Roundup 1.4.20 released
rsc at runtux.com
Tue May 15 12:55:49 CEST 2012
I'm proud to release version 1.4.20 of Roundup which can be seen as a
security release. We've fixed several security issues, in particular
some XSS issues. We've also dropped support for python 2.4 with this
release. This release also introduces some minor features and, as usual,
fixes some bugs:
- Experimental support for the new Chameleon templating engine.
We now have two configurable templating engines, the old Zope TAL
templates (called zopetal in the config) and the new Chameleon (called
chameleon in the config). A new config-option "template_engine" under
[main] can take these config-options, the default is zopetal.
Thanks to Cheer Xiao for the idea of making this configurable *and*
for the actual implementation! (Ralf)
WARNING: Chameleon support is highly experimental and *not* recommended for
production use. It has known performance issues and i18n is not yet
functioning. It's still under active development. Only use this feature if
you want to experiment with Chameleon and/or help with Roundup
developement. If you found a bug in Chameleon support, please report after
testing against latest Roundup source from the Mercurial repository.
- issue2550678: Allow pagesize=-1 which returns all results.
Suggested and implemented by John Kristensen.
Tested by Satchidanand Haridas. (Bernhard)
- Allow to turn off translation of generated html options in menu method
of LinkHTMLProperty and MultilinkHTMLProperty -- default is
translation as it used to be (Ralf)
- Sending of OpenPGP encrypted mail to all users or selected users (via
roles) is now working. (Ralf)
- Add config-option "nosy" to messages_to_author setting in [nosy]
section of config: This will send a message to the author only
in the case where the author is on the nosy-list (either added
earlier or via the add_author setting). Current config-options
for this setting will send / not send to author without considering
the nosy list. (Ralf)
- issue2550730: FAQ has broken link to Zope book. Reported and fixed by
- issue2550728: remove buggy parentheses in TAL/DummyEngine.py.
Reported and fixed by Ralf Hemmecke. (Bernhard)
- issue2550715: IndexError when requesting non-existing file via http.
Reported and fixed by Cedric Krier. (Bernhard)
- issue2550712: exportcsvaction errors poorly when given invalid columns.
Reported by Will Kahn-Greene, fixed by Cedric Krier. (Bernhard)
- issue2550695: 'No sort or group' settings not retained when editing queries.
Reported and fixed by John Kristensen. Tested by Satchidanand Haridas.
- Fix matching of incoming email addresses to the alternate_addresses
field of a user -- this would match substrings, e.g. if the user has
discuss-support at example.com as an alternate email and an incoming mail
is addressed to support at example.com this would (wrongly) match. (Ralf)
- issue2550729: Fix password history display for anydbm backend, thanks
to Ralf Hemmecke for reporting. (Ralf)
- OpenPGP support is again working (pyme API has changed significantly) and
we now have a regression test. We now take care that bounce-messages
for incoming encrypted mails or mails where the policy dictates that
outgoing traffic should be encrypted is actually OpenPGP encrypted. (Ralf)
- Ignore confirm set() fields by themselves in the absence of non-"confirm"
values; otherwise a bare confirm field can be used to change the a
password. Reported by Cam Blackwood. (Ralf)
- Updated version of simplified Chinese message file by Cheer Xiao:
Corrected some mistakes, added a few more items and did some
- Fix xmlrpc URL parsing so that passwords may contain a ':' character
- Be more tolerant when parsing RFC2047 encoded mail headers. Use
backported version of my proposed changes to
email.header.decode_header in http://bugs.python.org/issue1079
- issue2550684 Fix XSS vulnerability when username contains HTML code,
thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)
- issue2550711 Fix XSS vulnerability in @action parameter,
thanks to "om" for reporting. (Ralf)
- issue2550535 In some cases even when keep_quoted_text=yes is
configured we would strip quoted sections. This hit the python
bug-tracker especially for python interpreter examples with leading
'>>>' strings. The fix is slightly different compared to the proposal
as this broke keep_quoted_text=no in certain cases. We also fix a bug
where keep_quoted_text=no would drop the last line of a non-quoted
section if there wasn't an empty line between the next quotes. (Ralf)
- issue2431638 wrong registration link in bounce mail for non-registered
users reported *years* ago by anonymous (Ralf)
- Fix doc/upgrading.txt which produces errors with latest docutils about
wrong block structure. Fix .gitignore in doc directory. Thanks to
Cheer Xiao for the patches. (Ralf)
- Fix wrong execute permissions on some files, thanks to Cheer Xiao for
the patch. (Ralf)
- Fix override of TemplatingUtils in instance.py, thanks to Cheer Xiao
for the patch. (Ralf)
- Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for
- Mark cookies HttpOnly and -- if https is used -- secure. Fixes
issue2550689, but is untested if this really works in browsers.
Thanks to Joseph Myers for reporting. (Ralf)
- Fix another XSS with the ok- and error message, see issue2550724. We
solve this differently from the proposals in the bug-report by not
allowing *any* html-tags in ok/error messages anymore. Thanks to
David Benjamin for the bug-report and to Ezio Melotti for several
proposed fixes. (Ralf)
If you're upgrading from an older version of Roundup you *must* follow
the "Software Upgrade" guidelines given in the maintenance documentation.
Roundup requires python 2.5 or later (but not 3+) for correct operation.
To give Roundup a try, just download (see below), unpack and run::
Release info and download page:
Source and documentation is available at the website:
Mailing lists - the place to ask questions:
Roundup is a simple-to-use and -install issue-tracking system with
command-line, web and e-mail interfaces. It is based on the winning design
from Ka-Ping Yee in the Software Carpentry "Track" design competition.
Note: Ping is not responsible for this project. The contact for this
project is richard at users.sourceforge.net.
Roundup manages a number of issues (with flexible properties such as
"description", "priority", and so on) and provides the ability to:
(a) submit new issues,
(b) find and edit existing issues, and
(c) discuss issues with other participants.
The system will facilitate communication among the participants by managing
discussions and notifying interested parties when issues are edited. One of
the major design goals for Roundup that it be simple to get going. Roundup
is therefore usable "out of the box" with any python 2.5+ (but not 3+)
installation. It doesn't even need to be "installed" to be operational,
though an install script is provided.
It comes with two issue tracker templates (a classic bug/feature tracker and
a minimal skeleton) and four database back-ends (anydbm, sqlite, mysql
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office at runtux.com
osAlliance member email: rsc at osalliance.com
More information about the Python-announce-list