Rhythmyx 732_20190510 Patch

Patch id: 732_20190510

This patch includes several security updates and bug fixes. Developers and admins should plan to re-install the Developer Tools (Workbench, etc.) from the server after applying this patch, to avoid unnecessary errors related to the session cookie security update. A new Input Transform extension has been added to allow Content Type developers to harden their text fields by sanitizing input for specific HTML markup.


Downloads are available via the support portal at https://support.percussion.com

This patch includes the following changes:

Change Description

[RHYT-1430] Security - JCR Search: Reflected Cross Site Scripting Vulnerability - CWE ID: 79
An issue was corrected in the JCR Search tool where it was possible to inject script via the named parameters and have that script executed by the client browser when the query results were rendered. This issue is resolved in this patch.

[RHYT-1874] [RHYT-2619] Security - Workflow Editor: Persisted & Reflected Cross Site Scripting Vulnerability - CWE ID: 79

A security issue was reported for the Workflow Editor: certain text fields on the Workflow Editor screen could allow JavaScript or HTML code to be injected and then reflected back and executed by client browsers. These issues have been corrected by this patch.

[RHYT-2632] Security - SQL Test Tool: XSS inject / reflection vulnerability

The SQL Testing tool located at /Rhythmyx/test/sql.jsp was updated to mitigate a script injection / reflection vulnerability. The editor was also updated to encode HTML and script markup returned in data from the content repository database.

[RHYT-2633] Security - Refused to execute script from 'Rhythmyx/util/getPSSessionID.jsp' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.

With secure headers enabled, the script served by Rhythmyx/util/getPSSessionID.jsp was being blocked by client user agents because the response declared the wrong MIME type (text/plain). This has been corrected in this patch.
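As an added illustration of the RHYT-2633 failure mode (this is not code from the patch or from Percussion), the following Python check applies the browser's strict MIME rule to constructed responses for a script include: with nosniff set, a script served as text/plain is refused, the same response served as application/javascript is accepted, and without the secure header the misconfiguration passes unnoticed.

```python
# Audit check for the failure mode behind RHYT-2633 (constructed example, not Percussion code):
# a script served with a non-JavaScript Content-Type while X-Content-Type-Options: nosniff is set.

# JavaScript MIME types as listed in the WHATWG MIME Sniffing standard.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

def parse_headers(raw_response: str) -> dict:
    """Map lower-cased header names to values (a repeated header keeps its last value)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def mime_essence(content_type: str) -> str:
    """'text/plain;charset=UTF-8' -> 'text/plain' (parameters dropped, lower-cased)."""
    return content_type.split(";", 1)[0].strip().lower()

def nosniff_enabled(headers: dict) -> bool:
    """Fetch's 'determine nosniff': the first comma-separated token must be 'nosniff'."""
    value = headers.get("x-content-type-options")
    return value is not None and value.split(",", 1)[0].strip().lower() == "nosniff"

def script_blocked(raw_response: str) -> bool:
    """Fetch's 'should response be blocked due to nosniff' for a script request:
    with nosniff on, only a JavaScript MIME type is executed."""
    headers = parse_headers(raw_response)
    if not nosniff_enabled(headers):
        return False  # no secure header: the browser may sniff, so the bug stays hidden
    return mime_essence(headers.get("content-type", "")) not in JS_MIME_TYPES

# Constructed responses for a script include such as Rhythmyx/util/getPSSessionID.jsp
BROKEN = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain;charset=UTF-8\r\n"
          "X-Content-Type-Options: nosniff\r\n\r\n// constructed script body\r\n")
FIXED = BROKEN.replace("text/plain", "application/javascript")   # the corrected header
LEGACY = BROKEN.replace("X-Content-Type-Options: nosniff\r\n", "")  # secure headers off

if __name__ == "__main__":
    for name, resp in (("broken", BROKEN), ("fixed", FIXED), ("legacy", LEGACY)):
        print(name, "blocked" if script_blocked(resp) else "allowed")
```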

[RHYT-2613] Intermittently the Jetty service doesn't stop

Some customers on Windows reported a fault in the ProcRun Service Manager when shutting down the Jetty service. The problem appeared intermittently and occurred when the Jetty server stopped in under 3 seconds. This patch contains a fix for this issue.

[RHYT-2618] Templating - $pagelink local variable in sys_assembly.vm file resets the value

Several of the System Velocity macros had parameter names that matched the $pagelink binding variable name. With the latest Velocity updates, the $pagelink template binding would be incorrectly reset whenever any of those macros was invoked. The System Velocity macros were updated to no longer use $pagelink as a parameter name.

[RHYT-2616] Performance - JVM Cache Warmup fails to start and halts server startup due to hibernate locking errors when bad acl data is present

The startup process introduced in the previous patch could fail with errors if unexpected Acl, Site, Role, or Workbench Hierarchy data was found while pre-warming the system caches for performance at system startup. These errors could cause the service to fail to start after patching. The startup process will now report any errors it encounters but allow the service to continue starting up and the other object caches to be initialized.

[RHYT-2631] - Adding sys_lasttransitiondate to the System Content Editor does not make the field accessible in Templates

Support for accessing the Last Transition Date for a Content Item has been added to the Component Summary for all content items. If the field is configured on the system content editor definition, the property can be added to a content item and accessed from templates.

[RHYT-2612] DCE - TinyMCE Editor display redraws as multiples when large content

An issue was reported where the rich text editor could appear to freeze and redraw multiple times when editing large content items. The problem was caused by a CSS property in the editor's default theme. This issue has been corrected by this patch.

Known Issues / Limitations

RHYT-2575 Workflow Notifications: Invalid notification template results in template source code being emailed

It is important to validate that Workflow Notifications have valid Velocity syntax when setting up custom notification templates.  Syntax errors will result in malformed notification messages.  This will be resolved in a future patch. 

RHYT-2574 Workflow Notification Content Item Velocity Bindings are only referenceable via ${fieldname} syntax

The bindings for notification templates currently require that the ${fieldname} syntax be used to reference content item fields. The $fieldname, $!fieldname and $!{fieldname} forms do not currently work for these bindings. This will be addressed in a future patch.

RHYT-2576 Workflow Notifications - double links are sent if ${wflink} or $!{wflink} is used instead of $wflink by the template developer

When adding links to custom notification templates, the $wflink variable must be used.  $!wflink, ${wflink} or $!{wflink} will result in a second notification link being appended to the notification message.  This will be addressed in a future patch. 

RHYT-1935 - Folder with old name needs to be removed manually after publishing.

Once a folder is renamed and publishing is run, the folder with the new name is published to the publish location; however, the folder with the old name is still present in that location and currently needs to be removed manually.