TWiki Release 4.3.2 (Georgetown), 2009-09-02
Introduction
TWiki-4.3.0 released on 2009-03-30 introduces security enhancements, usability enhancements, feature enhancements, and adds extensions to strengthen TWiki as an enterprise collaboration platform.
TWiki-4.3.1 released on 2009-04-29 introduces security enhancements. This release also introduces use of ISO date format by default.
TWiki-4.3.2 released on 2009-09-02 introduces security enhancements (CSRF fix). WYSIWYG editing is enhanced as well, the TinyMCEPlugin is upgraded with latest tinyMCE Javascript library.
It is highly recommended to upgrade to TWiki-4.3.2. Users will find this release much more stable and secure in daily use.
Pre-installed Extensions
TWiki-4.3.2 ships with:
- Plugins: CommentPlugin, EditTablePlugin, EmptyPlugin, HeadlinesPlugin, InterwikiPlugin, PreferencesPlugin, RenderListPlugin, SlideShowPlugin, SmiliesPlugin, SpreadSheetPlugin, TablePlugin, TinyMCEPlugin, TWikiNetSkinPlugin, TwistyPlugin, WysiwygPlugin
- Contribs: BehaviourContrib, JSCalendarContrib, MailerContrib, TipsContrib, TWikiUserMappingContrib, TwistyContrib
- Skins: ClassicSkin, PatternSkin, TWikiNetSkin,
Note: HeadlinesPlugin, TWikiNetSkin and TWikiNetSkinPlugin are new in TWiki-4.3.0.
New Features Highlights
- Security Enhancements
- Reduced risk of XSS (cross-site scripting)
- Reduced risk CSRF (cross-site request forgery) - added in TWiki-4.3.1
- S/MIME support to sign administrative e-mails
- Usability Enhancements
- Replace question mark links with red-links to point to non-existing topics
- Use ISO date format by default - added in TWiki-4.3.1
- Enterprise Collaboration Enhancements
- Pre-installed HeadlinesPlugin to show headline newsfeeds in TWiki topics
- Pre-installed TWikiNetSkin, TWikiNetSkinPlugin for corporate look and feel
- Search Enhancements
- Add footer parameter to Formatted Search
- Add number of topics to Formatted Search
- Miscellaneous Feature Enhancements
- Control over variable expansion at topic creation time
- 17 new TWikiDocGraphics images
- Include URL supports list of domains to exclude from proxy
- Adding Korean language
- Plugin Enhancements
- SpreadSheetPlugin: 5 new functions
See the full list of bug fixes at the bottom of this topic.
Important Changes
1. Added protection against CSRF (cross-site request forgery) in TWiki 4.3.2 patch release
TWiki protects content updates with a one-time-use crypt token to guard against CSRF exploits. This means that it is no longer possible to hit the browser back button to fix a typo; you get an "invalid crypt token" error message if you try to save again. Workaround: Instead of browser back button, hit the "Edit" button to fix a typo.
There is a balance between security and user convenience. A TWiki administrator can enable and disable the crypt token based CSRF protection with the {CryptToken}{Enable} configure setting. For mission critical public TWiki sites it is recommended to enable the crypt token; for firewalled TWiki sites it is usually OK to disable it.
Deprecation Notices
The %MAINWEB% and %TWIKIWEB% variables have been deprecated. For compatibility reasons they are unlikely to ever be removed completely, but you should use the %USERSWEB% and %SYSTEMWEB% variables instead.
In Func getOopsUrl and permissionsSet have been declared deprecated. There is no plan to remove them yet.
TWiki-4.3.0 Minor Release - Details
TWiki-4.3.0 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 17948 (2009-03-30)
Highlights
- Security:
- Review code for robustness and security
- Secure configure script with taint mode turned on
- Rendering:
- %TOC% does not distinguish two headlines that have the same text
- TablePlugin produces bad links for sorting when using "short" URLs
- %SCRIPTSUFFIX% is added twice in %TOC% links
- Incorrect Content-length breaks HTTP headers, a.o. pound fail results
- TablePlugin: Date sorting is broken
- Bullet lists in form fields are not rendered properly
- TWiki Forms expand variables like $nop, $quote $percnt
- TwistyPlugin: Twisty can't be placed in TWiki table cells
- Users and groups:
- TWikiGroups shows all members twice
- Editing:
- WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character
- Miscellaneous:
- configure's get more extensions does not work well without LWP
- CommentPlugin: Lost data if it's targeted before/after a missing anchor
- Plugin installation fails on windows: extender.pl line 684
- Statistics script does not handle properly topics with special characters
Enhancements
| Item2927 | Topic moved message too visible |
| Item6283 | upgrade tinyMCE to latest version in TinyMCEPlugin |
| Item3647 | Usability: Control over variable expansion in topic templates |
| Item5025 | InterwikiPlugin: Allow special characters in "Page" of Site:Page |
| Item6148 | HeadlinesPlugin: Support for {PROXY}{HOST} and {PROXY}{PORT} configure settings |
| Item6176 | Search: Add footer parameter to Formatted Search |
| Item6180 | HeadlinesPlugin: Support for {PROXY}{SkipProxyForDomains} configure setting, USERAGENTNAME plugin setting |
| Item6184 | Search: Add Number of Topics to Formatted Search |
| Item6189 | Usability: Replace question mark links with red links to point to non-existing topics |
| Item6199 | Enhancement: Add TWikiNetSkin to Distribution |
| Item6200 | Enhancement: Add HeadlinesPlugin to Distribution |
| Item6222 | SpreadSheetPlugin: New functions $EMPTY(), $INSERTSTRING(), $LEFTSTRING(), $RIGHTSTRING(), $SUBSTRING() functions |
| Item6226 | Include: Specify a list of domains to exclude from proxy with {PROXY}{SkipProxyForDomains} setting |
| Item6227 | Documentation: 17 new TWikiDocGraphics images |
| Item6228 | Security: Option to send signed e-mail with S/MIME |
Fixes
| Item6253 | $WORKINGDAYS is returning invalid results |
| Item6259 | Prevent GUI-based rename of TWiki web and Main web |
| Item6267 | FORMFIELD expands $title to field name if $title exists in field value |
| Item6295 | Preferences For Raw Edit or Wysiwyg Edit |
| Item1607 | %TOC% does not distinguish two headlines that have the same text |
| Item2525 | TablePlugin produces bad links for sorting when using "short" URLs |
| Item4835 | SpreadSheetPlugin: SUBSTITUTE error when text=old and replace is empty |
| Item5176 | %SCRIPTSUFFIX% is added twice in %TOC% links |
| Item5471 | SpreadSheetPlugin: The character 0 cannot be replaced using the REPLACE-funtion |
| Item5910 | TablePlugin: %TOC% variable creates links with unecessary query string |
| Item5914 | TWiki::Request::url() must support -rewrite, -absolute and -relative |
| Item5920 | TWikiGroups shows all members twice |
| Item5939 | Rogue <p /> below </html> on every topic in every web |
| Item5960 | Incorrect Content-length breaks HTTP headers, a.o. pound fail results |
| Item5961 | WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character |
| Item5991 | JSCalendarContrib: Does not work correctly in IE7 |
| Item5994 | Secure configure script with taint mode turned on |
| Item6005 | EditTablePlugin: "label"-formatted cell changed in unexpected way |
| Item6022 | %ENCODE{}% treats % as safe character |
| Item6026 | With header format emtpy table is initialized with one column only |
| Item6031 | TablePlugin: Date sorting is broken. |
| Item6041 | TinyMCE bug with Firefox 3 and bulleted lists |
| Item6050 | statistics script fails when cuid is not equal login name (as login name is what's in the log files...) |
| Item6054 | TwistyPlugin: No longer possible to have a twisty on one line without linebreak |
| Item6060 | configure's get more extensions does not work well without LWP |
| Item6061 | TWiki::Func::getContext documention |
| Item6138 | Bullet lists in form fields are not rendered properly |
| Item6163 | CommentPlugin: Lost data if it's targeted before/after a missing anchor. |
| Item6167 | TWiki Forms expand variables like $nop, $quote $percnt |
| Item6170 | Plugin installation fails on windows: extender.pl line 684 |
| Item6171 | Per RFC 5321, single quote is allwed in e-mail addresses |
| Item6178 | Statistics script does not handle properly topics with special characters |
| Item6185 | Missing newline in Formatted Search if footer used |
| Item6186 | Review code for robustness and security |
| Item6208 | WebChanges does not work on Windows |
| Item6220 | TwistyPlugin: Twisty can't be placed in TWiki table cells |
| Item6223 | Users can't edit content in Main web |
TWiki 4.3.1 Patch Release - Details
TWiki-4.3.1 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 18054 (2009-04-29)
Highlights
- Security:
- TWiki:Codev/SecurityAlert-CVE-2009-1339: A remote user may gain TWiki admin privileges with a specially crafted image tag. This cross-site request forgery vulnerability existed because TWiki allowed HTTP GET to save content.
- Usability:
- Use of ISO format date promoted in this release
- Handling URLPARAM:
- The handling of URLPARAM for empty or missing was corrected in this release.
Enhancements
| Item6239 | Fix TWIKIWEB to SYSTEMWEB, MAINWEB to USERSWEB |
| Item6254 | Feature: Use ISO Date Format by Default |
Fixes
| Item5453 | Value of "0" improperly handled in ENCODE variable |
| Item6232 | Use of uninitialized value $1 in concatenation (.) or string at lib/TWiki.pm |
| Item6240 | unhelpful error message when sysCommand fails |
| Item6243 | URLPARAM "empty or missing" |
| Item6251 | CSRF vulnerability CVE-2009-1339: Possible to gain TWiki admin privileges with a specially crafted image tag |
TWiki 4.3.2 Patch Release - Details
TWiki-4.3.2 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 18148 (2009-09-02)
Highlights
- Security:
- TWiki:Codev/SecurityAuditTokenBasedCsrfFix: Hardening TWiki content update with a crypt token based fix against cross-site request forgery vulnerabilities.
Enhancements
| Item2927 | Topic moved message too visible |
| Item6283 | upgrade TinyMCEPlugin with latest tinyMCE WYSIWYG editor |
| Item6315 | HeadlinesPlugin: New touch parameter for HEADLINES variable |
Fixes
| Item6253 | SpreadSheetPlugin: $WORKINGDAYS is returning invalid results |
| Item6259 | Prevent GUI-based rename of TWiki web and Main web |
| Item6267 | FORMFIELD expands $title to field name if $title exists in field value |
| Item6295 | Preferences for raw edit or WYSIWYG edit |
| Item6296 | Crypt token based CSRF fix for TWiki |
| Item6308 | viewfile adds trailing newline to attachments |
Related Topic: TWikiHistory, TWikiInstallationGuide, TWikiUpgradeGuide
TWiki Web
Users
Groups
Index
Search
Changes
Notifications
RSS Feed
Statistics
Preferences
Sandbox |
|
Copyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.TWikiReleaseNotes04x03