CMS Made Simple Forums
https://forum.cmsmadesimple.org/

Announcing CMSMS 2.2.2 - Hearts Content
https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=76886

Author:  calguy1000 [ Sat Jul 08, 2017 2:36 pm ]
Post subject:  Announcing CMSMS 2.2.2 - Hearts Content

Hello everybody,

Continuing with our commitment to quality code, we are announcing the release of 2.2.2 "Hearts Content", a security and stability release.

This release fixes or blocks a couple of very important security issues, addresses a number of bugs that existed in the system, and generally improves stability and usability.

Some important things to note are:

1. The security issues addressed affect all previous versions of CMS Made Simple, not just the 2.x series.

2. Due to the security fixes, Smarty resource specifications with paths or wildcard characters will no longer work. This will affect a few third party modules--notably JMFilePicker. The maintainers of affected modules should be able to address this issue without too much difficulty. Additionally, any and all occurrences of {php} tags that may have been able to function in old versions of CMSMS should now fail.

3. We have once again changed the template processing order, specifically related to mact preprocessing. Now, mact-preprocessing occurs AFTER the top portion of the template, but before the body portion. This specifically addresses issues with multi-lang sites. As of now, the template processing order is:
  1. The top portion of the page template.
  2. mact-preprocessing (if enabled) caches a module action intended for the {content} block.
  3. The body portion of the page template.
  4. The head portion of the page template.

4. Fixes to cms_selflink, to content pages and to various API functions such that entirely numeric page aliases are invalid. This is to prevent them from being confused with numeric page ids.
When adding or editing a page, if the resulting page alias is entirely numeric (i.e. 12345 or 123-123) then a non-numeric character ('p') will be prepended to the alias. Aliases such as 123-foo are not entirely numeric and therefore are valid.

5. Upgraded MicroTiny to use TinyMCE 4.6.x and added the tabfocus and hr plugins.

As usual, a complete list of the items fixed and changed is available in the changelog that is displayed during the upgrade process and included with the release.

Because this is a security release as well as a stability release we encourage everybody to upgrade their websites as soon as possible.

Again we would like to thank Daniel Le Gall from SCRT SA, Switzerland for identifying these vulnerabilities, reporting them to us in a professional manner, and working with us to ensure that they were resolved.

The CMSMS Dev Team now only officially supports CMSMS 2.2.2 and CMSMS 2.2.1. Therefore, it is to your advantage to upgrade as soon as possible.

Thank you, and have fun with CMSMS.

Author:  DIGI3 [ Sat Jul 08, 2017 10:31 pm ]
Post subject:  Re: Announcing CMSMS 2.2.2 - Hearts Content

Note: if you're using the legacy functionality "use https for this page" and don't have https forced in your htaccess, you will get a redirect error.

Although this is technically a bug in 2.2.x, we decided a while ago to drop mixed content support, as it's no longer needed with free/cheap ssl. It was useful a few years ago with shared certificates on shared hosting.

So, it is fixed in svn for the next minor release, but will be dropped in 2.3.

Here's what I put in my htaccess, and there are plenty of tips on Google for other methods:
Code:
#force non-www and https
RewriteCond %{HTTP_HOST} ^(www\.)(.+) [OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(www\.)?(.+)
RewriteRule ^ https://%2%{REQUEST_URI} [R=301,L]
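
The following is an added example, not part of the post above and not CMSMS code: a small Python model of the four quoted rewrite lines, showing how the [OR] flag groups the conditions and what %2 expands to. The function name and the sample hosts and paths are constructed for illustration.

```python
import re

# Model of the four .htaccess lines quoted above (added example, not the post's code).
COND_WWW = re.compile(r"^(www\.)(.+)")      # RewriteCond %{HTTP_HOST} ^(www\.)(.+) [OR]
COND_HOST = re.compile(r"^(www\.)?(.+)")    # RewriteCond %{HTTP_HOST} ^(www\.)?(.+)


def redirect_target(host, https_on, request_uri):
    """Return the Location the rule set would send, or None if no redirect.

    Conditions are ANDed unless flagged [OR], so the logic is
    (host starts with "www."  OR  HTTPS is off)  AND  host matches condition 3.
    %2 in the RewriteRule is group 2 of the last matched RewriteCond,
    i.e. the host with any leading "www." stripped.
    """
    needs_fix = bool(COND_WWW.match(host)) or not https_on
    if not needs_fix:
        return None            # already https and non-www: rule does not fire
    m = COND_HOST.match(host)
    if m is None:              # empty Host value: condition 3 fails, rule is skipped
        return None
    return "https://" + m.group(2) + request_uri


# Constructed sample requests: (Host header, HTTPS on?, REQUEST_URI path)
SAMPLES = [
    ("www.example.com", False, "/index.php"),
    ("www.example.com", True, "/"),
    ("example.com", False, "/admin/"),
    ("example.com", True, "/admin/"),
]

if __name__ == "__main__":
    for host, https_on, uri in SAMPLES:
        scheme = "https" if https_on else "http"
        print(f"{scheme}://{host}{uri} -> {redirect_target(host, https_on, uri)}")
```

Only the last sample, already on https without www, is left alone; the other three all land on the same https non-www URL in a single 301.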

All times are UTC