Page 1 of 1

Plugins, Addons and Templates from 3-magi.net

Posted: Mon Jun 30, 2014 12:00 pm
by cmb
Hello Community,

[A German translation is available.]

I have to confirm the security warning of Gert Ebersbach regarding Plugins, Addons and Templates from 3-magi.net, that some of my latest plugins (beta versions) allow to access the plugin adminstration without authentication, when used in CMSimple (all versions) and CMSimple_XH < 1.5.4.

Of course, I will make updates available as soon as possible, which will fix this issue. I've hade emailed Gert asking for details on how to best deal with the issue, but he didn't answer to me directly. Obviously, he does not want that I write plugins for CMSimple. So all my future releases will work solely in CMSimple_XH. Even if all my existing plugins explicitely state that they require CMSimple_XH (and the minimum version), I will do my best to check for unsupported versions and variants of CMSimple, and let the plugin act appropriately.

I recommend to immediately uninstall my plugins from systems which do not fulfill the plugin requirements as stated in the manual (aka. help files). There will be neither bugfix releases nor security patches from me, which allow you to run the plugins under unsupported systems.

Another option is to upgrade to a supported version of CMSimple_XH.

Sorry for the inconvenience,
Christoph
http://3-magi.net/

Re: Plugins, Addons and Templates from 3-magi.net

Posted: Mon Jun 30, 2014 1:13 pm
by mikey
great to see you are on top of it matey :)

the trust is always with XH coders to bring cmsimple to where it is now

can i just confirm something, did gert's forum show this, without advising XH developers ?

Re: Plugins, Addons and Templates from 3-magi.net

Posted: Mon Jun 30, 2014 1:24 pm
by svasti
There are plugins
  1. that are supposed to work on both XH and CMSimple 4.x
  2. that are supposed to work only on XH
  3. that are supposed to work only on CMSImple4.x
If a plugin nr 2 or 3 is installed on the wrong system, unwanted problems occur. It would be better if the plugins find out right away if they are on the wrong system and give out a warning.

Plugins nr 3 could check, on which system they are and adjust some internal processes so that they function correctly with the system.

A marker would be helpful, as neither XH nor Gert's version look like going to disappear in the near future, and a name change of CMSimple_XH seems most unlikely. Rather, it looks like the present situation may continue for some time to come :roll:

What about

Code: Select all

$cms = defined('CMSIMPLE_VERSION')
? 'CMSimple 4.x detected'
: 'CMSimple_XH detected'; 

Re: Plugins, Addons and Templates from 3-magi.net

Posted: Mon Jun 30, 2014 1:55 pm
by cmb
mikey wrote:can i just confirm something, did gert's forum show this, without advising XH developers ?
At least, Gert didn't advise me.
svasti wrote:A marker would be helpful, as neither XH nor Gert's version look like going to disappear in the near future, and a name change of CMSimple_XH seems most unlikely.
Even if one of the names would change to something completely different, that wouldn't solve the issue per se. So a marker would indeed be helpful. I'm not even against introducing another marker to CMSimple_XH (even though there are already CMSIMPLE_XH_VERSION et. al.). Of course, a plugin could check itself for e.g. defined(CMSIMPLE_VERSION), but is there any guarantee that this won't change? And besides, that would not solve the issue for classic CMSimple and CMSimple classic, which still is in use.

Regarding plugin nr 2, I think it is best to do the following check:

Code: Select all

defined(CMSIMPLE_XH_VERSION) && strpos(CMSIMPLE_XH_VERSION, 'CMSimple_XH') === 0
(plus an additional check with version_compare(), if necessary)

Re: Plugins, Addons and Templates from 3-magi.net

Posted: Mon Jun 30, 2014 4:21 pm
by svasti
I just looked at Gert's code, which has:

Code: Select all

// version-informations
define('CMSIMPLE_XH_VERSION', 'CMSimple 4.4.3'); //for compatibility CMSimple_XH
define('CMSIMPLE_XH_BUILD', 2014060801); //for compatibility CMSimple_XH
define('CMSIMPLE_XH_DATE', '2014-06-08'); //for compatibility CMSimple_XH

define('CMSIMPLE_VERSION', 'CMSimple 4.4.3');
I understand that he has CMSIMPLE_XH_VERSION, because he starts out with XH 1.5.3, but then he should rather stay with the original:

Code: Select all

define('CMSIMPLE_XH_VERSION', 'CMSimple_XH 1.5.3');
define('CMSIMPLE_XH_BUILD', 2012031901);
define('CMSIMPLE_XH_DATE', '2012-03-19');

Now XH has

Code: Select all

define('CMSIMPLE_XH_VERSION', 'CMSimple_XH 1.6.2');
define('CMSIMPLE_XH_BUILD', '2014052201');
define('CMSIMPLE_XH_DATE', '2014-05-22');
So it should be possible for a plugin to determine if XH is used.

Re: Plugins, Addons and Templates from 3-magi.net

Posted: Mon Jun 30, 2014 4:58 pm
by cmb
svasti wrote:I understand that he has CMSIMPLE_XH_VERSION, because he starts out with XH 1.5.3, but then he should rather stay with the original:

Code: Select all

define('CMSIMPLE_XH_VERSION', 'CMSimple_XH 1.5.3');
define('CMSIMPLE_XH_BUILD', 2012031901);
define('CMSIMPLE_XH_DATE', '2012-03-19');
+ 1