Prepare 1.4.3 RC2 release (#1109)

* Update and rename changelog.txt to changelog.md

* no upgrade DB 45 -> DB 46 necessary

* change release date

* Amended upgrade conditions to prevent continuous loop

Hopefully, the comments will help in structuring future updates to the
core.

* update version to 1.4.3 RC2

build = 102

* Update icms_version.php

* Update README.md

* Update changelog.md

* Update changelog.md

Co-authored-by: steve <skenow@impresscms.org>

README.md

@@ -1,6 +1,6 @@
 [![license](https://img.shields.io/badge/license-GPLv2-brightgreen.svg)](https://raw.githubusercontent.com/ImpressCMS/impresscms/branches/impresscms_1.4/docs/license.txt) [![GitHub release](https://img.shields.io/github/release/ImpressCMS/impresscms.svg?maxAge=86400&logo=github&logoColor=white&label=latest%20release)](github.com/ImpressCMS/impresscms/releases/latest) [![GitHub tag (latest SemVer pre-release)](https://img.shields.io/packagist/vpre/impresscms/impresscms.svg?label=preview&logo=github)](https://github.com/ImpressCMS/impresscms/releases) [![GitHub issues](https://img.shields.io/github/issues-raw/ImpressCMS/impresscms.svg?maxAge=3600&logo=github&logoColor=white)](https://github.com/ImpressCMS/impresscms/issues) [![Build Status](https://img.shields.io/travis/ImpressCMS/impresscms.svg?branch=branches/impresscms_1.4&maxAge=3600&logo=travis)](https://travis-ci.org/ImpressCMS/impresscms) [![Test Coverage](https://api.codeclimate.com/v1/badges/b27536db6688e64deef8/test_coverage)](https://codeclimate.com/github/ImpressCMS/impresscms/test_coverage) [![Maintainability](https://api.codeclimate.com/v1/badges/b27536db6688e64deef8/maintainability)](https://codeclimate.com/github/ImpressCMS/impresscms/maintainability) [![Website](https://img.shields.io/website-up-down-green-red/https/naereen.github.io.svg?maxAge=3600)](https://impresscms.org/) [![Twitter Follow](https://img.shields.io/twitter/follow/ImpressCMS.svg?color=%2338A1F3&label=twitter&style=flat&logo=twitter)](https://twitter.com/ImpressCMS) [![FaceBook](https://img.shields.io/badge/facebook-%3F%3F%3F-%233C5A99.svg?logo=facebook)](https://www.facebook.com/ImpressCMS/) [![Slack](http://invite.impresscms.org/badge.svg)](http://invite.impresscms.org)
 
-# ImpressCMS 1.4.3 RC
+# ImpressCMS 1.4.3 RC 2
 
 ImpressCMS is a community developed Content Management System. With this tool maintaining the content of a website becomes as easy as writing a word document. ImpressCMS is the ideal tool for a wide range of users: from business to community users, from large enterprises to people who want a simple, easy to use blogging tool. ImpressCMS is a powerful system that gets outstanding results and it is free!
 

docs/changelog.txt → docs/changelog.md

@@ -1,5 +1,41 @@
 # ImpressCMS ChangeLog
 
+## ImpressCMS 1.4.3 RC2
+* Date : 12 Jan 2022
+* DB Version: 46
+* Build Version : 102
+
+This release contains mainly fixes for several security vulnerabilities that where found during HackerOne security Checks. 
+
+## What's Changed
+* Fixed some warnings and notices in installer for newer PHP versions by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/882
+* Protector get_magic_quotes_gpc fix for php 7.4 by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/884
+* Smiles in misc.php now are escaped by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/890
+* Fix "#881 trying to send mails with SMTP auth gives missing smtp class" by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/889
+* Added exception handler by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/888
+* Fixed bug when handlers from module separate files cant be loaded by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/887
+* Fixes 'Notice: Only variables should be passed by reference in /home/vagrant/impresscms/htdocs/libraries/icms/config/Handler.php on line 237' by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/886
+* Fixed bug when admin menu can't regenerate when module folder is removed before uninstalling by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/897
+* Fixed syntax error in include/registerform.php by @MekDrop in https://github.com/ImpressCMS/impresscms/pull/896
+* fix vulnerability in autoloader by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/913
+* block path traversal in image editor, transform .. to _ by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/915
+* Fixes/ipf table filtering - limitsel missing POST value by @skenow in https://github.com/ImpressCMS/impresscms/pull/937
+* Adjusted template file inclusion for correct path. Fixes #603 by @skenow in https://github.com/ImpressCMS/impresscms/pull/944
+* Increase input sanitizing for system module and submodules by @skenow in https://github.com/ImpressCMS/impresscms/pull/943
+* Dev/jquery inclusion by @skenow in https://github.com/ImpressCMS/impresscms/pull/935
+* Fix for modules admin; user language files - fix #948 by @skenow in https://github.com/ImpressCMS/impresscms/pull/949
+* Update release_notes.md by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/1058
+* Added filtering to the input in setSortOrder in icms_ipf_table by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/966
+* filter url variable in findusers.php by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/967
+* Remove the old FCKEditor - no longer supported by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/833
+* add CKEditor 4.17.1 by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/1095
+* Protector updates - PHP8 compatibility, update and remove legacy code by @skenow in https://github.com/ImpressCMS/impresscms/pull/1098
+* Preparations for the 1.4.3 RC release by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/1099
+* Add a default parameter to addSlashes by @fiammybe in https://github.com/ImpressCMS/impresscms/pull/1108
+
+
+**Full Changelog**: https://github.com/ImpressCMS/impresscms/compare/v1.4.2...v1.4.3
+
 ## ImpressCMS 1.4.2
 Date: 24 Dec 2020
 DB Version: 45

htdocs/include/version.php

@@ -10,7 +10,7 @@
  * @version		$Id: version.php 12500 2015-06-15 20:03:56Z fiammy $
  */
 
-define('ICMS_VERSION_NAME', 'ImpressCMS 1.4.3 RC');
+define('ICMS_VERSION_NAME', 'ImpressCMS 1.4.3 RC2');
 
 // For backward compatibility with XOOPS
 define('XOOPS_VERSION', ICMS_VERSION_NAME);
@@ -32,7 +32,7 @@
  */
 // impresscms_1.3.10 = 82, 2.0.0 alpha 4 = 73, 1.4,1 beta : 94, 1.4.1 RC = 98
 
-define('ICMS_VERSION_BUILD', 101);
+define('ICMS_VERSION_BUILD', 102);
 
 /**
  * Latest dbversion of the System Module

htdocs/modules/system/icms_version.php

@@ -46,7 +46,7 @@
  */
 $modversion = array (
 		'name' => _MI_SYSTEM_NAME,
-		'version' => '1.4.3 RC',
+		'version' => '1.4.3 RC2',
 		'description' => _MI_SYSTEM_DESC,
 		'author' => "fiammybe",
 		'credits' => "The ImpressCMS Project",
@@ -66,7 +66,7 @@
 /**  Development information */
 	'status_version' => "RC",
 		'status' => "RC",
-		'date' => "04 Dec 2021",
+		'date' => "12 Jan 2022",
 		'author_word' => "",
 		'warning' => _CO_ICMS_WARNING_RC,
 

htdocs/modules/system/include/update-13.php

@@ -7,27 +7,29 @@
  * @package		core
  * @since		1.0
  * @author		malanciault <marcan@impresscms.org)
+ */
 
-/*  Begin upgrade to version 1.3 */
+/* check for previous release's upgrades - dbversion < this release's version */
+if ($dbVersion < 40) include 'update-112-to-122.php';
+
+/* Begin upgrade to version 1.3 */
 if (!$abortUpdate) $newDbVersion = 41;
 
 if ($dbVersion < $newDbVersion) {
 	/* Add new tables and data for the help suggestions and quick search */
 	$table = new icms_db_legacy_updater_Table('autosearch_cat');
 	if (!$table->exists()) {
-		$table->setStructure(
-			"`cid` int(11) NOT NULL auto_increment,
+		$table->setStructure("`cid` int(11) NOT NULL auto_increment,
 				 `cat_name` varchar(255) NOT NULL,
 				 `cat_url` text NOT NULL,
-				 PRIMARY KEY (`cid`)"
-		);
+				 PRIMARY KEY (`cid`)");
 		if (!$table->createTable()) {
 			$abortUpdate = TRUE;
 			$newDbVersion = 40;
 		}
 		if (!$abortUpdate) {
 			icms_loadLanguageFile('system', 'admin');
-			$search_cats = array(
+			$search_cats = array (
 				"NULL, '" . _MD_AM_ADSENSES . "', '/modules/system/admin.php?fct=adsense'",
 				"NULL, '" . _MD_AM_AUTOTASKS . "', '/modules/system/admin.php?fct=autotasks'",
 				"NULL, '" . _MD_AM_AVATARS . "', '/modules/system/admin.php?fct=avatars'",
@@ -49,7 +51,8 @@
 				"NULL, '" . _MD_AM_PAGES . "', '/modules/system/admin.php?fct=pages'",
 				"NULL, '" . _MD_AM_TPLSETS . "', '/modules/system/admin.php?fct=tplsets'",
 				"NULL, '" . _MD_AM_RANK . "', '/modules/system/admin.php?fct=userrank'",
-				"NULL, '" . _MD_AM_VERSION . "', '/modules/system/admin.php?fct=version'");
+				"NULL, '" . _MD_AM_VERSION . "', '/modules/system/admin.php?fct=version'"
+			);
 			foreach ($search_cats as $cat) {
 				$table->setData($cat);
 			}
@@ -60,23 +63,21 @@
 
 	$table = new icms_db_legacy_updater_Table('autosearch_list');
 	if (!$table->exists() && !$abortUpdate) {
-		$table->setStructure(
-			"`id` int(11) NOT NULL auto_increment,
+		$table->setStructure("`id` int(11) NOT NULL auto_increment,
 				 `cat_id` int(11) NOT NULL,
 				 `name` varchar(255) NOT NULL,
 				 `img` varchar(255) NOT NULL,
 				 `desc` text NOT NULL,
 				 `url` text NOT NULL,
-				 PRIMARY KEY (`id`)"
-		);
+				 PRIMARY KEY (`id`)");
 		if (!$table->createTable()) {
 			$abortUpdate = TRUE;
 			$newDbVersion = 40;
 		}
 		if (!$abortUpdate) {
 			icms_loadLanguageFile('system', 'admin');
 			icms_loadLanguageFile('system', 'preferences', TRUE);
-			$search_items = array(
+			$search_items = array (
 				"NULL, 1, '" . _MD_AM_ADSENSES . "', '/modules/system/admin/adsense/images/adsense_small.png', '" . _MD_AM_ADSENSES_DSC . "', '/modules/system/admin.php?fct=adsense'",
 				"NULL, 2, '" . _MD_AM_AUTOTASKS . "', '/modules/system/admin/autotasks/images/autotasks_small.png', '" . _MD_AM_AUTOTASKS_DSC . "', '/modules/system/admin.php?fct=autotasks'",
 				"NULL, 3, '" . _MD_AM_AVATARS . "', '/modules/system/admin/avatars/images/avatars_small.png', '" . _MD_AM_AVATARS_DSC . "', '/modules/system/admin.php?fct=avatars'",
@@ -217,7 +218,9 @@
 	unset($table);
 
 	/* reset default source editor if jsvi is used */
-	$configs = icms::$config->getConfigs(icms_buildCriteria(array("conf_name" => "sourceeditor_default")));
+	$configs = icms::$config->getConfigs(icms_buildCriteria(array (
+		"conf_name" => "sourceeditor_default"
+	)));
 	if (count($configs) == 1 && $configs[0]->getVar("conf_value") == "jsvi") {
 		$configs[0]->setVar("conf_value", "editarea");
 		icms::$config->insertConfig($configs[0]);
@@ -227,24 +230,30 @@
 	$table = new icms_db_legacy_updater_Table("config");
 
 	// retrieve the value of the position before the config to be inserted.
-	$configs = icms::$config->getConfigs(icms_buildCriteria(array("conf_name" => "purifier_HTML_AttrNameUseCDATA")));
+	$configs = icms::$config->getConfigs(icms_buildCriteria(array (
+		"conf_name" => "purifier_HTML_AttrNameUseCDATA"
+	)));
 	$p = $configs[0]->getVar('conf_order') + 1;
-	//move all the other options down
+	// move all the other options down
 	$icmsDatabaseUpdater->runQuery($sql = "UPDATE `" . $table->name() . "` SET conf_order = conf_order + 2 WHERE conf_order >= " . $p . " AND conf_catid = " . ICMS_CONF_PURIFIER, sprintf(_DATABASEUPDATER_MSG_QUERY_SUCCESSFUL, $sql), sprintf(_DATABASEUPDATER_MSG_QUERY_FAILED, $sql));
 	$icmsDatabaseUpdater->insertConfig(ICMS_CONF_PURIFIER, 'purifier_HTML_FlashAllowFullScreen', '_MD_AM_PURIFIER_HTML_FLASHFULLSCRN', '0', '_MD_AM_PURIFIER_HTML_FLASHFULLSCRNDSC', 'yesno', 'int', $p);
-	$icmsDatabaseUpdater->insertConfig(ICMS_CONF_PURIFIER, 'purifier_Output_FlashCompat', '_MD_AM_PURIFIER_OUTPUT_FLASHCOMPAT', '0', '_MD_AM_PURIFIER_OUTPUT_FLASHCOMPATDSC', 'yesno', 'int', $p++);
+	$icmsDatabaseUpdater->insertConfig(ICMS_CONF_PURIFIER, 'purifier_Output_FlashCompat', '_MD_AM_PURIFIER_OUTPUT_FLASHCOMPAT', '0', '_MD_AM_PURIFIER_OUTPUT_FLASHCOMPATDSC', 'yesno', 'int', $p++ );
 
 	// retrieve the value of the position before the config to be inserted.
-	$configs = icms::$config->getConfigs(icms_buildCriteria(array("conf_name" => "purifier_Filter_YouTube")));
+	$configs = icms::$config->getConfigs(icms_buildCriteria(array (
+		"conf_name" => "purifier_Filter_YouTube"
+	)));
 	$p = $configs[0]->getVar('conf_order') + 1;
-	//move all the other options down
+	// move all the other options down
 	$icmsDatabaseUpdater->runQuery($sql = "UPDATE `" . $table->name() . "` SET conf_order = conf_order + 1 WHERE conf_order >= " . $p . " AND conf_catid = " . ICMS_CONF_PURIFIER, sprintf(_DATABASEUPDATER_MSG_QUERY_SUCCESSFUL, $sql), sprintf(_DATABASEUPDATER_MSG_QUERY_FAILED, $sql));
 	$icmsDatabaseUpdater->insertConfig(ICMS_CONF_PURIFIER, 'purifier_Filter_AllowCustom', '_MD_AM_PURIFIER_FILTER_ALLOWCUSTOM', '0', '_MD_AM_PURIFIER_FILTER_ALLOWCUSTOMDSC', 'yesno', 'int', $p);
 
 	// retrieve the value of the position before the config to be inserted.
-	$configs = icms::$config->getConfigs(icms_buildCriteria(array("conf_name" => "purifier_Core_RemoveInvalidImg")));
+	$configs = icms::$config->getConfigs(icms_buildCriteria(array (
+		"conf_name" => "purifier_Core_RemoveInvalidImg"
+	)));
 	$p = $configs[0]->getVar('conf_order') + 1;
-	//move all the other options down
+	// move all the other options down
 	$icmsDatabaseUpdater->runQuery($sql = "UPDATE `" . $table->name() . "` SET conf_order = conf_order + 1 WHERE conf_order >= " . $p . " AND conf_catid = " . ICMS_CONF_PURIFIER, sprintf(_DATABASEUPDATER_MSG_QUERY_SUCCESSFUL, $sql), sprintf(_DATABASEUPDATER_MSG_QUERY_FAILED, $sql));
 	$icmsDatabaseUpdater->insertConfig(ICMS_CONF_PURIFIER, 'purifier_Core_NormalizeNewlines', '_MD_AM_PURIFIER_CORE_NORMALNEWLINES', '1', '_MD_AM_PURIFIER_CORE_NORMALNEWLINESDSC', 'yesno', 'int', $p);
 
@@ -256,42 +265,51 @@
 		echo sprintf(_DATABASEUPDATER_UPDATE_OK, icms_conv_nr2local($newDbVersion)) . '<br />';
 	}
 }
-/*  1.3 beta|rc|final release  */
+/* 1.3 beta|rc|final release */
 
 if (!$abortUpdate) $newDbVersion = 42;
 /* 1.3.2 release - HTML Purifier 4.4.0 update */
 
 if ($dbVersion < $newDbVersion) {
-	/* New HTML Purifier options -
-     * purifier_URI_SafeIframeRegexp. after purifier_URI_AllowedSchemes
-    * purifier_HTML_SafeIframe, after purifier_HTML_SafeObject
-    */
+	/*
+	 * New HTML Purifier options -
+	 * purifier_URI_SafeIframeRegexp. after purifier_URI_AllowedSchemes
+	 * purifier_HTML_SafeIframe, after purifier_HTML_SafeObject
+	 */
 	$table = new icms_db_legacy_updater_Table("config");
 
 	// retrieve the value of the position before the config to be inserted.
-	$configs = icms::$config->getConfigs(icms_buildCriteria(array("conf_name" => "purifier_URI_AllowedSchemes")));
+	$configs = icms::$config->getConfigs(icms_buildCriteria(array (
+		"conf_name" => "purifier_URI_AllowedSchemes"
+	)));
 	$p = $configs[0]->getVar('conf_order') + 1;
 
-	//move all the other options down
+	// move all the other options down
 	$icmsDatabaseUpdater->runQuery($sql = "UPDATE `" . $table->name() . "` SET conf_order = conf_order + 2 WHERE conf_order >= " . $p . " AND conf_catid = " . ICMS_CONF_PURIFIER, sprintf(_DATABASEUPDATER_MSG_QUERY_SUCCESSFUL, $sql), sprintf(_DATABASEUPDATER_MSG_QUERY_FAILED, $sql));
 	$icmsDatabaseUpdater->insertConfig(ICMS_CONF_PURIFIER, 'purifier_URI_SafeIframeRegexp', '_MD_AM_PURIFIER_URI_SAFEIFRAMEREGEXP', 'http://www.youtube.com/|http://player.vimeo.com/video/|http://blip.tv/play/', '_MD_AM_PURIFIER_URI_SAFEIFRAMEREGEXPDSC', 'textsarea', 'text', $p);
 
 	// retrieve the value of the position before the config to be inserted.
-	$configs = icms::$config->getConfigs(icms_buildCriteria(array("conf_name" => "purifier_HTML_SafeObject")));
+	$configs = icms::$config->getConfigs(icms_buildCriteria(array (
+		"conf_name" => "purifier_HTML_SafeObject"
+	)));
 	$p = $configs[0]->getVar('conf_order') + 1;
-	//move all the other options down
+	// move all the other options down
 	$icmsDatabaseUpdater->runQuery($sql = "UPDATE `" . $table->name() . "` SET conf_order = conf_order + 2 WHERE conf_order >= " . $p . " AND conf_catid = " . ICMS_CONF_PURIFIER, sprintf(_DATABASEUPDATER_MSG_QUERY_SUCCESSFUL, $sql), sprintf(_DATABASEUPDATER_MSG_QUERY_FAILED, $sql));
 	$icmsDatabaseUpdater->insertConfig(ICMS_CONF_PURIFIER, 'purifier_HTML_SafeIframe', '_MD_AM_PURIFIER_HTML_SAFEIFRAME', 0, '_MD_AM_PURIFIER_HTML_SAFEIFRAMEDSC', 'yesno', 'int', $p);
 
 	// append iframe info to allowed elements and allowed attributes
 	// need to unserialize the array, append the values, then serialize it again
-	$allowElements = icms::$config->getConfigs(icms_buildCriteria(array("conf_name" => "purifier_HTML_AllowedElements")));
+	$allowElements = icms::$config->getConfigs(icms_buildCriteria(array (
+		"conf_name" => "purifier_HTML_AllowedElements"
+	)));
 	$eleValue = $allowElements[0]->getConfValueForOutput();
 	array_push($eleValue, 'iframe');
 	$newElements = addslashes(serialize($eleValue));
 	$icmsDatabaseUpdater->runQuery($sql = "UPDATE `" . $table->name() . "` SET conf_value ='" . $newElements . "' WHERE conf_name = 'purifier_HTML_AllowedElements'", sprintf(_DATABASEUPDATER_MSG_QUERY_SUCCESSFUL, $sql), sprintf(_DATABASEUPDATER_MSG_QUERY_FAILED, $sql));
 
-	$allowAttributes = icms::$config->getConfigs(icms_buildCriteria(array("conf_name" => "purifier_HTML_AllowedAttributes")));
+	$allowAttributes = icms::$config->getConfigs(icms_buildCriteria(array (
+		"conf_name" => "purifier_HTML_AllowedAttributes"
+	)));
 	$attrValue = $allowAttributes[0]->getConfValueForOutput();
 	array_push($attrValue, 'iframe.src', 'iframe.width', 'iframe.height');
 	$newAttributes = addslashes(serialize($attrValue));
@@ -355,7 +373,7 @@
 }
 
 if (!$abortUpdate) $newDbVersion = 44;
-/* 1.3.11 release - change in module version storage type (smallint -> varchar)*/
+/* 1.3.11 release - change in module version storage type (smallint -> varchar) */
 
 if ($dbVersion < $newDbVersion) {