Releases: Orckestra/C1-CMS-Foundation
C1 CMS 6.13 Update 1
C1 CMS 6.13 Update 1 (6.13.8985.15323)
What’s new in C1 CMS 6.13 Update 1?
This release includes a critical security fix, and a few minor bug fixes.
C1 CMS 6.13
What’s new in C1 CMS 6.13?
This release includes a critical security fix.
Critical security fix
We have performed a critical security fix for a Remote Code Execution vulnerability, where a C1 Console user (with any access level) can complete a remote code execution attack on the website. See the security advisory for details.
Free automated upgrade
To best protect you, Orckestra is providing free, immediate, and direct access to our automated upgrade feature – any C1 installation from C1 version 5.0 and later can now be upgraded to this release, free of charge.
C1 CMS 6.12
C1 CMS 6.12 (6.12.8122.18346)
What’s new in C1 CMS 6.12?
This release includes a critical security fix, and a few minor bug fixes.
Critical security fix
See the security advisory for details. This vulnerability cannot be exploited by anonymous users, but we urge all of our users to upgrade to this release at the earliest convenient time.
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Free automated upgrade
To best protect you, Orckestra is providing free, immediate, and direct access to our automated upgrade feature – any C1 installation from C1 version 5.0 and later can now be upgraded to this release, free of charge.
Minor changes and bug fixes
#798 Fixing DataFolderElementsTreeNode throwing an exception when the referenced page has multiple versions
SearchAPI: SearchResult is extended to include score and score explanation.
Search indexing: multiple registrations of IDataFieldProcessorProvider weren't supported properly
C1 CMS 6.11
C1 CMS 6.11 (6.11.7982.26191)
What’s new in C1 CMS 6.11?
This release is mostly focused on stabilization and fixes, including a critical security fix, and requires .NET Framework v4.8.
New features
Support for pluggable image formats for resized images (such as WebP).
Automatically signing resized Media URLs with a hash for additional DoS attack resilience.
Search documents now have a "Boost" property for index time boosting to give users more control of the results displayed.
WebObjectActivator is automatically configured (kudos to @burningice2866)
Critical security fix
We have performed a critical security fix for a Remote Code Execution vulnerability, where a C1 Console user (with any access level) can complete a remote code execution attack on the website. This vulnerability cannot be exploited by anonymous users, but we urge all of our users to upgrade to this release at the earliest convenient time.
A big thanks to Le Ngoc Anh - Sun* Cyber Security Research Team working with Trend Micro Zero Day Initiative for taking the time to analyze, document, and report the vulnerability in a thorough and responsible way.
Free automated upgrade
To best protect you, Orckestra is providing free, immediate, and direct access to our automated upgrade feature – any C1 installation from C1 version 5.0 and later can now be upgraded to this release, free of charge.
Minor changes and bug fixes
Fixing a security issue related to JSON deserialization; having access to the console is a prerequisite for it.
Xml sitemaps - "EnforceHttps" property of a hostname binding should be taken into account
Fixing FileLogTraceListener blocking execution when there are more than 10 website instances sharing the same network drive (for example, an Azure AppService with 10+ instances).
Fix #777: Added validation for invalid XML characters that can break UI, such as U+2028 (LSEP)
Fix #776: Duplicate <title /> tag in the new rendering pipeline
C1 CMS 6.10
C1 CMS 6.10 (6.10.7583.21856)
What’s new in C1 CMS 6.10?
CodeBasedFunctionRegistry as a simple way to register a C# method as a C1 function (Documentation)
Bug fixes
Multiple fixes to ResxEditor
Selecting a position for a new page doesn't work if there are multiple versions of any page at the same level of the tree #751
"{body}#xD;" added to TextArea parameter value in function #755
CodeBasedFunctionProvider now creates objects with ActivatorUtilities @burningice2866
Runtime compilation is now based on DotNetCompilerPlatform #735 @burningice2866
Performance and caching fixes
PageObjectCacheFunction evaluating parameters, even when the result value is being returned from the cache
CmsPageHttpHandler should disable public caching when there's a function with PreventFunctionOutputCaching == true
PageRenderer should disable output cache when there's a function with PreventFunctionOutputCaching == true
C1 CMS 6.9
C1 CMS 6.9 (6.9.7410.31615)
What’s new in C1 CMS 6.9?
- Better support for running C1 from the command line.
- A new rendering pipeline
- Donut caching
A new rendering pipeline
There's a new option in Composite.config that allows rendering pages without using ASP.NET Web Forms internally.
    <configuration>
      <Composite.Core.Configuration.Plugins.GlobalSettingsProviderConfiguration ..>
        <GlobalSettingsProviderPlugins>
          <add ... omitAspNetWebFormsSupport="false" />
When set to "true", rendering UserControl functions and Masterpage templates is no longer supported, but in exchange, there's a performance gain and it enables us to build some rendering related features on top of it, namely "donut caching".
"Donut caching"
On a page with dynamic/user specific content, where ASP.NET full-page caching is usually not applicable, now it is possible to mark certain functions as "excluded from the cache". By doing so, you will have all the other parts of the content cached server side.
To use the feature:
- Add or set the attribute value omitAspNetWebFormsSupport="true" in /App_Data/Composite/Composite.config
- Override PreventFunctionOutputCaching on a Razor function with dynamic content:
    @inherits RazorFunction
    @functions {
        public override string FunctionDescription { get { return "Shows a timestamp"; } }
        public override bool PreventFunctionOutputCaching { get { return true; } }
    }
    <div xmlns="http://www.w3.org/1999/xhtml" style="color:red; font-size:34px">
        Timestamp: @DateTime.Now.ToString("s")
    </div>
- Enable the full page caching in web.config
Minor changes and bug fixes
C1 CMS 6.8
C1 CMS 6.8 (6.8.7271.23834)
What’s new in C1 CMS 6.8?
- new tree selector widget
- support for "version published" content in the C1 Package system
- fix: adding new language and selecting 'give access to all users' will include access to all groups also
New widget, Composite.Widgets.String.TreeSelector
A new widget (UI element to be used in the C1 Console UI for C1 Function configuration or forms) allows you to expose the tree structure from an Element Provider for element selection. The provider used, the property selected and the filters are configured as parameters to the widget.
Parameters:
- ElementProvider: Required. The name of a tree element provider (as defined in Composite.config)
- SelectableElementReturnValue: Required. The name of the element field whose value to return for selection. Typical values here can be DataId (for data trees), Uri (for linkable elements), or EntityToken (for any element). Element providers may provide more fields.
- SelectableElementPropertyName: An element must have this field to be selectable.
- SelectableElementPropertyValue: The value of the property optionally used (if provided) to further identify a selectable tree element by. Separate multiple values with spaces.
- SerializedSearchToken: A search token, serialized, to filter which tree elements are shown. To filter what is selectable, use the 'Selection filter' properties.
- Required: Boolean. An option that indicates whether the user is required to make a selection.
Element property names and search tokens depend on what you need and what the element provider is exposing.
Examples
Media selection - show only PDF and DOCX files, only from the folder /Documents - select the media URL:
    <f:widgetfunction xmlns:f="http://www.composite.net/ns/function/1.0" name="Composite.Widgets.String.TreeSelector">
      <f:param name="ElementProvider" value="MediaFileElementProvider" />
      <f:param name="SelectableElementReturnValue" value="Uri" />
      <f:param name="SerializedSearchToken">
        {"MimeTypes":["application/pdf","application/vnd.openxmlformats-officedocument.wordprocessingml.document"],"Folder":"/Documents","$type":"Composite.Plugins.Elements.ElementProviders.MediaFileProviderElementProvider.MediaFileSearchToken, Composite"}
      </f:param>
    </f:widgetfunction>
Media selection - show all media, only allow JPEG selection, select the media URL:
    <f:widgetfunction name="Composite.Widgets.String.TreeSelector" xmlns:f="http://www.composite.net/ns/function/1.0">
      <f:param name="ElementProvider" value="MediaFileElementProvider" />
      <f:param name="SelectableElementReturnValue" value="Uri" />
      <f:param name="SelectableElementPropertyName" value="ElementType" />
      <f:param name="SelectableElementPropertyValue" value="image/jpeg" />
    </f:widgetfunction>
Show all data types and data, like on the data perspective. Allow any node to be selected and return the Entity Token:
    <f:widgetfunction name="Composite.Widgets.String.TreeSelector" xmlns:f="http://www.composite.net/ns/function/1.0">
      <f:param name="SelectableElementReturnValue" value="EntityToken" />
      <f:param name="ElementProvider" value="GeneratedDataTypesElementProvider" />
    </f:widgetfunction>
Support for "version published" content in the C1 Package system
The Package Creator has been updated to v3.8.0 - new in this version is the ability to safely export content which exists in multiple versions to a C1 Package.
C1 CMS 6.8 supports importing a C1 Package containing multi-version content.
These features are usable by users using Orckestra.Versioning.VersionPublication - users should upgrade to C1 CMS v6.8 and re-install the Package Creator to fully update.
Minor changes and bug fixes
- When you add a new language to the system and say yes to granting access to all existing users, access is also granted to all existing user groups.
C1 CMS 6.7
C1 CMS 6.7 (6.7.7240.24791)
What’s new in C1 CMS 6.7?
This release is mostly focused on stabilization and fixes, including a critical security fix.
User Groups can now be assigned access to a given language; this was previously a “User only” setting. For federated authentication systems, where users are managed in AAD, this feature allows better control over language access.
When searching for media in the C1 Console, tags on media are available as facets for result filtering.
Critical security fix
Critical security fix for a Remote Code Execution vulnerability, where a C1 Console user (with any access level) can complete a remote code execution attack on the website. This vulnerability cannot be exploited by anonymous users, but we urge all our users to upgrade to this release at the earliest convenient time. MITRE reference: CVE-2019-18211.
Free automated upgrade
To best protect you, Orckestra is providing free, immediate and direct access to our automated upgrade feature – any C1 installation from 2011 and later can now be upgraded to this release, free of charge.
Details on the exploit should be expected to be published within one month. We suggest you upgrade to this release before January 2020.
For guidance on upgrade, please see issue #696
A big thanks to Florian Hauser, security analyst at @codewhitesec https://twitter.com/codewhitesec, for taking the time to analyze, document and report the vulnerability in a thorough and responsible way.
Minor changes and bug fixes
- Fixing issue with Chrome v74 and later, breaking the calendar UI in the C1 Console.
- In the C1 Console, an “another user is editing this” warning was erroneously shown when another user was editing other language versions of the page.
- Fixing issue with resolving data/page relations, which could, for example, lead to blog posts from one subsite appearing in search results on another subsite
- Fixing issue preventing you from running C1 in a virtual folder
- Page rendering, fixing issue where duplicate meta tags would surface the first encountered (in a depth first search) rather than the last. This fix ensures you can overwrite a ‘common’ meta tag in the template from, for example, an embedded C1 Function.
For a list of all issues fixed in this release, see issues closed in C1 CMS 6.7
C1 CMS 6.6
C1 CMS 6.6 (6.6.6912.30810)
What’s new in C1 CMS 6.6?
Search/replace support added to visual and code editors. Thanks to @peterpde for contributing!
C1 Log now writes to System.Diagnostics.Trace. This enables log reading from trace listeners, like “Application Log” on Azure Web Apps or Visual Studio's Output window.
Tree Definitions <Element /> and <DataElements /> support new attributes BrowserImage and BrowserUrl. Taking a tilde (~) based URL, they control what is shown in the C1 Console browser when an element is selected (instead of the element icon).
Sitemap Provider now pluggable. Thanks to @BurningIce for contributing!
Minor changes and bug fixes
- System Initialization skips some steps solely used by the C1 Console (faster startup).
- File Data Provider will no longer create directories read from config up front.
- Multiple processes (like web servers running off the same disk) that update StartupHandlersCache.xml no longer break website startup.
- Optimized code for upgrading entity tokens.
- C1 Console will load fine, even if one or more element providers fail.
- Page Menu Titles can exceed 64 characters (languages like Greenlandic may use quite long words)
- Making DataEventSystemFacade.FireExternalStoreChangeEvent( ... ) public (#623).
- <meta /> elements are now filtered by id (deepest instance used, i.e. a function will override template)
- Fixing issue where data item URLs were not correctly converted to public URLs (#621 #339)
- Fixing issue where Global DataType scheduled publishing does not work with "Has caching" enabled (#618)
- Fixing various browser issues (#318, #620, #370)
Thanks to @ai-fwd for contributing fixes.
For a list of all issues fixed in this release, see issues closed in C1 CMS 6.6
C1 CMS 6.5
C1 CMS 6.5 (6.5.6754.25114)
What’s new in C1 CMS 6.5?
This is a minor release that mostly provides bug fixes.
WampSharp library has been updated to a release version.
Browsing files on the System and Layout perspectives now shows a preview in the browser for most text file types. DLLs have detailed version information displayed.
Bug fixes
Some major fixes in this release include ...
- C1 Console user workloads are no longer serialized, leading to faster response times when working in the C1 Console in multi-user setups.
- URL generation from data no longer uses the pipe character | (%7c) for encoding. Hyphens / dashes (-) are no longer replaced with %7c2D
- Re-installing packages with dynamic types while on SQL Server works as expected.
- A great number of fixes for Edge
- Page preview works
For a list of all issues fixed in this release, see issues closed in C1 CMS 6.5