forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Joachim Müller on April 20, 2005, 09:31:09 am

Title: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 20, 2005, 09:31:09 am
The coppermine team has released a maintenance version of coppermine v1.3: cpg1.3.3 is the most recent stable version that is strongly recommended to be used. We originally planned to release cpg1.4.x pretty soon, but we were forced to publish the maintenance release first, because possible security issues that relate to cpg1.3.0, cpg1.3.1 and cpg1.3.2 have been discovered:

Coppermine 1.3.3 fixes other minor issues as well - as usual, it's the best coppermine version we could think of - it's recommended to use in production environments.

There are instructions included in the package (in the docs folder) how to upgrade existing installs as well as fresh install instructions - please read the documentation carefully.

Download cpg1.3.3 (http://prdownloads.sourceforge.net/coppermine/cpg1.3.3.zip?download)

Joachim
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Nibbler on April 20, 2005, 07:54:07 pm
For those wishing to fix the XSS security issue without making a full update, here is the change that is required:

file: include/init.inc.php

find:

Code:
// Record User's IP address
$raw_ip = stripslashes($HTTP_SERVER_VARS['REMOTE_ADDR']);

if (isset($HTTP_SERVER_VARS['HTTP_CLIENT_IP'])) {
    $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_CLIENT_IP']);
} else {
    if (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'])) {
        $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']);
    } else {
        $hdr_ip = $raw_ip;
    }
}

and add after it, the following 2 new lines:

Code:
if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $raw_ip)) $raw_ip = '0.0.0.0';
if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $hdr_ip)) $hdr_ip = '0.0.0.0';


Please note that a full update is preferable where possible as other issues are also addressed in this update.

Thank you.
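
The two-line fix above matters because HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers chosen by the client, so anything that is not an address has to be discarded before the value is stored or displayed. The following is an added example, not part of the original post and not Coppermine code (the cpg_example_* names and the sample requests are constructed). It goes slightly beyond the patch: filter_var also rejects out-of-range octets, accepts IPv6 and handles a comma-separated X-Forwarded-For list, and the output is escaped as a second layer.

```php
<?php
// Added example, not Coppermine code. The cpg_example_* names are hypothetical.

// Return the value only if it is a syntactically valid IPv4/IPv6 address;
// otherwise fall back to the same '0.0.0.0' placeholder the patch uses.
function cpg_example_clean_ip($candidate)
{
    if (!is_string($candidate)) {
        return '0.0.0.0';
    }
    // X-Forwarded-For may hold "client, proxy1, proxy2": keep the first entry.
    $parts = explode(',', $candidate);
    $first = trim($parts[0]);
    return filter_var($first, FILTER_VALIDATE_IP) !== false ? $first : '0.0.0.0';
}

// Same lookup order as the init.inc.php snippet above:
// Client-IP header, then X-Forwarded-For, then REMOTE_ADDR.
function cpg_example_client_ips(array $server)
{
    $raw_ip = cpg_example_clean_ip(isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : null);
    if (isset($server['HTTP_CLIENT_IP'])) {
        $hdr_ip = cpg_example_clean_ip($server['HTTP_CLIENT_IP']);
    } elseif (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $hdr_ip = cpg_example_clean_ip($server['HTTP_X_FORWARDED_FOR']);
    } else {
        $hdr_ip = $raw_ip;
    }
    return array($raw_ip, $hdr_ip);
}

// Constructed request environments (sample data, not captured traffic).
$samples = array(
    'plain request'     => array('REMOTE_ADDR' => '192.0.2.10'),
    'proxy chain'       => array('REMOTE_ADDR' => '192.0.2.10',
                                 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 192.0.2.1'),
    'markup in header'  => array('REMOTE_ADDR' => '192.0.2.10',
                                 'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>'),
    'out-of-range quad' => array('REMOTE_ADDR' => '192.0.2.10',
                                 'HTTP_CLIENT_IP' => '999.1.1.1'),
);

foreach ($samples as $label => $server) {
    list($raw_ip, $hdr_ip) = cpg_example_client_ips($server);
    // Escape at output as well, so a later change to validation cannot reintroduce markup.
    printf("%-18s raw=%s hdr=%s\n", $label,
        htmlspecialchars($raw_ip, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($hdr_ip, ENT_QUOTES, 'UTF-8'));
}
```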
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: flog on April 20, 2005, 08:42:36 pm
Thank you very much for this important message
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Titooy on April 20, 2005, 11:07:20 pm
Maybe you should change "Latest downloads ::." on the home page. It still points to cpg1.3.2
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: SaigonK on April 21, 2005, 03:54:32 am
What other fixes are there?
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: neodragon on April 21, 2005, 08:53:52 am
I think one user's gallery is not shown if there is no public album in it. (for a visitor of course)
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 21, 2005, 09:02:37 am
Quote
What other fixes are there?

Roughly: a lot of language files in the cpg1.3.2 contained errors that were fixed in cpg1.3.3; additionally, a vulnerability in the way favorites are handled has been fixed. There are too many fixes to mention them all - please refer to the changelog for exact data and to the postings in the "cpg1.3 testing / bugs (http://forum.coppermine-gallery.net/index.php?board=19.0)" board.

Quote
I think one user's gallery is not shown if there is no public album in it. (for a visitor of course)

This is expected behaviour.

Joachim
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: neodragon on April 21, 2005, 10:41:44 am
Quote
This is expected behaviour.

With 1.3.2, I had some users' galleries with no public album, that were shown for visitor.

But anyway, it's ok for me. I like this "new" (or not new that's the question  ;D) behavior.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: JTynes on April 21, 2005, 11:03:58 am
What is the best way to go about an upgrade? Can you simply FTP the new files and run install as before? How does this affect data and MySQL already established? I'd love to find a step by step guide on upgrading. Does one exist?
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 21, 2005, 11:11:18 am
inside the docs that come with the package, as suggested above ::):
Quote
There are instructions included in the package (in the docs folder) how to upgrade existing installs as well as fresh install instructions - please read the documentation carefully.

In fact: yes, you upload all new files to your webspace, overwriting the older coppermine files. Make sure to back up before doing so, as you might lose customizations (e.g. anycontent.php or bridging) and you will have to re-apply them after the update. Make sure to run update.php as well.

Joachim
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 21, 2005, 11:20:08 pm
split unrelated topic and moved it to proper board: http://forum.coppermine-gallery.net/index.php?topic=17195.0

@all: do not reply to this thread on particular issues you have with setting up coppermine. This is an announcement thread that is only meant for news to the fix itself (i.e. the security flaws that were fixed with the release). All other issues you may have with cpg1.3.3 should be addressed in the proper board: "CPG 1.3 Standalone Support (http://forum.coppermine-gallery.net/index.php?board=20.0)" and its sub-boards.

Joachim
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: cdrake on April 21, 2005, 11:27:30 pm
what files have been edited?
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Casper on April 21, 2005, 11:42:26 pm
Quote
There are too many fixes to mention them all - please refer to the changelog for exact data and to the postings in the "cpg1.3 testing / bugs (http://forum.coppermine-gallery.net/index.php?board=19.0)" board.

It would be much easier to just replace them all, unless you have loads of mods applied.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: cdrake on April 21, 2005, 11:51:47 pm
Quote
Unless you have loads of mods applied.

 :P :P :P I do
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 21, 2005, 11:57:45 pm
nearly all, that's why you're suggested to do a full update, not just replacement of 2 or 3 files.
This is a list of the file versions. Compare them to your file versions of your cpg1.3.2 install (the last column in versioncheck.php):
addfav.php 1.6
addpic.php 1.9
admin.php 1.6
albmgr.php 1.6
anycontent.php 1.6
banning.php 1.7
calendar.php 1.4
catmgr.php 1.7
config.php 1.13
db_ecard.php 1.5
db_input.php 1.9
delete.php 1.7
displayecard.php 1.6
displayimage.php 1.11
ecard.php 1.12
editOnePic.php 1.12
editpics.php 1.8
faq.php 1.4
forgot_passwd.php 1.6
getlang.php 1.6
groupmgr.php 1.7
image_processor.php 1.5
index.php 1.17
install.php 1.14
installer.css 1.4
login.php 1.6
logout.php 1.6
modifyalb.php 1.7
phpinfo.php 1.6
picEditor.php 1.4
profile.php 1.7
ratepic.php 1.6
register.php 1.11
reviewcom.php 1.6
search.php 1.6
searchnew.php 1.10
showthumb.php 1.6
thumbnails.php 1.6
update.php 1.9
upgrade-1.0-to-1.2.php 1.7
upload.php 1.14
usermgr.php 1.7
util.php 1.13
versioncheck.php 1.8
xp_publish.php 1.8
zipdownload.php 1.5
bridge/invisionboard.inc.php 1.9
bridge/phpbb.inc.php 1.11
bridge/punbb.inc.php 1.3
bridge/smf.inc.php 1.8
bridge/vbulletin.inc.php 1.7
bridge/vbulletin23.inc.php 1.7
bridge/vbulletin30.inc.php 1.8
bridge/vbulletin3gamma.inc.php 1.6
bridge/woltlab21.inc.php 1.7
bridge/yabbse.inc.php 1.9
include/archive.php 1.4
include/crop.inc.php 1.5
include/exif_php.inc.php 1.7
include/exifReader.inc.php 1.4
include/functions.inc.php 1.24
include/imageObjectGD.class.php 1.5
include/imageObjectIM.class.php 1.4
include/init.inc.php 1.15
include/iptc.inc.php 1.4
include/mailer.inc.php 1.6
include/media.functions.inc.php 1.4
include/picmgmt.inc.php 1.10
include/search.inc.php 1.6
include/select_lang.inc.php 1.7
include/slideshow.inc.php 1.9
include/smilies.inc.php 1.6
include/sql_parse.php 1.6
lang/arabic.php 1.11
lang/arabic-utf-8.php 1.12
lang/brazilian_portuguese.php 1.9
lang/brazilian_portuguese-utf-8.php 1.10
lang/bulgarian.php 1.6
lang/bulgarian-utf-8.php 1.8
lang/catalan.php 1.6
lang/catalan-utf-8.php 1.7
lang/chinese_big5.php 1.11
lang/chinese_big5-utf-8.php 1.12
lang/chinese_gb.php 1.11
lang/chinese_gb-utf-8.php 1.12
lang/croatian.php 1.9
lang/croatian-utf-8.php 1.10
lang/czech.php 1.10
lang/czech-utf-8.php 1.11
lang/danish.php 1.11
lang/danish-utf-8.php 1.11
lang/dutch.php 1.10
lang/dutch-utf-8.php 1.11
lang/english.php 1.18
lang/english-utf-8.php 1.13
lang/estonian.php 1.10
lang/estonian-utf-8.php 1.11
lang/finnish.php 1.7
lang/finnish-utf-8.php 1.8
lang/french.php 1.15
lang/french-utf-8.php 1.14
lang/german.php 1.13
lang/german-utf-8.php 1.13
lang/german_sie.php 1.4
lang/german_sie-utf-8.php 1.4
lang/greek.php 1.8
lang/greek-utf-8.php 1.9
lang/hebrew.php 1.9
lang/hebrew-utf-8.php 1.11
lang/hungarian.php 1.8
lang/hungarian-utf-8.php 1.9
lang/indonesian.php 1.7
lang/indonesian-utf-8.php 1.8
lang/italian.php 1.10
lang/italian-utf-8.php 1.11
lang/italian2.php 1.3
lang/italian2-utf-8.php 1.4
lang/japanese.php 1.9
lang/japanese-utf-8.php 1.10
lang/kurdish.php 1.2
lang/kurdish-utf-8.php 1.3
lang/latvian.php 1.10
lang/latvian-utf-8.php 1.12
lang/malay.php 1.3
lang/malay-utf-8.php 1.4
lang/norwegian.php 1.9
lang/norwegian-utf-8.php 1.10
lang/polish.php 1.6
lang/polish-utf-8.php 1.8
lang/romanian.php 1.7
lang/romanian-utf-8.php 1.8
lang/romanian_no_diacritics.php 1.2
lang/romanian_no_diacritics-utf-8.php 1.3
lang/russian.php 1.13
lang/russian-utf-8.php 1.14
lang/slovak.php 1.5
lang/slovak-utf-8.php 1.6
lang/slovenian.php 1.7
lang/slovenian-utf-8.php 1.8
lang/spanish.php 1.7
lang/spanish-utf-8.php 1.9
lang/swedish.php 1.9
lang/swedish-utf-8.php 1.10
lang/turkish.php 1.8
lang/turkish-utf-8.php 1.9
lang/uighur.php 1.3
lang/uighur-utf-8.php 1.4
lang/vietnamese.php 1.5
lang/vietnamese-utf-8.php 1.6
sql/basic.sql 1.8
sql/schema.sql 1.4
sql/update.sql 1.14
themes/classic/style.css 1.2
themes/classic/template.html 1.2
themes/classic/theme.php 1.8
themes/eyeball/style.css 1.3
themes/eyeball/template.html 1.5
themes/eyeball/theme.php 1.10
themes/fruity/style.css 1.3
themes/fruity/template.html 1.6
themes/fruity/theme.php 1.9
themes/hardwired/style.css 1.3
themes/hardwired/template.html 1.7
themes/hardwired/theme.php 1.12
themes/igames/style.css 1.3
themes/igames/template.html 1.6
themes/igames/theme.php 1.11
themes/mac_ox_x/style.css 1.3
themes/mac_ox_x/template.html 1.5
themes/mac_ox_x/theme.php 1.10
themes/project_vii/style.css 1.3
themes/project_vii/template.html 1.5
themes/project_vii/theme.php 1.10
themes/rainy_day/style.css 1.3
themes/rainy_day/template.html 1.7
themes/rainy_day/theme.php 1.10
themes/water_drop/style.css 1.3
themes/water_drop/template.html 1.5
themes/water_drop/theme.php 1.10


Quote
It would be much easier to just replace them all, unless you have loads of mods applied.
Quote
:P :P :P I do

It's generally a drawback of heavily modifying any web app: upgrading gets harder. Use a diff viewer like winmerge to handle your mods issue.

Joachim
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: cdrake on April 22, 2005, 03:39:56 am
Thanks for the help. WinMerge is a great tool!
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: nanothree on April 22, 2005, 11:24:49 am
will this mess up my phpBB bridge?
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Nibbler on April 22, 2005, 01:11:46 pm
You'll have to redo the integration steps, that's all.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Makc666 on April 23, 2005, 03:25:45 am
========================
Step 0.
All steps were made under FreeBSD.
You can read about patch here:
http://www.phpbb.com/support/documents.php?mode=install#upgradeSTABLE_patch

========================
Step 1.
First of all!
I removed
/cpg132/lang/
/cpg133/lang/
dirs before patching, as it:
- becomes too big
- there are problems with patching in Japan (etc. country) languages.
- you can update lang files manually

========================
Step 2.
Second I run:
diff -crbBN cpg132 cpg133 >cpg-1.3.2_to_1.3.3.patch

========================
Step 3.
Then I made a copy of gallery folder which I was going to patch
cp -R coppermine coppermine-new

========================
Step 4.
Also you have to copy these files into your directory.
/coppermine/CHANGELOG
/coppermine/COPYING
/coppermine/install.php

You can take them from cpg1.3.2.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.2.zip?download

========================
Step 5.
Put your patch file into:
/coppermine-new/cpg-1.3.2_to_1.3.3.patch

========================
Step 6.
patch -cl -d /coppermine-new/ -p1 < /coppermine-new/cpg-1.3.2_to_1.3.3.patch
In this case you will see all results on your screen.
So make your Scroll Buffer big enough.
It will be about 1200 lines!

========================
Step 7.
Update your
/coppermine/lang/
dir with necessary files.
For example I use only Eng, Ger, Rus.

###########################
###!!! READ THIS ONE !!!###
###########################
During patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
--> Hunk #1 failed at 1.

Example below.
Word "succeeded" means that there are no problems with patching of that part of code.
Word "failed" means there was some problem.

If you see "failed" for some file, you have to open file with name "FILENAME_WITH_ERROR.rej"
below for example it is "zipdownload.php.rej"
and look what the patch couldn't change and fix that manually.

After all such fixes you will have to delete all *.rej and *.orig files from coppermine directory and subdirs!

Word "done" means that patch went through the whole "cpg-1.3.2_to_1.3.3.patch" file.

###########################
###### EXAMPLE START ######
###########################

--------------------------
|diff -crbBN cpg132/xp_publish.php cpg133/xp_publish.php
|*** cpg132/xp_publish.php      Sat Jul 24 17:03:00 2004
|--- cpg133/xp_publish.php      Tue Apr 19 05:17:00 2005
--------------------------
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hunk #3 succeeded at 216.
Hunk #4 succeeded at 333.
Hunk #5 succeeded at 571.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|diff -crbBN cpg132/zipdownload.php cpg133/zipdownload.php
|*** cpg132/zipdownload.php     Sat Jul 24 17:03:00 2004
|--- cpg133/zipdownload.php     Tue Apr 19 05:17:00 2005
--------------------------
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done

###########################
###### EXAMPLE END ########
###########################

========================
Step 8.
Run: http://your.gallery.com/update.php

- If you have not already done so, create a folder called "edit" within your "albums" directory - this folder will be used by coppermine as a temporary folder, do not ftp-upload files there. Make sure the new "edit"-folder is CHMODed the same way your albums-directory is (755 or 777, depending on your server's config)
- Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php). This will update your coppermine install by making all necessary changes in the database.

Taken from:
/cpg133/docs/index.htm#13
3.4 Upgrading from cpg1.2.0rc2 or better to version cpg1.3.3

========================
That's it!
(c) Makc666 :)

makc666 [at] newmail.ru
makc666 [at] yahoo.com
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: nanothree on April 23, 2005, 10:26:50 am
thanks Makc666
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Satyr on April 24, 2005, 05:54:22 am
Can I use my old template without problems? I have a custom theme (modified classic), Version 1.3.2.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: donnoman on April 24, 2005, 06:33:02 am
There are no changes required in your custom themes that I'm aware of.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Satyr on April 24, 2005, 06:48:51 am
Update is done, no probs occurred.
Gothic Model Gallery (http://www.gothicmodels.net)

Btw: I am much promoting Coppermine.
All of them who I have recommended and installed love it! ^_^
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 24, 2005, 09:42:37 am
@Makc666: I can't see the point of the patch you describe above? Why not do as the dev team suggests and simply replace all cpg1.3.2 files with cpg1.3.3 files?
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: a-amp on April 24, 2005, 11:30:03 am
I am using 1.3.0 for phpnuke.

My web site is accessible from here http://www.ixuz.com

does the upgrade apply to 1.3.0 for phpnuke?
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 24, 2005, 11:38:50 am
no, refer to http://forum.coppermine-gallery.net/index.php?topic=13667.0 and the other sticky threads on the board http://forum.coppermine-gallery.net/index.php?board=18.0
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: dj2big on April 24, 2005, 09:29:47 pm
no instructions on how to update in the docs
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Nibbler on April 24, 2005, 09:35:43 pm
Not even in the bit called "3.4 Upgrading from cpg1.2.0 (or better) to version cpg1.3.3" ? how odd...
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 26, 2005, 07:36:40 am
Split two unrelated replies to separate threads:
@all: please do not ask for support or new features on this thread; just use it for what it is meant for: postings related to the maintenance release itself. Splitting unrelated postings from this thread is quite labor-intensive, I will stop this from now on. Every unrelated reply will just get deleted.

Joachim
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Makc666 on April 27, 2005, 06:53:15 am
Quote
@Makc666: I can't see the point of the patch you describe above? Why not do as the dev team suggests and simply replace all cpg1.3.2 files with cpg1.3.3 files?

Because I have mods installed which change some of the files.
The patch allows me not to change every file from the beginning if I copy new files of ver. 1.3.3 over old-modified files ver. 1.3.2
All the same way as for phpBB patches.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: joksi on April 30, 2005, 03:39:49 pm
I have a problem with the upgrade, like some other here.
I have literally modified 80% of the orig files with own functions etc. etc.
Is there a "simpler" way to upgrade?
Or would some nice soul out there tell me exactly which parts of codes are the most "important" ones so I can modify it manually, it would take me 1-2 weeks to go through everything if not.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Nibbler on April 30, 2005, 03:44:08 pm
Well, I have posted what you need to change for the main security issue, there is a patch file posted, or you can use a diff tool to merge the changes together.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on April 30, 2005, 05:11:33 pm
...or use the method described by Makc666 here (http://forum.coppermine-gallery.net/index.php?topic=17134.msg80171#msg80171). Please read the full thread before replying. Generally speaking: you just discovered the main drawback of heavily modifying web applications - it gets harder to update!

Joachim
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: ElevenBravo on May 05, 2005, 05:47:30 pm
So I log on to your site needing some support for phpnuke coppermine. I come to this forum "CPG 1.2 PHPnuke/Postnuke Support" and click on it. The first link I see is this thread. So I think, "O there is an update" so I download 1.3.3 and reinstall it over my working version only to find out that 1.3.3 is for standalone. I would like to suggest maybe moving this thread out of here since it has nothing to do with phpnuke coppermine.
Title: Re: cpg1.3.3 released - upgrade strongly recommended
Post by: Joachim Müller on May 06, 2005, 08:19:15 am
a) You're meant to read all the stickies
b) the board "CPG 1.2 PHPnuke/Postnuke Support" has a sticky thread that says in bold: no support for nuke!
c) This thread is a "global sticky" that is visible throughout all sub-boards, we can't remove it from a singular sub-board. It's all or none!
d) Always read before blindly downloading and applying any software, there are various places where we noted that cpg1.3.3 is not for nuke.

We don't know nuke. Our software was never written with nuke in mind. We're not to blame if nuke users think they could use our software together with nuke. Please don't hijack announcement threads. I'll lock this thread now, as nobody seems to have to say something that really applies to the release of cpg1.3.3 itself. It's a pity nobody dared to say "thank you"...