Serendipity 2.5.0

We are very happy to announce the availability of the final release for Serendipity 2.5.0, our new stable version! 2.5.0 contains the changes that were part of the 2.5-beta1, plus some additional changes.

With this version 2.5.0, Serendipity works with PHP 7.4 up to and including PHP 8.2. We also got positive reports about the compatibility with PHP 8.3, but this newest PHP version is not yet officially supported by us. The compatibility with PHP 8.2 is the main purpose of this release.

In this version, we further worked on how the bundled dependencies are managed. They got updated for PHP 8.x support, including some legacy dependencies where it was missed before, and more of them are now managed by the dependency management system composer. For those changes the file placement under bundled_libs/ has changed a bit, with wrappers added for compatibility. Despite those wrappers for backwards compatibility, authors of custom plugins that relied manually on files under bundled_libs/ are advised to check that their plugins still work.

The release contains some additional changes to 2.4.0, like bundling the webfonts used by the default theme 2k11, to avoid legal issues in Germany, fixes for an incompatibility with MySQL 5.7, fixes for the usergroup permission display and an improved russian translation.

It also fixes a potential security issue discovered for this project by @hannob, by removing the prior included composer.phar. That file was only useful for developers, but could be misused in some specific server environments. Though the necessary conditions for the attack are not a given, since this is a security fix a timely upgrade to 2.5.0 is highly recommended to all existing serendipity installations. As another possible mitigation, you can safely delete the file "composer.phar" in your root directory.

Upgrade hints: If you see errors when extracting this release archive that mention bundled_libs/, delete said folder in your old installation and extract the archive again. If you run an older version of serendipity than 2.4.0 and/or if you are not using PHP 8.x yet, please have a look at the PHP 8 upgrade guide.

If you encounter bugs, please report an issue here at Github or open a thread in our forum. The forum is also the right place for general questions and support.

The project thanks all contributors to the release, including the testers and issue reporters.

(MD5: 1dfb1f34483038179ac511666de60b8f)

Serendipity 2.5-beta1

We release this beta primarily to give those of you an upgrade path that need support for PHP 8.2 now.

For this release, we:

• Made code changes to be compatible with PHP 8.2, including a polyfill for strftime, see #784.
• Fixed a bug where the usergroup permissions were displayed incorrectly. Please ensure after upgrading that any possible custom usergroup configurations have the wanted permission settings. If you have never saved a permission group setting, you will not be impacted.
• Let the theme 2k11 use local font files, avoiding privacy risks (and a legal risk in Germany).
• Improved the russian translation.
• Moved several bundled libs to composer, which will make future upgrades easier.
• Updated smarty, HTTP_Request2, Net/DNS2 and Onyx/RSS.
• Added several other changes.

This release contains commits from @garvinhicking, @surrim, @stephanbrunker, @varakh, @hannob, @mariohommel and @onli.

(MD5: 9b4d17075ea43425312707f0b8ddc8ba)

Serendipity 2.4.0

We are very happy to announce the availability of the final release for Serendipity 2.4, our new stable version, after more than two years of work (right, same as the last full release :) )!

Serendipity 2.4 focuses on

• PHP 8.0 (fully) and 8.1 support (partly), with PHP 8.0 being the recommended version to run Serendipity with
• Update of bundled libs, improving the way we use composer
• Fixes and extensions to the multi language system
• Use of full UTF8 in MySQL/MariaDB by default

Additional changes include:

• Plugin update notifications in the dashboard
• Fixes to the .htaccess-blocking SQL statement
• Changes to the responsive images srcset, improving edge cases where unexpected image sizes leading lead to blurry thumbnails
• Rework of the error handler, resulting in this behaviour: Warnings will not be shown in production blogs, but will be properly shown in alpha versions (this was important for PHP 8 compatibility)
• A cleanup of the WYSIWYG configuration options, as shown in the personal settings
• A plethora of changes related to PHP 8 support

An update to this version is highly recommended, as hosters start to shutdown their PHP 7.4 support. Please be aware that full PHP 8 support does not include all plugins, though many plugins have been made compatible. If you encounter further incompatibilities, please let us know. Fixes to plugins would be even better, sent as pull request to https://github.com/s9y/additional_plugins.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

The s9y team wants to thank all contributors to this release, in no particular order: Hanno Böck, Mario Hommel, Stephan Brunker, Garvin Hicking, Malte Paskuda, Matthias Gutjahr, Markus Birth, surrim, Uwe Krause, Soatok Dreamseeker, Thomas Hochstein, and Eike Rathke.

Upgrade hint 1: We missed a bug in the sidebar comments plugin (serendipity_plugin_comments), it will break the frontend under PHP 8.x when showing long comments. Please disable the plugin for now or fix the code manually.

Upgrade hint 2: Be careful with your PHP version, the new minimum requirement is PHP 7.3.

(MD5: 8b80df37f4640486419227882d071730)

Serendipity 2.4-beta1

This is a beta release with a couple bigger changes and many small fixes, but most notably support for PHP 8. Some changes are:

• Support for PHP 8 in the core, as well as core plugins and themes
• When using MySQL or MariaDB serendipity will try to use the utf8mb4 charset, instead of the incomplete utf8 charset implementation.
• Split date and time input in editor into two input fields with browser supported input types
• Update buttons in dashboard and plugin section will show a notification about available plugin updates
• Multiple fixes to the multilanguage system
• Improved logic for which thumbnails should be used with responsively scaled images

We would love to get feedback from our users. This release was tested thoroughly, but it is still a first beta and with the bigger code changes than usual it might also contain more bugs than usual. Please do test it even in production environments if you need PHP 8, but have a current backup - including the database - before installing it.

(MD5: 3eabb22b14e868aca9a3bb4c7824e2f7)

Serendipity 2.3.5

This is a bugfix release with some fixes backported from our master branch:

• Fix: Truncate extension of media items to 5 chars which ist the max length of the corresponding database field (#609). Thanks to @mmitch!
• Fix: Unconditionally keep upgraded_version in plugin cache (64b5d56).
• Fix: Entry title in backend list of entries was double escaped (c66451e).
• Fix: serendipity_plugin_history would error out (and prevent display of the sidebar) since 2.3.3 (#694).
• Fix: Don't delete extend properties from the entryproperties plugin when publishing from dashboard or sending delayed trackbacks (#695).
• Fix: CKE: Don't remove <details> and <summary> elements from WYSIWYG editor (6c15c80).
• Fix: Don't strip HTML from comments body in serendipity_plugin_comments before serendipity_event_unstrip_tags can convert the HTML tags (#702).

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: e9d6937ffb06533de9566d600e1ffdc2)

Serendipity 2.3.4

This bugfix and security release Serendipity 2.3.4 fixes a potential remote code execution exploit for users with upload rights (on Windows systems only), some bugs in the Media Library renaming code and adds some other small fixes and enhancements backported from our master branch:

• Add plugin source (Spartacus, bundled or local) to list of installable plugins and show plugin author(s) on plugin managament page.

• Fix: Add "more info" link to Spartacus for all plugins there (was missing for already installed plugins).

• Fix: [SECURITY]: Media Library: The file name of renamed files may not end with one or more dot(s). This is not problematic on Linux, but on Windows file names ending with a dot will lose this dot on disk, making it possible to rename a file without extension ("file") to "file.php." which morphes to "file.php" on Windows, creating an executable PHP file in a remotely accessable directory and a possible remote code execution vulnerability. Thanks to Junyu Zhang for spotting this!

• Fix: Media Library: Renaming files without extension caused a discrepancy between the file name on disk and in the media library database so the database entry was deleted, making the file disappear from the Media library (while it was still in disk).

• Fix: Media Library: Add some more checking and proper error messages.

• Fix: Wrap comments with very long words on the backend dashboard.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: 0b203494571997a3ac5093a21c3d855e)

Serendipity 2.3.3

This bugfix release Serendipity 2.3.3 will bring you quite some smaller and larger fixes and minor enhancements backported from our master branch:

• Update bundled event_mailer plugin to support forcibly sending mails on published blog entries and add the ability to prepend a mail body. Also fixes missing "keep strip tags" configuration option.

• Media Library: Checkboxes allow you to insert multiple media files in a kind of gallery. Fall back to single-asset view when just one file has been selected. Let checkboxes be selected when clicking on the asset title, and hide the the 'Insert all' button when no assets are selected.

• Media Library: Use the <video> tag for videos in the library and for inserting them into an entry.

• Media Library: Allow plugins to skip HTML block insertion to use their own markup.

• Fix: Media Library: Items that are not images now get the correct link.

• Fix: Media Library: Prevent renaming an asset into an existing file, resulting in deletion of both from disk and database.

• Fix: Media Library: Remember directory from last upload.

• Fix: Media Library: Missing variable initialisation when removing empty folders.

• Fix: Stop generation of default page every time when serving JS (functions_routing.php).

• Fix: Don't allow requesting an archive page that doesn't exist.
  Thanks to @lotharsm!

• Fix: Add valid HTTP referrer when trying to delete a trackback from the frontend.

• Fix: Update bundled plugin plugin_comments to wrap text at word boundaries only, removing spurious whitespace in comment output.

• Fix: Update bundled plugin event_bbcode to get roman numerals working.
  Thanks to Fabien Chabreuil!

• Fix: Force positive limits for number of entries shown on title page and in RSS feed and fix potential SQL error with limit set to 0 in serendipity_fetchEntries().

• Fix: Escape version string in update notifier to avoid potential for XSS.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: a25fa2d0484538fb2c07ea2e670787b9)

Serendipity 2.3.2

This bugfix release Serendipity 2.3.2 contains some bug fixes backported from our master branch:

• Fix: [SECURITY] Only allow .txt and .log files for spamblock logging.
  Thanks to Gary O'Leary-Steele!
• Fix: [SECURITY] Escape category images to avoid backend XSS (#639).
  Thanks to @hannob!
• Fix: Pagination should now really be fixed for the new default "stable archives" sorting order.
• Fix: Fix autologin when using MySQL (#632).
  Thanks to @erAck!
• Fix: Properly display plugin save errors after validation.
• Fix: The WYSIWYG editor stripped the figcaption element used for image captions.
• Fix: Rotating an image did not rotate all responsive thumbnails.
• Fix: Auto-generated mails where mangled by wrong linebreaks on some MTA (#644).
• Fix: Prevent PHP warnings (#638, #642).
  Thanks to @hannob!

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: b81c97851afdb9c9fe3b7bd5b6765d29)

Serendipity 2.3.1

This bugfix release Serendipity 2.3.1 contains some bug fixes and small feature updates backported from our master branch:

• Fix: ML mass delete didn't work.
  (Added a question mark to a dialog and another language constant, incidentally.)
• Fix: Pagination (a feature of themes like Timeline and Bulletproof) didn't work with the new default "stable archives" sorting order.
• Change: Previous/next links and page numbers for archive pages with "stable archives" sorting order have been changed to match the pagination.
• Fix: Notices for moderated comments ("This comment needs approval before it will be displayed") didn't show (reliably) when more than one spamblock plugin was active (as these plugins mutually overwrote their "moderated" flags).
• Fix: Some internationalisation fixes and new German translations.
• New: Show links for each plugin installed from Spartacus to its Spartacus entry.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

(MD5: c0b1cc96277e15d61440f5c6891a8ef0)

Serendipity 2.3.0

We are very happy to announce the availability of the final release for Serendipity 2.3, our new stable version, after more than two years of work!

Serendipity 2.3 focuses on

• PHP 7.2 and 7.3 support - minimal PHP version is now PHP 7.0
• Smarty upgrade to 3.1.33
• Updates to the media manager and some bug fixes
  • New function to add multiple images to an entry at once, creating a gallery
  • Use figure/figcaption markup for media manager images with captions
  • Ability to create responsive image thumbnails
  • Set responsiveimages as default plugin
  • Add rewrite to absolute url for srcsets to the feed generation
• Using voku/simple-cache for internal cache as bundled lib, which will allow to cache with memcached and redis instead of just on the filesystem
• Adding a maintenance mode option
• Improving the nl2br plugin (thanks to Stephan Brunker!)
• Allowing to receive multiple trackbacks and pingbacks (thanks to @mmitch!)
• Changing (installation) defaults: disable entryproperties cache and enable internal cache, enable stable-archive option

Other changes include:

• Security fixes for XSS in Editor Preview and Media Library by interpreted EXIF tags (thanks to Hanno Boeck!)
• Fallback for $lang variable when configuration failed to load which evades some unuseful error messages (thanks @HQJaTu!)
• Drop deprecated serendipity_purgeEntry function
• Bootstrap4 adaptations
• Fixes for plugin drag'n'drop
• Multiple minor bug fixes to core, bundled plugins and bundled themes.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

Have fun!

(MD5: f5e2fa7fdabb738586600086a02c3c89)