Publify 8.3.3 – Security Fixes

Alvaro Folgado identified several security issues in Publify that are fixed in this release:

  • Rails’ protection from CSRF was not active for all actions. This was fixed.
  • Devise’ password recovery feature was configured to behave differently for existing and non-existing email addresses. This has been changed to use Devise’ ‘paranoid’ mode.
  • Publify was vulnerable to CVE-2016–3714, a vulnerability in ImageMagick, on servers that have affected versions of ImageMagick installed. It now checks the mime type of uploaded files based on their content before processing with ImageMagick.
  • Publify used Rails’ cookie session store, making it possible to effectively log back in by using an older value of the session cookie. Publify now stores the session data in the database.
  • The blog name was not properly escaped in the views used for Devise.

Additionally, the following small bugs were fixed:

  • There was an error on the sign-in due to the use of a deprecated method in Devise.
  • Failed resource uploads were reported as succesful.

It is recommended you update to this release as soon as possible.

Published on 03/11/2016 at 20h30 by Matijs van Zuijlen, tags

Publify 8.3.0 – Changes are coming

This release brings a lot of small changes and a few big ones under the hood. The big ones shouldn’t really change anything from a functional standpoint right now, but they will allow some new possibilities and directions in the future. Enough with the vague words, here is a list of large or breaking changes:

  • Make Publify multiblog-ready: All models should now be directly or indirectly linked to a blog, opening the way for finally supporting multiple blogs in some form. What form? That is still up for debate, but you can join the discussion in the GitHub ticket.
  • Replace custom Publify authentication system with Devise. This just gives use less code to maintain ourselves.
  • Replace custom Publify authorization system with CanCanCan. As with Devise, it’s better to use a well-maintained gem for this.
  • Remove Profile model. This wasn’t really doing anything in standard Publify, but beware if you’ve put any customization there.
  • Remove long-deprecated view_root method for sidebars. Just some simple house-keeping, but if you haven’t been paying to Publify’s warnings for the past years, this is a breaking change.
  • Provide registration mechanism for themes, allowing them to be stored anywhere. This opens the way for turning Publify into a Rails Engine, and for having themes as plug-ins.

As always, there are many small changes as well. See the change log for details.

Published on 24/06/2016 at 09h25 by Matijs van Zuijlen, tags

Publify 8.2.0 – Rails 4.2

Publify master has been running on Rails 4.2 for some time, so a new release is long overdue.

Some important changes:

  • Dependency on Rails has been updated to 4.2, including recent security fixes.
  • Migrations have been rolled up to 113 according to our upgrade policy. You must now first upgrade to at least version 7 before upgrading to the latest version.
  • The default bootstrap theme was replaced with bootstrap-2. You can find the old theme at in its own repository.
  • A Plain theme was added that uses only Publify’s default templates with a sprinkle of custom css.

In addition, there have been numerous smaller changes, bug fixes and improvements. See the change log for details.

Published on 16/03/2016 at 15h39 by Matijs van Zuijlen, tags

Publify 8.1.1 – Rails 4 bug fix

Short after pushing 8.1.0, we’re releasing a quick bugfix one. We’re obviously too serious about “release early, release often”.

#497 Publishing breaks before adding tags and publishing time.

#498 Pages and articles editor appears on 2 lines only

#499 Autosave is broken on PostgreSQL

Download Publify 8.1.1

Published on 17/09/2014 at 20h37 by Frédéric de Villamil, tags

Publify 8.1.0

That was fast! Only 3 days after Publify 8.0.2 went live, we’re pushing a new 8.1.0 version.

This version does one thing: it migrates Publify from Rails 3.2 to 4.1.

It does not seem a lot, but there was actually a tremendous work from Matijs and Thomas to make it possible.

You may not be aware of it, but Publify is as old as open source Rails itself, and not only did they make our old code work under the latest version of our favorite framework, but they also modernized huge parts of our code.

It’s now time for them to take some rest, and for us to pick up the feature we want to see in the next version. Stay tuned!

Download Publify 8.1.0

Published on 17/09/2014 at 16h22 by Frédéric de Villamil, tags

Release of Publify 8.0.2

Hello world,

We’re thrilled to announce the release of Publify 8.0.2. This is the last release before we migrate to Rails 4, and mostly a bug fix one. It fixes a denial of service security breach, so we highly recommend updating.

As usual, we want to thank our contributors. For this release, they are Alexander Markov, Benoit C. Sirois, Hans de Graaff, Soon Van, Tor Helland and Nicolas Bianco.

CVE-2014-3211

Très Acton has discovered a risk of denial of service by memory exhaustion in the way Publify comments user input are parsed.

Other squashed bugs

#423 , #474: When using the more tag, articles content is displayed twice.

#428 The editor save bar jumps up and down when typing with inconsistent behavior.

#429: The help messages can’t be hidden.

#431: Avatars in the dashboard last comments block are not inline with the comment.

#432: Dashboard inbound links widget is broken.

#433: The admin / content search does not bring anything back.

#442,#453: The content and page editor layout are not consistent.

#443: When creating a post, tags are shown in white on white.

#444: The articles date picker does not allow to change the time the article is published.

#445: Using the articles date picker results in a 500 error.

#447: Marking content as spam using the thumb icon results in a 500 error.

#454: Media library: the JS refactoring removed the lightbox.

#455, #473: Admin / sidebar: trying to remove a sidebar item does not work.

#456: Admin / sidebar: the help box should be in a blue block.

#475: Lots of unused assets to clear.

#482: Cancel links are not displayed correctly.

#488: File upload is broken.

Link caching issue (All cached links are the same basically).

Use a relative image path for blogs installed outside of the site root.

Archive page is not cached.

Feature and improvement

Improved Russian, Norwegian and French translations.

Upgraded to Rails 3.2.18.

Added support for a human.txt.

Published on 15/09/2014 at 09h26 by Frédéric de Villamil, tags

[ANN] Publify 8.0.1 has been released!

Hi everyone,

I’m happy to announce that Publify 8.0.1 has been released. This is a small bug fix release, but it fixes some very annoying ones.

  • issue 398: the user-style.css stylesheet is not loaded in the Bootstrap theme
  • issue 399: the note style is not applied.
  • issues 402, 410, 411: deployment crashes on Heroku (thank you @slainer68 for fixing that).
  • issue 412: the editor locally saves the content of the edited note, which means it reloads it when you edit another note, overwriting the legit content.

I’d like to thank you all, every contributor who helped with this release.

Download Publify 8.0.1.

Published on 04/04/2014 at 18h58 by Frédéric de Villamil, tags ,

Publify 8.0

It’s been 5 months since Publify 7.1, and considering the figures, Publify 8.0 is the biggest release we ever pushed in 9 years: 474 commits, 71 issues closed, 8 contributors, 567 files changed, 60,767 additions and 45,166 deletions.

But you probably don’t care about numbers that much, except if you’re wondering whether or not the project is till alive. TL; DR: it is.

The project itself has known one big change, moving from Fred’s personal Github account to a dedicated organization. We have been thinking about it for a while, and we believe it’s the best we could do for Publify.

Simpler, better, faster

Last summer, we started to rethink what we wanted Publify to be. At a time where online publishing is more or less split between Wordpress, hosted platforms and static engines, being “only” a blogging platform had no meaning anymore. We started to extend publishing capabilities, choosing Twitter pushed short notes as a first step before we add more content type. This led to Publify 7.0, and once again we knew it was the way to go.

Before adding these feature, we wanted Publify 8.0 to rebuild the whole user experience. It had to be simpler, clearer and better, far from the MS Word 97 style that prevails in Web publishing since more than 10 years.

This meant a simpler interface with a single, smaller menu, getting out of the old create / read / update / delete scheme when possible, merging some sections and finally removing lots of things. This also means using the most of large screens capabilities, using responsive layouts as much as we could, even though it made the job more difficult at some point.

Article listing

The editor, it has been completely revamped, following the way opened by both Medium and Ghost. We’ve pushed aside everything that may distract you from writing. The editor goes fullscreen, and you can even pick up a white or dark background at your convenience. The post settings are 1 click away from the editor so you won’t feel lost anyway. We know how much work is left to get a really classy tool, but we’re working on it.

A new editor

The notes have got improvement. When replying to a tweet, Publify now displays the original tweet so readers can keep the context this was done.

note reply context

Users profiles have been improved to. Each user now has its own detailed page with avatar, contact links, short bio and indeed the published content.

Author page

Missing in action

The old categories VS tags separation is no more. We merged the first into the seconds as a strict categorization has no real meaning on most blogs. Don’t worry about your URLs, we took care of everything, eventually creating the redirects you needed.

The excerpt has been removed. Excerpt was meant to display a different content on the listing page and on the post itself. It was an interesting feature, but only a handful of people, if none was using it, and it made the editor more complicated than necessary.

The old Typographic theme is not part of the core anymore. It has moved to its own project and will still be maintained.

The old XMLRPC backend has been discontinued. This means Publify does not support desktop clients anymore. This choice has been motivated by the fact that the APIs it was relying had not been updated for 10 years, and that most desktop editors are not maintained anymore either. Web browsers capabilities have evolved, and you can now have a fairly decent editor with local saving without the need of a desktop application.

Under the hood

Publify has been around for 9 years now. Rails was not 1.0 yet, and some of our code was older than you can ever imagine.

Publify 8.0 got rid of most of that legacy code. The old Prototype based helpers that made Rails famous back then left the building. Prototype itself has finally been replaced by Jquery, and Rails i18n allowed the Globalize based translation system to enjoy a deserved retirement. Most helpers have been removed too, as most of them were only used in one place.

This should not affect you unless you’re running custom themes and plugins. If so, have a look at the Bootstrap theme to see how we’re now working.

That’s all folks, you can now download Publify, or give it a try on our demo platform.

Published on 02/03/2014 at 16h47 by Frédéric de Villamil, tags

Powered by Publify | Photo Startup stock photos