Geeklog Documentation - Changes

Changes

This document is intended to give a quick overview over the most important and / or obvious changes. For a detailed list of changes, please consult the ChangeLog. The file docs/changed-files has a list of files that have been changed since the last release.

Geeklog 1.3.11

Geeklog 1.3.11 is a bugfix and security release over Geeklog 1.3.10 and is meant to replace 1.3.10. The change in the version number was necessary since one of the bugfixes involves a change in the database.

Security issues

1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong).
   These stories still ended up in the submission queue, though, unless you disabled it in config.php.
2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections.
3. The links for the What's Related block were created from the unfiltered story text, opening the possibility of XSS attacks (reported by Vincent Furia).

Bugfixes

• Fixes the length of the 'sid' field in the gl_comments table. Using story IDs longer than 20 characters prevented comment posts from being associated with the story.
• Ensures compatibility with PHP 4.1.x (includes updated PEAR packages).
• Fixes the archiving option being activated too early (bug #345).
• Properly deletes comments and story images when deleting entire topics (bug #339).
• Deletes comments when deleting polls.
• Fixes several bugs in the calendar and improves overall handling of both the site calendar and the personal calendars (bugs #268, #336, #338, and others).
• Fixes "More by author" and "More from topic" links in articles.
• Various other fixes, see docs/history for details.

We strongly advise users of Geeklog 1.3.10 to upgrade to 1.3.11 ASAP. Upgrading should be relatively painless, as there weren't any changes in the themes, language files, or config.php over 1.3.10.

Geeklog 1.3.10

New Default Theme

This release comes with a new default theme: We've chosen the Professional theme, kindly provided by Victor B. Gonzalez (of Aeonserv fame). The theme has been modified slightly and is now fully HTML 4.01 and CSS compliant.

We've also decided to remove the old set of themes (Classic, Clean, Digital Monchrome, Gameserver, Smooth Blue, XSilver, Yahoo) from the distribution. They are now available as a separate tarball.

New Features

• SpamX plugin included. Tom Willet has kindly provided his spam detection plugin, which is now part of the default Geeklog install.
  The plugin has been modified slightly to store the blacklists in the database. Users of the previous version of the plugin will have to import their personal blacklist via the plugin's admin panel.
• Story Archive feature: It is now possible to move stories to an "archive" topic or have them deleted automatically at a given time.
• Customizable menu bar: The site's menu bar can now be configured in config.php, i.e. you can choose which entries should be displayed there and in which order. It's also possible to add custom entries by providing a function in lib-custom.php.
• Clickable links in text postings: URLs in non-HTML postings are now recognized by Geeklog and displayed as clickable links.
• Editable story IDs: The IDs of stories can now be changed (like the IDs of static pages) to provide more readable URLs (and further improve the chances of being picked up by seach engines, especially when used with URL rewriting).
• Autolinks are a new form of links that can be used in stories and comments. An autolink takes the form [name:id link text] where name is the tag name, id is the ID of an object the link should be pointing to, and link text is used as the text of the link.
  Example: [story:email-bug About the email bug] would be translated into <a href="http://example.com/article.php/email-bug">About the email bug</a>
  For the built-in autotags, the link text is optional and Geeklog will use the title of the object (story / event / static page) if it is not given.
  Predefined autotags are [story:] to link to stories and [event:] to link to events. Plugins can define their own autotags to provide links to objects under their control. The Static Pages plugin already provides a [staticpage:] autotag.
• Customizable welcome email: The email that is sent out to users registering with your site is now fully customizable by providing the text in a text file (/path/to/geeklog/data/welcome_email.txt).
• Timezone hack: The popular "timezone hack" is now included. It lets you set the site's timezone for when your server is located in another timezone.

Other Improvements

• Various changes have been made to improve the overall performance.
• On fresh installs, there is now an option to use InnoDB tables (instead of MyISAM) if your MySQL version supports them (as of MySQL 4.0, or 3.x "Max" builds). Existing databases can be converted to InnoDB by using the script admin/install/toinnodb.php.
  Warning: Using InnoDB tables makes database backups somewhat more complicated. Small and medium-sized sites should work just fine with MyISAM tables, so if in doubt don't use InnoDB tables.
• The calendar's week can now either start on a Sunday or a Monday.
• The Static Pages plugin now has an option to display a printer-friendly version of a static page.

Comments

• The comment code has undergone major changes to improve performance and add improvements like the ability to link to individual comments, paging comments, etc.
• Users can now report abusive comments to the site admin.
• The site admin can get an email notification when a new comment is posted (similar to the notification emails for new stories, links, events, and users).
• The IP addresses of comment posters are now tracked and can be looked up directly by linking to a Whois service (or you can install Tom Willet's NetTools, which include a Whois function).

Security-related fixes

Note: All of the following bugs were problems with Geeklog's permissions system and fall into the "information leakage" category, i.e. under certain circumstances, site content was visible to persons who shouldn't be able to see it. None of these bugs were exploitable in the sense that they could be used to gain privileges or cause damage to Geeklog or the environment it's running in.

• Group Admins were able to list the members of all groups, even if they were not members of those groups.
• Group Admins were given a list of all the groups in the system, even if they were not members of those groups (bug #280).
• Story and Event Admins were always given a list of all the stories / all the events, even when they didn't have read access to them (bug #269).
• It was possible to request comments from stories even if the user didn't have permission to read the story (provided you knew both the story and the comment id).
• Event permissions in the calendar's day and week view weren't checked properly, so that events may have been visible to users who shouldn't have been able to see them.
• It was possible to add any event to the personal calender, even if you didn't have permissions to see it in the site calendar (provided you knew the event id).

Other bugfixes

• Previewing and saving a story submission left the submitted story in the submission queue, but did additionally save it as a new story.
• Deleting an event from the personal calendar didn't work (bug #199).
• Old userphotos weren't removed when the new photo had a different file type, e.g. when changing from a .gif to a .jpg (bug #228).
• Scaling images didn't work when the image exceeded the max. height but not the max. width (bug #242).
• Keeping an unscaled image wasn't possible when using gdlib to rescale images (bug #197).
• When using gdlib, GIF images were converted to PNG format, but Geeklog was still trying to display the GIF version. Since the LZW patent has now expired, it is safe to use GIF images again and the PNG conversion has been dropped.
• The tarball also includes updated PEAR packages which should address the email problems some users were having (bug #246).
  Note: These are the same PEAR packages that already shipped with Geeklog 1.3.9sr2.

Please note that there have also been theme changes, some of which are important to make the new features work (e.g. the editable story IDs and the story archive options)!

This release contains various improvements provided by the Geeklog community (see the docs/history file for proper credits). Thank you!

Geeklog 1.3.9sr3

This release addresses the following security issues:

1. It was possible to submit stories anonymously even if anonymous submissions were turned off in config.php (reported by Barry Wong).
   These stories still ended up in the submission queue, though, unless you disabled it in config.php.
2. Some of the parameters in link and event submissions weren't filtered, leaving them open to potential SQL injections.

Geeklog 1.3.9sr2

This release addresses the following security issues:

1. Fixed a cross site scripting vulnerability caused by using the variable $topic in the language files (bug #293).
2. Prevent comment posts on stories or polls were comment posting has been disabled.

Other fixes

• Fixed lib-plugins.php to work properly with PHP 5.
• The complete tarball also includes updated PEAR packaged that fix some of the reported email problems.

Geeklog 1.3.9sr1

This release addresses the following security issues:

1. It was possible to post anonymous comments, even when anonymous comment posting had been switched off in config.php.
   This bug was apparently exploited by spammers to send hundreds of spam posts to certain Geeklog sites.
2. Added additional speed limit checks for comments and submissions.
3. If none of the topics were visible for anonymous users, the site's index page may still have displayed some stories for anonymous users, depending on the stories' permissions.
4. Users still got Daily Digest emails for topics from which they had been removed (bug #178).
5. It was possible to subscribe to the Daily Digest for all topics, even if the user did not have access to certain topics.
6. Comments to stories were sometimes listed in a user's profile, even if the user viewing the profile didn't have permissions to access the story the comments belonged to.

Other fixes

• Fixed an SQL error in COM_showTopics if users excluded topics from their preferences.
• Fixed sporadic "Duplicate entry '...' for key 1." messages in error.log, caused by the handling of pseudo-session ids for anonymous users.
• Fixed incorrect author names in Daily Digest (bug #207).
• The plugin_profileblocksedit_plugin-name Plugin API function wasn't working due to a missing piece of code in usersettings.php.
• COM_extractLinks will now ignore anchor tags that do not contain "href" (bug #183).

Geeklog 1.3.9

New Features

• Geeklog now uses PEAR::Mail to send all emails. This gives you the option to send emails via PHP's built-in mail() function (as before), via sendmail or via SMTP.
• There is a new admin option called Content Syndication that lets you create and configure (RSS) feeds. In addition to the standard feed containing all the new stories, you can now create feeds per topic, for upcoming events, and for links.
  This feature is extensible in that plugins can provide additional feeds. It is also possible to provide feeds in formats other than RSS 0.91 by providing additional feed classes.
• Admins can change the block order easily from the list of blocks now.
• There is an alternative interface to adding users to groups (requires JavaScript).
• Users in the Group Admin group can now only assign other users to groups of which they themselves are a member.
• Image upload can now also use the GD library to scale images.
• Comments now use templates.
• To accomodate strict webhosts who don't allow file uploads to the standard image directory, you can now set a new configuration variable, $_CONF['path_images'] to point to a directory outside of your webtree where article images and user profile pictures will be saved.
• Geeklog now supports URL rewriting for story URLs, i.e. you can have URLs like http://www.geeklog.net/article.php/20031229225326631 which are known to be picked up by Google.
• Plugins can add their own section to Geeklog's What's New block.
• All URL fields can now hold up to 255 characters (requires theme updates).

Please see the themes documentation for a complete list of theme changes.

Also included is the Static Pages plugin 1.4, which now has, among other improvements, a second option to include PHP in static pages without having to use the PHP return statement.

Bugfixes

• Words from a search query are now properly highlighted in comments. Also fixed a problem with highlighting when the search query contained '*' characters.
• Various fixes in the search class.
• Fixed a bug that let users register with an empty username.
• When batch-importing users, those users were all subscribed to the Daily Digest automatically (uses the $_CONF['emailstoriesperdefault'] setting instead now).
• Fixed option to delete comments, which previously was only available to users in the Root group (e.g. Admin). Now those users that have story.edit permissions for the actual story can delete comments.
• Deleting a group may have left orphaned entries in the group_assignments table (this has been fixed now). When upgrading to 1.3.9, the install script will remove any orphaned entries from the database.

There have also been a lot of changes to improve security, especially against SQL injections.

Geeklog 1.3.8-1sr6

This release addresses the following security issues:

1. Fixed a cross site scripting vulnerability caused by using the variable $topic in the language files (bug #293).
2. Prevent comment posts on stories or polls were comment posting has been disabled.

Geeklog 1.3.8-1sr5

This release addresses the following security issue:

1. It was possible to post anonymous comments, even when anonymous comment posting had been switched off in config.php.
   This bug was apparently exploited by spammers to send hundreds of spam posts to certain Geeklog sites.

Geeklog 1.3.8-1sr4

This release addresses the following security issues:

1. It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
2. Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
3. It was possible to delete other people's personal events if you knew the event ID.
4. It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
5. Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
6. The comment display suffered from the possibility of an SQL injection (reported by Jelmer).
7. It was possible to inject Javascript code in the calendar (reported by Jelmer).
8. It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

Geeklog 1.3.8-1sr3

This release addresses the following security-related issues:

1. As "dr.wh0" pointed out, the category field for link submissions was not filtered at all. Although you probably can't cause too much harm with those 32 characters, this has now been fixed.
2. Vincent Furia found that the restrictions for the form to email users could be circumvented and could even be used to spam users. In addition to fixing theses issues, there is now also a speed limit on that form (defaults to the speed limit for story submissions).
3. There was a way to post comments anonymously even when posting for anonymous users had been disabled.
4. It was possible to post comments under someone else's username.

Geeklog 1.3.8-1sr2

Jouko Pynnonen found a way to trick the new "forgot password" feature, introduced in 1.3.8, into letting an attacker change the password for any account. This release addresses this issue - there were no other changes.

Obviously, we strongly recommend to upgrade as soon as possible.

Geeklog 1.3.8-1sr1

The purpose of this release is to address some of the security issues reported in September and early October 2003. We strongly recommend upgrading to this version.

Security issues

1. By including Ulf Harnhammar's kses HTML filter, this release addresses a variety of possible Javascript injection and CSS defacement issues.
2. Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This will avoid disclosing any sensitive information as part of the error message (which is so far the only problem we have found with the alleged SQL injection issues that have been reported).

Please note that at the moment we do not recommend to use Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL 4.1.

Other fixes

• Fixed the auto-detection of the value for the $_CONF['cookiedomain'] variable if the URL included a port number (such as example.com:8080). This will fix the login problems some users were reporting.
• The full 1.3.8-1sr1 tarball also includes updated French (Canada) and Turkish language files.

Geeklog 1.3.8-1

Geeklog 1.3.8-1 is a bugfix release over Geeklog 1.3.8. It contains a variety of (mostly minor) bugfixes. None of those fixes are security-related.

Bugfixes

• Fixes to the new search to restore pre-1.3.8 behavior (display search form again if no results are returned, handling of $_CONF['searchloginrequired'], etc.). Also fixed the search by date.
• Fixed problems in the install script when trying to identify the MySQL version. The install script failed silently on PHP 4.0.4 and earlier versions.
• Fixed a problem with the What's Related block on stories that contain images.
• Skip user "Anonymous" when sending out the Daily Digest.
• Prevent admin from changing a user's email address to one that's already used by another user.
• Update RSS feed and Older Stories block when deleting a story.

The full 1.3.8-1 tarball also includes new and updated language files (see the Changelog for details).

Geeklog 1.3.8

New Features

Geeklog 1.3.8 Includes the Static Pages 1.3 plugin which replaces both the Static Pages 1.1 and 1.2 plugins. See the Static Pages documentation for details.

• The search function has been rewritten. You can now search for the exact phrase, all the words, or any of the words from a query. Search words are also highlighted in stories.
• New Privacy options: Users can decide whether they want to receive email from other users and/or admins and whether they want to show up in the Who's Online block.
• You can now get a list of all users who are in a certain group (from the Admin's group editor).
• When scaling is configured for images in stories, you can now keep the unscaled image (has to be enabled in config.php first). In that case, the scaled-down image in the story will serve as a thumbnail and link to the unscaled image.
• You can now make one topic the default topic. The topic selection in the story submission form will then default to that topic. However, when browsing by topic (index.php?topic=Geeklog etc.) new story submissions will default to the current topic.
• You can give your users the ability to change their username and delete their account. Both features have to be enabled in config.php.
• Extended Plugin API: Plugins can now display content in Geeklog's center area, add their own information to the user profile, and add information to the site's header (<head> section).
• There's a new API for custom registration forms (see lib-custom.php for sample code).
• There have been quite a few theme changes in order to move most larger portions of hard-coded HTML to template files and to give theme designers more control over the layout. Please consult the themes documentation for a list of changes.

Bugfixes

• The "forgot password" function has been rewritten. Instead of resetting your old password and sending you a new one, you will now receive an email with a unique link in it. If you follow this link, you can enter a new password directly. Otherwise, you can simply ignore the email and your old password will remain valid.
• Topic access was not always checked properly. If Story Admins report getting access denied messages after upgrading to 1.3.8, check your topic permissions carefully.
• The poll editor let you enter one answer too many (i.e. when the max. number of answers was set to 10 you could actually enter 11). Please check your existing polls or you may lose the last answer if you exceeded the max. number of answers in a poll (adjust $_CONF['maxanswers'] accordingly, if necessary).
• Geeklog should install and run again on old versions of MySQL (specifically, 3.22.xx). Please note that some of these old versions aren't even supported by MySQL AB any more and MySQL installs older than 3.23.54 are having security issues.

Geeklog 1.3.7sr5

This release addresses the following security issues:

1. It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
2. Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
3. It was possible to delete other people's personal events if you knew the event ID.
4. It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
5. Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
6. The comment display suffered from the possibility of an SQL injection (reported by Jelmer).
7. It was possible to inject Javascript code in the calendar (reported by Jelmer).
8. It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

Geeklog 1.3.7sr4

This release addresses the following security-related issues:

1. As "dr.wh0" pointed out, the category field for link submissions was not filtered at all. Although you probably can't cause too much harm with those 32 characters, this has now been fixed.
2. Vincent Furia found that the restrictions for the form to email users could be circumvented and could even be used to spam users.
3. There was a way to post comments anonymously even when posting for anonymous users had been disabled.
4. It was possible to post comments under someone else's username.

Geeklog 1.3.7sr3

The purpose of this release is to address some of the security issues reported in September and early October 2003. If you don't plan to upgrade to the latest version of Geeklog (1.3.8-1sr1, at the time of this writing), we strongly suggest you upgrade to at least 1.3.7sr3 instead.

Security issues

1. By including Ulf Harnhammar's kses HTML filter, this release addresses a variety of possible Javascript injection and CSS defacement issues.
2. Details of SQL errors will not be reported in the browser any more (but only in Geeklog's error.log file). This will avoid disclosing any sensitive information as part of the error message (which is so far the only problem we have found with the alleged SQL injection issues that have been reported).

Please note that at the moment we do not recommend to use Geeklog with MySQL 4.1 (which, at the time of this writing, is in alpha state and should not be used on production sites anyway). An upcoming release of Geeklog will include more thorough filtering of SQL injections attempts, thus also fixing the problems with MySQL 4.1.

Geeklog 1.3.7sr2

Security issues

The purpose of this release is to fix the following security issues. All users are strongly encouraged to upgrade to this version ASAP.

1. It was possible to obtain valid session ids for every account on a Geeklog site, including the Admin account (reported by SCAN Associates).
2. Using Internet Explorer, it was possible to upload an image with embedded PHP code and execute it (reported by SCAN Associates).
3. Story permissions could override topic permissions, resulting in the display of stories to users who shouldn't have access to them (reported by Andrew Lawlor). This was already fixed with the new index.php, released 2003-05-15.
4. Added a warning in config.php that adding any of the following tags to the list of allowable HTML can make the site vulnerable to scripting attacks:
   <img> <span> <marquee> <script> <embed> <object> <iframe>
   (pointed out by Joat Dede).

This update also includes fixes for the notorious "permission denied" error messages that some users would get in the Admin area (e.g. when trying to save a story and being "only" a user with Story Admin permissions).

The full 1.3.7sr2 tarball also includes various new and updated language files (see the Changelog for details).

Geeklog 1.3.7sr1

Security issues

The main purpose of this release is to fix the following security issues. All users are strongly recommended to upgrade to this version.

1. Javascript code could be injected in the homepage field of a user's profile (reported by Jin Yean Tan).
2. Javascript code could be injected in certain URLs to be used in a cross-site scripting attack (reported by Jin Yean Tan).
3. Comments could be deleted by anybody if they knew the comment id (which is not normally visible).
4. A StoryAdmin could manipulate stories even if s/he did not have access to them (e.g. when s/he was not a member of a certain group). The same applied to Admins for events, links, polls, topics, and blocks (reported by Kobaz).

Other Bugfixes

• Fixed possible causes for endless loops with the redirect in index.php: No redirect will be done if $HTTP_SERVER_VARS['HTTP_HOST'] is not set. Also, the comparison of the configured and actual server name is not case-sensitive any more.
• Fixed image resizing when using ImageMagick.
• The new user notification email (introduced in Geeklog 1.3.7) was always sent out, even if 'user' was not listed in $_CONF['notification'].
• The Admin menu will now be displayed for users who have Admin access to plugins only, but not to one of the core Admin features.
• The default for the daily digest is now back to "off", i.e. new users will not receive it automatically. To enable the daily digest for new users again, set $_CONF['emailstoriesperdefault'] = 1 in config.php.

Documentation and hard-coded links (version check, link to Geeklog in a site's footer) have been updated to point to www.geeklog.net.

Geeklog 1.3.7

New Features

• A notification email can now be sent when a new story, link, or event has been submitted or a new user has registered with the site (see the submission settings for details).
  Please note that this feature doesn't tie in with Geeklog's security features - it's really more of a hack, since many people asked for this functionality.
• Following the "X stories in last 24 hours" link in the What's New block will now display just those new stories.
• User photos are now resized, just like images in stories (if the use of an image library is configured). The max. dimensions for user photos can be set with a separate set of config variables in config.php.
• The plugin menu now lists all plugins which exist in the file system but haven't been installed yet. It also provides a link to the install script of those plugins for easy installation.
• Several new config variables have been added to config.php (notification, showfirstasfeatured, dateonly, timeonly, skip_preview, upcomingeventsrange, emailstoryloginrequired, hideemailicon, hideprintericon, hidenewstories, hidenewcomments, hidenewlinks, max_photo_width, max_photo_height, max_photo_size). Please see the config documentation for details.
• Theme changes: Please consult the themes documentation for a list of changes.

Bugfixes

• Added sanity checks in the Admin story editor to prevent the loss of all stories when using an incomplete language file (or when manipulating the URL).
• Fixed a nasty bug in lib-security.php that let any user with UserAdmin permissions change the Root user's password, thus effectively becoming root.
• Fixed problems with blocks disappearing when they were set to "homeonly".
• Fixed problems with multiple [code] ... [/code] sections in stories and comments.
• Fixed double line spacing in [code] sections and HTML-formatted comments on PHP 4.2.0 and up.
• Fixed problems with slashes and HTML entities in emails sent by Geeklog.
• Fixes and improvements to the plugin API.

Contributors: Blaine Lang, Vincent Furia, and Kenn Osborne have contributed to this release. Thank you!

Speeding up Geeklog (a bit)

If you're upgrading from 1.3.6 or older versions, you may want to run the script called addindex.php that you will find in the install directory. This script adds index fields to some of Geeklog's database tables which should improve overall access times a bit.

This has been implemented as a separate script (and not as part of the upgrade process of the install script) since it may take some time to run, depending on how many users / stories / etc. you have in your database. Some people may even run into timeouts, e.g. when their hosting service limits the execution time of PHP scripts. If that happens to you - Don't Panic. Simply run the script again (and again and ...) until it reports that it didn't add any fields to any tables.

Please note that you do not need to run this script if you're doing a fresh install of Geeklog 1.3.7. A database created during a fresh install already has the new index fields.

Geeklog 1.3.6

New Features

• Images in articles can now be resized automatically during upload (provided you have either ImageMagick or netpbm installed). See the configuration description for details.
• The contents of a static page entitled "Frontpage" will be displayed before the first story on the front page of a Geeklog site. If the static page additionally carries the label "nonews", then it will completely replace the news on the front page.
• User submission queue: When activated (in config.php), new users will need to be approved by an admin before they receive their password.
• The submission queues can be switched off separately, either completely (in config.php) or only for certain groups of users (by using the new features story.submit, links.submit, and event.submit).
• When posting source code (e.g. PHP, HTML, ...), you can now use the [code] ... [/code] pseudo tags to enclose those portions of your posting that should be reproduced verbatim.
• The links section now uses a categorized and paged display (can be switched off separately and even back to the pre-1.3.6 style listing).
• Anonymous users can now be blocked from almost every part of the site (e.g. links section, site stats, ...), if needed.
• A Geeklog site can now be disabled easily (e.g. for maintenance) by setting a flag in config.php.
• Theme changes: Please consult the themes documentation for a list of changes.

Bugfixes

• Several fixes have been made to ensure that permissions are taken into account properly (e.g. not revealing titles of stories that the user has no access to).
• Several fixes have been made to make sure that Geeklog can now be properly localized (provided you have a language file that is up to date and have chosen the proper locale settings for your country and language).
• The variable $_CONF['site_admin_url'] is now used properly so that you can rename Geeklog's admin directory if needed.
• New RDF parser will now import most (if not all) RDF news feeds properly

Notes

• Since there are a lot of new variables in config.php, it is recommended you start with a fresh copy of that file instead of copying over your old config.php from your previous installation.
• Please note that currently only the English, German, Italian, Polish, and Japanese language files are up to date. Using one of the other language files may result in your Geeklog site not working properly.

Contributors: Gene Wood, Blaine Lang, Tom Willet, and Roger Webster have contributed to this release. Thank you!