TWiki 4.2.3 Windows installer update

TWiki 4.2 for windows – with fully integrated native installers that will update your Computer with perl, apache and other tools needed to run TWiki.

The first of these installers released is the  Windows TWiki installer, and includes

  1. Apache 2.2, (apache_2.2.10-win32-x86-openssl-0.9.8i.msi)
  2. ActiveState Perl (ActivePerl-
  3. Gnu Grep
  4. Gnu rcs
  5. Vanilla TWiki 4.2.3.

If the installer detects that you already have the same version (or later) of apache, perl, grep or rcs installed, it will only install the needed components. TWiki is installed into c:\Program Files\TWiki. The main change to the installer is that it now tries to detect non-English ‘Program Files’ directories and install into the right place.

Please download it, try it out and report your impressions, gripes, bugs and successes here on, or in the TWiki Bugs system.

Another TWiki innovation brought to you by fosiki, a founding partner.

Working towards Native TWiki attachment search

And along the way, TWiki’s inbuilt Topic and structured Search is going to get a boost too.

I’ve been working on trying to bring SearchEngineKinoSearchAddOn into TWiki properly – by adding it as a configuration item in the SearchAlgorithms. So far, its a pretty cool – it super fast, especially on my test topic set of 50,000 plants – even allowing simple structured queries based on TWiki FormFields.

The work will require a few refactorings that will be in TWiki 4.2.2 and above (planned for mid-September), so I expect things to move along quickly.

Enterprise Wiki – TWiki 4.2.1 update released

This release makes over 150 improvements to the current Enterprise TWiki.

Along with many WYSIWYG Editing improvements, better UTF8 support, User mapping fixes and SEARCH improvements, This release contains an optimization that should see 4.2.1 being 10-30% faster than 4.2.0.

I will be updating the TWikiInstallers as soon as I can – the Windows installer should see the biggest impact, as I have managed to fix a number of SEARCH issues that are windows specific.

see TWikiRelease04x02x01 for more details.

Debian TWiki repository now with 212 TWiki Plugins, Contribs, Skins and more.

I’ve just updated the Experimental TWiki and Plugins repository. It now contains TWiki 4.2.0 and 212 Plugins, Contribs and Skins that you can simply apt-get install

To use them, add the following 2 lines to your /etc/apt/sources.list

deb experimental main contrib
deb-src experimental main contrib

then type

apt-get update

to update the available packages.

you can now see all 212 packages with apt-cache search twiki-

and install (assuming you don’t have twiki installed yet)

apt-get install apache2 twiki

and TWiki Contrib installation is as easy as

apt-get install twiki-bugscontrib

You will still need to use configure to enable Plugins.

Please report your experiences to me – bugs, gripes, you name it – its a work in progress. and I need your help!

defense against the dark arts? (Cross site scripting and Cross Site forgery)

I was having a discussion with someone on IRC about how TWiki is vulnerable to Cross-site scripting and Cross-site request forgery, and we realized that there are 2 possible approaches to securing TWiki effectively (both requiring a unique magic number for all URLs):

  1. add a pre process to the TWiki::UI system, requiring a valid and unique magic, and a post process step between rendering and output to the browser
  2. use a small proxy system between TWiki and browsers to add and validate the magic
  1. is actually still risky as all scripts still are able to output directly to the browser using a =print= statement, thus giving the user urls that may not have a necessary magic in the url, or similarly for AddOns that persist in not using resthandlers.

whereas 2. abstracts the security from the application server, in much the same way as it is for ssl – goodness all round.

So – I wonder if there is such a proxy already?

There are also massive performance reasons why you should always have a proxy between browsers and heavy application servers like TWiki – this too could do with filling out.Securing TWiki is not as simple as converting all actions to POST (ie using proper REST / HTTP) because there are too many legacy conveniences, allowing GET URL’s to act upon the data. But, by delegating the securing of the transactions to an external wrapper, I think we can avoid these flaws.
see Wikipedia on Cross Site Scripting and Cross-site request forgery

progress towards TWiki 4.2.1 patch release.

(test post using Gnome Webog poster)

The last fortnight, I’ve been working on creating a new, soon to be released to web 2.0 ‘Beta’ site based on TWiki 4.2.0. That means that I’ve been busy finding, reporting and fixing Bugs for TWiki 4.2.1.

The list todate are:

Item5455 BuildContrib doesn’t cope with larger numbers of files Closed 15 Apr 2008 – 04:34 SvenDowideit

Item5536 robots.txt is missing some obvious scripts – like login Waiting for Release 14 Apr 2008 – 08:43 SvenDowideit

Item5535 IF{“$BANNER” does not really work. Waiting for Release 14 Apr 2008 – 06:49 SvenDowideit

Item5534 missing contexts for several bin scripts Waiting for Release 14 Apr 2008 – 06:25 SvenDowideit

Item5533 tmpl login script does not do writeCompletePage, so it does not get addToHEAD bits. Waiting for Release 14 Apr 2008 – 05:10 SvenDowideit

Item5513 update TalkContrib topic Closed 11 Apr 2008 – 06:19 SvenDowideit

Item5509 IF & query String matching may be incorrectly greedy. Waiting for Release 11 Apr 2008 – 01:55 SvenDowideit

Item5501 IF allows does not work correctly if the topic does not exist. Waiting for Release 11 Apr 2008 – 01:41 SvenDowideit

Item5510 initial version of TalkContrib Closed 09 Apr 2008 – 08:11 SvenDowideit

Item5499 TWiki::UI::Resister::changePassword sends login, not cUID to TWiki::Users::setPassword Waiting for Release 04 Apr 2008 – 02:24 SvenDowideit

Item5496 Conclusion: Turn off UTF-8 test case until bug is fixed (4.2 branch only) Waiting for Release 03 Apr 2008 – 02:06 SvenDowideit

Item5495 add twikiBroadcastMessage class div to default & classic skins Waiting for Release 03 Apr 2008 – 00:53 SvenDowideit

TWiki 4.2.0 OpenIDUserContrib Consumer released.

I have just uploaded the OpenIDUserContrib for TWiki 4.2.0. It adds OpenID login and 1.1 Attribute functionalty to TWiki.

Currently, it disables Registration, and limits authentication to OpenID users.

It has the advantage over the OpenIDAuth apache module, that it automatically requests the User’s OpenId 1.1 attributes like Name, Email address directly from their OpenID identity.

While it trusts the user’s choice of ‘FullName’ registration attribute when displaying who made changes to topics, the TWiki topic source
actually stores the authenticating OpenID URI, thus their user details will be updated from the authentication server next time they log in.

Note that TWiki Topic based Groups are not yet implemented using this Mapper.

Future directions

  • add mixing of UserMappers to allow OpenID and ‘normal’ TWiki auth
  • turn TWiki into an OpenID identity server
  • add Safe Group definition system
  • add OpenId to TWiki’s registration process (would require openid auth first, then prefill registration details from any available attributes
    • This will require re-writing of TWiki’s inbuilt registration system
  • move the list of Known users and their mapping information from data/OpenIdUsers.txt to somewhere more scalable. (perhaps DBI)
    • combine the info TWiki uses persistently with the Session and other caching info OpenID11? uses

Net::OpenID11 (based on Net::JanRain::OpenID)

To make this work, I fixed the Perl bugs I found in Net::JanRain::OpenID, and renamed the resulting modules under Net::openID11 (as it is not OpenID2.0). I expect to upload these packages to CPAN some time soon.

If you want to take a look at the code – goto my Subversion repository

TWiki (4.2 final) Microsoft Windows, OSX and rpm (Centos & Fedora Core i386) installers

logoed_installer.jpgThese Windows, OSX, Centos and Fedora Core installers are fully integrated native installers that will update your Computer with perl, apache, rcs and other tools needed to run TWiki on that platform.TWiki 4.2.0 contains many new improvements to TWiki, including a much improved Wysiwyg editor, a structured query engine, a more generic authentication system and at the same time, the Core engine is faster than the previous twiki4 releases.The TWiki installers include native installs of (only installed if not already)

  1. Apache 2.2 (Windows & rpm)
  2. Perl (ActiveState – Windows & native for rpm)
  3. Gnu Grep (Windows only)
  4. Gnu rcs (All platforms)
  5. TWiki 4.2.0 Release.

Please download it, try it out and report your impressions, ideas, bugs and successes here, on, or in the TWiki Bugs system.

Another TWiki innovation brought to you by distributedINFORMATION &

Download TWiki Release 4.2.0

With the hard slog done, we’ve managed to release TWiki 4.2.0.

I will be updating and releasing the TWiki Installers, the TWiki debian package and the OpenID contrib in the next month (I need a little time to recover from the final release rush)

We’re looking forward to setting up the new release on the new Servers that were donated by Sun to the TWiki project – it’ll be fun using the DTrace probes to make TWiki faster for everyone before we start the new features for TWiki 5.0.

Updated TWiki BugsContrib package

WikiRing BugsContrib

I’ve just updated and uploaded a bug fixing release of the popular BugsContrib TWiki application. It is a classic example of a TWikiApplication created using only TWiki core functionality.

I’m planning on updating it to use the new 4.2.0 query based SEARCH’s – but I will continue to support TWiki version 4.0.x and 4.1.x.