All Versions: 47
Avg Release Cycle: 84 days
Latest Release: -

Changelog History

  • v9.1.1 Changes

    Behavioral Improvements

    • ✨ Enhancement: adding the ability to pass an association ID through the request and pick it up in the form
    • ➕ Adding associations to Express form notifications
    • Top Navigation Bar block now honors the nav_target custom attribute, if it exists (thanks ccmEnlil)

    🐛 Bug Fixes

    • 🛠 Fixed bug in /ccm/system/upgrade script on PHP 8.1 (thanks ccmEnlil)
    • 🛠 Fixed upgrade inconsistencies that could cause problems for installers like Softaculous
    • 🛠 Fixed Accordion Block: when the initial state is set to 'all items open' or 'all items closed' the collapsed state is not always correct (thanks danklassen)
    • 🛠 Fixed compatibility with PHP 8.1 when installing with Composer.
    • 🛠 Fixing bug where Express entries with multiple associations could not be filtered accurately in advanced search
    • 🛠 Fixing bug where submitted values do not persist in Express association forms
    • 🛠 Fixed: Changing the page template of a draft breaks block versioning (thanks jaromirdalecky)
    • 🛠 Fixed: Duplicating a file as non-super admin does not work due to permissions key (thanks danklassen)
    • 🛠 Fixed: core search block: the form tag has two class attributes
    • 🛠 Fixed null pointer exceptions when using area layouts under certain conditions (thanks biplobice)

    Backward Compatibility Notes

    ⚡️ Developer Updates

    • ⚡️ Laminas cache laminas/laminas-cache-storage-adapter-memory library updated to 2.0 in order to restore compatibility with PHP 8.1 when installing via Composer
    • 🛠 Fixed: Block::isOriginal() returns opposite value (thanks jaromirdalecky)
  • v9.1.0 Changes

    🆕 New Features

    • 👌 Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)
    • ➕ Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…
    • Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)
    • 🔋 Feature Link block improvements: adds an option for a 'link' styled button using the BS5 .btn-link button class, adds the option to include an icon in the button and to have icon-only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
    • 💅 Hero Image block improvements: adds an option for a 'link' styled button using the BS5 .btn-link button class, adds the option to include an icon in the button and to have icon-only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
    • ➕ Added new Security Policy page in the Dashboard (thanks hissy)
    • ➕ Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)
    • 👌 Improvements and refinements to the Dashboard file details screen in desktop and mobile views.
    • ➕ Added the ability to move a file folder in the Dashboard file manager.
    • ➕ Added the tree view back to the Groups Dashboard page.
    • ➕ Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)

    Behavioral Improvements

    • Express attributes no longer need to be unique across all Express objects. Instead, attribute handles can be reused provided they’re not reused within the same object.
    • 🆕 New Express forms will be created when Express Form blocks that have been copied are edited in their new locations (thanks Xanweb)
    • 🛠 File chooser has improved view and functionality; bug fixes; adding width, height and size to list and grid view; adding detail image callout on hover.
    • 🚚 Task Options in the Dashboard have been moved into a modal dialog when present, so they’re harder to miss (thanks deek87)
    • Express entity attribute handles now can be reused as long as they’re not reused within the same Express object.
    • You can now click on the entire row of a Dashboard results table (like the page search, file manager, etc…) and go to the detail URL.
    • 👍 Better display of inline floating commands for things like containers and block move.
    • We now show the container name when hovering over containers in edit mode.
    • 👍 Reinstated CSS and JavaScript asset post-processing cache setting; restructured the Dashboard Cache Settings page for better grouping of functionality and explanation.
    • 👌 Improve display of Recaptcha settings page.
    • Appearance improvements to Waiting for Me and the Dashboard desktop.
    • Active classes for pages added to the output of the Top Navigation Bar block (thanks danklassen)
    • Locale home page is now undeleteable when using multilingual sites.
    • 🐎 Miscellaneous performance improvements for logged-in users (thanks hissy)
    • ➕ Added rate limiting to Forgot Password using the built-in IP Allowlist/Denylist functionality
    • 👍 Better usage of the meta canonical tag in pages under certain circumstances (thanks hissy)
    • File folders now cannot be deleted if they have sub-folders or sub-files in them.
    • 💅 Display improvements to inline style dropdown (no more too-dark panels with no contrast).
    • 👍 Better automatic display of the “Approve Stack” button when editing block parameters, styles and permissions in the stacks Dashboard page.
    • 🚚 Don’t allow users to delete site types until they have removed all sites of that type.
    • 👌 Improvements when Concrete is installed in a subdirectory instead of the root directory of a website.
    • ➕ Added the ability to view a user’s public profile from their Dashboard user details page.
    • ➕ Added --session-handler to the console install utility. Set to database if you’d like to override the default file-based sessions.
    • Removed the behavior where certain dynamic trees cause pages to scroll to them on load (visible on Express Object details edit, adding groups, using the Groups selector in custom Dashboard pages, and more)
    • 🍱 JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
    • ➕ Added the link back to the “Data Objects” Express management interface from the header of that Express object's results page.
    • ➕ Added URL Path as a column that can be added to the Page Search interface.
    • 🛠 Fixed: Login page forces gray background on custom themes
    • 🛠 Fixed: Scheduled page publishing doesn't purge the page cache (thanks hissy)
    • ➕ Added more caching to certain objects to improve performance (thanks hissy)
    • Pre-selected File Storage Location for Nested Folder

    πŸ› Bug Fixes

    • πŸ›  Much improved PHP 8 compatibility fixes for all core block types (thanks deek87)
    • πŸ›  Fixed user permissions for searching users with non super admin not working in sites upgraded from 8.5 until permissions were reset.
    • πŸ›  Fixed inability to assign groups, users, group sets or group combinations to group permissions when updating from 8.5.
    • πŸ‘Œ Improvements to core libraries to allow for installation on PHP 8.1 w/Composer.
    • πŸ›  PHP 8 compatibility fixes for Calendar (thanks deek87)
    • πŸ›  Fixed: Database Character Set is no longer showing current character set.
    • πŸ›  Fixed: Missing font selection for body font in Atomik customizer when using Default skin.
    • πŸ›  Fixed: Batch Task with empty batch does not finish running
    • πŸ›  Fix Top Navigation Bar block 'include sticky nav' setting not set appropriately when editing the block
    • πŸ›  Fixed inability to drag an individual block out of the stacks panel in a page.
    • πŸ›  Fixed: Document Library advanced search fields do not display
    • πŸ›  Fixed β€œExpress form error dirty entity” error that users might see when creating forms on the front-end.
    • πŸ›  Fixed bug where attribute data validation routines weren’t being run when updating certain objects and certain objects in bulk.
    • πŸ›  Fixed: Express Calendar and Calendar Event Attributes Not Correctly Implemented
    • πŸ›  Fixed: "Added to Page" File search filter doesn't work
    • πŸ›  Fixed: Schedule Guest Access doesn't work (thanks HamedDarragi)
    • πŸ›  Fixed: Page Search in chooser dialog doesn’t work (thanks HamedDarragi)
    • πŸ›  Fixed: The multilingual panel/page relations panel didn’t allow you to create pages in the multilingual trees from the related page - and it used to.
    • πŸ›  Fixed strange appearance in Dashboard sitemap selector when using multisite and multiple locales.
    • πŸ›  Fixed bugs with using custom file attributes with the Document Library block.
    • πŸ›  Fixed theme customizer not working on legacy LESS-based themes when being used with a large number of LESS variables.
    • πŸ›  Fixed inability to see sort icons on attributes in the Dashboard.
    • πŸ›  Fix Auto-Nav showing duplicate tabs in themes based on Bootstrap 3 (thanks lvanstrijland)
    • πŸ›  Fixed: When using more than one user search criteria by group, one to include groups and one to exclude groups, we get the wrong results (thanks mnakalay)
    • πŸ›  Fixed: Accordion block doesn't load required assets when not using BS5 based theme.
    • πŸ›  Fixed Error when try to edit 'express details block' (thanks Ruud-Zuiderlicht)
    • πŸ›  Fixed edit page type basic details error on PHP 8.
    • Tooltips now work properly again in Composer interface (thanks danklassen)
    • πŸ›  Fixed inability to create and update skins for themes that had a large number of parameters under certain conditions.
    • πŸ›  Fixed errors that would occur when creating a site, enabling multilingual, setting a new source locale, and deleting the original default locale.
    • πŸ›  Fixed: User activation workflow, Activate action not working
    • πŸ›  Fixed: 9.0.2 Seo Bulk Updater for multilingual site not showing results when selecting All Levels (thanks danklassen)
    • πŸ›  Fixed: Placing a Sticky "Top Navigation Bar" in Global "Navigation" using Atomik blocks editing of page
    • πŸ›  Fixed: Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
    • Re-enabled the ability to edit a user’s avatar from their Dashboard details page.
    • πŸ›  Fixed: Clipboard - Unable to remove broken clipboard entries/clipboard doesnt remove deleted blocks
    • πŸ›  Fixed: When placing a stack, the edit mode menu is not displayed
    • πŸ›  Fixed: Adding Options To Option List Page Attribute Undefined Array Key under PHP 8
    • πŸ›  Fixed: Multilingual copy site tree with alias pages (thanks hissy)
    • πŸ›  Fixed: v9 Elemental Block Edit Nav Tabs Broken (thanks ccmEnlil)
    • πŸ›  Fixed: Error in updating package from marketplace incorrectly displaying itself under certain conditions (thanks JohnTheFish)
    • πŸ›  Fixed: Accordion block editing interface rich text editor doesn’t have access to Concrete-specific features like file manager, sitemap, etc…
    • πŸ›  Fixes ErrorException - Undefined property: Concrete\Core\Permission\Access\Entity\GroupCombinationEntity::$label under PHP 8 (thanks 1stthomas)
    • Legacy form's "reply to this email address" checked state was not properly passed (thanks katzueno)
    • πŸ›  Fixed errors with the legacy form (thanks mlocati)
    • πŸ›  Fixed: Updating an express form handle can result in a table name that is too long for mysql
    • πŸ›  Fix several user search fields not retaining their selected values (thanks mnakalay)
    • πŸ›  Fixed: install with Elemental full fails due to undefined array key "titleFormat" under PHP 8
    • πŸ›  Fix YouTube block responsive size class issue (thanks katalysis)
    • πŸ›  Fixed Marketplace dashboard page broken under PHP 8
    • Conversation rating stars now appear properly (thanks deek87)
    • πŸ›  Fixed inability to remove an entry from the trash when that entry is an alias to an external link (thanks Ruud-Zuiderlicht)
    • πŸ›  Fixed bug where core β€œParallax Image” area custom template (deprecated) now works again
    • πŸ›  Fix a bug with having multiple image blocks with on-hover attribute set on the page didn’t work reliably (thanks evgk)
    • πŸ›  Fixed: Toolbar title styling interfering with intelligent search results in accessibility mode (thanks Mesuva)
    • πŸ›  Fixed: Switch Language block default view does not work
    • πŸ›  Fixed inability to use the β€œExpress Entry Selector Multiple” form control type.
    • πŸ›  [V9 RC]Fixed cookie not being cleared properly to open "add block panel" when using the sticky add panel and installing Concrete in a sub-directory
    • πŸ›  Fixed: Position of the reCAPTCHA badge not shown correctly after saving
    • πŸ›  Fixed errors in waiting for me when groups or users were deleted.
    • πŸ›  Fix inability to set storage location from file details Dashboard page.
    • πŸ›  Fixed bugs with thumbnails on alternate storage locations (thanks mnakalay)
    • πŸ›  Fixed: concrete.debug.hide_keys' not working on Globals do to commented Code
    • πŸ›  Fix IpAccessControlService check against specific access control category (thanks mlocati)
    • Access Control: fix sorting categories in the dashboard page (thanks mlocati)
    • πŸ›  Fixed bug: When there's no time window, we currently ban IP addresses forever, even if we configure Concrete to only ban for X seconds. (thanks mlocati)
    • πŸ›  Fixed bug: "Illegal mix of collations" when running reindex task when running under certain database conditions.
    • βž• Added β€œsnippet.png” back into rich text editor so you can see that button.
    • πŸ›  Fixed: Removing Author User From Page Attributes & Saving Throws Error
    • πŸ›  Fixed: Deleting Containers throws Access Denied error under certain in-page editing conditions.
    • πŸ›  Fixed: Rich Text Page Attribute Composer "Source" Editing Hindered By Composer Autosave
    • πŸ›  Fixed a bug in image processing (Imagine Library) that could lead to segmentation faults under certain conditions (thanks mlocati)
    • πŸ›  Fixed: PlaceholderService error in thumbnail overview (thanks haeflimi)
    • πŸ›  Fixed: Deleting Containers shows multiple delete modal windows under certain in-page editing conditions.
    • πŸ›  Fixed: Top navigation block always loads the default site tree even in multilingual sites (thanks danklassen)
    • πŸ›  Fixed inability to override session handler to database in config prior to installation and then install successfully.
    • πŸ›  Fix missing none option in attribute display block (thanks JohnTheFish)
    • πŸ›  Fixed: Stacks with no approved versions do not appear in stacks list

    Backward Compatibility Notes

    • ⚡️ The Concrete\Core\Express\Form\Validator\Routine\RoutineInterface class and all classes that implement it have changed. The validate method now takes a nullable third parameter for the Concrete\Core\Entity\Express\Entry object that may or may not exist. This replaces the request type attribute. The request type can now be inferred: if the entry does not exist, we assume this to be an ADD operation. If the entry exists within the validate method, you are running an UPDATE operation.
    • Block::duplicate() has changed its secondary parameter from $isCopiedWhenPropagated to $controllerMethodToTryAndRun. This lets us choose duplicate_master or the new duplicate_clipboard in certain situations. It is very unlikely that this should impact any custom code you have written as this is pretty deep in the Concrete internals.
    • If you have customized the Document Library view template, please ensure that your <form> tag has a valid input button with the name “search”. This is checked in the controller in order to ensure searching is actually occurring. If you want to search by advanced file attributes, you’ll need this to be in place or else the Document Library controller will not check for attribute searching.

    ⚡️ Developer Updates

    • Added on_page_version_delete event (thanks hathawayweb)
    • ⚡️ Mail Importer code running on ancient Zend Mail code updated to PHP 7+ (thanks KevinBLT)
    • Patches to third party libraries to allow for installation on PHP 8.1 w/Composer (thanks mlocati)
    • ⚡️ htmlawed HTML sanitization library updated for better compatibility with HTML5.
    • IP Access Control: add IpAccessControlCategory::describeTimeWindow() (thanks mlocati)
    • 👍 Allow Date service class to work with DateTimeImmutable objects (thanks mlocati)
    • 👌 Improvements and bug fixes to route building and controller syntax (thanks mlocati)
    • More reliable running of on_start() in block controllers before page contents are rendered (thanks hissy)
    • 🚚 Moved concrete5/dependency-patches to the core composer.json instead of the separate composer project (thanks mlocati)
    • 👌 Improved code commenting throughout all core blocks (thanks deek87)
    • 🛠 Fix list_syntax rule of PHP-CS-Fixer (thanks mlocati)
    • ⚡️ Significant list of third party PHP script minor updates.
    • Simplify c5:exec return code (thanks mlocati)
    • 🛠 Fixed: Task scheduling command is incorrect on dashboard page and in documentation, needs more detail
    • 🏗 Concrete\Core\Http\ResponseFactory used to take $session as its first constructor dependency, even though that was not used. This caused problems in the event the response factory was used prior to sessions being available, or when configured for database sessions that were not yet installed. This parameter has been removed. If you use the $app->make() method of building this class, you should not be affected.
    • Now using https:// for communication with the Concrete marketplace even when the user’s site is not https://

    🔒 Security Fixes

  • v9.0.2 Changes

    Behavioral Improvements

    • 🌐 Many translation fixes, including new components that weren’t localized (thanks mlocati)
    • 👍 Better appearance of inline toolbars. Updates to remove potential style collisions between block design toolbar and themes.
    • 👌 Improvements to the process of publishing page type default blocks to child pages (thanks deek87)
    • 🔒 Rehash passwords when needed to ensure adherence to the latest security standards.
    • 🛠 Fixed display of the FAQ block in edit mode.
    • 📈 Use base64 encoding/decoding on submitting tracking codes in the Dashboard to avoid triggering mod_security (if present) on submit (thanks Mesuva)
    • ➕ Added a settings tab with new options to Accordion block type (thanks katalysis)
    • Concrete file choosers once again limit by file type and extension in certain contexts (e.g. no longer able to choose non-image files if the code requires image files be chosen).
    • Two Column Light and Light Stripe containers in Atomik theme renamed to Two Column Highlight and Highlight Stripe to avoid confusion.
    • 👍 Stacked and Stacked Primary custom templates for Feature block in Atomik have nicer padding, better behavior when used to link elsewhere.
    • 👍 Hero Image “Offset Title” custom template in Atomik now has better behaviors: it honors the height setting and looks nicer in the theme whether the container is enabled or not.
    • 💅 Miscellaneous style classes added to the rich text editor when using Atomik theme.
    • 👌 Improvements to the new “configurable thumbnails” responsive thumbnails in the Image block.
    • 👌 Improvements to logo custom template and feature link CSS in Atomik theme.

    πŸ› Bug Fixes

    • πŸ›  Fixed fatal error when viewing Express object listings with associations in their list in a site updated from 8.5.x.
    • πŸ›  Fixed Hero Image block button not linking anywhere
    • πŸ›  Fixed Feature Link block button not linking anywhere
    • πŸ›  Fixed error where block template view.css and view.js files were not loading properly.
    • πŸ›  Fixed inability to start from a customized theme when using the legacy theme customizer.
    • πŸ›  Fixed inability to delete files or clear sample data content when files were being used in a Board.
    • Canonical URLs no longer include arbitrary query strings.
    • πŸ›  Fixed inability to uninstall tasks when working with packages that had installed custom tasks.
    • πŸ›  Fixed error when connecting to marketplace under PHP 8.
    • πŸ›  Fix issue where sitemap is inaccessible to users on multilingual sites if the user doesn't have access to view the default locale in the sitemap.
    • πŸ›  Fixed weird behavior when attempting to edit theme grid layouts in Atomik and other Bootstrap 5 themes.
    • πŸ›  Fixed bug when deleting containers that had been aliased out from a master page removing the container on the master page as well.
    • πŸ›  Fixed inability to sort entries in the Image Slider block.
    • File trackability works much more reliably and across more core block types than before.
    • πŸ›  Fixed: CollectionSearchIndexAttributes table is updated without approving the page version
    • πŸ›  Fixed missing icons in Share this Page block (thanks hissy)
    • πŸ›  Fixed: Layout toolbar partially off page window. Add Layout Function not working
    • πŸ›  Fixed custom CSS not showing up in the customizer when editing a custom skin.
    • πŸ›  Fixed fatal error when rendering /dashboard root page in PHP 8+.
    • πŸ›  Fixed fatal error rendering Dashboard file detail screen in PHP 8+.
    • πŸ›  Fixed fatal error when rendering gallery add block interface in PHP8+.
    • πŸ›  Fixed bug where border radius wasn’t being saved properly in block/area design settings.
    • πŸ›  Fixed error in Gallery block when images in it had been removed from the file manager.
    • πŸ›  Fixed error β€œTrying to access array offset on value of type bool β€œ when logging in with a username that doesn’t exist under PHP 8 (should get an error that explains what you did wrong better than this).
    • πŸ›  Many additional fixes for core block types in PHP 8 (thanks deek87)
    • πŸ›  Fix β€œdivision by zero” error under some conditions when running queueable commands.
    • πŸ›  Fixed bug where custom block cache override settings are reset on new version approval (thanks hissy)
    • πŸ›  Fixed: If by any chance $buttonColor is unset, the class tag of the <div> is never closed (thanks puka-tchou)
    • πŸ“± Theme responsive image breakpoints are now in the proper order to support the picture tags on mobile devices in Atomik.
    • Color picker in image editor now displays properly (thanks mlocati)
    • πŸ›  Fixed: Dashboard favorites menu aren’t localized properly (thanks mlocati)
    • πŸ›  Fixed bugs with Hero Image block under PHP 8
    • πŸ›  Fixed bugs with Feature Link block under PHP 8
    • πŸ›  Fixed error in YouTube block view when using PHP 8.
    • πŸ›  Fixed errors in Top Navigation Bar block under PHP 8
    • πŸ›  Fixed error in Testimonial block when using PHP 8 (thanks hissy)
    • πŸ›  Fix "Undefined array key" warning for advanced page search on [email protected] (thanks hissy)
    • πŸ›  Fix "variable is undefined" errors when adding Conversation blocks when using PHP 8 (thanks mlocati)
    • πŸ›  Fixed Exception thrown when attempting to reload strings (thanks mlocati)
    • πŸ›  Fixed inability to download files in the file manager via the β€œDownload File” option in the file menu.
    • πŸ›  Fixed broken Site attribute type.
    • πŸ›  Fixed: When configuring a select attribute to allow a single selection but also allow end user additions, an error is received.
    • πŸ›  Fixed: Adding a user unless multiple languages are installed fails under PHP 8
    • πŸ›  Fixed: Board "Error Call to a member function getStylesheet() on null" when rendering a Board in the Dashboard.
    • πŸ›  Fixing issues viewing users in groups in Dashboard for sub-admins.
    • πŸ›  Fixed: Exception uninstalling package/theme when package has installed containers
    • πŸ›  Fixed: List of themes ready to install broken and has design issues (thanks mnakalay)
    • πŸ›  Fix c5:entities:refresh CLI command (thanks mlocati)
    • πŸ›  Fixed error when using files with UUIDs in the content block (thanks mnakalay)
    • πŸ›  Fix position of caption in Language Details dialog (thanks mlocati)
    • πŸ›  Fixed error adding Document Library block to the page.
    • πŸ›  Fixed error β€œUnknown named parameter $html” when attempting to reset a password on PHP 8.
    • Fixed: Document Library Block: Click on a folder leads to Invalid folder ID
    • πŸ›  Fixed magnifying glass button in the search in the navigation bar is not working in the Top Navigation Bar block.
    • πŸ›  Fixed some edge case errors with package uninstall and Doctrine entities
    • πŸ›  Fixed error where database entities weren’t showing their directory locations on the Database Entities Dashboard page.
    • πŸ›  Fixed error where uninstalling a package and reinstalling it doesn’t create the block type record in the package if there is only a single block type in the package and nothing else.
    • πŸ›  Fixed errors installing Atomik documentation under PHP 8.
    • πŸ› Bug Fixes to Event List block in PHP 8.
    • πŸ›  Fixed: Featured Event Toggle Not Working in Event List block.
    • πŸ›  Fixed double select appearance on Edit File Thumbnail Dashboard screen.
    • πŸ›  Fixed PHP 8 Error: Error on editing Page List block on brand new 9.0.1 install
    • πŸ›  Fixed inability to set permissions against a particular user in advanced permissions mode (thanks hamzaouibacha)
    • Dashboard Reports page now links over to legacy form results page when necessary (thanks mnakalay)
    • πŸ›  Fix for broken area edit menu when advanced permissions were enabled under some conditions (thanks mnakalay)
    • πŸ›  Fixed: Contrast off for edit button label when toolbar titles setting enabled
    • πŸ›  Fixed image libraries check not running in Image Options single page (thanks mnakalay)
    • πŸ›  Fixed: Elemental theme, Version 9.0.1: New Accordion Block not working properly

    ⚡️ Developer Updates

    • ⏪ Reverted Form helper behavior so that passing in class will append the CSS classes to whatever the default class was, rather than replace it fully. Added a new classes key that will fully replace the classes if present.
    • ⬆️ Upgrade gettext/languages and punic/punic (thanks mlocati)
    • Theme grid preset layouts now export properly and import properly when using the exporter/Content XML format (thanks mlocati)
    • 🏷 The canonical URL query string handler has been changed from excluded to included – meaning that if you as a developer want to include a query string parameter in your various canonical URLs, you’ll need to add the parameter key/name to the site.siteName.seo.canonical_tag.included_querystring_parameters parameter.
    • ⚡️ CKEditor updated to 4.17.1 (thanks hissy)
  • v9.0.1 Changes

    Behavioral Improvements

    • 👌 Improvements to scheduled page version publishing (thanks hissy).
    • 🛠 Fixed login welcome back/desktop in Atomik theme (previously had JavaScript errors).
    • 🐎 Performance improvements when retrieving access entities for users (thanks hissy)
    • ⚡️ Updated translation library to 1.7.0 to allow 9.0 to be fully translated (thanks mlocati)

    🐛 Bug Fixes

    • 🛠 Fixed error when installing Elemental on PHP 8 (https://github.com/concrete5/concrete5/issues/10003)
    • 🛠 Many display issues fixed when browsing marketplace from within your 9.0 site.
    • 🛠 Fixed issue where updating from 8.5.6 would disable concrete extensions in rich text editor.
    • 🛠 Fixed Unknown column 'folderItemName' in 'field list' in folder item list custom code used by add-ons.
    • 🛠 Fixed time dropdowns not working when editing a calendar event.
    • 🛠 Fixed inability to install 9.0 with Composer.
    • 🛠 Fixed some missing social icons for social link types.
    • 🛠 Fixed inability for legacy LESS themes to support rgb and rgba colors.
    • 🛠 Fixed broken Dashboard page: Excluded URL Word List
    • 🛠 Fixed inability to see proper options selected when editing user attribute key.
    • 🛠 Fixed ImageValue::setImageFileID() must be of the type int, string given when updating some legacy theme customizer values (thanks martinkouba)
    • 🛠 Fixed page summary templates link not working in page design panel.
    • 🛠 Fixed inability to open block custom design toolbar in PHP 8.
    • 🐛 Bug fixes to theme updates that use the text type customizer in certain situations (thanks martinkouba)
    • 🛠 Fixed: Non super admin cannot move a block pasted from clipboard (thanks jaromirdalecky)
    • 🐛 Bug fixes to legacy theme customizer with themes that used the same variable for different variable types.
    • 🛠 Fixed error Base table or view not found: 1146 Table 'messengerscheduledtasks' doesn't exist when upgrading from 8.5.x to 9.0.
    • 🛠 Fixed: Country select menu has the form-control class instead of form-select.

    ⚡️ Developer Updates

    • 🔨 Banned Words validation service classes completely refactored and modernized (thanks hissy)
    • 👉 Make it so users can disable core middlewares (thanks mlocati)

    🔒 Security Fixes

    • 🛠 Fixed CVE-2021-22970: Concrete allowed local IP importing, making the system vulnerable to (a) SSRF attacks against servers on the private LAN and (b) SSRF mitigation bypass through DNS rebinding. Concrete now disables all local IPs through the remote file uploading interface. The Concrete CMS security team gave this a CVSS v3.1 score of 3.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N). This CVE is shared with HackerOne reports #1364797 (thanks Adrian Tiron from FORTBRIDGE, https://www.fortbridge.co.uk/) and #1360016 (thanks Bipul Jaiswal). This fix is also in Concrete v8.5.7.
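The CVE-2021-22970 entry above describes two things a remote-file fetch must get right: rejecting local and private addresses, and not letting a hostname that resolves differently on the second lookup (DNS rebinding) slip past that check. The following PHP is an added example written for this changelog, not Concrete's own code or the patch that shipped in 9.0.1: it validates every address the name resolves to, fails closed, and pins the cURL connection to the address it validated so the fetch cannot be rebound. The function names (isPublicIp, resolvePinnedTarget, fetchRemoteFile) and the sample addresses are this example's assumptions.

```php
<?php
// Added example (not Concrete CMS code): a defensive guard for a feature that
// fetches a user-supplied URL, such as "upload file from remote URL".
// Function names and sample inputs below are this example's own assumptions.

declare(strict_types=1);

/**
 * True only for globally routable addresses. FILTER_FLAG_NO_PRIV_RANGE and
 * FILTER_FLAG_NO_RES_RANGE cover RFC 1918, loopback, link-local and the
 * IPv6 equivalents; ranges outside those flags (e.g. 100.64.0.0/10) would
 * need an explicit denylist on top of this. IPv4-mapped IPv6 addresses are
 * unwrapped and re-checked as IPv4 so "::ffff:127.0.0.1" is not treated as
 * an ordinary IPv6 address.
 */
function isPublicIp(string $ip): bool
{
    if (preg_match('/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i', $ip, $m)) {
        return isPublicIp($m[1]);
    }
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Resolve the host once, validate every A/AAAA answer, and return the address
 * the fetch must use. Returns null when the URL is not http(s), the name does
 * not resolve, or any answer is non-public (fail closed: an attacker-controlled
 * zone can return a public and a private address in the same answer).
 */
function resolvePinnedTarget(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // no file://, ftp://, gopher://, ...
    }
    $host = strtolower(trim($parts['host'], '[]'));
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // A literal IP address needs no DNS lookup, but still has to be public.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return isPublicIp($host) ? ['host' => $host, 'ip' => $host, 'port' => $port] : null;
    }
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if ($records === false || $records === []) {
        return null;
    }
    $ips = [];
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? null;
        if ($ip === null || !isPublicIp($ip)) {
            return null;
        }
        $ips[] = $ip;
    }
    return ['host' => $host, 'ip' => $ips[0], 'port' => $port];
}

/**
 * Fetch with cURL pinned to the validated address. CURLOPT_RESOLVE tells
 * libcurl to use our address for host:port instead of doing its own lookup,
 * which is what closes the rebinding window. Redirects are refused because a
 * redirect target is a second, unvalidated URL.
 */
function fetchRemoteFile(string $url, int $maxBytes = 10 * 1024 * 1024): ?string
{
    $target = resolvePinnedTarget($url);
    if ($target === null) {
        return null;
    }
    $pinned = strpos($target['ip'], ':') !== false ? '[' . $target['ip'] . ']' : $target['ip'];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_MAXFILESIZE    => $maxBytes, // only enforced when Content-Length is sent
        CURLOPT_RESOLVE        => [sprintf('%s:%d:%s', $target['host'], $target['port'], $pinned)],
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ($body !== false && $status === 200) ? $body : null;
}

// Offline self-check of the validator on constructed inputs (no network needed).
assert(isPublicIp('93.184.216.34') === true);
assert(isPublicIp('127.0.0.1') === false);
assert(isPublicIp('10.0.0.5') === false);
assert(isPublicIp('169.254.1.1') === false);
assert(isPublicIp('::1') === false);
assert(isPublicIp('::ffff:192.168.1.1') === false);
assert(resolvePinnedTarget('ftp://example.com/file') === null);
assert(resolvePinnedTarget('http://127.0.0.1:8080/') === null);
assert(resolvePinnedTarget('http://[::1]/') === null);
```

The point the changelog's "mitigation bypass through DNS rebinding" wording makes is that a check-then-fetch design is not enough when the fetch performs its own DNS lookup; the pinned CURLOPT_RESOLVE entry is what ties the connection to the address that passed the check. Response bodies from a redirect, or from a host that answers on a non-public address only some of the time, never reach the caller because the guard fails closed.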
  • v9.0.0 Changes

    Major New Features

    • Boards
    • Summary Templates
    • 👍 Multisite support.
    • 🆕 New modern theme for 2021 – Atomik
    • 🆕 New Gallery block built into the core.
    • 💻 Completely rebuilt file manager that has much better folder and advanced search support, support for home folders, favorite folders, external file providers, a new file upload UI and much much more.
    • 🔌 Completely new upload experience that adds support for additional service provider plugins.
    • A completely new integrated image editor
    • 👍 Overhauled theme customizer, with support for skins, non-customizable skins, SCSS support, Bootstrap 5 and more.
    • ⏱ Tasks: a completely rebuilt, much improved version of classic Concrete Jobs, with support for queueing, scheduling, unified input/output within the console and web interfaces, live output with Mercure and more.
    • 👉 User Group Types: Add the ability to create types of groups, including roles within groups, group management based on roles within groups, and more.
    • 💻 An overhauled UI built off of Bootstrap 5 and Concrete Bedrock

    Other New Features and Improvements

    • 👍 Express now supports multisite.
    • ➕ Added the ability to edit page aliases from within the Dashboard sitemap (thanks mlocati)
    • ➕ Added the ability to customize the from name registration email parameter (thanks katzueno)
    • 🆕 New Breadcrumb Navigation block now available (thanks hissy)
    • 🐎 Much improved performance throughout, due to better navigation caching, and cache optimization (hissy and core team)
    • ➕ Added pagination to clipboard panel and the ability to reset all clipboards from the Dashboard (thanks bitterdev)
    • ➕ Added configuration for whether to log email body contents or just metadata (thanks bitterdev)
    • 👌 Support for interactive theme documentation and block preview.
    • ➕ Added bulk page permissions commands to the page search interface (thanks bitterdev)
    • ➕ Added the ability to upload a CSV of users to assign to a particular group. (thanks bitterdev)
    • 🔌 Completely new image editor plugin framework. Ships with TUI Image Editor.
    • 🆕 New icon selector component when working with block types like Feature that allow users to select icons.
    • ➕ Added logging for file uploads and file deletions (thanks bitterdev)
    • 📇 File manager can now automatically populate file attributes from EXIF metadata on upload (thanks bitterdev)
    • Implement Clear-Site-Data header after a successful login (thanks ahukkanen)
    • ➕ Added block title format for Date Navigation block (thanks katalysis)
    • Much improved Image block, including the ability to load images in lightboxes, display thumbnails of image in the page, and much more.
    • ➕ add delete button to package that is just uninstalled or download (thanks hissy)
    • 👌 Improved login performance when logging in with Remember Me cookie.
    • 🆕 New Page Version Comment field available in page composer (thanks hissy)
    • 🔒 Introduce new middlewares for security options (thanks hissy)
    • 👉 User must now confirm the existing password when changing their own password or another user’s password in the Dashboard.
    • Much improved asynchronous thumbnail generation process, with enhancements from the CLI task runner and Mercure (thanks bitterdev)

    πŸ› Bug Fixes

    • Files are not placed in a folder's selected storage location if it has a custom storage location (thanks danklassen)
    • πŸ›  Fixes bug where files moved to folders were not using those folders storage locations (thanks danklassen)
    • If a form redirects to an external page that includes a query parameter, the result is a malformed URL. (thanks JeffPaetkau)
    • πŸ›  FIxed error when marking URL slug as required in composer form (thanks httnnnkrng)
    • πŸ›  Fixed: User workflows - User activation does not trigger on admin email validations (thanks bitterdev)
    • Document Library - Handle missing folder
    • Avoid an exception on express_entry_detail block when the express form ID is not exists (thanks biplobice)
    • Copied block with no edit mode has "edit block" link which throws excepetion (thanks gutig)
    • πŸ›  Fixed bugs within Redis-powered full page caching driver (thanks matt9mg)

    ⚑️ Developer Updates

    • 🚚 Badges and community points have been removed from the core. If you need this functionality, install the Community Badges add-on from https://github.com/concrete5/community_badges prior to upgrading your site.
    • Concrete now runs on PHP 8.
    • 📦 Tools have been completely removed, including from blocks and packages. Their functionality has been available more securely and flexibly through the routing and controller systems for many years now (thanks mlocati!)
    • Completely rebuilt queue system, built on Symfony Messenger.
    • Completely new command/message system, built on Symfony Messenger.
    • ⚑️ Many core components updated to their latest version, including Laravel and Symfony components.
    • ➕ Add overridable collection handle generator (thanks hissy)
    • Removed the old process.php script for backend requests.
    • Introduced a new command bus pattern. Developers can use it to encapsulate their commands and reuse them with one or two lines in multiple places.
    • Swapped the underlying HTTP client for Guzzle and PSR-7.
    • 👍 Router adds support for single action controllers with __invoke (thanks shahroq)
    • 👍 Allow Form helper to handle new HTML input types (thanks JohnTheFish)
    • https://github.com/concrete5/concrete5/pull/9479 (thanks jeffPaetkau)
    • Blacklist/whitelist terminology renamed throughout the core.

    Backward Compatibility Notes

    • 📚 If you use Core::make(), $app->make() or anything similar in your packages, and provide arguments to these classes at the same time, recent updates to the Laravel Container class may break some older code. Please see this tutorial for more information: https://documentation.concretecms.org/tutorials/add-developers-get-your-add-ons-ready-concrete-cms-90
    • Beginning in version 8, we added the ability to override core elements from within your themes. For example, if the core requires an element via View::element('conversations/add_post'), the core looks for this element in concrete/elements/conversations/add_post.php. However, if the currently active theme provides this element at themes/my_theme/elements/concrete/conversations/add_post.php, it will be used instead. We are changing this to remove the concrete/ directory from the elements directory within your theme. That means that in order to override any core element from within your theme, you only need to make it available at the same path within the elements/ directory of your theme.
    • 👀 If you register custom help for specific pages in your package, make sure to do so from within your package’s on_start method rather than from within the Dashboard page. Our new help panel requires this. See https://github.com/concrete5/concrete5/issues/9869#issuecomment-927136592 for more information.
    • Console command c5:blacklist:clear has been renamed c5:denylist:clear
    • If you work with Concrete cookies directly in your server configurations, be aware that they have been renamed. The default session cookie has been changed from CONCRETE5 to CONCRETE; the default is-logged-in cookie has been changed from CONCRETE5_LOGIN to CONCRETE_LOGIN.
  • v8.5.9 Changes

    πŸ› Bug Fixes

    • πŸ›  Fixed inability to upload files when file chunking is disabled.
    • πŸ›  Fixed bug that prevented file chunking from also working.
    • βͺ Reverted code that accidentally made the core require PHP 5.6+ in some situations.
  • v8.5.8 Changes

    Behavioral Improvements

    • 🍱 JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
    • 📇 Renamed concrete5 to Concrete CMS and Concrete during the installation process.
    • ⚑️ Nicer version history view in add-on update screen (thanks biplobice)

    πŸ› Bug Fixes

    • πŸ›  Fixed error that would occur if you deleted an Express entry and then attempted to reorder that same entry on the page before reloading (thanks biplobice)
    • Fixed error where users, files and sites weren’t being reindexed when running the index_search_all job.
    • πŸ›  Fixed error where copying conversation blocks out from page defaults made them all one instance of the same conversation (thanks hissy)
    • Validating Express, User and Page attribute types now works when used with Composer and Expres (thanks hissy)
    • πŸ›  Fixed bug in Redis caching backend when saving a primitive value.
    • πŸ›  Fixed: when using the Express Form block, and a file is uploaded through the form, it creates two versions of the file, which are seemingly identical (thanks 1stthomas)
    • πŸ›  Fixed: Clear old page versions in all site trees when running remove page versions job (thanks Ruud-Zuiderlicht)
    • πŸ›  Fixed bug where OAuth2 and sign in as user functionality could lead to someone unintentionally joining their user account to a different account.
    • 0️⃣ Render single pages like 404, 403, login, register in default site locale (thanks hissy)
    • πŸ›  Fixed: : error message doesn't display when upload file failed via drag & drop (thanks hissy)
    • πŸ›  Fixed invalid and unhelpful displaying on marketplace connection failures during certain conditions (thanks JohnTheFish)
    • Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
    • πŸ›  Fixed: Multilingual copy site tree with alias pages (thanks hissy)
    • πŸ›  Fix migration bug on fix overlapping start end dates when custom page publishing dates had been set in some cases (thanks hissy)
    • πŸ›  Fixed null pointer Exceptions when using area layouts under certain conditions (thanks biplobice)

    🔒 Security Fixes

    • ⚑️ CKEditor updated from 4.16.2 to 4.18.0 (thanks hissy)
    • 🔒 Remediated CVE-2022-21829 - Concrete CMS version 9.0.2 and below and 8.5.7 and below can download zip files over HTTP and execute code from those zip files, which could lead to an RCE. Fixed by enforcing 'concrete_secure' instead of 'concrete'. Concrete now only makes requests over HTTPS even if a request comes in via HTTP. The Concrete CMS security team ranked this 8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H. Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520
    • 🔒 Remediated CVE-2022-30117 - Concrete CMS version 9.0.2 and below and 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload, which could result in an arbitrary file delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations. The Concrete CMS security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280
    • 🔒 Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built URLs are output can be exploited in Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 to allow XSS. This cannot be exploited in modern web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. The Concrete CMS security team ranked this vulnerability 3.1 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built URLs are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/) for reporting https://hackerone.com/reports/1363598
    • 🔒 Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built URLs are output can be exploited in Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 to allow XSS. This cannot be exploited in modern web browsers due to an automatic input escape mechanism. The Concrete CMS security team ranked this vulnerability 2 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built URLs are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
    • 💻 Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save_control/[GUID] - old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form in Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 and below can allow XSS. This cannot be exploited in modern web browsers due to an automatic input escape mechanism. The Concrete CMS security team ranked this vulnerability 2 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
  • v8.5.7 Changes

    πŸ› Bug Fixes

    • πŸ›  Fixed issue where remote updater would read the entire update into memory, leading to potential out of memory errors when updating the core.
    • πŸ›  Fixed error when setting global calendar permissions in the Dashboard.
    • πŸ›  Fixed issue where reset users weren’t properly notified when logging in that their passwords needed to be changed (thanks hissy)
    • πŸ›  Fixed: reCAPTCHA timout after 2min (thanks JeffPaetkau)
    • πŸ›  Fixed: fatal error on upgrade french version 8.5.5 to 8.5.6, "2 plural forms instead of 3" (thanks mlocati)
    • πŸ›  Fixed error with rich text conversation editor not working (Thanks hissy)
    • πŸ›  Fixed issue with URLs being case sensitive in some internationalization cases (thanks dimger)
    • πŸ›  Fixes to topic attribute search index content (thanks hissy)
    • 🚧 Maintenance mode now returns the 503 HTTP error code when running (thanks hissy)
    • πŸ›  Fix Call to a member function isDefault() on null" error on the site upgraded from 5.7 when using the migration tool (thanks hissy)
    • πŸ›  Fixed issue where rich text attribute type wasn’t showing a full toolbar (note: in the future we want to make this an option, and strongly recommend users use this smaller, sanitized toolbar – but it should be an option, not the default.)
    • If a file has a password in the file manager, you will not be able to view it inline in the rich text editor.
    • πŸ›  Fixed: Changing database charset in dashboard throws error: call to a member function add() on null (thanks myq)

    ⚑️ Library Updates

    • ⬆️ Bump CKEditor from 4.16.1 to 4.16.2 (thanks hissy)

    🔒 Security Fixes

    • 🛠 Fixed CVE-2021-22966 - Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl request. Fixed by adding a bulk update permission security check. Concrete CMS security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/). This fix is also in Concrete version 9.0.0
    • 🛠 Fixed CVE-2021-40101: Admin users must now provide their password when changing another user’s password from the Dashboard. Concrete CMS security team CVSS scoring is 6.4 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: "S1lky". This fix is also in Concrete version 9.0.0
    • 🛠 Fixed CVE-2021-22968: A bypass when adding remote files in the Concrete CMS File Manager led to remote code execution. We added a check for the allowed file extensions before downloading files to a tmp directory. The Concrete CMS security team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N. Thanks Joe for reporting! This fix is also in Concrete version 9.0.0
    • 👀 Fixed CVE-2021-22951: “Unauthorized individuals could view password protected files using view_inline”. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, we don’t render the file. Concrete CMS security team CVSS scoring is 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Credit for discovery: "Solar Security Research Team". This fix is also in Concrete version 9.0.0
    • 🔒 Follow-up fix for CVE-2021-40107: Stored XSS in comment section/FileManager via "view_inline" option. We were informed the fix put into version 8.5.6 was not sufficient. Thanks "Solar Security Research Team". We now check to see if a file has a password in view_inline and, if it does, we don’t render the file. Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This fix is also in Concrete version 9.0.0
    • 🛠 Fixed CVE-2021-22967: insecure direct object reference (IDOR); an unauthenticated user was able to access restricted files by attaching them to a message in a conversation. To remediate this, we added a check to see if a user has permission to view files before attaching the files to a message in "add / edit message". The Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Thanks Adrian H for reporting! This fix is also in Concrete version 9.0.0
    • 🛠 Fixed CVE-2021-22969: SSRF mitigation bypass using a DNS rebind attack, giving an attacker the ability to fetch cloud IaaS (e.g. AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS. The Concrete CMS team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. Discoverer: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/). Please note that cloud IaaS provider misconfigurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configuration follows the cloud provider's best practices. This fix is also in Concrete version 9.0.0
    • 🛠 Fixed CVE-2021-22970: Concrete allowed local IP importing, leaving the system vulnerable to (a) SSRF attacks on private LAN servers and (b) SSRF mitigation bypass through DNS rebinding. Concrete now disables all local IPs through the remote file uploading interface. The Concrete CMS security team gave this a CVSS v3.1 score of 3.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N). This CVE is shared with HackerOne reports #1364797 (thanks Adrian Tiron from FORTBRIDGE, https://www.fortbridge.co.uk/) and #1360016 (thanks Bipul Jaiswal). This fix is also in Concrete v9.0.1.
  • v8.5.6 Changes

    🆕 New Features

    • ➕ Added Session Options Dashboard page that will allow administrators to configure many aspects of the session cookie.

    Behavioral Improvements

    • ➕ Added support for translation placeholders (thanks shahroq)
    • 💻 Re-enabled connect to community for the marketplace; reworked to sidestep issues with browser cookie compatibility
    • ➕ Add autocomplete=off to various password fields.
    • ⚑️ "Index Search Engine - Updates" job should not re-index all entries (thanks hissy)
    • 🛠 Fix default formatting of datetime exports in express export csv (thanks deek87)
    • 👌 Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)

    πŸ› Bug Fixes

    • πŸ›  Fixed error when pages weren’t getting accurately set in the full page cache.
    • πŸ›  Fixes for errors/warning occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)
    • βž• Additional dialogs within CKEditor link dialog (Sitemap, Browse Server) prevent further page scrolling even after being closed (thanks hissy)
    • πŸ›  Fix error attaching a Facebook account to a user profile (thanks biplobice)
    • πŸ›  Fixed disappearing survey and calendar event dialogs in some cases (thanks hissy)
    • πŸ› Bug fixes on switching language using the Switch Language block (thanks biplobice)
    • πŸ›  Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)
    • πŸ›  Fixed bug where layouts can’t be moved above blocks (thanks Haeflimi)
    • πŸ›  Fixed bug in the 8.5 file manager when selecting on single file in multi-file selector (thanks deek87)
    • πŸ›  Fix to show page drafts created by the current user (thanks hissy)
    • πŸ›  Fix user selector attribute being un-searchable (Note: you will have to recreate your attributes before they are properly searchable).
    • πŸ› Bug fixes to search popup with pagination (thanks deek87, katz, hissy)

    • πŸ›  Fixed 403 Error in Page Defaults when using REDIS for Caching (thanks deek87)

    🔒 Security Fixes

    🔒 (Special thanks to Solar Security Research Team and Concrete CMS Japan)

    • 🛠 Fixed HackerOne report 1102067, CVE-2021-40097: Authenticated path traversal to RCE, fixed by adding a regular expression
    • 🛠 Fixed HackerOne report 1102080, CVE-2021-40098: Path traversal leading to RCE via external form, fixed by adding a regular expression
    • 🛠 Fixed HackerOne report 982130, CVE-2021-40099: RCE vulnerability, fixed by fetching the update JSON from concrete5 over HTTPS (instead of HTTP)
    • 🛠 Fixed HackerOne report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"
    • 🛠 Fixed HackerOne report 921288, CVE-2021-40102: Arbitrary file delete via PHAR deserialization
    • 🛠 Fixed HackerOne report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field (thanks deek87)
    • 🛠 Fixed HackerOne report 1102211, CVE-2021-40103: Path traversal to arbitrary file reading and SSRF
    • 🛠 Fixed HackerOne report 1102088, CVE-2021-40104: SVG sanitizer bypass, fixed by swapping out the SVG sanitizer in the core for the third-party library darylldoyle/svg-sanitizer
    • 🛠 Fixed HackerOne report 1102054, CVE-2021-40105: XSS vulnerability in the Markdown Editor class in the conversation options
    • 🛠 Fixed HackerOne report 1102042, CVE-2021-40106: Unauthenticated stored XSS in blog comments (website field)
    • 🛠 Fixed HackerOne report 1102020, CVE-2021-40107: Stored XSS in comment section/FileManager via "view_inline" option
    • 🛠 Fixed HackerOne report 1102018, CVE-2021-40108: Adjusted core so that ccm_token is verified on the "/index.php/ccm/calendar/dialogs/event/add/save" endpoint
    • 🛠 Fixed HackerOne report 1102225, which was split into two CVEs: an attacker could duplicate topics and files, which could possibly lead to UI inconvenience and exhaustion of disk space.
    • For CVE-2021-22949: Added CSRF token checking when duplicating files in the File Manager.
    • For CVE-2021-22953: Added CSRF token checking when cloning topics in the sitemap.
    • 🛠 Fixed HackerOne report 1102177, CVE-2021-22950: To fix CSRF in the conversation attachment delete action, updated core to verify ccm_token when conversation attachments are deleted.
    • 🛠 Fixed HackerOne report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an HTTP client method to send requests without following redirects, and put in a number of URL/IP protections (examples: blocked big-endian URLs, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)
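    The SSRF remediations listed for CVE-2021-40109 here and for CVE-2021-22969 / CVE-2021-22970 in the v8.5.7 notes share one shape: refuse non-public destinations, refuse the hexadecimal/octal/long-integer IP spellings that slip past a naive filter, and connect to the address that was validated instead of resolving the name a second time (the window a DNS rebinding attack relies on). The routine below is an added illustration of that shape in Python; it is not Concrete's PHP code. The hostnames, the FAKE_DNS answers and every function name are constructed for an offline demonstration, with 8.8.8.8 and 8.8.4.4 standing in for a legitimate public file host.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Only plain dotted-decimal IPv4 is accepted as a literal. Leading zeros (octal "0177.0.0.1"),
# "0x" groups (hex "0x7f.0.0.1") and a lone 32-bit integer ("2130706433") are the spellings
# that a permissive resolver turns back into 127.0.0.1 after a string filter has passed them.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
_CANONICAL_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")
_NUMERIC_LABEL = re.compile(r"^(?:0x[0-9a-f]+|[0-9]+)$", re.IGNORECASE)


def parse_ip_literal(host):
    """Address for a canonical IP literal, None for a DNS name; ValueError for odd numeric spellings."""
    if _CANONICAL_IPV4.match(host):
        return ipaddress.IPv4Address(host)
    if ":" in host:  # urlparse has already stripped the [] around an IPv6 literal
        return ipaddress.IPv6Address(host)  # ValueError on malformed input
    if all(_NUMERIC_LABEL.match(label) for label in host.split(".")):
        raise ValueError(f"non-canonical numeric host rejected: {host!r}")
    return None


def _unwrap_ipv6(ip):
    """Judge an IPv4 address carried inside an IPv6 form by the embedded IPv4 address."""
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:  # ::ffff:127.0.0.1
            return ip.ipv4_mapped
        if ip.sixtofour is not None:    # 2002:7f00:1::
            return ip.sixtofour
        if ip.teredo is not None:       # (server, client); the client is the real endpoint
            return ip.teredo[1]
    return ip


def is_public_address(ip):
    """True only for addresses routable on the public Internet."""
    ip = _unwrap_ipv6(ip)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Default resolver: every A/AAAA record the OS returns, not just the first."""
    return [info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]


def validate_remote_url(url, resolver=system_resolver):
    """Validate a user-supplied fetch URL and return (pinned_url, host_header).

    The pinned URL carries the validated IP literal instead of the hostname, so the HTTP client
    connects to exactly the address that was checked rather than doing a second lookup that a
    rebinding DNS server could answer with an internal address. The hostname is returned for the
    Host header (and the TLS server name for https).
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    literal = parse_ip_literal(host)
    candidates = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates:
        raise ValueError(f"{host!r} did not resolve")
    # Every record must pass: an answer mixing a public and an internal address is the usual
    # way to slip an internal target past a check that inspects only the first record.
    for ip in candidates:
        if not is_public_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    pinned = candidates[0]
    ip_text = f"[{pinned}]" if pinned.version == 6 else str(pinned)
    netloc = ip_text if parts.port is None else f"{ip_text}:{parts.port}"
    return parts._replace(netloc=netloc).geturl(), host


# Constructed DNS answers for the offline demonstration (hypothetical names).
FAKE_DNS = {
    "files.example.test": ["8.8.8.8"],
    "rebind.example.test": ["8.8.4.4", "127.0.0.1"],  # mixed answer, as in a rebinding attempt
    "imds.example.test": ["169.254.169.254"],          # link-local metadata address
    "mapped.example.test": ["::ffff:8.8.8.8"],         # IPv4-mapped IPv6, judged as 8.8.8.8
    "mapped-loopback.example.test": ["::ffff:127.0.0.1"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host!r}")
    return FAKE_DNS[host]


def check(url, resolver=fake_resolver):
    """Summarise the decision for one URL as a string."""
    try:
        pinned_url, _host = validate_remote_url(url, resolver)
        return f"allowed -> {pinned_url}"
    except (ValueError, OSError) as exc:  # socket.gaierror is an OSError
        return f"rejected: {exc}"


if __name__ == "__main__":
    for sample in ("https://files.example.test/report.pdf", "http://rebind.example.test/",
                   "http://imds.example.test/", "http://0x7f.0.0.1/", "http://2130706433/",
                   "http://0177.0.0.1/", "http://[::1]/", "http://mapped.example.test/"):
        print(f"{sample:40} {check(sample)}")
```

    The pinned URL is only half of the fix the v8.5.6 note describes: the client that fetches it must also send the original hostname as the Host header (and as the TLS server name), and must not follow redirects, or else run every Location target through the same validation, since a redirect to an internal address is an SSRF bypass even when the first hop was clean.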
  • v8.5.5 Changes

    🆕 New Features

    • Let users specify the SMTP HELO/EHLO domain for their SMTP server (thanks mlocati)

    Behavioral Improvements

    • ✂ Removed version from meta generator tag.
    • ⚑️ CKEditor updated to 4.15.0 (thanks mlocati)
    • Page drafts are now viewable by the view page draft permission (thanks HMone23)
    • ⚑️ Updated list of UK counties (thanks Mesuva)
    • ⚑️ Update CKEditor from 4.15.0 to 4.15.1 (thanks mlocati)
    • 🛠 Fix: make email log readable by decoding quoted-printable text (thanks hissy)

    πŸ› Bug Fixes

    • πŸ›  Fixing bug where accidentally re-saving a theme preset layout (e.g. β€œLeft Sidebar”) as a user preset would cause a site to become unresponsive.
    • πŸ›  Fixed bug where pages indexed through the CLI search index job weren’t indexed properly (thanks haeflimi)
    • Page Selector attribute now properly searchable (thanks dimger)
    • πŸ‘· No longer fire event execute_job twice (thanks deek87)
    • πŸ›  Fixing error when rescanning a multilingual locale (thanks mlocati)
    • πŸ›  Fixed error or max execution timeout that can occur when logging out of multilingual websites (thanks hissy)
    • πŸ›  Fixed: [CKEDITOR] Error code: editor-element-conflict. (thanks mlocati)
    • πŸ›  Fixed error: No such file or directory error when editing an aliased block which is not editable (thanks mlocati)
    • πŸ›  Fix some issues when using tags on multilingual site (thanks hissy)
    • πŸ›  Fix duration of IP bans (they were supposed to last seconds but instead used the same value and in minutes) (thanks mlocati)
    • πŸ›  Fixed: Stacks don't update if caching is enabled (thanks hissy)
    • πŸ“œ Correctly parse non-decimal IP addresses (thanks mlocati)
    • πŸ›  Fix: enable to send private message to all groups at once (thanks hissy)
    • πŸ›  Fixed: Redis cookie handler always use the session name as a prefix (thanks mlocati)
    • πŸ›  Fixed an error where 404 does not work in multi language cases under certain situations (thanks hissy)
    • ⬆️ More resilient upgrade routine when dealing with conflicting character sets in mysql (thanks mlocati)
    • πŸ›  Fix issue where a rich text field on a form block doesn't re-populate contents after submit (thanks Mesuva)
    • πŸ›  Fixed: Express Forms - CSV Export does not respect datetime format from config (thanks 1stthomas)
    • πŸ›  Fix bug: Express Form can generate same attribute keys for multiple attribute keys (thanks hissy)
    • πŸ›  Fixes filtering by multiple topic attributes on an item list (thanks hissy)
    • Banned words with multibyte characters are now accurately detected (thanks hissy)
    • πŸ‘‰ Use UserMessageException when invalid path traversal is detected (thanks mlocati)
    • 🚚 Do not remove picture elements on rendering textarea attribute value (thanks hissy)
    • πŸ›  Fix "call to a member function overrideCollectionPermissions() on a non-object" in AreaAssignment (thanks mlocati)

    🔒 Security Fixes

    • 🛠 Fixed CVE-2021-28145: XSS in Surveys (thanks deek87)
    • 🛠 Fixed CVE-2021-3111: Stored XSS on express entries (H1 report 873474)

    ⚑️ Developer Updates

    • 👍 Allow routes with optional arguments (thanks mlocati)