Announce: One Click Orgs 1.2.3


Chris Mear

Nov 17, 2011, 5:17:08 PM
to oneclickor...@googlegroups.com
Version 1.2.3 is released and running at http://oneclickorgs.com/ . Most of the content of this release is security fixes, but there are also a couple of feature improvements.

The security fixes in this version and in version 1.2.2 are the result of an excellent security review that Darren McDonald kindly did for us recently.

2011-11-17 One Click Orgs 1.2.3

* FEATURE: Members can now specify what role they play in the organisation.
* FIX: Proposal comments were not displayed in date order.
* FIX: The notification that the founding vote failed would still display
repeatedly in certain situations.
* SECURITY FIX: HTML was not properly escaped in proposal descriptions and
comments.
* SECURITY FIX: Users could be redirected to an external site by abusing the
URL used for registering a vote.
* SECURITY FIX: Members could set their email to that of an existing member,
and new members could be added with the same email as an existing member.
* SECURITY FIX: Browsers were permitted to cache login credentials.
* SECURITY FIX: The password reset system allowed a non-member to determine
whether or not an email address corresponded to a valid user.
* SECURITY FIX: The organisation's name was not properly escaped for the
'From' field of emails.
* SECURITY FIX: Some invalid characters were allowed in members' email
addresses.
* SECURITY FIX: Users could be redirected to an external site by inserting
special characters into the organisation's subdomain.
* A vote taking place under the 'veto' voting system now closes early if
all members vote in favour.
* Rails is upgraded to version 3.0.10.

Source and downloads at:

https://github.com/oneclickorgs/one-click-orgs

Thanks to Andrew Black and Darren McDonald for contributions, testing and reports for this release.

Chris

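The changelog above names the fixes but not their shape. As an added example, not code from One Click Orgs or from this announcement, the plain-Ruby module below (no Rails dependency) shows hardening logic of the kind each of those entries calls for: a same-origin check for the vote-registration and subdomain redirects, a single-label subdomain validator, a conservative email validator with a case-insensitive duplicate check, From-header quoting with CR/LF stripped, a password-reset response that reads the same whether or not the address is a member's, HTML escaping for proposal text, and no-store cache headers for authenticated pages. All function names, regular expressions and policy choices here are assumptions made for the illustration; the project's actual 1.2.3 changes are in the repository linked above.

```ruby
# Added example (not One Click Orgs code): plain-Ruby versions of the kinds of
# checks behind the 1.2.3 security fixes. Names, regexes and policies are
# assumptions made for this illustration, not the project's implementation.
require 'uri'
require 'cgi'

module HardeningChecks
  # Open redirect (vote-registration URL, subdomain redirect): accept only a
  # same-origin absolute path. Reject anything with a scheme, host or userinfo,
  # protocol-relative "//", backslashes (browsers treat "/\" like "//") and
  # control characters (CR/LF in a Location value is header injection).
  def self.safe_redirect_path(candidate, default = '/')
    return default unless candidate.is_a?(String) && !candidate.empty?
    return default if candidate.match?(/[\x00-\x1f\\]/)
    return default unless candidate.start_with?('/')
    return default if candidate.start_with?('//')
    begin
      uri = URI.parse(candidate)
    rescue URI::InvalidURIError
      return default
    end
    return default if uri.scheme || uri.host || uri.userinfo
    candidate
  end

  # Organisation subdomain: exactly one DNS label (lowercase letters, digits,
  # inner hyphens, 1-63 chars). Dots, slashes, '@' or '\' would let the label
  # change which host a URL built from it points at.
  SUBDOMAIN = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/
  def self.valid_subdomain?(label)
    label.is_a?(String) && label.match?(SUBDOMAIN)
  end

  # Member email: deliberately conservative (rejects some RFC 5322 addresses).
  # No whitespace, no CR/LF, no '<', '>', '"' or ',' so an address can never be
  # read as a display name or as a second recipient inside a mail header.
  EMAIL = /\A[a-zA-Z0-9._%+-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+\z/
  def self.valid_email?(addr)
    addr.is_a?(String) && addr.match?(EMAIL)
  end

  # Duplicate-email check: compare normalised forms so "Alice@Example.org "
  # cannot be registered alongside "alice@example.org".
  def self.email_taken?(addr, existing)
    norm = addr.to_s.strip.downcase
    existing.any? { |e| e.strip.downcase == norm }
  end

  # From header: strip CR/LF (header injection) and wrap the organisation name
  # in an RFC 5322 quoted-string so '<', ',' or '"' in the name stay literal.
  def self.from_header(org_name, address)
    name = org_name.to_s.gsub(/[\r\n]/, '')
    quoted = '"' + name.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
    "#{quoted} <#{address}>"
  end

  # Password reset: the visible response is identical whether or not the
  # address belongs to a member; only the side effect (sending mail) differs.
  RESET_MESSAGE = 'If that address belongs to a member, a reset link has been sent.'
  def self.reset_response(addr, members)
    { message: RESET_MESSAGE, mailed: members.include?(addr) }
  end

  # Proposal descriptions and comments: escape before interpolating into HTML.
  def self.escape_html(text)
    CGI.escapeHTML(text.to_s)
  end

  # Response headers for authenticated pages so browsers and shared caches do
  # not store them (the "browsers were permitted to cache" entry).
  NO_STORE_HEADERS = {
    'Cache-Control' => 'no-store, no-cache, must-revalidate, private',
    'Pragma'        => 'no-cache',
    'Expires'       => '0'
  }.freeze
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs, for a quick manual run.
  puts HardeningChecks.safe_redirect_path('//evil.example/')
  puts HardeningChecks.from_header("Acme <x@evil.example>\r\nBcc: y@evil.example", 'noreply@example.org')
end
```

The redirect check is an allow-list (a single absolute path on the current origin) rather than a deny-list of known bad prefixes, which is what keeps the backslash and protocol-relative variants out without enumerating them. The reset response deliberately returns the same message for both outcomes; in a real application the timing of the two branches would also need to be kept close, which this example does not address.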