Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Feedback to: Textpattern 4.5.0 released
Please provide any feedback related to Textpattern 4.5.0 released.
Offline
Re: Feedback to: Textpattern 4.5.0 released
A small change in version number, but a giant leap for Textpattern! The biggest thing since the early days of this CMS.
Offline
Re: Feedback to: Textpattern 4.5.0 released
Looking very good!
On my textdrive lifetime joyent shared accellerator json is missing, at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()
Thanks for all your good work!
Kees
Offline
Re: Feedback to: Textpattern 4.5.0 released
I updated 3 blogs and it seems to work fine so far! :-)
Offline
Re: Feedback to: Textpattern 4.5.0 released
kees-b wrote:
at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()
Why would someone compile PHP without JSON. That’s strange as hell, it’s almost guaranteed that something breaks if you do so. Sure there are few exploits for it on its earlier versions for 5.2, but none of those are critical as in allowing injections or arbitrary executions.
Anyways, you should update/recompile PHP tho if it’s missing. Otherwise you get those fatals and JavaScript issues. At least you will not see translation strings in JavaScript based dialogs and such, which is for what json_encode is primarily used for.
Last edited by Gocom (2012-08-27 13:35:49)
Offline
Re: Feedback to: Textpattern 4.5.0 released
kees-b wrote:
Looking very good!
On my
textdrive lifetimejoyent shared accellerator json is missing, at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()
Hi Kees
It’s fine on north
. My high diagnostics read json/1.2.1
> Edit. Updated one of our sites without any visible problems.
I know that this is not the thread for this but are there any plans for an update for postmaster?
Last edited by colak (2012-08-27 14:49:40)
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Online
Re: Feedback to: Textpattern 4.5.0 released
weblog says:
Textpattern 4.5.0 fixes three XSS security vulnerabilities which would allow maleficent attackers to gain administrative access to the site by tricking a legitimate publisher into clicking on a carefully crafted link. We thank Mauro Gentile, Jonathan Claudius, and Sasha Zivojinovic for their responsible disclosure of these issues. An update is highly recommended.
history.txt says:
Is it possible to get more information about the impact of the various security vulnerabilities, including the ones that are listed under “bug and security fixes”? In which situations is should users upgrade ASAP?
- Security: Admin-side disallows framing, sends “X-Frame-Options: SAMEORIGIN” header.
- Security: The ‘txp_login’ cookie is set with a ‘HttpOnly’ attribute.
- Security: Fixed a persistent XSS vulnerability in Textile discovered by Mauro Gentile.
- Security: Fixed a XSS vulnerability in the setup process discovered by Jonathan Claudius of Trustwave SpiderLabs.
- Security: Fixed a persistent XSS vulnerability in the access log panel discovered by Sasha Zivojinovic.
- Bug and security fixes
- every textpattern install
- only if you have comments enabled
- only if you have multiple authors and don’t really trust them all.
- only if you use RPC?
- … and what is the impact of each of the vulnerabilities (worst case)?
- etc.
I’m asking because I have to upgrade a few TXP installs that are highly customized, but which do not require the new features in TXP 4.5. So if I don’t have to upgrade now for security reasons, I can schedule it for some other time in the future or perhaps even wait for 4.6.
Offline
Re: Feedback to: Textpattern 4.5.0 released
You should update if one of these applies:
- Visitor logs are enabled and admin-side users are possibly following the recorded referrer links.
- Comments are enabled and not reviewed for malicious HTML prior to making them public.
- Untrusted authors.
- Textpattern is uploaded into a publicly accessible web location without a completed setup.
We have not had to fix any issues with the RPC server or other components besides Textile, the visitor log panel and the setup procedure.
These are your options if you do not want to upgrade a site to Textpattern 4.5 but gain the security benefits from this release:
- You can use Textile 2.4.1 as a drop-in replacement for older Textpattern installs.
- You are advised to remove the whole setup folder once installation is completed, and of course you are not advised to keep an older uninstalled version of Textpattern lying around in a publicly accessible location.
- You can turn off visitor logs and/or carefully inspect all recorded referrer locations (or just drop them completely).
Offline
Re: Feedback to: Textpattern 4.5.0 released
Gocom wrote:
Why would someone compile PHP without JSON. That’s strange as hell, it’s almost guaranteed that something breaks if you do so. Sure there are few exploits for it on its earlier versions for 5.2, but none of those are critical as in allowing injections or arbitrary executions.
From diagnostics:
PHP version: 5.3.5
PHP extensions: Core/5.3.5, date/5.3.5, ereg, libxml, openssl, pcre, sqlite3/0.7-dev, ctype, fileinfo/1.0.5-dev, filter/0.11.0, hash/1.0, SPL/0.2, session, Reflection/$Revision: 305605 $, standard/5.3.5, SimpleXML/0.1, Phar/2.0.1, tokenizer/0.1, xml, xmlreader/0.1, xmlwriter/0.1, cgi-fcgi, gd, iconv, mbstring, mcrypt, mysql/1.0, mysqli/0.1
Very strange indeed – no json.
Ticket sent to joyent support.
-k
Last edited by kees-b (2012-08-27 15:43:26)
Offline
Re: Feedback to: Textpattern 4.5.0 released
I just did a fresh install and found sbl.spamhaus.org
in advance preferences. Doesn’t this always cause problems? Shouldn’t we delete/disable it by default?
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Online
#11 2012-08-27 16:42:13
- Corfitz Ulfeldt
- New Member
- Registered: 2012-08-27
- Posts: 5
Re: Feedback to: Textpattern 4.5.0 released
Just installed, nice improvements to the installation process and I really like the new admin theme!
One thing though: For unknown reasons the ‘search’ field is displayed twice in my completely fresh installation.
He’re a screenshot: http://i.imgur.com/6uZ88.png
The only thing i did so far was to make backuo copies of the pages and css using the built-in copy feature at the bottom (…or copy page/css as) giving them a ‘backup_’ prefix.
Anyone else have this issue? Latest Firefox.
Here’s the source code as it appears in inspect:
<!— right (complementary) column —>
<div role=“complementary”>
<form role=“search” method=“get” action=“http://www.removed.com/”>
<h4><label for=“search-textbox”>Search</label></h4>
<p><input id=“search-textbox” type=“search” name=“q”><input type=“submit” value=“Go”></p>
</form>
<!— links by default to form: ‘search_input.misc.txp’ unless you specify a different form —>
<form method=“get” action=“http://www.removed.com/”>
<p class=“search_input”><input type=“search” value=”“ name=“q” size=“15” required /><input type=“submit” value=“Go” /></p>
</form>
(UPDATE: Same in Safari)
Last edited by Corfitz Ulfeldt (2012-08-27 16:44:00)
Offline
Re: Feedback to: Textpattern 4.5.0 released
I haven’t been able to install glz_customs_fields (GCF) in a fresh 4.5.0 installation. The plug-in installer script fails to install the required mySQL table and the TXP installation then locks up until I disable the plugin manually via PHPMyAdmin. PHP version is 5.3 and MySQL is version 5. That inhibits me from updating operational sites.
Has anyone else had this difficulty, does updating an existing site that already has a functional installation of GCF work because the table already exists?
Last edited by joebaich (2012-08-27 16:59:38)
Offline