Author: Holger Just

Half-time Ruby and Rails developer and half-time friendly operations guy, I try to improve the world one step at a time, striving for perfection along the way.

You can follow me on Twitter or subscribe to my blog.

ChiliProject 2.7.1 released

ChiliProject 2.7.1 has just been released. This release is a security release to fix several mass-assignment vulnerabilities. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.1.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download the release. For more information about the bug, please see the release announcement for ChiliProject 3.1.0.

Download ChiliProject 2.7.1

What’s included

2.7.1 includes a security fix which was backported from ChiliProject 3.1.0.

  • Bug #922: Mass assignment

Contributors to 2.7.1

I’d like to thank all of the contributors to the 2.7.1 release.

  • Eric Davis
  • Holger Just
  • Jean-Philippe Lang

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.1.0.

ChiliProject 3.1.0 released

ChiliProject 3.1.0 has just been released. It includes some new features and bugfixes for ChiliProject 3.0.0 as well as some critical security fixes. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 2.x release branch, please check the 2.7.1 release which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version, as that branch is not supported any more and no longer receives updates.

Download ChiliProject 3.1.0

What’s included

3.1.0 includes 20 bug fixes including one security fix and 5 new features for 3.0.0.

The security fix addresses several mass-assignment vulnerabilities in ChiliProject. These allowed users to write certain pieces of data which they should not have been allowed to. However, users could not grant themselves access to data they can’t normally access. It was also not possible for non-admins to grant users additional rights.

All of the vulnerabilities existed since the start of the project, most going back to the beginning of Redmine itself. To further mitigate the issue, we are going to review the controller code and add additional means to prevent mass-assignment vulnerabilities in the future. As these changes require some architectural changes, we will spread them out over the future releases as part of our migration to Rails 3.

More information about the way mass-assignment works in Rails can be found at Michael Hartl’s tech blog.
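As an added illustration of the bug class this fix addresses (example code, not ChiliProject’s own): a model that blindly assigns every submitted parameter, next to one that only accepts a declared whitelist in the spirit of Rails’ attr_accessible. The attribute names and the tampered request are constructed for the example.

```ruby
# Added example, not ChiliProject code. Two toy models fed the same request
# parameters: the first copies every key it is given, the second only the
# attributes it explicitly declares as accessible.

class NaiveUser
  attr_reader :attributes

  def initialize(attributes = {})
    @attributes = attributes.dup
  end

  # Vulnerable pattern: whatever the request carried is written, including
  # fields the edit form never exposed.
  def update_attributes(params)
    params.each { |key, value| @attributes[key.to_s] = value }
    self
  end
end

class SafeUser
  # Whitelist of attributes a user may set through a form (constructed names).
  ACCESSIBLE = %w[firstname lastname mail].freeze

  attr_reader :attributes, :rejected

  def initialize(attributes = {})
    @attributes = attributes.dup
    @rejected = []
  end

  # Hardened: only whitelisted keys are assigned; everything else is recorded
  # so the request can be logged as suspicious instead of silently honoured.
  def update_attributes(params)
    params.each do |key, value|
      if ACCESSIBLE.include?(key.to_s)
        @attributes[key.to_s] = value
      else
        @rejected << key.to_s
      end
    end
    self
  end
end

# Constructed request: a profile form submission carrying an extra "status"
# field that the form does not offer.
TAMPERED_PARAMS = { "firstname" => "Alice", "status" => 3 }.freeze

def naive_result
  NaiveUser.new("firstname" => "Bob", "status" => 1).update_attributes(TAMPERED_PARAMS)
end

def safe_result
  SafeUser.new("firstname" => "Bob", "status" => 1).update_attributes(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "naive: #{naive_result.attributes.inspect}"
  puts "safe:  #{safe_result.attributes.inspect}, rejected #{safe_result.rejected.inspect}"
end
```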

The full list of changes is below:

  • Bug #739: Relative textile links not converted to full URLs in emails
  • Bug #828: uninitialized constant Redmine::Scm::Adapters::CommandFailed in RepositoryController
  • Bug #861: Apply Filter does not work on all-project-activities view
  • Bug #868: Done bar has no filling
  • Bug #869: Issue option list stacked vertically instead of horizontally
  • Bug #873: Incorrect error message text for groups
  • Bug #882: Right click context menu doesn’t show submenu icon.
  • Bug #887: Stacked month (top row)
  • Bug #888: Cannot edit note
  • Bug #891: quotes around path when shelling out does not work on Windows
  • Bug #892: CP code or test assumes ordering where none is guaranteed
  • Bug #896: Enabling “Authentication required” mode returns 404s
  • Bug #903: ActionView::TemplateError (undefined method `new0′ for DateTime:Class)
  • Bug #911: Sub-sub (and deeper) issues CSS rules are overridden
  • Bug #914: comments gets striked through, when description changes before
  • Bug #922: Mass assignment
  • Bug #927: Reposman script problem
  • Bug #929: Missing links in Issues section in left menu bar
  • Bug #933: News RSS Feed tag not populating
  • Bug #939: GMail documentation in configuration.yml.default out of date
  • Feature #559: Group Menus
  • Feature #899: Create a jQuery verison of the context menu
  • Feature #906: Add Link back to Parent of Subtask
  • Feature #915: default bundle install installs old pg version
  • Feature #928: Increase username length limit from 30 to 60

Contributors to 3.1.0

  • Andrew Smith
  • Dominique Feyer
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Jean Philippe Lang
  • Martin S
  • Michaël Rigart
  • Robert Mitwicki

In closing, go and download ChiliProject 3.1.0 now.

ChiliProject 3.0.0 released

Chili Cupcake

Almost to the day one year after the first announcement of ChiliProject we are proud to announce the final 3.0.0 release of ChiliProject.

A birthday party is always very exciting, especially the very first one. We have achieved a lot in this year and we have seen a steady stream of new users and contributors to the project. We received great feedback from many people running ChiliProject for their small and medium projects as well as from people running very large instances like the KDE Projects site which hosts Git repositories and provides project management for thousands of developers in the various KDE subprojects.

This release marks a new height as we finally release the long awaited new look-and-feel (new design, better usability) into the wild. While we are always working on improving the user experience, this release lays the foundation for the future of ChiliProject.

In ChiliProject 3.0, we introduce a flexible templating system called Liquid. Liquid integration gives users and developers new ways to work with content from various sources and provides the foundation for unprecedented customization options and dynamic content without forcing users to write or deploy Ruby code.

Finally, ChiliProject 3.0 comes with a huge stack of smaller improvements making it more flexible, easy and fun to use.

We are very happy about what we have achieved this past year and confidently look forward to a very bright future.

Download ChiliProject 3.0.0

With this release, the 2.x branch enters maintenance mode. From now on until the release of 4.0.0 (planned for this summer), the 2.x branch will receive security updates only. The final regular version of the 2.x branch is 2.7.0 which was released today.

The old ChiliProject 1.x branch will be considered unsupported from now on. We will not provide any new patches or releases for it. We strongly advise users still running ChiliProject 1.x to update to ChiliProject 3.0.0.

What’s included

3.0.0 includes 24 new features and 15 bugfixes over 2.7.0. It includes all bug fixes and features of the 2.7.0 release.

The full list of changes is below:

Contributors to 3.0.0

  • elm
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Jérôme BATAILLE
  • Johannes Wollert
  • Kornelius Kalnbach
  • Moritz Breit
  • Romano Licker
  • Spencer Markowski
  • Toshi MARUYAMA
  • And everyone I forgot… You are all awesome!

Upgrading

The upgrade and installation documentation has already been updated for 3.0.0. The update from 2.x to 3.0.0 will be very smooth as we changed very little of the underlying data-storage compared to the previous 2.0.0 release.

Nevertheless, we strongly encourage you to have a full backup in place before starting the upgrade. We do our best to make it a safe experience but there is always the possibility of uncovering yet hidden bugs.

What’s next?

This is the first release in our 3.x series which we will fully support with monthly bugfix releases until the next major ChiliProject version which is due around July 2012. The big goals for that major release are the upgrade to Rails 3.x and the further modularization of ChiliProject.

If you’re interested in participating or contributing to ChiliProject, please leave a comment below or post to our forums. We would love to have your help in polishing the usability or adding exciting new features. Once the upgrade process to Rails 3 has started, we will need as many testers as we can get to iron out the bumps along the way. If you are interested in helping us, just speak up.

In closing, go and download ChiliProject 3.0.0 now.

ChiliProject 2.7.0 released

ChiliProject 2.7.0 has just been released. It includes some new features and bugfixes for ChiliProject 2.6.0. It is suitable for use on production websites.

This is the last regular release of the 2.x series of ChiliProject. With the final 3.0.0 release today, the 2.x branch enters maintenance mode. We will only provide security updates for it until the release of 4.0.0 planned for summer. The old ChiliProject 1.x branch will be considered unsupported from now on. We will not provide any new patches or releases for it. Users still running ChiliProject 1.x are strongly advised to update to ChiliProject 3.0.0.

Download ChiliProject 2.7.0

What’s included

2.7.0 includes 8 bug fixes for 2.6.0. None of the bug fixes is security related.

Users running 2.6.0 are encouraged to update, as the previous 2.6.0 release contained a regression which prevented ChiliProject from using the correct Rails environment when used with certain application servers and environments.

The full list of changes is below:

  • Bug #593: Notification Mail for Wiki-Changes has wrong Diff
  • Bug #775: Activity view too verbose
  • Bug #819: RAILS_ENV is not properly set if running under thin
  • Bug #822: Initial journal creation fails because of the missing log_encoding of Repositories
  • Bug #823: Plugin in new directory not picking up Gemfile
  • Bug #839: ruby-debug19 breaks on Ruby 1.9.3
  • Bug #849: Prefix parameter of thin is not working
  • Bug #857: Gemfile has an non ASCII character

What’s Next?

This release marks the end of the 2.x release cycle. Effective immediately the 2.x branch will enter maintenance mode and will only receive security updates until the release of 4.0.0 around July 2012.

With the release of 3.0.0 today the 1.x branch will no longer be supported at all. We will not issue any more releases, bugfixes or security patches for this branch. If you are still using ChiliProject 1.x, you are strongly advised to upgrade to 3.0.0 as soon as possible.

In closing, go and download ChiliProject 2.7.0 now.

ChiliProject 3.0.0beta2 released

We are proud to announce the second Beta release of the upcoming version 3.0.0 of ChiliProject. Since the release of the 3.0.0beta1 we have fixed some bugs mainly in the areas of caching and the theme.

We also added some new awesome features. We now have more flexible issue filters which allow filtering by date ranges and restricting the project scope of queries. We also added a more flexible handling of emails which is a bit more secure and will allow us to add some more advanced e-mail integration later.

The watchers functionality was heavily extended. It is now possible to add watchers to wiki pages, forum threads, and documents. And you can now bulk-edit watchers of issues.

As previously, we have already updated our own ChiliProject to the new Beta. That said, please be advised that this release is neither feature-complete nor considered stable. Instead it is considered an old-style Beta, not a Beta-cause-it’s-cool (I’m looking at you, Google…). Please download this release, install it in a testing environment, play with it, and report any bugs or missing features. But please don’t install it on your production environment right now without knowing what you are doing (and having a backup).

Download ChiliProject 3.0.0beta2

What’s included

3.0.0beta2 fixes some bugs found in the previous Beta and adds various features. It also contains all features and bugfixes of the previous 2.6.0 release as well as several features and bugfixes of the upcoming 2.7 release.

The full list of changes is below:

  • Bug #558: Reduce version information from Help link
  • Bug #774: Gravatar on issue#show is at a weird position
  • Bug #778: Textile Caching breaks Liquid
  • Bug #780: Setting Cache is not invalidated properly
  • Bug #783: Link to new issue on issues list displayed although user is not allowed to create issue
  • Bug #791: Allow SSL in POP3 in receive_pop3 task
  • Bug #797: Wiki page list is shown as one long list and not a nested one
  • Bug #798: Sidebar design looks bad
  • Bug #807: History elements overlays revisions in Issues
  • Bug #815: Inconsistent margin used for gravatars
  • Bug #827: Group issues by the Status field
  • Feature #672: Allow queries to include subproject issues
  • Feature #674: Change outgoing email to be sent-per user and not as a single BCC email
  • Feature #790: Allow plugins to register custom static and lazy evaluated variables
  • Feature #792: Confirmation emails when an incoming email is submitted
  • Feature #796: Filter issues based on a date range
  • Feature #799: Watch documents
  • Feature #800: Allow non-members to watch issues
  • Feature #801: Bulk adding issue watchers
  • Feature #802: Allow groups to watch issues
  • Feature #805: Set watchers on a wiki page
  • Feature #806: Set watchers on a Forum or Forum Thread
  • Feature #808: Show description changes on issues in a diff
  • Feature #809: Bulk add and search for projects when adding a member

Included from the upcoming 2.7.0 release are the following changes:

  • Bug #819: RAILS_ENV is not properly set if running under thin
  • Bug #822: Initial journal creation fails because of the missing log_encoding of Repositories
  • Bug #823: Plugin in new directory not picking up Gemfile

Contributors to 3.0.0beta2

  • Eric Davis
  • Holger Just
  • Gregor Schmidt
  • Jérôme BATAILLE
  • And everyone I forgot… You are all awesome!

In closing, go and download ChiliProject 3.0.0beta2 now.

ChiliProject 2.6.0 released

ChiliProject 2.6.0 has just been released. It includes some new features and bugfixes for ChiliProject 2.5.0. It is suitable for use on production websites.

Download ChiliProject 2.6.0

What’s included

2.6.0 includes 6 new features and 8 bug fixes for 2.5.0. None of the bug fixes is security related. The major highlights of this release are:

  • ChiliProject is now fully compatible with Ruby 1.9.3
  • Plugins needed by the core and user-provided plugins should now be separated. Users are advised to install their custom plugins into vendor/chiliproject_plugins from now on. This helps to distinguish plugins during updates. Existing installations with all plugins in vendor/plugins will continue to work as they used to.
  • Admins using LDAP as an authentication backend can now define arbitrary LDAP filters to further narrow down the elements eligible for authentication.
  • rdm-mailhandler.rb which is used for receiving mails is usable again after fixing a regression introduced in 2.5.0
  • Small bug fixes and translation improvements.

All users of ChiliProject are encouraged to update their installations as they see fit. This release contains no security related fixes.

The full list of changes is below:

  • Bug #356: Clicking on login while logged-in logs you out
  • Bug #463: REST API does not accept Basic HTTP auth when running through Apache mod_proxy
  • Bug #708: AAJ does not create journals, when models are created using sub classes
  • Bug #740: Revision page, new files are not displayed (Git Repo)
  • Bug #746: Problems with rdm-mailhandler.rb
  • Bug #748: ChiliProject::VERSION.revision doesn’t capture error output
  • Bug #761: Fix quoting in shell-out (git adapter)
  • Bug #812: Change references to Redmine
  • Feature #298: Seperate core plugins and user plugins into different directories
  • Feature #388: Add LDAP filter to ldap authentication
  • Feature #486: Do not display edit link in annotation page when you don’t have permissions
  • Feature #733: Add css class for issues that are due today
  • Feature #785: pt-BR translation updates
  • Feature #789: Provide a rackup file for Rack-only servers like pow.cx

Contributors to 2.6.0

  • Enderson Maia
  • Eric Davis
  • Felix Schäfer
  • Florian Mutter
  • Gregor Schmidt
  • Holger Just
  • Jean Philippe Lang
  • Moritz Breit
  • Spencer Markowski
  • Tom Rochette

What’s Next?

We are working on the final features and bug fixes for the next beta for ChiliProject 3.0.0. If you’re interested in participating or helping out the development, please leave a comment below or post to our forums.

This release marks the beginning of the end of the 2.x release cycle. Depending on how many bugs emerge until the release of 3.0.0 we will probably issue a last normal release shortly after 3.0.0 is released later this month. After that, the 2.x branch will enter maintenance mode and will only receive security updates until the release of 4.0.0 in summer.

After the release of 3.0.0 the 1.x branch will no longer be supported at all. We will not issue any more releases, bugfixes or security patches for this branch. If you are still using ChiliProject 1.x, you are strongly advised to upgrade to either 2.6.0 or to 3.0.0 as soon as possible.

In closing, go and download ChiliProject 2.6.0 now.

ChiliProject 3.0.0beta1 released

We are proud to announce the first Beta release of the upcoming version 3.0.0 of ChiliProject. When you read this announcement it means that the new and shiny 3.0.0 release is not far away anymore. This Beta release gives a first mostly complete look at the new features in 3.0.0. We expect to have a first Release Candidate on 2011-12-31. The final 3.0.0 release is scheduled to be in early January.

Because of the really great improvements we have already updated our own ChiliProject to the new Beta. That said, please be advised that this release is neither feature-complete nor considered stable. Instead it is considered an old-style Beta, not a Beta-cause-it’s-cool (I’m looking at you, Google…). Please download this release, install it in a testing environment, play with it, and report any bugs or missing features. But please don’t install it on your production environment right now without knowing what you are doing (and having a backup).

Download ChiliProject 3.0.0beta1

Now that you have survived the disclaimer, be prepared for awesomeness. This release includes the long awaited new design as well as a completely new wiki template engine which allows you to create dynamic wiki pages curated with your content. It also contains the foundation for a built-in tagging system.

The New Design

New ChiliProject Theme

The new design is a first step into the complete overhaul of the ChiliProject user experience. It sports a modern look and a completely re-thought interaction model.

Gone are the days of the plethora of tabs that start to scroll on even medium-sized windows. We now have an ever-present navigation on the sidebar which allows for easier access and a better navigation model. Related functions are grouped together preventing a lost-in-space feeling.

We have greatly improved the contrast and font-sizes which makes ChiliProject more approachable to anyone. Blind or otherwise disabled people will love the new design as it greatly improves compatibility with screen readers and other support devices.

This beta release is the beginning of the end of a long journey to improve the user experience of ChiliProject which started about 2 years ago when it was still Redmine. A great deal of work from Eric Davis, the whole Finnlabs crew and some other contributors is going to make this 3.0.0 release the biggest release in ChiliProject’s history.

The Liquid Template Language

ChiliProject inherited the old macro concept of Redmine which allowed including one wiki page in another and provided plugin authors with the ability to extend the standard textile markup language with additional functionality. This worked great at its time. However it became evident that a powerful templating system would provide users with much richer capabilities to display and organize content.

The Liquid template language completely replaces the old macro system and makes it even more mighty. It supports variables, includes facilities to display text based on conditions and even has loops. That allows users to create dynamic wiki pages based on many different data pieces in ChiliProject.

While it now brings minimal support for querying, remixing and displaying internal ChiliProject data, it allows us to easily extend the API. Users can then create custom issue or time reports inside a wiki without having to write a single line of Ruby code. It’s all inside the wiki editor.

Plugin developers can extend the language and create new tags, filters, and data APIs called drops to provide access to many different data sources. It gives them much more flexibility in what ways to represent their data and allows users to easily remix, combine, and display different pieces of data.

The Tagging foundation

Yes, that’s correct. ChiliProject will finally have a tagging engine. This will allow you to organize your data in any way you like. We will be able to create issue tags to group issues and to instantly find the important ones. Or you can organize your Wiki with tag clouds to have a free-form order schema.

The technical foundation is in place right now but is not exposed to the user. In future releases (and maybe even for the final 3.0.0 release) we will add features which use it to allow you to keep control over your data.

What’s included

3.0.0beta1 sports the new design and the Liquid template language as well as several smaller new features and bugfixes. It also contains several features and bugfixes of the upcoming 2.6 release.

The full list of changes is below:

Included from the upcoming 2.6.0 release are the following changes:

  • Bug #356: Clicking on login while logged-in logs you out
  • Bug #463: REST API does not accept Basic HTTP auth when running through Apache mod_proxy
  • Bug #708: AAJ does not create journals, when models are created using sub classes
  • Bug #740: Revision page, new files are not displayed (Git Repo)
  • Bug #746: Problems with rdm-mailhandler.rb
  • Bug #748: ChiliProject::VERSION.revision doesn’t capture error output
  • Bug #761: Fix quoting in shell-out (git adapter)
  • Feature #298: Seperate core plugins and user plugins into different directories
  • Feature #388: Add LDAP filter to ldap authentication
  • Feature #486: Do not display edit link in annotation page when you don’t have permissions
  • Feature #733: Add css class for issues that are due today

Contributors to 3.0.0beta1

  • elm
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Johannes Wollert
  • Kornelius Kalnbach
  • Moritz Breit
  • Romano Licker
  • Spencer Markowski
  • And everyone I forgot… You are all awesome!

In closing, go and download ChiliProject 3.0.0beta1 now.

ChiliProject 1.5.5 Released

ChiliProject 1.5.5 has just been released. This release is a security release to fix a cache poisoning bug in the bundled Redmine.pm module which can be used for authenticating and authorizing subversion or git users for repositories served through Apache. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.5.0. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.5

What’s included

1.5.5 includes a security fix which was backported from ChiliProject 2.5.0.

  • Bug #709: Redmine.pm potential security issue with cache credential enabled and subversion

All users of ChiliProject who use the bundled Redmine.pm module are strongly advised to update their installations as soon as possible as the resolved issue potentially allows users to access restricted repository data.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it. Currently it is only addressed in the trunk and 1.3-stable branch in the repository. You should either upgrade or apply the fix from the issue manually.

Contributors to 1.5.5

I’d like to thank all of the contributors to the 1.5.5 release.

  • Holger Just
  • Jean-Philippe Lang

We would like to especially thank Niels Lindenthal who informed us of the security issue.

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 3.0 in early January. After that date the 1.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.5.0.

ChiliProject 2.5.0 Released

ChiliProject 2.5.0 has just been released. It includes some bugfixes for ChiliProject 2.4.0 as well as one security fix. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 1.x release branch, please check the 1.5.5 release which includes the security fix.

Download ChiliProject 2.5.0

What’s included

2.5.0 includes 3 new features and 9 bug fixes including 1 security fix for 2.4.0. The major highlights of this release are:

  • The provided Perl module Redmine.pm for authenticating and authorizing subversion or git users for repositories served through Apache was vulnerable to a cache poisoning attack if caching was enabled. The vulnerability could result in a temporary permissions escalation, giving a user write permission to a repository for which she normally had only read permission. The fix will be immediately active after installation and a restart of the Apache instance Redmine.pm is installed on.
  • Registered but not-yet activated users can now be deleted.
  • ChiliProject will be transitioning to jQuery as the primary JavaScript library for client-side scripting. To ease the transition, plugin developers can query ChiliProject::Compatibility to decide if they want to use the to-be-bundled jQuery or use a version they bundle with their plugin. ChiliProject::Compatibility can also be queried to check for the presence or absence of Prototype.
  • 2 view hooks have been added to the Project index.
  • Still more Ruby 1.9 compatibility fixes.
  • The vendored ruby-net-ldap gem has been removed and replaced by an updated version (now called net-ldap) in the Gemfile.
  • Small bug fixes and translation improvements.
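
To show the bug class described in the first bullet, here is an added, simplified Ruby model (example code, not Redmine.pm’s actual Perl; how the real module built its cache key is not described on this page and is assumed here) of an authorization cache keyed by credentials only, next to one whose key also names the repository and access level the decision was made for. Users, passwords and permissions are constructed.

```ruby
# Added example, not ChiliProject or Redmine.pm code. Models a credential
# cache in front of a repository permission check and shows why the cache
# key must include everything the decision depended on.
require "digest"

# Constructed permission table: what each user may do on each repository.
PERMISSIONS = {
  ["alice", "proj-a"] => :write,
  ["bob",   "proj-a"] => :read,
}.freeze

# Constructed credential store; plain text only for the illustration.
PASSWORDS = { "alice" => "s3cret-a", "bob" => "s3cret-b" }.freeze

LEVEL = { read: 0, write: 1 }.freeze

# The slow path the cache is meant to avoid: verify the password, then check
# that the granted level covers the requested one.
def lookup(user, password, repo, level)
  return false unless PASSWORDS[user] == password
  granted = PERMISSIONS[[user, repo]]
  !granted.nil? && LEVEL[granted] >= LEVEL[level]
end

class NaiveAuthCache
  def initialize
    @cache = {}
  end

  # Vulnerable pattern (assumed, not the real module's code): a successful
  # check is remembered by credentials alone, so a later request for a
  # higher access level on any repository hits the cached "yes".
  def authorized?(user, password, repo, level)
    key = Digest::SHA256.hexdigest("#{user}:#{password}")
    return @cache[key] if @cache.key?(key)
    result = lookup(user, password, repo, level)
    @cache[key] = result if result
    result
  end
end

class ScopedAuthCache
  def initialize
    @cache = {}
  end

  # Hardened: the key carries repository and access level, so a cached read
  # grant can never satisfy a write request.
  def authorized?(user, password, repo, level)
    key = Digest::SHA256.hexdigest("#{user}:#{password}:#{repo}:#{level}")
    return @cache[key] if @cache.key?(key)
    result = lookup(user, password, repo, level)
    @cache[key] = result if result
    result
  end
end

# Scenario from the announcement: a read-only user reads first, then a write
# is attempted with the same credentials. Returns [read_allowed, write_allowed].
def naive_escalation
  cache = NaiveAuthCache.new
  first = cache.authorized?("bob", "s3cret-b", "proj-a", :read)
  second = cache.authorized?("bob", "s3cret-b", "proj-a", :write)
  [first, second]
end

def scoped_escalation
  cache = ScopedAuthCache.new
  first = cache.authorized?("bob", "s3cret-b", "proj-a", :read)
  second = cache.authorized?("bob", "s3cret-b", "proj-a", :write)
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  puts "credentials-only key: read, write = #{naive_escalation.inspect}"
  puts "scoped key:           read, write = #{scoped_escalation.inspect}"
end
```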

All users of ChiliProject are strongly advised to update their installations as soon as possible.

Users of Redmine should be advised that the fixed security issue of Redmine.pm is also present there. There is currently no Redmine release that fixes it. Currently it is only addressed in the trunk and 1.3-stable branch in the repository. You should either upgrade or apply the fix manually.

The full list of changes is below:

  • Bug #258: Upgrade from ruby-net-ldap to net-ldap gem
  • Bug #554: Failed to migrate from 1.2.0 to 2.1.0 with Ruby 1.9.2
  • Bug #688: doc/CHANGELOG.rdoc is very huge
  • Bug #698: Searching in issue is broken on ruby 1.9
  • Bug #707: Wiki diffs: incompatible character encoding error on Ruby 1.9.2
  • Bug #709: Redmine.pm potential security issue with cache credential enabled and subversion
  • Bug #711: translation missing: en, field_lock_version on issue edit on Ruby 1.9
  • Bug #735: any user can edit time entries via context menu
  • Bug #736: Adding users with a dash “-” in email address is broken sometimes
  • Feature #124: User deletion
  • Feature #706: Add hooks to view projects/index.rhtml
  • Feature #725: Compatibility check for jQuery and Prototype availability

Contributors to 2.5.0

  • David O
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Ivan Cenov
  • Jan Schulz-Hofen
  • Jean Philippe Lang
  • Moritz Breit

We would like to especially thank Niels Lindenthal and Jan Schulz-Hofen who informed us of the (potential) security issues. If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

In closing, go and download ChiliProject 2.5.0 now.

ChiliProject 2.4.0 Released

ChiliProject 2.4.0 has just been released. It includes some bugfixes for ChiliProject 2.3.0 as well as one security fix. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 1.x release branch, please check the 1.5.4 release which includes the security fix.

Download ChiliProject 2.4.0

What’s included

2.4.0 includes 3 new features and 8 bug fixes for 2.3.0. The major highlights of this release are:

  • The bundled Textile library which is used to transform the markup used in issues and wiki pages contained a bug which prevented it from properly escaping certain characters in URLs for image tags. This allowed for a persistent cross-site-scripting vector (XSS). The fix for this bug prevents its exploitation for newly entered content as well as for already present text.
  • We tremendously improved our Ruby 1.9 compatibility. While our test suite completely passes for 1.9 we had several reports of encoding issues in the past. With this release we are very confident that these issues should be fixed by now, to the extent possible by the current Rails and Rack implementations. However we still recommend Ruby 1.8.7 or Ruby Enterprise Edition as the most widely deployed Ruby variants for ChiliProject.
  • Users running MySQL and Ruby 1.9 should be aware that the mysql database adapter seems not to play nice with Ruby 1.9. We strongly recommend to use mysql2 with Ruby 1.9.
  • Users using the rmagick group to export the Gantt chart as a PNG mentioned that Ruby 1.9 requires rmagick 2.0.0 or newer. Thus we adapted our Gemfile to allow newer versions to be installed. In future versions of ChiliProject we will require rmagick 2 which currently requires rather new distributions. We will announce the deprecation time frame once it has been decided.
  • The project identifier can now automatically be created based on the project name saving project managers some keystrokes.

All users of ChiliProject are strongly advised to update their installations as soon as possible, as the resolved security issue allows users able to add or edit content to inject persistent JavaScript code into pages.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it. Currently it is only addressed in the trunk and 1.2-stable branch in the repository. You should either upgrade or apply the fix from the issue manually.

The full list of changes is below:

  • Bug #277: News list is missing Avatars
  • Bug #458: rmagick specified in the Gemfile doesn’t build in Ubuntu 11.04
  • Bug #591: ArgumentError (invalid byte sequence in US-ASCII)
  • Bug #640: internal error on journals for deleted custom fields
  • Bug #647: XSS: User input for images is not properly sanitized
  • Bug #652: wrong redirect after login when url contains umlaute
  • Bug #667: Label all input field and control tags
  • Bug #668: Duplicate “Modules” section on Copy Project
  • Feature #221: Use the git sha for the revision
  • Feature #240: Link to global news on projects list
  • Feature #615: Generate project identifier automatically with JavaScript

Contributors to 2.4.0

  • Eric Davis
  • Felix Schäfer
  • Greg Mefford
  • Holger Just
  • Jan Schulz-Hofen
  • Pieter Nicolai
  • Romano Licker
  • Toshi MARUYAMA
  • Etienne Massip
  • Karel Picman
  • Mischa The Evil

We would like to especially thank Mischa The Evil who informed us of the security issue. If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

In closing, go and download ChiliProject 2.4.0 now.