SHA1 is not an ideal password hash, even when salted, because it is cheap to compute. Since version 5.5 PHP offers bcrypt built in, which is a more expensive and secure hash function specifically suited for passwords
The prior code stored encrypted user data in the cookie that was then checked. This new approach is cleaner, as it only stores a token, and it does not use problematic crypto functions deprecated in PHP 7.2
To prevent situations like in
https://board.s9y.org/viewtopic.php?f=10&t=21591
where the following files were modified by FTP text transfer type but
not handled as such in serendipity_FTPChecksum()
bundled-libs/katzgrau/klogger/phpunit.xml
bundled-libs/simplepie/simplepie.inc
templates/2k11/admin/font/fontello.svg
templates/next/font/fontello.svg
All these *are* text files.
Maybe simplepie.inc should rather be renamed to simplepie.inc.php as well.
All messages and errors were appended to $msg
and $errormsg, respectively, creating one long
unformatted string - mostly unreadable.
So we make $msg and $errormsg arrays instead
and iterate over those arrays in the template,
displaying each message separately.
Fixes#525.
Signed-off-by: Thomas Hochstein <thh@inter.net>
Initial motivation for this rework was to add support for the responsive thumbnnails (#474). But it also is a re-implementation instead of an enahncement of the existing code because the moveMediaDirectory function had grown into a mess. It was very hard to debug possible renaming bugs, like https://board.s9y.org/viewtopic.php?f=3&t=21185. This approach uses several small functions instead that can be combined and re-used.
The freetags plugin sets this->displaytag in the frontend_fetchentries hook, and only sets clean_page if it sees that variable in the entry_display hook. The result is that wrong entries are shown on tag pages. Adding the smartyvars allows caching the correct $entries the plugin would have returned, working around that limitation without simulatign the frontend_fetchentries hook.
fetchEntries is heaviliy realient on glboal state variables, and that was missed initially. The last commit c8bbb35aacee7af8527820f3d3d5fd47d1dbf340 fixed that partially, but did not catch all global state variables. Additionally, this fixed the clean_page mode as used by staticpage by adding the logic and event hook to printEntriesCached
Refer users to the code primer on docs.s9y.org
and serendipity_config.inc.php for a list of
special variables and their defaults.
Fixes#469.
Signed-off-by: Thomas Hochstein <thh@inter.net>
See #488 for the discussion.
Merge `dashboardLimit` and `dashboardDraftLimit`
to `dashboardEntriesLimit`
Signed-off-by: Thomas Hochstein <thh@inter.net>
Partially revert 7a0a9e215600284eb5aeea201d79563368f4c45b
serendipity_specialchars() and others were made to
return "" when fed something that is not a string.
So boolean values (1 or TRUE) will be returned as "",
i.e. FALSE, breaking the blog in interesting ways
(i.e. displaying wrong configuration values and
saving them to the database).
Closes#476.
Signed-off-by: Thomas Hochstein <thh@inter.net>
