Foswiki Release 2.1.8

See Release Dates for the complete list of available releases.

Download

GPG Signatures and MD5 checksums are provided for verifying the integrity of the files for the primary download packages.

File GPG MD5 Description
download Foswiki-2.1.8.tgz GPG MD5 tar gz version of Foswiki
download Foswiki-2.1.8.zip GPG MD5 zip version of Foswiki

Upgrade packages

If you already have an earlier version of Foswiki 2.1.X installed, you can extract an upgrade package on top of the installation. The major.minor part of the release should not be changed by an upgrade package.

ALERT! Upgrade packages must not be used to upgrade older releases.

File GPG MD5 Description
download Foswiki-upgrade-2.1.8.tgz GPG MD5 upgrade tar gz version of Foswiki
download Foswiki-upgrade-2.1.8.zip GPG MD5 upgrade zip version of Foswiki

%STARTSECTION{"download-none"}%
<blockquote class="foswikiAlert"> *This release has not been built yet!*  This is a draft of the release announcement.  If you want an early start to testing, see Development.GitBasedInstall.</blockquote>
%ENDSECTION{"download-none"}%

%STARTSECTION{"download-topic"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="%PUBURLPATH%/%BASEWEB%/%BASETOPIC%"
  upgraded=""
  upgrade=""
}%
%ENDSECTION{"download-topic"}%

%STARTSECTION{"download-topic-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="%PUBURLPATH%/%BASEWEB%/%BASETOPIC%"
  upgraded="upgrade-"
  upgrade="upgrade"
}%
%ENDSECTION{"download-topic-upgrade"}%

%STARTSECTION{"download-sourceforge"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="http://sourceforge.net/projects/foswiki/files/foswiki/%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  upgraded=""
  upgrade=""
}%
%ENDSECTION{"download-sourceforge"}%

%STARTSECTION{"download-sourceforge-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="http://sourceforge.net/projects/foswiki/files/foswiki/%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  upgraded="upgrade-"
  upgrade="upgrade"
}%
%ENDSECTION{"download-sourceforge-upgrade"}%

%STARTSECTION{"download-github"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="https://github.com/foswiki/distro/releases/download/%FORMFIELD{"ReleaseTag" topic="%BASETOPIC%"}%"
  upgraded=""
  upgrade=""
}%
%ENDSECTION{"download-github"}%

%STARTSECTION{"download-github-upgrade"}%
%INCLUDE{"Download.FoswikiReleaseViewTemplate" section="download"
  release="%FORMFIELD{"Release" topic="%BASETOPIC%"}%"
  url="https://github.com/foswiki/distro/releases/download/%FORMFIELD{"ReleaseTag" topic="%BASETOPIC%"}%"
  upgraded="upgrade-"
  upgrade="upgrade"
}%
%ENDSECTION{"download-github-upgrade"}%

%STARTSECTION{"download"}%
%TABLE{sort="off"}%
| *File* | *GPG* | *MD5* | *Description* |
| [[%url%/Foswiki-%upgraded%%release%.tgz][%ICON{download}% Foswiki-%upgraded%%release%.tgz]] | [[%url%/Foswiki-%upgraded%%release%.tgz.asc][GPG]] | [[%url%/Foswiki-%release%.md5][MD5]] | %upgrade% tar gz version of Foswiki |
| [[%url%/Foswiki-%upgraded%%release%.zip][%ICON{download}% Foswiki-%upgraded%%release%.zip]] | [[%url%/Foswiki-%upgraded%%release%.zip.asc][GPG]] | [[%url%/Foswiki-%release%.md5][MD5]] | %upgrade% zip version of Foswiki |%IF{"'%upgraded%'='' and '%FORMFIELD{"VMImage" topic="%BASETOPIC%"}%'='1'" then="
| [[%url%/Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%][%ICON{download}% Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%]] | [[%url%/Foswiki-%release%-vmware.%FORMFIELD{"VMFormat" topic="%BASETOPIC%"}%.asc][GPG]] | [[%url%/Foswiki-%release%-vmware.md5][MD5]] | [[Support.VirtualMachineImages][VM Image (instructions)]] |"}%%ENDSECTION{"download"}%

%STARTSECTION{"upgrade-header"}%
---++ Upgrade packages

%IF{"'%BASETOPIC%'/UpgradeFrom=''" 
   else="These packages can be used to upgrade __Foswiki Release %FORMFIELD{"UpgradeFrom" topic="%BASETOPIC%"}% or newer__. See [[#Upgrade_Instructions]] for further information"
   then="If you already have an earlier version of Foswiki %FORMFIELD{"ReleaseMajor" topic="%BASETOPIC%"}%.%FORMFIELD{"ReleaseMinor" topic="%BASETOPIC%"}%.X installed, you can extract an upgrade package on top of the installation. The =major.minor= part of the release should not be changed by an upgrade package."}%

%X% Upgrade packages must not be used to upgrade older releases.

%ENDSECTION{"upgrade-header"}%

Other downloads/installers

https://hub.docker.com/r/timlegge/docker-foswiki

Getting help & providing feedback

Don't forget to use the upgrade or installation guides. If you need help, there are several options:

We want to hear from you! Especially if you have noticed a bug, have some ideas we could use, or just want to contribute:

Highlights of this maintenance release

This release contains 61 fixes relative to 2.1.7, including 9 critical security related fixes.

Most notable are:

  • CVE-2023-33756: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server
  • CVE-2023-24698: Local file inclusion vulnerability in viewfile

But also:

  • directories in working directory are created as world writable 777 permissions
  • possible XSS attack in attachment comments
  • restricted allowed protocols to http and https, i.e. forbid file protocol for local file inclusion
  • prevent symlink attacks by defaulting to a secure location for temporary files
  • update to jquery-ui 1.13.2
  • backport patch to earlier jQuery versons to fix a potential XSS vulnerability
  • possible XSS vulnerability in topic title field

Reverse proxing Foswiki

Foswiki can now properly be run behind a reverse proxy reading a X-Forwarded-For http header. This resulted in mixed content before while rendering HTML.

Macro parser

Under certain conditions a deep recursion can be triggered using otherwise innocend markup code.

RCS storage

While Foswiki defaults to its own plain file storage format, there are still a lot of installs that still use RCS for file versioning. Given that this part of the code preceeds the shift to unicode ages ago, there still was an error in the RCS store not properly encoding topic information.

Change notifications

Changes are send out to subscribers using a mailnotify service. This however must be run as admin user to fully read all changes. Still people are only informed about changes that they actually have view rights to. In addition this release fixes sending out emails in the user's preferend language. There was an error reading these preferences before.

JSON-RPC API

The JSON-RPC is one of the most important web apis of Foswiki with a mandatory topic parameter. This parameter - as in other service endpoints - specifies the location within the knowledge base to operate on. It thus determins the context of any other internal operations such as the calculation of the preference stack. The jsonrpc endpoint sometimes failed to properly set the required context in previous releases.

Uploading multiple files

Foswiki now supports uploading multiple files in one request

Session cookies

Session cookies now have a same-site policy for better security.

Internationalization

Foswiki now always creates a proper I18N service internally, even though only one language (english) is being used. This makes sure that its internal I18N api is instantiated proplerly for other plugins to use, such as Extensions.MultiLingualPlugin.

See the full set of release notes at System.ReleaseNotes02x01

Full Changelog: FoswikiRelease02x01x07...FoswikiRelease02x01x08

Detailed list

Security

Item15135 directories in working directory are created as world writable 777 permissions
Item15141 possible XSS attack in attachment comments
Item15158 update to jquery-ui 1.13.2
Item15163 Local file inclusion vulnerability in viewfile
Item15182 restricted allowed protocols to http and https
Item15190 potential XSS vulnerability in jQuery
Item15192 SpreadSheetPlugin's EVAL feature exposes infromation about paths and files on the server
Item15198 Default to a secure location for temporary files not vulnerable to symlink attacks
Item15200 possible XSS vulnerability in topic title field

Fixes

Item14380 Foswiki should have option to use X-Forwarded-For to determine Client IP in reverse proxy configuration.
Item14580 DIFF_TEXT rarely used ... and buggy
Item15074 remove hardcoded options from build.pl of some extensions
Item15075 deep recursion on innocent code
Item15076 RCS store does not properly encode topic information
Item15077 broken api to show/hide tabs in jquery tabpane
Item15078 body zone merged to script zone
Item15080 make {DefaultDateFormat} a text field
Item15081 handle hash changes of own tabpane only
Item15090 mailnotify script must run as admin user
Item15091 only notify people of topics that they have view access to
Item15113 jsonrpc doesn't set the web-topic context properly
Item15129 FORMFIELD rev parameter broken
Item15131 natedit doesn't validate mandatory formfields properly
Item15136 Foswiki::Meta::save() sets topic and web too late when copying a topic
Item15137 REVINFO doesn't return the top revision info with a zero rev parameter
Item15142 better default labels for twisty links
Item15145 add support for uploading multiple files in one request
Item15146 require packages during compile time, not during runtime
Item15160 Permissions editor can only auto-complete users and groups found in a topic of the users web
Item15162 perl error when parsing email address of an empty header
Item15173 add same-site policy to cookies
Item15174 jquery.stars in +values mode
Item15175 page with multiple jquery.loader mix their options
Item15176 mailer fails to load language preferences for users
Item15178 wrong set of permissions selecting "registered users" access in natedit
Item15179 always load a proper I18N class when internationalisation is enabled
Item15180 broken SCRIPTURL macro for json-rpc links
Item15183 Fix version number of EditRowPlugin
Item15184 don't translate < and > to their html entity counterparts
Item15185 email tests fail on newer Email::MIME
Item15186 random unit test failures in rcs store
Item15189 Redirectto parameter breaks preview function
Item15191 an uploaded html file is secured by appending txt multiple times
Item15201 fix detection of edge browser
Item15203 improve detection of module versions

Enhancements

Item15138 IconSearchPath can't be set to empty
Item15139 add optional t parameter to jquery.loader to prevent browser caching
Item15140 a natedit formfield cannot be checked for mandatoryness
Item15144 remove unused files from TwistyPlugin
Item15147 in spec files, all {Module} settings are expert level
Item15148 core's RELEASE and VERSION scheme should follow standards established in skins and extensions
Item15149 improve perl doc renderer
Item15153 report version numbers not release strings exploring installed extensions in configure
Item15154 keep images and links in rss and atom feeds
Item15155 add spaceOutWikiWord() to foswiki javascript API
Item15157 update to jquery.validate 1.19.5
Item15181 update to jquery-3.6.3, remove previous jquery-3.x packages
Item15187 remove stray quote from TML citations
Item15194 make edit toolbar more configurable
Item15199 add showcompleted and hidecompleted javascript events when the twisty opened/closed
Item9012 make TwistyPlugin's mode attributes more meaningful

Installation

Please refer to the INSTALL.html which can be found the downloaded tgz/zip. It can be also found on Foswiki.org in the System.InstallationGuide

Upgrade Instructions

In-place upgrade from any release prior to Foswiki 2.1.0 is not recommended. Older Foswiki installations should install Foswiki as a new release, configure, and then migrate data to the new installation.
  • See System.UpgradeGuide for details on upgrading from older versions of Foswiki
  • See System.SystemRequirements for the latest System Requirements.
  • Be sure to take a backup!
  • The upgrade packages excludes files "commonly" modified, for example, WebHome, WebPreferences, AdminGroup, etc. If your installation has modified other topics, or template files, those updates will be lost!
  • If you use tar, then you can extract the upgrade package on top of your installation by using: (Be sure to run this as your web server user to avoid changing file ownership.)
cd /var/www/foswiki
tar --strip-components=1 -zxf /path/to/Foswiki-upgrade-2.x.x.tgz
cd tools
./configure --save
  • Similarly, if you are using the zip upgrade package, then
cd /var/www/foswiki
unzip -o /path/to/Foswiki-upgrade-2.x.x.zip
cd tools
./configure --save

License

  • This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
  • This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  • See the GNU General Public License for more details, published at http://www.gnu.org/copyleft/gpl.html

Release Details

I Attachment Action Size Date Who Comment
Foswiki-2.1.8.md5md5 Foswiki-2.1.8.md5 manage 224 bytes 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-2.1.8.sha1sha1 Foswiki-2.1.8.sha1 manage 256 bytes 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-2.1.8.tgztgz Foswiki-2.1.8.tgz manage 14 MB 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-2.1.8.tgz.ascasc Foswiki-2.1.8.tgz.asc manage 833 bytes 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-2.1.8.zipzip Foswiki-2.1.8.zip manage 17 MB 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-2.1.8.zip.ascasc Foswiki-2.1.8.zip.asc manage 833 bytes 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-upgrade-2.1.8.tgztgz Foswiki-upgrade-2.1.8.tgz manage 14 MB 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-upgrade-2.1.8.tgz.ascasc Foswiki-upgrade-2.1.8.tgz.asc manage 833 bytes 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-upgrade-2.1.8.zipzip Foswiki-upgrade-2.1.8.zip manage 17 MB 06 Aug 2023 - 14:12 MichaelDaum  
Foswiki-upgrade-2.1.8.zip.ascasc Foswiki-upgrade-2.1.8.zip.asc manage 833 bytes 06 Aug 2023 - 14:12 MichaelDaum  
Topic revision: r3 - 10 Aug 2023, MichaelDaum - This page was cached on 28 Nov 2024 - 04:54.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy