Experience and lessons learned while upgrading from 1.27 to 1.29 and porting WebCalendar 1.29 to PHP 7.1
Dear Users,
as I do not belong to the project I cannot update the source code (at least as of now).
History
I am using WebCalendar in Germany for about 50 users on MySQL on a server at a German hosting company. We installed the application via our internet hosting company, which used Plesk software to administer the account, initially on the basis of PHP 5.3.x. In September 2017 the internet provider announced that PHP 5.3.x would no longer be supported because of security concerns. We could choose between 5.6.x, 7.0.x and 7.1.x, which in turn did not allow WebCalendar to work.
As the internet provider offered no help and we wanted to keep using WebCalendar, we decided to adapt the code and to make it run under PHP 7.1.x and to keep the data (to avoid re-entering anything). In the end we were successful. The following is a step by step explanation of what we did to make it work.
What we did:
- We downloaded the release 1.29 and installed it alongside the 1.27 release (each in a separate directory).
- We exported the database from our live system (for backup reasons using PHPMyAdmin).
- We updated the table webcal_config in the MySQL database, actually just one single record: SERVER_URL must point to the new test site and path where your WebCalendar software is located (in our case the /.
- We updated the file /includes/settings.php: all you actually have to do is remove the installation password. As a result you are asked to provide a new password (which is necessary to proceed in the upgrade process). This step is only necessary if you do not know the old installation password (as was the case for me, because the automated install of version 1.27 was done by someone else).
The second necessary change in the file /includes/settings.php was the line with the db_type (previous setting mysql), which must be changed to mysqli (the i stands for improved). The reason is that the PHP function mysql_connect does not exist in PHP 7.x (was deprecated in 5.5 and later). The new connection method (mysqli) is quite different, as it allows several database connections to the same server, but it is already supported by the WebCalendar code (already in release 1.27).
- Update the source code according to the appended list (incompatible changes in PHP 7.x and the libraries)
- Next you start your browser with the install directory of your /WebCalendar129 (in my case). This will guide you quite nicely through the upgrade process.
- Then start up the calendar in your browser and you are done => WebCalendar runs on PHP 7.1, which is quite a bit faster than it was before due to improvements in PHP 7.x (over 5.x).
That makes the code work under PHP 7.1.x without any warning messages. We did not check through all functions, but on those we did check we could find no problem, and we use WebCalendar quite extensively. In fact the changes needed were minimal and the effort to implement the changes took only a few hours. Following the steps above takes an hour or less (my estimate).
In case you have trouble implementing these changes you could send me an e-mail. But beware: it might take some time for me to answer. Please be aware that I am not the project owner of WebCalendar; I am just using it, and I am very grateful for the extensive and well-functioning work that has been done by Mr Knudsen. As it is an open source project I am able to adapt it to my needs.
kind regards
Franz Gotsis
Munich, Germany
[email protected]
List of source code changes I did so far (but could not check in).
I did not yet walk through the code systematically, but I did change the code whenever I got errors or unintended behaviour. So be aware that these changes might not be everything that is needed. The changes might as well not be the most elegant ones, I did just enough to make the code work.
a) /includes/menu/index.php
old: (lines 238 onwards)
$tmp['name'] = $f;
$tmp['url'] = $xurl;
$groups[] = $tmp;
new:
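// Initialise both arrays before writing to them.
$tmp = array();
$tmp['name'] = $f;
$tmp['url'] = $xurl;
// If these lines run inside a loop, move this initialisation in front of
// the loop; otherwise every pass discards the groups collected so far.
$groups = array();
$groups[] = $tmp;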
The reason is that implicit array declarations are no longer supported since PHP 7.0. You have to initialise all array variables before you use them. In this case the arrays groups and tmp had not been initialised before assigning values.
b) /includes/formvar.php (just warnings - but those point to vulnerabilities) - lines 34 onwards
The purpose of these lines of code (also according to the existing comments) is to prevent attacks on the integrity of the WebCalendar server that work by adding commands to the POST data that should not be there. In line 21 there is a list of tags (words) to look for, which might mean that code has been added to the POST data that could lead to the generation of HTML pages that might listen in on users, trick them into providing passwords or carry out other malicious activities.
The search of the POST or GET (HTTP) data could fail because the names of these tags are hidden in escape sequences (the tag SCRIPT could be hidden as \x53\x43\x52\x49\x50\x54). To prevent that, the idea of the code was to replace the hex codes by their proper ASCII characters and then to do a text search. The method intended to achieve that goal was a call to the built-in function preg_replace, which in PHP 5.x allowed not only a replacement by strings but also, when given the "/e" option in the first argument (equivalent to #e), the execution of a function on the matches found.
Starting with PHP 7.x this will not work, as the /e option is ignored, which leads to a failure of the security mechanism. The PHP function to use now is preg_replace_callback, which calls a user-provided function for every match.
Previous code:
$teststr = preg_replace ( "#(\\x[0-9A-F]{2})#e",
"chr(hexdec('\1'))", $instr[$j] );
PHP 5.6 onwards compatible tested replacement:
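$teststr = preg_replace_callback(
    // Match the literal text \xNN. In a single-quoted PHP string '\\\\'
    // reaches PCRE as one escaped backslash; '\\x' alone would be read
    // as PCRE's own \x escape and never match the typed-out sequence.
    '/\\\\x([0-9A-Fa-f]{2})/',
    function ($matches) {
        // $matches[1] holds the two hex digits of this escape
        return chr(hexdec($matches[1]));
    },
    $instr[$j]
);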
====================
These were all the changes (pretty few) that I found necessary to make the code run on a site that uses PHP 7.1 or later (currently, on 28.12.2017, the latest PHP release).
None of the changes affects data or the user aware functions of the program WebCalendar.
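
The check described under b), decoding \xNN escapes and then searching for banned tags, shown end to end as an added PHP example that is not WebCalendar's own code. The BANNED_TAGS list, the function names and the sample values are constructed for illustration, and matching on `<tag` is an assumption about how the text search is done.

```php
<?php
// Added example, not WebCalendar code. BANNED_TAGS and the sample
// values are constructed for illustration.
const BANNED_TAGS = ['SCRIPT', 'IFRAME', 'OBJECT', 'EMBED'];

// Turn each literal \xNN sequence (backslash, x, two hex digits) into its character.
function decode_hex_escapes(string $in): string
{
    // In a single-quoted PHP string '\\\\' reaches PCRE as \\ (one literal
    // backslash). With only '\\x' PCRE would read its own \x escape instead.
    $out = preg_replace_callback(
        '/\\\\x([0-9A-Fa-f]{2})/',
        function (array $m): string {
            return chr(hexdec($m[1]));   // $m[1] holds just the two hex digits
        },
        $in
    );
    // preg_replace_callback() returns null on a PCRE error; fall back to the
    // raw input so the tag search below still runs on something.
    return $out ?? $in;
}

// Return the banned tag found in the decoded value, or null when none is present.
function find_banned_tag(string $value): ?string
{
    $decoded = decode_hex_escapes($value);
    foreach (BANNED_TAGS as $tag) {
        // Assumed search: "<", optional whitespace, tag name, case-insensitive.
        if (preg_match('/<\s*' . preg_quote($tag, '/') . '/i', $decoded) === 1) {
            return $tag;
        }
    }
    return null;
}

// Constructed form values: plain text, a plain tag, the escaped spelling of
// SCRIPT quoted in section b), OBJECT with lower-case hex digits, and a
// harmless value that merely contains an escape.
$samples = [
    'Team meeting at 10:00',
    '<script>',
    '<\x53\x43\x52\x49\x50\x54>',
    '<\x4f\x42\x4a\x45\x43\x54>',
    'Room \x41 is booked',
];
foreach ($samples as $s) {
    $hit = find_banned_tag($s);
    printf("%-32s %s\n", $s, $hit === null ? 'accepted' : "rejected ($hit)");
}
```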