The Piwik development team is releasing Piwik 0.5 to address issues with performance, PHP 5.3.1 compatibility, and a potential security vulnerability in earlier versions of Piwik. We strongly encourage all Piwik users to update. Users will also benefit from new features and bug fixes in this release.

Automated update
The automated update was inadvertently broken in 0.4.4 and 0.4.5. If you are running either of these versions, please update manually to 0.5 (see How to update Piwik manually?), preferably by installing Piwik in a fresh folder. Our apologies for the inconvenience.

Security
In disclosing this security risk, we urge all Piwik users to update to this release as soon as possible. If you are unable to update at this time, you should make the following changes immediately to secure your Piwik installation:

  • In “core/Cookie.php”, apply this patch
  • Remove the third-party file “libs/open-flash-chart/php-ofc-library/ofc_upload_image.php” (if it exists). (Reference: SA37078 advisory)

Special thanks to security researcher Stefan Esser of SektionEins for his assistance.

New report

This release adds a new report to “Actions | Pages” which displays the page title. There are now two page reports, Page URLs and Page Titles. The page title can be set via setDocumentTitle(). (Refer to Piwik’s JavaScript tracking API for more info.)

In addition, this release addresses a significant table index bottleneck experienced by the largest Piwik instances. As a result of this performance enhancement, this release contains a schema update. If you have a large Piwik database, updates might take too long to run in the browser. If this situation applies to you, you can execute the updates from the shell (command line), e.g.:

  $ php path/to/piwik/index.php

Live! plugin

The “alpha” version of the “Live!” visitor plugin has also been updated, thanks to jr-ewing. To activate this plugin, go to “Settings | Plugins” and click on the “Activate” link. This will allow you to add a live visitor widget to the dashboard, and access the “Visitor Log” report from the menu. Please test-drive this plugin and provide feedback on the forum for further improvement. This is a beta release only.

New Features

  • #530 – Report actions by html page title as well as reporting by URL (or custom page name)
  • #708 – Hash the “name” column (using CRC32 algorithm) to speed up the SELECT idaction in piwik.php
  • #997 – widget+data loaded in a single fetch cutting round-trip delays (latency)

Bug Fixes

  • #693 – Visit Generator should ask for user confirmation before generating data
  • #905 – tag cloud line breaks
  • #947 – truncated translation string in Flash widget when “no data”; this is now styled consistently with “no data” for tables and tag clouds
  • #959 – Show website name in UI when displaying JavaScript tracking code
  • #967 – non-superuser admin could reduce own access to view/no access
  • #981 – add ORDER BY NULL clause where order doesn’t matter (faster)
  • #994 – set content type to application/JSON for OFC data feed
  • #1004 – add/delete user after changing site selection causes FF to prompt re: resending information
  • #1010 – auto-update failing
  • #1012 – “Database usage” (DBStatus menu) not translated
  • #1013 – html entities not decoded in User Country/Continent data tables
  • #1020 – “Save image locally” (right-click pop-up menu) only worked for last chart; also close stream on ‘Export as image’ pop up window
  • #1033 – archive.sh: readlink -f is not a valid option on FreeBSD
  • #1034 – undefined variable after resetting password
  • #1037 – URL match on ampersand fails on sanitized URL
  • #1039 – Class Piwik_Apiable not found when updating from pre-0.2.10
  • #1053 – suppress “add site” link for non-superuser
  • checking for writable session.save_path

Maintenance

  • #510 – update to jQuery 1.3.2 and jQuery UI 1.7.2
  • #946 – some CSS cleanup
  • #986 – handle Firefox variant user agent strings (eg development, alpha, or nightly builds)
  • #1029 – replace thickbox 3.1 with jquery ui dialog
  • #1049 – peephole optimizations (assignment to temporary variable before returning it)
  • sync up with Zend Framework 1.9.6

Piwik core developers Anthon, Maciej, and Matt contributed the bulk of updates for this release, with patches from jr-ewing, kurakin, manne, ogs22, and pebosi. And of course, thank you to the Piwik community and sponsors for your continued support and feedback.