START HERE! This is the Foswiki project "Distribution". It is a monolith repository with the core + default extensions.
This release contains 61 fixes relative to 2.1.7, including 9 critical security related fixes.
Most notable are:
But also:
Foswiki can now properly be run behind a reverse proxy, reading the X-Forwarded-For HTTP header. Previously this resulted in mixed content when rendering HTML.
Under certain conditions a deep recursion could be triggered using otherwise innocent markup code.
While Foswiki defaults to its own plain file storage format, there are still a lot of installs that use RCS for file versioning. Given that this part of the code predates the shift to Unicode ages ago, there was still an error in the RCS store not properly encoding topic information.
Changes are sent out to subscribers using a mailnotify service. This service must be run as the admin user to be able to read all changes. Even so, people are only informed about changes that they actually have view rights to. In addition, this release fixes sending out emails in the user's preferred language; there was an error reading these preferences before.
JSON-RPC is one of the most important web APIs of Foswiki and has a mandatory topic parameter. This parameter, as in other service endpoints, specifies the location within the knowledge base to operate on. It thus determines the context of any other internal operations, such as the calculation of the preference stack. The jsonrpc endpoint sometimes failed to properly set the required context in previous releases.
Foswiki now supports uploading multiple files in one request.
Session cookies now have a same-site policy for better security.
Foswiki now always creates a proper I18N service internally, even when only one language (English) is being used. This makes sure that its internal I18N API is instantiated properly for other plugins to use, such as MultiLingualPlugin.
See the full set of release notes at https://foswiki.org/System/ReleaseNotes02x01.
Full Changelog: https://github.com/foswiki/distro/compare/FoswikiRelease02x01x07...FoswikiRelease02x01x08
These fixes are described in:
- the altField option of the Datepicker widget in jQuery UI < 1.30.0
- the *Text options of the Datepicker widget in jQuery UI < 1.30.0
- the of option of the .position() util in jQuery UI < 1.30.0

Details in CVE-2021-21252.
For decades Foswiki and TWiki had ways to access the session id of a user and make it available on a wiki page using the %SESSIONID macro. Anybody who has access to a session id can use this session on behalf of the user that is associated with it. There are multiple ways to leak this information to the outside using this macro. Therefore the two related macros %SESSIONID and %SESSIONVAR are deprecated for security reasons and have been disabled by default using the new {Sessions}{HideSessionVariable} setting. Note that these macros will be removed completely in the next minor release.
While macros such as %FORMFIELD only allow access to information the current user has view rights for, the %QUERY macro did not.
The LiveQuery module is at the core of Foswiki's JavaScript framework, but was abandoned upstream. In the meantime, modern browsers all support a feature called "mutation observer" to monitor changes to the DOM in an efficient, standardized way. Thus a new module called Observer has been implemented on this basis to initialize JavaScript modules in a declarative way, as was done before using LiveQuery.
See ReleaseNotes02x01 for complete release notes.
Note: This release was re-uploaded on June 1st, due to a version string error. Purely cosmetic issue during the build process.