Samizdat: Co-op Engine
Dedication
Samizdat 0.6.2 release is dedicated to the memory of Stanislav Markelov and
Anastasia Baburova, activists murdered in Moscow on January 19, 2009.
Samizdat 0.6.2 (2009-02-12)
The most important part of this release is the long list of security
improvements in various parts of the Samizdat engine. Password hashing has
moved from MD5 to salted SHA-512, HTTPS now gets the emphasis it deserves,
cross-site scripting protection has been tightened, and in general the engine
is even more paranoid about user-submitted data than before.
End users will be most interested in the integration with the free Flash video
player Flowplayer and the thumbnailing capabilities of the new image plugin.
Both features are enabled by the new plugin mechanism, which, in addition to
handling different content types, allows adding member profile parameters and
alternative access control schemes.
Due to the number of security improvements in this release, it is highly
recommended that all Samizdat installations update to this version. If you are
not able to update your installation immediately, you should apply the following
patches (applicable to vanilla Samizdat 0.6.1) at the first opportunity:
Download
What's new
- cross-site scripting fixes
- several cases of unsanitized user-submitted HTML strings are fixed
in this release; these vulnerabilities allowed attackers to perform
cross-site scripting attacks by publishing specially crafted messages or
user names (CVE-2009-0359)
- passwords
- over the past several years, multiple attacks on the MD5 hash
function have been demonstrated, making it a poor choice for password
hashing; while Samizdat 0.6.2 still accepts old MD5 password hashes,
all new passwords are stored as salted SHA-512; users of Samizdat sites
are advised to change their passwords to take advantage of the stronger
hashing
- HTTPS logins
- it is now possible to ensure that all authenticated access to a
Samizdat site goes only over an encrypted HTTPS connection; comments in
the https section of config.yaml explain how to make this work
- plugins
- the new plugin system allows augmenting and customizing various parts
of the Samizdat engine, including content rendering, member profile
parameters, and access control
- image thumbnails
- the new image plugin automatically generates and uses reduced versions
of uploaded images with the help of the RMagick library
- Flowplayer
- the flowplayer plugin integrates this free Flash video player into
Samizdat pages, allowing FLV and MP4/H.264 files to be displayed inline in
addition to the usual download link; as of this release, Flowplayer doesn't
reliably work with the free Flash plugins Gnash and SWFdec; more
collaboration between these projects is needed to implement a fully free
Flash video stack
- GPL3
- Samizdat license has been upgraded to the latest version of
GPL and now reads: "You can distribute/modify this program under the
terms of the GNU General Public License version 3 or later."
- Mahoro
- instead of relying on the inconsistent and untrustworthy content type
headers supplied by the web browser, Samizdat now uses the Mahoro bindings
to the libmagic library to determine the real content type of uploaded files
- Sanitize
- due to incompatibility of the Tidy/DL bindings with the latest Ruby 1.8
releases, Sanitize now prefers to invoke the tidy binary through a pipe
instead of linking to the shared library; more Tidy errors are now handled
and reported back to the user; the single quote character is now escaped
as the numeric character reference &#39; rather than the XHTML 1.0 entity
&apos;, for compatibility with browsers that don't support XHTML 1.0
character entities (e.g. Internet Explorer)
- member profile
- the member settings page is split into account, profile, and settings
pages; the settings page controls UI preferences available both to members
and guests; the profile page allows editing public information about a
member, such as full name (which is now optional) or occupation (enabled
by the occupation profile plugin); account parameters such as password
and email are edited on the account page
- new translations
- Japanese translation has been reviewed and corrected by a native
speaker and is now enabled by default, bringing the count of supported
languages up to 10
- documentation
- several key aspects of Samizdat architecture are explained in new
Dia diagrams and the LVEE'2008 presentation slides
- other
- exported RSS feeds now include item descriptions, tainted data
handling is now more robust, more bugfixes and UI improvements
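The password item above describes a transition: old MD5 hashes are still
accepted, new passwords get salted SHA-512. The following is an added example
of how such a transition is usually handled at login time; it is not
Samizdat's own code, and the on-disk hash formats (bare 32-hex-digit MD5 for
legacy records, "sha512$<salt>$<digest>" for new ones) are assumptions made
for the example. Because the plaintext is only available when the user logs
in, a legacy hash can only be replaced at that moment, which is why the notes
advise users to change their passwords rather than promising an automatic
upgrade. Note also that a single salted SHA-512 is still cheap to brute force;
a deliberately slow construction (bcrypt, PBKDF2) is the usual next step.

```ruby
require 'digest/md5'
require 'digest/sha2'
require 'securerandom'

# Added example, not Samizdat's code. Hash record formats are assumptions:
#   legacy:  "<32 hex chars>"                 unsalted MD5 (pre-0.6.2 style)
#   current: "sha512$<hex salt>$<hex digest>" digest = SHA512(salt + password)
LEGACY_MD5_RE = /\A[0-9a-f]{32}\z/

def hash_password(password, salt = SecureRandom.hex(16))
  "sha512$#{salt}$#{Digest::SHA512.hexdigest(salt + password)}"
end

# Constant-time comparison so a timing difference does not reveal how many
# leading characters of the digest matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

def verify_password(stored, password)
  if stored =~ LEGACY_MD5_RE
    secure_equal?(stored, Digest::MD5.hexdigest(password))
  elsif stored.start_with?('sha512$')
    _scheme, salt, digest = stored.split('$', 3)
    secure_equal?(digest, Digest::SHA512.hexdigest(salt + password))
  else
    false # unknown or corrupted record: never accept
  end
end

# Returns [ok, new_record]. new_record is non-nil only when the login
# succeeded against a legacy MD5 hash; the caller stores it in place of the
# old one so the account is silently migrated to salted SHA-512.
def authenticate_and_upgrade(stored, password)
  return [false, nil] unless verify_password(stored, password)
  stored =~ LEGACY_MD5_RE ? [true, hash_password(password)] : [true, nil]
end
```

The upgrade path never weakens the check: a wrong password against a legacy
hash fails exactly as before, and a record that matches neither format is
rejected rather than guessed at.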
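The Mahoro item above replaces the browser-supplied Content-Type with what
libmagic reads from the bytes themselves. The following added example (not
Samizdat's code, and not Mahoro) shows the same idea done by hand for a few
formats relevant to this release, so the check can be run offline: the
declared type is recorded only so a mismatch can be logged, and the whitelist
decision is made on the detected type alone. The signature table and sample
files are constructed for the example.

```ruby
# Added example, not Samizdat's code: a hand-rolled stand-in for libmagic
# covering a handful of formats. [offset, signature bytes, media type]
MAGIC = [
  [0, "\x89PNG\r\n\x1a\n".b, 'image/png'],
  [0, "\xFF\xD8\xFF".b,      'image/jpeg'],
  [0, 'GIF87a'.b,            'image/gif'],
  [0, 'GIF89a'.b,            'image/gif'],
  [0, '%PDF-'.b,             'application/pdf'],
  [0, 'FLV'.b,               'video/x-flv'],
  [4, 'ftyp'.b,              'video/mp4'],  # ISO BMFF: size then "ftyp"
  [0, 'FWS'.b,               'application/x-shockwave-flash'],
  [0, 'CWS'.b,               'application/x-shockwave-flash'],
]

# Detect the media type from the leading bytes; unknown input falls back to
# application/octet-stream, which no sensible whitelist contains.
def sniff_content_type(bytes)
  data = bytes.b
  MAGIC.each do |offset, sig, type|
    return type if data.byteslice(offset, sig.bytesize) == sig
  end
  'application/octet-stream'
end

# Decide whether to accept an upload. `declared` is the browser-supplied
# Content-Type (untrusted); `allowed` is the site's whitelist of media types.
# Only the detected type takes part in the accept decision.
def classify_upload(bytes, declared, allowed)
  detected = sniff_content_type(bytes)
  {
    detected: detected,
    declared: declared,
    mismatch: declared != detected,
    accepted: allowed.include?(detected),
  }
end
```

A Flash movie uploaded under a declared type of image/png is the kind of case
this catches: the declared type is ignored, the file is classified as
application/x-shockwave-flash, and it is rejected unless that type is on the
whitelist. Magic bytes do not help against files that are valid as two formats
at once, so serving uploads with the detected type and keeping them out of
the main document's origin remain worthwhile in addition to this check.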
How to upgrade
First of all, make sure tidy binary (and not just libtidy shared library) is
installed on your system. By default, sanitize.rb checks for /usr/bin/tidy or
/usr/local/bin/tidy. On Debian 5.0/lenny or later, run `apt-get install tidy`.
Debian 4.0/etch has an old Tidy version that doesn't support some of the options
used in Samizdat 0.6.2, so you may need to install the backported Tidy package.
Update your database schema to allow NULL value in member full name (login is
now used as a substitute when full name is not set):
ALTER TABLE Member ALTER COLUMN full_name DROP NOT NULL;
Since the moderator list is now stored in the database, you need to move your
list of moderators from your YAML config to the database:
CREATE TABLE Role (member INTEGER REFERENCES Member, role TEXT);
CREATE INDEX Role_member_idx ON Role (member);
GRANT INSERT, UPDATE, SELECT ON Role TO samizdat;
INSERT INTO Role (member, role) SELECT id, 'moderator' FROM Member
WHERE login IN ('moderator1', 'moderator2', ...);
In the last line, replace ('moderator1', 'moderator2', ...) with your current
moderator list, which can be produced by the following command line (trim the
YAML key and surrounding brackets from its output before pasting):
grep moderators /etc/samizdat/sites/*|sed "s/, /', '/g"
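The grep|sed one-liner above is fine for a handful of plain logins, but it
does not quote anything: a login containing a single quote would break the
generated IN list, and it leaves the YAML key in the output. The following
added script (not part of Samizdat) parses the site configs as YAML and emits
the same INSERT with properly escaped literals. It assumes each site config is
a YAML document with a top-level "moderators" key holding either a sequence of
logins or a comma-separated string; Samizdat's real config layout may differ,
in which case adjust moderator_logins accordingly. The sample configs are
constructed for the example.

```ruby
require 'yaml'

# Added example, not Samizdat's code. Assumes a top-level "moderators" key
# in each site's YAML config (sequence or comma-separated string).

# Quote a value as a SQL string literal: doubles embedded single quotes and
# rejects control characters, so a login like o'brien cannot break the
# statement the way it breaks the sed-generated list.
def sql_literal(value)
  s = value.to_s
  raise ArgumentError, "control character in #{s.inspect}" if s =~ /[\x00-\x1f]/
  "'" + s.gsub("'", "''") + "'"
end

def moderator_logins(yaml_text)
  config = YAML.safe_load(yaml_text) || {}  # safe_load: no arbitrary Ruby objects
  mods = config['moderators'] || []
  mods = mods.split(',') if mods.is_a?(String)
  mods.map { |m| m.to_s.strip }.reject(&:empty?).uniq
end

# The statement from the upgrade notes, with the IN list filled in safely.
def role_insert_sql(logins)
  return nil if logins.empty?
  "INSERT INTO Role (member, role) SELECT id, 'moderator' FROM Member " \
  "WHERE login IN (#{logins.map { |l| sql_literal(l) }.join(', ')});"
end

# Merge the moderator lists of several site configs into one statement.
def migrate_moderators(yaml_texts)
  role_insert_sql(yaml_texts.flat_map { |t| moderator_logins(t) }.uniq)
end

if __FILE__ == $0
  # Usage: ruby migrate_moderators.rb /etc/samizdat/sites/* | psql samizdat
  sql = migrate_moderators(ARGV.map { |path| File.read(path) })
  puts sql if sql
end
```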
You will also need to update your Apache or Lighttpd configuration to
make js/ directory visible via the Web server (see examples).
Finally, if your access control configuration differs from Samizdat default
(e.g. guests are allowed to post), see defaults.yaml on how role
plugin is configured.