Журнал изменений

Harden authentication, SQL queries, and input handling across admin and modules; migrate Bootstrap 5 and HTMX to plugins/ with proper structure.

Core changes:

1. Authentication fixes (core/security.php, core/system.php, admin/index.php):
2. isAdmin(): remove substr() truncation on bcrypt hash (was 72 chars, now full)
3. is_user(): replace loose == with hash_equals() for timing-safe comparison
4. check_admin(), add_admin(): header('Location:') replaced with setRedirect()
5. logout(): raw SQL concatenation replaced with prepared statement + setRedirect()
6. changeeditor(): raw SQL replaced with prepared statement; $_POST → getVar()
7. login(): raw $_POST['aname'], $_POST['aemail'] → getVar()
8. SQL hardening — LIKE prepared statements (8 modules):

9. modules/news, media, files, links, faq, pages, shop: $let interpolation replaced with :let placeholder + ['let' => $let.'%'] params

10. modules/help: $let and $uid both replaced with named placeholders
11. news: removed redundant addslashes() on $let
12. Security headers (core/system.php):
13. Added X-Content-Type-Options: nosniff
14. Added X-Frame-Options: SAMEORIGIN
15. Added Referrer-Policy: strict-origin-when-cross-origin
16. Frontend plugin structure (plugins/, config/global.php):
17. Bootstrap 5 (CSS + JS bundle + Icons) moved to plugins/bootstrap/
18. HTMX moved from templates/admin/js/ to plugins/htmx/
19. bootstrap-icons.css, fonts/ removed from templates/admin/
20. script_f and css_f updated to reflect new paths
21. Scheduler module (admin/modules/scheduler.php, config/scheduler.php):
22. Full scheduler module implementation with cron-based job execution
23. Newsletter module (admin/modules/newsletter.php, config/newsletter.php):
24. Newsletter configuration and admin module updates

Benefits: - Timing-safe password comparison prevents brute-force timing attacks - Prepared statements on LIKE queries eliminate SQL injection vectors - Security headers protect against MIME sniffing, clickjacking, referrer leakage - Centralised plugin paths simplify future library updates

Technical notes: - bcrypt hashes are 60 chars; old 40-char substr caused login failure after migration - setRedirect() calls exit internally; explicit exit after header() no longer needed - params array passed as 10th arg to setArticleNumbers() — already supported

Small maintenance changes to newsletter module and sitemap configuration to align with scheduler-based job dispatch and updated admin panel.

Core changes:

1. Newsletter (admin/modules/newsletter.php, admin/info/newsletter/*.html):
2. Minor adjustments following scheduler integration refactor
3. Sitemap (config/sitemap.php, modules/sitemap/admin/index.php, sitemap.xml):
4. Sitemap config and admin panel aligned with current module structure
5. sitemap.xml regenerated

Benefits: - Consistent state after scheduler refactor - Info pages reflect current system behavior

Expands the security statistics panel to cover all files in storage/logs/, replacing the .log-only filter with a label-based allowlist approach. Removes hardcoded .log extension throughout; .json files (dump_map, monitor) are now handled via an $ext exception map.

Core changes:

1. Security module (admin/modules/security.php):

2. $labels array extended: database, dump, dump_log, dump_map, error_file, error_php, error_site, error_sql, hack, log, log_admin, log_user, monitor, warn

3. $ext map: ['dump_map' => 'json', 'monitor' => 'json']
4. security(): replaced preg_match('.log') with skip-list + isset($labels)
5. fileview(), down(), del(): use $ext[$file] ?? 'log' for path and filename
6. confsave(): persists sess_d, sess_b, log_b, log_d; dump_skip field added
7. Info pages (admin/info/security/*.html — all 6):
8. Reference to hardcoded interval setting replaced with Scheduler module link
9. Config (config/security.php):
10. dump_skip default removed (now managed via Scheduler/confsave)
11. log_d default adjusted

Benefits: - .json log files (dump_map, monitor) now visible and downloadable in UI - No unknown files shown: only keys present in $labels are rendered - .htaccess and index.html automatically skipped

Technical notes: - filterVar strips dots, so file extensions cannot be passed via URL - Extension is derived server-side from $ext map with 'log' fallback

Introduces a configurable task scheduler with cron-format schedules, per-job state tracking, lock/timeout protection, and a HTMX-powered live status panel. Replaces hardcoded filereport/backup/sitemap/newsletter triggers in index.php with a unified scheduler dispatch.

Core changes:

1. Scheduler module (admin/modules/scheduler.php):
2. Live status table with HTMX auto-refresh per job
3. Add/edit/delete custom jobs, unlock stuck jobs, manual run trigger
4. Cron-format schedule field with format hint
5. Scheduler engine (core/system.php):
6. getSchedulerConfig(), getSchedulerDir(), getSchedulerFile()
7. addSchedulerRun(): dispatches filereport, backup, sitemap, newsletter
8. checkSchedulerAccess(): validates cron/manual token access
9. dump.json renamed to dump_map.json to avoid key conflict with dump.log
10. Dispatcher (index.php):
11. New case 'scheduler' in go==3 branch: validates access, runs job, returns JSON
12. Config (config/scheduler.php, config/modules.php):
13. Default scheduler config with system jobs (filescan, backup, sitemap, newsletter)
14. scheduler module entry added to modules.php
15. Lang (admin/lang/*.php — all 6 languages):

16. SCHEDULER* constants: status, last_run, last_ok, next_run, trigger, duration, fails, schedule, handler, priority, lock, unlock, run, jobkey, url, saved, deleted, unlocked, running, idle, addjob, editjob, url_info, system_info, saveerr, manual, batch, schedule_info

17. _SEC_STAT_DB, _SEC_STAT_DMAP, _SEC_STAT_MON: security log labels for database.log, dump_map.json, monitor.json

Benefits: - Decoupled scheduling from HTTP request cycle - Per-job state files with lock/timeout prevent concurrent execution - Extensible: custom jobs configurable without code changes

Technical notes: - Job state stored in storage/logs/scheduler/<job>.json - Cron schedule validated server-side; manual runs bypass schedule check - dump_map.json replaces dump.json (breaking: rename existing file)

Integrate the preserved local work back into master after fast-forwarding the branch to the latest origin/master state. This keeps the remote updates and the local language, configuration, setup, and test changes together without any history rewrite.

Core changes:

1. Remote synchronization (master):
2. Fast-forward local master to origin/master
3. Keep upstream changes from the latest GitHub state
4. Local work integration (config, language, setup, tests):
5. Merge the backup branch with the preserved local changes
6. Resolve the config/global.php conflict in favor of the saved local sitekey

Benefits: - Leaves master up to date with GitHub and your local work intact - Provides a recoverable backup branch and commit history - Avoids destructive Git operations and force-based workflows

Technical notes: - Merge commit created after fast-forward sync - No rebase and no history rewrite - Working tree should be clean after commit

Preserve the current in-progress local work on language files, configuration, and setup flow before updating master from origin/master. This creates a safe restore point for merge-based synchronization without rewriting history.

Core changes:

1. Language and config updates (admin/lang/.php, lang/.php, config/*.php):
2. Save current local edits across translations and configuration files
3. Preserve in-progress constant and module/security adjustments
4. Setup and test updates (setup/index.php, tests/LanguageConstantsUsageTest.php):
5. Save local setup workflow changes
6. Preserve related test adjustments for later integration

Benefits: - Provides a recoverable checkpoint before remote synchronization - Reduces risk of losing uncommitted work during merge operations - Keeps the update flow aligned with repository safety rules

Technical notes: - No history rewrite - Local backup commit only - Backward compatibility to be validated after merge

• database: simplify navi() signature, remove unused $opt and $legacy params
• database: align op/case/handler to project standard (del/del/del())
• database: replace filter_input() with getVar() for consistency
• database: fix $conf['db']['name'] → $dbname for safe query building
• database: translate German comments to English, fix parse-branch indent
• database: use LOGS_DIR constant in addDblog()
• monitor: rename monitor_metrics.json → monitor.json

Three bug fixes identified via error log analysis (2517 entries, period 2026-03-13 to 2026-03-15). Closes the dominant error (2504 occurrences) and hardens input validation against encoded path traversal probes.

Core changes:

1. Search module (modules/search/index.php):

2. Guard $conf['search'] with is_array() before accessing ['mods'] * $conf['search'] is a string when config is scalar, causing TypeError * Affected every bot crawling ?name=search (Bing, Google, Baidu, etc.)

3. Monitor (admin/modules/monitor.php):

4. Check open_basedir before calling is_dir() on extension_dir * Used array_reduce over PATH_SEPARATOR-split paths * Avoids E_WARNING when ext dir is outside allowed open_basedir paths

5. Security (core/security.php):

6. Extend $quote pattern in checkGet: '../' → '..[/\%]' * Now catches ../ (direct), ..\ (Windows), ..% (URL-encoded: ..%2F etc.) * Blocks double-encoded path traversal (e.g. %252F) after PHP auto-decode

Benefits: - Eliminates 2504 TypeError entries from error_php.log - Removes 9 recurring open_basedir warnings in monitor - Path traversal attempts now logged to hack.log via addHackReport()

Technical notes: - No config or schema changes - Backward compatible

Extended monitor.php with exec() fallbacks for /proc/meminfo, /proc/cpuinfo, /proc/net/dev when open_basedir blocks direct file reads; lscpu/nproc/free used as secondary sources. Improved getMetricStorePath() to resolve writable directory dynamically. Added unloaded PHP extensions detection.

Core changes: - monitor.php: exec-fallbacks for Linux /proc reads, dynamic metrics path, lscpu/nproc support, unloaded extensions list - core/system.php: no-image.png fallback for missing upload files; onerror handler on BB/Markdown img tags; better alt text from filename - security.php + config/security.php: new dump_skip config field with textarea UI and sanitized save logic - modules/forum/index.php: rename $massiv→$rows, $params→$pars; cleaner named placeholders - modules/account/admin/index.php: fix SQL WHERE clauses with table alias u. - admin/info/admins/ru.html → ru.md migration; add admin/info/monitor/ help pages - templates: add no-image.png to all three themes; add find/view admin icons

Benefits: - Monitor works on hosts with restricted open_basedir - Broken images show placeholder instead of broken icon - dump_skip allows excluding paths from file change scanner - Forum and account SQL queries more robust against ambiguous column names