Latest from the umbraco blog


Friday, February 03, 2012 by Niels Hartvig

Yesterday we got informed that there was an "Open Redirect Vulnerability" issue in Umbraco 4. We fixed it this morning. While we don't agree with the security consultants that it's a major issue, we do our best to fix reported security issues as fast as possible and have full disclosure.

Is this issue relevant for you?

The issue means that someone could make your editors click a link (in an e-mail or on a 3rd party website) pointing to the back office of your site, but then change where the editor would be redirected afterwards if they log in. This requires that you run Umbraco with the back office fully open and that an active editor logs in to the site. For instance:
http://yoursite.com/umbraco/?redir=http://myevilsite.com

Once your editor has authenticated, they'd be redirected to the evil site. No data is shared with that evil site, but it could show a fake Umbraco login page and try to trick your editor into submitting their credentials again. That way the attacker could then jump to your website and log in. All this would require a number of ifs and ifs, but the risk is real and may be important enough for you to upgrade…
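One way to close this kind of hole is to accept only same-site paths in the redir value before redirecting after login. The following C# is an added example, not Umbraco's code or the actual fix; the class and method names and the /umbraco/ fallback are assumptions.

```csharp
using System;

// Added example: hypothetical helper, not Umbraco's actual fix.
public static class RedirectGuard
{
    // Fallback used whenever the supplied target is rejected (assumed back office path).
    private const string DefaultTarget = "/umbraco/";

    // Returns the target only if it is a path on this site; otherwise the default.
    public static string SafeTarget(string redir)
    {
        return IsLocalPath(redir) ? redir : DefaultTarget;
    }

    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Must be rooted at this site: "/umbraco/..." is fine,
        // "http://..." or "myevilsite.com" is not.
        if (url[0] != '/') return false;

        // "//host" and "/\host" are treated by browsers as protocol-relative
        // URLs and would leave the site.
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;

        // Control characters (CR, LF, tab) can be stripped by browsers or
        // split the Location header, so reject them outright.
        foreach (char c in url)
        {
            if (char.IsControl(c)) return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed sample values; the second is the form shown in the post.
        string[] samples =
        {
            "/umbraco/", "http://myevilsite.com", "//myevilsite.com",
            "/\\myevilsite.com", "/\t/myevilsite.com", null
        };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-28} -> {1}", s ?? "(none)", SafeTarget(s));
        }
    }
}
```

Only the first sample is kept as the redirect target; every other value falls back to the back office root.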

How to upgrade

In a hurry, you can go download the 4.7.1.478 nightly which contains the fix. If you're running 4.7.1.1, all you need to do is to overwrite the "/bin/umbraco.dll" file. If running older versions, please refer to the upgrade guide.

4.7.1.2 next week

We'll be releasing an official 4.7.1.2 early next week.

Umbraco 5

This issue is present in Umbraco 5 as well and will be fixed for 5.0.1.

Questions?

Feel free to submit questions in the comments.

Tuesday, January 31, 2012 by Alex Norcliffe

Today is a pretty big milestone for the Umbraco 5 team. It's the end of January 2012, we've had seven progressively stable preview builds over the past months, and now it's time to put a stake in the ground.

After a lot of hard work, late nights, and invaluable help from the community testing our many preview builds, we've hit our first production milestone.

Umbraco 5.0 RTM is on CodePlex!

Please do grab a copy - take two, if you like - it's free after all!

Thanks to you

This is a release build and includes all of the fixes from the RC3 which we put out there last Wednesday. Since that time, we've already had almost 1000 downloads, which has made us incredibly proud. From our testing and that of the reported issues, it's ready for you to build your next live website.

Features

This is called "version 5 of Umbraco", but it's important to remember the history of the v5 project. We always intended to respect the vibrant culture and history of the Umbraco CMS as it has gone so far, and make a product that was on a fresh & rewritten technology stack but enabling the same common goals.

Our target for "5-point-0" out of the box is the most commonly used features of 4.7. We have a lot of features in 5.0 that enable you to go into production for the vast majority of site builds, and we have taken an approach of getting the core features done first - and stable.

We are now going to be iterating quickly with new features as the months progress, so that we reach feature parity with 4.7 and move beyond that quickly. So, yes it's like a "1.0" in some senses, but it already has a tonne of features that we think make it a great CMS.

  • Design and produce templates quickly using the excellent Razor syntax
  • Access your content in those templates using an intuitive dynamic API for both querying and walking up and down your content structure
  • Tailor content types with a variety of customisable fields, meaning you can focus on your content structure without a hard link to its layout
  • Use multiple templates with pages so you can easily adjust to your site's needs, do A/B testing, cater for mobile handsets, or generate RSS feeds
  • Have document types that inherit from one or more other types, making it simple to organise common fields for things like SEO that are shared across all of your articles
  • Create, preview and publish content in a naturally organised way using folders that can automatically create your site navigation, if you like
  • Create, preview and publish media and other types of assets
  • Store those assets on your server or in the cloud
  • Use a rich set of permissions to tailor backoffice access for your editing team
  • Plug in your own existing data in a way that Umbraco natively understands, rather than the only option being to migrate everything under Umbraco's control
  • Plug in your own backoffice editors, dashboards, and custom trees
  • Expose the underlying MVC stack for mixing in your own application, controllers and views with the content-managed portion
  • Share common pieces of functionality like Macros with your team
  • Share your own data providers, common templates, handy helpers and more using NuGet packages
  • Have those packages dynamically add configuration to a user's website so that uninstalling rolls back configuration seamlessly

There are many more, but you didn't come here for a list of bullet points - here's that download link again!

Documentation & help

In the next few weeks we'll be hard at work making tutorials, documentation and answering questions on the Our forums. Warren has already got off to a great start with some example Macros for common scenarios.

Here's to a bright future

5.0 is a great foundation for you to build on now, but we aren't stopping here. In the coming months we'll be focussing on adding great support for backoffice editing of your own membership data, and add some great APIs for reading and writing data to Hive in your own controllers and packages. We'll also be adding a few exotic things such as distributed caching and the like - if you have a feature idea, feel free to add it to our issue tracker and appeal for votes!

Performance

You might have seen the post I put up earlier this month about our approach to performance tuning as we approached RTM, and I also mentioned it in a recent uNews-letter. If not, or at least to put it here for posterity, here's a few of those figures.

I've been using the same content within each build of v5, and the same load script on my own development machine for each test run. It basically uses all 4 cores on my machine to both generate and serve the load from my local IIS.

| Database & Build | Total time for 50 requests | Equivalent requests per second |
| --- | --- | --- |
| SqlCe4 | | |
| RC1 | 44.514s | 1.12 |
| RC2 | 29.902s | 1.67 |
| Mid-Jan | 18.839s | 2.65 |
| RC3 | 1.693s | 29.53 |
| RTM | 0.228s | 219.30 |
| Sql Server 2008 R2 | | |
| RC1 | 25.487s | 1.96 |
| RC2 | 11.681s | 4.28 |
| Mid-Jan | 5.665s | 8.82 |
| RC3 | 1.645s | 30.39 |
| RTM | 0.134s | 373.13 |

To put those final figures into context, I re-ran the test against RTM with 1000 requests instead, and obtained around 2900rps.

This seems a steady improvement followed by an astronomical leap, what could it be?

It's a technique commonly referred to as "micro-caching". By default, the base controller that serves Umbraco 5 RTM requests caches the page output for 1 second. This technique sits on top of the existing steady improvements in the codebase, and provides the icing on the cake to help if your websites get a high peak load. So it's a setting that you might not notice in daily use (unless you're hitting refresh .. a lot), but your server will thank you if you get a sudden influx of traffic.

You can of course tweak this if you prefer; the setting is in configuration, and we'll be enabling more settings and handy "set it and forget it" defaults like this as we add features in the future.

Happy downloading!

To those of you who have followed us along the way, and to those who have helped us code and test, a massive thank you. And to those who will be helping us in the future, too. Have fun with Umbraco 5, and please do let us know what you think.

Here's that download link one more time.

All the best

Team 5

Thursday, January 26, 2012 by Niels Hartvig

It's weird how something that seems to be perfect, can slowly turn into a monster. For me it often happens just as I dare to lean back in the chair, take a deep breath of satisfaction and pat my own back thinking, "nailed it". Maybe it's because you're exhausted, maybe because you get lazy or maybe it's because you start "choosing your battles". Prioritizing if you will. Maybe even maturing.

My number one pet - the Umbraco community - has certainly matured. What started out as a crazy dream by a selected few is now the daily life of thousands. And during the journey - which is seven years in a few weeks - we've all been doing a great job of adjusting. What seemed right in 2005 may not be that great in 2012!

Why all this rambling? Well, because it's time to make an adjustment of what I thought was an evergreen in the Umbraco community - the MVP program - our "Most Valued People". It was started in 2007 as a way to recognize the selected few who really made a difference. The crazy ones. It was easy then because there weren't more than a few to pick from and I knew what every one had done. Read every post, tried every package.

As time went on and things grew, I couldn't keep up. Who could? So in 2010 I moved the responsibility to nominate the MVPs to the collective intelligence of the community. Based on the 20 community members who had the most karma, the community voted and the top five were honored with the recognition of being an MVP. Over five years Casey, Doug, Jesper, Per, Thomas, Warren, Dirk, Morten, Paul, Tim, Lee, Richard, Darren, Matt, Sebastiaan and Jan wrote a little bit of Umbraco history as the Umbraco MVPs.

We've been blessed with this fantastic bunch of people who were crazy enough to believe in an unknown project like Umbraco, crazy enough to help because it came naturally to them and crazy enough to share their work for free because it felt right.

Because it felt right. Not because they searched for recognition. Not because they wanted a badge, an honor, an ego boost. But simply because it was the building blocks Umbraco is made of. And the MVPs that followed went in the footsteps of what became known as the Umbraco culture - we really became the friendly cms. These are our roots.

Our culture is fragile, yet it's our most important asset and what really sets us apart. Our culture is about helping and sharing because it's the most natural thing to do and because we can't help it. Not because we strive for recognition. Before that becomes the norm, I've decided to close the MVP program. It's not worth striving for. What is worth striving for - while much harder - is a community that helps each other despite not getting anything tangible in return.

So the MVPs of 2011 will be the last ones. There won't be any voting this year nor the years that follow. The MVP program is history and we'll only miss it because it never got devalued. Kudos to the MVPs who brought us here and created a culture that made recognition obsolete. What a community!

"The unselfish effort to bring cheer to others will be the beginning of a happier life for ourselves.", Helen Keller