Foswiki Release 2.1.8

See Release Dates for the complete list of available releases.

Download

GPG Signatures and MD5 checksums are provided for verifying the integrity of the files for the primary download packages.

File	GPG	MD5	Description
Foswiki-2.1.8.tgz	GPG	MD5	tar gz version of Foswiki
Foswiki-2.1.8.zip	GPG	MD5	zip version of Foswiki

Upgrade packages

If you already have an earlier version of Foswiki 2.1.X installed, you can extract an upgrade package on top of the installation. The major.minor part of the release should not be changed by an upgrade package.

Upgrade packages must not be used to upgrade older releases.

File	GPG	MD5	Description
Foswiki-upgrade-2.1.8.tgz	GPG	MD5	upgrade tar gz version of Foswiki
Foswiki-upgrade-2.1.8.zip	GPG	MD5	upgrade zip version of Foswiki

%STARTSECTION{"download-none"}%
<blockquote class="foswikiAlert"> *This release has not been built yet!*  This is a draft of the release announcement.  If you want an early start to testing, see Development.GitBasedInstall.</blockquote>
%ENDSECTION{"download-none"}%

%STARTSECTION{"download-topic"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="%PUBURLPATH%/%BASEWEB%/%BASETOPIC%"
  upgraded=""
  upgrade=""
}%
%ENDSECTION{"download-topic"}%

%STARTSECTION{"download-topic-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="%PUBURLPATH%/%BASEWEB%/%BASETOPIC%"
  upgraded="upgrade-"
  upgrade="upgrade"
}%
%ENDSECTION{"download-topic-upgrade"}%

%STARTSECTION{"download-sourceforge"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="http://sourceforge.net/projects/foswiki/files/foswiki/%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  upgraded=""
  upgrade=""
}%
%ENDSECTION{"download-sourceforge"}%

%STARTSECTION{"download-sourceforge-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="http://sourceforge.net/projects/foswiki/files/foswiki/%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  upgraded="upgrade-"
  upgrade="upgrade"
}%
%ENDSECTION{"download-sourceforge-upgrade"}%

%STARTSECTION{"download-github"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="https://github.com/foswiki/distro/releases/download/%FORMFIELD{"ReleaseTag" topic="%BASETOPIC%"}%"
  upgraded=""
  upgrade=""
}%
%ENDSECTION{"download-github"}%

%STARTSECTION{"download-github-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="https://github.com/foswiki/distro/releases/download/%FORMFIELD{"ReleaseTag" topic="%BASETOPIC%"}%"
  upgraded="upgrade-"
  upgrade="upgrade"
}%
%ENDSECTION{"download-github-upgrade"}%

%STARTSECTION{"download"}%
%TABLE{sort="off"}%
| *File* | *GPG* | *MD5* | *Description* |
| [[%url%/Foswiki-%upgraded%%release%.tgz][%ICON{download}% Foswiki-%upgraded%%release%.tgz]] | [[%url%/Foswiki-%upgraded%%release%.tgz.asc][GPG]] | [[%url%/Foswiki-%release%.md5][MD5]] | %upgrade% tar gz version of Foswiki |
| [[%url%/Foswiki-%upgraded%%release%.zip][%ICON{download}% Foswiki-%upgraded%%release%.zip]] | [[%url%/Foswiki-%upgraded%%release%.zip.asc][GPG]] | [[%url%/Foswiki-%release%.md5][MD5]] | %upgrade% zip version of Foswiki |%IF{"'%upgraded%'='' and '%FORMFIELD{"VMImage" topic="%BASETOPIC%"}%'='1'" then="
| [[%url%/Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%][%ICON{download}% Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%]] | [[%url%/Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%.asc][GPG]] | [[%url%/Foswiki-%release%-vmware.md5][MD5]] | [[Support.VirtualMachineImages][VM Image (instructions)]] |"}%%ENDSECTION{"download"}%

%STARTSECTION{"upgrade-header"}%
---++ Upgrade packages

%IF{"'%BASETOPIC%'/UpgradeFrom=''" 
   else="These packages can be used to upgrade __Foswiki Release %FORMFIELD{"UpgradeFrom" topic="%BASETOPIC%"}% or newer__. See [[#Upgrade_Instructions]] for further information"
   then="If you already have an earlier version of Foswiki %FORMFIELD{"ReleaseMajor" topic="%BASETOPIC%"}%.%FORMFIELD{"ReleaseMinor" topic="%BASETOPIC%"}%.X installed, you can extract an upgrade package on top of the installation. The =major.minor= part of the release should not be changed by an upgrade package."}%

%X% Upgrade packages must not be used to upgrade older releases.

%ENDSECTION{"upgrade-header"}%

Other downloads/installers

https://hub.docker.com/r/timlegge/docker-foswiki

Getting help & providing feedback

Don't forget to use the upgrade or installation guides. If you need help, there are several options:

• The IRC channel
• foswiki-discuss mailing list
• Support forum
• Paid support

We want to hear from you! Especially if you have noticed a bug, have some ideas we could use, or just want to contribute:

• File a new task for bug reports
• Create, review or comment on feature proposals to help influence the future of Foswiki
• Chat with other users, developers, translators, and testers on our friendly IRC channel
• If E-mail is more your thing, try our foswiki-discuss mailing list

Highlights of this maintenance release

This release contains 61 fixes relative to 2.1.7, including 9 critical security related fixes.

Most notable are:

• CVE-2023-33756: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server
• CVE-2023-24698: Local file inclusion vulnerability in viewfile

But also:

• directories in working directory are created as world writable 777 permissions
• possible XSS attack in attachment comments
• restricted allowed protocols to http and https, i.e. forbid file protocol for local file inclusion
• prevent symlink attacks by defaulting to a secure location for temporary files
• update to jquery-ui 1.13.2
• backport patch to earlier jQuery versons to fix a potential XSS vulnerability
• possible XSS vulnerability in topic title field

Reverse proxing Foswiki

Foswiki can now properly be run behind a reverse proxy reading a X-Forwarded-For http header. This resulted in mixed content before while rendering HTML.

Macro parser

Under certain conditions a deep recursion can be triggered using otherwise innocend markup code.

RCS storage

While Foswiki defaults to its own plain file storage format, there are still a lot of installs that still use RCS for file versioning. Given that this part of the code preceeds the shift to unicode ages ago, there still was an error in the RCS store not properly encoding topic information.

Change notifications

Changes are send out to subscribers using a mailnotify service. This however must be run as admin user to fully read all changes. Still people are only informed about changes that they actually have view rights to. In addition this release fixes sending out emails in the user's preferend language. There was an error reading these preferences before.

JSON-RPC API

The JSON-RPC is one of the most important web apis of Foswiki with a mandatory topic parameter. This parameter - as in other service endpoints - specifies the location within the knowledge base to operate on. It thus determins the context of any other internal operations such as the calculation of the preference stack. The jsonrpc endpoint sometimes failed to properly set the required context in previous releases.

Uploading multiple files

Foswiki now supports uploading multiple files in one request

Session cookies

Session cookies now have a same-site policy for better security.

Internationalization

Foswiki now always creates a proper I18N service internally, even though only one language (english) is being used. This makes sure that its internal I18N api is instantiated proplerly for other plugins to use, such as Extensions.MultiLingualPlugin.

See the full set of release notes at System.ReleaseNotes02x01

Full Changelog: FoswikiRelease02x01x07...FoswikiRelease02x01x08

Detailed list

Security

Item15135	directories in working directory are created as world writable 777 permissions
Item15141	possible XSS attack in attachment comments
Item15158	update to jquery-ui 1.13.2
Item15163	Local file inclusion vulnerability in viewfile
Item15182	restricted allowed protocols to http and https
Item15190	potential XSS vulnerability in jQuery
Item15192	SpreadSheetPlugin's EVAL feature exposes infromation about paths and files on the server
Item15198	Default to a secure location for temporary files not vulnerable to symlink attacks
Item15200	possible XSS vulnerability in topic title field

Fixes

Item14380	Foswiki should have option to use X-Forwarded-For to determine Client IP in reverse proxy configuration.
Item14580	DIFF_TEXT rarely used ... and buggy
Item15074	remove hardcoded options from build.pl of some extensions
Item15075	deep recursion on innocent code
Item15076	RCS store does not properly encode topic information
Item15077	broken api to show/hide tabs in jquery tabpane
Item15078	body zone merged to script zone
Item15080	make {DefaultDateFormat} a text field
Item15081	handle hash changes of own tabpane only
Item15090	mailnotify script must run as admin user
Item15091	only notify people of topics that they have view access to
Item15113	jsonrpc doesn't set the web-topic context properly
Item15129	FORMFIELD rev parameter broken
Item15131	natedit doesn't validate mandatory formfields properly
Item15136	Foswiki::Meta::save() sets topic and web too late when copying a topic
Item15137	REVINFO doesn't return the top revision info with a zero rev parameter
Item15142	better default labels for twisty links
Item15145	add support for uploading multiple files in one request
Item15146	require packages during compile time, not during runtime
Item15160	Permissions editor can only auto-complete users and groups found in a topic of the users web
Item15162	perl error when parsing email address of an empty header
Item15173	add same-site policy to cookies
Item15174	jquery.stars in +values mode
Item15175	page with multiple jquery.loader mix their options
Item15176	mailer fails to load language preferences for users
Item15178	wrong set of permissions selecting "registered users" access in natedit
Item15179	always load a proper I18N class when internationalisation is enabled
Item15180	broken SCRIPTURL macro for json-rpc links
Item15183	Fix version number of EditRowPlugin
Item15184	don't translate < and > to their html entity counterparts
Item15185	email tests fail on newer Email::MIME
Item15186	random unit test failures in rcs store
Item15189	Redirectto parameter breaks preview function
Item15191	an uploaded html file is secured by appending txt multiple times
Item15201	fix detection of edge browser
Item15203	improve detection of module versions

Enhancements

Item15138	IconSearchPath can't be set to empty
Item15139	add optional t parameter to jquery.loader to prevent browser caching
Item15140	a natedit formfield cannot be checked for mandatoryness
Item15144	remove unused files from TwistyPlugin
Item15147	in spec files, all {Module} settings are expert level
Item15148	core's RELEASE and VERSION scheme should follow standards established in skins and extensions
Item15149	improve perl doc renderer
Item15153	report version numbers not release strings exploring installed extensions in configure
Item15154	keep images and links in rss and atom feeds
Item15155	add spaceOutWikiWord() to foswiki javascript API
Item15157	update to jquery.validate 1.19.5
Item15181	update to jquery-3.6.3, remove previous jquery-3.x packages
Item15187	remove stray quote from TML citations
Item15194	make edit toolbar more configurable
Item15199	add showcompleted and hidecompleted javascript events when the twisty opened/closed
Item9012	make TwistyPlugin's mode attributes more meaningful

Installation

Please refer to the INSTALL.html which can be found the downloaded tgz/zip. It can be also found on Foswiki.org in the System.InstallationGuide

Upgrade Instructions

• See System.UpgradeGuide for details on upgrading from older versions of Foswiki
• See System.SystemRequirements for the latest System Requirements.
• Be sure to take a backup!
• The upgrade packages excludes files "commonly" modified, for example, WebHome, WebPreferences, AdminGroup, etc. If your installation has modified other topics, or template files, those updates will be lost!
• If you use tar, then you can extract the upgrade package on top of your installation by using: (Be sure to run this as your web server user to avoid changing file ownership.)

cd /var/www/foswiki
tar --strip-components=1 -zxf /path/to/Foswiki-upgrade-2.x.x.tgz
cd tools
./configure --save

• Similarly, if you are using the zip upgrade package, then

cd /var/www/foswiki
unzip -o /path/to/Foswiki-upgrade-2.x.x.zip
cd tools
./configure --save

• After upgrade, restart the web server, clear the foswiki page cache, clear your browser cache.
• If things are not fully working, verify file system permissions and ownership. See System.InstallationGuide#Step_2:_Confirm_file_and_directory_ownership_and_permissions

License

• This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
• This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
• See the GNU General Public License for more details, published at http://www.gnu.org/copyleft/gpl.html

Release Details

• Build date 2023-08-06
• Publish date 2023-08-06
• Built from github commit 7c089985e3