Hey there everyone! It's another release :D This is an unusual one in many respects - for one there hasn't been a beta release (the least time this happened for a major release was waaay back in v0.9 in 2015). There's a reason for that - in issue #222 someone has unethically reported a security issue with Pepperminty Wiki by not privately disclosing it, and instead publishing it publicly on the internet (exhibits a, b).
Of these 2, the one that involves the first-run action is not of concern, since it requires the site secret to pull off and even then that can only be executed once. If you're worried about that, you've got other issues - you could achieve the same effect simply uploading a static HTML file to your web server or changing multiple different settings in peppermint.json which by design take arbitrary HTML!
The other vulnerability uncovered a bunch of places in which potentially unsafe user input was sent to the user improperly encoded - potentially allowing someone to insert arbitrary HTML (and hence scripts) where they shouldn't. This release fixes that.
Despite this rushed release, there are a number of awesome additions in this release too:
- 📄 Experimental support for transparent handling of
[display text](./Page Name.md)style internal links (disabled by default: enable theparser_mangle_external_linkssetting and delete the._cachedirectory to enable) - 🗺 XML sitemap support (manual setup required via an edit to your
robots.txt) - 💡 Automatic system requirements indicator to first run (doesn't block you from proceeding, but helps you make sure you meet Pepperminty Wiki's system requirements)
- 🪲 Many bugs squashed!
- ⏫ Fixed compatibility issues with PHP 8.0
So all in all this release should be a good incremental improvement over v0.22. If I spot any new show stoppers, I'll make a quick hotfix release to squash them.
Have you updated to this release? Click this link to say hi!
This release also has an experimental GPG and SHA256 hashes file attached. My GPG key is C2F7843F9ADF9FEE264ACB9CC1C6C0BB001E1725 - please open an issue if you encounter any issues 🙂
Updating
You can update to this release simply by grabbing an updated copy of index.php and replacing the version in your current wiki (don't forget to take backups! I make every effort to squash as many bugs as possible, but you can never be too certain). You can get an updated copy of index.php in a number of ways:
- By downloading the
index.phpfile attached to this release - Using the online downloader (always has the latest stable version)
- Using the online downloader offline
- Building your own from source
For more information on the last 2 methods, please see the documentation for more information.
For those who want to contribute financially as a thank you, I've recently setup a Liberapay to accept donations. It's certainly not required, but would definitely help me out :-) If you want to contribute but Liberapay isn't for you, please let me know (e.g. open an issue, see my website for more contact options)
Since v0.22
Added
- Added HTTP API support for creating pages that don't yet have a name (#194)
- This allows for having a "create new page" button in your navigation links - e.g. edit
nav_links,nav_links_extra, ornav_links_bottomin yourpeppermint.jsonand add something like[ "+", "index.php?action=edit&unknownpagename=yes" ].
- This allows for having a "create new page" button in your navigation links - e.g. edit
- XML sitemap support with the new
page-sitemapmodule (manual setup required for crawlers to notice it: see the documentation) - Experimental support for transparent handling of
[display text](./Page Name.md)style internal links (disabled by default: enable theparser_mangle_external_linkssetting and delete the._cachedirectory to enable) - Added automatic system requirements indicator to first run (checks for various PHP extensions required for various different functions) - does not block you from proceeding, but does assist in first-time system configuration
Changed
- Updated the configuration guide to include count of how many settings we have
- Also send a
x-robots-tag: noindex, nofollowHTTP header for the login page (Semrush Bot, you better obey this one) - Support
pageas either a GET parameter or a POST parameter (GET takes precedence over POST) - Preview generation: If php-imagick is not installed but required for a particular operation, return a proper error message
- File upload: If fileinfo is not installed, return a proper error message when someone attempts to upload a file
- Add
image/avif(AVIF image),image/jxl(JPEG XL image), andimage/heif/image/heictoupload_allowed_file_types(you'll need to delete your entry inpeppermint.jsonto get the new updated list)- Also added these and
flac(which was already allowed as an upload by default) to the data size calculator on?action=help&dev=yes
- Also added these and
Fixed
- [security] Fixed some potential XSS attacks in the page editor
- [security] Fix stored XSS attack in the wiki name via the first run wizard CVE-2021-38600; low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once
- [security] Fix reflected XSS attacks (arbitrary code execution in the user's browser) via the many different GET parameters in many different modules
- [security] Automatically run page titles through
htmlentities() - Fixed a weird bug in the
stats-updateaction causing warnings - search: Properly apply weightings of matches in page titles and tags
- Improved error handling on first run where the PHP Zip extension is not installed
- Also extract to
._extra_dataif the directory is empty - Add
sidebar_showto the settings GUI and the configuration guide - Fix crash when using the search bar with PHP 8.0+
- Prefix the default value of the
logo_urlsetting withhttps: - Fix display of subpages in the sidebar, and also wrap subpage lists in a
<details />element to allow collapsing them - Fix file upload error handling logic - a proper error page is now sent to the client
- Create theme gallery help section instead of overwriting the one entitled "Jumping to a random page".
- Fix broken character in recent changes log entry when moving pages