Serendipity - Development

Searching for feedback of iOS developers

mail@garv.in (Garvin Hicking) — Tue, 03 Jan 2012 17:54:04 +0100

Grischa needs some help on updating the XML-RPC for more iOS clients. Here's the quote from his original posting of the s9y forum post:

At the moment I am enhancing the xml-rpc interface of Serendipity with WordPress functionality.

The idea: If Serendipity is able to emulate WordPress interfaces, we can use all the tools using it. WordPress is much more suported than S9Y as it is more known. I'm aiming on the mobile clients available for WordPress blogs in special at them moment.

The problem: The enhancements are nearly ready and successfully tested with the official WP for Android client, blogsy on iOS for iPad and MarsEdit and ecto for Mac. What is missing is the app for the iphone. The official WP for iOS client is able to register the blog and reads some categories but then it crashes without any message.

The developer team of WP for iOS was not very helpful on that but the client is available as Open Source.

As I am not able to debug iOS apps (I don't even have a Mac) I'm seeking an iOS developer being s9y fan, too, who is able to debug what goes wrong there, so I can finalize my changes on the s9y xml-rpc interface.

Thanks!

Spartacus infrastructure change, Developers please read

mail@garv.in (Garvin Hicking) — Tue, 13 Dec 2011 14:06:21 +0100

Since the core Serendipity project is now maintained on github.com and every developer is quite happy about that, we decided to go the jquery-plugins route and delete all Serendipity plugins.

No, just kidding. We actually imported all data from the SourceForge.net CVS servers into the github infrastructure. The short version for normal end-users: Nothing should change for you!

https://github.com/s9y/additional_plugins

https://github.com/s9y/additional_themes

All current Serendipity developers also have access to those repositories to contribute code. Developers now no longer should commit code to CVS (actually, they can't, because I took all their committing karma *eg*).

The harder task for the Spartacus infrastructure service is the actual publishing of data. The Spartacus plugin operates on a PEAR-like XML format for each plugin, which luckily is automatically generated by a small shellscript which runs once daily on one of our webservers (emerge.sh). That script iterates on a checkout of all plugins and templates, creates the XML and uploads it to all mirror servers (currently netmirror.org, s9y.org and now also github.com).

Downloading the files also either works via the files that are uploaded daily to netmirror.org and s9y.org, or you always could use the SourceForge.net server, that published the file via a nasty ViewVC oddity. The spartacus plugin of the current github core code (version 2.25) now can also retrieve those files from the Github.com servers.

For all users that currently use the Spartacus plugin with the SourceForge.Net mirror, our daily script now pushes all changes in the GitHub tree also to CVS, so that both repositories *should* be kept in sync. This is done via the gitclone.sh and gitclone.php scripts in the additional_plugins repository, for anyone that's interested.

Most likely, something in this script won't work properly, so in the next days it might be that some glitches in the matrix can occur. In that case, please report issues and remain seated. Or buy christmas presents for your beloved. Or your beloved developers.

Serendipity 1.6 released

mail@garv.in (Garvin Hicking) — Thu, 27 Oct 2011 13:21:00 +0200

The Serendipity Team is proud to present the final release of Serendipity 1.6. We are steadily walking towards a Serendipity 2.0 release and would be happy about any developer who may want to join our cause. The list of things is available on http://www.s9y.org/238.html and open for discussion on the Serendipity Forums.

This new version mainly covers:

Bundle jQuery by default to enable plugin and template authors to easier provide extended functionality to the frontend
Support for templates, so that they can also use config-groups like plugins already have (added to bulletproof template)
Templates can now enable core-provided options like a global navigation setup
Fixed a bug in the automatic media database synchronization that did not properly add new files with the same basename but different file extensions
Added a .htaccess parameter to prevent IE9 CSS-trouble
API changes: Added "shortcuts" to commonly used constructs (language loading, hack protection)
Several minor feature additions in plugins (Karma, Akismet, Mailer) and the core (comment subscriptions, multiple comment moderation)
Fulltextsearch improvements with "*" expansion
Added a "hidden" option for specific author groups, so that their members are not revealed on usual author listings by plugins etc.
Fixes a backend XSS issue in the karma plugin and media database filtering, thanks to Stefan Schurtz!

The current release can be easily installed on any previous Serendipity installation. Just unpack, upload and visit your admin panel to perform possible database upgrades. Upon first login with an old password, Serendipity will store your old password in the new format - please be sure to make a backup of your Database prior to upgrading, and read the upgrade pointers on Upgrading Serendipity.

Also, this release marks our move from the closing BerliOS service (thanks for the great service during those years) on to our new GitHub repository. Contributions are welcome of course!

Have fun using Serendipity, and let us know on the Forums if you have any issues!

Details about the GitHub migration process, developers please read!

mail@garv.in (Garvin Hicking) — Wed, 05 Oct 2011 17:28:51 +0200

This is just a reference posting to indicate something important going on. Please read here on the process of the Serendipity source code repository being about to move to GitHub

Read the posting on the s9y forums

Spartacus plugin: Change in download Mirrors

mail@garv.in (Garvin Hicking) — Mon, 27 Jun 2011 11:42:14 +0200

Christian Boltz notified us and provided a patch to fix the spartacus plugin properly being able to retrieve remote files. This became necessary when SourceForge.net changed their underlying structure.

If you are using Spartacus, you have several possibilities to fix this issue for you:

1: Manually download the updated plugin file plugins/ serendipity_event_spartacus/ serendipity_event_spartacus.php from here: serendipity_event_spartacus.php for Serendipity 1.6 / Development, serendipity_event_spartacus.php for Serendipity 1.5.

2: You can also simply configure your spartacus plugin and enable the use of Netmirror.org, or you can enter a custom mirror: http://php-blog.cvs.sourceforge.net/viewvc/php-blog/|http://netmirror.org/mirror/serendipity/

3: You can also simply edit your serendipity_event_spartacus.php file and replace all 2 occurences of the string *checkout* with viewvc.

Thanks to Christian for notifying us!

Bugfix for Cronjob plugin

mail@garv.in (Garvin Hicking) — Thu, 07 Apr 2011 10:07:00 +0200

It has come to our attention that the Cronjob-Plugin (serendipity_event_cronjob) has a bug that prevents it from properly detecting the next scheduled update time. This bug has been fixed in version 0.6, which should now be available through Spartacus and usual means.

If you use this plugin, this is a required update to ensure it's proper function. Thanks to Matthias2 from the forums for reporting this to us.

IE9 has trouble with CSS Content-Types

mail@garv.in (Garvin Hicking) — Thu, 17 Mar 2011 14:19:48 +0100

The Internet Explorer 9 has been released a few days ago. It's a great improvement over old versions, despite of one mayor breakage.

Usually, a web-browser requests a CSS URL with a variety of HTTP-headers. The "Accept" HTTP-Header instructs the remote server, which valid content-types it can handle. In the past, most web-browsers sent a "Accept: text/css; */*" header, which means they prefer "text/css", but would also interpret any other file types as CSS.

Now, the IE9 does no longer send */* as an accepted content-Type, thus it will now ONLY render stylesheets if they have the Content-Type "text/css". If that does not happen, IE9 complains with a "HTTP 406" error and refuses to parse/render the stylesheet.

That does not sound so bad yet, but many web-applications (including Serendipity) provide dynamic CSS stylesheets that hide behind a PHP file. Serendipity compiles this PHP through a file called "serendipity.css.php". If URL rewriting is enabled, to mask that PHP file, a RewriteRule is added that will accept "serendipity.css" and send it to the main serendipity index.php file, which in turn will include serendipity.css.php and deliver the appropriate output.

Now certain Apache setups use a module mod_negotiation that will detect "Hey- there's a file serendipity.css.php, but the browser requested serendipity.css. He surely must be mistaken, I better serve up this serendipity.css.php file instead". Sadly, it does so, BEFORE executung mod_rewrite that would "fix" this behaviour.

Finally - mod_negotiate would basically properly execute the PHP file and return valid CSS. But it does that by returning a Content-Type that matches the original negotiated request, which is "application/x-httpd-php". IE9 will receive this, and refuse to render the proper CSS, because it does not accept */*.

IMHO this is a very bad mixture of several components acting weird altogether. But the easiest place to fix this is inside IE9, to restore the "Accept" behaviour of all other major browsers, so that mod_negotiated sites will not break.

I have posted on a IE9 Team blog since it seems, Microsoft does not accept bug reports anywhere. If anybody knows of a proper place to get a hold of their team, please let us know.

FINALLY - WHAT YOU CAN DO IF THIS AFFECTS YOUR SERENDIPITY BLOG:

Edit your .htaccess file, and add the directive Options -Multiviews at the top of the file. As long as your server has the AllowOveride ability enabled for you (that's mostly the case, as soon as you are allowed to use mod_rewrite) you can remove the negotiation feature of Apache.

This change in the default .htaccess will also be part of upcoming Serendipity versions.

Clarification: This is not only IE9's fault, but rather a bad combination of multiple factors: One being that s9y has a .php file called the same way like a rewritten URL. One being that mod_negotiate does not pass a request through to mod_rewrite and fatally catches it before other means are not used up. And the last being that IE9 does not accept a fallback contenttype for CSS.

The reason why I think this should be considered a IE9 bug, is because the restrictive parsing stats against current plans to make the web as accessible as possible. XHTML actually failed in its restrictive, XML-based parsing (google mime-type application/x-html+xml) was stomped down in favor of a lax HTML5 parsing. Users should never be locked out of content, and that's why I think a fallback */* should not hurt. This allows for applications to overcome mod_negotiate and allows the browser to evaluate the final Content-Type, and not an intermediate negotiated one.

Serendipity Updater Plugin

mail@garv.in (Garvin Hicking) — Sat, 15 Jan 2011 23:51:03 +0100

Onli has contributed a new plugin to spartacus, called serendipity_event_autoupdate. It is currently very much in experimental state and is meant to aid in the process of upgrading Serendipity (which already is quite easy, but automatic might even be better, right?).

If you are interested in this feature, now is the time to help develop it! Please give Feedback to online (german) or directly on the corresponding forum thread.

Important Security Update: Serendipity 1.5.5 released

mail@garv.in (Garvin Hicking) — Tue, 21 Dec 2010 21:12:36 +0100

Serendipity bundles the powerful Xinha WYSIWYG editor to provide its functionality to our users.

Xinha ships with several plugins that utilize PHP scripting for special usage, like the ImageManager or ExtendedFileManager. A 0-day security exploit has been reported available as of today that exploits the functionality of these plugins to upload malicious files to your webspace, to execute foreign code.

Since no official patch has been made on the Xinha side, the Serendipity Team has released an updated version where those active Xinha-Plugins are no longer executable.

If you do not wish to apply the patch to the most recent Serendipity version 1.5.5 you can remove those files:

htmlarea/contrib/php-xinha.php
htmlarea/plugins/ExtendedFileManager/config.inc.php
htmlarea/plugins/FormOperations/formmail.php
htmlarea/plugins/HtmlTidy/html-tidy-logic.php
htmlarea/plugins/ImageManager/config.inc.php
htmlarea/plugins/InsertPicture/InsertPicture.php
htmlarea/plugins/InsertSnippet/snippets.php
htmlarea/plugins/SpellChecker/aspell_setup.php
htmlarea/plugins/SpellChecker/spell-check-logic.php
htmlarea/plugins/SuperClean/tidy.php

The provided functionality is usually not enabled by default, since Serendipity provides its own media file manager.

Future serendipity releases might re-enable these features, once they are safely patched.

To see if you are infected, please check the directories htmlarea/plugins/ImageManager/demo_images and htmlarea/plugins/ExtendedFileManager/demo_images to see if files have been uploaded there. If so, delete the files and check your webspace for other modified files, as well as change your passwords for FTP and SQL access. Please upgrade as soon as possible.

The release can be found on the Serendipity Download page. All serendipity versions from 1.4 to 1.6 (alpha) are affected. 1.6 alpha users should migrate to a recent SVN head checkout or tomorrow's snapshot.

Thanks a lot to Hauser & Wenz for reporting the issue. Serendipity fully acknowledges responsible full disclosure, non-reported 0-day exploits are helping nobody of true OpenSource spirit.

PHP Parse Error on new PHP 5.3.2

mail@garv.in (Garvin Hicking) — Sun, 25 Jul 2010 00:34:53 +0200

As we were notified on our forums, the updated PHP 5.3.2 version seems to have changed a behaviour of quoting array variables within strings, which produces a PHP parse error on a serendipity file include/functions_entries.inc.php at line 1433 (in Serendipity 1.5.3).

The fix is actually quite easy, if you replace the code found at line 1433 from this:

serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entries WHERE id=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entrycat WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entryproperties WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix2]}comments WHERE entry_id=$id");

to this:

serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entries WHERE id=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entrycat WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entryproperties WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}comments WHERE entry_id=$id");

If you can't easily spot the difference: It's changing ["dbprefix"] with double quotes to ['dbprefix'] with single quotes. We're sorry for this inconvenience, which is already fixed in our SVN branches and will be part of the next release.

Thanks a lot to fyremoon from the forums, this thread.