Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
Version 1.9.7:
SECURITY HINT: make sure you have allow_xslt = False (or just do not use
allow_xslt at all in your wiki configs, False is the internal default).
Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details.
New features:
* passlib support - enhanced password hash security. Special thanks go to
the Python Software Foundation (PSF) for sponsoring development of this!
Docs for passlib: http://packages.python.org/passlib/
If cfg.passlib_support is True (default), we try to import passlib and set
it up using the configuration given in cfg.passlib_crypt_context (default
is to use sha512_crypt with default configuration from passlib).
The passlib docs recommend 3 hashing schemes that have good security, but
some of them have additional requirements:
sha512_crypt needs passlib >= 1.3.0, no other requirements.
pbkdf2_sha512 needs passlib >= 1.4.0, no other requirements.
bcrypt has additional binary/compiled package requirements, please refer to
the passlib docs.
cfg.password_scheme should be '{PASSLIB}' (default) to tell that passlib is
wanted for new password hash creation and also for upgrading existing
password hashes.
For the moin code as distributed in our download release archive, passlib
support should just work, as we have passlib 1.6.1 bundled with MoinMoin
as MoinMoin/support/passlib. If you use some other moin package, please
first check if you have moin AND passlib installed (and also find out the
passlib version you have installed).
If you do NOT want to (not recommended!) or can't use (still using python
2.4?) passlib, you can disable it your wiki config:
passlib_support = False # do not import passlib
password_scheme = '{SSHA}' # use best builtin hash (like moin < 1.9.7)
Please note that after you have used moin with passlib support and have user
profiles with passlib hashes, you can't just switch off passlib support,
because if you did, moin would not be able to log in users with passlib
password hashes. Password recovery would still work, though.
password_scheme always gives the password scheme that is wanted for new or
recomputed password hashes. The code is able to upgrade and downgrade hashes
at login time and also when setting / resetting passwords for one or all
users (via the wiki web interface or via moin account resetpw script
command).
So, if you want that everybody uses strong, passlib-created hashes,
resetting the passwords for all users is strongly recommended:
First have passlib support switched on (it is on by default), use
password_scheme = '{PASSLIB}' (also default), then reset all passwords.
Same procedure can be used to go back to weaker builtin hashes (not
recommended): First switch off passlib support, use password_scheme =
'{SSHA}', then reset all passwords.
Wiki farm admins sharing the same user_dir between multiple wikis must use
consistent password hashing / passlib configuration settings for all wikis
sharing the same user_dir. Using the builtin defaults or doing the
configuration in farmconfig.py is recommended.
Admins are advised to read the passlib docs (especially when experiencing
too slow logins or when running old passlib versions which may not have
appropriate defaults for nowadays):
http://packages.python.org/passlib/new_app_quickstart.html#choosing-a-hashhttp://packages.python.org/passlib/password_hash_api.html#choosing-the-right-rounds-value
* Password mass reset/invalidation support, see docs/resetpw/.
This is useful to make sure everybody sets a new password and moin computes
the password hash using the current configuration.
* Customizable default password checker:
Moin's default password checker used and still uses min_length=6 (minimum pw
length) and min_different=4 (minimum count of different chars in the password).
If you feel that you need to require better passwords from your users, you
can customize it now like that in your wiki config:
password_checker = lambda cfg, request, name, pw: multiconfig._default_password_checker(cfg, request, name, pw, min_length=10, min_different=7)
* Removing/disabling inactive users (moin ... account inactive)
Many wikis have a lot of inactive users, that never ever made a single edit.
See help of the command for more details, be careful.
* SystemAdmin user browser: show disabled user accounts at the bottom of
the list
* At startup, announce moin version and code path in log output (makes
support and debugging easier).
* AttachList: introduced search_term parameter (optional) for listing
attachments filtered by a regular expression on their name.
* sign release archive using GnuPG with the key of tw@waldmann-edv.de
ID 31A6CB60 (main key ID FAF7B393)
Fixes:
* logging: if the logging config file can't be read, give a helpful error msg
* logging: use info loglevel (not warning) for telling about using the builtin
default logging config
* moin script commands: warn if someone gave ... to the moin script, avoids a
strange and unhelpful 'empty module name' error message
* reorder html input fields in recoverpass form, to help browsers remember
the user name and password (not erroneously the recovery token and password)
* don't try to send password recovery email to user if email address in
user profile is empty
* cache action: fix 304 http status
* rst parser: fix safe_import for level param in __import__ call of docutils 0.10
* moin maint cleancache: also kill the i18n cache 'meta' pickle file
* sendmail: catch unicode errors when E-Mail addr has non-ascii chars
* redirect last visited: if last visited page is on same wiki, use a local
redirect, do not compute via interwiki map (fixes https: usage)
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
---------------
- /usr/bin/env police
Upstream Changes:
-----------------
Version 1.9.6:
SECURITY HINT: make sure you have allow_xslt = False (or just do not use
allow_xslt at all in your wiki configs, False is the internal default).
Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details.
Fixes:
* fix remote code execution vulnerability in twikidraw/anywikidraw action
* fix path traversal vulnerability in AttachFile action
* fix XSS issue, escape page name in rss link
* escape user- or admin-defined css url
* make taintfilename more secure
* use a constant time str comparison function to prevent timing attacks
* Attachment handler: catch all Zip-related errors
Version 1.9.5:
Fixes:
* Security fix: fix virtual group bug in ACL evaluation.
* Avoid crash if #refresh processing instruction is used without arguments.
* Fix issue with non-ASCII textchas.
* Xapian indexing: remove copy.copy() that crashed on Windows/IIS/isapi-wsgi
after page save.
* Fix dictionary file reading crash under Windows.
* Work around crash of AdvancedSearch macro rendering caused by non-ascii
mimetypes.types_map entries.
* Added migration script for moin 1.8.9.
* rss_rc: Fix diffs added in RSS with diffs=1 (now they correspond to item
listed in feed and not just last page diffs). Links generated with ddiffs=1
also fixed.
* rss_rc: fix double escaping issue.
* rss_rc: respect show_names configuration option.
* rss_rc: proper support of rename, revert, page creation.
* modern/modernized theme: fix padding/width for editor preview
* group/pagelinks formatters: avoid to create unnecessary output, redirect
output of send_page call with the groups formatter, it must not be written
to the output stream
* rst parser: fix include and macro directives
* wikisync: fix unicode pagename sending for python 2.7 httplib
New features:
* add a comment_required config option (default: False) to require a
non-empty comment when saving a page
* when a save error happens, show the editor again and highlight the error
* rss_rc: several new options added: lines parameter gives ability to set
maximum size of diffs showed in RSS. show_att parameter gives ability
to show information aboout attachment-related items in RSS. page parameter
gives ability to specify set of pages for which changes RSS feed should be
generated. Configuration of defaults and limits can now be done via wiki
configuration mechanism.
* As soon as it is now possible to provide RSS for page change history,
appropriate alternate link is now added for every page (controlled by
rss_show_page_history_link configuration parameter).
* Search: "no_highlight:" search query option provided for suppressing
highlighting search results.
* Search macros: new options for FullSearch, FullSearchCached and PageList
available:
* highlight_titles option controls highlighting of matches in search
results provided by these macros. Default value is set in
search_macro_highlight_titles configuration option)
* highlight_pages option controls adding of highlight URL parameter to
page links (so search term is highlighted when user goes to one of
these pages via provided link) in search results. Default value is set
in search_macro_highlight_pages configuration option.
Usage of these options is disabled (via search_macro_parse_args
configuration option) by default due to behavioural changes introduced
in macro parameter parsing mechanism to support them. Related to
http://moinmo.in/FeatureRequests/FullSearchResultsWithoutHighlight .
Other changes:
* Remove 4suite dependency for docbook formatter, use minidom (included in
Python).
* Upgraded FCKeditor to 2.6.8.
Remove devel/py-ctypes (only needed by and supporting python24).
Remove PYTHON_VERSIONS_ACCEPTED and PYTHON_VERSIONS_INCOMPATIBLE
lines that just mirror defaults now.
Miscellaneous cleanup while editing all these files.
* no compiler languages is required to build.
* `/usr/bin/env python' shebang are also be handled with REPLACE_PYTHON.
* distutils pkg, register egg-info.
* add an patch for python27, from upstream repo.
Bump PKGREVISION.
PR#43524 by Wen Heping.
Known main issues:
* The GUI WYSIWYG editor has still some issues and limitations.
If you can't live with those, you can simply switch it off by using:
editor_force = True
editor_default = 'text' # internal default, just for completeness
Version 1.9.3:
Fixes:
* Fix XSS in Despam action (CVE-2010-0828).
* Fix XSS issues (see MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg):
* by escaping template name in messages
* by fixing other places that had similar issues
* Make moin compatible to werkzeug 0.5 .. 0.6.2 (1.9.2 had issues
with xmlrpc when used with werkzeug 0.6.x).
* MoinMoin.util.filesys: disable usage of dircache, deprecate dc* functions,
because the dircache stdlib module can't work correctly for fast updates of
directories.
* rss_rc and sisterpages actions: fix Content-Type header (mimetype)
* Fix associating OpenID identity with user, wasn't adapted to werkzeug yet.
* openidrp auth: fix undefined _ (gettext)
* Fix auth.cas and userprefs.oidserv request object usage.
* highlight parser: fixed MoinMoinBugs/LineNumberSpansForProcessInstructionsMissed
* Pygments syntax highlighting: add missing code files
* Notifications: use same email subject format for every notification
* Fix docbook formatter crashing, see MoinMoinPatch/IncludeMacroWithDocBookFormatter
* Fix regex content search for xapian search.
* Get rid of the empty line at the end of code highlights.
* GUI editor: compute editor height like the text editor does.
* Added help texts for: standalone server and moin migration.
* script.maint.cleancache: clean also i18n cache files
* Improved formatter.text_plain, see FeatureRequests/TextPlainFormatterRewrite
(fixes many issues of this formatter).
* text_html_text_moin_wiki: fixed index error for width="", see also:
MoinMoinBugs/GUI_convertor_list_index_out_of_range
* xmlrpc: disable editor backup for putPage, renamePage and revertPage
because if pages get uploaded by xmlrpc then the draft cache file can
rapidly increase in size, causing high memory usage because it needs to
get loaded into memory for updating/processing.
* Emit Content-Type header (with charset) for SlideShow action and many other
actions that just call send_title().
* ActionBase: better compatibility to moin 1.8, use request.values by
default, optionally use request.form data only
New features:
* RenamePage action: added ability to create redirect pages when renaming
(turned off by default, see show_rename_redirect config option).
* formatter/text_html: Added line number links to code blocks.
* diff action:
* Fixed whitespace in generated (html) diff view table so white-space: pre
can be used (and whitespace in diffs preserved).
* Added links to first/last revision.
* MoinMoin.widget.browser: introduced feature for sorting tables, see:
http://moinmo.in/FeatureRequests/SortableTables
* SystemAdmin user and attachment browsers: sorting feature used there now
* Scrolling the text editor to the double clicked line.
* Enable double-click-editing by default.
* WikiConfigHelp macro: make heading and description display optional,
heading level as a parameter (default 2)
* If edit ticket check fails, send the editor with the current content.
* moin import wikipage - use this script to import local files as a wiki page
Other changes:
* upgraded pygments from 1.2.2 to 1.3.1
* upgraded FCKeditor from 2.6.4.1 to 2.6.6
* added configuration snippet for ldap authentication against 2 servers
* improved script help output
* New modular group and dict data access, you can use group and dict
backend modules to access group and dict data stored anywhere you like.
* Improved Xapian indexing / search
* Improved drawing support
* Themes / static files related
* Syntax highlighting is based on the pygments library now
* Authentication improvements
* Sessions / cookies improvements
* Macros fuctions improved
* More Actions added/improved
* Improved logging / debugging / developer support
* GUI editor: improved attachment dialog
* "moin ... account homepage" script to create user homepages
A bunch of bugfixes!
For the full Changelog, see: http://moinmo.in/MoinMoinRelease1.9
ok'ed during the freeze by agc@
- Fix a Cross Site Scripting attack
- changes in caching API
Changes in 1.7.0:
- new event/notification/authentication/session framework
- OpenID support
- improvements for LDAP auth, attachment performance, logging etc
- assume that Python 2.4 and 2.5 are compatible and allow checking for
fallout.
- remove PYTHON_VERSIONS_COMPATIBLE that are obsoleted by the 2.3+
default. Modify the others to deal with the removals.
Major new features:
* quickly working standalone mode (similar to DesktopEdition)
* xapian index search (including attachments of supported mimetypes)
* WikiSynchronisation
* moin can receive email now
* wiki parser: easier link and transclusion markup (and new macro
markup)
* new parsers for: creole wiki markup, html (safe), diffs
* discussion pages
* inline comments
* hierarchical ACLs (see HelpOnAccessControlLists)
* new anti-spam feature: TextChas
* SisterSites support
* new xmlrpc methods, easier auth, multicall support
* Improved params for [[target|label|params]]:
* AdvancedSearch: make multiple categories/languages/mimetype selections
possible
* Added a configuration directive to only do one bind to the LDAP
server.
+ many bugfixes, including at least one XSS fix.
A WikiWikiWeb is a collaborative hypertext environment, with an
emphasis on easy access to and modification of information. MoinMoin
is a Python WikiClone that allows you to easily set up your own wiki,
only requiring a Python installation.
