What's New in glFusion v1.1.4

glFusion v1.1.4 is primarily a security and bug fix release, with a few minor feature enhancements thrown in.

This release does make configuration modifications, so you must run the Installation / Upgrade routine after you have loaded the files to your server.

Security Fixes / Enhancements

We have audited the glFusion code base and identified a few areas where coding best practices were not always followed. As a result, we have improved the data checks and validations on many SQL calls.
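The kind of check described above, as an added illustration rather than glFusion's own database layer: a topics array taken from a request is normalised and validated before it is used in an SQL IN clause, shown beside the unsafe string-building it replaces. The table name `gl_topics`, the id pattern, and the open mysqli connection `$db` are assumptions for the example.

```php
<?php
// Added illustration, not glFusion's own DB layer. Table name, id pattern and
// the mysqli connection $db are assumptions.

// Unsafe pattern: request values go straight into the query string, so a value
// containing a quote can change the query's meaning.
function topics_query_unsafe(array $topics): string
{
    $list = "'" . implode("','", $topics) . "'";
    return "SELECT tid FROM gl_topics WHERE tid IN ($list)";
}

// Hardened pattern: drop anything that is not a plausible topic id and use one
// positional placeholder per surviving value.
// Returns [sql, params], or null when nothing valid is left to query.
function topics_query_safe(array $topics): ?array
{
    $clean = [];
    foreach ($topics as $t) {
        if (!is_string($t) && !is_int($t)) {
            continue;                     // nested arrays smuggled into topics[]
        }
        $t = trim((string) $t);
        // Assumed id shape: short identifier characters only.
        if ($t === '' || !preg_match('/^[A-Za-z0-9_.-]{1,40}$/', $t)) {
            continue;
        }
        $clean[] = $t;
    }
    if ($clean === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    return ["SELECT tid FROM gl_topics WHERE tid IN ($placeholders)", $clean];
}

// Executes the hardened query with bound parameters (needs mysqlnd for get_result).
function run_topics_query(mysqli $db, array $topics): array
{
    $q = topics_query_safe($topics);
    if ($q === null) {
        return [];
    }
    [$sql, $params] = $q;
    $stmt = $db->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed sample input, as a settings form might submit it.
$posted = ['general', 'news', "x' OR '1'='1", '', ['nested']];
echo topics_query_unsafe(['general', "x' OR '1'='1"]), PHP_EOL;
print_r(topics_query_safe($posted));
```

With the constructed input, the unsafe builder emits the injected quote verbatim, while the hardened builder keeps only `general` and `news` and hands them to the driver as bound parameters; an all-invalid array yields `null` so the caller can skip the query instead of running `IN ()`.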

We’ve also consolidated some of the writable directories so we can reduce the overall number of directories that glFusion needs to have write permissions. Specifically, we have eliminated the Media Gallery rss/ directory and moved the Media Gallery RSS files to the glFusion backend/ directory. We’ve also moved the cached style.css and javascript.js files from the public_html/ directory into the layout_cache/ directory, so there is no requirement for glFusion to write to the public_html/ directory.

In glFusion v1.1.3 we implemented a new security feature that checks that the IP address used to set the long term cookie is the same as the IP address of the user who is trying to auto-login with that cookie. This fix removes the ability for someone to steal a user's password hash and log in (masquerade) as that user. We found this 'fix' can cause issues for users who are behind multiple proxy servers, where the IP address can change very often. In glFusion v1.1.4 we've added the ability to disable this security check.

We added some additional protections to Media Gallery so users cannot upload malicious files if the album is configured to allow any file type.

Security of your web site is very important to us. If a vulnerability is found, we try to fix it immediately. The challenge is informing our users of the risk and the fix. We now offer the glFusion Announce Mailing List that you can subscribe to; we will post all known issues and security issues to this list. We also offer a Known Issues / Security Updates RSS feed you can subscribe to.

Custom Language Overrides

You now have the ability to override any of the language file texts with your own custom language file. Custom language files would go in the private/language/custom/ directory. The files should only contain the actual language text you want to override, not the entire language file. For example, if I want to override the text:

    "This email was sent to you by %s at %s because they thought you might be interested in this article from {$_CONF['site_url']}.  This is not SPAM and the email addresses involved in this transaction were not saved to a list or stored for later use."

That text is stored in the $LANG08[23] variable of the language file, so my override file would be:

custom/english.php

$LANG08[23]='This is my override text';

During the next upgrade you won't have to worry about your customizations being overwritten!
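Why the override file needs only the entries it changes, as an added illustration (this is not glFusion's language loader): the base language file is included first and the custom file is included afterwards, so it simply reassigns the keys it mentions. The loader function, the temporary directory, and the stand-in contents of both files are constructed for the example.

```php
<?php
// Added illustration, not glFusion's loader. The base file is included first,
// then the custom file, which only reassigns the keys it contains.

function load_language_texts(string $base_file, string $custom_file): array
{
    $LANG08 = [];
    include $base_file;              // defines every entry of $LANG08
    if (is_file($custom_file)) {
        include $custom_file;        // touches only the keys it assigns
    }
    return $LANG08;
}

// Constructed stand-ins written to a temp directory so the script runs alone.
$dir = sys_get_temp_dir() . '/lang_demo_' . uniqid();
mkdir($dir . '/custom', 0700, true);

// Stand-in for private/language/english.php (two of its many entries).
file_put_contents($dir . '/english.php', <<<'PHP'
<?php
$LANG08[22] = 'Send this article to a friend';
$LANG08[23] = 'This email was sent to you by %s at %s because they thought you might be interested in this article.';
PHP
);

// Stand-in for private/language/custom/english.php: just the one override.
file_put_contents($dir . '/custom/english.php', <<<'PHP'
<?php
$LANG08[23] = 'This is my override text';
PHP
);

$texts = load_language_texts($dir . '/english.php', $dir . '/custom/english.php');
print_r($texts);

// Clean up the constructed files.
unlink($dir . '/custom/english.php');
unlink($dir . '/english.php');
rmdir($dir . '/custom');
rmdir($dir);
```

Running it shows entry 22 unchanged and entry 23 carrying the override text; because the custom file is included last, any key it does not mention keeps the value from the base file, which is also why a full copy of the language file in custom/ would silently pin every string to an old version.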

User Stats

We've added a new PHP block, phpblock_lastlogin(), which will display the last 5 users to log into the site.

We've also added a list of the last 10 users logged in to the stats page.

Improved CSS and JavaScript Handling (again!)

At one time, glFusion used the css.php and js.php PHP scripts to send the stylesheet and JavaScript to the browser. This was great for performance in sending the data to the browser, but it added a lot of load to the web server. In the previous release of glFusion, we moved to using a cache file, which provided the benefit of speed to the browser with lower load on the server. While this worked well, it required the public_html/ directory to be writable, which we believe is not the best security practice.

In glFusion v1.1.4, we've found a good compromise on speed, load, and security. We've implemented improved css.php and js.php scripts that do not place any additional load on the server, maintain the speed of sending the data to the browser in a single HTTP call, and do not require the public_html/ directory to be writable.

You will need to update your htmlheader.thtml file if you have a custom version on your site!

Ability to turn off the long term cookie IP check

When you log into a glFusion site, a long term cookie is set in the browser that contains an encrypted version of your password. This allows you to automatically log in to the site hours later. In v1.1.3 we added a security control to validate the IP address of the user against the IP address that originally created the long term cookie. This works great in most cases and removes the ability for someone to masquerade as another user. Unfortunately, if you have users who surf the web from behind a set of proxy servers, their IP address may change with each page load. We've now included the ability to turn off this check if it is causing problems for your users.

To turn off the IP check, edit your siteconfig.php file and add (or modify, if it is already there) the following line:

$_SYSTEM['skip_ip_check'] = 1;  // 0 = Check IP  1 = Do not check IP
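How the address binding and its opt-out fit together, as an added example that is not glFusion's implementation. The cookie layout here is an assumption: `uid|ip|tag`, where the tag is an HMAC over the uid and address keyed with a server-side secret, standing in for the encrypted password the page describes; the function names and the demo values are constructed.

```php
<?php
// Added illustration, not glFusion's code. Cookie format is an assumption:
// "uid|ip|tag", tag = HMAC(uid|ip) under a server-side secret.

function issue_long_term_cookie(int $uid, string $client_ip, string $secret): string
{
    $tag = hash_hmac('sha256', $uid . '|' . $client_ip, $secret);
    return $uid . '|' . $client_ip . '|' . $tag;
}

// Returns the uid on success, or null if the cookie must be ignored.
// $system mirrors the siteconfig.php array: skip_ip_check = 1 disables the
// address comparison, as glFusion v1.1.4 allows.
function validate_long_term_cookie(string $cookie, string $client_ip, string $secret, array $system): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$uid, $cookie_ip, $tag] = $parts;
    if (!ctype_digit($uid)) {
        return null;
    }
    // Integrity first: a tampered uid or address fails here regardless of settings.
    $expected = hash_hmac('sha256', $uid . '|' . $cookie_ip, $secret);
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    // Binding check: the address that created the cookie must match, unless the
    // site opted out because its users sit behind rotating proxies.
    $skip = !empty($system['skip_ip_check']);
    if (!$skip && $cookie_ip !== $client_ip) {
        return null;
    }
    return (int) $uid;
}

// Constructed demo values (documentation-range addresses).
$secret = 'replace-with-a-server-side-secret';
$cookie = issue_long_term_cookie(42, '203.0.113.10', $secret);

var_dump(validate_long_term_cookie($cookie, '203.0.113.10', $secret, ['skip_ip_check' => 0]));
var_dump(validate_long_term_cookie($cookie, '198.51.100.7', $secret, ['skip_ip_check' => 0]));
var_dump(validate_long_term_cookie($cookie, '198.51.100.7', $secret, ['skip_ip_check' => 1]));
```

The first call succeeds because the address matches; the second is rejected because the cookie was minted from a different address; the third shows the v1.1.4 opt-out, where the same cookie is accepted from the new address because `skip_ip_check` is set. Note that the integrity check still runs with the opt-out enabled, so disabling the IP comparison only gives up the address binding, not the protection against a forged cookie.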

Object Editing

We've added the ability to change the owner on static pages and files in the FileMgmt plugin.

Other Enhancements / Bug Fixes

  • Remove spaces from block arrays to ensure no trailing spaces are converted to commas (Fix provided by James) (Mark)
  • Allow anonymous users to email admin using contact form regardless of login requirement (Mark)
  • User profile page did not properly honor showonline status and accept email from user status (Mark)
  • Integrated last 10 logged in users into stats
  • Integrated User Activity (phpblock_lastlogin) block (Mark)
  • Trim trailing spaces from username during login authentication (Mark)
  • Only allow non-Root mail.admin users to email users in groups the mail.admin user belongs to (Mark)
  • Search did not display proper results when search string contained % (Mark)
  • Added ability to enable / disable plugins in fusionrescue.php (Mark)
  • Added permission check for MG tmp directory during install / upgrade (Mark)
  • Added CUSTOM_js() hook to allow addition of other JS files (Mark)
  • Advanced path settings in the installation screen are not updated if base path changes (Mark)
  • Group editor did not properly save additional groups or features (Mark)
  • Set height of logview window to facilitate easier horizontal scrolling (Eric)
  • Moved css and js cache files to layout_cache/ directory (Mark)
  • Added $_SYSTEM['skip_ip_check'] to disable the long term cookie IP check (Mark)
  • Handle disabled set_time_limit() function better in plugin upload routines (Mark)
  • Fine tuned SQL calls to help prevent injection / other issues (Mark)
  • Force IE8 to use IE7 compatibility mode to resolve text entry issues with the forum plugin (Mark)
  • Properly filter the topics array prior to using in SQL in usersettings.php (Mark)
  • Add CRLF between each JavaScript file (Mark)
  • Language overrides - the ability to override language file entries using a custom language file (Mark)
  • Additional security tweaks (Mark)
  • Use of adveditor in block editor does not permit use of image insert or file upload connector (Mark)
  • Implemented 'passwd' configuration type, this allows passwords in the configuration screen to be properly masked (Mark)
  • Story submission does not clear the Site Tailor menu cache which results in the topic story count being wrong (Mark) (story.class.php)
  • Installation did not properly detect missing siteconfig.php.dist file (Mark)
  • Advanced search using date range did not return stories or comments in that date range (Mark)

FileMgmt Plugin

  • Do not allow user to select the current category as its own parent (Mark)
  • Call stripslashes() on file description prior to emailing admins of new upload (Mark)
  • Ability to change the owner (submitter) of a file (Mark)

Forum Plugin

  • Root users could not post to read only forums (Mark)
  • Set width for text formatted code blocks in forum when using a fixed width layout (Eric)
  • Fixed issue where duplicate forum names (different categories) did not show in the forum selection list for moderation functions. (Mark)

Media Gallery Plugin

  • New config setting: $_MG_CONF['use_large_stars'] - if set to 1, the larger stars will be used in the album view instead of the smaller stars. (Mark)
  • Added option to phpblock_mg_randommedia to link to album instead of media. Modify the block function to phpblock_mg_randommedia(album) (Mark)
  • Added option to statically sort an album by rating (Mark)
  • FTP import did not properly add trailing backslash if missing (Mark)
  • Moved RSS feed files to the glFusion backend/ directory (Mark)
  • Email moderators option did not appear in album edit / create (Mark)
  • Under some circumstances creating an album would fail with an SQL error (Mark)
  • Fixed issue where 'slideshow' auto tag did not honor the media_order field (Mark)
  • FTP batch import would crash with SQL error (Mark)
  • Added [alink] auto tag to allow text links to albums (Mark)
  • Slideshow autotag does not honor caption option in config. (Mark)
  • Improved error handling when a user tries to access a media item they do not have permission to view (Mark)
  • Random image block did not change (Mark)

Site Tailor Plugin

  • Copy menu does not work (Mark)

StaticPages Plugin

  • Handle session timeouts more gracefully (Mark)
  • Added option to edit the author and owner (Mark)
  • Unable to upload images via the advanced editor when cloning a story (Mark)

glfusion/whatsnew/v114.txt · Last modified: 2010/02/02 02:12 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3