changelog

Differences

This shows you the differences between two versions of the page.

changelog [2023/03/16 12:17] marco changelog [2025/12/09 08:47] (current) marco
Line 4: Line 4:
  
 <file> <file>
 +3.0.8 (4/12/2025)
 +======================
 +-don't accept referrer from other domains when login not enabled (CVE-2025-25748)
 +-if defined "C_CARTELLA_CREA_MODELLI" possibility to create folders for webpages
 +-possibility to exclude pages where each document can appear
 +-possibility to use a timezone for hours of difference in "configure and customize"
 +-create again webpages when hours of difference with the server are changed
 +-for email documents in HTML format possibility to add plain text and inline images
 +-fixed bug: commissions not updated when changing rates order or deleting rates
 +-if a user can't modify html documents don't modify emails in html format either
 +-link titular client of a reservation with the main guest even if he's not a guest
 +-in documents API searching by insertion date now searches also by deletion date
 +-new default Spanish/Spain document to transmit guests to Spanish authorities
 +-updated nations/regions/cities/documents IDs/relatednesses lists in Spanish/Spain
 +-possibility to include different localizations for each language
 +-new "locale.php" file in translations for default customizations
 +-fixed bug: XSS vulnerability in photos URLs (CVE-2025-55816)
 +-updated hoteldruid logo
 +-allow only some html tags in error messages of documents not in html format
 +-documents variable [guests_tot_num] now defined also without a guests repetition
 +-create lockfiles while creating database (CVE-2025-44203)
 +-added variable [selected_reservations_number] to documents
 +-conditions in documents text are now grouped on the right
 +-possibility for conditions in documents text to compare 2 variables
 +-added an optional "second surname" field to clients data
 +-fixed bug: unique version id not updated in database after 1000000
 +-fixed bug: XSS vulnerability (CVE-2025-25747)
 +-check minimum password length and complexity (CVE-2025-25749)
 +-for reservations begun in previous year show confirmation, deposit and commissions
 +-fixed bug: specific periods for imported rates not imported in new year
 +-possibility to search both deleted and undeleted reservations in reservations table
 +
 +
 +3.0.7 (15/11/2024)
 +======================
 +-default invoices now calculate VAT on totals (can be disabled in conditions)
 +-fixed bug: sometimes rules 1 not imported correctly when adding periods
 +-fixed bug: room inventory was lost when changing room name
 +-new document variables with lists of inventory items in units repetitions
 +-consider privileges to view rooms in documents
 +-added PWA web app manifest and offline service worker
 +-fixed bug: sometimes wrong taxes rounding in documents when there was a discount
 +-new C_FILE_JS_PERS and C_URL_MANIFEST in includes/costanti.php to customize themes
 +-when importing costs now user privileges and webpage selections are also imported
 +-fixed bug: in month table sometimes old assigned rooms reappeared when moving a
 + reservation from mobile to fixed assignment and back to mobile
 +-you can insert reservations with multi-rooms rates in rooms with different capacity
 +-fixed bug: no custom suffix for not saved documents viewed from api
 +-fixed bug: room name not changed in deleted reservations
 +-finished fixing warnings from php 7.4 and enabled them again in the logs
 +-fixed bug: lost nearby rooms when modifying the name of 2 nearby rooms at once
 +-assign correctly extra beds when inserting a reservation with a rate for multiple
 + rooms and number of people over the capacity of all rooms
 +-possibility to upload css and js files when creating webpages
 +-fixed bug: costs excluded from total percentage not calculated correctly in
 + documents opened from tables or from modifying multiple reservations
 +-possibility to search reservation numbers from previous year in documents API
 +-possibility to view deleted reservations from documents API
 +-added ENT_COMPAT to htmlspecialchars when storing values in database (php 8.1)
 +-possibility to delete also clients with only deleted reservations in past years
 +-when searching a reservation number show also deleted reservations
 +-possibility to add both a fixed price and a % price when importing rate prices
 +-importing rate prices you can now import fixed price from per person or viceversa
 +-fixed bug: empty documents repetition in new year reservations before year archived
 +-when C_CREA_ANNO_MANUALMENTE is set to NUOVO user can create new year when begun
 +-possibility to modify money paid by reservations not permanently deleted
 +-possibility to try to restore reservations not deleted permanently
 +
 +
 +3.0.6 (03/11/2023)
 +======================
 +-when using a remote server smtp.gmail.com suggest to create an app password
 +-if email in structure data has a public provider suggest to use their remote server
 +-don't pass anymore unregistered _REQUEST variables (register globals off)
 +-when changing reservation client, possibility to replace him also in payments made
 +-added "doesn't contain" to "if" comparisons in document conditions
 +-new privilege for normal users to change their password
 +-updated Italian document ROSS1000 to use residence data from main guest if missing
 +-insert from modification page a copy of the reservation(s), also for deleted ones
 +-fixed bugs: XSS vulnerabilities (CVE-2023-43375) (CVE-2023-43376) (CVE-2023-43377)
 +-fixed bug: possible SQL injection in personalizza.php (CVE-2023-43374)
 +-fixed bug: possible SQL injection in interconnessioni.php (CVE-2023-43373)
 +-customization of upper/lower case format in names, surnames, nations, etc.
 +-don't upload files in documents table if user can't modify any document, no html
 + suffix if he can't mofify html documents (CVE-2022-45592)
 +-global privilege to don't allow users to modify documents in html format
 +-fixed bug: avoid cross site scripting in errors from database (CVE-2023-47164)
 +-fixed bug: custom comments deleted when inserting check-out and sometimes check-in
 +-fixed bug: remote code execution in backup from administrator user (CVE-2023-34854)
 + as disclosed by Glen Husman and Donovan Jasper
 +-fixed bugs: some cross site scripting vulnerabilities in backend (CVE-2023-34537)
 +-fixed bug: SQL injection in creaprezzi.php (CVE-2023-33817) (CVE-2023-43371)
 +-fixed bug: sometimes extra bed not added when searching availability from main menu
 +-fixed bug: possible SQL injection from administrator user in privilegi_utente.php
 +-fixed bug: identity document type not inserted in clients data
 +-fixed bug: wrong update of api documents from 3.0.4
 +
 +
 3.0.5 (16/03/2023) 3.0.5 (16/03/2023)
 ====================== ======================
 -in rules 1 table show rates in natural order -in rules 1 table show rates in natural order
 -insert deposits and commissions for "all rates" or all rates with existing value -insert deposits and commissions for "all rates" or all rates with existing value
--translate html special characters in predefined variables in HTML documents (CVE)+-encode html characters in predefined variables in HTML documents (CVE-2023-29839)
 -optional "transaction date" for reservations and cashbox payments -optional "transaction date" for reservations and cashbox payments
 -optional "notes" when inserting reservation payments -optional "notes" when inserting reservation payments
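Review bot: in the 3.0.8 block, "fixed bug: XSS vulnerability (CVE-2025-25747)" names no affected page or input, while the neighbouring "XSS vulnerability in photos URLs (CVE-2025-55816)" does; state the location there too, so an administrator reading the changelog can judge whether their installation is exposed. The same applies in 3.0.6 to the three XSS CVEs grouped on one line (CVE-2023-43375, CVE-2023-43376, CVE-2023-43377) and to "some cross site scripting vulnerabilities in backend". In 3.0.6 the privilegi_utente.php SQL injection entry carries no CVE id, unlike the personalizza.php, interconnessioni.php and creaprezzi.php entries in the same block; add the id if one was assigned. "mofify" in the CVE-2022-45592 entry should read "modify". Three of the CVE-tagged entries in 3.0.8 ("don't accept referrer from other domains ...", "create lockfiles while creating database", "check minimum password length and complexity") do not start with "fixed bug:" as the other security fixes do; a consistent prefix would make the security-relevant lines easier to pick out among the feature entries.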
changelog.1678969033.txt.gz · Last modified: 2023/03/16 12:17 by marco