This version is compatible with GLPI 10.0.
⚠️ This release contains a fix which solves loss of file uploads when a validator edits the requester's answers before approval. This fix requires a patch for GLPI 10.0.7 or older. It is recommended to apply it. The patch is available here.
⚠️ This release contains a fix to prevent multiple form submission, which caused requesters to submit their request several times. This fix depends on another fix in GLPI 10.0.7 or older, available here.
Full changelog and download: click here
New version GLPI 10.0.7: A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.7 archive on GitHub.
We still maintain the 9.5 branch for security fixes and we are also releasing a new version for it: GLPI 9.5.13 archive
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - High] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
- [SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
- [SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
- [SECURITY - Moderate] Stored XSS through dashboard administration (CVE-2023-28852).
- [SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
- [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
- [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-28634).
- [SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).
Also, here is a short list of main changes done in this version:
- [SECURITY] Optional GLPI router to be able to use a safer web server root directory.
- [FEATURE] Support of SMTP OAuth authentication.
- [FEATURE] Improved inventory file upload feature.
- [FIX] Many fixes and improvements on native inventory.
- [FIX] Some bugs on PHP 8.2.
- [FIX] Caching issues on entities.
- [FIX] Boolean FullText operator not working on knowledge base search.
- [FIX] Unexpected search results when using negative condition on ticket actors.
- [FIX] Issues with LDAP filters/DN.
- [FIX] Unexpected results when searching on knowledge base categories.
The full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Download GLPI now: https://glpi-project.org/downloads/
Regards.
This version is compatible with GLPI 10.0.
⚠️ File / image upload removed from public forms
GLPI 10.0.5 contains a fix which breaks the ability to upload files from a public form. It is not possible to restore this feature without introducing a security problem. Therefore, in this version, it is no longer possible to add a question of type File to a public form. Questions of type Textarea won't allow users to upload pictures anymore.
It is recommended to update your public forms to remove questions of type File. If you don't, then requesters will encounter problems when they try to upload files.
Upgrade from 2.13.0 or later
A database sanity check is done before running the upgrade. If the plugin's tables differ from the expected schema, the upgrade will fail with a message similar to the following:
The database schema is not consistent with the installed Formcreator 2.13.0. To see the logs enable the plugin and run the command bin/console glpi:database:check_schema_integrity -p formcreator
It is required to fix the database, using the diff produced by the CLI command given in the message. Once done, try again to upgrade.
ℹ️ If you know what you are doing you may bypass the sanity check from CLI with the following command.
bin/console glpi:plugin:install formcreator -f -p skip-db-check
Bug Fixes
- add missing domain for public forms translation (#3162) (970f183c6)
- duplicate key when updating a profile (1bd6a2ab6)
- remote glpi prefix for commands (651444a27)
- abstractitiltarget: set priority from urgency and impact (#3178) (1269edd51)
- checkboxes: better display (f8fe93a63)
- checkboxes: padding between items (a62f879ce)
- condition: infinite loop detection (172d5e8eb)
- dropdownfield: prevent ambiguous column name (b54523219)
- form: remove obsolete translations on update (3cc58ac7d)
- form: rename form answer properties tab (a3395179d)
- form_language: avoid persistent rich editor toolbar when closing modal (11a8808b5)
- form_language: display problems when translating (93073e656)
- form_language: filter out obsolete translations (b38555c5e)
- formanswer: access restriction (a9451d982)
- install: distinguish error messages for sanity check (b798bf264)
- notifications: missing lang tags (3cad18562)
- question: missing conditions count after update (ea185beb8)
- question: updating a question returns sanitized label (936ccd475)
- radios: update escaping of values (c940e1764)
- radiosfield: better display (fe6c2e8d0)
- restrictedformcriteria: bad key when generating error message (6cabca1fe)
- targetchange,targetproblem: harmonize implementation with targetticket (1ba402de0)
- targetchange,targetproblem: missed code refactor (e24d2fc13)
- targetticket: wrong property label (fd3d30973)
- textareafield: target ticket shows HTML when image uploaded (56fc8d54d)
- translation: avoid rn when using formatted rich (html) text (24113a353)
Features
This version is compatible with GLPI 10.0.
Upgrade from 2.13.0 or later
A database sanity check is done before running the upgrade. If the plugin's tables differ from the expected schema, the upgrade will fail with a message similar to the following:
The database schema is not consistent with the installed Formcreator 2.13.0. To see the logs enable the plugin and run the command bin/console glpi:database:check_schema_integrity -p formcreator
It is required to fix the database, using the diff produced by the CLI command given in the message. Once done, try again to upgrade.
ℹ️ If you know what you are doing you may bypass the sanity check from CLI with the following command.
bin/console glpi:plugin:install formcreator -f -p skip-db-check
Bug Fixes
- handle undefined setting for service catalog homepage (411ae3597)
- typo in french locale (f61ded17a)
- abstractitiltarget: multiple tag questions set but not displayed in designer (90f2a95d8)
- checkboxesfield,multiselectfield: default value not displayed (8f36ab726)
- composite: ignore link to non existing ticket (8502d4b16)
- condition: allow longer texts (eecdf8a2a)
- condition: display of tested question shows wrong item (5d34da8b4)
- condition: width of question dropdown (ce0389efd)
- dropdownfield: empty SQL IN statement when restricted tickets rights (5c5244a85)
- form: image upload handling in header field (5dc66a5ef)
- formanswer: default search filter hides legit access (2dc9f8e3f)
- formanswer: malformed search option (5339b7912)
- formanswer: missing newline between sections of fullform tag (61122bc93)
- formanswer: temporary disable debug mode (e9e8da484)
- formanswer, textfield, textareafield: escaping (3e0666d4d)
- glpiselectfield: cannot set empty value by default for entity question (fe2130bbe)
- glpiselectfield: restore entity restriction for users (e525b3a82)
- helpdesk: better handling of users that can't see tickets (a93f03126)
- install: add empty schema for new version (817a9ec7e)
- install: resync not needed in upgrade to 2.13.4 (d66a12017)
- install: typo in method name (eac5d77ac)
- issue: follow entity change on ticket transfer (434bd3572)
- issues: Tooltip consistency with core (c45d21550)
- question: subtype plural and appliance in bad group (1f780370a)
- tagfield: php warning (cc4b673a8)
- targetticket: allow more itemtypes to associated elements (#3155) (cee504c24)
- textfield: useless HTML entity encode (c3d03b51e)
Features
- drop support for GLPI 10.1 (a99a8bcb2)
- dropdownfield: always show ticket id (0190adac9)
- issue: access tickets from service catalog (a6b4f19d0)
- question: add support for database sub itemtype (45126012d)
- wizard: selectable home page in service catalog (95103fe54)
A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.6 archive on GitHub.
We still maintain the 9.5 branch for security fixes and we are also releasing a new version for it: GLPI 9.5.12 archive
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - High] Unauthorized access to inventory files (CVE-2023-22500)
- [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
- [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
- [SECURITY - Moderate] XSS in RSS Description Link (CVE-2023-22724)
- [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
- [SECURITY - Low] Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)
Also, here is a short list of main changes done in this version:
- [FEATURE] Unmanaged devices can be handled like a real asset.
- [FEATURE] Handle more actions for stale inventory agents.
- [FEATURE] Added new dictionary rules for OS.
- [CHANGED] Removed glpi: prefix on console commands.
- [FIX] PHP 8.2 support.
- [FIX] Many fixes and improvements on native inventory.
- [FIX] Reservation display on self-service profile.
- [FIX] Mail collector issues with emails sent from Outlook.
- [FIX] Dashboard issues on “All” tab.
- [FIX] Ticket input is restored when submitted form is not complete.
- [FIX] Notification was not sent when ticket status was set to “pending”.
The full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
We are happy to announce that our long-term partner in Spain, TICGAL, has become a GOLD level partner!
TICGAL is a company built around GLPI. In our short history, they have helped more than 200 clients set up the standard solution or reshape GLPI to fit their needs by integrating standard and custom-tailored solutions.
Beyond the ITSM & ITAM native GLPI capabilities, TICGAL has transformed it into a CMMS or an ESM. They also edit a successful multiplatform mobile solution with geolocation capabilities.
Among many solutions, TICGAL offers:
- GLPI Support: consulting, installation, migrations, development, integrations and hosting;
- GLPI Developments: Plugins and extensions;
- GApp: a GLPI App, a project born from the need to provide easy mobile access to GLPI, especially for end users, a.k.a. self-service.
Website: https://tic.gal/en/
We are excited that GLPI ITSM solution is becoming more and more represented all over the world and GLPI Network (our support offer for on-premises – get your IT Infrastructure secured) subscription service will be available for more customers through our new partners.
Our large partnership network is always open for new collaborations. If you are interested in representing one of our products in your country, get in touch with us: https://portal.glpi-network.com/marketplace/formcreator/front/formdisplay.php?id=15
Being a partner means:
- Having direct access to Teclib's tech expertise;
- Get special discounts;
- Access official support;
- Many other tools which will help you to gain more customers and increase reputation on the market by adding open source ITSM to your portfolio.
Discover all benefits of being a partner here: https://glpi-project.org/partners/
This version is compatible with GLPI 9.5.5 or later only. Users of GLPI 10 must use Formcreator 2.13 or later. Support of GLPI 9.5.4 and earlier has been dropped, see notes of version 2.11.3 to know the reason.
⚠️ Version 2.12.6 had missing files for LDAP questions. This release addresses this problem.
Help / Contribution needed
- Locales updates: Some languages don't have a maintainer, or are late (much untranslated content). Please contribute on Transifex.
- documentation review and updates
Bug Fixes
This version is compatible with GLPI 10.0.
Upgrade from 2.13.0 or later
A database sanity check is done before running the upgrade. If the plugin's tables differ from the expected schema, the upgrade will fail with a message similar to the following:
The database schema is not consistent with the installed Formcreator 2.13.0. To see the logs enable the plugin and run the command bin/console glpi:database:check_schema_integrity -p formcreator
It is required to fix the database, using the diff produced by the CLI command given in the message. Once done, try again to upgrade.
ℹ️ If you know what you are doing you may bypass the sanity check from CLI with the following command.
bin/console glpi:plugin:install formcreator -f -p skip-db-check
Possible encoding problems in tickets created in GLPI 9.5 or older
⚠️ GLPI 10.0 encodes rich text content in a different way compared to GLPI 9.5. This revealed some bugs in the plugin in previous versions and GLPI may display old tickets with HTML tags. A CLI tool is available to fix 3 types of inconsistencies. You should test the command in a testing environment or do a backup first.
bin/console glpi:plugins:formcreator:clean_tickets
Bug Fixes
- abstractitiltarget: copy may generate unwanted output to navigator (8792ed3dc)
- abstracttarget: support for sla and ola from question (e4c6ffeb6)
- category: do not access page if the plugin is not active (a959839c7)
- category: don't activate plugin to access categories (4cd4f600e)
- checkboxesfield: back to BR (c8908f265)
- checkboxesfield: back to BR (56d1e7e94)
- checkboxesfield, radiosfield: checkboxes and radios backslashes (#3050) (47da0ea0a)
- common: captcha check (b2b7efc89)
- dashboard: fix dashboard height (712bdc8ad)
- datefield: change event and comparison (9da947783)
- filefield: do not assume index of files (a02a9c7ce)
- form: delete question does not reset preview tab (ad87ddc87)
- form: prevent SQL error (17aa94309)
- form: prevent sending two csrf tokens (c04c71bab)
- form: tab name must obey 'show count' setting (b89232eb3)
- form_language: call to undefined method (137a66047)
- formanswer: page switching loses filter (14d3ed7ac)
- install: bad command in error message (f357d9ca4)
- install: handle possible null while changing fields (0a847af4c)
- issue: access to saved searches from service catalog (b7481825a)
- issue: default joint for issue (631888e47)
- issue: show save button for followup edit (810c854f1)
- issue: sync issue fails when a ticket has several validators (3f51fbdd9)
- issue: useless criteria nesting (369fdb57b)
- selectfield: too many unescaping (706b70faa)
- targetticket: set request source if no rule specified (2e04680eb)
- textareadifield: error when deduplicating uploads (666d81395)
- wizard: consistent breadcrumb on several pages (6639cda03)
Features
This version is compatible with GLPI 9.5.5 or later only. Users of GLPI 10 must use Formcreator 2.13 or later. Support of GLPI 9.5.4 and earlier has been dropped, see notes of version 2.11.3 to know the reason.
⚠️ This version intends to fix compatibility with GLPI 9.5.10 and 9.5.11, which contain an upgrade of TinyMCE (used for rich text editors). Some other fixes are also available in this release; see the changelog.
⚠️ Important note: Some administrators use business rules relying on the request source field in tickets to distinguish tickets created by Formcreator. A change has been made in the plugin to allow customization of the request source via ticket templates. Target tickets without a template will lose the request source "Formcreator". If business rules use the request source "Formcreator", it is recommended to add a ticket template to target tickets, with a predefined field "request source" set to "Formcreator".
Bug Fixes
- abstracttarget: retrieve sub itemtype from question (eccf3d1a)
- condition: empty sql IN statement (8e4d0491)
- dropdownfield,glpiselectfield: show item ID only on user preference (53dc3aeb)
- form: lightbulb always gray in darker theme (76a42bb4)
- glpiselectfield: bad WHERE criteria with entities (154a3531)
- glpiselectfield: comparison with regex (e6986b04)
- issue: performance problem in sync issue query (0e1761c9)
- issue: performance problem in sync issue query (74b38ec0)
- issue: requester replaced by author on ticket update (a8580a79)
- issue: sync issues problem when a ticket has several validators (backport 2.12) (#2971) (e3011590)
- radiosfield: accessibility from keyboard (e528aae7)
- targetticket: assign group actor from object (42aaadd4)
- textareafield: compatibility with GLPI 9.10 (a325a948)
- textareafield: compatibility with GLPI 9.5.10 (7f2ff1a9)
- textfield: remove invalid 'r' tokens (#3065) (da9d8dca)
- wizard: bad label when searching KB items (f469d048)
Features
- ldapselectfield: lazy loading (1afc6753)
Help / Contribution needed
- Locales updates: Some languages don't have a maintainer, or are late (much untranslated content). Please contribute on Transifex.
- documentation review and updates
Following the last releases of 10.0.4 and 9.5.10, an annoying issue has been detected in one of the security fixes provided.
The user is logged out when they try to switch to another entity.
We are therefore releasing new versions to address the bug; you can download them on GitHub: