News

Zenphoto 1.5.5

    This is a bugfix and minor security release. 

    This release was sponsored by:

    General

    • "updateddate" is now set for an album and/or parents if file system contents change ("lastchange" which all item types have is for non file system content like title, descriptions etc.). The database field "updateddate" is there since forever and was formlery only triggered if a new image was added. This means it is set if a new image or subalbum is discovered/added, subalbum/image removal, copying (for the destination) or moving (for both source and desination). It has also been added to the sorting selectors on the Options > Gallery and each of the album's selectors.
    • Fix "return unpublished" search option not being set correctly on dynamic album creation [acrylian]
    • Fix issue with search/dynamic albums wrongfully returning published items from unpublished parent items which are considered unpublished by hierachical inheritance. Introduces new class method isPublic() for all theme object classes called which checks parents for their publish state as the existing getShow() method just checks the item itself. [acrylian, fretzl - Special thanks to mironb]
    • Fixes issue with custom sortorders for albums and images [acrylian]
    • If the site is set to maintenance mode (aka “closed for update”) it now sends the correct HTTP status code "503 Service Unavailble" instead of "302 Found". Retry request is set to 3600 seconds [acrylian]

    Security

    • elFinder: See plugin section below
    • Backend headers: The backend now sets some additional headers by default:
      • X-Frame-Options header to prevent framing and clickhijacking [acrylian]
      • Some basic Content-Security-Policy headers which will prevent loading external data. If you use any custom admin plugins you may need to add additional headers to allow these external sources by using the "admin_headers" filter.
        • Because of extensive usage of inline scripts and handlers everywhere we couldn't use strict settings against XSS attempts by default as all those would break. We plan to get rid of these usages in the future anyway. [acrylian]
      • Also some Cache-Control headers are set by default [acrylian]
      • If logging out a complete Clear-Site-Data header is send to ensure proper logout. Some browsers' caches seemed to be too persistent at times so this should help newer browsers [acrylian]
    • We got a security report that hijacking clicks by embeding sites using frames/iFrames is possible. We decided not to inlcude any standard headers hardcoded as this requires special configuration. We know of lot sites that go the "lazy way" of simply embedding Zenphoto within their own main site via iFrame that could then break. Instead we introduce the new http_security_headers plugin (see below) so site owners can configure it as needed and also some other security related headers. However we have setup some defaults that cover this by default. We set a few headers but because of lots of especially legacy JS code we had to make them pretty relaxed as otherwise things break. [acrylian - Thanks to bic-ed and Rooghz]

    Plugins

    • cookieconsent: Script updates; JS/CSS loading disabled for loggedin users so they do not unnecessarily get the overlay [fretzl, acrylan]
    • downloadList: Default Matomo content tracking support corresponding the new Matomo plugin option [acrylian]
    • elFinder: Update elFinder to 2.1.50 which fixes several security issues of the elFinder script according to its developer [acrylian]
    • http_security_headers: Allows basic setting of various security related HTTP header policies. Beware that this is advanced usage and misconfiguration may break your site. [acrylian|
    • matomo: Adds content tracking options. To use this your site may require special HTML attribute markup. See the matomo docs for more info [acrylian]
    • openstreetmap: Update leaflet-providers [vincent3569]
    • reCaptcha: Add CSS styles [fretzl]
    • sitemap-extended: Fix wrong dynamic album URL‘s in sitemap. Some visibiliy check improvements and prevent empty image sitemaps being generated [acrylian - Thanks to bic-ed]
    • static_html_cache: Emphasize the importance of certain excluded pages [fretzl]
    • zenphotoDonate: Form does not load external file from Paypal anymore [acrylian]

    Utilities

    • http_header_inspector: A small utility to view which headers the frontend or backend send. Usefull for checking the use of the http_security_headers plugin or adding HTTP headers in other ways [acrylian]

    Themes

    • basic: Center login form properly [fretzl]

    Translations

    • Danish [jesdnissen]
    • Dutch [fretzl]
    • French [vincent3569]
    • Italian [bic-ed|
    • Slovak [tangorn]

     

    For questions and comments please use the forum or discuss on the social networks.

    Related items