Zenphoto 1.5.6
9 November 2019
Zenphoto version 1.5.6 is now available (security release).
Upgrading to Zenphoto 1.5.6
Zenphoto 1.5.6 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Zenphoto updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Zenphoto install to test the 1.5.6 upgrade prior to applying it live. Get started managing your Zenphoto installations with Installatron.
What's New in Zenphoto 1.5.6
1.5.6
Bug Fixes
- Fix issue with overly strict backend HTTP security headers breaking the jQuery uploader
Plugins
- openstreetmap: Fix undefined variable $selectedlayerslist and remove the discontinued “OpenStreetMap.BlackAndWhite” map/layer from options.
- scriptless-socialsharing: Fix broken URLs being shared
Translations
- Argentinian Spanish
- Dutch
- German
- Spanish
1.5.5
Security
- elFinder: See plugin section below
- Backend headers: The backend now sets some additional headers by default
- We received a security report that clicks can be hijacked by embedding the site in frames/iframes (clickjacking). We decided not to hardcode any standard headers, as this requires site-specific configuration: we know of many sites that go the "lazy way" of simply embedding Zenphoto within their own main site via an iframe, and those would break. Instead we introduce the new http_security_headers plugin (see below) so site owners can configure it as needed, along with some other security-related headers. However, we have set up some defaults that cover this. We set a few headers, but because of a lot of (especially legacy) JS code we had to make them fairly relaxed, as otherwise things break.
Bug Fixes
- "updateddate" is now set for an album and/or its parents if file system contents change ("lastchange", which all item types have, is for non-file-system content like title, description etc.). The database field "updateddate" has existed for a long time and was formerly only triggered if a new image was added. It is now set if a new image or subalbum is discovered/added, on subalbum/image removal, on copying (for the destination) or on moving (for both source and destination). It has also been added to the sorting selectors on Options > Gallery and to each album's selectors.
- Fix "return unpublished" search option not being set correctly on dynamic album creation
- Fix issue with search/dynamic albums wrongly returning published items from unpublished parent items, which are considered unpublished by hierarchical inheritance. Introduces the new class method isPublic() for all theme object classes, which checks the parents' publish state, whereas the existing getShow() method only checks the item itself
- Fixes issue with custom sortorders for albums and images
- If the site is set to maintenance mode (aka "closed for update") it now sends the correct HTTP status code "503 Service Unavailable" instead of "302 Found". The retry interval is set to 3600 seconds
Plugins
- cookieconsent: Script updates; JS/CSS loading disabled for logged-in users so they do not unnecessarily get the overlay
- downloadList: Default Matomo content tracking support corresponding to the new Matomo plugin option
- elFinder: Update elFinder to 2.1.50 which fixes several security issues of the elFinder script according to its developer
- http_security_headers: Allows basic setting of various security related HTTP header policies. Beware that this is advanced usage and misconfiguration may break your site.
- matomo: Adds content tracking options. To use this your site may require special HTML attribute markup. See the matomo docs for more info
- openstreetmap: Update leaflet-providers
- reCaptcha: Add CSS styles
- sitemap-extended: Fix wrong dynamic album URLs in sitemap. Some visibility check improvements, and prevent empty image sitemaps from being generated
- static_html_cache: Emphasize the importance of certain excluded pages
- zenphotoDonate: Form does not load external file from Paypal anymore
Utilities
- http_header_inspector: A small utility to view which headers the frontend or backend sends. Useful for checking the use of the http_security_headers plugin or for adding HTTP headers in other ways
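The framing trade-off described in the Security note above (a hardcoded anti-framing header would break sites that embed the gallery in an iframe on a different origin) is the kind of thing to verify with the headers the http_header_inspector utility shows. The following is an added example, not Zenphoto's or the plugin's own code: it evaluates a response's X-Frame-Options and CSP frame-ancestors headers and answers whether a given parent origin could still embed the page. The header sets and origins are constructed sample values, not Zenphoto's actual defaults.

```python
from typing import Dict, List, Optional

# Constructed sample header sets (not Zenphoto's real defaults).
NO_HEADERS: Dict[str, str] = {"Content-Type": "text/html"}
XFO_SAMEORIGIN: Dict[str, str] = {"X-Frame-Options": "SAMEORIGIN"}
CSP_ALLOWLIST: Dict[str, str] = {
    "Content-Security-Policy":
    "default-src 'self'; frame-ancestors 'self' https://www.example.com"}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP field names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    csp = _get(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """'csp', 'xfo' or 'unprotected'. Per the CSP spec, frame-ancestors takes
    precedence over X-Frame-Options when both are present; the obsolete
    ALLOW-FROM form of X-Frame-Options is treated as no protection here."""
    if frame_ancestors(headers) is not None:
        return "csp"
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    return "xfo" if xfo in ("DENY", "SAMEORIGIN") else "unprotected"


def may_embed(headers: Dict[str, str], page_origin: str, parent_origin: str) -> bool:
    """Would a browser render page_origin inside a frame hosted on parent_origin?
    Origins are compared exactly (lower-case scheme://host[:port]); CSP host
    wildcards and path matching are deliberately not modelled."""
    policy = framing_policy(headers)
    if policy == "unprotected":
        return True                      # anyone can frame it: clickjacking risk
    if policy == "xfo":
        xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
        return xfo == "SAMEORIGIN" and parent_origin == page_origin
    sources = frame_ancestors(headers) or []
    if "'none'" in sources:
        return False
    return ("'self'" in sources and parent_origin == page_origin) or parent_origin in sources
```

With these samples, SAMEORIGIN blocks the "main site embeds the gallery" layout when the two live on different origins, while a frame-ancestors allowlist naming the main site keeps it working and still refuses every other origin.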
Themes
- basic: Center login form properly
Translations
- Danish
- Dutch
- French
- Italian
- Slovak