Serendipity 0.8.5 released

Thanks to Nenad Jovanovic (a pleasure to have worked with), we were notified of a serious problem with hijacking Serendipity functionality under certain circumstances when users are tricked on foreign malicious websites.

The effects of that issue resulted in the possibility that when people know the URL to your Backend, they were able to change your user password and lock you out of the system. However you were required to do two things for this to work: First you'd need to be logged in to your Serendipity backend via a session or permanent cookie, and second you would need to visit the webpage of a malicious user.

As a follow-up to this problem, it came to our attention that Serendipity (like many other web applications - watch the next releases of your favourite software in the next days) can be subject to XSRF ("Cross Site Request Forgery") attacks. All web applications that depend on session cookies and have their backend URL known to the public can be tricked into those XSRF attacks when not verifying the origin of a submitted HTML form.

Serendipity 0.8.5 addresses this problem by introducing HTML-form tokens. Only if they are set, the administrative tasks requested will be carried out - and foreign websites can not get that token under usual circumstances.

It is strongly suggested to upgrade to Serendipity 0.8.5! The development versions of 0.9 also fixed this bug, please read the separate 0.9-beta1 announcement for more information.

Updating from any Serendipity version is easy: Backup first, then extract the release files over your old installation, make sure the files .htaccess/ are writable, login to Serendipity and be guided through the automatic upgrade process.

Download the release here

Serendipity 0.9-beta1 released

The Serendipity Team is very proud to present the first beta release of Serendipity 0.9. This version has been in development for about half a year, and alpha version nightlies/snapshot have been available ever since. Thus, many people already got a hang of the large feature improvements since Serendipity 0.8.

The nightlies have been reported as quite stable, and there are no open bugs known to us - so now it's your turn to have a try!

Upgrading from any version to Serendipity 0.9 is easy and can be done as before: Just unpack the release files to your existing directory, go to your admin panel and confirm the upgrade process. Serendipity automatically upgrades your database and tells you of important changes. If you are upgrading from a version prior to Serendipity 0.8, be sure to read this upgrade pointer:

With the same method you can later upgrade to the 0.9 final release, so you won't put yourself in danger when trying out the release.

Now here's a list of major new changes since Serendipity 0.8:

  • Flexible usergroup management. Authors can now be grouped inside usergroups and can have certain privileges (edit entries, upload images, maintain plugins, ...). An author can be a member of more than one groups, inheriting all privileges of each group he is a member of. You can also now adjust read/write permissions for each category.
  • Custom Permalink support. Allows to configure the URL path structure from all important permalinks to suit your needs - you can now use /oldEntries/2005/10/28/Garvins-Birthday.html as entry permalink format or any other structure you may like.
  • UTF-8 support for all languages and bundled/additional plugins. Be sure to read for migrating an non-UTF-8 blog to UTF-8
  • Improved performance of Plugin API, introduce validation of config items within the API
  • Improved Spartacus Online Repository. Less memory usage, now also fetch templates over the web, plugin groups and better integration with the plugin backend
  • Better usability: Multiple fileupload at once, media manager remembers last used settings, when deleting entries/comments you return to the overview immediately, foundation to support other WYSIWYG editors via plugin (TinyMCE, Xinha, FCKEditor)
  • Atom 1.0 Feed support
  • Improved MoveableType import, recognizing comments and trackbacks
  • Support of MySQL boolean fulltext search
  • More smarty templating options: Added new CSS classes in the default template to support styling trackback/comment/commentform/search-results easier. Localized "Reply" string. Optimized performance of accessing constants.
  • Support frontend viewing of multiple selected categories and allowing the entryproperties plugin to hide certain entries from the frontpage.
  • Support Gregorian/Jalali calendar
  • New translations: Swedish, Hungarian, European Portuguese
  • Bugfix: Category selector will now act correctly in Konqueror and Opera
  • Bugfix: Importers can now import from tables that are not inside the same database as Serendipity

And those are only the highlights! See the docs/NEWS file in the release file for the full list of changes.

Now what are you waiting for? Download latest release!

Plugin Requests?

We have a new volunteer who likes to get his hands a bit more dirty by wading through the cool Serendipity Plugin Architecture.

Alexander already has provided us with the useful Downloadmanager-Plugin and asks on our forums if there are any open plugin requests or ideas.

So it's up to you people - tell us which plugins you still need. Serendipity already has a large repository of many useful plugins, but there might still be a need for more - right? :-)

Obsolete plugin "serendipity_event_authorpic"

The plugin serendipity_event_authorpic ("Picture of the author") has been obsoleted. Its functionality is now included in the serendipity_event_userprofiles ("User profiles") plugin.

The reason is that we are trying to not have redundant plugins in our repository that unneccessarily swamp the amount of available plugins. We are not trying to make any "Uber-Plugins" which bundle many functionalities - but in this case, both plugins handle personal user information, and it is just better suitable inside a single plugin.

Users who have that plugin currently installed do not need to do anything. The plugin just is no longer maintained. If anyone is using both plugins in conjunction, he should upgrade to the new userprofile plugin and remove the authorpic plugin then.

New plugin: HTTP Authentication

I've just added the serendipity_event_httpauth ("HTTP-Authentication") plugin to our CVS, where it will appear shortly and in Spartacus as well.

The plugin is very basic: It authenticates you via HTTP Auth instead of using a HTML form for your login. This plugin is not needed in most environments, but can provide very helpful if you don't want any visitor to see your frontpage already, and thus you can shut out any visitors without access to your installation completely.

People who know what I'm talking about might find this helpful. All others can safely ignore this new plugin ;-)

Downloadmanager plugin

For quite some time people have requested a plugin to manage (and count) file downloads. Alexander Mieland was so kind to hear those prayers and develop his downloadmanager plugin.

The plugin allows you to attach and upload several files and make them available in a nuke-like category hierarchy. Have a look at Alexanders page to see a demo.

The files have been added to CVS and the version bumped to 0.3 because of some changes to the plugin (bbcode, download counting) made after version 0.2. Have fun and thanks to Alexander!