Subtext 2.1 Released! Contains Security Update


A Subtext user found a security flaw that opens Subtext up to potential XSS (cross-site scripting) attacks via comments. The flaw was introduced in Subtext 2.0 by the feature that converts URLs in comments to anchor tags. If you are still on 1.9.5b or earlier, you are not affected by this issue. If you upgraded to 2.0, please update to 2.1 as soon as you can.

Note that if someone attempts to abuse your comments, you can edit the offending comments in the admin section of your blog to clean them up.

This release has several other bug fixes and usability improvements as well. I started to replace the use of UpdatePanel in some areas with straight up jQuery, which ends up reducing bandwidth usage.

List of bug fixes and changes:

  • Fixed a Medium Trust issue by removing calls to UrlAuthorizationModule.CheckUrlAccessForPrincipal, which is not allowed under medium trust.
  • Removed the email address from the RSS feed by default and added a Web.config setting to change this, in order to protect against spamming.
  • Upgraded the Jayrock assembly to fix the issue with VerificationException being thrown.
  • Fixed the code that strips HTML from comments when displaying recent comments. Certain cases would cause a CPU spike.
  • Fixed Remember Me functionality for the OpenID login.
  • Fixed a bug with adding categories in which an error was displayed, even though the category was added correctly.
  • Fixed a bug in the code that converts URLs to anchor tags.
  • Upgraded jQuery to version 1.2.6.
  • Improved the timezone selection UI with jQuery.

I was the one who implemented the feature at fault. Unfortunately the way the feature was written made it such that it reversed earlier scrubbing of the HTML due to a mistake in how I used SgmlReader. I apologize for the mistake. It won’t happen again.
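The ordering mistake described above, as an added illustration that is not Subtext's code. It is written in Python rather than C#, so the SgmlReader round-trip is only modelled: `html.unescape` stands in for re-reading already-scrubbed text as HTML, which is an assumption about how the scrubbing was reversed, not a reconstruction of the actual bug. The hardened version shows the property a comment renderer should have: it never decodes or re-parses user text, it encodes every run at the moment it is emitted, and the only tags in the output are the ones it wrote itself. The sample comment is constructed.

```python
import html
import re

# Matches http/https URLs; stops at whitespace, angle brackets and quotes so a
# URL can never run into surrounding markup or attribute delimiters.
URL_RE = re.compile(r'\bhttps?://[^\s<>"\']+', re.IGNORECASE)


def scrub_html(text: str) -> str:
    """Stage 1 of the pipeline: neutralise every tag in a comment by HTML-encoding it."""
    return html.escape(text, quote=True)


def render_comment_buggy(raw: str) -> str:
    """Constructed model of the 2.0 ordering mistake: the autolinker re-reads the
    scrubbed text as HTML (html.unescape stands in for the SgmlReader round-trip,
    an assumption), which restores the original tags, and then wraps URLs
    without encoding anything."""
    scrubbed = scrub_html(raw)
    decoded = html.unescape(scrubbed)          # the earlier scrubbing is undone here
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', decoded)


def render_comment(raw: str) -> str:
    """Hardened version: never decode, never parse. Split the raw comment into
    URL and non-URL runs, encode each run as it is emitted, and build the anchor
    from already-encoded pieces. The only tags in the result are the ones this
    function wrote."""
    parts = []
    pos = 0
    for m in URL_RE.finditer(raw):
        parts.append(html.escape(raw[pos:m.start()], quote=True))
        url = html.escape(m.group(0), quote=True)
        parts.append(f'<a href="{url}" rel="nofollow">{url}</a>')
        pos = m.end()
    parts.append(html.escape(raw[pos:], quote=True))
    return "".join(parts)


def foreign_tag_count(rendered: str) -> int:
    """Defender's check: count tags in the output that the renderer did not generate.
    Anything left after removing the <a ...>/</a> pair means user markup survived."""
    stripped = re.sub(r'<a href="[^"]*"[^>]*>|</a>', "", rendered)
    return len(re.findall(r"<[^>]*>", stripped))


# Constructed sample comment: a legitimate link followed by user-supplied markup
# that the scrubbing step is supposed to neutralise.
SAMPLE = 'Nice post, see http://example.com/page <b>bold</b>'

if __name__ == "__main__":
    print("buggy :", render_comment_buggy(SAMPLE))
    print("fixed :", render_comment(SAMPLE))
    print("leaked tags (buggy):", foreign_tag_count(render_comment_buggy(SAMPLE)))
    print("leaked tags (fixed):", foreign_tag_count(render_comment(SAMPLE)))
```

`foreign_tag_count` is the kind of assertion worth keeping in a test suite for any comment renderer: run it over stored comments after every change to the display pipeline, and a nonzero count means a later stage has reintroduced markup that an earlier stage removed.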

Many thanks go out to Adrian Bateman for pointing out the bug and the fix.

Notes for new installations

The install package includes a default Subtext2.1.mdf file for SQL Server 2005 Express. If you plan to run your blog on SQL Server Express, installation is as easy as copying the install files to your web root. If you are not using SQL Server Express but plan to use SQL Server 2005, you can attach the supplied .mdf file and use it as your database.

Notes for upgrading

The database files in the app_data folder of the install package apply only to new installs, so feel free to delete them when upgrading. Subtext 2.1 has no schema changes, so upgrading should be smooth.

Full upgrade instructions are on the Subtext project website.

Download it here. Note that the file is the one you want to use to upgrade your site. The other file contains the source in case you want to build the solution.




18 responses

  1. Si Philp, November 27th, 2008

    This is fantastic news. I was about to do an upgrade from the trunk now I don't need to :)

  2. Andrei Rînea, November 27th, 2008

    When will an MVC version appear? :D

  3. Dragan Panjkov, November 28th, 2008

    Excellent work, Phil! I finally managed to successfully upgrade the installation on my blog to from 1.9.3 (all upgrade attempts to other releases were unsuccessful).

  4. Braden, November 28th, 2008

    Most excellent! :) Thank you, Phil!!

  5. Aetrex, November 30th, 2008

    Phil, this is excellent news. Great!

  6. Flavio Muniz, December 2nd, 2008

    Does it have any way I leave the title be on the tagcloud by default?

  7. Robbie, December 6th, 2008

    Finally got around to upgrading my blog from 1.9.5 to Looking forward to future goodness.

  8. Pierre Henri Kuate, December 6th, 2008

    I just migrated from v2.0 to v2.1 and I noticed that, in Web.config, you removed the assemblyBinding to redirect System.Web.Extensions to .NET 3.5 which causes the error: "The server tag 'asp:ScriptManager' is ambiguous."
    So I had to add it back to make it work again.
    Thanks for this great product!

  9. holywolf, January 8th, 2009

    I have updated to Subtext 2.1, and when I edit an existing category I get an error message:
    Value cannot be null. Parameter name: str
    How can I fix this?

  10. Pankaj Mishra, April 7th, 2009

    Good work, Phil. Now I am thinking of moving to Subtext.

  11. Eric, July 18th, 2010

    Hi Phil,
    I'm having issues with UrlAuthorizationModule.CheckUrlAccessForPrincipal and medium trust, how did you replace this functionality? Thanks.

  12. Nt Ice, February 1st, 2011

    When I updated to the latest Subtext I was having email problems. I was able to solve the problem, so I do get notified when comments / contact form submissions are made. If you upgrade to 2.5 and run into the "email isn't being sent" issue, make sure you're logged out. Log out of both the HostAdmin and the blog proper.

  13. Email Sender, July 23rd, 2011

    NTice, it is possible to have problems with your email server.

  14. lite 1.4, August 2nd, 2011

    Very good news, thanks.

  15. Rent A Car Malaga, August 8th, 2011

    It feels really good to know about the update file, which is so important. The edition in the specific errors are as eliminated, so it will be great to use this latest version.

  16. debouchage canalisation paris, September 11th, 2011

    Thanks for sharing, I like your blog. Thank you.

  17. Escorts in Atlanta, October 14th, 2011

    I had a great time over here and I found plenty of sources which are useful in many ways. Keep going.

  18. phillip, March 8th, 2015

    Ha ha ha... Thanks. At this point I think the two undecided people in this world will have to make up their own minds and not have me tell them what to think (though I think I would do a fine job of that).