A new version of Gesbit has been released. It is a security update, so updating your Gesbit installation is highly recommended.
Some of the changes:
- Fixed the "option /e" issue.
- PHP mailer updated to a newer version.
- Control panel uses <select> for boolean values (yes/no) instead of a text input.
You can download it from the downloading page.
Finally, I have checked that the changes I made to remove the /e option are working. They needed some changes because I made a few mistakes applying the fixes.
Also, I've fixed some bugs in the gbSimple theme. Now it renders the link to comments correctly. It also has more style rules for more tags, such as <code>, for example.
Does this mean that version 2.1.0 will be released soon? I hope so, but I can't give a date. I also need to revise a few more things.
Now, I'm dealing with the control panel. You see, some option values are boolean (that is, yes or no). Currently this is managed by a text input field where you have to write 1 or 0 depending on whether you want to activate or deactivate that option. Really ugly and confusing. What happens if you put 2, or 134? Actually, an error message appears.
I'm replacing all those fields with selection lists with Yes or No values, which are less confusing and also avoid configuration errors. I would use checkboxes, but that would require changing the current validation code.
Maybe I should tell you that the preg_replace /e option issue is on the way to being fixed.
What's the /e option issue?
It is fully explained on this page, but basically the /e option is added at the end of the regular expression to tell the preg_replace function that it must call a function on every result of the search.
The problem appears when it is used to format or validate data sent by the user to be displayed on a page. In that case it can be used to inject PHP code. A fast fix is to substitute preg_replace_callback for it. Another fix is to use other algorithms or code to do the work.
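As an added illustration (not Gesbit's own code), here is a typical /e usage next to the preg_replace_callback replacement the "fast fix" refers to. The function names and the [b]...[/b] tag syntax are assumptions; the sample input is constructed.

```php
<?php
// Task: turn a user-supplied [b]text[/b] tag into <strong>TEXT</strong>.
// Function names and tag syntax are assumed for this example; this is not Gesbit code.

// BEFORE: with /e, preg_replace substitutes the backreference ($1) into the
// replacement string and then eval()s that string as PHP for every match.
// The captured user text therefore ends up inside PHP source, and anything PHP
// would interpret inside a double-quoted string literal is interpreted here too.
// PHP 5.5 deprecated /e and PHP 7.0 removed it, so this function is kept only
// for comparison and is never called below.
function format_bold_unsafe(string $html): string
{
    return preg_replace(
        '/\[b\](.*?)\[\/b\]/e',
        '"<strong>" . strtoupper("$1") . "</strong>"',
        $html
    );
}

// AFTER: preg_replace_callback hands the match array to a real PHP function.
// The captured text is an ordinary string argument and is never parsed as code.
function format_bold_safe(string $html): string
{
    return preg_replace_callback(
        '/\[b\](.*?)\[\/b\]/',
        function (array $m): string {
            return '<strong>' . strtoupper($m[1]) . '</strong>';
        },
        $html
    );
}

// Constructed sample input, as a commenter might submit it.
$samples = [
    'hello [b]world[/b]',
    'two tags: [b]first[/b] and [b]second[/b]',
];
foreach ($samples as $s) {
    echo format_bold_safe($s), "\n";
}
```

The same mechanical change applies to the other /e uses the post mentions: keep the pattern (minus the /e), and move whatever the replacement string computed into the callback body.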
What I'm doing to fix it
I'm doing a simple update to the Gesbit core to fix it. In some cases I've updated some third-party libraries that fix this issue by themselves. In other cases I've modified several core lines. In these last cases I'm applying the "fast fix" I talked about previously.
I haven't tested all of them, so maybe they don't work properly at the moment. If you find any issue, please tell me.
As promised, I've just uploaded version 2.0.1.
Changes are described in the previous post, and are mostly aesthetic.
You can download it from the downloading page.