Serendipity 1.1.4 released, security bug in entryproperties plugin
Posted by Garvin Hicking in Announcements, Plugins, Security at 11:14
Thanks to Erich Schubert, we were made aware of a bug and security issue in the Plugin Extended properties for entries. Since this plugin is delivered with the core release, we have created a new Serendipity release for both the current stable 1.1 version tree, as well as a new 1.2 beta version.
Serendipity users who are using the mentioned plugin do not need to upgrade the full release; they can just fetch the updated version of the plugin through this direct link. Put that updated file at plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php.
The actual bug was that people were able to deliver custom entryproperties settings to the Serendipity frontend via an HTTP request, which allowed them to bypass a password protection that might be in use. Any other restriction on the viewability of entries done via category read privileges was not affected, though.
Bottom line is: If you are using password protection for entries, this security update is mandatory for you. Also if you were generally using the entryproperties plugin (which is not installed by default in Serendipity), you are urged to update your plugin. Only people not using this plugin need not care about this issue.
You can download the new full releases as always on the Serendipity download page.
Show staticpages via smarty function
Posted by Garvin Hicking in Plugins at 12:37
I upgraded the staticpage plugin in CVS to version 3.50 yesterday (which should be available via Spartacus now already).
It now supports using a custom smarty function to show static pages. This can be used in your custom template files (like the userprofile .tpls) to emit specific static pages depending on variables.
Go ahead and play with it. The API is quite basic and described in the new 'smarty.inc.php' file. It basically works like this:
{staticpage_display template="$TEMPLATE" pagevar="$PAGEVAR" id="$ID" permalink="$PERMALINK" pagetitle="$PAGETITLE" authorid="$AUTHORID" query="$QUERY"}
The API is quite fundamental right now. If you want to access more properties/parameters, please let me know, and I'll implement them. Please discuss this feature on our forums in this thread.
OpenID - Testing help needed
Posted by Garvin Hicking in Development, Plugins at 11:51
rrichards from the forums published his first public OpenID-Plugin results. Check out this thread on the forums. If you're interested in testing the plugin or are interested in OpenID, please give it a look and report about it.
Many thanks to rrichards and all volunteers!
Serendipity 1.0.4 released!
Posted by Garvin Hicking in Announcements, Development, Plugins, Security at 10:37
This new Serendipity release addresses a local file inclusion security issue discovered yesterday. It was possible to give a special parameter to a serendipity file to include a file on your own web-tree (or other files the webserver has read access to). If used on clear-text files, this could be used to disclose information like the apache logfiles on your website.
This error can only happen in a scenario with two prerequisites: Register_Globals needs to be turned on in your PHP configuration AND your webserver must ignore the default Serendipity .htaccess file. This .htaccess file usually prevents Serendipity's include files from being called directly via HTTP. Thus we feel that only a very low percentage of installations should be affected by this bug.
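The two prerequisites above map onto two independent checks. As an added example (not Serendipity's own code), here is how an include file can guard itself so that neither a direct HTTP request nor a Register_Globals-supplied variable turns it into a local file inclusion; the constant name IN_serendipity, the template list and the .htaccess rule quoted in the comment are assumptions for illustration:

```php
<?php
// Added example, not Serendipity's own code: defence-in-depth checks an
// include file can make against direct calls and register_globals.
// IN_serendipity, the template map and the .htaccess rule are assumptions.

// 1. Refuse to run unless the front controller included this file.
//    index.php defines the constant before the include. A direct request
//    to this file, i.e. one that got past a rule such as
//        <Files ~ "\.inc\.php$">
//            Deny from all
//        </Files>
//    because the webserver ignores .htaccess, finds it undefined and stops.
if (!defined('IN_serendipity') || IN_serendipity !== true) {
    header('HTTP/1.0 403 Forbidden');
    die('Direct access not allowed.');
}

// 2. Never hand a request-derived value to include(). With register_globals
//    on, any URL parameter can pre-set $template before this code runs, so
//    initialise it explicitly and only ever map it to a known file.
$template = 'default';
if (isset($_GET['template']) && is_string($_GET['template'])) {
    $template = $_GET['template'];
}
$allowedTemplates = [
    'default' => 'templates/default/entries.inc.php',
    'compact' => 'templates/compact/entries.inc.php',
];
if (!isset($allowedTemplates[$template])) {
    $template = 'default';   // unknown names fall back and are never included
}
include $allowedTemplates[$template];
```

The first check is what still protects you when the .htaccess rule is ignored, and the second is what still protects you when Register_Globals is on; the bug needs both to be missing.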
However, Serendipity 1.0.4 is a recommended upgrade for everyone taking security responsibly, like we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us.
Most of the plugins (both bundled and available via spartacus) were upgraded to also circumvent that bug, so you should upgrade all of your active plugins to the recent versions as well.
The Serendipity 1.1 release tree was also modified with a patch for this issue. It will be contained in today's snapshot and the 1.1-beta6 release file. The easy steps to perform an upgrade are documented in our FAQ on http://www.s9y.org/.
Freetag plugin: Automated keywords
Posted by Garvin Hicking in Plugins at 21:26
Thanks to Robert from the forums he convinced me to implement a feature for him. Well, actually he bribed me to do it. ;-)
Nevertheless, now that I implemented the feature, I kinda like it. The enhancement to the Freetag plugin (version 2.7, should be available via Spartacus now) allows you to enter a list of comma separated keywords for each tag you have available on your blog.
Whenever you save an article now, the plugin will analyze the content of your entry. For each keyword that you entered and that is found in the article, the corresponding tag will be automatically assigned to your entry (taking care that no duplicate tags happen).
So, if you have the Tag "PHP" you could enter keywords like "Serendipity,php,s9y,phpbb,xss,sesser". When you now create an entry where you use the keyword "Serendipity", the freetag plugin will automatically assign the tag "PHP" to this entry.
Thus, especially if you have a low count of tags, you can save a lot of time by assigning meaningful keywords to your tags. Beware that if you enter a lot of keywords for a lot of tags, this might slow down saving an entry. This happens because a list of EVERY available keyword needs to be compiled and matched against your saved article to be able to see which keywords were used.
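The matching described above, written out as an added example (not the Freetag plugin's own code): one flat keyword list is compiled from every tag, each keyword is searched for in the entry, and the owning tag is assigned once. Whole-word, case-insensitive matching and the sample tags are my assumptions, not necessarily what the plugin does.

```php
<?php
// Added example, not the Freetag plugin's code. Tag names, keyword lists and
// the sample entry are constructed; matching rules are assumptions.

/**
 * Flatten every tag's comma separated keyword list into one keyword => tag
 * map. This is the "list of EVERY available keyword" the post mentions; it
 * is rebuilt on each save, which is why many keywords slow saving down.
 * If two tags share a keyword, the later tag wins.
 */
function freetag_build_keyword_map(array $tagKeywords): array {
    $map = [];
    foreach ($tagKeywords as $tag => $csv) {
        foreach (explode(',', $csv) as $keyword) {
            $keyword = strtolower(trim($keyword));
            if ($keyword !== '') {
                $map[$keyword] = $tag;
            }
        }
    }
    return $map;
}

/**
 * Return the tags the entry should carry: the ones already set plus every
 * tag whose keyword occurs in the text, with no duplicates. Assumption:
 * case-insensitive whole-word matching, so "php" does not fire on "phpbb".
 */
function freetag_auto_tags(string $entryText, array $existingTags, array $tagKeywords): array {
    $tags = $existingTags;
    foreach (freetag_build_keyword_map($tagKeywords) as $keyword => $tag) {
        $pattern = '/\b' . preg_quote($keyword, '/') . '\b/i';
        if (preg_match($pattern, $entryText) && !in_array($tag, $tags, true)) {
            $tags[] = $tag;
        }
    }
    return $tags;
}

// Constructed sample: the keyword list from the post for the tag "PHP",
// plus a second tag to show that several tags can be assigned at once.
$tagKeywords = [
    'PHP'      => 'Serendipity,php,s9y,phpbb,xss,sesser',
    'Blogging' => 'blog,trackback',
];
$entry = 'A new Serendipity release fixes an XSS bug; read the blog.';
print_r(freetag_auto_tags($entry, ['News'], $tagKeywords));
```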
Have fun!
Updated Google Sitemap plugin
Posted by Garvin Hicking in Plugins at 19:16
Google seems to have changed their URLs where pings to the sitemap webmaster helper tool are sent to.
Thus, the Serendipity Google Sitemap plugin requires you to manually update to the right URL. The updated plugin in Spartacus has been committed today and should be available tomorrow.
The new URL to use is: http://www.google.com/webmasters/tools/ping?sitemap=%s (see this thread)