Releases: ImpressCMS/impresscms

v1.4.3-rc

05 Dec 06:50
d84c124
Pre-release

What's Changed

  • Fixed some warnings and notices in installer for newer PHP versions by @MekDrop in #882
  • Protector get_magic_quotes_gpc fix for php 7.4 by @MekDrop in #884
  • Smiles in misc.php now are escaped by @MekDrop in #890
  • Fix "#881 trying to send mails with SMTP auth gives missing smtp class" by @MekDrop in #889
  • Added exception handler by @MekDrop in #888
  • Fixed bug when handlers from module separate files can't be loaded by @MekDrop in #887
  • Fixes 'Notice: Only variables should be passed by reference in /home/vagrant/impresscms/htdocs/libraries/icms/config/Handler.php on line 237' by @MekDrop in #886
  • Fixed bug when admin menu can't regenerate when module folder is removed before uninstalling by @MekDrop in #897
  • Fixed syntax error in include/registerform.php by @MekDrop in #896
  • fix vulnerability in autoloader by @fiammybe in #913
  • block path traversal in image editor, transform .. to _ by @fiammybe in #915
  • Fixes/ipf table filtering - limitsel missing POST value by @skenow in #937
  • Adjusted template file inclusion for correct path. Fixes #603 by @skenow in #944
  • Increase input sanitizing for system module and submodules by @skenow in #943
  • Dev/jquery inclusion by @skenow in #935
  • Fix for modules admin; user language files - fix #948 by @skenow in #949
  • Update release_notes.md by @fiammybe in #1058
  • Added filtering to the input in setSortOrder in icms_ipf_table by @fiammybe in #966
  • filter url variable in findusers.php by @fiammybe in #967
  • Remove the old FCKEditor - no longer supported by @fiammybe in #833
  • add CKEditor 4.17.1 by @fiammybe in #1095
  • Protector updates - PHP8 compatibility, update and remove legacy code by @skenow in #1098
  • Preparations for the 1.4.3 RC release by @fiammybe in #1099

Full Changelog: v1.4.2...v1.4.3-rc

Download ImpressCMS

v2.0.0 alpha 11 🌈

16 Oct 14:36
178b665
Pre-release

What's Changed

🚀 Features

  • Added ImpressCMS/codemirror-integration to default installation & fixed installer bug for installing from there @MekDrop (#1051)
  • Added asset-packagist repo to composer for installing frontend assets as composer packages (if there is a need) @MekDrop (#1019)
  • Added phpseclib/bcmath_compat to make it possible to install without bcmath extension @MekDrop (#1000)
  • Remove all editors from core @MekDrop (#800)
  • PARTIAL use editor contracts from imponeer to make editors pluggable @MekDrop (#1007)
  • Do not show module version for unreleased modules in modules admin @MekDrop (#1012)
  • Available modules list function now uses module describers @MekDrop (#1011)
  • Added possibility for module to copy assets from vendor/ @MekDrop (#1005)
  • Use criteria lib from Imponeer @MekDrop (#927)
  • Using Composer 2.x API for internal operations @MekDrop (#796)
  • Most of Smarty plugins now implemented as composer libraries from @imponeer + xoops_link smarty function removed @MekDrop (#919)
  • add install instructions to readme for 2.0 @fiammybe (#917)
  • Added smarty 'trans' block and 'trans' variable modifier for translations @MekDrop (#874)
  • Added ping to extend sessions automatically @MekDrop (#869)
  • Fix/Improvement for cases when a theme was selected but then removed @MekDrop (#855)
  • Removed reflex theme from core @MekDrop (#854)
  • Site closed view functionality as dynamic SiteClosedMiddleware @MekDrop (#725)
  • Code about multi_login moved from common.php into separate HTTP Middleware @MekDrop (#724)
  • Session moved from container to middleware + theme changing now from HTTP middleware @MekDrop (#723)
  • Added possibility to describe themes (also support for composer themes!) @MekDrop (#770)
  • Added possibility to load modules definitions from different type of info files (like icms_version.php or composer.json) @MekDrop (#768)
  • Smarty plugins can now be defined as services in container @MekDrop (#752)
  • System waiting block can now be expanded with services defined in container @MekDrop (#750)
  • Upgraded middlewares/referrer-spam to 2.0.2 for PHP 8.0 and Composer 2.0 support @MekDrop (#826)
  • Replace "ICMS_URL . '/modules/' -> ICMS_MODULES_URL . '/'" and "ICMS_ROOT_PATH . '/modules/' -> ICMS_MODULES_PATH . '/'" @MekDrop (#749)
  • Using properties instead of setVar when setting database object properties everywhere where is possible @MekDrop (#745)
  • Added new translator service @MekDrop (#801)
  • Use league/mime-type-detection for dealing with mimetype detection & deprecated icms_Utils @MekDrop (#738)
  • Using object property instead of getVar everywhere where is possible @MekDrop (#744)
  • Fixed #733: Rename using the proper naming convention (This is a public var) @MekDrop (#736)
  • Removed some old openid related code + migration to update openid related fields @MekDrop (#747)
  • Added Roave Security Advisories to composer [dev] @MekDrop (#742)
  • Encrypt cookies automatically with middleware if such preference is set @MekDrop (#740)
  • Timers visible as Server-Timing header (using HTTP Middleware) @MekDrop (#727)
  • Messengers fields from user settings were removed @MekDrop (#746)
  • Fixed 'Rename using the proper naming convention (this is a public var)' for #731 @MekDrop (#737)
  • Removed old style redirect @MekDrop (#726)
  • Using FireWall middleware for bad ips checking instead of Security class @MekDrop (#720)
  • Replaced DB_SALT env variable with APP_KEY @MekDrop (#739)
  • Removes textsanitizer plugins and default DHTMLEditor @MekDrop (#735)
  • Removed checkSuperGlobals from Security class @MekDrop (#721)
  • Checks referers with HTTP middleware instead of security class @MekDrop (#719)
  • Upgraded phpunit to 9.4 and test to make sure PHP 8.0 compatible @MekDrop (#802)
  • Changed way how paths in subfolder would be handled @MekDrop (#797)

🐛 Bug Fixes

  • Added ImpressCMS/codemirror-integration to default installation & fixed installer bug for installing from there @MekDrop (#1051)
  • Fixes few installer errors @MekDrop (#1020)
  • Fixed template file source resolving for tplsets @MekDrop (#1018)
  • Use editor contracts (second part) @MekDrop (#1017)
  • Fixed wrong constant for updating module config data @MekDrop (#1016)
  • Fixes bug with constants translations for console @MekDrop (#1015)
  • Fixed bug when module model couldn't load unreleased module info @MekDrop (#1014)
  • If database was already initialized, do not go back in installer without message @MekDrop (#1009)
  • Better non installed icms detection @MekDrop (#1008)
  • Added phpseclib/bcmath_compat to make it possible to install without bcmath extension @MekDrop (#1000)
  • Remove all editors from core @MekDrop (#800)
  • Available modules list function now uses module describers @MekDrop (#1011)
  • Fixed bug when composer.json module describer failed with unreleased modules due release date @MekDrop (#1010)
  • Fixed bug when there are no editors of type @MekDrop (#1006)
  • Fixed a bug for templates during installation @MekDrop (#1003)
  • Fix bug with mindplay/composer-locator old version @MekDrop (#1001)
  • Fixed few security issues with packages @MekDrop (#974)
  • Fixed tuupola/server-timing-middleware requirements @MekDrop (#975)
  • CacheClearSetup steps moved to same namespace/path as other steps @MekDrop (#892)
  • Smiles in misc.php now are escaped @MekDrop (#891)
  • Fixed bug when was not possible to automatically resolve correct Route Strategy service due missing escape character in beginning @MekDrop (#870)
  • Fix/Improvement for cases when a theme was selected but then removed @MekDrop (#855)
  • Fixed includeq not working in smarty anymore bug @MekDrop (#849)
  • Fixed null response bug for root path installations @MekDrop (#844)
  • Fixed bug with too long cookie names for Table component @MekDrop (#842)
  • Upgraded middlewares/referrer-spam to 2.0.2 for PHP 8.0 and Composer 2.0 support @MekDrop (#826)
  • Fixed #733: Rename using the proper naming convention (This is a public var) @MekDrop (#736)
  • Remove whitesource config @MekDrop (#837)
  • Removed some old openid related code + migration to update openid related fields @MekDrop (#747)
  • Messengers fields from user settings were removed @MekDrop (#746)
  • Fixed 'Rename using the proper naming convention (this is a public var)' for #731 @MekDrop (#737)
  • Fixed short if bug for newer PHP in BlockHandler @MekDrop (#798)
  • Prevents using submitted filenames with ../ for modelcontroller @MekDrop (#813)
  • Fixed possible file system exposing due language cookie on installer (reported by hackerone_success) @MekDrop (#822)
  • switch to a more explicit form of comparison @fiammybe (#809)
  • Changed way how paths in subfolder would be handled @MekDrop (#797)
  • Fix '0.0.0/composer-include-files 1.5.0 requires composer-plugin-api ^1.0 -> found composer-plugin-api[2.0.0] but it does not match the constraint.' with newer composer @MekDrop (#787)
  • Fixes deprecation 'Array and string offset access using curly braces' @MekDrop (#786)

🧰 Maintenance

v1.4.2

24 Dec 21:07
2e3f2b3

This release fixes several bugs that were found during the HackerOne initial penetration test run on the 1.4.1 release. Some improvements and bugfixes are present as well.

This is a repackaged version of 1.4.2, because a small fix in the installer was necessary.

Fixes

  • #574 Test 1.4 on PHP 7.4 PHP7 (fiammybe)
  • #692 Include new version of profile PHP7 (fiammybe)
  • #845 PHP 7.4 : access array offset on value of type null in include/functions.php 1037 php 7.4 (fiammybe)
  • #852 anti-clickjacking security vulnerability (report #1055589 by jrckmcsb on HackerOne) (fiammybe)
  • #825 Improve path sanitizing bug security vulnerability (MekDrop)
  • #814 Better sanitize database queries in installer bug (report #983710 by solov9ev on HackerOne) (fiammybe)
  • #637 Notice on admin pages in PHP 7.4 duplicate php 7.4 (fiammybe)
  • #843 Fix the amount of cookies (fiammybe)
  • #805 Missing templates in system module (skenow)
  • #838 Remove whitesource config (MekDrop)
  • #834 + #836 Limit maximum length of password (report #1033373 by f1v3 on HackerOne) (fiammybe)
  • #821 Fixed possible file system exposing due language cookie on installer (MekDrop)
  • #812 Prevents using submitted filenames with ../ for controller (report #1035311 by siva12 on HackerOne) (MekDrop)
  • #815 Better sanitize database queries in installer (report #983710 by solov9ev on HackerOne) (fiammybe)
  • #811 Remove phpopenid example folder bug (report #1042838 by hackerone_success on HackerOne) (fiammybe)
  • #810 more strict comparison of variables (report #1036883 by hodorsec on HackerOne) (fiammybe)
  • #806 Include the missing templates for the image manager (skenow)
  • #603 Issue with image inclusion on TinyMCE (fiammybe)

Improvements

  • #636 errors in form fields on admin account creation page of the installer (fiammybe)
  • #848 Cleanup deprecated functions in functions.php (fiammybe)
  • #694 remove the icms_banner reference. No longer present (fiammybe)

Download ImpressCMS

1.4.2 Release Candidate

14 Dec 22:26
3aa86b2
Pre-release

A bugfix and security release:

  • Limit Maximum length of password (#836)
  • Fixed possible file system exposing due language cookie on installer (#821)
  • Better sanitize DB queries in installer (#815)
  • Prevents using submitted filenames with ../ (#812)
  • Stricter comparison of variables (#810)
  • Include the missing templates for the image manager (#806)
  • Remove the icms_banner references - no longer present (#694)

Download ImpressCMS

v2.0.0 Alpha 10 🌈

20 Oct 21:48
f8ad8d1
Pre-release

What's Changed

🚀 Features

  • change link to Hackerone to the security form @fiammybe (#782)
  • Added 'Security Policy' file @MekDrop (#779)
  • Clears cache when saving config items @MekDrop (#718)
  • Clears cache when installing, uninstalling or updating module @MekDrop (#708)
  • Using request middleware for detecting module + tags middleware.global support for all routes @MekDrop (#707)
  • Message confirm screen use build in form elements instead of internally hardcoded HTML elements @MekDrop (#706)
  • Gzip/Deflates encoder based on HTTP Middlewares @MekDrop (#717)
  • Renders legacy routes as groups in cache file @MekDrop (#704)
  • there is now a possible way to define required permissions for routes @MekDrop (#698)
  • sanitizePath in Logger now works faster (caches real path) @MekDrop (#697)
  • Removed old theme functions @MekDrop (#763)
  • Most core classes now moved into namespaces (with backward compatibility) @MekDrop (#691)
  • Filesystems don't use Mountmanager. Instead we are using container services for each filesystem. @MekDrop (#696)
  • IPF Handler uses in most cases mysql param bindings @MekDrop (#626)
  • Routes defined in composer.json @MekDrop (#620)
  • Update CONTRIBUTING.md @fiammybe (#690)

🐛 Bug Fixes

  • Replace | to || @idetinkin (#781)
  • Fixed URLs for GPLv2 license in php files @MekDrop (#773)
  • Fixes license in composer.json @MekDrop (#772)
  • Fixed bug when ImpressCMS was installed in subfolder and route grouping functionality prevented to add correct prefixes @MekDrop (#771)
  • Fixed #767: logging into admin gives db error @MekDrop (#769)
  • correct the interface path for the setupsteps @fiammybe (#766)
  • Fixes 'Deprecation Notice: Unparenthesized a ? b : c ? d : e is deprecated. Use either (a ? b : c) ? d : e or a ? b : (c ? d : e) in include/cp_functions.php:277' @MekDrop (#700)
  • When handling HTTP errors index.php now correctly detects status code @MekDrop (#699)
  • Removed todo 'Use language constants for messages' from IPF Handler @MekDrop (#748)
  • Composer now has local storage path @MekDrop (#755)
  • Replaced mibe/feedwriter with suin/php-rss-writer because of license conflicts @MekDrop (#756)
  • Fixes bug when if value in criteria is not a string some comparisons fails @MekDrop (#753)
  • Replace tecnickcom/tcpdf with dompdf/dompdf due license incompatibility @MekDrop (#762)
  • Fixes session cookies path for modules @MekDrop (#705)
  • IPF Handler uses in most cases mysql param bindings @MekDrop (#626)
  • Fixed downloading and cloning in admin tplsets @MekDrop (#624)

Download ImpressCMS

v1.4.1

07 Jul 11:42
2789e96

This release resolves some regressions that were introduced with 1.4.0, makes sure everything works fine with PHP 7.3 and also resolves a long-lasting bug with blank pages after login.

Download ImpressCMS

v1.4.1 beta

04 Jul 09:22
c9f67e6
Pre-release

This release fixes several bugs in the 1.4.0 release

Fixes

  • Stored XSS on ImpressCMS 1.4.0 ( #659 )
  • Existence of banners folder results in errors ( #600 )
  • module admin menu is not shown in 1.4 ( #604 )
  • ImageManager : admin can no longer preview images ( #590 )
  • Fatal error during installation at page_tablescreate.php ( #576 )
  • Test 1.4 on PHP 7.3 ( #573 )
  • Login in Chrome points to blank page ( #100 )

Download ImpressCMS

v1.3.12

22 May 22:14
28d76b8

Security Release

This release is a security release to fix a SQL Injection vulnerability when using a PDO database, discovered by Sebastian Fabry at RIPStech. It is recommended to upgrade to ImpressCMS 1.4, where the vulnerability is not present.

If, for some reason, upgrading to ImpressCMS 1.4 is not possible, the vulnerability is also fixed in this release for the 1.3 branch.

Please note that the 1.3 branch does not support PHP7. Support for PHP7 is available starting with ImpressCMS 1.4.0.

Download ImpressCMS

v2.0.0 alpha 9 🌈

22 May 22:07
9e41244
Pre-release

What's Changed

🚀 Features

  • Improved bad code handling in autotasks @MekDrop (#628)
  • Added console commands support based on symfony/console @MekDrop (#629)
  • Added setup step to copy/update module assets @MekDrop (#622)
  • Installer use same core module functions to install modules as core @MekDrop (#621)
  • Autotask systems registration with container @MekDrop (#619)
  • Added module migrations support @MekDrop (#616)
  • Container defined editors and sourceeditors @MekDrop (#618)
  • Service providers, services and preloads now can be defined in composer.json @MekDrop (#615)
  • Plug-able module install, update, uninstall functionality + possibility to use module change, activate, deactivate methods not only in web @MekDrop (#614)
  • icms_getModuleHandler use container functionality @MekDrop (#521)
  • Replace existing Smarty files with Smarty 3 composer installation @MekDrop (#249)
  • Automatic API documentation to Wiki @MekDrop (#602)
  • Rewritten logger to use Monolog @MekDrop (#561)

🐛 Bug Fixes

  • Improved bad code handling in autotasks @MekDrop (#628)
  • When property is string with highlighting field correct control will be selected @MekDrop (#627)
  • Fixed bug in smarty template touch function @MekDrop (#617)
  • Fixes release drafter @MekDrop (#594)

Download ImpressCMS

2.0.0 alpha 8

26 Jan 01:08
7760aff
Pre-release

Lots and lots of bugfixes and improvements.

  • PHP 7.3 compatibility
  • Database migrations
  • Better PSR-4 definitions for core classes
  • moving to Aura.SQL for database support
  • Bootstrap upgraded to 3.4.1
  • now using .env library for environment variable handling
  • moving multiple external libraries from inclusion in the core to inclusion via composer

Download ImpressCMS