[ANN] Radiant CMS 0.6.1 - Stone Cutter (Security Update)

Looks like it’s time for another release of Radiant:

http://radiantcms.org/download/

This release contains an important security update. Passwords since 0.5
have been written straight into the log files without filtering of any
kind. This could enable a malicious user with read permissions on the
log files to discover other users’ passwords. We’ve repaired the problem
in 0.6.1. It is recommended that everyone upgrade immediately. You
should also delete production.log and development.log.

This release also includes a few minor bug fixes.

WHAT IS RADIANT CMS?

Radiant is a no-fluff content management system made for designers and
programmers and is ideal for use on small teams. It is similar to
Movable Type or Textpattern, but is much more than a blogging engine.

Radiant features:

  • An elegant user interface
  • The ability to arrange pages in a hierarchy
  • Flexible templating with layouts, snippets, page parts, and a
    custom tagging language (Radius: http://radius.rubyforge.org)
  • A dynamic extension system
  • A simple user management/permissions system
  • Support for Markdown and Textile as well as traditional HTML
    (it’s easy to create other filters)
  • Operates in two modes: dev and production depending on the URL
  • A caching system which expires pages every 5 minutes
  • Built using Ruby on Rails (which means that extending Radiant is
    as easy as any other Rails application)
  • Licensed under the MIT-License
  • And much more…

There’s even a live demo over on the project Web site:

http://radiantcms.org/demo/

WHAT’S NEW IN THIS RELEASE?

  • Fixed a security vulnerability which caused passwords to appear in the
    logs
  • Fixed a bug in the site map code which caused it to forget which rows
    were expanded
  • The find_by_url method has been optimized to improve performance
    [Daniel S.]
  • GET requests are now the only requests that are cached [Daniel
    Sheppard]
  • Added rudimentary support for extension dependency specification
    through directory prefixing [Daniel S.]
  • Fixed syntax error in fixture loading extension [Sean C.]
  • Minor documentation fix for date tag [Sean C.]
  • Fixed a bug in the migrations that prevented 0.5.x users from
    upgrading properly [Sean C.]

INSTALLATION

We’ve worked hard to make it easy to install Radiant. For starters you
can download it with Ruby Gems:

% gem install --include-dependencies radiant

Once the Radiant gem is installed you have access to the radiant
command. The radiant command is similar to the rails command (if you
are from the Rails world). It’s how you generate a new Radiant project
for a website. So cd to the directory where you would like your
instance to be installed and type:

% radiant -d [mysql|postgres|sqlite3] .

Next, edit config/database.yml to taste. Then run the rake bootstrap
task:

% rake production db:bootstrap

And start up the test server:

% script/server -e production

Finally, hit the /admin/ URL and you should be off to the races. See the
README file in the release for additional details.

If you are interested in other download options, visit the download
page: http://radiantcms.org/download/.

UPGRADING FROM 0.6.0

  1. Update the Radiant gem:

    % gem update radiant

  2. Change the RADIANT_GEM_VERSION constant in config/environment.rb
    to “0.6.1”.

  3. Run the update rake task:

    rake radiant:update

  4. Restart the server

UPGRADING FROM 0.5.x

The upgrade process changed significantly from last release, so listen
up! To upgrade an existing installation, BACKUP YOUR DATABASE, update
the gem, and create a new Radiant project using the instructions above.
Then point Radiant to the right database by editing config/database.yml
and execute the following command in your project directory:

% rake db:migrate

If you have problems during the upgrade, please let us know.

CONTRIBUTORS

Radiant wouldn’t be possible without the help of some fine people. The
following people have made contributions to this release:

  • Alexander H.
  • Sean C.

Thanks guys! If you’d like to hop on the development band wagon head on
over to our dev site (http://dev.radiantcms.org/).

SUPPORT

The best place to get support is definitely on the Radiant mailing list.
There’s a crowd of people there who have been hanging around for many
moons now. Newbie questions are welcome! To sign up, go to:

http://radiantcms.org/mailing-list/

The Radiant mailing list is also accessible via Ruby forum:

http://www.ruby-forum.com/forum/21

Enjoy!


John L.
http://wiseheartdesign.com
http://radiantcms.org
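Added example, not code from the announcement or from Radiant itself: a small Ruby scanner that checks a Rails request log for unmasked password parameters (the leak described above), next to the recursive masking that Rails’ filter_parameter_logging applies before a params hash reaches the log. The log lines, key names and sample values are constructed for the example.

```ruby
# Added example, not Radiant's or Rails' own code: a scanner for the credential
# leak described above (pre-0.6.1 Radiant logged login parameters verbatim)
# plus the masking that Rails' filter_parameter_logging applies before logging.
# The log text below is a constructed sample, not a real production.log.

SENSITIVE_KEYS = %w[password password_confirmation].freeze

# Rails 1.x writes request params as an inspected Hash on a "Parameters:" line,
# e.g.  Parameters: {"user"=>{"login"=>"admin", "password"=>"hunter2"}, ...}
# Return every sensitive key whose logged value is not already masked.
def leaked_credentials(log_text)
  pattern = /"(#{SENSITIVE_KEYS.join('|')})"\s*=>\s*"([^"]*)"/
  leaks = []
  log_text.each_line.with_index(1) do |line, lineno|
    next unless line.include?('Parameters:')
    line.scan(pattern) do |key, value|
      leaks << { line: lineno, key: key, value: value } unless value == '[FILTERED]'
    end
  end
  leaks
end

# Recursively replace sensitive values, which is what filter_parameter_logging
# does to the params hash before it is written to the log.
def filter_parameters(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] = if SENSITIVE_KEYS.include?(key.to_s) then '[FILTERED]'
               elsif value.is_a?(Hash) then filter_parameters(value)
               else value
               end
  end
end

# Constructed sample of the log lines a pre-0.6.1 admin login produced
SAMPLE_LOG = <<-LOG
Processing LoginController#login (for 10.0.0.5 at 2007-05-06 02:26:01) [POST]
  Parameters: {"user"=>{"login"=>"admin", "password"=>"hunter2"}, "action"=>"login", "controller"=>"admin/login"}
Processing PageController#edit (for 10.0.0.5 at 2007-05-06 02:27:10) [GET]
  Parameters: {"action"=>"edit", "id"=>"33", "controller"=>"admin/page"}
LOG

if __FILE__ == $0
  leaked_credentials(SAMPLE_LOG).each do |leak|
    puts "line #{leak[:line]}: plaintext #{leak[:key]} logged; rotate it and purge the log"
  end
  # With filtering in place the same request logs only the masked value
  p filter_parameters('user' => { 'login' => 'admin', 'password' => 'hunter2' })
end
```

In a Rails 1.2 application the equivalent protection is `filter_parameter_logging :password` in ApplicationController; the scanner tells you whether old logs still need purging and which accounts need a password reset.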

rake radiant:update
  1. Restart the server

Just a quick note: it took me a few minutes to realize that I needed
to run the rake task over the production side of things to get fcgi
to work. “rake production radiant:update”

It’s a novice mistake on my part, but hopefully this will help the
other novices out there. :slight_smile:

Matt

Matt B. wrote:

Just a quick note: it took me a few minutes to realize that I needed
to run the rake task over the production side of things to get fcgi
to work. “rake production radiant:update”

No, the rake radiant:update task doesn’t require production mode. It
handles updating scripts, javascripts, and images. When there are
database changes then you will need to run rake production db:migrate.


John L.
http://wiseheart

Are there any plans to include localization (other languages in the
admin interface) support in Radiant, or is anything available for use at
the moment?

Best Regards,
Gustaf Lindqvist

On 6 May 2007 at 02:26, John W. Long wrote:

That’s odd… cgi worked, but fcgi wouldn’t until I called that
command. Perhaps it was simply a fcgi restart-lag-thing (I had to
kill -9 the dispatch.fcgi to get it to exit; then it wouldn’t
restart.) Sorry for the mis-information. :slight_smile:

Matt

Gustaf Lindqvist wrote:

Are there any plans to include localization (other languages in the
admin interface) support in Radiant, or is anything available for use at
the moment?

We have plans to support localization post 1.0.

I was interested to learn that Beast was recently globalized with
Gibberish from Err the Blog:

http://errtheblog.com/post/4396

I really like the syntax that he has come up with for it.


John L.
http://wiseheartdesign.com

The best way to tell what is going wrong is to login to your hosting
server, go to the directory where your Radiant instance is, and run

tail -f log/production.log

Now try to hit /admin/pages/. See what error is printed. That said,
here’s my guess. Between 0.6.0 and 0.6.1, the way it holds onto which
pages you have expanded in the sitemap has changed slightly. You may
need to logout, clear your cookies and try again.

Sean

Hello there!

I am having an issue with 0.6.1 this morning. I just upgraded to 0.6.1
from 0.6.0 and now suddenly I can’t access /admin/pages/ - I can log in
and everything, but when I try to go to /admin/pages/ it gives me this:

Application error (Apache)

Change this error message for exceptions thrown outside of an action
(like in Dispatcher setups or broken Ruby code) in public/500.html

I can go to my main site fine, as well as hit up all the other admin
pages (Snippets, layout, extensions, etc.). There are no errors or
anything coming up in my logs either, so I am stumped at this one. Any
ideas what might have broken?

Thanks!
Andrew

Hello Sean!

Thanks, I managed to get it. Some reason my extension_meta was gimped; I
backed up, cleared it, and redid the rake db:migrate:extensions and it
worked. No clue why, but it did.

Thanks a lot! :slight_smile:
Andrew

Hello Sean!

Thanks for the help. It seems that even though I’ve moved my extensions
over, it is not loading the extensions for some unknown reason. The
extensions are in my extensions_meta but it doesn’t pick them up at all.
Any ideas what I can do to get them to launch again?

Thanks!
Andrew

Make sure to run rake db:migrate. The last migration adds optimistic
locking.

Sean

On 5/10/07, Sean C. [email protected] wrote:

Make sure to run rake db:migrate. The last migration adds optimistic locking.

I did and I am at version 15 with the lock_version columns in the
tables… It worked for a time and then not any more.

On 5/9/07, Sean C. [email protected] wrote:

Now try to hit /admin/pages/. See what error is printed. That said,
here’s my guess. Between 0.6.0 and 0.6.1, the way it holds onto which
pages you have expanded in the sitemap has changed slightly. You may
need to logout, clear your cookies and try again.

I get the generic 500 error now when I try to save a modified page.

Processing PageController#edit (for 217.24.84.11 at 2007-05-10 10:54:02) [GET]
  Session ID: db5dc5ae7607680e30ca096040614127
  Parameters: {"action"=>"edit", "id"=>"33", "controller"=>"admin/page"}
Rendering within layouts/application
Rendering admin/page/edit
Completed in 0.07775 (12 reqs/sec) | Rendering: 0.07143 (91%) | DB: 0.00527 (6%) | 200 OK [http://www.keltia.net/admin/pages/edit/33]

Processing PageController#edit (for 217.24.84.11 at 2007-05-10 10:54:14) [POST]
  Session ID: db5dc5ae7607680e30ca096040614127
  Parameters: {"commit"=>"Save Changes", "part"=>{"0"=>{"name"=>"body", "filter_id"=>"Textile", "content"=>"[Textile page body omitted: several paragraphs of French prose, mangled by the mail encoding, followed by an <r:children:each by=\"slug\" order=\"desc\"> tag]"}}, "action"=>"edit", "id"=>"33", "controller"=>"admin/page", "page"=>{"slug"=>"ADDFH", "class_name"=>"ArchivePage ", "title"=>"ADDFH logbook", "breadcrumb"=>"ADDFH logbook", "lock_version"=>"", "status_id"=>"100", "layout_id"=>"3"}}

NoMethodError (undefined method `+' for nil:NilClass):
  /usr/local/lib/ruby/gems/1.8/gems/radiant-0.6.1/vendor/rails/activerecord/lib/active_record/locking/optimistic.rb:64:in `update_without_callbacks'
  /usr/local/lib/ruby/gems/1.8/gems/radiant-0.6.1/vendor/rails/activerecord/lib/active_record/callbacks.rb:267:in `update_without_timestamps'

It seems to be locking-related:

  def update_with_lock #:nodoc:
    return update_without_lock unless locking_enabled?

    lock_col = self.class.locking_column
    previous_value = send(lock_col)
    send(lock_col + '=', previous_value + 1)            <<<<< line 64

    affected_rows = connection.update(<<-end_sql, "#{self.class.name} Update with optimistic locking")
      UPDATE #{self.class.table_name}
      SET #{quoted_comma_pair_list(connection, attributes_with_quotes(false))}
      WHERE #{self.class.primary_key} = #{quote_value(id)}
      AND #{self.class.quoted_locking_column} = #{quote_value(previous_value)}
    end_sql

Maybe I missed something?
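The failure in that trace, as an added example that is not Radiant’s or Rails’ code: a small in-memory model of the update_with_lock logic quoted above. It reproduces the nil + 1 crash when the edit form posts an empty lock_version, and shows the stale-object check the column exists for. The table contents, the typecast helper and the to_i coercion in the safe variant are my own constructions.

```ruby
# Added example, not Radiant's or Rails' own code: an in-memory model of the
# update_with_lock logic quoted above. It shows the stale-object conflict the
# lock_version check exists to catch, and reproduces the NoMethodError from the
# trace when the edit form posts lock_version="" (typecast to nil).

class StaleObjectError < StandardError; end

# Mirrors update_with_lock: compute previous_value + 1, then UPDATE ... WHERE
# id = ? AND lock_version = previous_value. Zero affected rows means another
# editor saved in between, so the write is refused instead of silently lost.
def update_with_lock(table, id, attrs, previous_value)
  new_value = previous_value + 1   # line 64 in the trace: nil + 1 raises here
  row = table[id]
  affected_rows = (row && row['lock_version'] == previous_value) ? 1 : 0
  raise StaleObjectError, "Attempted to update a stale object" unless affected_rows == 1
  row.merge!(attrs).merge!('lock_version' => new_value)
  affected_rows
end

# What Rails' integer column typecast does to the blank form field (assumed)
def typecast_lock_version(param)
  param.to_s.strip.empty? ? nil : Integer(param.to_s, 10)
end

# Defensive variant: coerce a missing version to 0 so a bad form value becomes
# an ordinary conflict (or a normal save on a version-0 row) rather than a 500.
def update_with_lock_safe(table, id, attrs, previous_value)
  update_with_lock(table, id, attrs, previous_value.to_i)
end

# Constructed "pages" table with the page id from the trace
PAGES = { 33 => { 'id' => 33, 'title' => 'ADDFH logbook', 'lock_version' => 0 } }

if __FILE__ == $0
  # Two editors load version 0; the second save must be rejected
  update_with_lock(PAGES, 33, { 'title' => 'ADDFH logbook, revised' }, 0)
  begin
    update_with_lock(PAGES, 33, { 'title' => 'conflicting edit' }, 0)
  rescue StaleObjectError => e
    puts "conflict detected: #{e.message}"
  end
  # The thread's failure: lock_version="" becomes nil, and nil + 1 blows up
  begin
    update_with_lock(PAGES, 33, {}, typecast_lock_version(''))
  rescue NoMethodError => e
    puts "crash reproduced: #{e.message}"
  end
end
```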