Foswiki is an enterprise collaboration and information sharing tool targeted for professional use in many types of organizations: from small businesses to multi-nationals, from one-product open source groups, to worldwide research networks.
Foswiki is a wiki: fundamentally, a website with editable web pages. It looks like a normal web site but it encourages contributions, edits, updates, questions, and answers from its users. It's a powerful way of enabling a community to communicate asynchronously using intranet and public Internet websites. Foswiki is simple to learn and use. It aims to provide a transparent way for you to publish and exchange your ideas with others over the web and eliminates the one-webmaster syndrome of outdated intranet content.
Foswiki is a structured wiki with tools that enable users without programming skills to build powerful yet simple applications to process information and support workflows. Developers can extend the functionality of Foswiki with plugins.
Foswiki is backwards compatible with content generated on all previous Foswiki versions, and even content and many plugins from TWiki installations (Foswiki ships with a TWikiCompatibilityPlugin, thus enabling most extensions made for TWiki to work in Foswiki. TWiki® is a registered trademark of Peter Thoeny.)
Foswiki is released under the GNU General Public License.
Foswiki 1.0.0, the first Foswiki, was released on 09 Jan 2009.
Foswiki 1.0.1, 1.0.2 and 1.0.3 were released internally in the development community, but were never publicly released.
Foswiki 1.0.4 was built 19 Mar 2009. It is a patch release with more than 120 bug fixes relative to 1.0.0 and only very few minor enhancements.
Foswiki 1.0.5 was built 25 Apr 2009. It is a patch release with more than 150 bug fixes relative to 1.0.0 and a few enhancements. This patch release further enhances the robustness and the security of the Foswiki software.
Foswiki 1.0.6 was built 21 Jun 2009. It is a patch release with more than 200 bug fixes relative to 1.0.0 and some enhancements. This version introduces a major enhancement in security against Cross-Site Request Forgery. Furthermore, a central translation framework was introduced, which eases the translation process and enables all users to contribute to translations.
Foswiki 1.0.7 was built 20 Sep 2009. It is a patch release with more than 240 bug fixes relative to 1.0.0 and some enhancements. This release fixes some serious issues introduced by the CSRF fix and the redirect cache fix in 1.0.6. A major enhancement that also fixes many annoying editor bugs is the upgrade of the Tiny MCE editor to version 3.2.2.
Foswiki 1.0.8 was built 29 Nov 2009. It is a patch release with more than 280 bug fixes relative to 1.0.0 and some enhancements. This release fixes a short list of quite annoying old bugs, including a bug that prevented efficient use of MailerContrib for producing newsletters. The Wysiwyg editor has been upgraded with the latest Tiny MCE editor release 3.2.7.
Foswiki 1.0.9 was built 17 Jan 2010. It is a patch release with more than 320 bug fixes relative to 1.0.0 and several enhancements. This release fixes many bugs in the Wysiwyg editor, bugs related to more advanced wiki applications and bugs in the Plugin API. It contains several bug fixes and enhancements related to security and spam fighting.
Foswiki 1.0.10 was built 08 Sep 2010 as a patch release with more than 410 bug fixes relative to 1.0.0. It is assumed to be the last 1.0.X release.
Foswiki 1.1.0 was built 04 Oct 2010. It is a release with more than 270 bug fixes relative to 1.0.10 and more than 680 bug fixes relative to 1.0.0. The release also adds more than 100 enhancements. Foswiki 1.1.0 introduces the jQuery JavaScript user interface framework, improved topic history display, new QUERY and FORMAT macros, better user interfaces for groups, a much improved WYSIWYG editor, a facelift of the default skin, a much improved configure tool, and many more enhancements.
Foswiki 1.1.1 was built 25 Oct 2010. It is a release that fixes some important bugs that were introduced in 1.1.0. It is highly recommended that all installations running 1.1.0 upgrade to 1.1.1.
Foswiki 1.1.2 was built 09 Nov 2010. It is a release that fixes some very important bugs, including a security related bug. Installations running 1.1.0 and 1.1.1 should be upgraded to 1.1.2.
Foswiki 1.1.3 was built 16 Apr 2011. It is a release that fixes more than 150 bugs. jQuery has been updated to 1.4.3. The default PatternSkin has some usability improvements.
Foswiki 1.1.4 was built 20 Dec 2011. It is a release that fixes some very important issues, including some security related issues. It contains 143 fixes and 27 enhancements. jQuery has been updated to 1.7.1.
Foswiki 1.1.5 was built 10 Apr 2012. It is a release that fixes some very important issues including some security related issues. It contains 100 fixes and 20 enhancements.
Foswiki 1.1.6 was built 02 Dec 2012. It is a release that fixes some important issues including some minor security related issues. It contains 94 fixes and 27 enhancements.
Foswiki 1.1.7 was built 01 Feb 2013. It is a release that fixes CVE-2012-6329 and CVE-2012-6330. It contains 20 fixes and 4 enhancements.
Foswiki 1.1.8 was built 28 Feb 2013. It is a release that fixes CVE-2013-1666. It contains 4 fixes.
Foswiki 1.1.9 was built 18 Nov 2013. It is a release that contains 44 fixes and 4 enhancements.
Foswiki 1.1.10 was built 23 Nov 2015. It is a release that contains 8 fixes and 8 enhancements.
WARNING About {Store}{Encoding}: If you intend to use high-bit characters in attachment filenames (such as umlauts and accents), then links to these
attachments on Foswiki pages will not work on a non-utf-8 Store without modification. This is because Foswiki works internally using Unicode, but the store saves files to disk using your chosen
{Store}{Encoding}. Running the Store with other than utf-8 encoding is considered a transitional step and not recommended for long-term operation.
The strongly recommended solution is to convert your store to UTF8 at the earliest opportunity.
A partial workaround is implemented in the PubLinkFixupPlugin. This plugin will attempt to rewrite broken links. This generally gets linked images and other attachments working.
However the TinyMCEPlugin is still unable to render image links while editing a topic.
See Item13696 for up-to-date details.
Important changes in Foswiki 2.1.8
CVE-2023-24698: Local file inclusion vulnerability in viewfile
CVE-2023-33756: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server
Important changes in Foswiki 2.1.7
Multiple cross-site scripting vulnerabilities in jQuery and jQuery UI
These fixes are described in:
CVE-2021-41182: XSS in the `altField` option of the Datepicker widget in jQuery UI < 1.30.0
CVE-2021-41183: XSS in `*Text` options of the Datepicker widget in jQuery UI < 1.30.0
CVE-2021-41184: XSS in the `of` option of the `.position()` util in jQuery UI < 1.30.0
CVE-2016-7103: XSS in closeText option of Dialog in jQuery UI < 1.12.0
Fixes for CVE-2015-9251 and CVE-2019-11358 have been backported from jquery-3.x to jquery-2.x which is being used by default
Regular Expression Denial of Service vulnerability in jquery.validate
Details in CVE-2021-21252
Possible server-side request forgery exposing the session id
For decades Foswiki and TWiki had ways to access the session id of a user and make it available on a wiki page using the %SESSIONID macro.
Anybody who has access to a session id can use this session on behalf of the user that is associated with it.
There are multiple ways to leak this information to the outside using this macro. Therefore the two related macros %SESSIONID and %SESSIONVAR
are deprecated for security reasons and have been disabled by default using the {Sessions}{HideSessionVariable} setting. Note that these macros
will be removed completely in the next minor release.
QUERY macro does not check access rights
While macros such as %FORMFIELD allowed access only to information the current user has view rights for, the %QUERY macro does not.
Reimplementation of livequery using mutation observer
The LiveQuery module is at the core of Foswiki's JavaScript framework, but was abandoned upstream. In the meantime, modern browsers
all support a feature called "mutation observer" to monitor changes to the DOM in an efficient, standardized way. Thus a new module called Observer has been implemented
on this basis to initialize JavaScript modules in a declarative way, as was done before using LiveQuery.
Important changes in Foswiki 2.1.6
CVE-2018-7446
This is a critical Security Release, addressing CVE-2018-7446. In addition to installing this patch release, site administrators should follow the
recommended changes in Support.SecurityAlert-CVE-2018-7446 to ensure that certain critical topics are protected.
Additional default topic protections
A number of "operational" topics shipped in the Main and Sandbox web are not
protected from modifications by users. This release adds an ACL to most of the
default topics shipped in the Main and Sandbox webs to restrict modifications
to the Admin group.
The _default template web does not provide individual topic protections. The site
administrators should customize the desired permissions before allowing users
to create new webs.
Issues with NatEditPlugin Permissions tab not supporting certain ACLs.
It was discovered that the NatEditPlugin under some conditions will lose topic ACLs:
When a topic is copied, the ACLs in the source topic are not applied to the new topic.
If a topic contains crafted ACLs set using the More topic actions -> Edit settings dialog, they can be lost when the topic is edited by NatEdit. Specifically:
DENYTOPIC* ACLs (except for DENY = WikiGuest) are not supported by NatEdit and were silently discarded.
NatEditPlugin version 9.21 (shipped with this release) resolves this issue by disabling the "Permissions" tab when unsupported ACLs are detected.
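An audit for the two ACL issues above (default topics without a change restriction, and DENYTOPIC* settings that NatEdit could discard), as an added example that is not Foswiki's own code. The function names, finding labels and sample topics are constructed; the check is topic-level only and flags any DENYTOPIC* value other than the literal WikiGuest for review.

```python
import re

# Topic-text settings: "   * Set NAME = value" (indent in steps of 3 spaces or a tab).
SET_RE = re.compile(r"^(?:\t| {3})+\*[ \t]+Set[ \t]+(\w+)[ \t]*=[ \t]*(.*)$", re.M)
# Settings saved through "Edit settings": %META:PREFERENCE{name="..." value="..."}%
META_RE = re.compile(r"^%META:PREFERENCE\{(.*)\}%[ \t]*$", re.M)
ACL_NAME_RE = re.compile(r"^(?:ALLOW|DENY)TOPIC[A-Z]+$")


def acl_settings(topic_text):
    """Return {NAME: value} for every topic-level ACL setting in one topic."""
    found = {}
    for name, value in SET_RE.findall(topic_text):
        found[name] = value.strip()
    for attrs in META_RE.findall(topic_text):
        name = re.search(r'\bname="([^"]*)"', attrs)
        value = re.search(r'\bvalue="([^"]*)"', attrs)
        if name:
            found[name.group(1)] = value.group(1) if value else ""
    return {k: v for k, v in found.items() if ACL_NAME_RE.match(k)}


def audit(topic_text):
    """Return a sorted list of (finding, setting) pairs for one topic."""
    acl = acl_settings(topic_text)
    findings = []
    # Topic-level check only; web-wide settings are not considered here.
    if not acl.get("ALLOWTOPICCHANGE"):
        findings.append(("no-change-acl", "ALLOWTOPICCHANGE"))
    for name, value in acl.items():
        # Per the release note, DENYTOPIC* other than WikiGuest could be
        # lost when the topic is edited with NatEditPlugin older than 9.21.
        if name.startswith("DENYTOPIC") and value != "WikiGuest":
            findings.append(("natedit-may-drop", name))
    return sorted(findings)


# Constructed sample topics (not shipped Foswiki content).
PROTECTED = """Operational topic.
   * Set ALLOWTOPICCHANGE = AdminGroup
   * Set DENYTOPICVIEW = WikiGuest
"""
CRAFTED = """Team notes.
%META:PREFERENCE{name="DENYTOPICCHANGE" title="DENYTOPICCHANGE" type="Set" value="ContractorsGroup"}%
%META:PREFERENCE{name="ALLOWTOPICVIEW" title="ALLOWTOPICVIEW" type="Set" value="StaffGroup"}%
"""

if __name__ == "__main__":
    for label, text in (("PROTECTED", PROTECTED), ("CRAFTED", CRAFTED)):
        print(label, audit(text))
```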
Support for CaptchaPlugin in User Registration
A change has been made to the validate.js javascript used by the UserRegistration page. This will permit easier integration
of the Captcha Plugin to the default user registration page.
Important changes in Foswiki 2.1.5
New zone added as a default zone.
The body zone has been added as a default zone. It is rendered at the end
of the body, just before the </body> tag. This improves compatibility of PatternSkin with Foswiki:Extensions.NatSkin. A number of extensions released for NatSkin will not
function correctly without this zone. No changes are required unless you
have replaced the foswiki.tmpl or foswiki.pattern.tmpl with a local
version.
Additional support for Proxy configurations.
Foswiki has a new option under bin/configure -> Security and Authentication -> Proxies: {PROXY}{UseForwardedHeaders}. Enable this setting
if Foswiki is accessed through a reverse proxy. Foswiki will then use the X-Forwarded-For header to determine the Client IP address. This has several effects:
Foswiki will log the real Client IP address instead of the address of the reverse proxy server.
Session IP matching will use the real client IP when determining if the CGI Session is for the correct client.
Plugins that perform security functions based upon the IP address will see the real client IP address.
This setting should only be enabled if the majority of the clients access the server via the reverse proxy. It is possible for clients to spoof the
X-Forwarded-For header, so only enable this setting when appropriate to avoid client IP Address spoofing.
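The trust decision behind the spoofing warning above, as an added example that is not Foswiki's own code: a forwarded address is honoured only when the connection itself comes from a known reverse proxy. This goes beyond the on/off {PROXY}{UseForwardedHeaders} setting; TRUSTED_PROXIES, client_ip and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed deployment: a single reverse proxy in front of the wiki.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr):
    """True if addr belongs to one of our own reverse proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to log and to match sessions against.

    peer_addr  -- address of the TCP peer that connected to the web server
    xff_header -- raw X-Forwarded-For value, or None when the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A header sent by a peer that is not our proxy is client-controlled.
    if not xff_header or not _is_trusted(peer):
        return str(peer)
    # Each proxy appends the address it saw, so walk from the right and
    # stop at the first hop that is not one of our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    cases = [
        ("203.0.113.9", "198.51.100.1"),             # direct client, forged header
        ("10.0.0.5", "203.0.113.9"),                 # normal request via the proxy
        ("10.0.0.5", "198.51.100.1, 203.0.113.9"),   # forged entry, proxy appended
        ("10.0.0.5", "not-an-address"),              # malformed header
    ]
    for peer, header in cases:
        print(peer, repr(header), "->", client_ip(peer, header))
```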
Change in HTTP status return for authentication failures.
The fix for Item14445 changes the HTTP status return for authentication errors from 401 - Unauthorized to 200 - OK
when returning the Template Login screen. The 401 status is not valid unless it returns a WWW-Authentication challenge that can be processed by the
agent. This is only valid when using HTTP authentication. The REST and JSONRPC actions will still return a 401, so that it can be handled by javascript.
Note: This change requires a corresponding fix for the LdapContrib. If you use the LdapContrib, you should not apply this release until an update of
LdapContrib is available.
Running Foswiki on a Windows based web server
This release fixes a critical error that prevented Foswiki from being installed on Windows. Foswiki mistakenly used a reserved filename for
a module which blocked installation on Windows. This has been corrected in this release.
A possible data loss issue was discovered in DataForms migrated from Foswiki 1.x. A new configuration setting ({LegacyFormfieldNames}) was added to restore the old Foswiki 1.x behavior.
If your site uses DataForms that use non-Ascii field names, the form data will require manual migration, or you must enable {LegacyFormfieldNames} in
the configuration.
Releases prior to Foswiki 2.0 stripped characters other than A-Z, a-z, 0-9 and _. So a field named Fühler would be stored as Fhler.
The same DataForms definition on Foswiki 2.0 would be stored as Fühler.
With the mismatch of field name, the form field will be lost when the topic is saved.
If you do not enable {LegacyFormfieldNames}, then you will need to find and update the META:FIELD definitions in the topics. This would need to be done external to Foswiki.
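One way to find and rewrite the affected META:FIELD lines outside Foswiki, as an added example that is not the project's own tooling. The stripping rule is the one stated above; the function names and the sample topic are constructed, and the caller supplies the field names as Foswiki 2.x expects them.

```python
import re

# Start of a stored form field line: %META:FIELD{name="..." ...}%
FIELD_RE = re.compile(r'^(%META:FIELD\{name=")([^"]*)(")', re.M)


def legacy_name(name):
    """Name as stored before Foswiki 2.0: only A-Z, a-z, 0-9 and _ survive."""
    return re.sub(r"[^A-Za-z0-9_]", "", name)


def find_renames(current_names, topic_text):
    """Return ({legacy_name: current_name}, [ambiguous legacy names]).

    current_names -- field names as Foswiki 2.x stores them for this form
                     (caller-supplied, e.g. "Fühler")
    """
    stored = {m.group(2) for m in FIELD_RE.finditer(topic_text)}
    renames, ambiguous = {}, set()
    for name in current_names:
        old = legacy_name(name)
        # Affected only if the topic still carries the stripped name.
        if old == name or old not in stored or name in stored:
            continue
        # Two definitions collapsing to one legacy name need a manual decision.
        if old in renames and renames[old] != name:
            ambiguous.add(old)
        renames.setdefault(old, name)
    for old in ambiguous:
        del renames[old]
    return renames, sorted(ambiguous)


def migrate(topic_text, renames):
    """Return topic text with legacy META:FIELD names replaced (use on a copy)."""
    def fix(m):
        return m.group(1) + renames.get(m.group(2), m.group(2)) + m.group(3)
    return FIELD_RE.sub(fix, topic_text)


# Constructed topic as a 1.x site would have saved it.
TOPIC = """Sensor record.
%META:FORM{name="SensorForm"}%
%META:FIELD{name="Fhler" title="Fühler" value="PT100"}%
%META:FIELD{name="Serial" title="Serial" value="A-17"}%
"""

if __name__ == "__main__":
    renames, ambiguous = find_renames(["Fühler", "Serial"], TOPIC)
    print(renames, ambiguous)
    print(migrate(TOPIC, renames))
```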
The optional (expert) configuration parameter {Sessions}{CookieRealm} now applies to the Domain of all cookies generated by the Foswiki core. In addition, if your site is accessed
over HTTPS, all cookies will now have the Secure flag set. In prior releases, only the Foswiki session cookie used the CookieRealm and Secure flag. After upgrade to 2.1.3, users may
lose saved preferences and/or fail strikeone validation due to the cookie domain change. If using a non-default CookieRealm setting, users may need to delete all domain cookies after this update.
User Registration
The stored format of pending registrations has been changed to perl "Storable" in order to better support Unicode user names and other registration fields.
As this format is binary and not generally human readable, a new report: PendingRegistrations has been added. It shows registrations that are
awaiting email verification and registrations awaiting approval. Registrations awaiting approval can be directly approved from the new page.
Any existing pending registrations should be resolved prior to upgrading to Foswiki 2.1.3. Existing submissions will be lost.
Usability on small screens
A user contributed WebSideBar toggle button can be enabled. This renders a small "hamburg" icon to restore the side bar when viewing
Foswiki on a small device. See PatternSkinCssCookbookSidebarToggle.
Configuration bootstrap
Bootstrap should be able to detect operation behind a proxy server, and will try harder to get the protocol (HTTP or HTTPS) and the hostname used by the user
correct. If bootstrap fails to properly set up a proxy configuration, we would appreciate bug reports that will help us improve operation. Note that
operation behind a chain of multiple proxy servers is not currently detected.
Page cache tuning.
A new optional (expert) configuration parameter {Cache}{TrackInternalLinks}
is available for tuning how the cache tracks dependencies of topic references.
Default is on, which is the same as prior releases. Foswiki will record
every topic link as a dependency. This can result in extremely large cache
dependency tables, especially when using a WebLeftBar that displays a large
number of webs and/or topics.
Set this to authenticated to track these topic references only for logged in
users. Set to off (not recommended) to disable all reference link tracking.
The side effect of not tracking a link dependency is that cached pages will
not reflect updates that remove or add a topic.
Note that the PageCache should be globally flushed whenever any configuration
changes are made, or after updating Foswiki or any Extensions.
JQuery
This release updates to a newer maintenance version of JQuery. You should
visit bin/configure and select the updated versions of JQuery.
Important changes in Foswiki 2.1.1
Page Caching
The Foswiki PageCache has added another index on the dependencies table.
After installing this update, you should issue the refresh=all option to
drop the foswiki cache tables, and allow them to be recreated. This will
create the new index.
New CPAN dependency, and foswiki.org changes
Due to upstream changes, the Perl LWP package has been split into two
packages. You may need to install LWP::Protocol::https for https support in
extension installation and accessing remote sites with the INCLUDE macro.
Important changes in Foswiki 2.1
Deprecations
The %HTTP% and %HTTPS% macros are deprecated and will be removed in a future release. These macros now restrict the available information to the
Accept-language and User-Agent headers. The list of available headers is now configurable.
The PatternSkin created contentheader and contentfooter as aliases for the beforetext and aftertext templates and deprecated the older templates. As
this broke compatibility with other skins, that deprecation has been reversed. For best compatibility continue to use beforetext and aftertext.
API Change
The Foswiki API version is incremented to version 2.4 in Foswiki 2.1.0. Foswiki 2.1 permits template names using Unicode characters.
New Perl CPAN dependencies!
Foswiki now requires CPAN:Email::MIME. Foswiki will be unable to send email without this module. SystemRequirements has more details on CPAN dependencies and
package names for most *nix distributions.
Enhanced Registration form
The registration form now accepts the parameter templatename to override the default NewUserTemplate. In addition the registration topics have been
restructured to permit multiple custom registration pages. Customization of the registration form is greatly simplified.
Easier to restrict access to the System web.
Some sites prefer to block access to the System web documentation for guest users. Duplicated content can result in lowered search engine rank, so it is
advantageous to restrict access to the System web. Foswiki now includes ALLOWTOPICVIEW settings for critical system topics that are required for guest access.
Changes in permitted characters in topic and attachment names.
Foswiki has split the topic and attachment name filters. The topic name filter has become more restrictive. Attachment names now permit embedded spaces, and
attachments with spaces will no longer be renamed to underscores. If you would prefer to use the old behavior, enable $Foswiki::cfg{AttachmentReplaceSpaces}.
Action Required: The colon (:) has been removed from the list of legal characters permitted in topic names. The colon was in
conflict with the InterWiki links. If your existing topics use the colon in topic names, you should remove the colon from the configuration setting
$Foswiki::cfg{NameFilter}.
Improvements in International Character Set support
Foswiki 2.1 has further improved support for utf-8 based character sets. Topics and data forms can use utf-8 characters. They will be properly rendered and
preserved during edit. The Foswiki core has been fully converted to utf-8 and unicode. All encoding / decoding is done "at the edge", when reading from
/ writing to the Foswiki store.
Foswiki 2.1 International support
Emails sent by Foswiki now fully support International Character Sets.
Foswiki now uses NFC Normalization of Unicode characters. This greatly improves compatibility with Operating Systems like OSX which use NFD form characters by default.
Template names are no longer restricted to ASCII characters.
Foswiki 2.0 International support
New sites will use utf-8 by default. Internationalization should just work.
Sites migrating data from a previous installation have two choices:
Set {Store}{Encoding} to match the previous {Site}{CharSet}. (Default was iso-8859-1)
Migrate the data to utf-8 by using the tools/bulk_copy.pl script. This is the recommended solution.
Support for Locales is still known to have issues. {UseLocales} should not be enabled in the configuration.
ACTION REQUIRED If you are upgrading an existing system, you
should review the existing data and determine if migration to utf-8 should be performed.
See the UpgradeGuide for more details. Note that the topic and
attachment name filters no longer filter international characters, so migration to utf-8 is
strongly recommended.
Due to the extensive internal changes, extensions may require changes for
compatibility with this release.
In form fields of type "select", space after a value and before the delimiting comma makes the value selectable and it saves but will reset on next edit.