diff --git a/README b/README
index 6a0633144b..194471e552 100644
--- a/README
+++ b/README
@@ -2,8 +2,8 @@ README
 ------
-StatusNet 0.9.7 "World Leader Pretend"
-17 March 2011
+StatusNet 0.9.9 "9-9"
+2 August 2011
 This is the README file for StatusNet, the Open Source microblogging platform. It includes installation instructions, descriptions of
@@ -96,47 +96,27 @@ for additional terms.
 New this version
 ================
-This is a security, bug and feature release since version 0.9.6 released on
-23 October 2010.
-
-For best compatibility with client software and site federation, and a
-lot of bug fixes, it is highly recommended that all public sites
-upgrade to the new version. Upgrades require new database indexes for
-best performance; see Upgrade below.
+This is a security release since version 0.9.7 released on 11 March
+2011. It fixes security bug #3260. All sites running version 0.9.7 or
+below are recommended to upgrade to 0.9.9 immediately.
 Notable changes this version:
-- GroupPrivateMessage plugin lets users send private messages
- to a group. (Similar to "private groups" on Yammer.)
-- Support for Twitter streaming API in Twitter bridge plugin
-- Support for a new Activity Streams-based API using AtomPub, allowing
- richer API data. See http://status.net/wiki/AtomPub for details.
-- Unified Facebook plugin, replacing previous Facebook application
- and Facebook Connect plugin.
-- A plugin to send out a daily summary email to network users.
-- In-line thumbnails of some attachments (video, images) and oEmbed objects.
-- Local copies of remote profiles to let moderators manage OStatus users.
-- Upgrade upstream JS, minify everything.
-- Allow pushing plugin JS, CSS, and static files to a CDN.
-- Configurable nickname rules.
-- Better support for bit.ly URL shortener.
-- InProcessCache plugin for additional caching on top of memcached.
-- Support for Activity Streams JSON feeds on many streams.
-- User-initiated backup and restore of account data in Activity Streams
- format.
-- Bookmark plugin for making del.icio.us-like social bookmarking sites,
- including del.icio.us backup file import. Supports OStatus.
-- SQLProfile plugin to tune SQL queries.
-- Better sorting on timelines to support restored or imported data.
-- Hundreds of translations from http://translatewiki.net/
-- Hundreds of performance tunings, bug fixes, and UI improvements.
-- Remove deprecated data from Activity Streams Atom output, to the
- extent possible.
-- NewMenu plugin for new layout of menu items.
-- Experimental support for moving an account from one server to
- another, using new AtomPub API.
+- Fix bug #3260, a cross-site scripting (XSS) bug that allows an
+ attacker to inject JavaScript into a page with a carefully structured URL.
+- Updated code for Google Analytics to reflect new API.
+- Various fixes for Bookmark plugin.
+- Updates to reCAPTCHA plugin based on changes to API.
+- New plugin to move the site notice to the sidebar.
+- Add rss.me to notice source list.
+- Updates to data backup/restore.
+- Correct use of "likes" in Facebook plugin.
+- Ignore failures in Twitter plugin.
-A full changelog is available at http://status.net/wiki/StatusNet_0.9.7.
+A full changelog is available at http://status.net/wiki/StatusNet_0.9.9.
+
+NOTE: The short-lived StatusNet 0.9.8 ("Letter Never Sent") did not
+adequately fix bug #3260 as originally thought; thus this new release.
 Prerequisites
 =============
@@ -246,9 +226,9 @@ especially if you've previously installed PHP/MySQL packages.
 1. Unpack the tarball you downloaded on your Web server. Usually a command like this will work:
- tar zxf statusnet-0.9.7.tar.gz
+ tar zxf statusnet-0.9.9.tar.gz
- ...which will make a statusnet-0.9.7 subdirectory in your current
+ ...which will make a statusnet-0.9.9 subdirectory in your current
 directory. (If you don't have shell access on your Web server, you may have to unpack the tarball on your local computer and FTP the files to the server.)
@@ -256,7 +236,7 @@ especially if you've previously installed PHP/MySQL packages.
 2. Move the tarball to a directory of your choosing in your Web root directory. Usually something like this will work:
- mv statusnet-0.9.7 /var/www/statusnet
+ mv statusnet-0.9.9 /var/www/statusnet
 This will make your StatusNet instance available in the statusnet path of your server, like "http://example.net/statusnet". "microblog" or
@@ -671,7 +651,7 @@ with this situation.
 If you've been using StatusNet 0.7, 0.6, 0.5 or lower, or if you've been tracking the "git" version of the software, you will probably want to upgrade and keep your existing data. There is no automated
-upgrade procedure in StatusNet 0.9.7. Try these step-by-step
+upgrade procedure in StatusNet 0.9.9. Try these step-by-step
 instructions; read to the end first before trying them. 0. Download StatusNet and set up all the prerequisites as if you were
@@ -692,7 +672,7 @@ instructions; read to the end first before trying them.
 5. Once all writing processes to your site are turned off, make a final backup of the Web directory and database. 6. Move your StatusNet directory to a backup spot, like "statusnet.bak".
-7. Unpack your StatusNet 0.9.7 tarball and move it to "statusnet" or
+7. Unpack your StatusNet 0.9.9 tarball and move it to "statusnet" or
 wherever your code used to be. 8. Copy the config.php file and the contents of the avatar/, background/, file/, and local/ subdirectories from your old directory to your new
diff --git a/lib/util.php b/lib/util.php
index ffa92fc69f..f3be1d0ddc 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -1127,8 +1127,11 @@ function common_tag_link($tag)
 function common_canonical_tag($tag)
 {
+ // only alphanum
+ $tag = preg_replace('/[^\pL\pN]/u', '', $tag);
 $tag = mb_convert_case($tag, MB_CASE_LOWER, "UTF-8");
- return str_replace(array('-', '_', '.'), '', $tag);
+ $tag = substr($tag, 0, 64);
+ return $tag;
 }
 function common_valid_profile_tag($str)
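Review bot: `$tag = substr($tag, 0, 64);` truncates by byte, but the `preg_replace` two lines above deliberately keeps every Unicode letter and digit, so a tag with multi-byte characters near the limit can be cut in the middle of a UTF-8 sequence and the canonical form then ends in an invalid byte; `$tag = mb_substr($tag, 0, 64, 'UTF-8');` truncates by character instead. With the `u` modifier, `preg_replace` returns null when `$tag` is not valid UTF-8, and that null silently becomes an empty canonical tag after `mb_convert_case`; if callers cannot cope with an empty result, test the return value explicitly rather than letting it flow through. The comment `// only alphanum` understates what the pattern keeps; `// keep only Unicode letters and digits (\pL, \pN)` describes it accurately.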
diff --git a/plugins/Meteor/MeteorPlugin.php b/plugins/Meteor/MeteorPlugin.php
index 3f963eb732..1cff453d61 100644
--- a/plugins/Meteor/MeteorPlugin.php
+++ b/plugins/Meteor/MeteorPlugin.php
@@ -103,7 +103,11 @@ class MeteorPlugin extends RealtimePlugin
 function _updateInitialize($timeline, $user_id)
 {
 $script = parent::_updateInitialize($timeline, $user_id);
- return $script." MeteorUpdater.init(\"$this->webserver\", $this->webport, \"{$timeline}\");";
+ $ours = sprintf("MeteorUpdater.init(%s, %s, %s);",
+ json_encode($this->webserver),
+ json_encode($this->webport),
+ json_encode($timeline));
+ return $script." ".$ours;
 }
 function _connect()
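Review bot: The three `json_encode` calls in `_updateInitialize` produce valid JS string literals, but `json_encode` leaves `<`, `>`, `&` and `'` unescaped by default, so if the caller writes the returned script inline into an HTML document those characters from `$timeline` reach the page raw; passing `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` as the second argument to each call closes that gap wherever the script ends up embedded. `json_encode($this->webport)` also emits a quoted JS string rather than a number if the configured port is held as a string, whereas the removed line interpolated it unquoted; if the consumer expects a number, `json_encode((int) $this->webport)` preserves the old shape. `json_encode` fails on non-UTF-8 input (the failure value depends on the PHP version), which would leave a syntactically broken `MeteorUpdater.init(...)` call, so a check before building `$ours` would make that case explicit. The method is complete within the hunk, but MeteorPlugin continues outside it.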