Safety vulnerability ID: 36447
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code.
Latest version: 1.9.11
MoinMoin 1.9.11 is an easy to use, full-featured and extensible wiki software package
SECURITY HINT: make sure you have allow_xslt = False (or just do not use
allow_xslt at all in your wiki configs, False is the internal default).
Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
HINT: Python 2.7 is required! See docs/REQUIREMENTS for details.
HINT: please read the changelog below carefully before upgrading to 1.9.10.
This release has some fundamental changes you (and your wiki users)
should be aware of beforehand.
Fixes:
* security fix for CVE-2017-5934, XSS in GUI editor related code
* fix wrong digestmod of hmac.new calls (incorporate 1.9.9 patch)
* fix broken table attribute processing (wikiutil.escape)
* fix AttributeError in multifile action
* read text attachments using universal newlines (including \r line seps)
* anywikidraw / twikidraw: check write permissions early
* fix exec_cmd for windows: preexec_fn is UNIX only
New features:
* added a convenient way to create a user account via the superuser's
"Settings" -> "Switch User" form:
just type in the new user's name there, switch to the account and
fill out the email address. You do not need to set a password; the
account will not be usable until the user claims it via the "forgot
my password" functionality on the login page (and sets a password).
* you now can also type in an existing user's name there to switch to the
account, instead of selecting it (convenient if you have many users).
* newaccount action by default only available for superusers.
This is to avoid spam bots creating huge amounts of crap accounts on
internet connected wikis.
This is done via a new cfg.actions_superuser = ['newaccount', ] default.
If you prefer to have newaccount action available for every visitor (not
advisable for internet connected wikis), use this in your wiki config:
actions_superuser = FarmConfig.actions_superuser[:]
actions_superuser.remove('newaccount')
For internet connected wikis, a safer way is to let potential new users
ask for an account. Everyone in the superuser list can easily create a new
account (wiki username and email address needed). If you run a public
MoinMoin wiki on the internet, document the way to get an account on
your front page.
* support tel: urls
Other changes:
* safer internal default ACL: Known and All now only have read permissions.
This is to avoid accidentally giving r/w permissions to the world
when running a wiki on the internet.
Considering there are lots of spam bots out there that can create a ton
of spam pages in little time, we advise you to keep the safer default for
internet connected wikis and only allow specific users / groups read/write
access.
See also the updated sample configs / the HelpOnAccessControlLists help
page.
* disable the gui editor / enforce the text editor by default
fckeditor 2.6.11 as we bundle it (latest available version, but years
old) may meanwhile have security issues, as it is not maintained any
more.
Also, there have always been major issues with MoinMoin's integration of
that "gui editor" (as our documentation has pointed out for a long time).
If you nevertheless want to give wiki users the choice of the gui editor,
you can re-enable it in your wiki config:
editor_force = False
editor_ui = 'freechoice'
* change log_reverse_dns_lookups default to False.
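The security hint at the top of these notes (allow_xslt), the newaccount / actions_superuser change, the read-only default ACL for Known and All, and the disabled gui editor all come down to a handful of wikiconfig settings. The following audit script is an added example, not MoinMoin code: it takes a config object with the real 1.9.x attribute names (allow_xslt, actions_superuser, acl_rights_default, editor_force, editor_ui, log_reverse_dns_lookups) and reports the weak settings these release notes warn about. The defaults it assumes for missing attributes are the ones stated above; the ACL string syntax ("Entity:right,right", whitespace separated, optional +/- prefix) is assumed to be the 1.9 form, and both sample configs are constructed for the demo. It runs on Python 2.7 (which MoinMoin 1.9 requires) as well as Python 3.

```python
"""Audit a MoinMoin 1.9.x wiki config object for the hardening points in the
1.9.10 release notes.  Example code added here, not part of MoinMoin; the
attribute names are the real wikiconfig settings, the defaults and the
sample configs are constructed for this demo (assumption)."""

# Rights the release notes say anonymous (All) and logged-in (Known) users
# should not get by default on an internet-facing wiki.
WRITE_RIGHTS = {"write", "delete", "revert", "admin"}
WORLD_ENTITIES = {"All", "Known"}


class Cfg(object):
    """Minimal stand-in for a wikiconfig Config class: attributes only."""
    def __init__(self, **settings):
        self.__dict__.update(settings)


def parse_acl(acl_string):
    """Parse an ACL string such as 'Known:read,write All:read' into a list of
    (entity, set_of_rights) pairs.  Entries are whitespace separated, several
    entities may share one entry ('A,B:read'); a leading '+' is a plain
    grant, a leading '-' is an explicit denial and is skipped (it cannot
    widen access)."""
    grants = []
    for entry in acl_string.split():
        if entry.startswith("-"):
            continue
        entry = entry.lstrip("+")
        if ":" not in entry:
            continue                      # malformed entry, ignored
        entities, rights = entry.split(":", 1)
        right_set = set(r for r in rights.split(",") if r)
        for entity in entities.split(","):
            if entity:
                grants.append((entity, right_set))
    return grants


def audit_config(cfg):
    """Return a list of (severity, message) findings.  Missing attributes fall
    back to the 1.9.10 defaults named in the release notes: allow_xslt False,
    actions_superuser ['newaccount'], editor_force True,
    log_reverse_dns_lookups False.  No acl_rights_default means no ACL check."""
    findings = []

    if getattr(cfg, "allow_xslt", False):
        findings.append(("high", "allow_xslt is enabled: XSLT/4suite "
                         "processing is unsafe, set allow_xslt = False"))

    if "newaccount" not in getattr(cfg, "actions_superuser", ["newaccount"]):
        findings.append(("medium", "newaccount action is open to every "
                         "visitor: spam bots can mass-create accounts"))

    acl = getattr(cfg, "acl_rights_default", None)
    if acl is not None:
        for entity, rights in parse_acl(acl):
            widened = sorted(rights & WRITE_RIGHTS)
            if entity in WORLD_ENTITIES and widened:
                findings.append(("high", "acl_rights_default grants %s to "
                                 "%s; restrict world/known users to read"
                                 % (",".join(widened), entity)))

    if not getattr(cfg, "editor_force", True):
        findings.append(("medium", "editor_force is False: the unmaintained "
                         "bundled fckeditor gui editor can be selected"))

    if getattr(cfg, "log_reverse_dns_lookups", False):
        findings.append(("info", "log_reverse_dns_lookups is True; 1.9.10 "
                         "defaults this to False"))
    return findings


# Constructed sample configs (stand-ins for a wikiconfig.py Config class).
WEAK_CONFIG = Cfg(
    allow_xslt=True,
    actions_superuser=[],                 # newaccount removed for everyone
    acl_rights_default="Trusted:read,write,delete,revert "
                       "Known:read,write All:read,write",
    editor_force=False,
    editor_ui="freechoice",
    log_reverse_dns_lookups=True,
)

HARDENED_CONFIG = Cfg(
    allow_xslt=False,
    actions_superuser=["newaccount"],
    acl_rights_default="Trusted:read,write,delete,revert Known:read All:read",
    editor_force=True,
    editor_ui="theonepref",
    log_reverse_dns_lookups=False,
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print("%s config: %d finding(s)" % (name, len(result)))
        for severity, message in result:
            print("  [%s] %s" % (severity, message))
```

To use it against a real wiki, import the Config class from your wikiconfig.py and pass an instance to audit_config(); the weak sample above yields six findings (two of them the Known/All write grants), the hardened one none.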
* update / upgrade bundled software:
  * upgrade werkzeug to 0.14.1
  * upgrade passlib to 1.7.1
  * upgrade parsedatetime to 2.4
* moved MoinMoin 1.9.x development to GitHub:
https://github.com/moinwiki/moin-1.9/
* update mailing list address and download URL in pypi metadata
* enabled Travis CI to run the unit tests for PRs / branches
* fixed some stuff found by PyCharm Code Inspection
* make build reproducible