New Features
- Added a Switch Language option to the Top Navigation Bar, allowing the navigation bar to present a list of site languages and facilitate switching between them for the given page (thanks hissy)
Behavioral Improvements
- Express Detail block now has support for getSearchableContent: pages that contain this block will have that block’s content properly added to the search index.
- We now display the minimum and maximum username length when adding users in the Dashboard (thanks ounziw)
- Prevent loading full tree views when they are not needed, improving performance with large topic trees in topic attributes and large File Manager trees on the Dashboard user and File Manager pages.
- Add package name and version to the message displayed after a package update (thanks JohnTheFish)
- Improvements to clarity in field layout when resetting a user’s password from the Dashboard (thanks iampedropiedade)
- Page List block outputs canonical path only when ccm_paging_p is 2 or greater (thanks ccmEnlil)
- Site-wide attributes will now be grouped by set if sets have been enabled for site attributes (thanks parasek)
- Added links to the images in the Atomik blog summary templates.
- Updating some automatically created directories to use the proper directory permissions (thanks mlocati)
- Clicking the labels of the checkboxes in the Rich Text Editor Settings Dashboard page will now check the appropriate checkbox (thanks mlocati)
Bug Fixes
- Fixed bug where page attributes were added to the attribute index immediately upon saving, even if the version they were joined to had not yet been approved.
- Fixed bug where announcements might not have been displayed to certain users who should see them.
- Fixed bug when using advanced permissions in file manager with File Uploader access entity under certain conditions.
- Fixed bug in the Atomik theme where a board would error if certain properties on a page were not set.
- Fixed bug in advanced permissions that made it impossible to select a custom date/time range for a permission access entity.
- Fixed: Page with gallery block breaks if an image is deleted from the File Manager.
- jQuery UI is no longer required to use the core date/datetime attribute (thanks hamzaouibacha)
- Fixed: Help block for related topics on page list form is incorrect (thanks ccmEnlil)
- Fixed: Can't delete a user who is favoriting a folder in the file manager (thanks mlocati)
- Fixed error where Page not found after updating URL slug of a page in composer.
- Improved compatibility with PHP 8.2 and greater.
- Fixed: ResponseAssetGroup::requireAsset required "core/rating" but "core/rating" is not a valid asset group handle
- Fixed: Feature Link block: Undefined variable $buttonColor error on PHP8
- Removed directory selector from File manager add file dialog because it could slow things down significantly.
- Fixed bug where certain marketplace files would be marked as incompatible with the current version when they were not actually incompatible under PHP versions lower than 8.
- Fixed Undefined variable $calendarID when working with calendar boards configuration under PHP 8.
- Fixed bug where Multi-site default site attributes at the Site Type level were not working.
- Fixed: --env command option is ignored on v9 (thanks jscott-rawnet)
- Fixed issue where users who were granted the ability to edit page type drafts were not actually able to publish those drafts.
- Link settings in an image block will now export properly when using the Migration Tool (thanks hissy)
- Fixed issue where if you’re filtering by a topic using custom code, similarly named topics would return objects assigned to both topics (thanks pszostok)
- Fix error when an invalid file is passed into the download file single page (thanks JohnTheFish)
- Fixed bug where nested groups would show HTML for their breadcrumbs when viewed in the user group search in the user advanced search.
- Fixed some instances where the CollectionSearchIndexAttributes table might be updated based on the latest version instead of the approved version (thanks biplobice)
- Fixed concrete/attributes/email/controller.php:33 Undefined array key "value" (thanks mlocati)
- Fixed: PHP 8 deprecation warnings on login page (thanks mlocati)
- Remove HTML from user_group attribute form.
- Prevents PHP8 undefined key exception in Snippet::getByHandle() (thanks bikerdave)
- Fixed: "Invalid or Empty Node passed to getItem constructor." error on adding an express form in certain languages (thanks hissy)
- Bug fixes to the download file page under PHP8 (thanks JohnTheFish)
- Fix error when logging in as another user with multisite enabled under PHP8.
- Fixed Undefined variable $user on /login/session_invalidated under PHP 8 (thanks hissy)
- Fixed bug where certain users may not have been able to dismiss announcements.
- Fixed issue where "Subpage Permissions" setting is ignored when draft pages are inherited from defaults (thanks hissy)
- Add missing t() in "Edit Page List" block view so it can be translated (thanks mlocati)
- Fixed bug when trying to use Calendar summary templates to select a specific sub-set of summary templates as available for a particular event.
- Fixed errors when accessing Express attribute keys programmatically if they had the phrase “get” at any point in them.
- Load fresh version object instead of cached one when running update (thanks pszostok)
- Fixed: Express Form Block's Form Name doesn't get changed after first setting (thanks hamzaouibacha)
- Sanitize the output of the Accordion block title field (thanks ismeashim)
- We now properly sanitize the output of files uploaded through Express Forms.
- Updated to Guzzle 7.8, remediating INSERT ISSUE HERE!!!
- Updated League OAuth2 Server dependency to 8.4.2 to fix security issue.
- Better sanitization of Plural handles in Express objects.
- Better sanitizing of Custom labels in Express objects.
Developer Improvements
- Added new capabilities for custom theme documentation pages (pages that use site page types and page templates for support elements, but still live in the documentation pages area).
- Made ReindexPageCommand fully synchronous, and added a new QueueReindexPageCommand that is asynchronous for use when developers want to queue a page for reindexing asynchronously.
- Added new console commands concrete:theme:activate and concrete:theme:activate-skin.
- Added the ability to affect the new page’s display order and page path when using the on_page_duplicate event.
- Enhance DeleteGroupCommand to customize its handling of sub-groups (thanks mlocati)
- Developers can now override the PageItem and Navigation classes within the Top Navigation Bar using custom code if they choose to do so (thanks danklassen)
Security Fixes
- Updated the Guzzle HTTP library to 7.8 to ensure Concrete CMS is not vulnerable to Guzzle CVE-2023-29197. Thank you Danilo Costa for reporting H1 2132287.
- Fixed: Directories could be created with insecure permissions, since file creation functions gave universal access (0777) to created folders by default. Excessive permissions could be granted when creating a directory with permissions greater than 0755 or when the permissions argument was not specified. The Concrete CMS Security team scored this 6.6 with CVSS v3 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. Thanks tahabiyikli-vortex for reporting H1 2122245. Thanks mlocati for providing the fix. Fixed in commit 11677.
- Fixed stored XSS on the Concrete Admin page by sanitizing uploaded file names. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N. Thanks @akbar_jafarli for reporting H1 2149479. Fixed in commit 11695.
- Fixed CVE-2023-44761: Admin can add XSS via Data Objects, with this commit.
- Fixed CVE-2023-44765: Stored XSS in Associations (via data objects), with commit 11746.
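The directory-permissions fix above describes the risk of creating folders with a 0777 default or with whatever mode the caller happened to pass. The following is an added illustration, not Concrete CMS code: a helper that refuses any mode wider than 0755, applies the mode explicitly so the process umask cannot widen it, and re-reads the result from disk. The function names and the 0755 ceiling are assumptions for the example.

```php
<?php
// Added example, not Concrete CMS code: a directory-creation helper that refuses
// the 0777 default described above. Names and the 0755 ceiling are assumptions.
declare(strict_types=1);

const MAX_DIR_MODE = 0755; // widest mode the helper will accept

// Create $path (and parents) with an explicit mode, then verify what is on disk.
function createDirectorySafely(string $path, int $mode = MAX_DIR_MODE): void
{
    // Any bit outside 0755 means group/world write (or setuid/setgid): refuse it.
    if (($mode & ~MAX_DIR_MODE) !== 0) {
        throw new InvalidArgumentException(sprintf('Refusing mode %04o for %s', $mode, $path));
    }
    // mkdir() applies the process umask to $mode; enforceDirectoryMode() removes
    // that dependency by chmod()ing the result explicitly.
    if (!is_dir($path) && !@mkdir($path, $mode, true) && !is_dir($path)) {
        throw new RuntimeException("Could not create $path");
    }
    enforceDirectoryMode($path, $mode);
}

// Set the mode if it differs, then re-read it and fail closed if still too wide.
function enforceDirectoryMode(string $path, int $mode): void
{
    clearstatcache(true, $path);
    if ((fileperms($path) & 0777) !== $mode && !chmod($path, $mode)) {
        throw new RuntimeException(sprintf('Could not set mode %04o on %s', $mode, $path));
    }
    clearstatcache(true, $path);
    $actual = fileperms($path) & 0777;
    if (($actual & ~MAX_DIR_MODE) !== 0) {
        throw new RuntimeException(sprintf('%s is still too permissive (%04o)', $path, $actual));
    }
}

// Usage: a throwaway tree under the temp dir, created with the policy applied.
$base = sys_get_temp_dir() . '/perm-demo-' . bin2hex(random_bytes(4));
createDirectorySafely($base . '/cache/thumbnails');
printf("%s -> %04o\n", $base . '/cache/thumbnails', fileperms($base . '/cache/thumbnails') & 0777);

try {
    createDirectorySafely($base . '/uploads', 0777); // the insecure default is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Only the leaf directory is chmod()ed here; parent directories created by the recursive mkdir() still receive the umask-adjusted mode, so an audit for world-writable directories under the web root remains a useful check after upgrading.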