
v0.23

@sbrl sbrl released this 03 Sep 01:27 · 118 commits to master since this release · 6b9dfbc

Hey there everyone! It's another release :D This is an unusual one in many respects - for one, there hasn't been a beta release (the last time this happened for a major release was waaay back in v0.9 in 2015). There's a reason for that - in issue #222 someone has unethically reported a security issue with Pepperminty Wiki by not privately disclosing it, and instead publishing it publicly on the internet (exhibits a, b).

Of these two, the one that involves the first-run action is not of concern, since it requires the site secret to pull off, and even then it can only be executed once. If you're worried about that, you've got other issues - you could achieve the same effect simply by uploading a static HTML file to your web server, or by changing any of several settings in peppermint.json which by design take arbitrary HTML!

The other vulnerability uncovered a number of places in which potentially unsafe user input was sent back to the browser without proper encoding, potentially allowing someone to insert arbitrary HTML (and hence scripts) where they shouldn't. This release fixes that.

Despite the rush, this release also includes a number of awesome additions:

  • 📄 Experimental support for transparent handling of [display text](./Page Name.md) style internal links (disabled by default: enable the parser_mangle_external_links setting and delete the ._cache directory to enable)
  • 🗺 XML sitemap support (manual setup required via an edit to your robots.txt)
  • 💡 Automatic system requirements indicator on first run (doesn't block you from proceeding, but helps you make sure you meet Pepperminty Wiki's system requirements)
  • 🪲 Many bugs squashed!
  • ⏫ Fixed compatibility issues with PHP 8.0

So all in all this release should be a good incremental improvement over v0.22. If I spot any new show-stoppers, I'll make a quick hotfix release to squash them.

Have you updated to this release? Click this link to say hi!

This release also has an experimental GPG and SHA256 hashes file attached. My GPG key is C2F7843F9ADF9FEE264ACB9CC1C6C0BB001E1725 - please open an issue if you encounter any problems 🙂

Updating

You can update to this release simply by grabbing an updated copy of index.php and replacing the version in your current wiki (don't forget to take backups! I make every effort to squash as many bugs as possible, but you can never be too certain). You can get an updated copy of index.php in a number of ways:

  • By downloading the index.php file attached to this release
  • Using the online downloader (always has the latest stable version)
  • Using the online downloader offline
  • Building your own from source

For the last two methods, please see the documentation.
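Because index.php is the whole wiki, swapping in an unverified copy is the step most worth checking. The following is an added example, not part of Pepperminty Wiki or this release's own tooling: it checks a downloaded index.php against the release's SHA256 hashes file, backs up the running copy, and only then installs the new file. It assumes the hashes file is in sha256sum format ("<hex>  <name>" per line) and records the new build under the name index.php; the file names in the demonstration at the bottom are placeholders.

```php
<?php
// Added example, not part of the Pepperminty Wiki release tooling: verify a
// downloaded index.php against the release's SHA256 hashes file, back up the
// running copy, and only then swap the new file in.
// Assumptions: the hashes file is in `sha256sum` format ("<hex>  <name>" per
// line) and records the new build under the name "index.php". The attachment
// file names used in the demonstration at the bottom are placeholders.

declare(strict_types=1);

/** Parse sha256sum-style lines into [filename => lowercase hex digest]. */
function parse_sha256sums(string $contents): array
{
    $sums = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        // "<64 hex chars>", whitespace, optional "*" (binary mode), filename
        if (preg_match('/^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$/', $line, $m)) {
            $sums[$m[2]] = strtolower($m[1]);
        }
    }
    return $sums;
}

/** True only if the file's SHA256 equals the expected digest. */
function sha256_matches(string $path, string $expectedHex): bool
{
    $actual = hash_file('sha256', $path);
    // hash_equals() is the idiomatic digest comparison in PHP.
    return $actual !== false && hash_equals(strtolower($expectedHex), $actual);
}

/**
 * Install $newIndex as $wikiDir/index.php after verifying it. Throws, and
 * installs nothing, when the digest is missing or does not match.
 */
function install_verified_index(
    string $wikiDir,
    string $newIndex,
    string $sumsFile,
    string $recordedName = 'index.php'
): void {
    $sums = parse_sha256sums((string) file_get_contents($sumsFile));
    if (!isset($sums[$recordedName])) {
        throw new RuntimeException("No SHA256 digest for {$recordedName} in {$sumsFile}");
    }
    if (!sha256_matches($newIndex, $sums[$recordedName])) {
        throw new RuntimeException("SHA256 mismatch for {$newIndex}; refusing to install it");
    }

    $target = "{$wikiDir}/index.php";
    $backup = "{$wikiDir}/index.php.bak-" . date('Ymd-His');
    if (file_exists($target) && !copy($target, $backup)) {
        throw new RuntimeException("Could not back up {$target} to {$backup}");
    }
    // Copy to a temporary name and rename() into place so an interrupted copy
    // can never leave a half-written index.php serving the wiki.
    $tmp = "{$target}.new";
    if (!copy($newIndex, $tmp) || !rename($tmp, $target)) {
        throw new RuntimeException("Could not install {$newIndex} as {$target}");
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed demonstration in a throwaway directory; nothing real is touched.
    $dir = sys_get_temp_dir() . '/pmw-update-demo-' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents("{$dir}/index.php", "<?php // running v0.22 copy\n");
    file_put_contents("{$dir}/index.php.v0.23", "<?php // downloaded v0.23 copy\n");
    $sums = hash_file('sha256', "{$dir}/index.php.v0.23") . "  index.php\n";
    file_put_contents("{$dir}/SHA256SUMS", $sums);

    install_verified_index($dir, "{$dir}/index.php.v0.23", "{$dir}/SHA256SUMS");
    echo "Installed into {$dir}; backup kept alongside it.\n";

    // Tampered download: the content differs, so the install must be refused.
    file_put_contents("{$dir}/index.php.v0.23", "<?php // tampered v0.23 copy\n");
    try {
        install_verified_index($dir, "{$dir}/index.php.v0.23", "{$dir}/SHA256SUMS");
    } catch (RuntimeException $e) {
        echo "Refused: ", $e->getMessage(), "\n";
    }
}
```

On the command line the equivalent check is sha256sum -c against the hashes file, and the GPG signature is checked with gpg --verify after importing the key whose fingerprint is given above; confirm that the fingerprint gpg prints matches that one before trusting the signature, since a hash file alone only proves the download was not corrupted, not who produced it.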

For those who want to contribute financially as a thank you, I've recently set up a Liberapay to accept donations. It's certainly not required, but would definitely help me out :-) If you want to contribute but Liberapay isn't for you, please let me know (e.g. open an issue, see my website for more contact options)

Since v0.22

Added

  • Added HTTP API support for creating pages that don't yet have a name (#194)
    • This allows for having a "create new page" button in your navigation links - e.g. edit nav_links, nav_links_extra, or nav_links_bottom in your peppermint.json and add something like [ "+", "index.php?action=edit&unknownpagename=yes" ].
  • XML sitemap support with the new page-sitemap module (manual setup required for crawlers to notice it: see the documentation)
  • Experimental support for transparent handling of [display text](./Page Name.md) style internal links (disabled by default: enable the parser_mangle_external_links setting and delete the ._cache directory to enable)
  • Added automatic system requirements indicator on first run (checks for various PHP extensions required for various different functions) - does not block you from proceeding, but does assist in first-time system configuration

Changed

  • Updated the configuration guide to include count of how many settings we have
  • Also send a x-robots-tag: noindex, nofollow HTTP header for the login page (Semrush Bot, you better obey this one)
  • Support the page parameter as either a GET parameter or a POST parameter (GET takes precedence over POST)
  • Preview generation: If php-imagick is not installed but required for a particular operation, return a proper error message
  • File upload: If fileinfo is not installed, return a proper error message when someone attempts to upload a file
  • Add image/avif (AVIF image), image/jxl (JPEG XL image), image/heif and image/heic to upload_allowed_file_types (you'll need to delete your entry in peppermint.json to get the new updated list)
    • Also added these and flac (which was already allowed as an upload by default) to the data size calculator on ?action=help&dev=yes

Fixed

  • [security] Fixed some potential XSS attacks in the page editor
  • [security] Fix stored XSS in the wiki name via the first-run wizard (CVE-2021-38600); low severity, since it requires the site secret to perform the initial setup, and that setup can only be performed once
  • [security] Fix reflected XSS attacks (arbitrary script execution in the user's browser) via the many different GET parameters in many different modules
  • [security] Automatically run page titles through htmlentities()
  • Fixed a weird bug in the stats-update action causing warnings
  • search: Properly apply weightings of matches in page titles and tags
  • Improved error handling on first run where the PHP Zip extension is not installed
  • Also extract to ._extra_data if the directory is empty
  • Add sidebar_show to the settings GUI and the configuration guide
  • Fix crash when using the search bar with PHP 8.0+
  • Prefix the default value of the logo_url setting with https:
  • Fix display of subpages in the sidebar, and also wrap subpage lists in a <details /> element to allow collapsing them
  • Fix file upload error handling logic - a proper error page is now sent to the client
  • Create theme gallery help section instead of overwriting the one entitled "Jumping to a random page".
  • Fix broken character in recent changes log entry when moving pages
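The [security] fixes above all come down to one rule: encode untrusted input at the point where it is written into HTML, whichever request parameter it came from. The following is an added illustration in PHP, not code from Pepperminty Wiki; the function names, the search-results markup, the page-link markup and the attacker payload are all constructed for the example.

```php
<?php
// Added example, not Pepperminty Wiki's own code: the reflected-XSS pattern
// fixed in v0.23, shown as a vulnerable renderer beside a hardened one.
// Function names, the markup and the payload are constructed for illustration.

declare(strict_types=1);

/**
 * Encode a value for insertion into HTML text or a double/single-quoted
 * attribute. ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning '' (which would silently
 * drop the value and hide the problem).
 */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable: the query string lands in the page exactly as sent. */
function render_search_vulnerable(string $query): string
{
    return "<h1>Search results for {$query}</h1>";
}

/** Hardened: the same output, encoded at the point of use. */
function render_search_safe(string $query): string
{
    return '<h1>Search results for ' . h($query) . '</h1>';
}

/**
 * A page title used in two contexts. Text and attribute values get h(); a
 * value placed inside a URL is percent-encoded first and then HTML-encoded,
 * because the finished URL itself sits inside an href attribute.
 */
function render_page_link(string $title): string
{
    $url = 'index.php?action=view&page=' . rawurlencode($title);
    return '<a href="' . h($url) . '">' . h($title) . '</a>';
}

/**
 * The page parameter accepted from either GET or POST, GET taking precedence:
 * where the value came from changes nothing about how it must be encoded.
 */
function page_param(array $get, array $post): string
{
    return (string) ($get['page'] ?? $post['page'] ?? '');
}

if (PHP_SAPI === 'cli') {
    // Constructed attacker input of the kind a reflected-XSS report uses.
    $payload = '"><script>alert(document.cookie)</script>';

    echo "Vulnerable:\n", render_search_vulnerable($payload), "\n\n";
    echo "Hardened:\n", render_search_safe($payload), "\n\n";
    echo render_page_link(page_param(['page' => 'Page "Name" & more'], [])), "\n";
}
```

htmlspecialchars() with the same flags is sufficient for a UTF-8 page; htmlentities(), which this release uses for page titles, additionally converts non-ASCII characters to named entities, which is harmless. Neither function is the right tool for a value dropped into a script block or an unquoted attribute: the former needs JSON encoding (json_encode with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), and the latter is avoided by always quoting attributes.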