Merge branch 'release/0.9.4'

.htaccess

@@ -2,7 +2,24 @@
 
 RewriteEngine On
 
-##
+## Begin - Exploits
+# If you experience problems on your site block out the operations listed below
+# This attempts to block the most common type of exploit `attempts` to Grav
+#
+# Block out any script trying to base64_encode data within the URL.
+RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
+# Block out any script that includes a <script> tag in URL.
+RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
+# Block out any script trying to set a PHP GLOBALS variable via URL.
+RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
+# Block out any script trying to modify a _REQUEST variable via URL.
+RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
+# Return 403 Forbidden header and show the content of the root homepage
+RewriteRule .* index.php [F]
+#
+## End - Exploits
+
+## Begin RewriteBase
 # If you are getting 404 errors on subpages, you may have to uncomment the RewriteBase entry
 # You should change the '/' to your appropriate subfolder. For example if you have
 # your Grav install at the root of your site '/' should work, else it might be something
@@ -11,29 +28,29 @@ RewriteEngine On
 
 # RewriteBase /
 
-# Access site
+## End - RewriteBase
+
+## Begin - Index
+# If the requested path and file is not /index.php and the request
+# has not already been internally rewritten to the index.php script
+RewriteCond %{REQUEST_URI} !^/index\.php
+# and the requested path and file doesn't directly match a physical file
 RewriteCond %{REQUEST_FILENAME} !-f
+# and the requested path and file doesn't directly match a physical folder
 RewriteCond %{REQUEST_FILENAME} !-d
+# internally rewrite the request to the index.php script
 RewriteRule .* index.php [L]
+## End - Index
 
-# Block various user files from being accessed directly
-RewriteRule ^user/accounts/(.*)$ error [R=301,L]
-RewriteRule ^user/config/(.*)$ error [R=301,L]
-RewriteRule ^user/(.*)\.(txt|md|html|php|yaml|json|twig|sh|bat)$ error [R=301,L]
-
-# Block cache/
-RewriteRule ^cache/(.*) error [R=301,L]
-
-# Block bin/
-RewriteRule ^bin/(.*)$ error [R=301,L]
-
-# Block system/
-RewriteRule ^system/(.*)$ error [R=301,L]
-
-# Block vendor/
-RewriteRule ^vendor/(.*)$ error [R=301,L]
+## Begin - Security
+# Block all direct access for these folders
+RewriteRule ^(cache|bin|logs)/(.*) error [L]
+# Block access to specific file types for these folders
+RewriteRule ^(system|user|vendor)/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$ error [L]
+## End - Security
 
 </IfModule>
 
-# Prevent file browsing
+# Begin - Prevent Browsing
 Options -Indexes
+# End - Prevent Browsing

CHANGELOG.md

@@ -1,3 +1,28 @@
+# v0.9.4 beta
+## 10/29/2014
+
+1. [](#new)
+    * New improved Debugbar with messages, timing, config, twig information
+    * New exception handling system utilizing Whoops
+    * New logging system utilizing Monolog
+    * Support for auto-detecting environment configuration
+    * New version command for CLI
+    * Integrate Twig dump() calls into Debugbar
+2. [](#improved)
+    * Selfupgrade now clears cache on successful upgrade
+    * Selfupgrade now supports files without extensions
+    * Improved error messages when plugin is missing
+    * Improved security in .htaccess
+    * Support CSS/JS/Image assets in vendor/system folders via .htaccess
+    * Add support for system timers
+    * Improved and optimized configuration loading
+    * Automatically disable Debugbar on non-HTML pages
+    * Disable Debugbar by default
+3. [](#bugfix)
+    * More YAML blueprint fixes
+    * Fix potential double // in assets
+    * Load debugger as early as possible
+
 # v0.9.3 beta
 ## 10/09/2014
 

bin/gpm

@@ -28,12 +28,14 @@ if (!file_exists(ROOT_DIR . 'index.php')) {
 
 $grav = Grav::instance(array('loader' => $autoload));
 $grav['config']->init();
+$grav['streams'];
 $grav['plugins']->init();
 $grav['themes']->init();
 
 $app = new Application('Grav Package Manager', GRAV_VERSION);
 $app->addCommands(array(
     new \Grav\Console\Gpm\IndexCommand(),
+    new \Grav\Console\Gpm\VersionCommand(),
     new \Grav\Console\Gpm\InfoCommand(),
     new \Grav\Console\Gpm\InstallCommand(),
     new \Grav\Console\Gpm\UpdateCommand(),

composer.json

@@ -13,7 +13,9 @@
         "symfony/console": "~2.5",
         "symfony/event-dispatcher": "~2.5",
         "doctrine/cache": "~1.3",
-        "tracy/tracy": "2.3.*@dev",
+        "maximebf/debugbar": "dev-master",
+        "filp/whoops": "1.2.*@dev",
+        "monolog/monolog": "~1.1",
 	    "gregwar/image": "~2.0",
         "ircmaxell/password-compat": "1.0.*",
         "mrclay/minify": "dev-master",

htaccess.txt

@@ -0,0 +1,56 @@
+<IfModule mod_rewrite.c>
+
+RewriteEngine On
+
+## Begin - Exploits
+# If you experience problems on your site block out the operations listed below
+# This attempts to block the most common type of exploit `attempts` to Grav
+#
+# Block out any script trying to base64_encode data within the URL.
+RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
+# Block out any script that includes a <script> tag in URL.
+RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
+# Block out any script trying to set a PHP GLOBALS variable via URL.
+RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
+# Block out any script trying to modify a _REQUEST variable via URL.
+RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
+# Return 403 Forbidden header and show the content of the root homepage
+RewriteRule .* index.php [F]
+#
+## End - Exploits
+
+## Begin RewriteBase
+# If you are getting 404 errors on subpages, you may have to uncomment the RewriteBase entry
+# You should change the '/' to your appropriate subfolder. For example if you have
+# your Grav install at the root of your site '/' should work, else it might be something
+# along the lines of: RewriteBase /<your_sub_folder>
+##
+
+# RewriteBase /
+
+## End - RewriteBase
+
+## Begin - Index
+# If the requested path and file is not /index.php and the request
+# has not already been internally rewritten to the index.php script
+RewriteCond %{REQUEST_URI} !^/index\.php
+# and the requested path and file doesn't directly match a physical file
+RewriteCond %{REQUEST_FILENAME} !-f
+# and the requested path and file doesn't directly match a physical folder
+RewriteCond %{REQUEST_FILENAME} !-d
+# internally rewrite the request to the index.php script
+RewriteRule .* index.php [L]
+## End - Index
+
+## Begin - Security
+# Block all direct access for these folders
+RewriteRule ^(cache|bin|logs)/(.*) error [L]
+# Block access to specific file types for these folders
+RewriteRule ^(system|user|vendor)/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$ error [L]
+## End - Security
+
+</IfModule>
+
+# Begin - Prevent Browsing
+Options -Indexes
+# End - Prevent Browsing

index.php

@@ -11,7 +11,6 @@
 }
 
 use Grav\Common\Grav;
-use Grav\Common\Debugger;
 
 // Register the auto-loader.
 $loader = require_once $autoload;
@@ -22,13 +21,11 @@
 
 $grav = Grav::instance(
     array(
-        'loader' => $loader,
-        'debugger' => new Debugger(Debugger::PRODUCTION)
+        'loader' => $loader
     )
 );
 
 try {
-    $grav['debugger']->init();
     $grav->process();
 
 } catch (\Exception $e) {

system/assets/debugger.css

@@ -0,0 +1,54 @@
+div.phpdebugbar {
+    font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+}
+
+.phpdebugbar pre {
+    padding: 1rem;
+}
+
+.phpdebugbar div.phpdebugbar-header > div > * {
+    padding: 5px 15px;
+}
+
+.phpdebugbar div.phpdebugbar-header > div.phpdebugbar-header-right > * {
+    padding: 5px 8px;
+}
+
+.phpdebugbar div.phpdebugbar-header, .phpdebugbar a.phpdebugbar-restore-btn {
+    background-image: url(grav.png);
+}
+
+.phpdebugbar a.phpdebugbar-restore-btn {
+    width: 13px;
+}
+
+.phpdebugbar a.phpdebugbar-tab.phpdebugbar-active {
+    background: #3DB9EC;
+    color: #fff;
+    margin-top: -1px;
+    padding-top: 6px;
+}
+
+.phpdebugbar .phpdebugbar-widgets-toolbar {
+    padding-left: 5px;
+}
+
+.phpdebugbar input[type=text] {
+    padding: 0;
+    display: inline;
+}
+
+.phpdebugbar dl.phpdebugbar-widgets-varlist, ul.phpdebugbar-widgets-timeline li span.phpdebugbar-widgets-label {
+    font-family: "DejaVu Sans Mono", Menlo, Monaco, Consolas, Courier, monospace;
+    font-size: 12px;
+}
+
+ul.phpdebugbar-widgets-timeline li span.phpdebugbar-widgets-label {
+    text-shadow: -1px -1px 0 #fff, 1px -1px 0 #fff, -1px 1px 0 #fff, 1px 1px 0 #fff;
+    top: 0;
+}
+
+.phpdebugbar pre, .phpdebugbar code {
+    margin: 0;
+    font-size: 14px;
+}

system/assets/whoops.css

@@ -0,0 +1,110 @@
+body {
+    background-color: #eee;
+}
+
+body header {
+    background: #349886;
+    border-left: 8px solid #29796B;
+}
+
+body .clipboard {
+    width: 28px;
+    height: 28px;
+    background: transparent url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABwAAAAcAQMAAABIw03XAAAAA3NCSVQICAjb4U/gAAAABlBMVEX///////9VfPVsAAAAAnRSTlP/AOW3MEoAAAAJcEhZcwAACxIAAAsSAdLdfvwAAAAcdEVYdFNvZnR3YXJlAEFkb2JlIEZpcmV3b3JrcyBDUzbovLKMAAAAFnRFWHRDcmVhdGlvbiBUaW1lADEwLzE1LzE0xr/LJAAAADhJREFUCJlj+P///wcGBPGDQR5E8OMi2IEEczOIaAQRHSCioQBGHAAR/7AT/z+DiA8MMALVXhABAJf9Sr5aY+UFAAAAAElFTkSuQmCC);
+}
+
+body .exc-title-primary {
+    color: #1C3631;
+    text-shadow: none;
+}
+
+body .exc-title {
+    color: #2F5B52;
+    text-shadow: none;
+}
+
+body .data-table-container label {
+    color: #0082BA;
+}
+
+body .frame {
+    border: 0;
+}
+
+body .frames-container {
+    overflow-y: auto;
+    overflow-x: hidden;
+}
+
+body .active .frame-class {
+    color: #E3D8E9;
+}
+
+body .frame-class {
+    color: #9055AF;
+}
+
+body .frame.active {
+    border: 0;
+    box-shadow: none;
+    background-color: #9055AF;
+}
+
+body .frame:not(.active):hover {
+    background: #e9e9e9;
+}
+
+body .frame-file, body .data-table tbody {
+    font-family: "DejaVu Sans Mono", Menlo, Monaco, Consolas, Courier, monospace;
+    font-size: 13px;
+}
+
+body .frame-code {
+    background: #305669;
+    border-left: 8px solid #253A47;
+    padding: 1rem;
+}
+
+body .frame-code .frame-file {
+    background: #253A47;
+    color: #eee;
+    text-shadow: none;
+    box-shadow: none;
+    font-family: inherit;
+}
+
+body .frame-code .frame-file strong {
+    color: #fff;
+    font-weight: normal;
+}
+
+body .frame-comments {
+    background: #283E4D;
+
+    box-shadow: none;
+}
+
+body .frame-comments.empty:before {
+    color: #789AAB;
+}
+
+body .details-container {
+    border: 0;
+}
+
+body .details {
+    background-color: #eee;
+    border-left: 8px solid #ddd;
+    padding: 1rem;
+}
+
+body .code-block {
+    background: #2C4454;
+    box-shadow: none;
+    font-family: "DejaVu Sans Mono", Menlo, Monaco, Consolas, Courier, monospace;
+    font-size: 13px;
+}
+
+body .handler.active {
+    background: #666;
+}