CHANGES

Version 1.3.0 (released ??-???-????)

  * require Python 3.3 (#138)
    - minimum Subversion version now 1.14.0 with py3 bindings
    - minimum Pygments version now 1.1
  * make-database now requires --force to destroy existing DB (#212)
  * removed deprecated checkout_magic option/behavior (#215)
  * new 'allow_mojibake' option (#216)
  * require explicit match for web-friendly images in 'binary_mime_types' (#216)

Version 1.2.1 (released 26-Mar-2020)

  * security fix: escape subdir lastmod file name (#211) [CVE-2020-5283]

Version 1.2.0 (released 17-Mar-2020)

  * bumped minimum supported Python version to 2.4
  * implemented support for property diffs (Tigris #383)
  * allow user-configurable cvsgraph display (Tigris #336)
  * allow rNNNN syntax for Subversion revision numbers (Tigris #441)
  * display revision numbers in CVS tag/branch selector (Tigris #546)
  * allow roots to have optional context (#58)
  * use a more secure temporary file generator (#159)
  * fix problems with make-database and special characters (#141, #182)
  * fix bogus default ci_when value in cvsdb (#200)
  * standalone query interface removed (#206)
  * GUI support (--gui) removed from standalone.py

Version 1.1.28 (released 26-Mar-2020)

  * security fix: escape subdir lastmod file name (#211) [CVE-2020-5283]
  * fix standalone.py first request failure (#195)

Version 1.1.27 (released 06-Jun-2019)

  * suppress stack traces (with option to show) (#140)
  * distinguish text/binary/image files by icons (#166, #175)
  * colorize alternating file content lines (#167)
  * link to the instance root from the ViewVC logo (#168)
  * display directory and root counts, too (#169)
  * fix double fault error in standalone.py (#157)
  * support timezone offsets with minutes piece (#176)

--- NOTE: Issue references below this point are from Tigris.org ---

Version 1.1.26 (released 24-Jan-2017)

  * security fix: escape nav_data name [CVE-2017-5938]

Version 1.1.25 (released 15-Sep-2016)

  * fix _rev2optrev assertion on long input

Version 1.1.24 (released 02-Oct-2015)

  * fix minor bug in human_readable boolean calculation
  * allow hr_funout option to apply to unidiff diffs, too
  * fix infinite loop in rcsparse
  * fix iso8601 timezone offset handling (#542)
  * add support for renamed roots (#544)
  * fix minor buglet in viewvc-install error message

Version 1.1.23 (released 04-Nov-2014)

  * fix annotate bug triggered by files with trailing blank lines (#533)
  * fix markup display of files with trailing blank lines (#533)
  * add support for root-relative svnauthz access files (#535)
  * fix cvsdb MySQL-python argument conversion error (#539)
  * fix double-escaping of revision links (#541)
  * fix bug that prevented mod_python 3.4+ deployment (#540)

Version 1.1.22 (released 14-Jan-2014)

  * minor directory sorting logic fix (re: show_subdir_lastmod)
  * fix display of show_subdir_lastmod details (#532)
  * pay attention to chardet's detection confidence
  * linkify line numbers in markup/annotate view

Version 1.1.21 (released 13-Sep-2013)

  * fix markup/annotate exception with Python < 2.7 (#527)

Version 1.1.20 (released 24-Apr-2013)

  * fix tab-to-space handling regression in markup view
  * fix regression in root lookup handling (#526)

Version 1.1.19 (released 22-Apr-2013)

  * improve root lookup performance (#523)
  * new 'max_filesize_kbytes' config option and handling (#524)
  * tarball generation improvements:
    - preserve Subversion symlinks in generated tarballs (#487)
    - reduce memory usage of tarball generation logic
    - fix double compression of generated tarballs (#525)
  * file content handling improvements:
    - expanded support for encoding detection and transcoding (#11)
    - fix tab-to-space conversion bugs in markup, annotate, and diff views
    - fix handling of trailing whitespace in diff view
  * add support for timestamp display in ISO8601 format (#46)

Version 1.1.18 (released 28-Feb-2013)

  * fix exception raised by BDB-backed SVN repositories (#519)
  * hide revision-less files when rcsparse is in use
  * include branchpoints in branch views using rcsparse (#347)
  * miscellaneous cvsdb improvements:
    - add --port option to make-database (#521)
    - explicitly name columns in queries (#522)
    - update MySQL syntax to avoid discontinued "TYPE=" terms

Version 1.1.17 (released 25-Oct-2012)

  * fix exception caused by uninitialized variable usage (#516)

Version 1.1.16 (released 24-Oct-2012)

  * security fix: escape "extra" diff info (#515) [CVE-2012-4533]
  * add 'binary_mime_types' configuration option and handling (#510)
  * fix 'select for diffs' persistence across log pages (#512)
  * remove lock status and filesize check on directories in remote SVN views
  * fix bogus 'Annotation of' page title for non-annotated view (#514)

Version 1.1.15 (released 22-Jun-2012)

  * security fix: complete remote SVN authz support (#353) [CVE-2012-3356]
  * security fix: log message leak with unreadable copy source [CVE-2012-3357]
  * fix several instances of incorrect information in remote SVN views
  * increase performance of some revision metadata lookups in remote SVN views
  * fix RSS feed regression introduced in 1.1.14

Version 1.1.14 (released 12-Jun-2012)

  * fix annotation of svn files with non-URI-safe paths (#504)
  * handle file:/// Subversion rootpaths as local roots (#446)
  * fix bug caused by trying to case-normalize anon usernames (#505)
  * speed up log handling by reusing tokenization results (#506)
  * add support for custom revision log markup rules (#246)

Version 1.1.13 (released 23-Jan-2012)

  * fix svndbadmin failure on deleted paths under Subversion 1.7 (#499)
  * fix annotation of files in svn roots with non-URI-safe paths
  * fix stray annotation warning in markup display of images
  * more gracefully handle attempts to display binary content (#501)

Version 1.1.12 (released 03-Nov-2011)

  * fix path display in patch and certain diff views (#485)
  * fix broken cvsdb glob searching (#486)
  * allow svn revision specifiers to have leading r's (#441, #448) 
  * allow environmental override of configuration location (#494)
  * fix exception HTML-escaping non-string data under WSGI (#454)
  * add links to root logs from roots view (#470)
  * use Pygments lexer-guessing functionality (#495)

Version 1.1.11 (released 17-May-2011)

  * security fix: remove override of cvsdb row limit [CVE-2009-5024]
  * fix broken standalone.py -c and -d options handling
  * add --help option to standalone.py
  * fix stack trace when asked to checkout a directory (#478)
  * improve memory usage and speed of revision log markup (#477)
  * fix broken annotation view in CVS keyword-bearing files (#479)
  * warn users when query results are incomplete (#433)
  * avoid parsing errors on RCS newphrases in the admin section (#483)
  * make rlog parsing code more robust in certain error cases (#444)

Version 1.1.10 (released 15-Mar-2011)

  * fix stack trace in Subversion revision info logic (#475, #476)

Version 1.1.9 (released 18-Feb-2011)

  * vcauth universal access determinations (#425)
  * rework svn revision info cache for performance
  * make revision log "extra pages" count configurable
  * fix Subversion 1.4.x revision log compatibility code regression
  * display sanitized error when authzfile is malformed
  * restore markup of URLs in file contents (#455)
  * optionally display last-committed metadata in roots view (#457)

Version 1.1.8 (released 02-Dec-2010)

  * fix slowness triggered by allow_compress=1 configuration (#467)
  * allow use of 'fcrypt' for Windows standalone.py authn support (#471)
  * yield more useful error on directory markup/annotate request (#472)

Version 1.1.7 (released 09-Sep-2010)

  * display Subversion revision properties in the revision view (#453)
  * fix exception in 'standalone.py -r REPOS' when run without a config file
  * fix standalone.py server root deployments (--script-alias='')
  * add rudimentary Basic authn support to standalone.py (Unix-only) (#49)
  * fix obscure "unexpected NULL parent pool" Subversion bindings error
  * enable path info / link display in remote Subversion root revision view
  * fix vhost name case handling inconsistency (#466)
  * use svn:mime-type property charset param as encoding hint
  * markup Subversion revision references in log messages (#313)
  * add rudimentary support for FastCGI-based deployments (#464)
  * fix query script WSGI deployment
  * add configuration to fix query script cross-linking to ViewVC

Version 1.1.6 (released 02-Jun-2010)

  * add rudimentary support for WSGI-based deployments (#397)
  * fix exception caused by trying to HTML-escape non-string data (#454)
  * fix incorrect RSS feed Content-Type header (#449)
  * fix RSS <title> encoding problem (#451)
  * allow 'svndbadmin purge' to work on missing repositories (#452)

Version 1.1.5 (released 29-Mar-2010)

  * security fix: escape user-provided search_re input [CVE-2010-0132]

Version 1.1.4 (released 10-Mar-2010)

  * security fix: escape user-provided query form input [CVE-2010-0736]
  * fix standalone.py failure (when per-root options aren't used) (#445)
  * fix annotate failure caused by ignored svn_config_dir (#447)

Version 1.1.3 (released 22-Dec-2009)

  * security fix: support per-root authz config in root listing [CVE-2010-0004]
  * security fix: validate configured query.py authorizer [CVE-2010-0005]
  * fix URL-ification of truncated log messages (#3)
  * fix regexp input validation (#426, #427, #440)
  * add support for configurable tab-to-spaces conversion
  * fix not-a-sequence error in diff view
  * allow viewvc-install to work when templates-contrib is absent
  * minor template improvements/corrections
  * expose revision metadata in diff view (#431)
  * markup file/directory item property URLs and email addresses (#434)
  * make ViewVC cross copies in Subversion history by default
  * fix bug that caused standalone.py failure under Python 1.5.2 (#442)
  * fix support for per-vhost overrides of authorizer parameters (#411)
  * fix root name identification in query.py interface

Version 1.1.2 (released 11-Aug-2009)

  * security fix: validate the 'view' parameter [CVE-2009-3618]
  * security fix: avoid printing illegal parameter names/values [CVE-2009-3619]
  * add optional support for character encoding detection (#400)
  * fix username case handling in svnauthz module (#419)
  * fix cvsdbadmin/svnadmin rebuild error on missing repos (#420)
  * don't drop leading blank lines from colorized file contents (#422)
  * add file.ezt template logic for optionally hiding binary file contents

Version 1.1.1 (released 03-Jun-2009)

  * fix broken query form (missing required template variables) (#416)
  * fix bug in cvsdb which caused rebuild operations to lose data (#417)
  * fix cvsdb purge/rebuild repos lookup to error on missing repos
  * fix misleading file contents view page title

Version 1.1.0 (released 13-May-2009)

  * add support for full content diffs (#153)
  * make many more data dictionary items available to all views
  * various rcsparse and tparse module fixes
  * add daemon mode to standalone.py (#235)
  * rework helper application configuration options (#229, #62)
  * teach standalone.py to recognize Subversion repositories via -r option
  * now interpret relative paths in "viewvc.conf" as relative to that file
  * add 'purge' subcommand to cvsdbadmin and svndbadmin (#271)
  * fix orphaned data bug in cvsdbadmin/svndbadmin rebuild (#271)
  * add support for query by log message (#22, #121)
  * fix bug parsing 'svn blame' output with too-long author names (#221)
  * fix default standalone.py port to be within private IANA range (#234)
  * add unified configury of allowed views; checkout view disabled by default
  * add support for ranges of revisions to svndbadmin (#224)
  * make the query handling more forgiving of malformatted subdirs (#244)
  * add support for per-root configuration overrides (#371)
  * add support for optional email address mangling (#290)
  * extensible path-based authorization subsystem (#268), supporting:
    - Subversion authz files (new)
    - regexp-based path hiding (for compat with 1.0.x)
    - file glob top-level directory hiding (for compat with 1.0.x)
  * allow default file view to be "markup" (#305)
  * add support for displaying file/directory properties (#39)
  * pagination improvements
  * add gzip output encoding support for template-driven pages
  * fix cache control bugs (#259)
  * add RSS feed URL generation for file history
  * add support for remote creation of ViewVC checkins database
  * add integration with Pygments for syntax highlighting
  * preserve executability of Subversion files in tarballs (#233)
  * add ability to set Subversion runtime config dir (#351, #339)
  * show RSS/query links only for roots found in commits database (#357)
  * recognize Subversion svn:mime-type property values (#364)
  * hide CVS files when viewing tags/branches on which they don't exist
  * allow hiding of errorful entries from the directory view (#105)
  * fix directory view sorting UI
  * tolerate malformed Accept-Language headers (#396)
  * allow MIME type mapping overrides in ViewVC configuration (#401)
  * fix exception in rev-sorted remote Subversion directory views (#409)
  * allow setting of page sizes for log and dir views individually (#402)

Version 1.0.14 (released 24-Jan-2017)

  * security fix: escape nav_data name [CVE-2017-5938]
  * fix bug that prevented mod_python 3.4+ deployment (issue #540)

Version 1.0.13 (released 24-Oct-2012)

  * security fix: escape "extra" diff info (#515) [CVE-2012-4533]
  * security fix: remove override of cvsdb row limit [CVE-2009-5024]
  * fix obscure "unexpected NULL parent pool" Subversion bindings error
  * fix svndbadmin failure on deleted paths under Subversion 1.7 (issue #499)

Version 1.0.12 (released 02-Jun-2010)

  * fix exception caused by trying to HTML-escape non-string data (issue #454)

Version 1.0.11 (released 29-Mar-2010)

  * security fix: escape user-provided search_re input [CVE-2010-0132]

Version 1.0.10 (released 10-Mar-2010)

  * security fix: escape user-provided query form input [CVE-2010-0736]
  * fix errors viewing remote Subversion paths with URI-unsafe characters
  * fix regexp input validation (issue #426, #427, #440)

Version 1.0.9 (released 11-Aug-2009)

  * security fix: validate the 'view' parameter [CVE-2009-3618]
  * security fix: avoid printing illegal parameter names/values [CVE-2009-3619]

Version 1.0.8 (released 05-May-2009)

  * fix directory view sorting UI
  * tolerate malformed Accept-Language headers (#396)
  * fix directory log views in revision-less Subversion repositories
  * fix exception in rev-sorted remote Subversion directory views (#409)

Version 1.0.7 (released 14-Oct-2008)

  * fix regression in the 'as text' download view (#373)

Version 1.0.6 (released 16-Sep-2008)

  * security fix: validate content_type (#354) [CVE-2005-4831, CVE-2008-4325]
  * fix bug in regexp search filter when used with sticky tag (#346)
  * fix bug in handling of certain 'co' output (#348)
  * fix regexp search filter template bug
  * fix annotate code syntax error
  * fix mod_python import cycle (#369)

Version 1.0.5 (released 28-Feb-2008)

  * security fix: query: omit commits of solely forbidden files [CVE-2008-1290]
  * security fix: disallow navigation to hidden CVSROOT folder [CVE-2008-1291]
  * security fix: multiple forbidden path exposures [CVE-2008-1292]
  * new 'forbiddenre' regexp-based path authorization feature
  * fix root name conflict resolution inconsistencies (#287)
  * fix an oversight in the CVS 1.12.9 loginfo-handler support
  * fix RSS feed content type to be more specific (#306)
  * fix entity escaping problems in RSS feed data (#238)
  * fix bug in tarball generation for remote Subversion repositories
  * fix query interface file-count-limiting logic
  * fix query results plus/minus count to ignore forbidden files
  * fix blame error caused by 'svn' unable to create runtime config dir

Version 1.0.4 (released 10-Apr-2007)

  * fix some markup bugs in query views (#266)
  * fix loginfo-handler's support for CVS 1.12.9 (#151, #257)
  * make viewvc-install able to run from an arbitrary location
  * update viewvc-install's output for readability
  * fix bug writing commits to non-MyISAM databases (#262)
  * allow long paths in generated tarballs (#12)
  * fix bug interpreting EZT substitute patterns
  * fix broken markup view disablement
  * fix broken directory view link generation in directory log view
  * fix Windows-specific viewvc-install bugs
  * fix broke query result links for Subversion deleted items (#296)
  * fix some output XHTML validation buglets
  * fix database query cache staleness problems (#180)

Version 1.0.3 (released 13-Oct-2006)

  * security fix: declare charset for views [CVE-2006-5442]
  * fix bug in path shown for Subversion deleted-under-copy items (#265)

Version 1.0.2 (released 29-Sep-2006)

  * minor documentation fixes
  * fix Subversion annotate functionality on Windows (#18)
  * fix annotate assertions on uncanonicalized #include paths (#208)
  * make RSS URL method match the method used to generate it (#245)
  * fix Subversion annotation to run non-interactively, preventing hangs
  * fix bug in custom syntax highlighter fallback logic
  * fix bug in PHP CGI hack to avoid force-cgi-redirect errors

Version 1.0.1 (released 20-Jul-2006)

  * fix exception on log page when use_pagesize is enabled
  * fix an XHTML validation bug in the footer template (#239)
  * fix handling of single-component CVS revision numbers (#237)
  * fix bug in download-as-text URL link generation (#241)
  * fix query.cgi bug, missing 'rss_href' template data item (#249)
  * no longer omit empty Subversion directories from tarballs (#250)
  * use actual modification time for Subversion directories in tarballs

Version 1.0 (released 01-May-2006)

  * add support for viewing Subversion repositories
  * add support for running on MS Windows
  * generate strict XHTML output
  * add support for caching by sending "Last-Modified", "Expires", 
    "ETag", and "Cache-Control" headers
  * add support for Mod_Python on Apache 2.x and ASP on IIS
  * Several changes to standalone.py:
    - -h commandline option to specify hostname for non local use.
    - -r commandline option may be repeated to use more than repository
      before actually installing ViewCVS.
    - New GUI field to test paging.
  * add new, better-integrated query interface
  * add integrated RSS feeds
  * add new "root_as_url_component" option to embed root names as
    path components in ViewCVS URLs for a more natural URL scheme
    in ViewCVS configurations with multiple repositories.
  * add new "use_localtime" option to display local times instead of UTC times
  * add new "root_parents" option to make it possible to add and
    remove repositories without modifying the ViewCVS configuration
  * add new "template_dir" option to facilitate switching between sets of 
    templates
  * add new "sort_group_dirs" option to disable grouping of
    directories in directory listings
  * add new "port" option to connect to a MySQL database on a nonstandard port
  * make "default_root" option optional. When no root is specified,
    show a page listing all available repositories
  * add "default_file_view" option to make it possible for relative
    links and image paths in checked out HTML files to work without
    the need for special /*checkout*/ prefixes in URLs. Deprecate
    "checkout_magic" option and disable by default
  * add "limit_changes" option to limit number of changed files shown per
    commit by default in query results and in the Subversion revision view
  * hide CVS "Attic" directories and add simple toggle for showing
    dead files in directory listings
  * show Unified, Context and Side-by-side diffs in HTML instead of
    in bare text pages
  * make View/Download links work the same for all file types
  * add links to tip of selected branch on log page
  * allow use of "Highlight" program for colorizing
  * enable enscript colorizing for more file types
  * add sorting arrows for directory views
  * get rid of popup windows for checkout links
  * obfuscate email addresses in html output by encoding @ symbol
    with an HTML character reference
  * add paging capability
  * Improvements to templates
    - add new template authoring guide
    - increase coverage, use templates to produce HTML for diff pages,
      markup pages, annotate pages, and error pages
    - move more common page elements into includes
    - add new template variables providing ViewCVS URLs for more 
      links between related pages and less URL generation inside
      templates
  * add new [define] EZT directive for assigning variables within templates
  * add command line argument parsing to install script to allow 
    non-interactive installs
  * add stricter parameter validation to lower likelihood of cross-site
    scripting vulnerabilities
  * add support for cvsweb's "mime_type=text/x-cvsweb-markup" URLs
  * fix incompatibility with enscript 1.6.3
  * fix bug in parsing FreeBSD rlog output
  * work around rlog assumption all two digit years in RCS files are
    relative to the year 1900.
  * change loginfo-handler to cope with spaces in filenames and
    support a simpler command line invocation from CVS
  * make cvsdbadmin work properly when invoked on CVS subdirectory
    paths instead of top-level CVS root paths
  * show diff error when comparing two binary files
  * make regular expression search skip binary files
  * make regular expression search skip nonversioned files in CVS
    directories instead of choking on them
  * fix tarball generator so it doesn't include forbidden modules
  * output "404 Not Found" errors instead of "403 Forbidden" errors
    to not reveal whether forbidden paths exist
  * fix sorting bug in directory view
  * reset log and directory page numbers when leaving those pages
  * reset sort direction in directory listing when clicking new columns
  * fix "Accept-Language" handling for Netscape 4.x browsers   
  * fix file descriptor leak in standalone server
  * clean up zombie processes from running enscript
  * fix mysql "Too many connections" error in cvsdbadmin
  * get rid of mxDateTime dependency for query database
  * store query database times in UTC instead of local time
  * fix daylight saving time bugs in various parts of the code

Version 0.9.4 (released 17-Aug-2005)

  * security fix: query: omit forbidden/hidden modules

Version 0.9.3 (released 17-May-2005)

  * security fix: disallow bad "content-type" input [CVE-2004-1062]
  * security fix: disallow bad "sortby" and "cvsroot" input [CVE-2002-0771]
  * security fix: omit forbidden/hidden modules from tarballs [CVE-2004-0915]

Version 0.9.2 (released 15-Jan-2002)

  * fix redirects to Attic for diffs
  * fix diffs that have no changes (causing an infinite loop)

Version 0.9.1 (released 26-Dec-2001)

  * fix a problem with some syntax in ndiff.py which isn't compatible
    with Python 1.5.2 (causing problems at install time)
  * remove a debug statement left in the code which continues to
    append lines to /tmp/log

Version 0.9 (released 23-Dec-2001)

  * create templates for the rest of the pages: markup pages, graphs,
    annotation, and diff.
  * add multiple language support and dynamic selection based on the
    Accept-Language request header
  * add support for key/value files to provide a way for user-defined
    variables within templates
  * add optional regex searching for file contents
  * add new templates for the navigation header and the footer
  * EZT changes:
    - add formatting into print directives
    - add parameters to [include] directives
    - relax what can go in double quotes
    - [include] directives are now relative to the current template
    - throw an exception for unclosed blocks
  * changes to standalone.py: add flag for regex search
  * add more help pages
  * change installer to optionally show diffs
  * fix to log.ezt and log_table.ezt to select "Side by Side" properly
  * create dir_alternate.ezt for the flipped rev/name links
  * various UI tweaks for the directory pages

Version 0.8 (released 10-Dec-2001)

  * add EZT templating mechanism for generating output pages
  * big update of cvs commit database
    - updated MySQL support
    - new CGI
    - better database caching
    - switch from old templates to new EZT templates (and integration
      of look-and-feel)
  * optional usage of CVSGraph is now builtin
  * standalone server (for testing) is now provided
  * shifted some options from viewcvs.conf to the templates
  * the help at the top of the pages has been shifted to separate help
    pages, so experienced users don't have to keep seeing it
  * paths in viewcvs.conf don't require trailing slashes any more
  * tweak the colorizing for Pascal and Fortran files
  * fix file readability problem where the user had access via the
    group, but the process' group did not match that group
  * some Daylight Savings Time fixes in the CVS commit database
  * fix tarball generation (the file name) for the root dir
  * changed default human-readable-diff colors to "stoplight" metaphor
  * web site and doc revamps
  * fix the mime types on the download, view, etc links
  * improved error response when the cvs root is missing
  * don't try to process vhosts if the config section is not present
  * various bug fixes and UI tweaks