Wikka 1.1.6.3 Release Notes
Released on May 7, 2007

Security patches
- Sanitized UserSettings to prevent JS injection. Ticket:363 (thanks to Sakaru)
- Secured LoadRecentComments() and LoadRecentlyCommented(). Ticket:383
- Dropped use of GetEnv() to retrieve the Wikka configuration because of potential security issues on shared servers. It is still possible to load a configuration file stored outside the installation directory (and outside the webroot, for increased security) by editing wikka.php, uncommenting the definition of WAKKA_CONFIG, and setting it to the path of your configuration file. Ticket:98
- Fixed bug that allowed information on revisions to private pages (page name, edit note and revision datetime) to show up in the RecentChanges feed. Ticket:305
- Replaced every occurrence of $_REQUEST with $_GET or $_POST to enforce security of user input. Ticket:312
- Patched a native PHP vulnerability (HTML Entity Encoder Heap Overflow Vulnerability) affecting virtually any web application running on PHP < 5.2. The security fix was also applied to GeSHi version 1.0.7.18. Ticket:427
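The two code-level patterns behind the first and fifth items above (output-encoding user settings and reading input from $_GET/$_POST instead of $_REQUEST) are illustrated by the following added example. It is not Wikka's code; the function names, the `name` field and the settings array are hypothetical and stand in for the real UserSettings handler.

```php
<?php
// Added illustration, not Wikka's own code. All function and field names are
// hypothetical; they model a minimal "user settings" save-and-render handler.

// BEFORE (weak): $_REQUEST merges GET, POST and COOKIE data (in the order set by
// PHP's request_order / variables_order), so a value the form is meant to POST
// can equally arrive in a URL query string or a cookie, and the code cannot tell
// which. The stored value is also echoed into HTML unescaped, so a display name
// containing markup or script is rendered as-is for every viewer.
function save_settings_weak(array $settings): array
{
    if (isset($_REQUEST['name'])) {
        $settings['name'] = $_REQUEST['name']; // source of the value is ambiguous
    }
    return $settings;
}

function render_settings_weak(array $settings): string
{
    return '<input name="name" value="' . $settings['name'] . '">'; // unescaped
}

// AFTER (hardened): accept the value only from the superglobal that matches the
// intended request method, constrain it, and HTML-encode it on output.
function save_settings(array $settings): array
{
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['name'])) {
        // Trim and length-limit; a real application would validate further.
        $settings['name'] = substr(trim((string) $_POST['name']), 0, 80);
    }
    return $settings;
}

function esc(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value cannot close the attribute.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_settings(array $settings): string
{
    return '<input name="name" value="' . esc($settings['name']) . '">';
}

// Demonstration with a constructed request: a POSTed display name that tries to
// break out of the value attribute and inject markup.
$_SERVER['REQUEST_METHOD'] = 'POST';
$_POST['name'] = '"><b>injected</b>';

$settings = save_settings(['name' => 'WikiUser']);
echo render_settings($settings), "\n";
```

Run it from the command line with `php` and compare the encoded `value` attribute with what `render_settings_weak()` would have produced. The same payload sent as a query-string parameter or a cookie is ignored by `save_settings()`, because only `$_POST` is consulted, which is the property the release notes describe gaining by dropping $_REQUEST.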
Bug fixes
- Fixed bug producing invalid XHTML in referrer handlers. Ticket:469
- Added missing trailing slash that could result in invalid base_url during installation. Ticket:438
- Fixed bug in Onyx that could prevent correct feed parsing when using PHP < 4.3.0. Ticket:420
- Further minor fixes. Ticket:466, Ticket:437
CategoryEN