XOOPS 2.0.10 RC Released - XOOPS - XOOPS News - XOOPS Web Application System

Re: XOOPS 2.0.10 RC Released

Cheeze Published 04/03/2005 10:00 Just popping in Joined 11/16/2004 Comments 38

Hi, does this include the fixes for the security loophole exposed by the avatar uploader prior to version 2.9.3?

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/03/2005 11:15 XOOPS is my life! Joined 06/21/2003 Comments 6320

Yes - this release includes also the 2.0.9.3 fixes

The full changelog (minus the fixes of bugs introduced by 2.0.10 betas):

2005/04/03: Version 2.0.10 RC
============================
- Implemented new token system for validating form origination and increased protection against CSRF (Mithrandir/Onokazu)
- Security fix to avoid the usage of fopen and unlink when previewing (Onokazu)
- Fixed bug - Missing </a> in news/templates/blocks/news_block_bigstory.html (Mithrandir/blacKurd)
- Fixed bug in header.php – assign $xoops_lblocks (Mithrandir/phppp)
- Fixed bug #1087786 Can"t assign to $this in PHP5 (Mithrandir)
- Included 2.0.9.3 fixes in 2.0.10 patch for easy upgrade from 2.0.9.2 (Mithrandir/rowd)
- Fixed bug #1157029 - Bug in include/checklogin.php (Onokazu/sudhaker)
- Fixed bug #1060061 - renderValidationJS showing htmlentities instead of intended characters (Onokazu/theCat)

Re: XOOPS 2.0.10 RC Released

Gambero[removed] Published 04/03/2005 13:45 Quite a regular Joined 01/13/2005 Comments 393

I am planing to make a new language file for my language. Can you please list the language changes from version 2.0.9.3 ?

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/03/2005 13:51 Updated 04/03/2005 13:53 XOOPS is my life! Joined 06/21/2003 Comments 6320

Easy - there are none.

There will be quite some new constants in 2.1/2.2 as we clean up the various hard-coded English comments, but 2.0.10 does not add any.

Re: XOOPS 2.0.10 RC Released

Tenguka Published 04/03/2005 13:56 Just popping in Joined 02/25/2005 Comments 15

Does this security fix allow for the removal of the Protector module? Or is it best to keep the Protector module installed?

Re: XOOPS 2.0.10 RC Released

Herko Published 04/03/2005 13:58 XOOPS is my life! Joined 02/04/2002 Comments 4238

There is some redundancy with the protector module now, but not every function of the Protector module has been incorprated into this release, nor has the token system been implemented in the same way.

Herko

Re: XOOPS 2.0.10 RC Released

Tandy Published 04/03/2005 14:07 Not too shy to talk Joined 08/11/2003 Comments 110

Is it then advisable to continue the use of the Protector module, or do you foresee some incompatibilities?

Re: XOOPS 2.0.10 RC Released

m0nty Published 04/03/2005 14:11 XOOPS is my life! Joined 10/24/2003 Comments 3337

that's the idea of beta testing and RC releases..

keep using protector, and if any problems arise report them and they will be fixed..

Re: XOOPS 2.0.10 RC Released

tjnemez Published 04/03/2005 14:19 Home away from home Joined 09/21/2003 Comments 1594

Quote:

Is it then advisable to continue the use of the Protector module, or do you foresee some incompatibilities?

this question needs to be answered.

Quote:

keep using protector, and if any problems arise report them and they will be fixed..

for some users its not that simple.

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/03/2005 14:28 XOOPS is my life! Joined 06/21/2003 Comments 6320

Whether it is advisable to continue the use of the Protector module, I'll let GIJOE answer. My guess is that he will say yes - and I don't see a problem with it, if you are a happy Protector user.

It should not cause problems to run Protector on XOOPS 2.0.10 - however, some checks will be performed twice.

Re: XOOPS 2.0.10 RC Released

m0nty Published 04/03/2005 14:28 XOOPS is my life! Joined 10/24/2003 Comments 3337

well thats the idea isn't it?

if users are worried about their site breaking or can't afford to have problems. then they should not update their stable site to a BETA version.. that's my opinion..

it is obvious that a beta version will have bugs.. and you can't get rid of those bugs until someone has tried using it and reported those bugs.. so the only way to find out is to try it.. which is y they are called BETA releases and not meant for production sites..

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/03/2005 14:41 XOOPS is my life! Joined 06/21/2003 Comments 6320

Erhm... this is a RC release, m0nty, not a beta.

We believe this is stable, but still warn people against putting it on a production site until they have tested that it works in their server configuration.

Re: XOOPS 2.0.10 RC Released

rowdie Published 04/03/2005 14:56 Just can't stay away Joined 07/21/2004 Comments 846

I'm having problems with the mailing system.

New XOOPS 2.0.10RC install, new database.

Click on System admin->mail users gives me a red area above the form. Should be an error message I think, but there's no message.

Same for find users(all users)->[select user]send mail , again a red area above the form.

Trying to register a new user from the front end of the site gives PHP notice and warning :


Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file c:program filesapache groupapachehtdocsxoops10classxoopssecurity.php line 152

Warning [PHP]: array_filter(): The first argument should be an array in file c:program filesapache groupapachehtdocsxoops10classxoopssecurity.php line 152

(testing locally, as you can see)

I see the same PHP messages everytime I log in and try System admin->mail users, though not for second or more attempts. Log out, then in and try again and there they are again. Not very important I guess, but thought I should mention it.

I haven't actually managed to get the email from the site working yet, but then I always have trouble with that. Probably has nothing to do with the RC

Re: XOOPS 2.0.10 RC Released

m0nty Published 04/03/2005 15:01 XOOPS is my life! Joined 10/24/2003 Comments 3337

ahh i oughta get my eyes tested.. just tiredness i guess..

altho the concept is still there.. i guess i'm just more broader in my terms.. i use the concept "if it's an alpha, beta or RC release then it's not a full stable version and 'could' still need testing" it's not final till it's final.. but generally yes when software gets to an RC release it is pretty much complete and final..

Re: XOOPS 2.0.10 RC Released

phppp Published 04/03/2005 15:13 XOOPS Contributor Joined 01/25/2004 Comments 2857

Seems that files in full package are different from those in diff package.

And, bitwise operator "|" is used in somewhere while logical operator "||" somewhere else, any special reason?

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/03/2005 15:16 XOOPS is my life! Joined 06/21/2003 Comments 6320

Thanks, Rowdie - these were just messages (or lack hereof) right? There were no real mal-functions, correct? Except the problem with actually mailing, that can have numerous causes, I mean.

Re: XOOPS 2.0.10 RC Released

rowdie Published 04/03/2005 16:15 Updated 04/03/2005 16:28 Just can't stay away Joined 07/21/2004 Comments 846

That's correct, just missing error messages that I wanted to report. And PHP debug messages showing.

No malfunctions to report.

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/03/2005 16:33 XOOPS is my life! Joined 06/21/2003 Comments 6320

Quote:

Seems that files in full package are different from those in diff package.

Which?
I did a diff on my patch dir and my full dir. Only modified file was include/version.php, the rest were either the same or removed in the patch

Quote:

And, bitwise operator "|" is used in somewhere while logical operator "||" somewhere else, any special reason?

To enforce the check and garbage collection.

|| does not (to my knowledge) perform the right-hand-side computation if the left-side fails, but in these cases, I wanted the ->check() to be called no matter what, to force the token garbage collection.

Of course, I could have just put the ->check() on the left side, but I had put them to the right in the first beta, where I did not think of the difference, and wanted as small a change as possible.

Re: XOOPS 2.0.10 RC Released

Peekay Published 04/03/2005 16:36 XOOPS is my life! Joined 11/20/2004 Comments 2335

Quote:

Click on System admin->mail users gives me a red area above the form. Should be an error message I think, but there's no message.

I also saw that on beta 3. Mail worked fine on b3 with the default php mail() usr/sbin/sendmail settings.

Re: XOOPS 2.0.10 RC Released

domifara Published 04/04/2005 1:29 Updated 04/04/2005 7:00 Just popping in Joined 09/11/2003 Comments 25

Thank you xoops2.0.10RC

Typo bug .only a little
modules/contact/index.php
line 29
| --> ||


if (empty($_POST['submit']) | !$GLOBALS['xoopsSecurity']->check()) {

to


if (empty($_POST['submit']) || !$GLOBALS['xoopsSecurity']->check()) {

sorry
---------------
search.php
I think ,It is necessary to receive $_GET['mids']?
like.. about from line27


$mids = $temp_mids = array();

if (!empty($_GET['mids'])) {

  $temp_mids = $_GET['mids'];

} elseif (!empty($_POST['mids'])) {

  $temp_mids = $_POST['mids'];

}

if (!empty($temp_mids)) {

    if (is_array($temp_mids)) {

        foreach ($temp_mids as $v) {

            $mids[] = intval($v);

        }

    }

}

Re: XOOPS 2.0.10 RC Released

domifara Published 04/04/2005 4:43 Updated 04/04/2005 4:44 Just popping in Joined 09/11/2003 Comments 25

Warning [PHP] at xoopssecurity.php
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file class/xoopssecurity.php line 152
Warning [PHP]: array_filter(): The first argument should be an array in file class/xoopssecurity.php line 152

maybe


$_SESSION['XOOPS_TOKEN_SESSION'] = array_filter($_SESSION['XOOPS_TOKEN_SESSION'], array($this, 'filterToken'));

to


if (isset($_SESSION['XOOPS_TOKEN_SESSION']) && !empty($_SESSION['XOOPS_TOKEN_SESSION'])){

    $_SESSION['XOOPS_TOKEN_SESSION'] = array_filter($_SESSION['XOOPS_TOKEN_SESSION'], array($this, 'filterToken'));

}

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/04/2005 7:51 XOOPS is my life! Joined 06/21/2003 Comments 6320

Thanks, Domi - the XoopsSecurity was already reported by Rowd and changed for the final 2.0.10 release

Regarding the search.php is it a showstopping bug? Or just an inconvenience? If it is the latter, I will look at it for XOOPS 2.1 (which I started porogramming yesterday)

Do you want to help me clean up the code in 2.1, domi? Just PM me and we can figure it out.

Re: XOOPS 2.0.10 RC Released

domifara Published 04/04/2005 11:56 Just popping in Joined 09/11/2003 Comments 25

Quote:

Regarding the search.php is it a showstopping bug? Or just an inconvenience?

About $_GET['mids'] in search.php

taking the place of
extract($_GET);
extract($_POST, EXTR_OVERWRITE);
in xoops2.0.9.2

This value seems not to have been received in xoops2.0.10RC

checkbox value searchform to make done the same as xoops2.0.9.2
I only thought that it was for an existing user, I think that that is kinder.

I am expecting xoops2.0.10 final

Thank you Mithrandir

Re: XOOPS 2.0.10 RC Released

hervet Published 04/04/2005 12:37 Friend of XOOPS Joined 11/04/2003 Comments 2267

From a completly fresh install.

Impossible to edit User Info Settings, I always have this error message :
Quote:

Valid token expired
If the page does not automatically reload, please click here

While I can modify the general preferences and I just stay the time to read and change the parameters.
Same message when I try to change the "Meta Tags and Footer","Word Censoring Options", "Search options" and "Mail Setup"
I was able to change the "General Settings" but after this, I can't modify any preference anymore.
Sometimes when I'm going on "Mail Setup", I have a blank page.

I'm using Microsoft-IIS/5.1 with Windows XP Pro, the problem is the same with Mozilla and IE
Session cookies are enabled and I'm working on local without any firewall.

I can't clone a template.
What ever I'm trying to do, I still have this error message...
Impossible to manage pictures inside the image manager.
Impossible to install any module
Impossible to clone a tempate
etc etc
The first time I have set the preferences, I was able to set the php debug's mode but never received any warning.

Re: XOOPS 2.0.10 RC Released

hervet Published 04/04/2005 12:58 Friend of XOOPS Joined 11/04/2003 Comments 2267

In the function filterToken, print_r($token); gives :
Quote:

Array ( [id] => 56622ec43991a4043089268ff30153a4 [expire] => 1112616693 )
Array ( [id] => 56622ec43991a4043089268ff30153a4 [expire] => 1112616693 )

Re: XOOPS 2.0.10 RC Released

Herko Published 04/04/2005 13:20 XOOPS is my life! Joined 02/04/2002 Comments 4238

Quote:

Hervet wrote:
From a completly fresh install.

Impossible to edit user Info Settings, I always have this error message :
Quote:

Valid token expired
If the page does not automatically reload, please click here

While I can modify the general preferences and I just stay the time to read and change the parameters.
Same message when I try to change the "Meta Tags and Footer","Word Censoring Options", "Search options" and "Mail Setup"
I was able to change the "General Settings" but after this, I can't modify any preference anymore.
Sometimes when I'm going on "Mail Setup", I have a blank page.

I'm using Microsoft-IIS/5.1 with Windows XP Pro, the problem is the same with Mozilla and IE
Session cookies are enabled and I'm working on local without any firewall.

I can't clone a template.
What ever I'm trying to do, I still have this error message...
Impossible to manage pictures inside the image manager.
Impossible to install any module
Impossible to clone a tempate
etc etc
The first time I have set the preferences, I was able to set the php debug's mode but never received any warning.

IMHO these are showstoppers for a 2.0.10 stable release, untill this has been verified and tested on other IIS servers.

Herko

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/04/2005 13:29 XOOPS is my life! Joined 06/21/2003 Comments 6320

Hervé - what are your settings for the custom session expiration time?

Re: XOOPS 2.0.10 RC Released

hervet Published 04/04/2005 13:40 Friend of XOOPS Joined 11/04/2003 Comments 2267

Name for user cookies : xoops_RC
Use custom session : yes
Session name : xoops_RC
Session expiration : 2147483647

Re: XOOPS 2.0.10 RC Released

phppp Published 04/04/2005 14:28 XOOPS Contributor Joined 01/25/2004 Comments 2857

Quote:

======================
Quote:
Seems that files in full package are different from those in diff package.
======================

Which?
I did a diff on my patch dir and my full dir. Only modified file was include/version.php, the rest were either the same or removed in the patch

Sorry I was fighting for several versions when I synchronized the files. It is a "fault alarm".

Block issue:
As mentioned in Beat 1 (or beta 2?), there are still some problem managing module blocks. One of them:
Prob: no admin interface for duplicated blocks
Desc: when a module is upgraded with new blocks and/or block orders[in xoops_versions.php] different from old ones, some blocks will be duplicated (This is supposed having been fixed in 2.09, no idea why still there).
Additional: block description is not updated correspondingly if a block is changed to another one by, such as, changing orders.

Possible solutions:
no idea what a perfect solution is, but duplicated blocks could be identified as: same show/edit func, same template, same options

Re: XOOPS 2.0.10 RC Released

ponerse Published 04/04/2005 16:17 Updated 04/04/2005 16:23 Just popping in Joined 01/29/2003 Comments 2

I had to type in Include statements in form.php and formhiddentoken.php to get them to work.

I'm also getting this warning on the front page of the site:

Warning [Xoops]: Smarty error: unable to read resource: "db:system_block_dummy.html" in file Smarty.class.php line 1084

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/04/2005 17:15 XOOPS is my life! Joined 06/21/2003 Comments 6320

Quote:

Warning [Xoops]: Smarty error: unable to read resource: "db:system_block_dummy.html" in file Smarty.class.php line 1084

Upgrade from 2.0.9.2, 2.0.9.3 or a 2.0.10 beta by uploading all files in the 2.0.9.2-2.0.10 RC patch and update the system module through modules administration.

Re: XOOPS 2.0.10 RC Released

hervet Published 04/04/2005 17:18 Friend of XOOPS Joined 11/04/2003 Comments 2267

ponerse,

Try to upgrade the system module.

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/04/2005 17:18 XOOPS is my life! Joined 06/21/2003 Comments 6320

Phppp, I'll look at the module installation routines in the development of 2.1, right now I just want the token system to work for Hervé (and everyone else, naturally) and save further bugfixes for 2.1

Re: XOOPS 2.0.10 RC Released

ponerse Published 04/04/2005 17:58 Just popping in Joined 01/29/2003 Comments 2

That did the trick, thanks!

Quote:

Upgrade from 2.0.9.2, 2.0.9.3 or a 2.0.10 beta by uploading all files in the 2.0.9.2-2.0.10 RC patch and update the system module through modules administration.

Re: XOOPS 2.0.10 RC Released

brash Published 04/05/2005 5:27 Friend of XOOPS Joined 04/10/2003 Comments 2206

Quote:

Herve wrote:

From a completly fresh install.

Impossible to edit User Info Settings, I always have this error message :
Quote:

Valid token expired
If the page does not automatically reload, please click here

While I can modify the general preferences and I just stay the time to read and change the parameters.
Same message when I try to change the "Meta Tags and Footer","Word Censoring Options", "Search options" and "Mail Setup"
I was able to change the "General Settings" but after this, I can't modify any preference anymore.
Sometimes when I'm going on "Mail Setup", I have a blank page.

I'm using Microsoft-IIS/5.1 with Windows XP Pro, the problem is the same with Mozilla and IE
Session cookies are enabled and I'm working on local without any firewall.

I can't clone a template.
What ever I'm trying to do, I still have this error message...
Impossible to manage pictures inside the image manager.
Impossible to install any module
Impossible to clone a tempate
etc etc
The first time I have set the preferences, I was able to set the php debug's mode but never received any warning.

What version of PHP are you using Herve, and in what configuration (ISAPI or CGI)? I've been testing 2.0.10RC on my Windows XP Pro test machine running SP2 and IIS 5.1 in ISAPI mode with PHP 4.3.8 with no problems at all.

Re: XOOPS 2.0.10 RC Released

hervet Published 04/05/2005 5:56 Friend of XOOPS Joined 11/04/2003 Comments 2267

php 4.3.10 + eaccelerator, ISAPI mode

Re: XOOPS 2.0.10 RC Released

brash Published 04/05/2005 6:12 Updated 04/05/2005 6:13 Friend of XOOPS Joined 04/10/2003 Comments 2206

I'm running PHP 4.3.8 with mmcache (still to give eaccelerator a try) in ISAPI mode. I'll see if I can give a few different PHP versions/configurations a try over the next few days.

*EDIT*

Also, is it possible for you to define in point form exactly what you do after install to get your error? Just so we can be sure everyone is testing for the exact same thing.

Re: XOOPS 2.0.10 RC Released

hervet Published 04/05/2005 6:20 Friend of XOOPS Joined 11/04/2003 Comments 2267

I'm going to update to php 4.3.11
Just after the install ? I went to the configuration's section of my website, that's all.

Re: XOOPS 2.0.10 RC Released

brash Published 04/05/2005 6:28 Friend of XOOPS Joined 04/10/2003 Comments 2206

If you are going to upgrade Herve, can you give John Lim's PHP EasyWindows Installer? It does use mmcache rather than eaccelerator, but it has been absolutley rock solid for me for a long time, and I seem to be able to use 2.0.10 without any of the issues you are experiencing.

Re: XOOPS 2.0.10 RC Released

hervet Published 04/05/2005 7:10 Updated 04/05/2005 7:11 Friend of XOOPS Joined 11/04/2003 Comments 2267

I have desactivated eaccelerator and xdebug (I forgotted to say that I was using it), same result.
I have upgraded to php 4.3.11, same result too.
I have also reupdated my XOOPS version.

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/05/2005 7:27 XOOPS is my life! Joined 06/21/2003 Comments 6320

Hervé, in the check() method on the xoopssecurity class, can you format the expiration time to a more readable format and format time() with the same format so we can perhaps spot a faulty expiration time.

Re: XOOPS 2.0.10 RC Released

hervet Published 04/05/2005 7:36 Friend of XOOPS Joined 11/04/2003 Comments 2267

In the filterToken function I have added a :
Quote:

echo "<br>".date("Y/n/j G:i:s",$token['expire']);

Here is the result :
Quote:

2005/4/5 8:49:35
2005/4/5 8:49:35

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/05/2005 7:38 XOOPS is my life! Joined 06/21/2003 Comments 6320

and what is the current time?

Re: XOOPS 2.0.10 RC Released

hervet Published 04/05/2005 7:43 Friend of XOOPS Joined 11/04/2003 Comments 2267

Current time is the one you can read plus or or two seconds more.

But this runs :
Quote:

return (!empty($token['expire']) && (intval($token['expire']) <= time()));

instead of this :
Quote:

return (!empty($token['expire']) && (intval($token['expire']) >= time()));

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/05/2005 10:00 XOOPS is my life! Joined 06/21/2003 Comments 6320

I'll look into it, Hervé, I think it is exactly that line that is messing up.

Will check when I get home tonight.

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/05/2005 15:32 XOOPS is my life! Joined 06/21/2003 Comments 6320

I can't see your change being the right one, Hervé.

The method should return true, if the token is NOT expired.

Therefore, could you in the filterToken() method put this in:


echo "<br />expire: ".date("Y/n/j G:i:s",$token['expire']);

echo "<br />now: ".date("Y/n/j G:i:s", time());

return (!empty($token['expire']) && $token['expire'] >= time());

the expire time should be _bigger_ than the current time.

Re: XOOPS 2.0.10 RC Released

SawLoserUKLF Published 04/05/2005 22:03 Updated 04/05/2005 22:09 Just popping in Joined 01/16/2005 Comments 4

Im now geting this token error when try to change anything on site.One of the messgaes is Valid token expired
Would there be a fix out for this soon or do need to roll back?www.fps.intelzone.co.uk

Re: XOOPS 2.0.10 RC Released

toddherrold Published 04/05/2005 22:11 Quite a regular Joined 06/13/2004 Comments 274

flawless upgrade from 2.0.9.2! XOOPS continues to ROCK! Thanks for the great work.

Re: XOOPS 2.0.10 RC Released

SawLoserUKLF Published 04/05/2005 22:42 Just popping in Joined 01/16/2005 Comments 4

2 other site ive crried this out on are ok. Just the one site with this problem.

Re: XOOPS 2.0.10 RC Released

brash Published 04/05/2005 23:31 Friend of XOOPS Joined 04/10/2003 Comments 2206

You do realise that 2.0.10 is still in the release candidate stage, and is not yet deemed suitable for using in a production environment?

Re: XOOPS 2.0.10 RC Released

SawLoserUKLF Published 04/06/2005 9:43 Just popping in Joined 01/16/2005 Comments 4

good job then me sites are for fun and i do back ups

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/06/2005 11:28 XOOPS is my life! Joined 06/21/2003 Comments 6320

Is there a pattern in those (only two?) examples of tokens making it impossible to submit forms?

Platform, PHP version, whatever...

Hervé, did you try dumping both time() and $token['expire'] in a human-readable format? I did find that the XoopsFormHiddenToken constructor set the timeout to 360 seconds by default where it should send 0 by default, thus not setting the expiration time of the token to the session duration time.

Re: XOOPS 2.0.10 RC Released

brash Published 04/06/2005 13:50 Friend of XOOPS Joined 04/10/2003 Comments 2206

Hi Herve,

Would I be able to get a copy of your php.ini file at all? I've tried reproducing this error on both Windows XP Pro SP2 / IIS 5.1 and Windows 2003 Server / IIS 6 without result, I just can't reproduce the token error with 2.0.10RC. Just hoping it might be a PHP environment issue and looking to do a diff between your php.ini and mine.

Re: XOOPS 2.0.10 RC Released

hervet Published 04/06/2005 14:37 Friend of XOOPS Joined 11/04/2003 Comments 2267

I have added this code :
Quote:

echo "<br>Token=".date("d/m/Y G:i:s",$token['expire']);
echo "<br>Time=".date("d/m/Y G:i:s",time());

here is the result :
Token=06/04/2005 15:51:04
Time=06/04/2005 15:52:06

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/06/2005 14:51 XOOPS is my life! Joined 06/21/2003 Comments 6320

OK, so the filter is working correctly - the token expires before time() so it should fail.

Let's take a look at the createToken() method, then.
Can you do a similar check on the token's expiration time (compared to time() ) when the token is set?

Re: XOOPS 2.0.10 RC Released

hervet Published 04/06/2005 16:19 Friend of XOOPS Joined 11/04/2003 Comments 2267

Inside filterToken - Token=06/04/2005 17:21:00
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:21:29
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:21:34
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:21:41
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:28:55
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:29:08
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:29:31
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:29:57
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:30:08
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:30:29
Inside filterToken - Time=06/04/2005 17:33:15
Inside filterToken - Token=06/04/2005 17:31:54
Inside filterToken - Time=06/04/2005 17:33:15
Inside createToken - token_id=ee0e28f37f864c446e3f52f88243a94d
Inside filterToken - expire=06/04/2005 17:32:15

Re: XOOPS 2.0.10 RC Released

Speed Published 04/06/2005 18:40 Quite a regular Joined 05/18/2004 Comments 310

Thank you hervet and mithrandir for your ongoing tracking of these elusive bugs via this comment thread rather than private emails. I tend to take many things for granted, often due to not really understanding how much time testing can often take. Seeing how much work happens behind the scenes is very important I think.

You are all doing a damn fine job! Every single person that contributes to the ongoing success of XOOPS has my utmost appreciation and respect!

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/06/2005 22:05 XOOPS is my life! Joined 06/21/2003 Comments 6320

Hervé could you focus on createToken instead of filterToken. Since the filterToken filters out tokens that have an expiration date before time() it is working correctly, so the problem must be that the expiration time is set incorrectly.

In createToken() could you do some similar echo's of the timeout, the token expiration time and the output of time() so we can see where the problem comes from?

Re: XOOPS 2.0.10 RC Released

brash Published 04/07/2005 0:11 Friend of XOOPS Joined 04/10/2003 Comments 2206

I'm reasonably confident this isn't a PHP environment thing now. I've copied all Herve's PHP.ini settings so that mine is the same, with the exception of paths that is. As long as the paths and permissions are correct I don't see that being an issue though. I even tried just using Herve's PHP.ini directly. Anyway, I just can't seem to reproduce this token error at all.

How is the token expiration time actually generated? Does this token error happen every time, or is it a random thing? What ISAPI filters do you have enabled Herve? Have you used anything like the IIS lockdown tool?

Re: XOOPS 2.0.10 RC Released

Chappy Published 04/07/2005 1:51 Friend of XOOPS Joined 12/14/2002 Comments 456

I, too, like Speed, am appreciative of this open debugging process. It's instructive, both as to process and extent of work involved. It puts comments like "Why can't you put out the next release any sooner?" into perspective (not that that's ever been said by anyone at XOOPS ).

Re: XOOPS 2.0.10 RC Released

hervet Published 04/07/2005 6:54 Updated 04/07/2005 6:55 Friend of XOOPS Joined 11/04/2003 Comments 2267

I found how to solve the problem but not the reason.

In fact I was using the gzip compression.
The gzip compression runs perfectly on all my other websites. After turning it off, everything is ok.

I don't have, except Php, any ISAPI filter activated and the problem occurs every time I want to do something.

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/07/2005 7:36 XOOPS is my life! Joined 06/21/2003 Comments 6320

OK, just leave gzip compression off. I will take a better look at it in 2.1
gzip is only used in the administration area, anyway, so the performance gain is minimal, I think.

Re: XOOPS 2.0.10 RC Released

hervet Published 04/07/2005 11:25 Updated 04/07/2005 11:26 Friend of XOOPS Joined 11/04/2003 Comments 2267

Hello,

I have made some tests as an anonymous user.

1) The contact us module
When I go in the module to submit a comment, I have this warnings :
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file xoopsrc\class\xoopssecurity.php line 164
Warning [PHP]: array_filter(): The first argument should be an array in file xoopsrc\class\xoopssecurity.php line 164

2) Newbb
I have used the button to create a new post, preview it and submit it
Quote:

Fatal error: Cannot redeclare newbb_notify_iteminfo() (previously declared in xoopsrc\modules\newbb\include\notification.inc.php:28) in xoopsrc\modules\newbb\include\notification.inc.php on line 28

Same message when I submit as a registred user

3) After I have logged (as admin), when I go and see my private messages
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file xoopsrc\class\xoopssecurity.php line 164
Warning [PHP]: array_filter(): The first argument should be an array in file xoopsrc\class\xoopssecurity.php line 164

4) Idem, jut after logging, when I want to see my notifications
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file xoopsrc\class\xoopssecurity.php line 164
Warning [PHP]: array_filter(): The first argument should be an array in file xoopsrc\class\xoopssecurity.php line 164

5) Just after my connection, when I edit my profile
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file xoopsrc\class\xoopssecurity.php line 164
Warning [PHP]: array_filter(): The first argument should be an array in file xoopsrc\class\xoopssecurity.php line 164

6) When I want to submit a private message (and when i'm not logged as an admin)
The first time I try to do it I have :
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file xoopsrc\class\xoopssecurity.php line 164
Warning [PHP]: array_filter(): The first argument should be an array in file xoopsrc\class\xoopssecurity.php line 164

7) I gave a user the admin's right on the download module and on the FAQ module
Once logged with this user, when I want to modify the module's preferences, I have :
Quote:

Sorry, you don't have the permission to access this area.
If the page does not automatically reload, please click here

Despite this, I can manage the modules without problems

8) I gave to the previous group I was talking of, the admin's right for avatars.
When I go to manage them I have :
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file xoopsrc\class\xoopssecurity.php line 164
Warning [PHP]: array_filter(): The first argument should be an array in file xoopsrc\class\xoopssecurity.php line 164

9) When I click on "Lost password" just after I have logged out
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file xoopsrc\class\xoopssecurity.php line 164
Warning [PHP]: array_filter(): The first argument should be an array in file xoopsrc\class\xoopssecurity.php line 164

10) Same message when I try to register just after I have logged out
Quote:

Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file xoopsrc\class\xoopssecurity.php line 164
Warning [PHP]: array_filter(): The first argument should be an array in file xoopsrc\class\xoopssecurity.php line 164

11) Some questions about the code
- Contact us module
When you read the file /xoops/modules/contact/index.php, you can see this :
Quote:

if (empty($_POST['submit']) | !$GLOBALS['xoopsSecurity']->check()) {

Is this normal ?

- System/admin/findusers/main.php
Quote:

elseif ($op == "submit" & $GLOBALS['xoopsSecurity']->check()) {

- system/admin/smilies/main.php :
Quote:

if ($id <= 0 | !$GLOBALS['xoopsSecurity']->check()) {

This code is present two times

- system/admin/tplsets/main.php
Quote:

if ($id <= 0 | !$GLOBALS['xoopsSecurity']->check()) {

This code is present two times

- system/admin/userrank/main.php
Quote:

if ($rank_id <= 0 | !$GLOBALS['xoopsSecurity']->check()) {

This code is present two times

Bye,
Hervé

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/07/2005 11:42 XOOPS is my life! Joined 06/21/2003 Comments 6320

Quote:

Undefined index: XOOPS_TOKEN_SESSION

was reported earlier and I have fixed that in next RC.

Please look up my reply to Phppp on the use of & and |

A user with module admin rights but not system preferences rights will not be able to set the module's preferences. This is normal.

I'll look at the newbb fatal error.

Thanks for your lengthy report and hard work.

Re: XOOPS 2.0.10 RC Released

jctsup1 Published 04/08/2005 6:05 Not too shy to talk Joined 05/23/2002 Comments 146

I will test this on IIS 5.1 & 6 this weekend & let you know if I run into any problems. Will do both upgrade & fresh install

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/08/2005 15:00 XOOPS is my life! Joined 06/21/2003 Comments 6320

Quote:

Fatal error: Cannot redeclare newbb_notify_iteminfo() (previously declared in xoopsrc\modules\newbb\include\notification.inc.php:28) in xoopsrc\modules\newbb\include\notification.inc.php on line 28

I believe I have found the cause of this. Will test and release 2.0.10 RC2 during the weekend.

Re: XOOPS 2.0.10 RC Released

yokonozco Published 04/09/2005 21:13 Just popping in Joined 03/27/2005 Comments 25

Mith,

Which version of XOOPS i need to use in a production site?

The site is online and run XOOPS 2.0.9.2 Stable.

Must i migrate to XOOPS 2.0.10 RC Full?

Thanks for the help.

Sorry for the ignorance.

Re: XOOPS 2.0.10 RC Released

zimmi88 Published 04/10/2005 6:20 Just popping in Joined 03/09/2005 Comments 57

Hello. when i uploaded this upgrade to my site, it... well... broke.
to the end user, nothing seems wrong, but when i try to access the admin menu, it acts like the menu's being used for the first time and displays "This is your first time to enter the administration section. Press the button below to proceed." But, when i click the submit button, another page pops up that says "failed open file" with a gray box that says "Logging you in..." then directs me back to the page i mentioned above with the submit button on it.
However, for some reason, in newbb2, if i click on the button to take me to the board's control panel, it goes there, but the images for the modules don't display on the sidebar.
is this a bug with the new release? thanks.
-zimmi88 =)

Re: XOOPS 2.0.10 RC Released

jdseymour Published 04/10/2005 8:52 Friend of XOOPS Joined 11/11/2004 Comments 3782

Quote:

Which version of XOOPS i need to use in a production site?

This is an RC release candidate. Although tested and thought to be ready for release, it is still a test version. It will become the final version if no additional bugs are found.

Re: XOOPS 2.0.10 RC Released

shalommemphi Published 04/11/2005 6:54 Not too shy to talk Joined 04/05/2005 Comments 118

Lost password retrieval issue. I posted this in the forums but wondering if others noticed that the retrieve lost password is not working. It sends the email that a request was made and to click on a link, but your only redirected to the page that you used to request a lost password, You never get the email that sends a new temporary password??

XOOPS 2.0.10 RC Released and Auto Login Hack

killpuschel Published 04/11/2005 15:43 Just popping in Joined 03/21/2005 Comments 4

Have anybody some information about the auto log-in hack in combination with this release?

Re: XOOPS 2.0.10 RC Released

Marco Published 04/11/2005 18:44 Updated 04/11/2005 18:54 Home away from home Joined 03/15/2004 Comments 1256

Fresh Install, on WinXP using easyphp 1.8, so PHP 4.3.10, MySql 4.1.9.

- First : I've downloaded zip file from xoops's home page , latest version block, 2.0.10 RC full ((released 03 apr '05). If you click, you go tohttps://xoops.org/modules/core/singlefile.php?cid=3&lid=53, Released: Sat, 26-Mar-2005. I took zip file. Could you change Release date, plz ?

- install warning, but without impact (see after)
. Notice: Undefined index: HTTPS in c:\program files\easyphp1-8\www\test\install\class\settingmanager.php on line 75

. Notice: Use of undefined constant XOOPS_ROOT_PATH - assumed 'XOOPS_ROOT_PATH' in c:\program files\easyphp1-8\www\test\install\index.php on line 258

- test (connected as admin, and debug php mode to ON)
edit/change profil, edit/change general settings, create forum&post, create/modify news in news module, create category in xoopslinks, create category/entry in xoopsdownloads, gzip activated, all are ok.

I'll go further and report here if I discover some mistakes.
Next step could be to test an upgrade with data backup.

@+
marco

Re: XOOPS 2.0.10 RC Released

Marco Published 04/11/2005 21:45 Home away from home Joined 03/15/2004 Comments 1256

more tests, more feedback (debug mode ON)
- I confirm that gzip option makes XOOPS mad. After having enabled it, you can't update modules except system module any more :xoops loops
- Seems that Token system gives XOOPS quite an autologin feature ! I mean, XOOPS remembers last login and put it in log box, waiting for your pass. you have to edit+validate a new profile to save another login in XOOPS "memory".
- If you put a wrong password, here are warnings
. Notice [PHP]: Undefined index: XOOPS_TOKEN_SESSION in file c:\program files\easyphp1-8\www\test\class\xoopssecurity.php line 152
. Warning [PHP]: array_filter(): The first argument should be an array in file c:\program files\easyphp1-8\www\test\class\xoopssecurity.php line 152

I've noticed other errors, like this one :
. Warning [Xoops]: Smarty error: unable to read resource: "db:news_item.html" in file c:\program files\easyphp1-8\www\test\class\smarty\Smarty.class.php line 1084
. Notice [PHP]: Undefined variable: topicalign
. Notice [PHP]: Undefined index: anonpost
. etc....

But I think there are old errors, without real impact.

hope this help !

bye
marco

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/11/2005 21:53 XOOPS is my life! Joined 06/21/2003 Comments 6320

Thanks Marco.

Re. gzip, I have already warned that it should not be enabled. It has no effect on front-side anyway and needs to be rethought.

The "autologin" feature must be a part of your browser. It has nothing to do with the token system at least.

I'll look at the case where you put in a wrong password.

The news PHP notices and warnings are old ones, except the Smarty error - which depends on where and how you experience that one. If it is during module installation/update, it has no real impact.

Re: XOOPS 2.0.10 RC Released

Marco Published 04/11/2005 22:20 Updated 04/11/2005 22:22 Home away from home Joined 03/15/2004 Comments 1256

hy mith

Quote:

The "autologin" feature must be a part of your browser. It has nothing to do with the token system at least.

No !
Because this feature is desactivated on my browser, and it doesn't occur on 2.0.9.3.
For me it's a new behavior.

Quote:

except the Smarty error - which depends on where and how you experience that one. If it is during module installation/update

no, it's during use of news1.1.

marco

Re: XOOPS 2.0.10 RC Released

daibt Published 04/12/2005 6:00 Not too shy to talk Joined 03/26/2005 Comments 191

Dear all,

I am using XOOPS 2.0.10. I am facing with 2 problems as:
- Defauft theme is fine, but any other is not work. I get the blank page when I change new theme
- The module Newbb 2 - I get the blank page for this module (I have make categories, forums and it is in active status)

Could you help me?
Truong Dai - Vietnam

Re: XOOPS 2.0.10 RC Released

Mithrandir Published 04/12/2005 7:43 XOOPS is my life! Joined 06/21/2003 Comments 6320

@daibt: please refer to the forums for blank page troubleshooting. Also check the FAQ section

Quote:

feature is desactivated on my browser

well, it is not something I have made... so where it comes from, I don't know.

Quote:

no, it's during use of news1.1.

Hmm... but nothing is broken?

Re: XOOPS 2.0.10 RC Released

Marco Published 04/12/2005 10:53 Home away from home Joined 03/15/2004 Comments 1256

Quote:

Quote:

feature is desactivated on my browser

well, it is not something I have made... so where it comes from, I don't know.

Just try to connect with a wrong password
then it will occur.
I will try tonight with a new install
marco

Re: XOOPS 2.0.10 RC Released

Peekay Published 04/12/2005 22:48 Updated 04/12/2005 22:52 XOOPS is my life! Joined 11/20/2004 Comments 2335

Apologies if this has been addressed, but like Ponerse and MarcoFR I got a warning installing the Xdirectory 1.5 module: Quote:

Warning [Xoops]: Smarty error: unable to read resource: "db:xdir_listingfull.html" in file class/smarty/Smarty.class.php line 1084

Module seems to work o.k.

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

XOOPS: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

XOOPS 2.0.10 RC Released and Auto Login Hack

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released

Re: XOOPS 2.0.10 RC Released