^
Navigate CMS v2.9.3 r1525 (2020/12) Regístrate Identifícate Tu cuenta Cerrar sesión

Actualización de Navigate CMS: 2.9.1

22
jun '20
0
Comentarios

El equipo de Navigate CMS acaba de lanzar una actualización que incluye una segunda tanda de importantes mejoras a nivel de seguridad, resolución de errores y actualización de librerías como jQuery UI, IMask, etc. Las vulnerabilidades detectadas más importantes han sido reportadas por el investigdor de seguridad Sean Wright (sitio web), pero también tenemos que agradecer a todos los que han informado de problemas a través de GitHub.

Lista de cambios (en inglés):

* jQuery UI updated to v1.12.1
* themes, extensions: .htaccess and php.ini files not allowed in packages
* update.class: save commit value when updating and set default as empty
- removed library jQuery InputMask
+ added library IMask v6.0.5
+ webuser: added fields region, company and nin (national identification number)
* orders: save original shipping method definition (in case of future change)
+ nvweb webuser: added mode "customer_account" for shops
+ nv dictionary: added new shopping related strings
+ websites: include option to set "customer account path"
+ nv comments: add CSRF protection when adding comments to a website
* orders: if used, include coupon information in generated PDF
* websites: fixed internationalization table interactions
* layout: sanitize "fid" parameter
* themes,extensions: secure "install_from_hash" functionality
* files, blocks: force using prepared statements for some queries
* nvweb: verify language requested is among the website published languages, if not use the default
* login: make undetermined the forgot password response
* webdictionary: purify input parameters and encode text in the list
* properties: fixed default properties error for new empty languages
* fixed small typos and improve code reading
- removed JAVA_RUNTIME constant (unused)
* use core_terminate or nvweb_clean_exit where appropiate
+ lists: rss to items - find all images in the feed content (saved as item->_rss_images)
* skin cupertino: fix checkbox icon buttons after jQuery UI upgrade
* list: fix order parameter for some cases
* list: split conditionals treatment source code to a separate file
* users: purify username and email inputs
* extensions: don't query installed extensions if current website is null
* misc.php: small changes to get PHP 7.4 compatibility
* orders: modify listing query to avoid SQL error related to GROUP BY
* webuser: region cannot be NULL, default is 0
* website.class: force removing sessions older than 30 days
+ core: added function "core_purify_string" to proxy HTML Purifier usage
* user.class, webdictionary: encode strings when used in application lists
* shop: purify user input in all shop functions
* configuration: purify user input in all configuration functions
* content: purify user input in blocks, files and comments functions
* web: purify user input in templates function
* tools: purify user input in webusers and webusers groups
* files: more security on file uploads
+ lists: add "order" as nv list source to show its lines in a website (in development feature)
* templates: fixed crash after deleting a custom template
* uploads: fixed problem on some systems uploading files using dropzone
* updated jAutochecklist v1.4.1
* websites: purify and protect "wrong_path_redirect" value
* blocks, templates, users, websites, cart, webusers, webdictionary: encode output for some form fields
* items: prevent SQL Injection in items category order
+ naviforms: new field type: iconfield (Font Awesome 4.7 for now)
+ payment_methods: add field "icon" to be shown instead of an image
+ cart: auto-select shipping method if there is only one available
+ cart: display an error message if there are no shipping methods available
* i18n: added new application strings

    Puedes ver los cambios del código fuente en nuestro repositorio de Github.

    Para actualizar automáticamente tu instancia de Navigate CMS, inicia sesión como Administrador y entra en la función Configuración > Actualizar. También puedes descargarte la actualización desde SourceForge y aplicarla manualmente.

     
    InformaciónBlogDesarrollo