Posts: 6,266
Threads: 181
Joined: Sep 2011
2013-04-08, 23:58:31
I created a new branch that contains the stable version with patched ckeditor to 4.x
This special version of GS contains the latest GS release ( usually )
patched with a new ckeditor
Ckeditor is 4.3.2 full
and contains
codemirror editor for source ( from svn )
color moono skin for default skin ( as GS for legacy support )
EDIT: This is now posted in the download page
http://get-simple.info/download
Under Other Downloads
"Stable with CKEditor patched to v4.3.2"
Feel free to test it out.
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/743
*cke 4.3 is already slated for 3.4 release, thanks to karamo for helping with this.
UPDATE:
Updated CKE to v4.3.2
Updated GS to 3.3.3 ( merged stable in )
Posts: 149
Threads: 12
Joined: Dec 2009
I just upgraded a website to this build, all is fine, new editor is working.
Only issue (but that's not with this specific build but with every version, already reported) that sometimes i get a wrong warning "Your settings could not be saved" or "Error: Unable to continue: Unable to write the configuration file. CHMOD 755 or 777 the /data, /backups folders & sub-folders and retry" when in fact modified options get saved. (ie. when in general setting modify the timezone, or in Theme/Basic contact setting change that plugin options).
Posts: 6,266
Threads: 181
Joined: Sep 2011
I have no idea, been trying to track that one down, assuming it is because chmod fails on some hosts. Do not know why or how to check. Right now we return the same failure for both though save fail OR chmod fail.
Do you have GSCHMOD set to anything special ?
Posts: 6,266
Threads: 181
Joined: Sep 2011
Just checked in fix for cke inline changes not generating change events.
Posts: 149
Threads: 12
Joined: Dec 2009
Hi shawn, on hosts i manage i do disable many php options, set open_basedir and define many other security measures. I guess these are part of standard setup for multisite/multiuser environment.
Code:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,phpinfo
Permissions are fine, in fact getsimple is able to write and modify files, only the test and warning messages are wrong. I default to sftp-username:www-data (can be root:www-data and sticky bit not set when sftp access is not needed) so i mostly use 640 and 750 or 664/775
for a full upgrade i use a scheme like this:
Code:
# --- gs update
/bin/cp -R gs/admin/* /home/sftp-username/mywebsite.org/admin/
/bin/cp gs/index.php /home/sftp-username/mywebsite.org/index.php
/bin/cp gs/temp.gsconfig.php /home/sftp-username/mywebsite.org/gsconfig.php
# owner = sftp user, group = web server; files 640, directories 750 with setgid
chown -R sftp-username:www-data /home/sftp-username/mywebsite.org
find /home/sftp-username/mywebsite.org -type f -exec chmod 640 {} \;
find /home/sftp-username/mywebsite.org -type d -exec chmod 750 {} \;
find /home/sftp-username/mywebsite.org -type d -exec chmod g+s {} +
# data and backups are group-writable so the web server can save into them
find /home/sftp-username/mywebsite.org/data -type f -exec chmod 664 {} \;
find /home/sftp-username/mywebsite.org/data -type d -exec chmod 775 {} \;
find /home/sftp-username/mywebsite.org/backups -type f -exec chmod 664 {} \;
find /home/sftp-username/mywebsite.org/backups -type d -exec chmod 775 {} \;
# remove the installer and updater scripts
/bin/rm /home/sftp-username/mywebsite.org/admin/install.php
/bin/rm /home/sftp-username/mywebsite.org/admin/setup.php
/bin/rm /home/sftp-username/mywebsite.org/admin/update.php
chmod 664 /home/sftp-username/mywebsite.org/sitemap.xml
Then i modify gsconfig.php and upload and chmod -R g+w my themes. I still miss a wiki entry with best permissions, so i'm just trying to guess the minimal, most secure, settings. Goal is that even if (when) a malicious file gets uploaded to getsimple upload dir, it can't be executed (in my nginx setup i do my best to disallow that risk, even if the file is disguised as an image or the attacker uses other tricks to run it) and offer maximum protection to files and folders so that it would not be easy to compromise the site or, worse, the full server.
One issue with actual GS version is that it tries to use php verbs (exec chmod etc) that are commonly disabled in secure setups. And are not needed at all. In fact everything works fine, but a few wrong error messages sometimes pop up. I think the problem is not about setting GSCHMOD to anything special, but testing should be done on capabilities (or error messages).
After i successfully modify a file (ie, i change Local Timezone) on some setups an error pops up telling me gs is unable to write files and suggesting that i chmod 777 a few directories. But those files have already been successfully modified! So getsimple works fine, but the error message is wrong.
That's not a problem for me, i'm able to modify my servers to suit my needs, but maybe for GS 3.3 we could try to get a more secure setup and a build that works even on secure machine. Or at least provide complete guidelines about directory permissions, and per-site php settings needed.
Posts: 149
Threads: 12
Joined: Dec 2009
i just did a few tests with the newest version (changing Setting/Local Timezone) and even if the change worked fine, the error i received is "FastCGI sent in stderr: "PHP Warning: chmod(): Operation not permitted in..." so it looks like getsimple, after successfully updating the configuration, tries to chmod the changed file and fails. But I don't know why it tries.
Posts: 6,266
Threads: 181
Joined: Sep 2011
yeah that's what i said.
"Right now we return the same failure for both though save fail OR chmod fail."
So we need to add a chmod check somehow, how do i set my host up to not allow chmod to test this ?
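Added example, not part of the thread and not GetSimple's code: one way to report a failed write separately from a failed chmod(), the distinction discussed above. chmod() is refused with "Operation not permitted" when the PHP process does not own the file, even if group permissions let it write; the sketch assumes that layout (files owned by the sftp user, PHP writing through the www-data group). fn_usable() and save_file_checked() are hypothetical names.

```php
<?php
// Added illustration; fn_usable() and save_file_checked() are hypothetical
// names, not functions from GetSimple.

/** True when $fn exists and is not listed in php.ini disable_functions. */
function fn_usable($fn)
{
    $off = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($fn) && !in_array($fn, $off, true);
}

/**
 * Write $data to $path, then try to bring the file to $mode.
 * Returns array('saved' => bool, 'chmod' => 'ok'|'skipped'|'failed').
 * Only 'saved' === false means the content did not reach the disk.
 */
function save_file_checked($path, $data, $mode = 0644)
{
    $res = array('saved' => false, 'chmod' => 'skipped');

    // Compare against the byte count so a short write counts as a failure.
    $written = @file_put_contents($path, $data, LOCK_EX);
    if ($written === false || $written !== strlen($data)) {
        return $res;
    }
    $res['saved'] = true;

    if (!fn_usable('chmod')) {
        return $res;              // chmod disabled by the host: nothing to attempt
    }
    clearstatcache(true, $path);
    if ((fileperms($path) & 0777) === $mode) {
        $res['chmod'] = 'ok';     // mode already correct, no call needed
        return $res;
    }
    // Fails with EPERM when the PHP user is not the file owner.
    $res['chmod'] = @chmod($path, $mode) ? 'ok' : 'failed';
    return $res;
}

// Constructed demo: a scratch file in the system temp directory.
$r = save_file_checked(sys_get_temp_dir() . '/gs-demo.xml', "<item/>\n", 0644);
if (!$r['saved']) {
    echo "Error: unable to write the file\n";
} elseif ($r['chmod'] === 'failed') {
    echo "Saved; could not change permissions (not the file owner?)\n";
} else {
    echo "Saved\n";
}
```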
Posts: 149
Threads: 12
Joined: Dec 2009
I usually have a global php-security.ini where i disable a few functions on the server (some guidelines are here: http://phpsec.org/projects/phpsecinfo/tests/) and then a per-site config file where i set open_basedir and specific allow/disallow.
Some hosts allow users to modify php.ini via .htaccess or other apache config files. I can't tell about your host php security settings.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Yes I know this but do you have any insight on what makes chmod permission denied ? Relevance.
Posts: 149
Threads: 12
Joined: Dec 2009
no idea, i'll try to do a check tomorrow. On my logs it gets recorded as:
[09-Apr-2013 17:09:01] PHP Warning: chmod(): Operation not permitted in /var/www/mysite.org/admin/inc/basic.php on line 312
But i just noticed a new warning, appeared yesterday, after i updated to 3.2.1, never seen in the last few months:
[09-Apr-2013 17:24:25] PHP Notice: Trying to get property of non-object in /var/www/mysiste.org/plugins/googlemap.php on line 470
PHP Code:
// if there are no maps in the content or in the components: return false
if (strpos($data_index->content, '(%googlemap') === false AND $contcomp === false) {
    return false;
}
map plugin seems to work fine, and only thing changed should be the 3.2.1 w/ patched ckeditor upgrade.
Posts: 6,266
Threads: 181
Joined: Sep 2011
This plugin should be using the global $content not $data_index, but I guess I will fix this for backwards compatibility.
Posts: 4
Threads: 1
Joined: Jan 2013
(2013-04-09, 03:33:04)shawn_a Wrote: Just checked in fix for cke inline changes not generating change events.
Sorry if this is a little O/T, but how does one go about editing inline with this branch? Or is it something that has to be implemented into the frontend theme?
Posts: 6,266
Threads: 181
Joined: Sep 2011
It has not been looked into yet.
Posts: 4
Threads: 1
Joined: Jan 2013
2013-04-12, 05:59:20
(This post was last modified: 2013-04-12, 06:03:03 by benrwhite.)
(2013-04-12, 05:55:10)shawn_a Wrote: It has not been looked into yet.
Ah, ok.
Is this a planned or possible feature for 3.3?
EDIT:
Though I suppose that implementing this would get fairly complicated when you have content from multiple "pages" on one page (e.g., as one might do when implementing columns or something similar).
Posts: 149
Threads: 12
Joined: Dec 2009
Are you going to release an updated version with patched ckeditor?
Posts: 6,266
Threads: 181
Joined: Sep 2011
yeah I guess i need to pull stable back into this branch, I'll try to update it today.
Posts: 6,266
Threads: 181
Joined: Sep 2011
I merged, patch should match stable now.
Posts: 149
Threads: 12
Joined: Dec 2009
2013-04-30, 18:35:15
(This post was last modified: 2013-04-30, 21:18:15 by marrco.)
great, thanks, I updated a few sites to that version. No problem atm.
Just a quick note, on my server i have many php verbs disabled, so i get these 2 warnings:
Quote:[30-Apr-2013 13:00:34] PHP Warning: file_get_contents(): http:// wrapper is disabled in the server configuration by allow_url_fopen=0 in /var/www/mysite.com/admin/inc/template_functions.php on line 1055
[30-Apr-2013 13:00:34] PHP Warning: file_get_contents(http://get-simple.info/api/start/v3.php?v=3.2.1): failed to open stream: no suitable wrapper could be found in /var/www/mysite.com/admin/inc/template_functions.php on line 1055
and of course in health-check.php
Quote:GetSimple Version 3.2.1 - Upgrade Check Failed !
considering that i have curl installed and server setup test reports:
Quote:cURL Module Installed - OK
maybe we can have an alternative version check for servers with tight security.
Posts: 6,266
Threads: 181
Joined: Sep 2011
What alternative, that means curl is failing, fget is already the fallback alternative, this needs to be discussed in the 3.2.1 thread, i know you brought this up before.
Posts: 1,108
Threads: 70
Joined: Aug 2009
looks like this is a problem on the GS site , API is broken at the moment, I'm working on it.
Posts: 1,108
Threads: 70
Joined: Aug 2009
API is sorted again now. Can you check and see if that makes a difference.
Posts: 149
Threads: 12
Joined: Dec 2009
2013-05-01, 02:10:25
(This post was last modified: 2013-05-01, 02:36:25 by marrco.)
@n00dles101 it's working now, it was my fault. I had in php-ini as disabled_functions=curl_exec but i didn't realize it was failing because GS health check marks cURL Module as Installed - OK
and i had allow_url_fopen=Off too.
@shawn_a ok sorry, i'll move this discussion to the 3.2.1 thread
correct solution, since you can't just allow curl_exec per site is to keep that function disabled, and only for [HOST=www.mysite.com] use allow_url_fopen = On
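Added example, not part of the thread and not GetSimple's health check: a capability report that tests the functions a version check would call rather than only whether the cURL extension is loaded, so a host with curl_exec in disable_functions or allow_url_fopen off is reported as such. All function names here are hypothetical.

```php
<?php
// Added illustration; the function names are hypothetical, not GetSimple's.

/** True when $fn exists and is not listed in php.ini disable_functions. */
function fn_usable($fn)
{
    $off = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($fn) && !in_array($fn, $off, true);
}

/** Report which outbound-HTTP transports can be used, with the reason when not. */
function http_transport_report()
{
    $report = array();

    if (!extension_loaded('curl')) {
        $report['curl'] = 'unavailable: extension not loaded';
    } else {
        // "Module installed" is not enough: each call must be permitted.
        $blocked = array();
        foreach (array('curl_init', 'curl_setopt', 'curl_exec') as $fn) {
            if (!fn_usable($fn)) {
                $blocked[] = $fn;
            }
        }
        $report['curl'] = $blocked
            ? 'unavailable: disabled functions: ' . implode(', ', $blocked)
            : 'ok';
    }

    $fopen = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    $report['url_fopen'] = $fopen ? 'ok' : 'unavailable: allow_url_fopen is off';

    return $report;
}

/** First usable transport, or null when the version check has to be skipped. */
function pick_transport(array $report)
{
    foreach ($report as $name => $status) {
        if ($status === 'ok') {
            return $name;
        }
    }
    return null;
}

$report = http_transport_report();
foreach ($report as $name => $status) {
    echo "$name: $status\n";
}
echo 'version check via: ' . (pick_transport($report) ?: 'none (skipped)') . "\n";
```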
Posts: 6,266
Threads: 181
Joined: Sep 2011
Back to the topic,
This breaks some plugins that use the core ckeditor, mostly because the getsimple theme is now defunct and removed, replacing it with one of the "newer" themes renamed to "getsimple" will fix it.
Ideally there is also the uiColor to fix, as it used to be set to white.
You can simply fix these both by adding this to your gsconfig
PHP Code: define('GSEDITOROPTIONS', 'skin:\'moono\',uiColor:null');
This will override both, IF the plugin makes use of GSEDITOROPTIONS.
In the meantime I will find a way to fix this in the branch with a fake getsimple theme, as the old one has to be rewritten.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Updated with new getsimple theme ( moonocolor ), should fix some plugins.
uiColor still an issue.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Updated with critical plugin fix for acf, moved acf override to config.js so it is applied to plugins that use core ckeditor.
also updated to 4.1.1, and some codemirror icon fixes
disabling acf is necessary, because if you do not then you can lose existing content when you save your fields.
ACF does 2 things, it matches your toolbar to your allowed content, or restricts your allowed content to your toolbar. This is very cool, because you do not wind up with buttons that you are not allowed to use, and it allows a certain level of filtering and allows you to restrict content you allow. This is all great for web page inputs, but is awful for a cms. It will essentially remove any non allowed content from your field if you are pre-populating it when it loads. So say you try to stick a form in there in source mode, click source again and it will be removed. Or if it had a form before and you load it it will not show up and will be gone forever.
Plugins and users can use inline config ( inline overrides config.js as does GSEDITOROPTIONS) to override this if they actually want this behavior of allowed content, but one has to remember that this is a bad idea if you have existing content that might become corrupted.
more info here
http://docs.ckeditor.com/#!/guide/dev_ad...ent_filter