Changelog

Total: 405 commits available | Filtered: 405 commits | Page: 1 / 41
Today (17.03.2026)
Chore: Fix copyright encoding in configs, update sitemap dates
Author: Eduard Laas | Date: 15:14 17.03.2026

Core changes:

  1. config/search.php, config/security.php:
     - Replace (c) with © in copyright header
  2. sitemap.xml:
     - Update lastmod dates to 2026-03-17

Benefits:
  - Consistent copyright notation across all files
  - Sitemap reflects current modification dates

Technical notes:
  - No functional changes

Chore: Remove unused lang constants _ACTIV, _THANK, _WARNM
Author: Eduard Laas | Date: 15:14 17.03.2026

Constants verified unused across all PHP files outside lang directories. Removed from all six locales simultaneously.

Core changes:

  1. lang/*.php (de, en, fr, pl, ru, uk):
     - Remove _ACTIV (replaced by _ACTIVATE / _ACTIVATE2 in admin)
  2. modules/forum/lang/*.php (de, en, fr, pl, ru, uk):
     - Remove _THANK (thank-you button feature removed)
     - Remove _WARNM (moderator report feature removed)

Benefits:
  - Smaller lang files, no dead definitions
  - Prevents accidental reuse of removed feature constants

Technical notes:
  - Verified with grep: no usage outside define() lines

Refactor: Monitor — read last backup time from scheduler state
Author: Eduard Laas | Date: 15:14 17.03.2026

Replace direct counter/backup.log file read with getSchedulerState('dbbackup') so the last backup timestamp comes from the same source as the scheduler UI.

Core changes:

  1. getLastBackupRunLabel (admin/modules/monitor.php):
     - Remove backup.log file read
     - Use getSchedulerState('dbbackup')['last_success'] instead
     - Keep BACKUP_DIR mtime fallback unchanged

Benefits:
  - Single source of truth for backup timestamps
  - No dependency on a separate counter file

Technical notes:
  - backup.log is no longer read by monitor; file can be removed from disk

Refactor: Security module — log list cleanup, dump_skip sanitization, conf fields
Author: Eduard Laas | Date: 15:14 17.03.2026

Remove the separate $ext map and hardcode .log extension throughout, since all log files now share the same format. Add dump_skip path sanitization on save. Restore sess_d, sess_b, log_b and log_d fields to the conf form and confsave handler.

Core changes:

  1. Log file listing (admin/modules/security.php):
     - Remove $ext map; all log files are .log
     - Replace whitelist skip array with preg_match on .log extension
     - Remove database, dump_map and monitor entries from $labels
  2. dump_skip sanitization (admin/modules/security.php):
     - Normalize line endings, strip leading ./, collapse slashes
     - Reject lines containing .. (path traversal)
     - Ensure each entry ends with /; deduplicate
  3. Conf form + confsave (admin/modules/security.php):
     - Add sess_d, sess_b, log_b to conf form output
     - Add log_d field and restore _SEC_LOG_D row
     - Save sess_d, sess_b, log_b, log_d in confsave handler

Benefits:
  - No more silent loss of sess_d/sess_b/log_b/log_d on settings save
  - dump_skip entries are normalized before storage
  - Log list does not depend on a manually maintained extension map

Technical notes:
  - $ext variable removed; fileview/down/del now always use .log
  - Copyright header encoding fixed (© instead of ©)
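
The dump_skip steps listed in the commit above, written out as an added example. This is not code from SLAED CMS: the function name sanitizeDumpSkip() and the sample input are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not SLAED CMS code; sanitizeDumpSkip() is a hypothetical name.
function sanitizeDumpSkip(string $raw): array
{
    // Normalize CRLF / CR line endings, then split into one entry per line.
    $lines = explode("\n", str_replace(["\r\n", "\r"], "\n", $raw));
    $clean = [];
    foreach ($lines as $line) {
        $path = trim($line);
        // Reject, rather than rewrite, any line containing "..".
        if ($path === '' || str_contains($path, '..')) {
            continue;
        }
        // Collapse runs of slashes, then strip every leading "./".
        $path = (string) preg_replace('#/+#', '/', $path);
        while (str_starts_with($path, './')) {
            $path = substr($path, 2);
        }
        // Drop entries that are empty once separators are removed.
        $path = rtrim($path, '/');
        if ($path === '' || $path === '.') {
            continue;
        }
        // Exactly one trailing slash; array keys deduplicate the entries.
        $clean[$path . '/'] = true;
    }
    return array_keys($clean);
}

// Constructed sample input, as it might arrive from a settings textarea.
$raw = "./storage/cache\r\nstorage//cache/\r\n../etc/\r\n"
     . "uploads/tmp/../../config\r\n\r\n././/logs///old";
var_export(sanitizeDumpSkip($raw));
```

Rejecting a line that contains ".." instead of trying to resolve it keeps the stored list free of entries whose meaning depends on how a later path join is performed.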

Refactor: Scheduler — merge planned-time logic, simplify boot requires
Author: Eduard Laas | Date: 15:13 17.03.2026

Consolidate getSchedulerNextTime and getSchedulerPlannedTime into a single function to eliminate the redundant two-step call chain. Simplify the boot sequence in system.php by replacing inline conditional blocks with a direct require_once of the common includes.

Core changes:

  1. Scheduler time resolution (core/system.php):
     - Remove getSchedulerConfig, getSchedulerDir, getSchedulerFile, getSchedulerBeat, getSchedulerBase, getSchedulerJob, getSchedulerSettings (moved to dedicated scheduler core)
     - Merge getSchedulerNextTime into getSchedulerPlannedTime
       * Now computes next run directly from last_run state
       * Removes unused $from parameter
  2. Boot sequence (core/system.php):
     - Replace scattered require logic with require_once for security, user/admin and template

Benefits:
  - Fewer function calls per scheduler dispatch cycle
  - Simpler call site in scheduler.php (one function instead of two)
  - Boot sequence is now linear and readable

Technical notes:
  - getSchedulerPlannedTime signature unchanged (array $job, array $state)
  - Removed functions were unused outside core; no external API break

Refactor: Scheduler lang constants — rename, add warnings with security link
Author: Eduard Laas | Date: 15:11 17.03.2026

Rename all SCHEDULER* constants exceeding 18-char limit to comply with the updated constants.md naming rule (max 18 chars for lang constants). Add two new warning constants with a direct link to Security settings.

Core changes:
  - _SCHEDULER_NEXT_RUN → _SCHEDULER_NEXTRUN
  - _SCHEDULER_LAST_RUN → _SCHEDULER_LASTRUN
  - _SCHEDULER_DURATION → _SCHEDULER_RUNTIME
  - _SCHEDULER_SCHEDULE → _SCHEDULER_SCHED
  - _SCHEDULER_PRIORITY → _SCHEDULER_PRIO
  - _SCHEDULER_PRIORITY_INFO → _SCHEDULER_PRIOTIP
  - _SCHEDULER_PRIORITY_DUP → _SCHEDULER_PRIODUP
  - _SCHEDULER_UNLOCKED → _SCHEDULER_UNLOCKD
  - _SCHEDULER_URL_INFO → _SCHEDULER_URLINFO
  - _SCHEDULER_SYSTEM_INFO → _SCHEDULER_SYSINFO
  - _SCHEDULER_SCHEDULE_INFO → _SCHEDULER_CRONFMT
  - _SCHEDULER_WARN_DMAP → _SCHEDULER_WARNLOG
  - Add _SCHEDULER_WARN_DB, _SCHEDULER_WARNLOG, _SCHEDULER_WARN_GO (all 6 locales)
  - scheduler.php: show config warnings when log_b/log_d disabled, link to security settings

Benefits:
  - All SCHEDULER* constants now ≤18 chars (rule compliant)
  - Warnings inform admin where to enable the feature

Technical notes:
  - Updated in all 6 locales simultaneously (de, en, fr, pl, ru, uk)
  - Warning text uses correct semantic mapping: log_b=DB backup, log_d=file scan

Chore: untrack storage/counter/backup.log from git index
Author: Eduard Laas | Date: 11:51 17.03.2026

File is runtime state and already covered by .gitignore (/storage/counter/*). Was tracked only because it existed in the index before the ignore rule.

Refactor: Scheduler central dispatcher, remove handler dispatch
Author: Eduard Laas | Date: 11:34 17.03.2026

Replace string-based function_exists() dispatch and four wrapper functions with a typed match dispatcher. System jobs are now identified by a fixed 'system' key in config instead of a callable handler string. Sitemap admin trigger is routed through the scheduler flow.

Core changes:

  1. Dispatcher (core/system.php):
     - Add addSchedulerSystemJob() with match on 'backup'/'filescan'/'sitemap'/'newsletter'
       * Replaces dynamic function_exists($handler) call
       * Unknown system key returns failed status with explicit message
     - Remove addSchedulerBackup(), addSchedulerFilescan(), addSitemapTask() wrappers
       * Renamed doSitemap() to addSitemapTask() for naming consistency
     - Update addSchedulerRun() dispatch to call addSchedulerSystemJob()
     - Update getSchedulerJob() to normalize 'system' field instead of 'handler'
     - Update getSchedulerNextJob() validity checks to use type + system
  2. Config (config/scheduler.php):
     - Replace 'handler' field with 'system' in all 4 system jobs
       * dbbackup -> system: backup
       * filescan -> system: filescan
       * newsletter -> system: newsletter
       * sitemap -> system: sitemap
  3. Admin UI (admin/modules/scheduler.php):
     - Show 'system' value (readonly) instead of handler string
     - save() persists 'system' field instead of 'handler'
     - Remove 'handler' key from default new custom job
  4. Sitemap admin (modules/sitemap/admin/index.php):
     - Replace direct doSitemap() call with addSchedulerRun('sitemap', 'manual')
       * Uses lock mechanism, prevents race conditions

Benefits:
  - Eliminates dynamic function dispatch via string from config (security improvement)
  - Single dispatch point for all system jobs
  - Consistent naming: addBackupTask, addFilescanTask, addSitemapTask

Technical notes:
  - BREAKING CHANGE: 'handler' field is no longer read at runtime
  - Existing configs without 'system' field will treat jobs as invalid
  - doSitemap() renamed to addSitemapTask(); all call sites updated
  - Verified: dbbackup, filescan, sitemap manual run successful; error logs clean
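
The difference between handler-string dispatch and a fixed-key match, as an added example that is not SLAED CMS code. The names runByHandler(), runBySystemKey() and addNewsletterTask() are hypothetical, the task bodies are stand-ins, and the two config entries are constructed.

```php
<?php
declare(strict_types=1);

// Stand-ins for the real task functions (bodies are placeholders for this demo).
function addBackupTask(): string     { return 'backup finished'; }
function addFilescanTask(): string   { return 'filescan finished'; }
function addSitemapTask(): string    { return 'sitemap finished'; }
function addNewsletterTask(): string { return 'newsletter finished'; } // hypothetical name

// Before: whatever function name the config holds is called if it exists.
function runByHandler(array $job): array
{
    $handler = (string) ($job['handler'] ?? '');
    if ($handler !== '' && function_exists($handler)) {
        return ['status' => 'ok', 'message' => (string) $handler()];
    }
    return ['status' => 'failed', 'message' => 'handler not found'];
}

// After: a fixed key selects one of four hard-coded calls; anything else fails.
function runBySystemKey(array $job): array
{
    $key = (string) ($job['system'] ?? '');
    $message = match ($key) {
        'backup'     => addBackupTask(),
        'filescan'   => addFilescanTask(),
        'sitemap'    => addSitemapTask(),
        'newsletter' => addNewsletterTask(),
        default      => null,
    };
    return $message === null
        ? ['status' => 'failed', 'message' => "unknown system job '{$key}'"]
        : ['status' => 'ok', 'message' => $message];
}

// Constructed config entries: one as intended, one edited to name a built-in.
$jobs = [
    ['handler' => 'addBackupTask', 'system' => 'backup'],
    ['handler' => 'phpversion',    'system' => 'phpversion'],
];
foreach ($jobs as $job) {
    echo json_encode(['before' => runByHandler($job), 'after' => runBySystemKey($job)]), "\n";
}
```

With the match form, the set of callable code is fixed in source, so a modified config value can only select one of the four jobs or produce a failed status.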

Yesterday (16.03.2026)
Fix: Security hardening, SQL prepared statements, frontend plugin migration
Author: Eduard Laas | Date: 22:44 16.03.2026

Harden authentication, SQL queries, and input handling across admin and modules; migrate Bootstrap 5 and HTMX to plugins/ with proper structure.

Core changes:

  1. Authentication fixes (core/security.php, core/system.php, admin/index.php):
     - isAdmin(): remove substr() truncation on bcrypt hash (was 72 chars, now full)
     - is_user(): replace loose == with hash_equals() for timing-safe comparison
     - check_admin(), add_admin(): header('Location:') replaced with setRedirect()
     - logout(): raw SQL concatenation replaced with prepared statement + setRedirect()
     - changeeditor(): raw SQL replaced with prepared statement; $_POST → getVar()
     - login(): raw $_POST['aname'], $_POST['aemail'] → getVar()
  2. SQL hardening — LIKE prepared statements (8 modules):
     - modules/news, media, files, links, faq, pages, shop: $let interpolation replaced with :let placeholder + ['let' => $let.'%'] params
     - modules/help: $let and $uid both replaced with named placeholders
     - news: removed redundant addslashes() on $let
  3. Security headers (core/system.php):
     - Added X-Content-Type-Options: nosniff
     - Added X-Frame-Options: SAMEORIGIN
     - Added Referrer-Policy: strict-origin-when-cross-origin
  4. Frontend plugin structure (plugins/, config/global.php):
     - Bootstrap 5 (CSS + JS bundle + Icons) moved to plugins/bootstrap/
     - HTMX moved from templates/admin/js/ to plugins/htmx/
     - bootstrap-icons.css, fonts/ removed from templates/admin/
     - script_f and css_f updated to reflect new paths
  5. Scheduler module (admin/modules/scheduler.php, config/scheduler.php):
     - Full scheduler module implementation with cron-based job execution
  6. Newsletter module (admin/modules/newsletter.php, config/newsletter.php):
     - Newsletter configuration and admin module updates

Benefits:
  - Timing-safe password comparison prevents brute-force timing attacks
  - Prepared statements on LIKE queries eliminate SQL injection vectors
  - Security headers protect against MIME sniffing, clickjacking, referrer leakage
  - Centralised plugin paths simplify future library updates

Technical notes:
  - bcrypt hashes are 60 chars; old 40-char substr caused login failure after migration
  - setRedirect() calls exit internally; explicit exit after header() no longer needed
  - params array passed as 10th arg to setArticleNumbers() — already supported
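
The :let placeholder pattern from the commit above, as an added example that is not SLAED CMS code. It assumes PDO with the SQLite driver, a constructed news table and a hypothetical helper titlesByPrefix(); the ESCAPE '!' step goes beyond what the commit lists and is included to show that a bound value can still carry LIKE wildcards.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for a module's article list.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $pdo->prepare('INSERT INTO news (title) VALUES (:t)');
foreach (['Alpha release', 'A_draft', 'Beta notes', '100% uptime'] as $t) {
    $ins->execute(['t' => $t]);
}

// Hypothetical helper: titles starting with the user-supplied prefix $let.
function titlesByPrefix(PDO $pdo, string $let, bool $escapeWildcards = true): array
{
    if ($escapeWildcards) {
        // '!' is the escape character, so it is doubled before % and _ are escaped.
        $let = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $let);
    }
    $st = $pdo->prepare(
        "SELECT title FROM news WHERE title LIKE :let ESCAPE '!' ORDER BY id"
    );
    // The trailing wildcard is appended to the bound value, never to the SQL text.
    $st->execute(['let' => $let . '%']);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal letter, a quote-breaking string, a bare wildcard.
foreach (['A', "x' OR '1'='1", '%'] as $input) {
    printf(
        "%-16s bound only: %d rows, bound + escaped: %d rows\n",
        json_encode($input),
        count(titlesByPrefix($pdo, $input, false)),
        count(titlesByPrefix($pdo, $input, true))
    );
}
```

Binding stops the value from changing the statement's structure; escaping % and _ additionally stops it from widening the match beyond a literal prefix.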

Chore: Newsletter and sitemap minor updates
Author: Eduard Laas | Date: 15:29 16.03.2026

Small maintenance changes to newsletter module and sitemap configuration to align with scheduler-based job dispatch and updated admin panel.

Core changes:

  1. Newsletter (admin/modules/newsletter.php, admin/info/newsletter/*.html):
     - Minor adjustments following scheduler integration refactor
  2. Sitemap (config/sitemap.php, modules/sitemap/admin/index.php, sitemap.xml):
     - Sitemap config and admin panel aligned with current module structure
     - sitemap.xml regenerated

Benefits:
  - Consistent state after scheduler refactor
  - Info pages reflect current system behavior
