Mercurial > moin > 1.9
changeset 5903:e55effb840da
update docs/CHANGES
| author | Thomas Waldmann <tw AT waldmann-edv DOT de> |
|---|---|
| date | Wed, 12 Dec 2012 12:04:34 +0100 |
| parents | 840ebd16ddd9 |
| children | 3a1b92276377 |
| files | docs/CHANGES |
| diffstat | 1 files changed, 11 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/docs/CHANGES Sun Dec 09 23:20:50 2012 +0100 +++ b/docs/CHANGES Wed Dec 12 12:04:34 2012 +0100 @@ -16,7 +16,7 @@ editor_force = True editor_default = 'text' # internal default, just for completeness -Version 1.9.5: +Version 1.9.<current>: SECURITY HINT: make sure you have allow_xslt = False (or just do not use allow_xslt at all in your wiki configs, False is the internal default). @@ -25,6 +25,16 @@ HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details. Fixes: + * fix XSS issue, escape page name in rss link + * escape user- or admin-defined css url + * make taintfilename more secure + * use a constant time str comparison function to prevent timing attacks + * Attachment handler: catch all Zip-related errors + + +Version 1.9.5: + + Fixes: * Security fix: fix virtual group bug in ACL evaluation. * Avoid crash if #refresh processing instruction is used without arguments. * Fix issue with non-ASCII textchas.