Skip to content

Textcube-NG 1.10.10+php85.r2 — PHP 8.5 port

Latest

Choose a tag to compare

@deokio deokio released this 31 May 16:14

OpenID Connect reimplementation and security-hardening release, on top of the
PHP 8.5 port (r1).

✨ Highlights

  • OpenID 2.0 (EOL) → OpenID Connect (OIDC) — full reimplementation.
    • Double opt-in, disabled by default: activating the CL_OpenID plugin alone does not enable it — you must also turn it on in the plugin config and provide issuer / client_id / client_secret.
    • Dependency-free (openssl + JSON + curl only, no composer): Authorization Code flow + PKCE (S256) + id_token (RS256) verification (JWKS signature, iss/aud/exp/nonce).
    • Legacy phpopenid (53 files) removed.
  • Security re-audit & reclassification — only one HIGH item remains, and it is intentional (see below).
  • XMLRPC security audit + adversarial PoC — XXE, external-DTD, billion-laughs and authorization paths, all verified safe.

🔒 Security status

Severity Open Notes
HIGH 1 Unsalted MD5 passwords — intentionally retained for drop-in compatibility
MEDIUM 0 jpgraph (QPL) and OpenID 2.0 EOL — both resolved
LOW 1 Outdated static assets — audited (inventory + CVEs), upgrade deferred

25 issues resolved across all severity levels. Full details in documents/SECURITY.md.

🔁 Changed since r1

  • Raw SQL reclassified HIGH → FIXED — SQLi defense adversarially verified (no actual vulnerability; full prepared-statement migration is best-practice debt only).
  • jpgraph (QPL) → dependency-free inline SVG chart.
  • OpenID 2.0 → OIDC (above).
  • New adversarial test suites for OIDC and XMLRPC.
  • Docs synced: SECURITY.md, CHANGELOG, README / README.ko, NOTICE / NOTICE.ko, VERSION, bower.json.

⬆️ Upgrading from r1

These directories are no longer used and should be removed (cmd):

  rmdir /s /q "library\contrib\phpopenid"
  rmdir /s /q "plugins\StatGraph\count"

No database schema changes. Existing OpenID 2.0 guest-comment data is preserved.

⚠️ Known issues

  • MD5 passwords (no salt) — intentional, for drop-in hosting compatibility; safe migration requires care (on-login rehashing is irreversible).
  • Static assets (jQuery, Lodash, TinyMCE) — audited; upgrade deferred due to behavior-change risk (notably the customized TinyMCE plugins).
  • XMLRPC handler-level acl enforcement is covered by unit/static analysis; end-to-end enforcement belongs to real-DB integration testing.

✅ Target

Built and published for PHP 8.5, MySQL 5.7, Apache 2.4.

Internal STAGE builds for older PHP lines (7.4 / 8.2 / 8.4) are maintained but not published: 7.4 and 8.2 are at or near end-of-life, and 8.4 runs the same code as this forward-compatible 8.5 build.


한국어 요약

OIDC 재구현 + 보안 강화 릴리즈 (PHP 8.5 이식본 r1 기반)

  • OpenID 2.0(EOL) → OpenID Connect(OIDC) 전면 재구현. 이중 옵트인(기본 비활성) — 플러그인 활성화만으로는 동작하지 않고, 설정에서 추가 활성화 + Provider 정보 입력이 필요합니다. 의존성 없는 자체
    구현(PKCE·RS256 JWT 검증), 레거시 phpopenid(53파일) 제거.
  • 보안 재분류: Raw SQL은 적대적 검증으로 HIGH→FIXED, jpgraph→SVG, OpenID→OIDC, 정적자산 audit 완료. 남은 HIGH는 의도적으로 유지한 MD5 비밀번호뿐입니다.
  • XMLRPC 보안 audit + 적대적 PoC: XXE·billion-laughs·권한 모두 안전 검증.
  • r1 → r2 업그레이드: library\contrib\phpopenid, plugins\StatGraph\count 삭제. DB 스키마 변경 없음.

공개 대상은 PHP 8.5 입니다. 7.4/8.2(EOL 임박·도달)와 8.4(8.5 빌드와 코드 동일·상위호환)는 별도 공개하지 않습니다.