Movable Type 6.3.7 Release Notes
This version of Movable Type was released February 20, 2018.
Movable Type version 6.3.7 includes several changes, including security fixes that affect plugin compatibility. When updating, it is strongly recommended that you take a snapshot of the database before updating, then install in a different directory instead of overwriting your current installation.
Please see Securing Movable Type for additional steps to protect your installation.
Security Patches
- [MTC-24856][MTC-24811][MTC-24830] Changed to verify blog_id strictly when creating and saving objects.
- [MTC-24858] Changed to verify user permission strictly for objects that have an alias name.
- [MTC-24888] Prevent system permission record change on saving display options.
- [MTC-10795][MTC-24813] Prevent cross site scripting.
- [MTC-24812][MTC-24833] Prevent displaying search results for assets without proper permissions.
- [MTC-24798] Prevent saving display options for a list without proper permissions.
- [MTC-24831] Changed to verify blog_id strictly for each request.
New And Improved Functions
Search
- [MTC-9375] mt-search.cgi now supports the AND operator for categories with the following notation: [category:"Foo AND Bar"]
Content Sync
- [MTC-13483] Name of content sync settings is now logged.
New Callback functions
cms_class_param_filter.$TYPE
Starting with this version, Movable Type in principle refuses to update an object's class value from external input, for security reasons.
This constraint applies to every MT::Object saved via the MT::CMS::Common::save method. If you want to exempt objects that your plugin adds from this constraint, you need to implement the cms_class_param_filter.$TYPE callback, where $TYPE is the object type given by the '_type' parameter.
When the callback returns 1, Movable Type allows the 'class' parameter.
Callback Parameter
$cb, $app
Examples
By Method:
    sub cms_class_param_filter {
        # Receives ($cb, $app); returning 1 allows the 'class' parameter for this type.
        return 1;
    }
By config.yaml:
    applications:
      cms:
        callbacks:
          cms_class_param_filter.category: >
            sub {
              return 1;
            }
NEW CONFIGURATION DIRECTIVES
XXSSProtection
If specified, Movable Type sends that value as the X-XSS-Protection response header. By default the directive is unset and the header is not output.
Example
XXSSProtection 1; mode=block
DefaultClassParamFilter (all | moderate | none)
As mentioned above, Movable Type does not accept the 'class' parameter in principle, but with this configuration directive you can specify the scope of objects to which the check applies.
If a value other than 'none' is specified, the result of cms_class_param_filter.$TYPE takes precedence (if the callback returns 1, the 'class' parameter is allowed).
The default value is 'all'.
Possible Values
- all: the 'class' parameter is not accepted for any MT::Object
- moderate: the 'class' parameter is not accepted for objects provided by Movable Type itself
- none: no check is performed
Miscellaneous
- [MTC-9923] Edit asset screen now supports copying permalink and viewing asset by one click.
- [MTC-13502] MT News now opens in a new tab.
Updated Functions
For Developers
The MT::App::permissions subroutine now returns undef when the current user does not have proper permissions for the requested blog/website.
The following code may therefore result in an error, because a method is called on undef:
    if ( $app->permissions->can_xxxxxx ) {
        ......
    }
That code should be:
    my $perms = $app->permissions;    # may be undef since 6.3.7
    if ( $perms && $perms->can_xxxxxx ) {
        .......
    }
Also, the MT::CMS::Common::save subroutine now rejects a 'class' input value when the entity class (e.g. Entry, Category) has a 'class_type' attribute; an error occurs if the request contains a 'class' input value. If you need to accept a 'class' input value, use your own save method instead.
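As an added example (not code from the Movable Type project), here is how a plugin could implement the cms_class_param_filter.$TYPE callback described above together with the new undef-safe permissions check. The plugin id MyPlugin, the object type my_widget, the allowed class values and the choice of can_administer_site as the gating permission are assumptions.

```perl
# Added example, not part of Movable Type itself. Plugin id 'MyPlugin',
# object type 'my_widget' and the allowed class names are assumptions.
#
# Registration in the plugin's config.yaml (callback keyed by the '_type'
# value, referencing this sub with MT's "$Plugin::Package::sub" notation):
#
#   applications:
#     cms:
#       callbacks:
#         cms_class_param_filter.my_widget: $MyPlugin::MyPlugin::Callbacks::class_param_filter
#
# In mt-config.cgi, 'DefaultClassParamFilter moderate' keeps the built-in
# objects protected while this callback decides for the plugin's own type.
package MyPlugin::Callbacks;
use strict;
use warnings;

# The only class values this object may be saved with from a request.
my %ALLOWED_CLASS = map { $_ => 1 } qw( my_widget my_widget_archive );

# Return 1 to let MT::CMS::Common::save accept the 'class' parameter;
# any other return value keeps the 6.3.7 default of rejecting it.
sub class_param_filter {
    my ( $cb, $app ) = @_;

    # Only act for the type this callback is registered for.
    return 0 unless ( $app->param('_type') || '' ) eq 'my_widget';

    # Reject missing or unknown class values instead of trusting the input.
    my $class = $app->param('class');
    return 0 unless defined $class && $ALLOWED_CLASS{$class};

    # Since 6.3.7, permissions() returns undef when the current user has no
    # association with the requested blog/website, so test it before use.
    # can_administer_site is assumed to be the permission gating this object.
    my $perms = $app->permissions;
    return 0 unless $perms && $perms->can_administer_site;

    return 1;
}

1;
```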
Movable Type for AWS / Movable Type Advanced for AWS
- [MTC-10076][MTC-24941] The initial user email address and the system email address are now optional, in accordance with AWS Marketplace regulations. However, Movable Type still uses the system email address setting for sending email, so if you want Movable Type to send email, configure the system email address in System Preferences. You can, of course, also enter the system email address during the initial setup process.
Asset
- [MTC-13179] Edit asset screen now displays user display name instead of user name.
Miscellaneous
- [MTC-24799] Display options for edit entry screen are now not saved when a system administrator has no association with blog or website.
RESOLVED ISSUES
Asset
- [MTC-9870] Screen now moves to asset listing screen when upload is finished if EnableUploadCompat is enabled and current user has proper permissions.
- [MTC-24853] Asset editing now works when clicking ‘edit’ link after upload.
- [MTC-24982] Asset chooser for user picture now works.
- [MTC-25013] Asset list for user picture now lists current user’s asset.
Smartphone Option
- [MTC-9997] The old asset upload screen is no longer shown when accessed from a PC after being accessed from a smartphone, when running in a PSGI environment.
Dynamic Publishing
- [MTC-9902] MTWidgetSet/MTWidgetManager with parent="1" now works.
- [MTC-9933] MTAssetURL now uses support directory path instead of mt-static path.
- [MTC-9965] Sort results of MTSubCategories/MTSubFolders are now the same as static publishing.
- [MTC-9978] MTPageNext/MTPagePrevious with by_folder now works.
- [MTC-10022] Database connection is now closed explicitly at the end of request.
- [MTC-10069] MT->display() function now works when called directly.
- [MTC-10074] MTEntries with tag modifier now works when using NOT operator.
Template
- [MTC-10072] Included widget templates now display modules when module is called by identifier modifier.
Template Tags
- [MTC-9935] MTIf with ne modifier now works when variable is not defined.
- [MTC-9974] MTEntryAssets/MTPageAssets with lastn modifier now works as last ‘n’ days.
- [MTC-10037] Resolved self-reference error within MTIncludeBlock.
- [MTC-12989] MTMultiBlog with mode="context" now works when specified with include_with_website="1".
- [MTC-10056] MTBuildTemplate outputs correct template id when previewing template.
User
- [MTC-10052] Username now accepts ‘0’ as a value.
Role and Permission
- [MTC-10024] Resolved an issue where “Website administrator” permissions are removed from roles when saving roles containing “Manage Member Blogs”.
Miscellaneous
- [MTC-24857] Site Selector now displays accessible websites and blogs only.
- [MTC-24916] mt-check.cgi now works on newer version of perl.
- [MTC-25008][MTC-10073] Fix typo.
- [MTC-10027] Improves judgement logic of is_url.
- [MTC-10077] Install wizard now works when support directory is not writable.
- [MTC-13386] Improve parameters of reset_password subroutine.
- [MTC-25017] Remove debug code.
- [MTC-25054] Validate memcached key.
ACKNOWLEDGEMENTS
The release of Movable Type 6.3.7 brings with it a large number of improvements that were made possible by the help and support of Movable Type community members. We would like to include a special shout out to the following members for their contributions to this update:
- Shingo Watanabe@alfasado (MTC-9923, MTC-10073, MTC-10072)
- Norio Saito (MTC-24916)
- Junnama Noda (MTC-24856, MTC-24857, MTC-24858, MTC-24812, MTC-24811, MTC-9933, MTC-9935, MTC-24798, MTC-24799, MTC-25068)
- tinybeans (MTC-25008)
- takatoshi kondoh (MTC-24813, MTC-10024)
- naoki onozaki (MTC-10074)
- Ryuji Sakai (MTC-25069)