CSPR.NG Blog

Airship 1.1.0

CMS Airship Version 1.1.0 is out! Get it while it's hot. If you've enabled minor updates in your Bridge, this update should be applied automatically.

When we released version 1.0 earlier this week, we weren't counting on receiving as much great feedback from the community, and we certainly didn't expect anyone to contribute significantly enough to tag 1.1 so soon. I'm delighted to say, our expectations weren't high enough.

Let's dive into what's changed in version 1.1.0:

Input Type Filters on all POST Data

What's the point of using declare(strict_types=1) judiciously if we then turn around and process POST data (a multidimensional array that the end user controls) without checking its types at all? In version 1.1, all POST data goes through the input filter feature we already built in version 1.0 (but didn't use everywhere).

Every input case we handle has its own filter class. For example, if you attempt to comment on this blog post, this is the filter that will be applied:

<?php
declare(strict_types=1);
namespace Airship\Cabin\Hull\Filter\BlogPosts;

use \Airship\Engine\Security\Filter\{
    InputFilterContainer,
    IntFilter,
    StringFilter
};

/**
 * Class CommentFilter
 *
 * Type filters for the blog comment form. The container is invokable:
 * passing the POST array to it returns the filtered array, or throws a
 * TypeError if a field is not of the declared type.
 *
 * @package Airship\Cabin\Hull\Filter\BlogPosts
 */
class CommentFilter extends InputFilterContainer
{
    /**
     * CommentFilter constructor.
     */
    public function __construct()
    {
        $this->addFilter('name', new StringFilter())    // commenter's display name
            ->addFilter('email', new StringFilter())    // contact address (enforced as a string only)
            ->addFilter('url', new StringFilter())      // optional website link
            ->addFilter('author', new IntFilter())      // author ID (must be an integer)
            ->addFilter('message', new StringFilter()); // comment body
    }
}

This adds strict type enforcement, which is processed before CSRF tokens are validated. If you attempt to send an array where a string is expected (for example, name[]=x instead of name=x), the filter throws a TypeError.

The Landing base class's post() method has been modified to accept an invokable InputFilterContainer as an optional argument. If the filter throws a TypeError, post() catches it and returns FALSE.

In short, both cases of invalid POST data (a bad CSRF token or unexpected data types) are rejected. Filters can be as basic as "verify the type" or as complicated as "run it through a series of callbacks". Type enforcement is not content validation, though: a filter that only verifies the type guarantees that email arrives as a string, not that it holds an email address, so that check still belongs in the handler or in a filter with additional callbacks.
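To make the flow above concrete, here is an added, stand-alone example. It is not Airship's own code: the MiniFilter, MiniStringFilter, MiniIntFilter and MiniContainer classes and the filterPost() function are hypothetical stand-ins for InputFilterContainer, StringFilter, IntFilter and Landing::post(), written to show the same behaviour, a filter chain that is invoked on the POST array, throws TypeError on a type mismatch, and is turned into a plain false by the caller. The sample requests at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Airship's code. The Mini* names and filterPost() are
// hypothetical stand-ins for Airship\Engine\Security\Filter and Landing::post().

interface MiniFilter
{
    /** @throws \TypeError when $value is not of the expected type */
    public function process($value);
}

final class MiniStringFilter implements MiniFilter
{
    public function process($value): string
    {
        // Only scalars are coerced; arrays and objects (e.g. from name[]=x) are rejected.
        if (\is_array($value) || \is_object($value)) {
            throw new \TypeError('Expected string, got ' . \gettype($value));
        }
        return (string) ($value ?? '');
    }
}

final class MiniIntFilter implements MiniFilter
{
    public function process($value): int
    {
        if (\is_int($value)) {
            return $value;
        }
        // Form fields arrive as strings; accept canonical decimal integers only.
        if (\is_string($value) && \preg_match('/^-?(0|[1-9][0-9]*)$/', $value)) {
            return (int) $value;
        }
        if ($value === null || $value === '') {
            return 0;
        }
        throw new \TypeError('Expected int, got ' . \gettype($value));
    }
}

final class MiniContainer
{
    /** @var array<string, MiniFilter> */
    private $filters = [];

    public function addFilter(string $key, MiniFilter $filter): self
    {
        $this->filters[$key] = $filter;
        return $this;
    }

    /** Invokable like Airship's container: returns filtered data or throws TypeError. */
    public function __invoke(array $input): array
    {
        $out = [];
        foreach ($this->filters as $key => $filter) {
            $out[$key] = $filter->process($input[$key] ?? null);
        }
        return $out;
    }
}

/** Mirrors the described Landing::post() behaviour: a TypeError means "no valid POST data". */
function filterPost(array $post, MiniContainer $container)
{
    try {
        return $container($post);
    } catch (\TypeError $ex) {
        return false;
    }
}

// Same shape as the CommentFilter above.
$commentFilter = (new MiniContainer())
    ->addFilter('name', new MiniStringFilter())
    ->addFilter('email', new MiniStringFilter())
    ->addFilter('url', new MiniStringFilter())
    ->addFilter('author', new MiniIntFilter())
    ->addFilter('message', new MiniStringFilter());

// Constructed sample input: what a well-formed comment form submits.
$good = ['name' => 'Alice', 'email' => 'a@example.com', 'url' => '', 'author' => '7', 'message' => 'Hi'];
// Constructed hostile input: name[]=x sends an array where a string is expected.
$bad  = ['name' => ['x'], 'email' => 'a@example.com', 'url' => '', 'author' => '7', 'message' => 'Hi'];

\var_dump(filterPost($good, $commentFilter));
\var_dump(filterPost($bad, $commentFilter));
```

Run it with php on 7.0 or later: the well-formed request comes back as an array with author already cast to an int, while the hostile request yields false and never reaches the handler. The integer filter deliberately rejects "7abc" and "007" rather than letting (int) silently coerce them, which is the kind of decision a real filter class has to make explicitly.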

Easy Deployment with Docker

We now have a Dockerfile (and corresponding Docker image), courtesy of @kelunik and @co60ca. If you're a Docker user, this should be the easiest way to get started with CMS Airship.

Paragon Initiative Enterprises is working on other avenues for easy install. We'll have more to announce later this month (I hope).

Design Improvements

Several members of the community offered feedback on the UI for version 1.0, and some of them offered specific actionable suggestions for quickly and effectively improving the aesthetic. I'm quite happy with the current interface. If anyone isn't, I invite you to create your own Motif and skin your Airship to look the way you want.

Onwards to Version 1.2.0

Barring any emergencies, Airship should see a new minor release on October 1, 2016. Version 1.3.0 and 2.0.0 should arrive on January 1, 2017 (assuming PHP 7.1 isn't significantly delayed).

Changelog for Version 1.1.0

  • #41: Don't raise an E_NOTICE upon receiving an invalid CSRF token.
  • #42: We now have a Dockerfile for easy deployment. Thanks @kelunik and @co60ca.
  • #47: If you make a typo when filling in the database credentials on first run, it will no longer proceed silently then fail catastrophically in the last step.
  • #50: Display the correct version in the Installer.
  • #56: If libsodium is not set up correctly, show an error page explaining the problem and guiding the user towards the solution. Thanks @co60ca.
  • Various user interface improvements based on feedback from the initial launch.
  • You can now pass an input filter to $this->post() from a landing and it will be enforced upon the POST data. If a type error occurs, it simply returns false.
  • Fixed a bug that prevented CAPTCHAs from loading on static blog posts. Thanks @kyhwana for reporting this.
  • The "parent category" select box now renders properly.
  • The authors' photos menu is properly prepopulated by the contexts we use in Airship. Extensions are free to supply their own contexts.

Thanks for reading and happy hacking.

About the Author

Captain (Airship Captain): The captain of this Airship!

Comments

  1. p"><svg/onload=alert()>
     https://xn--80ak6aa92e.com
