Foswiki Blog

While it’s been quiet in the blog lately, we’re back just in time for the latest release in the Foswiki 1.1 series, with a few general improvements but also a fixed security issue. In other words: you don’t want to miss the new Foswiki version! It’s available right now at http://foswiki.org/Download/FoswikiRelease01x01x08.

Be sure to pay attention to the upgrade instructions there, especially if you’re upgrading from Foswiki 1.1.5 or older.

In case you haven’t been following the release announcements elsewhere, I’ve included a brief description of the other releases you may have missed. If you want to know every last detail about all the changes in recent releases, look at the full release notes for the Foswiki 1.1 series.

Highlights of Foswiki 1.1.8 release

Security Release

Release 1.1.8 fixes a Critical Security Vulnerability. All previous releases of Foswiki are vulnerable to a security issue in Locale::Maketext. It is described further in SecurityAlert-CVE-2013-1666.  If your site runs with Internationalization enabled, you should upgrade to this release.

• For users: 4 bug fixes relative to 1.1.7
• For administrators: SSL Email works on newer versions of IO::Socket::SSL. (The prior fix in 1.1.7 was incomplete).

Highlights of Foswiki 1.1.7 release

Release 1.1.7 fixes a Critical Security Vulnerability. All previous releases of Foswiki are vulnerable to a security issue in Locale::Maketext. It is described further in SecurityAlert-CVE-2012-6329. A 2nd vulnerability in the Foswiki %MAKETEXT% macro was also discovered, and is described further in SecurityAlert-CVE-2012-6330 .

For users:

• 20 bug fixes and 4 improvements relative to 1.1.6
• WYSIWYG editor improves handling of WikiWord links. Changing the displayed WikiWord also updates the link target.
• The default font has been restored to the attributes from 1.1.5. This prevents layout differences when upgrading to Foswiki 1.1.7

For administrators:

• For sites using SSL accelerators and load balancers: A new expert configuration parameter {ForceDefaultUrlHost} can be enabled to force Foswiki to override the user entered URL with the {DefaultUrlHost} setting.
• SSL Email works again on newer versions of IO::Socket::SSL
• Pending registration requests now have a separate timer independent from the Session timer.
• Removed undocumented dependency on updated HTML::TreeBuilder > 4.0

Highlights of Foswiki 1.1.6 release

For users:

• More than 117 bug fixes and improvements relative to 1.1.5
• TinyMCE has been updated to release 3.4.9
• Markup within input fields is no longer rendered
• The Chili syntax highlighter has been enabled by default

For administrators:

• Duplicate email checks are applied to pending registrations.
• Stale pending registrations are removed.
• Configure makes a backup before saving configuration changes
• Performance problems with Rename and Log Rotation have been addressed.

Jan Krüger Release, Security

Updated versions of the WysiwygPlugin and TinyMCEPlugin have been released to the Foswiki Extensions web. This update adds a couple of minor enhancements and addresses several issues reported with WYSIWYG editing since the release of 1.1.5.

Update: This version does not work with perl older than 5.10.
Update 2:  Version 1.1.12 of WysiwygPlugin fixes the perl compatibility issues and resolves a but where certain links were corrupted.

• TinyMCE Editor is upgraded to Release 3.4.9
• The editor can now view and edit blocks marked with the foswikiHidden class
• Loss of whitespace in the edited topic  has been resolved.
• Improvements  in link handling.  All wiki links are editable as true HTML links in TinyMCE.
• Colors implemented using the new 1.1.5  foswiki CSS are now recognized

There are several other bug fixes and enhancements.   Details are in the WysiwygPlugin and TinyMCEPlugin topics.  The new extensions are both now installed on foswiki.org.

George Clark Development

While 1.1.5 is primarily a security focused release, it also comes with more than 120 bug fixes and improvements related to 1.1.4. For those of you that can’t wait to get their hands on it: head over to the download page.

Update: The VMware images , FoswikiOnUsb, RHEL6/Centos6 and Debian/Ubuntu installs have been updated to the Foswiki latest release.

Improvements to User Registration

• The complete fix for CVE-2012-1004 has been integrated, including pluggable field validations in the User Mapper. If your installation uses a custom user mapper, there is a new function in the base user mapper lib/Foswiki/Users.pm, that performs registration field validations. Override this method in your custom user mapper to add site specific validations.
• The user registration and group management API calls now all return error messages describing any failures. All errors are processed through MAKETEXT so that they are translated to the selected language.
• New options can reject duplicate registrations using the same email, and can either white-list or black-list email domains from registering.

Improvements to .htpasswd handling

• The HtPasswdUser password manager has been changed to globally cache the password file if enabled. In an installation running fcgi or mod_perl, this will reduce the overhead of reading the file for each transaction.
• The .htpasswd lock file is now configurable. There was a small risk that when multiple foswiki installations shared a common .htpasswd file, simultaneous updates would not be prevented, resulting in file corruption.
• The default for {Htpasswd}{Encoding} has been changed to apache-md5. We strongly recommend that installations migrate away from crypt encoding – the prior default. crypt truncates passwords at 8 characters.
• The {Htpasswd}{AutoDetect} option is enabled by default. This ensures that an existing .htpasswd file cannot be accidentally corrupted due to the change in default encoding.
• A new password encoding hash has been added. bcrypt encoding. (Ref. http://yorickpeterse.com/articles/use-bcrypt-fool )

Better session support for mixed http and https environments

If your foswiki is set up to accept both https and http requests, your users may find themselves logged out much faster than desired. 1.1.5 fixes this by using separate authentication session cookies when using http and https, but this may mean your users may need to login again. This applies to both TemplateLogin and ApacheLogin.

Changes to the configure password handling

The encoding of the bin/configure and “sudo” admin user has been changed. Sites should change their configure password as soon as possible. Note that this change is not backwards compatible. Once the password has been changed, if fallback to 1.1.4 is required, the password will have to be reset by removing the password from lib/LocalSite.cfg.

Changes to Statistics processing

The WebStatistics topics are no longer shipped with Foswiki. Two new topics have been included; DefaultWebStatistics and WebStatisticsTemplate. The statistics script now has the optional capability of creating the missing WebStatistics topics.

• The Foswiki configuration has a new parameter: {Stats}{AutoCreateTopic} (Default is disabled)
• The statistics script has a new parameter: -autocreate 1 or autocreate=1 (Default is 0 or disabled)
• The statistics script must now only be run using POST. HTML GET should never result in an update.

Changes to PlainFile logger to improve log rotation

In previous versions of foswiki, the default PlainFile logger failed to rotate the logs if any log records were corrupted. This is more likely in the error log file, but can be caused by any log record that is written containing embedded newlines. If a log record is read without the expected | Timestamp | as the first column, rotation stops.

This behavior has been corrected, however sites where rotation was failing may have extremely large log files. When foswiki performs the rotation at the beginning of the next month, rotation can take an extended time, resulting in extended response time.

Rotation is performed when the timestamp of the log file (events.log, error.log, debug.log) is in a month prior to the current month. In order for rotation to proceed:

• The directory containing the log files must be writable.
• Archive files named [logfile].YYYYMM must not exist for any records in the current [logfile].log file.
  • For example, if events.log contains an event dated 2012-01-15:, then the archive file events.201201 must not exist.
• In order to force rotation and avoid extended web server response time:

• Quiesce the web server to prevent logging activity
• Upgrade to 1.1.5, which will install the updated lib/Foswiki/Logger/PlainFile.pm
• Reset the timestamps to the previous month on the logfile requiring rotation
  • touch -t 201202280101 events.log will set the timestamp to February 28th on a linux/unix system.
  • Windows users will need to install a 3rd party tool to change timestamps, or wait for the next month
• Change to the bin directory and run the view script from the shell as the web user.
  • sudo -u www ./view (Actual user will vary depending on the distribution)

The plainfile logger will now report additional information on the rotation process, including displaying bad records to STDERR. Edit lib/Foswiki/Logger/Plainfile.pm and change the line use constant TRACE => 0; to use constant TRACE => 1; to enable more detailed debug messages.

Michael Daum Release Development, foswiki, Release

So far 1.1.5-RC1 has been very reliable, and RC2 will be “the release” unless new urgent issues are found. We plan to build 1.1.5 on April 10th.   You can download RC2 for testing from our Download Site.

George Clark Development Release

foswiki.org has been updated to an early beta of release 1.1.5. We are not quite ready for a public beta. There are a number of release blocking bugs that we hope to get fixed over the next week or two, and translations still need to be completed. So don’t look for the 1.1.5-Beta1 download just yet. We installed the early beta to get some live testing of a bug in log file rotation, and will hopefully find that it is fixed when the March 1st rollover occurs.

Details of the release are in the Beta release notes.

George Clark Development Release

Foswiki will have a booth on this year’s CeBIT fair sponsored by Linux New Media AG. So come visit us in Hall 2, Section E58 at the Open Source Forum 6th – 10th March. More information at http://foswiki.org/Community/FoswikiCeBIT2012.

Michael Daum Promo cebit, fair, hannover

One of the great strengths of Foswiki is that it stores topics in plain text files. This feature has proven its worth time and again, as Foswiki is able to quickly adapt to organisational change, easily support external processes that write to topics, and is quickly accessible for emergency measures. For an admin who has login access to the server, it’s very easy to use the command-line to make bulk changes to many topics simultaneously.

In Foswiki 1.1.4 we addressed a nasty bug that was inherited from the very earliest days of TWiki. This bug could result in serious history errors such as the wrong username being attributed to edits, incorrect revision numbers, and broken revision histories. Unfortunately there was a side-effect of this fix that anyone who modifies topics on the server needs to be aware of, and take action on.

Any process (or person) that changes a .txt file on the server must make sure that the corresponding .txt,v file is left with a file date that is equal to or more recent than the .txt file.

If you don’t do this, Foswiki will be forced to constantly re-read the .txt,v for the correct revision history, which can affect performance. Also, when such a topic is edited, Foswiki will create a new revision attributed to the “UnknownUser” to record that the topic was changed outside of Foswiki’s control. This is the correct behaviour in the general case, and will save less experienced users a lot of pain. However more experienced users may know that their changes are ‘safe’ and that no change to the topic history is required. In this case, it is trivial to update the file date on the .txt,v file. In summary,

• After making any manual change to a .txt file on the server make sure that the corresponding .txt,v is ‘touched’ (use the UNIX ‘touch’ command, or simply text-edit and save the file)
• Scripts that make bulk changes to files – and external processes that write .txt files – should be modified to ‘touch’ the .txt,v files after writing.
• If you have already made such a change but can’t remember which files you changed, you can use the following linux command line to ‘touch’ all .txt,v files (this is perfectly safe)

find /path/to/foswiki/data -name '*.txt,v' -exec touch {} ;

Crawford Currie Development

Foswiki is now over 3 years old, and its still an extremely active project: Congratulations and thankyou!

The Foswiki Association’s Board has just elected the new Office holders:

• Chairman: Sven Dowideit
• Vice Chairman: Crawford Currie
• Treasurer: Oliver Krueger

As the new chairman, I hope to continue the great work that Crawford did in guiding our foundation so far, and take the opportunity I have to thank Kenneth for the work he did the last 2 years, and for the experience he has passed on to the Board in general.

For 2012, I have suggested that we work on improving our communications both within our community and towards the outside world – for example by developing more microblogging tools like the Extension News, and then creating a regular newsletter from those feeds. Given that foswiki is a do-ocracy, that means I just volunteered myself to building some more tools for foswiki.org, and then to write newsletters.

In case you’re still reading this, the Board has a question for you – we now have 1,385 euros in the bank, is there anything we could use this money for that would positively impact on the community, its growth and visibility?

Have a happy and productive 2012

Sven Dowideit Misc

It took 8 months and 2 days since the previous one to come out with yet another release of Foswiki, the Open Source Enterprise Wiki. Just in time before people dash off into Christmas holidays. So don’t forget to fetch your copy now available at http://foswiki.org/Download/DownloadFoswiki.

This release of Foswiki comes with quite some new features and more than 160 crunched bugs relative to the previous release. Here are some highlights:

Read up all the details on the full release notes.

The Foswiki team wishes you quiet and relaxing Christmas holidays. See you next year.

Michael Daum Release Development, foswiki, Release

The intrepid Foswiki computer science & engineering team, prepared with appropriate safety gear, about to delve into the core. Boldly seeking new discoveries and features to enhance Foswiki for the benefit of all. More at Sven’s photo stream …

Michael Daum Promo camp, cern, community, foswiki