Written 06/07/08
Today sees a long-delayed new release of Opus which includes a lot of enhancements and, more importantly, some security fixes. We therefore strongly recommend upgrading to this release.
Security fixes:
- In previous releases, Opus required register_globals to be on. This is a classic way of opening up the code to hackers. Opus has now been rewritten to work with register_globals turned off, and we recommend that, having upgraded to this release, you explicitly turn it off, either via .htaccess or whatever control you have of your vhost.
- A security hole in image uploading allowed a visitor who was not logged on to replace a previously uploaded image with one of their own by means of a cleverly crafted web form. (Thanks to Jez for identifying this one.)
- A related and less serious issue meant that a logged-in author who didn't have permission to upload images could do so very easily.
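To illustrate the two fixes above, here is an added PHP sketch (hypothetical code, not Opus's own): every variable is initialised explicitly so register_globals cannot pre-seed it, and the image-upload path checks both that the visitor is logged in and that they hold the upload permission. The session keys, the permission name and the images/ directory are assumptions.

```php
<?php
// Added illustration, not Opus's own code.  With register_globals=On a request
// such as ?isAuthor=1 creates $isAuthor before the script runs, so any variable
// read before it is assigned can be chosen by the visitor.  Initialise every
// variable yourself and read request data only from the superglobals.
//
// Also switch the setting off server-side (Apache mod_php, in .htaccess):
//     php_flag register_globals off

session_start();

// Explicit initialisation: never rely on a variable being unset.
$isAuthor  = false;
$canUpload = false;

// Assumed session layout: an author id plus a flat list of permission names.
if (isset($_SESSION['author_id'])) {
    $isAuthor  = true;
    $canUpload = in_array('upload_images', $_SESSION['permissions'] ?? [], true);
}

// Request parameters come only from $_POST, never from a pre-existing global.
$target = $_POST['image_name'] ?? '';

function handleImageUpload(bool $isAuthor, bool $canUpload, string $target): string
{
    // 1. Identity: an anonymous visitor gets no further, however the form was built.
    if (!$isAuthor) {
        return 'login required';
    }
    // 2. Permission: checked separately, so a logged-in author without the
    //    upload right is refused too.
    if (!$canUpload) {
        return 'permission denied';
    }
    // 3. Keep the target a plain image file name inside the assumed images/
    //    directory so the form cannot point the write elsewhere.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/', $target)) {
        return 'bad file name';
    }
    if (!isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
        return 'no file';
    }
    move_uploaded_file($_FILES['image']['tmp_name'], __DIR__ . '/images/' . $target);
    return 'ok';
}

echo handleImageUpload($isAuthor, $canUpload, $target);
```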
It's a long time since the last formal release, so there have been many enhancements, many of which are subtle and won't worry you, but here's a selection of the more significant ones:
- Support for PayPal allowing Opus to be used for simple e-commerce applications.
- Support for Opus running under SSL/HTTPS.
- Auxiliary fields can now be enabled on a per section basis.
- Changes to mail form processing to stop malicious use.
- Attempts to hide the author login pages from search engines, since exposing them is an invitation to hackers to try to log in.
- If your web server supports it then you can rotate, resize and sharpen images when you are uploading them.
- The image browser in the author menu shows image thumbnails.
- Various enhancements to the search function to allow you to set up searches which only search some parts of your database, and to search on numbers.
- Default diary location now comes from OPUS_DEFAULT_LOCATION, if that's defined in ./cfg/config.inc.
- Datacards can now have a mapped url (enabled by a "mapurl" attribute for the <datacard> tag).
- New merge fields: datedated, released, papercode, sectioncode, articlecode, documentname, documenttype, documentsize, editlink
- Links to document articles show size and type in brackets after the link (you can disable this via your style sheet).
- The access array has been updated to allow you to decide whether or not authors can extract datacards.
- Various enhancements to blogging, all configurable on a section by section basis.
- The article browser in the author menu lets you browse by section.