2.8 Upgrades Coming This Week and Next

Version 7, changed by ScottMcmullan. 10/27/2006.

By ScottMcmullan at 10/16/2006 10:49PM Tags: 2.8, security, releasenotes

All wikis will be upgraded to JotSpot service release 2.8 over the next week or so. This upgrade brings new wiki features, some new and updated apps, and two security-related changes that you need to understand if you do any serious JotSpot coding.

What's New?

In the new and improved department we have a bunch of features and fixes (see release notes), including:

  1. the return of WYSIWYG table editing!
  2. search and index pages that support filtering by user, recently changed, and page types
  3. a new slick-as-can-be todo list application
  4. a new email list app so you can centralize email threads in the wiki too

Security Changes You Need To Be Aware Of

The new release has two security-related changes:

  1. changes to prevent cross-site request forgery attacks (abbreviated XSF in the JotSpot docs; CSRF elsewhere)
  2. a new restriction that prevents non-admin users from editing and saving code (e.g. <jot:foo> tags) on a page, since such code runs with the page's privileges whenever anyone views it

The XSF-checking changes might prevent code that used to work from working in 2.8, particularly code that uses HTTP GET to modify pages. A state-changing request that arrives via GET is exactly what a hostile page can trigger with a link or an <img> tag, so 2.8 no longer honours it; page modifications must be submitted with POST (and from a form the wiki has prepared, which is why the CustomTheme27 fixes below touch the main edit form and the security library).

If something stops working after the 2.8 upgrade, you may need to update your code. We have posted a general 2.8 security FAQ as well as a detailed description of XSF-related changes to help you understand how you might be affected and how to modify your code if needed.

If you have any questions or issues about these security changes, please email support@jot.com for assistance.

Upgrade Update: Friday 10/27

Custom Theme Issues:

We've identified a fix to the permissions issue for CustomTheme27 users running on 2.8. (See the 10/23 update below for a description of the problem.)

In the theme's edit.xml there's a <form> tag under <body> that needs the following id added: id="jot-mainForm". (Edit using: /System/Themes/CustomTheme27/edit?edit=1&editStyle=xml, and ignore the fact that you'll see errors when you view the page.)

So the <form> tag should look like:

...
<body class="jot-edit">
  <jot:extension declare="bodyStart" />
  <div id="jot-canvas">
    <jot:include href="top" />
    <form method="post" action="wiki:\\${page/path}" class="editMode" id="jot-mainForm">
...

Upgrade Update: Wednesday 10/25

Custom Theme Issues:

We've identified a couple of fixes for CustomTheme27 users now running on 2.8. They address issue 1 (clicking "Install Package" gives an "addXTokenToForm" error) and issue 3 (_Admin, AboutJotSpot and other pages display i18n information) from my 10/23 update below.

In vars.xml, change the getPageTitle() function to the following. (Edit using: /System/Themes/CustomTheme27/vars?edit=1&editStyle=xml)

 function getPageTitle(page) {
   if (typeof page == "string") {
     page = jot.pages[page];
     if (typeof page == "undefined") {
       return;
     }
   }
   var title = page["blogpost/title"] || page["project/name"] ||
               page["main/title"] || page["title"] || page["name"];
   if (title.indexOf("\\\\${L/") != -1) {
       //strip the xpath stuff to get the translation key, then trim
       var key = title.replace(/\$|{L\/|}/g,"").replace(/^\s+|\s+$/g,"");
       title = jot.lib.locale.getString(key);
   }
   return title;
 }

In header.xml, add this reference at the top (underneath the reference to header-minimal). (Edit using: /System/Themes/CustomTheme27/header?edit=1&editStyle=xml)

<jot:include href="wiki:/Lib/Security" />

Upgrade Update: Monday 10/23

Almost all hosted wikis have been updated to 2.8. Here are the issues we've seen thus far. (To check your wiki's version, see "About this Wiki" in the footer menu, or go to /System/Pages/AboutJotSpot.)

Custom Theme Issues:

Issues seen in 2.8 wikis running 2.7 custom themes. We don't have fixes for these right now, other than 1) reverting to the standard theme (as admin, click "Other Settings" -> "Switch Themes") or 2) working around these issues by overriding a page's theme with the &theme=/System/Themes/Jot/ query string parameter.

1. Clicking "Install Package" from the "Manage Packages" page gives "addXTokenToForm" error (see workaround above)
2. UI to set page permissions doesn't work (see workaround above)
3. _Admin, AboutJotSpot, Index, Recent Changes pages display a line of information used in i18n implementation
4. Index and Recent Changes pages do not contain same user interface as version 2.8. (Some wikis seeing Index pages with "'SharedRoot' is not defined" errors.)
5. Calendar application: month view and upcoming tabs overlap

General Issues:

1. Client-side JavaScript embedded in pages no longer requires escape characters to be doubled: use a single backslash where 2.7 needed two.

Before:

var startCopy = xml.indexOf("id=\\"jot-page\\">") ;

With 2.8:

var startCopy = xml.indexOf("id=\"jot-page\">") ;

2. Installing 2.8 blog app from the gallery into a 2.7 wiki hides posts for blogs that were not under /Blog page. (I.e. all blogs that were created by applying the blog form directly to a page in the wiki.) Please contact support@jot.com for a script to fix this.


Comments (7)

chrislouvion said, 10/18/2006:

Will updates to 2.8 (over the next week or so) be only for hosted?
What about jotboxes? What ETA can we get there? Will that be a download we can install on our own server, or will it require support from you guys?
(we're on 2.6.5)
C

ScottMcmullan said, 10/18/2006:

Yes, this is for hosted wikis. Jotboxes will be coordinated on a different schedule.

ScottMcmullan said, 10/18/2006:

An example of a required change for 2.8 is the Email page change plugin code.

It used to use HTTP GET like so:

...
...
	dojo.io.bind({ 
		url: dojo.uri.joinPath(djConfig.wikiRootPath, "/_/cmd/saveForm"), 
		method: "get",
...
...

I had to change these calls to use POST to get it to work in 2.8:

	dojo.io.bind({ 
		url: dojo.uri.joinPath(djConfig.wikiRootPath, "/_/cmd/saveForm"), 
		method: "post",

kevin said, 10/18/2006:

Just a note, in version 2.8, Jot has fixed a "bug" where Client Side Javascript esc characters were preceded by two back slashes. Now we can go back to one backslash. Any double backslash will need to be fixed...

JimHaljun said, 10/20/2006:

We want to give users a heads up that we noticed a few minor cosmetic issues with using a 2.7 Custom Theme on a version 2.8 wiki. Here is a partial inventory:

  • _Admin page displays a line of information used in i18n implementation
  • Index and Recent Changes pages do not contain same user interface as version 2.8
  • Calendar application: month view and upcoming tabs overlap

This is a good time to remind everyone that if you use a custom theme it is your responsibility to maintain compatibility with our deployed releases. With that disclaimer out of the way, JotSpot is working to catalog all issues and migrate 2.7 Custom Themes to version 2.8.

dweekes said, 10/27/2006:

When I attempt to edit with /System/Themes/CustomTheme27/header?edit=1&editStyle=xml, I get the following error:

An error occurred
Subscribe to changes
Error: You have specified a parent page that does not exist.

Additional information: can't find parent: /System/Themes/CustomTheme27?

HJS1685 said, 11/06/2006:

Since the upgrade, any articles added to any knowledge base are completely unseen in the List of all Wiki pages, in the Wiki search in the top right corner of the screen, and in the All Changes log. It's like they have become invisible. The only place they can be seen is from within the knowledge base itself, which makes it very difficult.

Also, since the upgrade, when I go to group management for users, rather than seeing a nice list of users with click buttons next to them to include / exclude, no matter what format I edit in, each user name must be added in the format " | a/u/s/e/r/n/a/m/e@location.com | ", which is confusing most of my users horribly.

Any ideas on what I can do to fix either of the above... the first is the most worrying, but the second is not ideal either!
