Serendipity - Development

Netmirror.org Outage, Spartacus affected.

mail@garv.in (Garvin) — Fri, 16 May 2008 16:33:42 +0200

As of today, the netmirror.org server seems to be having a hiccup. The serendipity Plugin Spartacus by default requires this server to provide automatic plugin and theme updates and downloads. The inavailibility of this server can lead to timeouts and not being able to install new plugins.

The issue should resolve itself once netmirror.org is up again. Temporarily you can either reconfigure your Spartacus-plugin to use the SourceForge-Mirrors, or completely disable the Spartacus plugin. Using the s9y.org mirror will not help you, as this server is currently not hosting any files.

I will post an update once the server is up again. Sorry for the inconvenience.

Serendipity 1.3 released (addresses security)

mail@garv.in (Garvin) — Tue, 18 Mar 2008 10:11:50 +0100

Serendipity 1.3 has finally been released. The new release is mainly a feature consolidation release, but also contains XSS security fixes:

The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post) and an overall rehaul on the its coding.
Make the Spartacus plugin be able to use FTP upload, a workaround for SafeMode PHP restrictions. Also add a remote backend for plugin update checks.
An importer for phpNuke and lifetype has been added.
Support for pingbacks has been improved a lot. Trackbacks can now be blocked based on Sender IP checks.
Add better CSS styling for some internal plugins and the embedding of images. Also made the Remote-RSS plugin to be capable of Smarty-Templating.
Increased Smarty templating features for the {serendipity_fetchPrintEntries} function, to be able to check for entry properties.
Add support for SQRelay.
Minor CSS and graphic updates to the Bulletproof template.

The full list of 41 changes to this release are documented within the NEWS file.

Regarding Security, the bundled Smarty library has been updated to version 2.6.19 and adresses an issue in environments where the PHP security mode is required. Also, the new Serendipity release contains tighter backend XSS checks so that environments with untrusted authors can be more secure - many thanks to Hanno Böck for addressing this. Most importantly, an issue with XSS attacks within received trackbacks has been discovered by Peter Hüwe and was fixed.

The update is easy as usual, and recommended for Serendipity users - especially if you do not regularly moderate or check your incoming trackbacks.

Upgrade pointers can be found in the FAQ and is as easy as just to upload the new files.

Have fun!

Serendipity 1.3-beta1 released

mail@garv.in (Garvin) — Mon, 25 Feb 2008 11:53:00 +0100

Serendipity 1.3-beta1 has been released. This beta is considered a release candidate before the final 1.3 release, which is scheduled to be released at the end of this month.

The new release is mainly a feature consolidation release:

The karma rating plugin has been upgraded to support nice, CSS-based rating graphics and an overall rehaul on the its coding.
Make the Spartacus plugin be able to use FTP upload, a workaround for SafeMode PHP restrictions. Also add a remote backend for plugin update checks.
An importer for phpNuke and lifetype has been added.
Support for pingbacks has been improved a lot. Trackbacks can now be blocked based on Sender IP checks.
Add better CSS styling for some internal plugins and the embedding of images. Also made the Remote-RSS plugin to be capable of Smarty-Templating.
Increased Smarty templating features for the {serendipity_fetchPrintEntries} function, to be able to check for entry properties.
Add support for SQRelay.

The full list of 35 changes to this release are documented within the NEWS file.

Please test this release and give us feedback here or on the forums so that we can further improve this upcoming version. The files are available on the s9y.org Downloads page. Upgrade pointers can be found in the FAQ and is as easy as just to upload the new files.

Spamblock and blogg.de blacklist

mail@garv.in (Garvin) — Sat, 08 Dec 2007 10:16:00 +0100

The Serendipity Anti-Spam plugin allows to utilize the blogg.de IP blacklist service to block spam. Their service seems to have ceased existence, or at least is rejecting connections. This can lead to comments to your serendipity blog to be rejected. You can easily disable the blogg.de blacklist service in your Anti-Spam plugin configuration.

Note that this option is by default disabled in Serendipity since blogg.de announced that they are no longer actively maintaining the blacklist. A well fit alternative to this service is the Akismet API, which the spamblock plugin also supports.

PHP Magazine Article (German)

mail@garv.in (Garvin) — Fri, 28 Sep 2007 12:25:14 +0200

Some while ago, I announced an article about Serendipity in the German PHP Magazine (read here). This article was now made available as a PDF by the publisher, so you can feel free to download and read it:

PHP Magazin Mai 2007: "Blogging mit Biss" von Garvin Hicking (German/Deutsch)

Have fun reading!

Your help in sorting serendipity plugins

mail@garv.in (Garvin) — Thu, 16 Aug 2007 10:20:05 +0200

Like announced earlier on the serendipity blog, fellow usability expert Joachim Harloff is currently trying to improve the listing of Serendipity Plugins so that they are more accessible to users.

He needs your help to fulfill them. Initially he planned to personally meet with serendipity users, but this proved more complex than initially hoped. Thus he has created a smaller, text-based version of it.

You can download the file at http://www.softuse.com/serendipity_sorting.zip. It contains detailed instructions. You can also feel free to personally contact Joachim about any questions you have.

Joachim estimates this questionnaire to take you about 1,5 hours of your time. You could greatly help to improve the serendipity usability, so please participate! Joachim wants to evaluate your responses starting on September the 8th.

Feedback!

mail@garv.in (Garvin) — Thu, 12 Jul 2007 14:13:48 +0200

The last call for users in munich didn't result in too terribly many, so we're now broadening the userbase.

Joachim Harloff ist a usability expert and wants to help Serendipity in creating a better overview of plugins. To do so, he needs participants to find out what users needs. And guess what: YOU are those users. :-)

So if you want to help out and give Joachim some feedback, please get in touch with him privately: harloff at softuse dot com. Just refer to this blog entry, and he'll provide you with details on how you can help.

German

Der letzte Aufruf nach Münchner Usern ist nicht ganz so ausführlich ausgefallen, wie wir uns das erhofft hätten. Daher weiten wir das ganze etwas aus, damit sich nun jeder (via E-Mail) beteiligen kann.

Joachim Harloff ist ein Usability-Experte, der angeboten hat, die Pluginsortierung für Serendipity zu optimieren. Dafür benötigt er euer Feedback. Bitte schreibt ihm eine Mail an harloff at softuse dot com und bezieht euch auf diesen Blog-Eintrag, er wird euch dann weitere Details zukommen lassen, wie ihr helfen könnt.

Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit

mail@garv.in (Garvin) — Sun, 17 Jun 2007 13:08:33 +0200

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest to update your blog user account passwords.

It is a good idea to check your server's Access-Logs and search for the 'commentMode' variable to see, if malicious request have been issued to your blog already.

For those people that do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurence of:

$type = $serendipity['GET']['commentMode'];

$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);

We are very sorry for this, but happy to provide a quick fix in short time. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.

Serendipity 1.2-beta1 released

mail@garv.in (Garvin) — Tue, 05 Jun 2007 16:18:49 +0200

After a long time of development and testing, Serendipity 1.2 is now out in its first release candidate.

There have been quite a lot of changes to the new version. Most important of them all, the authentication and session scheme has been altered to allow easier plugin interaction. Also the backend (master template and template for the entry editor) has finally ben Smartyfied so that they can be changed by template authors.

We would kindly ask all Serendipity users to test this new version to squash any possible showstoppers before the final release.

Please check especially if the login to your admin backend still works flawlessly (especially if you are using https) and if your 'Edit Entry' backend section works just like before. Please report bugs and issues on our Serendipity Forum Board.

Here's a list of other new cool enhancements since Serendipity 1.1:

Templates for Backend (Entry Editor, Master Template) via Smarty
New session/login system
SQLite3, PDO::Postgresql Support
better IPv6 support
better HTTP headers to support Caching
allow to define if a parent category should show entries of child categories on the frontend, or only entries of that exact category
Bugfix: RSS fullfeed for "let user decide" now properly works
Bugfix: Saving/sending trackbacks and tracking exit-links works in circumstances involving cached entries
Bugfix: Place possible dangerous user preference options to group management to prevent unwanted configuration changes

A full list of changes is contained in the docs/NEWS file inside the file archive. Many changes are small bugfixes and user interaction enhancements that all speed up your Serendipity experience.

You can download the latest version on www.s9y.org. And most of all: Have fun!

Backend Templating

mail@garv.in (Garvin) — Thu, 31 May 2007 12:43:00 +0200

For Serendipity, only the frontend (what the visitors see) could be subject to Smarty-Templating. One reason for not utilizing these features in the backend was to maintain stability, ease of change for core developers and reduce migration woes so that the Admin Backend would always be accessible.

What we have now added to the Serendipity 1.2 snapshots (that will soon become public beta and a final release in late Summer) is functionality that allows you to template the backend layout as well as the 'New/Edit Entry' screen. Other functions like category manager, plugin manager etc. will remain hardcoded and eventually changed, because most of their look can already be controlled with CSS only.

To maintain stability and prevent migration problems where Smarty might not be initialized, Serendipity can fall back to the usual PHP-only backend. This is done using a tricky session variable scheme - when Smarty cannot be loaded, a session variable is set, and on the next page call, this variable will force the Serendipity framework to use the fallback routines. Nifty stuff. :-)

Please try out the new theming possibilites and give feedback. The default admin stylesheet can be found in the templates/default/admin/index.tpl and templates/default/admin/entries.tpl templates, and can be copied to your own theme directory as usual.

XML-RPC and PHP 5.2.2

mail@garv.in (Garvin) — Wed, 23 May 2007 12:56:47 +0200

Due to a bug in PHP 5.2.2, the Serendipity XML-RPC plugin will no longer work, because PHP does not initialize a required variable correctly.

The bug is listed on PHP.net here and has been fixed in their CVS already. To fix the problem in Serendipity you will need to either update your PHP installation, or downgrade to the previous version.

Since this bug happens at a place where Serendipity has no possibility to interact, the bug cannot be circumvented by the XML-RPC posting plugin, and your provider definitely needs to upgrade PHP as soon as it will be out officially.

OpenID - Testing help needed

mail@garv.in (Garvin) — Wed, 09 May 2007 11:51:03 +0200

rrichards from the forums published his first public OpenID-Plugin results. Check out this thread on the forums. If you're interested in testing the plugin or are interested in OpenID, please give it a look and report about it.

Many thanks to rrichards and all volunteers!

Beta-test Serendipity 1.2

mail@garv.in (Garvin) — Mon, 26 Feb 2007 15:50:48 +0100

As you might have read in the Serendipity 1.1.1 release announcement, we have a fundamental code change in Serendipity 1.2 concerning the authentication theme.

Those changes were discussed in this forum thread

It basically evolves around those things:

Introduce a new, first event hook that can be fired to authenticate external users.
This new event hook requires to execute a plugin before the whole language system is initialized, and thus language preferences have been fetched. To accomodate this, a new cookie has been introduced that defines the language your used has chosen.
A new HTTP / HTTPS session sharing system is now in effect, which allows you to login via HTTPS and be able to work using the HTTP connection and be recognized as logged-in.

Those changes might introduce new glitches, especially in environments where HTTPS is used, and/or the multilingual plugin features.

Everyone using such an environment, please download a recent Serendipity 1.2 snapshot and try it out on a test-system. You can easily clone an existing installation of yours by copying all files to a second directory, copying the database tables to a different table (or with a different table prefix) and then uploading the Serendpity 1.2 Snapshot to that dummy directory. After your login to that new installation, change the path locations in your Serendipity Configuration and you can test the new install with the data of your production blog.

Your help is much required to ensure the stability of Serendipity. Any problems you face that did not previously show up in older Serendipity versions should please be reported on our forums!

Many thanks go to rrichards_ from the original thread, who implemented the new functionality that will hopefully ultimately lead to OpenID integration into Serendipity. :-)

Serendipity 1.1.1 released

mail@garv.in (Garvin) — Thu, 22 Feb 2007 10:50:41 +0100

After the well-received Serendipity 1.1 release, we put our ears to the community and searched for any bugs left. Luckily, those were very few (like the IIS server cookie bug) - we didn't at first believe it, so we let some time go by to be absolutely sure there were no other things to fix before issuing a maintenance release.

And here it is now: Serendipity 1.1.1 is a bugfix-only release to fix these reported issues:

Windows IIS server cookie/session authentication problem when not running via HTTPS
Change execution order of trackbacks to properly send them when a failure occurs
Display proper plugin permissionship restrictions when the admin user is not part of the group that is restricted
Fixed a bug that some plugins were not able to properly execute in the entry detail view

This is not a security-related upgrade. You only need to apply it if you think you are affected by any of the bugs listed.

Meanwhile, we continue to work on Serendipity 1.2 for feature improvements. Together with helpful users of the forum we are currently working on improving the authentication/plugin API sequence to better support future plugins like OpenID. Any help is appreciated, have a look at the forum thread. Also we are working on improving the Spartacus API, PDO::PostgreSQL support has been added, spamblock plugin improvements and some tweaks to the permalink system.

You can download the new version (or a recent snapshot of Serendipity 1.2) as always on our Download page. Detailed upgrade steps are explained in our FAQ, but it's as simply as: Download, extract, go to the Admin panel. :-)

Have fun!

Serendipity 1.1: Login/Session Cookie Bug in Windows IIS

mail@garv.in (Garvin) — Thu, 04 Jan 2007 22:55:52 +0100

Some users have reported on the forums that they had login problems to their Serendipity Admin suite since the upgrade to version 1.1.

Thanks to the help of Shadowin it was discovered that a problematic $_SERVER['HTTPS'] variable setting by the Windows IIS Server caused this. According to the PHP documentation, $_SERVER['HTTPS'] should only contain a non-empty value in case of enabled SSL/HTTPS connections, in which case Serendipity would issue a "secure" cookie.

To fix this odd behaviour in Serendipity 1.1 you need to open the file include/functions_config.inc.php and replace the line

$secure = !empty($_SERVER['HTTPS']) ? true : false;

with

$secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false;. Also replace this line in the file serendipity_config.inc.php:

if ($_SERVER['HTTPS'])) {
@ini_set('session.name', 'SSLSID');
@ini_set('session.cookie_secure', '1');
}

with

if (strtolower($_SERVER['HTTPS']) == 'on') {
@ini_set('session.name', 'SSLSID');
@ini_set('session.cookie_secure', '1');
}

This will use a more stricter check. For people who are afraid to edit that file, simply download this file and replace it with your current include/functions_config.inc.php file. Also please download this file and replace it with the 'serendiptiy_config.inc.php' file.

A fully patched 1.1.1 version will be made available later, when we have made sure that there are no other bugs left. So far, the 1.1 version has been received very stable by the public! Thanks for improving Serendipity through your reports and help!