Patches

Rhythmyx 7.3.2 Latest Patch

Patch id: 732_20190717

This patch includes several security updates and improvements.

Download

Downloads are available via the support portal at https://support.percussion.com

Previous Patches

Please note that all Patches are cumulative.  The links here are to provide reference access to the release notes for everything that is included in this patch.  Prior patches do not need to be installed before installing this patch.

This patch includes the following changes:

Change Description

[RHYT-323] - Security - Sensitive Form Field Has Not Disabled Autocomplete

The Login form now disables autocomplete by default.  This feature will not disable auto completion if Password Management is enabled in the browsers, most modern web browsers ignore the autocomplete="off" attribute for forms. 

[RHYT-2661] - Security: Multiple Cross-Site Scripting vulnerabilities in /sys_cx/cxpage.html XML application

A reflected cross site scripting vulnerability was reported in the sys_cx/cxpage.html XML application used by the Content Explorer.  The vulnerability could potentially allow script to be injected as a query parameter to the application and then be reflected in JavaScript and potentially executed on the client.  This patch resolves this problem.

[RHYT-2662] - Security: Some security auditors would like the option to disable the SQL Tool

The SQL Tool restricts access to users in the Admin role, however in some implementations where many users/developers have the Admin role, more explicit access or no access to the tool may be desired.  This patch introduces a new rxconfig/Server/server.properties file option that when set will disable all access to the SQL Tool.  Adding enableSQLTool=false to the properties will block access to the tool for all users regardless of role. 

[RHYT-2663] - Security: The JCR Query debugger doesn't restrict users to the admin role

The JCR Query debugger allows developers access to search the Content Repository with JCR queries for the purposes of testing JCR queries for use in Templates, Slots, or Content Lists.  This tool has been updated to require that users be in the Admin role.  A server property has also been added to allow for the JCR Query debugger to be disabled.  Adding enableJCRTool=false to the rxconfig/Server/server.properties file will disable all access to the Query Debugger. 

[RHYT-2668] - Variables with hyphen are not getting processed with latest velocity2.1 update if a velocity macro file has an error in them

A problem was discovered where any compilation errors in rx_resources/vm VelociMacro files would reset the Velocity configuration to the defaults on initialization of the Template engine.  This would then cause Page and Snippet templates to fail to compile as hyphens are disabled by default.  An update was made that will stop loading rx_resources/vm files if they do not compile, and to re-initialize Velocity with the standard Percussion settings.   User Velocity Macro files can be re-enabled by correcting compilation errors in the Velocity Macro files, and rendering a template with the sys_reinit=true query parameter on the Assembly URL. 

[RHYT-2670] - Remove "#" and "$" from the Velocity Pre-compiler they are not needed after the update to 2.1 version

The Velocity Precompiler no longer needs to pre-compile scripts to work around the "#" and "$" bugs in Velocity 2.0.  These options have been removed from the rxconfig/Server/velocity-precompile.properties file. 

Known Issues / Limitations

RHYT-2575 Workflow Notifications: Invalid notification template results in template source code being emailed

It is important to validate that Workflow Notifications have valid Velocity syntax when setting up custom notification templates.  Syntax errors will result in malformed notification messages.  This will be resolved in a future patch. 

RHYT-2574 Workflow Notification Content Item Velocity Bindings are only referenceable via ${fieldname} syntax

The bindings for notification templates currently require that ${fieldname} syntax be used to reference content item fields.  $fieldname $!fieldname or $!{fieldname} syntax does not currently work for these bindings.  This will be addressed in a future patch. 

RHYT-2576 Workflow Notifications - double links are sent if ${wflink} or $!{wflink} used intead of $wflink by template developer

When adding links to custom notification templates, the $wflink variable must be used.  $!wflink, ${wflink} or $!{wflink} will result in a second notification link being appended to the notification message.  This will be addressed in a future patch. 

RHYT-1935 - Folder with old name need to be removed manually after publishing.

Once a folder name is changed and publishing is done, the new folder is published to the publish location, however, the folder with the old name is still present in that location and currently needs to be removed manually.