Archive for October, 2008

Johan Janssens recognised as CMS “Most Valued Person”

I’m sure Packt Publishing needs no introduction. They have published nine books on Joomla so far, donate portions of their sales back to Joomla, and organize yearly open source awards. Joomla has taken home a bunch of these awards in the past (is anyone keeping track?). This week the 2008 winners will be announced.

Joomla 1.5’s Lead Architect

This year, a new category was added: “Open Source CMS Most Valued Person”. I’m pleased to announce that our own Johan Janssens was selected for his work on Joomla by his community peers. Johan is one of the co-founders of Joomla, and has led the development of Joomla 1.5. Thanks to his efforts, Joomla has moved away from the spaghetti code it inherited from Mambo, and now has a super-flexible, object-oriented framework.

With almost 3500 commits (aka code changes or additions in the code repository), Johan has written more Joomla than anyone else, and it’s gonna take a while before anyone catches up. He’s also a top 10 poster in the official Joomla forums, has spoken at numerous events, helped set up structures like the working groups and OSM, and led the development working group.

That’s why I’m extremely proud to be working alongside Johan on Nooku. He always has great ideas, knows more about software architecture than anyone I’ve ever met, and he’s always happy to share his knowledge.

It’s just the beginning

What can you expect from Johan in the future? Let me just say this: if you paid close attention, you already figured out that Nooku is not going to be ‘just’ a multilingual extension for Joomla, and it’s even going to be very useful for mono-lingual sites. You’ve come to expect great things from Johan, and we’re not settling for anything less. Stick around for some surprises about the upcoming Nooku 0.6.

High level security vulnerability in Joomla 1.5.7

During the Joomla Security Bootcamp, in my presentation on cross-site scripting, we discovered a serious vulnerability in Joomla 1.5.2 up to 1.5.7. This issue allows an attacker to inject malicious JavaScript into a Joomla site. Joomlatools reported this issue to the Joomla Security Strike Team on October 4. Later on the issue was also reported on the bug tracker, but it was removed without explanation. So far no official patch has been released, so we have decided to make our own. Normally the Joomla project acts very fast when issues are discovered. It is our hope that a new patched version will be released with this patch as soon as possible.

How to fix your Joomla installations

All Joomla 1.5.x installations are vulnerable.

Update: My patch was a bit too extreme: it filtered out perfectly legal html as well. The link above now points to the updated version.

Optional Security?

In Joomla 1.5.2, a new set of options was added to the article parameters (see screenshot). These options allow you to set less strict filtering rules for different user groups, allowing for example managers to insert iframes in articles. However, in a default Joomla installation, no user groups are selected, meaning that submitted articles are not filtered at all, leaving them open to cross-site scripting attacks. Proper testing could have avoided this issue. Especially when messing with security, one has to be extra careful. My patch completely removes this feature, for a number of reasons:

  1. New features should never go in 1.5.x releases; they should go in 1.6. It’s called a development cycle, and although everybody agrees on its importance, some people still choose to ignore it and slip new features into 1.5.x. If you want to solve particular problems for your or your customer’s sites, put it in a plugin, not in the core.
  2. Security should never be optional. Having settings to lessen security measures is like a big red button labeled “Don’t touch”: it’s asking for trouble.
  3. The new settings are way too complex. Developers can be expected to understand what filter groups, blacklists etc. are all about, but most users can’t. Keep devspeak out of the user interface. Joomla is easy to use, and we should never lose this focus. We need fewer buttons, not more.

Update: If you do not wish to apply the patch, you can get the same level of protection by changing some settings.

  1. In the backend, go to Content -> Article Manager
  2. Click the Parameters button
  3. In the popup window, scroll down to the bottom
  4. Select all the user groups, and select the option ‘Blacklist’ (screenshot)
  5. Scroll back up and click save
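To make the failure mode concrete, here is an added illustration (not Joomla’s own filtering code) that models the decision described above: with the shipped default of no groups selected, a fail-open check lets article text through unfiltered, while a fail-closed check treats an empty selection like the ‘all groups, Blacklist’ setting from the steps above. The blacklist filter, group ids and sample article body are all constructed for this example.

```php
<?php
// Added example, not Joomla's own code. $filterGroups holds the group ids the
// admin selected in the article parameters; $userGroups are the submitter's groups.

// Minimal blacklist filter, constructed for illustration: strips a few dangerous
// tag names and any on* event-handler attribute. Joomla's real filter is richer.
function blacklistFilter(string $html): string
{
    $blockedTags = ['script', 'iframe', 'object', 'embed', 'applet'];
    foreach ($blockedTags as $tag) {
        // paired tags with their content first, then any stray open/close tag
        $html = preg_replace('#<' . $tag . '\b[^>]*>.*?</' . $tag . '\s*>#is', '', $html);
        $html = preg_replace('#</?' . $tag . '\b[^>]*>#i', '', $html);
    }
    // drop event handlers such as onclick="..." / onload='...' / onerror=x
    $html = preg_replace('#\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $html);
    return $html;
}

// Fail-open: the behaviour the post describes. With no groups selected nobody
// matches a rule, so the text is returned untouched.
function filterArticleFailOpen(string $html, array $userGroups, array $filterGroups): string
{
    if (count(array_intersect($userGroups, $filterGroups)) === 0) {
        return $html;   // no rule applies -> unfiltered
    }
    return blacklistFilter($html);
}

// Fail-closed: an empty selection means "filter everyone", the same protection
// as selecting all groups with 'Blacklist' in the backend.
function filterArticleFailClosed(string $html, array $userGroups, array $filterGroups): string
{
    if (empty($filterGroups) || count(array_intersect($userGroups, $filterGroups)) > 0) {
        return blacklistFilter($html);
    }
    return $html;   // only groups the admin deliberately exempted get here
}

// Constructed sample input: an article body as an author might submit it.
$submitted    = '<p>Hello</p><script>alert(1)</script><img src="x" onerror="alert(2)">';
$authorGroups = [19];   // constructed group id for the submitting user
$shippedDefault = [];   // the default the post complains about: no groups selected

echo filterArticleFailOpen($submitted, $authorGroups, $shippedDefault), "\n";   // script kept
echo filterArticleFailClosed($submitted, $authorGroups, $shippedDefault), "\n"; // <p>Hello</p><img src="x">
```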

Hungarian Joomladay 2008 : Impressions

Last weekend I was invited by the Hungarian community for their second Joomladay. In 2007 I already had the pleasure to be at their first event in the role of Joomla! project manager; back then I gave one of my now almost famous ‘Joomla! To Infinity and Beyond’ talks. People must have liked it because this year they asked me to give not one but two presentations! One about search engine optimization for Joomla! 1.5 and one about Nooku, the multi-lingual component we are working on.

In my presentation about SEO I tried to explain that search engine optimization isn’t black magic. It’s fairly trivial and something everybody can do; it just takes time and effort. I explained a bit how keyword targeting works and used Nooku.org as an example. I also explained why so-called SEF extensions are not needed anymore with Joomla! 1.5 and why they can do more damage than good. But that’s a topic for another blog post.

At the end of the day, and to my surprise, I received a lifetime honorary membership of the Hungarian User Association as an appreciation for my help with starting up the Hungarian association and setting up their new community at joomla.org.hu.

Finally, a big thanks goes to Tibor, Annamari, and Tamás who I’m proud to call my friends, for the invitation and for the great hospitality. You guys did an excellent job organizing your second Joomladay. I’m already looking forward to next year.

Pictures of the event can be found on Flickr, and for our Hungarian readers: a full write-up of the Joomladay can be found on the Hungarian PC World Online site.

More about Joomla 1.0 end-of-life

A commenter on Johan’s post about Joomla 1.0’s end-of-life wrote:

“Also it’s the old argument, why upgrade if it’s working fine? Why move to 1.5 when 1.0 is working just fine for me and my users? Why move to Vista if XP is working just fine for me and my users.”

I absolutely agree that you don’t need to upgrade when a site is working fine and doing everything you need. However, if a security vulnerability is discovered in Joomla 1.0, and no one fixes it, you are in trouble. So it’s best to upgrade to 1.5 before the expiration date of 1.0.

Software versions are never maintained ad infinitum. Some projects, like Ubuntu, have a strict end-of-life policy for each release. You always know in advance exactly how much time you have to upgrade.

Setting an end-of-life date for Joomla

Joomla hasn’t set an official end-of-life date yet for 1.0 (or 1.5 for that matter). This might sound like you still have a lot of time to upgrade, but that might not be the case. Joomla is a volunteer driven open source project. It’s dependent on how much people ‘feel like’ maintaining an older version. I doubt anyone in the project feels like doing a lot of work on 1.0 anymore, so in reality, the lifecycle could already have ended without any of us knowing it.

So that’s why we feel it’s important for the Joomla project to announce an official date for Joomla 1.0’s end-of-life ASAP. It serves as a promise to the community that until this date, issues will be fixed. We propose March 6, aka 03/06/09. That leaves everyone plenty of time, and it’s an easy date to remember.

It’s up to the community now to speak up: do you agree, do you think it’s too soon, or too late? Are you upgrading to 1.5 or not at all? This way we help the Joomla project to make an informed decision.