v0.31.11.0 — Installer Recovery & Hardening

@bertugfahriozer bertugfahriozer released this 24 May 20:07
· 19 commits to master since this release

This release fixes two installation-blocking regressions reported by the community: the web installer returned 404 after step 1, and the CLI installer aborted on migration. Both installation paths are now functional on every supported MySQL/MariaDB version, and the installer's HTTP attack surface has been reduced.

Highlights

  • Web installer recovered — no more 404: GET install/dbsetup after submitting the install form
  • CLI installer recovered: php spark ci4ms:setup now runs migrations successfully on MySQL 5.7+, MariaDB 10.x, and strict-mode installs
  • Installer attack surface reduced: dbsetup is no longer a public endpoint

Fixed

  • CRITICAL — Web Installer Broken (404 GET install/dbsetup): Install::index() redirected to install/dbsetup via HTTP 302 (which the browser follows with GET), but the route was registered as POST-only. Every fresh web installation aborted with 404 — Can't find a route for 'GET: install/dbsetup'. The two-step flow also relied on flashdata that could be lost across the redirect on some session drivers. index() now calls dbsetup($installData) directly in the same request, and the install/dbsetup route has been removed.
  • CRITICAL — CLI Migration Failure (profileIMG can't have a default value): The users table migration declared profileIMG as TEXT NOT NULL with a string default. MySQL/MariaDB reject this with "BLOB, TEXT, GEOMETRY or JSON column 'profileIMG' can't have a default value" on every server version that does not silently relax the rule. php spark ci4ms:setup aborted at Step 5/6 before the database was usable. Changed to VARCHAR(255) NULL so the default URL is preserved and the migration succeeds everywhere.

Changed

  • Install Controller Hardening: Install::dbsetup() is now private and accepts the installation payload as a typed array parameter, removing the externally callable seed endpoint, the flashdata round-trip, and the empty-payload guard. The install_dbsetup route alias and its role=create permission are gone, shrinking the installer's attack surface to a single endpoint protected by InstallFilter.
  • Version Bump: app.version now defaults to 0.31.11.0 in both Install::index() and Ci4msSetup::run().
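
The route change behind the 404 fix and the Install Controller Hardening item can be seen in a small model. This is an added example in plain PHP, not CI4MS or CodeIgniter code; the route tables, the resolve() helper and the dbname field are assumptions built from the descriptions above.

```php
<?php
// Added illustration: a toy method-aware route table, not CI4MS or CodeIgniter code.
// Route names and the 'dbname' field are constructed from the release notes.
declare(strict_types=1);

const ROUTES_BEFORE = [
    'GET install'          => 'Install::index',
    'POST install'         => 'Install::index',
    'POST install/dbsetup' => 'Install::dbsetup', // separately routable seed step
];
const ROUTES_AFTER = [
    'GET install'  => 'Install::index',
    'POST install' => 'Install::index',
];

/** Return the handler for a method/path pair, or null (the router's 404). */
function resolve(array $routes, string $method, string $path): ?string
{
    return $routes["$method $path"] ?? null;
}

/** Shape of the controller after the fix (hypothetical body, real method names). */
final class Install
{
    public function index(array $post): string
    {
        if (($post['dbname'] ?? '') === '') {
            return 'rejected: invalid install form';
        }
        // Same request: no redirect and no flashdata round-trip.
        return $this->dbsetup($post);
    }

    private function dbsetup(array $installData): string
    {
        return 'seeded ' . $installData['dbname'];
    }
}

// Before: the 302 is followed with GET, which the POST-only route never matches.
var_dump(resolve(ROUTES_BEFORE, 'GET', 'install/dbsetup'));
// Before: the seed step was still routable for a direct POST.
var_dump(resolve(ROUTES_BEFORE, 'POST', 'install/dbsetup'));
// After: no route exists, and the method is not callable from outside the class.
var_dump(resolve(ROUTES_AFTER, 'POST', 'install/dbsetup'));
var_dump(is_callable([new Install(), 'dbsetup']));
echo (new Install())->index(['dbname' => 'ci4ms_demo']), PHP_EOL;
```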

Upgrade Notes

  • Existing installations: No action required. This release only affects the installer (/install and php spark ci4ms:setup). Existing users.profileIMG columns are not migrated.
  • Fresh installations: Both the web installer (/install) and the CLI installer (php spark ci4ms:setup) now complete successfully on any MySQL 5.7+ or MariaDB 10.x server, regardless of sql_mode.
  • Anyone who started a failed install: Drop the partially created database, remove any .env and writable/install.lock that were generated, and re-run the installer.

Full Changelog: 0.31.10.0...0.31.11.0