AjaXplorer 3.2

This is a major and stable release that substantially raises the security level, thanks to the tests, reports and help of Michael Von Dach at DreamLab Technologies AG. We fixed many of the most common weaknesses of a web application (XSS, CSRF, etc.). Thus, UPGRADE IS RECOMMENDED for every user, even if it is tedious for people who have heavily customized their distribution. For “standard” users it should not be problematic; see the upgrade instructions below.

A lot of other bugs were also fixed in the core and in the plugins, mostly bugs reported in the forum: see the complete list in the release note.

Changes Log

[Security]

  • Sanitize inputs wherever possible and necessary. Do not display the file and line in error messages unless in Debug Mode.
  • Implement password strength and password length checks wherever necessary.
  • Use a secure token against CSRF. Massive changes.
  • Protect against brute-force attacks with a Captcha instead of locking the user account (account locking can be abused for denial of service).
  • Detect HTTPS usage and set the cookie secure flag accordingly. Do not store user preferences in a cookie, this is useless.
  • Set the session cookie HttpOnly flag.
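As an added example (not AjaXplorer's own code), here is the HTTPS detection, cookie-flag setup and secure-token check described above, written in plain PHP; the function names and the `secure_token` field are assumptions, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not AjaXplorer code: cookie hardening and a CSRF token
// as described in the 3.2 security notes. Names here are assumptions.

// Detect whether the request arrived over HTTPS. The X-Forwarded-Proto
// header is only honoured when a trusted TLS-terminating proxy is in front.
function request_is_https(array $server, bool $trustProxy = false): bool {
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return $trustProxy
        && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Session cookie flags: HttpOnly always, Secure only when served over HTTPS
// (a Secure cookie would never be sent back on a plain-HTTP deployment).
// Must be called before session_start().
function configure_session_cookie(array $server, bool $trustProxy = false): array {
    $params = [
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => request_is_https($server, $trustProxy),
        'httponly' => true,
        'samesite' => 'Lax',
    ];
    session_set_cookie_params($params);
    return $params;
}

// One random token per session; every state-changing action must echo it
// back (as a POST field or request parameter) so a cross-site page cannot
// forge the request without reading the token first.
function get_secure_token(array &$session): string {
    if (empty($session['secure_token'])) {
        $session['secure_token'] = bin2hex(random_bytes(32));
    }
    return $session['secure_token'];
}

// Constant-time comparison so the check does not leak the token byte by byte.
function check_secure_token(array $session, array $request): bool {
    if (empty($session['secure_token']) || empty($request['secure_token'])) {
        return false;
    }
    return hash_equals($session['secure_token'], (string) $request['secure_token']);
}
```

A missing or mismatched token should abort the action before any side effect, and the token must never be placed in a URL that can end up in logs or Referer headers.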

[Core Bugs]

  • Fix crossRepositoryCopy when no users are enabled (shutdown_function does not seem to save the session properly…)
  • Fix ZIP default actions
  • Remove the systematic “root listing” that was called BEFORE the repository switch.
  • Fix “Remember me”, which was broken
  • Fix various GUI loading issues: there is no need to manually call fireContextRefresh() after ajxp is loaded if the TreeView is not present (gui.mobile and widget_sample were updated accordingly). Also, do not send the context_changed event when the node did not actually change: fewer calls to the server for saving ls_history.
  • Some PHP versions seem to have problems with parse_url and UTF-8, so call UTF-8 decoding after getting the “realFSReference”
  • In Settings: do not create “Shared Elements” from the GUI / Do not display Meta Sources edition for read-only repositories

[Gui]

  • Do not set padding in percentage for IE
  • Make sure that IE submits the form on “ENTER”
  • Small touches of CSS3; added the Modernizr library.
  • Call destroy() on protomenu to avoid the multiplication of unused divs in the HTML.
  • Line-height adjustments here and there for cross-browser homogenisation.
  • Fix the old lightbox being too high / Fix IE login box display bug.

[Plugins]

  • All textual editors: fix the \n problem in JS alerts; add the jsp extension to the codepress and text editors
  • editor.ckeditor: bind to the proper CKEditor events instead of listening for modifications in a loop…
  • conf.sql: Shared Elements were not properly implemented when using the CONF.SQL driver.
  • conf.sql: fixed a performance issue when there is a huge number of users in the database. Pagination of the users listing still needs to be implemented.
  • auth.remote: add a checkPassword parameter to the “login” action
  • meta.exif: UTF-8 encode EXIF values
  • meta.exif: do not depend on access.fs
  • meta.exif: fix colspan display bug in the longitude cell
  • access.ssh: has drifted too far from the trunk and is no longer supported as of 3.2
  • meta.svn: fix svn download (the case where no size is retrieved / download inside an iframe).
  • meta.svn: use the PHP_EOL constant instead of a literal \r\n

File Changes since AjaXplorer 3.1.1

Massive changes, as the security changes impacted every part of the code.

>> svn diff -r 1791:1846 --summarize

