Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2012-08-27 06:49:58

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,330
Website Mastodon

Feedback to: Textpattern 4.5.0 released

Please provide any feedback related to Textpattern 4.5.0 released.

Offline

#2 2012-08-27 08:58:39

argi
Plugin Author
Registered: 2012-06-17
Posts: 8
Website

Re: Feedback to: Textpattern 4.5.0 released

A small change in version number, but a giant leap for Textpattern! The biggest thing since the early days of this CMS.

Offline

#3 2012-08-27 11:50:54

kees-b
Member
From: middelburg, nl
Registered: 2004-03-03
Posts: 235
Website

Re: Feedback to: Textpattern 4.5.0 released

Looking very good!

On my textdrive lifetime joyent shared accellerator json is missing, at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()

Thanks for all your good work!

Kees

Offline

#4 2012-08-27 13:06:58

SuMu
Member
From: Germany - Wuppertal
Registered: 2008-03-06
Posts: 242
Website

Re: Feedback to: Textpattern 4.5.0 released

I updated 3 blogs and it seems to work fine so far! :-)


viele Grüße
SuMu

Psychomuell + blogZicke

Offline

#5 2012-08-27 13:32:41

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Feedback to: Textpattern 4.5.0 released

kees-b wrote:

at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()

Why would someone compile PHP without JSON. That’s strange as hell, it’s almost guaranteed that something breaks if you do so. Sure there are few exploits for it on its earlier versions for 5.2, but none of those are critical as in allowing injections or arbitrary executions.

Anyways, you should update/recompile PHP tho if it’s missing. Otherwise you get those fatals and JavaScript issues. At least you will not see translation strings in JavaScript based dialogs and such, which is for what json_encode is primarily used for.

Last edited by Gocom (2012-08-27 13:35:49)

Offline

#6 2012-08-27 14:03:30

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,093
Website GitHub Mastodon Twitter

Re: Feedback to: Textpattern 4.5.0 released

kees-b wrote:

Looking very good!

On my textdrive lifetime joyent shared accellerator json is missing, at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()

Hi Kees

It’s fine on north. My high diagnostics read json/1.2.1

> Edit. Updated one of our sites without any visible problems.

I know that this is not the thread for this but are there any plans for an update for postmaster?

Last edited by colak (2012-08-27 14:49:40)


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#7 2012-08-27 14:56:25

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Feedback to: Textpattern 4.5.0 released

weblog says:

Textpattern 4.5.0 fixes three XSS security vulnerabilities which would allow maleficent attackers to gain administrative access to the site by tricking a legitimate publisher into clicking on a carefully crafted link. We thank Mauro Gentile, Jonathan Claudius, and Sasha Zivojinovic for their responsible disclosure of these issues. An update is highly recommended.

history.txt says:

  • Security: Admin-side disallows framing, sends “X-Frame-Options: SAMEORIGIN” header.
  • Security: The ‘txp_login’ cookie is set with a ‘HttpOnly’ attribute.
  • Security: Fixed a persistent XSS vulnerability in Textile discovered by Mauro Gentile.
  • Security: Fixed a XSS vulnerability in the setup process discovered by Jonathan Claudius of Trustwave SpiderLabs.
  • Security: Fixed a persistent XSS vulnerability in the access log panel discovered by Sasha Zivojinovic.
  • Bug and security fixes

Is it possible to get more information about the impact of the various security vulnerabilities, including the ones that are listed under “bug and security fixes”? In which situations is should users upgrade ASAP?
  • every textpattern install
  • only if you have comments enabled
  • only if you have multiple authors and don’t really trust them all.
  • only if you use RPC?
  • … and what is the impact of each of the vulnerabilities (worst case)?
  • etc.

I’m asking because I have to upgrade a few TXP installs that are highly customized, but which do not require the new features in TXP 4.5. So if I don’t have to upgrade now for security reasons, I can schedule it for some other time in the future or perhaps even wait for 4.6.

Offline

#8 2012-08-27 15:10:30

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,330
Website Mastodon

Re: Feedback to: Textpattern 4.5.0 released

You should update if one of these applies:

  • Visitor logs are enabled and admin-side users are possibly following the recorded referrer links.
  • Comments are enabled and not reviewed for malicious HTML prior to making them public.
  • Untrusted authors.
  • Textpattern is uploaded into a publicly accessible web location without a completed setup.

We have not had to fix any issues with the RPC server or other components besides Textile, the visitor log panel and the setup procedure.

These are your options if you do not want to upgrade a site to Textpattern 4.5 but gain the security benefits from this release:

  • You can use Textile 2.4.1 as a drop-in replacement for older Textpattern installs.
  • You are advised to remove the whole setup folder once installation is completed, and of course you are not advised to keep an older uninstalled version of Textpattern lying around in a publicly accessible location.
  • You can turn off visitor logs and/or carefully inspect all recorded referrer locations (or just drop them completely).

Offline

#9 2012-08-27 15:40:32

kees-b
Member
From: middelburg, nl
Registered: 2004-03-03
Posts: 235
Website

Re: Feedback to: Textpattern 4.5.0 released

Gocom wrote:

Why would someone compile PHP without JSON. That’s strange as hell, it’s almost guaranteed that something breaks if you do so. Sure there are few exploits for it on its earlier versions for 5.2, but none of those are critical as in allowing injections or arbitrary executions.

From diagnostics:

PHP version: 5.3.5

PHP extensions: Core/5.3.5, date/5.3.5, ereg, libxml, openssl, pcre, sqlite3/0.7-dev, ctype, fileinfo/1.0.5-dev, filter/0.11.0, hash/1.0, SPL/0.2, session, Reflection/$Revision: 305605 $, standard/5.3.5, SimpleXML/0.1, Phar/2.0.1, tokenizer/0.1, xml, xmlreader/0.1, xmlwriter/0.1, cgi-fcgi, gd, iconv, mbstring, mcrypt, mysql/1.0, mysqli/0.1

Very strange indeed – no json.

Ticket sent to joyent support.

-k

Last edited by kees-b (2012-08-27 15:43:26)

Offline

#10 2012-08-27 15:55:59

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,093
Website GitHub Mastodon Twitter

Re: Feedback to: Textpattern 4.5.0 released

I just did a fresh install and found sbl.spamhaus.org in advance preferences. Doesn’t this always cause problems? Shouldn’t we delete/disable it by default?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#11 2012-08-27 16:42:13

Corfitz Ulfeldt
New Member
Registered: 2012-08-27
Posts: 5

Re: Feedback to: Textpattern 4.5.0 released

Just installed, nice improvements to the installation process and I really like the new admin theme!
One thing though: For unknown reasons the ‘search’ field is displayed twice in my completely fresh installation.
He’re a screenshot: http://i.imgur.com/6uZ88.png
The only thing i did so far was to make backuo copies of the pages and css using the built-in copy feature at the bottom (…or copy page/css as) giving them a ‘backup_’ prefix.
Anyone else have this issue? Latest Firefox.

Here’s the source code as it appears in inspect:

<!— right (complementary) column —> <div role=“complementary”> <form role=“search” method=“get” action=“http://www.removed.com/”> <h4><label for=“search-textbox”>Search</label></h4> <p><input id=“search-textbox” type=“search” name=“q”><input type=“submit” value=“Go”></p>
</form> <!— links by default to form: ‘search_input.misc.txp’ unless you specify a different form —>
<form method=“get” action=“http://www.removed.com/”>
<p class=“search_input”><input type=“search” value=”“ name=“q” size=“15” required /><input type=“submit” value=“Go” /></p>
</form>

(UPDATE: Same in Safari)

Last edited by Corfitz Ulfeldt (2012-08-27 16:44:00)

Offline

#12 2012-08-27 16:51:11

joebaich
Member
From: DC Metro Area and elsewhere
Registered: 2006-09-24
Posts: 507
Website

Re: Feedback to: Textpattern 4.5.0 released

I haven’t been able to install glz_customs_fields (GCF) in a fresh 4.5.0 installation. The plug-in installer script fails to install the required mySQL table and the TXP installation then locks up until I disable the plugin manually via PHPMyAdmin. PHP version is 5.3 and MySQL is version 5. That inhibits me from updating operational sites.

Has anyone else had this difficulty, does updating an existing site that already has a functional installation of GCF work because the table already exists?

Last edited by joebaich (2012-08-27 16:59:38)

Offline

Board footer

Powered by FluxBB