Publify 8.3.3 – Security Fixes

Alvaro Folgado identified several security issues in Publify that are fixed in this release:

  • Rails’ CSRF protection (protect_from_forgery) was not active for all actions. It is now enforced everywhere.
  • Devise’s password recovery feature was configured to respond differently for existing and non-existing email addresses, which let an attacker enumerate valid accounts. It has been changed to use Devise’s ‘paranoid’ mode, which gives the same response either way.
  • Publify was vulnerable to CVE-2016-3714 (a command-injection flaw in ImageMagick) on servers running affected ImageMagick versions. Publify now checks the MIME type of uploaded files based on their content, not their name or declared type, before handing them to ImageMagick.
  • Publify used Rails’ cookie session store, so a session could not be invalidated server-side: anyone holding an older copy of the session cookie could effectively log back in with it. Publify now stores session data in the database, where a session can be deleted.
  • The blog name was not properly escaped in the views used for Devise, allowing HTML injection through that setting.
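To make the content-based check concrete, here is an added example in Ruby, written for this page and not taken from Publify’s own upload code: it sniffs the leading bytes of an upload and only lets it through when they match an allowed image signature and agree with the type the client declared. The sample uploads are constructed inline; the constant and method names are assumptions, not Publify identifiers.

```ruby
# Added example: content-based MIME check before handing an upload to ImageMagick.
# Not Publify's implementation; names and samples are constructed for this page.

# Leading-byte signatures of the image types we are willing to process.
IMAGE_SIGNATURES = {
  "image/png"  => ["\x89PNG\r\n\x1a\n".b],
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b],
}.freeze

# Returns the MIME type implied by the first bytes of +bytes+, or nil when
# the content matches none of the allowed signatures.
def sniff_image_type(bytes)
  head = bytes.to_s.b[0, 8]
  IMAGE_SIGNATURES.each do |mime, signatures|
    return mime if signatures.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Same check for a file on disk, reading only the bytes needed.
def sniff_image_file(path)
  sniff_image_type(File.binread(path, 8).to_s)
end

# An upload may go to ImageMagick only when its content is an allowed image
# type AND that type matches what the client declared. The file name and the
# declared Content-Type are attacker-controlled; ImageMagick decides what a
# file is from its content, which is what CVE-2016-3714 payloads relied on.
def safe_for_imagemagick?(bytes, declared_mime)
  sniffed = sniff_image_type(bytes)
  !sniffed.nil? && sniffed == declared_mime
end

# Constructed sample uploads (truncated headers are enough for the check).
PNG_UPLOAD  = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR".b
JPEG_UPLOAD = "\xFF\xD8\xFF\xE0\x00\x10JFIF".b
# An MVG script uploaded under a .png name: ImageMagick would parse it as MVG
# regardless of the name, so it must be rejected on content alone.
MVG_UPLOAD  = "push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n".b

if __FILE__ == $PROGRAM_NAME
  { "real png"             => [PNG_UPLOAD, "image/png"],
    "jpeg declared as png" => [JPEG_UPLOAD, "image/png"],
    "mvg named .png"       => [MVG_UPLOAD, "image/png"],
    "empty file"           => ["".b, "image/png"] }.each do |label, (bytes, declared)|
    puts "#{label}: sniffed=#{sniff_image_type(bytes).inspect} " \
         "safe=#{safe_for_imagemagick?(bytes, declared)}"
  end
end
```

The check deliberately requires agreement between sniffed and declared type rather than trusting either alone: a JPEG uploaded as image/png is rejected even though it is a real image, because a mismatch is exactly the signal that something other than a plain browser upload produced the request.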

Additionally, the following small bugs were fixed:

  • There was an error on sign-in due to the use of a deprecated Devise method.
  • Failed resource uploads were reported as successful.

It is recommended you update to this release as soon as possible.
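The cookie-store point above deserves a worked illustration. The following Ruby is an added example written for this page, not Publify’s or Rails’ code: it models a minimal signed cookie store beside a minimal server-side store and runs the same log-in, log-out, replay sequence through both. The secret, the session contents and the class names are all assumptions.

```ruby
require "openssl"
require "securerandom"
require "json"

# Added example, not Publify's or Rails' code: why a cookie session store cannot
# really log a user out, and why a server-side store can.

# Cookie store: the whole session hash travels in the cookie, signed with the
# application secret. The server keeps no record, so it has nothing to revoke.
class CookieStore
  def initialize(secret)
    @secret = secret   # constructed secret; a real app uses secret_key_base
  end

  def write(session)
    payload = [JSON.generate(session)].pack("m0")   # strict base64
    "#{payload}--#{sign(payload)}"
  end

  # Any cookie with a valid signature is accepted, however old it is.
  def read(cookie)
    payload, mac = cookie.to_s.split("--", 2)
    return nil unless payload && mac && secure_compare(mac, sign(payload))
    JSON.parse(payload.unpack1("m0"))
  end

  # "Logging out" only asks the browser to drop its copy; a saved copy still verifies.
  def logout(_cookie)
    nil
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  # Constant-time comparison so the signature check does not leak by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Server-side store: the cookie is only a random id; the data lives in a row
# the server controls (a Hash stands in for the sessions table here).
class DatabaseStore
  def initialize
    @rows = {}
  end

  def write(session)
    id = SecureRandom.hex(16)
    @rows[id] = session.dup
    id
  end

  def read(cookie)
    @rows[cookie]
  end

  # Deleting the row invalidates every copy of the cookie, old or new.
  def logout(cookie)
    @rows.delete(cookie)
    nil
  end
end

# Log in, keep a copy of the cookie, log out, then replay the copy.
# Returns true when the replayed cookie still yields the logged-in session.
def replay_after_logout?(store)
  cookie = store.write({ "user_id" => 42 })
  saved_copy = cookie.dup
  store.logout(cookie)
  session = store.read(saved_copy)
  !session.nil? && session["user_id"] == 42
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie store replay works:   #{replay_after_logout?(CookieStore.new('constructed-secret'))}"
  puts "database store replay works: #{replay_after_logout?(DatabaseStore.new)}"
end
```

Rails’ real cookie store also encrypts the payload and can carry an expiry, but the structural problem is the same as in the toy version: without a server-side record, the only way to invalidate one stolen or leaked cookie is to rotate the secret for everyone. With the database-backed store (the activerecord-session_store gem in Rails 4.x), logging out deletes the row, and an older copy of the cookie is just an id that no longer resolves.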

Published on 03/11/2016 at 20h30 by Matijs van Zuijlen

Publify 8.3.0 – Changes are coming

This release brings a lot of small changes and a few big ones under the hood. The big ones shouldn’t really change anything from a functional standpoint right now, but they will allow some new possibilities and directions in the future. Enough with the vague words, here is a list of large or breaking changes:

  • Make Publify multiblog-ready: All models should now be directly or indirectly linked to a blog, opening the way for finally supporting multiple blogs in some form. What form? That is still up for debate, but you can join the discussion in the GitHub ticket.
  • Replace custom Publify authentication system with Devise. This just gives us less code to maintain ourselves.
  • Replace custom Publify authorization system with CanCanCan. As with Devise, it’s better to use a well-maintained gem for this.
  • Remove Profile model. This wasn’t really doing anything in standard Publify, but beware if you’ve put any customization there.
  • Remove the long-deprecated view_root method for sidebars. Just some simple house-keeping, but if you haven’t been paying attention to Publify’s warnings for the past years, this is a breaking change.
  • Provide registration mechanism for themes, allowing them to be stored anywhere. This opens the way for turning Publify into a Rails Engine, and for having themes as plug-ins.

As always, there are many small changes as well. See the change log for details.

Published on 24/06/2016 at 09h25 by Matijs van Zuijlen

Publify 8.2.0 – Rails 4.2

Publify master has been running on Rails 4.2 for some time, so a new release is long overdue.

Some important changes:

  • Dependency on Rails has been updated to 4.2, including recent security fixes.
  • Migrations have been rolled up to 113 according to our upgrade policy. You must now first upgrade to at least version 7 before upgrading to the latest version.
  • The default bootstrap theme was replaced with bootstrap-2. The old theme now lives in its own repository.
  • A Plain theme was added that uses only Publify’s default templates with a sprinkle of custom CSS.

In addition, there have been numerous smaller changes, bug fixes and improvements. See the change log for details.

Published on 16/03/2016 at 15h39 by Matijs van Zuijlen

Publify 8.1.1 – Rails 4 bug fix

Shortly after pushing 8.1.0, we’re releasing a quick bugfix release. We’re obviously too serious about “release early, release often”.

#497 Publishing breaks before adding tags and publishing time.

#498 Pages and articles editor appears on 2 lines only

#499 Autosave is broken on PostgreSQL

Download Publify 8.1.1

Published on 17/09/2014 at 20h37 by Frédéric de Villamil

Publify 8.1.0

That was fast! Only 3 days after Publify 8.0.2 went live, we’re pushing a new 8.1.0 version.

This version does one thing: it migrates Publify from Rails 3.2 to 4.1.

It may not seem like much, but it actually took tremendous work from Matijs and Thomas to make it possible.

You may not be aware of it, but Publify is as old as open source Rails itself, and not only did they make our old code work under the latest version of our favorite framework, but they also modernized huge parts of our code.

It’s now time for them to take some rest, and for us to pick the features we want to see in the next version. Stay tuned!

Download Publify 8.1.0

Published on 17/09/2014 at 16h22 by Frédéric de Villamil

Release of Publify 8.0.2

Hello world,

We’re thrilled to announce the release of Publify 8.0.2. This is the last release before we migrate to Rails 4, and mostly a bug fix one. It fixes a denial-of-service vulnerability, so we highly recommend updating.

As usual, we want to thank our contributors. For this release, they are Alexander Markov, Benoit C. Sirois, Hans de Graaff, Soon Van, Tor Helland and Nicolas Bianco.


Très Acton discovered a denial-of-service risk through memory exhaustion in the way user input in Publify comments is parsed.

Other squashed bugs

#423 , #474: When using the more tag, articles content is displayed twice.

#428 The editor save bar jumps up and down when typing with inconsistent behavior.

#429: The help messages can’t be hidden.

#431: Avatars in the dashboard last comments block are not inline with the comment.

#432: Dashboard inbound links widget is broken.

#433: The admin / content search does not bring anything back.

#442,#453: The content and page editor layout are not consistent.

#443: When creating a post, tags are shown in white on white.

#444: The articles date picker does not allow changing the time at which the article is published.

#445: Using the articles date picker results in a 500 error.

#447: Marking content as spam using the thumb icon results in a 500 error.

#454: Media library: the JS refactoring removed the lightbox.

#455, #473: Admin / sidebar: trying to remove a sidebar item does not work.

#456: Admin / sidebar: the help box should be in a blue block.

#475: Lots of unused assets to clear.

#482: Cancel links are not displayed correctly.

#488: File upload is broken.

Link caching issue (All cached links are the same basically).

Use a relative image path for blogs installed outside of the site root.

Archive page is not cached.

Feature and improvement

Improved Russian, Norwegian and French translations.

Upgraded to Rails 3.2.18.

Added support for a human.txt.

Published on 15/09/2014 at 09h26 by Frédéric de Villamil

Typo 6.1.4 (get your booty on the floor)

It’s been only 2 weeks since we released Typo 6.1.3 and Typo 6.1.4 is already here. 2 weeks ago, we were sure Typo was stable enough to serve as a long-term release while we worked on our new major release.

Three things prevented us from doing so.

First, a new Rails version was released with another important security fix. Typo 6.1.4 comes with that fix so you should definitely upgrade.

Second, we had the opportunity to fix some bugs, and that was another very good reason to release.

Third, we have done a huge documentation effort lately, and we thought it would be a good idea to have it released as well. The doc is now used to automatically deploy our web site. Oh, and we’ve also changed our Twitter account; you can now follow us on @gettypo.

Once again, we’d like to thank our contributors Marcel M. Cary, Nicolas Blanco and randomecho for their… contribution to Typo.

Fixed bugs

Moved #default_text_filter so Trackback can use it (Marcel M. Cary).

Fixed Typo news and latest posts date format with distance_of_time_in_words (Marcel M. Cary).

Fixed the Heroku deployment Gemfile (Nicolas Blanco).

Fixed a bug where the publication date of already published articles would be changed by autosave (issue 141).

Fixed secret token generation on an existing blog (issue 142).

Fixed an issue where the text filter always showed as ‘none’, even if it had previously been set to markdown (issue 69).

Published on 12/02/2013 at 19h48 by Frédéric de Villamil

History repeating : release of Typo 6.1.3

I love how History tricks you by repeating itself. There’s a lot of irony in the way insignificant events build the perfect running gag in real life. 9 years ago, Tobias Luetke started Typo in a Starbucks because of a typo in his calendar. Today, I was in a Starbucks releasing Typo 6.1.3 because of a glitch in my agenda. History repeating.

I love free software communities too, when they stop arguing about politics and trolling about licences to focus on code and releasing software for the fun of it.

The open source world is wonderful. The more active a project, the more contributors it finds. Exactly 2 years ago, I was writing (in French) about how Github would kill open source software communities. I still believe every single word of it, even though Github is amazing at making project activity more visible. Typo has 1180 forks and is followed by 858 people without advertising about it. The latest release happened 2 weeks ago, and we had more contributions than I would have expected, from 4 great contributors: Nicolas Bianco, Soon Van, Mcary, and Diego Elio Pettenò, who has been packaging Typo on Gentoo for years.

Typo 6.1.3 is probably the last of the 6.1 series, and a bug-fix-only release. We’re now going to work on Typo 6.2, a feature-based release.


For a comprehensive list of fixes, please refer to Typo 6.1.3 Changelog.

The biggest contribution was pushed by Nicolas Bianco. It fixes file upload on Amazon S3. His work and great ideas make Typo easier to use on Heroku than ever.

Soon Van has been doing a great work on i18n, documentation and interface consistency.

Diego Elio Pettenò fixed various plugins and text filters that make use of Flickr API.

Mcary fixed live search plugin and behavior consistency within the admin interface.

Closed tickets

Ticket nº86 : Media list did not reload after uploading a resource.

Ticket nº103 : Fixes a security issue by changing the secret token at setup time. Displays a warning message when the default secret token is used.

Ticket nº123 : fixes the links available on the dashboard for both contributors and publishers.

Ticket nº124 : Fixes the html editor look and feel when the window gets too small.

Ticket nº129 : the default theme would not take all the blog options into account.

Published on 01/02/2013 at 08h06 by Frédéric de Villamil


It’s been a while since you last heard from us, and we first wanted to wish you a happy new year. As 2013 starts, we’re happy to release Typo 6.1.2, the second of the Remi Ochlik series, named after a French photographer who was killed in Syria a few days after winning a World Press Photo, the most prestigious award for photojournalists.

This new Typo release comes with a major security bugfix for a vulnerability that affects every Ruby on Rails version so far and makes your hosting vulnerable. If you’ve been using a prior Typo version, it’s time to upgrade as soon as possible. This is mission critical, no kidding.

Download Typo 6.1.2.

New feature and improvements

Typo 6.1.2 is the first one to run out of the box on a Heroku instance. You just need to change the config/storage.yml file to switch to Amazon S3. This makes Typo deployment much easier, and we plan to make it even simpler in the next few months.

Typo has been translated into a few more languages; we’re happy to welcome the Norwegian and Simplified Chinese versions. Other translations have been improved as well.

Typo sidebar plugins have been extended: new settings can now be added to existing plugins without reloading them.

Bug fixes

This version also provides the usual bug fixes:

A bug in the article list within the admin has been fixed: selecting “all articles” would not display drafts.

Some usability issues regarding the menu highlight have also been fixed.

Solves an issue where the SEO titles would not be saved when submitting the form.

Autosave when using the visual editor has also been fixed.

Published on 18/01/2013 at 22h42 by Frédéric de Villamil
