Being way overdue, and not only because some other projects asked (nagged) for a release, I’m really pleased I finally had everything together last week so I could do the release of GeSHi 1.0.8.11. Besides the 18 new language files there are also two important bugfixes addressing problems in contrib scripts.
The first of these issues, known as CVE-2012-3521, is related to a problem with parameter handling in previous versions of the cssgen script of GeSHi. If you called the script with the geshi_path and geshi_lang_path parameters pointing to some valid directory+file the script could be made to read any file the webserver had access to. This has now been fixed by forcing an absolute path and only continuing if the full path built from the files pointed to contains a GeSHi language file.
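The kind of check described above, as an added example that is not GeSHi's actual fix: canonicalise the supplied directory, then continue only if it holds a GeSHi language file. The function names are hypothetical, and treating a `.php` file that assigns `$language_data` as a language file is an assumption of this sketch.

```php
<?php
// Added example, not GeSHi's code; function names are hypothetical.

// Canonicalise a user-supplied directory and accept it only if it holds a
// GeSHi language file (assumed here: a .php file assigning $language_data).
function resolve_lang_dir(string $userPath): ?string
{
    // realpath() collapses "..", follows symlinks, fails on missing targets.
    $dir = realpath($userPath);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    foreach (scandir($dir) ?: [] as $name) {
        $file = $dir . DIRECTORY_SEPARATOR . $name;
        if (substr($name, -4) !== '.php' || !is_file($file)) {
            continue;
        }
        $head = file_get_contents($file, false, null, 0, 65536);
        if ($head !== false && preg_match('/\$language_data\s*=/', $head)) {
            return $dir;
        }
    }
    return null;
}

// Resolve one language name inside an already validated directory.
function resolve_lang_file(string $langDir, string $lang): ?string
{
    // Allow-list the name so it can never carry a path separator or "..".
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $lang)) {
        return null;
    }
    $file = realpath($langDir . DIRECTORY_SEPARATOR . $lang . '.php');
    // The canonical result must still sit directly inside $langDir.
    if ($file === false || dirname($file) !== $langDir) {
        return null;
    }
    return $file;
}

// Constructed demo input: a temporary directory with one fake language file.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('geshi_demo_');
mkdir($tmp);
file_put_contents($tmp . '/demo.php', "<?php\n\$language_data = array();\n");
$dir = resolve_lang_dir($tmp . '/../' . basename($tmp)); // non-canonical form
var_dump($dir);
var_dump(resolve_lang_file($dir, 'demo'));             // plain language name
var_dump(resolve_lang_file($dir, '../../etc/passwd')); // traversal attempt
unlink($tmp . '/demo.php'); rmdir($tmp);
```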
The second issue might be a bit more interesting to know as it allowed real attacks against others. Although non-persistent it was a classical version of basic XSS. When you called the Language Wizard (langwiz) contribution script with any arguments containing arbitrary HTML you got that HTML reflected in the resulting page. Combined with the inclusion of some JavaScript and a link shortener this makes the perfect base for a cookie stealer or other malicious attacks on the domain the script was running at.
So, if you are running any version of those scripts prior to SVN Revision 2508 or prior to Stable Release 1.0.8.11 you should update your version of GeSHi immediately. This applies even if you aren’t actively using those scripts but have them present on your webserver (e.g. as part of a plugin).
Also you might consider not using Debian for their packages lagging roughly 3 years behind in unstable. Currently they are still working on getting the bugfix in, but well, that might take a while – the usual Debian problem 😉 As unfortunately Ubuntu suffers the same problem, you could either switch to RedHat OR just download GeSHi manually and place the files at the right places (/usr/share/php-geshi for language files plus the core, /usr/share/docs/php-geshi for contrib and docs).
But on to more interesting things. As mentioned above GeSHi 1.0.8.11 includes 18 new language files for highlighting. Besides FreeSWITCH, LDIF and Nagios which might be interesting for those managing servers and switches there’s also great news for those who want to highlight their assembly. In addition to a big update to x86 assembly which now contains everything up to CPUs of 2013 we now also have support for ARM (v7 and v9). For those interested in programming their own spaceship there’s at least some support for DCPU-16.
If you’re more the number-guy or want to draw your graphics with code you might be interested to hear there’s now support for Octave and Asymptote, although the Asymptote language file still needs some cleanup to be fully compliant.
As 2012 is the Year of IPv6 also GeSHi now handles IPv6 addresses which appear as part of RFC822 compliant messages, which most of you might know better as „email“. But besides being compliant only with RFC 822 formatted text GeSHi now also knows HTML5; at least when you ask it to highlight some of it. This should give most of you a very good alternative to html4strict which would have been just too much of a PITA to be renamed considering the backward-compatibility issues involved.
Other than these mentioned changes there are mostly updates that added missing keywords, corrected some links or did both. Anyway that’s a lot of updates that have accumulated since last February (the one in 2011 to be precise).
As always thanks to everybody who contributed bugfixes and new language files for this release!
P.S.: Thanks in advance to the guy bringing 1.0.8.11 into Wheezy; you’ll get a drink if we meet!