Latest News
2008/10/04
Hi folks,
After the release of the second RC had to be postponed a bit due to other workload, it's finally done: it's out.
What's new: not much, except for some minor bugfixes in some of the language files (Bash, Boo, CIL, COBOL, MySQL, mIRC, Perl, Tcl, Typoscript, VB.NET and some others), some minor fixes to the GESHI_HEADER_PRE_TABLE header type and some other small tweaks here and there ...
As always, there are some new languages. This time: TeraTerm, Oracle11, Prolog and a language file for GNU make-compatible Makefiles.
As always I wish you happy testing of the RC. It's available from the usual place within the SVN repository. As usual the website features the latest RC - so if you don't want to upload it to your server, feel free to test it here ;-)
BenBE.
2008/09/17
Hi folks!
We recently asked all of you for some code for our Code Repository, which we mainly use to verify that language files work properly, but which we also use to work on some additional functions that might come in handy for GeSHi.
There has been some input already, but far too little for some of the projects we are working on. This Code Repository is open for everyone and free to use in your own contributions for GeSHi.
So if you would like to have your name included in the THANKS file, there's one easy way: write a small script that uses GeSHi (and optionally the CodeRepo) to achieve a new function that other users of GeSHi might find helpful in their daily work or for their applications, or which shows what is possible with current versions of GeSHi.
The rules for this contest are - just like using GeSHi - very simple:
- Submissions must be sent to BenBE (AT) geshi _DOT_ org by December 1st 00:00 UTC
- Submissions must be released under GPLv2 or GPLv3
- Submissions should be well documented and easy to understand (usage and code).
- The code should be secure against CSRF, XSS, SQL injection and other common forms of web attacks
- No other libraries (except GeSHi) should be used.
- It should be innovative ;-) So please not Yet Another Pastebin ;-)
Depending on the number of submissions we will announce up to three winners. The winning submissions will be publicly announced here and included in the 1.0.8.2 release and all following ones.
I hope for some interesting submissions which show the various tasks GeSHi could be used for, or functions that would come in handy for upcoming GeSHi releases.
BenBE.
2008/09/17
This morning from 00:20 UTC until around 05:30 UTC there was an unplanned server downtime due to a crash of the hardware node this server is hosted on. For all of you who were desperately hoping for the site to come back, here's some more news you will probably all like to hear.
There will be another Release Candidate of 1.0.8.1 this weekend which will fix some minor issues we've encountered since 1.0.8. There will be no new features compared to the first RC, just some improved documentation, some fixes to language files that showed ill behaviour and some corrections to language files that produced warnings when tested with our language file verification script.
There's only a little left to do for the final 1.0.8.1 release, so we think we can announce the final release here soon.
BenBE.
2008/08/30
I've just updated the Release Branch of the GeSHi SVN to contain the latest version of what could become the next GeSHi release. Well, not quite, as there will still be some changes to the code, but the current release candidate should give you a short introduction to what you can expect of the next release.
The version in the Release Branch (namely 1.0.8.1rc1) contains mainly fixes over the 1.0.8 release and improvements to existing language files. For example, we fixed some problems with Symbol Highlighting (i.e. ; and | were ignored even if a language asked to highlight them).
We also accidentally introduced an issue with line numbering where calls to start_line_numbers_at() got ignored with GESHI_HEADER_PRE_TABLE headers. The main problem with that header type, i.e. styling issues, could not be resolved yet. If you have a solution for them, contact us at the usual places.
But no new GeSHi release without new features ;-) The next version will allow you to highlight arbitrary stuff inside strings. What's new about this is not that you can now highlight escapes (which you could already do for quite a while) but that you can e.g. highlight format string escapes or variable names inside PHP strings, or correctly render octal numbers ... There are thousands of possibilities and we have only implemented a few common ones yet. To try this feature just feed some PHP source with lots of strings to the demo on this page and you'll see it ;-)
As mentioned a few weeks ago, the next version will contain a fix for an issue where Remote Code Inclusion could have been possible. To avoid this, no colons are allowed in Language File Paths (except on Windows at the second char in the path). If you encounter any issues with this behaviour, feel free to get in contact so we can resolve them.
This release candidate doesn't yet contain updated documentation, but this will follow with the next RC. In the meantime feel free to play around with this Release Candidate - it's installed on the server for you to test!
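As an added illustration of the colon rule described above (this is not GeSHi's own code, and the function and sample paths are constructed for this example): PHP stream wrappers such as http://, ftp:// or data: are introduced by a colon, so a language-file path that is rejected whenever it contains one (apart from a Windows drive letter at the second character) can never turn the later include() into Remote Code Inclusion.

```php
<?php
// Added illustration of the colon rule; not GeSHi's own implementation.
// Returns true only for paths that cannot carry a PHP stream wrapper.
function is_safe_language_path($path)
{
    $pos = strpos($path, ':');
    if ($pos === false) {
        return true;                 // no colon at all: no wrapper possible
    }
    // Windows drive letter (e.g. C:\geshi\): exactly one colon, at index 1.
    $on_windows = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
    if ($on_windows && $pos === 1 && strpos($path, ':', 2) === false) {
        return true;
    }
    return false;                    // any other colon: reject the path
}

// Constructed sample paths; validate before ever handing a path to include().
$candidates = array(
    '/usr/share/geshi/geshi/',       // accepted everywhere
    'C:\\www\\geshi\\geshi\\',       // accepted on Windows only
    'http://example.invalid/geshi/', // rejected: remote stream wrapper
    'ftp://example.invalid/geshi/',  // rejected: remote stream wrapper
);
foreach ($candidates as $p) {
    printf("%-34s %s\n", $p, is_safe_language_path($p) ? 'accepted' : 'rejected');
}
```

Note that the check only covers the wrapper vector; a path that comes from user input should still be restricted to a known directory of language files.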
BenBE.
2008/08/12
Hi folks,
as I promised before, I will now give some more details on a security issue found and fixed in 1.0.8. The issue was present in earlier versions, but had no harmful effect there. As far as I know only 1.0.7.22 has the problematic variant of this issue described below.
Well, on to the issue: many of you might know that for a long time GeSHi could be forced, with certain input, to output invalid HTML because of a problem with incorrect ender generation under rare circumstances. This issue was mainly present with markup languages (no further details on this, though).
If given such prepared input, GeSHi could be forced into an endless loop (in 1.0.7.22) which produced 100% server load AND used up all the memory PHP was allowed to take (on some systems I could verify up to 2 GB!). Using this scheme an attacker could abuse this malfunction for a Denial of Service attack on the webserver (verified to work) with minimal (unsuspicious) input but unpredictable side-effects (when caused by this, other programs randomly crashed due to lack of memory). Previous versions only produced invalid XHTML when given that input.
A patch for this issue has been present in the SVN release branch as of 1.0.8rc2 and later and is included in the latest official 1.0.8 release. Administrators of pastebins or other applications where users have free choice of both input language AND source should especially upgrade to the latest version as soon as possible.
An issue has also been found with the language file loading, of low to medium severity depending on the system configuration. There is a possibility for Remote Code Inclusion under rare circumstances, if paths given to GeSHi aren't checked correctly. There is a patch available in SVN trunk that will be included in the next 1.0.8.1 release. The severity of this problem is seen as low, because your web application has to be insecure itself for this attack to be feasible.
The next versions of GeSHi will concentrate on improving the overall reliability and security of GeSHi, so don't hesitate to report any such issues (please by mail to nigel@geshi.org for critical issues, so we get some time to prepare a proper solution). Also don't be afraid if we do some more status reports on this, as we will take proper precautions to provide fixes before disclosing any details.
For those concerned about their webserver security I can recommend the use of the Suhosin Patches and the PHP Suhosin Extension. Both work well together with GeSHi and from my own experience there are only a few web applications that need to be changed (and the changes are often only a few lines). There have been some patches for GeSHi in 1.0.8 that fixed some problems with preg_replace and the /e modifier, which can be disabled with the mentioned extension. If you aren't sure whether this extension works together with your application: there's a test mode where only violations are reported but no restrictions are enforced. This can be used for a slow transition towards this extension, which BTW runs on the GeSHi website without problems.
Regards,
BenBE.