News

Zenphoto 1.5.7

    This is a bugfix and security release.

    Developer note

    This will be possibly the last 1.5.x release. We will only try to fix serious bugs. The 1.5.x release stream is therefore frozen now. The next release will hopefully be the planned "major release" we already mentioned several times. Due to serious time issues we can't afford to work on two release streams simultaneously anymore. That's why, from now on, we will concentrate our efforts on the next major release only. Note that almost everything we wrote on https://www.zenphoto.org/news/developer-note-the-mysterious-next-major-release/ still applies. Thanks for understanding.

    Security

    • Fixes XSS issue in /page/search/ parameters [acrylian – Thanks to gwen001]
    • Fixes local file disclosure related to log files on backend pages [acrylian – Thanks to gwen001]
    • Fixes setup process code injection [acrylian – Thanks to gwen001]
    • Fixes authenticated SQL injection in postAlbumSort() on backend pages [acrylian – Thanks to gwen001]
    • Editing executable theme files (e.g. PHP files) via the basic theme editor now requires full admin rights. Theme rights are not sufficient anymore. The editor is only suitable for quick, simple edits, so you should use a proper editor on a local test server anyway [acrylian – Thanks to the SEC Consult Vulnerability Lab]
    • Fixes upload of arbitrary files in elFinder plugin. Details below.
    • Fixes possible XSS issue in the html_encodeTagged() function used e.g. for printing album or image descriptions, or page and news article content. [acrylian – Thanks to JPCERT/CC]
    • Removes the very old third-party PCLZIP fallback library, which was not able to filter the supported file formats contained within archives and would therefore potentially allow unwanted and executable files to be sneaked in. This library had had no updates since 2009. The native PHP ZipArchive extension is therefore now required for extracting zips; setup now checks for this [acrylian – Thanks to JPCERT/CC]
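As an added illustration of the filtering the last bullet describes (this is example code, not Zenphoto's own extraction routine), the function below unpacks an archive with the native ZipArchive extension and only writes entries whose extension is on an allowlist, so a PHP or HTML file packed into a zip never reaches the disk; the allowlist, paths and the usage call are assumptions.

```php
<?php
// Added example, not Zenphoto's own code: extract an archive with ZipArchive
// while filtering entries by an extension allowlist. $allowed, $zipPath and
// $destDir are illustrative assumptions.

/**
 * Extract $zipPath into $destDir. Entries whose final extension is not in
 * $allowed, and entries that would escape $destDir, are skipped.
 * Returns the relative paths that were actually written.
 */
function extractFilteredZip(string $zipPath, string $destDir, array $allowed): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("Cannot open archive: $zipPath");
    }
    $destReal = realpath($destDir);
    if ($destReal === false) {
        throw new RuntimeException("Destination does not exist: $destDir");
    }
    $written = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || substr($name, -1) === '/') {
            continue; // directory entries carry no data; created on demand below
        }
        // Only the final extension is compared, lower-cased ("photo.JPG" -> "jpg").
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed, true)) {
            continue; // e.g. index.html or shell.php are silently dropped
        }
        // Reject absolute paths and any ".." segment (zip path traversal).
        $segments = explode('/', str_replace('\\', '/', $name));
        if ($segments[0] === '' || in_array('..', $segments, true)) {
            continue;
        }
        $target = $destReal . '/' . implode('/', $segments);
        $dir = dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            continue;
        }
        $data = $zip->getFromIndex($i);
        if ($data !== false && file_put_contents($target, $data) !== false) {
            $written[] = $name;
        }
    }
    $zip->close();
    return $written;
}

// Usage with constructed paths: only image files are unpacked.
$files = extractFilteredZip('/tmp/upload.zip', '/var/www/albums/incoming', ['jpg', 'jpeg', 'png', 'gif']);
```

Because only the final extension is checked, the destination should still be a directory where the web server does not execute scripts.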

    General

    • Fix placeholder page not loading properly if the site_upgrade plugin is used to close the site. Also add default placeholder page within the root index.php in case the site_updated placeholder files are not generated properly or the site is closed via the config file directly [acrylian]
    • Fixes broken sortdirection for images in dynamic albums/search if sorted by title [acrylian]
    • Fix unnecessary exceeding of the server side max_input_vars limit if saving image sortorder for large albums. Add a form post truncation warning if using a bulk action and exceeding its limit. Consolidate messages and update post truncation message to tell about the actual issue [acrylian - Thanks to adrav]
    • New function printLangAttribute() that prints a "lang" attribute with a locale. It can (and should) be added to your theme, for example as <html<?php printLangAttribute(); ?>>. Locales like en_US get the underscores replaced by hyphens (en-US) using the new getLangAttributeLocale() function to be valid [acrylian]
    • Fixes a bug where unpublished albums and their images were shown as search results even if the logged-in user did not have the appropriate rights to view them. [acrylian]
    • Fix MySQL issue with getNotViewableImages() affecting e.g. the tag_suggest plugin in check tag access mode when there are no non-viewable albums [acrylian]
    • Several user interface changes regarding scheduled publishing (= future publishing and expiration) for single edit pages and also list display. [acrylian, fretzl]
      • There are now new icons indicating the publish status regarding future publishing or expiration. If you have set both future publishing and expiration, lists will indicate future publishing by specific icons.
      • The album list now displays the future publishing and/or the expiry date if set.
      • Also there are now better visual notes regarding the status. Since future-published items need to already be published (in order to be "ready to be published"), the checkbox now actually reflects that status.
    • The publish status icon on the image thumbnail tab has been relocated below the thumbnail with some re-ordering of the existing icons, e.g. the checkbox for bulk actions is now on the right as on all other content lists for consistency. It also reflects any active future publishing or expiration schedule. The icon is now also a button/link so you can directly change the publish status of an image.
    • Setup now lists the server software found and throws a warning if it is (or seems to be) neither Apache nor Nginx, as we primarily test on Apache. The admin main page also lists this info now.
    • The MySQL handler is now deprecated and will throw a constant debug log notice if you are still on a PHP version older than 7. Setup will also throw a warning. The PHP MySQL extension has already been removed in PHP 7. Use MySQLi or PDO_MySQL instead. [acrylian]
    • Safe mode checks have been removed, as safe mode itself has been gone since PHP 5.4 [acrylian]
    • Several deprecations for PHP 7.4+ compatibility fixed [acrylian, fretzl]:
      • Removes any usage of magic_quotes since its functionality has been gone since PHP 5.4 anyway
      • Fixes deprecated array and string offset access syntax with curly braces
      • Fixes deprecated unparenthesized ternary operators
    • You can now set the MySQL port via the config file if you need to. Add $conf['mysql_port'] = "<port>"; to /zp-data/zenphoto.cfg.php. Setup will add the default port 3306 if not present yet, which is sufficient for most web servers. Note that the port will be ignored if you use "localhost" as the database server name; use the IP address instead. On a new install you can add it via the form where you enter your credentials [acrylian]
    • The Content-Security-Policy header on the Zenphoto backend now allows browsers to look for images in the server root. This way browsers can check if a favicon.ico file is present without being blocked [fretzl]
    • secureServer function: considers https requests behind reverse proxies (see https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/) [ballinette]
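The last bullet touches a check that is easy to get wrong, so here is an added example (not Zenphoto's secureServer() itself) of deciding whether a request is HTTPS when a reverse proxy terminates TLS: the forwarded scheme header is believed only when the direct peer is a known proxy, because any client can send that header. The proxy list and the sample environments are assumptions.

```php
<?php
// Added example, not Zenphoto's own secureServer(): decide whether a request
// arrived over HTTPS when a reverse proxy terminates TLS. $trustedProxies and
// the $server arrays are illustrative assumptions.

/**
 * Returns true if the request is HTTPS. X-Forwarded-Proto is honoured only
 * when the direct peer (REMOTE_ADDR) is a proxy we trust: any client can send
 * that header, so believing it unconditionally would let a plain-HTTP
 * request pass as secure.
 */
function isSecureRequest(array $server, array $trustedProxies): bool {
    // Direct TLS connection: the SAPI sets HTTPS to a non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a proxy: only believe the forwarded scheme from a known proxy address.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }
    $forwarded = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    // Chained proxies may append values ("https, http"); the first is the client-facing hop.
    $first = strtolower(trim(explode(',', $forwarded)[0]));
    return $first === 'https';
}

// Constructed sample environments (normally you would pass $_SERVER):
$proxies  = ['10.0.0.2']; // the reverse proxy in front of PHP (assumed address)
$direct   = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.5'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed  = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_PROTO' => 'https'];
foreach (['direct' => $direct, 'viaProxy' => $viaProxy, 'spoofed' => $spoofed] as $label => $env) {
    echo $label, ': ', isSecureRequest($env, $proxies) ? 'https' : 'http', PHP_EOL;
}
```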

    Plugins

    • auto_backup/backup_restore: Change wording to make clear that this actually does not back up the database itself but its content. For a real database backup you need to use tools like phpMyAdmin [acrylian]
    • class-video: Update getID3 to 1.9.19. [fretzl]
    • class-textobject: The wrapper generated is now a <div> instead of a <span> to allow a wider array of HTML elements to be used within it [acrylian]
    • defaultCodeblocks: Fix option class method declared static incorrectly [acrylian]
    • downloadList:
      • Adds printFullImageDownloadURL() for easier image download usage [acrylian]
      • Fixes support for external albums folder [fretzl]
      • Fixes zips from cache. Note that this uses default sized images and will fail if these are not already generated (not every theme uses these sizes) [acrylian]
    • elFinder:
      • Uploading arbitrary files like PHP files, any application/* mime type files and HTML files that may be directly executed is now forbidden for users with only theme rights or files rights. You need full admin rights for this now. This was submitted to us as a general security issue. We agreed that lower ranks possibly should not have this ability, but did not agree that the full admin shouldn't, as at least the site owner is always a full admin. If he grants anyone else such high rights, it is his responsibility to do so. [acrylian - Thanks to the SEC Consult Vulnerability Lab]
      • Update elFinder to 2.1.53 [fretzl]
    • html_meta_tags: Removes the htmlmeta_pragma option as it offered the invalid selections "cache" and "no-cache", but this attribute actually only allows "no-cache" or should not be set at all. So if you enable the http-equiv='pragma' option in the HTML meta tags checkbox list option, it is automatically set to "no-cache". Check your settings also against other cache-related meta tags to avoid issues! [acrylian]
    • jquery-uploader: Lost support for uploading and extracting zip archives with supported file formats has been restored (native PHP extension ZipArchive required) [acrylian]
    • menu_manager [acrylian, fretzl]
      • Changes the behaviour of the function getCurrentMenuItem(), which neither did what the function name suggests (return the full item array) nor returned the sort_order as the doc block said. In fact it returned the key of the item within the items array. There is now a new second parameter $field that allows getting either the full item array, a certain field of the item, or the key, to cover all use cases. The sort_order field is the default as that was the general use case. If you used this in custom code you need to update accordingly.
        • Also fixes getMenuItemChilds() and getParentMenuItems() to actually get those items.
      • Fixes parent menu items not being assigned an active class if a child item is active; correctly assigns the top active class to top-level items and the active class to sub items only. Also the sub active class now has the correct level of the item added, as the order was reversed somehow.
        • Fixes the related issue with "invented menu items". Generally the menu_manager is for custom structures outside the actual site structure, so parents only get active if there is a menu sub item for them. There are two exceptions to this: images within an album and news articles in relation to the news index. Images and news articles have no menu item type and therefore are "invented" to trigger their album or the news index respectively.
      • Fixes unwantedly active menu entry when selecting a Zenpage category
      • Fix minor bug with updating menulabel type menu entries
      • Fix menu_manager issue that using the show/hide menu entry button didn't return to the selected menuset
      • Fix album/image or category count appearing on other menu entry types.
      • Support for using static class methods as menu function
    • openstreetmap: Upgrade Leaflet to 1.6 + leaflet-providers 1.9.1 [vincent3569]
    • PHPMailer [fretzl]
      • Update the PHPMailer to 6.1.3.
      • Overrides the behaviour where encryption is automatically enabled when advertised by the server, even if you have set the plugin option "Secure mail" to "no".
    • Zenpage: Several user interface changes regarding scheduled publishing. See General above for details [acrylian, fretzl]

    Translations

    • Dutch [fretzl]
    • French [vincent3569]
    • German [acrylian]
    • Italian [bic-ed]
    • Slovak [tangorn]

    For questions and comments please use the forum or discuss on the social networks.
