head	1.6;
access;
symbols
	pkgsrc-2013Q2:1.6.0.2
	pkgsrc-2013Q2-base:1.6
	pkgsrc-2013Q1:1.5.0.22
	pkgsrc-2013Q1-base:1.5
	pkgsrc-2012Q4:1.5.0.20
	pkgsrc-2012Q4-base:1.5
	pkgsrc-2012Q3:1.5.0.18
	pkgsrc-2012Q3-base:1.5
	pkgsrc-2012Q2:1.5.0.16
	pkgsrc-2012Q2-base:1.5
	pkgsrc-2012Q1:1.5.0.14
	pkgsrc-2012Q1-base:1.5
	pkgsrc-2011Q4:1.5.0.12
	pkgsrc-2011Q4-base:1.5
	pkgsrc-2011Q3:1.5.0.10
	pkgsrc-2011Q3-base:1.5
	pkgsrc-2011Q2:1.5.0.8
	pkgsrc-2011Q2-base:1.5
	pkgsrc-2011Q1:1.5.0.6
	pkgsrc-2011Q1-base:1.5
	pkgsrc-2010Q4:1.5.0.4
	pkgsrc-2010Q4-base:1.5
	pkgsrc-2010Q3:1.5.0.2
	pkgsrc-2010Q3-base:1.5
	pkgsrc-2010Q2:1.4.0.6
	pkgsrc-2010Q2-base:1.4
	pkgsrc-2010Q1:1.4.0.4
	pkgsrc-2010Q1-base:1.4
	pkgsrc-2009Q4:1.4.0.2
	pkgsrc-2009Q4-base:1.4
	pkgsrc-2009Q3:1.3.0.2
	pkgsrc-2009Q3-base:1.3
	pkgsrc-2009Q2:1.1.0.4
	pkgsrc-2009Q2-base:1.1
	pkgsrc-2009Q1:1.1.0.2;
locks; strict;
comment	@# @;


1.6
date	2013.04.02.15.46.36;	author taca;	state dead;
branches;
next	1.5;

1.5
date	2010.08.10.16.00.42;	author taca;	state Exp;
branches;
next	1.4;

1.4
date	2009.11.30.15.44.45;	author taca;	state Exp;
branches;
next	1.3;

1.3
date	2009.09.15.10.48.46;	author taca;	state Exp;
branches;
next	1.2;

1.2
date	2009.09.13.01.15.11;	author taca;	state Exp;
branches;
next	1.1;

1.1
date	2009.05.26.14.19.29;	author taca;	state Exp;
branches
	1.1.2.1
	1.1.4.1;
next	;

1.1.2.1
date	2009.05.26.14.19.29;	author tron;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2009.05.30.21.14.02;	author tron;	state Exp;
branches;
next	;

1.1.4.1
date	2009.09.13.14.57.36;	author tron;	state Exp;
branches;
next	;


desc
@@


1.6
log
@Update geeklog to 2.0.0.

Here is a summary from the release announcement.  Full changes are available
in the docs/history file.  (XSS problem was already fixed by geeklog-1.8.2sr1.)
* Improved strength of password hashing
* Allow Topics to have child Topics
* Allow Articles, Blocks and other Plugin objects to be associated with
  more than one Topic
* Topic Breadcrumb support
* Emergency Rescue Tool is included with the Geeklog Install
* Added support for MySQLi
* Add Stop Forum Spam and Spam Number of Links Modules to Spam-X
* A new theme called Denim which is based on Responsive Web Design
* A new theme called Modern Curve
* Comments Form on same page as Articles and other Plugin objects
* Comments RSS Feed Plugin now integrated into Geeklog
* Includes updated versions of jQuery to 1.9.1 and jQuery UI to 1.10.1
* Updated FCKeditor version to 2.6.9
* XSS fixes for the Install, Configuration, Topic Editor, Polls Plugin and
  Calendar Plugin
* Twitter OAuth API updated
* HTML 5 DOCTYPE
@
text
@$NetBSD: patch-aj,v 1.5 2010/08/10 16:00:42 taca Exp $

* Change for pkgsrc.

--- public_html/admin/install/index.php.orig	2010-04-25 06:56:58.000000000 +0000
+++ public_html/admin/install/index.php
@@@@ -918,16 +918,8 @@@@ function INST_defaultPluginInstall()
 // | Main                                                                      |
 // +---------------------------------------------------------------------------+
 
-// prepare some hints about what /path/to/geeklog might be ...
-$gl_path = strtr(__FILE__, '\\', '/'); // replace all '\' with '/'
-for ($i = 0; $i < 4; $i++) {
-    $remains = strrchr($gl_path, '/');
-    if ($remains === false) {
-        break;
-    } else {
-        $gl_path = substr($gl_path, 0, -strlen($remains));
-    }
-}
+// pkgsrc default.
+$gl_path = '@@PREFIX@@/@@GEEKLOG_BASE@@';
 
 $html_path = INST_getHtmlPath();
 $siteconfig_path = '../../siteconfig.php';
@


1.5
log
@Update geeklog package to 1.7.0.

Quote from release announce:

This release adds support for PostgreSQL (in addition to MySQL and MS SQL),
developed by Stan Palatnik during the Google Summer of Code 2009. It also
adds a re-authentication option in case the CSRF token expires, thus
preventing loss of data. For other improvements, please see the list of
changes.
Of course, it also addresses the latest security issue.

We would also like to thank all those students again who applied for the
Google Summer of Code 2010 and submitted patches for Geeklog. Some of them
already made it into 1.7.0, the rest is scheduled for inclusion into
Geeklog 1.7.1. We will also be looking into adding more of our successful
GSoC projects from 2009 into that release.
@
text
@d1 1
a1 1
$NetBSD: patch-aj,v 1.4 2009/11/30 15:44:45 taca Exp $
@


1.4
log
@Update www/geeklog package to 1.6.1.

Geeklog 1.6.1

New Features and Improvements

* Geeklog now lets you enter meta descriptions and meta keywords for the
  main page, for stories, topics, static pages, and polls. Please note that
  these meta tags may not be used by some search engines.
* You can now have one featured story per topic (for stories set to
  "Show only in Topic").
* New autotags now allow you to embed polls in stories and everywhere else
  where autotags are allowed.
* The Migrate option in the install script can now also be applied to an
  existing database (i.e. you don't need to import a database dump to
  update your URLs and paths).
* The Database Backup admin panel now includes options to optimize the
  database and convert tables to InnoDB (MySQL only).
* Improved timezone support and let users actually set their own timezone.
* Minor security enhancements:
  + "Important" cookies (like the session cookies) are now created with
    the HttpOnly flag set. This will help avoid some XSS attacks, provided
    your browser supports this flag.
  + Template errors will now trigger the standard error handler instead of
    exposing the template path.
  + Fixed inclusion protection for some of the Spam-X class files.

Please also see the list of theme changes.

Bugfixes

* Fixed automatic closing of stories for comments after a certain amount
  of days.
  If you need to re-open comments on stories that were closed due to this
  bug, you can use this SQL request:
  UPDATE gl_stories SET commentcode = 0, comment_expire = 0 WHERE commentcode = 1;
* The comment speed limit was being ignored.
* Fixed a bug in the Group Editor that didn't let you add groups to other
  groups (this problem was only introduced in Geeklog 1.6.0).
* The admin group for the Static Pages plugin was created with a wrong name
  in Geeklog 1.6.0 (fresh installs only).
* Several tweaks and minor fixes (e.g. compatibility with PHP 4) in the
  search.
@
text
@d1 1
a1 1
$NetBSD: patch-aj,v 1.3 2009/09/15 10:48:46 taca Exp $
a3 1
* Output Content-Type header explicitly.
d5 1
a5 1
--- public_html/admin/install/index.php.orig	2009-08-30 18:08:41.000000000 +0900
d7 1
a7 1
@@@@ -867,16 +867,8 @@@@ function INST_defaultPluginInstall()
@


1.3
log
@Update Geeklog to 1.6.0sr2 (security release 2).

o Add some pkgsrc patches to improve Content-Type header output.

Geeklog 1.6.0sr2

This release addresses the following security issue:

* Unauthorized file uploads were possible through FCKeditor. Uploaded files
  still had to go through FCKeditor's filter, so it was not possible to
  upload scripts (and the integrity of the Geeklog site as such was not in
  danger). There were, however, reports that this was used to host malware.
  This update prevents use of the upload feature when FCKeditor is disabled
  and disables it for anonymous users. It also doesn't allow uploading of
  archive files any more. Furthermore, you need some sort of "edit"
  permission now to be able to upload files through FCKeditor (this is
  meant as an interim measure - we will probably introduce a separate
  "upload" permission in future Geeklog versions).

Other fixes:

* Fixed installation using InnoDB tables.
* Fixed a (non-exploitable) SQL error when auto-updating a story's
  commentcode field.
* Fixed a wrong function name in the Links plugin.

Geeklog 1.6.0sr1

This release addresses the following security issues:

1. Gerendi Sandor Attila reported an XSS in the forms to email a user and
   to email a story to a friend.
2. The "Mail Story to a Friend" function didn't check story permissions,
   so that it was possible to email a story even if you didn't have the
   permissions to view it on the site.

Other fixes:

* Fixed an SQL error when submitting a story and the story submission
  queue was off.
* Fixed calls to a nonexistent function COM_outputMessageAndAbort.

Geeklog 1.6.0

Results from the Summer of Code

This release incorporates the following projects implemented during the
2008 Google Summer of Code:

* Site migration support and easier plugin installation, by Matt West
* Improved search, by Sami Barakat
* Comment moderation and editable comments, by Jared Wenerd

Other changes

* The minimum PHP version required by Geeklog is now PHP 4.3.0. Given that
  the PHP team ended support for PHP 4 in August 2008, you should be
  looking into upgrading to PHP 5 anyway.
* Includes FCKeditor 2.6.4.1
* Includes a new plugin, XMLSitemap, that automatically generates an XML
  sitemap file, as supported by all major search engines. Plugin written
  and provided by mystral-kk.
* Several new plugin API functions have been added and existing functions
  have been extended.
* The included documentation has been moved to docs/english to allow for
  translations. Links to the documentation from within Geeklog will link
  to existing translations for the current language automatically (or fall
  back to the English documentation if no suitable translation can be
  found).
* There were a variety of theme changes to support new functionality and
  fix inconsistencies in the layout.

This release also includes a number of patches and improvements made by
students applying for participation in the Google Summer of Code 2009.
Thank you!
@
text
@d1 1
a1 1
$NetBSD: patch-aj,v 1.1 2009/05/26 14:19:29 taca Exp $
a26 8
@@@@ -1242,6 +1234,7 @@@@
 $display .= '' . LB . '';
 
+header('Content-Type: text/html; charset=' . $LANG_CHARSET);
 echo $display;
 
 ?>
@


1.2
log
@Update Geeklog 1.5.2sr5 by adding patches since 1.5.2sr5 isn't provided as
a full release.  And add updated fckeditor for Geeklog.

These updates should fix known security problems, Secunia SA36372.

Jul 30, 2009 (1.5.2sr5)
------------

This release addresses the following security issues:

- Gerendi Sandor Attila reported an XSS in the forms to email a user and
  to email a story to a friend.
- The "Mail Story to a Friend" function didn't check story permissions,
  so that it was possible to email a story even if you didn't have the
  permissions to view it on the site.
@
text
@d3 2
a4 4
* make it geeklog 1.5.2sr5.
* Add missing charset parameter.
* Add missing utf8 select button.
* Send correct charset parameter.
d6 1
a6 1
--- public_html/admin/install/index.php.orig	2009-04-18 16:55:00.000000000 +0900
d8 1
a8 40
@@@@ -48,7 +48,7 @@@@ if (!defined("LB")) {
     define("LB", "\n");
 }
 if (!defined('VERSION')) {
-    define('VERSION', '1.5.2sr4');
+    define('VERSION', '1.5.2sr5');
 }
 if (!defined('XHTML')) {
     define('XHTML', ' /');
@@@@ -178,7 +178,8 @@@@ function get_SPX_Ver()
  */
 function INST_checkPost150Upgrade($dbconfig_path, $siteconfig_path)
 {
-    global $_CONF, $_TABLES, $_DB, $_DB_dbms, $_DB_host, $_DB_user, $_DB_pass;
+    global $_CONF, $_TABLES, $_DB, $_DB_dbms, $_DB_host, $_DB_user, $_DB_pass,
+           $language;
 
     require $dbconfig_path;
     require $siteconfig_path;
@@@@ -227,6 +228,7 @@@@ function INST_checkPost150Upgrade($dbcon
         // this is a 1.5.x version, so upgrade directly
         $req_string = 'index.php?mode=upgrade&step=3'
                     . '&dbconfig_path=' . $dbconfig_path
+                    . '&language=' . $language
                     . '&version=' . $version;
 
         header('Location: ' . $req_string);
@@@@ -407,6 +409,11 @@@@ function INST_installEngine($install_typ
         if ($install_type == 'install') {
             $display .= '

';
+        } else {
+            if ($utf8) {
+                $display .= '
+';
+            }
         }
         $display .= '
@@@@ -1793,16 +1800,8 @@@@ function INST_setDefaultCharset($sitecon
d25 1
a25 1
 $html_path = str_replace('admin/install/index.php', '', str_replace('admin\install\index.php', '', str_replace('\\', '/', __FILE__)));
d27 3
a29 3
@@@@ -2228,5 +2227,6 @@@@
 $display .= '
' . LB;
d33 1
@


1.1
log
@Update geeklog package from 1.4.1nb4 to 1.5.2.4 (1.5.2sr4).

pkgsrc changes: overhaul this package.

* Add LICENSE.
* Clean up bmake's macros, such as addition of PRINT_PLIST_AWK.

Geeklog changes: too many changes to write here.

* New user-friendly installation.
* New Configuration GUI.
* New Webservice GUI.
* And more.

Please refer to http://www.geeklog.net/docs/english/changes.html for more
information.

Fixed some security problems about SQL injection vulnerability.
@
text
@d1 6
a6 1
$NetBSD$
d10 40
a49 1
@@@@ -1793,16 +1793,8 @@@@ function INST_setDefaultCharset($sitecon
d68 7
@


1.1.4.1
log
@Pullup ticket #2889 - requested by taca
geeklog: security update

Revisions pulled up:
- www/geeklog/Makefile				1.23
- www/geeklog/PLIST				1.10
- www/geeklog/distinfo				1.10
- www/geeklog/patches/patch-aa			1.4
- www/geeklog/patches/patch-aj			1.2
- www/geeklog/patches/patch-ak			1.1
- www/geeklog/patches/patch-al			1.1
- www/geeklog/patches/patch-ba			1.1
- www/geeklog/patches/patch-bb			1.1
- www/geeklog/patches/patch-bc			1.1
- www/geeklog/patches/patch-bd			1.1
---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Sep 13 01:15:11 UTC 2009

   Modified Files:
   	pkgsrc/www/geeklog: Makefile PLIST distinfo
   	pkgsrc/www/geeklog/patches: patch-aa patch-aj
   Added Files:
   	pkgsrc/www/geeklog/patches: patch-ak patch-al patch-ba patch-bb patch-bc
   	    patch-bd

   Log Message:
   Update Geeklog 1.5.2sr5 by adding patches since 1.5.2sr5 isn't provided as
   a full release.  And add updated fckeditor for Geeklog.

   These updates should fix known security problems, Secunia SA36372.
   Jul 30, 2009 (1.5.2sr5)
   ------------

   This release addresses the following security issues:

   - Gerendi Sandor Attila reported an XSS in the forms to email a user and
     to email a story to a friend.
   - The "Mail Story to a Friend" function didn't check story permissions,
     so that it was possible to email a story even if you didn't have the
     permissions to view it on the site.
@
text
@a2 5
* make it geeklog 1.5.2sr5.
* Add missing charset parameter.
* Add missing utf8 select button.
* Send correct charset parameter.

d5 1
a5 40
@@@@ -48,7 +48,7 @@@@ if (!defined("LB")) {
     define("LB", "\n");
 }
 if (!defined('VERSION')) {
-    define('VERSION', '1.5.2sr4');
+    define('VERSION', '1.5.2sr5');
 }
 if (!defined('XHTML')) {
     define('XHTML', ' /');
@@@@ -178,7 +178,8 @@@@ function get_SPX_Ver()
  */
 function INST_checkPost150Upgrade($dbconfig_path, $siteconfig_path)
 {
-    global $_CONF, $_TABLES, $_DB, $_DB_dbms, $_DB_host, $_DB_user, $_DB_pass;
+    global $_CONF, $_TABLES, $_DB, $_DB_dbms, $_DB_host, $_DB_user, $_DB_pass,
+           $language;
 
     require $dbconfig_path;
     require $siteconfig_path;
@@@@ -227,6 +228,7 @@@@ function INST_checkPost150Upgrade($dbcon
         // this is a 1.5.x version, so upgrade directly
         $req_string = 'index.php?mode=upgrade&step=3'
                     . '&dbconfig_path=' . $dbconfig_path
+                    . '&language=' . $language
                     . '&version=' . $version;
 
         header('Location: ' . $req_string);
@@@@ -407,6 +409,11 @@@@ function INST_installEngine($install_typ
         if ($install_type == 'install') {
             $display .= '

';
+        } else {
+            if ($utf8) {
+                $display .= '
+';
+            }
         }
         $display .= '
@@@@ -1793,16 +1800,8 @@@@ function INST_setDefaultCharset($sitecon
a23 7
@@@@ -2228,5 +2227,6 @@@@
 $display .= '
' . LB;
+header('Content-Type: text/html; charset=' . $LANG_CHARSET);
 echo $display;
 
 ?>
@


1.1.2.1
log
@file patch-aj was added on branch pkgsrc-2009Q1 on 2009-05-30 21:14:02 +0000
@
text
@d1 23
@


1.1.2.2
log
@Pullup ticket #2782 - requested by taca
geeklog: security update

Revisions pulled up:
- www/geeklog/DEINSTALL				1.5
- www/geeklog/INSTALL				1.4
- www/geeklog/Makefile				1.22
- www/geeklog/Makefile.common			1.7
- www/geeklog/PLIST				1.8
- www/geeklog/distinfo				1.9
- www/geeklog/files/README			1.4
- www/geeklog/files/createdb.php		delete
- www/geeklog/files/geeklog.conf		1.2
- www/geeklog/patches/patch-aa			1.3
- www/geeklog/patches/patch-ab			delete
- www/geeklog/patches/patch-ac			delete
- www/geeklog/patches/patch-ag			delete
- www/geeklog/patches/patch-ah			delete
- www/geeklog/patches/patch-ai			delete
- www/geeklog/patches/patch-aj			1.1
---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue May 26 14:19:29 UTC 2009

   Modified Files:
   	pkgsrc/www/geeklog: DEINSTALL INSTALL Makefile Makefile.common PLIST
   	    distinfo
   	pkgsrc/www/geeklog/files: README geeklog.conf
   	pkgsrc/www/geeklog/patches: patch-aa
   Added Files:
   	pkgsrc/www/geeklog/patches: patch-aj
   Removed Files:
   	pkgsrc/www/geeklog/files: createdb.php
   	pkgsrc/www/geeklog/patches: patch-ab patch-ac patch-ag patch-ah patch-ai

   Log Message:
   Update geeklog package from 1.4.1nb4 to 1.5.2.4 (1.5.2sr4).

   pkgsrc changes: overhaul this package.

   * Add LICENSE.
   * Clean up bmake's macros, such as addition of PRINT_PLIST_AWK.

   Geeklog changes: too many changes to write here.

   * New user-friendly installation.
   * New Configuration GUI.
   * New Webservice GUI.
   * And more.

   Please refer to http://www.geeklog.net/docs/english/changes.html for more
   information.

   Fixed some security problems about SQL injection vulnerability.
@
text
@a0 23
$NetBSD: patch-aj,v 1.1 2009/05/26 14:19:29 taca Exp $

--- public_html/admin/install/index.php.orig	2009-04-18 16:55:00.000000000 +0900
+++ public_html/admin/install/index.php
@@@@ -1793,16 +1793,8 @@@@ function INST_setDefaultCharset($sitecon
 // | Main                                                                      |
 // +---------------------------------------------------------------------------+
 
-// prepare some hints about what /path/to/geeklog might be ...
-$gl_path = strtr(__FILE__, '\\', '/'); // replace all '\' with '/'
-for ($i = 0; $i < 4; $i++) {
-    $remains = strrchr($gl_path, '/');
-    if ($remains === false) {
-        break;
-    } else {
-        $gl_path = substr($gl_path, 0, -strlen($remains));
-    }
-}
+// pkgsrc default.
+$gl_path = '@@PREFIX@@/@@GEEKLOG_BASE@@';
 
 $html_path = str_replace('admin/install/index.php', '', str_replace('admin\install\index.php', '', str_replace('\\', '/', __FILE__)));
 $siteconfig_path = '../../siteconfig.php';
@
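Review bot: the hunk replacing the `__FILE__`-derived `$gl_path` with the literal `'@@PREFIX@@/@@GEEKLOG_BASE@@'` (RCS-doubled `@`) depends on those placeholders being substituted before the file is installed, but nothing in the patch says where that happens, and this revision's header carries only `$NetBSD$` with no description; add a header line such as `* Use the pkgsrc install prefix for $gl_path (substituted at build time).` so the assumption is documented, as later revisions do with `* Change for pkgsrc.`. Note also that the following context line still derives `$html_path` from `__FILE__`, so the two paths are now computed by different rules and can disagree if the package is installed in a layout other than the one the fixed `$gl_path` assumes; either derive both from the same source or state the assumed layout in the header.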