12:32 am GMT
Here's where you can find out all the latest news about GeSHi - new releases, bug fixes and general errata.
I'm proud to announce that the 2000th revision of GeSHi has just been committed to SVN.
This revision is also the first release candidate for the upcoming 188.8.131.52 release, so that all of you out there can check the new features in it. As mentioned in my blog, there is not as much news on the parser side as there was with the previous releases, but again a bunch of new language files and loads of corrections to existing ones have been incorporated.
But there is one piece of news. Previous releases of GeSHi had problems with languages whose keywords contain spaces, like "CREATE TABLE" in SQL or the famous "O RLY?" keyword from LOLcode: old versions matched the spaces literally, so your code had to replicate these keywords exactly. Starting with rev 1999, the last change included in this release candidate, there is a PARSER_CONTROL setting that makes GeSHi handle such keywords more liberally.
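As an added example (not GeSHi's own code, and not its real PARSER_CONTROL key, which this page does not name), here is how a keyword list can be compiled into one regex that matches multi-word keywords either strictly, as the old versions did, or liberally, with any run of whitespace between the words. The $liberalSpaces switch stands in for the parser-control option; the function names and the sample SQL are made up for this example.

```php
<?php
// Added example, not GeSHi's own code. It compiles a keyword list into one
// regex and shows the two behaviours described above: strict matching, where
// the space inside "CREATE TABLE" has to appear exactly once, and liberal
// matching, where any run of whitespace between the words is accepted.
// The $liberalSpaces switch stands in for the parser-control option; the
// real option name and all function names here are invented.

function compileKeywordRegex(array $keywords, bool $liberalSpaces): string
{
    // Longest first, so "CREATE TABLE" is tried before a bare "CREATE".
    usort($keywords, fn(string $a, string $b): int => strlen($b) <=> strlen($a));
    $alternatives = [];
    foreach ($keywords as $kw) {
        $quoted = preg_quote($kw, '/');                   // "O RLY?" -> "O RLY\?"
        if ($liberalSpaces) {
            $quoted = str_replace(' ', '\s+', $quoted);   // any whitespace run between the words
        }
        $alternatives[] = $quoted;
    }
    // No word character directly before or after the hit; case-insensitive like SQL.
    return '/(?<!\w)(?:' . implode('|', $alternatives) . ')(?!\w)/i';
}

/** Wraps every keyword hit in <kw>...</kw>. HTML escaping of the rest of the
 *  source is deliberately left out here to keep the focus on the matching. */
function highlightKeywords(string $source, array $keywords, bool $liberalSpaces): string
{
    $re = compileKeywordRegex($keywords, $liberalSpaces);
    return preg_replace_callback($re, fn(array $m): string => '<kw>' . $m[0] . '</kw>', $source);
}

// Constructed sample: SQL keywords plus two LOLCODE ones, and input that
// spells CREATE TABLE once with several spaces and once with a tab.
$keywords = ['CREATE', 'TABLE', 'CREATE TABLE', 'SELECT', 'O RLY?', 'KTHXBYE'];
$source   = "create   TABLE t (id int);\nCREATE\tTABLE u (x int);\nO RLY? KTHXBYE";

echo "strict:\n",  highlightKeywords($source, $keywords, false), "\n\n";
echo "liberal:\n", highlightKeywords($source, $keywords, true), "\n";
```

With strict matching the two odd spellings fall apart into a CREATE hit and a TABLE hit because the "CREATE TABLE" alternative never matches; with liberal matching each spelling is tagged as one keyword. Sorting the list longest-first matters in both modes, otherwise the bare "CREATE" alternative would win before "CREATE TABLE" is even tried.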
More details on the changes in this RC can, as always, be found in the CHANGELOG; release candidates are, as usual, available from the RELEASE_1_0_X_STABLE branch in SVN.
I want to thank all the people out there for their great efforts and helping hands in making GeSHi what it has become: a great highlighter!
On to the next 2000 revisions!
Right on time we lay this kind of gift below your Christmas tree: version 184.108.40.206 of GeSHi.
This release is mainly a bugfix release and thus does not incorporate many changes to the parser itself, but a lot of work on the language files. The main goal intended for this release has not been fully reached: two of the 126 supported language files still have some minor problems, but the rest have all been fixed to be free of warnings or improved in some other way.
Among these 126 languages are 10 new ones, including 5 esoteric languages intended for release with 220.127.116.11 and available separately as the Halloween Esoteric Languages Pack; sorry for the minor glitches in there, though: it was created in a hurry and some minor issues accidentally slipped by ;-).
For all those interested in up-to-date, bleeding-edge information on development I recommend reading the GeSHi category of my blog, which covers the latest efforts that went into GeSHi as well as some future plans.
As I mentioned in my blog yesterday, there unfortunately have not been any submissions for the GCC: GeSHi Contributions Contest, and thus no new script has been added to the contrib section of the release. If you have any comments or feedback regarding the contest, I'd be glad to hear about it in my blog or by mail.
I wish you a merry X-mas, nice presents and everything you wish yourself.
P.S.: Download from the usual place, bug reports to the sf.net tracker please etc. etc...
There are moments when a developer leans back after a release, concentrating on planning the work for the next one, and suddenly gets a mail on the devel list about a security advisory for a bug he himself fixed about two months ago. For economy reasons the publicly accessible news entry for users and developers contains information on two distinct problems: one arbitrary remote code execution issue, which requires the system to be compromised already (controlled by the attacker) or affected by another remote code execution issue in third-party software that runs before GeSHi does; in short, the door was open BEFORE you could use the bug. From an attacker's point of view that issue was not worth mentioning, because an attacker won't use it.
So maybe they mixed things up and meant the denial of service attack you could mount against GeSHi, which had a real impact: in my tests I accidentally drove one server into a corner, forcing its owner to reboot it. No, they didn't notice that one, because the report clearly said "fixed in 18.104.22.168" AND the impact clearly stated "remote code execution". From an attacker's point of view I'd clearly prefer the bug fixed in 1.0.8 over relying on an issue I won't be able to take advantage of.
So please, Secunia: read the bug reports provided by vendors before you post notices with unnecessary information on issues not relevant for attacks. I'd also appreciate it if you at least wrote the names of the programs you report on correctly. Furthermore, you should use the contact information provided by the project management and contact them if you don't understand things or have information for them. It's simply annoying to be informed by third parties of an issue of near-zero relevance when there is public information on critical issues that can be used to DoS a remote system.
Well, so much for security companies; now on to Debian package maintenance. I really like Debian, except for one point: you can't use testing for reasonably current software; instead you have to use unstable or even experimental. I know testing should become more and more stable over time until it becomes the next stable at some point, but in my opinion that shouldn't automatically mean freezing a package at a version for which there is ample evidence of more than just a few minor issues compared to updated versions. Instead you're botching around in an outdated version, trying to backport patches for issues that can't easily be ported because the code has evolved. This might work for the remote code execution issue, which changed just one routine, but it won't work for the denial of service bug in 22.214.171.124, because fixing it meant actually improving the parser, which in turn means you could just update to the latest upstream version. So could you please drop that package-botching and let the upstream authors decide how to handle things, or at least give them more control over their software? Thanks in advance!
On a final note after all that complaining, I would like to thank the people from the MediaWiki packaging team for their great work and effort in packaging the latest versions of GeSHi so quickly after each new release. Keep up the good work!
Not quite on time, but better late than never, I proudly present the latest work on the GeSHi project. The latest version is now 126.96.36.199 and mainly includes bugfixes and security changes that should help improve your GeSHi experience. There are also 7 new language files.
We would also like to remind you of the GCC: GeSHi Contribution Contest, where you can give your creativity free rein.
Download from the usual place, bug reports to the sf.net tracker please etc. etc...
I'm proud to announce the GeSHi HELP Edition (Halloween Esoteric Languages Pack) that will contain some rare, newly created and still unreleased languages. The pack contains some common esoteric languages which I hope you all will enjoy. These languages will be available only for a short time, so make sure you get them ;-)
After the release of the second RC had to be postponed a bit due to other workload, it's finally done: it's out.
What's new: not much, except for some minor bugfixes in some of the language files (Bash, Boo, CIL, COBOL, MySQL, mIRC, Perl, Tcl, Typoscript, VB.NET and some others), some minor fixes to the GESHI_HEADER_PRE_TABLE header type and some other small tweaks here and there ...
As always, there are some new languages. This time: TeraTerm, Oracle11, Prolog and a language file for GNU make compatible Makefiles.
As always, I wish you happy testing of the RC. It's available from the usual place within the SVN repository. As usual, the website features the latest RC, so if you don't want to upload it to your server, feel free to test it here ;-)
We recently asked all of you for some code for our Code Repository, which we mainly use to verify that language files work properly, but which we also use to work on some additional functions that might come in handy for GeSHi.
There has already been some input, but far too little for some of the projects we are working on. The Code Repository is open to everyone and free to use in your own contributions to GeSHi.
So if you'd like to have your name included in the THANKS file, there's one easy way: write a small script that uses GeSHi (and optionally the CodeRepo) to achieve a new function that other users of GeSHi might find helpful in their daily work or their applications, or that shows what is possible with current versions of GeSHi.
The rules for this contest are - just like using GeSHi - very simple:
Depending on the number of submissions we will announce up to three winners. The winning submissions will be publicly announced here and included in the 188.8.131.52 release and all following ones.
I hope for some interesting submissions showing the various tasks GeSHi could be used for, or functions that would come in handy for upcoming GeSHi releases.
This morning from 00:20 UTC until around 05:30 UTC there was unplanned server downtime due to a crash of the hardware node this server is hosted on. For all of you who were desperately hoping for the site to come back, here's some more news you will probably like to hear.
There will be another release candidate of 184.108.40.206 this weekend, which will fix some minor issues we've encountered since 1.0.8. There will be no new features compared to the first RC, just improved documentation, fixes to language files that showed ill behaviour and corrections to language files that produced warnings when tested with our language file verification script.
There's only a little left to do for the final 220.127.116.11 release, so we think we can announce the final version here soon.
I've just updated the release branch of the GeSHi SVN to contain the latest version of what could become the next GeSHi release. Well, not quite, as there will still be some changes to the code, but the current release candidate should give you a first impression of what you can expect from the next release.
The version in the release branch (namely 18.104.22.168rc1) contains mainly fixes over the 1.0.8 release and improvements to existing language files. For example, we fixed some problems with symbol highlighting (e.g. ; and | were ignored even if a language asked to highlight them).
We also accidentally introduced an issue with line numbering where calls to start_line_numbers_at() were ignored with GESHI_HEADER_PRE_TABLE headers. The main problem with that header type, i.e. styling issues, could not be resolved yet. If you have a solution, contact us at the usual places.
But no new GeSHi release without new features ;-) The next version will allow you to highlight arbitrary things inside strings. What's new is not that you can highlight escapes (you could do that for quite a while already) but that you can e.g. highlight format-string specifiers or variable names inside PHP strings, or correctly render octal numbers ... There are thousands of possibilities and we have only implemented a few common ones yet. To try this feature, just feed some PHP source with lots of strings to the demo on this page and you'll see ;-)
As mentioned a few weeks ago, the next version will contain a fix for an issue where remote code inclusion could have been possible. To prevent this, no colons are allowed in language file paths (except on Windows as the second character of the path, i.e. after a drive letter). If you encounter any issues with this behaviour, feel free to get in touch so we can resolve them.
This release candidate doesn't yet contain updated documentation, but that will follow with the next RC. In the meantime, feel free to play around with this release candidate; it's installed on the server for you to test!
As I promised before, I will now give some more details on a security issue found and fixed in 1.0.8. The issue was present in earlier versions, but had no harmful effect there. As far as I know, only 22.214.171.124 has the problematic variant of this issue described below.
On to the issue: many of you might know that for a long time GeSHi could be forced, with certain input, to output invalid HTML, because of incorrect ender generation under rare circumstances. This issue was mainly present with markup languages (no further details on this, though).
Given such prepared input, GeSHi (in 126.96.36.199) could be forced into an endless loop that produced 100% server load AND used up all the memory PHP was allowed to take (on some systems I could verify up to 2 GB!). Using this scheme an attacker could abuse this malfunction for a denial of service attack on the webserver (verified to work) with minimal (unsuspicious) input but unpredictable side effects (when I triggered it, other programs randomly crashed for lack of memory). Previous versions only produced invalid XHTML when given that input.
A patch for this issue has been in the SVN release branch since 1.0.8rc2 and is included in the latest official 1.0.8 release. Administrators of pastebins or other applications where users have free choice of input language AND source should upgrade to the latest version as soon as possible.
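An added example, not GeSHi's own code, of the defensive wrapper a pastebin operator would put around a highlighter call after reading the above: an input-size cap and a per-request memory and CPU-time fence, with the fatal error that ends a runaway parse turned into a logged, clean failure instead of a worker that eats 2 GB. The limits, the runaway stand-in and all names are assumptions made for this demonstration.

```php
<?php
// Added example, not GeSHi's own code. A pastebin hands arbitrary user input
// to the highlighter; the post above describes input that sent the parser
// into an endless loop that pinned the CPU and ate all memory PHP was allowed
// to take. This wrapper caps the input size, fences the call with a memory
// and CPU-time limit, and turns the resulting fatal error into a logged,
// clean failure. The limits, the runaway stand-in and all names are assumed.

const MAX_SOURCE_BYTES = 256 * 1024;  // assumed pastebin policy
const HIGHLIGHT_MEMORY = '64M';       // far below the 2 GB the post mentions
const HIGHLIGHT_SECONDS = 5;

/** Stand-in for the buggy parser: never returns, doubles a buffer forever. */
function runawayHighlighter(string $source): string
{
    $buf = $source;
    while (true) {
        $buf .= $buf;     // grows until memory_limit stops the request
    }
}

/** Memory exhaustion and max_execution_time both end the request with an
 *  E_ERROR; a shutdown function is the only place left to react to that. */
function installFatalHandler(): void
{
    register_shutdown_function(function (): void {
        $err = error_get_last();
        if ($err === null || $err['type'] !== E_ERROR) {
            return;
        }
        error_log('highlighter killed: ' . $err['message']);
        echo "highlighting failed, source rejected\n";   // shown instead of a dead worker
    });
}

function highlightGuarded(string $source, callable $highlighter): string
{
    if (strlen($source) > MAX_SOURCE_BYTES) {
        throw new LengthException('source too large for highlighting');
    }
    ini_set('memory_limit', HIGHLIGHT_MEMORY);  // lowering the limit is allowed at runtime
    set_time_limit(HIGHLIGHT_SECONDS);          // CPU-time cap for tight loops
    return $highlighter($source);
}

installFatalHandler();
// Harmless input goes through; htmlspecialchars plays the well-behaved highlighter.
echo highlightGuarded("<b>ok</b>\n", 'htmlspecialchars');
// Crafted input: the stand-in hits the memory cap, the handler reports it and
// the script ends with a non-zero exit instead of taking the host down.
echo highlightGuarded("<!-- crafted markup -->", 'runawayHighlighter');
```

These are per-request guards only: a memory_limit of -1 or 2 GB is no cap at all, and the request that trips the fence is still lost. For real isolation, run highlighting of untrusted input in a separate worker process under OS-level limits, so a parser bug like the one described can never take the web server's memory with it.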
An issue with language file loading has also been found, of low to medium severity depending on the system configuration. Under rare circumstances remote code inclusion is possible if the paths given to GeSHi aren't checked correctly. A patch is available in SVN trunk and will be included in the next 188.8.131.52 release. The severity of this problem is seen as low because your web application has to be insecure itself for this attack to be feasible.
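The colon rule described here and in the release-candidate announcement above (no colons in language file paths, except as the second character on Windows) as an added example. This is not GeSHi's loader; all function names, the sample paths and the throwaway directory are invented. It also shows the stricter allow-list check a practitioner would want on top of the colon rule.

```php
<?php
// Added example, not GeSHi's own loader. It shows why a colon in a language
// file path matters for include(), the rule from the post (no ':' anywhere,
// except as the second character on Windows where it belongs to a drive
// letter like "C:\"), and a stricter allow-list check on top of it.
// All function names, the sample paths and the throwaway directory are made up.

/** The colon rule as stated in the post. */
function languagePathHasForbiddenColon(string $path, bool $onWindows): bool
{
    $pos = strpos($path, ':');
    while ($pos !== false) {
        if (!($onWindows && $pos === 1)) {
            return true;             // "http:", "php:", "data:" ... all land here
        }
        $pos = strpos($path, ':', $pos + 1);
    }
    return false;
}

/** What an unchecked loader effectively does: include("<path><lang>.php").
 *  If the application lets user data reach $languagePath, the path can name a
 *  stream instead of a file: "http://attacker.example/" (needs
 *  allow_url_include=On) or "php://filter/..." (does not). */
function languageFileUnchecked(string $languagePath, string $lang): string
{
    return $languagePath . $lang . '.php';
}

/** Stricter variant: colon rule, a safe charset for the language name, and the
 *  resolved file must lie below an allowed base directory, which also stops
 *  "../" traversal that the colon rule alone does not address. */
function languageFileChecked(string $languagePath, string $lang, string $allowedBase): string
{
    if (languagePathHasForbiddenColon($languagePath, PHP_OS_FAMILY === 'Windows')) {
        throw new InvalidArgumentException("colon in language path: $languagePath");
    }
    if (!preg_match('/^[a-z0-9_-]+$/i', $lang)) {
        throw new InvalidArgumentException("bad language name: $lang");
    }
    $base = realpath($allowedBase);
    $file = realpath($languagePath . $lang . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("language file not below $allowedBase");
    }
    return $file;
}

// Constructed sample paths run through the colon rule for both platforms.
foreach (['/usr/share/php/geshi/', 'C:\\php\\geshi\\', 'http://attacker.example/',
          'php://filter/resource=', 'data:text/plain,'] as $p) {
    printf("%-28s unix:%-6s windows:%s\n", $p,
        languagePathHasForbiddenColon($p, false) ? 'REJECT' : 'ok',
        languagePathHasForbiddenColon($p, true)  ? 'REJECT' : 'ok');
}
echo 'unchecked loader would include: ', languageFileUnchecked('http://attacker.example/', 'php'), "\n";

// The strict check against a throwaway directory holding one dummy language file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'geshi_demo_' . getmypid();
mkdir($base, 0700);
file_put_contents("$base/php.php", "<?php // dummy language file\n");
echo languageFileChecked("$base/", 'php', $base), "\n";
foreach (["$base/../", 'http://attacker.example/'] as $bad) {
    try {
        languageFileChecked($bad, 'php', $base);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
unlink("$base/php.php");
rmdir($base);
```

The colon rule blocks every stream wrapper PHP ships with, since all of their scheme names are longer than one letter; the Windows exception would only matter if the application registered a one-letter wrapper of its own. What the rule does not do is keep an attacker-controlled path inside the language directory, which is why the checked variant resolves the file and compares it against the allowed base.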
The next versions of GeSHi will concentrate on improving its overall reliability and security, so don't hesitate to report any such issues (for critical issues please by mail to email@example.com, so we get some time to prepare a proper fix). Also don't be afraid if we publish more status reports on this, as we will take proper precautions to provide fixes before disclosing any details.
For those concerned about their webserver security I can recommend the Suhosin patch and the Suhosin PHP extension. Both work well together with GeSHi, and from my own experience only a few web applications need to be changed (and the changes are often only a few lines). Some patches in GeSHi 1.0.8 fixed problems with preg_replace and the /e modifier, which the extension can disable. If you aren't sure whether the extension works with your application, there's a test mode where violations are only reported but no restrictions are enforced. This can be used for a gradual transition to the extension, which, by the way, runs on the GeSHi website without problems.
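An added example, neither GeSHi's code nor its markup: highlighting escapes and printf-style format specifiers inside a string literal (the feature announced for the next release above) with preg_replace_callback() instead of the preg_replace() /e modifier mentioned here. The regex, the CSS class names and the sample literal are made up for this example.

```php
<?php
// Added example, neither GeSHi's code nor its markup: highlighting escapes and
// printf-style format specifiers inside a string literal using
// preg_replace_callback(). Code from the /e era did this kind of thing with
//   preg_replace('/(%\w)/e', "'<span class=\"fmt\">'.htmlspecialchars('\\1').'</span>'", $s);
// where the replacement is eval()ed after \1 is substituted; Suhosin can
// disable /e and PHP 7 removed it. The callback form needs no eval and lets
// every piece of the literal be HTML-escaped exactly once, so a "<b>" inside
// a string cannot leak into the page. Regex, class names and sample are made up.

function highlightStringInnards(string $literal): string
{
    // Three alternatives, tried in order, so every byte belongs to exactly one:
    //   1. printf-style specifier   %[flags][width][.precision]conv  (also %%)
    //   2. backslash escape         \xHH, \ooo (octal) or \<any single char>
    //   3. a run of plain text, or a single leftover % or \
    $re = '/(%[-+ #0]*\d*(?:\.\d+)?[a-zA-Z%])|(\\\\(?:x[0-9a-fA-F]{1,2}|[0-7]{1,3}|.))|([^%\\\\]+|.)/s';

    $out = preg_replace_callback($re, function (array $m): string {
        $text = htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
        if (isset($m[1]) && $m[1] !== '') {
            return '<span class="fmt">' . $text . '</span>';
        }
        if (isset($m[2]) && $m[2] !== '') {
            return '<span class="esc">' . $text . '</span>';
        }
        return $text;                       // plain text: escaped, no markup
    }, $literal);

    return $out ?? '';
}

// Constructed sample: the inside of a C/PHP string literal with a precision
// specifier, a literal percent sign, escaped quotes, an HTML tag, a hex and
// an octal escape and an escaped backslash.
$inside = 'Total: %5.2f%%\n\tname=\"%s\" <b>\x41\101\\\\';
echo highlightStringInnards($inside), "\n";
```

Because the third alternative swallows everything the first two do not claim, the callback sees every byte of the literal once and escapes it before any markup is added; the tag in the sample comes out as entity text, while the format specifiers and escapes get their spans.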