CuteNews 1.5.0 release notes.
1.0 CHANGELOG
- Updated modules system (they are saved in php files now and gets own template from skins/base_skin folder);
- Almost completely rewritten code in a standard programming (in order to be more readable);
- Fixed a function “send_mail” (in case of an error the message will be saved in the log file);
- Fixed ban by IP and ban by mask errors;
- Improved the Administration Panel performance, also accelerated user login identification;
- Improved reading of big archives (only brief description of archives are loaded into memory);
- Completely rewritten installation script (this allows to simplify the installation process);
- Created updating script from 1.4.7 to 1.5.0 version (this will simplify the transfer of data with respect to any
original charset);
- Improved the data filter for news and comments;
- Using HTTP header “Content-Type: UTF-8”
- More safe template use (if there is no template, the template `Default.tpl` is selected);
- Call of the file through “./” is not used anymore. The absolute path is calculated by dirname;
- Removed deprecated functions (this allows to launch CuteNews by using PHP from the version 4.0.3 and higher);
- Fixed bugs by the comment addition;
- Fixed composing bugs in the text editors;
- Saving configuration won't redirect user to the new empty window anymore;
- Simplified the password changing procedure in the Privacy settings (This hasn't effected its safety in no way);
- Fixed images inserting bug in the text editors;
- Fixed images showing bug in Manage Images;
- Fixed the comment saving by the news editing from the Administration Panel (now supports UTF-8);
- Text can be divided into parts without spaces;
- Improved the access to the news categories for users with different kinds of permissions;
- A new check for the correct completion of the comment field (Captcha can be seen in case the field has been filled
incorrectly);
- A new way of the guest data storage in Cookies and password checking on Remember (by the comment addition is used
SHA256);
- Fixed the data backup bug;
- Fixed bug of warning on wrong inserting the script, news, archives and search;
- Fixed archives show bug;
- Removed session authorization;
- Minimized CHMOD bugs;
- Support for UTF-8: any UTF8 strings converts into Unicode;
- Session storage in Cookies (encrypted in XXTEA/BASE64);
- Added SHA256 hash;
- Improved the XSS and CSRF safety;
- Developed a system of internal templates;
- Added use of PHP templates and frontend code;
- Use of serialize/unserialize functions to expand the record presentation in the database;
- Developed record storage as hash keys to speed up the access to data (such as users, news, IP ban);
- Error log is now in a separate file;
- Added an ability to write your own plug-ins;
- Plug-ins structure allows to change the CuteNews code (forks) completely;
- Added date formation by user;
- Added system of compilable hooks which can be controlled from the Administration Panel;
- Inserted “Breadcrumbs” into some modules of the Administration Panel;
- Created user log (record of information on log in, log out, unauthorized access to personal data errors);
- Added function of changing date for the “since” format;
- Locking users after 3 unsuccessful log in attempts to Administration Panel within the 6 hours;
- Added {star-rate} field for embedding the build-in voting form;
- Added {year}, {month}, {day} fields into the full news and RSS pattern;
- Added new special symbols (umlauts);
- Added check for the avatar URL on the correctness and existence and automatic storage to the server;
- Added captcha for comments: with numbers and letters;
- More safety by user registration and password restore;
- Added check for password strength by registration;
- Proper display of the complete article, included in multiple categories.
- Improved Dashboard at the main page of Administration Panel;
- A more precise definition of permissions to read / write files;
- Added CKEDitor text editor (without CKFinder);
- Removed outdated RTE editor;
- Added build-in Facebook comments;
- Added to the templater editor a new template “Customize Search” that allows to customize the search field;
- Added code dump storage module for further sending into consideration (for licensed versions only!);
- Integrated module of additional substitution of words, which allows the user to specify the rules of regular
expressions, how to convert news data;
- Added X-Fields, additional fields that can be used for expanding information on every news;
- Added ban by IP and by nickname;
- Added build-in news sorting option (“$orderby” before including show.news.php), the algorithm QuickSort is used;
- Added the ability to mix the news randomly;
- Added news displaying by user name.
Fixed in beta-stage
- Fixed CSRF login window
+ Add IP checker for authenticated sessions
- Fixed [link] $template var
- Fixed bug showing list of news: users can view news which category is not allowed
- Fixed bug: editor can't delete news without category
- Fixed sort news bug
+ Security bug fix: anyone may delete users
- Remove deprecated function:over_tpl
+ Add styling for button in default.skin.tpl
+ Add gradient panel for admin
- Fixed bug with table at editnews
- Change logic to show authors in editnews listing: using real author names
- Fixed autologin, login cookies bug
+ Add safe redirects
+ Add print.php hack
+ Add Update function
- Remove /skins/images/Thumbs.db
- Remove db.fulltext.php
- Remove deprecated template skins/base_skin/images/quick.tpl
- Remove CKEditor unused language packets
- Remove default search template
+ Add reorder news in admin panel
- For authorized user disable enter passcode; for admin - disable captcha anyway
+ Add possibility to [edit]edit news[/edit] from news
- Fixed discus thread [link]...[/link]
+ Add backup for news
- Refactor image module: fix wysiwyg insertion, fix preview
- Fixed some warnings
+ Add $config_push_users for user kicks
- Fixed user check existed status
+ Add version checker to main page
+ Add userlist imod
- Fixed path disclosure in options.php:do_template
- Fixed exit_cookies and send_cookies authorization
+ Use $GLOBALS in proc_tpl
+ Add to function proc_tpl language translation support
+ Add plugin manager
- Fixed migration/installation bug
- Security fix for data section
- Fixed: show "No category" in add/edit news
+ Add "no cache" headers
+ Add CSRF checking in images, archives, backup, personal, xfiels, massactions, comments
- Fixed template error in backup
- Change 'cellpading' to 'cellpadding'
- Remove hooks.php from code, reason: unused
- Increase performance by using encrypted login session, remove weak CSRF checking
- Remove function check_login
+ Add .htaccess in installation process
- Move 'more fields' at news.txt db
- Shorten links
- Fixed date formatting, add new fields {weekday}, {since}
+ Add the possibility of uploading images from server to CKEditor
- Fixed bugs concerning removing comments, execution persmission status in admin panel, xss security: add allowed tags
for iframe,object,param,embed
- Remove xss_strip deprecated function
+ Add [truncate=N]...[/truncate] possibility
+ Add linked categories hacks
+ Add possibility for adding options with plugins
- Don't allow posting urls in comments
- Fixed UTF8 html encoding for comments only for the author/comment
- Fixed bug concerning adding comment to broken link in comments.txt
+ Added a field for selection of the XSS level
- Fixed XSS in register.php
- Fixed reflected cross site scripting in search.php, editnews, categories module
- Fixed partial file disclosure $source in addnews, editnews, massaction
- Remove [link] bbcode from all cutenews codes
- Fixed file Path Disclosure in search.php mktime in search.php
+ Add a XSS level "Total Filter" for disable all disallowed tags
- Fixed CSRF with adding/editing users and categories: high vulnerable
- Fixed PHP Code Injection for categories module
- Fixed saving 'skin path' with invalid characters
+ Modify Postponed news logic
- EOL is always transformed into BR while saving without visual editing program
- The tick 'Use html' is kept
+ Change of the appearance of administrative board: enlargement of the space on the left side
- The check up of the empty comments while archiving was deleted
+ Users logs are sorted by decrease
+ Option of users logs turning up
+ Option of compulsory turning up of UTF-8 on the site
+ The migration script has been changed: copying of all files non registering codepage excepting users/ipban
(they are separate)
- Fix string truncation
+ Hook for CKEditor modification through plug-ins is added
+ The feature of changing the date of news publication is added
- Assortment of the news at the listing
- The news listing it's possible now to change a certain category by just a click
- Correction of mistakes while adding comments to the news
- Change of documentation and simplification of templates' editing
- Additional fields has become not obligatory field
- Fixed bug of the avatar from multi-category
- The bug that concerns editing the news category that is deleted has been fixed
- The XSS while editing additional fields for news is fixed
- There is a search by key words
+ Mod_rewrite is added for several section experimentally
+ The constructions {if $var}...{/if} and {if !$var}...{/if} are added to the template engine
+ After adding the news it is passed for editing
+ Add preview of news on add news in admin panel
+ Add hooks for Additional fields in template add/edit news
+ Add stripslashes for templates
+ Add more data for hook in core.php:template_replacer_news
+ Add "Deprecated message" at main panel
+ Add hook for bottom of active news
- Remove fv_serialize function
- Use user_add, user_update, user_search, user_delete insead b-tree operations with users file
- More compartible upgrade process from 1.4.7 version
- Wrap into hidden panel xfields
- Function build_uri now uses $QUERY_STRING
- preg_split to explode: more stable splitting
- Fixed draft saving
- Fixed using PHP_SELF value
- Fixed pagination (also in archives)
1.1 Requirements
- PHP 4.1.0 version is desired. Please use the older versions at your own risk;
- There is “iconv” library available, in case of using a charset different from UTF-8.
________________________________________________________________________________________________________________________
2.0 Safety improvements
A In order to authenticate and verify the security algorithm used XXTEA session Cookies. The essence of the method
implementation:
1. In the session is added REMOTE_ADDR to block repeated requests;
2. Serialize $_SESS array into serialized string;
3. Serialized string is encrypted using a randomly selected XXTEA with “salt” for the site;
4. Encrypting a string is passed to the Cookies named `session`.
What it gives?
Protection against CSRF and open view of identification user data. In order to properly encrypt data and send them
fraudulent manner, you need a “salt” and the IP address of the sender. Salt is unique for each site and set consists
of a 512-bit encryption. The probability of selection of the cipher salt is actually zero. Each time you update a
random number issued to confirm the return to the user, which is stored in an encrypted session.
You also can not resend the same token to another IP-address, since the encrypted data is IP-address of the sender
and any attempt to send the wrong line leads to unlogin.
However, nothing can protect any data from the session, and “listening” to, if not using a secure https-connection.
To install it you have to buy a registrar certificate for your domain. Read more here
http://en.wikipedia.org/wiki/HTTP_Secure
B CAPTCHA
The main problem in the web space is still spam. For writing news comments and for account registration captcha has
been added, which uses session encryption mechanism through the Cookies, so that hacking by robot is impossible,
too. The information is stored securely.
C A function cleaning almost every XSS written by an offender in the comments or posts has been created.
D Enhanced protection from the folder view with .htaccess has been added.
________________________________________________________________________________________________________________________
3.0 Installation procedure
The latest version of CuteNews features a more convenient and simplified installation procedure. To install scripts
onto the server just take the following steps:
3.1 Create a folder for CuteNews (cnews, for instance);
3.2 Upload all files into this folder;
3.3 Set up the script from the specified folder(yourdomain.com/cnews, for instance);
3.4 Fill in the administrator fields (login, password, email)
________________________________________________________________________________________________________________________
4.0 Instruction on how to upgrade CuteNews from the older versions
3.1 Install Cutenews 1.5.0 in the specified folder;
3.2 Try to login.
________________________________________________________________________________________________________________________
5.0 The use of embedded code
CuteNews has been designed to provide the most convenient process of embedding code into the site.
The server must support PHP to run the script. The launch is to be made in a file of php extension accordingly.
An example of embedding code:
/folder/where/located/yourfile.php
+---------------------------------------------------+
| <html> <head> .... <body> ... YOUR SITE |
| ... |
| <?php CN_INCLUDE1; ?> |
| ... |
| +----------------------+ |
| Content | <?php CN_INCLUDE2;?> | |
| Content | | |
| Content | | |
| | | |
| +----------------------+ |
| |
| +-----------------------------------------------+ |
| + Footer <?php CN_INCLUDE3;?> + |
| +-----------------------------------------------+ |
+---------------------------------------------------+
Page layout is selected arbitrarily here. There are three CN_INCLUDE blocks. Every block is placed separately and it
shows a defined template, which was selected in the parameters of its show. For example, CN_INCLUDE1 block shows
full type news, CN_INCLUDE2 - static news, CN_INCLUDE3 - archives of the headlines pattern.
When clicking the “Read More” or “Comments” links, the usual page update is provided, but with the transfer of other
parameters.
If the module is static, then the changes in his body will not happen; if it is dynamic, as CN_INCLUDE1, the
corresponding content will be shown. This means that if there is subaction=showcomments in a GET-query, the template
will be changed to full news with comments.
This is the simplest way to embed news. If you are an experienced php user, you can make more changes in the same
block, as well as modify block options depending on the data taking from the GET/POST query.
5.1 How to embed news
First of all, check the files and folders structure on the server. It is better to use absolute paths, if possible.
For example:
- /home/userdir/www/news/ - There is code of the CuteNews Administration Panel saved in this folder.
- /home/userdir/www/my_script.php - This folder contains script, which we call.
my_script.php:
<html><body><h1>Hi, World!</h1> <?php include ('/home/userdir/www/news/show_news.php'); ?> </body></html>
Using this example code, you will call the correct script and the build-in news will be successfully displayed.
Please note that the script show_news.php can't be called directly! In the case of calling it directly you will
face the 503 error.
5.2 Options for embedding news
Before to turn on the show_news.php script the following options can be set:
$_GET['ucat'] - news category index. Show news from the specified categories only;
$static - allows to show only active news;
$category - list of allowed categories;
$template - template name;
$reverse - show news in the reverse order;
$sortbylastcom - order news by last comment;
$archive - use archive ID;
$only_active - if =true is selected, only active news without archives are shown;
$number - number of news (there are 10 by default);
$no_prev - if =true is selected, do not use << Prev link;
$no_next - if =true is selected, do not use Next >> link;
$start_from - skip some news by specific number;
$static_path - set the static paths of all the links (e.g. comments link, fullstory link, etc) included in
the show_news.php;
$user_by - if this option is selected, only news of specified user will be shown;
5.3 Archives
Archives are displayed in the same way as news. In the absence of the $archive option a list of archives will be
displayed. It is important to remember that the embedded code with the archives will display full story, if certain
parameters are passed.
It is recommended to hidden the direct code inclusion with archives and to install static=true, if it is placed in
the sidebar.
For example:
The code <?php include ('show_archives.php'); ?> is embedded into the sidebar.
If you click the “Read more” link, the full news will be displayed in the sidebar instead of list of archives.
5.4 RSS
RSS feed can be configured via Administration Panel in the Options > Integration Wizards >
RSS Setup and Integration.
It is necessary to follow the instructions which are presented in the Wizards.
________________________________________________________________________________________________________________________
5.5 Embedding search form
This can be done in two ways:
1) By using the code <?php include('search.php'); ?>
If =true for the $search_form_hide option is selected before include('search.php'), the form of the search
query will not be displayed in search results.
2) By placing an arbitrary search form anywhere
<form action="url_where_the code_is"> and insert this code where you want to see the search results:
<?php if ($_REQUEST['do'] == "search" or $_REQUEST['dosearch'] == "yes")
{ $subaction = "search"; $dosearch = "yes"; include("search.php"); } ?>
Once the values $do = 'search' и dosearch = 'yes' have been shown in the URL- or Post query, search results will
be displayed.
5.6 Facebook comments form
To start using this form you need to add your Facebook AppID to the Options > System Configurations > Facebook.
It is possible to embed Facebook comments form by adding the following META-tag:
<meta property="fb:admins" content="012345678901234"/>
inside the <head> tag to the template displayed on the web site. Where 012345678901234 is a numeric user ID on
Facebook. Embedding this meta tag allows you to administer comments.
5.7 Custom date formatting
Insert code {month} into the template - the month will be shown in English.
Or use {month|jan,feb,....,dec} - listing of the months' titles is required.
________________________________________________________________________________________________________________________
6.0 Internal hooks and their use
This section is for developers only.
________________________________________________________________________________________________________________________
7.0 Plug-ins
Plug-in files are loaded from the folder ./cdata/plugins every time you call a page that uses the CuteNews engine.
It is necessary to register internal hooks for plug-ins by using the callback-functions.
Use add_hook function to add a hook:
<?php // Plug-in code
add_hook('system_modules_expand', 'myPluginSystem');
function myPluginSystem($modules) { return $modules; }
?>
myPluginSystem function won't work properly without adding a hook.
All plugins located at /cdata/plugins directory with *.php extension.
________________________________________________________________________________________________________________________
8.0 Standard forms for the web site news construction
The preliminary testing information: CuteNews is installed in the catalog: /home/yoursite/www/cnews.
8.1 The simplest form
Script location: yoursite.com/index.php
Code:
...
<?php include ('cnews/show_news.php'); ?>
...
This allows to show the active news. By clicking the comments form or the “Read more” link you will see the full
text of an article with the comments.
8.2 News are displayed in another folder
Absolute server path: /home/yoursite/www/
Script location: yoursite.com/mynews/index.php
Code:
...
<?php include ('/home/yoursite/www/cnews/show_news.php'); ?>
...
This allows to show active news in the same folder from which they are called.
8.3 Display news from every block at the main web page.
For example, the box with Headlines templates is available in the sidebar or footer. These blocks can be called by
using the $static = true option. It is necessary to display news at the main web page by clicking the Sidebar link.
File 1:
Absolute server path: /home/yoursite/www/
Script location: yoursite.com/pages/lines/index.php
Code embedded in the sidebar:
<?php $static = true;
$static_path = '/index.php';
$template = 'Headlines';
include ('/home/yoursite/www/cnews/show_news.php'); ?>
File 2:
Absolute server path: home/yoursite/www/
Script location: yoursite.com/index.php
Code embedded in the sidebar:
<?php include ('/home/yoursite/www/cnews/show_news.php'); ?>
8.4 The search form is embedded in the sidebar, but you need to display search results in the news block:
<form action="URL, where you want the search results to be displayed">
<input type="hidden" name="dosearch" value="yes" /> <!-- indication of $dosearch option required -->
<input type="text" name="story" value="" /> <!-- specify the search form -->
</form>
In the script where search is being performed allow search by dosearch
<?php if ( isset($_REQUEST['dosearch']) && $_REQUEST['dosearch'] = 'yes')
include ('/home/yoursite/www/cnews/search.php'); ?>
If hidden of the search form is required, you will need to add $search_form_hide:
<?php if ( isset($_REQUEST['dosearch']) && $_REQUEST['dosearch'] = 'yes')
{
$search_form_hide = true;
include ('/home/yoursite/www/cnews/search.php');
} ?>
________________________________________________________________________________________________________________________
9.0 Administration Panel
9.1 Following new options added:
9.1.1 Report Bug Dump -- Saves and send CuteNews dump
9.1.2 User logs -- Users authorization logs
9.1.3 Hooks and plug-ins -- Internal hooks and plug-ins control; Plug-ins control in CuteNews 1.5.0 is not supported
9.1.4 Word replacement -- Word replacement uses the regular expressions
9.1.5 Additional fields -- Additional fields to the news editing