Announcing CMSMS 2.2.2 - Hearts Content

Project Announcements. This is read-only, as in... not for problems/bugs/feature request.
Post Reply
calguy1000
Support Guru
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Announcing CMSMS 2.2.2 - Hearts Content

Post by calguy1000 »

Hello everybody,

Continuing with our commitment to quality code, we are announcing the release of 2.2.2 "Hearts Content", a security and stability release.

This release fixes or blocks a couple of very important security issues, addresses a number of bugs that existed in the system, and generally improves stability and usability.

Some important things to note are:

1. The security issues addressed effect all previous versions of CMS Made Simple, not just the 2.x series.

2. Due to the security fixes, Smarty resource specifications with paths or wildcard characters will no longer work. This will affect a few third party modules--notably JMFilePicker. The maintainers of affected modules should be able to address this issue without too much difficulty. Additionally, any and all occurrences of {php} tags that may have been able to function in old versions of CMSMS should now fail.

3. We have once again changed the template processing order, specifically related to mact preprocessing. Now, mact-preprocessing occurs AFTER the top portion of the template, but before the body portion. This specifically addresses issues with multi-lang sites. As of now, the template processing order is:
The top portion of the page template.
mact-preprocesing (if enabled) caches a module action intended for the {content} block.
  1. The top portion of the page template.
  2. mact-preprocesing (if enabled) caches a module action intended for the {content} block.
  3. The body portion of the page template.
  4. The head portion of the page template.
4. Fixes to cms_selflink, to content pages and to various API functions such that entirely numeric page aliases are invalid. This is to prevent them from being confused with numeric page ids.
When adding or editing a page, if the resulting page alias is entirely numeric (i.e: 12345 or 123-123) then a non-numeric character ('p') will be prepended to the alias. aliases such as 123-foo are not entirely numeric and therefore are valid.

5. Upgraded MicroTiny to use TinyMce 4.6.x and added the tabfocus and hr plugins.

As usual, a complete list of the items fixed and changed are available in the changelog that is displayed during the upgrade process and included with the release.

Because this is a security release as well as a stability release we encourage everybody to upgrade their websites as soon as possible.

Again we would like to thank Daniel Le Gall from SCRT SA, Switzerland for identifying these vulnerabilities, reporting them to us in a professional manner, and working with us to ensure that they were resolved.

The CMSMS Dev Team now only officially supports CMSMS 2.2.2 and CMSMS 2.2.1. Therefore, it is to your advantage to upgrade as soon as possible.

Thank you, and have fun with CMSMS.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
User avatar
DIGI3
Dev Team Member
Dev Team Member
Posts: 1609
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: Announcing CMSMS 2.2.2 - Hearts Content

Post by DIGI3 »

Note: if you're using the legacy functionality "use https for this page" and don't have https forced in your htaccess, you will get a redirect error.

Although this is technically a bug in 2.2.x, we decided a while ago to drop mixed content support, as it's no longer needed with free/cheap ssl. It was useful a few years ago with shared certificates on shared hosting.

So, it is fixed in svn for the next minor release, but will be dropped in 2.3.

Here's what I put in my htaccess, and there's plenty of tips on Google for other methods:

Code: Select all

#force non-www and https
RewriteCond %{HTTP_HOST} ^(www\.)(.+) [OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(www\.)?(.+)
RewriteRule ^ https://%2%{REQUEST_URI} [R=301,L]
Not getting the answer you need? CMSMS support options
Post Reply

Return to “Announcements”