e1fa101

What's Changed

  • Applying the filters to inner elements of arrays by @skenow in #1162
  • Additional input filtering - mailusers, findusers, checkVarArray inner elements by @skenow in #1163
  • Filtering updates for blocksadmin and mailusers by @skenow in #1164
  • Prepare 1.4.4 by @fiammybe in #1171

Full Changelog: v1.4.3...v1.4.4

Download ImpressCMS

e85b158

What's Changed

  • Fixed some warnings and notices in installer for newer PHP versions by @MekDrop in #882
  • Protector get_magic_quotes_gpc fix for php 7.4 by @MekDrop in #884
  • Smiles in misc.php now are escaped by @MekDrop in #890
  • Fix "#881 trying to send mails with SMTP auth gives missing smtp class" by @MekDrop in #889
  • Added exception handler by @MekDrop in #888
  • Fixed bug when handlers from module separate files can't be loaded by @MekDrop in #887
  • Fixes 'Notice: Only variables should be passed by reference in /home/vagrant/impresscms/htdocs/libraries/icms/config/Handler.php on line 237' by @MekDrop in #886
  • Fixed bug when admin menu can't regenerate when module folder is removed before uninstalling by @MekDrop in #897
  • Fixed syntax error in include/registerform.php by @MekDrop in #896
  • fix vulnerability in autoloader by @fiammybe in #913
  • block path traversal in image editor, transform .. to _ by @fiammybe in #915
  • Fixes/ipf table filtering - limitsel missing POST value by @skenow in #937
  • Adjusted template file inclusion for correct path. Fixes #603 by @skenow in #944
  • Increase input sanitizing for system module and submodules by @skenow in #943
  • Dev/jquery inclusion by @skenow in #935
  • Fix for modules admin; user language files - fix #948 by @skenow in #949
  • Update release_notes.md by @fiammybe in #1058
  • Added filtering to the input in setSortOrder in icms_ipf_table by @fiammybe in #966
  • filter url variable in findusers.php by @fiammybe in #967
  • Remove the old FCKEditor - no longer supported by @fiammybe in #833
  • add CKEditor 4.17.1 by @fiammybe in #1095
  • Protector updates - PHP8 compatibility, update and remove legacy code by @skenow in #1098
  • Preparations for the 1.4.3 RC release by @fiammybe in #1099
  • Add a default parameter to addSlashes by @fiammybe in #1108
  • Improvements in findusers logic and filtering by @skenow in #1110
  • Undefined language constants for CKeditor in general preferences by @skenow in #1111
  • Accept token for valid users only by @skenow in #1115
  • User cookie could be contaminated - filter added by @skenow in #1117
  • Protector enhancements and added security by @skenow in #1118
  • Prepare 1.4.3 RC2 release by @fiammybe in #1109
  • Making sure protector gets installed during the site installation by @skenow in #1137
  • Changing filter method for request_uri to filter_sanitize_string by @skenow in #1136
  • Fix for information displayed in protector admin and debug console by @skenow in #1154
  • release 1.4.3 by @fiammybe in #1155

Full Changelog: v1.4.2...v1.4.3

73e72a5

v1.4.3-rc2

Pre-release

What's Changed

  • Fixed some warnings and notices in installer for newer PHP versions by @MekDrop in #882
  • Protector get_magic_quotes_gpc fix for php 7.4 by @MekDrop in #884
  • Smiles in misc.php now are escaped by @MekDrop in #890
  • Fix "#881 trying to send mails with SMTP auth gives missing smtp class" by @MekDrop in #889
  • Added exception handler by @MekDrop in #888
  • Fixed bug when handlers from module separate files can't be loaded by @MekDrop in #887
  • Fixes 'Notice: Only variables should be passed by reference in /home/vagrant/impresscms/htdocs/libraries/icms/config/Handler.php on line 237' by @MekDrop in #886
  • Fixed bug when admin menu can't regenerate when module folder is removed before uninstalling by @MekDrop in #897
  • Fixed syntax error in include/registerform.php by @MekDrop in #896
  • fix vulnerability in autoloader by @fiammybe in #913
  • block path traversal in image editor, transform .. to _ by @fiammybe in #915
  • Fixes/ipf table filtering - limitsel missing POST value by @skenow in #937
  • Adjusted template file inclusion for correct path. Fixes #603 by @skenow in #944
  • Increase input sanitizing for system module and submodules by @skenow in #943
  • Dev/jquery inclusion by @skenow in #935
  • Fix for modules admin; user language files - fix #948 by @skenow in #949
  • Update release_notes.md by @fiammybe in #1058
  • Added filtering to the input in setSortOrder in icms_ipf_table by @fiammybe in #966
  • filter url variable in findusers.php by @fiammybe in #967
  • Remove the old FCKEditor - no longer supported by @fiammybe in #833
  • add CKEditor 4.17.1 by @fiammybe in #1095
  • Protector updates - PHP8 compatibility, update and remove legacy code by @skenow in #1098
  • Preparations for the 1.4.3 RC release by @fiammybe in #1099
  • Add a default parameter to addSlashes by @fiammybe in #1108
  • Improvements in findusers logic and filtering by @skenow in #1110
  • Undefined language constants for CKeditor in general preferences by @skenow in #1111
  • Accept token for valid users only by @skenow in #1115
  • User cookie could be contaminated - filter added by @skenow in #1117
  • Protector enhancements and added security by @skenow in #1118
  • Prepare 1.4.3 RC2 release by @fiammybe in #1109

Full Changelog: v1.4.2...v1.4.3-rc2

133d2a1

v2.0.0 alpha 12

Pre-release

What's Changed

🐛 Bug Fixes

  • Fixed incorrect urls for PageNav generated links @MekDrop (#1107)
  • Enable migrations for modules in module installer/updating/removing @MekDrop (#1104)
  • Fixed module block titles/names from constants resolving @MekDrop (#1103)
  • Fixes few issues with page_modulesinstall.php for installer @MekDrop (#1102)
  • Add IcmsPersistableController to legacy class resolving map @MekDrop (#1101)
  • Remove a few system module services that were previously defined in core @MekDrop (#1093)
  • Fixes system module upgrading from installer @MekDrop (#1091)
  • Fixes some old class references resolving for some older modules @MekDrop (#1087)
  • Fixes crash when not correct order comes from user data for table @MekDrop (#1086)
  • Fixed namespaces issues for newer PHP in footer.php and header.php @MekDrop (#1083)
  • Fixed legacy url index.php resolving when they are described as paths @MekDrop (#1084)
  • Use new version imponeer/smarty-db-resource @MekDrop (#1013)
  • Corrected DataFilter class usage @MekDrop (#1070)
  • Fixed crashing translator when translation folder contains index file @MekDrop (#1072)
  • Fixed bug when HTTP headers for modules that don't use controllers were stripped @MekDrop (#1061)
  • Fixed media uploader sizes checks when there is no limit set @MekDrop (#1069)
  • image.php rewritten as controller action @MekDrop (#1068)
  • Fixed 'Class "ImpressCMS\Core\Database\Legacy\Updater\ReflectionClass" not found' bug @MekDrop (#1066)
  • Fixed fatal error (PHP 8.x) when config item doesn't have a description @MekDrop (#1067)
  • Fixed bug when legacy module crashed due translations constants not loaded at correct time @MekDrop (#1065)
  • Fixed rights check for legacy URL modules @MekDrop (#1064)
  • Fixed module model resolving to be able to work with PHP 8.x @MekDrop (#1063)
  • Fixed module submenu counting bug for PHP 8.x @MekDrop (#1062)
  • Fixed bug when version getting failed for newer PHP in system admin @MekDrop (#1060)
  • Fixed translation loading for module admin menus @MekDrop (#1059)
  • PHP 8.0 & PHP 8.1 support @MekDrop (#1053)


d84c124

v1.4.3-rc

Pre-release

What's Changed

  • Fixed some warnings and notices in installer for newer PHP versions by @MekDrop in #882
  • Protector get_magic_quotes_gpc fix for php 7.4 by @MekDrop in #884
  • Smiles in misc.php now are escaped by @MekDrop in #890
  • Fix "#881 trying to send mails with SMTP auth gives missing smtp class" by @MekDrop in #889
  • Added exception handler by @MekDrop in #888
  • Fixed bug when handlers from module separate files can't be loaded by @MekDrop in #887
  • Fixes 'Notice: Only variables should be passed by reference in /home/vagrant/impresscms/htdocs/libraries/icms/config/Handler.php on line 237' by @MekDrop in #886
  • Fixed bug when admin menu can't regenerate when module folder is removed before uninstalling by @MekDrop in #897
  • Fixed syntax error in include/registerform.php by @MekDrop in #896
  • fix vulnerability in autoloader by @fiammybe in #913
  • block path traversal in image editor, transform .. to _ by @fiammybe in #915
  • Fixes/ipf table filtering - limitsel missing POST value by @skenow in #937
  • Adjusted template file inclusion for correct path. Fixes #603 by @skenow in #944
  • Increase input sanitizing for system module and submodules by @skenow in #943
  • Dev/jquery inclusion by @skenow in #935
  • Fix for modules admin; user language files - fix #948 by @skenow in #949
  • Update release_notes.md by @fiammybe in #1058
  • Added filtering to the input in setSortOrder in icms_ipf_table by @fiammybe in #966
  • filter url variable in findusers.php by @fiammybe in #967
  • Remove the old FCKEditor - no longer supported by @fiammybe in #833
  • add CKEditor 4.17.1 by @fiammybe in #1095
  • Protector updates - PHP8 compatibility, update and remove legacy code by @skenow in #1098
  • Preparations for the 1.4.3 RC release by @fiammybe in #1099

Full Changelog: v1.4.2...v1.4.3-rc

178b665

v2.0.0 alpha 11 🌈

Pre-release

What's Changed

🚀 Features

  • Added ImpressCMS/codemirror-integration to default installation & fixed installer bug for installing from there @MekDrop (#1051)
  • Added asset-packagist repo to composer for installing frontend assets as composer packages (if there is a need) @MekDrop (#1019)
  • Added phpseclib/bcmath_compat to make it possible to install without bcmath extension @MekDrop (#1000)
  • Remove all editors from core @MekDrop (#800)
  • PARTIAL use editor contracts from imponeer to make editors pluggable @MekDrop (#1007)
  • Do not show module version for unreleased modules in modules admin @MekDrop (#1012)
  • Available modules list function now uses module describers @MekDrop (#1011)
  • Added possibility for module to copy assets from vendor/ @MekDrop (#1005)
  • Use criteria lib from Imponeer @MekDrop (#927)
  • Using Composer 2.x API for internal operations @MekDrop (#796)
  • Most of Smarty plugins now implemented as composer libraries from @imponeer + xoops_link smarty function removed @MekDrop (#919)
  • add install instructions to readme for 2.0 @fiammybe (#917)
  • Added smarty 'trans' block and 'trans' variable modifier for translations @MekDrop (#874)
  • Added ping to extend sessions automatically @MekDrop (#869)
  • Fix/Improvement for cases when a theme was selected but then removed @MekDrop (#855)
  • Removed reflex theme from core @MekDrop (#854)
  • Site closed view functionality as dynamic SiteClosedMiddleware @MekDrop (#725)
  • Code about multi_login moved from common.php into separate HTTP Middleware @MekDrop (#724)
  • Session moved from container to middleware + theme changing now from HTTP middleware @MekDrop (#723)
  • Added possibility to describe themes (also support for composer themes!) @MekDrop (#770)
  • Added possibility to load modules definitions from different type of info files (like icms_version.php or composer.json) @MekDrop (#768)
  • Smarty plugins can now be defined as services in container @MekDrop (#752)
  • System waiting block can now be expanded with services defined in container @MekDrop (#750)
  • Upgraded middlewares/referrer-spam to 2.0.2 for PHP 8.0 and Composer 2.0 support @MekDrop (#826)
  • Replace "ICMS_URL . '/modules/' -> ICMS_MODULES_URL . '/'" and "ICMS_ROOT_PATH . '/modules/' -> ICMS_MODULES_PATH . '/'" @MekDrop (#749)
  • Using properties instead of setVar when setting database object properties everywhere where is possible @MekDrop (#745)
  • Added new translator service @MekDrop (#801)
  • Use league/mime-type-detection for dealing with mimetype detection & deprecated icms_Utils @MekDrop (#738)
  • Using object property instead of getVar everywhere where is possible @MekDrop (#744)
  • Fixed #733: Rename using the proper naming convention (This is a public var) @MekDrop (#736)
  • Removed some old openid related code + migration to update openid related fields @MekDrop (#747)
  • Added Roave Security Advisories to composer [dev] @MekDrop (#742)
  • Encrypt cookies automatically with middleware if such preference is set @MekDrop (#740)
  • Timers visible as Server-Timing header (using HTTP Middleware) @MekDrop (#727)
  • Messengers fields from user settings were removed @MekDrop (#746)
  • Fixed 'Rename using the proper naming convention (this is a public var)' for #731 @MekDrop (#737)
  • Removed old style redirect @MekDrop (#726)
  • Using FireWall middleware for bad ips checking instead of Security class @MekDrop (#720)
  • Replaced DB_SALT env variable with APP_KEY @MekDrop (#739)
  • Removes textsanitizer plugins and default DHTMLEditor @MekDrop (#735)
  • Removed checkSuperGlobals from Security class @MekDrop (#721)
  • Checks referers with HTTP middleware instead of security class @MekDrop (#719)
  • Upgraded phpunit to 9.4 and test to make sure PHP 8.0 compatible @MekDrop (#802)
  • Changed way how paths in subfolder would be handled @MekDrop (#797)

🐛 Bug Fixes

  • Added ImpressCMS/codemirror-integration to default installation & fixed installer bug for installing from there @MekDrop (#1051)
  • Fixes few installer errors @MekDrop (#1020)
  • Fixed template file source resolving for tplsets @MekDrop (#1018)
  • Use editor contracts (second part) @MekDrop (#1017)
  • Fixed wrong constant for updating module config data @MekDrop (#1016)
  • Fixes bug with constants translations for console @MekDrop (#1015)
  • Fixed bug when module model couldn't load unreleased module info @MekDrop (#1014)
  • If database was already initialized, do not go back in installer without message @MekDrop (#1009)
  • Better non installed icms detection @MekDrop (#1008)
  • Added phpseclib/bcmath_compat to make it possible to install without bcmath extension @MekDrop (#1000)
  • Remove all editors from core @MekDrop (#800)
  • Available modules list function now uses module describers @MekDrop (#1011)
  • Fixed bug when composer.json module describer failed with unreleased modules due release date @MekDrop (#1010)
  • Fixed bug when there are no editors of type @MekDrop (#1006)
  • Fixed a bug for templates during installation @MekDrop (#1003)
  • Fix bug with mindplay/composer-locator old version @MekDrop (#1001)
  • Fixed few security issues with packages @MekDrop (#974)
  • Fixed tuupola/server-timing-middleware requirements @MekDrop (#975)
  • CacheClearSetup steps moved to same namespace/path as other steps @MekDrop (#892)
  • Smiles in misc.php now are escaped @MekDrop (#891)
  • Fixed bug when was not possible to automatically resolve correct Route Strategy service due missing escape character in beginning @MekDrop (#870)
  • Fix/Improvement for cases when a theme was selected but then removed @MekDrop (#855)
  • Fixed includeq not working in smarty anymore bug @MekDrop (#849)
  • Fixed null response bug for root path installations @MekDrop (#844)
  • Fixed bug with too long cookie names for Table component @MekDrop (#842)
  • Upgraded middlewares/referrer-spam to 2.0.2 for PHP 8.0 and Composer 2.0 support @MekDrop (#826)
  • Fixed #733: Rename using the proper naming convention (This is a public var) @MekDrop (#736)
  • Remove whitesource config @MekDrop (#837)
  • Removed some old openid related code + migration to update openid related fields @MekDrop (#747)
  • Messengers fields from user settings were removed @MekDrop (#746)
  • Fixed 'Rename using the proper naming convention (this is a public var)' for #731 @MekDrop (#737)
  • Fixed short if bug for newer PHP in BlockHandler @MekDrop (#798)
  • Prevents using submitted filenames with ../ for modelcontroller @MekDrop (#813)
  • Fixed possible file system exposing due language cookie on installer (reported by hackerone_success) @MekDrop (#822)
  • switch to a more explicit form of comparison @fiammybe (#809)
  • Changed way how paths in subfolder would be handled @MekDrop (#797)
  • Fix '0.0.0/composer-include-files 1.5.0 requires composer-plugin-api ^1.0 -> found composer-plugin-api[2.0.0] but it does not match the constraint.' with newer composer @MekDrop (#787)
  • Fixes deprecation 'Array and string offset access using curly braces' @MekDrop (#786)


2e3f2b3

This release fixes several bugs that were found during the HackerOne initial penetration test run on the 1.4.1 release. Some improvements and bugfixes are present as well.

This is a repackaged version of 1.4.2, because a small fix in the installer was necessary.

Fixes

  • #574 Test 1.4 on PHP 7.4 PHP7 (fiammybe)
  • #692 Include new version of profile PHP7 (fiammybe)
  • #845 PHP 7.4 : access array offset on value of type null in include/functions.php 1037 php 7.4 (fiammybe)
  • #852 anti-clickjacking security vulnerability (report #1055589 by jrckmcsb on HackerOne) (fiammybe)
  • #825 Improve path sanitizing bug security vulnerability (MekDrop)
  • #814 Better sanitize database queries in installer bug (report #983710 by solov9ev on HackerOne) (fiammybe)
  • #637 Notice on admin pages in PHP 7.4 duplicate php 7.4 (fiammybe)
  • #843 Fix the amount of cookies (fiammybe)
  • #805 Missing templates in system module (skenow)
  • #838 Remove whitesource config (Mekdrop)
  • #834 + #836 Limit maximum length of password (report #1033373 by f1v3 on HackerOne) (fiammybe)
  • #821 Fixed possible file system exposing due language cookie on installer (MekDrop)
  • #812 Prevents using submitted filenames with ../ for controller (report #1035311 by siva12 on HackerOne) (MekDrop)
  • #815 Better sanitize database queries in installer (report #983710 by solov9ev on HackerOne) (fiammybe)
  • #811 Remove phpopenid example folder bug (report #1042838 by hackerone_success on HackerOne) (fiammybe)
  • #810 more strict comparison of variables (report #1036883 by hodorsec on HackerOne) (fiammybe)
  • #806 Include the missing templates for the image manager (skenow)
  • #603 Issue with image inclusion on TinyMCE (fiammybe)

Improvements

  • #636 errors in form fields on admin account creation page of the installer (fiammybe)
  • #848 Cleanup deprecated functions in functions.php (fiammybe)
  • #694 remove the icms_banner reference. No longer present (fiammybe)

3aa86b2
Pre-release

A bugfix and security release:

  • Limit Maximum length of password (#836)
  • Fixed possible file system exposing due language cookie on installer (#821)
  • Better sanitize DB queries in installer (#815)
  • Prevents using submitted filenames with ../ (#812)
  • Stricter comparison of variables (#810)
  • Include the missing templates for the image manager (#806)
  • Remove the icms_banner references - no longer present (#694)

f8ad8d1

v2.0.0 Alpha 10 🌈

Pre-release

What's Changed

🚀 Features

  • change link to Hackerone to the security form @fiammybe (#782)
  • Added 'Security Policy' file @MekDrop (#779)
  • Clears cache when saving config items @MekDrop (#718)
  • Clears cache when installing, uninstalling or updating module @MekDrop (#708)
  • Using request middleware for detecting module + tags middleware.global support for all routes @MekDrop (#707)
  • Message confirm screen uses built-in form elements instead of internally hardcoded HTML elements @MekDrop (#706)
  • Gzip/Deflates encoder based on HTTP Middlewares @MekDrop (#717)
  • Renders legacy routes as groups in cache file @MekDrop (#704)
  • there is now a possible way to define required permissions for routes @MekDrop (#698)
  • sanitizePath in Logger now works faster (caches real path) @MekDrop (#697)
  • Removed old theme functions @MekDrop (#763)
  • Most core classes now moved into namespaces (with backward compatibility) @MekDrop (#691)
  • Filesystems don't use Mountmanager. Instead we are using container services for each filesystem. @MekDrop (#696)
  • IPF Handler uses in most cases mysql param bindings @MekDrop (#626)
  • Routes defined in composer.json @MekDrop (#620)
  • Update CONTRIBUTING.md @fiammybe (#690)

🐛 Bug Fixes

  • Replace | to || @idetinkin (#781)
  • Fixed URLs for GPLv2 license in php files @MekDrop (#773)
  • Fixes license in composer.json @MekDrop (#772)
  • Fixed bug when ImpressCMS was installed in subfolder and route grouping functionality prevented adding correct prefixes @MekDrop (#771)
  • Fixed #767: logging into admin gives db error @MekDrop (#769)
  • correct the interface path for the setupsteps @fiammybe (#766)
  • Fixes 'Deprecation Notice: Unparenthesized a ? b : c ? d : e is deprecated. Use either (a ? b : c) ? d : e or a ? b : (c ? d : e) in include/cp_functions.php:277' @MekDrop (#700)
  • When handling HTTP errors index.php now correctly detects status code @MekDrop (#699)
  • Removed todo 'Use language constants for messages' from IPF Handler @MekDrop (#748)
  • Composer now has local storage path @MekDrop (#755)
  • Replaced mibe/feedwriter with suin/php-rss-writer because of license conflicts @MekDrop (#756)
  • Fixes bug when if value in criteria is not a string some comparisons fails @MekDrop (#753)
  • Replace tecnickcom/tcpdf with dompdf/dompdf due license incompatibility @MekDrop (#762)
  • Fixes session cookies path for modules @MekDrop (#705)
  • IPF Handler uses in most cases mysql param bindings @MekDrop (#626)
  • Fixed downloading and cloning in admin tplsets @MekDrop (#624)

2789e96

This release resolves some regressions that were introduced with 1.4.0, makes sure everything works fine with PHP 7.3 and also resolves a long-lasting bug with blank pages after login.
