Version 1.5.7 introduced a number of security improvements. Because of the nature of the issues, the patches were not introduced into SVN until shortly before release so they only had a few hours of JBS testing. Introducing them earlier would have given the bad guys information about the vulnerabilities and the time gap between introduction and release would have given them opportunity to attack many sites. (This is the reason we also ask people not to post vulnerabilities in the forums, but rather to visit the security center and send them to the JSST privately.)

One of the fixes addressed issues when there is a redirect. A new JURI method--isInternal($url)-- was created to address this issue. This fix made changes to the controllers for user, content, polls and mailto so that they use the new method when redirecting.    This fix relies on a function that is only available in  php 5, not php 4. As a result you may see problems with content submission, login, mailto, and  polls if you have PHP 4.

If you have a PHP 4 site we urge you to update to php 5. If for some reason you can't,  add this to the end of /libraries/joomla/utilities/compat/php50x.php

if(!function_exists('stripos')) {
 function stripos($haystack, $needle, $offset = 0) {
  return strpos(strtolower($haystack), strtolower($needle), $offset);
 }
}

This fix will be applied in the normal release of 1.5.8.

However an even better solution if you care about security is to upgrade to PHP 5. I have sites on a number of hosts and some were extremely slow or made it difficult to get PHP 5, but since the end of life on August 8, they have  all come around. Usually you can just submit a help ticket and the host will take care of it or tell you what to do. Since PHP 4 is no longer going to have security releases, if you want to protect your site you must switch to php 5; don't wait for a vulnerability in PHP 4 to be discovered. As we saw with the Joomla vulnerability fixed in 1.5.6, even if a threat is fixed in just a few hours, that is plenty of time for script kiddies to hack hundreds of sites. In PHP 4's case a responsible host would not apply an unofficial patch. Who knows, maybe it would get them finally to upgrade? But in the meantime, your site would be vulnerable. So submit that support ticket today.

If you were unfortunate enough to be impacted by the exploit discovered yesterday, you may need to recover your admin password. Of course, you can do this in the user manager if you had another super admin account and nothing was changed in the user table. But assuming that's not the case, here are instructions for how to do it.

Here is a link to a wiki explanation of how to recover your administrator password.

Here is a video of the process made by James Ramsay as a GHOP project. Thanks James!

Last week I was lucky enough to spend some time at the Googleplex with Tomasz  Dobrzyński bug squad member and Joomla! grand prize winner in the Google Highly Open Participation Contest, his mother, and the students, parents and mentors from the nine other open source projects that participated in GHOP.

Thursday we had a fun day starting with Ghop at Ihop for breakfast (for non Americans IHOP is a chain of pancake restaurants). Then on Friday, we had the award ceremony and an amazing day of talks about things like Google infrastructure, Android, the Google App Engine and, my personal bug squad favorite, testing.

You can read more about it in Leslie's post at the Google Open Source Program blog

For a long time the oldest unresolved issue in the tracker was # 8369 "Issues with Page Title and Menu Item Layouts." It went into the tracker on December 12, 2007 and  and was actually based on a forum report from June 2007.  I look at the oldest issues in the tracker pretty regularly and this one was really bothering me. Leandro Bergantiños had done a tremendous amount of work just to write the report which makes it just the kind of report that is usually easy to deal with. In the forum Johan said it was important for it to be dealt with before RC2 and then according the the tracker Louis was going to deal with it in January, so plenty of coding power there. Why wasn't it fixed?

So, I decided to really try to understand what Leandro was showing with his spreadsheet. It took me a while to understand what he had discovered. It turned out that there was a tremendous amount of inconsistency in how the menu title parameters were  being handled. In some cases they were being completely ignored.

So then I thought that maybe the issue had been fixed piecemeal, and it was the case that there were a number of reports about issues relating to titles and specific types of menu links. So I recreated Leandro's spreadsheet by looking at each core menu link type. Wow did that give me an appreciation for the work Leandro had done. There are 25 core views and each one had to tested with the 4 possible combinations of "Show Title" (yes or no) and Page Title (blank or not blank). And you had to look two places, at the page title and at the browser or blue bar title. Strangely enough, not that many people volunteered to help me with this.

Once that was done, I realized that before any code was changed what was actually needed was to decide what the intended behavior was. This is an issue that is really important to people like me who are webmasters, but maybe not so very interesting to others, so for a while I felt like I was waving my hands and no one was paying attention. Except, Ian was, so finally I had someone to discuss it with. We looked the spreadsheet over together and came up with some proposed rules. For example, when Show Page Title is set to no, no title should show on the actual page.  Also, when text is entered in the Page Title field and Show Page Title is set to yes, that text should be used.  When the page title is shown, the browser title and the page title should be the same.

Then Ian began to look at the code. Well to make a very long story short, the final patch file has 1199 lines in it. Creating that was a huge job and Ian should get at least an extra week's pay as a bonus for doing it. :)  Third party developers will want to look at that file to see how to make changes so their components behave in the same way as the core components.

Then JBS started testing like crazy. Again, this was really time consuming because of the 100 possible combinations of links and parameters. Thanks especially to Amy for helping with this multiple times as fixes were made to the patch.

Then, we thought we were done, but we realized that because some of the layout over rides in Beez and JA Purity used the old code, we had to decide whether to make changes in those. The whole point of a layout over ride is that a designer can change how the parameters (among other things) work. After some consultation with Jennifer who besides bug squading spends a tremendous amount of time moderating and helping people in the template forums, we decided that they should behave in the same way on this as the core.  So, off to make two more patch files, test them, and we were finally done.

Never was I so happy to see an issue marked "Fixed in SVN."

Amazingly, the next oldest open  issue (9701) was submitted February 10, more than two months after 8369. Wow.

Thanks to everyone who helped to put this one to bed.

Last Saturday while lots of people were working on issues in the tracker as part of PBF, I was giving a talk to computer science teachers in San Antonio, Texas at the CS/IT symposium. It was a great coincidence that PBF was going on at the same time since so many students were making important contributions by fixing bugs and creating documentation and my talk a was all about how encouraging their students to participate in free and open source software projects would help them learn computer science.

It was a great event, and it was great to meet so many passionate teachers.  I was stunned to learn that the number of college computer science majors in the United States has been declining. Well, I hope Joomla! can help do something about that, whether through GHOP or just by having a community that is welcoming to students. It was also fun for me to combine my interest in pedagogy with my interest in Joomla! :).

My session had a full house with lots of knowlegable people. The focus of my talk was on how participating in a real project, with hundreds of thousands of users and in which you have to work in a collaborative manner can teach things that are hard to get out of even the best book. It was so hard to chose, but I highlighted two GHOP projects, Marieke van der Tuin's Digg module and Michael Casha's  Narellan Rural Fire Brigade website and the report he wrote on it. I said that I thought these were reasonable kinds of projects for high schools students to undertake.  I also talked about how Miarieke and Michael have become such important contributors to Joomla!.

So why am I posting this in the bug squad blog? Well, we do have a lot of high school and college students in th JBS and we would love to have more. So, come on and join us.

 Here are the slides from my presentation. Thanks to the Computer Science Teacher's Association for inviting me to speak and Leslie Hawthorn from Google for putting them in touch with me.