Announce 3.20160506
parent
847c9f232e
commit
26d4641d02
|
@ -1,44 +0,0 @@
|
|||
ikiwiki 3.20150107 released with [[!toggle text="these changes"]]
|
||||
[[!toggleable text="""
|
||||
[ [[Joey Hess|joey]] ]
|
||||
|
||||
* Added ikiwiki-comment program.
|
||||
* Add missing build-depends on `libcgi-formbuilder-perl`, needed for
|
||||
`t/relativity.t`
|
||||
* openid: Stop suppressing the email field on the Preferences page.
|
||||
* Set Debian package maintainer to Simon McVittie as I'm retiring from
|
||||
Debian.
|
||||
|
||||
[ [[Simon McVittie|smcv]] ]
|
||||
|
||||
* calendar: add `calendar_autocreate` option, with which `ikiwiki --refresh`
|
||||
can mostly supersede the `ikiwiki-calendar` command.
|
||||
Thanks, Louis Paternault
|
||||
* search: add more classes as a hook for CSS. Thanks, sajolida
|
||||
* core: generate HTML5 by default, but keep avoiding new elements
|
||||
like `<section>` that require specific browser support unless `html5` is
|
||||
set to 1.
|
||||
* Tell mobile browsers to draw our pages in a device-sized viewport,
|
||||
not an 800-1000px viewport designed to emulate a desktop/laptop browser.
|
||||
* Add new `responsive_layout` option which can be set to 0 if your custom
|
||||
CSS only works in a large viewport.
|
||||
* style.css, actiontabs, blueview, goldtype, monochrome: adjust layout
|
||||
below 600px ("responsive layout") so that horizontal scrolling is not
|
||||
needed on smartphone browsers or other small viewports.
|
||||
* core: new `libdirs` option alongside `libdir`. Thanks, Louis Paternault
|
||||
|
||||
[ [[Amitai Schlair|schmonz]] ]
|
||||
|
||||
* core: log a debug message before waiting for the lock.
|
||||
Thanks, Mark Jason Dominus
|
||||
* build: in po/Makefile, use the same `$(MAKE)` as the rest of the build.
|
||||
Thanks, ttw
|
||||
* blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
|
||||
Closes: [[!debbug 774441]]
|
||||
|
||||
[ [[Joey Hess|joey]] ]
|
||||
|
||||
* po: If msgmerge falls over on a problem po file, print a warning
|
||||
message, but don't let this problem crash ikiwiki entirely.
|
||||
"""]]
|
||||
[[!meta date="2015-01-07 10:24:25 +0000"]]
|
|
@ -0,0 +1,45 @@
|
|||
News for ikiwiki 3.20160506:
|
||||
|
||||
To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
|
||||
the `[[!img]]` directive is now restricted to these common web formats by
|
||||
default:
|
||||
* JPEG (`.jpg`, `.jpeg`)
|
||||
* PNG (`.png`)
|
||||
* GIF (`.gif`)
|
||||
* SVG (`.svg`)
|
||||
(In particular, by default resizing PDF files is no longer allowed.)
|
||||
Additionally, resized SVG files are displayed in the browser as SVG
|
||||
instead of being converted to PNG.
|
||||
If all users who can attach images are fully trusted, this restriction
|
||||
can be removed with the new img\_allowed\_formats setup option.
|
||||
See [[ikiwiki/directive/img]] for more details.
|
||||
|
||||
ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
|
||||
[[!toggleable text="""
|
||||
* [ [[Simon McVittie|smcv]] ]
|
||||
* HTML-escape error messages, in one case avoiding potential cross-site
|
||||
scripting (OVE-20160505-0012)
|
||||
* Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
|
||||
- img: force common Web formats to be interpreted according to extension,
|
||||
so that "allowed\_attachments: '*.jpg'" does what one might expect
|
||||
- img: restrict to JPEG, PNG and GIF images by default, again mitigating
|
||||
CVE-2016-3714 and similar vulnerabilities
|
||||
- img: check that the magic number matches what we would expect from
|
||||
the extension before giving common formats to ImageMagick
|
||||
* d/control: use https for Homepage
|
||||
* d/control: add Vcs-Browser
|
||||
* [ [[Joey Hess|joey]] ]
|
||||
* img: Add back support for SVG images, bypassing ImageMagick and
|
||||
simply passing the SVG through to the browser, which is supported by all
|
||||
commonly used browsers these days.
|
||||
SVG scaling by img directives has subtly changed; where before
|
||||
size=wxh would preserve aspect ratio, this cannot be done when passing
|
||||
them through and so specifying both a width and height can change
|
||||
the SVG's aspect ratio.
|
||||
* loginselector: When only openid and emailauth are enabled, but
|
||||
passwordauth is not, avoid showing a "Other" box which opens an
|
||||
empty form.
|
||||
* [ [[Amitai Schlair|schmonz]] ]
|
||||
* mdwn: Process .md like .mdwn, but disallow web creation.
|
||||
* [ Florian Wagner ]
|
||||
* git: Correctly handle filenames starting with a dash in add/rm/mv."""]]
|
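Review bot: The changelog entry "img: restrict to JPEG, PNG and GIF images by default" under Simon McVittie disagrees with the news paragraph at the top of the new file, which lists SVG as a fourth default format, so a reader who only expands the changelog gets the wrong default allow-list. Suggest rewording that entry to match the four-format list, or pointing it at the later "Add back support for SVG images" item. Two smaller points: `img\_allowed\_formats` and `allowed\_attachments` are backslash-escaped here, while the removed page wrote option names in backticks (`calendar_autocreate`, `libdirs`), so backticks would be consistent. The removed page also ended with a `[[!meta date=...]]` line after `"""]]`, while the new page ends at `"""]]` with no date; please confirm that omission is intended.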