Announce 3.20160506
parent 847c9f232e
commit 26d4641d02
|
@ -1,44 +0,0 @@
|
||||||
ikiwiki 3.20150107 released with [[!toggle text="these changes"]]
|
|
||||||
[[!toggleable text="""
|
|
||||||
[ [[Joey Hess|joey]] ]
|
|
||||||
|
|
||||||
* Added ikiwiki-comment program.
|
|
||||||
* Add missing build-depends on `libcgi-formbuilder-perl`, needed for
|
|
||||||
`t/relativity.t`
|
|
||||||
* openid: Stop suppressing the email field on the Preferences page.
|
|
||||||
* Set Debian package maintainer to Simon McVittie as I'm retiring from
|
|
||||||
Debian.
|
|
||||||
|
|
||||||
[ [[Simon McVittie|smcv]] ]
|
|
||||||
|
|
||||||
* calendar: add `calendar_autocreate` option, with which `ikiwiki --refresh`
|
|
||||||
can mostly supersede the `ikiwiki-calendar` command.
|
|
||||||
Thanks, Louis Paternault
|
|
||||||
* search: add more classes as a hook for CSS. Thanks, sajolida
|
|
||||||
* core: generate HTML5 by default, but keep avoiding new elements
|
|
||||||
like `<section>` that require specific browser support unless `html5` is
|
|
||||||
set to 1.
|
|
||||||
* Tell mobile browsers to draw our pages in a device-sized viewport,
|
|
||||||
not an 800-1000px viewport designed to emulate a desktop/laptop browser.
|
|
||||||
* Add new `responsive_layout` option which can be set to 0 if your custom
|
|
||||||
CSS only works in a large viewport.
|
|
||||||
* style.css, actiontabs, blueview, goldtype, monochrome: adjust layout
|
|
||||||
below 600px ("responsive layout") so that horizontal scrolling is not
|
|
||||||
needed on smartphone browsers or other small viewports.
|
|
||||||
* core: new `libdirs` option alongside `libdir`. Thanks, Louis Paternault
|
|
||||||
|
|
||||||
[ [[Amitai Schlair|schmonz]] ]
|
|
||||||
|
|
||||||
* core: log a debug message before waiting for the lock.
|
|
||||||
Thanks, Mark Jason Dominus
|
|
||||||
* build: in po/Makefile, use the same `$(MAKE)` as the rest of the build.
|
|
||||||
Thanks, ttw
|
|
||||||
* blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
|
|
||||||
Closes: [[!debbug 774441]]
|
|
||||||
|
|
||||||
[ [[Joey Hess|joey]] ]
|
|
||||||
|
|
||||||
* po: If msgmerge falls over on a problem po file, print a warning
|
|
||||||
message, but don't let this problem crash ikiwiki entirely.
|
|
||||||
"""]]
|
|
||||||
[[!meta date="2015-01-07 10:24:25 +0000"]]
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
News for ikiwiki 3.20160506:
|
||||||
|
|
||||||
|
To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
|
||||||
|
the `[[!img]]` directive is now restricted to these common web formats by
|
||||||
|
default:
|
||||||
|
* JPEG (`.jpg`, `.jpeg`)
|
||||||
|
* PNG (`.png`)
|
||||||
|
* GIF (`.gif`)
|
||||||
|
* SVG (`.svg`)
|
||||||
|
(In particular, by default resizing PDF files is no longer allowed.)
|
||||||
|
Additionally, resized SVG files are displayed in the browser as SVG
|
||||||
|
instead of being converted to PNG.
|
||||||
|
If all users who can attach images are fully trusted, this restriction
|
||||||
|
can be removed with the new img\_allowed\_formats setup option.
|
||||||
|
See [[ikiwiki/directive/img]] for more details.
|
||||||
|
|
||||||
|
ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
|
||||||
|
[[!toggleable text="""
|
||||||
|
* [ [[Simon McVittie|smcv]] ]
|
||||||
|
* HTML-escape error messages, in one case avoiding potential cross-site
|
||||||
|
scripting (OVE-20160505-0012)
|
||||||
|
* Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
|
||||||
|
- img: force common Web formats to be interpreted according to extension,
|
||||||
|
so that "allowed\_attachments: '*.jpg'" does what one might expect
|
||||||
|
- img: restrict to JPEG, PNG and GIF images by default, again mitigating
|
||||||
|
CVE-2016-3714 and similar vulnerabilities
|
||||||
|
- img: check that the magic number matches what we would expect from
|
||||||
|
the extension before giving common formats to ImageMagick
|
||||||
|
* d/control: use https for Homepage
|
||||||
|
* d/control: add Vcs-Browser
|
||||||
|
* [ [[Joey Hess|joey]] ]
|
||||||
|
* img: Add back support for SVG images, bypassing ImageMagick and
|
||||||
|
simply passing the SVG through to the browser, which is supported by all
|
||||||
|
commonly used browsers these days.
|
||||||
|
SVG scaling by img directives has subtly changed; where before
|
||||||
|
size=wxh would preserve aspect ratio, this cannot be done when passing
|
||||||
|
them through and so specifying both a width and height can change
|
||||||
|
the SVG's aspect ratio.
|
||||||
|
* loginselector: When only openid and emailauth are enabled, but
|
||||||
|
passwordauth is not, avoid showing a "Other" box which opens an
|
||||||
|
empty form.
|
||||||
|
* [ [[Amitai Schlair|schmonz]] ]
|
||||||
|
* mdwn: Process .md like .mdwn, but disallow web creation.
|
||||||
|
* [ Florian Wagner ]
|
||||||
|
* git: Correctly handle filenames starting with a dash in add/rm/mv."""]]
|
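Review bot: The news summary above the toggle covers only the ImageMagick restriction, while the changelog below it also lists "HTML-escape error messages, in one case avoiding potential cross-site scripting (OVE-20160505-0012)". A one-line mention in the summary would tell admins that this release carries a second security fix. Two smaller points in the same file: the option name in "can be removed with the new img\_allowed\_formats setup option" is written with backslash-escaped underscores, whereas `[[!img]]` and the extensions next to it use backticks, so `img_allowed_formats` in backticks would match. The removed 3.20150107 file ended with a `[[!meta date="..."]]` line after the closing `"""]]`, and the new file ends at `"""]]` with no such line; if the announcement date is meant to be pinned the same way, it needs adding.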