The primary focus of glFusion v1.1.4 was to provide a more secure and stable content management system. Specifically, we have made several improvements to the handling of user input to ensure only proper data is allowed and that all user-supplied data is properly filtered. We’ve also moved a few items around to reduce the number of writable directories required by glFusion. In particular, the public_html/ directory no longer needs to be writable by the web server for glFusion to run properly.
We've also expanded the ability to customize a site without worrying about customizations getting lost in the upgrade process. In addition to allowing custom template (.thtml) files, which were introduced in a previous release, you can now define language overrides in a similar manner, which allows you to customize the language texts. Another popular request voiced by the community was to add the ability to change the owner of static pages and file management files. With glFusion v1.1.4 you can now easily edit the owners of these items.
The security of your web site is very important to us. If a vulnerability in glFusion is found, we try to fix it immediately. The challenge is informing our users of the risk and the fix. We now offer the glFusion Announce Mailing List that you can subscribe to. We will post all known issues and security issues to this list. We also offer a Known Issues / Security Updates RSS feed you can subscribe to as well. We recommend that you subscribe to at least one of these items.
With improved security also come potential usability problems. One area where security controls have caused issues in the past is the use of security tokens to validate that input is coming from a known source. Security tokens are only valid for 20 minutes, which has caused problems when creating large static pages. With glFusion v1.1.4, saving a static page after the security token has expired will not cause all your data to simply vanish. Instead, you will be presented with a message that the token is invalid and that you should try the save again.
Another security control that has caused some issues is validating the long-term cookie against the IP address that originally created it. Normally, when you log into a glFusion site, a long-term cookie is set in the browser that contains an encrypted version of your password. This allows you to automatically log in to the site hours later. In v1.1.3 we added a security control that validates the IP address of the user against the IP address that originally created the long-term cookie. This works well in most cases and removes the ability for someone to masquerade as another user. Unfortunately, if you have users who browse the web from behind a set of proxy servers, their IP address may change with each page load. We’ve now included the ability to turn off this check if it is causing problems for your users.
We’ve also implemented the ability to change the owner of stories, static pages, and file mgmt files.
If you have a custom htmlheader.thtml file, you must update it to be compatible with this change. See the Template Changes section of the documentation wiki for details.
If you are running the Chameleon Theme, you'll need to update to a version which is compatible with this change.
For a full list of changes, please see the What's New Wiki Page.
What's on the Horizon
The next version of glFusion will introduce some exciting new improvements to the way layouts are created and managed. In addition to wrapping up v1.1.4, we've been doing some work "behind the scenes" to prepare to get the community's feedback on future inclusions. We expect to roll them out soon, so please come back and visit glFusion.org often and take a moment to provide your input! Together, we can continue to grow glFusion and the glFusion community!