Serendipity - Announcements

Spartacus infrastructure change, Developers please read

mail@garv.in (Garvin Hicking) — Tue, 13 Dec 2011 14:06:21 +0100

Since the core Serendipity project is now maintained on github.com and every developer is quite happy about that, we decided to go the jquery-plugins route and delete all Serendipity plugins.

No, just kidding. We actually imported all data from the SourceForge.net CVS servers into the github infrastructure. The short version for normal end-users: Nothing should change for you!

https://github.com/s9y/additional_plugins

https://github.com/s9y/additional_themes

All current Serendipity developers also have access to those repositories to contribute code. Developers now no longer should commit code to CVS (actually, they can't, because I took all their committing karma *eg*).

The harder task for the Spartacus infrastructure service is the actual publishing of data. The Spartacus plugin operates on a PEAR-like XML format for each plugin, which luckily is automatically generated by a small shellscript which runs once daily on one of our webservers (emerge.sh). That script iterates on a checkout of all plugins and templates, creates the XML and uploads it to all mirror servers (currently netmirror.org, s9y.org and now also github.com).

Downloading the files also either works via the files that are uploaded daily to netmirror.org and s9y.org, or you always could use the SourceForge.net server, that published the file via a nasty ViewVC oddity. The spartacus plugin of the current github core code (version 2.25) now can also retrieve those files from the Github.com servers.

For all users that currently use the Spartacus plugin with the SourceForge.Net mirror, our daily script now pushes all changes in the GitHub tree also to CVS, so that both repositories *should* be kept in sync. This is done via the gitclone.sh and gitclone.php scripts in the additional_plugins repository, for anyone that's interested.

Most likely, something in this script won't work properly, so in the next days it might be that some glitches in the matrix can occur. In that case, please report issues and remain seated. Or buy christmas presents for your beloved. Or your beloved developers.

Serendipity 1.6 released

mail@garv.in (Garvin Hicking) — Thu, 27 Oct 2011 13:21:00 +0200

The Serendipity Team is proud to present the final release of Serendipity 1.6. We are steadily walking towards a Serendipity 2.0 release and would be happy about any developer who may want to join our cause. The list of things is available on http://www.s9y.org/238.html and open for discussion on the Serendipity Forums.

This new version mainly covers:

Bundle jQuery by default to enable plugin and template authors to easier provide extended functionality to the frontend
Support for templates, so that they can also use config-groups like plugins already have (added to bulletproof template)
Templates can now enable core-provided options like a global navigation setup
Fixed a bug in the automatic media database synchronization that did not properly add new files with the same basename but different file extensions
Added a .htaccess parameter to prevent IE9 CSS-trouble
API changes: Added "shortcuts" to commonly used constructs (language loading, hack protection)
Several minor feature additions in plugins (Karma, Akismet, Mailer) and the core (comment subscriptions, multiple comment moderation)
Fulltextsearch improvements with "*" expansion
Added a "hidden" option for specific author groups, so that their members are not revealed on usual author listings by plugins etc.
Fixes a backend XSS issue in the karma plugin and media database filtering, thanks to Stefan Schurtz!

The current release can be easily installed on any previous Serendipity installation. Just unpack, upload and visit your admin panel to perform possible database upgrades. Upon first login with an old password, Serendipity will store your old password in the new format - please be sure to make a backup of your Database prior to upgrading, and read the upgrade pointers on Upgrading Serendipity.

Also, this release marks our move from the closing BerliOS service (thanks for the great service during those years) on to our new GitHub repository. Contributions are welcome of course!

Have fun using Serendipity, and let us know on the Forums if you have any issues!

BerliOS closing down, Serendipity moving

mail@garv.in (Garvin Hicking) — Sun, 02 Oct 2011 22:22:21 +0200

Serendipity's code repository is being hosted on BerliOS for several years. Their free service is now closing down, which means that Serendipity will move its versioning control to a new provider.

The current idea is to migrate SVN over to GitHub.com. This might even motivate some new contributors to get accustomed with the Serendipity core code and make contributing patches easier.

We are planning to move the code repository at the end of October and will keep you posted here. If there are people reading this who are well familiar with Git and especially SVN migration, please step up here or in the forums to help us in the process.

Asides from the SVN service, Serendipity is currently using this infrastructure:

A self-hosted webserver providing a phpBB board on http://board.s9y.org. This is quite active and will stay in the future.
A self-hosted wiki software on http://www.s9y.org/ that allows for a custom navigation and wiki documentation by users. We might switch this to another software, but are not happy with the way MediaWiki handles navigation. We'll see if GitHub is an option to power this.
A self-hosted Serendipity installation on http://blog.s9y.org/
The http://spartacus.s9y.org/ plugin and theme repository, hosted on SourceForge.Net
The code repository for plugins and themes, also hosted on SourceForge.Net and maintained through CVS. Depending on the usage license of GitHub, we are looking into if we can merge plugins/templates and the Core code on GitHub.
A issue tracker, hosted on SourceForge.net. We might utilize the GitHub-Tracker for this in the future.
A mailinglist, that is not very active anymore, also hosted on SourceForge.Net. Since we favor the s9y forums, we might not further spend time on changing this mailinglist.

Details about the GitHub migration process, developers please read!

mail@garv.in (Garvin Hicking) — Wed, 05 Oct 2011 17:28:51 +0200

This is just a reference posting to indicate something important going on. Please read here on the process of the Serendipity source code repository being about to move to GitHub

Read the posting on the s9y forums

Spartacus plugin: Change in download Mirrors

mail@garv.in (Garvin Hicking) — Mon, 27 Jun 2011 11:42:14 +0200

Christian Boltz notified us and provided a patch to fix the spartacus plugin properly being able to retrieve remote files. This became necessary when SourceForge.net changed their underlying structure.

If you are using Spartacus, you have several possibilities to fix this issue for you:

1: Manually download the updated plugin file plugins/ serendipity_event_spartacus/ serendipity_event_spartacus.php from here: serendipity_event_spartacus.php for Serendipity 1.6 / Development, serendipity_event_spartacus.php for Serendipity 1.5.

2: You can also simply configure your spartacus plugin and enable the use of Netmirror.org, or you can enter a custom mirror: http://php-blog.cvs.sourceforge.net/viewvc/php-blog/|http://netmirror.org/mirror/serendipity/

3: You can also simply edit your serendipity_event_spartacus.php file and replace all 2 occurences of the string *checkout* with viewvc.

Thanks to Christian for notifying us!

serendipity_event_freetag: Plugin update, XSS bug

mail@garv.in (Garvin Hicking) — Tue, 31 May 2011 12:00:00 +0200

Thanks to Stefan Schurtz, who reported a XSS issue in the serendipity_event_freetag plugin (SSCHADV2011-004). The issue was fixed in version 3.22 of the plugin, you can fetch the update through Spartacus or download via Spartacus.s9y.org.

The bug was introduced in version 3.20 of the plugin. Users of the plugin should upgrade, as it allows malicious users to trick people into visiting a specially crafted link on your blog to steal cookie login information for example, if you click on such a link.

IE9 has trouble with CSS Content-Types

mail@garv.in (Garvin Hicking) — Thu, 17 Mar 2011 14:19:48 +0100

The Internet Explorer 9 has been released a few days ago. It's a great improvement over old versions, despite of one mayor breakage.

Usually, a web-browser requests a CSS URL with a variety of HTTP-headers. The "Accept" HTTP-Header instructs the remote server, which valid content-types it can handle. In the past, most web-browsers sent a "Accept: text/css; */*" header, which means they prefer "text/css", but would also interpret any other file types as CSS.

Now, the IE9 does no longer send */* as an accepted content-Type, thus it will now ONLY render stylesheets if they have the Content-Type "text/css". If that does not happen, IE9 complains with a "HTTP 406" error and refuses to parse/render the stylesheet.

That does not sound so bad yet, but many web-applications (including Serendipity) provide dynamic CSS stylesheets that hide behind a PHP file. Serendipity compiles this PHP through a file called "serendipity.css.php". If URL rewriting is enabled, to mask that PHP file, a RewriteRule is added that will accept "serendipity.css" and send it to the main serendipity index.php file, which in turn will include serendipity.css.php and deliver the appropriate output.

Now certain Apache setups use a module mod_negotiation that will detect "Hey- there's a file serendipity.css.php, but the browser requested serendipity.css. He surely must be mistaken, I better serve up this serendipity.css.php file instead". Sadly, it does so, BEFORE executung mod_rewrite that would "fix" this behaviour.

Finally - mod_negotiate would basically properly execute the PHP file and return valid CSS. But it does that by returning a Content-Type that matches the original negotiated request, which is "application/x-httpd-php". IE9 will receive this, and refuse to render the proper CSS, because it does not accept */*.

IMHO this is a very bad mixture of several components acting weird altogether. But the easiest place to fix this is inside IE9, to restore the "Accept" behaviour of all other major browsers, so that mod_negotiated sites will not break.

I have posted on a IE9 Team blog since it seems, Microsoft does not accept bug reports anywhere. If anybody knows of a proper place to get a hold of their team, please let us know.

FINALLY - WHAT YOU CAN DO IF THIS AFFECTS YOUR SERENDIPITY BLOG:

Edit your .htaccess file, and add the directive Options -Multiviews at the top of the file. As long as your server has the AllowOveride ability enabled for you (that's mostly the case, as soon as you are allowed to use mod_rewrite) you can remove the negotiation feature of Apache.

This change in the default .htaccess will also be part of upcoming Serendipity versions.

Clarification: This is not only IE9's fault, but rather a bad combination of multiple factors: One being that s9y has a .php file called the same way like a rewritten URL. One being that mod_negotiate does not pass a request through to mod_rewrite and fatally catches it before other means are not used up. And the last being that IE9 does not accept a fallback contenttype for CSS.

The reason why I think this should be considered a IE9 bug, is because the restrictive parsing stats against current plans to make the web as accessible as possible. XHTML actually failed in its restrictive, XML-based parsing (google mime-type application/x-html+xml) was stomped down in favor of a lax HTML5 parsing. Users should never be locked out of content, and that's why I think a fallback */* should not hurt. This allows for applications to overcome mod_negotiate and allows the browser to evaluate the final Content-Type, and not an intermediate negotiated one.

SourceForge Attack; Spartacus affected

mail@garv.in (Garvin Hicking) — Sun, 30 Jan 2011 12:26:58 +0100

This week, the SourceForge.Net servers have been attacked. Since the Serendipity project hosts files and our plugin's CVS on SourceForge's provided servers, this also affects our maintaineance and distribution of plugins through Spartacus.

For people having problems, you can manually download plugins through spartacus.s9y.org. You should be able to choose netmirror.org as the spartacus mirror as well.

Normal services should be restored in a few days. For the longer run, our team might move plugin repositories from CVS to SVN or even Git, but changing this will take some time (and discussion).

Important Security Update: Serendipity 1.5.5 released

mail@garv.in (Garvin Hicking) — Tue, 21 Dec 2010 21:12:36 +0100

Serendipity bundles the powerful Xinha WYSIWYG editor to provide its functionality to our users.

Xinha ships with several plugins that utilize PHP scripting for special usage, like the ImageManager or ExtendedFileManager. A 0-day security exploit has been reported available as of today that exploits the functionality of these plugins to upload malicious files to your webspace, to execute foreign code.

Since no official patch has been made on the Xinha side, the Serendipity Team has released an updated version where those active Xinha-Plugins are no longer executable.

If you do not wish to apply the patch to the most recent Serendipity version 1.5.5 you can remove those files:

htmlarea/contrib/php-xinha.php
htmlarea/plugins/ExtendedFileManager/config.inc.php
htmlarea/plugins/FormOperations/formmail.php
htmlarea/plugins/HtmlTidy/html-tidy-logic.php
htmlarea/plugins/ImageManager/config.inc.php
htmlarea/plugins/InsertPicture/InsertPicture.php
htmlarea/plugins/InsertSnippet/snippets.php
htmlarea/plugins/SpellChecker/aspell_setup.php
htmlarea/plugins/SpellChecker/spell-check-logic.php
htmlarea/plugins/SuperClean/tidy.php

The provided functionality is usually not enabled by default, since Serendipity provides its own media file manager.

Future serendipity releases might re-enable these features, once they are safely patched.

To see if you are infected, please check the directories htmlarea/plugins/ImageManager/demo_images and htmlarea/plugins/ExtendedFileManager/demo_images to see if files have been uploaded there. If so, delete the files and check your webspace for other modified files, as well as change your passwords for FTP and SQL access. Please upgrade as soon as possible.

The release can be found on the Serendipity Download page. All serendipity versions from 1.4 to 1.6 (alpha) are affected. 1.6 alpha users should migrate to a recent SVN head checkout or tomorrow's snapshot.

Thanks a lot to Hauser & Wenz for reporting the issue. Serendipity fully acknowledges responsible full disclosure, non-reported 0-day exploits are helping nobody of true OpenSource spirit.

Serendipity 1.5.4 released

mail@garv.in (Garvin Hicking) — Fri, 27 Aug 2010 12:28:28 +0200

Serendipity 1.5.4 has been released and addresses some minor bugfixes as well as a XSS security issue discovered and reported by High-Tech Bridge. The XSS is only exploitable though, if you are using the "Remember me" feature in the Serendipity backend to login. Thanks to the quick notification by the team we were able to fix the issue within 24 hours, as with all past security issues.

The XSS-issue can easily be patched by only replace the file include/functions_config.inc.php with the new file (link), or by applying this patch.

Other bugfixes that come with the new Serendipity 1.5.4 release are:

Fix PHP 5.3.2 parse error in a file, thanks to fyremoon
Fix SQL query statement for deleting a category, which on some DB types (SQlite) might not return "true" and thus not really delete the category.
Include license output in plugin listing
Fix escaping when using ImageMagick to create PDF-thumbnail images
Add new template variable to feed*.tpl files to support new plugins like pubsubhubbub, so that plugins can embed data to the main XML element

The latest release can be found on our SourceForge repository and on the usual place on . To upgrade from any previous Serendipity version, simply extract and upload the new files to your server.

Server hardware replaced

jannis@gmail.com (Jannis) — Wed, 18 Aug 2010 17:16:23 +0200

Hey there, we got some of the server hardware for s9y.org and board.s9y.org replaced, so let's hope everything goes a little more smoothly from here on... Cheers!

PHP Parse Error on new PHP 5.3.2

mail@garv.in (Garvin Hicking) — Sun, 25 Jul 2010 00:34:53 +0200

As we were notified on our forums, the updated PHP 5.3.2 version seems to have changed a behaviour of quoting array variables within strings, which produces a PHP parse error on a serendipity file include/functions_entries.inc.php at line 1433 (in Serendipity 1.5.3).

The fix is actually quite easy, if you replace the code found at line 1433 from this:

serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entries WHERE id=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entrycat WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entryproperties WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix2]}comments WHERE entry_id=$id");

to this:

serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entries WHERE id=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entrycat WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entryproperties WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}comments WHERE entry_id=$id");

If you can't easily spot the difference: It's changing ["dbprefix"] with double quotes to ['dbprefix'] with single quotes. We're sorry for this inconvenience, which is already fixed in our SVN branches and will be part of the next release.

Thanks a lot to fyremoon from the forums, this thread.

Server Maintenance

mail@garv.in (Garvin Hicking) — Tue, 29 Jun 2010 11:19:13 +0200

The s9y.org server currently is experiencing some issues. Jannis, our master-bithorder is investigating the issue and we hope it will be resolved shortly. The s9y.org server powers the main wiki as well as the forums; this blog here is hosted on a different machine.

Meanwhile: Summer.

Update 2010-07-05: The server was up and running during parts of the weekend, but it seems the situation was not resolved completely. The server is now once again up and running, but the bootup-process seems to be blocking due to some MySQL issue. The hardware does not report any specific failure, so we're a bit clueless as to what is happening, but we currently do not have the time to completely setup a new server. We'll further investigate the issue, and hope that this outage won't repeat itself too soon.

If something fails, the SourceForge.net support options on SourceForge.net/Projecs/php-blog will be there. We'll also try to work out a possibility for a secondary forum installation that people have offered, and see if we can setup a dump of s9y.org on a static install.

Update 2010-07-06: And the server went down again. We cannot seem to find the reason why it hangs. We might need to completely reinstall the machine. We try to make it happen as soon as possible and post updates here.

Update 2010-07-06, #2: Until being able to reinstall the machine, we try to fix the situation by manually booting the machine's services - currently it seems as if the machine "lives" for about 24-30 hours after each reboot.

Update 2010-07-06, #3: I created a temporary support forum on SourceForge: SourceForge Forum for Serendipity.

Serendipity 1.5.3 released, Security Issue with Xinha

mail@garv.in (Garvin Hicking) — Mon, 10 May 2010 13:37:00 +0200

Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.

Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.