These are my ideas:
1. Change password hash
We are currently using sha1 as the hash function, in https://github.com/s9y/Serendipity/blob ... .php#L2219. SHA1 is the wrong choice for passwords, as it is a fast hash that. I'd replace it with scrypt or Argon2.
For context: That is not something that is really security-relevant for a normal blog system. It is more that if someone were to capture your database and you have user accounts for thousands of users, then that hash becomes important in protecting the stored passwords from being computable with the resources a hacker has at hand, like a GPU. Still, big multi-user systems are something s9y does theoretically support.
1.1: Add rate limiting to the login function (if we don't have that already)
1.2: Rewrite autologin-cookie (issue #441)
2. Fix MySQL UTF-8 bug
That will include changing the charset of existing installations. I'm most likely the wrong dev to do that btw, so far I'm using sqlite everywhere (issue #394). But this one is very pressing.
3. PHP 7.1 compatibility
We've got 7.0, but 7.1 seems to have new incompatibilities (issue #441)
4. Cleanup plugins
We should remove broken plugins, or fix them, or at the very least mark them (that idea is coming from YL, I think)
5. Responsive Images
YL mentioned that a long time ago. S9Y already has functionality for resizing images, it should thus be able to generate the needed sizes (if the original is big enough) and set them according to https://responsiveimages.org/.
6. Social Network Home
I'd like to look into whether it is possible to mirror comments on FB/etc and have them as marked comment in the blog (nod to Mario, I think we talked about that).
7. Minor: A round of Trackback/Pingback compatibility testing.
After implementing the trackback meta header it would need to be tested anyway. S9y should work well with Wordpress, and we should disallow settings that break compatibility easily, such as the IP check.
8. Database security
We had some ugly sql injections this round, thankfully not with critical variables, if I saw that right. The main fault is that someone made a fault when creating the responsible code, but the other fault is that we create them as raw strings in the first place. We should use prepared statements instead of escaping manually and bind the variables to them, which escapes the variables automatically, which will remove almost all the possibilities of such issues occurring. We can wrap an API around that, such that a statement looks like:
$result = serendipity_db_query("SELECT * from namespace_config WHERE key = :name AND user = :user", ["name" => "editor", "user" => "otto"]); // values are bound to the named placeholders, never pasted into the SQL text
That would mean a lot of change in the core and plugins, that is why we didn't do it so far.
9. Caching
2.1 brings the database cache, but for the next version I'd like to activate it by default, and add the functionality of using redis as cache system. My goal here is to counteract the image Wordpress has, that it fails as soon as something like Reddit or Hacker News links to it, if the admin did not do a lot of tuning. At least as much as possible with the servers we have.
---
Do you have other changes in your mind?
We also could bring back the "upcoming s9y Features" subforum, if there is some interest.
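The named-parameter wrapper sketched in point 8, as an added example that is not s9y's own code: a hypothetical serendipity_db_query() built on PDO, run against an in-memory SQLite table with constructed rows (column names name, user, value are constructed too) and a constructed hostile input, so the raw-string query and the bound query can be compared side by side.

```php
<?php
// Added example, not s9y code: a hypothetical named-parameter wrapper in the
// spirit of point 8, built on PDO so the database driver does the binding.
// Runs offline against an in-memory SQLite database with constructed rows.

function serendipity_db_query(PDO $db, string $sql, array $params = []): array
{
    // The SQL text and the values travel separately: a bound value is only
    // ever compared as data and cannot alter the statement's structure.
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue(':' . $name, $value);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows.
$db->exec('CREATE TABLE namespace_config (name TEXT, user TEXT, value TEXT)');
$db->exec("INSERT INTO namespace_config VALUES ('editor', 'otto', 'wysiwyg'),
                                               ('editor', 'admin', 'plain')");

// Constructed input that rewrites the WHERE clause if pasted into SQL text.
$user = "otto' OR '1'='1";

// The raw-string pattern point 8 wants to retire: the value becomes SQL.
$raw = $db->query("SELECT * FROM namespace_config WHERE name = 'editor' AND user = '$user'")
          ->fetchAll(PDO::FETCH_ASSOC);

// The same lookup through the wrapper: the value is bound as a literal string,
// so it is compared against the user column and matches no row.
$bound = serendipity_db_query(
    $db,
    'SELECT * FROM namespace_config WHERE name = :name AND user = :user',
    ['name' => 'editor', 'user' => $user]
);

printf("raw string: %d rows, bound: %d rows\n", count($raw), count($bound));
```

The raw-string query returns both rows because the tail of the input turns the condition into `... OR '1'='1'`, while the bound query returns nothing, which is the behaviour the wrapper is meant to guarantee for every core and plugin query.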