Navigate CMS v2.9.1 r1487 (2020/06)

Navigate CMS Update: 2.9.1

22 Jun '20 | 0 Comments

The Navigate CMS team has just released a software update that includes a second wave of important security fixes, resolved bugs and library upgrades such as jQuery UI and IMask. The most important vulnerabilities were reported by security researcher Sean Wright, and we also want to thank everyone who has reported issues through GitHub.

Full changelog:

* jQuery UI updated to v1.12.1
* themes, extensions: .htaccess and php.ini files not allowed in packages
* update.class: save commit value when updating and set default as empty
- removed library jQuery InputMask
+ added library IMask v6.0.5
+ webuser: added fields region, company and nin (national identification number)
* orders: save original shipping method definition (in case of future change)
+ nvweb webuser: added mode "customer_account" for shops
+ nv dictionary: added new shopping related strings
+ websites: include option to set "customer account path"
+ nv comments: add CSRF protection when adding comments to a website
* orders: if used, include coupon information in generated PDF
* websites: fixed internationalization table interactions
* layout: sanitize "fid" parameter
* themes, extensions: secure "install_from_hash" functionality
* files, blocks: force using prepared statements for some queries
* nvweb: verify language requested is among the website published languages, if not use the default
* login: return an indeterminate response from the forgot password function
* webdictionary: purify input parameters and encode text in the list
* properties: fixed default properties error for new empty languages
* fixed small typos and improve code reading
- removed JAVA_RUNTIME constant (unused)
* use core_terminate or nvweb_clean_exit where appropriate
+ lists: rss to items - find all images in the feed content (saved as item->_rss_images)
* skin cupertino: fix checkbox icon buttons after jQuery UI upgrade
* list: fix order parameter for some cases
* list: split conditionals treatment source code to a separate file
* users: purify username and email inputs
* extensions: don't query installed extensions if current website is null
* misc.php: small changes to get PHP 7.4 compatibility
* orders: modify listing query to avoid SQL error related to GROUP BY
* webuser: region cannot be NULL, default is 0
* website.class: force removing sessions older than 30 days
+ core: added function "core_purify_string" to proxy HTML Purifier usage
* user.class, webdictionary: encode strings when used in application lists
* shop: purify user input in all shop functions
* configuration: purify user input in all configuration functions
* content: purify user input in blocks, files and comments functions
* web: purify user input in templates function
* tools: purify user input in webusers and webusers groups
* files: more security on file uploads
+ lists: add "order" as nv list source to show its lines in a website (in development feature)
* templates: fixed crash after deleting a custom template
* uploads: fixed problem on some systems uploading files using dropzone
* updated jAutochecklist v1.4.1
* websites: purify and protect "wrong_path_redirect" value
* blocks, templates, users, websites, cart, webusers, webdictionary: encode output for some form fields
* items: prevent SQL Injection in items category order
+ naviforms: new field type: iconfield (Font Awesome 4.7 for now)
+ payment_methods: add field "icon" to be shown instead of an image
+ cart: auto-select shipping method if there is only one available
+ cart: display an error message if there are no shipping methods available
* i18n: added new application strings

You can view all source code changes in our GitHub repository.

To auto update your Navigate CMS instance, sign in as an Administrator and access the Configuration > Update function. You may also download the update package from SourceForge and apply it manually.
