Upstream changes:
MediaWiki 1.20.1
This is a security release of the MediaWiki 1.20 branch
Changes since 1.20
(bug 42202) Validate options to prevent html injection
(bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
(bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
JavaScript Lint fixes
(bug 40632) Remove CleanupPresentationalAttributes feature
[Database] Fixed case where trx idle callbacks might be lost.
MediaWiki 1.20
MediaWiki 1.20 is a stable release.
PHP 5.3 now required
Since 1.20, the lowest supported version of PHP is now 5.3.2. Please upgrade PHP if you have not done so prior to upgrading MediaWiki.
Configuration changes in 1.20
$wgGitRepositoryViewers defines a mapping from Git remote repository to the Gitweb instance URL used in Special:Version.
$wgUsePathInfo = true; is no longer needed to make $wgArticlePath work on servers such as nginx, lighttpd, and apache over fastcgi. MediaWiki now always extracts path info from REQUEST_URI if it's available.
The user right 'upload_by_url' is no longer given to sysops by default. This only affects installations which have $wgAllowCopyUploads set to true.
Removed f-prot support from $wgAntivirusSetup.
New variable $wgDBerrorLogTZ to provide dates in the error log in a different timezone than the wiki timezone set by $wgLocaltimezone.
New variables $wgDBssl and $wgDBcompress to enable SSL and compression for database connections, if either are available for the selected DB type.
$wgUseCombinedLoginLink now defaults to false, making MediaWiki output separate login and create account links by default.
New features in 1.20
Added TitleIsAlwaysKnown hook which gets called when determining if a page exists.
Added NamespaceIsMovable hook which gets called when determining if pages in a certain namespace can be moved.
Added SpecialPageBeforeExecute hook which gets called before SpecialPage::execute.
Added SpecialPageAfterExecute hook which gets called after SpecialPage::execute.
Added ORMTable, ORMRow and ORMResult classes for additional abstraction of database interaction.
Added CacheHelper and associated SpecialCachedPage and CachedAction helper classes.
(bug 32341) Add upload by URL domain limitation.
&useskin=default will now always display the default skin. Useful for users with a preference for the non-default skin to look at something using the default skin.
(bug 27619) Remove preference option to display broken links as link?
(bug 34896) jQuery JSON plugin upgraded to v2.3 (2011-09-17).
(bug 34302) Add CSS classes to email fields in user preferences.
Introduced $wgDebugDBTransactions to trace transaction status (currently PostgreSQL only).
(bug 23795) Add parser itself to ParserMakeImageParams hook.
Introduce a cryptographic random number generator source api for use when generating various tokens.
(bug 30963) Option on Special:Prefixindex and Special:Allpages to not show redirects.
(bug 18062) New message when edit or create the local page of a shared file.
(bug 22870) Separate interface message when creating a page.
(bug 17615) nosummary option should be reassigned on preview/captcha.
(bug 34355) Add a variable and parser function for the namespace number.
(bug 35649) Special:Version now shows hashes of extensions checked out from git.
(bug 35728) Git revisions are now linked on Special:Version.
"Show Changes" on default messages now shows a diff against the default message text
(bug 23006) create #speciale parser function.
generateSitemap can now optionally skip redirect pages.
(bug 27757) New API command just for retrieving tokens (not page-based).
Added GitViewers hook for extensions using external git repositories to have a web-based repository viewer linked to from Special:Version.
Memcached debug logs can now be sent to their own file logs by setting $wgDebugLogFile['memcached'] to some filepath.
(bug 35685) api.php URL and other entry point URLs are now listed on Special:Version
Edit notices can now be translated.
jQuery upgraded to 1.8.2.
jQuery UI upgraded to 1.8.23.
QUnit upgraded from v1.2.0 to v1.10.0.
(bug 37604) jquery.cookie upgraded to 2011 version.
(bug 22887) Add warning and tracking category for preprocessor errors
(bug 31704) Allow selection of associated namespace on the watchlist
(bug 5445) Now remove autoblocks when a user is unblocked.
Added $wgLogExceptionBacktrace, on by default, to allow logging of exception backtraces.
Added device detection for determining device capabilities.
QUnit.newMwEnvironment now supports passing a custom setup and/or teardown function. The argument signature has changed. The first argument is now an options object of which 'config' can be a property. Previously 'config' itself was the first and only argument.
New getCreator and getOldestRevision methods added to WikiPage class
(bug 4220) the XML dump format schema now has unique identity constraints for page and revision identifiers. Patch by Elvis Stansvik.
cleanupSpam.php now can delete spam pages if --delete was specified instead of blanking them.
Added new hook ChangePasswordForm to allow adding of additional fields in Special:ChangePassword
Added new function getDomain to AuthPlugin for getting a user's domain
(bug 23427) New magic word {{PAGEID}} which gives the current page ID. Will be null on previewing a page being created.
(bug 37627) UserNotLoggedIn() exception to show a generic error page whenever a user is not logged in.
Watched status in changes lists are no longer indicated by <strong></strong> tags with class "mw-watched". Instead, each line now has a class "mw-changeslist-line-watched" or "mw-changeslist-line-not-watched", and the title itself is surrounded by <span></span> tags with class "mw-title".
Added ContribsPager::reallyDoQuery hook allowing extensions to data to MyContribs
Added new hook ParserAfterParse to allow extensions to affect parsed output after the parse is complete but before block level processing, link holder replacement, and so on.
(bug 34678) Added InternalParseBeforeSanitize hook which gets called during Parser's internalParse method just before the parser removes unwanted/dangerous HTML tags.
Added new hook AfterFinalPageOutput to allow modifications to buffered page output before sent to the client.
(bug 36783) Implement jQuery Promise interface in mediawiki.api module.
Make dates in sortable tables sort according to the page content language instead of the site content language
(bug 37926) Deleterevision will no longer allow users to delete log entries, the new deletelogentry permission is required for this.
(bug 14237) Allow PAGESINCATEGORY to distinguish between 'all', 'pages', 'files' and 'subcats'
(bug 38362) Make Special:Listuser includeable on wiki pages.
Added support in jquery.localize for placeholder attributes.
(bug 38151) Implemented mw.user.getRights for getting and caching the current user's user rights.
Session storage can now be configured independently of general object cache storage, by using $wgSessionCacheType. $wgSessionsInMemcached has been renamed to $wgSessionsInObjectCache, with the old name retained for backwards compatibility. When this feature is enabled, the expiry time can now be configured with $wgObjectCacheSessionExpiry.
Added a Redis client for object caching.
Implemented mw.user.getGroups for getting and caching user groups.
(bug 37830) Added $wgRequirePasswordforEmailChange to control whether password confirmation is required for changing an email address or not.
HTMLForm mutators can now be chained (they return $this)
A new message, "api-error-filetype-banned-type", is available for formatting API upload errors due to the file extension blacklist.
New hook 'ParserTestGlobals' allows to set globals before running parser tests.
Allow importing pages as subpage.
Add lang and hreflang attributes to language links on Login page.
(bug 22749) Create Special:MostInterwikis.
Show change tags when transclude Special:Recentchanges(linked) or Special:Newpages.
(bug 23226) Add |class= parameter to image links in order to add class(es) to HTML img tag.
(bug 39431) SVG animated status is now shown in long description.
(bug 39376) jquery.form upgraded to 3.14.
SVG files will now show the actual width in the SVG's specified units in the metadata box.
Added ResourceLoader module "jquery.jStorage" (v0.3.0, http://jStorage.info/).
(bug 39273) Added AJAX support for "Show changes" (diff) in LivePreview.
Added ResourceLoader module "jquery.badge".
mw.util.$content now points to the overall content area in the skin rather than just page text content area. If you need the old behaviour please use $( '#mw-content-text').
jsMessage has been replaced with a floating bubble notification system complete with auto-hide, multi-message support, and message replacement tags.
jquery.messageBox which appears to be unused by both core and extensions has been removed.
(bug 34939) Made link parsing insensitive ([HttP://]).
(bug 40072) Add CSS classes to items in output of ChangesList pages.
Added $wgCopyUploadProxy global to define which proxy to use for copy uploads.
(bug 40448) mediawiki.legacy.mwsuggest has been replaced with a new module, mediawiki.searchSuggest, based on SimpleSearch from Extension:Vector.
Upstream changes:
Moodle 2.3.3 release notes
Highlights
MDL-35297 - Upgrading books from earlier versions now works correctly
MDL-21801 - References to the non-functional Powerpoint import option have been removed from the Lesson module
MDL-33166 - A capability has been introduced to consistently exempt specific users from forum auto-subscriptions and forced subscriptions
MDL-34607 - Folder resources now show files in sorted order
MDL-33646 - Viewing an empty book shows a friendly notice rather than an error message
Functional changes
MDL-34794 - Course reset now works with the new Assignment module
MDL-35370 - Blank answers in Cloze type quiz questions are treated accordingly, when an answer of zero is expected
MDL-33374 - When adding or updating a user profile, the action button displays 'Create user' and 'Update user' relatively
MDL-27786 - The title field of a new calendar event is now labelled "Event title" instead of "Name"
MDL-28235 - The close button on help dialogues has changed to provide greater accessibility. (Note: if debugging is turned on, a string error will appear during the upgrade process. This is expected and will be resolved once the upgrade process is complete.)
API changes
MDL-30667 - Maximum upload limits are enforced consistently in relation to various system variables
MDL-35395 - A method has been added so forms can work around form change checking when necessary
MDL-35442 - Local plugins now have settings and uninstall links on the plugins overview page
Security issues
MSA-12-0057 Access issue through repository
MSA-12-0058 Possible form data manipulation issue
MSA-12-0059 Information leak in Database activity module
MSA-12-0060 Cross-site scripting vulnerability in YUI2
MSA-12-0061 Remote code execution through Portfolio API
MSA-12-0062 Information leak in Database activity module
MSA-12-0063 Information leak in Check Permissions page
Fixes and improvements
MDL-35411 - Submissions and feedback are now saved with imported/restored assignments
MDL-35397 - Notifications page 'many other contributors' link leads to appropriate credits page
MDL-35726 - Feedback forms work correctly when grading a series of assignments
MDL-35754 - Quizzes in pop-up windows now work correctly
Also added Slovak language files.
Version 3.0.1 (2012-11-29)
--------------------------
### Fixed
Exclude the undo module from the list of allowable back end modules (see #5056).
### Fixed
`Validator::isAlias()` did not support Unicode characters (see #5033).
### Fixed
Group the search results by their parent IDs when searching the extended tree
view, e.g. the article tree (see #5051).
### Fixed
Correctly generate the debug bar markup on XHTML pages (see #5031).
### Fixed
Handle radial gradients when importing style sheets (see #4640).
### Fixed
More abstract and effective algorithm to determine the number of files in the
"purge data" maintenance module (see #5028).
### Fixed
Fixed two wrong class paths (see #5027).
### Fixed
Correctly add event images to the templates (see #5002).
### Changed
Replaced the automatic copyright notice with a meta generator tag.
### Fixed
Do not strip tags from passwords (see #4977).
### Fixed
Correctly show the number of returned rows in the debug bar (see #4981).
### Fixed
Correctly add the RSS feed base URLs (see #4994).
### Fixed
Fixed an issue in the mediaelement.js MooTools adapter (see #4917).
### Fixed
Correctly assign the classes "first" and "last" in the (mini) calendar if the
week does not start on Sunday (see #4970).
### Fixed
Correctly handle URL parameters appended to the empty domain (see #4972).
Version 2.11.7 (2012-11-29)
---------------------------
### Fixed
Only execute runonce files after the DB tables have been created (see #5061).
### Fixed
Add an empty option in the TimePeriod widget if there are none (see #5067).
### Fixed
Handle auto_items in the `Frontend::addToUrl()` method (see #5037).
### Fixed
Do not use `specialchars()` in the "page" insert tag (see #4687).
### Fixed
Set the return path when sending e-mails (see #5004).
### Fixed
Handle border color names when importing style sheets (see #5034).
### Fixed
Prevent the "Illegal string offset" error in back end widgets (see #4979).
### Fixed
Handle dependencies when updating extensions (see #3804).
### Fixed
Switched all comments of the example website to "moderated" (see #4995).
### Fixed
Replaced the automatic copyright notice with a meta generator tag.
### Fixed
Remove HTML tags when overriding the page title (see #4955).
### Fixed
Decode entities in meta tags like "description" (see #4949).
### Fixed
Remove newsletter subscriptions when a member closes his account (see #4943).
### Fixed
Prevent deleting referenced content elements using "edit multiple" (see #4898).
### Updated
Updated SwiftMailer to version 4.2.1 (see #4935).
### Fixed
Set the file permissions depending on the server's umask setting (see #4941).
### Fixed
Correctly handle external image URLs in the image element (see #4923).
### Fixed
Fixed the too eager IP address anonymization (see #4924).
### Fixed
Fixed the automatic page alias generator (see #4880).
* Change to 4.5 branch
Changelog:
Version 4.5.3 Nov 27th 2012
Fix the new from url button
Fix a memory overflow with downloading of big files via WebDAV
Better error output in case of DB problems
Fix problems with uploading files that have special characters in the name
Improved reverse proxy and load balancer support
Fix wrong folder size calculation
Improved share link generation
Fix the syncing of the Shared folder
Fix Sharing by link from within Shared folder
Several LDAP integration fixes
Fix support for PostgreSQL
Several WebDAV fixes
Fix drag and drop uploading
Improved translations
Several Gallery fixes
Several Contacts fixes
Smaller fixes
Version 4.5.2 Nov 14th 2012
Fix syncing of shared folder
Various sharing bugs fixed
Fix bug with deleting users
Fix check if resharing is allowed
Fix webdavauth app
Several ldap fixes
Fix data migration
Fix folder uploads
Fix generation of etags
Fix user specific mount configuration
Several PostgreSQL fixes
Improved performance of file updates
Fix some php warnings
Fix filesize calculation
Add visual feedback if password is set
Various smaller fixes
Several critical security fixes
XSS vulnerability in user_webdavauth (oC-SA-2012-003)
Code Execution in /lib/migrate.php (oC-SA-2012-004)
Code Execution in /lib/filesystem.php (oC-SA-2012-005)
Changes with nginx 1.2.5 13 Nov 2012
*) Feature: the "optional_no_ca" parameter of the "ssl_verify_client"
directive.
Thanks to Mike Kazantsev and Eric O'Connor.
*) Feature: the $bytes_sent, $connection, and $connection_requests
variables can now be used not only in the "log_format" directive.
Thanks to Benjamin Grossing.
*) Feature: resolver now randomly rotates addresses returned from cache.
Thanks to Anton Jouline.
*) Feature: the "auto" parameter of the "worker_processes" directive.
*) Bugfix: "cache file ... has md5 collision" alert.
*) Bugfix: OpenSSL 0.9.7 compatibility.
Changes with nginx 1.2.4 25 Sep 2012
*) Bugfix: in the "limit_req" directive; the bug had appeared in 1.1.14.
Thanks to Charles Chen.
*) Bugfix: nginx could not be built by gcc 4.7 with -O2 optimization if
the --with-ipv6 option was used.
*) Bugfix: a segmentation fault might occur in a worker process if the
"map" directive was used with variables as values.
*) Bugfix: a segmentation fault might occur in a worker process if the
"geo" directive was used with the "ranges" parameter but without the
"default" parameter; the bug had appeared in 0.8.43.
Thanks to Zhen Chen and Weibin Yao.
*) Bugfix: in the -p command-line parameter handling.
*) Bugfix: in the mail proxy server.
*) Bugfix: of minor potential bugs.
Thanks to Coverity.
*) Bugfix: nginx/Windows could not be built with Visual Studio 2005
Express.
Thanks to HAYASHI Kentaro.
- Fixed WymEditor
- Fixed Norwegian translations
- Fixed a bug that could lead to slug clashes
- Fixed page change form (jQuery and permissions)
- Fixed placeholder field permission checks
ChangeLog since 2.0.0
2.0.2a (2012-11-15)
-------------------
Enhancements
- improved user rights editor in calendar module
- disable alarms for newly subscribed calendars
Bug fixes
- fixed typos in Spanish (Spain) translation
- fixed display of raw source for tasks
- fixed title display of cards with a photo
- fixed null address in reply-to header of messages
- fixed scrolling for calendar/addressbooks lists
- fixed display of invitations on BlackBerry devices
- fixed sogo-tool rename-user for MySQL database
- fixed corrupted attachments in Webmail
- fixed parsing of URLs that can throw an exception
- fixed password encoding in user sources
2.0.2 (2012-10-24)
------------------
New features
- added support for SMTP AUTH
- sogo configuration can now be set in /etc/sogo/sogo.conf
- added support for GNU TLS
Enhancements
- speed up of the parsing of IMAP traffic
- minor speed up of the web interface
- speed up the scrolling of the message list in the mail module
- speed up the deletion of large amounts of entries in the contacts module
- updated the timezone files to the 2012.g edition
- openchange backend: miscellaneous speed up of the synchronization
operations
- open file descriptors are now closed when the process starts
Bug fixes
- the parameters included in the url of remote calendars are now taken into
account
- fixed an issue occurring with timezone definitions providing multiple entries
- openchange backend: miscellaneous crashes during certain Outlook
operations, which have appeared in version 2.0.0, have been fixed
- fixed issues occurring on OpenBSD and potentially other BSD flavours
2.0.1 (2012-10-10)
-------------------
Enhancements
- deletion of contacts is now performed in batch, which speeds up the
operation for large numbers of items
- scalability enhancements in the OpenChange backend that enables the first
synchronization of mailboxes in a more reasonable time and using less
memory
- the task list is now sortable
Bug Fixes
- improved support of IE 9
* Patches are synced with xulrunner-17.0, and regen patches
* Update Mozilla Lightning to 1.9
Changelog:
SeaMonkey-specific changes
None (see changes page for minor changes).
Mozilla platform changes
OS X 10.6 is now the minimum supported Mac version.
JavaScript Maps and Sets are now iterable.
SVG FillPaint and StrokePaint have been implemented.
The sandbox attribute has been implemented for iframes, enabling increased security.
Fixed several stability issues.
Security fixes
Fixed in SeaMonkey 2.14
MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
MFSA 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2012-103 Frames can shadow top.location
MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
MFSA 2012-100 Improper security filtering for cross-origin wrappers
MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
MFSA 2012-96 Memory corruption in str_unescape
MFSA 2012-94 Crash when combining SVG text on path with CSS
MFSA 2012-93 evalInSanbox location context incorrectly applied
MFSA 2012-92 Buffer overflow while rendering GIF images
MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
* Add --enable-pulseaudio configure option (functionality is not tested)
Changelog:
NEW
First revision of the Social API and support for Facebook Messenger
NEW
Click-to-play blocklisting implemented to prevent vulnerable plugin versions from running without the user's permission (see blog post)
CHANGED
Updated Awesome Bar experience with larger icons
CHANGED
Mac OS X 10.5 is no longer supported
DEVELOPER
JavaScript Maps and Sets are now iterable
DEVELOPER
SVG FillPaint and StrokePaint implemented
DEVELOPER
Improvements that make the Web Console, Debugger and Developer Toolbar faster and easier to use
DEVELOPER
New Markup panel in the Page Inspector allows easy editing of the DOM
HTML5
Sandbox attribute for iframes implemented, enabling increased security
FIXED
Over twenty performance improvements, including fixes around the New Tab page
FIXED
Pointer lock doesn't work in web apps (769150)
FIXED
Page scrolling on sites with fixed headers (780345)
As discussed on pkgsrc-users, x11/ftlk (1.1) is no longer maintained,
and 1.3 is believed to be almost entirely compatible.
Patch from Tim Larson, who has build-tested these packages on
NetBSD/amd64.
TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
2012-11-08 54eab24 [RELEASE] Release of TYPO3 4.7.6 (TYPO3 Release Team)
2012-11-08 f5d3162 #42696 [SECURITY] Fix SQL injection and XSS in record history (Oliver Hader)
2012-11-08 07c3d63 #42774 [SECURITY] XSS in TCA Tree (Oliver Hader)
2012-11-08 7b916d0 #42776 [SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck (Helmut Hummel)
2012-11-08 389452e [TASK] Raise submodule pointer (TYPO3 Release Team)
2012-11-07 3f2929d #39677 [BUGFIX] No sorting in TypoScript Object Browser when browsing (Nicole Cordes)
2012-11-02 b69dc9d #42281 [BUGFIX] Translated non-published page in workspace breaks live workspace (Oliver Hader)
2012-11-02 9330ab6 #38024 [BUGFIX] Illegal string offsets in t3lib_stdgraphic (Wouter Wolters)
2012-11-01 8098997 [TASK] Use correct branch for travis integration build (Helmut Hummel)
2012-11-01 24f4a8d #37578 [BUGFIX] PHP 5.4 warning in CLI context in switch back user (Christian Kuhn)
2012-10-31 dc73a91 #39662 [BUGFIX] RTE: Link class not always set in Firefox (Stanislas Rolland)
2012-10-31 ba8ead7 #42046 [BUGFIX] Restore display of mount points path (Francois Suter)
2012-10-29 fbd5057 #40733 [BUGFIX] Wrong call to TSFE in FrontendEditing (Steffen Ritter)
2012-10-29 4bf3cca #42054 [BUGFIX] PHP warning: open_basedir restriction (Xavier Perseguers)
2012-10-28 19f0cbb #42454 [BUGFIX] Fix usage of fileadminDir (Helmut Hummel)
2012-10-27 dd20440 #42444 [TASK] Fix generation of ext_emconf.php (Wouter Wolters)
2012-10-22 ce6ab74 #41980 [TASK] Clean-up EXT: aboutmodules, adapt to "TYPO3 CMS" (Felix Kopp)
2012-10-22 3440228 #38699 [BUGFIX] t3lib_div::unlink_tempfile does not always work on Windows (Stanislas Rolland)
2012-10-22 689f1fb #33504 [BUGFIX] New form wizard not loading in IE8 (Sebastian Schawohl)
2012-10-19 74c10e0 [BUGFIX] Unit test for saltedpasswords fail (Xavier Perseguers)
2012-10-18 bfb12db #36087 [BUGFIX] RTE: Link to disabled page doesn't show in FE, link icon does (Stanislas Rolland)
2012-10-18 9d621aa #29685 [BUGFIX] RTE: Words containing umlauts not added to personal dictionary (Stanislas Rolland)
2012-10-17 bd4645c #38406 [BUGFIX] Extension Import not working with postgresql and DBAL (Ernesto Baschny)
TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
2012-11-08 948f241 [RELEASE] Release of TYPO3 4.6.14 (TYPO3 Release Team)
2012-11-08 c150b27 #42696 [SECURITY] Fix SQL injection and XSS in record history (Oliver Hader)
2012-11-08 b02026d #42774 [SECURITY] XSS in TCA Tree (Oliver Hader)
2012-11-08 f22dc79 #42776 [SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck (Helmut Hummel)
2012-11-08 72153cc [TASK] Raise submodule pointer (TYPO3 Release Team)
2012-11-07 3ea5e0b #39677 [BUGFIX] No sorting in TypoScript Object Browser when browsing (Nicole Cordes)
2012-11-02 5de1807 #42281 [BUGFIX] Translated non-published page in workspace breaks live workspace (Oliver Hader)
2012-11-02 93bb671 #38024 [BUGFIX] Illegal string offsets in t3lib_stdgraphic (Wouter Wolters)
2012-11-01 84cb9b6 #37578 [BUGFIX] PHP 5.4 warning in CLI context in switch back user (Christian Kuhn)
2012-10-29 76d0b9c #28248 [BUGFIX] t3lib_div: adjust substUrlsInPlainText to also work on URLs at end of sentence (Robert Heel)
2012-10-29 3ff27f4 #40733 [BUGFIX] Wrong call to TSFE in FrontendEditing (Steffen Ritter)
2012-10-29 9767b86 #42054 [BUGFIX] PHP warning: open_basedir restriction (Xavier Perseguers)
2012-10-27 7381250 #42444 [TASK] Fix generation of ext_emconf.php (Wouter Wolters)
2012-10-22 ccebb50 #38699 [BUGFIX] t3lib_div::unlink_tempfile does not always work on Windows (Stanislas Rolland)
2012-10-22 2a0929b #33504 [BUGFIX] New form wizard not loading in IE8 (Sebastian Schawohl)
2012-10-19 b32e08c [BUGFIX] Fix case of tests folder (Xavier Perseguers)
2012-10-19 22bef48 [BUGFIX] Unit test for saltedpasswords fail (Xavier Perseguers)
2012-10-18 9ed2c6f #36087 [BUGFIX] RTE: Link to disabled page doesn't show in FE, link icon does (Stanislas Rolland)
2012-10-18 2e48486 #29685 [BUGFIX] RTE: Words containing umlauts not added to personal dictionary (Stanislas Rolland)
2012-10-17 a3a7417 #38406 [BUGFIX] Extension Import not working with postgresql and DBAL (Ernesto Baschny)
2012-10-17 a5fc128 #25021 [BUGFIX] Creating new pages via drag'n'drop respects page TS (Philipp Kitzberger)
Security fix for TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core.
2012-11-08 c211c0e [RELEASE] Release of TYPO3 4.5.21 (TYPO3 Release Team)
2012-11-08 5245e09 #42696 [SECURITY] Fix SQL injection and XSS in record history (Oliver Hader)
2012-11-08 ab335bc #42774 [SECURITY] XSS in TCA Tree (Oliver Hader)
2012-11-08 a768d97 #42776 [SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck (Helmut Hummel)
2012-11-08 ba187e5 [TASK] Raise submodule pointer (TYPO3 Release Team)
2012-11-07 b4f7658 #39677 [BUGFIX] No sorting in TypoScript Object Browser when browsing (Nicole Cordes)
2012-11-02 dba123b #42281 [BUGFIX] Translated non-published page in workspace breaks live workspace (Oliver Hader)
2012-11-02 fc6f82f #38024 [BUGFIX] Illegal string offsets in t3lib_stdgraphic (Wouter Wolters)
2012-11-01 ded3a6e #37578 [BUGFIX] PHP 5.4 warning in CLI context in switch back user (Christian Kuhn)
2012-10-29 c05e759 #28248 [BUGFIX] t3lib_div: adjust substUrlsInPlainText to also work on URLs at end of sentence (Robert Heel)
2012-10-29 d4c539d #40733 [BUGFIX] Wrong call to TSFE in FrontendEditing (Steffen Ritter)
2012-10-27 7b28c0e #42444 [TASK] Fix generation of ext_emconf.php (Wouter Wolters)
2012-10-22 7f0696f #38699 [BUGFIX] t3lib_div::unlink_tempfile does not always work on Windows (Stanislas Rolland)
2012-10-22 f50483d #27020 [BUGFIX] TCEForms.Suggest wizard in IRRE records (Nicole Cordes)
2012-10-19 b77171c [BUGFIX] Fix case of tests folder (Xavier Perseguers)
2012-10-19 2490737 [BUGFIX] Unit test for saltedpasswords fail (Xavier Perseguers)
2012-10-18 9a14bcf #36087 [BUGFIX] RTE: Link to disabled page doesn't show in FE, link icon does (Stanislas Rolland)
2012-10-18 f8fc399 #29685 [BUGFIX] RTE: Words containing umlauts not added to personal dictionary (Stanislas Rolland)
2012-10-17 17b1d65 #38406 [BUGFIX] Extension Import not working with postgresql and DBAL (Ernesto Baschny)
Drupal 7.17, 2012-11-07
-----------------------
- Changed the default value of the '404_fast_html' variable to have a DOCTYPE
declaration.
- Made it possible to use associative arrays for the 'items' variable in
theme_item_list().
- Fixed a bug which prevented required form elements without a title from being
given an "error" class when the form fails validation.
- Prevented duplicate HTML IDs from appearing when two forms are displayed on
the same page and one of them is submitted with invalid data (minor markup
change).
- Fixed a bug which prevented Drupal 6 to Drupal 7 upgrades on sites which had
stale data in the Upload module's database tables.
- Fixed a bug in the States API which prevented certain types of form elements
from being disabled when requested.
- Allowed aggregator feed items with author names longer than 255 characters to
have a truncated version saved to the database (rather than causing a fatal
error).
- Allowed aggregator feed items to have URLs longer than 255 characters
(schema change which results in several columns in the Aggregator module's
database tables changing from VARCHAR to TEXT fields).
- Added hook_taxonomy_term_view() and standardized the process for rendering
taxonomy terms to invoke hook_entity_view() and otherwise make it consistent
with other entities (API change: http://drupal.org/node/1808870).
- Added hook_entity_view_mode_alter() to allow modules to change entity view
modes on display (API addition: http://drupal.org/node/1833086).
- Fixed a bug which made database queries running a "LIKE" query on blob fields
fail on PostgreSQL databases. This caused errors during the Drupal 6 to
Drupal 7 upgrade.
- Changed the hook_menu() entry for Drupal's rss.xml page to prevent extra path
components from being accidentally passed to the page callback function (data
structure change).
- Removed a non-standard "name" attribute from Drupal's default Content-Type
header for file downloads.
- Fixed the theme settings form to properly clean up submitted values in
$form_state['values'] when the form is submitted (data structure change).
- Fixed an inconsistency by removing the colon from the end of the label on
multi-valued form fields (minor string change).
- Added support for 'weight' in hook_field_widget_info() to allow modules to
control the order in which widgets are displayed in the Field UI.
- Updated various tables in the OpenID and Book modules to use the default
"empty table" text pattern (string change).
- Added proxy server support to drupal_http_request().
- Added "lang" attributes to language links, to better support screen readers.
- Fixed double occurrence of a "ul" HTML tag on secondary local tasks in the
Seven theme (markup change).
- Fixed bugs which caused taxonomy vocabulary and shortcut set titles to be
double-escaped. The fix replaces the taxonomy vocabulary overview page and
"Edit shortcuts" menu items' title callback entries in hook_menu() with new
functions that do not escape HTML characters (data structure change).
- Modified the Update manager module to allow drupal.org to collect usage
statistics for individual modules and themes, rather than only for entire
projects.
- Modified the node listing database query on Drupal's default front page to
add table aliases for better query altering (this is a data structure change
affecting code which implements hook_query_alter() on this query).
- Improved the translatability of the "Field type(s) in use" message on the
modules page (admin-facing string change).
- Fixed a regression which caused a "call to undefined function
drupal_find_base_themes()" fatal error under rare circumstances.
- Numerous API documentation improvements.
- Additional automated test coverage.
Contao Open Source CMS 3.0.0 is a new major release since Contao (as
TYPOlight) was publicly released.
Major changes from 2.11.
* Use PHP namespace and more flexible to extend.
* Improve performance with mapper class loader.
* Better support for mobile devices and responsive design
* Database supported file management and handling of file's meta data.
* jQuery support coexist with MooTools.
* Directories in URL path.
* HTML5 based audio/video player (also YouTube).
* Improve ease to use.
* Display of what has changed.
* Complete fix for CSRF.
Changelog:
Version 4.0.8 Oct 10th 2012
Show Login Button when user and password are autocompleted
Sanitize LDAP base, user and groups
Security: Fix for insufficiently Random Values (CVE-2008-4107)
Security: Fixed multiple XSS vulnerabilities (CVE-2012-5056)
Security: Fixed a HTTP header injection (CVE-2012-5057)
Security: Fixed an Auth bypass in /lib/base.php (CVE-2012-5336)