TWiki Release 4.3.2 (Georgetown), 2009-09-02 
 Introduction 
TWiki-4.3.0 released on 2009-03-30 introduces security enhancements, usability enhancements, feature enhancements, and adds extensions to strengthen TWiki as an enterprise collaboration platform.
TWiki-4.3.1 released on 2009-04-29 introduces security enhancements. This release also introduces use of ISO date format by default.
TWiki-4.3.2 released on 2009-09-02 introduces security enhancements (CSRF fix). WYSIWYG editing is enhanced as well: the TinyMCEPlugin is upgraded with the latest tinyMCE JavaScript library.
It is highly recommended to upgrade to TWiki-4.3.2. Users will find this release much more stable and secure in daily use.
 Pre-installed Extensions 
TWiki-4.3.2 ships with:
 
-  Plugins: CommentPlugin, EditTablePlugin, EmptyPlugin, HeadlinesPlugin, InterwikiPlugin, PreferencesPlugin, RenderListPlugin, SlideShowPlugin, SmiliesPlugin, SpreadSheetPlugin, TablePlugin, TinyMCEPlugin, TWikiNetSkinPlugin, TwistyPlugin, WysiwygPlugin
-  Contribs: BehaviourContrib, JSCalendarContrib, MailerContrib, TipsContrib, TWikiUserMappingContrib, TwistyContrib
-  Skins: ClassicSkin, PatternSkin, TWikiNetSkin

Note: HeadlinesPlugin, TWikiNetSkin and TWikiNetSkinPlugin are new in TWiki-4.3.0.
 New Features Highlights 
 
-  Security Enhancements
-  Usability Enhancements
  -  Replace question mark links with red-links to point to non-existing topics
  -  Use ISO date format by default - added in TWiki-4.3.1
-  Enterprise Collaboration Enhancements
  -  Pre-installed HeadlinesPlugin to show headline newsfeeds in TWiki topics
  -  Pre-installed TWikiNetSkin, TWikiNetSkinPlugin for corporate look and feel
-  Search Enhancements
  -  Add footer parameter to Formatted Search
  -  Add number of topics to Formatted Search
-  Miscellaneous Feature Enhancements
  -  Control over variable expansion at topic creation time
  -  17 new TWikiDocGraphics images
  -  Include URL supports list of domains to exclude from proxy
  -  Adding Korean language
-  Plugin Enhancements
  -  SpreadSheetPlugin: 5 new functions

See the full list of bug fixes at the bottom of this topic.
 Important Changes 
 1. Added protection against CSRF (cross-site request forgery) in TWiki 4.3.2 patch release 
TWiki protects content updates with a one-time-use crypt token to guard against CSRF exploits. This means that it is no longer possible to hit the browser back button to fix a typo; you get an "invalid crypt token" error message if you try to save again. Workaround: Instead of the browser back button, hit the "Edit" button to fix a typo.
There is a balance between security and user convenience. A TWiki administrator can enable and disable the crypt-token-based CSRF protection with the {CryptToken}{Enable} configure setting. For mission-critical public TWiki sites it is recommended to enable the crypt token; for firewalled TWiki sites it is usually OK to disable it.
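The one-time-use behaviour described above, sketched as an added Python example (not TWiki's own code; the class, method and session names are hypothetical, and the `enabled` flag only models an on/off switch in the spirit of {CryptToken}{Enable}). It shows why a re-save after the browser back button is rejected while opening the edit form again succeeds.

```python
import hashlib
import hmac
import secrets


class CryptTokenStore:
    """One-time tokens bound to a session (hypothetical class, not TWiki code)."""

    def __init__(self, enabled=True):
        # 'enabled' models an on/off switch like {CryptToken}{Enable} (assumed semantics).
        self.enabled = enabled
        self._unused = {}  # session id -> digests of tokens issued but not yet spent

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, session_id):
        """Render-time: mint a token for the hidden field of an edit form."""
        token = secrets.token_urlsafe(32)
        self._unused.setdefault(session_id, set()).add(self._digest(token))
        return token

    def consume(self, session_id, token):
        """Save-time: accept a token once, then burn it."""
        if not self.enabled:
            return True  # protection off: saves are accepted without a token
        unused = self._unused.get(session_id, set())
        digest = self._digest(token or "")
        match = next((d for d in unused if hmac.compare_digest(d, digest)), None)
        if match is None:
            return False  # missing, forged, foreign-session or already-spent token
        unused.discard(match)
        return True


def replay_scenario():
    """Constructed walk-through of the save / back-button / re-edit sequence."""
    store = CryptTokenStore()
    first = store.issue("alice")   # Alice opens the edit form
    second = store.issue("alice")  # Alice presses "Edit" again: fresh token
    return {
        "save": store.consume("alice", first),
        "back_button_resave": store.consume("alice", first),
        "request_without_token": store.consume("alice", None),
        "token_from_other_session": store.consume("mallory", second),
        "edit_again_then_save": store.consume("alice", second),
        "protection_disabled": CryptTokenStore(enabled=False).consume("alice", None),
    }
```
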
 Deprecation Notices 
The %MAINWEB% and %TWIKIWEB% variables have been deprecated. For compatibility reasons they are unlikely to ever be removed completely, but you should use the %USERSWEB% and %SYSTEMWEB% variables instead.
In TWiki::Func, getOopsUrl and permissionsSet have been declared deprecated. There is no plan to remove them yet.
 TWiki-4.3.0 Minor Release - Details 
TWiki-4.3.0 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 17948 (2009-03-30)
 Highlights 
 
-  Security:
  -  Review code for robustness and security
  -  Secure configure script with taint mode turned on
-  Rendering:
  -  %TOC% does not distinguish two headlines that have the same text
  -  TablePlugin produces bad links for sorting when using "short" URLs
  -  %SCRIPTSUFFIX% is added twice in %TOC% links
  -  Incorrect Content-length breaks HTTP headers, a.o. pound fail results
  -  TablePlugin: Date sorting is broken
  -  Bullet lists in form fields are not rendered properly
  -  TWiki Forms expand variables like $nop, $quote $percnt
  -  TwistyPlugin: Twisty can't be placed in TWiki table cells
-  Users and groups:
  -  TWikiGroups shows all members twice
-  Editing:
  -  WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character
-  Miscellaneous:
  -  configure's get more extensions does not work well without LWP
  -  CommentPlugin: Lost data if it's targeted before/after a missing anchor
  -  Plugin installation fails on windows: extender.pl line 684
  -  Statistics script does not handle properly topics with special characters

 Enhancements 
| Item2927 | Topic moved message too visible |
| Item6283 | upgrade tinyMCE to latest version in TinyMCEPlugin |
| Item3647 | Usability: Control over variable expansion in topic templates |
| Item5025 | InterwikiPlugin: Allow special characters in "Page" of Site:Page |
| Item6148 | HeadlinesPlugin: Support for {PROXY}{HOST} and {PROXY}{PORT} configure settings |
| Item6176 | Search: Add footer parameter to Formatted Search |
| Item6180 | HeadlinesPlugin: Support for {PROXY}{SkipProxyForDomains} configure setting, USERAGENTNAME plugin setting |
| Item6184 | Search: Add Number of Topics to Formatted Search |
| Item6189 | Usability: Replace question mark links with red links to point to non-existing topics |
| Item6199 | Enhancement: Add TWikiNetSkin to Distribution |
| Item6200 | Enhancement: Add HeadlinesPlugin to Distribution |
| Item6222 | SpreadSheetPlugin: New functions $EMPTY(), $INSERTSTRING(), $LEFTSTRING(), $RIGHTSTRING(), $SUBSTRING() |
| Item6226 | Include: Specify a list of domains to exclude from proxy with {PROXY}{SkipProxyForDomains} setting |
| Item6227 | Documentation: 17 new TWikiDocGraphics images |
| Item6228 | Security: Option to send signed e-mail with S/MIME |
 Fixes 
| Item6253 | $WORKINGDAYS is returning invalid results |
| Item6259 | Prevent GUI-based rename of TWiki web and Main web |
| Item6267 | FORMFIELD expands $title to field name if $title exists in field value |
| Item6295 | Preferences For Raw Edit or Wysiwyg Edit |
| Item1607 | %TOC% does not distinguish two headlines that have the same text |
| Item2525 | TablePlugin produces bad links for sorting when using "short" URLs |
| Item4835 | SpreadSheetPlugin: SUBSTITUTE error when text=old and replace is empty |
| Item5176 | %SCRIPTSUFFIX% is added twice in %TOC% links |
| Item5471 | SpreadSheetPlugin: The character 0 cannot be replaced using the REPLACE-function |
| Item5910 | TablePlugin: %TOC% variable creates links with unnecessary query string |
| Item5914 | TWiki::Request::url() must support -rewrite, -absolute and -relative |
| Item5920 | TWikiGroups shows all members twice |
| Item5939 | Rogue <p /> below </html> on every topic in every web |
| Item5960 | Incorrect Content-length breaks HTTP headers, a.o. pound fail results |
| Item5961 | WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character |
| Item5991 | JSCalendarContrib: Does not work correctly in IE7 |
| Item5994 | Secure configure script with taint mode turned on |
| Item6005 | EditTablePlugin: "label"-formatted cell changed in unexpected way |
| Item6022 | %ENCODE{}% treats % as safe character |
| Item6026 | With header format empty table is initialized with one column only |
| Item6031 | TablePlugin: Date sorting is broken. |
| Item6041 | TinyMCE bug with Firefox 3 and bulleted lists |
| Item6050 | statistics script fails when cuid is not equal login name (as login name is what's in the log files...) |
| Item6054 | TwistyPlugin: No longer possible to have a twisty on one line without linebreak |
| Item6060 | configure's get more extensions does not work well without LWP |
| Item6061 | TWiki::Func::getContext documentation |
| Item6138 | Bullet lists in form fields are not rendered properly |
| Item6163 | CommentPlugin: Lost data if it's targeted before/after a missing anchor. |
| Item6167 | TWiki Forms expand variables like $nop, $quote $percnt |
| Item6170 | Plugin installation fails on windows: extender.pl line 684 |
| Item6171 | Per RFC 5321, single quote is allowed in e-mail addresses |
| Item6178 | Statistics script does not handle properly topics with special characters |
| Item6185 | Missing newline in Formatted Search if footer used |
| Item6186 | Review code for robustness and security |
| Item6208 | WebChanges does not work on Windows |
| Item6220 | TwistyPlugin: Twisty can't be placed in TWiki table cells |
| Item6223 | Users can't edit content in Main web |
 TWiki 4.3.1 Patch Release - Details 
TWiki-4.3.1 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 18054 (2009-04-29)
 Highlights 
 
-  Security:
  -  TWiki:Codev/SecurityAlert-CVE-2009-1339: A remote user may gain TWiki admin privileges with a specially crafted image tag. This cross-site request forgery vulnerability existed because TWiki allowed HTTP GET to save content.
-  Usability:
  -  Use of ISO format date promoted in this release
-  Handling URLPARAM:
  -  The handling of URLPARAM for empty or missing was corrected in this release.

 Enhancements 
| Item6239 | Fix TWIKIWEB to SYSTEMWEB, MAINWEB to USERSWEB |
| Item6254 | Feature: Use ISO Date Format by Default |
 Fixes 
| Item5453 | Value of "0" improperly handled in ENCODE variable |
| Item6232 | Use of uninitialized value $1 in concatenation (.) or string at lib/TWiki.pm |
| Item6240 | unhelpful error message when sysCommand fails |
| Item6243 | URLPARAM "empty or missing" |
| Item6251 | CSRF vulnerability CVE-2009-1339: Possible to gain TWiki admin privileges with a specially crafted image tag |
 TWiki 4.3.2 Patch Release - Details 
TWiki-4.3.2 was built from SVN http://svn.twiki.org/svn/twiki/branches/TWikiRelease04x03 revision 18148 (2009-09-02)
 Highlights 
  
 Enhancements 
| Item2927 | Topic moved message too visible |
| Item6283 | upgrade TinyMCEPlugin with latest tinyMCE WYSIWYG editor |
| Item6315 | HeadlinesPlugin: New touch parameter for HEADLINES variable |
 Fixes 
| Item6253 | SpreadSheetPlugin: $WORKINGDAYS is returning invalid results |
| Item6259 | Prevent GUI-based rename of TWiki web and Main web |
| Item6267 | FORMFIELD expands $title to field name if $title exists in field value |
| Item6295 | Preferences for raw edit or WYSIWYG edit |
| Item6296 | Crypt token based CSRF fix for TWiki |
| Item6308 | viewfile adds trailing newline to attachments |
Related Topics: TWikiHistory, TWikiInstallationGuide, TWikiUpgradeGuide