Foswiki 1.1.5 released

Michael Daum

While 1.1.5 is primarily a security focused release, it also comes with more than 120 bug fixes and improvements relative to 1.1.4. For those of you who can't wait to get your hands on it: head over to the download page.

Update: The VMware images, FoswikiOnUsb, RHEL6/CentOS6 and Debian/Ubuntu installs have been updated to the latest Foswiki release.

Improvements to User Registration

  • The complete fix for CVE-2012-1004 has been integrated, including pluggable field validations in the User Mapper. If your installation uses a custom user mapper, note that the base user mapper (lib/Foswiki/) has a new function that performs registration field validations. Override this method in your custom user mapper to add site-specific validations.
  • The user registration and group management API calls now all return error messages describing any failures. All errors are processed through MAKETEXT so that they are translated to the selected language.
  • New options can reject duplicate registrations that use the same email address, and can either white-list or black-list email domains for registration.
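The kind of email check a site-specific validation might perform, as an added example. This is not Foswiki's code: the function name validate_email, the option names in %OPTS and the list of registered addresses are all hypothetical, and the hook through which a custom user mapper would call it is not shown. The point it adds to the text is that domain matching must respect the dot boundary, otherwise a black-listed example.org would let notexample.org through (or a white-listed one would admit it).

```perl
#!/usr/bin/perl
# Added example (not Foswiki code): registration email checks of the kind
# 1.1.5 lets a custom user mapper plug in. Function and option names are
# hypothetical; Foswiki's own hook name and signature are not given here.
use strict;
use warnings;

# Constructed sample of already-registered addresses, keyed by lowercase email.
my %REGISTERED = map { lc($_) => 1 } ( 'alice@example.org', 'Bob@Example.org' );

# Hypothetical site options, modelled on the new white-list / black-list
# settings. An empty whitelist means "any domain not blacklisted".
my %OPTS = (
    reject_duplicate_email => 1,
    whitelist              => [],                                # e.g. ['example.org']
    blacklist              => [ 'mailinator.com', 'example.net' ],
);

# True if $domain equals $pattern or is a subdomain of it. Comparing against
# ".$pattern" stops 'notexample.org' from matching 'example.org'.
sub domain_matches {
    my ( $domain, $pattern ) = @_;
    return 1 if $domain eq $pattern;
    return 1
        if length($domain) > length($pattern)
        && substr( $domain, -length($pattern) - 1 ) eq ".$pattern";
    return 0;
}

# Returns undef when the address is acceptable, otherwise an error message.
# A caller wanting translated text would pass the message through MAKETEXT.
sub validate_email {
    my ( $email, $registered, $opts ) = @_;
    return 'Email address is required' unless defined $email && length $email;

    # Normalise before every comparison so case or whitespace tricks cannot
    # bypass a check.
    $email = lc $email;
    $email =~ s/^\s+|\s+$//g;

    # Minimal syntax check: exactly one '@' followed by a dotted domain part.
    my ($domain) = $email =~ /^[^@\s]+@([^@\s]+\.[^@\s.]+)$/
        or return 'Email address is not well formed';

    if ( $opts->{reject_duplicate_email} && $registered->{$email} ) {
        return 'An account with this email address already exists';
    }
    if ( @{ $opts->{whitelist} } ) {
        return "Registration from domain $domain is not permitted"
            unless grep { domain_matches( $domain, lc $_ ) } @{ $opts->{whitelist} };
    }
    if ( grep { domain_matches( $domain, lc $_ ) } @{ $opts->{blacklist} } ) {
        return "Registration from domain $domain is not permitted";
    }
    return undef;
}

# Constructed candidates: accepted, duplicate, black-listed subdomain,
# look-alike domain that must NOT match, malformed address.
for my $candidate (
    'carol@example.org',       'BOB@example.org',
    'dave@sub.mailinator.com', 'eve@notexample.net',
    'mallory@@x.y'
  )
{
    my $err = validate_email( $candidate, \%REGISTERED, \%OPTS );
    printf "%-26s %s\n", $candidate, defined $err ? "REJECT: $err" : 'ok';
}
```

Run it with plain perl; only core Perl is used. The white-list is applied before the black-list, so a domain present in both is refused.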

Improvements to .htpasswd handling

  • The HtPasswdUser password manager can now cache the password file globally (when enabled). In an installation running FastCGI or mod_perl, this reduces the overhead of reading the file on every request.
  • The location of the .htpasswd lock file is now configurable. Previously, when multiple Foswiki installations shared a common .htpasswd file, there was a small risk that simultaneous updates would not be serialized, resulting in file corruption.
  • The default for {Htpasswd}{Encoding} has been changed to apache-md5. We strongly recommend that installations migrate away from crypt encoding, the prior default: crypt only uses the first 8 characters of a password.
  • The {Htpasswd}{AutoDetect} option is enabled by default. This ensures that an existing .htpasswd file cannot be accidentally corrupted by the change in default encoding.
  • A new password hash, bcrypt, has been added. (Ref. )
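To see what the AutoDetect option has to deal with, and why crypt is being retired, here is an added example (not Foswiki's HtPasswdUser) that classifies the entries of a .htpasswd file by hash format and then demonstrates crypt's 8-character limit with Perl's built-in crypt(). The sample file contents are constructed (the hash strings are only shaped like real ones), the prefix rules are my reading of the respective formats, and the truncation demonstration assumes a libc whose crypt() still implements traditional DES.

```perl
#!/usr/bin/perl
# Added example, not Foswiki's HtPasswdUser: classify each .htpasswd entry by
# hash format (the kind of check {Htpasswd}{AutoDetect} performs) and flag the
# ones still using crypt, whose 8-character limit is shown with Perl's crypt().
use strict;
use warnings;

# Constructed sample file: Foswiki stores "login:hash:email" per line.
# The hash strings are shaped like the real formats but are not real hashes.
my $HTPASSWD = <<'END';
# comment lines and blank lines are skipped
alice:ab4x6wfuCVJFk:alice@example.org
bob:$apr1$ZmxXs8v3$Jm7vW/7HuVZ8yQvQ0a0Fh1:bob@example.org
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=:carol@example.org
dave:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy:dave@example.org
eve:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:eve@example.org
END

# Map a stored hash to the {Htpasswd}{Encoding} name it corresponds to.
# Prefix rules are my reading of the formats; 'unknown' means manual review.
sub detect_encoding {
    my ($hash) = @_;
    return 'bcrypt'     if $hash =~ /^\$2[aby]\$\d\d\$/;
    return 'apache-md5' if $hash =~ /^\$apr1\$/;
    return 'crypt-md5'  if $hash =~ /^\$1\$/;
    return 'sha1'       if $hash =~ /^\{SHA\}/;
    return 'crypt'      if $hash =~ m{^[./0-9A-Za-z]{13}$};
    return 'unknown';
}

# Parse the file text and return a list of [login, encoding] pairs.
sub audit_htpasswd {
    my ($text) = @_;
    my @report;
    for my $line ( split /\n/, $text ) {
        next if $line =~ /^\s*(#|$)/;
        my ( $login, $hash ) = split /:/, $line, 3;    # third field (email) ignored
        push @report, [ $login, detect_encoding( $hash // '' ) ];
    }
    return @report;
}

for my $entry ( audit_htpasswd($HTPASSWD) ) {
    my ( $login, $enc ) = @$entry;
    printf "%-8s %-11s%s\n", $login, $enc,
        $enc eq 'crypt' ? '  <- migrate: only the first 8 characters count' : '';
}

# Why crypt is deprecated: traditional DES crypt() ignores everything after
# the 8th character, so these two passwords verify identically. Assumes a libc
# whose crypt() still implements DES (it then returns a 13-character string);
# newer libcs may disable DES and return undef or a failure token instead.
my ( $short, $long ) = ( 'Tr0ub4d0', 'Tr0ub4d0r&3-with-a-long-tail' );
my $h = crypt( $short, 'ab' );
if ( defined $h && length($h) == 13 ) {
    print "crypt('$short') = $h\n";
    print "crypt('$long') = ", crypt( $long, 'ab' ), "\n";
    print 'same hash: ', ( crypt( $long, 'ab' ) eq $h ? 'yes' : 'no' ), "\n";
}
else {
    print "DES crypt() is not available in this libc; truncation demo skipped\n";
}
```

Pointed at a real file (read it into $HTPASSWD) this gives a quick inventory of which accounts will be re-hashed on their next password change and which still carry the 8-character weakness until then.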

Better session support for mixed http and https environments

If your Foswiki is set up to accept both HTTPS and HTTP requests, users may find themselves logged out much sooner than expected. 1.1.5 fixes this by using separate authentication session cookies for HTTP and HTTPS; as a consequence, users may need to log in again after the upgrade. This applies to both TemplateLogin and ApacheLogin.

Changes to the configure password handling

The encoding of the bin/configure and "sudo" admin user password has been changed. Sites should change their configure password as soon as possible. Note that this change is not backwards compatible: once the password has been changed, falling back to 1.1.4 requires resetting it by removing the password from lib/LocalSite.cfg.

Changes to Statistics processing

The WebStatistics topics are no longer shipped with Foswiki. Two new topics have been included: DefaultWebStatistics and WebStatisticsTemplate. The statistics script can now optionally create missing WebStatistics topics.
  • The Foswiki configuration has a new parameter: {Stats}{AutoCreateTopic} (Default is disabled)
  • The statistics script has a new parameter: -autocreate 1 or autocreate=1 (Default is 0 or disabled)
  • The statistics script must now be run using POST. An HTTP GET never results in an update.

Changes to PlainFile logger to improve log rotation

In previous versions of Foswiki, the default PlainFile logger failed to rotate the logs if any log records were corrupted. This is most likely in the error log, but can be caused by any log record that is written containing embedded newlines. If a log record is read without the expected | Timestamp | as the first column, rotation stops.

This behavior has been corrected. However, sites where rotation was failing may have extremely large log files, and when Foswiki performs the rotation at the beginning of the next month it can take a long time, resulting in extended response times.

Rotation is performed when the timestamp of the log file (events.log, error.log, debug.log) is in a month prior to the current month. In order for rotation to proceed:
  • The directory containing the log files must be writable.
  • Archive files named [logfile].YYYYMM must not exist for any records in the current [logfile].log file.
    • For example, if events.log contains an event dated 2012-01-15, then the archive file events.201201 must not exist.
To force rotation and avoid extended web server response time:
  • Quiesce the web server to prevent logging activity.
  • Upgrade to 1.1.5, which will install the updated lib/Foswiki/Logger/
  • Reset the timestamp of the log file requiring rotation to the previous month.
    • On a Linux/Unix system, touch -t 201202280101 events.log sets the timestamp to 28 February 2012, 01:01.
    • Windows users will need to install a third-party tool to change timestamps, or wait for the next month.
  • Change to the bin directory and run the view script from the shell as the web server user.
    • sudo -u www ./view (the actual user name varies by distribution).
The PlainFile logger now reports additional information on the rotation process, including writing bad records to STDERR. To enable more detailed debug messages, edit lib/Foswiki/Logger/ and change the line use constant TRACE => 0; to use constant TRACE => 1;.
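Before forcing a rotation it is worth checking the two conditions above and finding the records that used to stall it. The following pre-flight script is an added example and not part of Foswiki's PlainFile logger. It assumes the ISO 8601 timestamp form written by the 1.1 logger (| 2012-01-15T10:01:02Z |), the [logfile].YYYYMM archive naming described above, a hypothetical log path working/logs/events.log, and a constructed log excerpt that includes one record broken across two lines.

```perl
#!/usr/bin/perl
# Added example, not Foswiki's PlainFile logger: a pre-flight check to run
# before forcing rotation. It reports records that lack the "| timestamp |"
# first column (the records that used to stop rotation), lists the YYYYMM
# archive names the rotation would need, and warns when such a file already
# exists or the log directory is not writable.
use strict;
use warnings;
use File::Spec;

# Constructed sample of events.log content, including one corrupted record
# (an error message with an embedded newline spilled over two lines).
my $LOG = <<'END';
| 2012-01-15T10:01:02Z | guest | view | Main.WebHome | 192.0.2.10 |
| 2012-01-15T10:05:44Z | AliceUser | save | Sandbox.TestTopic | 192.0.2.11 |
| 2012-02-03T08:00:00Z | guest | view | Main.WebHome | 192.0.2.12 |
Something went wrong:
  at line 42
| 2012-02-20T23:59:59Z | BobUser | attach | Sandbox.TestTopic | 192.0.2.13 |
END

# Split a log into good records (counted per YYYYMM) and bad records.
# Timestamp format assumed: ISO 8601 as written by the 1.1 PlainFile logger.
sub scan_log {
    my ($text) = @_;
    my ( %months, @bad );
    my $n = 0;
    for my $line ( split /\n/, $text ) {
        $n++;
        if ( $line =~ /^\|\s*(\d{4})-(\d{2})-\d{2}T\d{2}:\d{2}:\d{2}Z?\s*\|/ ) {
            $months{"$1$2"}++;
        }
        else {
            push @bad, [ $n, $line ];
        }
    }
    return ( \%months, \@bad );
}

# Archive file names rotation would write for this log: [logfile].YYYYMM
sub archive_names {
    my ( $logpath, $months ) = @_;
    ( my $base = $logpath ) =~ s/\.log$//;
    return map { "$base.$_" } sort keys %$months;
}

# Print the report; bad records go to STDERR as the updated logger does.
# Returns the number of archive files that would block rotation.
sub preflight {
    my ( $logpath, $text ) = @_;
    my ( $months, $bad ) = scan_log($text);
    for my $rec (@$bad) {
        printf STDERR "%s:%d: record without timestamp column: %s\n",
            $logpath, $rec->[0], $rec->[1];
    }
    my @blocking;
    for my $archive ( archive_names( $logpath, $months ) ) {
        my $exists = -e $archive;
        print "$archive: ", ( $exists ? 'EXISTS, rotation will not proceed' : 'ok' ), "\n";
        push @blocking, $archive if $exists;
    }
    my $dir = ( File::Spec->splitpath($logpath) )[1];
    $dir = '.' unless length $dir;
    my $state = !-d $dir ? 'does not exist' : -w _ ? 'writable' : 'NOT writable';
    print "log directory $dir $state\n";
    return scalar @blocking;
}

my $logpath = 'working/logs/events.log';    # hypothetical path; adjust to your install
exit( preflight( $logpath, $LOG ) ? 1 : 0 );
```

To check a real file, read it into $LOG (or replace the heredoc with a file read) and set $logpath to the actual location; a non-zero exit status means an archive file is in the way and must be dealt with before the forced rotation is triggered.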
