pkgsrc-WIP-cvs archive


CVS commit: wip/joomla



Module name:    wip
Committed by:   obache
Date:           Fri Sep  1 15:29:20 UTC 2006

Modified Files:
        wip/joomla: Makefile PLIST distinfo

Log Message:
Update joomla to 1.0.11

Changelog:

---------------- 1.0.11 Stable Released -- [28-August-2006 20:00 UTC] ------------------


This Release Contains the following 26 Security Fixes

Joomla! utilizes the Open Web Application Security Project (OWASP) Top Ten 
Project to categorize security vulnerabilities found within Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

--- - - - - - - - - ---

04 HIGH Level Threats fixed

A1 Unvalidated Input
 * Secured mosMail() against unvalidated input
 * Secured JosIsValidEmail() - in previous versions the existence of an email 
address somewhere in the string was sufficient
 
A6 Injection Flaws 
 * Fixed remote execution issue in PEAR.php
 * Fixed Zend Hash Del Key Or Index Vulnerability
 
--- - - - - - - - - ---
 
04 MEDIUM Level Threats fixed

A1 Unvalidated Input
 * globals.php not included in administrator/index.php
 
A2 Broken Access Control  
 * Added Missing defined( '_VALID_MOS' ) checks
 * Limit Admin `Upload Image` from uploading below `/images/stories/` directory
 * Fixed do_pdf command bypassing the user authentication

--- - - - - - - - - ---

18 LOW Level Threats fixed

A1 Unvalidated Input
 * Hardened Admin `User Manager`
 * Hardened poll module
 * Fixed josSpoofValue function to ensure the hash is a string
 
A2 Broken Access Control  
 * Secured com_content to not allow the tasks 'emailform' and 'emailsend' if 
$mosConfig_hideEmail is set
 * Fixed emailform com_content task bypassing the user authentication
 * Limit access to Admin `Popups` functionality 
 
A4 Cross Site Scripting 
 * Fixed XSS injection issue in Admin `Module Manager`
 * Fixed XSS injection issue in Admin `Help` 
 * Fixed XSS injection issue in Search 

A6 Injection Flaws 
 * Harden loading of globals.php by using require() instead of include_once();
 * Block potential misuse of $option variable
 * Block against injection issue in Admin `Upload Image`  
 * Secured against possible injection attacks on ->load()
 * Secured against injection attack on content submissions where frontpage is 
selected
 * Secured against possible injection attack thru mosPageNav constructor
 * Secured against possible injection attack thru saveOrder functions
 * Add exploit blocking rules to htaccess
 * Harden ACL from possible injection attacks 


-- -- -- -- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- --


28-Aug-2006 Rey Gigataras
 # SECURITY A6 [ LOW Level ]: Block potential misuse of $option variable


28-Aug-2006 Andrew Eddie
 # SECURITY A6 [ LOW Level ]: Harden ACL from possible injection attacks 


24-Aug-2006 Rey Gigataras
 # SECURITY A6 [ LOW Level ]: Add exploit blocking rules to htaccess
 # SECURITY A6 [ LOW Level ]: Harden loading of globals.php by using require() 
instead of include_once();
 
 + Installation Security Warning check 
 + Admin & Installation Version age warning 


23-Aug-2006 Rey Gigataras
 # SECURITY A2 [ MEDIUM Level ]: Missing defined( '_VALID_MOS' ) checks
 
 + Admin Security Warning check 
 

21-Aug-2006 Rey Gigataras
 # SECURITY A1 [ LOW Level ]: Hardened Admin `User Manager`
  

19-Aug-2006 Rey Gigataras
 # SECURITY A2 [ MEDIUM Level ]: Limit Admin `Upload Image` from uploading 
below `/images/stories/` directory
 # SECURITY A2 [ LOW Level ]: Limit access to Admin `Popups` functionality 
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin 
`Module Manager`
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin 
`Help` 
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Search 
 # SECURITY A6 [ LOW Level ]: [topic,73761] : Block against injection issue in 
Admin `Upload Image` 
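The two `Upload Image` entries above (the MEDIUM-level restriction to the `/images/stories/` directory and the LOW-level injection fix) describe a classic upload-path containment problem. The following is an added illustration written for this page, not Joomla's own code: it canonicalises the requested target directory with `realpath()`, rejects anything that resolves outside the base directory, and applies a conservative allow-list to the file name. The directory layout and file-name rules are assumptions for the example.

```php
<?php
// Added illustration (not Joomla's code): confine an upload target to a base
// directory such as /images/stories/. Names and rules here are assumptions.

function resolveUploadPath(string $baseDir, string $requestedSubdir, string $fileName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                  // base directory must exist
    }

    // The file name must be a bare name: no directory separators, no '.'/'..'.
    if ($fileName === '' || $fileName !== basename($fileName)
        || $fileName === '.' || $fileName === '..') {
        return null;
    }

    // Conservative allow-list: alphanumeric name with an image extension.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.(jpe?g|png|gif)$/i', $fileName)) {
        return null;
    }

    // realpath() resolves '..' segments and symlinks, so the comparison below
    // is done on the canonical directory rather than on the user-supplied text.
    $dir = realpath($base . DIRECTORY_SEPARATOR . $requestedSubdir);
    if ($dir === false) {
        return null;                                  // target directory must exist
    }

    // The canonical directory must be the base itself or lie strictly beneath it.
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $dir . DIRECTORY_SEPARATOR . $fileName;
}

// Constructed demo tree standing in for <site>/images/stories/.
$root = sys_get_temp_dir() . '/upload_demo_' . getmypid();
mkdir("$root/images/stories/news", 0700, true);
mkdir("$root/secret", 0700, true);
$stories = "$root/images/stories";

$cases = [
    ['news',        'photo.jpg'],   // inside the base: allowed
    ['',            'photo.jpg'],   // the base directory itself: allowed
    ['../../secret', 'photo.jpg'],  // resolves outside the base: rejected
    ['news',        '../x.jpg'],    // separator in the file name: rejected
    ['news',        'notes.php'],   // extension not on the allow-list: rejected
];

foreach ($cases as [$sub, $name]) {
    $target = resolveUploadPath($stories, $sub, $name);
    printf("%-14s %-10s => %s\n", $sub === '' ? '(base)' : $sub, $name,
        $target === null ? 'REJECTED' : $target);
}

// Tidy up the constructed tree.
rmdir("$root/images/stories/news");
rmdir("$root/images/stories");
rmdir("$root/images");
rmdir("$root/secret");
rmdir($root);
```

The check compares canonical paths rather than string prefixes of raw input, so `..` segments and symlinks inside the requested directory cannot escape the base; the separate file-name rule keeps the final component from reintroducing a traversal after the directory has been validated.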


19-Aug-2006 Enno Klasing
 # SECURITY A1 [ HIGH Level ]: Secured mosMail() against unvalidated input
 # SECURITY A1 [ HIGH Level ]: Secured JosIsValidEmail() - in previous 
versions the existence of an email address somewhere in the string was 
sufficient
 # SECURITY A2 [ LOW Level ]: Secured com_content to not allow the tasks 
'emailform' and 'emailsend' if $mosConfig_hideEmail is set
 
 # Fixed : Empty subject in com_content mail2friend no longer possible
 # Fixed : Show error message if com_content mail2friend fails
 # Fixed : Show error message if com_contact mail fails
 ^ Moved all instances of is_email() amalgamated into JosIsValidEmail in 
/includes/joomla.php
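The JosIsValidEmail() fix, listed in the summary under the HIGH-level A1 threats and again in the 19-Aug-2006 entry above, describes a validation routine that accepted any string in which an address appeared somewhere. The following is an added illustration for this page, not Joomla's code: a loose substring-style check of that kind beside a whole-string check that also refuses line breaks, which is what keeps a mail-sending routine from being handed extra header lines. The patterns and sample inputs are constructed for the example.

```php
<?php
// Added illustration (not Joomla's code): substring-style e-mail acceptance
// versus a whole-string check. Patterns and inputs are assumptions.

// Loose check of the kind the changelog describes: succeeds as soon as an
// address-shaped token occurs anywhere in the value (unanchored pattern).
function looseEmailCheck(string $value): bool
{
    return preg_match('/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/', $value) === 1;
}

// Strict check: the entire value must be one address, with no control
// characters that could turn a single header into several.
function strictEmailCheck(string $value): bool
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return false;                   // line breaks or NUL never belong in an address
    }
    if (strlen($value) > 254) {
        return false;                   // longer than any valid address
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs: one valid address and three that must be refused.
$samples = [
    'user@example.com',
    "user@example.com\r\nextra-header: value",      // address followed by a line break
    'please write to user@example.com today',        // address buried in free text
    'not-an-address',
];

foreach ($samples as $s) {
    printf("%-48s loose=%-6s strict=%s\n",
        json_encode($s),
        looseEmailCheck($s) ? 'accept' : 'reject',
        strictEmailCheck($s) ? 'accept' : 'reject');
}
```

Run with the PHP CLI, the first sample is accepted by both checks, while the second and third are accepted by the loose check only; the strict check is the behaviour the changelog entry describes moving to.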


18-Aug-2006 Rey Gigataras
 # SECURITY A1 [ MEDIUM Level ]: globals.php not included in 
administrator/index.php 
 # SECURITY A2 [ MEDIUM Level ]: do_pdf command bypasses the user authentication
 # SECURITY A2 [ LOW Level ]: emailform com_content task bypasses the user 
authentication
 # SECURITY A1 [ LOW Level ]: harden poll module
 
 # Fixed [topic,72209] : Mambots fired on Modules
 + enable selective disabling of `Email Cloaking` bot via {emailcloak=off}


17-Aug-2006 Rey Gigataras
 + PERFORMANCE : Cache handling expanded to com_content showItem
 # Fixed [artf5266] : Blog-view shows "more..." even without intros
 # Fixed [topic,81673] : frontend.php itemid issue


17-Aug-2006 Mateusz Krzeszowiec
 # Fixed logging query before applying LIMIT 


15-Aug-2006 Marko Schmuck
 # SECURITY A6 [ LOW Level ]: possible injection attacks on ->load()


15-Aug-2006 Andrew Eddie
 # SECURITY A6 [ HIGH Level ]: remote execution issue in PEAR.php


15-Aug-2006 Mateusz Krzeszowiec
 # PERFORMANCE [topic,83325] : SQL LIMIT in com_content frontend


14-Aug-2006 Andrew Eddie
 # SECURITY A6 [ LOW Level ]: Injection attack on content submissions where 
frontpage is selected
 # SECURITY A6 [ LOW Level ]: possible injection attack thru mosPageNav 
constructor
 # SECURITY A6 [ LOW Level ]: possible injection attack thru saveOrder functions


07-Aug-2006 Andrew Eddie
 # SECURITY A6 [ HIGH Level ]: Zend Hash Del Key Or Index Vulnerability
 # SECURITY A1 [ LOW Level ]: josSpoofValue function to ensure the hash is a 
string


28-July-2006 Robin Muilwijk
 # Fixed [artf5291] : missing onChange javascript code for filter field


27-July-2006 Robin Muilwijk
 # SECURITY A2 [ MEDIUM Level ]: [artf5335] : missing direct access line
 
 # Fixed [artf5282] : missing table row tag and self closing tag
 # Fixed [artf5297] : small html errors


17-July-2006 Robin Muilwijk
 # Fixed [artf5157] : typo in media manager
 # Fixed [artf5218] : duplicate entry of artf5157, typo in media manager


03-July-2006 Rey Gigataras
 # Fixed [artf5181] : 5 step for unrecoverable admin-page crash.
 # Fixed [artf5123] : Wrong name of function in joomla.cache.php
 # Fixed [artf5126] : includes/database.php uses deprecated function
 # Fixed [artf5171] : mosGetParam Default value issue
 # Fixed [artf5112] : A mere mistake in the file contact.html.php
 

---------------- 1.0.10 Stable Released -- [26-June-2006 00:00 UTC] ------------------


This Release Contains the following Security Fixes

Joomla! utilizes the Open Web Application Security Project (OWASP) web 
application security system to categorize security vulnerabilities found within 
Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project


03 HIGH Level Threats fixed in 1.0.10 

A1 Unvalidated Input
 * A1 - Secured `Remember Me` functionality against SQL injection attacks
 * A1 - Secured `Related Items` module against SQL injection attacks
 * A1 - Secured `Weblinks` submission against SQL injection attacks
 
 
01 MEDIUM Level Threats fixed in 1.0.10 

A4 Cross Site Scripting
 * A4 - Secured SEF from XSS vulnerability


05 LOW Level Threats fixed in 1.0.10 

A1 Unvalidated Input
 * A1 - Hardened frontend submission forms against spoofing
 * A1 - Secured mosmsg from misuse
 * A1 - Hardened mosgetparam by setting variable type to integer if default 
value is detected as numeric

A4 Cross Site Scripting
 * A4 - Secured com_messages from XSS vulnerability
 * A4 - Secured getUserStateFromRequest() from XSS vulnerability

-- -- --


25-June-2006 Rey Gigataras
 # SECURITY A1 [ Low Level ]: mosgetparam sets variable type to integer if 
default value is detected as numeric
 
 # Fixed [artf5091] : Missing closing "}" in one of PatFactory templates
 # Fixed [topic,71858] : Content Archive issue when caching on
 # Fixed [topic,71859] : Unable to login frontend
 # Fixed [topic,67902] : SEF.php breaking community builder homepages


23-June-2006 Rey Gigataras
 # SECURITY A1 [ Low Level ]: mosmsg hardened
 
 # Fixed [artf5059] : Blog ordering, items by - most hits 
 # Fixed [artf4969] : Missing Itemid in readmore with multi category blog
 # Fixed [artf5083] : Problem with Description/Description Image parameters of 
"List - Content Section"
 # Fixed [topic,67719] : Email Cloaking Ads extra space after cloaked address
 # Fixed [topic,66966] : E-mailing Cloaking Issue
 # Fixed [topic,67141] : pathway empty when showing poll results
 # Fixed [topic,67068] : Caching of Custom Heads still not working (not a full 
fix)


21-June-2006 Alex Kempkens
 # Fixed [artf5051] : Making cache aware of different languages
 ! Be aware that it is now important to include all parameters, even optional 
ones, in the cached calls.


21-June-2006 David Gal
 # Fixed [topic,66858] : Can't set language 


21-June-2006 Rey Gigataras
 # SECURITY A4 [ Medium Level ]: XSS vulnerability when using SEF
 # SECURITY A4 [ Low Level ]: XSS vulnerability in com_messages
 # SECURITY A4 [ Low Level ]: XSS vulnerability in getUserStateFromRequest()

 # Fixed [artf4976] : htaccess file instructions confusing users
 # Fixed [artf4917] : PHP getenv function fails in ISAPI mode
 # Fixed [topic,69083] : mambots not being applied to `User` Module content 
 # Fixed [topic,69894] : Filter doesn't work when cache on


20-June-2006 Rey Gigataras
 # Fixed [artf5025] : Category Titles with an Apostrophe leave a leading slash
 # Fixed [artf4927] : blocked user receives wrong error message
 # Fixed [topic,70612] : Very small text error in file sample_data.sql
 # Fixed [topic,69871] : mossef notice 
 # Fixed [topic,68031] : Problems with banner.php
 # Fixed [topic,67826] : content.html weblinks.html display issues in Opera
 # Fixed [topic,67594] : Extra space in content.html.php
 # Fixed [topic,67016] : ATOM 0.3 Always enable even I disable ATOM 0.3 in 
Administrator Panel


19-June-2006 Rey Gigataras
 # SECURITY A1 [ High Level ]: `Remember Me` functionality SQL injection 
vulnerability
 # SECURITY A1 [ High Level ]: `Related Items` module SQL injection 
vulnerability
 # SECURITY A1 [ High Level ]: `weblinks` submission SQL injection vulnerability
 # SECURITY A1 [ Low Level ]: frontend submission forms hardened against 
spoofing

 # Fixed [artf5031] : Frontend Editing of Content Changes Start Publishing Time
 # Fixed [artf4951] : author submitting content gets error message
 # Fixed [artf5028] : Page navigation incorrect on pages viewed through archive 
module


16-June-2006 Rey Gigataras
 # Fixed [artf5006] : Contact-item print button
 # Fixed [artf4925] : alt="" not always output 1.0.9
 # Fixed [artf4921] : anchor links break
 # Fixed [artf4888] : too many columns in table layout of params
 # Fixed [topic,66859] : Table views of content category in backend
 # Fixed [topic,68201] : Permissions check page missing /mambots/system/
 # Fixed [topic,67115] : Error warning frontend.php
 # Fixed [topic,67144] : Check for status of SEF in mossef incorrectly 
commented out
 # Fixed [topic,67279] : Voting/Rating not working when disabled globally, but 
enabled locally for selected items
 
 # PERFORMANCE [topic,63468] : mod_fullmenu unnecessary count of archived items 
in section query


12-June-2006 Rey Gigataras
 # Fixed [artf4913] : Poll Module breaks "Add Article"
 # Fixed [artf4929] : Finish date not shown
 # Fixed [artf4881] : Extra space in English email text string
 # Fixed [topic,68467] : If 2 polls published - voting on second poll not work


10-June-2006 Robin Muilwijk
 # Fixed [topic,68168] : Typo 
/administrator/components/com_content/admin.content.html.php - line 478
 # Fixed [topic,68168] : Typo 
/administrator/components/com_typedcontent/admin.typedcontent.html.php - line 
266


---------------- 1.0.9 Stable Released -- [05-June-2006 16:00 UTC - Rev 3876] ------------------


This Release Contains the following Security Fixes

Joomla! utilizes the Open Web Application Security Project (OWASP) web 
application security system to categorize security vulnerabilities found within 
Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project


12 Low Level Threats in 1.0.9 

A1 Unvalidated Input
 * A1 - Harden mosmsg
 * A1 - Hardening of backend `User Manager` to stop 'Administrators' from being 
able to create 'Super Administrator' users
 
A2 Broken Access Control 
 * A2 - Breadcrumbs title visibility even when access restricted
 * A2 - 'Edit Your Details' page now needs a published menu item to be 
accessible
 * A2 - 'Check-In My Items' page now needs a published menu item to be 
accessible
 * A2 - 'Submit News' page now needs a published menu item to be accessible
 * A2 - 'Submit Weblink' page now needs a published menu item to be accessible
 * A2 - Add ability to selectively disable certain types of syndicated feeds
 * A2 - Ensure module caching does not inadvertently make special level modules 
visible to registered users
 * A2 - Add ability to totally disable access to frontend login page
 * A2 - Add ability to disable frontend user params
 
A3 - Broken Authentication and Session Management
 * A3 - Changes to access level of user account will kill any active session 
for that user

--


04-June-2006 Rey Gigataras
 # Fixed [artf4878] : illegal dates in mysql tables 
 # Fixed : missing content cache clearing calls


03-June-2006 Rey Gigataras
 # Fixed [artf4864] : /includes/frontend.php
 # Fixed [topic,66138] : Invalid Session at Admin login
 # Fixed [topic,66044] : Installation checks
 # Fixed [topic,66276] : admin password ="0"
 # Fixed : No ability to set Cache time for Syndication modules
 # Fixed : `Remember Expired Admin page` functionality changed from 600 seconds 
to half the `Admin Session Lifetime` value
 # Fixed : Admin session purge (to limit only one active session per account) 
deleting frontend logged in session


03-June-2006 Robin Muilwijk
 # Fixed [topic,66360] : Fatal error com_contact/contact.php


01-June-2006 Rey Gigataras
 # Fixed : New Global Config params (added in 1.0.9) not created on clean 
install
 
 
31-May-2006 Rey Gigataras
 # SECURITY A2 [ Low Level ]: New `Global Config` param to allow disabling of 
Frontend Login
 # SECURITY A2 [ Low Level ]: New `Global Config` param to allow disabling of 
Frontend User params

 # Fixed [artf4844] : initial setup failure on IIS when installed in 
subdirectory
 # Fixed [topic,65009] : "Email to Friend" Can Send Unusable URLs
 # Fixed [topic,65604] : Notices when adding static content
 # Fixed [topic,65485] : Bug with menu item selector
 # Fixed : DB error when attempting a checkin action after cancelling from 
creating a New item


30-May-2006 Rey Gigataras
 # Fixed [topic,65381] : Override Created Date
 # Fixed [artf4830] : top menu items reversed in madeyourweb template


29-May-2006 Rey Gigataras
 # SECURITY A2 [ Low Level ]: [artf4752] : caching makes modules assigned to 
special user visible to registered users
 
 # Fixed [artf4812] : In footer.php (C) should be (c)
 # Fixed [artf4806] : typo in mambots/search/contacts.searchbot.php causes sef 
errors
 # Fixed [artf4752] : patTemplate strip comments problems 
 # Fixed [artf4752] : rss.php unnecessary logic code check 
 # Fixed [topic,64994] : problem with related items
 # Fixed [topic,64046] : adding new content Frontend fails with Authorization 
Error


27-May-2006 Rey Gigataras
 # Fixed [topic,64308] : cache and content items on frontpage
 # Fixed [topic,63824] : Notice on com_contact
 # Fixed [artf4801] : inputFilter::filterTags prints unexpected text


23-May-2006 Rey Gigataras
 # Fixed [topic,63674] : MySQL 5 strict mode in Admin Backend


22-May-2006 Rey Gigataras
 # PERFORMANCE [topic,63468] : slow auto-login because of new MD5 calculations 
on whole users DB
 
 # Fixed [topic,63446] : Category and Section


21-May-2006 Rey Gigataras
 # Fixed [artf4714] : Can't add Menu Item :: Link - Static Content 
 # Fixed : "Unique Itemid" handling for `Link - Content Item`
 # Fixed : Add "Unique Itemid" handling for `Link - Static Content`
 # Fixed [artf4714] : Can't add Menu Item :: Link - Static Content 
 # Fixed [topic,62056] : Copyright date


20-May-2006 Rey Gigataras
 # Fixed [artf4733] : Module Manager reorder via save button broken
 # Fixed [artf4736] : Quotation marks in Site Name
 # Fixed [topic,63257] : Notice when creating new category


18-May-2006 Rey Gigataras
 # Fixed [artf4700] : pathway ampReplaces item name twice
 # Fixed [artf4712] : 'type' of $mosConfig_error_reporting does not match code
 
 + Remember Expired Admin page functionality


17-May-2006 Rey Gigataras
 # Fixed [artf4673] : setlocale
 # Fixed [artf4685] : unhandled fragment identifier with core SEF enabled 
 # Fixed [artf4678] : Print, PDF and email buttons aren't accessible
 # Fixed [topic,62124] : Hover for icons when editing content in front-end
 # Fixed [topic,62165] : Cannot login - admin_session_life not set


15-May-2006 Rey Gigataras
 # Fixed [topic,61926] : Frontend static language text
 # Fixed [topic,61971] : E-mail cloaking broken, TinyMCE `mce_href` problem
 # Fixed : Frontend Content editing does not display correct publishing 
date/time 
 # Fixed : Frontend Content editing incorrect handling of 'Never' in `Finish 
Publishing`
 # Fixed : Incorrect date/time values on `Content Items Manager` and `Static 
Content Manager` pages


14-May-2006 Rey Gigataras
 * SECURITY A2 [ Low Level ]: add ability to selectively disable certain types 
of syndicated feeds
 
 ^ Upgrade to TinyMCE 2.0.6.1
 
 # Fixed [topic,61897] : Changing any parameter for logged user returns to 
login screen


13-May-2006 Rey Gigataras
 * SECURITY A1 [ Low Level ]: [artf4529] : User with access to administration 
area can easily create super administrator.
 
 # Fixed [artf4555] : Slight Bug in registration system
 # Fixed [artf4641] : Module sites with one template - modules should not show 
up - itemid issue
 # Fixed : `Itemid=99999999` appearing in next & prev navigation links
 # Fixed : `Itemid=` appearing in `Blog` links items
 

13-May-2006 Andrew Eddie
 # Fixed [artf3302] : PatTemplate custom Functions getpage() undefined


12-May-2006 Louis Landry
 # Fixed [artf4284] : database::load() resets private properties


12-May-2006 Rey Gigataras
 # Fixed [topic,60970] : Finish Publishing Time not working as expected


11-May-2006 Rey Gigataras
 # Fixed [artf4614] : Warning in mosCreateGUID
 # Fixed [artf4619] : task=category shows unpublished items
 # Fixed [artf4621] : Media manager with long filenames = no button
 # Fixed [artf4613] : Sub Menu Item deletion Security Bug 
 # Fixed [artf4613] : Restoring menu items without a valid parent
 # Fixed [topic,59258] : bug when editing user profile
 # Fixed [topic,61190] : Menu Item Inconsistency


10-May-2006 Sam Moffatt
 # Fixed issue with login directly after activation causing error, now 
redirects to index.php


09-May-2006 Rey Gigataras
 # Fixed [artf4577] : saveUser in com_user has incorrect escaping for password


28-Apr-2006 Alex Kempkens
 # Fixed artf : Language loading incorrect in offline mode (related to 
Joom!Fish language changes)
 
 
27-Apr-2006 Rey Gigataras
 + Support for restricting ability to access certain functionality for demo 
sites

 # Fixed [artf4527] : incorrect style in function botNoEditorEditorArea
 # Fixed [topic,57926] : mod_poll.php Warning 
 

26-Apr-2006 Rey Gigataras
 # Fixed [artf3912] : Pear's cache lite and safe_mode
 # Fixed [artf3711] : mosemailcloak generates invalid XHTML
 # Fixed [artf3251] : Wrong file count in Media Manager
 # Fixed [artf3196] : com_media does not properly manage file names with simple 
quotes (')


25-Apr-2006 Rey Gigataras
 ^ PERFORMANCE [topic,54215] : MOSimage array affects edit page load time


24-Apr-2006 Rey Gigataras
 * SECURITY A3 [ Low Level ]: logged in user sessions are not affected by 
changes of user account

 # Fixed [artf4503] : Hardcoded text in page navigation
 # Fixed [artf4473] : Bad char in search
 # Fixed [artf4499] : Editing Quotated Menu Item
 # Fixed [artf4472] : Creating New User system message only sends to superusers
 # Fixed : Unable to 'Delete' `Super Administrator` - with check to ensure at 
least one active `Super Administrator` still exists
 # Fixed : Unable to 'change' group of `Administrator` & `Super Administrator` 
- with check to ensure at least one active `Super Administrator` still exists


20-Apr-2006 Rey Gigataras
 * SECURITY A3 [ Low Level ]: Allow only one session per user account in Admin 
Backend
 
 + Allow `save` and `apply` actions to be completed before logging out expired 
sessions


20-Apr-2006 Andrew Eddie
 # Fixed slow query in com_polls
 # Fixed return address errors in patErrorManager
 # Fixed MySQL 5 error when saving menu items


18-Apr-2006 Rey Gigataras
 + Javascript validation checks to mod_poll


16-Apr-2006 Rey Gigataras
 # Fixed [artf4424] : gethostbyaddr(): Address is not a valid IPv4 or IPv6 
address
 # Fixed [artf4407] : Image preview doesn't work with custom directory
 # Fixed [topic,54741] :  Who's Online guest count increments with RSS feed 
access


14-Apr-2006 Rey Gigataras
 # Fixed [artf4400] : Search: Itemid in mod_search also finds trashed Itemid's
 # Fixed [artf4399] : Search title in com_search is never from language file


12-Apr-2006 Rey Gigataras
 # Fixed [artf4346] : $mainframe->login($username,$pwd) compatibility broken
 # Fixed : `body` parameter for mailto tags


11-Apr-2006 Rey Gigataras
 # Fixed [artf4340] : Itemid on menu - multiple links to same content
 # Fixed : cache support for `Blog - Content Section Archive` & `Blog - Content 
Category Archive`
 # Fixed : SEF.php incorrect handling of `mailto` & `javascript` links
 # Fixed : $shownoauth default value in `configuration.php-dist`
 # Fixed : `live_bookmarks` not being disabled properly by security check;
 # Fixed : admin `contact` and `weblink` ordering 


08-Apr-2006 Rey Gigataras
 # Fixed [topic,45136.0] : stop Cache system from creating large amount of 
Cache files
 # Fixed [artf4302] : 'Read more' link is always displayed if 'Linked Titles' 
option enabled
 # Fixed [artf4304] : Bugs in search.html.php
 # Fixed : Content Popup page behaviour


07-Apr-2006 Rey Gigataras
 # Fixed [artf4294] : InputFilter failed escaping string
 # Fixed [artf4050] : mod_mainmenu.php not setting id=active_menu


06-Apr-2006 Rey Gigataras
 * SECURITY A2 [ Low Level ]: check for menu item added to 'Edit Your Details' 
page
 * SECURITY A2 [ Low Level ]: check for menu item added to 'Check-In My Items' 
page
 * SECURITY A2 [ Low Level ]: check for menu item added to 'Submit News' page
 * SECURITY A2 [ Low Level ]: check for menu item added to 'Submit Weblink' page
 
 # Fixed [artf4282] : Extra Empty Menu Span Tags


05-Apr-2006 Rey Gigataras
 # Fixed [artf4010] : When creating new module. Two modules are created when 
clicking save


02-Apr-2006 Rey Gigataras
 # Fixed [artf3575] : Correction needed in stylesheet
 # Fixed [artf4089] : Problem with domit, extended characters and PHP 5.0.2


01-Apr-2006 Rey Gigataras
 # Fixed [topic,50547.0.html] : Print statement left in class.inputfilter.php
 # Fixed [topic,48908.0.html] : Duplicate usernames / Length Checking


31-Mar-2006 Rey Gigataras
 # Fixed [topic,46614.0.html] : mod_templatechooser not working when templates 
name has dashes


30-Mar-2006 Rey Gigataras
 * SECURITY A1 [ Low Level ]: [artf3702] : breadcrumbs: information gathering 
possible by simple urlhacks

 # Fixed [topic,47932.0.html] : 1.0.8 com_contact - incorrect URL?

 ^ Upgrade to Geshi 1.0.7.8


29-Mar-2006 Rey Gigataras
 # Fixed [artf4133] : Blog - Content Section Archive
 # Fixed [artf4093] : No parameter tool tip when ' is used in module.xml
 # Fixed [artf4028] : url to the site is added to the entered link in a menu 
item (SEF disabled)
 # Fixed [artf4102] : mosimage.php - Erroneous right alignment of images
 # Fixed [artf4131] : com_contact displays non-localized message
 
 ^ Upgrade to TinyMCE 2.0.5.1
 ^ Upgrade to TinyMCE compressor 1.0.8
 ^ TinyMCE remove `Help` tab in help popup
 ^ TinyMCE 'word wrap' by default for html source mode


27-Mar-2006 Alex Kempkens
 # corrected searchbot; finding dynamic content while searching for static
 # updated core-SEF support for new multilingual_content config var
 
 
24-Mar-2006 Alex Kempkens
 + Check for mambot/system directory in installer and installation dialogs
 # [artf4066]    content sections not being translated


16-Mar-2006 Rey Gigataras
 # Fixed [artf3913] : [artf3809]: Error with < AND > in tinymce - static 
content manager
 # Fixed : checked out lock icon visible for same user
 # Fixed : Global Config JS error when no session_type value yet set - issue 
only when upgrading
 # Fixed [topic,44206.0.html] : XML help files no longer supported


15-Mar-2006 Rey Gigataras
 # Fixed [artf3927] : Typo in Installer Screen
 # Fixed [artf3940] : single quotes/apostrophes (') 
 # Fixed [topic,46202.0.html] : Problem found in Session id function 
 

13-Mar-2006 Rey Gigataras
 ^ PERFORMANCE : com_content only add call to jos_content_rating where voting 
option activated


12-Mar-2006 Rey Gigataras
 # Fixed [topic,44117.0.html] : com_menumanager can not handle simple quotes (')
 # Fixed [topic,34821.0.html] : Allow search on static contents not linked to a 
menu

 ^ PERFORMANCE : com_statistics `Search Engine Text` page, results returned off 
by default as highly query intensive and can cause site lockup
 ^ `Page Hits` into `Content` sub-menu


11-Mar-2006 Alex Kempkens
 # Fixed some queries missing primary key for translations (contact, newsfeed)


11-Mar-2006 Rey Gigataras
 # Fixed [artf3873] : Invalid Itemid for com_content Category Link
 # Fixed [topic,45343.0.html] : Random image default behavior

 + PERFORMANCE : Auto purge of expired messages for com_messages [default of 7 
days]


10-Mar-2006 Rey Gigataras
 # Fixed [artf3885] : Remove the last hardcoded texts
 # Fixed [artf3713] : Joomla still doesn't work with SQL mode enabled
 
 ^ Ensure showPathway is only called once


09-Mar-2006 Rey Gigataras
 # Fixed [artf3863] : mod_whosonline double ONLINE
 # Fixed [topic,44644.0.html] : Miss spelled Position as Postition
 # Fixed [topic,41593.0.html] : Table - content section - filter works only for 
the first page


08-Mar-2006 Rey Gigataras
 # Fixed [artf3847] : A mistake in joomla_admin template
 # Fixed [artf3748] : Archive - Access Denied
 # Fixed [artf3592] : Archive Pagination Problem
 # Fixed [topic,41627.0.html] : "Undefined variable: filter"
 # Fixed [topic,43315.0.html] : Static text in content.php
 # Fixed [topic,41466.0.html] : NullDate AND '0000-00-00 00:00:00'
 
 ^ Global define of _CURRENT_SERVER_TIME
 ^ sef.php optimization


07-Mar-2006 Rey Gigataras
 + Show whether Cache directory is writable where it is used - com_newsfeeds, 
com_syndicate, custom modules
 
 # Fixed [artf3818] : Path error for agent_browser.php in joomla.php
 # Fixed ensure all require and include calls are using absolute paths


06-Mar-2006 Rey Gigataras
 # Fixed [artf3756] : mossef bot rewrites javascript:void(0) in href
 # Fixed [artf3745] : includes/joomla.php on line 790 setSessionGarbageClean
 # Fixed [topic,41619.0.html] : mosimage caption problem
 # Fixed [topic,42023.0.html] : sample data error with Link - Static Content 
CID value
 

02-Mar-2006 Rey Gigataras
 # Fixed [artf3728] : Error if change the "Syndicate" name in db table 
"jos_components"
 # Fixed [artf3731] : mod_newsflash shows errors when no items are available
 # Fixed [artf3733] : Site (frontend): url to the site is added to the entered 
link in a content item. 
 # Fixed [artf3696] : Typo Site Mambot: Edit [ TinyMCE WYSIWYG Editor ] 
 # Fixed [artf3658] : "New" Content Link/Image Showing With No Categories 
Present
 # Fixed [artf3697] : sefreltoabs error with links to other sites


01-Mar-2006 Rey Gigataras
 * SECURITY A1 [ Low Level ]: Harden mosmsg
 
 # Fixed [artf3656] : contact-component, dropdown


28-Feb-2006 Rey Gigataras
 # Fixed [artf3655] : Login module error
 # Fixed [artf3668] : mosemailcloak bug with mailto:
 # Fixed [artf3681] : invalid markup in com_content showCategories() 
 # Fixed [artf3688] : Hardcoded text in contact.html.php 
 # Fixed [artf3664] : Image links get preceded by "Live Site" URL after 
v1.0.8 upgrade 
 # Fixed [artf3703] : configuration.php-dist has a typo 
 # Fixed [topic,41404.0.html] : configuration.php-dist missing `;`


---------------- 1.0.8 Stable Released -- [26-Feb-2006 05:00 UTC] ------------------

This Release Contains the following Security Fixes

Medium Level Threat
 * Hardening of Remember Me login functionality
 * Protect against real server path disclosure via syndication component
 * Limit arbitrary file creation via syndication component
 * Protect against real server path disclosure in mod_templatechooser

 * Disallow `Weblink` item from being accessible when 'unpublished'
 * Disallow `Polls` item from being accessible when 'unpublished'
 
 * Disallow `Newsfeeds` item from being accessible when category 'unpublished'
 * Disallow `Weblinks` item from being accessible when category 'unpublished' 
 
 * Disallow `Content` item from being accessible despite section/category 
'access level'
 * Disallow `Newsfeed` item from being accessible despite category 'access 
level'
 * Disallow `Weblink` item from being accessible despite category 'access 
level' 
 
 * Disallow `Content` item from being visible despite category 'access level' 
in `Content Section` view  - `Blog - Content Section` & `Blog - Content Section 
Archive`

 * Disallow `Content` items from being viewable when category/section 
'unpublished' - mod_newsflash 
 
 
 Low Level Threat
 * Harden frontend Session ID
 * Harden against multiple Admin SQL Injection Vulnerabilities
 * Disable ability to enter more than one email address in Contact Component 
contact form
 * Harden Contact Component with param option to check for existence of session 
cookie - enabled by default
 * Additional check for correct Admin session name 

 * Disallow access to syndication functionality
 * Disallow `Newsfeeds` Categories from being accessible when 'unpublished'
 * Disallow `Contact` Categories from being accessible when 'unpublished'
 * Disallow `Weblink` Categories from being accessible when 'unpublished'
 * Disallow `Content Section` from being accessible when section 'unpublished' 
- `List - Content Section`
 * Disallow `Content Category` from being accessible when category/section 
'unpublished' - `Table - Content Category`

 * Disallow `Contact` Categories from being accessible as per category 'access 
level'
 * Disallow `Newsfeeds` Categories from being accessible as per category 
'access level'
 * Disallow `Weblinks` Categories from being accessible as per category 'access 
level'
 * Disallow `Content Section` from being accessible as per section 'access 
level' - `List - Content Section`
 * Disallow `Content Category` from being accessible as per section/category 
'access level' - `Table - Content Category`
 * Disallow `Content Category` from being accessible as per category 'access 
level' - `Blog - Content Category` & `Blog - Content Category Archive`

 * Disallow `Content` item links from being visible as per category/section 
'access level' - mod_newsflash, mod_latestnews, mod_mostread

 * Disallow Category Search returning items despite section 'access level' & 
section 'state'
 * Disallow Contact Search returning items despite 'access level' & category 
'state'
 * Disallow Content Search returning items despite section 'access level'
 * Disallow Newsfeed Search returning items despite category 'state'
 * Disallow Weblink Search returning items despite category 'state'

---


25-Feb-2006 Rey Gigataras
 # Fixed [topic,40568.0.html] : Conversion of & to & when editing 'new' 
modules, breaking xhtml compliance
 # Fixed [topic,40568.0.html] : Itemid=99999999 visible when navigating polls
 # Fixed artf3630 : Site name printed twice in the popup window title (print, 
email to friend)
 
 ^ Upgraded to TinyMCE 2.0.4
 
 - Deprecated Admin templates - mambo_admin & mambo_admin_blue


24-Feb-2006 Rey Gigataras
 * SECURITY [ Low Level ]: Add check for correct Admin session name 
 
 # Fixed HTTP_ACCEPT_ENCODING problems
 # Fixed incorrect handling of external links with mossef
   
 ^ Special Flag to allow different login behaviour of site for Production vs 
online Demo site


23-Feb-2006 Robin Muilwijk
 # Fixed [topic,39449.0.html] : typo in menu manager


23-Feb-2006 Rey Gigataras
 ^ Global Config session life only controls purging of frontend logged in 
sessions
 ^ Guests session separately purged at a hardcoded 900 seconds


22-Feb-2006 Rey Gigataras
 # Fixed artf3591 : Error if unpublish menu item
 # Fixed [topic,39295.0.html] : SEF handling of custom .htaccess reconfigured 
urls
 # Fixed [topic,39295.0.html] : mod_login return value incorrectly returning 
'index.php?' if coming from site homepage
 
 ^ Frontend Session Tracking cookie uses `Expire at End of Session`, rather 
than expiry by a set time to resolve issues with incorrect system clocks
 

21-Feb-2006 Rey Gigataras
 * SECURITY [ Medium Level ]: Real server path disclosure in mod_templatechooser

 # Fixed [topic,39295.0.html] : Incorrect favicon path in installer 
 # Fixed [topic,39295.0.html] : Admin logout does not clear/delete session 
being logged out
 
 ^ Remember Me Cookie amalgamated into a single cookie.


20-Feb-2006 Rey Gigataras
 # Fixed [topic,39295.0.html] : error in TinyMCE 2.0.3 (toggle fullscreen mode)


20-Feb-2006 Andrew Eddie
 # Fixed filelist param - would always show list entries related to images for 
default and do not use


19-Feb-2006 Rey Gigataras
 # Fixed [topic,36462.0.html] : time check incorrectly being based on local 
time - rather than server time
 # Fixed [topic,39103.0.html] : utf-8 encoded newsfeeds in a ISO-8859-1 site


18-Feb-2006 Rey Gigataras
 # Fixed [topic,39101.0.html] : Newsfeeds do not display

 ^ PERFORMANCE : General query reduction work
 ^ PERFORMANCE : Reduce queries used by search bots to load params
 ^ PERFORMANCE : 'editor-xtd' bot group loaded only once - effect = reduction 
in queries
 ^ Refactored session handling code for Admin sessions
 
 + session.gc_maxlifetime setting for Admin Sessions


17-Feb-2006 Rey Gigataras
 # Fixed artf3543 : Rev 2393 Language Manager Error
 # Fixed [topic,22061.0.html] : Wrapper Autoheight ability set to off by 
default, as causes javascript errors when used on sites not on your domain
 # Fixed [topic,30542.0.html] : MySQL 5 support in strict mode 
 # Fixed artf3605 : Spelling error when saving content
 # Fixed artf3576 : Javascript conflict in mod_wrapper

 ^ PERFORMANCE : `dynamic` Itemid checks store previous query results - effect 
= reduction in queries
 ^ PERFORMANCE : `static` Itemid counters now loaded only once - effect = 
reduction in queries
 ^ PERFORMANCE : 'content' bot group loaded only once instead of each time 
content is loaded - effect = reduction in queries
 ^ PERFORMANCE : individual 'content' bot query to pull params loaded only once 
instead of each time content is loaded - effect = reduction in queries

 + new Admin Session Life Global Config param, allowing setting of admin 
session idle logout time
 + query debug mode to backend
 

16-Feb-2006 Rey Gigataras
 # Fixed artf3523 : mosemailcloak issue with mailto params
 # Fixed : disable mossef bot from working on mailto links
 # Fixed [topic,36637.0.html] : SEF deactivated relative & absolute url handling
 # Fixed [topic,36637.0.html] : Session username not correct for those coming 
from `Remember Me` cookie
 
 + PERFORMANCE : Simple check for all bots to determine whether they should 
process further 
 ^ PERFORMANCE : Reduce queries used by bots to load params - mosemailcloak, 
mosimage, mosloadposition, mospaging - effect = reduction in queries
 ^ PERFORMANCE : 'editor-xtd' bot group loaded only when needed - effect = 
reduction in queries


15-Feb-2006 Rey Gigataras
 # Fixed artf3527 : "New" Content Link and Image Not Present When Category Empty
 # Fixed [topic,36462.0.html] : Static Content Start/Finish publishing time is 
based on server time, not local time
 # Fixed : Publisher submission message for frontend content editing/submission


14-Feb-2006 Rey Gigataras
 * SECURITY [ Low Level ]: Disable ability to enter more than one email address 
in Contact Component contact form
 
 # Fixed artf3144 : NULL values from SQL tables not loaded
 # Fixed [topic,31769.0.html] : $access variable conflict com_content
 # Fixed [topic,32201.0.html] : mod_related_items urls not xhtml compliant
 # Fixed [topic,31185.0.html] : heading in pagination not working
 # Fixed [topic,10947.0.html] : Add Prefix check to installer  
 # Fixed artf3082 : Template preview *still* not available 
 # Fixed artf2925 : mosGetParam has side effects
 # Fixed [topic,38017.0.html] : Content -> New -> Cancel 
 
 ^ Upgraded TinyMCE to 2.0.3 & TinyMCE GZip Compressor to 1.0.7


13-Feb-2006 Rey Gigataras
 * SECURITY [ Medium Level ]: Hardening of Remember Me login functionality
 * SECURITY [ Low Level ]: Harden Contact Component with param option to check 
for existence of session cookie - enabled by default


12-Feb-2006 Rey Gigataras
 * SECURITY [ Low Level ]: Multiple Admin SQL Injection Vulnerabilities
 * SECURITY [ Low Level ]: Category Search returns items despite section 
'access level' & section 'state'
 * SECURITY [ Low Level ]: Contact Search returns items despite 'access level' 
& category 'state'
 * SECURITY [ Low Level ]: Content Search returns items despite section 'access 
level'
 * SECURITY [ Low Level ]: Newsfeed Search returns items despite category 
'state'
 * SECURITY [ Low Level ]: Weblink Search returns items despite category 'state'
 
 # Fixed artf3391 : Apostrophes in Category: Edit
 # Fixed artf3291 : Alert() problem
 # Fixed artf3188 : Unnecessary table cell in contact.html.php
 # Fixed artf3121 : css errors in tiny_mce and rhuk_solarflare_ii template
 # Fixed artf3181 : Task routing class
 # Fixed artf3400 : showCalendar does not get value of date
 # Fixed artf3348 : Bold tag overrides css in mod_poll.php 
 # Fixed artf3120 : &and & &link not defined in admin.categories.php
 # Fixed artf3446 : Problems with mosimage with caption
 # Fixed artf3100 : Incorrect Response Headers for Missing Pages
 # Fixed artf3220 : Search bug: No way to update referenced search component
 # Fixed artf3438 : RSS Feed created is not based on the same encoding as the 
content
 # Fixed artf3108 : Joomla 1.0.7 core SEF bug gives 404 on homepage
 # Fixed artf3169 : RSS feeds does not work with SEF disabled


11-Feb-2006 Rey Gigataras
 * SECURITY [ Medium Level ]: Protect against real server path disclosure via 
syndication component
 * SECURITY [ Medium Level ]: Limit arbitrary file creation via syndication 
component
 
 # Fixed artf3397 : link to menu and loss of images list
 # Fixed artf3109 : 1.0.7 "The XML page cannot be displayed ERROR" ob_gzhandler 
issue
 # Fixed artf3447 : TinyMCE and relative urls
 # Fixed artf3183 : Sub-menu items of separators not showing in module menu 
selection list
 # Fixed artf3103 : $mosConfig_cachepath not used everywhere
 # Fixed artf3114 : mod_related_items outputs nothing
 # Fixed artf3234 : mod_related_items uninitialized mosConfig_offset variable
 # Fixed artf3402 : Missing param in module
 # Fixed artf3067 : Reopen: Unhandled fragment identifier with core SEF enabled
 # Fixed [topic,31813.0.html] : new .htaccess gives proper 404s [Steve Graham]
 
 + Disable session.use_trans_sid to .htaccess


10-Feb-2006 Rey Gigataras
 * SECURITY [ Low Level ]: Harden frontend Session ID
 
 # Fixed artf3421 : Session cleanup relies on administrator login
 # Fixed artf3307 : Error in code - non critical, but logout setcookie not 
working
 # Fixed artf3126 : Short open PHP tag in pathway.php 
 # Fixed artf3126 : artf3413 : small problem with variable in 
xml_domit_lite_parser.php
 # Fixed [topic,34620.0.html] : Excessive Joomla Sessions, and AOL Login 
Problem [Steve Graham]
 # Fixed mosWarning() $title error
 
 + New Session Type Global Config param 

08-Feb-2006 Rey Gigataras
 * SECURITY [ Medium Level ]: # Fixed : `Content` items viewable when 
category/section 'unpublished' - mod_newsflash 
 * SECURITY [ Low Level ]: # Fixed : `Content` item links visible despite 
category/section 'access level' - mod_newsflash, mod_latestnews, mod_mostread
 
 # Fixed artf3393 : Latestnews doesn't show static content


07-Feb-2006 Robin Muilwijk
 # Fixed artf3328, 1.0.7 EN Installation Typo - Step 1
 # Fixed artf3401 : Spelling errors in two modules


31-Jan-2006 Rey Gigataras
 + Additional Contact Component hardening


30-Jan-2006 Rey Gigataras
 * SECURITY [ Medium Level ]: # Fixed : `Content` item accessible despite 
section/category 'access level'
 * SECURITY [ Medium Level ]: # Fixed : `Content Section` view `Content` items 
visible despite category 'access level' - `Blog - Content Section` & `Blog - 
Content Section Archive`
 * SECURITY [ Medium Level ]: # Fixed : `Newsfeed` item accessible despite 
category 'access level'
 * SECURITY [ Medium Level ]: # Fixed : `Weblink` item accessible despite 
category 'access level'
 * SECURITY [ Low Level ]: # Fixed : `Contact` Categories accessible despite 
category 'access level'
 * SECURITY [ Low Level ]: # Fixed : `Newsfeeds` Categories accessible despite 
category 'access level'
 * SECURITY [ Low Level ]: # Fixed : `Weblinks` Categories accessible despite 
category 'access level'
 * SECURITY [ Low Level ]: # Fixed : `Content Category` view accessible despite 
section/category 'access level' - `Table - Content Category`
 * SECURITY [ Low Level ]: # Fixed : `Content Category` view accessible despite 
category 'access level' - `Blog - Content Category` & `Blog - Content Category 
Archive` 
 * SECURITY [ Low Level ]: # Fixed : `Content Section` view accessible despite 
section 'access level' - `Table - Content Section`

 ^ Contact Items display Authorization block text if category 'access level' 
denies access
 ^ Blog pages display Authorization block text if section/category 'access 
level' denies access
 
 
29-Jan-2006 Rey Gigataras
 * SECURITY [ Medium Level ]: # Fixed : `Weblinks` item accessible when 
category 'unpublished' 
 
 ^ Blog pages display Authorization block text if section/category being 
unpublished


25-Jan-2006 Rey Gigataras
 * SECURITY [ Low Level ]: # Fixed : No way to disable access to syndication 
functionality


17-Jan-2006 Rey Gigataras
 * SECURITY [ Medium Level ]: # Fixed : `Weblink` item accessible when 
'unpublished'
 * SECURITY [ Medium Level ]: # Fixed : `Polls` item accessible when 
'unpublished'
 * SECURITY [ Medium Level ]: # Fixed : `Newsfeeds` item accessible when 
category 'unpublished'
 * SECURITY [ Low Level ]: # Fixed : 'unpublished' `Newsfeeds` Categories 
accessible
 * SECURITY [ Low Level ]: # Fixed : 'unpublished' `Contact` Categories 
accessible
 * SECURITY [ Low Level ]: # Fixed : 'unpublished' `Weblink` Categories 
accessible
 * SECURITY [ Low Level ]: # Fixed : `Content Section` accessible when section 
'unpublished' - `List - Content Section`
 * SECURITY [ Low Level ]: # Fixed : `Content Category` view accessible when 
category/section 'unpublished' - `Table - Content Category`


---------------- 1.0.7 Released -- [15-Jan-2006 21:00 UTC] ------------------
 
 
 15-Jan-2006 Rey Gigataras
  # Fixed : database password being incorrectly overwritten with a blank
 
 
 ---------------- 1.0.6 Released -- [15-Jan-2006 15:00 UTC] ------------------
 
 
 This Release Contains the following Security Fixes
 
 Low Level Threat
 * Disallow Author from publishing items or changing publish state
 * Hardened Contact Component against misuse
 * Added simple filtering control ability to Contact Component
 * Hardened misuse of Contact Component `email copy` ability when not activated
 * Hardened misuse of Contact Component `VCard` ability when not activated
 * `VCard` & `Email Copy` options set to hide by default
 * Multiple Vulnerabilities in TinyMCE Compressor
 * Hardened Itemid against misuse
 * Hide database password in Global Configuration
 
 ---
 
 15-Jan-2006 Rey Gigataras
  * SECURITY [ Low Level ]: Hide database password in Global Configuration
  # Fixed artf3064 : Warning: Invalid argument supplied mod_fullmenu Line 57
  # Fixed artf3063 : Poll Component Output Display Error
 
 14-Jan-2006  Louis Landry
  # Fixed Caching `Blog` pagination problem
 
 14-Jan-2006 Rey Gigataras
  * SECURITY [ Low Level ]: disallow Author from publishing items or changing 
publish state 
    [identified Max Dymond]
  # Fixed artf3055 : Weblink submit, no email to admin
  # Fixed artf3045 : Unhandled fragment identifier with core SEF enabled
  # Fixed artf3032 : 1783: Can't get custom CSS in Tiny MCE
  # Fixed artf3052 : Contact Component Re-Direct Issue
  # Fixed artf3043 : Login & Logout redirecting to $mosConfig_live_site
  # Fixed artf3040 : Site Modules | Display can be duplicated on Pages
  # Fixed problem with display mod_rssfeed twice on a page
  ^ Contact Component confirmation now uses mosredireect msg, rather than JS
 
 13-Jan-2005 Andrew Eddie
  # Fixed bug in database::loadRowList that returns assoc and not numerical array
  # Fixed bug in index2.php where joomlajavascript.js is not included
 
 13-Jan-2006 Rey Gigataras
  * SECURITY [ Low Level ]: + simple filter check to Contact Component
  # Fixed artf3038 : Warning: array_search(): Wrong datatype for second 
argument in
  # Fixed artf3037 : New 404 tags aren't translated
  # Fixed artf3035 : Bug with mod_newsflash
  
 12-Jan-2006 Alex Kempkens
  # Fixed mosFormateDate, handling offsets with value 0
 
 12-Jan-2006 Rey Gigataras
  * SECURITY [ Low Level ]: changed `Email Copy` param option for new Contacts 
now set to `hide`
  # Fixed artf2070 : mosHTML:encoding_converter() breaks with o"
  # Fixed missing <li> tag in newsfeed component
  # Fixed artf1487 : Media Manager breaks when illegal characters in uploaded 
file name
  # Fixed artf2108 : Saving a parent inside of a child 
  + caching support to `Frontpage` component
  + missing param for `Table - Weblink Category`
  - sef handling in mod_search.php as SEF
  - unnecessary `checked out` check in  mod_latestnews.php and mod_mostread.php 
  - unnecessary param variable in mod_latestnews.php
 
 10-Jan-2006 Rey Gigataras
  * SECURITY [ Low Level ]: Fixed artf2386 : Preventing Spambots through 
com_contact
  # Fixed artf2622 : admin.users.php session_start called when a session is 
already open
  # Fixed artf2789 : invalid xhtml
  # Fixed artf2989 : User WYSIWYG editor setting resets after adding new user 
from backend
  # Fixed artf2986 : Wrong link to image-icon in weblinks
 
 08-Jan-2006 Johan Janssens
  * SECURITY [ Low Level ]: Fixed Security Vulnerability in TinyMCE Compressor
 
 08-Jan-2006 Rey Gigataras
  * SECURITY [ Low Level ]: Fixed artf2950 : Information leak with Vcard hide 
function
  * SECURITY [ Low Level ]: changed `VCard` param option for new Contacts now 
set to `hide`
  # Fixed DOMIT bugs [identified by sarahk] 
    http://sarahk.pcpropertymanager.com/blog/using-domit-rss/225/
  # Fixed artf2793 : New user confirmation link warning on login 
  # Fixed artf2732 : Pagination in the Blog section/category doesn't work 
  # Fixed artf2943 : Incorrect Redirect for Weblinks
  # Fixed artf2945 : Undefined constant in php_http_exceptions.php
 
 07-Jan-2006 Rey Gigataras
  # Fixed artf2933 : Pathway problem on Windows
 
 06-Jan-2006 Rey Gigataras
  ^ changed mod_archive so that no Itemid is assigned, meaning it uses the 
default Itemid=99999999
  # Fixed artf2738 : Incorrect SEF links for archive com_content links
  # Fixed artf1809 : mospagebreak problem with "Special Characters"
  # Fixed artf2861 : article_seperator glitch
 
 05-Jan-2006 Rey Gigataras
  # Fixed artf2825 : RSS module SEF urls
 
 04-Jan-2006 Rey Gigataras
  * SECURITY [ Low Level ]: Fixed artf2050 : Itemid in index2.php
  # Fixed Related items Module shows Expired items - Mambo Tracker [#7590] 
  # Fixed artf2185 : Changing weblinks possible for everyone
 
 03-Jan-2006 Andy Miller
  ^ Updated copyright information for iCandy Junior icons
 
 03-Jan-2005 Rey Gigataras
  # Fixed XHTML validation error in `Blog` view with decimal value widths
  # Fixed XHTML validation error in `Table - Content Category`
  # Fixed artf2791 : RSS item links not SEF'd
  # Fixed artf2791 : RSS items have no category
  # Fixed artf2813 : Media Manager doesn't support ICO files
 
 02-Jan-2006 Rey Gigataras
  # Fixed artf2802 : All content made bold for Rss module published on the 
frontpage
  # Fixed artf2780 : Newsflash Read More bad link
  # Fixed artf2786 : Newsflash module not picking up "linked title" global 
setting
  # Fixed artf2810 : 1.0.x changelog incorrectly states release date of 1.0.5
  
 30-Dec-2005 Rey Gigataras
  # Fixed `Unlimited` banner impressions option
  # Fixed artf2776 : Multiple banners not possible
  # Fixed artf2788 : admin template css errors
 
 29-Dec-2005 Rey Gigataras
  # Fixed artf2646 : name="" not valid XHTML
  # Fixed artf2747 : title_alias is missing in mambots
  # Fixed `Reset Clicks` button not working in admin component `Banner Manager`
  # Fixed artf2712 : Clicks reset on save 
 
 29-Dec-2005 Andrew Eddie
  ^ SEF error handling throws to new /templates/404.php file
  # Rolled back changes to database::insertObject
  + New prototype MySQL 5 driver
 
 24-Dec-2005 Emir Sakic
  # Fixed a bug with 404 header being returned for homepage when SEF activated
  # Fixed a bug with all items on frontpage returning Itemid=1 (duplicate 
content)
   
21-Dec-2005 Andrew Eddie
 # Fixed slow query in com_content (Author text in a content item is now set to 
Written By)
 # Fixed bug in backend poll entry with ' is in option name
 # Fixed bug where content modified date is not updated on a bulk 
publish/archive operation
 + Added TEMPLATEURL to patTemplate preloaded variables
 ^ patTemplate Translate now recognises 1.0 version language constants

20-Dec-2005 Emir Sakic
 # Fixed artf2432 : Apostrophe in paths isn't escaped properly

20-Dec-2005 Johan Janssens
 # Fixed artf2389 : gzip compression not operational
 # Fixed artf2599 : losing Itemid after submitting "ask for new password"
 # Fixed artf1712 : Search Mambots return duplicate results
 # Fixed artf2534 : Template chooser no longer able to manage SEF urls / XHTML 
validation
 # Fixed artf1410 : 'Special' access menu locks out 'public' menu's articles 
"read more" content
 # Fixed artf2595 : Deleted "mass mail" item menu in component menu
 # Fixed artf2518 : mod_latestnews problem
 # Fixed artf2591 : mosMakePath problem with mkdir on strato
 # Fixed artf2665 : Most Read module generates incorrect class for <li> 
statement
 # Fixed artf2666 : Pagination Error in Category Manager
 # Fixed artf2407 : parameter type=mos_category show only "- Select Content 
Category -"

16-Dec-2005 Andy Miller
 # Fixed mod_whosonline not rendering list properly

07-Dec-2005 Andrew Eddie
 + Added database::getAffectedRows to db connectors

10-Dec-2005 Emir Sakic
 # Fixed artf2517 : "Cancel" the editing of content after "apply" not possible

09-Dec-2005 Emir Sakic
 # Fixed artf2324 : SEF for components assumes option is always first part of 
query
 # Fixed artf1955 : Search results bug

07-Dec-2005 Andrew Eddie
 # Fixed uninitialised array in mosHTML::MenuSelect method
 + Added mosBackTrace debugging function
 # Fixed bug in mosDBTable::load where null table values don't overwrite 
properly

07-Dec-2005 Johan Janssens
 # Fixed artf2430 : invalid values in tabpane.css
 # Fixed artf2457 : VCard bug IS a bug
 # Fixed artf2218 : RSS Newsfeed module generates wrong rendering output
 # Fixed artf2453 : Random Image Module
 # Fixed artf2251 : Poll title error
 # Fixed artf2393 : Original editor cannot open content item if checked out
 # Fixed artf2323 : overlib_hideform_mini.js parse error
 # Fixed artf2248 : Incorrect hits count on multipage articles
 # Fixed artf2342 : getBlogCategoryCount
 # Fixed artf2464 : Contacts Component image path error
 # Fixed artf2404 : Contact detail html bug
 ^ Replaced install.png with transparent image - contributed by joomlashack
 # Fixed artf2245 : RSS not showing enclosure tags
 # Fixed artf2247 : RSS newsfeed on Frontend missing link
 # Fixed bug in Domit lite parser
 # Fixed mosMail() is missing "ReplyTo:" field to avoid anti-spam rules (SPF)
 # Fixed Small typo in mosBindArrayToObject

06-Dec-2005 Alex Kempkens
 # Fixed artf2434: Typo in database.php checkout function line 1050
 # Fixed artf2398 : Parameter Text Area field name

06-Dec-2005 Johan Janssens
 # Fixed artf2418 : Banners Client Manager Next Page Issue: Joomla 1.04
 # Fixed artf2156 : memory exhaustion error in joomla.xml.php
 # Fixed artf2378 : mosCommonHTML::CheckedOutProcessing not checking if the 
current user has checked out the document
 # Fixed artf1948 : Pagination problem still exists
 ^ Upgraded TinyMCE Compressor [1.0.4]
 ^ Upgraded TinyMCE [2.0.1]

01-Dec-2005 Andrew Eddie
 # Fixed nullDate error in mosDBTable::checkin method
 # Removed $migrate global in mosDBTable::store method
 # Fixed some MySQL 5 issues (still very unreliable)
 + Component may force frontend application to include joomla.javascript.js by:
   $mainframe->set( 'joomlaJavascript', 1 );

01-Dec-2005 Andrew Eddie
 # Fixed limit error in sections search bot
 # Bug in gacl_api::add_group query [c/o Mambo bug #8199]
 # Search highlighting fails when a "?" is entered [c/o Mambo bug #8260]

30-Nov-2005 Emir Sakic
 + Added 404 handling for missing content and components
 + Added 404 handling to SEF for unknown files

30-Nov-2005 Andrew Eddie
 # Site templates allowed to have custom index2.php (fixes problems where 
custom code is required in index2)

29-Nov-2005 Andrew Eddie
 # Fixed artf2258 : Parameter tooltips missing in 1.0.4

28-Nov-2005 Andrew Eddie
 # Fixed artf2329 : mosMainFrame::getBasePath refers to non-existent JFile 
class.
 # Fixed artf2246 : Error in frontend.html.php
 # Fixed artf2190 : mod_poll.php modification
 # Fixed artf2292 : [WITH FIX] Sql query missing hits

24-Nov-2005 Emir Sakic
 # Fixed artf2225 : Email / Print redirects to homepage
 # Fixed artf1705 : Not same URL for same item : duplicate content

23-Nov-2005 Johan Janssens
 # Fixed : Content Finish Publishing & not authorized

22-Nov-2005 Marko Schmuck
 # Fixed artf2240 : 1.0.4 URL encoding entire frontend?
 # Fixed artf2222 : ampReplace in content.html.php
 + Versioncheck for new_link parameter for mysql_connect.

22-Nov-2005 Levis Bisson
 # Fixed artf2221 : 1.0.4: includes/database.php faulty on PHP < 4.2.0
 # Fixed artf2219 : Bug in pageNavigation.php - added "if not define _PN_LT or 
_PN_RT"

22-Nov-2005 Johan Janssens
 # Fixed artf2224 : Problem with Media Manager
 # Fixed : Can't create new folders in media manager



To generate a diff of this commit:
cvs -z3 rdiff -u -r1.1.1.1 -r1.2 wip/joomla/PLIST wip/joomla/distinfo
cvs -z3 rdiff -u -r1.5 -r1.6 wip/joomla/Makefile

To view a diff of this commit:
http://pkgsrc-wip.cvs.sourceforge.net/pkgsrc-wip/wip/joomla/PLIST?r1=1.1.1.1&r2=1.2
http://pkgsrc-wip.cvs.sourceforge.net/pkgsrc-wip/wip/joomla/distinfo?r1=1.1.1.1&r2=1.2
http://pkgsrc-wip.cvs.sourceforge.net/pkgsrc-wip/wip/joomla/Makefile?r1=1.5&r2=1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
