TWiki Release 4.3.2 (Georgetown), 2009-09-02

Note: This is the release note for the previous major release version 4.3.X. This note, TWikiReleaseNotes04x00, TWikiReleaseNotes04x01 and TWikiReleaseNotes04x02 are included with 5.0.X because they contain valuable information, for both admins and users, for people upgrading from earlier versions. See TWikiReleaseNotes05x00 for the 5.0.X release notes.


TWiki-4.3.1, released on 2009-04-29, introduces security enhancements. This release also introduces use of the ISO date format by default.
TWiki-4.3.2, released on 2009-09-02, introduces further security enhancements.
It is highly recommended to upgrade to TWiki-4.3.2. Users will find this release much more stable and secure in daily use.
See the full list of bug fixes at the bottom of this topic.

Important Changes

1. Added protection against CSRF (cross-site request forgery) in TWiki 4.3.2 patch release

TWiki protects content updates with a one-time-use crypt token to guard against CSRF exploits: a fresh token is embedded in each edit form and is consumed by the save that submits it. This means that it is no longer possible to hit the browser back button to fix a typo; you get an "invalid crypt token" error message if you try to save again with the already-used token. Workaround: instead of the browser back button, hit the "Edit" button to fix a typo, which issues a new token.

There is a balance between security and user convenience. A TWiki administrator can enable and disable the crypt token based CSRF protection with the {CryptToken}{Enable} configure setting. For mission critical public TWiki sites it is recommended to enable the crypt token; for firewalled TWiki sites it is usually OK to disable it. Keep in mind that a CSRF request is sent by the victim's own browser, which is already inside the firewall and carries the victim's login cookie, so disabling the token trades that protection for convenience rather than relying on the firewall to provide it.
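
The following is an added illustration of the one-time-use token scheme described above, written here in Python as a generic model; it is not TWiki's own Perl implementation, and the class names, the `crypt_token_enabled` flag (standing in for {CryptToken}{Enable}) and the form field name `crypt_token` are assumptions chosen for the example. It shows the three behaviours the text describes: a normal edit-and-save succeeds, re-submitting the same form (the back button) is rejected with "invalid crypt token", and a forged cross-site save that carries the session cookie but no valid token is rejected only while the protection is enabled.

```python
import secrets
from dataclasses import dataclass, field


class InvalidCryptToken(Exception):
    """Raised when a save arrives without a valid, not-yet-used token."""


@dataclass
class Session:
    sid: str
    # Tokens issued to this session that have not been consumed by a save yet.
    unused_tokens: set = field(default_factory=set)


@dataclass
class Server:
    # Hypothetical stand-in for the {CryptToken}{Enable} configure setting.
    crypt_token_enabled: bool = True
    sessions: dict = field(default_factory=dict)
    topics: dict = field(default_factory=dict)

    def login(self) -> Session:
        s = Session(sid=secrets.token_hex(16))
        self.sessions[s.sid] = s
        return s

    def render_edit_form(self, session: Session) -> dict:
        """GET edit: mint a fresh single-use token and embed it in the form."""
        form = {"topic": "", "text": "", "crypt_token": ""}
        if self.crypt_token_enabled:
            token = secrets.token_urlsafe(32)
            session.unused_tokens.add(token)
            form["crypt_token"] = token
        return form

    def save(self, sid_cookie: str, form: dict) -> str:
        """POST save: the cookie identifies the session; the token must come in the body."""
        session = self.sessions.get(sid_cookie)
        if session is None:
            raise PermissionError("not logged in")
        if self.crypt_token_enabled:
            token = form.get("crypt_token", "")
            # Membership test against the server-side set rejects reused,
            # forged and guessed tokens alike.
            if token not in session.unused_tokens:
                raise InvalidCryptToken("invalid crypt token")
            session.unused_tokens.discard(token)  # consume it: one-time use
        self.topics[form["topic"]] = form["text"]
        return "saved"


def demo_back_button() -> list:
    """Edit, save, re-submit the same form (back button), then re-edit (workaround)."""
    srv = Server()
    s = srv.login()
    form = srv.render_edit_form(s)
    form.update(topic="WebHome", text="first save")
    results = [srv.save(s.sid, form)]
    # Back button: the browser re-posts the identical form, same token.
    form["text"] = "typo fixed"
    try:
        results.append(srv.save(s.sid, form))
    except InvalidCryptToken as e:
        results.append(str(e))
    # Workaround from the text: hit Edit again, which yields a fresh token.
    form2 = srv.render_edit_form(s)
    form2.update(topic="WebHome", text="typo fixed")
    results.append(srv.save(s.sid, form2))
    return results


def demo_cross_site_forgery(enabled: bool) -> str:
    """A third-party page makes the victim's browser POST a save.

    The session cookie is attached automatically, but the attacker cannot read
    the token out of the victim's edit form, so the forged body has none.
    """
    srv = Server(crypt_token_enabled=enabled)
    victim = srv.login()
    forged = {"topic": "WebHome", "text": "defaced", "crypt_token": ""}  # constructed request
    try:
        return srv.save(victim.sid, forged)
    except InvalidCryptToken as e:
        return str(e)


if __name__ == "__main__":
    print(demo_back_button())
    print(demo_cross_site_forgery(enabled=True))
    print(demo_cross_site_forgery(enabled=False))
```

The token is stored server-side per session and removed on first use, which is what makes the back-button resubmission fail even though the user is legitimately logged in; a token tied only to the session but not consumed would stop the forgery case yet still allow replay.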


Deprecation Notices

The %MAINWEB% and %TWIKIWEB% variables have been deprecated. For compatibility reasons they are unlikely to ever be removed completely, but you should use the %USERSWEB% and %SYSTEMWEB% variables instead.



  • Security:


Item2927 Topic moved message too visible
Item6283 upgrade TinyMCEPlugin with latest tinyMCE WYSIWYG editor
Item6315 HeadlinesPlugin: New touch parameter for HEADLINES variable


Item6253 SpreadSheetPlugin: $WORKINGDAYS is returning invalid results
Item6259 Prevent GUI-based rename of TWiki web and Main web
Item6267 FORMFIELD expands $title to field name if $title exists in field value
Item6295 Preferences for raw edit or WYSIWYG edit
Item6296 Crypt token based CSRF fix for TWiki
Item6308 viewfile adds trailing newline to attachments

