Feedback!
Posted by Garvin Hicking in Development at 14:13
The last call for users in Munich didn't result in too terribly many, so we're now broadening the userbase.
Joachim Harloff is a usability expert and wants to help Serendipity in creating a better overview of plugins. To do so, he needs participants to find out what users need. And guess what: YOU are those users. :-)
So if you want to help out and give Joachim some feedback, please get in touch with him privately: harloff at softuse dot com. Just refer to this blog entry, and he'll provide you with details on how you can help.
German version (translated)
The last call for users in Munich did not bring in quite as much of a response as we had hoped. We are therefore widening it a bit so that everyone can now take part (via e-mail).
Joachim Harloff is a usability expert who has offered to optimize the plugin sorting for Serendipity. For that he needs your feedback. Please send him an e-mail at harloff at softuse dot com and refer to this blog entry; he will then send you further details on how you can help.
Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit
Posted by Garvin Hicking in Announcements, Development, Security at 13:08
Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code into the function that fetches comment information. This variable was introduced in Serendipity 1.1; all prior versions are not affected.
Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest updating your blog user account passwords.
It is a good idea to check your server's access logs and search for the 'commentMode' variable to see if malicious requests have already been issued to your blog.
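A sketch of the access-log check suggested above, as an added example that is not part of the original announcement or of Serendipity's code. It assumes Apache-style log lines, that the parameter arrives in the query string as commentMode or serendipity[commentMode], and that legitimate values are short alphanumeric keywords; the sample log lines are constructed.

```python
import re
import sys
from urllib.parse import parse_qsl

# Request line inside an Apache-style log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate mode value is a short alphanumeric keyword.
SAFE_VALUE_RE = re.compile(r'^[A-Za-z0-9_-]{0,32}$')

# Constructed sample lines (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /index.php?/archives/1-a.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2007:10:01:00 +0000] "GET /index.php?serendipity%5BcommentMode%5D=threaded HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2007:10:02:00 +0000] "GET /index.php?serendipity[commentMode]=x%27%20UNION%20SELECT%201 HTTP/1.1" 200 64',
]


def comment_mode_values(target):
    """Return every commentMode value in a request target, URL-decoded once."""
    query = target.partition("?")[2]
    return [
        value
        for key, value in parse_qsl(query, keep_blank_values=True)
        # Matches the bare name and the array form "serendipity[commentMode]".
        if key == "commentMode" or key.endswith("[commentMode]")
    ]


def scan(lines):
    """Return (line_number, decoded_value, suspicious) for each commentMode hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for value in comment_mode_values(match.group(1)):
            # Anything outside the keyword allow-list (quotes, spaces, ...) is flagged.
            findings.append((number, value, not SAFE_VALUE_RE.match(value)))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for number, value, suspicious in scan(source):
        print(f"line {number}: {'SUSPICIOUS' if suspicious else 'ok'} commentMode={value!r}")
```

Every hit is worth a look on a blog that ran an affected version; the flagged lines are the ones to review first, together with the client address and timestamp on the same log line.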
For those who do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurrence of:
$type = $serendipity['GET']['commentMode'];
with
$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);
We are very sorry for this, but happy to provide a quick fix at short notice. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.
Serendipity 1.2-beta1 released
Posted by Garvin Hicking in Announcements, Development at 16:18
After a long time of development and testing, Serendipity 1.2 is now out in its first release candidate.
There have been quite a lot of changes in the new version. Most important of them all, the authentication and session scheme has been altered to allow easier plugin interaction. Also, the backend (master template and template for the entry editor) has finally been Smartyfied so that it can be changed by template authors.
We would kindly ask all Serendipity users to test this new version to squash any possible showstoppers before the final release.
Please check especially if the login to your admin backend still works flawlessly (especially if you are using https) and if your 'Edit Entry' backend section works just like before. Please report bugs and issues on our Serendipity Forum Board.
Here's a list of other new cool enhancements since Serendipity 1.1:
- Templates for Backend (Entry Editor, Master Template) via Smarty
- New session/login system
- SQLite3, PDO::Postgresql Support
- better IPv6 support
- better HTTP headers to support Caching
- allow defining whether a parent category should show entries of child categories on the frontend, or only entries of that exact category
- Bugfix: RSS fullfeed for "let user decide" now properly works
- Bugfix: Saving/sending trackbacks and tracking exit-links works in circumstances involving cached entries
- Bugfix: Place possible dangerous user preference options to group management to prevent unwanted configuration changes
A full list of changes is contained in the docs/NEWS file inside the file archive. Many changes are small bugfixes and user interaction enhancements that all speed up your Serendipity experience.
You can download the latest version on www.s9y.org. And most of all: Have fun!
Backend Templating
Posted by Garvin Hicking in Development, Templates at 12:43
For Serendipity, only the frontend (what the visitors see) could be subject to Smarty-Templating. One reason for not utilizing these features in the backend was to maintain stability, ease of change for core developers and reduce migration woes so that the Admin Backend would always be accessible.
What we have now added to the Serendipity 1.2 snapshots (that will soon become public beta and a final release in late Summer) is functionality that allows you to template the backend layout as well as the 'New/Edit Entry' screen. Other functions like category manager, plugin manager etc. will remain hardcoded and eventually changed, because most of their look can already be controlled with CSS only.
To maintain stability and prevent migration problems where Smarty might not be initialized, Serendipity can fall back to the usual PHP-only backend. This is done using a tricky session variable scheme - when Smarty cannot be loaded, a session variable is set, and on the next page call, this variable will force the Serendipity framework to use the fallback routines. Nifty stuff. :-)
Please try out the new theming possibilities and give feedback. The default admin stylesheet can be found in the templates/default/admin/index.tpl and templates/default/admin/entries.tpl templates, and can be copied to your own theme directory as usual.
XML-RPC and PHP 5.2.2
Posted by Garvin Hicking in Development at 12:56
Due to a bug in PHP 5.2.2, the Serendipity XML-RPC plugin will no longer work, because PHP does not initialize a required variable correctly.
The bug is listed on PHP.net here and has been fixed in their CVS already. To fix the problem in Serendipity you will need to either update your PHP installation, or downgrade to the previous version.
Since this bug happens at a place where Serendipity has no possibility to interact, the bug cannot be circumvented by the XML-RPC posting plugin, and your provider definitely needs to upgrade PHP as soon as the fix is officially out.
OpenID - Testing help needed
Posted by Garvin Hicking in Development, Plugins at 11:51
rrichards from the forums published his first public OpenID plugin results. Check out this thread on the forums. If you're interested in testing the plugin or are interested in OpenID, please give it a look and report back.
Many thanks to rrichards and all volunteers!


