The Nucleus CMS core development team has released Nucleus CMS v3.62. This release includes bug fixes, new features, and a minor security enhancement.
If you are running 3.33 or later and the installation is operational, this release contains no urgent security fixes, so you do not need to rush the upgrade. We still recommend updating so that your blog software is up to date and works with all plugins. Abandoned installations that are missing the config.php file are vulnerable in rare circumstances. These installations should be removed or updated immediately.
List of all new features in Nucleus CMS 3.62:
- CHANGE: add redundant safeguards against security issues caused by case where register_globals is on and the config.php file is missing (Rare!!!)
- CHANGE: make CONF variable, AdminCSS, to hold name of admin area style to use. default to original.
- FIX: use of strripos in cleanFileName() not PHP4 compatible, switched to use of strrpos() since no functionality lost.
- FIX: replace ereg* functions in remaining core files, including core plugins.
- FIX: multiple newlines in comment body being reduced to only one newline.
- FIX: highlight() function still using ereg* functions.
- CHANGE: cleanFileName() function simplified to replace all but a-z0-9-.
- FIX: install problem when only mysqli_* is available.
- FIX: fix comment body text not appearing on Edit Comment form.
List of all new features in Nucleus CMS 3.61:
- FIX: fix comment body being lost
- FIX: fix edit comment form formatting
- FIX: fix search title and body of items not displayed in search results
List of all new features in Nucleus CMS 3.60:
- ADD: MediaUploadFormExtras event to nucleus/media.php to allow plugin to add extra fields to media uploader form. See NP_ImageLimitSize (0.20+) for example of using event.
- CHANGE: use sql_real_escape_string() function in place of addslashes() in all but 2 places where sql_real_escape_string() doesn't make sense.
- ADD: mysql_real_escape_string() function to wrapper for mysqli (libs/mysql.php).
- FIX: globalfunctions.php. PostParseUrl event only firing when using urlmode=pathinfo (fancyurls).
- FIX: sql_affected_rows() function in nucleus/libs/sql/mysql.php. Was causing error in ban deletion.
- CHANGE: ACTIONS::_searchlink() to improve creation of next/prev link for index skin parts. Also, add $navigationItems global that can be set by plugin to affect next/prev link when plugin lists items on index page, see NP_Ordered 1.37.
- ADD: if-else-elseif-ifnot-ifelsenot-endif to the Item Body actions. Same as in Item Templates. see help.html for details.
- ADD: cleanFileName() function to globalfunctions.php and then use in nucleus/media and in MEDIA.php to clean up filenames of uploaded files to avoid problems with spaces and other characters. Thanks WillyP.
- ADD: global $currentcomentid and $currentcommentarray during item template processing so can get comment info in phpinclude called from comment template.
- ADD: if-else-elseif-ifnot-ifelsenot-endif to the comment field templates. see help.html for details.
- ADD: global $currentitemid during item template processing so can get item info in phpinclude called from item template.
- ADD: if-else-elseif-ifnot-ifelsenot-endif to the item field templates. see help.html for details.
- FIX: bug where categorylist with blogname parameter did not work on member, error, or special skin parts.
- FIX: bug in commentform skinvar where form showing to nonmembers when bpublic=0. Thanks WillyP.
- CHANGE: length of bnotify column in blog table to 128 characters to allow for longer lists of notification recipients.
- ADD: recount parameter to nextlink skinvar to force recalculation of iAmountOnPage for nextlink instead of using amountfound from last blog skinvar. Helpful in more advanced situations where multiple blog skinvars used on single page.
- FIX: tightened security around includes in PLUGINADMIN class.
- ADD: globalfunctions: include_libs() and include_plugins() to be used to safely include libs and plugins.
- REMOVE: config.php. rename to config.php.sample to avoid overwrite during upgrade. config.php created by build.xml during generation of full install package and modified by install.php.
- FIX: tune db tables in sqlinstall.
- ADD: yourprofileurl parameter value to member skinvar to produce url to logged on member's profile for use in link to member profile.
- FIX: Fixes to NP_SecurityEnforcer suggested by cacher at Japanese Forum.
- FIX: When changing settings for a member, call to PrePasswordSet event was happening even if password not being changed. Admin.php, action_changemembersettings() method.
- ADD: PostParseURL event to globalfunctions. Triggers right after url is fully parsed (by ParseURL in globalfunctions). Useful to tweak global variables before selector() runs or to set something based on path-related globals. Used by new version of NP_EventBlog (min 3.60) to display future posts (events) on item pages skin part.
- CHANGE: selector() itemid, change itemexists check to be aware of allowDrafts and allowFuture.
- ADD: $CONF settings for allowDrafts and allowFuture so can set selector to permit showing of these items if needed. Can be set in config.php or in plugin event (probably authentication related for timing).
- CHANGE: BLOG::readLogFromList() and BLOG::getSqlItemList() methods to add parameters permitting drafts or future items to be shown.
- FIX: unloaded ITEM class error caused by NP_Ping when creating new weblog. See here
- FIX: convert/livejournal.php set to use sql_table for prefixes. suggested by quandary (see here).
- FIX: improvements to isValidMailAddress() function as suggested by quandary here