| [ Index ] |
|
Code source de GeekLog 1.4.1 |
1 GeekLog History/Changes: 2 3 Dec 31, 2006 (1.4.1) 4 ------------ 5 6 - Changed the default character set in config.php back to iso-8859-1 [Dirk] 7 - Removed display of the site URL from admin/sectest.php. On sites not installed 8 in the webroot, it did not display the site's actual URL, which only causes 9 confusion (reported by Dazzy) [Dirk] 10 - Fixed conflict between the Spam-X DeleteComment and SLVreport action 11 modules which prevented the count of deleted spams from being incremented 12 [Dirk] 13 - Fixed max. allowed length for a user's homepage (128) and location (96) in the 14 preferences/profile.thtml template file (reported by burjans) [Dirk] 15 - Fixed page title after a successful batch import of users (which read "Error") 16 [Dirk] 17 - Back in Geeklog 1.4.0, a counter was added to the Spam-X plugin to count all 18 deleted spam posts. The counter was only added in fresh installs of 1.4.0, 19 though, but not when upgrading from an earlier version. Fixed that [Dirk] 20 - In lists created from the Links and Calendar plugins, use "links-new-plugin" 21 as the CSS class name [Oliver] 22 23 - Updated Estonian language file, provided by Artur Räpp 24 - Updated Russian language file, provided by Alexander Yurchenko 25 - New Russian language file for the Calendar plugin, provided by Alexander 26 Yurchenko 27 - Updated Turkish language file, provided by Kemal Cellat 28 29 30 Dec 17, 2006 (1.4.1rc1) 31 ------------ 32 33 - Improved handling of UTF-8 feeds (feature request #631) [Mike, Dirk] 34 - Fixes for the remaining MS SQL issues (bugs #620, #621, #622, #624) 35 [Randy Kolenko, Dirk] 36 - Initialize SQL request arrays to prevent PHP errors (e.g. with static pages), 37 reported by ldfoo [Dirk] 38 - Escape the '#' sign in spam checks since we're using it as the separator 39 character for the regexp [Dirk] 40 - Mark Evans provided a set of patches that let plugins hook into the user 41 registration, story and comment submission as well as the contact user and 42 email story forms. These hooks can be used to add CAPTCHAs to those forms, 43 but may also come in handy for other plugin applications. 44 Also modified several template files to include a {captcha} variable to ease 45 installation of Mark's CAPTCHA plugin. 46 - Update the timestamp for the last run of PLG_runScheduledTask before calling 47 the function to minimize the risk of the call being triggered more than once 48 (bug #628) [Dirk] 49 - In a multi-language setup, allow one static page per language to take over 50 the index page (bug #625) [Dirk] 51 - sectest.php didn't perform the test for the install script and default 52 passwords on some setups (reported by Christian Weiske) [Dirk] 53 - Fixed "delete account" option (reported by Paul Lelgemann) [Dirk] 54 - Fixed counting of comments in several places where comments were counted 55 without taking the type of the parent object into account (e.g. when a story 56 and a poll happened to use the same id, their comment counts would have been 57 messed up) [Dirk] 58 - Editing a story did reset the trackback count (reported by T. Marquez) [Dirk] 59 - In the admin's story editor, set the debug option for the image upload only 60 when $_CONF['debug_image_upload'] = true (thus avoiding the "Warning: File #x 61 on the HTML form was empty" messages in error.log) [Dirk] 62 - Renamed [calendar:] autotag back to [event:] for backward compatibility. It 63 also makes more sense this way, since it does provide a link to an event, not 64 a link to a calendar (bug #619) [Dirk] 65 - Need to check if field 'etids' is NULL (for MySQL 4) for the Daily Digest 66 (bug #595) [Dirk] 67 - Removed the outer table from the layout and merged several style declarations 68 into the body-tag declaration [Oliver] 69 - The spam check for comment posts did not include the comment title (reported 70 by Laugh) [Dirk] 71 - When multi-language support is enabled, allow language-specific overrides 72 of the locale settings, e.g. $_CONF['date_en'] and $_CONF['date_de'] to 73 overwrite $_CONF['date'] depending on the current language [Dirk] 74 - When installing the Geeklog database using InnoDB tables, create a 75 'database_engine' entry in gl_vars, so that plugins know to use InnoDB for 76 their tables. Updated the bundled plugins to act accordingly [Dirk] 77 - DB_query will now (optionally) accept an array of SQL request strings from 78 which it will pick the one applicable for the currently used database type 79 [Vinny, Dirk] 80 - Provide some more meta information in header.thtml [Dirk] 81 + added optional {lang_id} variable and lang attribute 82 + added a hreflang attribute to the feed links 83 + added <link rel="home">, <link rel="search">, <link rel="contents"> links 84 (via the {rel_links} variable) 85 - COM_isFrontpage has been deprecated, as it had its return values inverted 86 (returns false when on the site's index page). Use COM_onFrontpage instead 87 from now on [Dirk] 88 - Fixed check for new stories from archive topic [Dirk] 89 - Call PLG_templateSetVars() from STORY_renderArticle() so we can have custom 90 variables in the story templates [Dirk] 91 92 - Updated Chinese language files (traditional and simplified), provided by 93 Samuel M. Stone 94 - Updated Japanese language files for Geeklog and all the plugins, provided 95 by the Geeklog Japanese group 96 - Updated Ukrainian language files (Windows-1251, KOI8-U, and UTF-8 encoding) 97 for Geeklog and all the plugins, provided by Vitaliy Biliyenko 98 99 100 Nov 5, 2006 (1.4.1b2) 101 ----------- 102 103 - Fixed potential SQL injection in the story editor preview (required Story 104 Admin permissions) [Dirk] 105 - Added multi-language support in static pages centerblocks and search [Dirk] 106 - When cloning a static page, keep the original's "wrap in a block" setting 107 [Dirk] 108 - Spam-X stats: Removed MT-Blacklist entry, added SLV whitelist entry [Dirk] 109 - Don't add empty "No Title" links in portal blocks when the feed has less than 110 the configured max. number of entries (bug #610) [Dirk] 111 - Added support for COM_mail to use a parm for a CC: distribution list [Blaine] 112 - Fixed bug #603, hardcoded mysql_error() [Oliver] 113 - Fixed bug #604, delete trackbacks of a story when story is deleted [Oliver] 114 - Allow users to switch the language again, even when the default character set 115 is not UTF-8. It is, however, not possible to mix UTF-8 and other charsets. 116 Also, "UTF-8" is not displayed in the language dropdown any more [Dirk] 117 - Corrected SQL for group counting in Admin menu for root admin to fix bug #573 118 [Oliver] 119 - Properly encode non-ASCII characters in email headers (subject, names), 120 loosely based on patch #489 and code from Cal Henderson's book [Dirk] 121 - Removed the Calendar styles and moved them to a dedicated file in the 122 plugin's directory [Oliver] 123 - Sorted all stylesheet definitions alphabetically and split semantics and 124 classes [Oliver] 125 - When making a topic the archive topic, update all existing stories in that 126 topic to "archived" status (and likewise revert that status if the topic 127 loses its archive topic status) [Dirk] 128 - Don't count archived stories as new stories in the What's New block [Dirk] 129 - Moved the defines for STORY_ARCHIVE_ON_EXPIRE and STORY_DELETE_ON_EXPIRE to 130 lib-story.php (from config.php) where they make more sense [Dirk] 131 - COM_getPermSQL was using the current user's group information when called for 132 another user. In Geeklog, this only happens for the Daily Digest, though 133 (bug #594) [Dirk] 134 - When comments are disabled for a story, don't show any existing comments in 135 the What's New block, in search results or via comment.php (bug #597) [Dirk] 136 - When trackbacks are disabled for a story, don't list any existing trackbacks 137 in the What's New block [Dirk] 138 - In the Admin's User Editor, disabled the checkboxes for the All Users, 139 Logged-in Users, and Remote Users groups to prevent accidental change of 140 group membership [Dirk] 141 - When deleting a topic, also delete all Trackbacks attached to stories in that 142 topic and update the Older Stories block and the feeds [Dirk] 143 - Fixed approve / delete of draft stories from moderation.php [Dirk] 144 - Strip blanks from the name of a PHP block function when saving a PHP block 145 [Dirk] 146 - Fixed / added multi-language support in the article directory, What's New 147 block, and the search for stories and comments [Dirk] 148 - Fixed an SQL error when changing a story's ID [Dirk] 149 - Call SET NAMES 'utf8' when using UTF-8 as the site's character set (with 150 MySQL), as pointed out by several people [Dirk] 151 - Removed wrong parameter when calling up the comment form again when the 152 comment's title was missing. This bug existed for both story and polls 153 comments. (bug #591) [Dirk] 154 - Users who were only in the Syndication Admin group didn't have access to 155 Command and Control (moderation.php) [Dirk] 156 - For Block, Group, Polls, Story and Topic Admins only display the number of 157 the respective entries they can actually see (instead of the number of all 158 entries, e.g. topics, in the system) [Dirk] 159 - Fixed highlighting parse error when the search term contained an apostrophe 160 (bug #590) [Dirk] 161 - Improved (and subsequently fixed) Pingback spam detection which now also uses 162 the $_CONF['check_trackback_link'] settings [Dirk] 163 - directory.php was still using $LANG30 instead of $LANG_MONTH (bug #583) [Dirk] 164 - When upgrading the database from 1.4.0, only update those plugins that are 165 actually installed (disabled or not) [Dirk] 166 - CSS Changes to support better scaling of Font size - using browser Text-Size 167 adjustment. Removed many extra font-size declarations. [Blaine] 168 - Don't allow viewing of a Banned user profile unless user admin [Blaine] 169 - Only call CUSTOM_loginErrorHandler when custom_registration is enabled 170 (bug #584) [Blaine] 171 - Fixed SQL error with some older MySQL versions when calling up the Batch User 172 Delete option [Oliver] 173 - Comments always displayed the comment author's full name, even when 174 $_CONF['show_fullname'] was set to 0 [Dirk] 175 - Fixed 404 (caused by a request for a file named '(none)') in the user profile 176 display when a user doesn't have a userphoto [Dirk] 177 178 - New Estonian language files for Geeklog and most of the plugins, provided 179 by Artur Räpp 180 - Updated Hebrew language file, provided by LWC 181 - Updated Japanese language files for Geeklog and all the plugins, provided 182 by the Geeklog Japanese group 183 - New Russian language files for the Spam-X plugin, provided by Pavel Kovalenko 184 - Updated Slovenian language files for Geeklog and all the plugins, provided 185 by gape 186 187 Calendar plugin 188 ------------ 189 - Created a dedicated stylesheet file and include the file only if the URL 190 contains the word 'calendar' [Oliver] 191 - Tweaked the Calendar search result listing: Removed the Event Description 192 (usually too long for the result listing), replaced Location (which is only a 193 part of the address and not very helpful) with Event Type, minimized Date & 194 Time display for events lasting only one day (don't list date twice) [Dirk] 195 196 Links plugin 197 ------------ 198 - Renamed classes block-vote-results to poll-vote-results and block-vote to 199 poll-vote [Oliver] 200 - Removed duplicate "Other" entry from the Link submission form [Dirk] 201 - In the Admin's list of links, only display an edit icon for links that the 202 current user can actually edit (they did get a proper error message when 203 trying to edit such a link, though) [Dirk] 204 - Don't return the number of links in the links submission queue if the 205 current user does not have links.moderate permissions [Dirk] 206 - Filter out special characters from link IDs. They were properly escaped 207 before storing them in the database but caused problems when using them 208 (bug #565) [Dirk] 209 210 211 Sep 17, 2006 (1.4.1b1) 212 ------------ 213 214 - Changes to templates and CSS to remove deprecated HTML (align= and valign=) 215 Removed un-used CSS declarations, redundant font-family declarations 216 Removed use of font-size percentage and used more acceptable EM units [Blaine] 217 - Don't display an "edit" link in a story if the current user doesn't have 218 edit permissions for the story's topic (bug #558) [Dirk] 219 - Added a new script to check the site's security (admin/sectest.php). This 220 replaces the "get bent" PHP block, but also performs additional checks [Dirk] 221 - Created a Batch Delete function for users that easily identifies inactive or 222 old users and allows mass-deletion of those [Oliver] 223 - Updated FCKeditor to version 2.3.1 [Blaine] 224 - Added ability to filter out Admin related groups on the Group Admin page 225 Allows users to easily see only user groups. When editing non-core groups, 226 You can select if this group is an Admin Group [Blaine] 227 - Added ability to multi-select submission queue items on the moderation page 228 and delete them all at once [Blaine] 229 - Always make "Submissions" the first entry in the Admins Only block to keep 230 the correspondence between the other entries and the icons on the moderation 231 page undisturbed (and because it's an important entry) [Dirk] 232 - Fixed 'emailstoriesperdefault' config option (bug #553) [Dirk] 233 - Added support for Microsoft SQL Server, provided by Randy Kolenko 234 - Introduced $_CONF['disallow_domains'] as a blacklist of domain names that are 235 not allowed for new users during signup. Both 'disallow_domains' and 236 'allow_domains' can also contain regular expressions [Dirk] 237 - Introduced DB_lockTable / DB_unlockTable to encapsulate the LOCK / UNLOCK 238 requests when updating the comments table [Dirk] 239 - Fixed bug: [#540] Blocking the last Root user or yourself should not be 240 possible [Oliver] 241 - Fixed bug: [#546] The phrase "Story Stats" is hardcoded [Oliver] 242 - Added a spam check to the email user form [Dirk] 243 - Use the same piece of code to compare plugin version numbers in lib-admin.php 244 and admin/plugins.php to avoid the "update" button not appearing for some 245 version numbers (bug #542) [Dirk] 246 - Re-implemented $_CONF['allow_domains'] whitelist (when the user submission 247 queue is enabled) that was inexplicably missing from 1.4.0 [Dirk] 248 - Merged User Preferences and Account information into one page, like the 249 Story editor with tabs etc. [Blaine, Oliver] 250 - Tried to make "3 new stories in the last 1 day" sound less awkward by going 251 back one unit, i.e. "3 new stories in the last 24 hours", in the What's New 252 block (likewise for 1 week, 1 month, etc.) [Dirk] 253 - Introduced config options to set the default for the story's draft flag 254 and frontpage option (feature request #163) [Dirk] 255 - Introduced $_CONF['hide_main_page_navigation'] to hide the "Google paging" 256 from index.php (may be useful for some layouts) [Dirk] 257 - Allow (optional) usage of autotags in "normal" blocks (can be enabled / 258 disabled per block) [Dirk] 259 - Introduced a {story_counter} variable in the story templates. It's 0 on the 260 article page and in previews, but 1 for the first story, 2 for the second, 261 etc. on the index page (per page, i.e. starts with 1 again on the second page) 262 [Dirk] 263 - Require that users enter their current password when changing their password, 264 email address or "Remember me for" setting. Redesigned the Account Information 265 page and added a note about this requirement. [Dirk] 266 - Prevent accidental banning of users when the Admin edits a user's information 267 using a theme that wasn't updated for Geeklog 1.4.0+ [Dirk] 268 - $_CONF['show_fullname'] now works as expected, i.e. when setting it to = 1, 269 a user's full name will be displayed everywhere in Geeklog instead of the 270 username (assuming the users entered their full name) [Dirk] 271 - Fixed a bug in the article directory where December was not listed when no 272 stories had been posted in that month (reported by Kino and Ivy of geeklog.jp) 273 - Replace Geeklog's [imageX] tags before extracting the What's Related links 274 from a story to prevent the (verbatim) tag to show up in the block [Dirk] 275 - Update story ids in the gl_trackback table when a story's id is changed [Mike] 276 - Implemented new plugin API function, PLG_spamAction, to perform the spam 277 actions in case spam has been detected through some other means (e.g. 278 trackbacks from sites that don't link back to us) [Dirk] 279 - Implemented new plugin API function, plugin_enablestatechange_, to inform 280 plugins when they are about to be enabled / disabled (Patch #405) [Dirk] 281 - Support backslashes in comment and submissions in HTML mode [Mike] 282 - Added breadcrumb functionality to the navbar class (v1.1) [Blaine] 283 - Enhancements to navbar templates and CSS for a more 3D TAB'ed look [Blaine] 284 - Changed several <table>s to <div>s + CSS in the Professional theme [Oliver] 285 - Introduced generic function to delete a user's photo to avoid code 286 duplication and slightly different error handling in various places [Dirk] 287 - Made the new user registration form remember the user's input so that they 288 don't have to retype everything in case of an error [Dirk] 289 - In the Admin's user list, banned users are indicated by striked-through 290 entries (based on a hack by Andy Maloney) [Dirk] 291 - Added new setting $_CONF['onlyrootfeatures']. This is for sites where two or 292 more story admins can feature stories that the other admins cannot see. The 293 setting prevents that one admin does not see that there is another recent 294 story featured and sets one by himself, "stealing" the feature from the other. 295 - Changed "Reply"-button to "Post a comment" [Oliver] 296 - Implemented an error handler to supress all PHP level errors and display a 297 much more userfriendly error text to the end user. Prevents all path exposure, 298 prevents "white error page" mystery debugging fun. [Mike] 299 - Full sweep of all code for $_REQUEST/$_GET/$_POST and $_COOKIE use. Made sure 300 that COM_applyFilter, or other safe usage is made of the variables. [Mike] 301 - Added an option to hide the "No News To Display" message on the index page 302 (new config option $_CONF['hide_no_news_msg']) [Dirk] 303 - Added an option to check if the sites sending trackbacks are actually linking 304 to our site (see $_CONF['check_trackback_link'] in config.php) [Dirk] 305 - Made it impossible to save two syndication feeds with identical filenames 306 [Oliver] 307 - Stories with comments/trackbacks disabled, do not show comment/trackback 308 url in RSS feeds [Mike] 309 - Added email confirmation fields for new user and usersettings [Oliver] 310 - Allow changing of group ownership for "gldefault" blocks. Requires a change 311 in admin/block/defaultblockeditor.thtml to enable the group dropdown. On a 312 fresh install, all the blocks (with the exception of "Are you secure?") are 313 now owned by the Block Admin group [Dirk] 314 - Users created by a User Admin should not be queued for approval, even when 315 $_CONF['usersubmission'] = 1 [Dirk] 316 - Introduced 'syndication.edit' permission and 'Syndication Admin' group so 317 that access to the Content Syndication panel no longer requires 'Root' 318 permissions [Dirk] 319 - For the "Submissions" entry in the Admins Only block, only count story and 320 event submissions when the current user has story.moderate or event.moderate 321 permissions, respectively [Dirk] 322 - On admin/moderation.php, list the stories that have their draft flag set only 323 when the current user has story.edit permission [Dirk] 324 - Fixed empty lines in a Group Admin's list of groups when that Group Admin 325 was not a member of all groups [Dirk] 326 - Renamed the misnamed CUSTOM_runSheduledTask function (in lib-custom.php) to 327 CUSTOM_runScheduledTask. Don't forget to make that change in your copy of 328 lib-custom.php if you're using that functionality! [Dirk] 329 - Improved error log contents when unable to acquire a feed reader for a portal 330 block. [Mike] 331 - Extended plugin API for feed extensions to include feed id and the topic (for 332 adding topic/feed specific data) [Mike] 333 - Don't attempt to rename a non-existing user photo when 334 $_CONF['allow_username_change'] is enabled (reported and fix suggested by 335 Yusuke Sakata) [Dirk] 336 - Made changes to ensure compatibility with MS SQL, as suggested by 337 Randy Kolenko [Dirk] 338 - The "last login date" column in the Admin's list of users now uses 339 $_CONF['shortdate'] so that it includes the year [Dirk] 340 - Fixed batch user import (which set all imported users to status "Awaiting 341 Authorization" instead of "Awaiting Activation") [Mike] 342 - Fixed admin lists google paging for use in static pages etc. [Oliver] 343 - Added support for a custom login error handler function, 344 CUSTOM_loginErrorHandler [Blaine] 345 - Format the user agent string according to the RFCs 1945 / 2068 / 2616, i.e. 346 "Geeklog/1.4.1" when trying to detect a Trackback URL [Dirk] 347 - Made the search option on the Admin pages behave like the site search, i.e. 348 it doesn't require you to pad queries with '*' any longer [Dirk] 349 - In story search results, show/hide the "Author" and "Views" columns based on 350 the $_CONF['contributedbyline'] and $_CONF['hideviewscount'] settings [Dirk] 351 - Introduced $_CONF['title_trim_length'] to make the max. title length of items 352 in the What's New block configurable (feature request #525). Also implemented 353 a new function COM_truncate (based on a patch by Yusuke Sakata) that properly 354 handles truncation of multi-byte text strings if the mb_ functions are 355 available [Dirk] 356 - Added a JavaScript confirmation box to most delete buttons/links. If you'd 357 rather not have such a confirmation, use {delete_option_no_confirmation} 358 instead of {delete_option} in the admin templates [Dirk] 359 - Fixed RSS Feed parser to create RFC 822 dates in en_GB or en_US locale as per 360 the RFC spec [Mike] 361 - Removed obsolete "do not use spaces" warning from user editor (bug #530) 362 [Dirk] 363 - Show fullname/username according to config.php settings in stories [Oliver] 364 - Added possibility to change the css-class for admin list headers and fields 365 [Oliver] 366 - Added unified new style class to stats.php/style.css to have all lists on 367 the page look the same [Oliver] 368 - Added multi-language support, based on earlier works by Euan McKay and LWC. 369 Also see http://wiki.geeklog.net/wiki/index.php/Multi-Language_Support 370 - Changed the default path for topic icons to /images/topics [Dirk] 371 - Fixed an SQL error when calling up the Admin's list of stories without any 372 topics [Dirk] 373 - Removed the public_html/portal.php script, as it is no longer needed [Dirk] 374 - Remove uninstalled plugins from the global $_PLUGINS array immediately 375 (just in case the array would be used to trigger any actions) [Dirk] 376 - The "Topic" column in the list of feeds was empty for feeds that are only 377 linked from a topic page [Dirk] 378 - Only use the mb_substr workaround in the calendar when the current character 379 set is UTF-8 (bug #524) [Dirk] 380 - Fixed SQL error on MySQL 5 when listing the members of a group (bug #527) 381 [Dirk] 382 - When emailing a story, don't include the text "Comment on this story at ..." 383 when comments have been switched off for that story [Dirk] 384 - Fixed wrong wording of some of the "access denied" messages when trying to 385 access Admin panels without proper privileges [Dirk] 386 - Fixed display of Admin block for users that only had certain Admin privileges 387 [Dirk] 388 389 - New Afrikaans language file, provided by Renier Maritz 390 - Updated Hebrew language file, provided by LWC 391 The Hebrew language file was also renamed to hebrew_utf-8.php for consistency 392 with the other UTF-8 language files. 393 - Updated Turkish language file, provided by Kemal Cellat 394 395 Calendar plugin (1.0.0) 396 --------------- 397 - Bugfix: Replace autotags in the event description [Dirk] 398 - Added an option to switch between 24 hour and 12 hour am/pm mode for entering 399 and editing events [Dirk] 400 - Implemented plugin_enablestatechange API function to enable/disable plugin 401 feeds and blocks when the plugin is enabled/disabled [Dirk] 402 - Added calendar plugin initial version [Oliver] 403 404 Links plugin (1.0.1) 405 ------------ 406 - Implemented plugin_enablestatechange API function to enable/disable plugin 407 feeds when the plugin is enabled/disabled [Dirk] 408 - Changed the english language file from "Web Resources" to "Links" 409 - Fixed hard-coded link to the "admin" directory when editing a link (reported 410 by Ronnie Rigl) [Dirk] 411 - Optimized SQL requests for the plugin's What's New section [Dirk] 412 - Re-introduced {button_links} header variable [Dirk] 413 - Added an option to hide the Top Ten Links on the first page [Dirk] 414 - Made the page title on the Web Resources page more informative by adding the 415 category and page number [Dirk] 416 - The edit icon (only visible for Links Admins) now uses the same image type 417 as the current theme (was previously hardcoded to "edit.gif") [Dirk] 418 - Hide the "Web Resources" link from the menu when login is required to see 419 the links (for consistency with the Polls plugin) [Dirk] 420 - Added a title attribute to the links on the site stats page that contains 421 the link's actual URL [Dirk] 422 - Fixed site link in search results which wasn't using portal.php [Dirk] 423 - The Admin's search option now also searches the link description [Dirk] 424 - Removed extra <small> tags from the What's New section (bug #526) [Dirk] 425 426 Polls plugin (1.1.0) 427 ------------ 428 - Fixed call to undefined function polllist when calling up a non-existing 429 poll [Dirk] 430 - Implemented plugin_enablestatechange API function to enable/disable the poll 431 block when the plugin is enabled/disabled [Dirk] 432 - Fixed search [Dirk] 433 - Added a remark field for polls answers [Oliver] 434 - Re-introduced {button_polls} header variable [Dirk] 435 - Added an option to hide the link to the polls from the menu (for consistency 436 with the Links plugin) [Dirk] 437 - Fixed poll URLs on the site stats page [Dirk] 438 - Remove the polls block when uninstalling the Polls plugin (another part of 439 bug #520) [Dirk] 440 441 Spam-X plugin (1.1.0) 442 ------------- 443 - Added SLV (Spam Link Verification) modules [Dirk] 444 - The MT-Blacklist modules are not being shipped with Geeklog any longer. The 445 MT-Blacklist entries are removed from the database during the upgrade [Dirk] 446 - Allow special characters (e.g. backslashes) in the Admin modules (e.g. the 447 Personal Blacklist module) [Dirk] 448 - Moved spam actions to plugin_spamaction_spamx API function [Dirk] 449 - Fixed potential problems with the checkforSpam function's return code in case 450 of unusual configurations (e.g. $_CONF['spamx'] = 0) [Dirk, Tom Willet] 451 - Made the plugin's internal log flag a proper config option. So you can now 452 disable logging to spamx.log from the plugin's config.php [Dirk] 453 - Mass delete by IP now uses stored IP address [Mike] 454 455 Static Pages plugin (1.4.3) 456 ------------------- 457 - Make sure autotags are replaced even when execution of PHP code is disabled 458 (reported by LWC) [Dirk] 459 - Added a help URL for the block display of static pages [Oliver] 460 - Added ability in staticpage editor to enable/disable Advanced Editor mode 461 so you can use FCKEditor and then if need basic html edit mode [Blaine] 462 - Fixed default sorting order for the list of static pages [Dirk] 463 - Allow to show/hide update date/time and hits [Oliver] 464 - When creating a new page, don't set the default group ownership to the Static 465 Page Admin group if the current user is not a member of that group. Instead, 466 pick a group with staticpages.edit permission that the user is a member of 467 [Dirk] 468 - Fixed paging for the list of static pages (bug #528) [Dirk] 469 470 471 July 23, 2006 (1.4.0sr5-1) 472 ------------- 473 474 This release fixes display problems in the comment preview that were only 475 introduced in Geeklog 1.4.0sr5 (as a result of the fix for the XSS). 476 477 The complete 1.4.0sr5-1 tarball also includes the following language files: 478 479 - New Afrikaans language file, provided by Renier Maritz 480 - Updated Hebrew language file, provided by LWC 481 - Updated Turkish language file, provided by Kemal Cellat 482 483 484 July 16, 2006 (1.4.0sr5) 485 ------------- 486 487 JPCERT/CC informed us about a possible XSS in the comment handling that we're 488 fixing with this release. 489 490 491 June 30, 2006 (1.4.0sr4) 492 ------------- 493 494 Two exploits have been released by "rgod" for insecure Geeklog installations 495 and for a bug in the "mcpuk" file manager that we've been shipping as part of 496 FCKeditor in all 1.4.0 releases. 497 498 - Some of the files outside of the public_html directory were not protected 499 against direct execution. If Geeklog was installed such that those files were 500 accessible from a URL (which has always been strongly discouraged in the 501 installation instructions) then those files could be used to load and 502 execute malicious code from a remote server. 503 504 More information: http://www.geeklog.net/article.php/so-called-exploit 505 506 In this release, we've added the missing execution prevention for all files 507 outside of public_html. We would still, however, suggest that you fix your 508 Geeklog install if the files outside of public_html are accessible from a URL. 509 510 - The "mcpuk" file manager that we've integrated into FCKeditor allowed the 511 upload of arbitrary PHP code (even if FCKeditor was disabled in Geeklog's 512 config.php). Depending on your webserver's configuration, it was then possible 513 to execute that uploaded code. 514 515 More information: 516 http://www.geeklog.net/article.php/exploit-for-fckeditor-filemanager 517 518 The file manager has been removed from this release. You will therefore no 519 longer be able to upload files, e.g. images, through FCKeditor. Future 520 versions of Geeklog will ship with an updated version of FCKeditor and its 521 included file manager. 522 523 524 May 28, 2006 (1.4.0sr3) 525 ------------ 526 527 The Security Science Researchers Institute Of Iran reported the following 528 security issues: 529 530 - Possible SQL injection and authentication bypass in auth.inc.php 531 - Possible XSS in getimage.php 532 - Path disclosure in getimage.php and the functions.php of some themes, 533 e.g. the Professional theme 534 535 An internal code review also revealed a possible SQL injection in story 536 submissions. 537 538 539 Mar 5, 2006 (1.4.0sr2) 540 ----------- 541 542 Security issues: 543 544 - Konstantin Dyakoff found an old bug in the session handling that would allow 545 anyone to log in as any user. 546 - HTML was not stripped from the Location field in a user's profile. 547 548 549 Feb 19, 2006 (1.4.0sr1) 550 ------------ 551 552 Security issues: 553 554 - James Bercegay of GulfTech Security Research reported several issues with 555 Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary 556 file access, and even injection and execution of arbitrary code. 557 558 Bugfixes: 559 560 - Fixed bug in page-break combined with url rewrite (bug #521) [Oliver] 561 - Fixed Story [page_break] showing only intro on first page [Oliver] 562 - Fixed install script for the Spam-X plugin which was trying to include an SQL 563 file that doesn't exist - and wasn't needed (part of bug #520) [Dirk] 564 565 - Updated Hebrew language file, provided by LWC 566 - New Russian language files for the Links and Polls plugins, provided by 567 Volodymyr V. Prokurashko 568 - Fixed Static pages dutch language file [Oliver] 569 - New Polish language file for the Links plugin, provided by Robert Stadnik 570 - Added UTF-8 English versions of the Links, Polls, Static Pages, and Spam-X 571 language files [Dirk] 572 - Added all UTF-8 Language files for core [Oliver] 573 574 575 Feb 5, 2006 (1.4.0) 576 ------------ 577 578 - Prevent execution of PHP code in "normal" blocks [Dirk] 579 - Added missing navbar images - used for CSS based buttons as part of the 580 standard Plugin CSS [Blaine] 581 - Set options in FCKConfig to have Firefox browsers by default not using the 582 <span> and font tags to format Bold and Italic [Blaine] 583 - Fixed another bug in google pagination of admin-lists [Oliver] 584 - Fixed "wrap static page in a block" and "exit type" options in the static 585 page editor. Also link to the "rewritten" URL from the list of static pages 586 when URL rewriting is on [Dirk] 587 - Fixed JavaScript error in the Admin's story editor (bug #479) [Dirk] 588 - Fixed hard-coded paths in the check.php script and added tests for missing 589 directories (reported by Markus Wollschlaeger) [Dirk] 590 - A humble attempt to add some semantics [Dirk] 591 + Added rel="category tag" to a story's topic link 592 + Added rel="self bookmark" for a comment's permalink 593 - Cosmetics: Moved the number of links per category out of the actual link to 594 the category [Dirk] 595 - On MySQL 5, the drop-down list of link categories presented to a user when 596 submitting a new link came out wrong (while the one in the Admin's link 597 editor worked just fine). Moved the working code into a new function in the 598 plugin's functions.inc and changed the code to use it in both cases now [Dirk] 599 - Fixed an SQL error when the "length of entries" field in the Feed Editor was 600 left empty [Dirk] 601 - Fixed date and time defaulting to the current date and time when creating 602 a new event as an Admin user (adding a workaround for changes of strtotime() 603 behavior in PHP 5) [Dirk] 604 - Fixed SQL error on MySQL 5 when creating a new topic (bug #517) [Dirk] 605 - In HTTP requests, format the user agent string according to the RFCs 1945 / 606 2068 / 2616, i.e. "Geeklog/1.4.0" [Dirk] 607 608 - Updated Japanese language files, provided by Yusuke Sakata 609 - Updated Ukrainian (Windows-1251) language file, provided by Vitaliy Biliyenko 610 611 612 Jan 22, 2006 (1.4.0rc2) 613 ------------ 614 615 - header.thtml now specifies the CSS Class Declaration to use for the body. 616 This addresses the issue with FCKEditor when displayed, its CSS was 617 over-riding the main site <body> tag and the site margin padding was being 618 affected [Blaine] 619 - Removed CSS for the Forum plugin from style.css [Blaine] 620 - Fixed "Cannot modify header ..." message when logging in from the admin 621 pages (reported by Samuel M. Stone). This also fixes confusing intermittent 622 displays during the login (e.g. only some of the "Command and Control" icons 623 showing up, messages about missing permissions flashing up) [Dirk] 624 - Removed Geeklog version number from feed files due to security concerns 625 (pointed out by Samuel M. Stone) [Dirk] 626 - Login through the admin pages didn't work with register_globals=off [Dirk] 627 - Fixed admin lists so pagination works also in static pages [Oliver] 628 - Pass GeekLog as user agent when fetching RSS feeds [Mike] 629 - Made the image upload work with out-of-the-box PHP 5 configurations [Dirk] 630 - Fixed handling of HTML entities in Pingbacks [Dirk] 631 - Fixed Spam-X Mass Delete Trackback Spam module to update the story's trackback 632 count when deleting trackbacks [Dirk] 633 - Fixed a possible SQL error when saving a block (reported by BDUB) [Dirk] 634 - Fixed story titles in the What's New block when they contained HTML entities 635 (entities where sometimes cut off and/or encoded twice) [Dirk] 636 - Fixed a typo in all the plugin install script which set the group description 637 to "grp_desc" instead of $grp_desc (found by Ingo Schaefer) [Dirk] 638 - Improved autodetect of Trackback URLs [Dirk] 639 - The submit story form was not selecting the advanced Editor if user was not 640 logged in or did not have Story Editor permissions [Blaine] 641 - Added missing CSS class name "list-feed" for portal blocks [Dirk] 642 - Fixed user submission queue (reported by Andrew Lawlor) [Dirk] 643 - Fixed handling of integer fields in the Admin's story editor (reported by 644 Ron Ackerman) [Dirk] 645 - Fixed handling of checkboxes in the static pages editor (reported by 646 Ron Ackerman) [Dirk] 647 - Fixed SQL error when saving a static page that had had more than 1000 hits 648 (reported by Euan McKay) [Dirk] 649 - Removed visible table border from advanced comment editor form [Blaine] 650 - Moved some hard-coded text strings from the advanced editor into the 651 language files [Blaine] 652 653 - Updated Chinese language files, provided by Samuel M. Stone 654 - Updated Japanese language files, provided by Yusuke Sakate 655 656 657 Dec 31, 2005 (1.4.0rc1) 658 ------------ 659 660 - Added support for Advanced Editor in the Add Comment Feature [Blaine] 661 - Fixed SQL error in search on MySQL 5 (fix suggested by dariball) [Dirk] 662 - Added trackback.php and pingback.php to the included robots.txt [Dirk] 663 - Added a few more calls to COM_numberFormat all over the place (links and polls 664 plugins, Admins Only block, ...) [Dirk] 665 - Fixed test for a Geeklog 1.3.9 database in the install script [Dirk] 666 - When emailing a story, make sure all fields are filled in [Dirk] 667 - Don't lose the current topic selection when a Story Admin uses the Contribute 668 link [Dirk] 669 - Fixed highlighting of search query in comments when register_globals = off 670 [Dirk] 671 - When the entries in the Admin's block are not sorted, make sure the icons in 672 Command and Control are in the same order as the block entries [Dirk] 673 - Allow topic icons to be uploaded to and retrieved from a 'topics' directory 674 outside of the document root [Dirk] 675 - Added a workaround to produce abbreviated day names in the calendar for UTF-8 676 language files (reported by Euan McKay) [Dirk] 677 - The Spam-X plugin now uses the same "universal" install script as the other 678 three preinstalled plugins [Dirk] 679 - Added more allowable HTML tags and attributes if Advanced_Editor enabled 680 config.php setting [Blaine] 681 - Added logic to detect if Javascript was not enabled and Advanced Editor was 682 enabled. 683 User will be prompted with alert and able to use the default editor [Blaine] 684 - Changed spam handling for Trackbacks and Pingbacks to check for spam on the 685 unfiltered Trackback/Pingback content [Dirk] 686 - When editing a link submission with a new link category (i.e. the submitter 687 selected "other" and entered a non-existing category), make sure that new 688 category actually shows up in the links editor [Dirk] 689 - In the Admin's list of stories, show the display name of the topic (i.e. the 690 same as in the Topics block) instead of the topic ID [Dirk] 691 - Hide the edit icon in the Admin's list of stories when the current user 692 doesn't have edit access to a story (since they only got a note saying they 693 can't edit that story anyway) [Dirk] 694 - Fixed alternating row colors in admin lists if one row has no data [Oliver] 695 - Made it impossible to switch off blocks if there is no access [Oliver] 696 - Fixed handling of items in the submission queues (it was only possible to 697 approve / delete the first item in a queue) [Dirk] 698 - Grant users with 'plugin.edit' permission access to the plugin editor [Dirk] 699 - Changed admin-lists 'default-filter' to require 'AND' [Oliver] 700 - Fixed admin lists for events & static pages for non-root users [Oliver] 701 - Fixed invalid language string in submit.php [Oliver] 702 - Fixed problems with the query highlighting code escaping double quotes [Dirk] 703 - In the list of plugins, display only the plugin's current version number as 704 long as it's in sync with the code version or the plugin hasn't implemented 705 the chkVersion API function [Dirk] 706 - Limit length of a new user's username to 16 characters in the 707 admin/user/edituser.thtml template file [Dirk] 708 - Don't display the current user's userphoto when creating a new user in 709 admin/user.php [Dirk] 710 - Fixed sanity checks in USER_addGroup and USER_delGroup [Trinity, Dirk] 711 - Allowed the Links-entry from the top menu to be hidden by config.php in links 712 [Oliver] 713 - Fixed small HTML validation issues with adv. editor and admin lists [Oliver] 714 - Fixed comment bug that allowed comments to be saved even when user did not 715 have the correct story/topic permissions. [Vinny] 716 - Send the character set as an HTTP header from COM_siteHeader now [Oliver] 717 - Fixed updating Links feeds [Mike] 718 - Corrected RSS handling of GUID or LINK [Mike] 719 - Fixed date format in Atom feeds [Mike] 720 - Fixed loss of sort setting when browsing the user list [Oliver] 721 - Fixed block title of the site stats (reported by Tom Willet) [Dirk] 722 - Fixed an SQL error when approving the default story submission ("Are you 723 secure?") after a fresh install (reported by suvi) [Dirk] 724 - Fixed warnings that exposed the full path to Geeklog when attempting SQL 725 injections on the advanced search [Mike] 726 - The "Mail Users" icon was missing from Command and Control [Dirk] 727 - In Command and Control, show the Trackback icon only when at least one of the 728 Trackback, Pingback, or Ping features is enabled (in addition to 'story.ping' 729 permissions for the current user) [Dirk] 730 - Replaced the delete_event.gif icon (in layout/professional/images/icons) with 731 a PNG, since the Professional theme uses PNGs now and the icon wouldn't show 732 up otherwise [Dirk] 733 - The block around the list of backups was missing the title [Dirk] 734 - Don't emit the Trackback and Pingback headers when trackbacks have been 735 disabled for a story [Dirk] 736 - Introduced {lang_trackback_comments_no_link} (in trackback/trackback.thtml) 737 so that you can have an article page entirely without links back to itself 738 (for picky spiders such as the one for Google News) [Dirk] 739 - Call COM_refresh when creating a user with usersubmission = 1 [Mike] 740 - Fixed sorting of Trackbacks in the What's New block [Dirk] 741 - The search by author or by date switched to searching for everything on 742 page 2 of the results [Dirk] 743 - For the Links plugin, the "last x days" text in the What's New block was 744 missing [Dirk] 745 - Fixed an SQL error when creating new blocks [Mike] 746 - The feed reader will now also follow redirects [Mike] 747 748 - Updated Chinese traditional and simplified language files, and new Chinese 749 language files for the Links, Polls, and Static Pages plugins, provided by 750 Samuel M. Stone 751 - German language files now exist in 4 combinations (formal / informal German, 752 ISO-8859-15 / UTF-8 encoding) for Geeklog, the Links, Polls and Static Pages 753 plugins [Dirk] 754 - Updated Japanese language files, provided by Yusuke Sakate 755 - New Ukrainian language files (Windows-1251) for Geeklog and all four plugins, 756 provided by Vitaliy Biliyenko 757 - New Ukrainian language files (UTF-8 and KOI8-U encoding) for Geeklog, the 758 Spam-X, and Static Pages plugins, provided by Yaroslav Fedevych 759 760 761 Nov 20, 2005 (1.4.0b1) 762 ------------ 763 764 - Introduced {start_storylink_anchortag} and {end_storylink_anchortag} template 765 variables in the story and commentbar template files which only produce a 766 link to the story when not on article.php, thus avoiding links back to the 767 article page itself, which the spider for Google News doesn't seem to like 768 (feature request #486) [Dirk] 769 - Added a workaround for image uploads using GD when ImageCreateTrueColor is 770 not available (patch #468) [Dirk] 771 - Allow a subject to be passed as a parameter for the "contact user" form 772 (based on patch #497) [Dirk] 773 - Added support for right-to-left languages (based on patch #488) [Dirk] 774 - Update Feeds and Older Stories block when changing topic settings [Dirk] 775 - Added a hits counter to events and added a Top Ten Events section to the 776 site stats [Dirk] 777 - Introduced $_CONF['show_topic_icon'], i.e. the default setting whether to 778 show topic icons or not [Dirk] 779 - The "Older Stories" block now only lists articles that appeared on the 780 frontpage (i.e. have not been set to "Show only in topic", bug #408) [Dirk] 781 - Fixed problems with query highlighting in stories scrambling links in 782 autotags (bug #492) [Dirk] 783 - Group names are now unique (as they should have been from the beginning). The 784 install script takes care of existing duplicate group names when upgrading 785 to 1.4.0 (bug #367) [Dirk] 786 - Allow for more topic IDs in the user's preferences (bug #490) [Dirk] 787 - Replace autotags in the Daily Digest (bug #484) [Dirk] 788 - Explicitly link to /docs/index.html for the documentation link in the Admin's 789 block (bug #504) [Dirk] 790 - Added an option to enable / disable trackbacks per story (just like you can 791 enable / disable comments per story) [Dirk] 792 - Changed COM_optionList to check for language arrays which override the text 793 strings that are embedded in the database (for comment mode, featured story, 794 post mode, etc.) Bug #227 [Dirk] 795 - Fixed Bug #174 -- quotes in titles are no longer double htmlentized [Vinny] 796 - The default permissions for new objects (stories, topics, blocks, etc.) can 797 now be set in config.php (feature request #90) [Dirk] 798 - Added an "Active users" entry to the site statistics. If Geeklog is configured 799 to track a user's last login, this will display the number of users who 800 logged into the site during the last 4 weeks. Otherwise, it displays the 801 number of user accounts with status = 3 (i.e. have logged into their account 802 at least once and haven't been banned) [Dirk] 803 - Introduced a new plugin API function so that the plugin's summary (e.g. 804 number of items) can be properly integrated with the "Site Stats" section. 805 Modified stats/sitestatistics.thtml, removed stats/stats.thtml, added 806 stats/singlesummary.thtml template files [Dirk] 807 - Introduced a generic function, USER_getPhoto, which provides the user's photo, 808 if available. The function also supports getting the user's avatar from 809 gravatar.com (if enabled in config.php) [Dirk] 810 - The texts in the What's New block ("x new stories in the last y hours", 811 "last 2 weeks", etc.) now properly reflect the actual settings of the 812 $_CONF['newXXXinterval'] variables (bug #390) [Oliver, Dirk] 813 - Introduced a method to signal a forced update for feeds in case the content 814 of one of the feed entries has changed - so far, we only checked if entries 815 had been added or removed (bug #277) [Dirk] 816 - Added $_CONF['show_right_blocks'] option which, if set = true, will display 817 right-side blocks on all pages (also addresses feature request #31) [Dirk] 818 - Fixed bug #454, SQL error when reading comments. [Vinny] 819 - Leave off the "page=1" parameter on the "Google paging" navigation bar for 820 links that point back to the first page [Dirk] 821 - The default feed for a new site is now in RSS 2.0 format and named 822 "geeklog.rss" [Mike, Dirk] 823 - Added time of the day to the name of the database backups to allow several 824 backups a day [Oliver] 825 - When the search returns no results, the search form is now pre-populated 826 with the last search query, so that it can be changed easily. On successful 827 searches, a "refine search" link will appear that also takes you back to a 828 pre-populated search form (to refine your search, obviously) [Dirk] 829 - Changed search to only return a certain amount of hits per page, thus 830 avoiding timeouts on servers where the script execution time is limited 831 (bug #274) [Dirk] 832 A new config variable, $_CONF['num_search_results'], defines the number of 833 search results to be returned per page (and per type). The search form also 834 includes a drop-down menu where this can be changed for every search. 835 Plugins will have to indicate if they support this "paged" search. Otherwise, 836 Geeklog will fake the paging for the plugin, so that the plugin does a full 837 search for every page, but Geeklog will only display the hits for the current 838 page (such a plugin can therefore still cause a timeout until it is changed 839 to support "paged" searching). 840 - Added a permanent link to comments (in the professional theme) [Vinny] 841 - Added new icons for the admin sections and made sure each admin section 842 now has an icon in admin/moderation.php [Dirk] 843 The new icons have been taken from the Gnome project (some of them modified 844 by Jakub Steiner). They are released under the GPL. 845 - Introduced global variable $_IMAGE_TYPE that specifies the image type to 846 use. Defaults to 'gif'. Themes can override it to use other images types, 847 e.g. PNG, for all images [Dirk] 848 - Added option to upload topic icons (Feature Request #415, Patch #423), 849 provided by Alford Deeley (machinari) 850 - Changed the Admin's "Command and Control" center such that there is an icon 851 for every entry in the Admin's block [Dirk] 852 - Removed duplicate code for creating a "topic SQL" query in moderation.php 853 (use COM_getTopicSQL instead) [Dirk] 854 - Added the ability to allow users to login via defined remote services (ships 855 with Blogger and LiveJournal support) [Mike] 856 - Added the ability to ban users, and to tell when a user has logged in at least 857 once [Mike] 858 - Added edit-icon, List-Sorting, searching, Limits & alternating row colors 859 in admin menus for groups, syndication, staticpages, trackback 860 (where not yet done) [Oliver] 861 - Added function to allow user-defined scaling of images in articles by using 862 [unscaledX] instead of [imageX] [Oliver] 863 - Removed $_CONF['whosonline_fullname'] option - use $_CONF['show_fullname'] 864 instead [Dirk] 865 - Fixed bug where extra slashes appeared when previewing comments [Vinny] 866 - Removed the "lastvisit" cookies, as they are obviously not used [Dirk] 867 - Removed redundant changepwd-button & code from /admin/user.php (Bug #9) 868 [Oliver] 869 - Added new feature to insert a feed-links into header depending on topic, to 870 be chosen from /admin/syndication.php in the form of 871 <link rel="alternate" type="application/{format}+xml" ....> [Oliver] 872 - Added options to google-Navigation so it can be used by plugins and work with 873 url-rewriting (feature request #315). [Oliver] 874 - Userlist now also shows Registration Date and if $_CONF['lastlogin']= true it 875 shows the last login date instead. [Oliver] 876 - Added option in config.php to hide "Viewed: x" line with 877 $_CONF['viewscountline'] just as the $_CONF['contributedbyline'] [Oliver] 878 - Added function COM_numberFormat to format displayed numbers with custom 879 decimal & thousand - separators and fixed decimal places if necessary 880 Includes the respecitve 3 new config.php values in locale section. 881 (Feature Request #298) [Oliver] 882 - Default Blocks showed always in all Topics before. Now you can choose to show 883 them in All/only one topic/only on homepage like other blocks (feature #326) 884 [Oliver] 885 - A Story can now break over several pages in the body-text. The tag 886 [page_break] will split the bodytext in pieces that can be opened with the 887 std. COM_printPageNavigation. Introtext is removed for pages>1 [Oliver] 888 - Added field for old password check in /usersettings.php (bug #230) [Oliver] 889 - Added password confirmation to /admin/user.php and /usersettings.php 890 (bug #230) [Oliver] 891 - Made the alternating row colors in the Admin's trackback functions compatible 892 with the scheme used in other places (list of users, etc.). Also changed the 893 list of weblog directory services so that editing is now done by clicking on 894 the number of the service [Dirk] 895 - Stories are no longer forced to be featured _and_ on frontpage (bug #362) 896 [Oliver] 897 - Changed links locations in User-list, added user-photo indicator [Oliver] 898 - Don't update a story's date any more when unchecking the 'draft' flag 899 (bug #400) [Dirk] 900 - Don't use "rewritten" URLs in the static pages editor any more (bug #403). 901 Also updated the list of static pages to use alternating colors for the 902 rows [Dirk] 903 - Use "\r\n" when sending trackback pings (bug #407) [Dirk] 904 - Allow autotags to optionally have a space after the tag name [Blaine] 905 Valid tags are: 906 [story:20040101093000103 here] or [story: 20040101093000103 here] 907 - Fixed inconsistent use of {site_url} and {layout_url} in some of the 908 professional theme's admin template files - using {layout_url} everywhere 909 now when referring to icons (bug #395) [Dirk] 910 - Event titles containing quotes were cut off at the first quote in the event 911 editor, i.e. both the admin's event editor and the editor for personal events. 912 (bug #399) [Dirk] 913 - Modified PLG_templateSetVars API to also check for a custom function [Blaine] 914 Users can now set header template using CUSTOM_templatesetvars() 915 - Added new CSS declarations as recommened CSS for plugins [Blaine] 916 - Added a basic scheduler Plugin API plugin_runScheduledTask [Blaine] 917 Interval is set in config.php - $_CONF['cron_schedule_interval'] 918 - Enhanced the Group Admin interface display [Blaine] 919 - Enhanced the User Admin display and made the headings sortable [Blaine] 920 - Geeklog will now properly handle html special characters (such as quotes and 921 ampersands) in comment titles (bug #174) [Vinny] 922 - Hide 'edit' option for articles in preview (bug #347) [Dirk] 923 - Changed admin/user.php to use file() for the batch import [Dirk] 924 - Implemented pinging weblog directory services like blo.gs and weblogs.com 925 (Feature Request #35). By default, we ping pingomatic.com [Dirk] 926 - Complete overhaul of the Plugin Comment API to reduce the likelyhood of 927 plugins introducing security problems. Older plugins that use the comment 928 API will no longer work. [Vinny] 929 - Refactored Comment code out of lib-common.php and into lib-comment.php, also 930 some changes to comment.php [Vinny] 931 - Introduced a 'story.ping' permission that enables users to send Pings, 932 Pingbacks, and Trackbacks for a story (or plugin item). Members of the Story 933 Admin group have that permission by default. 934 - Overhauled install script: It will now abort the installation if the minumum 935 requirements (PHP 4.1.0, MySQL 3.23.2) are not met. It also displays a warning 936 message if register_long_arrays is off (PHP 5 only, bug #360). Another 937 warning message is displayed if "public_html" is part of the URL. 938 When upgrading, it now tries to identify the Geeklog version that was used 939 previously (only really works for versions 1.3.8 - 1.3.11) [Dirk] 940 - Fixed date in comment preview (bug #370) [Dirk] 941 - Incorporated the new syndication framework for reading and writing feeds of 942 different formats (RSS, RDF, Atom), provided by Michael Jervis (patch #352). 943 This contribution also addresses Task #19 ("RSS import class") and Feature 944 Request #67 ("Limiting number of entries in RSS feeds"). 945 Please note that the feed writer classes, system/classes/*.feed.class.php, 946 are now obsolete and can be removed. Please also note this adds new PEAR 947 package requirements for Net_URL and HTTP_Request. 948 - Added support for sending and receiving trackback comments (Feature Request 949 #34) Also implemented Pingback support in pretty much the same way. Once 950 received, Geeklog treats Trackbacks and Pingbacks the same and stores them 951 in the gl_trackback table. [Dirk] 952 Both can be switched off in config.php: $_CONF['trackback_enabled'] = false; 953 and $_CONF['pingback_enabled'] = false; 954 - Added a new script, directory.php, that implements a date-based listing of 955 all the stories on a site [Dirk] 956 A link to the directory is available as a new option, 'directory', for the 957 $_CONF['menu_elements'] config variable, so that it can be added to the menu. 958 - The column headline for event search results was not displayed [Dirk] 959 - Added logos to syndication feeds. [Mike] 960 - Added config option to disable new accounts (Patch #426 from Alford Deeley) 961 [Mike] 962 - Alphabet Sort on Admin Menu and C&C Block [Mike] 963 964 - New Farsi (Persian) language file, provided by Hesam.H 965 - Updated Japanese language file, provided by Yusuke Sakata 966 967 - New Farsi (Persian) language file for the static pages plugin, 968 provided by Hesam.H 969 970 Links plugin 1.0.0 971 ------------ 972 - Added ID-editor and Autotags-feature [link: ... ] [Oliver] 973 - Added Category-Specific Feeds [Oliver] 974 - Added Edit-Icon, List-Sorting, searching, Limits & etc for admin menu [Oliver] 975 - Moved links functionality into a plugin [Trinity, Oliver] 976 977 Polls plugin 1.0.0 978 ------------ 979 - Polls moved to a plugin [Trinity] 980 981 Spam-X plugin 1.0.3 982 ------------- 983 - The LogView module now automatically truncates the Spam-X logfile to 100KB 984 [Tom Willet] 985 - The IP Blacklist module now supports regular expressions [Mike] 986 - Added a Mass Delete module for Trackback comments [Dirk] 987 - Added an "admin override" option, so that postings by members of the 'spamx 988 Admin' group will not be checked for spam [Dirk] 989 990 991 July 16, 2006 (1.3.11sr7) 992 ------------- 993 994 JPCERT/CC informed us about a possible XSS in the comment handling that we're 995 fixing with this release. 996 997 998 May 28, 2006 (1.3.11sr6) 999 ------------ 1000 1001 The Security Science Researchers Institute Of Iran reported the following 1002 security issues: 1003 1004 - Possible SQL injection and authentication bypass in auth.inc.php 1005 - Possible XSS in getimage.php 1006 - Path disclosure in getimage.php and the functions.php of some themes, 1007 e.g. the Professional theme 1008 1009 An internal code review also revealed a possible SQL injection in story 1010 submissions. 1011 1012 1013 Mar 5, 2006 (1.3.11sr5) 1014 ----------- 1015 1016 Security issue: 1017 1018 - Konstantin Dyakoff found an old bug in the session handling that would allow 1019 anyone to log in as any user. 1020 1021 1022 Feb 19, 2006 (1.3.11sr4) 1023 ------------ 1024 1025 Security issues: 1026 1027 - James Bercegay of GulfTech Security Research reported several issues with 1028 Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary 1029 file access, and even injection and execution of arbitrary code. 1030 - Prevent execution of PHP code in "normal" blocks 1031 1032 1033 Dec 12, 2005 (1.3.11sr3) 1034 ------------ 1035 1036 Security issues: 1037 1038 - Fixed comment bug that allowed comments to be saved even when user did not 1039 have the correct story/topic permissions (reported by LWC) [Vinny] 1040 - Fixed a path disclosure in case someone tampered with the start date or end 1041 date in advanced search (reported by r0t3d3Vil) [Mike] 1042 Feeding malformed dates to the search caused a warning message to be displayed 1043 that disclosed the path to the Geeklog install on the server. It was NOT 1044 possible to use this for SQL injections. 1045 1046 Bugfixes: 1047 1048 - Fixed the problems (introduced in 1.3.11sr2) editing static pages when 1049 $_CONF['url_rewrite'] = true (bug #491) [Dirk] 1050 - The "Reply" button didn't work when viewing individual comments [Vinny] 1051 - Fixed the definition of the 'expire' field (in table gl_stories), which 1052 caused an SQL error when doing a fresh install on MySQL 5 1053 (reported by Johannes) [Dirk] 1054 1055 - Fixed and updated the Hebrew language file [LWC, Dirk] 1056 - New Ukrainian language file (Windows-1251), provided by Vitaliy Biliyenko 1057 - New Ukrainian language files (UTF-8 and KOI8-U encoding) for Geeklog, the 1058 Spam-X, and Static Pages plugins, provided by Yaroslav Fedevych 1059 1060 1061 Oct 9, 2005 (1.3.11sr2) 1062 ----------- 1063 1064 This release provides security enhancements and better spam protection 1065 originally developed for Geeklog 1.3.12. It also addresses a few bugs where 1066 the bugfix could be integrated with a reasonable amount of work (other bugfixes 1067 will have to wait for the 1.3.12 release). 1068 1069 Security and Spam protection: 1070 1071 - Added speedlimit to login attempts, defaults to allowing three tries in a 1072 five minute period. [Vinny] 1073 See new config options $_CONF['login_attempts'] and $_CONF['login_speedlimit'] 1074 - Changed the spam handling to update the speed limit when spam is detected 1075 (i.e. handle spam posts as if they were successful posts and make the 1076 submitter wait for the speed limit to expire). Also send a 403 "Forbidden" 1077 HTTP response code when displaying the "spam detected" message [Dirk] 1078 To quote RFC2616: "403 Forbidden: The server understood the request, but is 1079 refusing to fulfill it. Authorization will not help and the request SHOULD 1080 NOT be repeated." 1081 - Filter linefeeds in the To:, From:, and Subject: fields of an email in 1082 COM_mail [Dirk] 1083 - When a new user account is created and the user submission queue is enabled 1084 in config.php, ensure that the user is properly "queued" even in the 1085 unlikely event that the account creation fails halfway through (reported by 1086 LWC) [Dirk] 1087 - When $_CONF['emailstoryloginrequired'] = 1, hide the links to the "email 1088 story" form from anonymous users [Dirk] 1089 - When emailing a story, check the user's message that is sent with the story 1090 for spam [Dirk] 1091 - Added a robots.txt file to the distribution. By default, it excludes 1092 comment.php, submit.php, and the docs directory from being spidered [Dirk] 1093 - Added a spam check to the user profile [Dirk] 1094 - Story, event, and link submissions are now also checked for spam [Dirk] 1095 - This release also includes the Spam-X plugin version 1.0.2 1096 1097 Please note that MT-Blacklist (used by Spam-X) has recently been discontinued. 1098 For the time being, we provide the last version of the blacklist for download 1099 from geeklog.net (the Spam-X plugin as included in this release is configured 1100 to get it from there for the initial import). There will, however, be no 1101 updates the blacklist. For details, please see 1102 http://www.geeklog.net/article.php/mt-blacklist-discontinued 1103 1104 Bugfixes: 1105 1106 - Fixed an error message thrown up by PHP 5.0.5 or later when viewing the 1107 article page (bug #483) [Dirk] 1108 - Fixed bug with topic-specific blocks not showing up on the article page when 1109 URL rewriting was enabled (bug #401) [Dirk] 1110 - Fixed missing site header when trying to submit an event without required 1111 fields. Also fixed that it would redirect you to the story submission form 1112 then (bug #409) [Dirk] 1113 - Make sure {menu_elements} is rendered using the menuitem_none.thtml template 1114 when no menu elements are to be displayed (bug #378) [Dirk] 1115 - Quote names in email addresses as soon as they contain any non-alphanumeric 1116 characters (apart from the blank). This also addresses bug #368 [Dirk] 1117 - Allow single quotes in passwords (bug #396, also previously reported as 1118 bug #349 / #996354) [Dirk] 1119 - When $_CONF['profileloginrequired'] was set to 1, the actual message that 1120 you have to log in before being able to see a user profile was not wrapped 1121 in the Geeklog framework (reported by Sean C) [Dirk] 1122 - Fix: Made a story's archive/expire date work with the timezone hack [Dirk] 1123 - COM_applyFilter will now accept negative numbers if the isnumeric parameter 1124 is true. Needed to fix problems with pollbooth.php (and others) [Vinny] 1125 - Upgraded included kses class to version 0.2.2 which fixes problems with 1126 Japanese and Thai characters (among other things), thus addressing bugs #94 1127 and #119 [Dirk] 1128 - Fixed SQL error when using the [staticpage:] autotag (bug #373) [Dirk] 1129 - Added a missing stripslashes call to remove backslashes when a topic's name 1130 was displayed in the index page's title (bug #369) [Dirk] 1131 - Link tags are now translated in printer friendly mode (Bug #411) [Mike] 1132 - Removed the <meta name="ROBOTS"> entry from the Professional theme's 1133 header.thtml as "INDEX,FOLLOW" is the default anyway. For finer control, 1134 we now ship a robots.txt [Dirk] 1135 1136 Improvements: 1137 1138 - Don't check for auto-archived stories when no archive topic has been 1139 defined yet [Dirk] 1140 - Added support for a custom_usercheck function. Custom registration code that 1141 requires certain information can now abort the creation of a new account if 1142 that information is missing. The function is called after Geeklog has checked 1143 that the username and email address of the new user are okay (valid and not 1144 in the database yet), but before the user has been added to the database 1145 [Dirk] 1146 - Saved one SQL request for a story's printable view [Dirk] 1147 1148 Language files: 1149 1150 - Made sure all language files refer to Geeklog's [image] tags as [imageX], 1151 [imageX_right], and [imageX_left] (bug #381) [Dirk] 1152 1153 - New Catalan language file, provided by an anonymous user 1154 - New Russian (UTF-8) language file, provided by Konstantin Boyandin 1155 - Updated Hebrew language file, provided by LWC 1156 - Updated Hellenic (Greek) language file, provided by MzOzD 1157 - Updated Italian language file, provided by Marcello Teodori 1158 - Updated Japanese (UTF-8) language file, provided by Yusuke Sakata 1159 - Updated Portuguese (Brazil) language file, provided by Alcides Soares Filho 1160 - Updated Russian language file, provided by Konstantin Boyandin 1161 1162 - New Japanese (UTF-8) language file for the Static Pages plugin, provided by 1163 Yusuke Sakata 1164 - Updated Italian language file for the Static Pages plugin, provided by 1165 Marcello Teodori 1166 - Updated Japanese language file for the Static Pages plugin, provided by 1167 Yusuke Sakata 1168 1169 1170 Aug 21, 2005 (Spam-X plugin 1.0.2) 1171 ------------ 1172 1173 - Changed the display name of the plugin to "Spam-X" to avoid potential 1174 confusion with the email spam filter of the same name. 1175 "SpamX" is a registered trademark of Hendrickson Software Components. 1176 - Added a new module to filter posts based on the IP address of the poster 1177 [Tom Willet] 1178 - Added a new module to filter posts based on the IP address of the 1179 spamvertised site [Tom Willet] 1180 - Added a new module to filter posts based on characteristics of the HTTP header 1181 [Dirk] 1182 - Fixed the Mass Delete Spam Comments module [Tom Willet] 1183 - The Spam-X plugin's examine modules run the post through html_entity_decode() 1184 now in case the spammers try to obfuscate their posts by using HTML entities 1185 [Tom Willet, Dirk] 1186 - The Mail Admin action module now also reports the HTTP headers of the post 1187 that triggered the spam filter [Dirk] 1188 - Added a simple stats function (reports the number of posts deleted as spam, 1189 and - to the Spam-X Admin only - the number of entries for each module) [Dirk] 1190 - Implemented an update function for the plugin [Dirk] 1191 1192 - New Farsi (Persian) language file, provided by Hesam.H 1193 - New Italian language file, provided by Marcello Teodori 1194 - New Spanish language file, provided by vivi1123 1195 1196 1197 Jul 3, 2005 (1.3.11sr1) 1198 ----------- 1199 1200 This release addresses the following security issue: 1201 1202 Stefan Esser found an SQL injection that can, under certain circumstances, 1203 be exploited to extract user data such as the user's password hash. 1204 1205 1206 Dec 31, 2004 (1.3.11) 1207 ------------ 1208 1209 Geeklog 1.3.11 addresses the following security issues: 1210 1211 1. It was possible to submit stories anonymously even if anonymous submissions 1212 were turned off in config.php (reported by Barry Wong). 1213 These stories still ended up in the submission queue, though, unless you 1214 disabled it in config.php. 1215 2. Some of the parameters in link and event submissions weren't filtered, 1216 leaving them open to potential SQL injections. 1217 3. The links for the What's Related block were created from the unfiltered story 1218 text, opening the possibility of XSS attacks (reported by Vincent Furia). 1219 1220 Bugfixes: 1221 1222 - Added a missing stripslashes() call for the topic name in the What's Related 1223 block (bug #351) [Dirk] 1224 (affected file: system/lib-story.php) 1225 - Fixed problems in the story editor when editing plain-text posts with 1226 uploaded images (bug #356) [Dirk] 1227 (affected file: public_html/admin/story.php) 1228 - When changing a story ID, update the story ID in any comments to that story, 1229 too (bug #357) [Dirk] 1230 (affected file: public_html/admin/story.php) 1231 - Fixed handling of autotags that started with the same substring, e.g. for 1232 2 tags 'mytag' and 'mytagtwo', the second tag would not be recognized 1233 (reported by Dr. Shakagee) [Dirk] 1234 (affected file: system/lib-plugins.php) 1235 - Fixed caching of $_GROUPS [Dirk] 1236 (affected files: system/lib-security.php, public_html/lib-common.php) 1237 - Made a minor optimization to save one SQL request when displaying the comment 1238 bar for anonymous users [Dirk] 1239 (affected file: public_html/lib-common.php) 1240 - Updated Slovenian language file, provided by gape. 1241 (affected file: language/slovenian.php) 1242 1243 1244 Dec 22, 2004 (1.3.11rc1) 1245 ------------ 1246 1247 - Fixed "archive" option being activated too early on certain non-featured 1248 stories (bug #345) [Blaine] 1249 - Added missing handling of autotags in static pages being displayed as center 1250 blocks (reported by Jill) [Dirk] 1251 - Fixed size of the 'sid' field in the gl_comments table. It should be 40 1252 characters, to be able to hold the long story IDs introduced in 1.3.10 1253 (reported by Douglas Santos) [Dirk] 1254 - When using mogrify (ImageMagick) to resize uploaded images, the name of the 1255 image is now enclosed in double quotes instead of single quotes, which 1256 caused the command to fail on Windows [Dirk] 1257 - The emails sent from the Spam-X plugin's MailAdmin action now also include 1258 the IP address of the spam poster [Dirk] 1259 - SEC_getFeatureGroup() should not overwrite $_GROUPS if not operating on the 1260 current user (bug #331) [Dirk] 1261 - Introduced a {camera_icon} variable in story and comment templates that 1262 displays the little camera icon if the author has uploaded a user photo, just 1263 like in the Who's Online block (suggested by Laurence Whitworth) [Dirk] 1264 - The parent link in top-level comments took the user to the homepage rather 1265 than to the article page (bug #346) [Vinny] 1266 - Stories submitted for the archive topic will automatically be saved with 1267 frontpage = 0 when approved, i.e. only be displayed in the topic [Dirk] 1268 - Avoid emitting an extra <br> tag after the last section in the What's New 1269 block (bug #330) [Dirk] 1270 - Update comment count in Older Stories block when a new comment is posted 1271 (bug #317). Also optimized the code to collect the contents of the Older 1272 Stories block [Dirk] 1273 - Fixed extra <br> being emitted in the calendar for events that aren't 1274 visible for the current user (bug #268) [Dirk] 1275 - (Event) Admins can now delete events directly from the calendar's day and 1276 week views (just like events in the personal calendar) [Dirk] 1277 - Fixed usersettings.php so that it displays the "benefits" message again when 1278 called up by an anonymous user. Also made it go to the user's preferences 1279 when called without a 'mode' parameter [Dirk] 1280 - Added {layout_url} to the available theme variables in the submission forms. 1281 Also added {separator} for those who prefer correct spelling ;-) [Dirk] 1282 - More parameter filtering and permission checks in submit.php [Dirk] 1283 - Fixed over-zealous parameter filtering in links.php which prevented 1284 categories with apostrophes from working [Dirk] 1285 - Fixed broken URLs when editing a plain-text story that contained uploaded 1286 images (reported by LWC) [Dirk] 1287 - The PEAR classes that ship with Geeklog actually require PHP 4.2.x now. 1288 However, the missing functions in older PHP versions (minimum requirement 1289 for Geeklog itself is now PHP 4.1.0) are provided by the PEAR PHP_Compat 1290 package, which we will have to ship with Geeklog from now on. Added the 1291 necessary code to lib-common.php to load PHP_Compat, if required [Dirk] 1292 Many thanks to Tom Willet for providing a test setup. 1293 - Fixed "quick add form" for personal events, so that it stores the new event 1294 directly now [Dirk] 1295 - Fixed handling of 12am/pm in events, event submissions, and when passing the 1296 time from the calendar to the event submission forms [Dirk] 1297 - Improved handling of personal events / personal calendar, especially for 1298 (Event) Admins [Dirk] 1299 - Fixed What's Related links when magic_quotes_qpc = on [Vinny, Dirk] 1300 - Fixed use of an undefined variable $U in COM_showBlocks and warning messages 1301 for undefined array indexes in COM_getCurrentURL (reported by irawen) [Dirk] 1302 - Allow empty search query strings so that the "More by <author>" and "More 1303 from <topic>" options work again [Dirk] 1304 - When deleting a poll, also delete any comments to that poll [Dirk] 1305 - Delete comments and story images when deleting stories from a deleted topic 1306 (bug #339) [Dirk] 1307 - When deleting a story, added an extra check for type='article' when deleting 1308 the story's comments [Dirk] 1309 - Set current user as the owner when cloning an event (bug #338) [Dirk] 1310 - Start time, end time, and event location weren't copied over when adding a 1311 site event to the personal calendar (bug #336) [Dirk] 1312 - Fixed wrong use of htmlentities() on comment title (bug #335) [Dirk] 1313 - Changed "read more" word count so that it ignores HTML tags (bug #333) [Dirk] 1314 1315 - Updated Slovenian language file, provided by gape. 1316 - Updated Dutch language file, provided by Ko de Pree. 1317 - Updated Dutch language file for the Static Pages plugin, 1318 provided by Ko de Pree. 1319 - New French language files for the Spam-X plugin, provided by Alain Ponton. 1320 1321 1322 Nov 28, 2004 (1.3.10) 1323 ------------ 1324 1325 - Allow omission of the link text for the [story:], [event:], and [staticpage:] 1326 autotags. Geeklog will then use the title (of the story / event / static page) 1327 as the link text [Dirk] 1328 (affected files: system/lib-plugins.php, plugins/staticpages/functions.inc) 1329 1330 - Updated Chinese language files (all 4 of them), provided by Samuel M. Stone 1331 1332 1333 Nov 21, 2004 (1.3.10rc3) 1334 ------------ 1335 1336 - Changed wording of the error message if the "backups" directory is not 1337 writable [Dirk] 1338 - Fixed comments for the DB_result (in lib-database.php) and dbResult 1339 (in mysql.class.php) functions (bug #320) [Dirk] 1340 - Display a success message when using the "changepw" option in admin/user.php 1341 [Dirk] 1342 - When changing a username, make sure to change the name of the user's photo, 1343 too (bug #321) [Dirk] 1344 - Links in "plain text" stories and comments are now made clickable (i.e. 1345 enclosed in <a> tags) when the post is saved instead of when it's displayed, 1346 as in the previous release candidates. This also fixes bug #308. [Dirk] 1347 - Added $_CONF['disable_autolinks'] config option to disable autolinks [Dirk] 1348 - Removed ViewBlacklist.Admin.class.php from the Spam-X plugin [Tom Willet] 1349 - Overhauled handling of personal events [Dirk]: 1350 + Fixed deleting personal events (again). 1351 + The upcoming events block now links to the event details of personal 1352 events (just like it already did for site events). 1353 + Added stricter checks for permissions, user IDs, and the personal calendars 1354 being activated in the first place. 1355 - Added a check for allow_url_fopen if reading a (RSS) feed fails and report it 1356 in error.log if it is off [Dirk] 1357 - When deleting a story (automatically), make sure we're only deleting comments 1358 belonging to that story (i.e. added a check for type = 'article') [Dirk] 1359 - Added {event_type}, {lang_event_type}, and {edit_icon} in all the themes' 1360 calendar/eventdetails.thtml template file [Dirk] 1361 - Fixed some URLs in the calendar (missing slash) [Dirk] 1362 - Comment IDs don't have to be numeric (in comment.php) [Vinny] 1363 - The Static Pages plugin now takes $_CONF['showfirstasfeatured'] into account 1364 when displaying static pages in center blocks (reported by eyecravedvd) [Dirk] 1365 - Forgot to declare $_CONF as global when fixing bug #301 (bug #302) [Dirk] 1366 1367 - Updated Chinese language files (all 4 of them), provided by Samuel M. Stone 1368 - Updated Japanese language files (euc-jp and UTF-8), provided by Yusuke Sakata 1369 - Updated Polish language file, provided by Robert Stadnik 1370 - Updated Slovenian language file, provided by gape 1371 - Updated Spanish language file, provided by Angel Romero 1372 - Updated Swedish language file, provided by Markus Berg 1373 1374 1375 Oct 24, 2004 (1.3.10rc2) 1376 ------------ 1377 1378 - Fixed plugin update function [Blaine] 1379 - Set the target encoding in Geeklog's RSS parser (bug #301) [Dirk] 1380 - Set the {topic_icon} variable to an empty string for the "Home" link in the 1381 Topics block (reported by jhwhite) [Dirk] 1382 - Fixed News Box Configuration, i.e. the ability to disable blocks [Vinny] 1383 - In the story template files, the number of comments now only is a link when 1384 there actually is a comment on the story [Dirk] 1385 - Hard-coded the English word 'delete' in the URLs to delete a comment [Dirk] 1386 - For the list of a user's recent comments, use 'mode=view' to link directly 1387 to a comment now [Dirk] 1388 - Fixed comment id in comment notification emails [Dirk] 1389 - Fixed display of the number of static pages that the user has access to (in 1390 the Admin Block) [Dirk] 1391 - COM_makeClickableLinks did not recognize links with the 'http:' at the 1392 start of a line [Dirk] 1393 - Re-introduced <br> between plugin sections in the What's New block, pretty 1394 much reverting the change suggested by feature request #292 [Dirk] 1395 - Introduced function COM_formatEmailAddress that creates a (more or less) 1396 RFC(2)822 compliant email address from a name and an address [Dirk] 1397 This function is now used for formatting the site address, as well as for 1398 addresses entered by the user in profiles.php and admin/mail.php. 1399 - The Spam-X plugin's MailAdmin action didn't send any email notifications, 1400 since the call to COM_mail was commented out ... [Dirk] 1401 - admin/mail.php and admin/group.php use the complete URL to the script in 1402 the <form action="..."> now (instead of relying on PHP_SELF) [Dirk] 1403 - Fixed parse error in the Dutch language file (reported by NeoNecro) [Dirk] 1404 - Allow the dot '.' in IDs (in addition to letters, digits, the dash, and the 1405 underscore) [Dirk] 1406 1407 1408 Oct 17, 2004 (1.3.10rc1) 1409 ------------ 1410 - Added new functionality to [autotags] - New plugin API's added [Blaine] 1411 - Added [autotag] hooks for stories [Bline] 1412 - When a plugin had its icon only in the admin directoy, the plugin editor 1413 did not find it and displayed a generic icon instead [Dirk] 1414 - In admin/mail.php, apply htmlspecialchars() on the email addresses before 1415 displaying them, as the '<foo@example.com>' part will be interpreted as 1416 HTML by some browsers (pointed out by LWC) [Dirk] 1417 - When using gdlib for image resizing, GIF images were converted to PNG, but 1418 Geeklog was still trying to display the GIF (reported by Tom Willet). Since 1419 the LZW patent has now expired (see http://www.unisys.com/about__unisys/lzw), 1420 it is safe to use GIF images again, so the PNG conversion was dropped [Dirk] 1421 - Fixed link to the Anonymous user's profile in comment/thread.thtml [Dirk] 1422 - Added Location field to the user profile [Blaine] 1423 - In the light of bug #293, removed all variable names from the language files, 1424 leaving only the $_CONF config variables [Dirk] 1425 - Fixed an error message when plugins didn't return an array from 1426 plugin_getmenuitems_xxx (reported by computerade) [Dirk] 1427 - When sending emails from the admin/mail.php, some user's names weren't set 1428 in their email address (reported by LWC) [Dirk] 1429 - Removed an extra <br> from before and between data provided by plugins in 1430 the What's New block (feature request #292) [Dirk] 1431 - When creating a new user from admin/user.php, don't determine the uid before 1432 actually creating the database entries to avoid race conditions / collisions 1433 with other user accounts created at the same time (bug #243) [Dirk] 1434 Also took the opportunity to refactor and move the almost identical code 1435 from users.php and admin/user.php into a new function USER_createAccount in 1436 system/lib-user.php. 1437 - usersettings.php was missing a default case for unsupported values of 'mode' 1438 (bug #287). This only displayed a blank page and was not exploitable [Dirk] 1439 - Fixed hard-coded default group names in the Admin sections (e.g. when a user 1440 had story.edit permissions but was not in the Story Admin group, any new 1441 story created by that user would default to being owned by the Story Admin 1442 group nonetheless) [Dirk] 1443 - Introduced new plugin API functions plugin_user_changed_xxx and 1444 plugin_group_changed_xxx to inform plugins when a user's information 1445 (profile or settings) or a group (new, edit, delete) has been changed [Dirk] 1446 - COM_checkHTML and COM_allowedHTML now accept an additional parameter in form 1447 of a comma-separated list of permissions. If the current user has at least 1448 one of those permissions, they are assumed to be an "Admin" and the functions 1449 will use the $_CONF['admin_html'] list of HTML tags for them (bugs #114 and 1450 #118) [Dirk] 1451 - COM_allowedHTML now has an option to only return the list of allowed HTML 1452 tags without the "Allowed HTML" text (bug #118) [Dirk] 1453 - For the poll block, always use the block title stored in the database (bug 1454 #205) [Dirk] 1455 - It is now again possible to have a different number of stories per page 1456 for individual topics. Users have to set their preferred number of stories 1457 per page to 0 (zero) in their preferences, though, as the user preferences 1458 will always override this setting (bug #190) [Dirk] 1459 - The Professional theme, kindly provided by Victor B. Gonzalez, is our new 1460 default theme now. 1461 - In the calendar's day and week view, event permissions weren't checked 1462 properly, so that some events were displayed to user who shouldn't have 1463 been able to see them (reported by Willem Jan) [Dirk] 1464 - Don't update a story's hit counter as long as the draft flag is set or the 1465 publishing date is in the future (feature request #282) [Dirk] 1466 - Introduced new function COM_sanitizeID() to filter special characters out of 1467 user-editable IDs as used for stories, polls, topics, and static pages (also 1468 fixes bug #181). Allowed characters are letters a-z (both upper and lower 1469 case), digits 0-9, the dash '-', and the underscore '_' [Dirk] 1470 - The Upcoming Events block didn't use the help URL, even if it was set 1471 (reported by Wolfgang M. Schmitt) [Dirk] 1472 - Geeklog now comes with Tom Willet's Spam-X plugin pre-installed. The plugin 1473 now stores the blacklists in the database and uses a new plugin API 1474 function to filter comment posts [Tom Willet, Tony, Blaine, Dirk] 1475 - Plugins can now offer their own tags to allow easy linking to their content. 1476 These tags take the form [name:id link text], where 'name' is a name 1477 associated with the plugin, 'id' is a unique id referring to one of the 1478 objects under the plugin's control, and 'link text' is text used in the <a> 1479 tag that Geeklog creates from these tags. 1480 Built-in tags are [story:] to link to a story and [event:] to link to an 1481 event [Blaine, Dirk] 1482 Example: [story:email-bug About the email bug] would be translated into 1483 <a href="http://example.com/article.php/email-bug">About the email bug</a> 1484 - portal.php now sends a 301 HTTP status code for the links instead of a 302. 1485 While a 302 status code would actually make more sense, Google does have a 1486 tendency to list search results with the URL of the portal script but with 1487 the content of the linked site, thus giving the impression that the content 1488 is actually located on another site. Sending a 301 avoids this problem [Dirk] 1489 - Group Admins should not even see the groups of which they are not a member 1490 (bug #280) [Dirk] 1491 - Prevent Group Admins from listing the members of a group unless they are a 1492 member of that group themselves [Dirk] 1493 - Introduced $_CONF['left_blocks_in_footer'] config option that makes the 1494 {left_blocks} variable available in footer.thtml (disabling it in header.thtml 1495 at the same time). This is really only useful for two-column layouts where 1496 you want the side blocks in the right column [Dirk] 1497 - Polls linked from the stats page now display the result of the poll instead 1498 of letting the user vote on them (feature request #267) [Dirk] 1499 - In the Admin's list of events and stories, don't list items for which the 1500 Admin doesn't have read access (bug #269). [Dirk] 1501 - Story IDs are now editable (just like the IDs of static pages). [Dirk] 1502 Important: Update the story editor template (admin/story/storyeditor.thtml)! 1503 - Fixed a bug that reset every user's password request as soon as some user 1504 changed their account information (bug #265) [Dirk] 1505 - Added support for URL rewriting to portal.php [Dirk] 1506 - The links for the What's Related block are stored in the 'related' field in 1507 the gl_stories table again. Parsing the story for links every time it is 1508 rendered uses too much CPU power (with apologies to groklaw.net) [Dirk] 1509 - Added theme variable {story_link} to commentbar.thtml to link back to original 1510 story the comments are derived from. [Vinny] 1511 - Introduced new file system/lib-story.php for story-related functions and 1512 moved COM_article, COM_whatsRelated, COM_extractLinks, as well as the code 1513 to delete article images into that file (functions were renamed accordingly: 1514 STORY_renderArticle, STORY_whatsRelated, STORY_extractLinks) [Dirk] 1515 - Fixed URLs to userphotos and story images when $_CONF['path_images'] had been 1516 changed (but was still inside of $_CONF['path_html']) [Dirk] 1517 - Added a script to convert an existing database to InnoDB tables (if the MySQL 1518 version supports them): admin/install/toinnodb.php [Dirk] 1519 - Added missing closing </a> tag in story search results (bug #260) [Dirk] 1520 - Added a second parameter to function COM_makeList that is used as a CSS 1521 class name in the list it returns (use {list_class_name} to get the actual 1522 class name, and {list_class} to get class="classname"). Changed the existing 1523 calls to COM_makeList to include class names, so that you can now use the 1524 following class names in your stylesheet to style lists: list-feed, 1525 list-new-comments, list-new-links, list-new-plugins, list-older-stories, 1526 list-personal-events, list-site-events, list-story-options, list-whats-related 1527 (the names should be self-explanatory) [Dirk] 1528 - Moved the docs directory to public_html/docs and added a link to it from the 1529 Admin's block (can be switched off in config.php by setting the new option 1530 $_CONF['link_documentation'] = 0) [Dirk] 1531 - Replaced 'ppmtojpeg' with 'pnmtojpeg' when using NetPBM for scaling 1532 uploaded JPEG images (bug #257) [Dirk] 1533 - Added a check (and a warning message) for PHP 4.1.0 to the install script, 1534 as that is our new minimum requirement [Dirk] 1535 - Rewrote install/success.php and added a link to install/check.php [Dirk] 1536 - Added the 'data' and 'pdfs' directory to install/check.php [Dirk] 1537 - Integrated the "welcome email hack": If the file 'welcome_email.txt' exists 1538 in the 'data' directory, the contents of that file are sent out as the 1539 welcome email to new users (instead of the hard-coded welcome message) [Dirk] 1540 - Introduced a 'data' directory ($_CONF['path_data'], defaulting to 1541 /path/to/geeklog/data) and use it for the batch user import, as Geeklog's 1542 base directory may not be writable on some setups (bug #77) [Dirk] 1543 - Sort list of older polls by date (newest first) and added paging [Dirk] 1544 - Make sure the old userphoto is deleted when uploading a new one (bug #228). 1545 So far, the old photo was not removed when the file type changed (e.g. from 1546 .gif to .jpg) [Dirk] 1547 - Don't assume the uploaded file in usersettings.php is always the userphoto - 1548 it may in fact belong to a plugin (bug #179). This bug prevented plugins from 1549 uploading their own files through the plugin API [Dirk] 1550 - Fixed repeating events in the personal calendar's day view (bug #232) [Dirk] 1551 - COM_siteHeader() now accepts a page title (to go between the page's 1552 <title>...</title> tags) as the second parameter, replacing the 1553 $_CONF['pagetitle'] hack (which still works but should be avoided) [Dirk] 1554 - In the site's page title, replace the site slogan with more meaningful 1555 information, where possible, e.g. "Submit a Story" on the story submission 1556 form, "Search Results", etc. (feature request #95) [Dirk] 1557 - Fixed deleting events from the personal calendar (bug #199) [Dirk] 1558 - Carry over the date and time from the calendar when Admins add a new event 1559 (bug #132) [Dirk] 1560 - Don't display "Site Events" headline in the Upcoming Events block when 1561 personal calendars are off (feature request #151) [Dirk] 1562 - Removed hard-coded am/pm formatted hours from the calendar's day view 1563 (calendar/dayview/dayview.thtml) and replaced them with {xx_hour} variables, 1564 where 'xx' is 0-23, which will be replaced with the hours formatted 1565 according to the $_CONF['timeonly'] config variable [Dirk] 1566 - Themes can now use a couple of CSS class names to style the small calendar (of 1567 the previous and next month) in month view: .smallcal, .smallcal-headline, 1568 .smallcal-week-even, .smallcal-week-odd, .smallcal-week-empty, 1569 .smallcal-day-even, .smallcal-day-odd, and .smallcal-day-empty [Dirk] 1570 - Improvements to the Story Archive Feature, UI tweaks, Language Extraction, 1571 Added new field to the topics table. Admin now sets the archive topic in 1572 the Topic Editor. Only one topic can be used - logic enforced. [Blaine] 1573 - Don't emit the <br><br> in article.php when the story's body text is empty 1574 (based on patch #147, provided by Andy Maloney) [Dirk] 1575 - Set {article_url} variable when displaying the story in article.php [Dirk] 1576 - Fixed missing </select> tags for the comment display mode and sort order 1577 drop-down menus in usersettings.php (patch #255, provided by machinari) [Dirk] 1578 - Hard-coded the names of the pseudo image tags in story.php, i.e. they are 1579 always [imageX], [imageX_left], and [imageX_right] now, independent of 1580 the current language file (bug #139) [Dirk] 1581 - Added the Auto-Archive Management feature. Optionally allows the Story Editor 1582 to archive or delete a story when the expire date is reached [Blaine] 1583 - Improved the commentbar to logically support comments viewed from comment.php 1584 [Vinny] 1585 - Removed a bug in comment.php that allowed a story/comment mismatch during 1586 display. This was not exploitable. [Vinny] 1587 - Integrated the timezone hack to compensate for time differences when your 1588 webserver is located in another timezone (original timezone hack by Yew Loong, 1589 with additions by "Joe" as well as several other geeklog.net users) [Dirk] 1590 - The calendar can now be configured so that the week starts on either a 1591 Sunday or a Monday - see new config variable $_CONF['week_start'] 1592 (based on a patch by bond_anton) [Dirk] 1593 - Sort the admin's list of events by date (newest first). Also added paging, 1594 a row number and parameter filtering. Paging and the row number require 1595 theme changes in admin/event/eventlist.thtml and listitem.thtml [Dirk] 1596 - Incorporated a patch provided by Drago Goricanec to sort the Admin's user 1597 list by uid [Dirk] 1598 - Introduced 2 config options for the Who's Online block: 1599 - $_CONF['whosonline_fullname'] will display the user's full name, 1600 - $_CONF['whosonline_anonymous'] does not display the names of registered 1601 users to anonymous visitors of the site. 1602 Both options are disabled by default [Dirk] 1603 - Added support for single quotes and nested tags to COM_extractLinks [Vinny] 1604 - The admin_html and user_html are now merged recursively (bug #240) [Vinny] 1605 - Remove colons from email addresses, as they have a special meaning, 1606 according to RFC(2)822, that we didn't intend (bug #6) [Dirk] 1607 - Fixed compilation of regexp if the search query ended or started with a 1608 space (the resulting error message would also expose the path to article.php), 1609 (bug #251) [Dirk] 1610 - Sort the admin's list of polls by date (newest first). Also added paging, 1611 a row number and parameter filtering. Paging and the row number require 1612 theme changes in admin/poll/polllist.thtml and listitem.thtml [Dirk] 1613 - Added paging to the plugin editor (for more than 25 installed plugins). 1614 A {google_paging} variable is needed in admin/plugins/pluginlist.thtml for 1615 the paging links to show up [Dirk] 1616 - Emails sent from the Admin's mail form (admin/mail.php) were always sent 1617 with the site name and site email address, even if you entered something else 1618 in the form. Also made admin/mail/mailform.thtml slightly less ugly [Dirk] 1619 - When deleting a topic, keep the blocks assigned to that topic (bug #247). 1620 They're assigned to 'all topics' and disabled, but kept around now. The same 1621 applies for topic feeds, which weren't handled at all before [Dirk] 1622 - Make sure upload errors for user photos and story images are displayed in a 1623 Geeklog block, not on a blank screen [Dirk] 1624 - Fixed description of DB_insertId() in lib-database.php and dbInsertId() in 1625 mysql.class.php: The functions take a resource, describing the opened link to 1626 the database, not a record set (pointed out by lgonze on IRC). [Dirk] 1627 - Plugins are now getting the key type passed to their search function, so that 1628 they can perform a search for "exact phrase", "all of these words", or 1629 "any of these words" as selected from the search form. [Dirk] 1630 - Use URL rewriting for the link to a story's printer-friendly version, when 1631 activated (bug #201) [Dirk] 1632 - Resizing an image didn't work when the image height exceeded the max. height 1633 but the image width was still below the max. width (bug #242) [Dirk] 1634 - Keeping the unscaled image when using GDlib didn't work (bug #197) [Dirk] 1635 - Added a workaround for the Zeus webserver so that blocks marked "homeonly" 1636 properly appear there (bug #244) [Dirk] 1637 - Previewing a story submission from admin/story.php before saving it left the 1638 original story submission in the submission queue while also adding it as a 1639 new story. This has been fixed now [Dirk] 1640 - Added {article_url} variable for article/printable.thtml so that we can 1641 print the proper URL to the article if URL rewriting is on [Dirk] 1642 - Added filtering for the $order parameter in article.php [Dirk] 1643 - Added {link_actual_url} variable in links.php, holding the actual URL of 1644 a link (not Geeklog's redirect URL via portal.php). Updated template 1645 file links/linkdetails.thtml in all default themes to use {link_actual_url} 1646 in a title attribute for the links [Dirk] 1647 - The event description now honors linefeeds to allow some basic text 1648 formatting [Dirk] 1649 - Escape all PCRE special characters in the code to highlight search query 1650 words (bug #200). Also moved the code to its own function, COM_highlightQuery, 1651 in lib-common.php [Dirk] 1652 - The contents and order of the menu entries, i.e. of the {menu_elements} 1653 variable in header.thtml, is now configurable in config.php (new config 1654 variable $_CONF['menu_elements']). It also includes an option to add custom 1655 entries by implementing a function CUSTOM_menuEntries() that returns the 1656 additional entries [Dirk] 1657 - Use an UPDATE request when increasing the number of times a story has been 1658 emailed [Dirk] 1659 - When an error occurs while creating a backup, the complete command line 1660 used to call mysqldump is now added to error.log [Dirk] 1661 - Added 'view' mode to allow links directly to a single comment (and optionally 1662 its children) in comments.php. [Vinny] 1663 - Added a few variables to be used in the eventdetails.thtml template file: 1664 {event_state_name} (full name of the state), {event_state_only} and 1665 {event_state_name_only} (abbreviated and full state name without the comma), 1666 {event_edit} (link to edit the event, if allowed for the current user), 1667 {edit_icon} (same, but with the edit icon instead of a text link), 1668 {lang_event_type} and {event_type} for the event type [Dirk] 1669 - Registered users can now report abusive comments to the site admin (inspired 1670 by Feature Request #171, which actually requested this for the forums). 1671 Requires new text strings in the language files and a new template file, 1672 comment/reportcomment.thtml [Dirk] 1673 - Bugfix: New users created through the batch import didn't get the email with 1674 their password [Dirk] 1675 - Moved function to create and send a password to lib-user.php to avoid having 1676 identical code in users.php, admin/user.php, and admin/moderation.php [Dirk] 1677 - Added {topic_image} variable (available in the topicoption.thtml and 1678 topicoption_off.thtml template files) so that you can use topic images in 1679 the Topics block (feature request #152) [Dirk] 1680 - COM_undoSpecialChars() now also handles (bug #192) [Dirk] 1681 - Fixed handling of HTML entities in [code] sections (bug #159) [Dirk] 1682 - Added an option to look up IP addresses (new variable $_CONF['ip_lookup'] in 1683 config.php, pointing to a service that does IP address lookups) [Dirk] 1684 - Fixed problems with the database backup when there were spaces in the path to 1685 the backups directory (bug #185). [Dirk] 1686 - Added email notification for new comments (feature request #155) [Dirk] 1687 - Added tracking of IP addresses of comment posters (as suggested by Michael 1688 Jervis) [Dirk] 1689 - Altered COM_article to improve performance by reducing queries. [Vinny] 1690 - Reduced DB queries in COM_showTopics to improve performance. [Vinny] 1691 - Cached enabled plugins to reduce db queries and improve performance. [Vinny] 1692 - Fixed SEC_inGroup not using $_GROUPS cache in several instances. [Vinny] 1693 - mysql.class.php now only runs mysql_connect once per page load. [Vinny] 1694 - The "Google paging" now has additional links to jump to the first and last 1695 page (patch provided by Niels Leenheer). [Dirk] 1696 - Introduced function COM_makeClickableLinks to turn URLs in text-only posts 1697 into clickable links (i.e. it's adding <a> tags around URLs). [Dirk] 1698 - Changed the comment insert, delete, display algorithms for improved 1699 efficiency. They now use a modified preorder tree traversal method. [Vinny] 1700 - Comment limit now applies to all the comments displayed, not just the top 1701 level comments. [Vinny] 1702 - Added pagination ability to comments ({pagenav} template variable in 1703 startcomment.thtml). [Vinny] 1704 - Fixed typo in timer.class.php that broke the ->restart() function. [Vinny] 1705 - Make sure the database backup files are always sorted by (last modified) date 1706 (found & fixed by Alexander Schmacks). [Dirk] 1707 - Make sure the user's preferred comment limit is used when changing the 1708 comment display via the comment bar (bug #176). [Vinny] 1709 - When URL rewriting is activated, the "rewritten" URLs are now also used 1710 in all (RSS) feeds containing links to articles. [Dirk] 1711 - Experimental: On a fresh install, use InnoDB tables (instead of MyISAM) if 1712 the MySQL version running on the server supports them (usually as of 1713 MySQL 4.0). This should avoid locks on tables where hit counters and the 1714 actual data are stored in the same table, e.g. stories (suggested by 1715 Marc Von Ahn). [Dirk] 1716 - Fixed bug in the install script when upgrading from 1.3.8 or earlier: 1717 Check to see if the static pages plugin is installed before attempting to 1718 update its tables (reported by Rob Griffiths). [Dirk] 1719 - Implemented a change to DB_fetchArray, suggested by Niels Leenheer: 1720 Geeklog will now, by default, only return associative array indices. In case 1721 the numeric indices are needed, a new (optional) second parameter for 1722 DB_fetchArray has to be set to "true". [Dirk] 1723 - Removed extra quotes in SQL statements in admin/block.php to ensure 1724 compatibility with old MySQL versions (reported by Elmer Masters). [Dirk] 1725 - In admin/database.php, if the is_executable function is not available (e.g. 1726 on Windows), do at least a file_exists to check if the mysqldump executable 1727 exists in the path given in config.php. [Dirk] 1728 - Introduced function COM_getTopicSQL which returns part of an SQL request to 1729 check for a user's topic access [Dirk] 1730 (This was actually introduced in 1.3.9sr1 but missing from the changelog) 1731 1732 Language files 1733 -------------- 1734 - New Bosnian language file, provided by Kenan Hodzic 1735 - Updated Croatian language file, provided by Roberto Bilic 1736 - New Indonesian language file, provided by Piotr Sobis 1737 - Updated Norwegian language file, provided by Torfinn Ingolfsen 1738 1739 Static Pages Plugin 1.4.1 1740 ------------------------- 1741 - Added a printable version for static pages (based on a concept by 1742 Jannetta S Lewis). Requires a new template file, printable.thtml, located 1743 in the static pages' template directory [Dirk] 1744 - Added support for autolinks and provide a [staticpage:] autotag [Dirk] 1745 - Added an option to sort the static pages that are added to a site's menu 1746 (see {plg_menu_elements} in header.thtml) by id, label, title, or date [Dirk] 1747 - The block templates used to wrap a static page in a block can now be 1748 overridden, using '_staticpages_block' and '_staticpages_centerblock' as the 1749 index for the $_BLOCK_TEMPLATE array [Dirk] 1750 - The plugin now checks for template files in the current theme's directory 1751 (layout/THEMENAME/staticpages) first before using the default template files 1752 from plugin/staticpages/templates [Dirk] 1753 - When displaying a static page, the plugin no longer checks if the current 1754 user is a member of the Root group, so that "Root" users shouldn't see static 1755 pages that are for anonymous users only [Dirk] 1756 This change was actually supposed to be in Static Pages 1.4 (Geeklog 1.3.9), 1757 but somehow didn't make it ... 1758 - For center blocks, ignore the "blank page" setting, unless it's for a page 1759 that is supposed to replace the entire frontpage (bug #234) [Dirk] 1760 - The static pages editor doesn't display a "delete" button for new and 1761 cloned pages any more (since, obviously, you can't delete what hasn't been 1762 saved yet ...). [Dirk] 1763 - Bugfix: Fresh installs of Geeklog 1.3.9 only allowed 20 characters for the 1764 static page ID, while installs upgraded from an earlier version allowed up 1765 to 40 characters [Dirk] 1766 - New Portuguese (Brazil) language file, provided by Alcides Soares Filho. 1767 1768 1769 Mar 5, 2006 (1.3.9sr5) 1770 ----------- 1771 1772 This release addresses the following security issues: 1773 1774 - Konstantin Dyakoff found an old bug in the session handling that would allow 1775 anyone to log in as any user. 1776 - James Bercegay of GulfTech Security Research reported several issues with 1777 Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary 1778 file access, and even injection and execution of arbitrary code. 1779 - Prevent execution of PHP code in "normal" blocks 1780 1781 1782 Jul 3, 2005 (1.3.9sr4) 1783 ----------- 1784 1785 This release addresses the following security issue: 1786 1787 Stefan Esser found an SQL injection that can, under certain circumstances, 1788 be exploited to extract user data such as the user's password hash. 1789 1790 1791 Dec 31, 2004 (1.3.9sr3) 1792 ------------ 1793 1794 This release addresses 2 security issues: 1795 1796 1. It was possible to submit stories anonymously even if anonymous submissions 1797 were turned off in config.php (reported by Barry Wong). 1798 These stories still ended up in the submission queue, though, unless you 1799 disabled it in config.php. 1800 2. Some of the parameters in link and event submissions weren't filtered, 1801 leaving them open to potential SQL injections. 1802 1803 1804 Oct 8, 2004 (1.3.9sr2) 1805 ----------- 1806 1807 This release addresses 2 security issues: 1808 1809 - Fixed a cross site scripting vulnerability caused by using the $topic 1810 variable in the language files ($LANG05[3]) where it should have been 1811 using '%s' instead (bug #293) [Vinny, Dirk] 1812 - It was possible to post comments to stories or polls for which comment 1813 posting had been switched off [Dirk] 1814 This was only a problem if you allowed anonymous posts or when spammers 1815 went through the trouble of actually signing up for an account before 1816 posting. 1817 1818 Non-security related fixes: 1819 1820 - Fixed lib-plugins.php to be compatible with PHP 5 [Dirk] 1821 - Includes updated PEAR packages to resolve email problems some users were 1822 having (especially with safe_mode being on). 1823 1824 1825 Jun 1, 2004 (1.3.9sr1) 1826 ----------- 1827 1828 This release addresses the following security issues: 1829 1830 - It was possible to post anonymous comments, even when anonymous comment 1831 posting had been switched off in config.php [Vinny, Dirk] 1832 - Added additional speed limit checks for comments and submissions [Vinny] 1833 - It was still possible to read the comments to stories, even when the user 1834 didn't have access to the story's topic (provided they knew the story id) 1835 [Vinny, Dirk] 1836 - If none of the topics were visible for anonymous users, the site's index 1837 page may still have displayed some stories for anonymous users, depending on 1838 the stories' permissions [Vinny, Dirk] 1839 - Users still got Daily Digest emails for topics from which they had been 1840 removed (bug #178) [Dirk] 1841 - It was possible to subscribe to the Daily Digest for all topics, even if the 1842 user did not have access to certain topics [Dirk] 1843 - Don't list stories or comments in the user profile if the current user isn't 1844 allowed to see the topics they were posted under (bug #208) [Dirk] 1845 1846 Non-security related fixes: 1847 1848 - Fixed an SQL error in COM_showTopics if users excluded topics in their 1849 preferences (reported by Rob Young) [Dirk] 1850 - Fixed sporadic "Duplicate entry '...' for key 1." messages in error.log 1851 (caused by the handling of pseudo-session ids for anonymous users) [Dirk] 1852 - Fixed incorrect author names in Daily Digest (bug #207) [Dirk] 1853 - The plugin_profileblocksedit_<plugin-name> Plugin API function wasn't working 1854 due to a missing piece of code in usersettings.php [Dirk] 1855 - COM_extractLinks will now ignore anchor tags that do not contain "href" 1856 (bug #183) [Vinny] 1857 1858 1859 Mar 14, 2004 (1.3.9) 1860 ------------ 1861 1862 - Custom Registration function hook to custom_useredit added in the edituser() 1863 when creating a new user from the admin screen. The custom function was not 1864 being called if this was a new user [file: admin/user.php]. 1865 - Fixed wrong use of DB_count in COM_showPoll in lib-common.php. This may have 1866 prevented people from voting on other polls once they voted on any poll on 1867 a site [file: lib-common.php]. 1868 1869 - Updated Danish language file, provided by ZooN. 1870 - Updated Hebrew language file, provided by Tal Vizel (please note that this 1871 file was made for 1.3.8-1 and is missing a few of the texts added in 1.3.9). 1872 1873 1874 Mar 7, 2004 (1.3.9rc3) 1875 ----------- 1876 1877 - Fixed call to CUSTOM_mail and added a sample implementation in 1878 lib-custom.php (commented out by default). 1879 - Made an attempt to recover from duplicate session ids for anonymous users. 1880 - Adding new topics always resulted in a "Please fill in the Topic ID and Topic 1881 Name fields" error message, even if you did fill in both fields (this bug was 1882 only introduced in 1.3.9rc2). 1883 - Filter out backslashes. 1884 - Comment titles were cut off at the first single or double quote (when 1885 submitting a new comment). 1886 - The text string $LANG04[89] in all language files must be enclosed in 1887 double quotes, not single quotes. 1888 1889 - Updated Hebrew language file, provided by Tal Vizel. 1890 - Updated Polish language file, provided by Robert Stadnik. 1891 - Updated Polish language file for the Static Pages plugin, provided by 1892 Robert Stadnik 1893 - Updated Russian language file, provided by Denis Kuznetsov. 1894 - Updated Slovenian language file, provided by gape. 1895 - Included UTF-8 versions of the Croatian and Japanese language files, 1896 provided by Samuel Stone. 1897 1898 1899 Feb 29, 2004 (1.3.9rc2) 1900 ------------ 1901 1902 - The new Admin interface for handling blocks (introduced in 1.3.9rc1) will 1903 renumber the block order in steps of 10, which can lead to order numbers 1904 > 255 if you have many blocks. Changed the 'blockorder' field in the 1905 "gl_blocks" table from TINYINT to SMALLINT to compensate. 1906 If you are upgrading from 1.3.9rc1, you will need to run the following SQL 1907 request manually: 1908 1909 ALTER TABLE gl_blocks CHANGE blockorder blockorder smallint(5) unsigned NOT NULL default '1'; 1910 1911 Replacing "gl_blocks" with the proper table name, if you are using a table 1912 prefix other than 'gl_'. This step is not necessary when upgrading from 1.3.8 1913 or earlier versions. 1914 - The Group Admin restrictions introduced in 1.3.9rc1 didn't even let the 1915 Admin assign unassigned features to groups (e.g. there was no way to add 1916 the staticpages.PHP feature to the Static Page Admin group on a fresh 1917 1.3.9rc1 install). 1918 - When normal users tried to submit an event, they were redirected to the 1919 story submission form (this bug was only introduced in 1.3.9rc1). 1920 - Cosmetic changes in the beautifying of language names (in the user's 1921 preferences). 1922 - Fixed COM_extractLinks to work with links that follow [IMAGE] tags and more 1923 generally handle the extraction of links better and more efficiently. 1924 - If a function CUSTOM_mail() exists, it will be called instead of COM_mail(), 1925 to allow users to implement their own function to send emails, if necessary. 1926 - The Static Pages plugin now supports the "exact phrase", "all of these words", 1927 and "any of these words" search options. 1928 - Included a simplified custom registration example and made the naming 1929 convention for the custom registration functions more consistent. 1930 - Fixed display problems with comments in nested and threaded mode. 1931 Please note that the template file comment/comment.thtml has changed (again) 1932 since 1.3.9rc1! 1933 - Don't rely on the Who's Online block being active when handling sessions 1934 for anonymous users. 1935 - Removed some unused code that handled the obsolete "layout" blocks. 1936 - Try to guess the correct path separator when running on PHP < 4.3.0. 1937 - When upgrading from a pre-1.3.9 install, the install script choked on 1938 single quotes in the site name or site slogan. 1939 - More parameter filtering. 1940 1941 - Included UTF-8 versions of the English, German, Finnish, and Chinese 1942 (traditional and simplified) language files, provided by Samuel Stone. 1943 - Added new Croatian language file, provided by Roberto Bilic. 1944 - Added new Finnish language file, provided by Jussi Josefsson. 1945 - Added new Hebrew language file, provided by Tal Vizel. 1946 - Updated Dutch language file, provided by Wim Niemans. 1947 1948 1949 Feb 16, 2004 (1.3.9rc1) 1950 ------------ 1951 1952 - Use COM_getYearFormOptions() etc. for the event submission form in 1953 submit.php, thus avoiding duplicated code. 1954 - Plugins can now add their new entries to the What's New block by implementing 1955 the new plugin_whatsnewsupported and plugin_getwhatsnew API functions. 1956 This section can be enabled/disabled with the new $_CONF['hidenewplugins'] 1957 config variable. 1958 - When a user is deleted, make sure we assign any objects that require Admin 1959 access (blocks, topics, ...) to a user from the Root group. 1960 - Slightly revamped the install script and made it catch (or silently ignore) 1961 the most popular problems with the path to Geeklog ... 1962 - Removed the hard-coded from {welcome_msg} and added it to the 1963 header.thtml of the Classic, XSilver, and Yahoo themes (the other themes 1964 either look fine without it or didn't use {welcome_msg} anyway). 1965 - Added a missing stripslashes() call for link titles returned from a search. 1966 - Fixed bug when highlighting search queries that contained a '*' (reported 1967 by wlparks). 1968 - Fixed a bug/typo introduced in 1.3.8-1sr4 that prevented you from deleting 1969 story submissions from the Admin's story editor (reported by James Bothe). 1970 - Changed all url fields in the database to hold up to 255 characters per URL. 1971 Please note that the template files in most themes will limit the max. 1972 number of characters to 96 or 128 characters. See docs/theme.html for more 1973 information on how to update the themes. 1974 - Fixed problems batch-importing users with single quotes in their names 1975 (bug #141). 1976 - The permissions for the "Group Admin" group have been changed such that 1977 members of that group now only have access to groups of which they themselves 1978 are a member of. When creating new groups, the rights (permissions) to chose 1979 from are also limited to those that the Group Admin users have themselves. 1980 These changes should make the Group Admin group more useful. 1981 Note: Group admins can still see all the existing groups and who is a member 1982 of those groups. 1983 - Fixed search class so that the simplified and the advanced search return 1984 the same results (as long as none of the advanced options are used). 1985 - Added new config variable $_CONF['allowed_protocols'] which lets you specify 1986 the protocols that are allowed to be used in a link (feature request #109). 1987 Note: The kses class has a hard-coded list of allowed protocols to which 1988 the above will be added. It is currently not possible to remove any of the 1989 predefined protocols. 1990 - Introduced variable {allowed_menu_elements} in header.thtml which only 1991 includes those menu elements that the current user is allowed to use 1992 (i.e. honoring the $_CONF['XXXloginrequired'] settings). 1993 - COM_accessLog() now logs the user's uid and IP address automatically. 1994 - The option to stay logged in for 1 year has been removed and an option to 1995 not stay logged in (after the session has expired) has been added. 1996 - Fixed display of default blocks in the user preferences. 1997 - If the user chose not to see certain topics (by selecting them from the 1998 "Excluded Items" list in the preferences) then don't list those topics in 1999 the Topics block. 2000 - After saving your account information, you are now redirected to your 2001 profile page, so that you can see your changes as they would be displayed 2002 for other users of the site. 2003 - Integrated Vincent Furia's patches to use Geeklog's URL rewriting for links 2004 to stories (i.e. article.php). 2005 - In the story templates, you can now use {article_url} as the URL to the 2006 article.php with the current story (e.g. for a "link to this story" link). 2007 - There is a new file, system/lib-user.php, for user-related code that is 2008 used by usersettings.php, admin/user.php, and admin/moderation.php. 2009 - All template files that let you enter a URL are now using {max_url_length} 2010 for the maxlength attribute. 2011 - Access to admin/mail.php is now granted to all users with 'user.mail' 2012 permissions (previously, users with that permission without being in the 2013 'Mail Admin' group would see the "Mail Users" entry in the Admin block but 2014 were refused access to it). 2015 - The list of group names in the Mail Users form is now sorted alphabetically. 2016 - Any unauthorized attempts to access the admin pages are now properly logged 2017 in access.log. 2018 - Fixed problems when resizing userphotos for user names that have spaces in 2019 them (reported by Per on geeklog-users). 2020 - Now accomodate strict webhosts who don't allow file uploads to the standard 2021 image directory, you can now set a new configuration variable, 2022 $_CONF['path_images'] to point to a directory outside of your webtree where 2023 article images and user profile pictures will be saved and served from. 2024 - Don't append a '-' to the page title if $_CONF['site_slogan'] is empty 2025 (feature request #88). 2026 - COM_getMonthFormOptions() now always lists the month names instead of only 2027 the numbers. COM_getYearFormOptions() also lists the previous year. 2028 - Changed admin/event.php to use the COM_getMonthFormOptions() etc. functions 2029 from lib-common.php, thus avoiding duplicated code. 2030 - In the calendar/calendar.thtml template file, you can now use {start_block} 2031 and {end_block} to wrap the calendar in a block. 2032 - Fixed a few display problems in case of errors in calendar_event.php. Also 2033 made calendar.php display messages sent from calendar_event.php. 2034 - Make sure the custom registration form is properly called from all relevent 2035 places (bug #57). 2036 - Single quotes are now silently stripped from topic IDs (bug #113). 2037 - Fixed search displaying all the links for an empty search string, e.g. when 2038 searching for "more from" some user (bug #87). 2039 - Fixed link from search results that contained a '/' (bug #115). 2040 - Comments from a story that has been marked as "draft" are no longer returned 2041 from a search (bug #128). 2042 - The Admin's link list now uses "google paging", 50 links per page (bug #104). 2043 Note: Requires a change in the admin/link/linklist.thtml template file. 2044 - (Block)Admins can now change the order of blocks and enable / disable blocks 2045 directly from the Admin's list of blocks (based on a concept by stratosfear). 2046 - An alternative interface to adding (multiple) users to a group is now 2047 available from the Admin's list of groups. This feature requires JavaScript. 2048 - Fixed display of permissions in the "Access" column of the Admin's list of 2049 stories (didn't take Topic permissions into account). 2050 - Fixed handling of "0" as a poll answer (bug #73). 2051 - Added a check and warning message in admin/moderation.php if register_globals 2052 is "off". 2053 - Changed function COM_isEmail() to use PEAR::Mail/RFC822 to check for valid 2054 email addresses. 2055 - Added an edit icon to each theme (images/edit.gif). Variable {edit_icon} can 2056 be used as an alternative to {edit_link}, i.e. as an icon that Story Admins 2057 can click on to edit a story. 2058 - You can now enable debug messages (to error.log) for the image upload by 2059 setting $_CONF['debug_image_upload'] = true in config.php. 2060 - When deleting a group, delete all references to that group from the 2061 group_assignments table (bug #50). The install script will remove any 2062 orphaned entries when upgrading the database to 1.3.9. 2063 - The option to delete comments was only available to users in the Root group 2064 (e.g. Admin). Since comments don't have permissions, comments can now be 2065 deleted by users with Story Admin permissions for the story they are 2066 commenting on (or Poll Admin permissions for comments on polls; bug #27). 2067 - Display a generic (and localised) error message when there is a problem 2068 importing an (RSS) feed - details will be available in error.log. Also checks 2069 for empty (but existing) feeds now. 2070 - When the user submission queue is activated, you now have an "edit" link 2071 that takes you to the Admin's user editor (the profile link is now on the 2072 username). Contributed by Ed Magin. 2073 - COM_siteHeader() now uses output buffering for the eval(), preventing the 2074 header from being output directly. 2075 Note: This may require changes in 3rd party scripts, e.g. the Geeklog/Gallery 2076 integration. 2077 - The install script will set the 'date' field for links to sensible values 2078 now (reconstructed from the date that's encoded in the link id). 2079 - The author exclusion list in the preferences is now a (multi-select) listbox. 2080 - A proper error message is now displayed if the Admin creates a new user or 2081 changes an existing account with an email address that already exists (that 2082 test was already introduced in 1.3.8-1 but the error message was confusing), 2083 thus closing bug #24. Also checks for valid email addresses now. 2084 - You can now use {author_fullname} and {author_photo} variables in comment 2085 templates (feature request #35). 2086 - Remove extra backslashes from new links in What's New block (bug #59). 2087 - The [code] tag is now displayed in the list of allowed HTML tags. 2088 - Image upload can now use the GD library (contributed by Rob Coenen). 2089 If possible, GIF images will be converted to PNGs during upload. However, 2090 some versions of the GD library may not allow to read GIF images at all. 2091 - Geeklog now uses PEAR::Mail to send all emails. 2092 In config.php, you can select whether emails should be sent via PHP's mail() 2093 function, sendmail, or SMTP. 2094 - Introduced /path/to/geeklog/system/pear as the directory to hold the PEAR 2095 packages used by Geeklog. Currently, those are PEAR, Mail, Net_SMTP, and 2096 Net_Socket. These packages will be included in the releases from now on. 2097 - Introduced function COM_mail(). From now on, all Geeklog email will be sent 2098 from this function (instead of using PHP's mail() function directly). 2099 - When users try to register with an empty username or invalid email address, 2100 make sure we're displaying a custom registration form (if one exists) when 2101 displaying the error message (part 1 of bug #57). 2102 - Prevent users from registering with an empty username (bug #56). 2103 - Use $_CONF['emailstoriesperdefault'] when batch-adding users. Until now, 2104 new users were subscribed to the Daily Digest automatically (bug #55). 2105 - Added an 'edit' link to links/linkdetails.thtml, so that (Link) Admins can 2106 edit links easily (contributed by Euan McKay). 2107 - What's Related applied COM_checkHTML() on the entire block instead of on the 2108 individual items, thus stripping out HTML from the template file (bug #52). 2109 - Words from a search query are now properly highlighted in comments when the 2110 words occured only in the comments (but not in the story). 2111 - Integrated Vincent Furia's new comment code to use templates for comments 2112 (instead of hard-coded HTML). 2113 New template files: comment/comment.thtml, comment/thread.thtml. 2114 Updated: comment/startcomment.thtml 2115 - New Admin interface for content syndication (RSS feeds etc.). This lets you 2116 create feeds for all the stories and per topic as well as for links and 2117 (upcoming) events. Plugins can also provide feeds (through extensions of the 2118 Plugin API). Additional feed formats (other than RSS 0.91) can be implemented 2119 as new classes (xxx.feed.class.php). 2120 Includes new admin/syndication template directory. 2121 - Don't display the "delete" button in the Admin's Event editor when we're 2122 editing a new event (reported by Simon Lord). 2123 2124 Static Pages Plugin 1.4 2125 ----------------------- 2126 2127 - It is now possible to disable the use of PHP in static pages entirely by 2128 setting $_SP_CONF['allow_php'] = 0 in the static pages' config.php file. 2129 If you don't plan on using PHP in static pages, it is recommended that you 2130 do that as an additional security measure. 2131 - You can now use "plain PHP" code in a static page, i.e. it doesn't need to 2132 be written such that it returns all output in a 'return' statement. The 2133 PHP checkbox has been replaced with a dropdown menu offering "do not execute 2134 PHP", "execute PHP (return)" [that's the old way], and "execute PHP" [new]. 2135 - The ID of a static page can now have up to 40 characters. 2136 - When displaying a static page, the plugin no longer checks if the current 2137 user is a member of the Root group, so that "Root" users shouldn't see static 2138 pages that are for anonymous users only. 2139 - The option to wrap static pages in a block can now be applied to each page 2140 individually. $_SP_CONF['in_block'] is only used as the default setting 2141 for new pages. 2142 - Static pages to be displayed after the featured story (in a center block) are 2143 now displayed even if there is no featured story (after the static pages to 2144 be displayed at the top of the page). 2145 - Static pages are not wrapped in a block when the page format is set to "blank 2146 page" (bug #60). 2147 - Added a "Cancel" button in the static pages editor. 2148 - Bugfix: Depending on the permission settings, the "Edit" link was sometimes 2149 displayed for users without them having edit permissions for the static page. 2150 It wasn't possible to edit the page, though, but the link shouldn't have 2151 been there in the first place. 2152 - For security reasons, the Static Page Admin group does not include 2153 'staticpages.PHP' permissions by default any more. 2154 - When a user is deleted, static pages created by that user can now either be 2155 deleted or assigned to a Root user (see $_SP_CONF['delete_pages'] option). 2156 2157 Please see docs/staticpages.html for details. 2158 2159 2160 Oct 8, 2004 (1.3.8-1sr6) 2161 ----------- 2162 2163 This release addresses 2 security issues: 2164 2165 - Fixed a cross site scripting vulnerability caused by using the $topic 2166 variable in the language files ($LANG05[3]) where it should have been 2167 using '%s' instead (bug #293) [Vinny, Dirk] 2168 Note: german.php was not affected and is therefore not included. 2169 2170 - It was possible to post comments to stories or polls for which comment 2171 posting had been switched off [Dirk] 2172 This was only a problem if you allowed anonymous posts or when spammers 2173 went through the trouble of actually signing up for an account before 2174 posting. 2175 2176 2177 Jun 1, 2004 (1.3.8-1sr5) 2178 ----------- 2179 2180 This release fixes a bug due to which it was possible to post anonymous 2181 comments even when anonymous comment posting had been switched off in 2182 config.php. 2183 2184 To upgrade from Geeklog 1.3.8-1sr4 to 1.3.8-1sr5, simply upload the included 2185 comment.php, replacing the file of the same name on your webserver. 2186 2187 2188 January 26, 2004 (1.3.8-1sr4) 2189 ---------------- 2190 2191 This release addresses the following security issues: 2192 2193 1. It was possible for users in the Group Admin and User Admin groups to 2194 become a member of the Root group (reported by Samuel M. Stone, bug #135). 2195 2. Being admin for a certain area (e.g. Story Admin for stories) made it 2196 possible to delete all objects in that area (e.g. stories) even if the 2197 user was not supposed to have access to them, provided the id of the object 2198 was known. 2199 3. It was possible to delete other people's personal events if you knew the 2200 event ID. 2201 4. It was possible to browse through the comments of a story even if the user 2202 did not have access to the actual story (reported by Peter Roozemaal). 2203 5. Due to an XSS issue, it was possible to change someone's account settings 2204 (including the password) if you got them to click on a specially crafted 2205 link (reported by Jelmer, fix suggested by Vincent Furia). 2206 6. The comment display suffered from the possibility of an SQL injection 2207 (reported by Jelmer). 2208 7. It was possible to inject Javascript code in the calendar (reported by 2209 Jelmer). 2210 8. It was possible to execute (but not save) Javascript code in the comment 2211 preview (reported by Jelmer). 2212 2213 2214 December 5, 2003 (1.3.8-1sr3) 2215 ---------------- 2216 2217 This release addresses the following security-related issues: 2218 2219 1. As "dr.wh0" pointed out, the category field for link submissions was not 2220 filtered at all. Although you probably can't cause too much harm with 2221 those 32 characters, this has now been fixed. 2222 2. Vincent Furia found that the restrictions for the form to email users 2223 could be circumvented and could even be used to spam users. 2224 In addition to fixing theses issues, there is now also a speed limit 2225 on that form (defaults to the speed limit for story submissions). 2226 3. There was a way to post comments anonymously even when posting for 2227 anonymous users had been disabled. 2228 4. It was possible to post comments under someone else's username. 2229 2230 2231 October 14, 2003 (1.3.8-1sr2) 2232 ---------------- 2233 2234 Jouko Pynnonen found a way to trick the new "forgot password" feature, 2235 introduced in 1.3.8, into letting an attacker change the password for _any_ 2236 account. This release addresses this issue - there were no other changes. 2237 2238 The only thing you need to do is to replace the file users.php on your site 2239 with the file that comes with this tarball. It's suggested that you change 2240 the version number in your config.php to '1.3.8-1sr2' afterwards. 2241 2242 Please note that only Geeklog 1.3.8, 1.3.8-1, and 1.3.8-1sr1 are affected, 2243 as this feature did not exist in earlier versions. 2244 2245 2246 October 12, 2003 (1.3.8-1sr1) 2247 ---------------- 2248 2249 This release is intended to address some of the security issues reported in 2250 September and early October 2003. 2251 2252 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript 2253 injections and CSS defacements. 2254 2255 When upgrading from an earlier version, please make sure to copy over the 2256 $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included 2257 config.php to your own copy of that file. 2258 2259 2. While almost all of the alleged SQL injection issues could not be 2260 reproduced, this release includes an update to the MySQL class to not 2261 report SQL errors in the browser any more (but only in Geeklog's error.log). 2262 This will avoid disclosing any sensitive information as part of the error 2263 message. 2264 2265 Please note that at the moment we do NOT recommend to use Geeklog with 2266 MySQL 4.1 (which, at the time of this writing, is in alpha state and should 2267 not be used on production sites anyway). 2268 2269 An upcoming release of Geeklog will address the remaining SQL issues, 2270 including any problems with MySQL 4.1. 2271 2272 Other fixes (not security-related): 2273 - When trying to guess the value of $_CONF['cookiedomain'], we need to remove 2274 the port number from the URL, if there is one (bug #75). 2275 - The full 1.3.8-1sr1 tarball also includes updated French (Canada) and 2276 Turkish language files. 2277 2278 2279 August 9, 2003 (1.3.8-1) 2280 -------------- 2281 2282 - When upgrading, the install script will now default the version selection to 2283 the last version in the list (currently: 1.3.7) instead of the first one 2284 (1.2.5-1). 2285 - Don't allow HTML in static page titles (bug #26). 2286 - Display the search form again if the query returned no results. 2287 - Make sure we're not attempting to send a Daily Digest email to Anonymous. 2288 - Prevent admin from changing a user's email address to one that's already used 2289 by someone else (bug #24). The error message you get when you try this may 2290 be confusing, though ("The username you tried saving already exists.") since 2291 I don't want to introduce new texts in the language file at this point. To 2292 be corrected later. 2293 - Fixed a problem with the cookie timeout: When a user edited his/her profile 2294 for the first time, the cookie timeout defaulted to 1 hour, while the default 2295 in config.php was usually much longer (default: 1 week). So after editing 2296 their profile for the first time, users didn't stay logged in as long as 2297 before (unless they noticed that and changed the cookie timeout accordingly 2298 themselves). 2299 - Fixed problems in the install script when trying to find out the MySQL 2300 version number. 2301 - Fixed a problem collecting links for the What's Related block when the article 2302 contained (uploaded) images. 2303 - Words from a search query are now hightlighted in comments as well. 2304 - You can now use variables {rss_url} and {rdf_file} in both the site header 2305 and footer. Both variables hold the URL to the RSS feed. 2306 - Fixed an occassional "call to member function of non-object" error message 2307 in lib-plugins.php. 2308 - Make sure the RSS feed and Older Stories block are updated when a story is 2309 deleted. 2310 - The language selection will only list files that end in .php and do not 2311 start with a '.'. 2312 - Fixed links to a user's comments from the Last 10 Comments block in the user 2313 profile. 2314 - Removed '&query=' from links in search results if the query was empty. 2315 - Anonymous users couldn't use the advanced search even if 2316 $_CONF['searchloginrequired'] was not set. 2317 - Fix to disallow access to the extended search for anonymous users (i.e. 2318 $_CONF['searchloginrequired'] works again as it did in 1.3.7) 2319 - Fixed search by date. 2320 - Template variable {uid_value} was always empty in the user's profile edit 2321 form (in usersettings.php). 2322 2323 - New French (Canada) language file, provided by Jean-Francois Allard. 2324 - Updated Dutch language file, provided by W. Niemans. 2325 - Updated Bulgarian language file, provided by Vassil Simeonov and Itso Banov. 2326 - Updated Spanish language file, provided by Angel Romero. 2327 2328 - New French (Canada) language file for the Static Pages plugin, provided by 2329 Jean-Francois Allard. 2330 - New Dutch language file for the Static Pages plugin, provided by W. Niemans. 2331 2332 2333 July 17, 2003 (1.3.8) 2334 ------------- 2335 2336 - Added Blaine's sample code for the custom registration to lib-custom.php 2337 (there's also an accompanying sample template file, memberdetail.thtml). 2338 - "No new links" wasn't displayed in the What's New block when you didn't 2339 have any links in the database or when the current user didn't have access 2340 to any of them (reported by krove). 2341 - Applied a patch by Tatsumi Imai to fix problems with Japanese characters 2342 when editing polls (bug #17). 2343 - Hide those story submissions from moderators that don't have access to the 2344 topic. 2345 - Use $HTTP_SERVER_VARS['PATH_INFO'] instead of $PATH_INFO for the url_rewrite 2346 feature, since the latter doesn't seem to work on some setups (reported by 2347 Peter Sieradzki). 2348 2349 - Updated Slovenian language file, provided by gape. 2350 - Updated Polish language file for the Static Pages plugin, provided by 2351 Robert Stadnik 2352 2353 2354 July 6, 2003 (1.3.8rc2) 2355 ------------ 2356 2357 - When failing to delete an image for a story (from the Admin's story editor), 2358 only log this problem in the error.log but don't abort the script (reported 2359 by Rob). 2360 - When editing a story that used double quotes in the title, the title was cut 2361 off after the first quote sign. 2362 - Story Admins could edit stories in a topic they didn't have access to, if 2363 they somehow found out the story id. 2364 - When $_CONF['listdraftstories'] was enabled, moderation.php listed all stories 2365 that had the "draft" flag set without checking for topic permissions (this 2366 option was only introduced in 1.3.8rc1). 2367 - For Story Admins, the Admin menu may have listed a greater number of stories 2368 than the user actually had access to (didn't check for topic permissions). 2369 - Fixed "Google paging" on the Admin's list of stories when the current user 2370 didn't have access to all the topics (paging was only introduced in 1.3.8rc1). 2371 - Try to prevent "illegal access" messages in error.log, caused by the plugin 2372 page looking for uninstalled plugins. 2373 - Upcoming events (in the block of the same name) are now sorted by start date 2374 and start time, which makes more sense than the old start date, end date 2375 sort order (reported by Peter Sieradzki). 2376 - Fixed description of function DB_count() in lib-database.php (reported by 2377 jose on IRC). 2378 - Changed the "getBent" block to test the real admin directory in case it has 2379 been renamed (bug #762881). 2380 - Saving the user profile also saved the privacy options, setting them all to 2381 "off" (reported by Dwight Trumbower). 2382 - Check the topic permissions when doing a search on stories and comments. 2383 - Check the topic permissions when displaying the new stories and comments in 2384 the What's New block. 2385 - Need to use date_sub() in the SQL request for the display=new mode on the 2386 index page to ensure compatibility with old versions of MySQL (reported by 2387 Markus Guske). 2388 - New users created manually from the Admin's User menu were assigned a 2389 random password, even when the Admin entered one (reported by TechFan). 2390 This bug was only introduced in 1.3.8rc1. 2391 - The printer-friendly version of a story in HTML format should not call 2392 nl2br() on the story text (bug #762636). 2393 - When attempting to edit a submission, check that it still exists in the 2394 submission queue (since another Admin could already have handled it), 2395 avoiding an SQL error (reported by Simon Lord). 2396 2397 - New language file for formal German (addressing the user as "Sie" instead of 2398 "Du"), provided by Philip Sack. 2399 - Updated Italian language file, provided by quess65. 2400 - Updated Japanese language file, provided by Yusuke Sakata. 2401 - Updated Polish language file, provided by Robert Stadnik. 2402 - Updated Spanish language file, provided by Angel Romero. 2403 - Updated Swedish language file, provided by Markus Berg. 2404 2405 - New formal German language file for the Static Pages plugin. 2406 - New Italian language file for the Static Pages plugin, provided by quess65. 2407 - New Japanese language file for the Static Pages plugin, provided by Yusuke 2408 Sakata. 2409 - New Swedish language file for the Static Pages plugin, provided by Markus Berg 2410 2411 2412 June 29, 2003 (1.3.8rc1) 2413 ------------- 2414 2415 - Fixed SQL error when using quotes in a group description. 2416 - Fixed bug where blocks assigned to a topic disappeared when viewing articles. 2417 - Add new Plugin API PLG_getHeaderCode, Used to return JS Functions or other 2418 Header Meta Tags required by the plugin. Added new variable {plg_headercode} 2419 to the template header.thtml files. 2420 - New search: You can search for the exact phrase, all of the words, or any of 2421 the words from the query. Search words are highlighted in stories. Also, 2422 results in stories and comments are listed separately. 2423 - Added new block "Privacy Options" to the Preferences: 2424 + chose to receive email from admins and/or other users 2425 + chose to show up in Who's Online block 2426 (Feature requests #609758 and #609759) 2427 - New config option $_CONF['hide_author_exclusion'] to hide the author 2428 exclusion list from the user's preferences (useful e.g. when it's a rather 2429 long list but hardly used by the users of your site). 2430 - Added tracking of users lastlogin to the userinfo table. 2431 New $_CONF['lastlogin'] added to config.php - SESSION SETTINGS area 2432 - Added an option in admin/group.php to list all the users belonging to a group. 2433 - Added adminoption_off.thtml template file (for current entry in the Admin 2434 menu) and topicoption.thtml and topicoption_off.thtml files (for entries in 2435 the Topics/Sections menu). 2436 - Geeklog will not accept topic ids containing spaces any more. 2437 - Added new config option $_CONF['allow_account_delete'] to allow users to 2438 delete their account (from their Account Information page). 2439 - Posts (stories and comments) from deleted users will now be reassigned to 2440 user "Anonymous". 2441 - Removed the Geeklog version number from the footer of the default themes. 2442 Instead, the version number is now displayed in the headline of the "Command 2443 and Control" block (moderation.php) and next to the "GL Version Test" entry 2444 in the Admin's functions block. 2445 - New Norwegian language file, provided by Torfinn Ingolfsen. 2446 - Introduced new config.php variable $_CONF['mysqldump_options'] that holds 2447 additional options to be used when Geeklog calls mysqldump to do a backup 2448 of the database. 2449 - Added a check for an existing email address in the user's profile so that 2450 users can't change their email address to one that's already in use for 2451 another account. 2452 - Pick up the 'postmode' default setting for the Admin's story editor. 2453 - Stories in the Daily Digest are now sorted by date (newest first, as on the 2454 index page). 2455 - Changed handling of plugin comments slightly: Plugins will have to do the 2456 'delete' operation on their comments on their own now since Geeklog can't 2457 possibly know which (if any) permissions are needed to delete a comment. 2458 The 'id' parameter in the call to plugin_handlecomment_<type> will now 2459 always be the comment id. 2460 - In another attempt to solve the various issues regarding "www vs. non-www" 2461 URLs and related login problems: 2462 + Made sure all setcookie() calls use all 6 parameters 2463 + Try to guess the correct value for $_CONF['cookiedomain'] if it isn't set 2464 + Removed the redirection attempt from index.php 2465 - When requesting a new password for your account, you can now enter either 2466 your username or the email address you used to register with the site. 2467 - Added a speed limit for requests for a new password (defaults to 5 minutes 2468 between requests). 2469 - The commentspeedlimit and submitspeedlimit tables have been replaced with a 2470 general speedlimit table and three new functions operating on it have been 2471 introduced (in lib-common.php). The new table has a 'type' field, so plugins 2472 could easily implement their own speed limits. 2473 - Introduced new "forgot password" functionality: When requesting a new password 2474 for an account, the user will now receive an email with a link that s/he has 2475 to click on. It will take the user to a form where s/he can enter a new 2476 password (a unique id is contained in the URL and checked when entering the 2477 new password, thus preventing misuse). The old password remains valid until a 2478 new password is entered from this form, so the email can simply be ignored in 2479 case the user didn't request a new password (cf. Feature Request #567979). 2480 - Removed unused commentheader.thtml file from all default themes. 2481 - Fixed the redirect after posting a comment to a poll (should return to the 2482 poll, not to the index page). 2483 - You can now "clone" events, i.e. make a copy of an existing event. This comes 2484 in handy if you have a lot of similar events (e.g. repeating events). 2485 Template files admin/event/eventlist.thtml and admin/event/listitem.thtml 2486 need to be updated or the "clone" option will not show up ... 2487 - Fixed a bug in the Admin's poll editor which let you enter more than 2488 $_CONF['maxanswers'] answers for a poll. You may need to adjust your setting 2489 of $_CONF['maxanswers'] or you may lose an answer when editing such a poll 2490 (found & fixed by Tom Willet). 2491 - Moved hard-coded HTML for the poll block and poll results to new template 2492 files. 2493 - When the theme uses a replacement function for COM_siteHeader and/or 2494 COM_siteFooter, we need to pass it the same parameter that the replaced 2495 function was being called with. 2496 - Fixed "Last 10 comments by user" in the user's profile which was missing the 2497 comments to polls. 2498 - When a new user registers, we need to check for a valid email address 2499 first (before searching the database to see if that address is already in use) 2500 - You are now taken back to the moderation page after editing a story submission 2501 - Fixed 'previous' link on the Admin's list of stories. Alternatively, you can 2502 now use {google_paging} there (requires a change in the template). 2503 - Added -Q option to the mysqldump call when doing a database backup. This will 2504 enclose database names in quotes and thus prevent problems with special 2505 characters in table names as used by some plugins (bug #712901). 2506 - Set the max length of the input field for the event URL to 128 characters 2507 (was 96) in the default themes (other themes may need adjusting). 2508 - Fixed localisation of the date of all-day events in the event details. 2509 - Added missing {event_location} variable in calendar/eventdetails.thtml 2510 template files. 2511 - Fixed display of events spanning several days in the personal calendar. 2512 - Moved hard-coded HTML for the login form in the User Functions block to a new 2513 template file. 2514 - The Sections block now uses the useroption.thtml and the new 2515 useroption_off.thtml template files for the list of topics. You can also use 2516 $_CONF['hide_home_link'] to hide the "Home" link from the Sections block. 2517 - New config option $_CONF['keep_unscaled_image'] allows you to keep the 2518 original, unscaled image after upload (in stories only, for now). The smaller, 2519 scaled image will be used as a thumbnail and link to the original image 2520 (based on code provided by Alexander Schmacks). 2521 - In admin/database.php: 2522 + Made sure we really display the last 10 backups (fix by Alexander Schmacks) 2523 + Display total number of backups in the directory 2524 + Moved hard-coded HTML for the list of backups to template files 2525 + Replaced $PHP_SELF with $_CONF['site_admin_url']/database.php since 2526 $PHP_SELF seems to cause problems in some environments 2527 - You can now make one topic the default topic. The topic selection in the 2528 story submission form will then default to this topic. 2529 - When clicking on the "contribute" link from the topic index page, the new 2530 story will now default to the topic you just viewed. 2531 This only works with themes that use the {menu_elements} variable in 2532 header.thtml. Other themes can use the new variable {current_topic} which 2533 holds '&topic=<topicid>' when a topic is selected (and is empty otherwise). 2534 - Integrated Vincent Furia's improvements for COM_exportRDF. You can now use 2535 $_CONF['rdf_limit'] to limit the number of stories in the RDF file by 2536 setting this to a number (e.g. 10) or a number of hours (e.g. 24h). 2537 $_CONF['rdf_storytext'] lets you add the story's introtext to the RDF feed. 2538 Also fixed a bug with un-escaped special characters in the feed's title. 2539 - Added paging to the list of Static Pages (for more than 50 pages). 2540 - Fixed problem with the Older Stories block disappearing when it was edited 2541 (e.g. moved from left to right), bug #670673. 2542 - Fixed "late" update of portal blocks (bug #681855). 2543 - Fixed mixing of comments from different plugins, found & fixed by Alan McKay. 2544 - A theme can provide its own functions to render the site header and footer 2545 (this is not a new feature). Geeklog now expects those functions to be named 2546 <themename>_siteHeader and <themename>_siteFoote, respectively. Until now, 2547 it was, however, looking for the wrong function names ... 2548 - Added the piece of code that is needed to make the Theme Tester work to 2549 lib-common.php (won't do anything without the Theme Tester block). 2550 - Fixed SQL query for displaying new comments in the What's New block, provided 2551 by Marc Von Ahn (with some help from Rob Griffiths). 2552 - Changes to make Geeklog install and work again on old versions of MySQL 2553 (e.g. MySQL 3.22). Special thanks to Markus Guske for providing the fixes 2554 for the What's New block and for testing the new install. 2555 - Feb 13/03: (Blaine) Added new Plugin function to support Center Blocks 2556 Included call to PLG_showCenterblock in index.php 2557 - The user's signature is now appended to messages sent to another user. 2558 - Feb 6/03: (Blaine) Added support for custom user registration and account 2559 profile: Added hooks to users.php, usersettings.php and admin/user.php and 2560 new $_CONF parm to enable 2561 Developer is responsible for code to handle new form processing, account 2562 record save, update and delete. 2563 - The list of blocks now includes a column indicating whether the block is 2564 enabled or disabled (will need changes in admin/block/listblocks.thtml and 2565 listitem.thtml template files of custom themes). 2566 - Variable {rdf_url} (available in footer.thtml) holds the URL of the RDF file. 2567 - What's Related block is now created dynamically. 2568 - Top Ten Commented Stories didn't count comments on stories submitted by 2569 anonymous users (found & fixed by Laurence Whitworth). 2570 - Allow users to change their username if $_CONF['allow_username_change'] is 2571 set to 1. 2572 - Jan 18/03: (Blaine) Corrected problem in mysql.class.php where the checks in 2573 dbdelete, dbchange, dbcount and dbcopy for a passed value of 0 were not 2574 sufficient. If the parameter was 0 - it was assuming it was empty. 2575 Consequence: The dbdelete would delete all records or dbcount would return 2576 count(*) 2577 - Display Preferences and Comment Preferences have been merged. There is now 2578 only one option, Preferences, in the User Functions block. 2579 - Hard-coded HTML for the Display Preferences, Comment Preferences, and 2580 Account information has been moved to template files (new "preferences" 2581 directory). 2582 2583 Static Pages Plugin 1.3 2584 ----------------------- 2585 - Integrated (and extended) the Static Pages plugin 1.2 (originally started by 2586 Phill Gillespie and later supported by Tom Willet). This "combined" version 2587 is now called Static Pages 1.3. 2588 Use Geeklog's install script to upgrade from any previous version (1.1 or 1.2) 2589 - Supports the use of PHP in static pages. 2590 - You can now edit the ID of a static page to create more readable URLs like 2591 http://yoursite/staticpages/index.php?page=about 2592 In combination with Geeklog's $_CONF['url_rewrite'] option, the URL can even 2593 look like http://yoursite/staticpages/index.php/page/about 2594 - You can now "clone" static pages, i.e. make a copy of an existing page. 2595 - Removed the "static pages on frontpage" hack and changed the plugin to use 2596 the new Center Block API instead: 2597 A static page can now be displayed on the top of the front page, on the 2598 bottom, or after the featured story. It can also replace the front page 2599 entirely. Instead of using special label names (like "frontpage"), the 2600 display mode and position can now be selected from drop-down menus in the 2601 static pages editor. 2602 2603 Please see docs/staticpages.html for details. 2604 2605 2606 January 26, 2004 (1.3.7sr5) 2607 ---------------- 2608 2609 This release addresses the following security issues: 2610 2611 1. It was possible for users in the Group Admin and User Admin groups to 2612 become a member of the Root group (reported by Samuel M. Stone, bug #135). 2613 2. Being admin for a certain area (e.g. Story Admin for stories) made it 2614 possible to delete all objects in that area (e.g. stories) even if the 2615 user was not supposed to have access to them, provided the id of the object 2616 was known. 2617 3. It was possible to delete other people's personal events if you knew the 2618 event ID. 2619 4. It was possible to browse through the comments of a story even if the user 2620 did not have access to the actual story (reported by Peter Roozemaal). 2621 5. Due to an XSS issue, it was possible to change someone's account settings 2622 (including the password) if you got them to click on a specially crafted 2623 link (reported by Jelmer, fix suggested by Vincent Furia). 2624 6. The comment display suffered from the possibility of an SQL injection 2625 (reported by Jelmer). 2626 7. It was possible to inject Javascript code in the calendar (reported by 2627 Jelmer). 2628 8. It was possible to execute (but not save) Javascript code in the comment 2629 preview (reported by Jelmer). 2630 2631 2632 December 5, 2003 (1.3.7sr4) 2633 ---------------- 2634 2635 This release addresses the following security-related issues: 2636 2637 1. As "dr.wh0" pointed out, the category field for link submissions was not 2638 filtered at all. Although you probably can't cause too much harm with 2639 those 32 characters, this has now been fixed. 2640 2. Vincent Furia found that the restrictions for the form to email users 2641 could be circumvented and could even be used to spam users. 2642 3. There was a way to post comments anonymously even when posting for 2643 anonymous users had been disabled. 2644 4. It was possible to post comments under someone else's username. 2645 2646 2647 October 12, 2003 (1.3.7sr3) 2648 ---------------- 2649 2650 This release is intended to address some of the security issues reported in 2651 September and early October 2003. 2652 2653 1. Includes Ulf Harnhammar's kses HTML filter to address possible Javascript 2654 injections and CSS defacements. 2655 2656 When upgrading from an earlier version, please make sure to copy over the 2657 $_CONF['user_html'] and $_CONF['admin_html'] arrays from the included 2658 config.php to your own copy of that file. 2659 2660 2. While almost all of the alleged SQL injection issues could not be 2661 reproduced, this release includes an update to the MySQL class to not 2662 report SQL errors in the browser any more (but only in Geeklog's error.log). 2663 This will avoid disclosing any sensitive information as part of the error 2664 message. 2665 2666 Please note that at the moment we do NOT recommend to use Geeklog with 2667 MySQL 4.1 (which, at the time of this writing, is in alpha state and should 2668 not be used on production sites anyway). 2669 2670 An upcoming release of Geeklog will address the remaining SQL issues, 2671 including any problems with MySQL 4.1. 2672 2673 2674 May 26, 2003 (1.3.7sr2) 2675 ------------ 2676 2677 Security issues: 2678 2679 1. It was possible to obtain valid session ids for every account (reported by 2680 SCAN Associates). 2681 2. Using Internet Explorer, it was possible to upload an image with embedded 2682 PHP code and execute it (reported by SCAN Associates). 2683 3. Story permissions could override topic permissions, resulting in the display 2684 of stories to users who shouldn't have access to them (reported by Andrew 2685 Lawlor). 2686 Note: This was already fixed with the new index.php, released 2003-05-15. 2687 4. Added a warning in config.php that adding any of the following tags to the 2688 list of allowable HTML can make the site vulnerable to scripting attacks: 2689 <img> <span> <marquee> <script> <embed> <object> <iframe> 2690 (pointed out by Joat Dede) 2691 2692 - Fixed the bug in several of the admin areas (blocks, events, links, polls, 2693 stories, topics) where admins without root access got a message stating 2694 that they did not have the proper permissions when trying to save an object. 2695 - Fixed a typo in lib-sessions.php that caused the creation of unnecessary 2696 sessions (pointed out by Kobaz). 2697 - Fixed malformed cookie (used $_CONF['site_url'] instead of 2698 $_CONF['cookiedomain']) in lib-sessions.php, found & fixed by Jon Evans. 2699 - Fixed a bug that prevented certain right blocks from showing up when there 2700 were no stories for a topic. 2701 - The "Google paging" on the index page may have displayed the wrong number 2702 of pages for users who disabled topics in their display preferences. 2703 2704 - Updated Dutch language file, provided by Claudio. 2705 - Updated French language file, provided by Jaques. 2706 - Updated Hellenic (Greek) language file, provided by Access-=-Denied Networks 2707 - Updated Spanish and Spanish (Argentina) language files, 2708 provided by Fernando Bernardini 2709 - New Portuguese language file, provided by Mario Seabra 2710 - New Bulgarian language file, provided by lachko 2711 - New Turkish language file, provided by Sinan Ussakli 2712 - New Slovenian language file, provided by gape 2713 - New Slovak language file, provided by Rado 2714 - New Romanian language file, provided by Dan Gheorghitza 2715 - New Chinese language file (gb2312 encoding), provided by Crocodile King 2716 - New Czech language file, provided by Hermes Trismegistos 2717 2718 2719 January 13, 2003 (1.3.7sr1) 2720 ---------------- 2721 2722 Security issues: 2723 2724 1. Javascript code could be used in the homepage link of a user's profile 2725 (reported by Jin Yean Tan). 2726 2. Javascript code could be injected in several URLs so that these could then 2727 be used for a cross-site scripting attack (reported by Jin Yean Tan). 2728 3. Anybody could delete comments, provided they knew the comment id. 2729 4. A StoryAdmin could manipulate any story, even if permissions should have 2730 prevented that. The same applied to Admins for links, events, polls, topics, 2731 and blocks (reported by Kobaz). 2732 2733 - The new user notification email was always sent out, even if 'user' was not 2734 listed in $_CONF['notification']. 2735 - In admin/database.php, added a check to test if function is_executable() is 2736 available (since it is not available on Windows). 2737 - {copyright_notice} in the site's footer (footer.thtml) will now use the 2738 current year for the copyright notice. You can override this by setting 2739 $_CONF['copyrightyear'] to the year you want. 2740 Also, new variables {lang_copyright} and {current_year} as well as {site_name} 2741 and {site_slogan} are now available in footer.thtml so that you can build a 2742 customised copyright notice from them. 2743 - Fixed incomplete links to search results from poll comments. 2744 - Fixed wrong link to the week view from the last week of the month view. 2745 - Fixed bug where links was not using the date field - being stored as null. 2746 - Fixed image resizing when using ImageMagick. 2747 - Added the actual and max. image dimensions in the error message that is 2748 displayed when an image exceeds the max. image dimensions and no imagelib 2749 is configured. 2750 - The Admin menu will now be displayed for users which have Admin access to 2751 a plugin but not to a core Geeklog Admin feature. 2752 - The redirect in index.php (when a site is called up with a URL other than 2753 the one configured in $_CONF['site_url']) now checks for the existence of 2754 $HTTP_SERVER_VARS['HTTP_HOST']. Also, the server name comparison is done 2755 case-insensitive now. 2756 - New config option $_CONF['emailstoriesperdefault']: Set to 1 if new users 2757 should be subscribed to the daily digest automatically. Defaults to 0 (no 2758 automatic subscribtion), thus restoring the behaviour of Geeklog prior to 2759 1.3.7. 2760 - Removed some unused / outdated files (include and etc directories) 2761 - Updated URLs to point to www.geeklog.net and lists.geeklog.net instead of the 2762 now outdated places on Sourceforge. 2763 - Updated Dutch language file, provided by R.F. van der Veen 2764 - New Danish language files (for Geeklog and for the Static Pages plugin), 2765 provided by Steen Broelling 2766 2767 2768 December 16, 2002 (1.3.7) 2769 ----------------- 2770 2771 - In all Admin editors, the hard-coded default group permissions have been 2772 changed from 3 (read/write) to 2 (read-only). 2773 - Make sure an error message is displayed when a StoryAdmin tries to edit a 2774 story s/he does not have access to. 2775 - Hide topics from the Admin's list of stories that the current (Story)Admin 2776 has no access to. 2777 - Tom Willet found a problem in admin/user.php that sometimes mangled user 2778 names, especially on sites hosted on sourceforge.net. 2779 - Fixed an SQL error when using single quotes in a block title. 2780 - When updating events in the master calendar, make sure copies of such events 2781 in the personal calendars are updated as well (including deleting them when 2782 the original event is removed from the master calendar). 2783 - Fixed PRIMARY KEY for table personal_events, so that more than one user can 2784 add an event to his/her personal calendar. 2785 2786 - New Hellenic (Greek) language file, provided by Access-=-Denied Networks 2787 - New Spanish language file, provided by LeChuck 2788 - Updated Polish language file, provided by Robert Stadnik 2789 - Updated Italian language file, provided by quess65 2790 - Updated Japanese language file, provided by Yusuke Sakata 2791 2792 2793 December 3, 2002 (1.3.7rc1) 2794 ---------------- 2795 2796 - Modifed savesubmission() to better handle Plugin return - Bug ID 642106 2797 - Modified Comment Plugin API Comment call - PLG_handlePluginComment now passes 2798 $operation to indicate a 'save' or 'delete'. 2799 - Fixed problems with the portal.php redirect for links (bug #579221). 2800 - Fixed a problem when uploading images with certain versions of Opera. 2801 - When deleting a topic, also remove stories for that topic from the submission 2802 queue. 2803 - Added a redirect in index.php when the site was called up with the "wrong" 2804 URL (i.e. not the one that has been set in $_CONF['site_url']), thus 2805 fixing the "www vs. non-www" problem where people showed up in Who's Online 2806 but did not get the User Functions block. 2807 - The topic selection in the daily digest now defaults to "on" for all topics, 2808 i.e. when the daily digest is activated ($_CONF['emailstories'] = 1) and 2809 a user has not selected any topics yet, s/he will receive a digest for all 2810 topics. This ensures that new topics are automatically added to the daily 2811 digest (bug #573305). 2812 - Fixed a permission problem with the daily digest where users could get a 2813 digested version of a story they didn't have access to. 2814 - Fixed permission problems in the statistics where story titles, links, and 2815 events where listed even when the current user did not have access to them. 2816 - Added the Top Ten Links to the links page (only when links are displayed 2817 per category). 2818 - When sending emails, Geeklog now uses \r\n in the mail headers which should 2819 resolve problems under Windows. 2820 - Resolved a couple of stripslashes() issues. 2821 - The static pages plugin can now be uninstalled using the "delete" option 2822 from the plugin editor. Note that this will only remove the plugin's tables 2823 and data from the database, not remove any files. 2824 - Added a simple email notification when a new story, link, or event has been 2825 submitted or a new user has registered. See $_CONF['notification'] for details 2826 - Added a separate set of config variables for the max. dimensions of user 2827 photos ($_CONF['max_photo_width'] etc.). 2828 - Fixed a problem when resizing GIF images using the netpbm tools. 2829 - Check the topic permissions when presenting a list of topics in the Admin 2830 story editor (since the StoryAdmin may not have access to all topics). 2831 - Removed the Normal / Archive / Refreshing drop down menus from the admin 2832 story and poll editors since they're not used anyway. 2833 - In the links section, do not display link categories when the current user 2834 does not have access to the links in those categories (bug #612869). 2835 - Fixed problems when using quotes in the title of an HTML-formatted comment 2836 (including confusing error messages and wrong speed limit alerts). 2837 - Changed the way how Geeklog checks if it's currently displaying the site's 2838 front page, thus fixing the problem with disappearing "homeonly" blocks. 2839 - Fixed double line spacing in HTML-formatted comments and [code] sections when 2840 running on PHP 4.2.0 and up. 2841 - Fixed problems with slashes and HTML entities in emails sent out by Geeklog 2842 (Send story to friend, daily digest, Admin mail utility). 2843 - Added new config variable 'showfirstasfeatured' which, when set to 1, will 2844 render the first story on _any_ page like it was a featured story. 2845 - Added admin/plugins/newpluginlist.thtml and newlistitem.thml template files 2846 for the list of plugins not installed yet. These files are optional, i.e. 2847 the list will be formatted using hard-coded HTML when they don't exist. 2848 - Removed unused template file admin/plugins/installform.thtml. 2849 - The plugin menu will now list all plugins which exist in the file system 2850 but haven't been installed (yet) with a link to their install script for 2851 easy installation (based on code provided by Blaine Lang). 2852 - New plugin API function PLG_callCommentForm() and improvements for the use of 2853 comments in plugins, provided by Blaine Lang. 2854 - The Older Stories block did not take stories into account which were to be 2855 published in the future. Therefore, the block sometimes listed stories that 2856 were still on the first index page. 2857 - Added variable {contributedby_photo} (user photo of story author) for use in 2858 story templates. 2859 - Users couldn't disable display of the Older Stories block in their preferences 2860 - The contents of the Older Stories block was deleted whenever you changed it 2861 (e.g. moving it from the left to the right column). 2862 - The static pages editor displayed a blank page when the title and/or content 2863 field of a new static page were not filled in (will display an error message 2864 now). 2865 - Implemented fixes for plugins using the submission queue, suggested by 2866 Vincent Furia. 2867 - Following the link "X stories in last 24 hours" from the What's New block 2868 will now display only the new stories on the index page. 2869 - When $_CONF['searchloginrequired'] = 2, the search is completely blocked 2870 for anonymous users (1 will only block the advanced search). 2871 - Added a check to test for a valid date format when searching by date. 2872 - Added $_CONF['skip_preview'] to allow submission of comments and stories 2873 without previewing (defaults to off). 2874 - Search queries with less than 3 characters are now rejected to reduce server 2875 load. 2876 - (Event)Admins couldn't add events directly to their personal calendar 2877 (found & fixed by Kenn Osborne). 2878 - Fixed a nasty bug in SEC_inGroup() (in lib-security.php) that let a user 2879 admin change the password of a root user, so that effectively every user 2880 admin could become a root user ... 2881 - Topics are now sorted alphabetically by the topic name instead of by topic id. 2882 - Added several new variables which can be used in the story template files. 2883 - New config options $_CONF['dateonly'] and $_CONF['timeonly'] which hold the 2884 format string for day + month (to be used in the Upcoming Events and Older 2885 Stories blocks) and the time (to be used for event details). 2886 - Fixed calls to unknown function printErrorMsgs in the file upload class. 2887 - New options in config.php: 2888 $_CONF['upcomingeventsrange'] = no. of days to look ahead for upcoming events 2889 $_CONF['emailstoryloginrequired'] = disallow "send story be email" for 2890 anonymous users 2891 $_CONF['hideemailicon'], $_CONF['hideprintericon'] = hide email / printer 2892 icon from stories (and from Story Options block) 2893 $_CONF['hidenewstories'], $_CONF['hidenewcomments'], $_CONF['hidenewlinks'] = 2894 hide new stories / comments / links from What's New block 2895 - User photos are now resized according to the image dimensions in config.php 2896 (if an imagelib is configured - otherwise images exceeding those dimensions 2897 are rejected). 2898 - Added a check for the proper permissions on the admin page of the Static 2899 Pages plugin. 2900 - Plugins can now return "false" (or an empty array) from 2901 plugin_cclabel_<plugin-name> so that the plugin's icon does not show up 2902 in moderation.php if the user does not have the proper access rights for the 2903 plugin. Changed the Static Pages plugin to do exactly that. 2904 - Fixed problems when using multiple [code] ... [/code] sections. 2905 - PHP blocks which return an empty string are not displayed any more. This 2906 allows PHP blocks to "hide" themselves. 2907 - Searching for links caused an SQL error on installs that were upgraded 2908 from Geeklog 1.1 (missing "date" field in links table). However, links don't 2909 use that field anyway, so searching by date was removed (the "date" field 2910 will be added when upgrading the database to 1.3.7). 2911 Also, the search results are now sorted by link title. 2912 - The calendar displayed an empty last week (in month view) for some months, 2913 e.g. November 2002. 2914 - COM_pollResults() will not use the side block templates when called from 2915 pollbooth.php (thus allowing different block layouts for the poll results 2916 in a side block and in pollbooth.php). 2917 - Allow for theme-based topic icons by using the $_THEME_URL variable as the 2918 base directory for topic icons (if that variable is set). 2919 - Fixed display (or lack thereof) of $ signs in portal blocks. 2920 - lib-common.php didn't use $_CONF['path_language'] to include the default 2921 language file. 2922 - What's Related block 2923 + content is now set for all user submitted stories (previously, links where 2924 only added in stories submitted by the Admin or user submissions edited by 2925 the Admin) 2926 + block is not displayed when it's empty 2927 + now uses COM_makeList() (i.e. the list.thtml and listitem.thtml template 2928 files) instead of hard-coded <li> tags 2929 - The What's Related and Story Options blocks can now be used independent of 2930 each other in the article/article.thtml template file - use {whats_related}, 2931 {story_options} or {whats_related_story_options}. 2932 - Theme authors can now use the $_BLOCK_TEMPLATE "hack" for the What's Related 2933 and Story Options blocks as well (using 'whats_related_block' and 2934 'story_options_block' as the block names). 2935 - Fixed the "noboxes" feature where all blocks (with the exception of the 2936 section, login / user functions, and admin blocks) are hidden. 2937 - Changed admin/link/listitem.thtml so that the URLs in the Admin's list of 2938 links are clickable. 2939 - Fixed an SQL error when calling search.php and there were no stories and no 2940 comments in the system. 2941 - Fixed an SQL error in the user profile when there were no stories and no polls 2942 in the system. 2943 - Fixed date bug when previewing stories to be posted around the noon hour in 2944 the admin story editor. 2945 - Added sanity checks in admin/story.php to prevent possible loss of stories 2946 when using an incomplete language file (or manipulating the URL). 2947 - Fixed a variable in admin/plugins/editor.ththml of the Smooth Blue theme. 2948 - Fixed a typo and a grammatical error in english.php 2949 - Fixed problems with the "static page as frontpage" hack: 2950 + will now check if the static pages plugin is installed and enabled 2951 + uses sp_format (i.e. display blocks as specified in the static pages editor) 2952 + added a missing stripslashes() call 2953 New: When you have $_SP_CONF['in_block'] == 1 and the label of the static 2954 page is neither empty nor "nonews" then that label is used as the block title 2955 for the static page. 2956 - The "userevent" table is back in lib-database.php. Geeklog doesn't use this 2957 table any more, but the name is needed when upgrading from old versions. 2958 2959 Localisation: 2960 - New Chinese language file (Big 5 encoding), provided by Jacky Chan 2961 - New Swedish language file, provided by Markus Berg 2962 - Updated Dutch language file, provided by R. F. van der Veen 2963 - Updated French language file, provided by Florent Guiliani 2964 - The German language file now uses the proper national special characters 2965 (umlauts) instead of HTML entities. 2966 _ New Polish language file for the Static Pages plugin, provided by Robert Stadnik 2967 - New Spanish language file for the Static Pages Plugin, provided by gorka 2968 2969 2970 September 20, 2002 (1.3.6) 2971 ------------------ 2972 - Images in stories can now be resized automatically during upload, provided 2973 you have either ImageMagick or netpbm installed. See the image settings in 2974 config.php for details. 2975 - If you create a static page with the title "Frontpage" then the content of 2976 this static page will be displayed above the first story on the front page 2977 of your site. If you additionally set the label of this static page to 2978 "nonews", then the static page will completeley replace the news on the front 2979 page of your site. 2980 You may want to wrap static pages in a block - set $_SP_CONF['in_block'] = 1; 2981 in /path/to/geeklog/plugins/staticpages/config.php 2982 - A user assigned only to the Mail Admin group wasn't able to use the "Mail 2983 Users" function. 2984 - The filter to disable Javascript onXXX events also changed certain links in 2985 HTML postings. This should be fixed now. 2986 - The poll uses a POST instead of a GET request now to at least prevent 2987 primitive manipulation attempts ... 2988 - Events on the same day were displayed in the order they were entered, not 2989 in the order they were scheduled (occured in day, week, and month view). 2990 - The user function and admin blocks weren't using the proper templates when 2991 the theme was using the $_BLOCK_TEMPLATE trick, as outlined in 2992 <http://www.geeklog.net/article.php?story=20020429092841722>. 2993 - When the first character of the content of a block is a '<' it is now 2994 assumed that the block contains HTML and nl2br() is not applied to the 2995 block content. This allows proper HTML usage and even the use of Javascript 2996 in blocks. 2997 - Sanity checks have been added to the admin editors (including the editor 2998 for static pages) to prevent possible damage to the database in case of 2999 incomplete translations (language files) or invalid IDs. 3000 - The delete button in the plugin editor, which was unused since the removal 3001 of the automated plugin install (in Geeklog 1.3.4), will now cause a function 3002 plugin_uninstall_<plugin name> to be called. This allows plugins to uninstall 3003 themselves (if possible). 3004 - The author's name was missing from emailed stories. Also changed it so that 3005 the author's name is only included when $_CONF['contributedbyline'] == 1. 3006 The daily digest now also includes the author's name. 3007 - Fixed the "1054: Unknown column 'deleted' in 'where clause'" SQL error that 3008 some people were getting when logging out. 3009 - Submitted stories will now pick up the permissions from the topic they were 3010 posted under (instead of using default permissions). 3011 - Added new features story.submit, link.submit, event.submit which, when 3012 assigned to a group, allow members of that group to post directly (skipping 3013 the submission queue) even when the submissione queue is active. 3014 - Fixed issues with backslashes in block titles, as suggested by Neil Darlow. 3015 - The page navigation is now wrapped in a <div class="pagenav"> so that it 3016 can be formatted by a theme using CSS. 3017 Because of this change, the template files admin/user/userslist.thtml and 3018 links/links.thtml had to be changed, because they wrapped the page navigation 3019 in a <p>. 3020 - Submission of links and events by anonymous users failed when the link 3021 submission queues were switched off. 3022 - Anonymous users were able to submit comments even when $_CONF['loginrequired'] 3023 was set to 1. 3024 - Fixed a search bug introduced in 1.3.6rc1 when searching by author. 3025 - When updating from an earlier version, the install script will no longer try 3026 to rename the staticpage table when no prefix is used in the database. 3027 - PLG_getUserOptions() will no longer return empty menu options. 3028 - Updated Italian language file, provided by quess65 3029 - Changed some wording in the German language file 3030 - Fixed spelling errors in the English language file 3031 3032 3033 August 28, 2002 (1.3.6rc1) 3034 --------------- 3035 - Problems with using the dollar sign in stories, comments, and their titles 3036 have been fixed. 3037 - Fresh installations now have a "Are you secure?" block pre-installed 3038 that only the Admin can see and which does some (very simple) tests whether 3039 the site is secure or not. 3040 - Fixed the page navigation in (admin's) user list. 3041 - Using the preview in the admin story editor will now keep the topic icon 3042 and the time will not revert from pm to am any more. 3043 - The links section now includes a list of the link categories at the top. 3044 The list of links is now also separated into pages (10 links per page by 3045 default, configurable in config.php). 3046 To get back the old (pre-1.3.6) style of the links section, just set both 3047 $_CONF['linkcols'] and $_CONF['linksperpage'] (in config.php) to 0. 3048 These changes are based on code provided by Tom Willett. 3049 - Fixed the SQL syntax for some requests ("count(*) AS count" instead of 3050 "count(*) count") which seems to have caused problems with some (older) 3051 versions of MySQL. 3052 - A proper error message is now displayed when attempting to use "Mail Users" 3053 but not filling out all the fields. 3054 - Editing a portal block shouldn't make it disappear any more ... 3055 - The somewhat random order of poll answers has been fixed. 3056 - The site can be disabled by setting $_CONF['site_enabled'] = false; in 3057 config.php. $_CONF['site_disabled_msg'] can either contain a message to be 3058 displayed in that case or a URL (has to start with http:) to which all 3059 requests will be redirected. 3060 - Fixed various access rights / privacy issues where users could see (but 3061 not access) information even when they shouldn't ... 3062 + Search returns only those stories, comments, links, and events to which the 3063 user has the proper access rights 3064 + What's New block counts stories and comments according to access rights 3065 now (this should also fix the problems some people had when New Comments 3066 were not displayed for anonymous users). New Links also take access rights 3067 into account. 3068 + Upcoming events are only visible to those with the proper rights. 3069 + Topics are not available for submissions without proper rights. 3070 + Topic selection in the user preferences also follows access rights. 3071 + "Last 10 comments" (and the new "Last 10 stories too, of course) in profile 3072 takes proper rights into account 3073 - Story display and paged navigation weren't working properly when some stories 3074 were only accessible to certain users. 3075 - Fixed a bug where users weren't able to use the site when their theme had 3076 been removed (until they cleared their cookies). 3077 - New installations now have only two default accounts: The Admin account (as 3078 before) and a Moderator account that has access to the story, links, and 3079 events submission queues. 3080 - The Older Stories block should work again. 3081 - The submission queues for stories, links, events, and users can now be 3082 switched off separately (in config.php), i.e. items submitted by users will 3083 then be visible to everybody immediately. 3084 - The database backup is more verbose now, especially when there are problems 3085 (changes provided by Blaine Lang). 3086 - Fixed a bug where the admin's user photo overwrote a user's photo when the 3087 admin was editing the user's account information. 3088 - Group editor: 3089 + Could not create new groups when using a non-english language file. 3090 + Once you've added one group to another (by checking off an option from 3091 the "Security Groups" list), there was no way to uncheck it again. 3092 + The message after saving/deleting a group said that the topic(!) had been 3093 saved/deleted ... 3094 - Changes in search: 3095 + Should be faster now. 3096 + Search by date did not work (mostly because the date format recommended to 3097 be used in a search is really YYYY-MM-DD and not MM-DD-YYYY). 3098 + List of authors is now sorted by username. 3099 + Search results for links are now routed via portal.php, too, so that the 3100 links are counted when clicked. 3101 + When no results are returned for a search, then the search form will now 3102 be displayed below that message again. 3103 - The static pages plugin uses the table prefix now (databases created with 3104 Geeklog 1.3.5 or older need to be upgraded). 3105 - A user submission queue has been added. When activated in config.php 3106 ($_CONF['usersubmission'] = 1;), new users will not get their password 3107 emailed until they are approved by an admin. 3108 You can, however, let users from certain domains be approved automatically 3109 by adding their domain names to the comma-separated list of domains in 3110 $_CONF['allow_domains']. 3111 - Fixed problems with quotes in poll question and answers. 3112 - The default value for the number of stories per page for a new user is now 3113 taken from $_CONF['limitnews'] (was hard-coded to 10). 3114 - The user profile has been extended to include 3115 + last 10 stories by that user 3116 + total number of stories and comments posted by that user 3117 + link to search for all postings by that user 3118 - The title of an article is now displayed in the page title (again). 3119 - New configuration option $_CONF['allow_user_language'] to allow / prevent 3120 to change the language. When set to 0, the option to switch the language 3121 is hidden from the user preferences. 3122 - The message "You have successfully logged out" should not show up any more 3123 when you log out and log in again. 3124 - The blocks stating that the search returned no results (e.g. for links) are 3125 now switched off by default but can be switched on again with the new 3126 configuration variable $_CONF['showemptysearchresults']. 3127 - Fixed the list of authors in the search form (did not list all authors). 3128 - Fixed search results for links and events: They always displayed only one 3129 result, even when there where more hits. Also, when searching for authors, 3130 no hits amongst the links and events will be returned (since they have 3131 no author). 3132 - In the admin menu, the count of available submissions is now displayed 3133 according to the admin's access rights (e.g. don't count story submissions 3134 for someone who's only a link admin). 3135 - Links in the What's New block are now counted when clicked (for the site 3136 statistics). 3137 - Fixed a stray "(N/A)" that would show up in the admin menu for admins which 3138 were not static pages admins. 3139 - You can now block anonymous users from accessing any part of a Geeklog site 3140 or you can block them from certain parts, e.g. block anonymous access to the 3141 calendar (via a new set of XXXloginrequired flags in config.php). 3142 Please note that $_CONF['loginrequired'] is now used to require login to all 3143 areas. To require login for submissions, use $_CONF['submitloginrequired']. 3144 - New RDF/RSS parser, provided by Roger Webster. This should now properly 3145 import even those RDF feeds which Geeklog previously refused to display. 3146 - Updated language files: 3147 + Italian, provided by quess65 3148 + Japanese, provided by Yusuke Sakata 3149 + Polish, provided by Robert Stadnik 3150 - Various fixes for the consistent use of $_CONF['site_admin_url'] instead of 3151 $_CONF['site_url']/admin, provided by Gene Wood. 3152 - The static pages plugin can now wrap static pages in a block 3153 (available as an option in staticpages.cfg) 3154 - You can now use [code] ... [/code] in stories and comments (HTML formatted 3155 only) to mark portions of the text as containing code of any form (HTML, PHP, 3156 any other programming language). Geeklog will then reproduce this section 3157 verbatim, i.e. not interpreting any special characters in that section. 3158 - Fixed type pulldown menu in search when more than one plugin was used. 3159 - Signatures in comments are working again. 3160 - The daily digest uses $_CONF['shortdate'] now 3161 - New configuration variable $_CONF['emailstorieslength'] to specify the length 3162 of stories sent in the daily digest: 0 = only the title and a link to the 3163 story are included, 1 = entire introtext is included (default), any other 3164 number = cut off text after that amount of characters. 3165 - The selection of the user theme is now hidden from the user's preferences 3166 when 'allow_user_themes' is turned off in config.php 3167 - The links "Add To My Calendar" are now hidden when personal calendars are 3168 turned off in config.php 3169 - Fixed a bug where the number of submissions was displayed in the sections 3170 block even when that was turned off. 3171 - New variable $_CONF['adminhtml'] allows (Story)Admin to use a wider variety 3172 of HTML tags than the ordinary user. 3173 - Fixed COM_exportRDF so that only articles that anonymous users have access to 3174 show up. 3175 - Search: User drop down only shows users that have posted a comment or a story. 3176 - Fixed bug with double quotes in title of story submission. 3177 - The upcoming events block uses the list templates now. 3178 - The story option block uses the list templates now. 3179 - The (Event)Admin could not delete events (delete button was missing). 3180 - The calendar class reverted to using the english day and month names as 3181 soon as you called setCalendarMatrix(). 3182 - Added {edit_link} in story templates in Classic theme. 3183 - All admin editors have the save / cancel / delete buttons at the bottom now. 3184 - The link to the plugin homepage did not work from the plugin editor. 3185 - Added $_CONF['default_charset'] in config.php and $LANG_CHARSET in the 3186 language files to specify a character set to be used for the web pages (use 3187 {charset} in header.thtml) and email sent by Geeklog. 3188 - Changes in the themes and the admin editors, moving lots of hard-coded 3189 english texts to the language files. 3190 This affects most of the files in the admin and calendar directories within 3191 the themes directories. 3192 - The static pages plugin will now pick the language automatically, based on 3193 the user / default setting for the language. Currently, only English and 3194 German language files are included. 3195 - New variables that can be used in footer.thtml: {execution_textandtime}, 3196 {powered_by}. 3197 3198 3199 July 8, 2002 (1.3.5sr2) 3200 ------------- 3201 - New installation instructions (now back in docs/install.html). 3202 Please note that some of the other documentation may be out of date ... 3203 - Display of stories in older stories block was off by one day. 3204 - Number of guest users in Who's online block should now be reset properly. 3205 - Added some scripts in admin/install to help with the installation: 3206 + info.php just does a phpinfo() 3207 + check.php will check the file and directory permissions 3208 + configinfo.php will display the contents of config.php 3209 Note: It is now even more important that you remove the install directory 3210 after the installation went through (or at least block read access to this 3211 directory). 3212 - Disable all onXXX Javascript events in HTML postings (stories and comments). 3213 - Fill in user name and email address when writing an email to a user (via 3214 the 'send email' form from the user profile). 3215 - Make sure that the first comment to a story has the 'title' field filled in 3216 (previously, only comments to comments took over the title). 3217 - Cut off the subject at the first linefeed when sending email to a user, 3218 thus preventing the injection of additional email headers. 3219 - Added a test for register_globals=off in the install script (and display a 3220 warning if it is off). Also added a hint what the current path is and tries 3221 to guess the /path/to/geeklog. 3222 - Fixed the "12pm bug": Posting a story between 12 and 1 pm would result in 3223 the story being posted with a date in 1969. 3224 - Use mysql_connect() instead of mysql_pconnect() in MySQL class. 3225 - The redirect after submitting a story always went to /index.php 3226 - HTML tags are now stripped out of search queries. 3227 - Removed the logging of all search queries to error.log. 3228 - Fixed a wrong link from personal events in the upcoming events block. 3229 - The "Home" link in the section block was not active on pages > 1. It was, 3230 however, always active on the home page when the Geeklog site was not 3231 located in the DocumentRoot. 3232 3233 3234 June 10, 2002 (1.3.5sr1) 3235 ------------- 3236 - This release addresses security issues recently discovered by the people at 3237 olympos.org. These issues allow for the injection of malicious javascript 3238 code (which could be used to access the admin's cookie) and the injection 3239 of MySQL code which could be used to access and even damaged the database 3240 (under certain circumstances). Details will be available in a report on 3241 the Bugtraq list shortly after this release is out. 3242 - The following bugs from the 1.3.5 release have also been fixed: 3243 + missing field 'emailfromadmin' in userprefs table (fresh installs only) 3244 + fixed a typo that prevented the page navigation from working 3245 + fixed batch user import 3246 + fixed logo size and path to search in XSilver theme 3247 + optimized size of image files in XSilver theme 3248 + fixed path to search in Clean theme 3249 3250 3251 April 24, 2002 (1.3.5) 3252 -------------- 3253 - Change installation so that server configuration is manual, DB configuration is scripted 3254 - Search page now properly generates the right link to search comments 3255 - Comments to polls now show up in whats new block 3256 - You can now specify the order the poll results show up in in config.php. You can either sort by 3257 voteorder (highest number of votes -> lowest) or by the order they were saved in admin/poll.php 3258 - You can now move /admin somewhere else in web tree. This should help out folk where ISP's use /admin 3259 for their administration stuff. 3260 - if you go to submit.php as an admin we will try to send you to the admin/ page for the type of thing you 3261 are trying to submit (e.g. story, link, event) 3262 - fixed calendar.php so month view now shows events spanning multiple days on months other than the current 3263 - admin/event.php now saves am/pm and allday properly 3264 - PollAdmin group can now properly add a new poll. 3265 - fixed SEC_getUserGroups() so that it always returns an array even if no groups are returned (e.g. 3266 empty array 3267 - fixed moderation.php so post mode is saved properly from storysubmission to story table. 3268 - killed 1064 bug in admin/event.php 3269 - set error_reporting() so uninitialized variables don't show up (common in poorly configured PHP installs) 3270 - gldefault blocks now actually use permissions assigned to them in admin/block.php 3271 - Added all sorts of shit to english.php. Translators will need to really take their time 3272 with this file. 3273 - Added $_CONF['maximagesperarticle'] to config.php 3274 - install.php was reworked a bit for upcoming release 3275 - lib-common.php has changed. can't even begin to note all the changes there 3276 - admin/user.php has a very simple batch import utility. You can now create multiple 3277 accounts by importing a tab-delimited file. See that page for file format specs 3278 - story.php was reworked a bit to be simplified and to correctly do paging (old 3279 paging feature had a bug where one article would never show up. 3280 - admin/user.php now allows for paging and searching. Check it out, you'll see what I mean ;-) 3281 - blocks can now be disabled in admin/block.php 3282 - added support for images in articles 3283 - complete overhauled upload.class.php for ease of use, better security, better logging 3284 and for use in putting images in articles. 3285 - fixed bug in users.php that allows accounts with same email addresses yet different 3286 usernames to be created. 3287 - New strings in english.php (and german.php): 3288 $LANG02: 15 (moved from calendar_event.php) 3289 $LANG04: 74, 75, 76 (moved from usersettings.php) 3290 $LANG08: 31, 32, 33, 34 (moved from lib-common.php) 3291 These strings need to be added to the other language files! 3292 - Fixed user selection of emailed topics (usersettings.php) and removed the 3293 hard coded texts for the daily digest from lib-common.php (again). 3294 - Slightly changed display of event block: The type of event is no longer 3295 underlined and the event date is displayed as 03-Apr etc. 3296 - Added Russion Translation 3297 - Fixed bug #531483 where $_CONF['commentsloginrequired'] was set to 'on' or 3298 'off' instead of '1' or '0'. 3299 - Fixed bug #529621 and added the variable layout_url in COM_endBlock in 3300 lib-common.php 3301 - (Sort of) fixed bug #530142: {geeklog_blocks} is now set to an empty string 3302 in lib-common.php 3303 - Fixed bug #531018: {contributedby_use} had an 'r' too many in lib-common.php 3304 - There have been lots of minor changes in the themes so that they now contain 3305 valid HTML. Nearly all those change fall into one of the following categories: 3306 + changed '&' in URLs to '&' 3307 + added alt="" to <img> tags 3308 + changed the script tags to <script type="text/javascript"> 3309 + changed the DOCTYPE to HTML 4.01 (there is a bug in the HTML 4.0 3310 specification which prevents the use of 'name' attributes in forms). 3311 + added '#' signs in front of colour values (mostly in the Classic theme) 3312 These kinds of changes have also been applied to index.php and lib-common.php 3313 - During those changes for valid HTML, some typos were corrected: 3314 + Classic/header.thtml: added a missing <b> before {welcome_message} 3315 + Classic/storytext.thtml: added a missing 'n' in {end_contributedby_anchortag} 3316 + Yahoo/header.thml referred to a non-existent file "spec.gif" 3317 + Yahoo/footer.thml: there was an extra quote after align="right" 3318 + Digital_Monochrom/admin/plugins/editor.thml: file was missing - copied 3319 over from the Classic theme) 3320 + Digital_Monochrom/footer.thtml: added a missing ';' after   3321 - admin/install/install.php had two <body> tags but was missing the </head> 3322 3323 March 7, 2002 3324 ----------------- 3325 - Fixed broken older stories block (lib-common.php) 3326 - Fixed problems with saving rights to a group in admin/group.php (admin/group.php) 3327 - Fixed bug in admin/user that would reset user's settings when admin made a change (admin/user.php) 3328 - Fixed bug in index.php. There were two FOR loops, one nested inside the other both interating 3329 on the variable $i. This caused problems only for users who went into display preferences and 3330 selected only the topics they wanted to get articles for (index.php) 3331 - Fixed bug in story admin that would prevent the date edit from prepopulating right when admin hit 3332 the preview button (admin/story.php) 3333 - Modified admin/plugin.php to reflect change in how plugins are installed. Because of platform 3334 dependance issues, all plugins will have a simple but manual installation process. This should 3335 work across all platforms. (admin/plugin.php, layout/Yahoo/admin/plugins/pluginlist.thtml, 3336 layout/Classic/admin/plugins/pluginlist.thtml, layout/Digital_Monochrome/admin/plugins/pluginlist.thtml) 3337 - Alter the database to force all stories to show on the frontpage by default. This will make the 3338 moderation of articles work as expected. Before if you approved an article it would show up only 3339 in the topic and not on the frontpage (mysql_tableanddata.sql, table.sql, mysql_1.3.3_to_1.3.4.sql) 3340 3341 March 1, 2002 3342 ----------------- 3343 - Admins can now manually edit the publish date of an article. This include the ability 3344 to set the date for a time in the future. In that case the article is completely 3345 ignored by COM_exportRDF, stats.php, search.php and the email digest 3346 - Rudimentary support for database backups (one per day at most). There is no restore 3347 capability at this time. 3348 - Modified the display preference so we store the blocks a user doesn't want to see instead 3349 of the ones they do want to see. This will allow any new block to show up by default as 3350 expected. 3351 - Removed hardcoded english from COM_emailUserTopics 3352 - Fixed minor security bug with whats new block. It would display items the user didn't have access too (however, if they click them they would correctly get the access denied message) 3353 - Topic administration page now default the group to 'Topic Admin' properly 3354 - Topic administration now save anonymous permissions properly 3355 3356 February 22, 2002 3357 ----------------- 3358 - Removed some outdated themes (hence the 1.3.2-1 version number) 3359 3360 February 22, 2002 3361 ----------------- 3362 - Added Canadian French, German and Polish translations 3363 - Fixed bug that kept front page with multiple polls from working right 3364 - Added missing help field to block table 3365 - Added block to usersettings where user can pick topics to receive articles for in an 3366 email digest 3367 - Fixed bug with the contact link in the header of some themes 3368 - Fixed bug that caused the admin block to disappear 3369 - Fixed bug that caused save of story as admin to go to http://someurl/draft_flag 3370 - Fixed bad relative paths in calendar 3371 - block type now defaults properly when showing prepopulated data 3372 3373 January 11, 2001 3374 ----------------- 3375 - Two security fixes, one major one. This release addes a users MD5 password to a cookie that is checked when using the permanent cookie. Prior to this you could change the permanent cookie to any user and get their access rights. Second security fix addresses an orphaned group_assignments record that, one new Geeklog installations, would give the very first user to register with the site access to the GroupAdmin and UserAdmin groups 3376 - In admin/block.php you can now specify the URL to a help file. This is usefully in providing site help to your users 3377 - Many bugfixes to the calendar in both the UI and the administration 3378 - Added who's online block 3379 - Fixed bug that was keeping users registration date from being saved. 3380 - Fixed bugs in usersettings.php that keep user options from saving 3381 - Added two database indexes that really speed things up 3382 - Coded some performance-related enhancements 3383 - Fixed bug that kept user-defined themes from working 3384 - Fixed bug in links.php that caused the first link category to report over and over 3385 - Started updating some of the documents 3386 3387 November XX, 2001 3388 ----------------- 3389 - Added user-defined themes via PHPLib's template class library 3390 - Update the Geeklog security model from numeric Security Levels to a *nix-like model that 3391 can be used by plugins 3392 - Added support for plugins. Plugins can be downloaded from http://geeklog.sourceforge.net and uploaded and installed remotely or manually 3393 - Updated most places where dates are used to use the user-defined format in their display preferences 3394 - Updated session management to use a long-term cookie that is fully configurable. If desired, users can specify how long their long-term cookie will persist for. 3395 - Update blocks so that admins can specify the side and order a block shows up on. 3396 - Seperated common.php into the following libraries: lib-database.php, lib-common.php, lib-sessions.php lib-security.php 3397 - Started moving Geeklog to use PHP's OO features with the addition of a timer class, a calendar class, a MySQL database class. 3398 - Fixed bug with output of Geeklog RDF file that allowed story drafts to be included. 3399 - Updated most of the codebase to use the Geeklog Coding Standard (a subset of the PEAR standard). 3400 3401 August 21, 2001 3402 ----------------- 3403 3404 - Updated configuration documentation 3405 - Added the ability for article author's username to be hidden (via 'contributedbyline' option in config.php) 3406 - Fixed a bug with the Google-like paging feature where it would only work if the GeekLog site was in the root dir 3407 - Fixed a bug which caused slashes to appear before apostrophes in the older stuff block and in the search results 3408 - Fixed overlapping/bad HTML in index.php and common.php 3409 - Fixed the bug in the sections block that showed submission cue numbers to non-logged in people 3410 - Added workaround for problem where users (after following link in e-mail after registration) would still see the login page after logging in 3411 - Created phrase IDs for previously hard-coded English in common.php and story.php 3412 - Fixed a bug which caused draft stories to be counted as new stories in the What's New block 3413 - Fixed a bug with the upcoming events block where it would only work if the GeekLog site was in the root dir 3414 - Stroked the cat 3415 3416 August 17, 2001 3417 ----------------- 3418 - Released 1.3b 3419 - Added in support for plugins and has been test for *nix and *should* work for windows 3420 - A few bug fixes 3421 3422 August 3, 2001 3423 ---------------- 3424 - Released 1.2.2 3425 - Added the ability for admins to save drafts of stories 3426 - Fixed a bug with in calendar_event.php when adding event to user calendar 3427 - Fixed a bug with the search bar in header.php 3428 3429 August 1, 2001 3430 ---------------- 3431 - Released 1.2.1 3432 - a few minor bug fixes 3433 - Added google-like paging feature 3434 - fixed all references to newsgeeks to point to geeklog.org 3435 - when you login when on users.php you are routed to index.php when successfully logged in 3436 instead of back to users.php 3437 3438 July 19, 2001 3439 ---------------- 3440 - Released 1.2 stable. 3441 - Added personalized calendars 3442 - Fixed a number of bugs from 1.2b 3443 - Fixed MySQL 3.23 incompatibility issues 3444 - Added alt_header.php which is the same as header.php minus the left hand side 3445 3446 May 29, 2001 3447 ---------------- 3448 3449 - Released 1.2b. Changes are below: 3450 -Fixed security error in usersettings.php with PGP key 3451 -Now allows posts that don't go to front page 3452 -Added new calendar 3453 -Whether the count of stories and submissions shows up in the Sections block is driven in config.php 3454 -Add ability to sort topics in Section block by number or alpha (specified in config.php) 3455 -Renamed header.inc and footer.inc to have the php extension to avoid letting nosy people see the code 3456 -Added field called limitnews to topics table. This is the same as limitnews in the config.php but applys to only that topic (i.e. you can control the number of stories that show up in each topic 3457 -changed userindex.maxstories to default to null. This is so that the order of precedence for the number for articles that show up will be 1) userindex.maxstories 2) topic.limitnews 3) $CONF["limitnews"] 3458 -added config variable called $CONF["minnews"] which specifies the minimum number of stories per page regardless of topic (i.e. it overrides topics.limitnews) 3459 -an anonymous user can now email a story to a friend and they can enter some text to accompany the message 3460 -fixed bug that allowed users to post comments to non-existent articles through article.php 3461 -added the Get Geeklog Articles in Your Mailbox feature. This is dependent on cron and a shelled php script. This can be turned off in the config file 3462 -session management has been improved 3463 -moved "appears on homepage" setting on poll administraction screen to the top of the form to 3464 keep from having to scroll down all the way. 3465 -Added messages to various user actions (i.e. notification that submission was sent, confirmation that user data was saved, etc) 3466 -Added Upcoming events block 3467 -Fixed MySQL 3.23 incompatibilities 3468 -added account creation date to user table along with other useful information (aim, yim, etc) 3469 -added email gl users/admins feature 3470 -fixed checkhtml function so that strings to gain extra spaces 3471 -added file custom_code.php. This is where admins should put all custom code (not addon code). GL admins should never touch common.php moving forward 3472 -added version checking system to let admins check for current version 3473 -added $CONF["OS"] for use by Geeklog Addons (Use PHP OS variable). It represents the operating system that Geeklog is running on and is useful for producing useful error messages should a user be trying to use an addon that is OS specific 3474 3475 3476 September 24, 2000 3477 --------------------------------------- 3478 3479 - Tar'ed it up and shipped 1.1 out the door! 3480 3481 September 24, 2000 3482 ----------------- 3483 3484 - Date in moderation now shows the correct 3485 submission date. 3486 - Maxstories now counts a feature as a story. 3487 - Saving user information now returns you the 3488 the edit screen. 3489 3490 September 18, 2000 3491 ----------------- 3492 3493 - Fixed comment post mode preview bug. 3494 - If a block is empty, it will not be displayed. 3495 - Fixed a user creation error. 3496 - Fixed the submission scripts to add and remove 3497 slashes in all the right places. 3498 3499 September 13, 2000 3500 ----------------- 3501 3502 - Added a limit check to index.php to ensure stories 3503 are displayed. 3504 - If block order is between 1 and 9 it is a default 3505 block. Anything greater than 9 will not be displayed 3506 without the user configuring thier settings for it. 3507 - Added bolding to the display preferences screen for 3508 default blocks. 3509 3510 September 12, 2000 3511 ----------------- 3512 3513 - If a user sets maxstories to less than 5, max stories 3514 will be 5. 3515 - If a story id and poll id are the smae they will 3516 share comments and the poll will be displayed on the 3517 stories article page. 3518 - Poll results box is now linked to comments. 3519 - Added stripslashes to the links description. 3520 - Made HTML the default posting format. 3521 - Updated the user authentication to address a login bug. 3522 - Added a 404 script. 3523 - Updated the admin user editor to create all the new 3524 user tables when creating a user. 3525 - Updated the What's Releated function to better parse 3526 for links. 3527 - Updated comment functions to update the comment counter 3528 more often. 3529 - Finished the addition of a "smart" style sheet! It will 3530 now format the font size according to the users browser 3531 an platform. 3532 3533 September 9, 2000 3534 ----------------- 3535 3536 - Updated some missing to language in english.php. 3537 Thanks to Hidekazu SHIOZAWA. 3538 - Updated the stats script. 3539 - Added post modes, the user can now select plain 3540 text or HTML. 3541 - Added user preferences for date format. 3542 3543 September 8, 2000 3544 ----------------- 3545 3546 - Fixed a few more issues surronding the 3547 $CONF["site_url"] placement. Thanks to Hidekazu SHIOZAWA. 3548 - Added sig to user accounts. 3549 - Added a system hit counter 3550 - Fixed a poll comment bug. 3551 - Comments can now be enabled on a per story basis. 3552 - Comments can now be enabled on a per poll basis. 3553 3554 September 7, 2000 3555 ----------------- 3556 3557 - Fixed the // uri issue. 3558 - Fixed a few issues surronding the $CONF["site_url"] 3559 placement in links. 3560 - Began work on new user customization system! 3561 - Index Configuration 3562 - Comment Configuration 3563 - Story Configuation 3564 - User Configuration 3565 - Fixed the link submission script so it now 3566 actually works. 3567 3568 September 6, 2000 3569 ----------------- 3570 3571 - Updated the email story to a friend to use the 3572 db widgets. 3573 - Fixed the "More by author" search links from the 3574 article page. 3575 - Fixed the article editor to be able to delete 3576 submissions. 3577 - Fixed translation issues by adding two more 3578 strings to english.php. Added $LANG01[61] and 3579 $LANG01[62]. 3580 - Fixed a formating error on the links page. 3581 - Fixed the admin user editor to allow blanking 3582 on non-essential fields. 3583 - Removed moderation option from config. If you 3584 want an unmoderated site there are better 3585 applications out there like UBB and FreeLinks. 3586 - Updated the user profile page to put all 3587 descriptors at the top of the cell for the 3588 about and PGP key boxes. 3589 - Updated INSTALL.HTML 3590 3591 September 5, 2000 3592 ----------------- 3593 3594 - Olderstuff() will now parse special charactors. 3595 - Fixed the admin story editor to properly parse 3596 the special charactors in the text for editing. 3597 - Fixed article() to stripslashes from the title. 3598 3599 September 4, 2000 3600 ----------------- 3601 3602 - Fixed a logout bug effecting Netscape users. 3603 - Fixed a change password bug effecting Netscape 3604 users. 3605 - Fixed references to speck.gif, spec.gif was 3606 referenced incorrectly. 3607 - Fixed the story submission to correctly 3608 record the user instead of Anonymous. 3609 - Added multiple previews when submitting a 3610 story. 3611 - Update to english.php 3612 - Updated the blockparser to use str_replace() 3613 instead of strtr(). The use of strtr() was 3614 causing issues on some platforms using 3615 earlier versions of PHP4. 3616 - Added a sample httpd.conf Apache configuration 3617 file to the distribution. 3618 - Updated INSTALL.HTML 3619 - Updated README 3620 3621 September 1, 2000 3622 ----------------- 3623 3624 - Fixed a bug in the database upgrade scripts. 3625 3626 RELEASE!!! 1.0!!! - August 29, 2000 3627 ------------------------------------ 3628 3629 - Tar'ed it up and shipped 1.0 out the door! 3630 3631 August 29, 2000 3632 --------------- 3633 3634 - Fixed a bug in the command and control center 3635 which didn't allow the display to be completely 3636 updated after a batch moderation. 3637 3638 August 28, 2000 3639 --------------- 3640 3641 - Completed the command and control center 3642 functionality. 3643 - Completed new search engine. 3644 - Fixed language display bug in story submission 3645 form. 3646 3647 August 27, 2000 3648 --------------- 3649 3650 - Fixed a login bug that occoured under FreeBSD. 3651 3652 August 26, 2000 3653 --------------- 3654 3655 - Fixed a bug that allowed anyone logged in to 3656 delete a comment. 3657 3658 August 22, 2000 3659 --------------- 3660 3661 - Fixed a nasty delete everything bug with the 3662 link editor. 3663 - Continued with search engine update. 3664 3665 August 21, 2000 3666 --------------- 3667 3668 - Fixed a bug with the link counter. 3669 - Reworked the olderstuff block. 3670 - Updated the search engine. 3671 - Fixed the speed limit warnings so they show the 3672 number of seconds since the last post. 3673 - Updated the index page to show date of last 3674 comment. 3675 3676 August 20, 2000 3677 --------------- 3678 3679 - Cleaned out now defuct class settings. 3680 - Comments can now be set to force login to post. 3681 - Block list is now sorted by type 3682 - Email forms updated. 3683 - Fixed the no from info bug in the password email. 3684 - Fixed the topic editor background bug. 3685 - Postions of the olderstuff and poll blocks is now 3686 configurable. 3687 - Olderstuff block can now be turned off. 3688 - Olderstuff block now shows 2x the news limit. 3689 - Updated the install instructions. 3690 3691 August 19, 2000 3692 --------------- 3693 3694 - Modified the polls, you can now set then maximum 3695 number of possible answers in config.php. 3696 - Fixed edit link bug. 3697 - Updared english.php for the new admin files. 3698 - Modified the cookies to have a configurable 3699 expiration time for users and admins. This can 3700 be set in config.php. 3701 3702 August 18, 2000 3703 --------------- 3704 3705 - Reworked the default interface. 3706 - Fixed numerous bugs. 3707 3708 August 14, 2000 3709 --------------- 3710 3711 - Began moving portions of the HTML in to blocks 3712 - Updated the english.php file. 3713 3714 August 13, 2000 3715 --------------- 3716 3717 - Updated how polls are shown. 3718 - Updated the poll adminstration interface, this was 3719 the last old piece of code to be re-worked. 3720 3721 August 12, 2000 3722 --------------- 3723 3724 - Completed new submission forms. 3725 - Completed added base path to all references. 3726 - Completed scripts for user account creation. 3727 - Completed comment intergration with user 3728 accounts. 3729 - Added comment posting speed limit. 3730 3731 3732 August 11, 2000 3733 --------------- 3734 3735 - Completed new story editor and managment 3736 functions. 3737 - Completed database widgets. 3738 - Began work on reworking the poll editor 3739 and managment. 3740 - Removed the following functions that have 3741 become obsolete: 3742 - countx 3743 - topicsel 3744 - getTopic 3745 - saveuser 3746 - rot13 3747 - Removed the following array used to set 3748 premissions in older versions 3749 - $ADMIN 3750 - Began work on intergrating comments with 3751 user accounts. 3752 3753 August 7, 2000 3754 -------------- 3755 3756 - More work on user accounts and database 3757 widgets. 3758 - Minor cosmetic fixes. 3759 - Began re-working the administration forms. 3760 3761 August 7, 2000 3762 -------------- 3763 3764 - More work on new submission engine and 3765 database widgets. 3766 - Implemented submission speed limit. 3767 3768 August 6, 2000 3769 -------------- 3770 3771 - Added command and contol center to admin and 3772 moderate submissions. 3773 - Added ability for users to submit links. 3774 - Added ability for users to submit events. 3775 - Began intergrating user accounts. 3776 - Began intergration of a help system. 3777 3778 August 5, 2000 3779 -------------- 3780 3781 - Created new database function templates. Began 3782 updating all the scripts to use these new 3783 database calls. 3784 3785 BETA RELEASE!!! 0.5!!! - August 3, 2000 3786 ---------------------------------------- 3787 3788 - Tar'ed it up and shipped 0.5 BETA out the door! 3789 3790 August 2, 2000 3791 -------------- 3792 3793 - Getting ready for 0.5 release!! 3794 - Parent links no longer show up on top level 3795 comments. 3796 - Story moderation now show the "new story" button 3797 even if no stories exist. 3798 - Story contribution preview now displays the date 3799 correctly. 3800 - Comment preview now displays the date correctly. 3801 - Made the log path configurable. 3802 - Fixed false "no stories" error in index.php. 3803 - Fixed the topic highlighting in showtopics. 3804 - Fixed comments so that the posting and delete 3805 work properly again. 3806 - Events (calander) now properly parses special 3807 charactors. 3808 - Links now properly parses special charactors. 3809 - Mail to a friend should work better now. 3810 3811 July 30, 2000 3812 ------------- 3813 3814 - Moved all date functions to using strftime and 3815 locale settings for display of dates and times 3816 in local languages and formats. These are also 3817 configurable in the config.php file. 3818 3819 July 27, 2000 3820 ------------- 3821 3822 - Finished move admin strings to english.php. 3823 3824 July 26, 2000 3825 ------------- 3826 3827 - Added the featured article functionality. 3828 - Fixed a special charactors problem in the 3829 comments, you can now use special charactors. 3830 - Made some changes to the email story function 3831 to provide a statement on this isn't spam! 3832 - Added parent function to comments. 3833 3834 July 25, 2000 3835 ------------- 3836 3837 - Began moving strings from the admin files in to 3838 english.php 3839 - Finished up printable story and email story 3840 functions. 3841 - More minor bug fixes to the comment engine. 3842 3843 July 24, 2000 3844 ------------- 3845 3846 - Fixed encoding bugs in comments. Slashes are now 3847 being stripped properly. 3848 - Fixed the comment control bar, the title and 3849 number of comments are now showing up correctly. 3850 - Fixed the url encoding in the reply links. The 3851 title of a reply now copies over in to the form. 3852 - Bought more vodka! The vodka shortage is over! 3853 - Adjusted the comment spacing. 3854 - Began to add the printable story and email story 3855 functions. 3856 3857 July 23, 2000 3858 ------------- 3859 3860 - Added comment count to olderstuff block. 3861 - Reworked the polls for better display 3862 - Worked more on the comment engine, all comment 3863 modes (none, flat, threaded, nested) work at 3864 one level or another. This is really shaping up 3865 well and we have unchained the monkies from 3866 their typewriters... But no novel yet... 3867 - Out of vodka and can't buy any more since it is 3868 illegal to sell alcohol on Sundays in Georgia. 3869 3870 July 22, 2000 3871 ------------- 3872 3873 - Changed password functions to use md5, crypt() 3874 is becoming to unreliable. Running the dat 3875 3876 <editor problems, change log for 0.4.1.2 - 0.4.1.1 lost> 3877 3878 BETA RELEASE!!! 0.4.1!!! - July 19, 2000 3879 ----------------------------------------- 3880 3881 - Tar'ed it up and shipped 0.4.1 BETA out the door! 3882 3883 July 19, 2000 3884 ------------- 3885 3886 - RDF fetch bug fixed. The rdfimport routine was 3887 not correctly identifying if the file open didn't 3888 work correctly. 3889 - Poll Dispaly bug fixed. Poll wouldn't display if 3890 there wern't at least two user defined blocks. 3891 - Added word count to the read more display. 3892 - Move all strings for public side functions to 3893 a resource bundle called english.php. Geeklog can 3894 now be translated. If you do translate Geeklog 3895 please send me your resource file! Great thanks 3896 goes to Mischa Polivanov for his work on this 3897 project! 3898 - When moderating a story, it now returns you to 3899 the submissions que when your done. 3900 3901 BETA RELEASE!!! 0.4.0!!! - July 8, 2000 3902 ---------------------------------------- 3903 3904 - Tar'ed it up and shipped 0.4.0 BETA out the door! 3905 3906 July 8, 2000 3907 ------------ 3908 3909 - Update the poll to restrict votes by IP. This 3910 function only creates a table of IP addresses 3911 pollids and timestamps, votes are NOT tracked! 3912 Addresses are deleted after an admin specified 3913 peroid of time set with the config.php variable 3914 $CONF["polladdresstime"]. 3915 - Added $CONF["pollcookietime"] to config.php to 3916 allow you to set the amount of time the poll 3917 cookies will exist for the user. 3918 - Changed poll to only show a % in the smaller 3919 index window. Graphs are now only on the full 3920 view of the results. 3921 - Added SQL query interface for admins. This was 3922 added for those that don't have shell access or 3923 shell access isn't alaways avaiable for 3924 troubleshooting. Be VERY careful with this! 3925 - Fixed a really nasty bug with the RDF import 3926 HTTP calls! This was causing the server to 3927 lock up under certian circumstances. 3928 - Update showblocks() to now order polls and 3929 olderstuff as well. Here's the new method: 3930 - show blockoder = 0 to 1 3931 - show the polls 3932 - show blockorder = 2 3933 - show olderstuff 3934 - show remaining blocks 3935 - Reworked the calendar layout a bit. 3936 - Added two new doc files dbschema.html and 3937 dbschema.png to document the database. 3938 3939 July 5, 2000 3940 ------------ 3941 3942 - New admin menu as well as more admin checks 3943 in editing of stories and blocks. In stories 3944 only the owner or someone with a seclev of 200 3945 or higher can edit a story. Blocks seclev's 3946 are now being enforced. 3947 - More stats stuff 3948 - Access logging is now working! It reports on 3949 admin access and illegal operations in 3950 /logs/access.log 3951 - Found some more bugs released to stricter PHP 3952 syntax guidelines in blocks.php and users.php. 3953 They've been fixed! 3954 - Added the beginings for threaded comments, but 3955 it is NOT working yet. 3956 - Refined different aspects of the database, this 3957 is going to be the bigest DB update script yet! 3958 - Calendar has been rewored as events, since I can 3959 see Security Geeks using this functionality for 3960 things other than a calendar. Hmm, what is he 3961 thinking? 3962 - Adding CSS references where needed when I find 3963 them. 3964 3965 July 4, 2000 3966 ------------ 3967 3968 - Added additional security checks for admins 3969 as well as adding additional admin tracking. 3970 - REMOVAL: function isAdmin() is being removed. 3971 - Created a new story format and parser. The 3972 story text is now broken in to two blocks, an 3973 introtext block and bodytext block. Introtext 3974 is all that is displayed on the index page. 3975 Both introtext and bodytext are displayed on 3976 an article page. There are many other neat 3977 things that have changed to go along with this, 3978 too many to mention! An example is "read more" 3979 is only displayed when there is data in bodytext. 3980 - Added comment and poll stats to the stats page. 3981 3982 BETA RELEASE!!! 0.3.0!!! - July 3, 2000 3983 ---------------------------------------- 3984 3985 - Tar'ed it up and shipped 0.3.0 BETA out the door! 3986 3987 July 3, 2000 3988 ------------ 3989 3990 - Fixed poll division by zero error. (xix) 3991 - Added the calander. This also involved adding 3992 lines to config.php and style.css. 3993 - Added next a previous links to the stories list. 3994 Security Geeks has almost 2000 stories now. We 3995 needed a better way to view this information 3996 without killing the SQL server! 3997 - Fixed a parsing bug on the contrib form. (richpav) 3998 - Fixed a bug in which votes were not being saved 3999 if the first answer has 0 votes in the poll 4000 editor. (richpav) 4001 4002 July 2, 2000 4003 ------------ 4004 4005 - Fixed a rouge <xmp> tag in contrib.php. 4006 - Added a new function to check email addresses. 4007 - Fixed a problem with the checking of <a href=> 4008 tags. (frank) 4009 - Moved more of the layout to CSS. Giving some 4010 though to creating a CSS editor for the site. 4011 - Added additional error checking on submissions. 4012 - Evaluated the security of the file layout, file 4013 premissions, cookies and made some minor changes 4014 - Added the RDF import capibilty to the blocks. 4015 Woo-hoo! Half way there to 0.3.0! 4016 - Fixed a bunch of function calls that are now 4017 considered errors in PHP 4.0.1pl2 (richpav) 4018 4019 BETA RELEASE!!! 0.2.1!!! - July 1, 2000 4020 ---------------------------------------- 4021 4022 - Tar'ed it up and shipped 0.2.1 BETA out the door! 4023 The bugs fixed here are pretty signifant. This 4024 has none of the 0.3.0 features. 4025 4026 July 1, 2000 4027 ------------ 4028 4029 - Cleaned up the all of the PHP scripts and added 4030 missing ;'s. (macole) 4031 - Fixed some table layouts for comment and story 4032 submissions. 4033 4034 June 30, 2000 4035 ------------- 4036 4037 - Fixed an bug in the story submit functions. It 4038 seems addslashes was droped when putting in the 4039 content checking. It's back now! 4040 - Added a line to display the allowable HTML in the 4041 story editor and submission form. 4042 4043 BETA RELEASE!!! 0.2.0!!! - June 29, 2000 4044 ----------------------------------------- 4045 4046 - Tar'ed it up and shipped 0.2.0 BETA out the door! 4047 4048 June 29, 2000 4049 ------------- 4050 4051 - Bugs Found Score: Women:28 Men:13 4052 - Security hole regarding user cookies. The 4053 user cookie contined the site key, this 33% 4054 is part of the information needed to forge 4055 a admin site key. This has been fixed. 4056 - Also fixed a problem in the user cookie where 4057 some of Jason's (the other Jason) info for 4058 his site was coded in there. 4059 - Added the ability to specify your own salt 4060 value for the encryptor. 4061 - Added filters that are admin configurable to 4062 strip out unwanted HTML tags and key words. 4063 These options are configurable in the 4064 config.php file. 4065 - Blocks are now topic aware. 4066 - Change sid to char(20) in the database tables 4067 stories and comments. This was in order to 4068 create compatibilty between stories, comments 4069 and polls. 4070 - Poll comments! 4071 - Added a blockorder field to the blocks table. You 4072 can now modify the display order of blocks. 4073 - Fixed a bug in the link generation in stats.php. 4074 - Changed the description field in the links 4075 tables from varchar(255) to text to allow for 4076 longer descriptions. 4077 - Preview now uses article() function. Shows a 4078 true preview! 4079 - Fixed a bug in comment.php that still may the 4080 user type in a user name email even if if the 4081 anonymous option was chosen. It never actually 4082 saved the info, just asked for it. Now it no 4083 longer asks. :-) 4084 4085 June 28, 2000 4086 ------------- 4087 4088 - Correct setting of a user cookie in comment.php, 4089 contrib.php and profile.php. The cookie was not 4090 being set to remember a users infomation if they 4091 selected to do so. 4092 - Fixed the CSS layout for the comment bar, this 4093 wasn't working properly under Netscape. 4094 - Fixed an error in the change password function. It 4095 was displaying a error even when the change was 4096 successful. 4097 - Made total votes a caculated field in the poll 4098 editor, this is also a easy way to reset the count 4099 in the case of SQL errors. 4100 - Fixed topic sorting bug, topics sort themselves now. 4101 This also involved a change to the config.php file 4102 in which $CONF["topicssort"] was changed to 4103 $CONF["topicsort"]. 4104 - Added feature to track which admin moderated a 4105 story and posted it to the site. 4106 4107 BETA RELEASE!!! 0.1.0!!! - June 27, 2000 4108 ----------------------------------------- 4109 4110 - Tar'ed it up and shipped 0.1.0 BETA out the door! 4111 4112 June 27, 2000 4113 ------------- 4114 4115 - Added the ability to delete comments. NOTE: I do 4116 not plan on the abilty to edit comments. Just 4117 a personal thing, thats all. 4118 4119 June 26, 2000 4120 ------------- 4121 4122 - Created search engine that searched stories, 4123 comments and links. 4124 - Update comments and how they are displayed. 4125 - Created new form for submitting comments. 4126 - Enhansed a bunch of the forms. 4127 - Removed some obsolete stuff, cleaned things up a bit. 4128 - Added some additional error checking to submits. Also 4129 moved all error checking to the server side. I was 4130 testing the use of JavaScript but too many people 4131 like to turn it off! I know I do! :-) 4132 4133 June 25, 2000 4134 ------------- 4135 4136 - Squashed 23 bugs with the help of my wife! Now if 4137 only Frank would get his bug reports in! 4138 - Created interface for editing, creating and deleting 4139 links. 4140 - Cleaned PHP procedures out of inc files. 4141 - Updated and tested SQL statements to refelct DB 4142 changes. 4143 - DB changes frozen for release and the beta testers 4144 rejoiced! 4145 4146 June 24, 2000 4147 ------------- 4148 4149 - Created interface for editing, creating and deleting 4150 users. 4151 - Figgin problem with polls deleting themselves seems 4152 to be fixed now. 4153 - Created interface for editing, creating and deleting 4154 topics. 4155 - Created interface for editing, creating and deleting 4156 blocks. 4157 - Created interface for moderation, editing and posting 4158 of stories by admin. This worked out well! 4159 4160 June 23, 2000 4161 ------------- 4162 4163 - Finished up additions to the datebase, need to change 4164 the forms now so the site can use the new fields. 4165 Some of the new feilds are for future use as well. 4166 - Added descriptions to the Links page. 4167 - Fixed the search page so its now formated correctly. 4168 - Finished up the pollbooth functions (edit and delete). 4169 - Optimized some of the HTML in the scripts, further 4170 optimization later! 4171 4172 June 21, 2000 4173 ------------- 4174 4175 - Created a new layout format using all external CSS 4176 calls. Let the client do the work! 4177 - Finished moving configuration to config.php 4178 - Weeded out some functions in common.php. Move 4179 functions that are only used by one script to that 4180 script. Combined other similar functions in to one 4181 function. Smaller... Faster... More Stable! 4182 - Only 6 more items on the to do list for 0.1.0.0 4183 4184 June 20, 2000 4185 ------------- 4186 4187 - Created admin functions for the pollbooth. Seems the 4188 other authors on the site don't like hand entering SQL! 4189 I don't like them having shell accounts! -grin- 4190 - Update the Header feild in the Stories block to be a 4191 little bigger. This should let wordy authors emblish 4192 their titles more! 4193 - Created a more robust errorlog routine. Now has the 4194 options of output to a log, the screen or both! 4195 4196 June 19, 2000 4197 ------------- 4198 4199 - Created a pollbooth for voting. All user functions are 4200 in pollbooth.php. There are no admin functions yet as I 4201 just love hand entering SQL! 4202 4203 June 18, 2000 4204 ------------- 4205 4206 - Optimizations made to the SQL connections and calls. Too 4207 much done here to talk about, but part of it was moving 4208 the site configuration to a flat file. These changes 4209 should decrease the usage of the SQL server a great deal. 4210 This took up most of my day. 4211 - Variable usage optimizations. Made many, many chnages in 4212 the way variables were being used. This should result in 4213 cleaner, faster code that _may_ use a little less memory? 4214 Hey, if I can save 2k per hit, thats a big deal! :-) 4215 - Updated all code and tested to ensure php4 compatibility. 4216 So from now on only php4 will be run on the Geeks web 4217 servers. So I changed all the extentions and links from 4218 .php3 to .php to mark this moment. 4219 - Restructured the directory layout so I can implement some 4220 new security settings on the files. Hmmm, I bet you 4221 wondering "what is this mad-man thinking?" 4222 4223 June 17, 2000 4224 ------------- 4225 4226 - Initial announcement, running this new code on the Geeks 4227 web servers. 4228 - Special thanks to Jason Hines and phpWebLog! His work 4229 inspired much of my efforts! Unfortunatly phpWebLog is 4230 taking a different direction that the Geeks sites needed. 4231 However, all the code I am writing here will be published 4232 in the hopes that Jason and others may find these functions 4233 useful. If you looking for a weblog software that is cool, 4234 configurable and supported by someone I would recommend you 4235 check out http://phpweblog.org and party on dudes!
titre
Description
Corps
titre
Description
Corps
titre
Description
Corps
titre
Corps
| Généré le : Wed Nov 21 12:27:40 2007 | par Balluche grâce à PHPXref 0.7 |
|
|