Subscribe: Blog Dotclear
http://www.dotclear.net/log/feed/rss2
Preview: Blog Dotclear

Dotclear News



Blog management made easy



Published: Wed, 30 Nov 2016 00:49:59 +0100

Copyright: Dotclear © 2003-2016
 



Dotclear 2.10.4

Wed, 02 Nov 2016 10:53:00 +0100

A tiny update which fixes a database connection problem for installation using PostgreSQL lower than 9.1

If you are not in this case, the automatic update will run as usual.

If you are in this case, in order to do this very next automatic update, you have to follow this procedure:

  1. Open the file /inc/libs/clearbricks/dblayer/class.pgsql.php
  2. Insert a new line before the line number 103 and put the following code in this line, then save the file:
return;

You should have something like that:

		/** @ignore */
		private function db_post_connect($handle,$database)
		{
return;
			$result = $this->db_query($handle,"SELECT * FROM pg_collation WHERE (collcollate LIKE '%.utf8')");
			if($this->db_num_rows($result) > 0) {
				$this->db_result_seek($result, 0);
				$row = $this->db_fetch_assoc($result);
				$this->utf8_unicode_ci = '"'.$row['collname'].'"';
			}
		}

This modification will give you again access to your installation.

In order to apply the automatic update, you will have, first, to install a specific plugin, FakeMeUp (available on the DotAddict website), which allow to bypass the control of modified files before update.

Once this plugin installed, make the update and when finished, disable or uninstall the FakeMeUp plugin, as you wish.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.


CHANGELOG of this release :

Dotclear 2.10.4 - 2016-11-02
===========================================================
* PostgreSQL < 9.1 fix



Dotclear 2.10.3

Tue, 01 Nov 2016 15:26:00 +0100

A tiny update to fix two minor security vulnerabilities and to allow some specific proxy/ssl server configuration.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.


CHANGELOG of this release :

Dotclear 2.10.3 - 2016-11-01
===========================================================
* Security: Fix CVE-2016-7903: Password Reset Address Spoof — Thank's Hongkun Zeng for report
* Security: Fix CVE-2016-7902: Media Manager, unrestricted File Upload — Thank's Hongkun Zeng for report
* CSP: Cope with external sources used in editor's iframe to preview public external content
* Fix: Cope with post.post_position field during flat import
* Fix: Prevents precondition failed during currently activated theme update
* Fix: Remove unecessary header (cope by dotclear) in page plugin
* Fix: Let some proxies playing with standard http and https ports
* Fix: Let SSL runs through a proxy, it may be ok, sometimes
* 🐛 → Various bugs and typos fixed



Dotclear 2.10.2

Wed, 17 Aug 2016 10:23:00 +0200

A tiny update to fix a problem which prevents correct update on installations using the PostgreSQL database system.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.10.1

Mon, 15 Aug 2016 09:19:00 +0200

A tiny update to fix a problem which prevents the backend for new installation from correctly displaying (updates are not concerned). A too strict application of the CSP (Content-Security-Policies) is the cause of it. It also demonstrates that this protection might be efficient!

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.10 : warning!

Sun, 14 Aug 2016 10:30:00 +0200

I've just been informed about a problem that prevents CSS stylesheets and Javascript scripts from being loaded in the backend of Dotclear, but only for the fresh new installation.

If you are concerned by this problem, download the 2.9.1 release instead, install it, and then do the upgrade to the 2.10 proposed on your dashboard. The upgrade is not concerned by this bug.

You may also wait tomorrow to download the future 2.10.1 which will fix that.




Dotclear 2.10

Sat, 13 Aug 2016 13:13:00 +0200

We should celebrate the 13th anniversary of Dotclear today so here it is, the 2.10 release is available now and very soon on your dashboard[1]! The menu of this release (non exhaustive list, see CHANGELOG for further details) : Some vulnerabilities have been fixed Lot of bugs killed (some may still remain) A new template-set, named dotty, using as far as possible the new HTML5 semantic tags New options to customize and improve the use your Dotclear backend (favorites folders in media manager, optional columns for posts and pages lists, …) Implementation of the Content-Security-Policies for the backend, prelude to an implementation in public side (blogs) for the future 2.11 release[2] New facilities and opportunities for plugins developers (they are detailed below) Some javascript libraries have been updated (CKEditor, Codemirror, …) Not a revolution but developments for a more secure and robust application ; and finally, happy birthday Dotclear \o/ PS : This release requires PHP 5.3 at least but I would strongly advise you to switch to PHP 5.6 or PHP 7 without delay — this last one offers a very welcome increase in speed. Anyway, the next version of Dotclear might require a newer version than the already obsolete 5.3. Some technical details for plugins (and themes) developers and for blogs administrators: CSP, aka Content-Security-Policies Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. [ Wikipedia « Content Security Policy » ] The parameters used (activation and directives) are available via the about:config module (System settings menu, see “system” part) ; these parameters are: csp_admin_on : activation/deactivation csp_admin_default : default-src CSP directive csp_admin_img : img-src CSP directive csp_admin_script : script-src CSP directive csp_admin_style : style-src CSP directive A 3rd party plugin needing some external services may complete one or many of these directives using the behavior adminPageHTTPHeaderCSP which provides as parameter an key-indexed array. Each of these keys refers to the according CSP directive (see list above), its value giving the list of authorized sources (separated by space). Example : Imagine a plugin using the Google Maps API (for scripts), it should add the corresponding Google server by this way: $core->addBehavior('adminPageHTTPHeaderCSP',array('myAdminBehaviors','adminPageHTTPHeaderCSP')); class myAdminBehaviors { public static function adminPageHTMLHead($csp) { if (isset($csp['script-src'])) { $csp['script-src'] .= ' maps.googleapis.com'; } else { $csp['script-src'] = 'maps.googleapis.com'; } } } Private folder /var A new folder, named var, has been created with the 2.10 release of Dotclear. It is at the main level (as the cache folder is) and should be used for local storage that should normally not be set in cache folder. Note that this cache folder may be deleted at every moment without any negative consequences for the installation. A new constant, DC_VAR, is available and may be customized in the config.php file in order to build paths. Two new functions are also available to retrieve URLs: dcPage::getVF() for an URL based on the backend root URL of the installation dcBlog::getVF() for a public URL (based on the public URL of the blog) Plugin developers are encouraged to create their own directory within this directory /var to maintain a semblance of order. Code highlighting with Codemirror The Codemirror library, used by the theme editor, is now available (in the backend) for every plugin. Two functions are available to load and run this library : dcPage::jsLoadCodeMirror() for loading dcPage::jsRunCodeMir[...]



Dotclear 2.9.1

Sun, 27 Mar 2016 11:16:00 +0200

A new maintenance release which fixes several bugs of the previous 2.9. I remind you that Dotclear is fully compatible with the new PHP 7 (it's performances are highly improved comparing with PHP 5.n)[1].

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

Note

[1] If you use MySQL for your database, take care to use the mysqli driver rather than the old mysql which is not more supported by PHP 7 (see in your configuration file inc/config.php).




Dotclear 2.9

Mon, 29 Feb 2016 13:17:00 +0100

My lambs, it's time to update, the new 2.9 version awaits you!

Fédor Balanovitch (coming out of the bus, almost) — Zazie in the metro, R. Queneau

On the menu of this version essentially what make life a little easier for those who spend time on the side of the administration of their(s) blog(s). A search and last visited folders available in the media manager, better sorted menus and lists some more filterable, some welcome updates for the javascript libraries used[1].

And then we also need to make Dotclear run properly with the new version 7 of PHP, quite impressive release in terms of speed gain, and you will note in passing that the minimum required version of PHP 5.3, as it is had announced at the time of the release of the release of the version 2.8[2].

A lot of bugs were eradicated, a few new opportunities have been implemented for developers of plugins and theme designers, and finally a more robust application for everyone.

The future version 2.10 will be mainly focused on two aspects. First an "overhaul" of JavaScript scripts used in the administration od Dotclear, as we have some old stuff in our "collection", and second, a "soft" migration to more HTML5 / CSS3 templates and themes side. But tell us if you'd prefer something else!

The updated proposal of your installation should appear on your dashboard today or tomorrow (depending on the settings of your accommodation) and a patch is available to developers preferring to apply this method.

Notes

[1] The jQuery 2.2.0 version is now available for the public side of your blogs, if necessary.

[2] Hosting services with less than 5.3 version of PHP begins hard to find, and it's a good news.




Dotclear 2.8.2

Sun, 25 Oct 2015 09:41:00 +0100

A new maintenance release which fixes one potential XSS vulnerability in comments's list and enforce media extension before upload[1] (thanks to Tim Coen, Curesec Gmbh, for reporting them) and two other bugfixes.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

Note

[1] You may also create an .htaccess file at the root of your public folder, with an php_flag engine Off directive to prevent any PHP code execution from your media library.




Dotclear 2.8.1

Wed, 23 Sep 2015 15:36:00 +0200

A new maintenance release which fixes one potential XSS vulnerabilities (thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from JPCERT/CC) and two other bugfixes.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.8

Thu, 13 Aug 2015 08:59:00 +0200

Some time after the 2.7.5 release, here it is, today, right on the Dotclear's 12th birthday, the 2.8 release which comes with a new companion, the proud Dotty[1], our new mascot[2] :

(image)

Dotty

This new version introduces a new mechanism to cope with module dependencies (plugins for this release and will be declined for themes soon), also includes the Breadcrumb plugin that some of you already use, updates the CKEditor editor and the jQuery library, and fixes lots of bugs et somes minor cosmetic issues.

The heritage/extension templating system has been applied to the legacy mustek templateset, in order to simplify the developpement of themes using it ; some new criteria and filters have been added for posts and comments (and spams) lists ; the tags and widgets are now lexically sorted for latin languages, and so on… We will give you some details about all of this in further posts here.

Important : If you have already installed the breadcrumb plugin, please uninstall it before doing this update.

Another point : we will drop the PHP 5.2 support and will require, at least, the PHP 5.3 version (which is already obsolete). Note that Dotclear has been tested with PHP versions 5.3 to 5.6.

Your dashboard should offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

Notes

[1] We due the pretty name to Noé (aka Lomalarch) and when we, french guys, have discovered what dotty means, we decided that was really suitable !

[2] This illustration has been designed by our friend and artist Alain Korkos.




Contribute to Dotclear — Yes you can!

Wed, 20 May 2015 22:22:00 +0200

I have been into open source pretty much since the first time I encountered the idea.

As a user, of course—who's to say no to free (as in beer) software? With forums where you can contact the developers to ask for help or new features? And the possiblity, for a programmer (like myself), to tweak here and add there and make it do exactly what you want? Even before I started considering the meaning of free as in

For years, however, I felt a bit uncomfortable. Taking was good, but what about giving back? My own fixes were often too hacky and personal to be shared with others. And what about all the non-technical people I was trying to convert to the cause? What could they contribute?

And then I met the Dotclear community.

I was on another continent. Blogging to keep in touch with the homeland, one way or the other. That's how I started using the software. Little by little, I also started exchanging with the contributors. Pouring over the documentation; asking for help in the forums; and, more and more, reading their blogs. Soon enough, this had become much more than a piece of software; this was a group of pals, thrown together into an adventure. An adventure I wanted a part of.

I started by the proud "powered by Dotclear" footers on my webite(s). If I could make only one person switch blogging engines, or decide for Dotclear when starting their own blog, that would already be a big deal.

And then I realized Dotclear was also an association. To which you can donate money.

Since then, I have moved back closer to the headquarters, first on the other side of the Rhine, now on the same side of the Seine. I have started contributing a bit more directly (mostly by translating blog posts once in a blue moon, but hey, I'm part of the team).

But still, if you like Dotclear, and that you want to contribute, there's no need to have the skills, time and desire to become a core dev. You can start by becoming a Dotclear member, and donating to the association.

Don't hesitate!

For full disclosure, I should also add that this is the kind of attitude that leads you to wanting to meet other Dotclearians, and from then on to picnics, crepes, beers, and fits of laughter.




Dotclear 2.7.5

Wed, 25 Mar 2015 10:39:00 +0100

A new maintenance release which fixes two potential XSS vulnerabilities (thanks to the SecPod Research Team Member Shakeel) and three other bugfixes.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.7.4

Fri, 13 Feb 2015 09:59:00 +0100

A maintenance release with some bugfixes and improvements. Nice friday the 13th with “The Cat“!

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.7.3

Tue, 13 Jan 2015 10:30:00 +0100

A bugfix release which restores advanced editing of category description, fixes some non-required warning messages, fixes also pagination in some specific contexts, …

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.7.2

Thu, 25 Dec 2014 14:08:00 +0100

A bugfix release in order to allow again normal user (not admin) to use the Dotclear Wiki editor.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.7.1

Thu, 25 Dec 2014 08:26:00 +0100

You can now download Dotclear 2.7.1. This maintenance release includes several fixes for bugs discovered since the 2.7 release and some cosmetic enhancements in Berlin theme and Currywurst templateset.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.7

Sat, 13 Dec 2014 00:01:00 +0100

Woohoo! TL;DR — There's a new WYSIWYG editor, and HTML5 all over. Update and enjoy :-) It's now been thirteen months[1] since 2.6 came out. It's now about time (at last!) to move on. Dotclear 2.7, being released today, is less spectacular than the previous version, with its updated administration graphics chart, but it brings forth significative changes for users (on the admin side) and its rendering (on the public side). On the admin side We have integrated (she typed, as if she had done any of that) a new editor, dcCKEditor, which is built, as you can imagine, on the CKEditor library. You will therefore find a more advanced editor (presentation-wise). The old editor is still here, and is now called dcLegacyEditor. As several editors (two with this version) can be installed, you'll have to pick your favorite for each of the proposed syntaxes (wiki and XHTML, so far). Go and have a look at the "My Options" tab under "My Preferences", and check the "Edition" frame. You'll probably need to clear your browser's cache as well. It's not all on the administration side, as we have also started to integrate, together with the switch to HTML5, the main ARIA Roles. (If, like the author of that note, you are wondering what ARIA Roles are, you can read this, which is the first link she decided to click on that topic. If you don't want to read, know that the first of those As stands for Accessibility and that accessibility is A Good Thing.) On the rendering side Well let's talk about HTML5 some more. We've implemented two sets of templates, upon which the basic themes are built. The first one is called "mustek" and corresponds to Dotclear's old default theme (that good old Blowup). The second one is called "currywurst" and corresponds to Dotclear's shiny new default theme, named... you guessed it, Berlin. Both sets of templates and themes are now in HTML5 and include ARIA Roles. For those of you who use Dotclear's wiki syntax, do note that the XHTML code it produces is now HTML5 compatible. You'll note that it is not any longer mandatory to copy the default theme repository when using an external repertory. You can also choose, in the blog's parameters, the jQuery version that must be loaded on the public side (both 1.4.2 and 1.11.1 are shipped with this version of Dotclear). We certainly advise you, after having upgraded, to clear the templates' cache (see the Maintenance plugin), to ensure that your blog's rendering is up to date. Moreover, new options have been added to let you tune your blog's appearance more finely. You can for instance deactivate widgets without needing to delete them. You can also define a number of notes to be displayed specific to the home page (and which can be different from that of the following pages). Back to HTML5, now that audio files and videos will, as much as possible, be integrated to your notes with HTML5 tags (



Dotclear 2.6.4

Mon, 18 Aug 2014 14:13:00 +0200

You can now download Dotclear 2.6.4. This maintenance release includes fixes for two potential security defaults on XML-RPC system and on media manager.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.




Dotclear 2.6.3

Fri, 16 May 2014 14:40:00 +0200

You can now download Dotclear 2.6.3. This maintenance release includes fixes for two potential security defaults on XML-RPC authentification and on category ordering. Many thanks to Egidio Romano for his advices about them.

He also warned us on the possibility to send PHP scripts into the media folder and to get them executed from there. Dotclear cannot entirely protect against this kind of defect and you should ensure to not leave such files in your medias, or if it's necessary, to make sure that they are not executable. In order to do so, a few methods exist and rely essentially on the web host and the sofware used for the server.

For Apache in example, a .htaccess file located in the public folder and including the following directive allows to avoid the issue:

php_flag engine off

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.