Blog

  • Version 1.6 10 July 2015

    security

    We’ve released version 1.6 of FixMyStreet (previously numbered 1.5.5).

    This release includes important security fixes:

    • A vulnerability in login email sending that could allow an account to be hijacked by a third party;
    • Alterations to token logging in and timeout behaviour;
    • A dependency update to fix an issue with Unicode characters in passwords.

    More details on those items below. Other items in this release include a Chinese translation, a bug fix with shrunken update photos, and some front end improvements, such as a ‘hamburger’ menu icon and an easier Report button on mobile, and resized map pins based on zoom level.

    See the full list of changes over on GitHub.

    Security fixes

    Login email account hijacking: Due to the way parameters were passed into the token table in the database, it was possible for someone to request a login email for one email address, but have the login email sent to a different address. This would allow a third party to log in as someone else, letting them make reports or updates as that person.

    The code has been rewritten so all user parameter passing goes through central functions that return only one parameter even if the user has passed multiple parameters. More details of this class of vulnerability.
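
    The class of bug described above, as an added illustration that is not FixMyStreet's own code: in Perl request objects such as CGI.pm's and Catalyst's, param() returns every supplied value in list context, so a repeated parameter can add or overwrite keys when the call sits inside a hash constructor. DemoRequest, get_param, is_repeated and the sample values are constructed for this example.

    ```perl
    use strict;
    use warnings;

    # Constructed stand-in for a request object whose param() is
    # context-sensitive, as in CGI.pm and Catalyst::Request: every value
    # in list context, only the first value in scalar context.
    package DemoRequest;
    sub new { my ($class, %p) = @_; return bless { p => \%p }, $class }
    sub param {
        my ($self, $name) = @_;
        my @values = @{ $self->{p}{$name} || [] };
        return wantarray ? @values : $values[0];
    }

    package main;

    # Hypothetical central accessor: always hands back exactly one scalar
    # (possibly undef), so hash key/value pairing cannot be disturbed.
    sub get_param {
        my ($req, $name) = @_;
        my $value = $req->param($name);    # scalar assignment => scalar context
        return $value;
    }

    # Hypothetical check for logging or rejecting repeated parameters.
    sub is_repeated {
        my ($req, $name) = @_;
        my @values = $req->param($name);
        return @values > 1;
    }

    # Constructed request: the "name" field was supplied three times.
    my $req = DemoRequest->new(
        email => ['alice@example.org'],
        name  => ['Alice', 'email', 'other@example.net'],
    );

    # Before: param() is called in list context inside the hash constructor,
    # so the extra "name" values become an extra key/value pair.
    my %unsafe = (email => $req->param('email'), name => $req->param('name'));

    # After: one value per key, whatever the client sent.
    my %safe = (email => get_param($req, 'email'), name => get_param($req, 'name'));

    printf "list-context hash, email: %s\n", $unsafe{email};
    printf "central accessor,  email: %s\n", $safe{email};
    warn "parameter 'name' supplied more than once\n" if is_repeated($req, 'name');
    ```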

    Email authentication tokens: Problem confirmation tokens had to be used within a month; this now applies to all confirmation tokens, and email sign in tokens are valid for a day. Using those tokens after confirmation will redirect correctly, but no longer log you in; links in alert emails will no longer log you in.

    Unicode characters in passwords: The package our code uses to encode database columns, DBIx::Class::EncodedColumn, could have issues with Unicode characters provided to it. This was fixed by upgrading the version we use.

  • Version 1.5.4 18 March 2015

    We’ve released version 1.5.4 of FixMyStreet.

    This includes a couple of new map layers, Bing Maps and Stamen’s toner-lite, and nicer confirmation pages for after you’ve made a report or update, along with other smaller improvements and bug fixes. See the full list of changes over on GitHub.

    For developers, it includes a few small improvements, to do with Mac installation, making some things optional, and including a new configuration variable for if you’re running behind an SSL proxy. We’ve also added some test URLs so that you can view confirmation pages without having to leave a new report or update, e.g. see it in action on fixmystreet.com: https://www.fixmystreet.com/P/_test_.

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.

  • Version 1.5 20 November 2014

    We’ve released version 1.5 of FixMyStreet. This version fully supports the new Long Term Support (LTS) version of Ubuntu, Trusty Tahr 14.04 (the code did already run fine on Ubuntu Trusty if you set it up manually, but now the install script will work and a few other bits have been tidied).

    This release comes with a few improvements to the admin interface, including pagination of search results, validation of new categories, and some display enhancements.

    We’ve moved the map sidebar to be flush with the window edge, which we think is simpler and easier on the eye, and we’ve continued making the template structure easier to change and override.

    We’ve also fixed some bugs, such as map submission not working with JavaScript disabled or unavailable. As another example, we had a report of the Android browser crashing when showing a map page, which we tracked down to the slightly transparent map navigation controls – crashing wasn’t worth this, so now on mobile they’re fully opaque.

    From Transifex we’ve added four new languages (as well as updating the existing ones): Albanian, Bulgarian, Hebrew, and Ukrainian.

    See the full changes over on GitHub.

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.

  • Version 1.4.2 15 July 2014

    We’ve released version 1.4.2, a maintenance release, but also with a couple of new features. The main reason for this release was to fix a couple of issues with the installation script, which are hopefully now resolved. It also upgrades our bundled copy of cpanm (to cope better when an external module website is down), tidies up the template structure, copes with browser autofill on the /auth sign in page, and adds links from the All Reports page to a body’s open or fixed reports.

    The main new feature is the addition of SMTP username/password and SSL/TLS options for your setup. You can read about the new options on the configuration settings page.

    See the full changes over on GitHub at https://github.com/mysociety/fixmystreet/releases.

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.

  • Version 1.4 23 May 2014

    Say hello to version 1.4 of FixMyStreet. As usual, the install script and AMI have both been updated to this version.

    Hopefully this release will run more smoothly on EC2 micro instances, with some cron rejigging to alleviate memory problems.

    There have been a few minor user-facing improvements, such as automatically selecting the reporting category if there’s only one choice, and removing the indenting of emails; some bug fixes, including changes for the new version of Debian, a problem with language setting in email alerts, and removal of cached photos; and a number of improvements for people reusing the code, including a no-op send method, having reports on staging sites be sent to the reporter, adding an external URL field to bodies, and making it easier to change the pin icons.

    See the full changes over on GitHub at https://github.com/mysociety/fixmystreet/releases.

    Thanks to Andy Lulham, Chris Mytton, Dave Arter, Dave Whiteland, Gerald, Hakim Cassimally, Ian Chard, Jon Kristensen, Jonas Oberg, Kindrat, Matthew Somerville, Rikard, Steven Day, and Struan Donald for contributing to this release.

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.

  • Version 1.3 25 November 2013

    Version 1.3 of FixMyStreet is now out :-) The install script and AMI are both updated to this version.

    I realise I haven’t posted here with each point release during version 1.2, sorry. You can see the changes in each release here on GitHub at https://github.com/mysociety/fixmystreet/releases and below is a list of all the main things that have changed since version 1.2 (* means new since the last version, 1.2.6, if you were keeping track):

    • OpenLayers upgraded to 2.13.1, giving e.g. animated zooming
    • A fully functional Google Maps layer via OpenLayers
    • * If you only specify one cobrand in the configuration file, the site will always use it, rather than only if your hostname also matches. This is probably what you would expect to happen!
    • * A contact can be given multiple email addresses
    • * A body can be marked as deleted, and then it will not be used by the front end at all
    • The admin interface has had a lot of inline documentation, hints and notices added, along with a page showing the site’s current configuration
    • * The admin interface has some feature additions from coding volunteers, such as a date picker on the stats page thanks to Andrew Black, and searching by external ID thanks to Andy Lulham
    • We’ve added an example Vagrantfile and improved the install scripts
    • * The test suite should now run regardless of the contents of your configuration file
    • Translation improvements - some better wording of strings, some missed or UK-only URLs/translations (thanks Jonas and Rikard), and a fix for the long-standing issue where multiline strings were not being translated (hooray)
    • * Bug fixes, most notably sometimes when changing report state in the admin interface, and an issue with the bottom navbar in Chrome (which we’ve reported to the Chromium project)

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.

  • Version 1.2 3 May 2013

    Today we’re releasing version 1.2 of the FixMyStreet platform. The AMI has been updated and the install script will automatically now install this version.

    The main items in this release are things prompted by requests on our mailing list :-)

    • Postfix is now installed as part of the install script, or in the AMI. This means email should work out of the box. For anyone already installed, you can run the commands in the GitHub ticket.

    • A new configuration option MAPIT_ID_WHITELIST has been added, to restrict usage to the IDs specified, if given. This means Claudio, who emailed last week, could have [ 239540 ] as his MAPIT_ID_WHITELIST, and then reports could only be made within the Marche region of Italy. We already use this new option ourselves on https://www.zueriwieneu.ch/ where before it was hard-coded in the code.

    • Other things include being able to zoom in further on OSM maps, and HTML pages are now being gzipped.

    Lastly, as you can see this site has had a redesign to make it more friendly, and we’ve added some more documentation about e.g. updating an AMI instance to a newer version. If there’s anything unclear, please do ask on the mailing list or submit an issue or pull request on GitHub.

  • Version 1.1 - Bodies 22 February 2013

    Today we’re releasing version 1.1 of the FixMyStreet platform. The AMI has been updated and the install script will automatically now install this version.

    The main change since version 1.0 is the addition of bodies. Historically, FixMyStreet has assumed that the administrative areas that are returned from MapIt are the same thing as the bodies to which the reports will be sent. This has led over time to a number of workarounds when this hasn’t been the case, either in manual code changes in FixMyStreet or by adding new types to a MapIt install, and dealing with it in that way.

    We have updated the code so that FixMyStreet holds its own records of bodies to which reports can be sent, and the MapIt area – or areas – that they cover. This is conceptually much clearer, as well as making it much easier to have a body covering multiple areas, an area with multiple bodies, or a combination.

    Smaller functional changes in this release include admin improvements (it now looks like the front end site, and has had a number of other additions), and a couple of new configuration variables, DO_NOT_REPLY_EMAIL and SEND_REPORTS_ON_STAGING, to make debugging a little easier, along with a --debug option to send-reports. Also, we found on the mailing list a couple of times that people ran into trouble because their MapIt had debug turned on, and FixMyStreet didn’t cope well with the debug output MapIt included in its responses. This has now been fixed.

    Many of the other commits in the past few months have been for various installations of the codebase, from the forthcoming FixMyBarangay in the Philippines to local UK council installs such as Oxfordshire or Bromley. These have in many cases led to small improvements and bugfixes to the central codebase, which can then be used by any reusers of the code.

    Lastly, all the strings in the JavaScript are now translatable, along with a few other strings that had previously been missed; do let us know if you find any other strings that can’t be translated and we’ll look into it.

  • Easy Installation 2 October 2012

    Four months ago, someone raised a ticket on FixMyStreet’s GitHub account, asking for alternative ways of setting up an installation. We certainly agreed this was a good idea, as we’re well aware that there are various different parts to FixMyStreet that might require quite a bit of knowledge in setting up.

    We’re now pleased to announce that we have created an AMI (Amazon Machine Image) containing an already set-up default installation of FixMyStreet. You can use this to create a running server on an Amazon EC2 instance. If you haven’t used Amazon Web Services before, then you can get a Micro instance free for a year.

    If you have your own server, then we have separately released the install script that is used to create the AMI, which can be run on any clean Debian or Ubuntu server to set everything up for you, from the PostgreSQL database to nginx.

    If you prefer to do things manually, and already know how to set up your database and web server, our manual documentation is still available.

    An AMI and install script are also available for MapIt – see our MapIt documentation for more details. This should make it very straightforward to get something set up for testing and development.

    Do let us know how you get on.

  • Improving Configuration 17 August 2012

    Now that a default install is a bit more straightforward to set up, our thoughts turn to improving the customisation of that default install. Currently, apart from the options already present in the main configuration file, that involves knowing a bit of Perl, in order to create a Cobrand .pm file containing the various customisations. So to reduce that dependency, we’ve moved a number of these options into the main configuration file, so that hopefully a standard customisation might not need a Cobrand .pm file at all.

    These changes range from simple text strings that are now in templates, through to specifying what areas from MapIt you are interested in, or what languages the site is available in. The general.yml-example file contains information on each option, and we’ve updated our customisation documentation as well.

    Also, thanks to some testing of a current installation by Anders for FiksGataMi, we’ve made more incremental improvements to the installation, including fixing a couple of tests that shouldn’t run unless your configuration is set up in a particular way, making sure inherited cobrands use the best templates, and including the Catalyst::Devel module so running the development server is easier.