SPIP commits


Posts tagged with "2.0"

Security vulnerabilities found in SPIP version 1.9.2, SPIP 2.0 and SPIP 2.1


Hello,

The flaw in version 1.9.2 is major (SQL injection): if you run SPIP 1.9.2, we strongly recommend updating to version 1.9.2.k.

On versions 2.0 and 2.1, the impact on the site is less severe (full path disclosure), but we recommend updating to 2.0.16 and 2.1.11.

In any case you can always protect your site quickly (until it is fully updated) by downloading the security screen version 1.0.5 (July 26, 2011) and dropping it into your config directory (see http://www.spip.net/en_article4201.html).

Feel free to use the various resources available to the community (http://boussole.spip.org) for assistance during this update, in particular:
- Spip-user list http://listes.rezo.net/mailman/listinfo/spip
- English Spip-user list http://listes.rezo.net/mailman/listinfo/spip-en
- Forum http://forum.spip.org/
- IRC http://spip.net/irc


Warning:
-----------------------

Note that when version 3.0 is released, support for the 1.9.2 branch will be dropped.


How to update?
-----------------------

1. spip_loader.php:
If you have already installed spip_loader, go to the address
http://YOUR_SITE_URL/spip_loader.php to install SPIP 2.1.11

2. by copying the files:
SPIP 2.1.11 is available at http://files.spip.org/spip/stable/spip.zip
SPIP 2.0.16 is available at http://files.spip.org/spip/archives/SPIP-v2-0-16.zip
SPIP 1.9.2k is available at http://files.spip.org/spip/archives/SPIP-v1-9-2k.zip

3. SVN:
If you are on the 2.1 branch, just run
svn up svn://trac.rezo.net/spip/branches/spip-2.1
Version 2.1.11 is also available in the stable branch:
svn://trac.rezo.net/spip/branches/spip-2-stable/
and under the tag
svn://trac.rezo.net/spip/tags/spip-2.1.11/

Post Scriptum:
-----------------------

We remind everyone that the best way to report vulnerabilities or suspected vulnerabilities is to send an email to spip-team@rezo.net. This is what Lawrence Esthieux (TEHTRI-Security) did, and we thank him.

source: http://www.spip-contrib.net


! Important security patch for SPIP : please upgrade your version or install the security screen


Hello,

the SPIP team (thank you again Arnault) has discovered a security hole in SPIP that allows cross-site scripting (XSS) injection.

The bug dates back more than five years (it was introduced on October 8, 2005), so it is clear that ALL versions of SPIP are affected.

To secure your site, simply update the file 404.html (and for some templates 401.html), located in the directory:
dist/ in SPIP version 1.9
squelettes-dist/ in SPIP version 2.0 or 2.1
extensions/dist_2007/ in the dev version
and also in your own templates (e.g. zpip)

If you have customized this template, the fix is simply to remove the star and the filter, turning the expression
#ENV*{erreur}|propre
into #ENV{erreur}.

We remind everyone that the best way to inform us of vulnerabilities is to send an email to spip-team@rezo.net.

Feel free to use the following means available to get help with this migration:
spip-user list: http://listes.rezo.net/mailman/listinfo/spip
The English list: http://listes.rezo.net/mailman/listinfo/spip-en
Forum: http://forum.spip.org/
irc: http://spip.net/irc


How to upgrade?

As usual, there are several ways to update:

1. security screen: if you do not have time to do a full update now, you can secure your site in two minutes by downloading version 1.0.1 of the security screen and copying it into config/
cf. http://www.spip.net/en_article4201.html

2. by spip_loader.php: if you have installed spip_loader, go to the address http://YOUR_WEBSITE_URL/spip_loader.php to install SPIP 2.1.9

3. FTP: SPIP 2.1.9 is available at http://files.spip.org/spip/stable/

4. and of course by SVN: just run svn up

in the 2.1 branch: svn://trac.rezo.net/spip/branches/spip-2.1
in the stable branch: svn://trac.rezo.net/spip/branches/spip-2-stable/
on the tag: svn://trac.rezo.net/spip/tags/spip-2.1.9/

For older versions, we did a zip for 1.9.2j and 2.0.14 that can be found on http://files.spip.org/spip/archives/


-- news freely translated from the official announcement --

LOGO_DOCUMENT : How to use it with SPIP 2.1


Changes between 2.0 and 2.1

  until SPIP 2.0                                     in SPIP 2.1 and after
  [(#LOGO_DOCUMENT|#URL_DOCUMENT)]                   #LOGO_DOCUMENT{#URL_DOCUMENT}
  [(#LOGO_DOCUMENT|fichier)]                         #LOGO_DOCUMENT**
  [(#LOGO_DOCUMENT|lien)]                            #LOGO_DOCUMENT*
  [(#LOGO_DOCUMENT|left)]                            #LOGO_DOCUMENT{left}
  [(#LOGO_DOCUMENT||image_reduire{80,60})]           #LOGO_DOCUMENT{80,60}
  [(#LOGO_RUBRIQUE||texte_script)]                   #LOGO_RUBRIQUE{texte_script}
  [(#LOGO_DOCUMENT|left|image_reduire{80,60})]       #LOGO_DOCUMENT{left,80,60}
  [(#LOGO_DOCUMENT{80,60}|left)]                     #LOGO_DOCUMENT{80,60,left}
  • #LOGO_DOCUMENT** : the picture file name (e.g. doc123.jpg)
  • #LOGO_DOCUMENT* : the relative URL of the picture file (e.g. IMG/doc123.jpg)
  • #LOGO_DOCUMENT{left} : 'left' isn't a standard filter. It only modifies the position of the logo in the generated HTML code. It can be 'left', 'right', 'top' or 'bottom', and they can be combined (e.g. #LOGO_DOCUMENT{top,left}).
  • #LOGO_RUBRIQUE{texte_script} : with this new form, double pipes are not necessary for a standard filter.
  • #LOGO_DOCUMENT{left,80,60,texte_script} : arguments can be combined and the order doesn't matter, with one exception: the first number is the width of the generated picture, the second number its height. If there is only one number, this follows the behaviour of 'image_reduire': the height and width of the picture are both kept below that number.
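The argument rules listed above (positions, width then height, a lone number bounding both, anything else a filter) can be written down as a small classifier. This is an added PHP example, not SPIP's own compiler; it ignores link arguments such as #URL_DOCUMENT, and the sample argument strings are constructed from the table above.

```php
<?php
// Added example, not SPIP's compiler: interpret the argument list of the
// 2.1 form #LOGO_DOCUMENT{...} according to the rules listed above.
// Positions are left/right/top/bottom, the first number is the width,
// the second the height, a lone number bounds both dimensions, and any
// other word is treated as a standard filter name (like texte_script).

function parse_logo_arguments(string $args): array
{
    $positions = [];
    $numbers = [];
    $filters = [];
    foreach (array_map('trim', explode(',', $args)) as $arg) {
        if ($arg === '') {
            continue;
        }
        if (in_array($arg, ['left', 'right', 'top', 'bottom'], true)) {
            $positions[] = $arg;          // e.g. {top,left}
        } elseif (ctype_digit($arg)) {
            $numbers[] = (int) $arg;      // order matters only among the numbers
        } else {
            $filters[] = $arg;            // standard filter, no double pipe needed
        }
    }

    $width = $height = null;
    if (count($numbers) === 1) {
        // Like image_reduire{n}: both dimensions stay within n
        $width = $height = $numbers[0];
    } elseif (count($numbers) >= 2) {
        [$width, $height] = $numbers;     // first number = width, second = height
    }

    return [
        'width'     => $width,
        'height'    => $height,
        'positions' => $positions,
        'filters'   => $filters,
    ];
}

// Constructed checks mirroring the forms shown in the table above.
$r = parse_logo_arguments('left,80,60,texte_script');
assert($r['width'] === 80 && $r['height'] === 60);
assert($r['positions'] === ['left'] && $r['filters'] === ['texte_script']);

$r = parse_logo_arguments('80,60,left');
assert($r['width'] === 80 && $r['height'] === 60 && $r['positions'] === ['left']);

$r = parse_logo_arguments('top, left');
assert($r['width'] === null && $r['positions'] === ['top', 'left']);

$r = parse_logo_arguments('120');
assert($r['width'] === 120 && $r['height'] === 120 && $r['filters'] === []);
```

The point of separating the three kinds of argument is that only the numbers are order-sensitive, which is exactly the exception the list above calls out: {80,60,left} and {left,80,60} parse to the same result.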

[13993] several arguments in #INCLURE or #MODELE


#INCLURE and #MODELE accept several parameters: the syntax used for this was #INCLURE(a){b}{c}. This syntax was introduced in SPIP 1.9.1. We can also read in the official documentation:


Models are not restricted to shortcuts within the text of articles. They can also be called from within a template by using the tag #MODELE{model} or [(#MODELE{model}{p1=thing,p2=whatsit}{p3=etc}|filter...)]. But this is less new, because it is equivalent to a (static) inclusion of another template (already made possible by the tag #INCLURE).

However it was quite buggy and not really homogeneous. For example, a few abnormal differences were found between #MODELE{my_model, ..} and #INCLURE(fond=modeles/my_model){..}. Now, the forms with parentheses and/or several brace-delimited blocks are considered deprecated: you should write #INCLURE{a,b,c} and #MODELE{a,b,c} instead. The old syntax is still accepted. Ex.:
#INCLURE(fond=inc-header){type=test}{env}
#INCLURE{fond=inc-header, type=test, env}
#MODELE{img,lien=article5,class=logo,align=left,lien_class=important}
You can also calculate these parameters with other static content (like tags, #MODELE and #INCLURE) :
#INCLURE{fond=inc-[(#ENV{skel}|secu)]}
#MODELE{img,lien=article5,class=logo_#LANG_LEFT,align=#LANG_LEFT}
Parentheses, brackets and filters can also be used to display elements only where #INCLURE returns content. Ex.:
[Latest articles in the feed #FEED_TITLE : 
  <ul>
  (#INCLURE{fond=rss-read, url=#FEED_URL, date=#DATE}|extract_post_titles)
  </ul>
]
Edit : The first argument of an #INCLURE can be computed. The common syntax requires parentheses around filtered expressions, but for compatibility reasons the following simplified syntax is accepted:
[(#INCLURE{#CHEMIN{spip_style.css}|url_absolue_css}|compacte_css)]


Creating custom tags for SPIP


On its blog, Thomas Sutton describes how to create your own static SPIP tags.

The SPIP template language has two constructions: loops (which determine the objects to be “output”) and tags (which actually output particular values). The reasonably simple syntax of tags — most look like ”#THE_TAG” — belies their power and flexibility and the ease with which we can use them to extend SPIP with additional features and integrate it with other PHP-based packages.

His post is really well documented. I love the way Thomas precisely explains how all this stuff really works!

So I advise you to read the complete post on his website: http://passingcuriosity.com.

The latest filters and pipelines for programmers


The SPIP team is really active and improves it regularly.
Here is a list of new functions that can help you develop plugins:

supprimer_objets_lies ( array($type, $id) ) :
Type : pipeline
Removes plugin objects linked to core objects (called when those core objects are deleted)

// http://doc.spip.org/@action_editer_message_post_supprimer
function action_editer_message_post_supprimer($id_message) {
        sql_delete("spip_messages", "id_message=".sql_quote($id_message));
        sql_delete("spip_auteurs_messages", "id_message=".sql_quote($id_message));
        pipeline('supprimer_objets_lies',array(
                array('type'=>'message','id'=>$id_message)
        ));
}
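The function above is the core side: it deletes the message and then hands the pipeline an array of (type, id) pairs. The plugin side, an added example that is neither SPIP's nor any published plugin's code, is a pipeline callback that removes its own rows pointing at the deleted object so that no dangling reference survives. The plugin prefix "monplugin", its table spip_monplugin_liens, the column names and the constructed input are assumptions for the example; the stand-in sql_quote/sql_delete exist only so the file runs outside SPIP.

```php
<?php
// Added example, not code from SPIP or from any published plugin.
// Plugin side of the supprimer_objets_lies pipeline: when the core deletes
// a message, article, ..., the plugin removes the rows of its own link
// table that point at that object. Prefix "monplugin" and the table
// spip_monplugin_liens are assumptions for the example.

if (!function_exists('sql_quote')) {
    // Minimal stand-ins so the file runs outside SPIP; inside SPIP the
    // real functions from ecrire/base/abstract_sql.php are used instead.
    function sql_quote($v) { return "'" . addslashes((string) $v) . "'"; }
    function sql_delete($table, $where) {
        $GLOBALS['deleted'][] = "DELETE FROM $table WHERE $where";
        return true;
    }
}

// Core object types this plugin keeps links to, with the column holding the id.
function monplugin_types_lies(): array
{
    return ['message' => 'id_message', 'article' => 'id_article'];
}

/**
 * Pipeline callback. $flux is the array passed by the core, one entry per
 * deleted object: array('type' => 'message', 'id' => 12).
 * A pipeline function must return its $flux so later plugins still receive it.
 */
function monplugin_supprimer_objets_lies($flux)
{
    $types = monplugin_types_lies();
    foreach ($flux as $objet) {
        if (!isset($objet['type'], $objet['id'])) {
            continue;
        }
        $id = intval($objet['id']);
        if ($id <= 0 || !isset($types[$objet['type']])) {
            continue;                  // not one of our types, or an invalid id
        }
        $col = $types[$objet['type']];
        // Quote even after intval, following the convention of the core code above.
        sql_delete('spip_monplugin_liens', "$col=" . sql_quote($id));
    }
    return $flux;
}

// Stand-alone check with constructed input (inside SPIP the core calls pipeline()).
$GLOBALS['deleted'] = [];
monplugin_supprimer_objets_lies([
    ['type' => 'message',  'id' => 12],
    ['type' => 'rubrique', 'id' => 3],     // ignored: no link column for this type
    ['type' => 'article',  'id' => 'abc'], // ignored: not a valid id
]);
assert($GLOBALS['deleted'] === ["DELETE FROM spip_monplugin_liens WHERE id_message='12'"]);
```

For the callback to be invoked, the plugin's plugin.xml has to declare the pipeline (a <pipeline> element with <nom>supprimer_objets_lies</nom> and the <inclure> file that defines the function). Filtering on the object type and rejecting non-positive ids keeps the callback from issuing deletes for objects it does not own or for malformed entries forwarded by another plugin.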


optimiser_sansref ($table, $id, $sel) :
This pipeline is called in genie/optimiser.php
It completes the removal of orphan objects
(dead links between tables resulting from the deletion of articles, authors, etc.)

example :
/**
 * Optimizes the database by removing orphan forums
 *
 * @param int $n
 * @return int
 */
function forum_optimiser_base_disparus ($n){
    # detect forums that are linked to an id_rubrique that doesn't exist anymore
    $res = sql_select("forum.id_forum AS id",
                      "spip_forum AS forum
                       LEFT JOIN spip_rubriques AS rubriques
                         ON forum.id_rubrique=rubriques.id_rubrique",
                      "rubriques.id_rubrique IS NULL
                       AND forum.id_rubrique>0");

    # optimiser_sansref deletes the selected rows and returns how many were removed
    $n += optimiser_sansref('spip_forum', 'id_forum', $res);

    // ... (other orphan checks, elided in the original)

    return $n;
}



filtre_lien_ou_expose ($url, $text, $on=false, $class="", $title="", $rel="") :
This filter creates a link or, when the condition holds, a tag <strong class='on'>
note : class, title and rel are optional
usage : [(#URL|lien_ou_expose{texte,condition_selection_on,class,title,rel})]
example : [(#GET{self}|parametre_url{type,public}|lien_ou_expose{<:onglet_messages_publics:>,#ENV{type,public}|=={public}})]


filtre_balise_img ($img, $alt="", $class="") :
This filter creates an <img> tag
usage : [(#CHEMIN{monimage.png}|balise_img)]
(the opposite of filtre_fichier())


filtre_icone ($link, $text, $template_name, $align="", $function="", $class="") :
This filter is a shortcut for creating icons in the templates of the private area
usage : [(#URL|icone{text,template_name,align,function,class})]

test_plugin_actif ('prefix_of_the_plugin') :
This function tests if a plugin is activated and returns a boolean.

Top 20 most used SPIP plugins (and a few more)


This is not fresh news, but I've just read a mail that Pat sent to SPIP-ZONE.

It gives the complete record of the most used plugins at the beginning of October.
It was calculated from the websites declared on spip.net and some other sites.

Thanks Pat for your work!

So, ladies and gentlemen, the top 20 most used plugins are :
- cfg (821)
- thickbox1 (735)
- couteau_suisse (731)
- barretypoenrichie (633)
- forms (624)
- spiplistes (503)
- crayons (501)
- wcalendar (474)
- agenda (473)
- player (453)
- sitemap (443)
- accesrestreint (360)
- rechercheetendue (281)
- corbeille (261)
- typoenluminee (252)
- article_pdf (237)
- actijour (212)
- balisesession (190)
- gestiondocuments (168)
- enviar_email (160)
- boutonstexte (149)

Do you want to see more? Just read the complete article.


! SPIP2.0 (and SPIP1.92f) released


For more details :
http://www.spip.net/fr_article3784.html

A little changelog for SPIP2.0 :
- Translation into Asturian, Burmese, Khmer (Kampuchean), Indonesian, Swedish
- Unified private interface using AJAX
- Programming interface for SQL servers (MySQL, Postgres, SQLite)
- New forms for use on the site in public and private area
- Improved interface for documents and forums (attached documents possible)
- Access to several databases from a single skeleton
- Models and pagination in AJAX by simply adding a new criterion
- Hierarchical URLs (like: http://www.example.com/sector/section1/subsection2/article_name)
- Automatic compaction of CSS and javascript files
- Improvement of the filter system and automatic installer
- And more...

Modifications between 1.9.2e of 13 September 2008 (svn [12624])
and 1.9.2f of 10 December 2008 (svn [13443]):

- Correction of a spelling error in the language list
- Correction of the criteria {par multi titre} in MySQL 5 and utf-8 (alphabetical sorting correct even with accented characters)
- Correction of the RSS of del.icio.us
- Unification of the calculation of the date of publication (now in php) in case of time lag between php and sql
- Optimization of SQL (use of the MySQL requests cache)
- Protection of redirect URLs (no < or ")
- Corrections of Ukrainian
- Fix of a security problem