From d8b9ed07e61168d224ca33afc4b83f6f84681481 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Mon, 1 Aug 2011 11:14:20 -0400 Subject: [PATCH 1/6] update README --- README | 55 ++++++++++++++++--------------------------------------- 1 file changed, 16 insertions(+), 39 deletions(-) diff --git a/README b/README index 4a8aba104e..bb9f7a2ea2 100644 --- a/README +++ b/README @@ -2,8 +2,8 @@ README ------ -StatusNet 0.9.7 "World Leader Pretend" -17 March 2011 +StatusNet 0.9.8 "Letter Never Sent" +1 August 2011 This is the README file for StatusNet, the Open Source microblogging platform. It includes installation instructions, descriptions of 
@@ -96,47 +96,24 @@ for additional terms. New this version ================ -This is a security, bug and feature release since version 0.9.6 released on -23 October 2010. - -For best compatibility with client software and site federation, and a -lot of bug fixes, it is highly recommended that all public sites -upgrade to the new version. Upgrades require new database indexes for -best performance; see Upgrade below. +This is a security release since version 0.9.7 released on 11 March +2011. It fixes security bug #3260. All sites running version 0.9.7 or +below are recommended to upgrade to 0.9.8 immediately. Notable changes this version: -- GroupPrivateMessage plugin lets users send private messages - to a group. (Similar to "private groups" on Yammer.) -- Support for Twitter streaming API in Twitter bridge plugin -- Support for a new Activity Streams-based API using AtomPub, allowing - richer API data. See http://status.net/wiki/AtomPub for details. -- Unified Facebook plugin, replacing previous Facebook application - and Facebook Connect plugin. -- A plugin to send out a daily summary email to network users. -- In-line thumbnails of some attachments (video, images) and oEmbed objects. -- Local copies of remote profiles to let moderators manage OStatus users. -- Upgrade upstream JS, minify everything. -- Allow pushing plugin JS, CSS, and static files to a CDN. -- Configurable nickname rules. -- Better support for bit.ly URL shortener. -- InProcessCache plugin for additional caching on top of memcached. -- Support for Activity Streams JSON feeds on many streams. -- User-initiated backup and restore of account data in Activity Streams - format. -- Bookmark plugin for making del.icio.us-like social bookmarking sites, - including del.icio.us backup file import. Supports OStatus. -- SQLProfile plugin to tune SQL queries. -- Better sorting on timelines to support restored or imported data. 
-- Hundreds of translations from http://translatewiki.net/ -- Hundreds of performance tunings, bug fixes, and UI improvements. -- Remove deprecated data from Activity Streams Atom output, to the - extent possible. -- NewMenu plugin for new layout of menu items. -- Experimental support for moving an account from one server to - another, using new AtomPub API. +- Fix bug #3260, a cross-site scripting (XSS) bug that allows an + attacker to inject JavaScript into a page with a carefully structured URL. +- Updated code for Google Analytics to reflect new API. +- Various fixes for Bookmark plugin. +- Updates to reCAPTCHA plugin based on changes to API. +- New plugin to move the site notice to the sidebar. +- Add rss.me to notice source list. +- Updates to data backup/restore. +- Correct use of "likes" in Facebook plugin. +- Ignore failures in Twitter plugin. -A full changelog is available at http://status.net/wiki/StatusNet_0.9.7. +A full changelog is available at http://status.net/wiki/StatusNet_0.9.8. Prerequisites ============= From e0238e7c171984cbb07533085b5304bcc433633b Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Mon, 1 Aug 2011 11:15:49 -0400 Subject: [PATCH 2/6] Update version number --- lib/common.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/common.php b/lib/common.php index 17375c4b62..95192a67b1 100644 --- a/lib/common.php +++ b/lib/common.php 
@@ -22,13 +22,13 @@ if (!defined('STATUSNET') && !defined('LACONICA')) {
 exit(1);
 }
 //exit with 200 response, if this is checking fancy from the installer
 if (isset($_REQUEST['p']) && $_REQUEST['p'] == 'check-fancy') { exit; }
-define('STATUSNET_BASE_VERSION', '0.9.7');
-define('STATUSNET_LIFECYCLE', 'fix1'); // 'dev', 'alpha[0-9]+', 'beta[0-9]+', 'rc[0-9]+', '' for release
+define('STATUSNET_BASE_VERSION', '0.9.8');
+define('STATUSNET_LIFECYCLE', ''); // 'dev', 'alpha[0-9]+', 'beta[0-9]+', 'rc[0-9]+', '' for release
 define('STATUSNET_VERSION', STATUSNET_BASE_VERSION . STATUSNET_LIFECYCLE);
 define('LACONICA_VERSION', STATUSNET_VERSION); // compatibility
-define('STATUSNET_CODENAME', 'World Leader Pretend');
+define('STATUSNET_CODENAME', 'Letter Never Sent');
 define('AVATAR_PROFILE_SIZE', 96);
 define('AVATAR_STREAM_SIZE', 48);
From 10ce44c2971f65c5fa732d91a74e3fa61d43c3bd Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Tue, 2 Aug 2011 13:49:00 -0400
Subject: [PATCH 3/6] cleanse tags of non-tag characters when canonicalizing
---
 lib/util.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/util.php b/lib/util.php
index e5b0c86e06..d8eee3d134 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -1096,8 +1096,11 @@ function common_tag_link($tag)
 function common_canonical_tag($tag)
 {
+ // only alphanum
+ $tag = preg_replace('/[^\pL\pN]/', '', $tag);
 $tag = mb_convert_case($tag, MB_CASE_LOWER, "UTF-8");
- return str_replace(array('-', '_', '.'), '', $tag);
+ $tag = substr($tag, 0, 64);
+ return $tag;
 }
 function common_valid_profile_tag($str)
From 897e3c87e59b071254fcb0820fa46f3133a69e9d Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Tue, 2 Aug 2011 13:49:27 -0400
Subject: [PATCH 4/6] encode values when inserting into MeteorUpdater JS
---
 plugins/Meteor/MeteorPlugin.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/plugins/Meteor/MeteorPlugin.php b/plugins/Meteor/MeteorPlugin.php
index 6e93e364f7..3d36c67f57 100644 
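Review bot: The added `substr($tag, 0, 64)` counts bytes while the rest of the function treats the tag as UTF-8 (`mb_convert_case(..., "UTF-8")`), so a tag that still contains multibyte letters after the filter can be cut in the middle of a UTF-8 sequence and stored with a dangling partial character. On PHP before 7.0, which this 2011 code targets, `substr('', 0, 64)` also returns `false` rather than `''`, so an input the filter strips entirely (punctuation-only, e.g. `"---"`) makes the function return `false` where callers presumably expect a string. `$tag = mb_substr($tag, 0, 64, 'UTF-8');` addresses both. Whether 64 is meant as bytes or characters depends on the tag column width, which is not visible here; if that column is byte-sized, a character cap needs a lower limit or a byte-length check after it.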
--- a/plugins/Meteor/MeteorPlugin.php
+++ b/plugins/Meteor/MeteorPlugin.php
@@ -96,7 +96,11 @@ class MeteorPlugin extends RealtimePlugin
 function _updateInitialize($timeline, $user_id)
 {
 $script = parent::_updateInitialize($timeline, $user_id);
- return $script." MeteorUpdater.init(\"$this->webserver\", $this->webport, \"{$timeline}\");";
+ $ours = sprintf("MeteorUpdater.init(%s, %s, %s);",
+ json_encode($this->webserver),
+ json_encode($this->webport),
+ json_encode($timeline));
+ return $script." ".$ours;
 }
 function _connect()
From edb3f704b969769ce20b2e1e7d4504a570e42231 Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Tue, 2 Aug 2011 14:03:12 -0400
Subject: [PATCH 5/6] correctly include UTF-8 alphanum chars in tags
---
 lib/util.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/util.php b/lib/util.php
index d8eee3d134..629d8326fd 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -1097,7 +1097,7 @@ function common_tag_link($tag)
 function common_canonical_tag($tag)
 {
 // only alphanum
- $tag = preg_replace('/[^\pL\pN]/', '', $tag);
+ $tag = preg_replace('/[^\pL\pN]/u', '', $tag);
 $tag = mb_convert_case($tag, MB_CASE_LOWER, "UTF-8");
 $tag = substr($tag, 0, 64);
 return $tag;
From 6ce81344719386362d298af34b54d410fdc28d50 Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Tue, 2 Aug 2011 14:40:23 -0400
Subject: [PATCH 6/6] New release because I'm stupid
---
 README | 21 ++++++++++++---------
 lib/common.php | 4 ++--
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/README b/README
index bb9f7a2ea2..6508ba9ca7 100644
--- a/README
+++ b/README
@@ -2,8 +2,8 @@ README
 ------
-StatusNet 0.9.8 "Letter Never Sent"
-1 August 2011
+StatusNet 0.9.9 "9-9"
+2 August 2011
 This is the README file for StatusNet, the Open Source microblogging platform. It includes installation instructions, descriptions of 
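Review bot: `json_encode($this->webport)` on the third added line changes the JS type whenever the port is held as a string: the removed line interpolated it bare, so `"4670"` became the number `4670`, whereas json_encode emits the quoted string `"4670"`, and `MeteorUpdater.init` (not visible here) may compare or concatenate it differently. If the value comes from site configuration, cast it first: `json_encode((int) $this->webport)`. The encoding is otherwise the right fix for script injection through `$timeline`; json_encode's default `\/` escaping is what stops a `</script>` inside a value from closing the element, so `JSON_UNESCAPED_SLASHES` must never be added to these calls. On malformed UTF-8 json_encode returns a falsy value, which `%s` prints as nothing and leaves a JS syntax error rather than an injection; a one-line comment above the sprintf recording both facts, e.g. `// json_encode: escapes quotes and "/" (so no "</script>" breakout); never add JSON_UNESCAPED_SLASHES here`, would keep the next maintainer from simplifying it away.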
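Review bot: With the `u` modifier on the changed line, `preg_replace` returns NULL for input that is not valid UTF-8 (`PREG_BAD_UTF8_ERROR`) instead of filtering it; NULL then flows through `mb_convert_case` and `substr` as an empty string, so a malformed tag silently canonicalizes to empty (or to `false` from `substr` on PHP before 7.0). Make that explicit so it cannot be mistaken for a legitimately empty tag: `if ($tag === null) { return ''; }` immediately after the preg_replace. A header comment stating the contract is also missing; I would add `// Canonical tag: UTF-8 letters/digits only, lower-cased, capped at 64; malformed UTF-8 yields ''.` above the function. The byte-wise `substr` context line is inconsistent with the `u` handling introduced here and can split a multibyte character; `mb_substr($tag, 0, 64, 'UTF-8')` would make the two agree. The function's closing brace lies outside the hunk.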
@@ -98,7 +98,7 @@ New this version This is a security release since version 0.9.7 released on 11 March 2011. It fixes security bug #3260. All sites running version 0.9.7 or -below are recommended to upgrade to 0.9.8 immediately. +below are recommended to upgrade to 0.9.9 immediately. Notable changes this version: @@ -113,7 +113,10 @@ Notable changes this version: - Correct use of "likes" in Facebook plugin. - Ignore failures in Twitter plugin. -A full changelog is available at http://status.net/wiki/StatusNet_0.9.8. +A full changelog is available at http://status.net/wiki/StatusNet_0.9.9. + +NOTE: The short-lived StatusNet 0.9.8 ("Letter Never Sent") did not +adequately fix bug #3260 as originally thought; thus this new release. Prerequisites ============= @@ -224,9 +227,9 @@ especially if you've previously installed PHP/MySQL packages. 1. Unpack the tarball you downloaded on your Web server. Usually a command like this will work: - tar zxf statusnet-0.9.7.tar.gz + tar zxf statusnet-0.9.9.tar.gz - ...which will make a statusnet-0.9.7 subdirectory in your current + ...which will make a statusnet-0.9.9 subdirectory in your current directory. (If you don't have shell access on your Web server, you may have to unpack the tarball on your local computer and FTP the files to the server.) @@ -234,7 +237,7 @@ especially if you've previously installed PHP/MySQL packages. 2. Move the tarball to a directory of your choosing in your Web root directory. Usually something like this will work: - mv statusnet-0.9.7 /var/www/statusnet + mv statusnet-0.9.9 /var/www/statusnet This will make your StatusNet instance available in the statusnet path of your server, like "http://example.net/statusnet". "microblog" or 
@@ -649,7 +652,7 @@ with this situation. If you've been using StatusNet 0.7, 0.6, 0.5 or lower, or if you've been tracking the "git" version of the software, you will probably want to upgrade and keep your existing data. There is no automated -upgrade procedure in StatusNet 0.9.7. Try these step-by-step +upgrade procedure in StatusNet 0.9.9. Try these step-by-step instructions; read to the end first before trying them. 0. Download StatusNet and set up all the prerequisites as if you were @@ -670,7 +673,7 @@ instructions; read to the end first before trying them. 5. Once all writing processes to your site are turned off, make a final backup of the Web directory and database. 6. Move your StatusNet directory to a backup spot, like "statusnet.bak". -7. Unpack your StatusNet 0.9.7 tarball and move it to "statusnet" or +7. Unpack your StatusNet 0.9.9 tarball and move it to "statusnet" or wherever your code used to be. 8. Copy the config.php file and the contents of the avatar/, background/, file/, and local/ subdirectories from your old directory to your new diff --git a/lib/common.php b/lib/common.php index 95192a67b1..c4bed30118 100644 --- a/lib/common.php +++ b/lib/common.php @@ -22,13 +22,13 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); } //exit with 200 response, if this is checking fancy from the installer if (isset($_REQUEST['p']) && $_REQUEST['p'] == 'check-fancy') { exit; } -define('STATUSNET_BASE_VERSION', '0.9.8'); +define('STATUSNET_BASE_VERSION', '0.9.9'); define('STATUSNET_LIFECYCLE', ''); // 'dev', 'alpha[0-9]+', 'beta[0-9]+', 'rc[0-9]+', '' for release define('STATUSNET_VERSION', STATUSNET_BASE_VERSION . STATUSNET_LIFECYCLE); define('LACONICA_VERSION', STATUSNET_VERSION); // compatibility -define('STATUSNET_CODENAME', 'Letter Never Sent'); +define('STATUSNET_CODENAME', '9-9'); define('AVATAR_PROFILE_SIZE', 96); define('AVATAR_STREAM_SIZE', 48);