TWiki Release 4.3.2 (Georgetown), 2009-09-02

On this page:


TWiki-4.3.0 released on 2009-03-30 introduces security enhancements, usability enhancements, feature enhancements, and adds extensions to strengthen TWiki as an enterprise collaboration platform.

TWiki-4.3.1 released on 2009-04-29 introduces security enhancements. This release also introduces use of ISO date format by default.

TWiki-4.3.2 released on 2009-09-02 introduces security enhancements (CSRF fix). WYSIWYG editing is enhanced as well, the TinyMCEPlugin is upgraded with latest tinyMCE Javascript library.

It is highly recommended to upgrade to TWiki-4.3.2. Users will find this release much more stable and secure in daily use.

Pre-installed Extensions

TWiki-4.3.2 ships with:

Note: HeadlinesPlugin, TWikiNetSkin and TWikiNetSkinPlugin are new in TWiki-4.3.0.

New Features Highlights

See the full list of bug fixes at the bottom of this topic.

Important Changes

1. Added protection against CSRF (cross-site request forgery) in TWiki 4.3.2 patch release

TWiki protects content updates with a one-time-use crypt token to guard against CSRF exploits. This means that it is no longer possible to hit the browser back button to fix a typo; you get an "invalid crypt token" error message if you try to save again. Workaround: Instead of browser back button, hit the "Edit" button to fix a typo.

There is a balance between security and user convenience. A TWiki administrator can enable and disable the crypt token based CSRF protection with the {CryptToken}{Enable} configure setting. For mission critical public TWiki sites it is recommended to enable the crypt token; for firewalled TWiki sites it is usually OK to disable it.

Deprecation Notices

The %MAINWEB% and %TWIKIWEB% variables have been deprecated. For compatibility reasons they are unlikely to ever be removed completely, but you should use the %USERSWEB% and %SYSTEMWEB% variables instead.

In Func getOopsUrl and permissionsSet have been declared deprecated. There is no plan to remove them yet.

TWiki-4.3.0 Minor Release - Details

TWiki-4.3.0 was built from SVN revision 17948 (2009-03-30)



Item2927 Topic moved message too visible
Item6283 upgrade tinyMCE to latest version in TinyMCEPlugin
Item3647 Usability: Control over variable expansion in topic templates
Item5025 InterwikiPlugin: Allow special characters in "Page" of Site:Page
Item6148 HeadlinesPlugin: Support for {PROXY}{HOST} and {PROXY}{PORT} configure settings
Item6176 Search: Add footer parameter to Formatted Search
Item6180 HeadlinesPlugin: Support for {PROXY}{SkipProxyForDomains} configure setting, USERAGENTNAME plugin setting
Item6184 Search: Add Number of Topics to Formatted Search
Item6189 Usability: Replace question mark links with red links to point to non-existing topics
Item6199 Enhancement: Add TWikiNetSkin to Distribution
Item6200 Enhancement: Add HeadlinesPlugin to Distribution
Item6222 SpreadSheetPlugin: New functions $EMPTY(), $INSERTSTRING(), $LEFTSTRING(), $RIGHTSTRING(), $SUBSTRING() functions
Item6226 Include: Specify a list of domains to exclude from proxy with {PROXY}{SkipProxyForDomains} setting
Item6227 Documentation: 17 new TWikiDocGraphics images
Item6228 Security: Option to send signed e-mail with S/MIME


Item6253 $WORKINGDAYS is returning invalid results
Item6259 Prevent GUI-based rename of TWiki web and Main web
Item6267 FORMFIELD expands $title to field name if $title exists in field value
Item6295 Preferences For Raw Edit or Wysiwyg Edit
Item1607 %TOC% does not distinguish two headlines that have the same text
Item2525 TablePlugin produces bad links for sorting when using "short" URLs
Item4835 SpreadSheetPlugin: SUBSTITUTE error when text=old and replace is empty
Item5176 %SCRIPTSUFFIX% is added twice in %TOC% links
Item5471 SpreadSheetPlugin: The character 0 cannot be replaced using the REPLACE-funtion
Item5910 TablePlugin: %TOC% variable creates links with unecessary query string
Item5914 TWiki::Request::url() must support -rewrite, -absolute and -relative
Item5920 TWikiGroups shows all members twice
Item5939 Rogue <p /> below </html> on every topic in every web
Item5960 Incorrect Content-length breaks HTTP headers, a.o. pound fail results
Item5961 WysiwygPlugin: Bolding single character within a word introduces spaces around bolded character
Item5991 JSCalendarContrib: Does not work correctly in IE7
Item5994 Secure configure script with taint mode turned on
Item6005 EditTablePlugin: "label"-formatted cell changed in unexpected way
Item6022 %ENCODE{}% treats % as safe character
Item6026 With header format emtpy table is initialized with one column only
Item6031 TablePlugin: Date sorting is broken.
Item6041 TinyMCE bug with Firefox 3 and bulleted lists
Item6050 statistics script fails when cuid is not equal login name (as login name is what's in the log files...)
Item6054 TwistyPlugin: No longer possible to have a twisty on one line without linebreak
Item6060 configure's get more extensions does not work well without LWP
Item6061 TWiki::Func::getContext documention
Item6138 Bullet lists in form fields are not rendered properly
Item6163 CommentPlugin: Lost data if it's targeted before/after a missing anchor.
Item6167 TWiki Forms expand variables like $nop, $quote $percnt
Item6170 Plugin installation fails on windows: line 684
Item6171 Per RFC 5321, single quote is allwed in e-mail addresses
Item6178 Statistics script does not handle properly topics with special characters
Item6185 Missing newline in Formatted Search if footer used
Item6186 Review code for robustness and security
Item6208 WebChanges does not work on Windows
Item6220 TwistyPlugin: Twisty can't be placed in TWiki table cells
Item6223 Users can't edit content in Main web

TWiki 4.3.1 Patch Release - Details

TWiki-4.3.1 was built from SVN revision 18054 (2009-04-29)



Item6254 Feature: Use ISO Date Format by Default


Item5453 Value of "0" improperly handled in ENCODE variable
Item6232 Use of uninitialized value $1 in concatenation (.) or string at lib/
Item6240 unhelpful error message when sysCommand fails
Item6243 URLPARAM "empty or missing"
Item6251 CSRF vulnerability CVE-2009-1339: Possible to gain TWiki admin privileges with a specially crafted image tag

TWiki 4.3.2 Patch Release - Details

TWiki-4.3.2 was built from SVN revision 18148 (2009-09-02)



Item2927 Topic moved message too visible
Item6283 upgrade TinyMCEPlugin with latest tinyMCE WYSIWYG editor
Item6315 HeadlinesPlugin: New touch parameter for HEADLINES variable


Item6253 SpreadSheetPlugin: $WORKINGDAYS is returning invalid results
Item6259 Prevent GUI-based rename of TWiki web and Main web
Item6267 FORMFIELD expands $title to field name if $title exists in field value
Item6295 Preferences for raw edit or WYSIWYG edit
Item6296 Crypt token based CSRF fix for TWiki
Item6308 viewfile adds trailing newline to attachments

Related Topic: TWikiHistory, TWikiInstallationGuide, TWikiUpgradeGuide