Posts: 6,266
Threads: 181
Joined: Sep 2011
2013-03-04, 05:15:56
http://get-simple.info/download/
Settings $LANG persistent xss injection.
Version missing from footer
xss vulns in backupedit, filebrowser, error_checking, edit
health check plugins.xml chmod check 644 writable
Some javascript i18n missing
ajax.php dir traversal
unused antixss typo
removed extra install.php from core
Undo link missing for page deletions
Data leakage via traversal inclusion on frontend
removed loadtab.php, arbitrary code execution
Default index.xml date is sep 2009, now install date
slug creation problems, servers with no mb extension
page options parent is blank
attempt to fix 3.0 upgrade issues, missing cache folder
Identify page on edit titlebar and footer
filebrowser cannot read space foldernames in uploads
Posts: 12
Threads: 1
Joined: Feb 2013
No errors or problems on my boxes.
Anything specific to check for?
Posts: 1,204
Threads: 30
Joined: Jun 2010
Just a minor thing with translations.
In plugins tab, there's a hardcoded "Disabled Plugin" label (no var in translation file for it), and hardcoded in js "Plugin Updated" notice after changing plugin status.
I stumbled upon a couple of errors (like function checking php ver in inc/common.php, changing admin path) and http 500's under php 5.4 environment. But switching between 5.2/5.3 and back to 5.4 somewhat unstuck GS and everything started working. I need to install a couple more GS instances to make sure it wasn't a short webserver caprice.
Addons: blue business theme, Online Visitors, Notepad
Posts: 6,266
Threads: 181
Joined: Sep 2011
do you have any reports yojoe ?
Posts: 1,204
Threads: 30
Joined: Jun 2010
I did a fresh install of 321b; php 5.4.6, default GS config (no custom vars and changes), GS installation in /getsimple subdir
Changing path in define('GSADMIN', 'newdir'); leads to an empty page, both frontend and backend.
Not a single php error appears, logs stay empty.
After contacting hosting support, the problem might lie in the way global vars are used under php5.4, especially paths.
Those are only thoughts.
Addons: blue business theme, Online Visitors, Notepad
Posts: 6,266
Threads: 181
Joined: Sep 2011
Posts: 1,204
Threads: 30
Joined: Jun 2010
Shawn: did you test/check on a production environment (webhosting with 5.4.x) or only on a localhost (win/lin?) ?
I have to find the reason why on php5.2.x GS works out of box, but after switching to p5.4.6 fresh GS instance with changed admin path refuses to work without any error output :/
Addons: blue business theme, Online Visitors, Notepad
Posts: 6,266
Threads: 181
Joined: Sep 2011
Did you just rename the admin folder and change the config ?
I cannot imagine why that would have any issues.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Can you just set it to 'admin' and see if that works ?
Posts: 6,266
Threads: 181
Joined: Sep 2011
Posts: 1,204
Threads: 30
Joined: Jun 2010
(2013-03-13, 23:02:14)shawn_a Wrote: Can you just set it to 'admin' and see if that works ?
Enabling and leaving GSADMIN in gsconfig with default value worked all the time. After I installed 3.2.1B1 a 3rd time, the changed path started to work. None of the files were corrupt in earlier instances. Not even one error appeared.
I just don't get it.
I hope B2 works on my current webhost from first shot. I'll check it on couple other webhosts also.
Addons: blue business theme, Online Visitors, Notepad
Posts: 6,266
Threads: 181
Joined: Sep 2011
Could have been a permissions issue on the folder rename or something odd there.
Could it be an issue with upgrades on a system with an admin path ?
I have to admit I have never tested that.
Posts: 1,204
Threads: 30
Joined: Jun 2010
I've looked at directory attributes, and both 705/755 work now - I didn't look at the permissions earlier, but assuming I didn't do anything else, that couldn't be the reason.
I can't remember if GS was ever making any changes to data structure or content of files in /admin dir.
Although some plugins were accessing and changing core files, but I didn't install any in test environment.
It's really odd, thus it would be great if anyone tests beta versions too on a production server with php 5.4
Addons: blue business theme, Online Visitors, Notepad
Posts: 6,266
Threads: 181
Joined: Sep 2011
This thread is about 3.2.1beta
Posts: 3
Threads: 0
Joined: Mar 2013
2013-03-16, 14:12:31
I seem to have encountered a minor bug in the latest master branch (as of 3 hours before posting this). Freshly downloaded and installed on a local XAMPP server and with pretty urls as well as mod-rewrite enabled, I got a "Page not found" when clicking the "Home" link on the frontend's menu bar. Likewise when entering the proper url directly into the browser address field.
The immediate problem was that the check in index.php on line 51:
if (!array_key_exists($id, $pagesArray)) returned true because there in fact was no key: "index" in that array - there only was a key: "index " (with a space).
My temporary solution was to trim the value in function pageCacheXMLtoArray($xml) (caching_functions.php) as this:
line 325 before: $key = (string) $page->url;
line 325 after: $key = (string) trim($page->url);
Of course the more permanent solution should be to sanitize matters a bit closer to the origin.
Posts: 3
Threads: 0
Joined: Mar 2013
Just to add that the temporary solution above also is only a partial one. If one views the source as rendered by the browser, the: link rel="canonical" href="http://localhost/trv/cms/index /" still has the extra space and therefore doesn't work.
All this only applies to the default index page. All is and was okay with my own test pages.
Posts: 1,928
Threads: 88
Joined: Apr 2010
what this means in version 3.2.1 Beta 2
Code: Apache web server LiteSpeed - Error
Warning: Server Setup non-Apache
PHP Version 5.2.17
Posts: 3,491
Threads: 106
Joined: Mar 2010
@Oleg06
It's since 3.2.0
It means your server is not Apache, so GS doesn't know if .htaccess is supported (deny files...).
So you should make sure that your data files (pages, users, backups, etc.) cannot be viewed with a browser, either because actually .htaccess is supported, or because you protected those data folders yourself.
If you're sure your site is secured properly, you can disable that warning by adding (or uncommenting) this in gsconfig:
define('GSNOAPACHECHECK', true);
( http://get-simple.info/forums/showthread.php?tid=4334 )
Posts: 1,928
Threads: 88
Joined: Apr 2010
2013-03-16, 18:07:36
(This post was last modified: 2013-03-16, 18:08:59 by Oleg06.)
once you've shoved me out of this topic, so I downloaded the beta and asked again
thanks for the tip
Posts: 6,266
Threads: 181
Joined: Sep 2011
Thanks oleg, I do not want to spend time on something not current. Making sure issues are reported against current versions.
It's on my list for later but maybe we should go ahead and add a fucking link to the wiki, since no one reads the damn install requirements. Or maybe we can add some other apache clones to the list of approved web servers.
Please report false positives on this, as the apache detection code is not the best but helps us a lot in identifying why htaccess are not working for folks.
Posts: 3,491
Threads: 106
Joined: Mar 2010
Too much html decoding in 3.2.1 betas.
Try creating a page with this content (in source code mode)
a&lt;b
It's being rendered as:
a<b
(broken tag)
Posts: 6,266
Threads: 181
Joined: Sep 2011
We didn't change anything directly related to that.
I added sanitizers to some post fields maybe that did it.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Any ideas?
Before save issue or rendering issue ?
edit
xml
Code: <content><![CDATA[a&lt;b]]></content>
Posts: 3,491
Threads: 106
Joined: Mar 2010
Rendering issue.
I've just checked again just in case.
Here is an example:
Editor in WYSIWYG mode:
Same content but in source code mode is:
The XML file is saved as:
Code: ...
<content><![CDATA[<p>love &lt;3</p>
]]></content>
...
Rendered HTML (broken) by GS 3.2.1 beta is now:
GS 3.2.0, 3.1.2, etc. properly rendered it as:
Posts: 6,266
Threads: 181
Joined: Sep 2011
OK, I'll fix it, I know what caused it.
We are using getcontent now to load the global, so it's running twice. Just like the filter was running twice and we fixed that.
We need to just change that to raw and exclude this also
$content = stripslashes(htmlspecialchars_decode($data->$field, ENT_QUOTES));
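The double decode discussed in the last few posts, as an added example that is not GetSimple's own code: it runs the decode line quoted above once and twice over the two strings from the thread plus two constructed ones. The function names are hypothetical, and the single entity-encoding pass on save is an assumption.

```php
<?php
// Added illustration; not GetSimple's code. All function names are hypothetical.

// Assumption: the editor's HTML is entity-encoded once when the page is saved.
function save_field(string $editorHtml): string
{
    return htmlspecialchars($editorHtml, ENT_QUOTES, 'UTF-8');
}

// Decode step modelled on the line quoted in the thread.
function decode_field(string $stored): string
{
    return stripslashes(htmlspecialchars_decode($stored, ENT_QUOTES));
}

// True when a second decode pass would change what the browser receives.
function changed_by_second_decode(string $editorHtml): bool
{
    $once = decode_field(save_field($editorHtml));
    return decode_field($once) !== $once;
}

// Sample page bodies: the first two are the strings from the thread,
// the last two are constructed for comparison.
$samples = [
    'a&lt;b',
    '<p>love &lt;3</p>',
    '<p>plain text, no entities</p>',
    '<p>AT&amp;T</p>',
];

foreach ($samples as $html) {
    $once  = decode_field(save_field($html));   // what the author wrote
    $twice = decode_field($once);               // what a second pass emits
    printf(
        "%-32s once=%-32s twice=%-32s %s\n",
        $html,
        $once,
        $twice,
        changed_by_second_decode($html) ? 'CHANGED' : 'ok'
    );
}
```

Any page whose body contains an entity the author meant to keep is reported as CHANGED, so the same check can be run over existing page content to find pages affected by a duplicated decode.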