9.2.2 Release Notes


Let us know by posting here.

New Features

  • Added a Switch Language option to the Top Navigation Bar, allowing the navigation bar to present a list of site languages and facilitate switching between them for the given page (thanks hissy)

Behavioral Improvements

  • Express Detail block now has support for getSearchableContent: pages that contain this block will have that block’s content properly added to the search index.
  • We now display the minimum and maximum username length when adding users in the Dashboard (thanks ounziw)
  • Prevent loading full tree views when not needed, improving performance with large topic trees in topic attributes, large file manager trees on Dashboard user and file manager pages.
  • Add package name and version to the message displayed after a package update (thanks JohnTheFish)
  • Improvements to clarity in field layout when resetting a user’s password from the Dashboard (thanks iampedropiedade)
  • Page List block outputs canonical path only when ccm_paging_p is 2 or greater (thanks ccmEnlil)
  • Site-wide attributes will now be grouped by set if sets have been enabled for site attributes (thanks parasek)
  • Added links to the images in the Atomik blog summary templates.
  • Updating some automatically created directories to use the proper directory permissions (thanks mlocati)
  • Clicking the labels of the checkboxes in the Rich Text Editor Settings Dashboard page will not check the appropriate checkbox (thanks mlocati)

Bug Fixes

  • Fixed bug where page attributes were added to the attribute index immediately upon saving, even if the version they were joined to had not yet been approved.
  • Fixed bug where announcements might not have been displayed to certain users who should see them.
  • Fixed bug when using advanced permissions in file manager with File Uploader access entity under certain conditions.
  • Fixed bug in the Atomik theme where a board would error if certain properties on a page were not set.
  • Fixed bug in advanced permissions that made it impossible to select a custom date/time range for a permission access entity.
  • Fixed: Page with gallery block breaks if deletes an image from the File manager.
  • jQuery UI is no longer required to use the core date/datetime attribute (thanks hamzaouibacha)
  • Fixed: Help block for related topics on page list form is incorrect (thanks ccmEnlil)
  • Fixed: Can't delete a user who is favoriting a folder in the file manager (thanks mlocati)
  • Fixed error where Page not found after updating URL slug of a page in composer.
  • Improved compatibility with PHP 8.2 and greater.
  • Fixed: ResponseAssetGroup::requireAsset required "core/rating" but "core/rating" is not a valid asset group handle
  • Fixed: Feature Link block: Undefined variable $buttonColor error on PHP8
  • Removed directory selector from File manager add file dialog because it could slow things down significantly.
  • Fixed bug where certain marketplace files would be marked as incompatible with the current version when they were not actually incompatible under PHP versions lower than 8.
  • Fixed Undefined variable $calendarID with PHP 8 when working with calendar boards configuration under PHP 8.
  • Fixed bug where Multi-site default site attributes at the Site Type level were not working.
  • Fixed: --env command option is ignored on v9 (thanks jscott-rawnet)
  • Fixed issue where users who were granted the ability to edit page type drafts were not actually able to publish those drafts.
  • Link settings in an image block will now export properly when using the Migration Tool (thanks hissy)
  • Fixed issue where if you’re filtering by a topic using custom code, similarly named topics would return objects assigned to both topics (thanks pszostok)
  • Fix error when an invalid file is passed into the download file single page (thanks JohnTheFish)
  • Fixed bug where nested groups would show HTML for their breadcrumbs when viewed in the user group search in the user advanced search.
  • Fixed some instances where the CollectionSearchIndexAttributes table might be updated based on the latest version instead of the approved version (thanks biplobice)
  • Fixed concrete/attributes/email/controller.php:33 Undefined array key "value" (thanks mlocati)
  • Fixed: PHP 8 deprecation warnings on login page (thanks mlocati)
  • Remove HTML from user_group attribute form.
  • Prevents PHP8 undefined key exception in Snippet::getByHandle() (thanks bikerdave)
  • "Invalid or Empty Node passed to getItem constructor." error on adding express form in certain languages (thanks hissy)
  • Bug fixes to the download file page under PHP8 (thanks JohnTheFish)
  • Fix error when logging in as another user with multisite enabled under PHP8.
  • Fixed Undefined variable $user on /login/session_invalidated under PHP 8 (thanks hissy)
  • Fixed bug where certain users may not have been able to dismiss announcements.
  • Fixed issue where "Subpage Permissions" setting is ignored when draft pages are inherited from defaults (thanks hissy)
  • Add missing t() in "Edit Page List" block view so it can be translated (thanks mlocati)
  • Fixed bug when trying to use Calendar summary templates to select a specific sub-set of summary templates as available for a particular event.
  • Fixed errors when accessing Express attribute keys programmatically if they had the phrase “get” at any point in them.
  • Load fresh version object instead of cached one when running update (thanks pszostok)
  • Fixed: Express Form Block's Form Name doesn't get changed after first setting (thanks hamzaouibacha)
  • Sanitize the output of the Accordion block title field (thanks ismeashim)
  • We now properly sanitize the output of files uploaded through Express Forms.
  • Updated to Guzzle 7.8, remediating INSERT ISSUE HERE!!!
  • Updated League OAuth2 Server dependency to 8.4.2 to fix security issue.
  • Better sanitization of Plural handles in Express objects.
  • Better sanitizing of Custom labels in Express objects.

Developer Improvements

  • Added new capabilities for custom theme documentation pages (pages that use site page types and page templates for support elements, but still live in the documentation pages area.)
  • Made ReindexPageCommand fully synchronous, and added a new QueueReindexPageCommand that is asynchronous for use when developers want to queue a page for reindexing asynchronously.

  • Added new console command concrete:theme:activate and concrete:theme:activate-skin.

  • Added the ability to affect the new page’s display order and page path when using the on_page_duplicate event.
  • Enhance DeleteGroupCommand to customize its handling of sub-groups (thanks mlocati)
  • Developers can now override the PageItem and Navigation classes within the Top Navigation Bar using custom code if they choose to do so (thanks danklassen)

Security Fixes

  • Updated the Guzzle HTTP library to 7.8 to ensure Concrete CMS is not vulnerable to Guzzle CVE-2023-29197 Thank you Danilo Costa for reporting H1 2132287
  • Fixed Directories could be created with insecure permissions since file creation functions gave universal access (0777) to created folders by default. Excessive permissions could be granted when creating a directory with permissions greater than 0755 or when the permissions argument was not specified. The Concrete CMS Security team scored this 6.6 with CVSS v3 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Thanks tahabiyikli-vortex for reporting H12122245. Thanks Mlocati for providing the fix. Fixed in commit 11677
  • Fixed stored XSS on the Concrete Admin page by sanitizing uploaded file names. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N Thanks @akbar_jafarli for reporting H1 2149479. Fixed in commit 11695
  • Fixed CVE-2023-44761 Admin can add XSS via Data Objects with this commit
  • Fixed CVE-2023-44765 Stored XSS Associations (via data objects) with commit 11746