February 2018 Archives

On February the 20th, Six Apart made available Movable Type v6.3.7.

This release includes security fixes as well as new and improved functions.

SECURITY PATCHES

  • Changed to verify blog_id strictly when creating and saving objects.
  • Changed to verify user permission strictly for objects that have an alias name.
  • Prevent system permission record change on saving display options.
  • Prevent cross site scripting.
  • Prevent displaying search results for assets without proper permissions.
  • Prevent saving display options for a list without proper permissions.
  • Changed to verify blog_id strictly for each request.

NEW AND IMPROVED FUNCTIONS

SEARCH

  • mt-search.cgi now supports an AND operator for categories, using the following notation: [category:"Foo AND Bar"]

CONTENT SYNC

  • Name of content sync settings is now logged.

NEW CALLBACK FUNCTIONS

cms_class_param_filter.$TYPE

Starting with this version, Movable Type by default refuses to update the class value of an object from external input, for security reasons.

This constraint applies to every MT::Object saved via the MT::CMS::Common::save method. If you want to lift this constraint for objects added by your plugin, you need to implement the cms_class_param_filter.$TYPE callback, where $TYPE is the object type given by the '_type' parameter.

When the callback returns 1, Movable Type allows the 'class' parameter.

CALLBACK PARAMETER

$cb, $app

EXAMPLES

By Method:

sub cms_class_param_filter {
    my ( $cb, $app ) = @_;    # the MT::Callback object and the MT::App instance
    return 1;                 # 1 allows the 'class' parameter for this request
}

By config.yaml:

applications:
    cms:
        callbacks:
            cms_class_param_filter.category: >
                sub {
                    return 1;
                }
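
The two examples above allow the 'class' parameter unconditionally. The following is an added example, not Six Apart's code, of a plugin-side callback that keeps the default denial in place and opens it only for a whitelisted set of class values and only for system administrators. The object type 'my_item', the package name MyPlugin::Callbacks and the class values are hypothetical; $app->user, $app->param and MT::Author::is_superuser are assumed to be available as in current Movable Type, and the $PluginID::Package::sub notation in the registration comment is assumed to be the usual way of referencing a handler from config.yaml.

```perl
# Registration in the plugin's config.yaml, following the page's own form
# (assumed handler-reference notation):
#
#   applications:
#       cms:
#           callbacks:
#               cms_class_param_filter.my_item: $MyPlugin::MyPlugin::Callbacks::cms_class_param_filter

package MyPlugin::Callbacks;    # hypothetical plugin namespace
use strict;
use warnings;

# Constructed whitelist of class values this plugin's object may take.
my %ALLOWED_CLASS = map { $_ => 1 } qw( my_item my_item_archived );

sub cms_class_param_filter {
    my ( $cb, $app ) = @_;

    # Deny by default: with no authenticated user there is nothing to decide.
    my $user = $app->user or return 0;

    # Only system administrators may change an object's class.
    return 0 unless $user->is_superuser;

    # Even then, accept only the values we expect, so an unexpected class
    # never reaches MT::CMS::Common::save.
    my $class = $app->param('class');
    return 0 unless defined $class && $ALLOWED_CLASS{$class};

    return 1;    # allow the 'class' parameter for this request
}

1;
```

Because the callback result takes precedence whenever DefaultClassParamFilter is 'all' or 'moderate', this handler decides the outcome for 'my_item' under either setting; every other object type keeps the built-in behaviour.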

NEW CONFIGURATION DIRECTIVES

XXSSProtection

If specified, Movable Type sends that value as the X-XSS-Protection response header. The directive has no default value.

EXAMPLE

XXSSProtection 1; mode=block

DefaultClassParamFilter (all | moderate | none)

As mentioned above, Movable Type does not accept the 'class' parameter by default; with this configuration directive you specify the scope of objects to which the check applies.

If a value other than 'none' is specified, the result of the cms_class_param_filter.$TYPE callback takes precedence (a callback result of 1 allows the 'class' parameter).

The default value is 'all'.

POSSIBLE VALUES

  • all: the 'class' parameter is not accepted for any MT::Object.
  • moderate: the 'class' parameter is not accepted for objects provided by Movable Type itself.
  • none: no check is performed.

MISCELLANEOUS

The edit asset screen now supports copying the permalink and viewing the asset with one click.

MT News now opens in a new tab.

UPDATED FUNCTIONS

FOR DEVELOPERS

The MT::App::permissions subroutine now returns undef when the current user does not have proper permissions for the requested blog/website.

The following code may therefore result in an error:

if ( $app->permissions->can_xxxxxx ) {    # dies when permissions() returns undef
    # ...
}

That code should be:

my $perms = $app->permissions;            # may be undef from this version on
if ( $perms && $perms->can_xxxxxx ) {     # guard before calling a method on it
    # ...
}
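
To make the failure mode concrete, here is an added, self-contained example (not part of the release note and not Movable Type code) that reproduces the two patterns against constructed stand-ins for MT::App and MT::Permission. FakeApp, FakePerms and the can_edit_entries accessor are constructed for the demonstration; the real classes are not loaded.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for MT::App: permissions() returns undef when the
# current user has no permission record for the requested blog, mirroring
# the 6.3.7 behaviour described in the note.
package FakeApp;
sub new         { my ( $class, %args ) = @_; return bless {%args}, $class }
sub permissions { return $_[0]->{perms} }

# Constructed stand-in for MT::Permission with a single can_* accessor.
package FakePerms;
sub new              { my ( $class, $ok ) = @_; return bless { ok => $ok }, $class }
sub can_edit_entries { return $_[0]->{ok} }

package main;

# Unsafe pattern from the note: dereferences the return value without
# checking it, so Perl dies with "Can't call method ... on an undefined
# value" as soon as permissions() returns undef.
sub unsafe_check {
    my ($app) = @_;
    return $app->permissions->can_edit_entries ? 1 : 0;
}

# Safe pattern: treat a missing permission record as "denied".
sub safe_check {
    my ($app) = @_;
    my $perms = $app->permissions;
    return ( $perms && $perms->can_edit_entries ) ? 1 : 0;
}

my $no_association = FakeApp->new( perms => undef );
my $editor         = FakeApp->new( perms => FakePerms->new(1) );

eval { unsafe_check($no_association) };
print "unsafe_check died: $@" if $@;

printf "safe_check, no association: %d\n", safe_check($no_association);
printf "safe_check, editor:         %d\n", safe_check($editor);
```

The point of the guard is that a missing permission record is now a normal, expected return value rather than an exception: code that falls back to "denied" keeps working, while code that assumes an object is always returned turns a permission check into a server error.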

Also, the MT::CMS::Common::save subroutine now disallows a 'class' input value if the entity class (e.g. Entry, Category) has a 'class_type' attribute; an error occurs if the request contains a 'class' input value. Use your own save method if you need to accept a 'class' input value.

MOVABLE TYPE FOR AWS / MOVABLE TYPE ADVANCED FOR AWS

  • The initial user email address and the system email address are now optional, in accordance with AWS Marketplace regulations. However, Movable Type still uses the system email address setting for sending email. If you want Movable Type to send email, configure the system email address in the system preferences; you can also enter it during the initial setup process.

ASSET

  • Edit asset screen now displays user display name instead of user name.

MISCELLANEOUS

  • Display options for the edit entry screen are no longer saved when a system administrator has no association with the blog or website.

RESOLVED ISSUES

ASSET

  • The screen now moves to the asset listing screen when an upload finishes, if EnableUploadCompat is enabled and the current user has proper permissions.
  • Asset editing now works when clicking 'edit' link after upload.
  • Asset chooser for user picture now works.
  • Asset list for user picture now lists current user's asset.

SMARTPHONE OPTION

  • The old asset upload screen is no longer shown when the site is accessed from a PC after it was accessed from a smartphone, when running in a PSGI environment.

DYNAMIC PUBLISHING

  • MTWidgetSet/MTWidgetManager with parent="1" now works.
  • MTAssetURL now uses support directory path instead of mt-static path.
  • Sort results of MTSubCategories/MTSubFolders are now the same as static publishing.
  • MTPageNext/MTPagePrevious with by_folder now works.
  • Database connection is now closed explicitly at the end of request.
  • MT->display() function now works when called directly.
  • MTEntries with tag modifier now works when using NOT operator.

TEMPLATE

  • Included widget templates now display modules when module is called by identifier modifier.

TEMPLATE TAGS

  • MTIf with ne modifier now works when variable is not defined.
  • MTEntryAssets/MTPageAssets with lastn modifier now works as last 'n' days.
  • Resolved self-reference error within MTIncludeBlock.
  • MTMultiBlog with mode="context" now works when specified with include_with_website="1".
  • MTBuildTemplate outputs correct template id when previewing template.

USER

  • Username now accepts '0' as a value.

ROLE AND PERMISSION

  • Resolved an issue where "Website administrator" permissions are removed from roles when saving roles containing "Manage Member Blogs".

MISCELLANEOUS

  • Site Selector now displays accessible websites and blogs only.
  • mt-check.cgi now works on newer versions of Perl.
  • Fixed a typo.
  • Improved the judgement logic of is_url.
  • Install wizard now works when the support directory is not writable.
  • Improved the parameters of the reset_password subroutine.
  • Removed debug code.
  • Memcached keys are now validated.

Please try Movable Type v6.3.7 from:

https://www.movabletypedemo.org/v6x/cgi-bin/mt/mt.cgi

And login using:

- u: demo

- p: testthis

Enjoy,
Mihai

Support

If this initiative is useful for you, please consider making a paypal donation or getting your movable type project done with PRO IT Service.

We're the right people for movable type consultancy services including: installations, upgrades, themes, templates, consulting, troubleshooting as well as hosting.

The complete range of movable type services you might be looking for!

Services

We would love to work on any movable type jobs you might have! To find out more about the movable type services we're offering click here.

You may like to know that we're offering a broad range of web development services as well as professional website hosting service in partnership with Pair Networks, Inc. from Pittsburgh, PA, USA.

Check out everything we're proudly doing by visiting https://www.pro-it-service.com/


Disclaimer

This is a personal website and doesn't have anything to do with Six Apart; nevertheless, Chris Alden, the former Six Apart CEO, appreciated my idea when he saw it available online.