Security release VM 3.0.8

Finally, after some interim versions, here is the release of VirtueMart 3.0.8.

All fixes were already provided with VM 3.0.6. Additionally, we released VM 3.0.6.2 to minimize problems due to the latest security problem in PHP itself (https://github.com/80vul/phpcodz/blob/master/research/pch-020.md).

The other two vulnerabilities were minor (non-persistent XSS) and are described in these diffs:
.../8692/diff/trunk/virtuemart/administrator/components/com_virtuemart/helpers/vmpagination.php
.../8692/diff/trunk/virtuemart/administrator/components/com_virtuemart/models/product.php.

So what happened in the meantime?
Well, our dear fellow Joomla developers kept us even busier than usual. :-) We were forced by different circumstances to release minor interim versions. First, we had to react fast to different problems in Joomla. For example, in February we were informed by Appcheck NG that we were distributing the dangerous file 'uploader.swf' in our Joomla 2.5.x/VM 3.0.x full installer. After some investigation it became clear that the file was still distributed by Joomla and was only removed when users updated Joomla. The file has been known to be dangerous since J2.5.10, but it is still present in the J2.5.28 installer. So we removed the file from our package and added a removal step to the install and update routines of VirtueMart 2.6.16+ and 3.0.6+ to ensure that the file is deleted. If you maintain a shop yourself, it is worth checking after the update that no copy of uploader.swf is left anywhere under the Joomla root.
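The removal step described above, as an added example (this is not VirtueMart's own install code): a helper that deletes every copy of a known-dangerous file below the given roots and reports what it could not delete, wired into a Joomla install script's postflight() hook. The class name, the file path media/system/swf/uploader.swf and the use of JPATH_ROOT/JFactory are assumptions for illustration.

```php
<?php
// Added example, not VirtueMart's code. Deletes known-dangerous files that an
// upstream installer keeps shipping and reports failures, so a file that could
// not be removed (permissions, open handle) is never silently left in place.

/**
 * Delete every copy of $relativePaths below each of $roots.
 * Returns array('removed' => [...], 'failed' => [...]) for logging.
 */
function removeKnownDangerousFiles(array $roots, array $relativePaths)
{
    $result = array('removed' => array(), 'failed' => array());
    foreach ($roots as $root) {
        $root = rtrim($root, '/\\');
        foreach ($relativePaths as $rel) {
            $path = $root . DIRECTORY_SEPARATOR . ltrim($rel, '/\\');
            if (!is_file($path)) {
                continue; // nothing to do, e.g. Joomla already removed it on update
            }
            // unlink() and re-check: only count it as removed when it is really gone.
            if (@unlink($path) && !file_exists($path)) {
                $result['removed'][] = $path;
            } else {
                $result['failed'][] = $path;
            }
        }
    }
    return $result;
}

// Assumed location of the file discussed above (Joomla 2.5 media tree).
function dangerousFiles()
{
    return array('media/system/swf/uploader.swf');
}

// Joomla install script hook (assumed class name). postflight() runs after
// both install and update, so the file is also removed on an upgrade.
class com_exampleInstallerScript
{
    public function postflight($type, $parent)
    {
        $result = removeKnownDangerousFiles(array(JPATH_ROOT), dangerousFiles());
        foreach ($result['failed'] as $path) {
            JFactory::getApplication()->enqueueMessage(
                'Could not delete ' . $path . ', please remove it manually', 'warning');
        }
    }
}

// Stand-alone run against a constructed temporary tree, not a live site.
if (PHP_SAPI === 'cli' && !defined('JPATH_ROOT')) {
    $tmp = sys_get_temp_dir() . '/vm_example_' . uniqid();
    mkdir($tmp . '/media/system/swf', 0700, true);
    file_put_contents($tmp . '/media/system/swf/uploader.swf', 'FWS');
    print_r(removeKnownDangerousFiles(array($tmp), dangerousFiles()));
}
```

The re-check after unlink() is the part worth keeping: a removal step that only attempts the delete gives no signal when the web server user lacks permission on the directory, and the file keeps being served.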

Some days later, after we had just adjusted the toolbar JavaScript to Joomla 3.4.0, version 3.4.1 was released, which broke the validation.js of the toolbar's 'Save' button. The reasons given were "optimisations" and "deferrable" changes to low-priority issues. In our humble opinion, the reason for this is probably Joomla's new release strategy, which no longer has short-term and long-term releases. We do welcome that Joomla dropped the STR and LTR system, but the new system seems to lack clear rules about which kinds of features may be added within a minor update version. I think the VirtueMart community has already had its fingers burned by the constant implementation of new features. It took us some releases to get a feeling for it, and it is a matter of experience and rules. Since the Joomla team changes more often than the VM team, it would be better for the Joomla team to write down their knowledge as rules. It remains very interesting to see how the Joomla community will deal with this situation.

From a developer's point of view, in the past we had to ensure compatibility only for major releases, like J1.0, 1.5, J2.5, 3.3. At present it seems we have to cope with minor releases like 3.4.x, 3.5.x and so on, too. Or, to put it bluntly: Joomla is becoming unstable. For a developer, stable/unstable does not just mean that the execution of the program is stable; it usually also means that the program behaves the same way as before.

I wrote the above a week ago, and meanwhile we are suffering from new problems with language routing in Joomla 3.4.1, a new problem with canonical URLs, and more. So let's hope that all the currently open router/SEF fixes, viewable at issues.joomla.org/tracker/joomla-cms/?category=router-sef, will be tested and merged into Joomla as soon as possible. A half-baked new router system creates many problems for us.

Since there are still security audits for Joomla 2.5.28, even after the announced End Of Life, we currently recommend that multilingual shops stay with Joomla 2.5.28 until there is a stable Joomla 3.4.x or 3.5 version. Our Supporter Membership includes a security maintenance contract and ensures a stable and secure system.

As many live shops show, staying with Joomla 2.5.28 does not mean that the system is not responsive or not mobile friendly. There are great templates on the market that offer all the mobile-friendly features necessary for an up-to-date e-commerce system on a stable Joomla 2.5 backbone.

We really worked hard on the new version, and besides fixing bugs we also added some features.

  • The vmbeez template is now mobile friendly (kudos to Stefan Schumacher)
  • New option for multivariants, which automatically creates the selected custom field "string" in the children for you. This is very important for search plugins
  • Multivariants give the correct number of rows (for the browse page)
  • New sample data with new images
  • Added more NOT NULL declarations to the SQL schema (see http://dev.mysql.com/doc/refman/5.7/en/is-null-optimization.html)
  • Fallbacks for IE9, various JS, missing config values and similar
  • Category names understand vmText language keys
  • Added an extra option to "is_list" for the custom fields S and M
  • Address handling in the cart is enhanced
  • Example of making the code more robust: creating children was limited by the slug finder, which did not try more than 20 times. The new function uses the slug of the most recently generated child to find a new slug
  • Another example: added the function ensureUniqueId to keep all HTML id attributes unique (not implemented for every HTML function yet)
  • Vmprices add-to-cart now also works with a <button> element, not just an <input>
  • Added vRequest::vmSpecialChars without double encoding; the reason is that lang can be a command in PHP (thanks to Kainhofer for the hint and patch)
  • And a lot more; you may investigate the repository yourself at dev.virtuemart.net/.../trunk/virtuemart
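To make the "without double encoding" point concrete, here is an added example (not VirtueMart's vRequest::vmSpecialChars): an output-escaping helper based on htmlspecialchars() with double_encode disabled, run side by side with the default behaviour on constructed request values such as a "lang" parameter. Function names and the sample inputs are assumptions for illustration.

```php
<?php
// Added example, not VirtueMart's code. Shows what double_encode=false changes
// in htmlspecialchars() and what it does not change: markup characters are
// still neutralised, only entities that are already encoded stay as they are.

function escapeForHtml($value, $doubleEncode)
{
    // ENT_QUOTES encodes both quote styles, so the result is usable inside
    // attribute values as well as element content. The charset is given
    // explicitly; relying on the default is a classic source of surprises.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

// Variant with the behaviour discussed in the changelog entry: an input that
// already contains "&amp;" is not turned into "&amp;amp;".
function escapeNoDoubleEncode($value)
{
    return escapeForHtml($value, false);
}

// Caveat for the no-double-encoding variant: pre-encoded entities pass through
// untouched. That is safe while the value is only ever rendered as HTML text or
// an attribute; it is not safe if something downstream decodes entities again
// (html_entity_decode, or echoing the value into a JavaScript string). When in
// doubt, keep the default (double_encode=true).

// Constructed sample inputs, e.g. values of a "lang" request parameter.
$samples = array(
    'en-GB',                                 // harmless
    'en-GB&amp;foo=bar',                     // already encoded once
    '"><script>alert(1)</script>',           // reflected XSS attempt
    '&lt;script&gt;alert(1)&lt;/script&gt;', // pre-encoded by the attacker
);

foreach ($samples as $s) {
    printf("input:     %s\n", $s);
    printf("default:   %s\n", escapeForHtml($s, true));
    printf("no-double: %s\n\n", escapeNoDoubleEncode($s));
}
```

For the third sample both variants return the same neutralised string, because no entity was present in the input; only the second and fourth samples differ, and the fourth is exactly the case the caveat in the comments is about.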

Furthermore, we released the new VM 2.6.18, with just minor bug fixes.