Moin

Latest version: v1.9.11

Safety actively analyzes 682457 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 1 of 13

2.2.2

(with 2.3.x, MoinMoin runs about 20-30% faster).

New features:
Configuration:
* config.default_lang lets you set a default language for users not
having specified language in their browser or UserPreferences
* "config.page_category_regex" defines what pages are categories
* replaced `config.page_template_ending` by a more flexible setting
named `config.page_template_regex`
* the same with config.page_form_regex (was: page_form_ending)
* "config.page_group_regex" defines what pages are group definitions
Currently groups are used for "user groups" (see ACLs) and "page
groups" (see AllSystemPagesGroup).
* robot exclusion from all pages except the standard view action,
via the config.ua_spiders regex (reduces server load)
* "maxdepth" argument for the TableOfContents macro
* config.title1, config.title2, config.page_footer1,
config.page_footer2 can now be callables and will be called with
the "request" object as a single argument (note that you should
accept any keyword arguments in order to be compatible to future
changes)
* "config.html_pagetitle" allows you to set a specific HTML page
title (if not set, it defaults to "config.sitename")
* navi_bar / quicklinks can now contain free-form links, i.e.
entries of the form "[url linktext]" just like in wiki pages
* if a quick link starts with '^', it opens in a new window; help
now opens in a new window also
* `config.smileys` for user-defined smileys (default: `{}`) - a dict
with the markup as the key and a tuple of width, height, border, image
name as the value).
* `config.hosts_deny` to forbid access based on IP address
* `config.mail_login` can be set to username and password separated by
a space, e.g. "username userpass", if you need to use SMTP AUTH
* `config.edit_locking` can be set to None (old behaviour, no
locking), 'warn <timeout mins>' (warn about concurrent edits, but
do not enforce anything), or 'lock <timeout mins>' (strict locking)
* optionally showing a license text on editor page, use:
config.page_license_enabled = 1
Optionally use these to customize what is shown there:
config.page_license_text = "... your text ..."
config.page_license_page = "MyLicensePage"
See the default values in MoinMoin/config.py for details and
override them in moin_config.py, if needed.
* `config.shared_intermap` can be a list of filenames (instead of a
single string)
* If you have added your own `SecurityPolicy`, the class interface for
that has changed (see `security.py`).

Authenticaton / Authorization:
* added ACL support, written by Gustavo Niemeyer of Conectiva and
Thomas Waldmann. See HelpOnAccessControlLists for more infos.
You should use MoinMoin/scripts/moin_usercheck.py before activating
ACLs or some users with bad or duplicate accounts might get into
trouble.
* A user account can be disabled using moin_usercheck.py or
UserPreferences page. Disabling, but keeping it is good for edit
history.
* changed security default: deletion only available to known users
* support for Basic authentication (Apache style: AUTH_TYPE="Basic",
REMOTE_USER="WikiUserName"). If authentication is there, user
will be in ACL class "Trusted".
* support for username / password login
The username / password login will ONLY work, if you define a
password. With an empty password, username / password login is not
allowed due to security reasons. Passwords are stored encrypted
(format similar to Apache SHA) and can also be entered in the
UserPreferences form in this format. When requesting login
information by email, the password is also sent in this encrypted
format (use copy&paste to fill it in the form).
...?action=userform?uid=<userid> is still possible, so if you have
bookmarks, they will still work). The input field for the ID was
dropped.
NOTE: using the userid for login purposes is DEPRECATED and might
be removed for better security soon.
* after logging in, you will get a cookie valid until midnight.
The next day, the cookie will expire and you will have to login
again. If you don't want this, you can check the "remember me
forever" option in UserPreferences.
* if the page file is read-only, you get a message (i.e. you can now
protect pages against changes if you're the wiki admin).
Note: you can do that easier using ACLs.

Markup / Macros / Actions:
* RandomQuote macro (and even parses Wiki markup now)
* `[[Navigation]]` macro for slides and subpage navigation
* [[ShowSmileys]] displays ALL smileys, including user-defined ones
* the Include macro has new parameters (from, to, sort, items) and
is able to include more than one page (via a regex pattern)
* `MailTo` macro for adding spam-safe email links to a page
* if a fancy link starts with '^' (i.e. if it has the form
"[^http:... ...]"), it's opened in a new window
* because of that, the NewWindow macro was removed from contrib
* "pragma section-numbers 2" only displays section numbers for
headings of level 2 and up (similarly for 3 to 6)
* ../SubPageOfParent links

User interface:
* new fancy diffs
* Page creation shows LikePages that already exist
* editor shows the current size of the page
* editor returns to including page when editing an included page
* Visual indication we're on the editor page (new CSS style)
* selection to add categories to a page in the editor (use preview
button to add more than one category)
* if user has a homepage, a backup of save/preview text is saved as
a subpage UsersHomePage/MoinEditorBackup
* added "revert" link to PageInfo view (which makes DeletePage more
safe in public wikis, since you can easily revive deleted pages
via revert)
* Selection for logged in users (i.e. no bots) to extend the listing
of recent changes beyond the default limits
* Activated display of context for backlinks search
* Subscriber list shown on page info
* LikePages shows similar pages (using difflib.get_close_matches)
* last edit action is stored into "last-edited" file, and
displayed in the page footer
* reciprocal footnote linking (definition refers back to reference)
* "Ex-/Include system pages" link for title index
Note: system/help pages algorithm is still mostly broken.
* list items set apart by empty lines are now also set apart
visually (by adding the CSS class "gap" to <li>)
* "save" check for security.Permissions
* Added Spanish, Croatian and Danish system texts
* Added flag icons for the languages supported in "i18n"
* updated help and system pages, more translations, see also
AllSystemPagesGroup
* there was quite some work done on wiki xmlrpc v1 and v2 - it
basically works now.

Tools and other changes:
* moin-dump: New option "--page"
* there are some scripts MoinMoin/scripts/* using wiki xmlrpc for
backup and wiki page copying applications
* Updated the XSLT parser to work with 4Suite 1.0a1
* more infos in cgi tracebacks
* UPDATE.html is a HTML version of MoinMaster:HelpOnUpdating

Unfinished or experimental features:
* user defined forms
* XML export of all data in the wiki
* RST parser (you need to install docutils to use this)
* SystemAdmin macro

Privacy fixes:
* do not use / display user's email address in public places

SECURITY FIXES:
* Removed two cross-site scripting vulnerabilities reported by "office"

Bugfixes:
* Bugfix for PageList when no arguments are given
* Disallow full-text searches with too short search terms
* [ 566094 ] TitleIndex now supports grouping by Hangul Syllables
* fix for multibyte first char in TitleIndex
* Footnotes were not HTML escaped
* Numbered code displays are now in a table so that you can cut the
code w/o the numbers
* Bugfix for wrong mail notifications
* Create unique anchors for repeated titles
* [ 522246 ] Transparently recode localized messages
* [ 685003 ] Using "preview" button when editing can lose data
* use gmtime() for time handling
* fixed negative gmtime() arguments
* [[Include]] accepts relative page names
* fixed ||NotInterWiki:||...||

-----------------------------------------------------------------------------

1.62

* Moved configuration to "moin_config.py"
* Added "edit_rows" setting
* Added navigation bar
* Improved HTML formatting
* Added timing comment (page created in xx secs)
* ISO date and time formats by default
* Formatted RecentChanges with HTML tables
* Uppercase letters for the index pages
* Added PythonPowered logo

Bugfixes:
* Javadoc comments now get formatted properly in {{{ }}} sections
* Remove \r from submitted pages (so we get PORTABLE wiki files)
* chmod(0666) eases manual changes to the data dir

-----------------------------------------------------------------------------

1.9.11

Not secure
SECURITY HINT: make sure you have allow_xslt = False (or just do not use
allow_xslt at all in your wiki configs, False is the internal default).
Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.

HINT: Python 2.7 is required! See docs/REQUIREMENTS for details.

HINT: please read the changelog below carefully before upgrading to 1.9.10.
This release has some fundamental changes you (and your wiki users)
should be aware of beforehands.

Fixes:
* security fix for CVE-2020-25074:
fix remote code execution via cache action
changeset with fix: d1e5fc7d
* security fix for CVE-2020-15275:
fix malicious SVG attachment causing stored XSS vulnerability
changeset with fix: 64e16037
* make setup.py and .cfg ascii-only, 40
* fix SubProcess' os.setsid usage, 44
* fix interwiki test fails that crept into 1.9.10 release
* highlight parser: use language as code_type rather than "highlight"
* catch indexer error for too long names, 57
* improved indexer logging so logging never crashes due to
encoding issues for non-ascii page or attachment names.
* fix mailheader parsing, add tests for mailimport, 53
* workaround werkzeug errors='fallback:...' regression, 37
* mailimport: fix AttributeError, 55
* surge protection / hosts_deny: fix broken html, 60

Other changes:
* upgrade werkzeug 0.14.1 -> 1.0.1, adapt imports
HINT: if you use the ProxyFix code, the required import has changed to:
from werkzeug.middleware.proxy_fix import ProxyFix
* add secure-cookie 0.1.0 (code was formerly part of werkzeug.contrib), adapt imports
* update pygments 2.1.3 -> 2.5.2
* update passlib 1.7.1 -> 1.7.2
* update parsedatetime 2.4 -> 2.6

1.9.10

Not secure
Fixes:
* security fix for CVE-2017-5934, XSS in GUI editor related code
* fix wrong digestmod of hmac.new calls (incorporate 1.9.9 patch)
* fix broken table attribute processing (wikiutil.escape)
* fix AttributeError in multifile action
* read text attachments using universal newlines (including \r line seps)
* anywikidraw / twikidraw: check write permissions early
* fix exec_cmd for windows: preexec_fn is UNIX only

New features:
* added a convenient way to create a user account via the superuser's
"Settings" -> "Switch User" form:

just type in the new user's name there, switch to the account and
fill out the email address. You do not need to set a password, the
account will not be usable until the users claims it via the "forgot
my password" functionality on the login page (and sets a password).

* you now can also type in an existing user's name there to switch to the
account, instead of selecting it (convenient if you have many users).

* newaccount action by default only available for superusers.

This is to avoid spam bots creating huge amounts of crap accounts on
internet connected wikis.

This is done via a new cfg.actions_superuser = ['newaccount', ] default.

If you prefer to have newaccount action available for every visitor (not
advisable for internet connected wikis), use this in your wiki config:

actions_superuser = FarmConfig.actions_superuser[:]
actions_superuser.remove('newaccount')

For internet connected wikis, a safer way is to let potential new users
ask for an account. Everyone in the superuser list can easily create a new
account (wiki username and email address needed). If you run a public
MoinMoin wiki on the internet, document the way to get an account on
your front page.

* support tel: urls

Other changes:
* safer internal default ACL: Known and All now only have read permissions.

This is to avoid that you accidentally give r/w permissions to the world
when running a wiki on the internet.

Considering there are lots of spam bots out there, that can create a ton
of spam pages in little time, we advise you to keep the safer default for
internet connected wikis and only allow specific users / groups read/write
access.

See also the updated sample configs / the HelpOnAccessControlLists help
page.
* disable the gui editor / enforce the text editor by default

fckeditor 2.6.11 as we bundle it (latest available version, but years
old) might have security issues meanwhile as it is not maintained any
more.

also, there ever have been major issues with MoinMoin's integration of
that "gui editor" (as our documentation pointed out since long).

if you want to give wiki users the choice to choose the gui editor
nevertheless, you can re-enable it in your wiki config:

editor_force = False
editor_ui = 'freechoice'
* change log_reverse_dns_lookups default to False.
* update / upgrade bundled software:
* upgrade werkzeug to 0.14.1
* upgrade passlib to 1.7.1
* upgrade parsedatetime to 2.4
* moved MoinMoin 1.9.x development to GitHub:
https://github.com/moinwiki/moin-1.9/
* update mailing list address and download URL in pypi metadata
* enabled Travis CI to run the unit tests for PRs / branches
* fixed some stuff found by PyCharm Code Inspection
* make build reproducible

1.9.9

Not secure
Fixes:
* security: fix XSS in AttachFile view (multifile related) CVE-2016-7148
* security: fix XSS in GUI editor's attachment dialogue CVE-2016-7146
* security: fix XSS in GUI editor's link dialogue CVE-2016-9119
* catch IOError for zipfile errors (sometimes triggered by zipfile.is_zipfile
false positives, see http://bugs.python.org/issue28494 ).

Other changes:
* update moin.spec, setup.py: py27 only

1.9.9rc1

Fixes:
* add meta "viewport" for small device viewports
* add meta X-UA-Compatible IE=Edge, make IE happy on intranets

New features:
* AttachFile multifile operation: support copying multiple files to another page
* cfg.xmlrpc_overwrite_user is a new setting to control whether the xmlrpc
code overwrites an already authenticated user before processing a request.
True (default): behaviour as in 1.9.8 and before
False: use this if you want to use GivenAuth (e.g. http basic auth) for
xmlrpc requests.

Other changes:
* upgraded bundled 3rd party code:
* werkzeug 0.11.11
* passlib 1.6.5
* pygments 2.1.3
* parsedatetime 2.1
* FCKEditor 2.6.11
* removed some bundled stuff we needed due to stdlib issues in older Pythons:
* MoinMoin.support.difflib
* MoinMoin.support.tarfile
* MoinMoin.support.HeaderFixed (-> email.header)
* SubProcess: reimplement exec_cmd, remove our stdlib hacks
* remove own usage of python_compatibility module which we needed to support
older Pythons. the module is still there, in case some 3rd party moin
extensions used it.

Page 1 of 13

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.