Log message:
Update to 1.9.7:
Version 1.9.7:
SECURITY HINT: make sure you have allow_xslt = False (or just do not use
allow_xslt at all in your wiki configs, False is the internal default).
Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details.
New features:
* passlib support - enhanced password hash security. Special thanks go to
the Python Software Foundation (PSF) for sponsoring development of this!
Docs for passlib: http://packages.python.org/passlib/
If cfg.passlib_support is True (default), we try to import passlib and set
it up using the configuration given in cfg.passlib_crypt_context (default
is to use sha512_crypt with default configuration from passlib).
The passlib docs recommend 3 hashing schemes that have good security, but
some of them have additional requirements:
sha512_crypt needs passlib >= 1.3.0, no other requirements.
pbkdf2_sha512 needs passlib >= 1.4.0, no other requirements.
bcrypt has additional binary/compiled package requirements, please refer to
the passlib docs.
cfg.password_scheme should be '{PASSLIB}' (default) to tell that passlib is
wanted for new password hash creation and also for upgrading existing
password hashes.
For the moin code as distributed in our download release archive, passlib
support should just work, as we have passlib 1.6.1 bundled with MoinMoin
as MoinMoin/support/passlib. If you use some other moin package, please
first check if you have moin AND passlib installed (and also find out the
passlib version you have installed).
If you do NOT want to (not recommended!) or can't use (still using python
2.4?) passlib, you can disable it your wiki config:
passlib_support = False # do not import passlib
password_scheme = '{SSHA}' # use best builtin hash (like moin < 1.9.7)
Please note that after you have used moin with passlib support and have user
profiles with passlib hashes, you can't just switch off passlib support,
because if you did, moin would not be able to log in users with passlib
password hashes. Password recovery would still work, though.
password_scheme always gives the password scheme that is wanted for new or
recomputed password hashes. The code is able to upgrade and downgrade hashes
at login time and also when setting / resetting passwords for one or all
users (via the wiki web interface or via moin account resetpw script
command).
So, if you want that everybody uses strong, passlib-created hashes,
resetting the passwords for all users is strongly recommended:
First have passlib support switched on (it is on by default), use
password_scheme = '{PASSLIB}' (also default), then reset all passwords.
Same procedure can be used to go back to weaker builtin hashes (not
recommended): First switch off passlib support, use password_scheme =
'{SSHA}', then reset all passwords.
Wiki farm admins sharing the same user_dir between multiple wikis must use
consistent password hashing / passlib configuration settings for all wikis
sharing the same user_dir. Using the builtin defaults or doing the
configuration in farmconfig.py is recommended.
Admins are advised to read the passlib docs (especially when experiencing
too slow logins or when running old passlib versions which may not have
appropriate defaults for nowadays):
http://packages.python.org/passlib/new_app_quickstart.html#choosing-a-hash
\
http://packages.python.org/passlib/password_hash_api.html#choosing-the-right-rounds-value
* Password mass reset/invalidation support, see docs/resetpw/.
This is useful to make sure everybody sets a new password and moin computes
the password hash using the current configuration.
* Customizable default password checker:
Moin's default password checker used and still uses min_length=6 (minimum pw
length) and min_different=4 (minimum count of different chars in the password).
If you feel that you need to require better passwords from your users, you
can customize it now like that in your wiki config:
password_checker = lambda cfg, request, name, pw: \
multiconfig._default_password_checker(cfg, request, name, pw, min_length=10, \
min_different=7)
* Removing/disabling inactive users (moin ... account inactive)
Many wikis have a lot of inactive users, that never ever made a single edit.
See help of the command for more details, be careful.
* SystemAdmin user browser: show disabled user accounts at the bottom of
the list
* At startup, announce moin version and code path in log output (makes
support and debugging easier).
* AttachList: introduced search_term parameter (optional) for listing
attachments filtered by a regular expression on their name.
* sign release archive using GnuPG with the key of tw@waldmann-edv.de
ID 31A6CB60 (main key ID FAF7B393)
Fixes:
* logging: if the logging config file can't be read, give a helpful error msg
* logging: use info loglevel (not warning) for telling about using the builtin
default logging config
* moin script commands: warn if someone gave ... to the moin script, avoids a
strange and unhelpful 'empty module name' error message
* reorder html input fields in recoverpass form, to help browsers remember
the user name and password (not erroneously the recovery token and password)
* don't try to send password recovery email to user if email address in
user profile is empty
* cache action: fix 304 http status
* rst parser: fix safe_import for level param in __import__ call of docutils 0.10
* moin maint cleancache: also kill the i18n cache 'meta' pickle file
* sendmail: catch unicode errors when E-Mail addr has non-ascii chars
* redirect last visited: if last visited page is on same wiki, use a local
redirect, do not compute via interwiki map (fixes https: usage)
|