+++ /dev/null
-ikiwiki 3.20150107 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- [ [[Joey Hess|joey]] ]
-
- * Added ikiwiki-comment program.
- * Add missing build-depends on `libcgi-formbuilder-perl`, needed for
- `t/relativity.t`
- * openid: Stop suppressing the email field on the Preferences page.
- * Set Debian package maintainer to Simon McVittie as I'm retiring from
- Debian.
-
- [ [[Simon McVittie|smcv]] ]
-
- * calendar: add `calendar_autocreate` option, with which `ikiwiki --refresh`
- can mostly supersede the `ikiwiki-calendar` command.
- Thanks, Louis Paternault
- * search: add more classes as a hook for CSS. Thanks, sajolida
- * core: generate HTML5 by default, but keep avoiding new elements
- like `<section>` that require specific browser support unless `html5` is
- set to 1.
- * Tell mobile browsers to draw our pages in a device-sized viewport,
- not an 800-1000px viewport designed to emulate a desktop/laptop browser.
- * Add new `responsive_layout` option which can be set to 0 if your custom
- CSS only works in a large viewport.
- * style.css, actiontabs, blueview, goldtype, monochrome: adjust layout
- below 600px ("responsive layout") so that horizontal scrolling is not
- needed on smartphone browsers or other small viewports.
- * core: new `libdirs` option alongside `libdir`. Thanks, Louis Paternault
-
- [ [[Amitai Schlair|schmonz]] ]
-
- * core: log a debug message before waiting for the lock.
- Thanks, Mark Jason Dominus
- * build: in po/Makefile, use the same `$(MAKE)` as the rest of the build.
- Thanks, ttw
- * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
- Closes: [[!debbug 774441]]
-
- [ [[Joey Hess|joey]] ]
-
- * po: If msgmerge falls over on a problem po file, print a warning
- message, but don't let this problem crash ikiwiki entirely.
-"""]]
-[[!meta date="2015-01-07 10:24:25 +0000"]]
--- /dev/null
+News for ikiwiki 3.20160506:
+
+ To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
+ the `[[!img]]` directive is now restricted to these common web formats by
+ default:
+ * JPEG (`.jpg`, `.jpeg`)
+ * PNG (`.png`)
+ * GIF (`.gif`)
+ * SVG (`.svg`)
+ (In particular, by default resizing PDF files is no longer allowed.)
+ Additionally, resized SVG files are displayed in the browser as SVG
+ instead of being converted to PNG.
+ If all users who can attach images are fully trusted, this restriction
+ can be removed with the new img\_allowed\_formats setup option.
+ See [[ikiwiki/directive/img]] for more details.
+
+ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ [[Simon McVittie|smcv]] ]
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (OVE-20160505-0012)
+ * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
+ - img: force common Web formats to be interpreted according to extension,
+ so that "allowed\_attachments: '*.jpg'" does what one might expect
+ - img: restrict to JPEG, PNG and GIF images by default, again mitigating
+ CVE-2016-3714 and similar vulnerabilities
+ - img: check that the magic number matches what we would expect from
+ the extension before giving common formats to ImageMagick
+ * d/control: use https for Homepage
+ * d/control: add Vcs-Browser
+ * [ [[Joey Hess|joey]] ]
+ * img: Add back support for SVG images, bypassing ImageMagick and
+ simply passing the SVG through to the browser, which is supported by all
+ commonly used browsers these days.
+ SVG scaling by img directives has subtly changed; where before
+ size=wxh would preserve aspect ratio, this cannot be done when passing
+ them through and so specifying both a width and height can change
+ the SVG's aspect ratio.
+ * loginselector: When only openid and emailauth are enabled, but
+ passwordauth is not, avoid showing a "Other" box which opens an
+ empty form.
+ * [ [[Amitai Schlair|schmonz]] ]
+ * mdwn: Process .md like .mdwn, but disallow web creation.
+ * [ Florian Wagner ]
+ * git: Correctly handle filenames starting with a dash in add/rm/mv."""]]