Temboz

Please update to Temboz 4.4.0 or later

TL;DR: If you are using my Temboz feed reader, please update as soon as possible to version 4.4.0 or later.

This is somewhat related to the last security advisory for Temboz. Fields like article title, author or tags, or feed title or description that are supposed to be plain text (not even HTML) were not being sanitized for XSS. The effect was demonstrated by this article in BoingBoing.

Once again I apologize for potentially exposing you to XSS attacks via malicious feeds, and I would recommend you subscribe to my RSS feed for it so you can get important announcements like this one in the future.

Critical Temboz vulnerability, please update

TL;DR: If you are using my Temboz feed reader, please update as soon as possible to version 4.0 or later.

This is because Temboz depends on feedparser, Kurt McKee’s (originally Mark Pilgrim’s) ultra-liberal feed parsing library for Python. One of its responsibilities is to sanitize feed content to strip out potentially dangerous HTML like <script> tags. Unfortunately, I only just realized that on Python 3, due to the absence of the sgmllib module that used to ship with Python 2, feedparser will silently fail and not sanitize the HTML instead of failing safe, e.g. by throwing a NotImplementedError. Since this is such a fundamentally flawed approach, I decided to no longer trust feedparser with this responsibility and to assign it to Mozilla’s bleach instead. Furthermore, Temboz will now perform a sanity check at startup and refuse to start if <script> tags are not being filtered.
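The two defensive measures described in these advisories, escaping fields that must stay plain text (title, author, tags, feed title and description) and a startup self-check that refuses to run when the HTML sanitizer fails open, can be illustrated with the following added example. It is not Temboz's or feedparser's code: the allowlist sanitizer, the tag and attribute lists, the `CANARY` probe string and the `feedparser_style_passthrough` stand-in for a silently failing sanitizer are all constructed for this illustration, and the real Temboz delegates sanitizing to bleach rather than to a hand-written parser.

```python
import html
import re
from html.parser import HTMLParser

# Constructed allowlist for this example (not Temboz's configuration).
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)


def escape_plain_field(value):
    """Title, author, tags, feed title/description are plain text, so they are
    HTML-escaped wholesale: a feed cannot smuggle markup through them."""
    return html.escape(value or "", quote=True)


class AllowlistSanitizer(HTMLParser):
    """Minimal allowlist sanitizer (example code). Re-emits only allowed tags
    and attributes, escapes all text, and drops <script>/<style> content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside a <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, val in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and val is not None:
                # Reject javascript:/data: and other non-http(s) URL schemes.
                if name == "href" and not SAFE_URL.match(val.strip()):
                    continue
                kept.append(f' {name}="{html.escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Sanitize an article body (HTML is allowed here, unlike plain fields)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment or "")
    parser.close()
    return "".join(parser.out)


def feedparser_style_passthrough(fragment):
    """Models the failure mode described in the advisory: a sanitizer that
    silently returns its input unchanged instead of raising an error."""
    return fragment


# Constructed probe: the self-check feeds this through the configured sanitizer.
CANARY = '<p>ok</p><script>alert(1)</script><a href="javascript:alert(2)">x</a>'


def startup_sanity_check(sanitizer):
    """Fail closed: refuse to start if <script> or a javascript: URL survives.
    Returns True when the sanitizer passes."""
    result = sanitizer(CANARY).lower()
    if "<script" in result or "javascript:" in result:
        raise RuntimeError("HTML sanitizer is not filtering <script>; refusing to start")
    return True


if __name__ == "__main__":
    print(escape_plain_field('<script>alert(1)</script>'))
    print(sanitize_html(CANARY))
    print(startup_sanity_check(sanitize_html))
```

The self-check is the part worth copying: it costs one call at startup and turns a silent fail-open (the feedparser-on-Python-3 behaviour) into a hard refusal to serve pages, which is the failure mode you want for a component whose only job is to keep attacker-controlled markup out of your browser.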

I apologize for potentially exposing you to XSS attacks via malicious feeds. Unfortunately I have no way to reach out to all those who installed Temboz. If you are installing Temboz, I would recommend you subscribe to my RSS feed for it so you can get important announcements like this one in the future.

Temboz 0.8 released

I am pleased to announce the release of Temboz 0.8.

The main change in this release is its ability to work with either SQLite 2.x or SQLite 3.x. SQLite 3.x is now the recommended version; see the Temboz Wiki for upgrade instructions. SQLite 3.x improves performance, database file sizes and concurrency, but it also introduced a condition where Temboz could deadlock, hence the long incubation time for this release.

Another enhancement is the ability to sort feeds by Signal to Noise Ratio (SNR). The default view for the all feeds page will list high-quality feeds with unread articles first. If you are catching up with many articles, it pays to concentrate on the richest lodes of information first, and possibly prune those that no longer provide an adequate level of interesting information.

I have a number of feature requests I received from users or thought up myself. You are welcome to suggest others on the ticket page for Temboz CVStrac.

Temboz 0.7 released

I have released version 0.7 of Temboz. The main improvements in the new version are a better user interface, ad filtering, and garbage collection of articles older than 6 months. Several facilities have also been added to make it easier to write and test filtering rules – you can now add comments to a rule, or purge and reload a feed from the feed details page to see whether changed rules are kicking in or not.

Temboz now also has a publicly accessible CVStrac with a documentation Wiki and a bug-tracking database (where change requests can also be submitted). The Wiki is publicly read-only for now, but if you would like to contribute to it, drop me an email and I will create an account with edit privileges for you.

Temboz 0.5 released

I have released version 0.5 of Temboz. This version makes considerable improvements in its tracking of feed changes. Feeds where the GUID is distinct from the link are now handled correctly. Some feeds have a tendency to modify articles and reissue them with a different GUID or link, causing them to appear as duplicates. This is often the case with Reuters and Sun blogs (Sun is now handled as a special case in the feed normalization code). If the optional title-based duplicate detection flag is set on a feed (go into the feed details page from the all feeds view), articles with duplicate titles will not be recorded twice in the database. This is not on by default, as it could cause false positives on some feeds that have recurring titles.
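As an added illustration of the duplicate-detection logic described above (this is example code, not Temboz's own implementation or schema): the article identity key prefers the GUID and falls back to the link, so a feed whose GUIDs differ from its links is tracked by GUID alone, and the optional per-feed `title_dedup` flag additionally rejects articles that reappear under a new GUID or link with the same title. The `Feed` class, the field names and the sample items are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Feed:
    name: str
    title_dedup: bool = False  # the optional per-feed flag; off by default
    seen_keys: set = field(default_factory=set)
    seen_titles: set = field(default_factory=set)


def article_identity(item):
    """Identity key: the GUID when the feed supplies one, else the link."""
    return item.get("guid") or item.get("link")


def record_article(feed, item):
    """Return True if the article is new for this feed and should be stored."""
    key = article_identity(item)
    if key is None:
        raise ValueError("article has neither guid nor link")
    if key in feed.seen_keys:
        return False
    # Title comparison is case-insensitive and whitespace-trimmed.
    title = (item.get("title") or "").strip().casefold()
    if feed.title_dedup and title in feed.seen_titles:
        return False
    feed.seen_keys.add(key)
    feed.seen_titles.add(title)
    return True


def ingest(feed, items):
    """Store the items that are new; returns the list actually recorded."""
    return [item for item in items if record_article(feed, item)]


# Constructed sample: the second item is a reissue of the first under a new
# GUID and link, the third is a genuinely different story with the same title.
SAMPLE_ITEMS = [
    {"guid": "urn:example:1", "link": "https://example.invalid/a", "title": "Markets rise"},
    {"guid": "urn:example:2", "link": "https://example.invalid/a?v=2", "title": "Markets rise"},
    {"guid": "urn:example:3", "link": "https://example.invalid/c", "title": "Markets Rise"},
]


def count_stored(title_dedup):
    """Number of SAMPLE_ITEMS recorded for a fresh feed with the given flag."""
    return len(ingest(Feed("sample", title_dedup=title_dedup), SAMPLE_ITEMS))


if __name__ == "__main__":
    print(count_stored(False), count_stored(True))
```

With the flag off, all three items are stored because their GUIDs differ, which is the duplicate problem the post describes; with it on, only the first survives, which also shows why the flag is opt-in: the third item is a different article that merely reuses a title.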

The other big feature in this release is that Temboz now automatically backs up its database nightly, and keeps a configurable number of daily backups (7 by default).

These changes require a data model upgrade. A script is provided to perform the upgrade, as well as another one to reconcile items already recorded where the GUID differs from the link. Upgrade instructions are provided in the UPGRADE file. All users are advised to upgrade.