
CMS Made Simple 1.0.6 Released!

Posted: Tue Apr 24, 2007 5:21 pm
by Ted
Hey all,

1.0.6 is released and is a critical update.  It's explained in the blog posting.

Please, please, please take the required precautions to patch this flaw.

http://blog.cmsmadesimple.org/2007/04/2 ... -released/

Thanks, and sorry for the brevity.  Emergency releases are a bit stressful.

Re: CMS Made Simple 1.0.6 Released!

Posted: Tue Apr 24, 2007 6:30 pm
by Signex
Is it correct that there isn't an install/upgrade.php

but you only need to override all files?

Re: CMS Made Simple 1.0.6 Released!

Posted: Tue Apr 24, 2007 6:42 pm
by Ted
Correct.  If it's just the diff version, you just have to overwrite all the files with the new ones.

Re: CMS Made Simple 1.0.6 Released!

Posted: Tue Apr 24, 2007 6:44 pm
by Signex
thank you, just to be sure!

Re: CMS Made Simple 1.0.6 Released!

Posted: Tue Apr 24, 2007 10:38 pm
by moorezilla
whew... i did the upgrade from 1.05 to 1.06 using the diff version and i was concerned that it didn't seem to update the database. glad you guys were already talking about it... lol

Re: CMS Made Simple 1.0.6 Released!

Posted: Tue Apr 24, 2007 11:22 pm
by Ted
BTW, for the 0.13 users that might be out there still, I sent this to someone via email.
Search for:
$sql="SELECT c.css_text,c.css_id FROM ".$config['db_prefix']."css
c,".$config['db_prefix']."css_assoc ac WHERE ac.assoc_type='template'
AND ac.assoc_to_id = $templateid AND ac.assoc_css_id = c.css_id AND
c.media_type = '" . mysql_real_escape_string($mediatype, $db) . "'";

Change to:
$sql="SELECT c.css_text,c.css_id FROM ".$config['db_prefix']."css
c,".$config['db_prefix']."css_assoc ac WHERE ac.assoc_type='template'
AND ac.assoc_to_id = " . $db->qstr($templateid) . " AND
ac.assoc_css_id = c.css_id AND c.media_type = '" .
mysql_real_escape_string($mediatype, $db) . "'";

Then search for:

$sql="SELECT c.css_text,c.css_id FROM ".$config['db_prefix']."css
c,".$config['db_prefix']."css_assoc ac WHERE ac.assoc_type='template'
AND ac.assoc_to_id = $templateid AND ac.assoc_css_id = c.css_id AND
c.media_type = '" . pg_escape_string($mediatype) . "'";

Change to:

$sql="SELECT c.css_text,c.css_id FROM ".$config['db_prefix']."css
c,".$config['db_prefix']."css_assoc ac WHERE ac.assoc_type='template'
AND ac.assoc_to_id = " . $db->qstr($templateid) . " AND
ac.assoc_css_id = c.css_id AND c.media_type = '" .
pg_escape_string($mediatype) . "'";

Both of these changes are in stylesheet.php
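
An added illustration of the change in the post above, not code from CMSMS or from the poster: the same query shape built with the template id unquoted, quoted, and bound, run against an in-memory SQLite database through PDO. PDO::quote stands in for ADOdb's $db->qstr, and the rows, function names and input values are constructed for the example.

```php
<?php
// Added illustration, not CMSMS code. Table and column names follow the query
// in the post; the rows, function names and input values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE css (css_id INTEGER, css_text TEXT, media_type TEXT)");
$pdo->exec("CREATE TABLE css_assoc (assoc_type TEXT, assoc_to_id INTEGER, assoc_css_id INTEGER)");
$pdo->exec("INSERT INTO css VALUES (1, 'body{}', 'screen'), (2, 'h1{}', 'screen')");
$pdo->exec("INSERT INTO css_assoc VALUES ('template', 10, 1), ('template', 20, 2)");

const BASE = "SELECT c.css_id FROM css c, css_assoc ac WHERE ac.assoc_type='template'";

// "Search for" shape: $templateid sits outside any quotes, so it is parsed as SQL.
function css_unquoted(PDO $pdo, $templateid, $mediatype) {
    $sql = BASE . " AND ac.assoc_to_id = $templateid AND ac.assoc_css_id = c.css_id"
         . " AND c.media_type = " . $pdo->quote($mediatype);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "Change to" shape: the value is escaped and wrapped in quotes (PDO::quote here,
// standing in for ADOdb's $db->qstr), so it can only ever be one string literal.
function css_quoted(PDO $pdo, $templateid, $mediatype) {
    $sql = BASE . " AND ac.assoc_to_id = " . $pdo->quote($templateid)
         . " AND ac.assoc_css_id = c.css_id AND c.media_type = " . $pdo->quote($mediatype);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Stricter variant: require an integer, then bind both values as parameters.
function css_bound(PDO $pdo, $templateid, $mediatype) {
    $id = filter_var($templateid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                      // non-integer template id: no query is run
    }
    $st = $pdo->prepare(BASE . " AND ac.assoc_to_id = ? AND ac.assoc_css_id = c.css_id"
                      . " AND c.media_type = ?");
    $st->execute([$id, $mediatype]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal template id, and a value that is not a plain integer.
foreach (['10', '10 OR 1=1'] as $templateid) {
    foreach (['css_unquoted', 'css_quoted', 'css_bound'] as $fn) {
        $ids = array_unique($fn($pdo, $templateid, 'screen'));
        sort($ids);
        printf("%-12s templateid=%-10s css_ids=[%s]\n", $fn, "'$templateid'", implode(',', $ids));
    }
}
```

Run it with the PHP CLI and the pdo_sqlite extension; only the unquoted variant lets the second input change which rows the WHERE clause selects.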

Re: CMS Made Simple 1.0.6 Released!

Posted: Wed Apr 25, 2007 3:32 am
by ozbob
Thanks Ted.  New user, great CMS, thanks for making it available.  Upgraded to 1.0.6.

Regards
Ozbob

Re: CMS Made Simple 1.0.6 Released!

Posted: Wed Apr 25, 2007 10:55 am
by cyberman
Ted wrote: BTW, for the 0.13 users that might be out there still,
If I'm comparing current stylesheet.php and CMSms 0.13 stylesheet.php I see that current version is more adodb specific (yes, I'm trying to learn :)).

Do you have an overview how much current default CMSms is adodb specified (maybe in percent)?

Background of my question is following:

If I have a full adodbized cmsms I can use all adodb supported databases ... if that's not the goal we should use PDO with version 2.0 instead cause adodb eats too much resources (only for supporting postgres, mysql and sqlite). In German we say - it's like shooting at sparrows with a cannon.

PDO comes with every default php5.2 install. And step to version 2.0 is too big - we need a migrating script for 1.0.x content, whether we use adodb or pdo.

Re: CMS Made Simple 1.0.6 Released!

Posted: Thu Apr 26, 2007 5:08 pm
by Ted
CMSMS is pretty much 100% adodb.  Stylesheet.php had some non-adodb stuff that was submitted as a patch, but that's pretty much the only thing... and honestly was the part that had the security hole fixed in 1.0.6.

Anyways, convinced about PDO being the right way to go, I went off and did some research.  This research was then backed up by a little test suite that ThomasM from irc quickly created.

The difference isn't enough to justify the change.  It's a matter of where the memory hit happens.  In the case of adodb, you get a 350k memory hit up front by loading the library.  PDO doesn't take that hit... but instead uses more memory in a result set instead.  Basically, in our tests of larger datasets, the memory and speed differences were negligible.

Normally, I would say, great let's do it anyway...  except for 2 issues...

1. 2.0 is seriously behind schedule already and rewriting every database call would be a killer.
2. At least at this point, most modules will work with little to no changes.  Making this change globally would basically invalidate every bit of module code out there.

If the memory usage was seriously lower, then I would have gone ahead with it.  But I just can't justify it at this point.  CMSMS 2.0 is sitting at about 4.1-4.2 megs per page view with no modules.  With default modules, it's in the upper 5's.  I think this is going to be as good as it gets without seriously crippling the software, which I won't do.   The 8M limit is archaic anyway.

As for the upgrade, yes, it will be a separate script.  It'll just be too big of a procedure to justify distributing it with all new installs.

Re: CMS Made Simple 1.0.6 Released!

Posted: Fri Apr 27, 2007 4:38 am
by cyberman
Hi Ted,

thank you much for this detailed posting. Thanks too to ThomasM from irc  :).
Ted wrote: CMSMS is pretty much 100% adodb.
As I've said I'm trying to learn php and understand the database layer system.

If I read at adodb website I found that I can access all supported databases. I have only to change the type of database.

But now comes the big question for me - if it's so easy why does CMSms not support all adodb supported databases?

Re: [CMS Made Simple 1.0.6 Released!] LOST CONTACT

Posted: Sun Apr 29, 2007 9:32 am
by klankschap
Signex wrote: Is it correct that there isn't an install/upgrade.php

but you only need to override all files?
well i lost contact with my site after overwriting the files.
no matter if i try to get index.php or admin/index.php, i get the same (random?) page...
so anyone a hint as how to proceed?

thanks!
Floris

Re: CMS Made Simple 1.0.6 Released!

Posted: Sun Apr 29, 2007 1:21 pm
by Dee
klankschap wrote: well i lost contact with my site after overwriting the files.
no matter if i try to get index.php or admin/index.php, i get the same (random?) page...
so anyone a hint as how to proceed?

thanks!
Floris
Make sure all files got properly overwritten, check the webserver logs for PHP errors and start a new topic in the Installation Help forum, providing more information.

Regards,
D

Re: CMS Made Simple 1.0.6 Released!

Posted: Tue May 01, 2007 10:11 pm
by loukote
Hi.

Upgraded from 1.0.5 > 1.0.6 using the diff files. Site looks ok BUT without the menu in the front-end. In the admin interface the menu module is not visible (only templates, stylesheets and theme manager under layout; see attachment 1). When I click on extensions>modules and mouse-over the layout, the menu manager link is visible. Clicking on it opens a page with an error (see attachment 2).

Ondra

[deleted by administrator]

Re: CMS Made Simple 1.0.6 Released!

Posted: Wed May 02, 2007 7:36 pm
by Hare
Any ideas how to fix 1.02 stylesheet.php? I just tried to replace the file with the 1.06 file, but it breaks the front-end (no CSS). I can't upgrade the whole site since 1.04 and 1.05 had serious permissions issues with my host. I would just like to fix the SQL hole and that's it. For other sites and future ones I'll use 1.06 but I'd like to fix this single 1.02 installation. Any ideas? Thanks.

Re: CMS Made Simple 1.0.6 Released!

Posted: Wed May 02, 2007 8:21 pm
by loukote
kotecky wrote: Hi.

Upgraded from 1.0.5 > 1.0.6 using the diff files. Site looks ok BUT without the menu in the front-end. In the admin interface the menu module is not visible (only templates, stylesheets and theme manager under layout; see attachment 1). When I click on extensions>modules and mouse-over the layout, the menu manager link is visible. Clicking on it opens a page with an error (see attachment 2).

Ondra
This post is the solution to the problem: http://forum.cmsmadesimple.org/index.php/topic,11727.0.html