Moin

Latest version: v1.9.11


Page 2 of 13

1.9.8

Not secure
New features:
* cfg.recovery_token_lifetime determines how long the password recovery
token will be valid; the default is 12 [h]. Check that this setting is adequate
before doing (global) password resets, so your users have enough time to
react before the token times out!
* cfg.log_events_format can be used to configure the format of the records
written to <data_dir>/event-log:
0 = do not create event-log entries (saves disk space, disk I/O)
1 = standard (like in moin <= 1.9.7) [default]
2 = extended (add infos about username, wikiname, url)
* add a tool to output the contents of the event-log to CSV:
moin export eventlog --file=output.csv
Output encoding is utf-8, columns are in this order:
time, event, username, ip, wikiname, pagename, url, referrer, ua
time: UNIX timestamp (float)
* reimplement cfg.log_timing - if True, emits INFO level log output like:
"timing: <REMOTE_ADDR> <URL> <REFERRER> <TIME> <SLOWNESS-INDICATOR>"
TIME is in seconds, the slowness indicator is "." for sub-second requests
or N times "!" for requests taking N seconds (so you easily can grep for
slow stuff).
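The timing record layout above is simple enough to grep, but the more useful question for a busy wiki is which client or action produces the slow requests. The following is an added example (not moin's own code): it builds records in the documented layout, parses them back, and aggregates slow requests per remote address. The exact number formatting of TIME and the '-' placeholder for an empty referrer are assumptions; the sample log lines are constructed.

```python
import re
from collections import Counter

# Matches the record layout described above:
# "timing: <REMOTE_ADDR> <URL> <REFERRER> <TIME> <SLOWNESS-INDICATOR>"
TIMING_RE = re.compile(
    r'^timing: (?P<addr>\S+) (?P<url>\S+) (?P<referrer>\S+) '
    r'(?P<time>\d+(?:\.\d+)?) (?P<indicator>\.|!+)$'
)


def slowness_indicator(seconds):
    """'.' for a sub-second request, otherwise one '!' per whole second."""
    whole = int(seconds)
    return '.' if whole < 1 else '!' * whole


def format_timing(remote_addr, url, referrer, seconds):
    """Build a record in the layout above (assumption: TIME printed with 3 decimals,
    empty referrer written as '-')."""
    return 'timing: %s %s %s %.3f %s' % (
        remote_addr, url, referrer or '-', seconds, slowness_indicator(seconds))


def parse_timing(line):
    """Return a dict for a timing record, or None for any other log line."""
    m = TIMING_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = float(rec['time'])
    return rec


def slow_requests(lines, threshold=1.0):
    """(addr, url, seconds) for every timing record at or above threshold seconds."""
    hits = []
    for line in lines:
        rec = parse_timing(line)
        if rec is not None and rec['time'] >= threshold:
            hits.append((rec['addr'], rec['url'], rec['time']))
    return hits


def slow_urls_by_client(lines, threshold=1.0):
    """Count slow requests per remote address: a quick way to see whether the
    slowness comes from one crawler hammering an expensive action."""
    return Counter(addr for addr, _url, _t in slow_requests(lines, threshold))


# Constructed sample log lines (not from a real wiki) in the layout above.
SAMPLE_LOG = [
    format_timing('203.0.113.5', '/FrontPage', '-', 0.214),
    format_timing('203.0.113.5', '/FrontPage?action=fullsearch&value=linkto%3A%22FrontPage%22', '-', 3.4),
    'INFO some unrelated log line',
    format_timing('198.51.100.9', '/CategoryHomepage?action=fullsearch&value=linkto%3A%22CategoryHomepage%22',
                  '/CategoryHomepage', 7.05),
    format_timing('203.0.113.5', '/RecentChanges?action=rss_rc', '-', 1.0),
]

if __name__ == '__main__':
    for addr, url, secs in slow_requests(SAMPLE_LOG):
        print('%-14s %6.2fs %s' % (addr, secs, url))
    print(slow_urls_by_client(SAMPLE_LOG))
```

Feed it the INFO-level log output with `slow_requests(open('moin.log'))`; non-timing lines are skipped, so it can run over the whole application log.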
* add "abuse" logging. this will log every attempt to login (successful ones
as well as unsuccessful ones). abuse logging is configured via the logging
configuration, see example in wiki/config/logging/abuse.
Currently, abuse logging is implemented for:
* authentication system
* "moin" auth
* "given" auth
* setuid (when superuser switches to another user)
* new user creation
* some security/ACL violations (xmlrpc and perhaps others not implemented)
* surge protection for authentication (currently only for MoinAuth):
a) surge protect by IP
This covers the case someone is trying to authenticate way too
often - we don't look at the username here, just at the remote IP
address. If surge protection kicks in for some specific IP, that IP
won't be able to try to authenticate any more until surge_lockout_time
is over.
Note: be careful with users behind proxies or NAT routers - these are
common and legitimate cases with (potentially lots of)
authentication requests coming from same IP.
if it is a trusted proxy, you can configure moin so it sees the
real remote IP address (not just the proxy's address).
b) surge protect by name
This covers the case someone is trying to authenticate for a
specific user name way too often (e.g. when someone tries to attack the
wiki admin's account). We don't look at the IP here, just at the user
name. If surge protection kicks in for some specific user name, that user
name will not be able to try to authenticate any more until
surge_lockout_time is over.
Note: this even covers widely distributed attacks against a user, but
you should only enable this if you are aware that the "real" user
also won't be able to authenticate while surge protection is active
(at least not using the account for that specific username).
Thus, there is some denial-of-service danger with this if the
attacker can guess or find your valid user names (which isn't too
difficult if your wiki is publicly readable).
This is bad, but technically hard to avoid.
Configuration (allowing 10 authentication attempts per hour):
surge_action_limits = {
    ...
    'auth-ip': (10, 3600),    # same remote ip (any name)
    'auth-name': (10, 3600),  # same name (any remote ip)
}
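To make the two surge-protection keys concrete, here is an added example (not moin's own implementation) of a sliding-window attempt counter with lockout, keyed by remote IP and separately by user name, using the (10, 3600) limits from the config above. The lockout duration SURGE_LOCKOUT_TIME and the injectable clock are assumptions made so the behaviour can be tested without waiting an hour; it also shows the denial-of-service side effect mentioned above, where a locked user name blocks the legitimate user from any address.

```python
import time
from collections import defaultdict, deque

# Assumed limits, mirroring the wiki config above: (max attempts, window in seconds)
SURGE_ACTION_LIMITS = {
    'auth-ip': (10, 3600),    # same remote ip (any name)
    'auth-name': (10, 3600),  # same name (any remote ip)
}
SURGE_LOCKOUT_TIME = 3600     # assumed: seconds a locked-out key stays blocked


class SurgeProtector:
    """Sliding-window attempt counter keyed by (action, key) with a lockout."""

    def __init__(self, limits=SURGE_ACTION_LIMITS, lockout_time=SURGE_LOCKOUT_TIME,
                 clock=time.time):
        self.limits = limits
        self.lockout_time = lockout_time
        self.clock = clock                   # injectable for testing
        self.attempts = defaultdict(deque)   # (action, key) -> attempt timestamps
        self.locked_until = {}               # (action, key) -> unlock timestamp

    @staticmethod
    def _prune(bucket, window, now):
        # drop attempts that fell out of the sliding window
        while bucket and bucket[0] <= now - window:
            bucket.popleft()

    def check(self, action, key):
        """Record one attempt. True if it may proceed, False if surge-protected."""
        now = self.clock()
        slot = (action, key)
        until = self.locked_until.get(slot)
        if until is not None:
            if now < until:
                return False                 # still locked out
            del self.locked_until[slot]      # lockout over, start counting afresh
        max_attempts, window = self.limits[action]
        bucket = self.attempts[slot]
        self._prune(bucket, window, now)
        bucket.append(now)
        if len(bucket) > max_attempts:
            self.locked_until[slot] = now + self.lockout_time
            bucket.clear()
            return False
        return True

    def allow_login_attempt(self, remote_ip, username):
        """Both the per-IP and the per-name limit must pass; both are recorded."""
        ip_ok = self.check('auth-ip', remote_ip)
        name_ok = self.check('auth-name', username)
        return ip_ok and name_ok
```

Note that the per-name limit is what blocks the tenth-plus attempt against "admin" from a second address, and it equally blocks the real admin until the lockout expires; that is the trade-off the text above describes.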
* backlinks performance tuning: the pagename in the theme has historically
been used to trigger a "linkto:ThisPage" search. While this is a nice
feature for human users of the wiki (esp. on category pages), it has one
big issue: as it is a normal link, stupid crawlers (ignoring "nofollow")
follow it and cause a lot of unnecessary load.

What moin shows in that "backlinks" place can now be configured in your
wiki config:

always render the backlink as in moin < 1.9.8 (bad bots causing high load!):
backlink_method = lambda cfg, req: 'backlink'

always render a simple link to same page, as in moin 2.0:
backlink_method = lambda cfg, req: 'pagelink'

logged-in users get the backlink, anon users/bots get a pagelink (default):
backlink_method = lambda cfg, req: 'backlink' if req.user.valid else 'pagelink'

logged-in users get the backlink, anon users/bots get simple text:
backlink_method = lambda cfg, req: 'backlink' if req.user.valid else 'text'
* AbandonedPages macro: check user agent to reduce load caused by bots
* RSS feed: check for bots and rather give them empty results than waste a
lot of time with them
* ldap_auth: support placeholders for basedn also, e.g. you could use:
base_dn='uid=%(username)s,ou=people,dc=company,dc=com'
* move or delete multiple attachments (see checkboxes and buttons on the
AttachFile view). Be careful: in the same way as you could delete a single
attachment with one click, you can now delete all attachments of a page
with one click (we don't ask for a 2nd confirmation, so think first).
* mailimport: use relative attachment link markup instead of absolute links,
enables some page renaming operations without needing to edit the markup.
* better caching and lookup optimizations for userprofile data:
* name, email, jid, openids -> userid lookups
* page subscriptions for notifications (as a consequence, determination of
subscribers when a page is saved is much faster now, esp. for wikis with
many users) - see also MoinMoinBugs/GetSubscribersSlow
* Notification template strings are now configurable via cfg.mail_notify_...
* page_text (this puts together the pieces for the mail body, used for all
changed / deleted / renamed page mail notifications)
* page_changed_subject, page_changed_intro
* page_deleted_subject, page_deleted_intro
* page_renamed_subject, page_renamed_intro
* att_added_subject, att_added_intro
* att_removed_subject, att_removed_intro
* user_created_subject, user_created_intro
* Best is to read HelpOnConfiguration and look at MoinMoin.config.multiconfig
to see the help text and the defaults.
* The defaults are chosen to be the same as the old hardcoded values, so the
translations keep working.
* If you overwrite the strings in your configuration moin will still try to
translate your strings, but it will only find translations if you add them
to the gettext catalogs, too.
* Examples:

a) notification mail body: you don't want the rendered diff, you don't
want to link to the diff, but to the full page view on your wiki.

original (default) value
mail_notify_page_text = '%(intro)s%(difflink)s\n\n%(comment)s%(diff)s'
put this in your wiki config
mail_notify_page_text = '%(intro)s%(pagelink)s\n\n%(comment)s'

b) notification mail subject:
original (default) value
mail_notify_page_changed_subject = '[%(sitename)s] %(trivial)sUpdate of "%(pagename)s" by %(username)s'

c) notification mail intro:
original (default) value
mail_notify_page_changed_intro = \
("Dear Wiki user,\n\n"
'You have subscribed to a wiki page or wiki category on "%(sitename)s" for change notification.\n\n'
'The "%(pagename)s" page has been changed by %(editor)s:\n')

Note: if you change "*_page_changed_*", you likely also want to change
"*_page_deleted_*" and "*_page_renamed_*", maybe even "*_att_added_*"
and "*_att_removed_*".

Fixes:
* security fix: XSS in useragents stats
* do not create empty pagedirs (with empty edit-log). To clean up all the
trash pagedirs, use moin ... maint cleanpage.
* page rename/delete, attachment add/remove email notifications work now
(somehow we had an event for this, but no code handling it)
* AttachFile do=get and do=view: send 404 status if file does not exist
* link rel="Alternate" links: rather use page.url than request.href, so
url_prefix_action gets used for the (print and raw) action URLs
* fixed wrong detection of UI language from accept-language header for not
logged-in users if the language identifier there was (partially) uppercase.
* fix Python 2.7.4/5 compatibility issue with rss_rc action using handler._out
* fix "moin import wikipage" timestamp confusion
* use 302 http status for redirect as some clients cache 301 redirects, but
the redirect might get changed or removed later (so it should not be
cached and we also can't really say it is permanent)
* fix crash when macro names contain non-ascii chars
* CopyPage action: fix NameError exception when TextCha was answered wrong
* docbook formatter: fix image URL generation, avoid script name duplication
* fix caching scope of name2id/openid2id caches (was: "wiki", now:
"userdir"). this is relevant for shared user_dir configurations.
* moin maint cleancache: cleans up openid2id cache now also
* "userdir" caching scope used for userid lookup caches (the previously used
name2id cache with "wiki" caching scope could have outdated data if you
share the user_dir between multiple wikis)
* catch "filename too long" exception if some crap URL refers to a too long
pagename that the filesystem can not represent. It is treated like a not
existing page then, so you don't get a traceback in your log file.

Other changes:
* rss_rc action (RSS feed) is now much faster / much less resource consuming
when requested for a specific single page. As we have a link to this in
every page's html output, this likely also lightens the load caused by bots
and search engine crawlers.
* tuned editlog.news() - only open/read log if there is new stuff in it after
last read position
* improve python2.5 compatibility (with_statement)
* add bingbot to ua_spiders
* upgraded bundled werkzeug to 0.8.3
* upgraded bundled passlib to 1.6.2
* upgraded bundled pygments to 1.6

1.9.7

Not secure
New features:
* passlib support - enhanced password hash security. Special thanks go to
the Python Software Foundation (PSF) for sponsoring development of this!

Docs for passlib: http://packages.python.org/passlib/

If cfg.passlib_support is True (default), we try to import passlib and set
it up using the configuration given in cfg.passlib_crypt_context (default
is to use sha512_crypt with default configuration from passlib).

The passlib docs recommend 3 hashing schemes that have good security, but
some of them have additional requirements:
sha512_crypt needs passlib >= 1.3.0, no other requirements.
pbkdf2_sha512 needs passlib >= 1.4.0, no other requirements.
bcrypt has additional binary/compiled package requirements, please refer to
the passlib docs.

cfg.password_scheme should be '{PASSLIB}' (default) to tell that passlib is
wanted for new password hash creation and also for upgrading existing
password hashes.

For the moin code as distributed in our download release archive, passlib
support should just work, as we have passlib 1.6.1 bundled with MoinMoin
as MoinMoin/support/passlib. If you use some other moin package, please
first check if you have moin AND passlib installed (and also find out the
passlib version you have installed).

If you do NOT want to use passlib (not recommended!) or can't use it (still
using Python 2.4?), you can disable it in your wiki config:

passlib_support = False     # do not import passlib
password_scheme = '{SSHA}'  # use best builtin hash (like moin < 1.9.7)

Please note that after you have used moin with passlib support and have user
profiles with passlib hashes, you can't just switch off passlib support,
because if you did, moin would not be able to log in users with passlib
password hashes. Password recovery would still work, though.

password_scheme always gives the password scheme that is wanted for new or
recomputed password hashes. The code is able to upgrade and downgrade hashes
at login time and also when setting / resetting passwords for one or all
users (via the wiki web interface or via moin account resetpw script
command).

So, if you want that everybody uses strong, passlib-created hashes,
resetting the passwords for all users is strongly recommended:
First have passlib support switched on (it is on by default), use
password_scheme = '{PASSLIB}' (also default), then reset all passwords.

Same procedure can be used to go back to weaker builtin hashes (not
recommended): First switch off passlib support, use password_scheme =
'{SSHA}', then reset all passwords.

Wiki farm admins sharing the same user_dir between multiple wikis must use
consistent password hashing / passlib configuration settings for all wikis
sharing the same user_dir. Using the builtin defaults or doing the
configuration in farmconfig.py is recommended.

Admins are advised to read the passlib docs (especially when experiencing
too slow logins or when running old passlib versions which may not have
appropriate defaults for nowadays):
http://packages.python.org/passlib/new_app_quickstart.html#choosing-a-hash
http://packages.python.org/passlib/password_hash_api.html#choosing-the-right-rounds-value
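The upgrade-at-login behaviour described above (verify against whatever scheme the stored hash uses, then rehash with the wanted scheme) is worth seeing in code. The following is an added example, not moin's or passlib's code: it uses only the standard library, with a {PBKDF2} scheme standing in for '{PASSLIB}' and the legacy {SSHA} layout of base64(sha1(password + salt) + salt) as the weaker builtin scheme. The '{PBKDF2}' tag, its '$'-separated layout and the round count are assumptions. Comparisons use hmac.compare_digest, the constant-time comparison that the 1.9.6 fixes further down also call for.

```python
import base64
import hashlib
import hmac
import os

PASSWORD_SCHEME = '{PBKDF2}'   # assumed stand-in for '{PASSLIB}': scheme wanted for new hashes
PBKDF2_ROUNDS = 100_000        # assumed cost; tune so a login stays acceptably fast


def hash_ssha(password, salt=None):
    """Legacy {SSHA}: base64(sha1(password + salt) + salt), the builtin scheme of moin < 1.9.7."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def verify_ssha(password, stored):
    raw = base64.b64decode(stored[len('{SSHA}'):])
    digest, salt = raw[:20], raw[20:]
    actual = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(actual, digest)


def hash_pbkdf2(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Assumed layout: {PBKDF2}$rounds$base64(salt)$base64(derived key)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), salt, rounds)
    return '{PBKDF2}$%d$%s$%s' % (rounds, base64.b64encode(salt).decode('ascii'),
                                   base64.b64encode(dk).decode('ascii'))


def verify_pbkdf2(password, stored):
    _tag, rounds, salt_b64, dk_b64 = stored.split('$')
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), salt, int(rounds))
    return hmac.compare_digest(dk, expected)


SCHEMES = {
    '{SSHA}': (hash_ssha, verify_ssha),
    '{PBKDF2}': (hash_pbkdf2, verify_pbkdf2),
}


def scheme_of(stored):
    """The '{TAG}' prefix of a stored hash, or '' if there is none."""
    end = stored.find('}')
    return stored[:end + 1] if stored.startswith('{') and end > 0 else ''


def create_hash(password, scheme=PASSWORD_SCHEME):
    return SCHEMES[scheme][0](password)


def check_and_upgrade(password, stored, wanted=PASSWORD_SCHEME):
    """Verify the password against the stored hash. Returns (ok, new_hash):
    new_hash is a replacement in the wanted scheme when the stored one differs
    (upgrade or downgrade), else None. The caller writes it to the user profile."""
    scheme = scheme_of(stored)
    if scheme not in SCHEMES:
        return False, None          # unknown scheme: treat as not verifiable
    if not SCHEMES[scheme][1](password, stored):
        return False, None
    if scheme != wanted:
        return True, create_hash(password, wanted)
    return True, None
```

This is why switching passlib off after hashes were created with it fails logins: with the '{PASSLIB}' verifier gone, the stored hash has an unknown scheme and nothing can verify it, exactly the "unknown scheme" branch above. The password reset path does not need to verify the old hash, which is why recovery keeps working.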

* Password mass reset/invalidation support, see docs/resetpw/.
This is useful to make sure everybody sets a new password and moin computes
the password hash using the current configuration.

* Customizable default password checker:
Moin's default password checker used and still uses min_length=6 (minimum pw
length) and min_different=4 (minimum count of different chars in the password).
If you feel that you need to require better passwords from your users, you
can customize it now like that in your wiki config:

password_checker = lambda cfg, request, name, pw: multiconfig._default_password_checker(cfg, request, name, pw, min_length=10, min_different=7)

* Removing/disabling inactive users (moin ... account inactive)
Many wikis have a lot of inactive users, that never ever made a single edit.
See help of the command for more details, be careful.
* SystemAdmin user browser: show disabled user accounts at the bottom of
the list
* At startup, announce moin version and code path in log output (makes
support and debugging easier).
* AttachList: introduced search_term parameter (optional) for listing
attachments filtered by a regular expression on their name.
* sign release archive using GnuPG with the key of twwaldmann-edv.de
ID 31A6CB60 (main key ID FAF7B393)

Fixes:
* logging: if the logging config file can't be read, give a helpful error msg
* logging: use info loglevel (not warning) for telling about using the builtin
default logging config
* moin script commands: warn if someone gave ... to the moin script, avoids a
strange and unhelpful 'empty module name' error message
* reorder html input fields in recoverpass form, to help browsers remember
the user name and password (not erroneously the recovery token and password)
* don't try to send password recovery email to user if email address in
user profile is empty
* cache action: fix 304 http status
* rst parser: fix safe_import for level param in __import__ call of docutils 0.10
* moin maint cleancache: also kill the i18n cache 'meta' pickle file
* sendmail: catch unicode errors when E-Mail addr has non-ascii chars
* redirect last visited: if last visited page is on same wiki, use a local
redirect, do not compute via interwiki map (fixes https: usage)

1.9.6

Not secure
Fixes:
* fix remote code execution vulnerability in twikidraw/anywikidraw action
* fix path traversal vulnerability in AttachFile action
* fix XSS issue, escape page name in rss link
* escape user- or admin-defined css url
* make taintfilename more secure
* use a constant time str comparison function to prevent timing attacks
* Attachment handler: catch all Zip-related errors
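The path traversal and taintfilename fixes above share one defensive idea: a user-supplied attachment name must be reduced to a single safe path component, and the resolved path must still be checked against the attachment directory afterwards. The following is an added example of that pattern, not moin's taintfilename; the ATTACHMENTS_ROOT path, the directory layout and the decision to replace non-ASCII characters with '_' are assumptions made for the example.

```python
import os
import re

ATTACHMENTS_ROOT = '/srv/wiki/data/pages'   # assumed, illustrative only

# Anything outside this conservative set is replaced; adjust if you need unicode names.
_UNSAFE_CHARS = re.compile(r'[^A-Za-z0-9._-]+')


def taint_filename(name):
    """Reduce a client-supplied name to one safe path component:
    NUL bytes, directory parts, separators of either flavour and
    leading/trailing dots ('.', '..', hidden files) are removed."""
    name = name.replace('\x00', '')
    # keep only the last path component, whatever separator the client used
    name = name.replace('\\', '/').split('/')[-1]
    name = _UNSAFE_CHARS.sub('_', name)
    name = name.strip('.')
    return name or 'attachment'


def is_inside(base, full):
    """True if the resolved path full lies within the resolved directory base.
    Uses commonpath rather than a string prefix test, so '/a/b' is not
    mistaken for being inside '/a/bb'."""
    base = os.path.realpath(base)
    full = os.path.realpath(full)
    return os.path.commonpath([base, full]) == base


def attachment_path(page_dir_name, filename, root=ATTACHMENTS_ROOT):
    """Sanitise both user-controlled components, then verify the result as a
    second line of defence; raise rather than serve or write outside root."""
    base = os.path.join(root, taint_filename(page_dir_name), 'attachments')
    full = os.path.join(base, taint_filename(filename))
    if not is_inside(base, full):
        raise ValueError('attachment path escapes the attachment directory')
    return os.path.realpath(full)
```

The realpath check on its own would already reject traversal; the point of keeping both layers is that the sanitiser also normalises odd but harmless names, while the containment check catches anything a future change to the sanitiser might let through.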

1.9.5

Not secure
Fixes:
* Security fix: fix virtual group bug in ACL evaluation.
* Avoid crash if refresh processing instruction is used without arguments.
* Fix issue with non-ASCII textchas.
* Xapian indexing: remove copy.copy() that crashed on Windows/IIS/isapi-wsgi
after page save.
* Fix dictionary file reading crash under Windows.
* Work around crash of AdvancedSearch macro rendering caused by non-ascii
mimetypes.types_map entries.
* Added migration script for moin 1.8.9.
* rss_rc: Fix diffs added in RSS with diffs=1 (now they correspond to item
listed in feed and not just last page diffs). Links generated with ddiffs=1
also fixed.
* rss_rc: fix double escaping issue.
* rss_rc: respect show_names configuration option.
* rss_rc: proper support of rename, revert, page creation.
* modern/modernized theme: fix padding/width for editor preview
* group/pagelinks formatters: avoid to create unnecessary output, redirect
output of send_page call with the groups formatter, it must not be written
to the output stream
* rst parser: fix include and macro directives
* wikisync: fix unicode pagename sending for python 2.7 httplib

New features:
* add a comment_required config option (default: False) to require a
non-empty comment when saving a page
* when a save error happens, show the editor again and highlight the error
* rss_rc: several new options added: the lines parameter sets the
maximum size of diffs shown in the RSS feed. The show_att parameter
shows information about attachment-related items in the feed. The page parameter
specifies the set of pages for which the changes RSS feed should be
generated. Configuration of defaults and limits can now be done via the wiki
configuration mechanism.
* As soon as it is now possible to provide RSS for page change history,
appropriate alternate link is now added for every page (controlled by
rss_show_page_history_link configuration parameter).
* Search: "no_highlight:" search query option provided for suppressing
highlighting search results.
* Search macros: new options for FullSearch, FullSearchCached and PageList
available:
* highlight_titles option controls highlighting of matches in search
results provided by these macros. Default value is set in
search_macro_highlight_titles configuration option)
* highlight_pages option controls adding of highlight URL parameter to
page links (so search term is highlighted when user goes to one of
these pages via provided link) in search results. Default value is set
in search_macro_highlight_pages configuration option.
Usage of these options is disabled (via search_macro_parse_args
configuration option) by default due to behavioural changes introduced
in macro parameter parsing mechanism to support them. Related to
http://moinmo.in/FeatureRequests/FullSearchResultsWithoutHighlight .

Other changes:
* Remove 4suite dependency for docbook formatter, use minidom (included in
Python).
* Upgraded FCKeditor to 2.6.8.

1.9.4

Not secure
HINT: Python >= 2.5 may now be required! See docs/REQUIREMENTS for details.

Fixes:
* Fix XSS / remove javascript URL support in rst parser (CVE-2011-1058).
* werkzeug: Removed a dummy import. Fixes Python 2.7 compatibility.
* Fix linux-to-windows edit-log migration/upgrade issue (wrong line endings)
* logfile: strip \n lineends from line data (\n is part of the file
structure, not of the data)
* Fix for MoinMoinBugs/SinglePageSlideShowAndParserMarkup.
* Simplify auto scroll initialization; fix bug in IE init discovered when
using IE7 on pages with wide tables.
* Fix timestamp in edit lock message to show the time when edit-locking ends.
* Updated wikiserverconfig.py from internal defaults, sync the one in
toplevel dir and the one in wiki/server/ - fixes hostname setting.
* SubProcess: make sure files are closed at the end (experimental change).
* text plain formatter: fix bullet_list, see number_list.
* Add some image mimetypes to MIMETYPES_MORE to fix windows issues.
* Include page name in password reset URL.
* Fix moin export dump to generate relative URLs.
* Fix MonthCalendar mouseover for pages with ampersand in page name.
* ldap_login: assign server early, it is used in exception handler.
* OpenID server preferences: fix traceback related to request method.
* Work around page.mtime_usecs() returning 0 for pages without edit-log.
* revert action: catch and display all SaveErrors when revert failed.
* Fixed bug in groups formatter which caused the last list item to be not in the group.
* Avoid strange exception in zipfile.py for pre-1980 timestamps.
* TableOfContents: fix for other markups than default wiki markup, e.g. rst
* script.account.homepage: added wiki format to homepage_default_text
* Enable webkit based browsers (try chrome/safari/konqueror now) for GUI
editing (after fixing selection FCKeditor plugin for chrome).
* Parsers: avoid crash when Parser.format() call gets inhibit_p kw arg.
* advancedsearch: fix problem with non-ascii chars breaking up words for OR
and NOT terms
* fix globaledit script to keep comments on Homepage...Template pages

New features:
* Added print mode to action.SlideShow, see
FeatureRequests/PrintableSinglePageSlideshows.
* xmlrpc: new methods xmlrpc_getProcessingInstruction(Version)
* Add support for other password hashes (all of them will get auto-upgraded
to SSHA when user logs in):
* {DES} (Unix crypt(3))
* {MD5} (MD5-based crypt())
* {APR1} (Apache .htpasswd).
* Experimental queued indexing support to work around memory leak - use it like this:
put all pages into indexer queue:
python MoinMoin/script/moin.py index build --mode=makequeue
take <count> pages out of the indexer queue and index them,
you need to repeat the following line respective to the total amount of pages
in your wiki (doing more indexer calls does no harm, doing less means an
incomplete index):
python MoinMoin/script/moin.py index build --mode=buildnewindexqueued --count=500
python MoinMoin/script/moin.py index build --mode=buildnewindexqueued --count=500
python MoinMoin/script/moin.py index build --mode=buildnewindexqueued --count=500
...
switch to new index:
python MoinMoin/script/moin.py index build --mode=usenewindex

Other changes:
* Raise exceptions as recommended in PEP 8.
* Updated i18n / underlay pages.
* Updated interwiki map.
* Use logging.traceback to get more information if a indexing filter crashes.
* U+200B is not considered a space any more in Unicode 4.0.1.
* Improve textcha security, use some crypto and timing to make cheating
harder - use cfg.textchas_expiry_time = 600 (default, seconds) to set the
time a textcha is valid.
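Both the textcha expiry above and the cfg.recovery_token_lifetime setting in 1.9.8 come down to the same construction: a token bound to a subject and an expiry time, signed so it cannot be forged or extended, and checked in constant time. The following is an added example of such a token (not moin's textcha or recovery code): the token layout base64(subject|expires).base64(hmac) and the secret-key handling are assumptions; the key is generated at import time purely so the example runs stand-alone.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time

SECRET_KEY = os.urandom(32)          # constructed; a deployment keeps this in its config
RECOVERY_TOKEN_LIFETIME = 12 * 3600  # seconds, mirrors the 12 [h] default of 1.9.8
TEXTCHAS_EXPIRY_TIME = 600           # seconds, mirrors cfg.textchas_expiry_time above


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode('ascii')


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode('ascii'))


def make_token(subject, lifetime, now=None, key=None):
    """subject: what the token is for (user name for recovery, question id for
    a textcha). The expiry is part of the signed payload, so it cannot be
    moved without invalidating the signature."""
    key = SECRET_KEY if key is None else key
    now = time.time() if now is None else now
    payload = ('%s|%d' % (subject, int(now + lifetime))).encode('utf-8')
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + '.' + _b64(sig)


def check_token(token, subject, now=None, key=None):
    """True only if the signature is valid (checked in constant time), the
    token names the expected subject, and it has not expired."""
    key = SECRET_KEY if key is None else key
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split('.')
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    try:
        tok_subject, expires = payload.decode('utf-8').rsplit('|', 1)
        expires = int(expires)
    except (UnicodeDecodeError, ValueError):
        return False
    return tok_subject == subject and now < expires


if __name__ == '__main__':
    t = make_token('alice', RECOVERY_TOKEN_LIFETIME)
    print(t, check_token(t, 'alice'))
```

Checking the signature before parsing the payload means malformed or tampered input never reaches the parsing code, and the single constant-time comparison is the only place the secret influences control flow.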
* Upgraded bundled werkzeug to 0.8.1, pygments to 1.4, flup to repo tip.

1.9.3

Not secure
Fixes:
* Fix XSS in Despam action (CVE-2010-0828).
* Fix XSS issues (see MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg):
* by escaping template name in messages
* by fixing other places that had similar issues
* Make moin compatible to werkzeug 0.5 .. 0.6.2 (1.9.2 had issues
with xmlrpc when used with werkzeug 0.6.x).
* MoinMoin.util.filesys: disable usage of dircache, deprecate dc* functions,
because the dircache stdlib module can't work correctly for fast updates of
directories.
* rss_rc and sisterpages actions: fix Content-Type header (mimetype)
* Fix associating OpenID identity with user, wasn't adapted to werkzeug yet.
* openidrp auth: fix undefined _ (gettext)
* Fix auth.cas and userprefs.oidserv request object usage.
* highlight parser: fixed MoinMoinBugs/LineNumberSpansForProcessInstructionsMissed
* Pygments syntax highlighting: add missing code files
* Notifications: use same email subject format for every notification
* Fix docbook formatter crashing, see MoinMoinPatch/IncludeMacroWithDocBookFormatter
* Fix regex content search for xapian search.
* Get rid of the empty line at the end of code highlights.
* GUI editor: compute editor height like the text editor does.
* Added help texts for: standalone server and moin migration.
* script.maint.cleancache: clean also i18n cache files
* Improved formatter.text_plain, see FeatureRequests/TextPlainFormatterRewrite
(fixes many issues of this formatter).
* text_html_text_moin_wiki: fixed index error for width="", see also:
MoinMoinBugs/GUI_convertor_list_index_out_of_range
* xmlrpc: disable editor backup for putPage, renamePage and revertPage
because if pages get uploaded by xmlrpc then the draft cache file can
rapidly increase in size, causing high memory usage because it needs to
get loaded into memory for updating/processing.
* Emit Content-Type header (with charset) for SlideShow action and many other
actions that just call send_title().
* ActionBase: better compatibility to moin 1.8, use request.values by
default, optionally use request.form data only

New features:
* RenamePage action: added ability to create redirect pages when renaming
(turned off by default, see show_rename_redirect config option).
* formatter/text_html: Added line number links to code blocks.
* diff action:
* Fixed whitespace in generated (html) diff view table so white-space: pre
can be used (and whitespace in diffs preserved).
* Added links to first/last revision.
* MoinMoin.widget.browser: introduced feature for sorting tables, see:
http://moinmo.in/FeatureRequests/SortableTables
* SystemAdmin user and attachment browsers: sorting feature used there now
* Scrolling the text editor to the double clicked line.
* Enable double-click-editing by default.
* WikiConfigHelp macro: make heading and description display optional,
heading level as a parameter (default 2)
* If edit ticket check fails, send the editor with the current content.
* moin import wikipage - use this script to import local files as a wiki page

Other changes:
* upgraded pygments from 1.2.2 to 1.3.1
* upgraded FCKeditor from 2.6.4.1 to 2.6.6
* added configuration snippet for ldap authentication against 2 servers
* improved script help output


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.