Name                           Modified    Size
Foswiki-upgrade-2.1.8.tgz.asc  2023-08-06  833 Bytes
Foswiki-upgrade-2.1.8.zip.asc  2023-08-06  833 Bytes
Foswiki-2.1.8.tgz.asc          2023-08-06  833 Bytes
Foswiki-2.1.8.zip.asc          2023-08-06  833 Bytes
Foswiki-2.1.8.md5              2023-08-06  224 Bytes
Foswiki-2.1.8.sha1             2023-08-06  256 Bytes
Foswiki-upgrade-2.1.8.tgz      2023-08-06  15.2 MB
Foswiki-upgrade-2.1.8.zip      2023-08-06  18.5 MB
Foswiki-2.1.8.tgz              2023-08-06  15.2 MB
Foswiki-2.1.8.zip              2023-08-06  18.5 MB
Foswiki-2.1.8.tar.gz           2023-08-06  22.2 MB
README.md                      2023-08-06  2.9 kB
Totals: 12 Items   89.7 MB
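The listing ships a .sha1 checksum list and a detached .asc OpenPGP signature next to each archive. The script below is an added example (it is not part of the Foswiki project or of this README) of checking a downloaded archive against both before unpacking it. It assumes the archive, the .sha1 file and the matching .asc file sit in the same directory, that gpg is installed with the Foswiki release-signing key already imported, and that EXPECTED_FPR is replaced with the fingerprint the project publishes; the value in the script is a placeholder. The .md5 file is intentionally not used, since MD5 gives no protection against a crafted collision.

```shell
#!/bin/sh
# Added example, not Foswiki project code: verify a release archive against
# the .sha1 checksum list and the detached .asc signature from the listing.

# Print the hex SHA-1 of a file, using whichever tool is available.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha1 "$1" | awk '{ print $NF }'
    fi
}

# verify_sha1 CHECKSUM_FILE ARCHIVE
# Looks up ARCHIVE's expected digest in CHECKSUM_FILE ("<hex>  <name>" lines;
# a leading '*' on the name, as sha1sum writes in binary mode, is tolerated),
# recomputes the digest and compares.
# Returns 0 on match, 1 on mismatch, 2 if the archive is not listed at all.
verify_sha1() {
    checksum_file=$1
    archive=$2
    name=$(basename "$archive")
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$checksum_file")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $checksum_file" >&2
        return 2
    fi
    actual=$(sha1_of "$archive")
    if [ "$expected" = "$actual" ]; then
        echo "sha1 OK: $name"
        return 0
    fi
    echo "sha1 MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# verify_signature ARCHIVE FINGERPRINT
# Verifies the detached signature ARCHIVE.asc and additionally requires that
# gpg reports a VALIDSIG made by FINGERPRINT (40 hex digits, no spaces), so a
# signature from some other key that happens to be in the keyring is rejected.
verify_signature() {
    archive=$1
    fpr=$2
    gpg --status-fd 1 --verify "$archive.asc" "$archive" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Placeholder: replace with the fingerprint published by the Foswiki project.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# verify_release CHECKSUM_FILE ARCHIVE
# Both checks must pass before the archive is unpacked.
verify_release() {
    checksum_file=$1
    archive=$2
    verify_sha1 "$checksum_file" "$archive" || return 1
    if ! verify_signature "$archive" "$EXPECTED_FPR"; then
        echo "signature check failed: $archive" >&2
        return 1
    fi
    echo "verified: $archive"
}

# Usage: sh verify.sh Foswiki-2.1.8.sha1 Foswiki-2.1.8.zip
[ "$#" -lt 2 ] || verify_release "$1" "$2"
```

The checksum step only proves the download was not corrupted or swapped after the checksum list was written; the signature step is what ties the archive to the project's key, which is why the script pins the fingerprint instead of accepting any key gpg happens to trust.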

Highlights of this maintenance release

This release contains 61 fixes relative to 2.1.7, including 9 critical security related fixes.

Most notable are:
- CVE-2023-33756: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server
- CVE-2023-24698: Local file inclusion vulnerability in viewfile

But also:
- directories in the working directory are created world-writable (777 permissions)
- possible XSS attack in attachment comments
- restricted allowed protocols to http and https, i.e. forbid the file protocol for local file inclusion
- prevent symlink attacks by defaulting to a secure location for temporary files
- update to jquery-ui 1.13.2
- backport a patch to earlier jQuery versions to fix a potential XSS vulnerability
- possible XSS vulnerability in the topic title field

Reverse proxying Foswiki

Foswiki can now properly be run behind a reverse proxy by reading the X-Forwarded-For HTTP header. Before this fix, running behind a proxy resulted in mixed content while rendering HTML.

Macro parser

Under certain conditions, a deep recursion can be triggered using otherwise innocent markup code.

RCS storage

While Foswiki defaults to its own plain-file storage format, there are still a lot of installs that use RCS for file versioning. Since this part of the code precedes the shift to Unicode ages ago, there was still an error in the RCS store not properly encoding topic information.

Change notifications

Changes are sent out to subscribers using the mailnotify service. This service must, however, be run as the admin user to be able to read all changes; people are still only informed about changes that they actually have view rights to. In addition, this release fixes sending out emails in the user's preferred language: there was an error reading these preferences before.

JSON-RPC API

The JSON-RPC API is one of the most important web APIs of Foswiki and has a mandatory topic parameter. This parameter, as in other service endpoints, specifies the location within the knowledge base to operate on. It thus determines the context of all other internal operations, such as the calculation of the preference stack. In previous releases the jsonrpc endpoint sometimes failed to properly set this required context.

Uploading multiple files

Foswiki now supports uploading multiple files in one request.

Session cookies

Session cookies now have a same-site policy for better security.

Internationalization

Foswiki now always creates a proper I18N service internally, even when only one language (English) is in use. This makes sure that its internal I18N API is instantiated properly for other plugins to use, such as MultiLingualPlugin.

See the full set of release notes at https://foswiki.org/System/ReleaseNotes02x01.

Full Changelog: https://github.com/foswiki/distro/compare/FoswikiRelease02x01x07...FoswikiRelease02x01x08

Source: README.md, updated 2023-08-06