid-file` directive for specifying the pid file #164 (Kazuho Oku)
- [core] connections accepted by host-specific listeners should not be handled by handlers of other hosts #163 (Kazuho Oku)
- [core] (FreeBSD) fix a bug that prevented the standalone server from booting when run as root #160 (Kazuho Oku)
- [core] switch to pipe-based interthread messaging #154 (Kazuho Oku)
- [core] use kqueue on all BSDs #156 (Kazuho Oku)
- [access-log] more logging directives: %H, %m, %q, %U, %V, %v #158 (Kazuho Oku)
- [access-log] bugfix: header values were not logged when specified using uppercase letters #157 (Kazuho Oku)
- [file] add application/json to defalt MIME-types #159 (Tatsuhiko Kubo)
- [http2] add support for the finalized version of HTTP/2 #166 (Kazuho Oku)
- [http2] fix issues reported by h2spec v0.0.6 #165 (Kazuho Oku)
- [proxy] merge the cookie headers before sending to upstream #161 (Kazuho Oku)
- [proxy] simplify the configuration directives (and make persistent upstream connections as default) #162 (Kazuho Oku)
- [SSL] add configuration directive to preload DH params #148 (Jeff Marrison)
- [libh2o] separate versioning scheme using H2O_LIBRARY_VERSION_* #167 (Kazuho Oku)
0.9.2 2015-02-10 04:17:00+0000
- [core] graceful shutdown on SIGTERM #119 (Kazuho Oku)
- [core] less TCP errors under high load #81 (Kazuho Oku)
- [file] add support for HEAD requests #110 (Mark Hoersken)
- [http1] MSIE workaround (send `Cache-Control: private` in place of Vary) #114 (Kazuho Oku)
- [http2] support server-push #133 (Kazuho Oku)
- [http2] fix spurious RST_STREAMS being sent #132 (Kazuho Oku)
- [http2] weight-based distribution of bandwidth #135 (Kazuho Oku)
- [proxy] added configuration directive `proxy.preserve-host` #112 (Masahiro Nagano)
- [proxy] sends X-Forwarded-For and X-Forwarded-Proto headers #112 (Masahiro Nagano)
- [proxy] stability improvements #61 (Kazuho Oku)
- [misc] adjustments to make the source code more analyzer-friendly #113,#117 (Nick Desaulniers, Maks Naumov)
0.9.1 2015-01-19 21:13:00+0000
- added configuration directives: ssl/cipher-suite, ssl/ocsp-update-interval, ssl/ocsp-max-failures, expires, file.send-gzip
- [http2] added support for draft-16 (draft-14 is also supported)
- [http2] dependency-based prioritization
- [http2] improved conformance to the specification
- [SSL] OCSP stapling (automatically enabled by default)
- [SSL] fix compile error with OpenSSL below version 1.0.1
- [file] content negotiation (serving .gz files)
- [expires] added support for Cache-Control: max-age
- [libh2o] libh2o and the header files installed by `make install`
- [libh2o] fix compile error when used from C++
- automatically setuids to nobody when run as root and if `user` directive is not set
- automatically raises RLIMIT_NOFILE
- uses all CPU cores by default
- now compiles on NetBSD and other BSD-based systems
An approximate changelog 5.0.3 to 5.1.2 (resolved issues from Jira):
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Bug ROL-2057
Missing NPE check in Roller PageServlet class
Unassigned Kohei Nozaki Major 30/Mar/15
Bug ROL-2058
No salt renewal on POST request
David Johnson Kohei Nozaki Major 30/Mar/15
Bug ROL-2059
Comment preview is invisible in Gaurav theme
David Johnson Kohei Nozaki Major 30/Mar/15
Bug ROL-2061
Wrong next month link of Calendar
David Johnson Kohei Nozaki Major 30/Mar/15
Bug ROL-2062
Missing NPE check in IndexOperation#getDocument()
David Johnson Kohei Nozaki Major 30/Mar/15
Improvement ROL-2064
Add viewport meta tag to Gaurav theme
David Johnson Kohei Nozaki Trivial 30/Mar/15
Bug ROL-2065
Gaurav sometimes displaying empty summary as unresolved "$entry.summary"
David Johnson Kohei Nozaki Minor 30/Mar/15
Bug ROL-2066
Comment URLs using https:// not saving properly in Gaurav theme
David Johnson Kohei Nozaki Trivial 30/Mar/15
Bug ROL-2067
Velocity configuration improvement
David Johnson David Johnson Major 30/Mar/15
Documentation ROL-2056
Wrong pointer (section number) in Install Guide at section 11.2
Unassigned Kohei Nozaki Minor 05/Jan/15
Bug ROL-2052
Custom stylesheets not being updated correctly when user switches between shared and custom themes.
Unassigned Glen Mazza Major 06/Oct/14
Bug ROL-2051
Roller not falling back to standard theme renditions when mobile one unavailable.
Unassigned Glen Mazza Critical 02/Oct/14
Bug ROL-1387
In creating tag aggregate counts, count tags only from published blog entries
Glen Mazza linda skrocki Major 02/Oct/14
Bug ROL-1620
Plus signs in categories lead to a 404 category RSS/Atom feeds
Glen Mazza linda skrocki Major 02/Oct/14
Bug ROL-2055
Comment search should be case insensitive
Glen Mazza Glen Mazza Minor 02/Oct/14
Bug ROL-2054
Newly saved categories not appearing on blog
Glen Mazza Glen Mazza Major 02/Oct/14
Bug ROL-1974
Roller's ROME Propono dependency needs updating to use newer JARs
David Johnson Glen Mazza Minor 25/Aug/14
Bug ROL-1973
ROME dependency used by Roller needs updating
David Johnson Glen Mazza Minor 25/Aug/14
Bug ROL-1942
Uploaded media file not selectable in media file view
Greg Huber Budi Ariyanto Major 25/Aug/14
Bug ROL-1948
getRealPath() null not handled
Unassigned Jürgen Weber Major 25/Aug/14
Task ROL-2039
Rename webpage and roller_templatecode tables
Glen Mazza Glen Mazza Major 25/Aug/14
Improvement ROL-2041
gaurav theme -- render full blog entries on main blog page if no summary given
Gaurav Saini Glen Mazza Major 25/Aug/14
Improvement ROL-1999
Switch from Referrers to storing tracking codes (e.g., Google Analytics)
Unassigned Glen Mazza Major 25/Aug/14
Bug ROL-1980
When deleting categories, Roller allows you to move its entries to invisible "root" category.
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-1981
Allow user to specify order of blog categories
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-1979
Remove subcategory functionality from Roller 5.1
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-1554
Listing Box "Invite a new user to join..." does not have a horizontal scrolling bar
Glen Mazza Davis Nguyen Major 25/Aug/14
Improvement ROL-2038
Add dualTheme element to themes.xml descriptor
Glen Mazza Glen Mazza Blocker 25/Aug/14
Improvement ROL-1938
Switch to mobile template only in standard template's index page
Unassigned Tiger Gui Major 25/Aug/14
Improvement ROL-1937
Standard and Mobile template switch improvement patch
Unassigned Tiger Gui Major 25/Aug/14
New Feature ROL-1934
LDAP Comment Authenticator
Dave Johnson (Inactive) Nick Padilla Major 25/Jan/12 25/Aug/14
Task ROL-1977
Remove unused properties from ApplicationResources.properties
Glen Mazza Anil Gangolli Minor 25/Aug/14
Improvement ROL-1881
Add delete blog entry option to entries page
Unassigned Nicolas Muller Major 25/Aug/14
Bug ROL-1571
missing graphic alt text
Unassigned mike duigou Major 25/Aug/14
Bug ROL-1928
Missing 500-to-510-migration.vm file in Roller Mobile branch
David Johnson David Johnson Major 25/Aug/14
Task ROL-2043
Switch from YUI3 to JQuery UI for autocomplete, tabs, dialogs
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-2022
Add Categories, demote tags from gaurav theme
Gaurav Saini Glen Mazza Major 25/Aug/14
Task ROL-2008
In "switch to (media) folder" drop-down, don't list the current folder the user is in.
Greg Huber Glen Mazza Major 25/Aug/14
Bug ROL-1273
resource item error
Glen Mazza Jian Liu Major 25/Aug/14
Task ROL-1434
lots of UI messaging needs to be converted to i18n keys in resource bundles
Glen Mazza Allen Gilliland Major 25/Aug/14
Bug ROL-2044
Member management page allows user to remove himself from blog.
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-1966
Search highlight problem
Glen Mazza Maciej Rumianowski Major 25/Aug/14
Bug ROL-1957
Unable to find RSD template
Unassigned Harsh Gupta Major 25/Aug/14
Bug ROL-1792
Hit count increments with <link rel="stylesheet" type="text/css" media="all" href="$model.weblog.stylesheet">
Greg Huber Greg Huber Trivial 25/Aug/14
Bug ROL-1716
a bug found when call getPopularTags with the limit=-1 (v4 m1)
Unassigned guoweizhan Major 25/Aug/14
Bug ROL-1414
Email scrambler not detecting hyphens in email addresses
Allen Gilliland linda skrocki Major 25/Aug/14
Improvement ROL-1649
Korean translation resource file
Unassigned Woonsan Ko Minor 25/Aug/14
Bug ROL-1930
Saving Template causes Null Pointer Exception
David Johnson David Johnson Blocker 25/Aug/14
Task ROL-1983
Only expose AJAX User List Servlet to admin users
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-1986
Stop sending re-confirmation email after blogger approves comment.
Greg Huber Glen Mazza Minor 25/Aug/14
Improvement ROL-1978
Switch to more SEO-friendly hyphens instead of underscores to separate blog titles
Glen Mazza Glen Mazza Minor 25/Aug/14
Bug ROL-1616
Input fields not emptied after creating a new user
Unassigned Ronald Iwema Minor 25/Aug/14
Bug ROL-1638
Problem with themes on case sensitive file systems
Unassigned German Eichberger Major 25/Aug/14
New Feature ROL-1021
Referrer queue warning / filling up in logs. unclosed sessions.
Unassigned Rob Wilson Major 25/Aug/14
Bug ROL-1927
Roller 5 MSSQL Issues/Fixes
David Johnson Nick Padilla Major 25/Aug/14
Improvement ROL-2034
Hide Profile Password fields with SSO
Glen Mazza Jürgen Weber Major 25/Aug/14
Bug ROL-1794
file uploads with spaces in their names are 404ing (incorrect URL escaping?)
Greg Huber Dick Davies Major 25/Aug/14
Improvement ROL-1370
Support of email notifications preference for blog commentors
Unassigned linda skrocki Major 25/Aug/14
Bug ROL-1346
Weblog Calendar incorrectly assuming Sunday is first day of week for every locale.
Unassigned Vahid Zaboli Major 25/Aug/14
Test ROL-2033
Test Roller 5.1 with a weblog client
David Johnson David Johnson Major 25/Aug/14
Task ROL-2010
Update User's Guide with new app screen shots
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-2002
https:// URLs not being processed correctly in the comment URL field
Greg Huber Glen Mazza Major 25/Aug/14
Task ROL-1994
Switch to Apache Commons Collections 4.0
Unassigned Glen Mazza Minor 25/Aug/14
Bug ROL-1870
Duplicate bookmarks not showing
Unassigned Greg Huber Major 25/Aug/14
Bug ROL-1925
Patch for the bug of OpenID only authentication
Glen Mazza Shutra Major 25/Aug/14
Improvement ROL-929
Resign | "Are you sure?" Confirmation
Glen Mazza Greg Hamer Minor 25/Aug/14
Improvement ROL-2015
Add a description element to theme descriptor file (theme.xml)
Greg Huber Glen Mazza Major 25/Aug/14
Task ROL-1997
Switch WeblogEntry's pub status fields (DRAFT, PUBLISHED, PENDING, SCHEDULED) to an enum type
Unassigned Glen Mazza Minor 25/Aug/14
Task ROL-1995
Switch to JPA Typed Queries
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-1984
./app/src/test/resources/WEB-INF/security.xml needs updating to Spring & Spring Security 3.x namespaces
Unassigned Glen Mazza Major 25/Aug/14
Bug ROL-1738
Charset of E-Mail Subject Needs to be configurable
Unassigned SATO Naoki Major 25/Aug/14
Bug ROL-1715
SiteModel's getWeblogsByLetterPager not documented correctly
Glen Mazza David Johnson Minor 25/Aug/14
Task ROL-2028
Separate the Basic Theme into Basic and Basic Mobile Themes
David Johnson Glen Mazza Major 25/Aug/14
Bug ROL-2018
"Notify me of new comments" not working on trunk.
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-2000
Change current rol_ prefix for two newest tables
Unassigned Glen Mazza Minor 25/Aug/14
Bug ROL-1992
Blogroll OPML import page raising 500 Security Error
Unassigned Glen Mazza Major 25/Aug/14
Task ROL-1991
Switch publish date pop-up calendar to one with year entry option
Unassigned Glen Mazza Minor 25/Aug/14
Improvement ROL-1907
Inefficient use of key set iterator.
Unassigned Shelan Perera Minor 25/Aug/14
Bug ROL-2032
Test Roller 5.1 with blogs.apache.org database & themes
David Johnson David Johnson Major 25/Aug/14
Bug ROL-2007
Changing values in Media File Editor frequently results in permissions error.
Greg Huber Glen Mazza Major 25/Aug/14
Bug ROL-1988
Category search not working if space exists in category
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-1952
Roller 5.0.1 does not work with PostgreSQL 9.1
Unassigned Matthias Wimmer Major 25/Aug/14
Bug ROL-1746
Uploaded file names are lower-cased with AtomPub.
Greg Huber Tatsuya Noyori Major 25/Aug/14
Bug ROL-1596
Frontpage theme lose record!
Glen Mazza xiaojf Major 25/Aug/14
Improvement ROL-1430
French Translation (based on version 4.0 files)
Unassigned Denis Balazuc Minor 25/Aug/14
Improvement ROL-1965
Searching with locale on Multi Language blog
Glen Mazza Maciej Rumianowski Major 25/Aug/14
Bug ROL-2016
roller-startup.log not created on startup
Greg Huber Greg Huber Minor 25/Aug/14
Bug ROL-2009
Custom template theme folder creation isn't working
Unassigned Glen Mazza Major 25/Aug/14
Improvement ROL-1947
Provide a blog entry-level description field that can go into HTML header field
Dave Johnson (Inactive) Glen Mazza Major 25/Aug/14
Bug ROL-1956
ValidateSaltFilter not working on file upload
Greg Huber Matthias Wimmer Major 25/Aug/14
Bug ROL-1954
user weblogs cannot be managed when admin logs in and select any user via Server Aministration and clicks on eit
Unassigned Harsh Gupta Major 25/Aug/14
Bug ROL-1795
Posting comments with SchemeEnforcementFilter in operation.
Greg Huber Greg Huber Minor 25/Aug/14
Task ROL-2030
Replace Xinha editor with something more recent
Unassigned Glen Mazza Minor 25/Aug/14
Task ROL-1968
Upgrade Spring Security from 2.0.7 to 3.1.4
Unassigned Glen Mazza Major 25/Aug/14
Improvement ROL-1964
SearchServlet does not preserve locale
Unassigned Maciej Rumianowski Minor 25/Aug/14
Task ROL-2005
Switch to top-level folders only for Media Files
Unassigned Glen Mazza Major 25/Aug/14
Bug ROL-1739
Missing constraint on weblogentrytagagg table
Glen Mazza David Johnson Major 25/Aug/14
Bug ROL-1778
Blog entry preview before first publish not working with Derby database
Glen Mazza José Arthur Benetasso Villanova Major 25/Aug/14
Upstream changelog:
Catalina
++++++++
fix Correct typo in the message shown by HttpServlet for unexpected
HTTP method. (kkolinko)
add Allow to configure RemoteAddrValve and RemoteHostValve to adopt
behavior depending on the connector port. Implemented by
optionally adding the connector port to the string compared with
the patterns allow and deny. Configured using addConnectorPort
attribute on valve. (rjung)
fix 56608: Fix IllegalStateException for JavaScript files when
switching from Writer to OutputStream. The special handling of
this case in the DefaultServlet was broken due to a MIME type
change for JavaScript. (markt)
fix 57675: Correctly quote strings when using the extended access
log. (markt)
Coyote
++++++
fix 57234: Make SSL protocol filtering to remove insecure protocols
case insensitive. Correct spelling of filterInsecureProtocols
method. (kkolinko/schultz)
fix When applying the maxSwallowSize limit to a connection read
that many bytes first before closing the connection to give
the client a chance to read the response. (markt)
fix 57544: Fix a potential infinite loop when preparing a kept
alive HTTP connection for the next request. (markt)
add 57570: Make the processing of chunked encoding trailing headers
optional and disabled by default. (markt)
fix 57581: Change statistics byte counter in coyote Request object
to be long to allow values above 2Gb. (kkolinko)
update Update the minimum recommended version of the Tomcat Native
library (if used) to 1.1.33. (markt)
Jasper
++++++
fix Fix potential issue with BeanELResolver when running under a
security manager. Some classes may not be accessible but may
have accessible interfaces. (markt)
fix Simplify code in ProtectedFunctionMapper class of Jasper
runtime. (kkolinko)
fix 57801: Improve the error message in the start script in case
the PID read from the PID file is already owned by a process.
(rjung)
Web applications
++++++++++++++++
fix Update documentation for CGI servlet. Recommend to copy the
servlet declaration into web application instead of enabling
it globally. Correct documentation for cgiPathPrefix. (kkolinko)
update Improve Tomcat Manager documentation. Rearrange, add section
on HTML GUI, document /expire command and Server Status page.
(kkolinko)
add 54143: Add display of the memory pools usage (including PermGen)
to the Status page of the Manager web application. (kkolinko)
fix Fix several issues with status.xsd schema in Manager web
application, testing it against actual output of
StatusTransformer class. (kkolinko)
update Align algorithm that generates anchor names in Tomcat
documentation with Tomcat 7/8/9. No visible changes, but may
help with future updates to the documentation. (kkolinko)
fix 56058: Add links to the AccessLogValve documentation for
configuring reverse proxies and/or Tomcat to ensure that the
desired information is used entered in the access log when
Tomcat is running behind a reverse proxy. (markt)
fix 57503: Make clear that the JULI integration for log4j only
works with log4j 1.2.x. (markt)
update 57644: Update examples to use Apache Standard Taglib 1.2.5.
(jboynes/kkolinko)
fix 57706: Clarify the documentation for the AJP connector to make
clearer that when using tomcatAuthentication="false" the user
provided by the reverse proxy will not be associated with any
roles. (markt)
fix Correct the documentation for deployOnStartup to make clear
that if a WAR file is updated while Tomcat is stopped and
unpackWARs is true, Tomcat will not detect the changed WAR
file when it starts and will not replace the unpacked WAR file
with the contents of the updated WAR. (markt)
add 57759: Add information to the keyAlias documentation to make
it clear that the order keys are read from the keystore is
implementation dependent. (markt)
fix 57864: Update the documentation web application to make it
clearer that hex values are not valid for cluster send options.
Based on a patch by Kyohei Nakamura. (markt)
Other
+++++
add 57344: Provide sha1 checksum files for Tomcat downloads.
(kkolinko)
fix 57558: Change catalina-tasks.xml to use all jars in
${catalina.home}/lib to define Tomcat Ant tasks. This fixes
a NoClassDefFoundError with validate task. (kkolinko)
update Update to Tomcat Native Library version 1.1.33 to pick up the
Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1.
(markt)
-------------------
6.11 2015-05-16
- Deprecated build_body and build_headers methods in Mojo::Content.
- Added headers_contain method to Mojo::Content.
- Updated jQuery to version 2.1.4.
- Fixed indentation of ASCII art in documentation browser. (jberger)
- Fixed bug where inline was not considered a reserved stash value.
6.10 2015-04-26
- Removed support for user/group switching, because it never worked
correctly, which means that this security feature has become an attack
vector itself. If you depend on this functionality, you can now use the
CPAN module Mojolicious::Plugin::SetUserGroup instead.
- Removed group and user attributes from Mojo::Server.
- Removed setuidgid method from Mojo::Server.
- Removed group and user settings from Hypnotoad.
- Removed -g/--group and -u/--user options from daemon and prefork commands.
- Added next_tick method to Mojo::Reactor::Poll.
- Improved next_tick callbacks to run in the same order in which they were
registered.
6.09 2015-04-25
- Improved HTML Living Standard compliance of Mojo::Parameters. (riche, sri)
- Fixed bug in Mojolicious::Types where the json MIME type did not specify a
charset. (kaktus)
Changelog:
Fixed Systems with first generation NVidia Optimus graphics cards may crash on start-up
Fixed Users who import cookies from Google Chrome can end up with broken websites
Fixed WebRTC H264 video streams from CiscoSpark native clients are not decoded correctly. (Fixed in Firefox ESR 38.0.1; was already fixed in Firefox 38.0)
Fixed Large animated images may fail to play and may stop other images from loading
- Nothing changed, but just a note. 'make test' fails at t/12-html_fragment_ok.t.
It is because the randomness of error output, saying either <head><title><html>
is missing (if neither of them exists). (To see, try 'make test' several times).
(upstream)
- update 2.20 to 2.22
-------------------
2.22 Mon Apr 6 15:47:11 CDT 2015
[CHANGES THAT COULD BREAK YOUR CODE]
Previously, html_ok() would not check the entire structure of a web
page to check for <html>, <head>, <title> and <body> tags. Now it
will. If you want to check fragments of HTML for validity but know
that they are not valid HTML documents on their own, use the new
html_fragment_ok().
[ENHANCEMENTS]
Added new error, elem-input-alt-missing, that warns of <input
type="image"> tags that are missing an alt="" attribute. This helps
for accessability to make sure that any images have alternate text
for screen readers.
Added ability to modify HTML::Lint's table of known tags and
attributes, so you could do this:
# Add an attribute that your company uses.
HTML::Lint::HTML4::add_attribute( 'body', 'proprietary-attribute' );
# Add the HTML 5 <canvas> tag.
HTML::Lint::HTML4::add_tag( 'canvas' );
HTML::Lint::HTML4::add_attribute( 'canvas', $_ ) for qw( height width );
[FIXES]
Test::HTML::Lint::html_ok() would not call the HTML::Lint eof()
method, which meant it wouldn't do document-wide tests.
Changelog:
Change the format of the Tomcat specific URLs for resources inside JARs that are in turn packed in a WAR. The ^/ sequence has been replaced by */ so that the resulting URLs are compliant with RFC 2396 and do not trigger exceptions when converted to URIs. The old format will continue to be accepted.
Allow logging of the remote port in the access log using the format pattern %{remote}p.
When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified.
Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed.
Note: There is a known issue with NIO2 and SSL/TLS in this and previous releases that can result in dropped connections. It is not recommended that NIO2 is used in production with SSL/TLS until this issue is resolved (the fix is expected in 8.0.23).
Changelog:
New New tab-based preferences
New Ruby annotation support
New Base for the next ESR release.
Changed autocomplete=off is no longer supported for username/password fields
Changed URL parser avoids doing percent encoding when setting the Fragment part of the URL, and percent decoding when getting the Fragment in line with the URL spec
Changed RegExp.prototype.source now returns "(?:)" instead of the empty string for empty regular expressions
Changed Improved page load times via speculative connection warmup
HTML5 WebSocket now available in Web Workers
HTML5 BroadcastChannel API implemented
HTML5 Implemented srcset attribute and <picture> element for responsive images
HTML5 Implemented DOM3 Events KeyboardEvent.code
HTML5 Mac OS X: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube
HTML5 Implemented Encrypted Media Extensions (EME) API to support encrypted HTML5 video/audio playback (Windows Vista or later only)
HTML5 Automatically download Adobe Primetime Content Decryption Module (CDM) for DRM playback through EME (Windows Vista or later only)
Developer Optimized-out variables are now visible in Debugger UI
Developer XMLHttpRequest logs in the web console are now visually labelled and can be filtered separately from regular network requests
Developer WebRTC now has multistream and renegotiation support
Developer copy command added to console
Fixed Various security fixes
Fixed in Firefox 38
2015-58 Mozilla Windows updater can be run outside of application directory
2015-57 Privilege escalation through IPC channel messages
2015-56 Untrusted site hosting trusted page can intercept webchannel responses
2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata
2015-54 Buffer overflow when parsing compressed XML
2015-53 Use-after-free due to Media Decoder Thread creation during shutdown
2015-52 Sensitive URL encoded information written to Android logcat
2015-51 Use-after-free during text processing with vertical text enabled
2015-50 Out-of-bounds read and write in asm.js validation
2015-49 Referrer policy ignored when links opened by middle-click and context menu
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
WordPress 4.2.2 fixes a cross-site scripting vulnerability contained in an HTML
file shipped with recent Genericons packages included in the Twenty Fifteen
theme as well as a number of popular plugins by removing the file.
Version 4.2.2 also improves on a fix for a critical cross-site scripting
vulnerability introduced in 4.2.1.
The release also includes hardening for a potential cross-site scripting
vulnerability when using the Visual editor.
In addition to the security fixes, WordPress 4.2.2 contains fixes for 13 bugs
from 4.2.1, including:
o Fixes an emoji loading error in IE9 and IE10
o Fixes a keyboard shortcut for saving from the Visual editor on Mac
o Fixes oEmbed for YouTube URLs to always expect https
o Fixes how WordPress checks for encoding when sending strings to MySQL
o Fixes a bug with allowing queries to reference tables in the dbname.tablename
format
o Lowers memory usage for a regex checking for UTF-8 encoding
o Fixes an issue with trying to change the wrong index in the wp_signups table
on utf8mb4 conversion
o Improves performance of loop detection in _get_term_children()
o Fixes a bug where attachment URLs were incorrectly being forced to use https
in some contexts
o Fixes a bug where creating a temporary file could end up in an endless loop.
---------------------
VERSION 3.06
Maintenance release with a couple new features: support for "charset:
utf8" in "Source::File", add_before_option/add_after_option c/o Victor
Porton, and support for HTML5 type names c/o Wolfgang Radke.
- Adjust following depends for 'make test'
Convert DEPENDS to BUILD_DEPENDS, p5-CPAN-Changes
Add BUILD_DEPENDS p5-Test-Deep-[0-9]*
(upstream)
- Update 2.07 to 2.09
-------------------
2.09 2015-03-08
[DOCUMENTATION]
- Clarify order of use statements when using both CGI and CGI::Fast
- Replace indirect object notation with ->new
[TESTING]
- Tests for CGI imports and load order
- Add BUILD_DEPENDS+= p5-CGI-Emulate-PSGI for 'make test'
(upstream)
- Update to 0.19
--------------
0.19 2015-03-06 11:33:32 PST
- fix signal related test fails on Win32 (rkitover) #16
- Add three BUILD_DEPENDS for 'make test'.
p5-JSON-MaybeXS, p5-Module-Pluggable, p5-Test-Deep
(upstream)
- Update to 1.004
---------------
1.004 2015-03-05 05:18:44Z
- fix the Gist plugin to work with github's stricter validation
(PR #11, Tatsuhiko Miyagawa)
- removed +x permissions on files (RT#102361)
- mark the Codepeek service as deprecated (RT#101823)
TEST_TARGET?= # to skip make test (but can be enabled by 'env TEST_TARGET=test make test')
for following packages:
devel/p5-File-ShareDir-Install
time/p5-DateTime-Format-Strptime
www/p5-LWP-Protocol-https
- Add BUILD_DEPENDS for make test
Upstream changes:
1.22 2015-01-29 04:51:51+01:00 Europe/Berlin
- Fix for the fix..... don't ask
1.21 2015-01-29 04:48:58+01:00 Europe/Berlin
- Fix for failing test if Plack is not installed
1.20 2015-01-28 16:20:59+01:00 Europe/Berlin
-new method 'part_data' which preserves multipart meta information just in cause
you have a form upload with unexpected charsets, etc.
Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages
technologies. The Java Servlet and JavaServer Pages specifications are
developed under the Java Community Process.
Apache Tomcat is developed in an open and participatory environment and
released under the Apache Software License. Apache Tomcat is intended to
be a collaboration of the best-of-breed developers from around the world.
We invite you to participate in this open development project.
Apache Tomcat powers numerous large-scale, mission-critical web applications
across a diverse range of industries and organizations.
This package tracks 8.x release branch.
* Remove PKG_DESTDIR_SUPPORT=destdir.
It seems that this package works fine with user-destdir.
Changelog:
Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This feature requires Java 8.
Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1.
Implement a new feature for AJP connectors - Tomcat Authorization. If enabled Tomcat, will take an authenticated user name from the AJP protocol and use the appropriate Realm for the request to authorize (i.e. add roles) to that user.
Update the Eclipse JDT compiler to version 4.4.2.
Changes:
Wordpress 4.2:
o Press This has been completely revamped. Clip it, edit it, publish it. Get
familiar with the new and improved Press This. From the Tools menu, add Press
This to your browser bookmark bar or your mobile device home screen. Once
installed you can share your content with lightning speed. Sharing your
favorite videos, images, and content has never been this fast or this easy.
o Now you can browse and switch installed themes in the Customizer. Browse and
preview your installed themes from the Customizer. Make sure the theme looks
great with your content, before it debuts on your site.
o More intuitive plugin update and install from the Plugins Screen. Goodbye
boring loading screen, hello smooth and simple plugin updates. Click Update Now
and watch the magic happen.
o Writing in WordPress, whatever your language, just got better. WordPress 4.2
supports a host of new characters out-of-the-box, including native Chinese,
Japanese, and Korean characters, musical and mathematical symbols, and
hieroglyphs. Don’t use any of those characters? You can still have fun — emoji
are now available in WordPress! Get creative and decorate your content with 💙,
🐸, 🐒, 🍕, and all the many other emoji.
Wordpress 4.2.1:
o fix for a critical cross-site scripting (XSS) vulnerability, which could
enable commenters to compromise a site.
* Fix X509 server certificate domain matching
* Bug 3775: Disable HTTP/1.1 pipeline feature for pinned connections
* Cleanup: Display correct error code in debugging output for IoCallback::finish
* Cleanup: Fix spelling error in debug message in parseHttpRequest()
* Cleanup: Add whitespace to make debug message in writeComplete() more readable
* Add Kerberos support for MAC OS X 10.x
* Bug 4234: comm_connect_addr uses errno incorrectly
* Fix 'access_log none' to prevent following logs being used
* Unexpected SQUID_X509_V_ERR_DOMAIN_MISMATCH errors while accessing sites with valid certificates
* Docs: Update CONTRIBUTORS
* Ensure class Lock counter remains within bounds
* Portability: Add hacks to define C++11 explicit N-bit type limits
* Fix SSL_get_peer_certificate memory leak
* Bug 4231 pt2: comm_open_uds does not provide description for newly opened FD
* Bug 4231 pt1: fd_open() not correctly handling empty descriptions
* Negotiate Kerberos authentication request size exceeds output buffer size.
* Do not increment an iterator invalidated by std::map::erase().
* Fix require-proxy-header preventing HTTPS proxying and ssl-bump
* Fix atomics check broken by C++11 #include added in v3.5 branch r13783
* Support for resuming TLS sessions
* Bug 4212: ssl_crtd crashes with corrupt database
* Fix rev.13795 ServerName class
* Add server_name ACL matching server name(s) obtained from various sources
* Bug 4226: digest_edirectory_auth: found but cannot be built
* Invalid request->clientConnectionManager object used by Ssl::PeerConnector::handleNegotiateError
* Bug 4198: assertion failed: client_side.h:364: "sslServerBump == srvBump"
* Fix cross-compile issues with SSL_get_certificate()
* Docs: RFC 7238 obsoleted by RFC 7538
* Boilerplate: reference Translator copyrights in CREDITS
* Cleanup: Place explicit size on ref-count lock counter
* Cleanup: extend SBuf debugging information
* digest_edirectory_auth: Fix -lnettle dependency error
Version 7.42.1 (28 Apr 2015)
Daniel Stenberg (28 Apr 2015)
- RELEASE-NOTES: 7.42.1 ready
- CURLOPT_HEADEROPT: default to separate
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.
Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
- RELEASE-NOTES: synced with a6e0270e
- sws: init http2 state properly
It would otherwise cause problems when running tests after 1801 etc.
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
... as it was previouly undocumented what the pointer was.
- openssl: fix serial number output
The code extracting the cert serial number was broken and didn't display
it properly.
Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
- [Alessandro Ghedini brought this change]
curl.1: fix typo
- RELEASE-NOTES: toward 7.42.1, synced with 097460a
- [Kamil Dudka brought this change]
curl -z: do not write empty file on unmet condition
This commit fixes a regression introduced in curl-7_41_0-186-g261a0fe.
It also introduces a regression test 1424 based on tests 78 and 1423.
Reported-by: Viktor Szakats
Bug: https://github.com/bagder/curl/issues/237
- [Kamil Dudka brought this change]
docs: distribute the CURLOPT_PINNEDPUBLICKEY(3) man page, too
- connectionexists: follow-up to fd9d3a1ef1f
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.
Mistake-caught-by: Kamil Dudka
- connectionexists: fix build without NTLM
Do not access NTLM-specific struct fields when built without NTLM
enabled!
bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
- dist: include {src,lib}/checksrc.whitelist
Upstream changes:
0.303 Wed Apr 29 2015
[FIXES]
- closed RT #90414 (Vincenzo Buttazzo), fixing HTTPS data transfer
- closed RT #62950 (Slaven Rezic), adding the port to the Via: header
[DOCUMENTATION]
- added many more contributors in the META file
[TEST]
- fixed t/23connect.t
0.302 Sat Jan 31 2015
[DOCUMENTATION]
- fix RT #85632 (Ashley Pond V)
- multiple documentation fixes (Ashley Pond V)
- list git contributors in the META file
[PACKAGING]
- switch to Dist::Zilla for maintaining the distribution
+devel/p5-MetaCPAN-Client version 1.013000
+devel/p5-Search-Elasticsearch version 1.19
+net/p5-Test-RequiresInternet version 0.04
+www/p5-Any-URI-Escape version 0.01
+www/p5-Hijk version 0.20
+www/p5-WWW-Mechanize-Cached version 1.48
Uses the Cache::Cache hierarchy by default to implement a caching
Mech. This lets one perform repeated requests without hammering a
server impolitely.
Please note that Cache::Cache has been superceded by CHI, but the
default has not been changed here for reasons of backwards
compatibility. For this reason, you are encouraged to provide your own
CHI caching object to override the default.
Hijk is a fast & minimal low-level HTTP client intended to be used
where you control both the client and the server, e.g. for talking to
some internal service from a frontend user-facing web application.
It is NOT a general HTTP user agent, it doesn't support redirects,
proxies, SSL and any number of other advanced HTTP features like (in
roughly descending order of feature completeness) LWP::UserAgent,
WWW::Curl, HTTP::Tiny, HTTP::Lite or Furl. This library is basically
one step above manually talking HTTP over sockets.
Having said that it's lightning fast and extensively used in
production at Booking.com where it's used as the go-to transport layer
for talking to internal services. It uses non-blocking sockets and
correctly handles all combinations of connect/read timeouts and other
issues you might encounter from various combinations of parts of your
system going down or becoming otherwise unavailable.
Upstream changes:
0.160000 2015-04-27 00:12:55+02:00 Europe/Amsterdam
[ BUG FIXES ]
* GH #868: Fix incorrect access name in $error->throw. (cdmalon)
* GH #879, #883: Fix version numbering in packaging and tests.
(Russell Jenkins)
* File serving (send_file) won't call serializer. (Russell Jenkins)
* GH #892, #510: Workaround for multiple plugins with hooks.
(Russell Jenkins, Alberto Sim玫es)
* GH #558: Remove "prefix" inconsistency with possibly missing postfixed
forward slash. (Sawyer X)
[ DOCUMENTATION ]
* GH #816, #874 Document session engine changes in migration documentation.
(Chenchen Zhao)
* GH #866, #870: Clarify that you cannot forward to a static file, why,
and two different ways of accomplishing it without forward.
(Sakshee Vijayvargia)
* GH #878: Rework example for optional named matching due to operator
precedence. (Andrew Solomon)
* GH #844: Document Simple session backend is the default. (Sawyer X)
[ ENHANCEMENT ]
* GH #869: Streaming file serving (send_file). (Russell Jenkins)
* GH #793: "prefix" now supports the path definition spec. (Sawyer X)
* GH #817, #845: Route spec under a prefix doesn't need to start with
a slash (but must without a prefix).
(Sawyer X, Russell Jenkins)
* GH #871: Use Safe.pm instead of eval with Dancer2::Serializer::Dumper.
(David Zurborg)
* GH #880: Reduce and cleanup different logging calls in order to handle
the stack frames traceback for logging classes. (Russell Jenkins)
* GH #857, #875: When failing to render in Template::Toolkit, make the
error reflect it's a TT error, not an internal one.
(valerycodes)
libraries, and ensure the socket libraries are added for both the main
library and test programs which use the static library.
While here use OPSYSVARS instead of bsd.fast.prefs.mk
Upstream changes:
1.3135 2015-04-22
[DOCUMENTATION]
- Document how to work with Dist::Zilla and the 'devel' branch.
[ENHANCEMENTS]
- Deprecate 'auto_reload' and document alternatives. (GH#1106, isync)
- Change YAML tests to be in line with new specs. (GH#1108, Slaven Rezi)
[STATISTICS]
- code churn: 12 files changed, 150 insertions(+), 50 deletions(-)
This release includes the following changes:
o openssl: show the cipher selection to use in verbose text
o gtls: implement CURLOPT_CERTINFO
o add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
o curl: add --false-start option
o add CURLOPT_PATH_AS_IS
o curl: add --path-as-is option
o curl: create output file on successful download of an empty file
This release includes the following bugfixes:
o ConnectionExists: for NTLM re-use, require credentials to match
o cookie: cookie parser out of boundary memory access
o fix_hostname: zero length host name caused -1 index offset
o http_done: close Negotiate connections when done
o sws: timeout idle CONNECT connections
o nss: improve error handling in Curl_nss_random()
o nss: do not skip Curl_nss_seed() if data is NULL
o curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
o http2: move lots of verbose output to be debug-only
o dist: add extern-scan.pl to the tarball
o http2: return recv error on unexpected EOF
o build: Use default RandomizedBaseAddress directive in VC9+ project files
o build: Removed DataExecutionPrevention directive from VC9+ project files
o tool: Updated the warnf() function to use the GlobalConfig structure
o http2: Return error if stream was closed with other than NO_ERROR
o mprintf.h: remove #ifdef CURLDEBUG
o libtest: fixed linker errors on msvc
o tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
o curl.1: fix "The the" typo
o cmake: handle build definitions CURLDEBUG/DEBUGBUILD
o openssl: remove all uses of USE_SSLEAY
o multi: fix memory-leak on timeout (regression)
o curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
o metalink: add some error checks
o TLS: make it possible to enable ALPN/NPN without HTTP/2
o http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
o conncontrol: only log changes to the connection bit
o multi: fix *getsock() with CONNECT
o symbols.pl: handle '-' in the deprecated field
o MacOSX-Framework: use @rpath instead of @executable_path
o GnuTLS: add support for CURLOPT_CAPATH
o GnuTLS: print negotiated TLS version and full cipher suite name
o GnuTLS: don't print double newline after certificate dates
o memanalyze.pl: handle free(NULL)
o proxy: re-use proxy connections (regression)
o mk-ca-bundle: Don't report SHA1 numbers with "-q"
o http: always send Host: header as first header
o openssl: sort ciphers to use based on strength
o openssl: use colons properly in the ciphers list
o http2: detect premature close without data transfered
o hostip: Fix signal race in Curl_resolv_timeout
o closesocket: call multi socket cb on close even with custom close
o mksymbolsmanpage.pl: use std header and generate better nroff header
o connect: Fix happy eyeballs logic for IPv4-only builds
o curl_easy_perform.3: remove superfluous close brace from example
o HTTP: don't use Expect: headers when on HTTP/2
o Curl_sh_entry: remove unused 'timestamp'
o docs/libcurl: makefile portability fix
o mkhelp: Remove trailing carriage return from every line of input
o nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
o curl_easy_setopt.3: added a few missing options
o metalink: fix resource leak in OOM
o axtls: version 1.5.2 now requires that config.h be manually included
o HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
o cyassl: detect the library as renamed wolfssl
o CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
o CURLOPT_URL.3: Added "SECURITY CONCERNS
o openssl: try to avoid accessing OCSP structs when possible
o test938: added missing closing tags
o testcurl: Allow '=' in values given on command line
o tests/certs: added make target to rebuild certificates
o tests/certs: rebuild certificates with modified key usage bits
o gtls: avoid uninitialized variable
o gtls: dereferencing NULL pointer
o gtls: add check of return code
o test1513: eliminated race condition in test run
o dict: rename byte to avoid compiler shadowed declaration warning
o curl_easy_recv/send: make them work with the multi interface
o vtls: fix compile with --disable-crypto-auth but with SSL
o openssl: adapt to ASN1/X509 things gone opaque in 1.1
o openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
o curl_memory: make curl_memory.h the second-last header file loaded
o testcurl.pl: add the --notes option to supply more info about a build
o cyassl: If wolfSSL then identify as such in version string
o cyassl: Check for invalid length parameter in Curl_cyassl_random
o cyassl: default to highest possible TLS version
o Curl_ssl_md5sum: return CURLcode (fixes OOM)
o polarssl: remove dead code
o polarssl: called mbedTLS in 1.3.10 and later
o globbing: fix step parsing for character globbing ranges
o globbing: fix url number calculation when using range with step
o multi: on a request completion, check all CONNECT_PEND transfers
o build: link curl to openssl libraries when openssl support is enabled
o url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined
o vtls: Don't accept unknown CURLOPT_SSLVERSION values
o build: Fix libcurl.sln erroneous mixed configurations
o cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
o cyassl: add SSL context callback support for CyaSSL
o tool: only set SSL options if SSL is enabled
o multi: remove_handle: move pending connections
o configure: Use KRB5CONFIG for krb5-config
o axtls: add timeout within Curl_axtls_connect
o CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
o cyassl: Fix library initialization return value
o cookie: handle spaces after the name in Set-Cookie
o http2: Fix missing nghttp2_session_send call in Curl_http2_switched
o cyassl: Fix certificate load check
o build-openssl.bat: Fix mixed line endings
o checksrc.bat: Check lib\vtls source
o DNS: fix refreshing of obsolete dns cache entries
o CURLOPT_RESOLVE: actually implement removals
o checksrc.bat: quotes to support an SRC_DIR with spaces
o cyassl: Remove 'Connecting to' message from cyassl_connect_step2
o cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
o lib/transfer.c: Remove factor of 8 from sleep time calculation
o lib/makefile.m32: add missing libs to build libcurl.dll
o build: Generate source prerequisites for Visual Studio in generate.bat
o cyassl: Include the CyaSSL build config
o firefox-db2pem: fix wildcard to find Firefox default profile
o BUGS: refer to the github issue tracker now as primary
o vtls_openssl: improve several certificate error messages
o cyassl: Add support for TLS extension SNI
o parsecfg: do not continue past a zero termination
o configure --with-nss=PATH: query pkg-config if available
o configure --with-nss: drop redundant if statement
o cyassl: Fix include order
o HTTP: fix PUT regression with Negotiate
o curl_version_info.3: fixed the 'protocols' variable type
Changes:
4.1.1:
Maintenance release, fixed 21 bugs.
4.1.2:
- A serious critical cross-site scripting vulnerability, which could enable
anonymous users to compromise a site.
- Files with invalid or unsafe names could be uploaded.
- Some plugins are vulnerable to an SQL injection attack.
- A very limited cross-site scripting vulnerability could be used as part of a
social engineering attack.
- Four hardening changes, including better validation of post titles within the
Dashboard.
4.15 2015-04-20
[ RELEASE NOTES ]
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
- This optimisation is no longer relevant and makes the code difficult to
deal with as well as making test coverage metrics incorrect. Benchmarks
show that advantages of AUTOLOAD / lazy loading / deferred compile are
less than 0.05s, which will be dwarfed by just about any meaningful code
in a cgi script. If this is an issue for you then you should look at
running CGI.pm in a persistent environment (FCGI, etc)
- To offset some of the time added by removing the AUTOLOAD functionality
the dependencies have been made runtime rather than compile time. The
POD has also been split into its own file. CGI.pm now contains around
4000 lines of code, which compared to some modules on CPAN isn't really
that much
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typo's in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it throughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
- References: GH #162, GH #137, GH #164
[ SPEC / BUG FIXES ]
- make the list context warning in param show the filename rather than
the package so we have more information on exactly where the warning
has been raised from (GH #171)
- correct self_url when PATH_INFO and SCRIPT_NAME are the same but we
are not running under IIS (GH #176)
- Add the multi_param method to :cgi export (thanks to xblitz for the patch
and tests. GH #167)
- Fix warning for lack of HTTP_USER_AGENT in CGI::Carp (GH #168)
- Fix imports when called from CGI::Fast, restores the import of CGI functions
into the callers namespace for users of CGI::Fast (GH leejo/cgi-fast#11 and
GH leejo/cgi-fast#12)
[ FEATURES ]
- CGI::Carp now has $CGI::Carp::FULL_PATH for displaying the full path to the
offending script in error messages
- CGI now has env_query_string() for getting the value of QUERY_STRING from the
environment and not that fiddled with by CGI.pm (which is what query_string()
does) (GH #161)
- CGI::ENCODE_ENTITIES var added to control which chracters are encoded by the
call to the HTML::Entities module - defaults to &<>"\x8b\x9b' (GH #157)
[ DOCUMENTATION ]
- Fix some typos (GH #173, GH #174)
- All *documentation* for HTML functionality in CGI has been moved into
its own namespace: CGI::HTML::Functions - although the functionality
continues to exist within CGI.pm so there are no code changes required
(GH #142)
- Add missing documentation for env variable fetching routines (GH #163)
[ TESTING ]
- Increase test coverage (GH #3)
[ INTERNALS ]
- Cwd made a TEST_REQUIRES rather than a BUILD_REQUIRES in Makefile.PL
(GH #170)
- AutoloadClass variables have been removed as AUTOLOAD was removed in
v4.14 so these are no longer necessary (GH #172 thanks to alexmv)
- Remove dependency on constant - internal DEBUG, XHTML_DTD and EBCDIC
constants changes to $_DEBUG, $_XHTML_DTD, and $_EBCDIC
A library to support the Internationalised Domain Names in Applications
(IDNA) protocol as specified in RFC 5891. This version of the
protocol is often referred to as IDNA2008 and can produce different
results from the earlier standard from 2003.
The library is also intended to act as a suitable drop-in replacement
for the encodings.idna module that comes with the Python standard
library but currently only supports the older 2003 specification.
tnn wrote:
: As the software seems to be ...
:
: 1) completely abandoned by upstream for several years
: 2) hasn't worked in pkgsrc for at least as long
: 3) has been removed from all linux distributions I can find
:
: ... the only reasonable choice of action is to remove it.
Numerous documentation updates especially for installation and the tutorial
Numerous improvements to translations
Improves reliability of apphooks
Improves reliabiliy of Advanced Settings for pages when using apphooks
Allow page deletion after template removal
Improves upstream caching accuracy
Improves CMSAttachMenu registration
Improves handling of mistyped URLs
Improves redirection as a result of changes to page slugs, etc.
Improves performance of "watched models"
Improves frontend performance relating to resizing the sideframe
Corrects an issue where items might not be visible in structue mode menus
Limits version of django-mptt used in CMS for 3.0.x
Prevent accidental upgrades to Django 1.8, which is not yet supported
- Support for MySQL utf8mb4
- Fixing some Django deprecation warnings
- Versions passed through by reversion.post_revision_commit now contain a primary key
--------------------------------------------
2014-10-06 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-extra-numeric-character-reference): Add (?\C-m . ? ).
[emacs-w3m:12378]
2014-10-01 Herbert J. Skuhra <h.skuhra@gmail.com>
* aclocal.m4 (AC_PATH_EMACS): Work for Emacs 25.
2014-08-01 Michael Heerdegen <michael_heerdegen@web.de>
Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-input-url-next-history-element): Abolish.
(w3m-url-completion-map): Don't bind M-n key.
(w3m-input-url-default-add-completions): New function.
(w3m-input-url):
Bind minibuffer-default-add-function to it locally in minibuffer.
2014-07-29 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-input-url-provide-initial-content): New user option.
(w3m-input-url): Use it.
(w3m-input-url-next-history-element): New function.
(w3m-url-completion-map): Bind it.
[emacs-w3m:12345]
2014-07-24 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter-add-name-anchors): Subdivide long regexp.
[emacs-w3m:12339]
2014-06-12 Katsumi Yamaoka <yamaoka@jpl.org>
* Makefile.in (install-lisp): Compress .el files.
* doc/Makefile.in (install): Compress info files.
* aclocal.m4 (AC_COMPRESS_INSTALL): New function.
* configure.in: Use it.
2014-06-11 Kevin Ryde <user42_kevin@yahoo.com.au>
* w3m.el (w3m-zoom-out-image, w3m-resize-image-interactive): Treat
zoom-out percentage as inverse of zoom-in, so "in" then "out" returns
to the original size.
(w3m-resize-inline-image-internal): Set w3m-image-scale property to
flonum to avoid integer round-off when resizing in and out. Use
`round' rather than `truncate' when calling "convert" so flonum
round-off 99.999 is original 100%.
2014-06-11 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-content-type-alist): Don't bug out for the case where
browse-url-browser-function is set to a function symbol that is not yet
defined. [emacs-w3m:12317]
2014-04-21 Michael Ernst <mernst@cs.washington.edu>
* w3m-util.el (w3m-beginning-of-tag, w3m-end-of-tag): Work correctly
for the case there is only whitespace between <tag> and </tag>.
2014-03-31 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-markup-urls-nobreak): Don't modify textarea.
[emacs-w3m:12308]
2014-03-26 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-relationship-estimate-rules): Update regexps for Google.
2014-02-13 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-url-encode-string): Encode `:' and `/'.
Suggested by Dan Jacobson <jidanni@jidanni.org>.
* w3m-form.el (w3m-form-make-form-data, w3m-form-parse-and-fontify):
Use car-less-than-car.
2014-02-10 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter-subst-disabled-with-readonly): Relax regexp.
* w3m-form.el (w3m-form-submit): Work for a url having no query part.
2014-01-08 Mirko M. <mirko.m@hotmail.com>
* w3m-util.el (w3m-delete-frames-and-windows): Don't clear the windows
layout that used to be before visiting an emacs-w3m buffer.
[emacs-w3m:12273]
2014-01-07 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-util.el (w3m-static-if, w3m-static-when, w3m-static-unless)
(w3m-static-cond): Add edebug spec.
* octet.el: Fix edebug spec for the static-* macros.
2013-12-03 Tatsuya Kinoshita <tats@vega.ocn.ne.jp>
* mew-w3m.el (mew-w3m-region): Set point to the end of <div> tag to
prevent infinite loop.
2013-12-01 Tatsuya Kinoshita <tats@vega.ocn.ne.jp>
* mew-w3m.el (mew-w3m-region): Set point to minimum for
`mew-w3m-cite-blockquote' to work.
2013-11-05 Katsumi Yamaoka <yamaoka@jpl.org>
* mew-w3m.el (mew-w3m-cite-blockquote): New function.
(mew-w3m-region): Use it.
2013-11-26 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter-subst-disabled-with-readonly): Rewrite.
* w3m-filter.el (w3m-filter-subst-disabled-with-readonly):
Fix the width of disabled select form.
2013-11-25 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter-subst-disabled-with-readonly): Replace
disabled or readonly select forms, that w3m doesn't support, with
read-only input forms. [emacs-w3m:12222]
* w3m-form.el (w3m-form-parse-and-fontify): Make read-only text buttons
for image, reset, and submit forms if readonly attr is turned on.
* w3m-ems.el, w3m-form (w3m-form-make-button): Add the optional
readonly argument; make a read-only text button if it is non-nil.
2013-11-20 Katsumi Yamaoka <yamaoka@jpl.org>
Make non-link urls unbreakable. [emacs-w3m:12215]
* w3m.el (w3m-markup-urls-nobreak): New function.
(w3m-rendering-buffer): Use it.
2013-10-22 Katsumi Yamaoka <yamaoka@jpl.org>
Simplify the tab line control so as not to consume CPU.
Thanks to Michael Heerdegen for good suggestions.
* w3m-ems.el (w3m-tab-line-format, w3m-tab-timer): Abolish.
(w3m-tab-mouse-track-selected-tab): Run `w3m-tab-line' instead of using
its cache; remove unused argument `buffers'.
(w3m-tab-line): Don't use chache and timer.
2013-10-17 Katsumi Yamaoka <yamaoka@jpl.org>
Replace `w3m-external-view-current-url', `w3m-external-view-this-url',
and `w3m-view-url-with-external-browser' with
`w3m-view-url-with-browse-url' that runs `browse-url'. [emacs-w3m:12190]
* w3m.el (w3m-menubar, w3m-tab-button-menu-commands, w3m-link-map): Do.
(w3m-external-view-current-url, w3m-external-view-this-url)
(w3m-view-url-with-external-browser): Make obsolete.
(w3m-view-url-with-browse-url): New function.
(w3m-mode-map): Bind "M" to it.
* w3m-lnum.el (w3m-lnum-actions-link-alist): Bind "M" to
w3m-view-url-with-browse-url instead of w3m-external-view.
(w3m-lnum-mode-map): Use the key bound to w3m-view-url-with-browse-url
for w3m-lnum-external-view-this-url.
(w3m-lnum-external-view-this-url): Use w3m-view-url-with-browse-url
instead of w3m-external-view.
2013-10-16 Michael Heerdegen <michael_heerdegen@web.de>
* w3m-ems.el (w3m-tab-line):
Run w3m-force-window-update unconditionally. [emacs-w3m:12175]
2013-10-09 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-form.el (w3m-form-inactive): Add underline property.
(w3m-form-input-textarea): Don't use it to view read-only textarea.
2013-10-08 Katsumi Yamaoka <yamaoka@jpl.org>
Make disabled or read-only forms inatcive.
* w3m-form.el (w3m-form-parse-and-fontify): Make `select', `checkbox',
`radio', and `file' input forms inactive.
(w3m-form-input-checkbox, w3m-form-input-radio, w3m-form-input-file)
(w3m-form-input-select): Don't allow keys if it is inactive.
2013-10-08 Thorsten Jolitz <tjolitz@gmail.com>
* w3m-form.el (w3m-form-input-textarea-mode-setup): New option for
setting up the textarea input buffer in org-mode instead of text-mode.
(w3m-form-input-textarea-org-mode-map) New minor-mode-map.
(w3m-form-textarea-use-org-mode-p) New variable.
(w3m-form-textarea-toggle-major-mode) New function.
(w3m-form-input-textarea-mode-setup) Setup textarea edit buffer with
major-mode 'org-mode if `w3m-form-textarea-use-org-mode-p' is non-nil.
(w3m-form-input-textarea) Split window sensibly if
`w3m-form-textarea-use-org-mode-p' is non-nil.
(w3m-form-input-textarea-mode) Override default minor-mode map with
new minor-mode-map in case major-mode is 'org-mode.
2013-10-08 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-form.el (w3m-form-input-textarea-mode-setup):
Fix typo (unquoted `view-mode').
2013-10-04 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-form.el (w3m-form-input-textarea-mode-setup): Use view-mode to
show disabled or readonly textarea.
(w3m-form-input-textarea): Revert last change; use w3m-form-inactive
face to show disabled or readonly textarea.
2013-10-03 Katsumi Yamaoka <yamaoka@jpl.org>
Make disabled forms not editable. [emacs-w3m:12146]
* w3m.el (w3m-use-filter): Default to t.
(w3m-show-form-hint): Notice form is inactive.
* w3m-filter.el (w3m-filter-subst-disabled-with-readonly): New function
that substitutes the `disabled' attribute with the `readonly' attribute
in an html source so as to enable w3m to handle.
(w3m-filter-configuration): Add it.
* w3m-form.el (w3m-form-inactive): New face.
(w3m-fontify-textareas, w3m-form-parse-and-fontify): Use it if text is
not editable.
(w3m-form-input): Use w3m-message rather than message.
(w3m-form-input-textarea): Don't allow editing text if it is disabled.
(w3m-form-last-position): New variable.
(w3m-form-restore-last-position): New function.
(w3m-form-submit): Add it to w3m-fontify-after-hook.
2013-09-10 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-input-url): Default to `default' or "".
(w3m-download): Prompt for url endlessly instead of bugging out.
(w3m): Doc fix.
2013-09-09 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-url-completion-map): New overriding keymap.
(w3m-input-url): Use it.
Suggested by Manuel Giraud <manuel@ledu-giraud.fr>.
2013-09-06 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-ems.el (w3m-toolbar-make-buttons): Make tool-bar button use
a single icon image if Emacs built with Gtk+ is running.
cf. <http://thread.gmane.org/gmane.emacs.bugs/78021>
(w3m-toolbar-use-single-image-per-icon): Add a note to docstring.
2013-09-04 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-util.el (w3m-decode-coding-string-with-priority):
Move from w3m-ems.el and w3m-xmas.el.
* w3m-ems.el, w3m-xmas.el
(w3m-decode-coding-string-with-priority): Move to w3m-util.el.
* w3m-proc.el: Don't Fbind it.
* w3mhack.el (w3mhack-make-package):
Avoid making a hard link for w3m-load.el twice.
2013-09-03 Manuel Giraud <manuel@ledu-giraud.fr>
* w3m.el (w3m-canonicalize-url): Do uri replace before normal parsing.
2013-09-02 Katsumi Yamaoka <yamaoka@jpl.org>
Prefer uris based on w3m-uri-replace-alist to Google's feeling lucky.
Suggested by Michael Heerdegen <michael_heerdegen@web.de>.
* w3m.el (w3m-canonicalize-url): Run w3m-uri-replace before falling
back to Google's feeling lucky.
(w3m-uri-replace): Simply return nil if there is no replacement.
(w3m-goto-url): Move forward w3m-uri-replace to w3m-canonicalize-url.
2013-08-26 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-retrieve-and-render): Record failed urls as well to the
arrived database. Suggested by Dan Jacobson.
(w3m-delete-buffer): Kill form buffers before killing a page buffer.
(w3m-delete-buffer): Work around mysterious bug where window positions
aren't restored if this command is called by a mouse event. Reported
by Dan Jacobson.
2013-08-26 Dan Jacobson <jidanni@jidanni.org>
* w3m.el (w3m-toolbar): Simplify the label used for w3m-history.
2013-08-13 Kevin Ryde <user42@zip.com.au>
* w3mhack.el (w3mhack-module-list): Remove w3mhack-load-file from the
modules not to be byte compiled, so that it is byte compiled.
(w3mhack-generate-load-file): Remove no-byte-compile from w3m-load.el.
2013-08-01 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-form.el (w3m-form-parse-and-fontify): Prefer base url if any
rather than the current url when constructing urls that form buttons
specify. Thanks to Thorsten Jolitz [emacs-w3m: 12107].
2013-07-01 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m): Enable it again to fetch Gmane url and others.
(w3m-gmane-url-at-point): Update url.
2013-06-26 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-use-cookies): Default to t.
Make `w3m-input-url' offer no useless initial string.
* w3m.el (w3m-active-region-or-url-at-point, w3m-input-url)
(w3m-download, w3m-view-this-url, w3m-view-url-with-external-browser)
(w3m-goto-url, w3m-goto-url-new-session, w3m): Do.
2013-06-21 Katsumi Yamaoka <yamaoka@jpl.org>
* aclocal.m4: Make configure work for term-mode running in Emacs.
2013-06-18 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (ffap-url-regexp): Silence the byte compiler.
* mime-w3m.el: Require calist when compiling.
2013-05-30 Katsumi Yamaoka <yamaoka@jpl.org>
* mime-w3m.el: Don't use obsolete macro dont-compile.
* w3m.el (w3m-goto-mailto-url): Bind display-buffer-alist instead of
special-display-buffer-names and special-display-regexps for Emacs >=
24.3.
* w3m-ems.el (w3m-image-multi-frame-p): Exclude images that don't
specify a delay.
2013-04-19 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter): Don't modify w3m-filter-rules.
2013-04-12 REN Lifeng <renlifeng@wowfly.com>
* w3m-session.el (w3m-session-rename): Don't infloop.
2013-04-11 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter-configuration):
Use w3m-language rather than w3m-use-japanese-menu.
2013-04-10 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter-add-name-anchors): Fix regexp matching name
anchors. Reported by Dan Jacobson <jidanni@jidanni.org>.
2013-04-08 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-form.el (w3m-form-get-by-name): Distinguish the type of forms of
the same names. Reported by Kevin Ryde <user42@zip.com.au>.
(w3m-form-resume, w3m-form-parse-and-fontify, w3m-form-input-map): Do.
2013-04-05 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter-fix-tfoot-rendering): New filter.
(w3m-filter-configuration): Add it but not activate.
* w3m-ems.el (w3m-image-multi-frame-p): New alias.
(w3m-image-animate): Use it.
2013-02-04 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-retrieve-and-render): Remove workaround.
* w3m-util.el (w3m-force-window-update-later): Make 1st arg optional.
* w3m-ems.el (w3m-force-window-update): A window need to be redisplayed
for `force-window-update' to work (see the docstring).
2013-01-23 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-lnum.el (w3m-lnum-read-interactive): Replace w3m-scroll-up-1 with
w3m-scroll-up.
* w3m.el (w3m-scroll-up): Rename from w3m-scroll-up-1.
(w3m-scroll-up, w3m-scroll-up-or-next-url): Make the bottom of a page
border on the bottom of a screen when having finished scrolling
the page up.
(w3m-scroll-down): New function detached from
w3m-scroll-down-or-previous-url.
(w3m-scroll-down-or-previous-url): Move point to the top when having
finished scrolling a page down.
(w3m-mwheel-scroll-up, w3m-mwheel-scroll-down): New functions.
(w3m-mode): Bind mwheel-scroll-(up,down)-function to
w3m-mwheel-scroll-(up,down).
Suggested by Dan Jacobson <jidanni@jidanni.org>.
2013-01-11 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-retrieve-and-render): Do (sit-for 0) to update the
header-line appearance as a workaround; see the 2013-01-11 comment.
(w3m-view-this-url-1): Revert 2010-01-15 change; don't popup new
session if w3m-new-session-in-background is non-nil.
Reported by Michael Heerdegen <michael_heerdegen@web.de>.
2012-12-25 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-search.el (w3m-search-do-search): Save history position.
Reported by Dan Jacobson <jidanni@jidanni.org>.
2012-12-17 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-ems.el (w3m-ems-create-image): Abolish.
(w3m-image-animate-seconds): New user option.
(w3m-image-animate): New function.
(w3m-create-image): Use it.
* w3m.el (w3m-resize-inline-image-internal): Use w3m-image-animate.
* w3m-xmas.el (w3m-image-animate): Alias to identity.
2012-12-10 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-decode-anchor-string): Decode url used to next/prev/...
cf. http://emacs-w3m.namazu.org/ml/msg11824.html
2012-12-05 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-util.el (w3m-flet): Rewrite it using cl-letf.
2012-12-04 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-util.el (w3m-labels): Revert; use cl-labels if available.
2012-12-04 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-util.el (w3m-labels): Rewrite.
2012-11-19 Uday S Reddy <u.s.reddy@cs.bham.ac.uk>
* w3m.el (w3m-command-environment): Make the "CYGWIN" environment
variable default to "binmode" for NTEmacs.
2012-10-18 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el (w3m-filter-configuration): Work around a widget bug.
2012-10-17 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-filter.el: Change file coding system to utf-8.
(w3m-filter-configuration):
New user option, a successor to w3m-filter-rules.
(w3m-filter-rules):
Make it semi-obsolete (but still usable) and default to nil.
(w3m-filter):
Use w3m-filter-configuration in addition to w3m-filter-rules.
(w3m-filter-google-click-tracking)
(w3m-filter-google-shrink-table-width, w3m-filter-add-name-anchors):
New filters.
* w3m.el (w3m-rendering-half-dump):
Move function, that adds name anchors, to w3m-filter.el.
(w3m-create-page): Move Google click-tracking filter to w3m-filter.el.
* w3m-util.el (w3m-widget-type-convert-widget):
Don't modify default sexp values.
2012-10-10 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-bookmark.el (w3m-bookmark-buffer): Use (0 0) as the Unix epoch.
* w3m.el (w3m-create-page): Fix regexp matching Google's click-
tracking urls.
2012-07-22 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-rendering-half-dump): Add name anchors for only existing
internal links.
2012-07-19 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-util.el (w3m-flet): New macro.
2012-07-18 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-input-url): Decode url string by the coding system that
url itself specifies if any.
* w3m.el (w3m-goto-url): Allow optional save-pos argument, that leads
it to run w3m-history-store-position.
(w3m-view-parent-page, w3m-scroll-up-or-next-url)
(w3m-scroll-down-or-previous-url): Run w3m-history-store-position.
(w3m-gohome, w3m-browse-url, w3m-find-file, w3m-db-history)
(w3m-history): Run w3m-history-store-position by way of w3m-goto-url.
* w3m-util.el (w3m-labels): New macro that runs cl-labels in Emacs 24.2
and later, otherwise runs labels.
* mime-w3m.el (mime-w3m-insinuate):
* w3m-bookmark.el (w3m-bookmark-safe-string):
* w3m-proc.el (w3m-process-do-with-temp-buffer):
* w3m-rss.el (w3m-rss-parse-date-string):
* w3m-weather.el (w3m-weather-completion-table):
Replace labels with w3m-labels.
* w3mhack.el (w3mhack-nonunix-install): Don't use labels.
2012-07-13 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-input-url, w3m-header-line-insert):
Don't decode only control characters.
2012-07-12 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-input-url): Don't decode %00~%1F and %7F~%9F in url.
2012-07-11 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-url-decode-string): Allow optional regexp matching %**.
(w3m-header-line-insert): Don't decode %00~%1F and %7F~%9F in url.
* w3m.el (w3m-create-page): Show raw contents briefly, not fully, when
prompting a user for the content type.
2012-07-10 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-rendering-half-dump): Add name anchors fast.
2012-07-10 Naohiro Aota <naota@elisp.net>
* w3m.el: (w3m-data-retrieve): URL-decode data-string. It can have
"%2b%2d%3d" representing "/+=".
2012-07-08 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-rendering-half-dump): Add name anchors that w3m can
handle in nested tags.
2012-07-02 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-view-url-with-external-browser): Improve prompt string.
Suggested by Dan Jacobson <jidanni@jidanni.org>.
2012-06-25 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-active-region-or-url-at-point, w3m-print-this-url):
Try to pick #name anchor out.
* w3m-search.el (w3m-search-read-variables): Make commands that use it
error out when other processes run in the current w3m buffer.
* w3m.el (w3m-mode): Add description of some missing commands to doc.
2012-06-20 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-create-page): Safely quit session when a user hits C-g;
make sure to set w3m-current-url.
2012-06-19 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m.el (w3m-cache-header, w3m-cache-request-header)
(w3m-cache-contents, w3m-cache-request-contents)
(w3m-cache-available-p): Canonicalize given url.
(w3m-show-error-information): Show as many info as possible.
2012-06-18 Katsumi Yamaoka <yamaoka@jpl.org>
* w3m-util.el (w3m-popup-buffer): Do nothing for the current buffer.
* w3m.el (w3m-history-highlight-current-url): Extend href anchor to bol.
* w3m.el (w3m-http-status-alist): New variable.
(w3m-http-status): New variable.
(w3m-w3m-retrieve): Set it.
(w3m-retrieve): Clear it.
(w3m-download, w3m-retrieve-and-render, w3m-show-error-information):
Show http status if download or retrieving fails.
---------------
* 2.2.7 *
Bluefish 2.2.7 is mostly a bug fix release. It fixes rare crashes in the
autocompletion, the filebrowser, the htmlbar plugin preferences, and in
file-load-cancel, fixes a rare case of broken syntax highlighting after
multiple search/replace actions. It furthermore displays better
error/warning output when parsing language files. It also finally fixes
javascript regex syntax highlighting. The loading of files with corrupt
encoding has been improved, and project loading over sftp has been improved.
Various HTML5 tags have been added, and HTML5 is the default now for php,
cfml and other languages that can include html syntax. Saving and loading
of UTF-16 encoded files was broken and has been fixes. Various languages
have better support, such as javascript, css, html, pascal/deplhi, and html
has improved autocompletion. On OSX the keys for tab switching no longer
confict with some keyboard layouts, and behavior at shutdown was improved.
The upload/download feature has a new option to ignore backup files. The
home/end keys now work better on wrapped tekst. And finally the search and
replace dialog correctly shows the number of results when searching in files
on disk.
Not backwards compatible with 1.x. Now depends on php-propro and php-raphf.
Upstream changelog:
2.4.3
* Fixed bug #69357 (HTTP/1.1 100 Continue overriding subsequent 200 response
code with PUT request)
2.4.2
* Fixed bug 69076 (http\Url throws Exception on empty querystring)
* Fixed bug 69313 (http\Client doesn't send GET body)
+ Added libidn2 and UIDNA as fallbacks for IDN support
- Deferred warnings/exceptions of the client, so callbacks for the
currently failing requests will still be called
2.4.1
* Fixed build with PHP <= 5.4 (Remi)
2.4.0
* Split off pecl/apfd and pecl/json_post
2.3.2
* Fixed bug with http\QueryString::offsetSet() resetting the complete
query string
2.3.1
* Fixed build on platforms that need stddef.h to define ptrdiff_t
(e.g. CentOS 7.5)
2.3.0
+ Preliminiary HTTP2 support for http\Client (libcurl with nghttp2 support)
+ Improved performance of HTTP info parser (request/response line)
+ Improved performance of updating client observers
+ Improved performance of http\Env\Response output to streams
+ Improved the error messages of the header parser
+ Added http\Header\Parser class
+ Added http\Client::configure() method accepting an array with the following
options for libcurl:
. maxconnects (int, size of the connection cache)
. max_host_connections (int, max number of connections to a single host,
libcurl >= 7.30.0)
. max_pipeline_length (int, max number of requests in a pipeline,
libcurl >= 7.30.0)
. max_total_connections (int, max number of simultaneous open connections
of this client, libcurl >= 7.30.0)
. pipelining (bool, whether to enable HTTP/1.1 pipelining)
. chunk_length_penalty_size (int, chunk length threshold for pipelining,
libcurl >= 7.30.0)
. content_length_penalty_size (int, size threshold for pipelining,
libcurl >= 7.30.0)
. pipelining_server_bl (array, list of server software names to blacklist
for pipelining, libcurl >= 7.30.0)
. pipelining_site_bl (array, list of server host names to blacklist
for pipelining, libcurl >= 7.30.0)
. use_eventloop (bool, whether to use libevent, libcurl+libevent)
+ Added http\Client::getAvailableOptions() and
http\Client::getAvailableConfiguration() methods
+ Added support for HTTP2 if libcurl was built with nghttp2 support.
+ Added http\Client\Curl\HTTP_VERSION_2_0 constant (libcurl >= 7.33.0)
+ Added http\Client\Curl\TLS_AUTH_SRP constant (libcurl >= 7.21.4)
+ Added pinned_publickey SSL request option (libcurl >= 7.39.0)
+ Added tlsauthtype, tlsauthuser and tlsauthpass SSL request option
(libcurl >= 7.21.4)
+ Added verifystatus (a.k.a OCSP) SSL request option (libcurl >= 7.41.0)
+ Added proxyheader request option (libcurl >= 7.37.0)
+ Added unix_socket_path request option (libcurl >= 7.40.0)
* Fixed compress request option
* Fixed parsing authorities of CONNECT messages
* Fixed parsing Content-Range messages
* Fixed http\Env\Response to default to chunked encoding over streams
* Fixed superfluous output of Content-Length:0 headers
* Fixed persistent easy handles to be only created for persistent
multi handles
* Fixed the header parser to accept not-yet-complete header lines
* Fixed http\Message::toStream() crash in ZTS mode
* Fixed the message stream parser to handle intermediary data bigger than 4k
* Fixed the message stream parser to handle single header lines without EOL
* Fixed http\Message\Body to not generate stat based etags
for temporary streams
- Deprecated http\Client::enablePipelining(), use
http\Client::configure(["pipelining" => true]) instead
- Deprecated http\Client::enableEvents(), use
http\Client::configure(["use_eventloop" => true]) instead
- Removed the cookies entry from the transfer info, wich was very slow
and generated a Netscape formatted list of cookies
- Changed the header parser to reject illegal characters
2.2.1
* Fixed Bug #69000 (http\Url breaks down with very long URL query strings)
2.2.0
- var_dump(http\Message) no longer automatically creates an empty body
+ Added http\Message\Parser class
+ Made http\Client::once() and http\Client::wait() available when using events
+ Added http\Url::PARSE_MBLOC, http\Url::PARSE_MBUTF8,
http\Url::PARSE_TOIDN and http\Url::PARSE_TOPCT constants
+ Added http\Env\Response::setCookie()
+ Added http\Env\Request::getCookie()
2.1.4
* Fixed bug #68353 (QsoSSL support removed in libcurl 7.39)
* Fixed bug #68149 (duplicate content-length with libcurl < 7.23)
* Fixed bug #66891 (Unexpected HTTP 401 after NTLM authentication)
2.1.3
* Fix build with libcurl < 7.26 (Remi)
2.1.2
+ Added missing request option constants: POSTREDIR_303, AUTH_SPNEGO
(libcurl >= 7.38.0), SSL_VERSION_TLSv1_{0,1,2} (libcurl >= 7.34)
* Fixed bug #68083 (PUT method not working after DELETE)
* Fixed bug #68009 (Segmentation fault after calling exit(0) after a request)
* Fixed bug #68000 (Extension does not build on FreeBSD)
2.1.1
* Fix httpVersion retrieval on bigendian (Remi)
* Fix etag/crc32b on bigendian (Remi)
2.1.0
- Removed port and scheme guessing of http\Url for portability
* Fixed PHP-5.3 compatibility
* Fixed PHP-5.4 compatibility
* Fixed possible bus error on shutdown when using events
* Fixed sovereignty of clients when using events
* Fixed a possible crash with http\Encoding\Stream\Dechunk::decode($unencoded)
* Fixed a leak in http\Client\Curl options
* Fixed bug #67733 (Compile error with libevent 2.x)
+ Added RFC5987 support in http\Params
+ Improved synthetic HTTP message parsing performace for ~20%
+ Added request options if libcurl has builtin c-ares support:
dns_interface, dns_local_ip4, dns_local_ip6 (all libcurl >= 7.33.0)
+ Added request options:
expect_100_timeout (libcurl >= 7.36.0), tcp_nodelay
+ Added transfer info:
curlcode, tls_session (libcurl >= 7.34.0), only available during transfer
2.0.7
* General improvements to the test suite
* Fixed http\Env\Response::send() ignoring some write errors
* Fixed bug #67528 (RFC compliant default user agent)
* Fixed a garbage collector issue with JSON POSTs
* Fixed refcount issue and double free of message bodies
* Fixed use after free if the http\Client::enqueue() closure returns TRUE
* Fixed bug #67584 (http\Client\Response not initialized as response
on failure)
2.0.6
+ Added "uploaded" progress state
* Fixed bug #67089 (Segmentaion fault with ZTS)
* Fixed compatibility with PHP-5.6+
* Fixed re-use of request messages which content length remained untouched
when the body was reset
2.0.5
* Fix rare crash with uninitialized CURLOPT_HTTPHEADER
* Fix build with -Werror=format-security (Remi)
* Fix build with extenal libs needed by libcurl
2.0.4
* Removed the pecl/event conflict
* Fixed bug #66388 (Crash on POST with Content-Length:0 and untouched body)
2.0.3
* Fixed typo
2.0.2
* Fixed bug #66250 (shutdown crash as shared extension)
2.0.1
* Fixed a bug with multiple ob_start(http\Env\Response) while
replacing the body
* Fixed build on Windows with libevent2
2.0.0
Extended HTTP support. Again. Keep in mind that it's got the major version 2,
because it's incompatible with pecl_http v1.
* Introduces the http namespace.
* Message bodies have been remodeled to use PHP temporary streams instead
of in-memory buffers.
* The utterly misunderstood HttpResponse class has been reimplemented
as http\Env\Response inheriting http\Message.
* Currently, there's only one Exception class left, http\Exception.
* Errors triggered by the extension can be configured statically by
http\Object::$defaultErrorHandling or inherited http\Object->errorHandling.
* The request ecosystem has been modularized to support different libraries,
though for the moment only libcurl is supported.
Matcha SNS is Social Networking Service (SNS) software for intranet
and the Internet SNS. This software has Japanese UI only.
It is formerly known as sencha-sns.
Upstream changes:
6.07 2015-04-07
- Fixed Windows bug in "daemon.t".
6.06 2015-04-06
- Added element_count_is method to Test::Mojo. (Zoffix)
- Added "chat.pl" to example scripts.
- Improved Mojo::DOM::CSS to handle attribute selectors with single quotes
correctly.
6.05 2015-03-24
- Fixed circular require bug in Mojo::Base and Mojo::Util.
6.04 2015-03-23
- Improved Mojo::Reactor::EV and Mojo::Reactor::Poll to fail more
consistently.
- Improved Mojo::Base performance slightly.
- Fixed a few bugs in Mojo::DOM::CSS that required class, id and attribute
selectors, as well as pseudo-classes, to be in a specific order.
6.03 2015-03-16
- Added support for overriding the HTTP request method with the _method query
parameter.
- Added suggested_method method to Mojolicious::Routes::Route.
- Improved portability of some tests.
6.02 2015-03-09
- Added daemon attribute to Mojo::Server::Morbo.
- Improved portability of Mojo::Server::Morbo.
- Fixed empty template handling in Mojo::Template.
6.01 2015-03-03
- Added content_with helper to Mojolicious::Plugin::DefaultHelpers.
- Relaxed request-line handling in Mojo::Message::Request.
- Fixed code name in version command and built-in templates.
Quoting database identifiers with backticks as is done in 2.17 is
not portable, and only works with a MySQL backend. Instead, use
the DBI quote_identifier method as hinted in
https://rt.cpan.org/Public/Bug/Display.html?id=101561
Bump PKGREVISION to 1.
Upstream changes:
MediaWiki 1.24.2
This is a security and maintenance release of the MediaWiki 1.24 branch.
Changes since 1.24.1
(bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
(bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
(bug T88310) SECURITY: Always expand xml entities when checking SVG's.
(bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
(bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
(bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.
(bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.
Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
(bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
(bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.
Changelog:
Fixed in Firefox ESR 31.6
2015-40 Same-origin bypass through anchor navigation
2015-37 CORS requests should not follow 30x redirections after preflight
2015-33 resource:// documents can load privileged pages
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
* Bump nspr requirement.
Changelog:
New Heartbeat user rating system - your feedback about Firefox
New Yandex set as default search provider for the Turkish locale
New Bing search now uses HTTPS for secure searching
New Improved protection against site impersonation via OneCRL centralized certificate revocation
New Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
Changed Disabled insecure TLS version fallback for site security
Changed Extended SSL error reporting for reporting non-certificate errors
Changed TLS False Start optimization now requires a cipher suite using AEAD construction
Changed Improved certificate and TLS communication security by removing support for DSA
Changed Improved performance of WebGL rendering on Windows
HTML5 Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube (Windows only)
HTML5 Added support for CSS display:contents
HTML5 IndexedDB now accessible from worker threads
HTML5 New SDP/JSEP implementation in WebRTC
Developer Debug tabs opened in Chrome Desktop, Chrome for Android, and Safari for iOS
Developer New Inspector animations panel to control element animations
Developer New Security Panel included in Network Panel
Developer Debugger panel support for chrome:// and about:// URIs
Developer Added logging of weak ciphers to the web console
Fixed Various security fixes
Fixed in Firefox 37
2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
2015-41 PRNG weakness allows for DNS poisoning on Android
2015-40 Same-origin bypass through anchor navigation
2015-39 Use-after-free due to type confusion flaws
2015-38 Memory corruption crashes in Off Main Thread Compositing
2015-37 CORS requests should not follow 30x redirections after preflight
2015-36 Incorrect memory management for simple-type arrays in WebRTC
2015-35 Cursor clickjacking with flash and images
2015-34 Out of bounds read in QCMS library
2015-33 resource:// documents can load privileged pages
2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
[20150317]
Bugfixes
Don't lower security standards with gcc 4.9 (Riccardo Magliocchetti)
Perl/PSGI make sure that at least two params are passed to xs_input_seek (Ivan Kruglov)
Per/PSGI fixed multiple interpreters usage
spooler: fixed scandir usage
fixed exception handler arguments management
fixed 'log-master' + 'daemonize2' disables all logging
fixed http Range header management
New Features
safeexec hook
this is like 'exec' but do not exit on error even if the executed command returns a non-zero value
backported --emperor-wrapper-fallback and --emperor-wrapper-override
the --emperor-wrapper-fallback option allows you to specify an alternative binary to execute when running a vassal and the default binary_path is not found (or returns an error). (you can specify it multiple times)
The --emperor-wrapper-override is similar but 'overrides' the default wrapper (you can specify it multiple times)
added support for UNIX sockets to rsyslog
The rsyslog logger can now get a unix socket as address (arguments starting with a slash are recognized as a unix path)
forcecl transformation
this transformation works like 'fixcl' but generates the Content-Length header even if Content-Length has been listed for removal.
Flask-Limiter provides rate limiting features to flask routes. It has support
for a configurable backend for storage with current implementations for in-
memory, redis and memcache.
4.14 2015-04-01
[ RELEASE NOTES ]
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
- This optimisation is no longer relevant and makes the code difficult to
deal with as well as making test coverage metrics incorrect. Benchmarks
show that advantages of AUTOLOAD / lazy loading / deferred compile are
less than 0.05s, which will be dwarfed by just about any meaningful code
in a cgi script. If this is an issue for you then you should look at
running CGI.pm in a persistent environment (FCGI, etc)
- To offset some of the time added by removing the AUTOLOAD functionality
the dependencies have been made runtime rather than compile time. The
POD has also been split into its own file. CGI.pm now contains around
4000 lines of code, which compared to some modules on CPAN isn't really
that much
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typo's in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it throughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
- References: GH #162, GH #137, GH #164
[ FEATURES ]
- CGI::Carp now has $CGI::Carp::FULL_PATH for displaying the full path to the
offending script in error messages
- CGI now has env_query_string() for getting the value of QUERY_STRING from the
environment and not that fiddled with by CGI.pm (which is what query_string()
does) (GH #161)
- CGI::ENCODE_ENTITIES var added to control which chracters are encoded by the
call to the HTML::Entities module - defaults to &<>"\x8b\x9b' (GH #157)
[ SPEC / BUG FIXES ]
- Add the multi_param method to :cgi export (thanks to xblitz for the patch
and tests. GH #167)
- Fix warning for lack of HTTP_USER_AGENT in CGI::Carp (GH #168)
- Fix imports when called from CGI::Fast, restores the import of CGI functions
into the callers namespace for users of CGI::Fast (GH leejo/cgi-fast#11 and
GH leejo/cgi-fast#12)
[ INTERNALS ]
- Remove dependency on constant - internal DEBUG, XHTML_DTD and EBCDIC
constants changes to $_DEBUG, $_XHTML_DTD, and $_EBCDIC
[ DOCUMENTATION ]
- Add missing documentation for env variable fetching routines (GH #163)
0.9.2 (2014-12-05)
Fixes:
HTML escape SQL queries when syntax highlighting is not available
Use case-insensitive comparison to normalize filenames on Windows
Fix exception when SQL query contained non-ASCII characters
0.9.1 (2014-11-24)
Fixes:
Fix SQL queries with byte strings on Python 3
Fix displaying values whose repr() contains unprintable characters
NEWS since last version imported in pkgsrc
Version 0.10.0
---------------------------------------------------------------------------
* Make sure that we fail in the unlikely case where OpenSSL is not able
to provide us with a secure session id.
* Increase the number of key-value pairs in the session to 2048.
* Add MellonMergeEnvVars-option to store multi-valued attributes in
a single environment variable, separated with ';'.
* Bugfixes:
* Fix the [MAP] option for MellonCond.
* Fix cookie deletion for the session cookie. (Logout is not dependent
on the cookie being deleted, so this only fixes the cookie showing
up after the session is deleted.)
Version 0.9.1
---------------------------------------------------------------------------
* Bugfixes:
* Fix session offset calculation that prevented us from having
active sessions at once.
* Run mod_auth_mellon request handler before most other handlers,
so that other handlers cannot block it by accident.
Version 0.9.0
---------------------------------------------------------------------------
* Set the AssertionConsumerServiceURL attribute in authentication
requests.
* Bugfixes:
* Fix use of uninitialized data during logout.
* Fix session entry overflow leading to segmentation faults.
* Fix looking up sessions by NameID, which is used during logout.
Version 0.8.1
---------------------------------------------------------------------------
This is a security release with fixes backported from version 0.9.1.
It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)
In addition to the information disclosure, this release contains some
fixes for logout processing, where logout requests would crash the
Apache web server. (CVE-2014-8567)
Version 0.8.0
---------------------------------------------------------------------------
* Add support for receiving HTTP-Artifact identifiers as POST data.
* Simplify caching headers.
* Map login errors into more appropriate HTTP error codes than
400 Bad Request.
* Add MellonNoSuccessErrorPage option to redirect to a error page on login
failure.
* Turn session storage into a dynamic pool of memory, which means that
attribute values (and other items) can have arbitrary sizes as long as
they fit in the session as a whole.
* Various bugfixes:
* Fix for compatibility with recent versions of CURL.
* Fix broken option MellonDoNotVerifyLogoutSignature.
* Fix deadlock that could occur during logout processing.
* Fix some compile warnings.
* Fix some NULL derefernce bugs that may lead to segmentation faults.
* Fix a minor memory leak during IdP metadata loading.
Version 0.7.0
---------------------------------------------------------------------------
* Add MellonSPentityId to control entityId in autogenerated metadata
* Fix compatibility with Apache 2.4.
* Handle empty RelayState the same as missing RelayState.
* Add MellonSetEvnNoPrefix directive to set environment variables
without "MELLON_"-prefix.
[ Joey Hess ]
* Fix NULL ptr deref on ENOMEM in wrapper. (Thanks, igli)
[ Simon McVittie ]
* Really don't double-decode CGI submissions, even on Perl versions that
bundle an old enough Encode.pm for that not to be a problem: the
system might have a newer Encode.pm installed separately, like Fedora 20.
(Closes: #776181; thanks, Anders Kaseorg)
* If neither timezone nor TZ is set, set both to :/etc/localtime if
we're on a GNU system and that file exists, or GMT otherwise
* t/inline.t: accept translations of "Add a new post titled:"
(Closes: #779365)
* Consistently document command-line options as e.g. --refresh, not -refresh
[ Amitai Schlair ]
* In VCS-committed anonymous comments, link to url.
[ Joey Hess ]
* Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483)
-- Simon McVittie <smcv@debian.org> Sun, 29 Mar 2015 21:48:24 +0100
Updating this leaf package during the freeze for the bugfixes.
## 0.7.3 (2015-03-24)
* SECURITY FIX: http.rb failed to call the #post_connection_check method
on SSL connections. This method implements hostname verification, and
without it http.rb was vulnerable to MitM attacks. The problem was
corrected by calling #post_connection_check (CVE-2015-1828)
Version 3.4.5 (2015-03-27)
--------------------------
### Fixed
Consider the `$blnCache` flag when caching insert tags (see #7700).
### Updated
Updated TinyMCE to version 4.1.9 (see #7690).
### Fixed
Correctly calculate the max upload size in the DropZone uploader (see #7633).
### Fixed
Convert language codes to locales in the meta wizard (see #7667).
### Fixed
Replace only the `{{file}}` insert tag in the back end preview (see #7647).
### Fixed
Correctly convert date strings depending on their rgxp format (see #7721).
### Fixed
Update news and calendar feeds from the content view (see #7679).
### Fixed
Do not generally encode stand-alone ampersands (see #7684).
### Fixed
Restore some globals when catching the unused argument exception (see #7659).
### Fixed
Correctly set the CSS classes in the jQuery accordion and do not try to mess
with its ARIA handling (see #7622).
### Fixed
Handle language fragments without trailing slash when redirecting (see #7666).
### Fixed
Trigger the `load_callback` upon saving in "override all" mode (see #7670).
### Fixed
Ensure a unique language file array in the `Automator` class (see #7687).
Version 3.2.20 (2015-03-26)
---------------------------
### Fixed
Correctly convert date strings depending on their rgxp format (see #7721).
### Fixed
Update news and calendar feeds from the content view (see #7679).
### Fixed
Do not generally encode stand-alone ampersands (see #7684).
### Fixed
Restore some globals when catching the unused argument exception (see #7659).
### Fixed
Correctly set the CSS classes in the jQuery accordion and do not try to mess
with its ARIA handling (see #7622).
### Fixed
Handle language fragments without trailing slash when redirecting (see #7666).
### Fixed
Trigger the `load_callback` upon saving in "override all" mode (see #7670).
### Fixed
Ensure a unique language file array in the `Automator` class (see #7687).
# 1.8.0
- Security: implement standards compliant cookie handling by adding a
dependency on http-cookie. This breaks compatibility, but was necessary to
address a session fixation / cookie disclosure vulnerability.
(#369 / CVE-2015-1820)
Previously, any Set-Cookie headers found in an HTTP 30x response would be
sent to the redirection target, regardless of domain. Responses now expose a
cookie jar and respect standards compliant domain / path flags in Set-Cookie
headers.
changes in bozohttpd 20150320:
o fix redirection handling
o support transport stream (.ts) and video object (.vob) files
o directory listings show correct file sizes for large files
changes in bozohttpd 20140717:
o properly handle SSL errors
ok @agc.
Changelog:
31.5.3
Fixed Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest
Fixed in Firefox ESR 31.5.3
2015-28 Privilege escalation through SVG navigation
31.5.2
Fixed Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest
Fixed in Firefox ESR 31.5.2
2015-29 Code execution through incorrect JavaScript bounds checking elimination
Changelog:
Fixed 36.0.4: Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest
Fixed in Firefox 36.0.4
2015-28 Privilege escalation through SVG navigation
Fixed in Firefox 36.0.3
2015-29 Code execution through incorrect JavaScript bounds checking elimination
Changelog:
Version 8.0.2 March 11th 2015
Prevent DB errors in certain high load situations
Fix installation and updating of apps from the app store
Fix documentation links
Fix file move/copy when out of storage space
Disable 3rd party apps during upgrade to prevent breaking ownCloud if incompatible apps are used
Fix compatibility with certain MariaDB versions
Print app upgrade information to console
Detect broken APC versions
Fix certain incompatibilities with older PHP 5.4 versions
Several smaller fixes
Since 3.1.2.1
----------------
bugfix: Users without permissions to add timeslots can add timeslots if the task is assigned to him/her.
bugfix: In tasks list, in show menu, user has no time permissions but time option is shown, and are also shown the time links in task row.
bugfix: In tasks list, if action popover button has no actions, it is shown with an empty menu.
bugfix: on template tasks add dependant task not working.
bugfix: after edit member update all childs depths.
bugfix: when deleting emails the register in objects table was not deleted.
bugfix: document level filter is not set with its current value when logging in.
feature: in single member selector when no member is selected show root node's text.
feature: upgrade by console - no need to pass the version from and version to parameters.
Since 3.1.2
----------------
bugfix: When checking mail, check for spam level in headers improved.
bugfix: Error when adding tasks.
bugfix: Cannot delete user group.
bugfix: Feng1 to Feng3 upgrade script does not fill the "enabled_dimensions" config option.
Since 3.1.1
----------------
feature: Cron process to reprocess last objects' sharing table entries
Since 3.1
----------------
bugfix: Sql error in tasks list.
bugfix: In upgrader script, if DEFAULT_LOCALIZATION not defined then define it with value "en_us".
bugfix: After adding tasks, actions buttons not working.
bugfix: Reminders on task templates are not saved.
bugfix: Can't see subtasks if parent task is not displayed.
bugfix: If email account is set as default, then the "Sender name" field is ignored.
bugfix: After change group by on tasks list the groups are still the same.
bugfix: Timezones on tasks list groups.
bugfix: When adding an event checkboxes "subscribe invited users" and "send email notifications" are not working.
bugfix: Duplicated tasks on tasks list in last month and last week when this groups are overlapping.
bugfix: Sql error table missing prefix. table im_types.
bugfix: Can't add tasks in french.
feature: in contact csv import allow to match custom properties
language: fr_ca updated.
Since 3.1-beta
----------------
bugfix: Template tasks subscribers were not copied when instantiating the tasks.
bugfix: Remove contextmenu from the email editor.
bugfix: Autoclassifying email fix in query.
bugfix: Refresh the task row after adding timeslots to tasks.
bugfix: Sql query malformed on tasks list.
bugfix: Duplicate signature sometimes when replying emails.
bugfix: When creating collaborators positioned in a workspace, the workspace is not added to the member cache, permissions are fine.
bugfix: Javascript eerror "member is undefined" in member cache js file.
Since 3.0.8
----------------
feature: hierarchy filter on documents tab.
feature: in custom reports if object name is printed now it is a link to the object.
feature: when classifying users using drag and drop the system asks if you want to add the default permissions for the users in the workspace where they are being classified.
feature: add tags selector in user add/edit form.
performance: tree node asks for childrens to the server twice after click .
bugfix: reminders on template tasks.
bugfix: after adding a client, the client tree shows the client twice.
bugfix: do not reload member trees after editing a member.
bugfix: use current time when adding timeslots from tasks list.
bugfix: permission errors when adding timeslots from tasks list.
bugfix: on tasks list after add the first task remove "There are no tasks in".
bugfix: wrong order when grouping by priority on tasks list.
bugfix: wrong signature when replying mail from a non default account.
bugfix: after add subtasks send assignment notifications.
bugfix: when dragging members to no-permissions tree children are not moved.
bugfix: cannot edit user tags.
bugfix: select milestones on templates.
bugfix: when composing an email with other email address the autosave asks if you want to send with that adddess (it must ask only when sending or saving draft).
bugfix: collaborators should not have access to mail tab
language: fr_ca updated.
Since 3.0.7
----------------
Since 3.0.6
----------------
feature: in custom reports, show name column as a link to the listed object and open the link in a new feng tab.
feature: add projects to available object types when configuring autonumeric prefixes.
feature: crpm types plugin - new dimension Client type, Project type and Project status.
feature: when replying an email of other account, a warning must appear telling that email will be sent using that account and give the posibility to change the account before sending the email.
bugfix: upgrade script to 3.0 fails when inserting in tab_panels if not all columns are specified depending in mysql server configuration.
bugfix: dont use the same "from name" when sending mails with different account.
bugfix: cannot autoclassify mails in more than one workspace.
bugfix: checklang translation tool does not show plugin missing/incomplete translation files.
bugfix: non-exec directors should not be task assingable.
bugfix: header breadcrumbs are not reloaded when deleting a workspace.
bugfix: when reordering workspaces, tags, clients and projects columns in any listing (notes, documents, etc), the values of these columns are lost for all rows, must reload the list to reappear.
bugfix: send notification when a task is assigned.
performance: ajax load on tasks list.
* gnome option is broken. Disable it.
Changelog:
What's New in SeaMonkey 2.33
SeaMonkey 2.33 contains the following major changes relative to SeaMonkey 2.32.1:
SeaMonkey-specific changes
Security notification bars now feature tracking controls.
The tracking/privacy preferences pane has been updated.
Mozilla platform changes
The Flash protected-mode sandbox has been disabled on Windows in order to evaluate the stability impact of protected mode.
Insecure RC4 ciphers are no longer accepted whenever possible.
Certificates with 1024-bit RSA keys have been phased out.
A subset of the Media Source Extensions (MSE) API has been implemented in order to allow native HTML5 playback on YouTube. Full support is on the way.
The performance of the new ES6 generator functions has been improved.
Also see Firefox 36 for Developers.
Fixed several stability issues.
Bugs fixed in this release
SeaMonkey bugs
Thunderbird bugs (including both shared MailNews- and Thunderbird-only bugs)
Relevant security fixes are listed on Security Advisories for SeaMonkey.
* Security advisories are not available yet.
1.1.0
-----
Mostly bug fix release. Highlights:
* Inline model editing on the list page
* FileAdmin refactoring and fixes
* FileUploadField and ImageUploadField will work with Required() validator
* Bug fixes
For full changes, please refer http://www.piwigo.org/releases/2.7.4 and
related pages.
This release contains these security fixes.
* SQL injection CVE-2015-1517 reported by Schleier, Sven (KPMG Management
Consulting Singapore)
* SQL injection and XSS failures reported and corrected by Steffen Rösemann
Changes before 6.5.19, please refer: http://support.sugarcrm.com/02_Documentation/01_Sugar_Editions/05_Sugar_Community_Edition/
Fixed Issues
Sugar 6.5.20 is a security update released to address certain security
vulnerabilities identified during our routine QA checks.
We strongly recommend that you install this update at the earliest
opportunity. While we have not experienced any reported incidents relating to
these vulnerabilities to date, failure to install this update could leave you
exposed to the following types of malicious third party attacks:
Unauthenticated users may retrieve contents from system-generated files.
These vulnerabilities as well as an additional issue have been addressed in
release 6.5.20 which is available for download from the Download Manager.
Administrators are strongly encouraged to upgrade their Sugar instances
running 6.5.x or earlier to 6.5.20 to prevent potential exploitation of these
weaknesses.
IMPORTANT: Liquid 2.6 is going to be the last version of Liquid which maintains explicit Ruby 1.8 compatability.
The following releases will only be tested against Ruby 1.9 and Ruby 2.0 and are likely to break on Ruby 1.8.
## 2.6.1 / 2014-01-10 / branch "2-6-stable"
Security fix, cherry-picked from master (4e14a65):
* Don't call to_sym when creating conditions for security reasons, see #273 [Bouke van der Bijl, bouk]
* Prevent arbitrary method invocation on condition objects, see #274 [Dylan Thacker-Smith, dylanahsmith]
## 2.6.0 / 2013-11-25
* ...
* Bugfix for #106: fix example servlet [gnowoel]
* Bugfix for #97: strip_html filter supports multi-line tags [Jo Liss, joliss]
* Bugfix for #114: strip_html filter supports style tags [James Allardice, jamesallardice]
* Bugfix for #117: 'now' support for date filter in Ruby 1.9 [Notre Dame Webgroup, ndwebgroup]
* Bugfix for #166: truncate filter on UTF-8 strings with Ruby 1.8 [Florian Weingarten, fw42]
* Bugfix for #204: 'raw' parsing bug [Florian Weingarten, fw42]
* Bugfix for #150: 'for' parsing bug [Peter Schröder, phoet]
* Bugfix for #126: Strip CRLF in strip_newline [Peter Schröder, phoet]
* Bugfix for #174, "can't convert Fixnum into String" for "replace" [wǒ_is神仙, jsw0528]
* Allow a Liquid::Drop to be passed into Template#render [Daniel Huckstep, darkhelmet]
* Resource limits [Florian Weingarten, fw42]
* Add reverse filter [Jay Strybis, unreal]
* Add utf-8 support
* Use array instead of Hash to keep the registered filters [Tasos Stathopoulos, astathopoulos]
* Cache tokenized partial templates [Tom Burns, boourns]
* Avoid warnings in Ruby 1.9.3 [Marcus Stollsteimer, stomar]
* Better documentation for 'include' tag (closes#163) [Peter Schröder, phoet]
* Use of BigDecimal on filters to have better precision (closes#155) [Arthur Nogueira Neves, arthurnn]
2.45.0 (2014-02-28)
===================
Firefox:
* Native events in Firefox relied on an API that Mozilla no longer
provides. As such, fall back to synthesized events on recent Firefox
versions.
Ruby changes:
* Allow switching windows when current window is closed (thanks Titus Fortner).
* Add :javascript_enabled to Android capabilities.
2.44.0 (2014-10-05)
===================
No Ruby changes in this release.
Firefox:
* Native event support for Firefox 24, 31, 32 and 33
2.43.0 (2014-09-09)
===================
* Make sure UnhandledAlertErrors includes the alert text if provided by the driver.
* Firefox
- Make sure the browser process is properly killed if silent startup hangs (#7392)
- native events support for Firefox 24, 31 and 32
* Loosen websocket dependency to ~> 1.0
* Add support for `switch_to.parent_frame` (thanks abotalov)
* Fix download location for Selenium::Server.{latest,get} (#7049 - thanks marekj)
# 1.7.3
- Security: redact password in URI from logs (#349 / OSVDB-117461)
- Drop monkey patch on MIME::Types (added `type_for_extension` method, use
the public interface instead.
# 1.7.2
- Ignore duplicate certificates in CA store on Windows
# 1.7.1
- Relax mime-types dependency to continue supporting mime-types 1.x series.
There seem to be a large number of popular gems that have depended on
mime-types '~> 1.16' until very recently.
- Improve urlencode performance
- Clean up a number of style points
# 1.7.0
- This release drops support for Ruby 1.8.7 and breaks compatibility in a few
other relatively minor ways
- Upgrade to mime-types ~> 2.0
- Don't CGI.unescape cookie values sent to the server (issue #89)
- Add support for reading credentials from netrc
- Lots of SSL changes and enhancements: (#268)
- Enable peer verification by default (setting `VERIFY_PEER` with OpenSSL)
- By default, use the system default certificate store for SSL verification,
even on Windows (this uses a separate Windows build that pulls in ffi)
- Add support for SSL `ca_path`
- Add support for SSL `cert_store`
- Add support for SSL `verify_callback` (with some caveats for jruby, OS X, #277)
- Add support for SSL ciphers, and choose secure ones by default
- Run tests under travis
- Several other bugfixes and test improvements
- Convert Errno::ETIMEDOUT to RestClient::RequestTimeout
- Handle more HTTP response codes from recent standards
- Save raw responses to binary mode tempfile (#110)
- Disable timeouts with :timeout => nil rather than :timeout => -1
- Drop all Net::HTTP monkey patches
# 1.6.8
- The 1.6.x series will be the last to support Ruby 1.8.7
- Pin mime-types to < 2.0 to maintain Ruby 1.8.7 support
- Add Gemfile, AUTHORS, add license to gemspec
- Point homepage at https://github.com/rest-client/rest-client
- Clean up and fix various tests and ruby warnings
- Backport `ssl_verify_callback` functionality from 1.7.0
== 0.6.3 / 2015-01-09
* Minor enhancements
* Expose an env helper for persistently configuring the env as needed
(Darío Javier Cravero #80)
* Expose the tempfile of UploadedFile (Sytse Sijbrandij #67)
* Bug fixes
* Improve support for arrays of hashes in multipart forms (Murray Steele #69)
* Improve test for query strings (Paul Grayson #66)
* As per spec, don't include STS header in non-https responses
* Handle bad URIs gracefully.
Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
the resulting exception. This creates an attack vector for XSS attacks.
* Added more installation/usage instructions into the README
* Return 400 instead of 404 in case of InvalidURIError
* Include Content-Type in 400 response.
To stay compatible with old Rack versions.
* Skip URI parsing Request#url
URI may fail to parse some legit URL paths.
* Discard invalid Referer header.
If an invalid Referer header such as "http://example.com/bad|uri" is
provided, ignore the value of it and skip using the Host header fallback.
* refactor instantiation.
* fix typoed header name.
* clarify reaction warning, test it.
* fix base url concatenation
* Adds instantiation settings via block or hash.
Fixes .downcase being called on symbols.
Cleaned up
Cleans up hash setter. Adds block support
Adds tests for hash and block instantiation
Undoes string fix for patron/request.rb to keep with scope.
* Handle two failing specs
One is failing due to no OS support for SSLv2. This is reasonable,
so I just removed SSLv2 from the list of SSL versions to test. This
doesn't change the meaning of the test at all.
I could not find the root cause of the other spec failure, though
I suspect it is a setup problem. I have disabled the spec for now
and will revisit it later on.
* Add doc comment
* Add a way to get the Request object
* Revert request action to be a symbol, but still allow upcase and
downcase strings.
0.12.5 (February 22nd 2015)
* FIX#1794 inheritance of global prereqs (@ujifgc)
* FIX#1798 handling non-array `with` statement for params (@ujifgc)
* FIX Russian translation for password (@harrykiselev)
* FIX Prevent Padrino from overriding cache settings (@dariocravero)
* FIX sequence of execution for configuration methods in application
(@namusyaka)
* FIX translations for admin for cs (@ortiga)
* FIX exception raised when running the controller generator (@namusyaka)
* FIX#1875 lock down rack to < 1.6.0 because of sinatra conflict (@ujifgc)
Changes the behavior of Sass's @import directive to only import a file once.
This plugin changes the behavior of Sass's `@import` directive so that
if the same sass file is imported more than once, the second import
will be a no-op. This allows dependencies to behave how most people
expect them to behave and provides a considerable performance improvement
for some sass projects.
**Note**: Although this plugin is maintained by compass, it can be used
without compass in any Sass-based project.
The Compass core stylesheet library and minimum required ruby extensions. This
library can be used stand-alone without the compass ruby configuration file or
compass command line tools.
Changes from previous:
----------------------
- Ignore ECONNABORTED on accept().
- Correctly implemented the config-file option change from "nosymlink" to
"nosymlinkcheck", which was supposedly done in version 2.24.
- Removed mailto: link from default index page.
- Allow CGIs to provide both Location and Status headers. (A. Skrobov)
- Better logic for figuring out CGI SERVER_NAME environment variable. (Oleg)
- Updated for clang, and general cleanup.
Upstream changes:
Highlights
MDL-35392 - Feedback from module assign is now always shown in the gradebook
MDL-31036 - No more truncating characters in assignment quick grading
MDL-46626 - Log report export no longer contains html
MDL-23273 - Limit of responses in choice module is respected in case of synchronous submissions
Functional changes
MDL-31578 - Shibboleth can map attributes for all Moodle fields including custom attributes
MDL-47911 - Performance improvement on gradebook operations
MDL-49240 - Web service core_get_string now functions correctly
MDL-45621 - It is possible to uninstall portfolio plugins
MDL-48670 - Standard behat tests now work properly regardless of user timezone
UI changes
MDL-48533 - Backup report now links to the individual course backup summaries
MDL-49064 - left-align css class now has an RTL equivalent in bootstrap base
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-42138 - Required custom profile fields are always required on signup form even when user has logged in as guest
MDL-49059 - Possible to embed YouTube videos with start time or playlist info
MDL-48544 - Block region no longer disappears if all blocks in it were hidden
MDL-48841 - Fixed bug with not being able to reset scheduled task to defaults
MDL-49167 - Fixed regression with $CFG->yuislasharguments introduced by previous minor release
MDL-47953 - Grader report shows correct number of students per page when suspended users are present
MDL-48294 - enablemobilewebservice is no longer duplicated in Site admin
MDL-48679 - Fixed bug with missing grade export URL when using grade publishing
Changelog:
Fixed 36.0.1 - Disable the usage of the ANY DNS query type (1093983)
Fixed 36.0.1 - Fixed a startup crash with EMET (1137050)
Fixed 36.0.1 - Hello may become inactive until restart (1137469)
Fixed 36.0.1 - Print preferences may not be preserved (1136855)
Fixed 36.0.1 - Hello contact tabs may not be visible (1137141)
Fixed 36.0.1 - Accept hostnames that include an underscore character ("_") (1136616)
Fixed 36.0.1 - WebGL may use significant memory with Canvas2d (1137251)
Fixed 36.0.1 - Option -remote has been restored (1080319)
Fixed 36.0.1 - Fix a top crash
