$Id: ReleaseNotes,v 1.12 2006/03/03 17:27:38 bhockney Exp $

Release notes for Webfwlog

Version 0.92 2006-03-04

- It is now possible to add an arbitrary column definition when data is logged
  to a database.  This requires that the allow_raw_sql parameter in
  webfwlog.conf be set (this was previously called allow_additional_where).
  There are security considerations to allowing this.  See the security
  advisory below.

- The release notes below for previous releases may still apply if upgrading. 

Version 0.91 2005-04-21

- SECURITY ADVISORY

  All webfwlog versions before 0.91 by default allowed the user to add raw SQL
  to the WHERE and HAVING clauses of the queries sent to the database server.
  In older versions of webfwlog this was the only way to select packets based
  on some fields, and embedded quoted strings are difficult to escape, so the
  entire user-provided input was sent as-is.  All logged fields now have
  specific selectors so in most cases it is not necessary to add raw SQL to a
  query, and everything entered by the user is properly validated and escaped.
  Accordingly, the ability to add raw SQL is now disabled by default, and must
  be explicitly enabled in the webfwlog.conf file.

  However, saved reports from older versions of webfwlog that made use of this
  feature (e.g., to specify multiple ports in webfwlog versions < 0.87) will
  need to be modified using the report editor.  In particular, some of the
  sample reports included in the webfwlog distribution for version < 0.87 used
  this feature and these reports and any reports based on them will need to be
  modified.  The affected reports are tcpports, tcpsyn, and recent_active.

  In order to modify these reports it will be necessary to temporarily enable
  the allow_additional_where parameter in the webfwlog.conf file.  After
  saving the modified reports the allow_additional_where parameter should be
  disabled.

  Even if present in a saved report, the additional_where and additional_having
  fields are ignored if allow_additional_where is disabled (default).

  It is recommended that all users of webfwlog < 0.91 upgrade to the latest
  version.

- The file name for the home page has been changed from webfwlog.php to
  index.php.  Depending upon your web server, you may now only need to point
  your browser to the directory webfwlog in order to start the program.
  However, this change also breaks any links you may have to webfwlog.php
  and you should update them accordingly.

- Cookies are now explicitly required to be enabled in order to use webfwlog.
  Cookies are used by webfwlog to propagate the PHP session ID, and the 
  drill-down function does not work properly without this.  Webfwlog uses
  session cookies only, not persistent cookies.
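
The behaviour described in the 0.91 security advisory, as an added sketch that
is not webfwlog code (webfwlog itself is PHP; this uses Python and sqlite3 so
it runs stand-alone).  The packets table, its columns, the dports/proto report
keys and all function names are assumptions; additional_where and allow_raw_sql
are the names used in these notes.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions.
ROWS = [("10.0.0.5", 22, "TCP"), ("10.0.0.9", 80, "TCP"),
        ("10.0.0.9", 53, "UDP"), ("10.0.0.7", 443, "TCP")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE packets (src TEXT, dport INTEGER, proto TEXT)")
    db.executemany("INSERT INTO packets VALUES (?, ?, ?)", ROWS)
    return db

def parse_ports(text):
    """Validate a comma-separated port list; reject anything but 0-65535."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not (item.isascii() and item.isdigit()) or int(item) > 65535:
            raise ValueError(f"invalid port: {item!r}")
        ports.append(int(item))
    return ports

def build_query(report, allow_raw_sql=False):
    """Return (sql, params) for a saved report (a dict in this sketch)."""
    clauses, params = [], []
    # Specific selectors: values are validated and bound, never concatenated.
    if report.get("dports"):
        ports = parse_ports(report["dports"])
        clauses.append("dport IN (%s)" % ",".join("?" * len(ports)))
        params += ports
    if report.get("proto"):
        clauses.append("proto = ?")
        params.append(report["proto"])
    # Raw SQL saved in a report is ignored unless explicitly enabled.
    if allow_raw_sql and report.get("additional_where"):
        clauses.append("(" + report["additional_where"] + ")")
    sql = "SELECT src, dport FROM packets"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY dport", params

def run_report(report, allow_raw_sql=False):
    sql, params = build_query(report, allow_raw_sql)
    return make_db().execute(sql, params).fetchall()
```

A legacy report that carries only additional_where returns every row while the
flag is off, which is why such reports have to be rewritten with the specific
selectors.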

Version 0.90 2004-11-11

- The webfwlog.conf file has been updated and has some new parameters.  Please
  review if you are upgrading from a previous version of webfwlog.
  If you are upgrading to 0.9x from 0.8x you will need to add two
  parameters to your config file in order to use the syslog parser:
    wfwl_syslog=/path/to/wfwl_syslog executable
    syslog_dir=/path/to/logfiles
