
Releases: trongate/trongate-framework

SECURITY PATCH AND OTHER TWEAKS! Severity: "Bad but not catastrophic"

02 Dec 15:24

This update introduces a range of tweaks and corrections - two of which are important.

THE IMPORTANT TWEAKS THAT YOU NEED TO KNOW ABOUT:

  1. There is a method (function) on Core.php by the name of draw_error_page(). This function was lacking a die(); statement. Not having a die() statement on draw_error_page() means that it would have been possible to have PHP code continuing to run, even after an error page had been displayed. The die() statement has now been added.

  2. On the Trongate_tokens module there was a method called clean(). This method deletes everything from Trongate tokens, then finishes with an echo "cleaned"; statement. The method does not get called anywhere and it's actually a leftover from a very late night coding session. So, I have removed this. I apologise.

The two errors (which have now been fixed) are classed as "Bad but not catastrophic".

I have investigated some worst case scenarios, with the help of Simon and Jake. Our findings are that somebody who knew what they were doing would be able to add records into the Trongate users table. This is alarming. However, since Trongate authentication and authorisation depends on a network of at least two other database tables (all with appropriate keys) being linked together and since trongate_users has no password column, it means that any malicious database insertion into that table would be benign.

I remind you that Trongate uses PDO from top to bottom which makes SQL injection virtually impossible (I have to say 'virtually' in case there is some hypothetically undiscovered method that I'm not aware of). So, as bad as this error was, it's not catastrophic.

With the second error, the ultimate worst case scenario would be that somebody who knew what they were doing could continually log users out by clearing the tokens table. Again, this is a bad error, however, since it does not expose any credentials and since it does not allow admin rights, it also has to be classed as 'bad but not catastrophic'.
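As an added illustration of the first fix (example code, not the framework's own Core.php; the function and controller names are assumed), a cut-down error-page renderer with and without die(), showing that without it a guard that draws an error page fails open and the statements after it still run:

```php
<?php
// Added example, not Trongate's Core.php. Demonstrates why an error-page
// renderer must end the request: without die()/exit, execution continues
// in the caller after the error page has already been sent.

function draw_error_page_unsafe(string $message): void {
    echo "<h1>Error</h1><p>" . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "</p>\n";
    // No die() here: the caller's remaining statements still execute.
}

function draw_error_page_fixed(string $message): void {
    echo "<h1>Error</h1><p>" . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "</p>\n";
    die(); // terminate the request so nothing after the error page runs
}

// Hypothetical controller action: an authorisation guard that draws an
// error page, followed by a sensitive operation that should only be
// reachable when the guard passes.
function create_record(bool $authorised, callable $draw_error_page): string {
    if (!$authorised) {
        $draw_error_page('Not authorised');
    }
    // With the unsafe renderer this is reached even when $authorised is false.
    return 'record inserted';
}

// Unauthorised request against the unsafe renderer: the error page is
// drawn, yet the "insert" still happens.
$outcome = create_record(false, 'draw_error_page_unsafe');
echo "unsafe renderer: " . $outcome . "\n";

// Same request against the fixed renderer: the script ends inside
// draw_error_page_fixed(), so the final echo is never reached.
create_record(false, 'draw_error_page_fixed');
echo "this line is never printed\n";
```

Run it with php from the command line to see the first echo appear and the last one not.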

Many thanks to Jake Castelli and Simon Field for identifying these bugs and for helping in coming up with solutions along with a "worst case scenario" assessment.

OTHER TWEAKS

There are a few other tweaks that have been carried out. We have a pull request from Tim Lalev who successfully identified something that wasn't being called. Thank you, Tim.

There's also an '=null' declaration on Trongate tokens that was not required. That has gone.

Finally, Jake identified an unused view file on the Comments module.

RECOMMENDATIONS

  1. Make sure your Trongate engine is updated to v1.3.3018 or higher.
  2. Manually replace your Trongate_tokens module with the latest version (available from GitHub at: https://github.com/davidjconnelly/trongate-framework)

THANK YOU TROOPS, FOR YOUR EXCELLENT WORK AND FOR HELPING TO KEEP THE TRONGATE FRAMEWORK SAFE!!!

Introducing Trongate CSS

29 Nov 19:02

This update adds Trongate CSS to the public/css folder. There's also a small correction to our form helper.

For a full tutorial on how to use Trongate CSS please visit: https://youtu.be/2k-8lvHOLHE

Enjoy!

Intellisense Update

19 Nov 09:12

This update - carried out by Jake Castelli and Simon Field - enables intellisense in VSCode and partially in Sublime. The form_helper helper class now has two methods that have been renamed as follows: (1) the checked() method has been renamed to form_checkbox(). (2) radio() has now been renamed to form_radio().

There has also been some general cleaning up of the code. Many thanks to Jake and Simon for this outstanding work!

We Love Jake

15 Oct 12:27

This release fixes a few bugs in the framework. The fixes are as follows:

  1. module assets can now have unlimited sub folders.

  2. image uploading with PNG no longer produces black background.

  3. pagination fix (thanks to Jake for this one!)

New File Uploader Validation Rules

10 Aug 05:27

Version 1.3.3009 introduces three new validation rules to the Trongate file uploader class. These are:

  1. min_width[]
  2. min_height[]
  3. square

We already have max_width[] and max_height[]. The min rules are the same idea, except that they enforce the picture being AT LEAST 'x' pixels in width or height. You write the pixel value inside the square brackets.

The 'square' validation is for scenarios where you insist that the picture being uploaded is square shaped - in other words, where you'd like the picture's width and height to be the same.

For those using the Trongate Desktop App, below is an example of picture settings with the three new kinds of validation applied:

    function _init_picture_settings() {
        $picture_settings['targetModule'] = 'store_items';
        $picture_settings['maxFileSize'] = 2000;
        $picture_settings['maxWidth'] = 1200;
        $picture_settings['maxHeight'] = 1200;
        $picture_settings['resizedMaxWidth'] = 450;
        $picture_settings['resizedMaxHeight'] = 450;
        $picture_settings['destination'] = 'store_items_pics';
        $picture_settings['targetColumnName'] = 'picture';
        $picture_settings['thumbnailDir'] = 'store_items_pics_thumbnails';
        $picture_settings['thumbnailMaxWidth'] = 120;
        $picture_settings['thumbnailMaxHeight'] = 120;

        // The three new rules: minimum dimensions in pixels, and a
        // requirement that width and height are equal.
        $picture_settings['minWidth'] = 450;
        $picture_settings['minHeight'] = 450;
        $picture_settings['square'] = true;
        return $picture_settings;
    }

This example forces the picture to be square shaped (notice the 'square' value is set to true) and it also enforces a min width and height of 450 pixels.

If you are not using the code generator then you can invoke the new picture tests as validation rules like so:

    $validation_str = 'allowed_types[gif,jpg,jpeg,png]|min_width[450]|min_height[450]|square';
    $this->validation_helper->set_rules('picture', 'item picture', $validation_str);

In the example above, we are enforcing min width and height of 450px and by adding 'square' we are also enforcing that the picture is a square. So, if somebody uploaded a picture of 700px x 700px then this would pass the validation checks.
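An added stand-alone checker for the three new dimension rules, driven by the same rule string as above (example code, not Trongate's validation_helper; the function names are assumed and the sample dimensions are constructed). It only evaluates the dimension rules; allowed_types is parsed but ignored here:

```php
<?php
// Added example, not Trongate's own validation_helper. Parses the
// pipe-separated rule string and checks min_width[], min_height[] and
// square against a picture's dimensions. Dimensions are passed in directly
// so it runs without a real upload; in a real handler take them from
// getimagesize() on the uploaded file, never from anything the client sends.

function parse_rules(string $rules): array {
    $parsed = [];
    foreach (explode('|', $rules) as $rule) {
        // name, optionally followed by a bracketed argument, e.g. min_width[450]
        if (preg_match('/^([a-z_]+)(?:\[(.*)\])?$/', trim($rule), $m)) {
            $parsed[$m[1]] = $m[2] ?? null; // 'square' has no argument
        }
    }
    return $parsed;
}

// Returns a list of error messages; an empty list means the picture passed.
function check_picture_dimensions(int $width, int $height, string $rules, string $label = 'item picture'): array {
    $errors = [];
    $parsed = parse_rules($rules);
    if (isset($parsed['min_width']) && $width < (int) $parsed['min_width']) {
        $errors[] = "The $label must be at least {$parsed['min_width']} pixels wide.";
    }
    if (isset($parsed['min_height']) && $height < (int) $parsed['min_height']) {
        $errors[] = "The $label must be at least {$parsed['min_height']} pixels high.";
    }
    // array_key_exists rather than isset: the rule is present with a null argument
    if (array_key_exists('square', $parsed) && $width !== $height) {
        $errors[] = "The $label must be square (width and height equal).";
    }
    return $errors;
}

$rules = 'allowed_types[gif,jpg,jpeg,png]|min_width[450]|min_height[450]|square';
// Constructed samples: the 700x700 case from the text, one just under the
// minimum height, and one that is large enough but not square.
$samples = [[700, 700], [450, 449], [500, 600]];
foreach ($samples as [$w, $h]) {
    $errors = check_picture_dimensions($w, $h, $rules);
    echo "{$w}x{$h}: " . ($errors ? implode(' ', $errors) : 'passes') . "\n";
}
```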

Version 1.3.3009 also fixes a potential glitch to do with custom routing.

RELAX - THIS UPDATE IS NON CODE BREAKING.

Improved 'find view file'

14 Jul 22:46

Previously, Trongate sometimes ran into problems finding view files on virtual servers. The 'Find view file' feature has now been improved, making the framework perform well on virtual hosts, 'localhost' URLs and live servers.

Pagination Upgrade

02 Jul 11:48

This upgrade allows the desktop app to generate PHP heavy / JS light versions of the modules.

Form validation correction

22 Jun 09:07

Previously, 'matches' and 'differs' (form validation checks) were producing validation errors that referenced keys instead of labels. For example, 'The repeat password field does not match the pword field'. This has now been fixed, leaving us with more meaningful validation errors along the lines of, 'The repeat password field does not match the password field.'

Perfect sub modules ahoy!

20 Jun 18:41

This update involves a simple tweak to the validation helper. However, with this tweak it would appear that sub modules can now work (including validation callbacks) WITHOUT making __construct or __destruct declarations from within sub modules.

Added vendor asset manager

08 May 18:09

This feature allows Trongate to quickly and easily load files that have been acquired from Packagist.org. A full explanation of this feature can be found at https://www.youtube.com/watch?v=oVSDrG4ibrI