
Textpattern CMS support forum


#61 2008-11-23 21:07:39

sthmtc
Member
From: CGN, GER
Registered: 2005-01-17
Posts: 586
Website

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

I just wanted to upgrade an installation to the latest RC and now I’m getting this error:

Warning: Unknown column 'load_order' in 'order clause' select name, code, version from txp_plugin where status = 1 AND type IN (1,3) order by load_order in /textpattern/lib/txplib_db.php on line 82

And when I go to the plugin section:

Warning: Unknown column 'load_order' in 'field list' select name, status, author, author_uri, version, description, length(help) as help, abs(strcmp(md5(code),code_md5)) as modified, load_order from txp_plugin where 1 order by name asc in /textpattern/lib/txplib_db.php on line 82

Last edited by sthmtc (2008-11-23 21:08:15)

Offline

#62 2008-11-23 21:09:51

wet
Developer Emeritus
From: Vöcklabruck, Austria
Registered: 2005-06-06
Posts: 3,416
Website GitHub Mastodon

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

What version were you updating from?

Offline

#63 2008-11-23 21:17:40

sthmtc
Member
From: CGN, GER
Registered: 2005-01-17
Posts: 586
Website

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

4.0.6

Offline

#64 2008-11-23 21:43:22

wet
Developer Emeritus
From: Vöcklabruck, Austria
Registered: 2005-06-06
Posts: 3,416
Website GitHub Mastodon

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

Strange, as Textpattern would add the missing column load_order as a part of the update procedure from a clean 4.0.6 to 4.0.7 RC.

This SQL statement would force TXP to reapply all updates: DELETE FROM txp_prefs WHERE name='dbupdatetime' (replace txp_prefs with your prefixed table name like myprefixtxp_prefs)

Offline

#65 2008-11-23 22:39:40

wet
Developer Emeritus
From: Vöcklabruck, Austria
Registered: 2005-06-06
Posts: 3,416
Website GitHub Mastodon

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

the_ghost wrote:

Do filenames appear in url?

For instance, <txp:file_download_link /> builds clean URIs like so: http://example.com/file_download/42/foo.bar

Offline

#66 2008-11-24 05:50:09

wet
Developer Emeritus
From: Vöcklabruck, Austria
Registered: 2005-06-06
Posts: 3,416
Website GitHub Mastodon

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

sthmtc wrote:

4.0.6

Sven, was this site installed or updated with 4.0.6 before or after 2008-Nov-07?

Offline

#67 2008-11-24 08:36:01

the_ghost
Plugin Author
From: Minsk, The Republic of Belarus
Registered: 2007-07-26
Posts: 907
Website

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

wet wrote:

For instance, <txp:file_download_link /> builds clean URIs like so: http://example.com/file_download/42/foo.bar

Oops, you’re right. But I have an idea – can’t we leave filenames in the native language, but not use them in the URL, or use a transliterated version? I think that TXP handles downloads correctly by ID – the filename is for recognition only. And, if that’s so, a transliterated URL would be the happy medium, because we can build nice links, where <txp:file_download_name /> would look good and the URL would be safe.


Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebook?

Offline

#68 2008-11-24 08:39:33

wet
Developer Emeritus
From: Vöcklabruck, Austria
Registered: 2005-06-06
Posts: 3,416
Website GitHub Mastodon

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

the_ghost wrote:

Oops, you’re right. But I have an idea – can’t we leave filenames in the native language, but not use them in the URL, or use a transliterated version?

This would probably break existing URIs and backwards compatibility.

Offline

#69 2008-11-24 08:57:13

the_ghost
Plugin Author
From: Minsk, The Republic of Belarus
Registered: 2007-07-26
Posts: 907
Website

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

wet wrote:

This would probably break existing URIs and backwards compatibility.

I have an old 4.0.6 version and filenames aren’t converted there – only spaces are converted into +. If we leave the current behaviour or make names transliterated, it’s very uncomfortable to build file archives, because this way we have only one untouchable field – the file’s description – and we have to use it as the file name, or develop some PHP code for exploding this field into 2 or more by some special chars (like the plugin for a series of values in one custom_field).

Last edited by the_ghost (2008-11-24 09:56:31)


Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebook?

Offline

#70 2008-11-24 12:27:02

Olhado
New Member
Registered: 2008-10-28
Posts: 3

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

the_ghost wrote:

I have an old 4.0.6 version and filenames aren’t converted there – only spaces are converted into +.

It’s true :) For example: mp3 with raw Russian in filename — TxP 4.0.6 and there are no problems with downloading, playing, etc. And the CMS works fine.

But not in 4.0.7

Last edited by Olhado (2008-11-24 12:27:46)


Sorry for bad English

Offline

#71 2008-11-24 12:48:38

wet
Developer Emeritus
From: Vöcklabruck, Austria
Registered: 2005-06-06
Posts: 3,416
Website GitHub Mastodon

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

Olhado wrote:

It’s true :) For example: mp3 with raw Russian in filename (http://khasandivers.co.cc/file_download/2/%D0%91%D0%BE%D0%B9+%D1%83+%D0%BE%D0%B7%D0%B5%D1%80%D0%B0+%D0%A5%D0%B0%D1%81%D0%B0%D0%BD-%D0%90%D0%BD%D1%81%D0%B0%D0%BC%D0%B1%D0%BB%D1%8C+%D0%BF%D0%B5%D1%81%D0%BD%D0%B8.mp3)

We know that this “works”. But it requires percent-encoded filenames (see above), which might pose a security risk. The sanitization of file names as a security precaution is part of 4.0.7.

Offline

#72 2008-11-24 13:11:19

sthmtc
Member
From: CGN, GER
Registered: 2005-01-17
Posts: 586
Website

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

wet wrote:

Strange, as Textpattern would add the missing column load_order as a part of the update procedure from a clean 4.0.6 to 4.0.7 RC.

So could this be a bug? I never had any issues upgrading Textpattern in that particular environment.

Offline

#73 2008-11-24 13:12:49

wet
Developer Emeritus
From: Vöcklabruck, Austria
Registered: 2005-06-06
Posts: 3,416
Website GitHub Mastodon

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

sthmtc wrote:

So could this be a bug? I never had any issues upgrading Textpattern in that particular environment.

No, but it could be a timing issue.

Offline

#74 2008-11-24 13:15:05

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 12,424
Website GitHub

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

wet wrote:

it requires percent-encoded filenames …which might pose a security risk.

That’s fair enough but I wonder if this will cause other problems. Like, if two entirely Cyrillic filenames (except extension) are uploaded and they are both identical types (e.g. .doc) the second will overwrite the first — or error out, not sure which — because they will both try to write to the same file site.com/files/.doc.

Also, when serving a file via /file_download, can’t the ID be used to verify (or even get) the filename from the DB at download time? If the true sanitized filename is kept internal to the DB and not used to determine the actual file path to download, the one in the site.com/file_download/id/some-name-here is just for show; could that be displayed unescaped or is that ultra complicated? (I really don’t know).

The downside to only using the ID is of course that it’s easily guessable and anything could be written after the ID’s slash. But the same is true of the filename now (it can be fairly easily guessed if you have a rigid naming convention) so from that side of things it’s not secure.

When you say security risks do you mean someone could percent encode the equivalent of ../../../passwd as the filename to retrieve and TXP would go ahead and grab it, ignoring the ID and the database check? Just curious what the risk is: I’m not particularly well versed in this arena (sorry if I’m being thick / naive).

Last edited by Bloke (2008-11-24 13:38:11)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Hire Txp Builders – finely-crafted code, design and Txp

Offline
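
The points raised in the post above, as an added example that is not part of the thread and is not Textpattern's code: a download path built from the percent-decoded name segment of the URL, next to one selected by ID alone, plus the collision a strict ASCII sanitizer produces for all-Cyrillic names. The table contents, function names, base directory and sanitizing rule are assumptions made for the illustration.

```php
<?php
// Added illustration; not Textpattern code. All names below are hypothetical.

// Constructed stand-in for the files table: ID => filename as stored on disk.
$files = [
    2  => 'song.mp3',
    42 => 'foo.bar',
];

// Assumed sanitizing policy: drop every byte outside [A-Za-z0-9._-].
function sanitize_filename(string $name): string
{
    return preg_replace('/[^A-Za-z0-9._-]/', '', $name);
}

// Risky pattern: the percent-decoded name segment of the URL picks the file.
function path_from_url_name(string $base, string $uri): string
{
    $segments = explode('/', trim($uri, '/'));   // file_download, id, name
    return $base . '/' . rawurldecode($segments[2] ?? '');
}

// Safer pattern: the ID alone selects the file; the name segment is cosmetic.
function path_from_id(string $base, string $uri, array $files): ?string
{
    $segments = explode('/', trim($uri, '/'));
    $id = $segments[1] ?? '';
    if (!ctype_digit($id) || !isset($files[(int) $id])) {
        return null;                             // unknown or malformed ID: refuse
    }
    // basename() is a second guard in case a stored name ever contains a path.
    return $base . '/' . basename($files[(int) $id]);
}

$base = '/var/www/files';                          // assumed upload directory
$uri  = '/file_download/42/..%2F..%2F..%2Fpasswd'; // encoded form of the name asked about above

// The decoded name walks out of $base; the ID lookup never reads it.
echo path_from_url_name($base, $uri), "\n";
echo path_from_id($base, $uri, $files), "\n";

// Two different all-Cyrillic names keep only their extension, so they collide.
var_dump(sanitize_filename('Бой.doc') === sanitize_filename('Песня.doc'));
```

Storing uploads under an ID-derived or otherwise unique name on disk avoids the collision while the original name is kept in the database for display.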

#75 2008-11-24 13:19:34

sirblackheart
New Member
Registered: 2008-07-04
Posts: 7

Re: Feedback to: Help us test the release candidate for the upcoming 4.0.7

My question is: is it possible to write something like this:

<txp:article_custom id='<txp:glz_custom_field name="AutorenOderWerke" />'>
	<txp:title />
	<txp:body />
	<txp:article_custom id='<txp:glz_custom_field name="Werk" />'>
		<txp:body />
	</txp:article_custom>
</txp:article_custom>

I’m calling this in a single article view. It should get the first article id from the main article, and the second article id from the article called with the first id…
Sorry for my bad English

Offline
