The user was nameencoded twice.

These regular files were executable for no reason. They needed a special
rule for the Debian package, better to fix it upstream.

This functionality broke in recent updates to the cookie handling. This
patch makes it work again.
Binding to the session is now a functionality of auth_cookiesalt()

This plugin converts existing filenames that were stored using the
option "safe" in fnencode from using the dot (.) as post_indicator to
using a bracket (]) as post_insdicator. It will also add a
post_indicator at the end of the file name should it be missing (Bug
FS#2122).

This plugin needs testing by people using the safe encode option!

Note, any filenames encoded with the previous SafeFN scheme will need to
be converted to the new scheme.  Users of the old SafeFN scheme should
not use this new scheme until after converting their filenames.

Before this patch with a .htaccess file on a higher level in the
hierarchy with "Satisfy Any" it has been possible that the directory
protection didn't work as expected.

This was broken in 3a48618a

as discussed at
http://www.freelists.org/post/dokuwiki/tokenizer-cmd-in-indexer,1

This avoids having the blowfish encrypted pass stored together with the
decryption key on the same server.

When a plugin is installed in the wrong directory, the class loading
will fail. This patch tries to find the correct directory from the
plugin.info.txt (using the base key) and give a hint to the user on how
to fix this.