Composr Version 11 beta2 (bleeding-edge, manual)
This is the manual installer (as opposed to the regular quick installer) for version 11 beta2. This version is a beta release of the next major version of Composr. Please read the changelog for important upgrade information. Upgrading to this release is not recommended for live sites.
Changes to password hashes
The method of hashing passwords has changed (previously, MD5 hashing was applied before bcrypt; this was very insecure). As such, please note the following implications:
- If you have password change days set, Composr will not (correctly) check against past passwords members used prior to 11.beta1. So members will be able to use a prior password if they used it before you upgraded to 11.beta2.
- Also, Composr will only check the most recent 10 passwords a member used from now on.
- Passwords in f_members using the old hashing will be accepted but updated automatically to the new and more secure hashing the next time a member logs in or changes their password. As such, members should still be able to log in despite this change.
- This change does not affect the maintenance password in _config.php.
Please report any issues to the tracker if you encounter any.
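The two behaviours described above (accepting a record made with the old MD5-then-bcrypt scheme but rewriting it in the new scheme on the next successful log-in, and checking only the most recent 10 passwords when password change days are set) can be sketched in PHP as follows. This is an added example and not Composr's own code: the `scheme$hash` record layout, the scheme labels `md5-bcrypt` and `bcrypt`, the function names and the sample password are all assumptions made for illustration; Composr's real `f_members` storage format is not shown here.

```php
<?php
declare(strict_types=1);

// Added example, not Composr's own code. Scheme labels and the "scheme$hash"
// record layout are assumptions made for illustration.
const LEGACY_SCHEME = 'md5-bcrypt';  // assumed label: bcrypt over md5($password)
const CURRENT_SCHEME = 'bcrypt';     // assumed label: bcrypt over the raw password
const PASSWORD_HISTORY_LIMIT = 10;   // per the release notes, only the most recent 10 are checked

// Produces a legacy-style record so the migration path can be exercised.
// Pre-hashing with MD5 is the weak pattern the release notes retire.
function legacy_hash(string $password): string
{
    return LEGACY_SCHEME . '$' . password_hash(md5($password), PASSWORD_BCRYPT);
}

function current_hash(string $password): string
{
    return CURRENT_SCHEME . '$' . password_hash($password, PASSWORD_BCRYPT);
}

/**
 * Verify $password against a stored record. Returns null when the password is
 * wrong or the scheme is unknown; otherwise returns the record to persist: a
 * fresh current-scheme hash whenever the stored one was legacy or is due for a
 * rehash (e.g. the bcrypt cost was raised), and the original record otherwise.
 */
function verify_and_upgrade(string $password, string $record): ?string
{
    $parts = explode('$', $record, 2); // bcrypt hashes contain '$', so limit to 2
    if (count($parts) !== 2) {
        return null;
    }
    [$scheme, $hash] = $parts;

    switch ($scheme) {
        case CURRENT_SCHEME:
            if (!password_verify($password, $hash)) {
                return null;
            }
            return password_needs_rehash($hash, PASSWORD_BCRYPT) ? current_hash($password) : $record;

        case LEGACY_SCHEME:
            if (!password_verify(md5($password), $hash)) {
                return null;
            }
            // Successful log-in with a legacy record: hand back the upgraded form to store.
            return current_hash($password);

        default:
            return null; // unknown scheme: reject rather than guess
    }
}

// Scheme-aware check of the most recent PASSWORD_HISTORY_LIMIT records
// ($history ordered newest first), for when password change days are enforced.
function password_used_recently(string $password, array $history): bool
{
    foreach (array_slice($history, 0, PASSWORD_HISTORY_LIMIT) as $record) {
        if (verify_and_upgrade($password, $record) !== null) {
            return true;
        }
    }
    return false;
}

// Demonstration with constructed values.
$password = 'constructed-example-password';
$record = legacy_hash($password);

$stored = verify_and_upgrade($password, $record);
echo 'legacy record accepted: ', ($stored !== null ? 'yes' : 'no'), PHP_EOL;
echo 'upgraded to current scheme: ',
    (strncmp((string) $stored, CURRENT_SCHEME . '$', strlen(CURRENT_SCHEME) + 1) === 0 ? 'yes' : 'no'), PHP_EOL;
echo 'wrong password rejected: ', (verify_and_upgrade('not-the-password', $record) === null ? 'yes' : 'no'), PHP_EOL;
echo 'reuse blocked by history: ', (password_used_recently($password, [$stored]) ? 'yes' : 'no'), PHP_EOL;
```

The important design point is that the caller only ever persists what `verify_and_upgrade()` returns, so a legacy record is replaced the first time its owner logs in and an unknown scheme tag is rejected outright rather than guessed at.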
Changes to crypt.php
Generally no action is needed for this, but 11 beta2 changes how crypt is used. Session IDs now use base32 (digits and lowercase letters, excluding 0, 1, l, and o). Cookie log-in uses a much more secure and complex base64 string. New site installs get a much more secure, randomised site salt. The use of md5 hashing has also been removed from crypt, because md5 is very insecure and negates the point of cryptographic security and randomness.
Please report any issues to the tracker if you encounter any.
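The kinds of value the crypt changes describe (a base32 session ID from the reduced alphabet, a base64 cookie log-in token, and a random site salt), generated from the operating system's CSPRNG rather than anything md5-derived, look like this in PHP. This is an added example and not Composr's crypt.php: the alphabet order, the lengths and the function names are assumptions; the character set itself follows the release notes (digits and lowercase letters without 0, 1, l and o), which leaves exactly 32 symbols.

```php
<?php
declare(strict_types=1);

// Added example, not Composr's crypt.php. Alphabet order, lengths and function
// names are assumptions; the character set follows the release notes.
const SESSION_ID_ALPHABET = '23456789abcdefghijkmnpqrstuvwxyz';

// Each character is drawn with random_int(), which uses the OS CSPRNG (unlike
// rand()/mt_rand()); with exactly 32 symbols there is no modulo bias.
function secure_session_id(int $length = 32): string
{
    $alphabet = SESSION_ID_ALPHABET;
    if (strlen($alphabet) !== 32) {
        throw new LogicException('session ID alphabet must have exactly 32 symbols');
    }
    $id = '';
    for ($i = 0; $i < $length; $i++) {
        $id .= $alphabet[random_int(0, 31)];
    }
    return $id;
}

// Cookie log-in token: 256 bits of CSPRNG output, base64 in the cookie-safe variant.
function secure_cookie_token(int $bytes = 32): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Site salt for a new install: random bytes, not anything derived from time(),
// uniqid() or md5() of predictable input.
function generate_site_salt(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Compare a presented cookie token against the stored one in constant time.
function cookie_token_matches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Check that a generated ID really stays inside the reduced alphabet.
function is_valid_session_id(string $id, int $length = 32): bool
{
    return strlen($id) === $length && preg_match('/^[2-9a-km-np-z]+$/', $id) === 1;
}

$sid = secure_session_id();
echo 'session id: ', $sid, ' (valid: ', (is_valid_session_id($sid) ? 'yes' : 'no'), ')', PHP_EOL;
$token = secure_cookie_token();
echo 'cookie token: ', $token, ' (', strlen($token), ' chars)', PHP_EOL;
echo 'site salt: ', generate_site_salt(), PHP_EOL;
echo 'token check: ', (cookie_token_matches($token, $token) ? 'match' : 'mismatch'), PHP_EOL;
```

`is_valid_session_id()` doubles as a server-side sanity check on an incoming session cookie: anything outside the 32-symbol alphabet or of the wrong length can be discarded before it reaches a database lookup.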
The following tracker issues have been resolved since version 11.beta1…
- Inactive big tab content goes behind the page [core_rich_media]
- Undefined array key group_leader [actionlog]
- Hotfixes via upgrader extracted no files [core_upgrader]
- Quick installer does not run install_env health checks [installer]
- Possibly no validation on disable_cron_hook [errorlog]
- No validation for id parameter in stats module [stats]
- Improve keep_fatalistic [core]
- Apache now blocks spaces / control characters as part of mod_rewrite [core]
- Broken URL tool can easily exceed POST request size [actionlog]
- Changes to default cookie names and handling for prefixes [core]
- Hash and salt the member_hash value in the database like we do passwords [core_cns]
- Make get_secure_random_string more secure [core]
- Remove all uses of md5 in crypt and increase general crypt security [core]
The following changes were made via git since version 11.beta1…
- Fix username length check problems
- Documentation tweak, explain MEDIA_IMAGE_WEBSAFE OpenGraph behavior
- Specifically define the step for hotfix application
- Too many END directives
- Do not force rule declaration on upgrade or on new installs (except after Setup Wizard)
- Tidy up icons on rank tab
- Reduce profile tab squishing
- Telemetry test / fixes
- Don't attach message if a locked hook is also disabled
- Content stats hook needs to query category
- Profile debugging on stats
- Seems our stats hang-up is on views; debug further
- Add set_value and get_value commands for ease of use
- Missing floats on framed attachments
- Only initialise Hybridauth session if we initialise Hybridauth itself (may be reverted if this breaks Hybridauth)
- Update max tested software versions
- Add file_array_scandir to make_release
- Merge branch 'v11' of gitlab.com:composr-foundation/composr into v11
- Move magic 7 day number for warning content deletion to a single value
- Health Check changes / improvements especially to language (needs migrated to lang strings)
- Merge remote-tracking branch 'origin/v11' into v11
- Remove Trickstr (and programe)
- Add concise rules about alpha/beta/RC and when to bump minor/major versions
- Also add rules about not re-releasing versions
- Add more stripping in stack traces; Add additional failsafe if error notifications > 256 kb
- We should also truncate for telemetry errors
- Additional changes necessary so Telemetry always receives the actual error
- Alright strip_comcode will not work (infinite loop); just have to deal with ugly error dumps
- Also add total size checking for errors folder
- Also add manual check for files in data_custom/errors
- Document field name conventions that should be used based on type
- Edge case: Possible the hook is running multiple times in parallel (but very unlikely)
- Missing require
- Missing join bit in sortable
- Missing require lang
- Disastr bugs
- Filter errors on admin_cmsusers
- TODO fix this
- Missing index.html for templates_cached
- Oops actually that is a theme that should not have been created
- Zones might not always be required when we reach this block
- Shorten value name so less likely to trigger db errors
- English
- Remove concerning CSP disabling line
- Enable CSP on WYSIWYG, but allow inline_js for it to work
- Update comments
- Add new privilege for specifying custom message in recommend addon
- Whoops, wrong defaults
- Add missing done_something
- Potential Tempcode inequality
- We do not need to limit webservice requests to 130 chars anymore
- Truncate sent error message to errorservice down to first 8 kb
- Third party changes for new current_fatalistic
- Start of Mantis updates
- Additional MantisBT upgrade progress WIP
- Additional MantisBT updates (WIP)
- Additional fixes
- Implementing points escrow in tracker sponsorship
- Additional work on points sponsorships
- Fix modularisation
- Bug fixes with tracker integration
- Mantis integration improvements
- Improve sponsorship block
- Update language for sending points versus sending in escrow
- More bugs...
- On karma doc, add distinction from points
- Quick debrand clarification
- Testing and fixes for Tempcode logic symbols
- Merge branch 'v11' of gitlab.com:composr-foundation/composr into v11
- Missing addon guards for post_read_history_days
- Actually located in privacy
- FORUM_DB could be undefined
- FORUM_DB could be undefined
- Missing require_code for failure
- Misc detected bugs from random addon uninstall testing
- Additional bug fixes from addon uninstall testing
- Add a safeguard: retrieve public key from homesite if not exists
- Meta might not be set
- incorrect array structure and placement
- Default to Composr's feed; MyNews now requires a subscription
- Add a more detailed explanation for JS errors so users know what to do
- Misinterpretation fix; clarify JavaScript alert privilege
- Update build files
- Refactor sponsorship code so Composr can use it internally (e.g. hotfixes)
- Oops, that's 8 characters not 7
- results table of broken URLs can be wide, so don't show helper panel
- Do we need to remove cache against?
- Let's try not using cache in the task...
- Missing r alias
- Also make site salts more secure
- Re-structure test suite (WIP)
- Various test suite fixes
Special thanks to these members for resolving the issues above:
Special thanks to these members for reporting the issues above:
Special thanks to these individuals who contributed code to the git repository for this release:
- Lovinity (Patrick Schmalstig)
- Chris Graham