TWiki Release 4.3.2 (Georgetown), 2009-09-02

It is highly recommended to upgrade to TWiki-4.3.2. Users will find this release much more stable and secure in daily use.

• • Reduced risk of XSS (cross-site scripting)
  • Reduced risk CSRF (cross-site request forgery) - added in TWiki-4.3.1

• • Use ISO date format by default - added in TWiki-4.3.1

Important Changes

1. Added protection against CSRF (cross-site request forgery) in TWiki 4.3.2 patch release

TWiki protects content updates with a one-time-use crypt token to guard against CSRF exploits. This means that it is no longer possible to hit the browser back button to fix a typo; you get an "invalid crypt token" error message if you try to save again. Workaround: Instead of browser back button, hit the "Edit" button to fix a typo.

There is a balance between security and user convenience. A TWiki administrator can enable and disable the crypt token based CSRF protection with the {CryptToken}{Enable} configure setting. For mission critical public TWiki sites it is recommended to enable the crypt token; for firewalled TWiki sites it is usually OK to disable it.

TWiki 4.3.2 Patch Release - Details

TWiki-4.3.2 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 18148 (2009-09-02)

Highlights

• Security:
  • TWiki:Codev/SecurityAuditTokenBasedCsrfFix: Hardening TWiki content update with a crypt token based fix against cross-site request forgery vulnerabilities.

Enhancements

Item2927	Topic moved message too visible
Item6283	upgrade TinyMCEPlugin with latest tinyMCE WYSIWYG editor
Item6315	HeadlinesPlugin: New touch parameter for HEADLINES variable

Fixes

Item6253	SpreadSheetPlugin: $WORKINGDAYS is returning invalid results
Item6259	Prevent GUI-based rename of TWiki web and Main web
Item6267	FORMFIELD expands $title to field name if $title exists in field value
Item6295	Preferences for raw edit or WYSIWYG edit
Item6296	Crypt token based CSRF fix for TWiki
Item6308	viewfile adds trailing newline to attachments

TWiki Release 4.3.1 (Georgetown), 2009-04-29

It is highly recommended to upgrade to TWiki 4.3.1. Users will find this release much more stable and secure in daily use.

• • Reduced risk of XSS (cross-site scripting) and CSRF (cross-site request forgery)

• • Use ISO date dormat by default

Deprecation Notices

The %MAINWEB% and %TWIKIWEB% variables have been deprecated. For compatibility reasons they are unlikely to ever be removed completely, but you should use the %USERSWEB% and %SYSTEMWEB% variables instead.

In Func getOopsUrl and permissionsSet have been declared deprecated. There is no plan to remove them yet.

TWiki-4.3.0 Minor Release - Details

TWiki-4.3.0 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 17948 (2009-03-30)

Highlights

Enhancements

Fixes

TWiki 4.3.1 Patch Release - Details

TWiki-4.3.1 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 18054 (2009-04-29)

Highlights

• Security:
  • TWiki:Codev/SecurityAlert-CVE-2009-1339: A remote user may gain TWiki admin privileges with a specially crafted image tag. This cross-site request forgery vulnerability existed because TWiki allowed HTTP GET to save content.
• Usability:
  • Use of ISO format date promoted in this release
• Handling URLPARAM:
  • The handling of URLPARAM for empty or missing was corrected in this release.

Enhancements

Item6239	Fix TWIKIWEB to SYSTEMWEB, MAINWEB to USERSWEB
Item6254	Feature: Use ISO Date Format by Default

Fixes

Item5453	Value of "0" improperly handled in ENCODE variable
Item6232	Use of uninitialized value $1 in concatenation (.) or string at lib/TWiki.pm
Item6240	unhelpful error message when sysCommand fails
Item6243	URLPARAM "empty or missing"
Item6251	CSRF vulnerability CVE-2009-1339: Possible to gain TWiki admin privileges with a specially crafted image tag

TWiki Release 4.3 (Georgetown), 2009-03-30

Introduction

TWiki 4.3.0 released on 30 Mar 2009 introduces security enhancements, usability enhancements, feature enhancements, and adds extensions to strengthen TWiki as an enterprise collaboration platform.

It is highly recommended to upgrade to TWiki 4.3.0. Users will find this release much more stable and secure in daily use.

Pre-installed Extensions

TWiki 4.3 is ships with:

• Plugins: CommentPlugin, EditTablePlugin, EmptyPlugin, HeadlinesPlugin, InterwikiPlugin, PreferencesPlugin, RenderListPlugin, SlideShowPlugin, SmiliesPlugin, SpreadSheetPlugin, TablePlugin, TinyMCEPlugin, TWikiNetSkinPlugin, TwistyPlugin, WysiwygPlugin
• Contribs: BehaviourContrib, JSCalendarContrib, MailerContrib, TipsContrib, TWikiUserMappingContrib, TwistyContrib
• Skins: ClassicSkin, PatternSkin, TWikiNetSkin,

Note: HeadlinesPlugin, TWikiNetSkin and TWikiNetSkinPlugin are new in TWiki 4.3.

New Features Highlights

• Security Enhancements
  • Reduced risk of XSS (cross-site scripting)
  • S/MIME support to sign administrative e-mails
• Usability Enhancements
  • Replace question mark links with red-links to point to non-existing topics
• Enterprise Collaboration Enhancements
  • Pre-installed HeadlinesPlugin to show headline newsfeeds in TWiki topics
  • Pre-installed TWikiNetSkin, TWikiNetSkinPlugin for corporate look and feel
• Search Enhancements
  • Add footer parameter to Formatted Search
  • Add number of topics to Formatted Search
• Miscellaneous Feature Enhancements
  • Control over variable expansion at topic creation time
  • 17 new TWikiDocGraphics images
  • Include URL supports list of domains to exclude from proxy
  • Adding Korean language
• Plugin Enhancements
  • SpreadSheetPlugin: 5 new functions

Important Changes in 4.3.0

Highlights of bug fixes in 4.3.0

• Security:
  • Review code for robustness and security
  • Secure configure script with taint mode turned on
• Rendering:
  • %TOC% does not distinguish two headlines that have the same text
  • TablePlugin produces bad links for sorting when using "short" URLs
  • %SCRIPTSUFFIX% is added twice in %TOC% links
  • Incorrect Content-length breaks HTTP headers, a.o. pound fail results
  • TablePlugin: Date sorting is broken
  • Bullet lists in form fields are not rendered properly
  • TWiki Forms expand variables like $nop, $quote $percnt
  • TwistyPlugin: Twisty can't be placed in TWiki table cells
• Users and groups:
  • TWikiGroups shows all members twice
• Editing:
  • WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character
• Miscellaneous:
  • configure's get more extensions does not work well without LWP
  • CommentPlugin: Lost data if it's targeted before/after a missing anchor
  • Plugin installation fails on windows: extender.pl line 684
  • Statistics script does not handle properly topics with special characters

See the full list of bug fixes at the bottom of this topic.

Important Changes in Recent Releases

Deprecation Notices

The %MAINWEB% and %TWIKIWEB% variables have been deprecated. For compatibility reasons they are unlikely to ever be removed completely, but you should use the %USERSWEB% and %SYSTEMWEB% variables instead.

In Func getOopsUrl and permissionsSet have been declared deprecated. There is no plan to remove them yet.

TWiki 4.3.0 Minor Release - Details

The 4.3.0 release was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 17948 (30 Mar 2009)

Enhancements in TWiki 4.3.0

Item3647	Usability: Control over variable expansion in topic templates
Item5025	InterwikiPlugin: Allow special characters in "Page" of Site:Page
Item6148	HeadlinesPlugin: Support for {PROXY}{HOST} and {PROXY}{PORT} configure settings
Item6176	Search: Add footer parameter to Formatted Search
Item6180	HeadlinesPlugin: Support for {PROXY}{SkipProxyForDomains} configure setting, USERAGENTNAME plugin setting
Item6184	Search: Add Number of Topics to Formatted Search
Item6189	Usability: Replace question mark links with red links to point to non-existing topics
Item6199	Enhancement: Add TWikiNetSkin to Distribution
Item6200	Enhancement: Add HeadlinesPlugin to Distribution
Item6222	SpreadSheetPlugin: New functions $EMPTY(), $INSERTSTRING(), $LEFTSTRING(), $RIGHTSTRING(), $SUBSTRING() functions
Item6226	Include: Specify a list of domains to exclude from proxy with {PROXY}{SkipProxyForDomains} setting
Item6227	Documentation: 17 new TWikiDocGraphics images
Item6228	Security: Option to send signed e-mail with S/MIME

Fixes in TWiki 4.3.0

Item1607	%TOC% does not distinguish two headlines that have the same text
Item2525	TablePlugin produces bad links for sorting when using "short" URLs
Item4835	SpreadSheetPlugin: SUBSTITUTE error when text=old and replace is empty
Item5176	%SCRIPTSUFFIX% is added twice in %TOC% links
Item5471	SpreadSheetPlugin: The character 0 cannot be replaced using the REPLACE-funtion
Item5910	TablePlugin: %TOC% variable creates links with unecessary query string
Item5914	TWiki::Request::url() must support -rewrite, -absolute and -relative
Item5920	TWikiGroups shows all members twice
Item5939	Rogue <p /> below </html> on every topic in every web
Item5960	Incorrect Content-length breaks HTTP headers, a.o. pound fail results
Item5961	WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character
Item5991	JSCalendarContrib: Does not work correctly in IE7
Item5994	Secure configure script with taint mode turned on
Item6005	EditTablePlugin: "label"-formatted cell changed in unexpected way
Item6022	%ENCODE{}% treats % as safe character
Item6026	With header format emtpy table is initialized with one column only
Item6031	TablePlugin: Date sorting is broken.
Item6041	TinyMCE bug with Firefox 3 and bulleted lists
Item6050	statistics script fails when cuid is not equal login name (as login name is what's in the log files...)
Item6054	TwistyPlugin: No longer possible to have a twisty on one line without linebreak
Item6060	configure's get more extensions does not work well without LWP
Item6061	TWiki::Func::getContext documention
Item6138	Bullet lists in form fields are not rendered properly
Item6163	CommentPlugin: Lost data if it's targeted before/after a missing anchor.
Item6167	TWiki Forms expand variables like $nop, $quote $percnt
Item6170	Plugin installation fails on windows: extender.pl line 684
Item6171	Per RFC 5321, single quote is allwed in e-mail addresses
Item6178	Statistics script does not handle properly topics with special characters
Item6185	Missing newline in Formatted Search if footer used
Item6186	Review code for robustness and security
Item6208	WebChanges does not work on Windows
Item6220	TwistyPlugin: Twisty can't be placed in TWiki table cells
Item6223	Users can't edit content in Main web

<-- Note: Do not use TWikibug: interwiki links because interwiki rule might not be defined 

 Set BUGS = http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs
 
-->