Changes in 2.631 from 2.630
|Added a blurb of text to the end of the editPart page telling users
about the expert editing commands. This is a stopgap measure until
better help is in place; I did it because, since I hid the expert
editing commands, a few of my users have had to ask how to edit or
delete existing text.
|Jim Adler detected an inconsistency in the cached output due to me modifying a data structure that should have been constant; that's fixed.
|Jim Adler uses the $showEditOnFaq feature, and requested the ability to
control whether that link (a shortcut for the same feature on the
[Appearance] page) gave 'compact' or normal ('show')-style edit commands.
That's now supported, in the $showEditOnFaq configuration.
|Bernhard Scholz (scholzATpeanutsDOTorg) discovered that some commands weren't performing their security duty. This has been remedied, including the introduction of the Auth::ensureOrExit() function, which will make it less likely to happen again in the future.
|One day I was stroking my ego by searching AltaVista for instances of the
FAQ-O-Matic, when I found one that had been incompletely installed. I knew that there was a window of vulnerability before the admin sets a password during which arbitrary web users can create arbitrary directories on the hosting site.
Here was an example of a site left in just such a vulnerable state. Yuck.
New installations of the FAQ-O-Matic now automatically generate a temporary password and embed it in the CGI stub. That password must be supplied at install time and used until the administrator sets an official password, after which the temporary password is ignored. This eliminates the window of vulnerability, although it still depends on passwords that are transmitted in the clear.
Existing installs will not be affected; they are already beyond the stage
where the code will examine the temporary password.
|Preliminary support for mod_perl. This involved (generally small) changes to almost every module. Some caveats for this version:
- Apache::Registry mode does not work yet. Use Apache::PerlRun mode. (I would appreciate it if someone familiar with mod_perl could answer a few questions for me so I could fix this problem.) Be careful: the mod_perl docs advise setting up your config so that the same CGIs are visible through both modes; if you do this, visitors may end up accidentally running FAQ-O-Matic in Registry mode, which will break.
- I haven't figured out how to make mod_perl check and reload the fom-meta/config file when it changes, which means that changes you make with the install page may not show up in mod_perl children until httpd is restarted or the httpd children die of old age (i.e. each serves 30 pages).
- The Slow module doesn't work correctly yet in PerlRun mode. You probably won't be able to see the output of the rebuildCache step.
- The 'define groups' page doesn't report errors well.
Because of the many small changes, this version should be considered
THANKS to Bernhard Scholz (scholzATpeanutsDOTorg) for prompting the mod_perl changes.
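
The temporary-password bootstrap from the entry on incompletely installed sites, sketched in Perl as an added example. This is not Faq-O-Matic's own code; the function names, the state hash and its keys are assumptions made for illustration. It shows the install gate failing closed until the embedded secret is supplied, and ignoring that secret once an administrator password exists.

```perl
#!/usr/bin/perl
# Added illustration; not Faq-O-Matic source. All names here are hypothetical.
use strict;
use warnings;

# Generate the one-time install secret from the kernel CSPRNG (not rand()).
sub generate_temp_password {
    open(my $fh, '<:raw', '/dev/urandom') or die "no CSPRNG: $!";
    my $got = read($fh, my $bytes, 16);
    close($fh);
    die "short read from CSPRNG" unless defined $got && $got == 16;
    return unpack('H*', $bytes);    # 32 hex characters
}

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Gate for install-time commands.
#   $state->{temp_password} : secret embedded in the CGI stub at install time
#   $state->{admin_hash}    : undef until the administrator sets a password
sub install_access_allowed {
    my ($state, $supplied) = @_;
    # Once an official password exists, the temporary one is ignored.
    return 0 if defined $state->{admin_hash};
    # Fail closed: a stub with no (or an empty) secret grants nothing.
    my $temp = $state->{temp_password};
    return 0 unless defined $temp && length $temp;
    return constant_time_eq($temp, $supplied);
}

my $temp  = generate_temp_password();
my %state = (temp_password => $temp, admin_hash => undef);

printf "no password supplied : %s\n", install_access_allowed(\%state, '')      ? 'allow' : 'deny';
printf "wrong password       : %s\n", install_access_allowed(\%state, 'guess') ? 'allow' : 'deny';
printf "temporary password   : %s\n", install_access_allowed(\%state, $temp)   ? 'allow' : 'deny';

$state{admin_hash} = 'constructed-placeholder-hash';    # admin has now set a password
printf "temp after admin set : %s\n", install_access_allowed(\%state, $temp)   ? 'allow' : 'deny';
```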