We've just released an incremental update for PivotX 2.3. It contains minor updates and fixes, as well as patches for two recently discovered security issues. While these issues cannot be exploited by someone who is not logged in to PivotX, we nevertheless recommend this update for all PivotX users. For more information about the security issues / patches, see the page dedicated to Security issues.
These are the changes since PivotX 2.3.2:
- Added some extra sanity checks to the various file operations in media management.
- Bug fix: closed a file disclosure vulnerability reported by Secunia Research. This vulnerability can only be exploited by administrators, hence Secunia decided not to publish an advisory for it.
- Bug fix: closed a cross-site scripting vulnerability reported by High-Tech Bridge.
- Updated jQuery to 1.7.2.
- Updated: PHP Markdown to version 1.0.1o.
- Replaced "echo" with "debug" in set_entry when warning about pasting directly from Word.
- Bug fix: Insert dialogs for the editor now use the current user's language, not the default installation language.
- Relaxed validation for the comment notify email field so it allows multiple addresses (as we intended).
- Added: when the feed_entry and feed_comments hooks return an empty array, the entire entry/comment is skipped in the Feed.
- Added: If the config option upload_max_filesize is lower than the server's value, use that (lower) value.
- Changed: MAX_KEYS in spamkiller is now set to 1000.
- Added: 'return' parameter to [[category_list]].
- Added: debug statement when an upload is blocked because of wrong file type.
- Fixed: Minor layout fix for the category_list format parameter.
- Fixed: the TimThumb config so it works for multi-site setups again.
- Added: a style for the hr extended element in TinyMCE, and removed one of the doubly defined iframe extended elements.
- Added: some file extensions so a better download icon is selected when using [[download]].
- Fixed: Corrected the widgets page to be similar to the extensions page with regard to translated strings and display of version.
- Fixed: Made the extension check case insensitive in the image preview.
- Added: [[getpage]] now accepts uid / type in textile links.
- Fixed: only ignore Smarty cache files if they are in the cache directory.
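The upload-size cap mentioned in the list above (the lower of the configured upload_max_filesize option and the server's PHP limit) can be worked out as follows. This is an added illustration, not PivotX's own code; the function names and the sample values are assumptions, and PHP's shorthand notation for php.ini sizes (K, M, G) is parsed the way PHP itself does it.

```php
<?php
// Convert a php.ini shorthand size ("2M", "512K", "1G", "8388608") to bytes.
// PHP's rule: a trailing K, M or G multiplies by 1024 per step; anything else is bytes.
function shorthandToBytes(string $value): int
{
    $value  = trim($value);
    $unit   = strtoupper(substr($value, -1));
    $number = (int) $value; // the cast reads the leading digits and stops at the suffix
    switch ($unit) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

// Effective limit: the configured value, unless the server is stricter.
// $configured stands for the application's upload_max_filesize option (hypothetical name),
// $serverValue defaults to the live php.ini setting and can be injected for testing.
function effectiveUploadLimit(string $configured, ?string $serverValue = null): int
{
    $serverValue = $serverValue ?? (string) ini_get('upload_max_filesize');
    $serverBytes = shorthandToBytes($serverValue);

    // post_max_size bounds the whole request body, so it caps an upload as well.
    $postMax = (string) ini_get('post_max_size');
    if ($postMax !== '' && $postMax !== '0') {
        $serverBytes = min($serverBytes, shorthandToBytes($postMax));
    }
    return min(shorthandToBytes($configured), $serverBytes);
}

// Constructed sample values: a config asking for 16M on a server that allows 8M,
// and a config asking for 2M on the same server.
printf("16M vs 8M server -> %d bytes\n", effectiveUploadLimit('16M', '8M'));
printf("2M vs 8M server  -> %d bytes\n", effectiveUploadLimit('2M', '8M'));
```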
The PivotX 2.3.3 release can be downloaded from this location: pivotx.net/files/pivotx_latest.zip (or pivotx.net/files/pivotx_latest.tgz, if you prefer .tgz files). For setup instructions, we point you to our documentation: Getting the files & installing. If you're having trouble downloading the files, you can also download them from our sourceforge mirror.
Hi! It's been pretty quiet here for a while, but that doesn't mean we haven't been busy. We're hard at work on the next major version of PivotX, and in the meantime we've released PivotX 2.3.2 as a maintenance release for all PivotX users. It contains a bunch of minor fixes, improvements and updates, as you can see below.
Important: If you are still running PivotX 2.2.6 or older, you might be vulnerable to a security exploit that was patched previously. Version 2.3.0 already fixed this issue, but any older version of PivotX might be vulnerable. To fix this, you should do one of the following:
- Either update your old installs to PivotX 2.3.2.
- Or just replace the faulty timthumb.php. Download timthumb_2011-10-14.zip, extract it, and replace the file timthumb.php in pivotx/includes/.
For more information about security issues / patches, see the page dedicated to Security issues.
These are the changes since PivotX 2.3.0:
- Refactored loading/saving of configuration files, to prevent config file corruption.
- Rewritten Hashcash implementation: works better, and more transparent for the user.
- Added hidden setting to set a custom hashcash message.
- Enabled our "first line of defense" (against spam) again.
- Bug fix: ensuring that uploaded files and thumbnails get the correct file permission.
- Fixed the image preview when selecting an existing file by browsing, when inserting an image or a popup image in the editor.
- Added: [[getpage]] can now also retrieve a page by uid.
- Fixed bug: only show published entries in [[category_list]].
- Some improvements to [[category_list]]: Added %count% to formatting and added 'category', 'start' and 'end' parameters to the tag.
- Some amendments for [[category_link]].
- Updated Plupload to version 1.5.2.
- Updated jQuery UI to 1.8.17.
- Updated jQuery to version 1.7.1.
- Updated TinyMCE to version 3.4.7.
- Updated timthumb to version 2.8.4, which is a complete rewrite from the previous version 1.35.
- Split timthumb's config to a separate file to facilitate upgrades.
- Fixed an issue where 'latest comments' would show too few comments.
- Made the filepaths to jQuery and jQueryUI more consistent.
- Fixed a bug in renderSpecial related to the before_parse hook.
- Fixed the before_parse issue in renderTag.
- [[tagcloud]] description updated.
- Removed (deprecated) split() call and replaced with preg_split().
- Fixed bug for paging inside a weblog when using mod_rewrite.
- Updated/improved Spanish translation.
- Updated/completed Hungarian translation.
- Added "ignorearchive" parameter to subweblog so you can have a subweblog displaying entries outside the archive period on an archive page.
- Removed additional %foo% parameters from [[comments]]-blocks.
- Fixed a (nasty) bug in the flatfile implementation of read_entries where the offset didn't work because of 'timed publish' entries.
- Fixed various issues related to the comment moderation queue.
- Changed the way jQuery.noConflict() works. Now even less conflicting!
- Fixed standard search-weight function so it cannot return negative values anymore.
- Added 'addtoTopMenu' for extensions.
- Fixed bug in MagPie's RSS fetching to stop displaying warnings on screen.
- Fixed bug for Atom feeds: using the entry's year in the id tag, not the current year.
- Now automatically clearing the cache when the website comes back online, after it was set to 'offline'.
- Now rewriting HTML before writing to cache, fixing an issue where cached files were not parsed fully.
- Added filters to the output system; Minify now goes through an output system filter. This fixes problems where Minify wasn't working.
- Slightly tweaked the replacement for leftover %tags%, to allow percentage signs in comments.
- Fix for canonicals in our 'smart' global smarty_link() call.
- Fixed bug for multiple selects in formclass that actually have multiple selected values.
- Added additional search text hooks.
- Added 'author user' ability. You can now set *any* user as 'author user'.
- Added X-UA-Compatible header for Internet Explorer.
- Removed the offline message from the HTML if the site is online, and added a backup message.
The PivotX 2.3.2 release can be downloaded from this location: pivotx.net/files/pivotx_latest.zip (or pivotx.net/files/pivotx_latest.tgz, if you prefer .tgz files). For setup instructions, we point you to our documentation: Getting the files & installing. If you're having trouble downloading the files, you can also download them from our sourceforge mirror.
If you are still running PivotX 2.2.6, you might be vulnerable to a security exploit that was patched previously. Version 2.3.0 doesn't have this issue, but any older version of PivotX might be vulnerable. To fix this, you should do one of the following:
- Either update your old installs to PivotX 2.3.0.
- Or just replace the faulty timthumb.php. Download timthumb_2011-10-14.zip, extract it, and replace the file timthumb.php in pivotx/includes/.
We're close to releasing PivotX 2.3.2, so if you're planning to wait for that release, just replace your existing timthumb.php with the version linked above.
For more information about security issues / patches, see the page dedicated to Security issues.
We've released PivotX 2.3 as a recommended upgrade to all PivotX users. We've decided to bump the version to 2.3.0, since we feel enough has been changed since 2.2 to warrant this change.
Changes since 2.2.6:
- Added: Less obscure 'ajaxy' saving, more consistency in showing a 'save' button for editing config and weblogs.
- Notify the user when leaving a configuration page, 'Edit entry' or 'Edit Page', when there are unsaved changes.
- Added: template tag [[user_list]] that lists users/authors in your PivotX.
- Added an option in hidden settings to make the search always do an "AND" for keywords, instead of making a guess between "OR" and "AND".
- Added parameter request_method to search tag so you can select between GET or POST.
- Added a [[nocache]] template block (as can be found in Smarty 3).
- Added "%counter%" formatting tag to the [[archive_list]] template tag.
- Added new configuration setting timthumb_zc, to specify what kind of zoom crop you want timthumb to execute as default.
- Added template tag [[sitedescription]].
- Added new position to add HTML to: LOC_TITLEEND.
- Added an 'explode' modifier to Smarty.
- Reworked latest/moderate comments part, they are now separated.
- Updated and improved the Hashcash spam protection.
- Fixed the underscore=" " option in [[tags]].
- Updated timthumb to version 1.35, fixing a possible security issue.
- Updated jQuery to version 1.6.2.
- Updated jQueryUI to 1.8.14.
- Updated TinyMCE to version 188.8.131.52.
- Images produced by timthumb.php are no longer broken by PHP warnings.
- Bug fix: The 'only' parameter of category_list was not checked against the category display name (in addition to the internal name).
- On the entries overview, don't wrap the status over two lines (if the status is more than one word in a translation).
- Bug fix: fixed the comment_after_parse hook.
- Bug fix: Events going through ajaxhelper.php are saved with the correct username, not "A visitor".
- Bug fix: Don't output the username for user fields that don't exist.
- Fixed a database setup inconsistency.
- Fixed: [[getpage]]/[[resetpage]] would fail when used within a subweblog loop on weblog pages.
- Fixed: "view weblog" links weren't opening in a new window.
- Fixed: A lot of 'optional' or 'non optional' fields in setup, configuration and weblog configuration now work more consistently.
The release can be downloaded from this location: pivotx.net/files/pivotx_latest.zip (or pivotx.net/files/pivotx_latest.tgz, if you prefer .tgz files). For setup instructions, we point you to our documentation: Getting the files & installing. If you're having trouble downloading the files, you can also download them from our sourceforge mirror.
We've released PivotX 2.2.6, as a maintenance release for PivotX 2.2. This update contains some smaller improvements, updates to used libraries and various other bugfixes and tweaks. The list of changes is as follows:
- Added: [[subweblog]] now has an ignoreuser option.
- Added: Search OR can be disabled if AND doesn't give any results.
- Changed: is_object is now an allowed function in Smarty templates.
- Changed: Extra attributes for [[paging]].
- Changed: Output system can now also add just after the </title> tag (LOC_TITLEEND).
- Changed: Minor improvements and fixes to built-in validations.
- Updated: Plupload updated to v184.108.40.206.
- Updated: bgiframe fix. This fixes problems with modal popups in Internet Explorer 9.
- Updated: jQuery updated to v1.5.2 and jQuery-UI to v1.8.11.
- Updated: TinyMCE updated to v3.4.1.
- Updated: Timthumb updated to the latest version.
- Plus, quite a few other smaller fixes and changes.
Note: Some people missed the announcements earlier, but we've dropped support for PHP 4, starting with PivotX 2.2. This release will not work on PHP 4! If you're still stuck on PHP 4, you should really put some pressure on your hosting provider to upgrade your environment.
The release can be downloaded from this location: pivotx.net/files/pivotx_latest.zip (or pivotx.net/files/pivotx_latest.tgz, if you prefer .tgz files). For setup instructions, we point you to our documentation: Getting the files & installing. If you're having trouble downloading the files, you can also download them from our sourceforge mirror.