X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/dae0f48e91304afcb6ebe0936360e51b22a56548..0fbcd69a1d3c0b62c895b4ff70ef396408d125dc:/CHANGELOG diff --git a/CHANGELOG b/CHANGELOG deleted file mode 120000 index d526672ce..000000000 --- a/CHANGELOG +++ /dev/null @@ -1 +0,0 @@ -debian/changelog \ No newline at end of file diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 000000000..a30a5de00 --- /dev/null +++ b/CHANGELOG 
@@ -0,0 +1,5392 @@ +ikiwiki (3.20200202.4) UNRELEASED; urgency=medium + + * aggregate: When a feed has an enclosure that is an image, audio, or + video, include the enclosure in the generated page. + * aggregate: Also support feeds with media:content tags. + + -- Joey Hess Sat, 25 Dec 2021 12:41:34 -0400 + +ikiwiki (3.20200202.3) upstream; urgency=medium + + [ Amitai Schleier ] + * highlight: Adapt to API change in highlight >= 3.51 + * mdwn: Fix inverted footnote configuration when MultiMarkdown is + enabled. Thanks, Giuseppe Bilotta + + [ Joey Hess ] + * Updated German basewiki and directives translation from + Sebastian Kuhnert. + * Updated German program translation from + Sebastian Kuhnert. + + -- Joey Hess Sun, 02 Feb 2020 00:00:00 -0400 + +ikiwiki (3.20190228) upstream; urgency=medium + + * aggregate: Use LWPx::ParanoidAgent if available. + Previously blogspam, openid and pinger used this module if available, + but aggregate did not. This prevents server-side request forgery or + local file disclosure, and mitigates denial of service when slow + "tarpit" URLs are accessed. + (CVE-2019-9187) + * blogspam, openid, pinger: Use a HTTP proxy if configured, even if + LWPx::ParanoidAgent is installed. + Previously, only aggregate would obey proxy configuration. If a proxy + is used, the proxy (not ikiwiki) is responsible for preventing attacks + like CVE-2019-9187. + * aggregate, blogspam, openid, pinger: Do not access non-http, non-https + URLs. + Previously, these plugins would have allowed non-HTTP-based requests if + LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local + file disclosure, and preventing other rarely-used URI schemes like + gopher mitigates request forgery attacks. + * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly + recommended. + These plugins can request attacker-controlled URLs in some site + configurations. + * blogspam: Document LWPx::ParanoidAgent as desirable. 
+ This plugin doesn't request attacker-controlled URLs, so it's + non-critical here. + * blogspam, openid, pinger: Consistently use cookiejar if configured. + Previously, these plugins would only obey this configuration if + LWPx::ParanoidAgent was not installed, but this appears to have been + unintended. + * po: Always filter .po files. + The po plugin in previous ikiwiki releases made the second and + subsequent filter call per (page, destpage) pair into a no-op, + apparently in an attempt to prevent *recursive* filtering (which as + far as we can tell can't happen anyway), with the undesired effect + of interpreting the raw .po file as page content (e.g. Markdown) + if it was inlined into the same page twice, which is apparently + something that tails.org does. Simplify this by deleting the code + that prevented repeated filtering. Thanks, intrigeri + (Closes: #911356) + + -- Simon McVittie Tue, 26 Feb 2019 21:05:49 +0000 + +ikiwiki (3.20190207) upstream; urgency=medium + + [ Amitai Schleier ] + * graph: Add an optional "file" parameter + * emailauth: When email can't be sent, show the error message + * osm: Don't raise errors if tags don't have attached icons + * cgi: Avoid C compiler warnings for waitpid() on NetBSD + + [ Simon McVittie ] + * Hide popup template content from documentation (Closes: #898836) + * meta: Make [[!meta date]] show an error if dates are invalid or + Date::Parse can't be loaded + * inline: Cope with non-ASCII `rootpage` parameter. + Thanks, Feng Shu + * table: Cope with non-ASCII content in CSV format tables. + Thanks, Feng Shu + * trail: Allow unescaped punctuation in `pagenames` parameter + * comments: Hide "add comment" link from print stylesheet. + Thanks, Antoine Beaupré + * recentchangesdiff, relativedate, toggle: + Import JavaScript at the end of the page content, not the beginning, + so that the browser can render content as soon as possible. 
+ Thanks, Antoine Beaupré + * debian: Allow Breezy as an alternative to bzr + Thanks, Jelmer Vernooij + * inline: Add basic test coverage for [[!inline rootpage]] + * table: Add basic test coverage + * po: Add enough test coverage to reproduce Debian #911356 + * comments: Improve test coverage + * tests: Exercise Unicode more + + [ Joey Hess ] + * aggregate: Fix aggregation of posts without a title. + Thanks, Alexandre Oliva + * poll: Added postlink and posttrail options for better multi-page polls. + * Fix permalink to comments. + + -- Simon McVittie Thu, 07 Feb 2019 11:07:44 +0000 + +ikiwiki (3.20180311) upstream; urgency=medium + + [ Amitai Schleier ] + * Avoid unexpected full paths from find(1) + + [ thm.id.fedoraproject.org ] + * rst test: Probe for docutils Python 3 module, not Python 2 + + [ Simon McVittie ] + * mdwn: Automatically detect which Discount flags to use, fixing + regressions in 3.20180228 when using Discount < 2.2 + * Add a test asserting that no plugin is an empty file, to confirm + that the build fixes in 3.20180228 were successful + + -- Simon McVittie Sun, 11 Mar 2018 15:53:34 +0000 + +ikiwiki (3.20180228) upstream; urgency=medium + + * core: Don't send relative redirect URLs when behind a reverse proxy + * core: Escape backticks etc. 
in directive error messages as HTML + entities so that the error message is not subsequently parsed as + Markdown + * mdwn: Enable fenced code blocks, PHP Markdown Extra-style definition + lists and GitHub-style extensions to HTML tag syntax when used with + Discount >= 2.2.0 (Closes: #888055) + * img: Fix auto-detection of image format (if enabled, which is + strongly discouraged) with ImageMagick >= 6.9.8-3 + * rst: Use Python 3 instead of Python 2 + * build: `set -e` before each `for` loop, so that errors are reliably + trapped + * build: Use if/then instead of `||` so that the `-e` flag works + * build: Ensure that pm_to_blib finishes before rewriting shebang lines + * t: Make the img test pass with ImageMagick >= 6.9.8-3 + (Closes: #891647) + * debian: Remove unused Lintian overrides for duplicate word false positives + * debian: Declare compliance with Debian Policy 4.1.3 + + -- Simon McVittie Wed, 28 Feb 2018 10:38:19 +0000 + +ikiwiki (3.20180105) upstream; urgency=medium + + * emailauth: Fix cookie problem when user is on https and the cgiurl + uses http, by making the emailed login link use https. + * passwordauth: Use https for emailed password reset link when user + is on https. + * Remove openid provider icons from login selector, since openid providers + are increasingly not working. Verisign retired theirs, and aol and + yahoo/flickr are not commonly used for openid. Any users who still + clicked those icons to login will need to instead enter their openid url. + * Updated German basewiki and directives translation from + Sebastian Kuhnert. + + -- Joey Hess Fri, 05 Jan 2018 13:41:20 -0400 + +ikiwiki (3.20171001) upstream; urgency=medium + + [ Joey Hess ] + * htmlscrubber: Add support for the video tag's loop and muted + attributes. Those were not in the original html5 spec, but have been + added in the whatwg html living standard and have wide browser support. + * emailauth, passwordauth: Avoid leaving cgisess_* files in the + system temp directory. 
+ + [ Simon McVittie ] + * core: Don't decode the result of strftime if it is already tagged as + UTF-8, as it might be since Perl >= 5.21.1. (Closes: #869240) + * img: Strip metadata from resized images when the deterministic config + option is set. Thanks, intrigeri + * receive: Avoid asprintf() in IkiWiki::Receive, to avoid implicit + declaration, potential misbehaviour on 64-bit platforms, and lack + of portability to non-GNU platforms + * t: Add a regression test for untrusted git push + * receive: Fix untrusted git push with git (>= 2.11) by passing through + the necessary environment variables to make the quarantine area work + * debian: Declare compliance with Debian Policy 4.1.1 + + [ Amitai Schleier ] + * l10n: Fix the build with po4a 0.52, by ensuring that msgstr ends + with a newline if and only if msgid does + + -- Simon McVittie Sun, 01 Oct 2017 16:32:01 +0100 + +ikiwiki (3.20170622) unstable; urgency=medium + + * t/git-cgi.t: Wait 1 second before doing a revert that should work. + This hopefully fixes a race condition in which the test failed + around 6% of the time. (Closes: 862494) + * Guard against set-but-empty REMOTE_USER CGI variable on + misconfigured nginx servers, and in general treat sessions with + a set-but-empty name as if they were not signed in. + * When the CGI fails, print the error to stderr, not "Died" + * mdwn: Don't mangle
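Review bot: Replacing the CHANGELOG symlink with a regular file (`deleted file mode 120000`, target `debian/changelog`, followed by `new file mode 100644` with `@@ -0,0 +1,5392 @@`) leaves a second full copy of the changelog that can drift from debian/changelog if that file stays in the tree. Please say in the commit message which of the two is canonical from now on, and either drop the other or generate it at build time, so that security-relevant entries such as the CVE-2019-9187 one are recorded in a single place.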
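Review bot: The new top entry, `ikiwiki (3.20200202.4) UNRELEASED`, does not say how aggregate handles the enclosure and media:content URLs it now includes in the generated page. That matters because the 3.20190228 entry in the same file records that aggregate can request attacker-controlled URLs in some site configurations. Suggest adding a line stating whether the enclosure is only referenced from the page or is fetched by ikiwiki, and, if it is fetched, that it goes through the same LWPx::ParanoidAgent and http/https-only restrictions described for CVE-2019-9187. Minor style point: `(Closes: 862494)` in the 3.20170622 entry lacks the `#` used by the other Closes references, for example `(Closes: #911356)`.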