TWiki Release 4.3.2 (Georgetown), 2009-09-02

Introduction

TWiki-4.3.0 released on 2009-03-30 introduces security enhancements, usability enhancements, feature enhancements, and adds extensions to strengthen TWiki as an enterprise collaboration platform.

TWiki-4.3.1 released on 2009-04-29 introduces security enhancements. This release also introduces use of ISO date format by default.

TWiki-4.3.2 released on 2009-09-02 introduces security enhancements (CSRF fix). WYSIWYG editing is enhanced as well: the TinyMCEPlugin is upgraded with the latest TinyMCE JavaScript library.

It is highly recommended to upgrade to TWiki-4.3.2. Users will find this release much more stable and secure in daily use.

Pre-installed Extensions

TWiki-4.3.2 ships with:

  • Plugins: CommentPlugin, EditTablePlugin, EmptyPlugin, HeadlinesPlugin, InterwikiPlugin, PreferencesPlugin, RenderListPlugin, SlideShowPlugin, SmiliesPlugin, SpreadSheetPlugin, TablePlugin, TinyMCEPlugin, TWikiNetSkinPlugin, TwistyPlugin, WysiwygPlugin
  • Contribs: BehaviourContrib, JSCalendarContrib, MailerContrib, TipsContrib, TWikiUserMappingContrib, TwistyContrib
  • Skins: ClassicSkin, PatternSkin, TWikiNetSkin

Note: HeadlinesPlugin, TWikiNetSkin and TWikiNetSkinPlugin are new in TWiki-4.3.0.

New Features Highlights

  • Security Enhancements
  • Usability Enhancements
    • Replace question mark links with red-links to point to non-existing topics
    • Use ISO date format by default - added in TWiki-4.3.1
  • Enterprise Collaboration Enhancements
    • Pre-installed HeadlinesPlugin to show headline newsfeeds in TWiki topics
    • Pre-installed TWikiNetSkin, TWikiNetSkinPlugin for corporate look and feel
  • Search Enhancements
    • Add footer parameter to Formatted Search
    • Add number of topics to Formatted Search
  • Miscellaneous Feature Enhancements
    • Control over variable expansion at topic creation time
    • 17 new TWikiDocGraphics images
    • Include URL supports list of domains to exclude from proxy
    • Add Korean language
  • Plugin Enhancements
    • SpreadSheetPlugin: 5 new functions

See the full list of bug fixes at the bottom of this topic.

Important Changes

1. Added protection against CSRF (cross-site request forgery) in TWiki 4.3.2 patch release

TWiki protects content updates with a one-time-use crypt token to guard against CSRF exploits. This means that it is no longer possible to hit the browser back button to fix a typo: you get an "invalid crypt token" error message if you try to save again. Workaround: instead of the browser back button, hit the "Edit" button to fix a typo.

There is a balance between security and user convenience. A TWiki administrator can enable and disable the crypt token based CSRF protection with the {CryptToken}{Enable} configure setting. For mission critical public TWiki sites it is recommended to enable the crypt token; for firewalled TWiki sites it is usually OK to disable it.
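The one-time-use token behaviour described above, as an added Python model that is not TWiki's own Perl code: a token is issued when the edit form is rendered, accepted exactly once by the save handler, and rejected on replay (the back-button case), when bound to a different session, or when absent (the GET image-tag case noted for the 4.3.1 fix). The session id, the expiry window and the POST-only check are assumptions of this model, not settings from the release notes.

```python
import secrets
import time


class CryptTokenGuard:
    """Simplified model of a one-time-use CSRF token (not TWiki's own code).

    issue() runs when an edit form is rendered; authorize_save() runs in the
    save handler.  Each token is accepted exactly once, so resubmitting the
    same form after the browser back button is rejected, as is a forged
    request that carries no token or a token issued to another session.
    """

    def __init__(self, enabled=True, ttl_seconds=3600):
        self.enabled = enabled        # models the {CryptToken}{Enable} setting
        self.ttl = ttl_seconds        # assumed expiry window, not in the release notes
        self._tokens = {}             # token -> (session_id, issued_at)

    def issue(self, session_id, now=None):
        """Mint a fresh 128-bit token for this session and remember it."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # from the OS CSPRNG, unguessable
        self._tokens[token] = (session_id, now)
        return token

    def authorize_save(self, method, session_id, token, now=None):
        """Return True only for a POST carrying an unused token of this session."""
        if method != "POST":
            return False              # a GET must never change content (4.3.1 fix)
        if not self.enabled:
            return True               # admin chose convenience over CSRF protection
        if not token:
            return False
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)   # pop: the token is spent now
        if entry is None:
            return False              # unknown or already used (back-button replay)
        owner, issued_at = entry
        return owner == session_id and now - issued_at <= self.ttl
```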

Deprecation Notices

The %MAINWEB% and %TWIKIWEB% variables have been deprecated. For compatibility reasons they are unlikely to ever be removed completely, but you should use the %USERSWEB% and %SYSTEMWEB% variables instead.

In TWiki::Func, getOopsUrl and permissionsSet have been declared deprecated. There is no plan to remove them yet.

TWiki-4.3.0 Minor Release - Details

TWiki-4.3.0 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 17948 (2009-03-30)

Highlights

  • Security:
    • Review code for robustness and security
    • Secure configure script with taint mode turned on
  • Rendering:
    • %TOC% does not distinguish two headlines that have the same text
    • TablePlugin produces bad links for sorting when using "short" URLs
    • %SCRIPTSUFFIX% is added twice in %TOC% links
    • Incorrect Content-length breaks HTTP headers; among other things, pound fails
    • TablePlugin: Date sorting is broken
    • Bullet lists in form fields are not rendered properly
    • TWiki Forms expand variables like $nop, $quote $percnt
    • TwistyPlugin: Twisty can't be placed in TWiki table cells
  • Users and groups:
    • TWikiGroups shows all members twice
  • Editing:
    • WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character
  • Miscellaneous:
    • configure's get more extensions does not work well without LWP
    • CommentPlugin: Lost data if it's targeted before/after a missing anchor
    • Plugin installation fails on windows: extender.pl line 684
    • Statistics script does not handle properly topics with special characters

Enhancements

Item2927 Topic moved message too visible
Item6283 upgrade tinyMCE to latest version in TinyMCEPlugin
Item3647 Usability: Control over variable expansion in topic templates
Item5025 InterwikiPlugin: Allow special characters in "Page" of Site:Page
Item6148 HeadlinesPlugin: Support for {PROXY}{HOST} and {PROXY}{PORT} configure settings
Item6176 Search: Add footer parameter to Formatted Search
Item6180 HeadlinesPlugin: Support for {PROXY}{SkipProxyForDomains} configure setting, USERAGENTNAME plugin setting
Item6184 Search: Add Number of Topics to Formatted Search
Item6189 Usability: Replace question mark links with red links to point to non-existing topics
Item6199 Enhancement: Add TWikiNetSkin to Distribution
Item6200 Enhancement: Add HeadlinesPlugin to Distribution
Item6222 SpreadSheetPlugin: New functions $EMPTY(), $INSERTSTRING(), $LEFTSTRING(), $RIGHTSTRING(), $SUBSTRING() functions
Item6226 Include: Specify a list of domains to exclude from proxy with {PROXY}{SkipProxyForDomains} setting
Item6227 Documentation: 17 new TWikiDocGraphics images
Item6228 Security: Option to send signed e-mail with S/MIME

Fixes

Item6253 $WORKINGDAYS is returning invalid results
Item6259 Prevent GUI-based rename of TWiki web and Main web
Item6267 FORMFIELD expands $title to field name if $title exists in field value
Item6295 Preferences For Raw Edit or Wysiwyg Edit
Item1607 %TOC% does not distinguish two headlines that have the same text
Item2525 TablePlugin produces bad links for sorting when using "short" URLs
Item4835 SpreadSheetPlugin: SUBSTITUTE error when text=old and replace is empty
Item5176 %SCRIPTSUFFIX% is added twice in %TOC% links
Item5471 SpreadSheetPlugin: The character 0 cannot be replaced using the REPLACE function
Item5910 TablePlugin: %TOC% variable creates links with unnecessary query string
Item5914 TWiki::Request::url() must support -rewrite, -absolute and -relative
Item5920 TWikiGroups shows all members twice
Item5939 Rogue <p /> below </html> on every topic in every web
Item5960 Incorrect Content-length breaks HTTP headers; among other things, pound fails
Item5961 WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character
Item5991 JSCalendarContrib: Does not work correctly in IE7
Item5994 Secure configure script with taint mode turned on
Item6005 EditTablePlugin: "label"-formatted cell changed in unexpected way
Item6022 %ENCODE{}% treats % as safe character
Item6026 With header format, empty table is initialized with one column only
Item6031 TablePlugin: Date sorting is broken
Item6041 TinyMCE bug with Firefox 3 and bulleted lists
Item6050 statistics script fails when cuid does not equal the login name (as the login name is what's in the log files)
Item6054 TwistyPlugin: No longer possible to have a twisty on one line without linebreak
Item6060 configure's get more extensions does not work well without LWP
Item6061 TWiki::Func::getContext documentation
Item6138 Bullet lists in form fields are not rendered properly
Item6163 CommentPlugin: Lost data if it's targeted before/after a missing anchor
Item6167 TWiki Forms expand variables like $nop, $quote $percnt
Item6170 Plugin installation fails on windows: extender.pl line 684
Item6171 Per RFC 5321, single quote is allowed in e-mail addresses
Item6178 Statistics script does not handle properly topics with special characters
Item6185 Missing newline in Formatted Search if footer used
Item6186 Review code for robustness and security
Item6208 WebChanges does not work on Windows
Item6220 TwistyPlugin: Twisty can't be placed in TWiki table cells
Item6223 Users can't edit content in Main web

TWiki 4.3.1 Patch Release - Details

TWiki-4.3.1 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 18054 (2009-04-29)

Highlights

  • Security:
    • TWiki:Codev/SecurityAlert-CVE-2009-1339: A remote user may gain TWiki admin privileges with a specially crafted image tag. This cross-site request forgery vulnerability existed because TWiki allowed HTTP GET to save content.
  • Usability:
    • Use of ISO format date promoted in this release
  • Handling URLPARAM:
    • The handling of URLPARAM for empty or missing parameters was corrected in this release.

Enhancements

Item6239 Fix TWIKIWEB to SYSTEMWEB, MAINWEB to USERSWEB
Item6254 Feature: Use ISO Date Format by Default

Fixes

Item5453 Value of "0" improperly handled in ENCODE variable
Item6232 Use of uninitialized value $1 in concatenation (.) or string at lib/TWiki.pm
Item6240 unhelpful error message when sysCommand fails
Item6243 URLPARAM "empty or missing"
Item6251 CSRF vulnerability CVE-2009-1339: Possible to gain TWiki admin privileges with a specially crafted image tag

TWiki 4.3.2 Patch Release - Details

TWiki-4.3.2 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 18148 (2009-09-02)

Highlights

Enhancements

Item2927 Topic moved message too visible
Item6283 upgrade TinyMCEPlugin with latest tinyMCE WYSIWYG editor
Item6315 HeadlinesPlugin: New touch parameter for HEADLINES variable

Fixes

Item6253 SpreadSheetPlugin: $WORKINGDAYS is returning invalid results
Item6259 Prevent GUI-based rename of TWiki web and Main web
Item6267 FORMFIELD expands $title to field name if $title exists in field value
Item6295 Preferences for raw edit or WYSIWYG edit
Item6296 Crypt token based CSRF fix for TWiki
Item6308 viewfile adds trailing newline to attachments

Related Topic: TWikiHistory, TWikiInstallationGuide, TWikiUpgradeGuide

Topic revision: r3 - 02 Sep 2009 - 09:46:51 - TWikiContributor
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.TWikiReleaseNotes04x03