-ikiwiki (3.20130904.2) UNRELEASED; urgency=low
+ikiwiki (3.20160729) UNRELEASED; urgency=medium
+
+ * Fix installation when prefix includes a string metacharacter.
+ Thanks, Sam Hathaway.
+
+ -- Joey Hess <id@joeyh.name> Wed, 03 Aug 2016 14:59:36 -0400
+
+ikiwiki (3.20160728) unstable; urgency=medium
+
+ * Explicitly remove current working directory from Perl's library
+ search path, mitigating CVE-2016-1238 (see #588017)
+ * wrappers: allocate new environment dynamically, so we won't overrun
+ the array if third-party plugins add multiple environment variables.
+ * Standards-Version: 3.9.8 (no changes required)
+
+ -- Simon McVittie <smcv@debian.org> Thu, 28 Jul 2016 10:41:56 +0100
+
+ikiwiki (3.20160509) unstable; urgency=high
+
+ [ Amitai Schlair ]
+ * img: ignore the case of the extension when detecting image format,
+ fixing the regression that *.JPG etc. would not be displayed
+ since 3.20160506
+
+ [ Simon McVittie ]
+ * img: parse img_allowed_formats case-insensitively, as was done in
+ 3.20141016.3
+ * inline: restore backwards compat for show=-1 syntax, which
+ worked before 3.20160121
+ * Remove a spurious changelog entry from 3.20160506 (the relevant
+ change was already in 3.20150614)
+ * Add CVE-2016-4561 reference to 3.20160506 changelog
+ * Set high urgency to get the CVE-2016-4561 fix and CVE-2016-3714
+ mitigation into testing
+
+ -- Simon McVittie <smcv@debian.org> Mon, 09 May 2016 21:57:09 +0100
+
+ikiwiki (3.20160506) unstable; urgency=medium
+
+ [ Simon McVittie ]
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (CVE-2016-4561, OVE-20160505-0012)
+ * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
+ - img: force common Web formats to be interpreted according to extension,
+ so that "allowed_attachments: '*.jpg'" does what one might expect
+ - img: restrict to JPEG, PNG and GIF images by default, again mitigating
+ CVE-2016-3714 and similar vulnerabilities
+ - img: check that the magic number matches what we would expect from
+ the extension before giving common formats to ImageMagick
+ * d/control: use https for Homepage
+ * d/control: add Vcs-Browser
+
+ [ Joey Hess ]
+ * img: Add back support for SVG images, bypassing ImageMagick and
+ simply passing the SVG through to the browser, which is supported by all
+ commonly used browsers these days.
+ SVG scaling by img directives has subtly changed; where before
+ size=wxh would preserve aspect ratio, this cannot be done when passing
+ them through and so specifying both a width and height can change
+ the SVG's aspect ratio.
+ * loginselector: When only openid and emailauth are enabled, but
+ passwordauth is not, avoid showing a "Other" box which opens an
+ empty form.
+
+ [ Amitai Schlair ]
+ * mdwn: Process .md like .mdwn, but disallow web creation.
+
+ [ Florian Wagner ]
+ * git: Correctly handle filenames starting with a dash in add/rm/mv.
+
+ -- Simon McVittie <smcv@debian.org> Fri, 06 May 2016 07:54:26 +0100
+
+ikiwiki (3.20160121) unstable; urgency=medium
+
+ [ Amitai Schlair ]
+ * meta: Fix [[!meta name=foo]] by closing the open quote.
+ * Avoid unescaped "{" in regular expressions
+ * meta test: Add tests for many behaviors of the directive.
+ * img test: Bail gracefully when ImageMagick is not present.
+
+ [ Joey Hess ]
+ * emailauth: Added emailauth_sender config.
+ * Modified page.tmpl to to set html lang= and dir= when
+ values have been specified for them, which the po plugin does.
+ * Specifically license the javascript underlay under the permissive
+ basewiki license.
+
+ [ Simon McVittie ]
+ * git: if no committer identity is known, set it to
+ "IkiWiki <ikiwiki.info>" in .git/config. This resolves commit errors
+ in versions of git that require a non-trivial committer identity.
+ * inline, trail: rename show, feedshow parameters to limit, feedlimit
+ (with backwards compatibility)
+ * pagestats: add "show" option to show meta fields. Thanks, Louis
+ * inline: force RSS <comments> to be a fully absolute URL as required
+ by the W3C validator. Please use Atom feeds if relative URLs are
+ desirable on your site.
+ * inline: add <atom:link rel="self"> to RSS feeds as recommended by
+ the W3C validator
+ * inline: do not produce links containing /./ or /../
+ * syslog: accept and encode UTF-8 messages
+ * syslog: don't fail to log if the wiki name contains %s
+ * Change dependencies from transitional package perlmagick
+ to libimage-magick-perl (Closes: #789221)
+ * debian/copyright: update for the rename of openid-selector to
+ login-selector
+ * d/control: remove leading article from Description
+ (lintian: description-synopsis-starts-with-article)
+ * d/control: Standards-Version: 3.9.6, no changes required
+ * Wrap and sort control files (wrap-and-sort -abst)
+ * Silence "used only once: possible typo" warnings for variables
+ that are part of modules' APIs
+ * Run autopkgtest tests using autodep8 and the pkg-perl team's
+ infrastructure
+ * Add enough build-dependencies to run all tests, except for
+ non-git VCSs
+ * tests: consistently use done_testing instead of no_plan
+ * t/img.t: do not spuriously skip
+ * img test: skip testing PDFs if unsupported
+ * img test: use the right filenames when testing that deletion occurs
+
+ -- Simon McVittie <smcv@debian.org> Thu, 21 Jan 2016 09:53:07 +0000
+
+ikiwiki (3.20150614) unstable; urgency=medium
+
+ * inline: change default sort order from age to "age title" for
+ determinism, partially fixing deterministic build for git-annex,
+ ikiwiki-hosting etc. (Closes: #785757)
+ * img: avoid ImageMagick misinterpreting filenames containing a colon
+ * img test: set old timestamp on source file that will change, so that
+ the test will pass even if it takes less than 1 second
+
+ -- Simon McVittie <smcv@debian.org> Sun, 14 Jun 2015 18:13:23 +0100
+
+ikiwiki (3.20150610) unstable; urgency=low
+
+ [ Joey Hess ]
+ * New emailauth plugin lets users log in, without any registration,
+ by simply clicking on a link in an email.
+ * Re-remove google from openid selector; their openid provider is
+ gone for good.
+ * Make the openid selector display "Password" instead of "Other"
+ when appropriate, so users are more likely to click on it when
+ they don't have an openid.
+ * Converted openid-selector into a more generic loginselector helper
+ plugin.
+ * passwordauth: Don't allow registering accounts that look like openids.
+ * Make cgiurl output deterministic, not hash order. Closes: #785738
+ Thanks, Daniel Kahn Gillmor
+
+ [ Simon McVittie ]
+ * Do not enable emailauth by default, to avoid surprises on httpauth-only
+ sites. Enable it by default in openid instead, since it is essentially
+ a replacement for OpenIDs.
+ * Make the attachment plugin work with CGI.pm 4.x (Closes: #786586;
+ workaround for #786587 in libcgi-pm-perl)
+ * Add a public-domain email icon from tango-icon-theme
+ * Populate pagectime from either mtime or inode change time,
+ whichever is older, again for more reproducible builds
+ * debian: build the docwiki with LC_ALL=C.UTF-8 and TZ=UTC
+ * debian/copyright: consolidate permissive licenses
+ * debian/copyright: turn comments on provenance into Comment
+ * brokenlinks: sort the pages that link to the missing page, for
+ better reproducibility
+ * Add [[!meta date]] to news items and tips, since the git checkout
+ and build process can leave the checkout date in the tarball
+ release, leading to unstable sorting
+ * Sort backlinks deterministically, by falling back to sorting by href
+ if the link text is identical
+ * Add a $config{deterministic} option and use it for the docwiki
+ * haiku: if deterministic build is requested, return a hard-coded haiku
+ * polygen: if deterministic build is requested, use a well-known random seed
+
+ -- Simon McVittie <smcv@debian.org> Wed, 10 Jun 2015 21:56:36 +0100
+
+ikiwiki (3.20150329) experimental; urgency=high
+
+ [ Joey Hess ]
+ * Fix NULL ptr deref on ENOMEM in wrapper. (Thanks, igli)
+
+ [ Simon McVittie ]
+ * Really don't double-decode CGI submissions, even on Perl versions that
+ bundle an old enough Encode.pm for that not to be a problem: the
+ system might have a newer Encode.pm installed separately, like Fedora 20.
+ (Closes: #776181; thanks, Anders Kaseorg)
+ * If neither timezone nor TZ is set, set both to :/etc/localtime if
+ we're on a GNU system and that file exists, or GMT otherwise
+ * t/inline.t: accept translations of "Add a new post titled:"
+ (Closes: #779365)
+ * Consistently document command-line options as e.g. --refresh, not -refresh
+
+ [ Amitai Schlair ]
+ * In VCS-committed anonymous comments, link to url.
+
+ [ Joey Hess ]
+ * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483)
+
+ -- Simon McVittie <smcv@debian.org> Sun, 29 Mar 2015 21:48:24 +0100
+
+ikiwiki (3.20150107) experimental; urgency=medium
+
+ [ Joey Hess ]
+ * Added ikiwiki-comment program.
+ * Add missing build-depends on libcgi-formbuilder-perl, needed for
+ t/relativity.t
+ * openid: Stop suppressing the email field on the Preferences page.
+ * Set Debian package maintainer to Simon McVittie as I'm retiring from
+ Debian.
+
+ [ Simon McVittie ]
+ * calendar: add calendar_autocreate option, with which "ikiwiki --refresh"
+ can mostly supersede the ikiwiki-calendar command.
+ Thanks, Louis Paternault
+ * search: add more classes as a hook for CSS. Thanks, sajolida
+ * core: generate HTML5 by default, but keep avoiding new elements
+ like <section> that require specific browser support unless html5 is
+ set to 1.
+ * Tell mobile browsers to draw our pages in a device-sized viewport,
+ not an 800-1000px viewport designed to emulate a desktop/laptop browser.
+ * Add new responsive_layout option which can be set to 0 if your custom
+ CSS only works in a large viewport.
+ * style.css, actiontabs, blueview, goldtype, monochrome: adjust layout
+ below 600px ("responsive layout") so that horizontal scrolling is not
+ needed on smartphone browsers or other small viewports.
+ * core: new libdirs option alongside libdir. Thanks, Louis Paternault
+
+ [ Amitai Schlair ]
+ * core: log a debug message before waiting for the lock.
+ Thanks, Mark Jason Dominus
+ * build: in po/Makefile, use the same $(MAKE) as the rest of the build.
+ Thanks, ttw
+ * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
+ Closes: #774441
+
+ [ Joey Hess ]
+ * po: If msgmerge falls over on a problem po file, print a warning
+ message, but don't let this problem crash ikiwiki entirely.
+
+ -- Simon McVittie <smcv@debian.org> Wed, 07 Jan 2015 09:13:58 +0000
+
+ikiwiki (3.20141016) unstable; urgency=medium
+
+ [ Joey Hess ]
+ * Fix crash that can occur when only_committed_changes is set and a
+ file is deleted from the underlay.
+
+ [ Simon McVittie ]
+ * core: avoid dangerous use of CGI->param in list context, which led
+ to a security flaw in Bugzilla; as far as we can tell, ikiwiki
+ is not vulnerable to a similar attack, but it's best to be safe
+ * core: new reverse_proxy option prevents ikiwiki from trying to detect
+ how to make self-referential URLs by using the CGI environment variables,
+ for instance when it's deployed behind a HTTP reverse proxy
+ (Closes: #745759)
+ * core: the default User-Agent is now "ikiwiki/$version" to work around
+ ModSecurity rules assuming that only malware uses libwww-perl
+ * core: use protocol-relative URLs (e.g. //www.example.com/wiki) so that
+ https stays on https and http stays on http, particularly if the
+ html5 option is enabled
+ * core: avoid mixed content when a https cgiurl links to http static pages
+ on the same server (the static pages are assumed to be accessible via
+ https too)
+ * core: force the correct top URL in w3mmode
+ * google plugin: Use search form
+ * docwiki: replace Paypal and Flattr buttons with text links
+ * comments: don't record the IP address in the wiki if the user is
+ logged in via passwordauth or httpauth
+ * templates: add ARIA roles to some page elements, if html5 is enabled.
+ Thanks, Patrick
+ * debian: build-depend on libmagickcore-6.q16-2-extra | libmagickcore-extra
+ so we can thumbnail SVGs in the docwiki
+ * debian: explicitly depend and build-depend on libcgi-pm-perl
+ * debian: drop unused python-support dependency
+ * debian: rename debian/link to debian/links so the intended symlinks appear
+ * debian: fix some wrong paths in the copyright file
+
+ -- Simon McVittie <smcv@debian.org> Thu, 16 Oct 2014 23:28:26 +0100
+
+ikiwiki (3.20140916) unstable; urgency=low
+
+ * Don't double-decode CGI submissions with Encode.pm >= 2.53,
+ fixing "Error: Cannot decode string with wide characters".
+ Thanks, Antoine Beaupré
+ * Avoid making trails depend on everything in the wiki by giving them
+ a better way to sort the pages
+ * Don't let users post comments that won't be displayed
+ * Fix encoding of Unicode strings in Python plugins.
+ Thanks, chrysn
+ * Improve performance and correctness of the [[!if]] directive
+ * Let [[!inline rootpage=foo postform=no]] disable the posting form
+ * Switch default [[!man]] shortcut to manpages.debian.org. Closes: #700322
+ * Add UUID and TIME variables to edittemplate. Closes: #752827
+ Thanks, Jonathon Anderson
+ * Display pages in linkmaps as their pagetitle (no underscore escapes).
+ Thanks, chrysn
+ * Fix aspect ratio when scaling small images, and add support for
+ converting SVG and PDF graphics to PNG.
+ Thanks, chrysn
+ - suggest ghostscript (required for PDF-to-PNG thumbnailing)
+ and libmagickcore-extra (required for SVG-to-PNG thumbnailing)
+ - build-depend on ghostscript so the test for scalable images can be run
+ * In the CGI wrapper, incorporate $config{ENV} into the environment
+ before executing Perl code, so that PERL5LIB can point to a
+ non-system-wide installation of IkiWiki.
+ Thanks, Lafayette Chamber Singers Webmaster
+ * filecheck: accept MIME types not containing ';'
+ * autoindex: index files in underlays if the resulting pages aren't
+ going to be committed. Closes: #611068
+ * Add [[!templatebody]] directive so template pages don't have to be
+ simultaneously a valid template and valid HTML
+ * Add myself to Uploaders and release to Debian
+
+ -- Simon McVittie <smcv@debian.org> Fri, 12 Sep 2014 21:23:58 +0100
+
+ikiwiki (3.20140831) unstable; urgency=medium
+
+ * Make --no-gettime work in initial build. Closes: #755075
+
+ -- Joey Hess <joeyh@debian.org> Sun, 31 Aug 2014 14:17:24 -0700
+
+ikiwiki (3.20140815) unstable; urgency=medium
+
+ * Add google back to openid selector. Apparently this has gotten a stay
+ of execution until April 2015. (It may continue to work until 2017.)
+ * highlight: Add compatibility with highlight 3.18, while still supporting
+ 3.9+. Closes: #757679
+ Thanks, David Bremner
+ * highlight: Add support for multiple language definition directories
+ Closes: #757680
+ Thanks, David Bremner
+
+ -- Joey Hess <joeyh@debian.org> Fri, 15 Aug 2014 12:58:08 -0400
+
+ikiwiki (3.20140613) unstable; urgency=medium
+
+ * only_committed_changes could fail in a git repository merged
+ with git merge -s ours.
+ * Remove google from openid selector, per http://xkcd.com/1361/
+
+ -- Joey Hess <joeyh@debian.org> Fri, 13 Jun 2014 10:09:10 -0400
+
+ikiwiki (3.20140227) unstable; urgency=medium
+
+ * Added useragent config setting. Closes: #737121
+ Thanks, Tuomas Jormola
+ * po: Add html_lang_code and html_lang_dir template variables
+ for the language code and direction of text.
+ Thanks, Mesar Hameed
+ * Allow up to 8 levels of nested directives, rather than previous 3
+ in directive infinite loop guard.
+ * git diffurl: Do not escape / in paths to changed files, in order to
+ interoperate with cgit (gitweb works either way)
+ Thanks, intrigeri.
+ * git: Explicity push master branch, as will be needed by git 2.0's
+ change to push.default=matching by default.
+ Thanks, smcv
+ * Deal with nasty issue with gettext clobbering $@ while printing
+ error message containing it.
+ Thanks, smcv
+ * Cleanup of the openid login widget, including replacing of hotlinked
+ images from openid providers with embedded, freely licensed artwork.
+ Thanks, smcv
+ * Improve templates testing.
+ Thanks, smcv
+ * python proxy: Avoid utf-8 related crash.
+ Thanks, Antoine Beaupré
+ * Special thanks to Simon McVittie for being the patchmeister for this
+ release.
+
+ -- Joey Hess <joeyh@debian.org> Thu, 27 Feb 2014 11:55:35 -0400
+
+ikiwiki (3.20140125) unstable; urgency=medium
+
+ * inline: Allow overriding the title of the feed. Closes: #735123
+ Thanks, Christophe Rhodes
+ * osm: Escape name parameter. Closes: #731797
+
+ -- Joey Hess <joeyh@debian.org> Sat, 25 Jan 2014 16:40:32 -0400
+
+ikiwiki (3.20140102) unstable; urgency=low
* aggregate: Improve display of post author.
* poll: Fix behavior of poll buttons when inlined.
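Review bot: The 3.20150329 stanza lists "Fix XSS in openid selector" (Closes: #781483) last, under a second "[ Joey Hess ]" heading and with no CVE or OVE identifier, whereas the 3.20160506 stanza tags its XSS fix with CVE-2016-4561. Fold it into the first Joey Hess block and cite an identifier if one exists, so the reason for urgency=high is easy to find. The 3.20160506 entry "in one case avoiding potential cross-site scripting" would also be more useful if it named the affected error path, so administrators can judge their exposure. Typos in added lines: "to to set" (3.20160121) and "Explicity" (3.20140227).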
rather than using the internal xapain database.
(googlesearch plugin is too hard to turn on when xapain databases
corrupt themselves, which happens all too frequently).
-
- -- Joey Hess <joeyh@debian.org> Thu, 05 Sep 2013 10:01:10 -0400
+ * osm: Remove invalid use of charset on embedded javascript tags.
+ Closes: #731197
+ * style.css: Add compatibility definitions for more block-level
+ html5 elements. Closes: #731199
+ * aggregrate: Fix several bugs in handling of empty and colliding
+ titles when generating filenames.
+
+ -- Joey Hess <joeyh@debian.org> Thu, 02 Jan 2014 12:22:22 -0400
ikiwiki (3.20130904.1) unstable; urgency=low
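Review bot: The added entry "aggregrate: Fix several bugs in handling of empty and colliding titles" misspells the plugin name. The unchanged "aggregate: Improve display of post author." entry in the same 3.20140102 stanza uses the correct spelling; use "aggregate:" here too so that a search of the changelog for the plugin name finds both entries.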