1.8.4.1
Tiki 1.8.4.1 is available since 2004-12-14 and fixes a security problem in 1.8.4. Polaris users should upgrade to 1.8.4.1 or follow the instructions on the security alert.
Tiki 1.8.4 is available since 2004-08-01.

Tiki admins running 1.8x are strongly urged to upgrade to this version due to a vulnerability in versions 1.8 through 1.8.3 that allows individual wiki page permissions to be bypassed. Several path disclosure vulnerabilities have also been removed in the smarty_tiki area.

Terence, aka teedog, was the coordinator of this release.

Some links for more information about this release

Upgrade instructions

Those on ReleaseNotes181 should help.

Bugs known to have been introduced in this version

None yet

Security

  • Fixed custom permissions on Wiki pages could be tricked to go back to global permissions mose

Resolved bugs and misbehaviors since 1.8.3

  • Fixed articles wiki plugin which ignored real number of comments and displayed 0 comments all the time ;) luci
  • Fixed version conflicts related to wiki tag restorations teedog
  • admin-assignuser.php: if a default group has not been set, a blank entry should be displayed teedog
  • minicallib.php: fixed a typo in a db query - gmuslera
  • tiki-edit_submisson.php: fixed bugged display of the rating field when selecting article type "Review" teedog
  • Bug #973561: workaround for environments where $_SERVER['SERVER_NAME'] is undefined teedog
  • SF BUG 818569: RSS with authentication ohertel
  • cosmetic fix: don't display reply icon in forum threads if user has no permission to post teedog
  • forum stats aren't updated after moving a thread (until someone enters the affected forum) teedog
  • bug #894670: wiki edit permission should not depend on global wiki view permission if individual permissions are assigned for a wiki page teedog
  • bug #962993: duplicate version numbers when editing wiki pages teedog
  • bug #961711: broken find function for orphan wiki pages teedog
  • bug #930209: tracker categorization broken on tiki-admin_trackers.php teedog
  • bug #924502: parse_url() seems to be more robust than basename(); avoid login problems when tiki-index.php is the DirectoryIndex teedog
  • bug where current page gets deleted without a trace when rolling back to a previous version, resulting in the inability to undo a rollback and a gap in version numbers teedog
  • bug #924985: the CATEGORY() plugin couldn't handle type=directory or type=forum teedog
  • a forum home is selected even when none is set in Admin/Forums teedog
  • bug #898860: the directory category removal function leaves all kinds of zombie subcategories and member sites teedog
  • Rewrote large part of the buggy wiki edit-conflict code which should fix bug #872234 and several other edit-conflict related problems. teedog
  • users logging in from the Tiki homepage are not sent to their group homepages teedog
  • users logging in from wiki pages are always sent to the wiki homepage teedog
  • inner boxes created by embedding the BOX plugin within each other had messed up line spacing teedog
  • the author of a shoutbox msg changes to the shoutbox admin who edits the msg teedog
  • the name inputted by an anonymous user in Live Support is lost teedog
  • Path disclosure fixes in the smarty_tiki area. Damian
  • Fixed overlib tooltip width in moreneat.css teedog
  • Scrollbar of the textarea no longer jumps to the top after using a quicktag teedog
  • Fixed bug where removing any parent categories of an object causes the object to become uncategorized even if there are other parent categories teedog

Other changes

  • Diff engine replaced with LGPL codet to resolve license issue teedog