Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning conventions adapted to the existing four-component version numbers.

0.31.9.0 - 2026-05-08

Security

  • CSRF Architecture Overhaul: Implemented a centralized ajaxPrefilter in ci4ms.js that injects the CSRF token into every AJAX request automatically. The elFinder route is exempted from CSRF via MediaConfig::$csrfExcept to avoid stale-token 403 errors during its multi-request operations; note that an exempted route has no CSRF protection at all and relies on authentication alone.
  • HTMLPurifier Hardening: Removed the data: URI scheme from URI.AllowedSchemes to block data:text/html;base64 XSS payloads (Base64 images are handled through a custom placeholder mechanism instead). Disabled CSS.Trusted so dangerous CSS properties are filtered. Enabled HTML.TargetBlank, which adds rel="noopener noreferrer" to external links. Ensured the Blog and Pages controllers always persist the CustomRules::getClean() sanitized content to the database.
  • IP Spoofing Fix: Removed the raw $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['HTTP_CLIENT_IP'] reads from BackendLogFilter, which let any client choose the IP recorded in the audit log. It now relies solely on CI4's $request->getIPAddress(), which honours forwarding headers only for proxies listed in App.proxyIPs.
  • Raw $_SERVER Elimination: Replaced all raw $_SERVER['HTTP_HOST'], $_SERVER['HTTPS'] and $_SERVER['SERVER_NAME'] reads with CI4's base_url(), site_url() and parse_url() helpers in Email.php, Ci4ms.php, Install.php and Settings.php, so generated URLs come from the configured base URL rather than from the client-controlled Host header.
  • Fileeditor RCE Prevention: Added a $dangerousExtensions blacklist (.php, .phtml, .phar, .htaccess, etc.) that blocks creating, writing or renaming executable files through the file editor. Added a file_exists() check so createFile cannot overwrite an existing file, and realpath() boundary validation so renameFile cannot move a file outside the editor root.
  • SQL Restore Hardening: Implemented a SQL statement whitelist (INSERT, CREATE TABLE, DROP TABLE, etc.) and dangerous command blacklist (LOAD_FILE, INTO OUTFILE, GRANT, xp_cmdshell, etc.) in DbBackup::restore(). Added path traversal protection requiring backup files to reside within WRITEPATH.
  • Hardcoded Credentials: Removed plaintext passwords from the DevGate configuration. DevGate now stores bcrypt hashes, and $useHashedPasswords is enabled by default to protect developer credentials.
  • Stored XSS — Blog Content (reported by offset): The html_purify custom validation rule was applied to the Blog content field but did not enforce sanitization during update operations, allowing authenticated authors to persist malicious scripts. Fixed by ensuring CustomRules::getClean() is invoked and its output persisted on both create and update flows in Blog.php controller.
  • Stored XSS — Pages Content (reported by offset): Identical bypass in the Pages module: the html_purify rule ran validation but the raw unsanitized value was written to the database on update. Fixed by enforcing CustomRules::getClean() output persistence in Pages.php controller for both creation and editing endpoints.
  • Fileeditor Destructive Operations Extension Bypass (reported by offset): The dangerous-extension blacklist was enforced on createFile, saveFile and renameFile, but not when the target of deleteFileOrFolder or renameFile was itself a critical application file (e.g. .env, composer.json). Added an explicit critical-extension check to both destructive operations so that renaming or deleting such files is blocked regardless of the operation type.
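
The Fileeditor checks above (dangerous extensions, overwrite protection, the realpath boundary for renames, and the follow-up fix for destructive operations) in one place, as an added example that is not CI4MS code: a small policy class that every createFile, saveFile, renameFile and deleteFileOrFolder handler would call before touching the disk. The class name, the extension list, the critical-file list and the demo directory are assumptions; the project's own Fileeditor controller is structured differently.

```php
<?php
// Added example, not CI4MS project code. The class name, extension list, critical-file
// list and the demo directory are assumptions chosen for illustration.
declare(strict_types=1);

final class EditorPolicy
{
    /** Never created, written, renamed to or from, or deleted through the editor. */
    private const DANGEROUS_EXTENSIONS = ['php', 'phtml', 'phar', 'htaccess', 'env'];
    /** Critical application files that destructive operations must leave alone. */
    private const CRITICAL_FILES = ['.env', 'composer.json', 'composer.lock'];

    private string $root;

    public function __construct(string $root)
    {
        $real = realpath($root);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("editor root not found: $root");
        }
        $this->root = $real;
    }

    /** True if ANY extension segment is dangerous: shell.php, shell.php.txt and .htaccess all match. */
    public static function hasDangerousExtension(string $name): bool
    {
        $parts = explode('.', strtolower(basename($name)));
        array_shift($parts); // drop the stem; for ".htaccess" the stem is empty and "htaccess" remains
        return array_intersect($parts, self::DANGEROUS_EXTENSIONS) !== [];
    }

    public static function isCriticalFile(string $name): bool
    {
        return in_array(basename($name), self::CRITICAL_FILES, true);
    }

    /** Map a user-supplied relative path to an absolute path inside the root. A target that does
     *  not exist yet (new file, rename destination) is resolved through its parent directory. */
    public function resolve(string $relative): string
    {
        $leaf = basename($relative);
        if (str_contains($relative, "\0") || $leaf === '' || $leaf === '.' || $leaf === '..') {
            throw new RuntimeException("invalid path: $relative");
        }
        $candidate = $this->root . DIRECTORY_SEPARATOR . ltrim($relative, '/\\');
        $resolved = realpath($candidate);
        if ($resolved === false) {
            $parent = realpath(dirname($candidate));
            if ($parent === false) {
                throw new RuntimeException("parent directory missing: $relative");
            }
            $resolved = $parent . DIRECTORY_SEPARATOR . $leaf;
        }
        if (!str_starts_with($resolved, $this->root . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("path escapes editor root: $relative");
        }
        return $resolved;
    }

    /** Gate for createFile (with $mustNotExist) and saveFile. */
    public function assertWritable(string $relative, bool $mustNotExist = false): string
    {
        if (self::hasDangerousExtension($relative) || self::isCriticalFile($relative)) {
            throw new RuntimeException("refusing to write executable or critical file: $relative");
        }
        $path = $this->resolve($relative);
        if ($mustNotExist && file_exists($path)) {
            throw new RuntimeException("refusing to overwrite: $relative");
        }
        return $path;
    }

    /** Gate for renameFile and deleteFileOrFolder: the existing target AND any new name are checked. */
    public function assertDestructive(string $relative, ?string $newRelative = null): array
    {
        foreach (array_filter([$relative, $newRelative]) as $name) {
            if (self::hasDangerousExtension($name) || self::isCriticalFile($name)) {
                throw new RuntimeException("refusing destructive operation on protected file: $name");
            }
        }
        return [$this->resolve($relative), $newRelative === null ? null : $this->resolve($newRelative)];
    }
}

// Demo against a throwaway directory with constructed contents.
$root = sys_get_temp_dir() . '/editor-demo-' . bin2hex(random_bytes(4));
mkdir("$root/themes", 0700, true);
file_put_contents("$root/composer.json", '{}');
$policy = new EditorPolicy($root);
$cases = [
    ['write',  'themes/style.css', null],              // ordinary theme asset
    ['write',  'themes/shell.php', null],              // executable extension
    ['write',  'themes/x.php.txt', null],              // executable hidden behind a second extension
    ['rename', 'themes/style.css', 'themes/a.phtml'],  // renaming INTO an executable name
    ['delete', 'composer.json', null],                 // critical application file
    ['delete', '../../etc/passwd', null],              // traversal out of the editor root
];
foreach ($cases as [$op, $path, $new]) {
    try {
        $op === 'write' ? $policy->assertWritable($path, true) : $policy->assertDestructive($path, $new);
        echo "ALLOW $op $path\n";
    } catch (RuntimeException $e) {
        echo "DENY  $op $path: {$e->getMessage()}\n";
    }
}
```

The property worth keeping is that every operation goes through the same gate: the later bypass existed precisely because deletion and renaming took a different path from creation and saving. Checking every extension segment rather than only the last one also covers double-extension names that some web server configurations still execute.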

Changed

  • DevGate CLI Sync: php spark ci4ms:setup now automatically updates DevGate.php with the admin credentials provided during installation, matching the web installer's behaviour.
  • Proxy Configuration: Added comprehensive Cloudflare and Nginx reverse proxy configuration examples as comments in App.php::$proxyIPs.
  • URI Schemes: Removed unused nntp and news URI schemes from HTMLPurifier configuration.
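
The SQL Restore Hardening entry in this release's Security section, as an added example that is not CI4MS code: a statement splitter that respects quotes and comments, a leading-keyword whitelist, a dangerous-token blacklist, and a WRITEPATH boundary check. The keyword lists, the class name and the constructed dumps are assumptions; DbBackup::restore() may differ in detail.

```php
<?php
// Added example, not CI4MS project code. The keyword lists, class name and the
// constructed dumps are assumptions; the project's DbBackup::restore() may differ.
declare(strict_types=1);

final class RestoreGuard
{
    /** A plain data dump should contain nothing but statements starting with one of these. */
    private const ALLOWED_PREFIXES = [
        'INSERT INTO', 'REPLACE INTO', 'CREATE TABLE', 'DROP TABLE', 'ALTER TABLE',
        'SET ', 'LOCK TABLES', 'UNLOCK TABLES', 'START TRANSACTION', 'COMMIT',
    ];
    /** Tokens that mean file system access, data exfiltration or privilege changes. */
    private const DANGEROUS_TOKENS = [
        'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE', 'LOAD DATA', 'GRANT ', 'REVOKE ',
        'CREATE USER', 'ALTER USER', 'XP_CMDSHELL', 'SP_CONFIGURE',
    ];

    /** Split a dump into statements on ';' outside string/identifier quotes, dropping comments. */
    public static function splitStatements(string $sql): array
    {
        $statements = [];
        $current = '';
        $quote = null;
        $len = strlen($sql);
        for ($i = 0; $i < $len; $i++) {
            $ch = $sql[$i];
            if ($quote !== null) {                          // inside a quoted string or identifier
                $current .= $ch;
                if ($ch === '\\' && $i + 1 < $len) {
                    $current .= $sql[++$i];                 // keep the escaped character verbatim
                } elseif ($ch === $quote) {
                    $quote = null;
                }
            } elseif ($ch === "'" || $ch === '"' || $ch === '`') {
                $quote = $ch;
                $current .= $ch;
            } elseif ($ch === '#' || substr($sql, $i, 2) === '--') {   // line comment
                $nl = strpos($sql, "\n", $i);
                $i = ($nl === false ? $len : $nl) - 1;
            } elseif (substr($sql, $i, 2) === '/*') {                   // block comment
                $end = strpos($sql, '*/', $i + 2);
                $i = $end === false ? $len : $end + 1;
            } elseif ($ch === ';') {
                if (trim($current) !== '') {
                    $statements[] = trim($current);
                }
                $current = '';
            } else {
                $current .= $ch;
            }
        }
        if (trim($current) !== '') {
            $statements[] = trim($current);
        }
        return $statements;
    }

    /** Return human-readable violations; an empty array means the dump may be executed. */
    public static function check(string $sql): array
    {
        $violations = [];
        foreach (self::splitStatements($sql) as $n => $stmt) {
            $upper = strtoupper(preg_replace('/\s+/', ' ', $stmt));
            $allowed = false;
            foreach (self::ALLOWED_PREFIXES as $prefix) {
                if (str_starts_with($upper, $prefix)) {
                    $allowed = true;
                    break;
                }
            }
            if (!$allowed) {
                $violations[] = "statement $n is not an allowed kind: " . substr($stmt, 0, 40);
            }
            // Deliberately conservative: the scan also covers string literals, so a backup whose
            // data happens to contain e.g. "GRANT " is rejected rather than risk a bypass.
            foreach (self::DANGEROUS_TOKENS as $token) {
                if (str_contains($upper, $token)) {
                    $violations[] = "statement $n contains dangerous token $token";
                }
            }
        }
        return $violations;
    }

    /** Resolve a backup name against the writable directory and refuse anything outside it. */
    public static function backupPath(string $writePath, string $name): string
    {
        $base = realpath($writePath);
        if ($base === false) {
            throw new RuntimeException("backup directory missing: $writePath");
        }
        $path = realpath($base . DIRECTORY_SEPARATOR . $name);
        if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("backup must reside within $writePath: $name");
        }
        return $path;
    }
}

// Constructed dumps: a legitimate one, and one that smuggles a web-shell write past a naive restore.
$good = "-- mysqldump output\nSET NAMES utf8mb4;\nCREATE TABLE t (id INT);\nINSERT INTO t VALUES (1), (2);\n";
$bad  = "INSERT INTO t VALUES ('a;b');\n"
      . "SELECT '<?php system(\$_GET[0]);' INTO OUTFILE '/var/www/html/s.php';";
echo count(RestoreGuard::check($good)), " violations in the good dump\n";
foreach (RestoreGuard::check($bad) as $v) {
    echo "bad dump: $v\n";
}
```

Splitting on ';' only outside quotes matters: a naive explode(';') would cut the INSERT at the ';' inside its string literal, and a prefix check on the fragments could then be bypassed. The token scan is intentionally applied to the whole statement, string literals included, so it can produce false positives on unusual data; for a restore path, failing closed is the right trade.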

0.31.8.0 - 2026-04-19

Fixed

  • Security (Session Management): Re-activated the user account status check in Ci4MsAuthFilter. Sessions of deactivated or banned users are now terminated on their next request, closing a flaw that let such accounts keep using an existing session.
  • Security (Arbitrary Table Drop): Theme::deleteProcess now validates the tables selected for dropping during theme deletion against a whitelist derived from that theme's own migration files, so a request can no longer name arbitrary database tables.
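
The migration-derived whitelist described in the Arbitrary Table Drop entry, as an added example that is not the project's code: scan a theme's migration files for literal createTable() names and intersect the user's selection with that set, so anything the theme never created cannot be dropped. The directory layout, the regex, the function names and the constructed migration files are assumptions; Theme::deleteProcess may parse the migrations differently.

```php
<?php
// Added example, not CI4MS project code. Directory layout, regex, function names and the
// constructed migration files are assumptions chosen for illustration.
declare(strict_types=1);

/** Collect table names declared via ->createTable('name', ...) in a migrations directory. */
function tablesDeclaredByMigrations(string $migrationsDir): array
{
    $tables = [];
    foreach (glob(rtrim($migrationsDir, '/') . '/*.php') ?: [] as $file) {
        $src = file_get_contents($file);
        // Only a literal, quoted table name counts; a dynamic expression cannot be whitelisted.
        if (preg_match_all('/->createTable\(\s*[\'"]([A-Za-z0-9_]+)[\'"]/', $src, $m)) {
            $tables = array_merge($tables, $m[1]);
        }
    }
    return array_values(array_unique($tables));
}

/** Keep only the requested tables that the theme's migrations declared; everything else is dropped from the list. */
function filterDroppableTables(array $requested, array $declared): array
{
    return array_values(array_intersect($requested, $declared));
}

// Constructed migrations for a fictional theme (written to a throwaway directory).
$dir = sys_get_temp_dir() . '/theme-migrations-' . bin2hex(random_bytes(4));
mkdir($dir, 0700, true);
file_put_contents("$dir/2026-01-01-000000_CreatePortfolio.php", <<<'PHP'
<?php
class CreatePortfolio extends CodeIgniter\Database\Migration
{
    public function up() { $this->forge->createTable('theme_portfolio', true); }
    public function down() { $this->forge->dropTable('theme_portfolio', true); }
}
PHP);
file_put_contents("$dir/2026-01-02-000000_CreateTestimonials.php",
    "<?php class CreateTestimonials { function up() { \$this->forge->createTable(\"theme_testimonials\"); } }");

$declared = tablesDeclaredByMigrations($dir);
// A crafted request that sneaks core tables in alongside the theme's own:
$requested = ['theme_portfolio', 'users', 'theme_testimonials', 'auth_identities'];
print_r(filterDroppableTables($requested, $declared));
```

Deriving the whitelist from the migration source rather than from a list the client submits is the point: the request can only narrow the set, never widen it.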

0.31.7.0 - 2026-04-17

Added

  • UpdateService Library: Introduced a comprehensive UpdateService library (modules/Settings/Libraries/UpdateService.php) to centralize all update logic. Features include GitHub Releases API integration (via releases/latest), atomic file writing with rename(), automatic backup of modified files, concurrency control via ci4ms_update.lock, and pagination-aware file comparison (bypassing GitHub's 300-file API limit).
  • Rollback Management: Added listBackups() and rollbackUpdate() endpoints with a SweetAlert2-based interactive UI for browsing and restoring system backups from the Settings dashboard.
  • Security Advisory: Added security-advisory.md documenting the authenticated RCE vulnerability via theme upload (GHSA-fw49-9xq4-gmx6).

Changed

  • Settings Controller: Refactored checkVersion(), downloadPatch(), and autoUpdate() methods to delegate all logic to the new UpdateService library, reducing controller complexity and improving testability.
  • Setup Command: Updated version reference in Ci4msSetup.php to 0.31.7.0.
  • Settings Routes: Added new listBackups and rollbackUpdate POST routes under the backend/settings group.
  • Settings UI: Added "Backups" button to the settings header and integrated rollback confirmation workflow with progress feedback.
  • Localization: Added 12 new translation keys for backup and rollback features across English and Turkish language files.

0.31.6.0 - 2026-04-15

Added

  • Automatic Update: Introduced a comprehensive UpdateService library in the Settings module. Features include automated GitHub version discovery via releases/latest endpoint, secure file-by-file patching (bypassing 300-file API limits), and automatic database migration support.
  • Atomic Operations: Implemented atomic file writing using temporary storage and rename() to prevent partial updates.
  • Backup & Rollback: Integrated an automatic backup mechanism that captures modified files before patching, with a new manual rollback management interface in the Settings dashboard.
  • Concurrency Control: Added ci4ms_update.lock to prevent concurrent update attempts.
  • Update UI: Modernized the version check and update workflow with an interactive SweetAlert2-based interface and detailed progress feedback.

Changed

  • Internationalization (i18n): Completed full translation support for the Settings module across all 11 supported languages (Arabic, German, English, Spanish, French, Hindi, Japanese, Portuguese, Russian, Turkish, Chinese).
  • Update UI: Modernized the version check and update workflow with an interactive SweetAlert2-based interface.
  • Setup Flow: Enhanced the security and reliability of credential propagation from the web installer to the DevGate configuration.

0.31.5.0 - 2026-04-14

Security

  • XSS Protection: Patched a Stored XSS in the Backup module by escaping backup filenames before they are rendered in DataTables.
  • File System Security: Fixed an Arbitrary File Write (Zip Slip, leading to RCE) caused by directory traversal in ZIP entry names during Theme::upload and Backup::restore processing.
  • Privilege Escalation: Prevented unauthorized assignment of the superadmin role in the UserController's user creation and update flows.

Changed

  • Funding: Added funding configuration (.github/FUNDING.yml) to support project contributions.
  • Logo: Updated the application's default logo format to optimized WebP.

Fixed

  • Backup Manager: Resolved an underlying syntax error in the Backup controller's restore method.

0.31.4.0 - 2026-04-06

Security

  • XSS Protection: Mitigated Stored XSS vulnerability in UserController by wrapping blacklist status notes in esc().
  • Authorization Bypass: Hardened the Fileeditor module by applying isHiddenPath validation to every file operation (readFile, saveFile, createFile, createFolder, renameFile, deleteFileOrFolder), preventing disclosure and modification of protected files such as .env and composer.json.
  • Settings Security: Reworked the Google Maps iframe validation (cMap) in the Settings controller to use a strict preg_replace_callback allowlist, mitigating an srcdoc-based Cross-Site Scripting (XSS) bypass.
  • Pages Security: Added the html_purify validation rule to the page creation and update flows so that injected JavaScript is neutralized.
  • Installation Integrity: Replaced the volatile, cache-dependent installation guard with a persistent filesystem lock (install.lock) that is verified in both the Web (InstallFilter) and CLI (Ci4msSetup.php) boot paths, closing a post-installation re-entry bypass in which the installer could be run again against an installed site.
  • Input Validation: Patched a CRLF Injection flaw in the initial environment setup by stripping \r and \n from user-supplied values before Install.php writes them into the environment configuration.
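
The srcdoc bypass mentioned under Settings Security, as an added example that is not CI4MS code: instead of filtering attributes out of the submitted iframe, validate the src URL against an allowlist and rebuild the tag from scratch, so srcdoc, event handlers and any attribute nobody thought of cannot survive. The permitted host and path, the attribute set and the constructed inputs are assumptions; the project's own cMap check (a preg_replace_callback allowlist) is a different approach.

```php
<?php
// Added example, not CI4MS project code: rebuilding a submitted Google Maps embed from an
// allowlist instead of storing the raw <iframe>. The permitted host/path and the attribute
// set are assumptions; the project's own cMap check (preg_replace_callback) may differ.
declare(strict_types=1);

/**
 * Return a clean <iframe> for a Google Maps embed, or null if the input is not one.
 * Only a validated src plus numeric width/height survive; srcdoc, event handlers and
 * every other attribute are discarded because the tag is rebuilt, not filtered.
 */
function sanitizeMapEmbed(string $html): ?string
{
    // Pull the (double- or single-quoted) src out of the first <iframe ...> tag.
    if (!preg_match('/<iframe\b[^>]*\bsrc\s*=\s*(["\'])(.*?)\1/is', $html, $m)) {
        return null;
    }
    $src = html_entity_decode($m[2], ENT_QUOTES, 'UTF-8');
    $url = parse_url($src);
    if (
        !is_array($url)
        || isset($url['user']) || isset($url['pass'])                    // no userinfo tricks
        || strtolower($url['scheme'] ?? '') !== 'https'
        || strtolower($url['host'] ?? '') !== 'www.google.com'          // assumed embed host
        || !str_starts_with($url['path'] ?? '', '/maps/embed')           // assumed embed path
    ) {
        return null;
    }
    // Dimensions are accepted only as plain digits; anything else falls back to a default.
    $dimension = static function (string $attr, int $default) use ($html): int {
        return preg_match('/\b' . $attr . '\s*=\s*["\']?(\d{1,4})/i', $html, $d) ? (int) $d[1] : $default;
    };
    return sprintf(
        '<iframe src="%s" width="%d" height="%d" loading="lazy" allowfullscreen></iframe>',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'),
        $dimension('width', 600),
        $dimension('height', 450)
    );
}

// Constructed inputs: a legitimate embed, an srcdoc/onload attack riding on a valid src, a foreign host.
$clean   = '<iframe src="https://www.google.com/maps/embed?pb=!1m18!1m12" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy"></iframe>';
$attack  = '<iframe src="https://www.google.com/maps/embed?pb=!1m18" srcdoc="<script>alert(document.cookie)</script>" onload="alert(1)"></iframe>';
$foreign = '<iframe src="https://evil.example/maps/embed?pb=1"></iframe>';

echo sanitizeMapEmbed($clean), "\n";
echo sanitizeMapEmbed($attack), "\n";
var_dump(sanitizeMapEmbed($foreign));
```

Because srcdoc takes precedence over src when both are present, any filter that only inspects src is bypassable; rebuilding the element from a fixed template removes that whole class of attribute-level bypasses. The src regex will also pick up attributes such as data-src, but that is harmless here: whatever it matches is validated and becomes the only URL in the output.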

0.31.3.0 - 2026-04-02

Added

  • CLI: Introduced php spark ci4ms:setup command (Ci4msSetup.php) to automate the full application installation — migrations, seeding, and default data creation — from a single command-line call.
  • Install: Added "Site Slogan" support to both CLI and Web installation flows.

Changed

  • Install: Refactored InstallService.php and Install.php controller to support the new ci4ms:setup CLI flow alongside the existing web-based installer.
  • DashboardWidgets: Updated WidgetService.php for improved widget handling.
  • CI/CD: Updated docker-test.yml workflow to use php spark ci4ms:setup instead of separate migrate and seed steps; removed the fragile Paths.php patch workaround.
  • Docs: Synchronized architecture.html and developer-handbook.html with recent structural changes (Shield, Docker, CLI setup) and improved layout/table styling.

Fixed

  • Boot: Added missing $supportDirectory property to app/Config/Paths.php, resolving the Undefined constant "CodeIgniter\Config\SUPPORTPATH" fatal error that occurred during php spark execution in Docker/CI environments on CI4 4.4+.
  • CLI: Fixed directory creation in Ci4msSetup.php by switching from PUBLICPATH to FCPATH and ensured filesystem helper is loaded for route generation.

0.31.2.0 - 2026-04-01

Added

  • Docker Support: Introduced full Docker environment with Dockerfile, docker-compose.yml, Apache virtual host configuration, and custom php.ini for containerized development and deployment.
  • CI/CD: Added GitHub Actions workflow (docker-test.yaml) to automatically build and test the Docker image on push.
  • Documentation: Added DOCKER_SETUP.md with detailed instructions for running the project via Docker.
  • Localization: Added complete translation packs for DashboardWidgets module in 9 languages: Arabic, German, Spanish, French, Hindi, Japanese, Portuguese, Russian, and Chinese.
  • Localization: Added complete translation packs for LanguageManager module in 9 languages: Arabic, German, Spanish, French, Hindi, Japanese, Portuguese, Russian, and Chinese.
  • Routing: Introduced DefaultRoutes.php config for centralized default route management.

Changed

  • Auth: Updated Auth/Config/Auth.php and AuthGroups.php to refine group and permission configurations.
  • Auth: Improved CustomActivationController.php for Shield-compatible activation flow.
  • Backend: Updated AJAX.php and BaseController.php for improved request handling and response consistency.
  • Backend Language: Refreshed Backend translation files across all 11 supported languages.
  • Blog: Updated Blog language files across all 11 supported languages; refined comment list and display views; updated post creation view.
  • Backup: Refined BackupConfig.php, Backup.php controller, and DbBackup.php library for improved reliability.
  • DashboardWidgets: Updated WidgetService.php and DashboardWidgetsConfig.php.
  • Fileeditor: Updated FileeditorConfig.php for consistency with new config patterns.
  • Install: Updated Install.php controller and InstallService.php for improved setup flow.
  • Media / Menu / Pages / Settings / Theme / Users: Updated language files across all supported languages and refined module configs, controllers, and views for consistency.
  • Methods: Updated ModuleInstaller.php and ModuleScanner.php; refined Routes.php and language files across all supported languages.
  • Frontend Language: Updated app/Language/en/Frontend.php with new translation keys.
  • Filters: Updated app/Config/Filters.php for improved filter handling.
  • App Config: Refined app/Config/App.php settings.
  • Git: Updated .gitattributes and .gitignore rules.

0.31.1.0 - 2026-03-30

Added

  • Theme Manager: Added downloadStarter feature offering automated, memory-based ZIP creation to provide a standardized starter boilerplate theme directly from the admin panel.
  • Theme Manager: Smart deletion confirmation GUI that parses theme migration files and allows users to drop associated database tables selectively.
  • Theme Manager: Added a standalone remove_theme_files helper specifically designed to clean up MVC templates and public asset files safely from the project root.
  • Theme Manager: Automated schema migration implementation inside the Settings module that runs database setups upon theme activation via configuration logic.
  • Core UI: Integrated multiple message list support into the SweetAlert _message_block component for enhanced feedback logs.

Changed

  • Theme Manager: Enhanced install_theme_from_tmp to support and copy the Database/Migrations directory automatically upon extracting a new .zip template.
  • Settings UI: Upgraded backend settings view to elegantly display an extra "Delete Theme" action under inactive template cards.

Fixed

  • Theme Manager: Fixed the recursive directory deletion method (deleteFldr) in themes_helper.php, correcting its parameter count after recent deprecations; this resolves the missing-directory exceptions raised during theme deletion and legacy theme updates.

0.31.0.0 - 2026-03-29

Security

  • CodeIgniter Shield Integration: Fully replaced custom authentication migrations with Shield-compatible structures (auth_groups, auth_identities, auth_groups_users). Removed 14 legacy migration files and introduced 6 new Shield-aligned migrations with proper foreign keys.
  • BackendLogFilter: Added modules/Backend/Filters/BackendLogFilter.php to record detailed user activities (IP, user agent, action, module) in the backend for audit trail and security monitoring.
  • XSS Protection: Implemented global input validation using regex_match[/^[^<>{}]*$/u] for common fields, rejecting values that contain HTML or script delimiters.
  • CSRF Protection: Verified and refined CSRF settings. Enhanced the mergeCsrfExcept method for improved robustness. Added logic to refresh the CSRF token in the UI after AJAX operations so that a regenerated token does not invalidate later requests.
  • Improved Validation: Relaxed the seflink regex to allow natural characters while still forbidding dangerous ones. Added is_natural_no_zero and valid_email checks where they were missing.
  • Removed 'seunmatt/codeigniter-log-viewer' vendor dependency.
  • Implemented Modules\Logs\Libraries\LogViewer for better performance and CI4 integration.
  • Standardized log deletion with AJAX POST and SweetAlert2 confirmation.
  • Improved security by escaping log content and removing external vendor code.
  • Updated Logs controller and views to follow internal architecture patterns.

Added

  • Framework Configurations: Added WorkerMode.php and Hostnames.php to support high-performance environments (e.g., Swoole, FrankenPHP).
  • Migration Safeguards: Implemented $lock feature in app/Config/Migrations.php to prevent concurrent migration execution conflicts.
  • Dynamic Sidebar: Implemented auto-configuration for sidebar menus and icons, populated directly from module Config parameters.
  • Shared Logic: Introduced CommonBackendLibrary to centralize common backend operational logic across controllers.
  • Template Settings UI: Comprehensive user-friendly interface for:
    • Dynamically managing theme assets (CSS, JavaScript).
    • Injecting custom CSS and JavaScript code globally.
    • Configuring footer content, including copyright and navigation links.
    • Selecting and previewing Google Fonts.
    • Toggling general display features (breadcrumbs, back-to-top button, dark mode).
    • Controlling sidebar widgets visibility.
  • Version Checker: Implemented version checking mechanism to notify administrators of available application updates.
  • Development Tools: Added a custom module generator hook for streamlined backend module creation.
  • Dynamic Confirmation: Integrated SweetAlert2 for all delete operations across the dashboard.
  • Localization: Added new translation keys (areYouSure, youWillNotBeAbleToRecoverThis, ok, success, error) to all 11 supported languages:
    • Turkish (tr), English (en), Arabic (ar), German (de), Spanish (es), French (fr), Hindi (hi), Japanese (ja), Portuguese (pt), Russian (ru), Chinese (zh).
  • Project Hygiene: Added CONTRIBUTORS.md to .gitignore.

Changed

  • System Requirements: Upgraded minimum PHP requirement to 8.2 across composer.json, public/index.php, and spark to comply with CodeIgniter 4.7.1 standards.
  • Core Dependencies: Bumped codeigniter4/framework to 4.7.1, codeigniter4/shield to 1.3.0, codeigniter4/translations to 4.7.0, and claviska/simpleimage to 4.4.0.
  • Module Management: Refined moduleScan capabilities and introduced new interactive UI elements for better backend module oversight.
  • Auth System Overhaul: Refactored user and permission group management to fully leverage CodeIgniter Shield's capabilities. Removed legacy Backend/Models/UserModel.php in favour of Shield's built-in user entity.
  • Standardized API Responses: Unified response formats across backend Settings endpoints using ResponseTrait.
  • Cache Invalidation: Ensured proper sidebar menu cache invalidation upon permission page creation.
  • Asset Optimization: Migrated heavy frontend dependencies from node_modules to standalone vendor and plugins directories in be-assets and templates. Drastically reduced repository size (~147MB saved) by removing source maps, unminified files, and unused package logic.
  • Fileeditor Enhancements:
    • Implemented robust client-side alphabetical sorting (folders first, with Turkish locale character support).
    • Enhanced Monaco Editor integration with accurate language detection (PHP, JS, CSS, MD, ENV) and vs-dark theme optimization.
    • Cleaned up redundant logic and syntax issues in the file tree view.
  • AJAX Refactoring: Converted all "Delete" actions from GET routes to secure AJAX POST requests.
  • DataTables Improvements: Fixed dynamic element initialization (Bootstrap Switch) by moving logic to the DataTables drawCallback.
  • Module Consistency: Standardized variable names and status indicators across Blog and Pages modules.
  • Routes: Updated Routes.php in multiple modules to support POST method for sensitive actions.
  • Frontend: Updated ci4ms.js with improved global utilities and event handlers.
  • User Management: Configured user 'group' assignments in UserController to support multiple groups via Select2 array inputs. Refactored validation rules (group.*) and role synchronization logic (syncGroups) for user creation and updating. Enhanced user statistics counters to dynamically exclude superadmin accounts.
  • Template Views: Refined base.php, pages.php, post.php, and temp-settings.php for Shield compatibility and new settings UI.

Fixed

  • Tags Architecture: Fixed pivot table insertion logic in CommonTagsLibrary to ensure new tags are always correctly linked and persisted for blog posts.
  • Sidebar Navigation: Fixed the sidebar menu auto-open and active state logic (AdminLTE 3) to accurately reflect the user's current module.
  • Fileeditor Module: Fixed the path validation regex to correctly allow multi-level folder traversal (/ character).
  • PHP Logic: Fixed ternary operator precedence bugs that caused incorrect 'checked' states for status switches.
  • Database Search: Resolved a linting error in count() method calls in controllers.
  • View Cleanup: Deleted unused commentList.php and restructured comment management views.

Removed

  • Deleted 14 legacy authentication/authorization migration files replaced by Shield-compatible schemas.
  • Removed Backend/Models/UserModel.php (superseded by Shield's user management).

0.26.3.4 - 2025-09-27

Added

  • Delivered full translation packs for every module in Spanish, French, German, Chinese, Russian, Japanese, Arabic, Portuguese, and Hindi, including validation to preserve existing placeholders and HTML tokens.

0.26.3.3 - 2025-09-26

Added

  • Seed missing default permissions for file editor actions, the backend theme manager, and the WebP toggle during installation.

Changed

  • Build the settings cache once during filter bootstrap to eliminate redundant database lookups.
  • Move the WebP conversion toggle from the AJAX controller to the Settings controller so cache invalidation happens automatically after updates.
  • Normalize blog created_at values to the standard Y-m-d H:i:s format before persisting entries.
  • Use the correct language keys for blog category headings to resolve localization mismatches.

Fixed

  • Exclude matches that only appear inside HTML comments from frontend autocomplete suggestions and display category labels correctly.
  • Remove the unused backend test route and broaden the blog module CSRF exceptions to cover the required endpoints.

0.26.3.2 - 2025-09-25

Added

  • Automatically add the Logs module to the admin menu during installation so the log viewer is available from the first run.

Changed

  • Ship the .gitattributes file inside distribution packages so attribute rules accompany exported archives.

0.26.3.1 - 2025-09-19

Added

  • Started maintaining this changelog to track release highlights.

Changed

  • Marked documentation and auxiliary files with export-ignore so Composer dist packages stay lean.
  • Refreshed docs to cover the new module generator command, backend log viewer, and changelog access.

0.26.3.0 - 2025-09-19

Added

  • Integrated the CI Log Viewer package and exposed a dedicated backend module for reviewing application logs.
  • Captured per-action permission flags as structured JSON when creating or updating backend methods.

Changed

  • Refreshed backend method management forms, navigation buttons, and module awareness.
  • Loaded SweetAlert assets globally for backend pages and updated in-app documentation links to their GitHub sources.

Removed

  • Dropped the legacy module:create CLI command in favour of the composer-driven module generator dependency.

0.26.2.0 - 2025-09-17

Changed

  • Updated documentation links to reference the project root correctly.

0.26.1.0 - 2025-09-17

Added

  • Published the initial developer documentation set for CI4MS.

0.26.0.0 - 2025-09-17

Added

  • Expanded database migrations and introduced new supporting libraries.