-ikiwiki (2.31) UNRELEASED; urgency=low
+ikiwiki (2.49) UNRELEASED; urgency=low
+
+ * haiku: Generate valid xhtml.
+ * ikiwiki-mass-rebuild: Don't trust $! when setting $)
+ * inline: The optimisation in 2.41 broke nested inlines. Detect those
+ and avoid overoptimising.
+ * search: Converted to use xapian-omega.
+ * Filter hooks are no longer called during the scan phase. This will
+ prevent wikilinks added by filters from being scanned properly. But
+ no known filter hook does that, and calling filters unncessarily during
+ scan slowed down complex filters such as the one used to update the xapian
+ index.
+
+ -- Joey Hess <joeyh@debian.org> Fri, 30 May 2008 19:08:54 -0400
+
+ikiwiki (2.48) unstable; urgency=high
+
+ * Fix security hole that occurred if openid and passwordauth were both
+ enabled. passwordauth would allow logging in as a known openid, with an
+ empty password. Closes: #483770 (CVE-2008-0169)
+ * Add rel=nofollow to edit links. This may prevent some spiders from
+ pounding on the cgi following edit links.
+ * passwordauth: If Authen::Passphrase is installed, use it to store
+ password hashes, crypted with Eksblowfish.
+ * `ikiwiki-transiition hashpassword /path/to/srcdir` can be used to
+ hash existing plaintext passwords.
+ * Passwords will no longer be mailed, but instead a password reset link.
+ * The password_cost config setting is provided as a "more security" knob.
+ * teximg: Fix logurl.
+ * teximg: If the log isn't written, avoid ugly error messages.
+ * Updated French translation. Closes: #478530
+
+ -- Joey Hess <joeyh@debian.org> Fri, 30 May 2008 17:36:07 -0400
+
+ikiwiki (2.47) unstable; urgency=low
+
+ * mdwn: Add a multimarkdown setup file option.
+ * If PERL5LIB is set to the libdir when building ikiwiki, calculate and
+ hardcode a proper 'use lib' statement anyway. This fixes a gotcha,
+ since PERL5LIB won't work once ikiwiki is running via a wrapper or as
+ a cgi.
+ * orphans: As a special case, the toplevel index page is never considered
+ an orphaned page.
+ * inline: Display a message if the 'pages' parameter is missing, before
+ it just expanded to nothing.
+ * git: Skip over signed-off-by and similar lines in commit messages
+ when generating recentchanges.
+ * ENV can be used in the setup file to override environment variable
+ settings, such as TZ or PATH.
+ * Perls older than 5.10 need to use the old method of decoding utf-8 in CGI
+ values. Neither method will work for all versions of perl, so check
+ version number at runtime.
+ * Avoid unsightly warning message when evaling broken pagespecs.
+ * Improve error message when a pagespec fails to parse.
+
+ -- Joey Hess <joeyh@debian.org> Sun, 25 May 2008 14:25:42 -0400
+
+ikiwiki (2.46) unstable; urgency=low
+
+ * amazon_s3: New plugin, which injects wiki pages into Amazon S3, allowing
+ ikiwiki to be used without a dedicated web server.
+ * aggregate: Add support for web-based triggering of aggregation
+ for people stuck on shared hosting without cron. (Sheesh.) Enabled
+ via the `aggregate_webtrigger` configuration optiom.
+ * Add pinger and pingee plugins, which allow setting up mirrors and branched
+ wikis that automatically ping one another to stay up to date.
+ * Optimised file statting code when scanning for modified pages;
+ cut the number of system calls in half. (Still room for improvement.)
+ * Fixes for behavior changes in perl 5.10's CGI that broke utf-8 support
+ in several interesting ways.
+
+ -- Joey Hess <joeyh@debian.org> Mon, 12 May 2008 20:51:50 -0400
+
+ikiwiki (2.45) unstable; urgency=low
+
+ * toc: Add the table of contents at sanitize time, rather than at format
+ time. This allows the toc to be displayed when previewing an edit. It also
+ avoids headers in the page template from showing up in the toc.
+ * Add PREFIX/bin to the hardcoded PATH within ikiwiki.
+ * Deal with different paths to perl when removing -T flag.
+ * Add missing de.po. Closes: #471540
+ * img: Support a title attribute, will be passed through to html.
+ Closes: #478718
+ * anonk: Add anonok_pagespec configuration setting that can be used to
+ allow anonymous users to edit only matching pages. Closes: #478892
+ * Fix ugly display when editing a page that has vanished.
+ * srcfile now has an optional second parameter to avoid it throwing an error
+ if the source file does not exist.
+ * git: Put -- before the filename when calling git rev-list to avoid
+ warning message when the file doesn't exist.
+ * Add a Bundle::IkiWiki and Bundle::IkiWiki::Extras to the source for use
+ with CPAN to install perl modules.
+ * Add a cpan directory containing a CPAN::MyConfig that can ease use of
+ CPAN to install in a home directory on shared hosting providers.
+ * With these changes, it's pretty easy to install onto nearlyfreespeech.net
+ and probably other shared hosting providers like dreamhost. Added
+ a page documenting the process for nearlyfreespeech.
+
+ -- Joey Hess <joeyh@debian.org> Mon, 05 May 2008 15:06:05 -0400
+
+ikiwiki (2.44) unstable; urgency=medium
+
+ * Bring back the svnrepo setup file option. This is needed for
+ recentchangediff to work with svn repos.
+ * Allow libtext-markdown-perl to satisfy dependencies, as a
+ an alternative to the markdown package.
+ * Correct a bug in pagespec matching, where a empty pagespec matched all
+ pages. This manifested as wikis with no locked pages treating them all as
+ locked. The bug was introduced in version 2.41.
+ * Medium urgency upload due to above fix.
+
+ -- Joey Hess <joeyh@debian.org> Thu, 17 Apr 2008 14:33:54 -0400
+
+ikiwiki (2.43) unstable; urgency=low
+
+ * Fix missing import of escapeHTML in userlink. (Scott Bronson)
+ * Fix broken rcs_update for bzr. (Scott Bronson)
+ * Use bzr --quiet to avoid it outputting stuff and messing up http headers.
+ (Scott Bronson)
+ * Give the full path to the hyperestraier helpfile in estseek.conf.
+ * Recommend a recent git-core for git init. Closes: 475609
+
+ -- Joey Hess <joeyh@debian.org> Wed, 16 Apr 2008 18:35:13 -0400
+
+ikiwiki (2.42) unstable; urgency=high
+
+ * aggregate: Correct a mistake in the code that dummy up a guid for feeds
+ lacking one.
+ * inline: Correct handling of urls relative to baseurl in feeds.
+ * Fix CSRF attacks against the preferences and edit forms. The fix involved
+ embedding the session id in the forms, and not allowing the forms to be
+ submitted if the embedded id does not match the session id. Closes: #475445
+ (CVE-2008-0165)
+
+ -- Joey Hess <joeyh@debian.org> Thu, 03 Apr 2008 02:35:39 -0400
+
+ikiwiki (2.41) unstable; urgency=low
+
+ [ Adeodato Simó ]
+ * Preprocessor directives generated by the shortcut plugin accept a `desc`
+ parameter that overrides the anchor text provided at shortcut definition
+ time. (Closes: #458126)
+
+ [ martin f. krafft ]
+ * The meta plugin now allows for the robots tag to be specified without the
+ risk of it being scrubbed.
+ * Let meta.openid set X-XRDS-Location header
+ * Make makerepo set the Git merge remote.
+ branch.master.remote previously used to default to origin, which has
+ recently been changed; it now needs to be set explicitly, which this
+ patch does. Closes: #470517
+ * meta: Also generate openid2 headers.
+ * Handle SimpleXMLRPCDispatcher arg count change in python 2.5
+ * Provide XML-RPC proxy abstraction for Python plugins.
+ [ Joey Hess ]
+ * Add recentchangesdiff plugin that adds diffs to the recentchanges feeds.
+ * rcs_diff is a new function that rcs modules should implement.
+ * Implemented rcs_diff for git, svn, and tla (tla version untested).
+ Mercurial and monotone still todo.
+ * Support Text::Markdown::markdown, which is the spelling used by
+ version 1.0.16 of Text::Markdown.
+ * Updated Spanish translation from Victor Moral.
+ * Fix example exclude regexp. Closes: #469691
+ * Remove locking code in git rcs_commit. I'm not sure if this was ever
+ correct, and it's certianly not correct now, since the wiki is locked
+ before rcs_commit is ever called, and should not be unlocked by
+ rcs_commit either.
+ * monotone: Require version 0.38 or greater, and stop using the mtnmergerc
+ option. (Brian May)
+ * Use forcebaseurl to make page previews be displayed with the html base
+ set to the destination page. This avoids need for hacks to munge the urls
+ in preview mode, which fixes several bugs.
+ * Several destpage fixes in plugins.
+ * Use absolute url for feedurl when filling out the feed templates.
+ Closes: #470530
+ * Fix expiry of old recentchanges changeset pages.
+ * French translation update. Closes: #471010
+ * external: Fix support of XML::RPC::fault.
+ * htmltidy: Pass --markup yes, in case tidy's config file disabled it.
+ * external: Add getargv and setargv methods to allow access to ikiwiki's
+ @ARGV.
+ * Correct bug in encoding of %pagestate keys, fixes edittemplate.
+ * Detect invalid pagespecs and do not merge them in add_depends,
+ as that can result in a broken merged pagespec that matches nothing.
+ * Record new pages in %pagesources temporarily when previewing so that
+ things that need to know the page source or type can query it from there.
+ Fixes previewing of tables when creating a new page.
+ * German translation update. Closes: #471540
+ * Time::Duration is no longer used, remove from docs and recommends.
+ * Store userinfo in network byte order for easy portability.
+ (Old files will be automatically converted.)
+ * Close meta tag for redir properly.
+ * smiley: Detect smileys inside pre and code tags, and do not expand.
+ * inline: Crazy optimisation to work around slow markdown.
+ * Precompile pagespecs, about 10% overall speedup.
+ * Changed to a binary index file, written using Storable, for speed.
+ * external: Work around XML RPC's lack of support for null by passing
+ a special sentinal value.
+ * inline: Allow the "feedshow" parameter to take values greater than the
+ value for "show".
+ * Added a hardlink option in the setup file, useful if the source and
+ dest are on the same filesystem and the wiki includes large media files,
+ which would normally be copied, wasting time and space.
+
+ -- Joey Hess <joeyh@debian.org> Sat, 29 Mar 2008 21:07:22 -0400
+
+ikiwiki (2.40) unstable; urgency=low
+
+ [ Josh Triplett ]
+ * Add new preprocessor directive syntax¸ using a '!' prefix. Add a
+ prefix_directives option to the setup file to turn this syntax on;
+ currently defaults to false, for backward compatibility. Support
+ optional '!' prefix even with prefix_directives off, and use that in
+ the underlay to support either setting of prefix_directives. Add NEWS
+ entry with migration information.
+
+ [ Joey Hess ]
+ * Danish translation update from Jonas Smedegaard. Closes: #465152
+ * Generate XML RPC messages with the encoding set to utf-8 instead
+ of XML::RPC's default of us-ascii. Allows interoperation with
+ python's xmlrpc library, which threw invalid encoding exceptions and
+ caused the rst plugin to hang.
+ * Add the linkify and scan hooks. These hooks can be used to implement
+ custom, first-class types of wikilinks.
+ * Move standard wikilink implementation to a new link plugin, which
+ will of course be enabled by default.
+ * camelcase: Convert to use new linkify and scan hooks rather than the old
+ hack.
+ * Setting NOTAINT=1 had no effect when building ikiwiki itself, fix this.
+ * Depend on HTML::Scrubber, since the scrubber is enabled by default and
+ dies if its can't be loaded.
+ * The search plugin needs to override <base> to point to the directory
+ containing ikiwiki.cgi, but this should not change the urls to the style
+ sheets etc. Add a new forcebareurl parameter to misctemplate to allow
+ it to do that.
+ * Preview limits the page dropdown to what's selected previously
+ (as preserving the full list across preview would be tricky). Userdirs
+ were still being offered as an option there, remove them.
+ * Fix a bug where user A created a page concurrently with user B, and
+ when B previewed it would redirect B to A's new page, losing B's work.
+ Instead, don't redirect and let conflict handling resolve it.
+ * monotone: Add code to default mergerc file to run
+ _MTN/ikiwiki-netsync-hook when a commit is merged in from the net.
+ * tla: Remove call to escapeHTML when constructing recentchanges message;
+ the html is escaped at a different level. Closes: #466495
+ * bzr, mercurial: Remove unused import of escapeHTML.
+ * Fix another preview will_render bug. This one involved inline,
+ which forced a scan of the page to make available metadata that
+ appeared after the inline directive. Problem is that scan made it forget
+ about any other files rendered due to the page. The scan also turns out
+ to be unnecessary now, since meta persistently stores state and it's
+ always available. So it was just removed.
+ * Disable taint checking for all builds as people keep complaining about it,
+ and since all versions of perl seem to be hopelessly broken.
+ * Fix links generated by preprocessor directives when previewing.
+ * inline: When forcing urls absolute for rss feeds, skip mailto and other
+ such urls.
+ * ikiwiki-makerepo: Don't fail if the third argument ends in a slash.
+ * Allow colons in URLs after the first slash. (Adeodato Simó)
+
+ -- Joey Hess <joeyh@debian.org> Fri, 29 Feb 2008 23:05:39 -0500
+
+ikiwiki (2.31.3) unstable; urgency=high
+
+ [ Josh Triplett ]
+ * Do not allow the about: URI scheme; some browsers interpret about:
+ URIs like a limited version of data: URIs. In particular, some
+ versions of Internet Explorer interpret arbitrary HTML content in
+ about: URIs.
+ * Also filter the attributes cite, longdesc, and usemap, which can contain
+ URIs.
+
+ [ Joey Hess ]
+ * meta: Check that the urls provided for authorurl, permalink, and openid
+ are safe and can't contain javascript.
+
+ [ Josh Triplett ]
+ * Match literal '.' in URI schemas containing '.', rather than matching any
+ character.
+ * Do not allow the steam: URI scheme.
+ * Allow the snews: URI scheme.
+ * Allow the smb: URI scheme.
+
+ -- Josh Triplett <josh@freedesktop.org> Sun, 10 Feb 2008 14:48:48 -0800
+
+ikiwiki (2.31.2) unstable; urgency=high
+
+ * The security fix in the last release had buggy handling of data:image,
+ now fixed. Closes: #465110 (CVE-2008-0808, CVE-2008-0809)
+
+ -- Joey Hess <joeyh@debian.org> Sun, 10 Feb 2008 15:31:17 -0500
+
+ikiwiki (2.31.1) unstable; urgency=low
+
+ * htmlscrubber security fix: Block javascript in uris.
+ * Add htmlscrubber test suite.
+ * Thanks to Josh Triplett for pointing out the holes and for his help
+ in implementing and checking fixes.
+
+ -- Joey Hess <joeyh@debian.org> Sun, 10 Feb 2008 13:22:59 -0500
+
+ikiwiki (2.31) unstable; urgency=low
+
+ [ Joey Hess ]
* Revert preservation of input file modification times in output files,
since this leads to too many problems with web caching, especially with
inlined pages. Properly solving this would involve tracking every page
direction. No need to pull changes when doing a commit. mtn sync
is still called in rcs_update.
- Support for viewing differences via patches using viewmtn.
+ * inline: When previewing, still call will_render on rss/atom files,
+ just avoid actually writing the files. This is necessary because ikiwiki
+ saves state after a preview (in case it actually *did* write files),
+ and if will_render isn't called its security checks will get upset
+ when the page is saved. Thanks to Edward Betts for his help tracking this
+ tricky bug down.
+ * inline: Add new `allowrss` and `allowatom` config options. These can be
+ used if you want a wiki that doesn't default to generating rss or atom
+ feeds, but that does allow them to be turned on for specific blogs.
+ * Don't die if running with --getctime and rcs_getctime throws an error.
+ There are several cases (recentchanges files, aggregated files)
+ where some source files are not in revision control.
+ * Page templates can now use CTIME to show when the page was created.
+
+ [ Josh Triplett ]
+ * README.Debian: Mention user wikilists.
- -- Joey Hess <joeyh@debian.org> Sat, 02 Feb 2008 23:36:31 -0500
+ -- Joey Hess <joeyh@debian.org> Sat, 09 Feb 2008 23:09:45 -0500
ikiwiki (2.30) unstable; urgency=low