
Releases: gollum/gollum

Release v6.0.1

25 Jul 19:05

6.0.1

Fixes & Improvements

  • Use static assets when APP_ENV is development (@dometto)
  • Explicitly require Rack 3 or greater (@dometto)
  • Let the --base-path wiki option handle leading and trailing slashes in path values (e.g. --base-path /my-wiki). (@dometto)

Release v6.0.0

03 May 20:43

6.0.0

See the 6.0 release notes.

Breaking Changes

  • Docker image: removed deprecated automatic activation of --mathjax. Pass --math mathjax to continue using MathJax, or --math to use KaTeX (see below).
  • RACK_ENV is ignored, please use APP_ENV instead (@svoop).

New Features

  • Add support for Mermaid diagrams (@dometto).
  • Add support for downloading page sources with ?raw (@tstein).
  • Add OpenSSH client to Docker images for SSH repo support (@jagerkin).
  • Add support for mathematical typesetting using KaTeX (@dometto). Users can now choose between MathJax and KaTeX with the --math flag.
  • Add support for more languages (Chinese).

Fixes & Improvements

  • Fix (Docker image): add git configuration for /wiki as safe directory. #2006
  • Fix: use base_path as set in config file.

Release v5.3.2

01 May 18:44

Release v5.3.1

20 Mar 16:35

A backport of some fixes from the current development branch that make Gollum compatible with Ruby 3.2!

Work on Gollum 6.0 continues steadily, and we hope to be able to release it soon.

Release v5.3.0

25 May 09:27

5.3.0 / 2022-05-24

  • Feature: allow for overriding only specific Mustache templates/partials (@beporter)
  • Feature: Add option to show browser's local time (@NikitaIvanovV)
  • Improvement: presentation on mobile devices (@benjaminwil)
  • Improvement: Add page context to template filter. #1603 (@tevino)
  • Fix: restore normalize check on file upload (@manofstick)
  • Fix MathJax on edit and create pages. #1772 (@fhchl)
  • Fix UTF-8 issues: #1721 #1758 #1801 (@basking2, @dometto)
  • Fix an IME rendering issue. #1735 (@yy0931)
  • Fix broken history button when viewing historical deleted file. (@NikitaIvanovV)
  • Fix: non-ASCII characters in page names were not rendered correctly in the preview tab of the "Edit" page. #1739 (@yy0931)
  • Fix: anchors and header display on JRuby. #1779

Release 5.1.2

15 Jul 08:42

Gollum versions from 5.0 up to this release were vulnerable to CVE-2020-35305, a Cross-Site Scripting (XSS) vulnerability. Please update!

NB: this report has arrived late because it took about two years for a CVE to be reserved. 😢 Newer versions of Gollum have been released since, which are all unaffected by this vulnerability.

Description of the vulnerability

  • Vulnerability Type: Cross Site Scripting (XSS)
  • Affected Component: Gollum wiki's Overview and Pages.
  • Result: Run arbitrary JavaScript on Gollum's Overview and Pages pages.
  • Attack Vectors: Enter a maliciously crafted filename in the 'New Page' dialog
  • Discoverer: Tsubasa Umeuchi (@Szarny)

Reproducing the vulnerability

Filenames of the following form triggered the vulnerability on the Overview and Pages views: '<img src=x onerror=alert(1) />'.

Solution

We now sanitize displayed page names (137728c) and have added regression tests guarding against this and similar vulnerabilities. Thanks to @Szarny for the report!
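As an added illustration of the fix described above (example code, not Gollum's own), the Ruby snippet below contrasts interpolating a page name straight into an overview-style listing with escaping it first, and includes a regression check in the spirit of the one the maintainers added. The page names, helper names and the check itself are constructed for this example.

```ruby
require "erb"
require "uri"

# Constructed sample page names for this example; the last one has the shape
# of the filename reported for CVE-2020-35305 and is not real wiki data.
PAGE_NAMES = [
  "Home",
  "Meeting Notes 2022",
  "<img src=x onerror=alert(1) />"
].freeze

# Vulnerable pattern: the page name is interpolated straight into the markup,
# so a name that is itself HTML becomes live markup in the listing.
def render_list_item_unsafe(name)
  %(<li><a href="/#{name}">#{name}</a></li>)
end

# Hardened pattern: URL-encode the name for the href and HTML-escape it for
# the text node, so the browser only ever sees the name as text.
def render_list_item_safe(name)
  href = URI.encode_www_form_component(name)
  text = ERB::Util.html_escape(name)
  %(<li><a href="/#{href}">#{text}</a></li>)
end

# Regression check: the rendered fragment may contain only the wrapping
# <li> and <a> tags, and none of those tags may carry an event-handler
# attribute. Escaped text contains no "<", so it never counts as a tag.
def escaped_correctly?(fragment)
  tags = fragment.scan(/<[^>]+>/)
  names = tags.map { |t| t[/\A<\/?([a-zA-Z][a-zA-Z0-9]*)/, 1].to_s.downcase }
  names.uniq.sort == %w[a li] && tags.none? { |t| t.match?(/\son\w+\s*=/i) }
end

# Render every constructed name both ways and report which version passes.
def audit(names = PAGE_NAMES)
  names.map do |name|
    {
      name: name,
      unsafe_ok: escaped_correctly?(render_list_item_unsafe(name)),
      safe_ok: escaped_correctly?(render_list_item_safe(name))
    }
  end
end

audit.each { |r| puts "#{r[:name].inspect}: unsafe=#{r[:unsafe_ok]} safe=#{r[:safe_ok]}" }
```

Benign names pass the check either way; only the crafted name exposes the difference, which is why a regression test needs a name of that shape rather than ordinary titles.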