Wavelog

Important Security Update

This release fixes a critical vulnerability affecting all existing Wavelog installations from version 1.8 onward. While we have no indication of exploitation in the wild, the risk profile changes once the fix is public and we recommend updating to 2.4.2 promptly.
If you cannot update right away, block external access to the /install/ directory at your webserver level as a temporary mitigation.

A full security advisory will be published in approximately 30 days.

Changes

• Add lightweight search page for qrz.com embedding (by @tallcode)
• Added User agent for JWKS request in sso implementation (by @HadleySo)
• Added ability to skip the first login wizard for clubstation members on first login (by @HadleySo)
• Fixed logout redirect when SSO is enabled (by @HadleySo)
• fixed a bug, where bandplan saved/adjusted by instanceowner wasn't correctly processed for user (by @int2001)
• Added automatic DXCC-Lookup at 1st login Wizard (by @int2001)
• Made the selectable OQRS-Deliverymethods configurable (by @int2001)
• Fixed a bug for Notes, where titles could be "null" (by @int2001)
• Added an option to print the OP-Field also on a label (by @int2001)
• Added SIG/SIG_INFO to LBA-Batchedit (by @int2001)
• Fixed the duplicate check in the Advanced Logbook. In some cases, it would not show duplicates (by @AndreasK79)
• Fixed the 13cm band designator in cabrillo export (by @phl0)
• Made last LoTW upload check a bit more specific (by @phl0)
• Added links to eqsl.cc and Clublog for callbook search results (by @phl0)
• Added propagation modes GWAVE and LOS (by @phl0)
• Fixed some vulnerabilities in the installer (by @HB9HIL, found by BA7LAC)
• Fixed a bug in CAT URL handling with http and https (by @HB9HIL)

This is a maintenance release fixing a number of bugs (see details below) and refactoring a few pages like DX-Cluster, Advanced Logbook and JCC award.

• Fixed a bug in logic for ITU zone awards (by @phl0)
• Refactored the code to import POTA references to also check for QSOs with /P while looking for matches (by @phl0)
• Fixed a bug where DXCC-Stats were not shown, when prop_mode was NULL (by @int2001)
• Extended filters for get_contacts_adif API (by @int2001)
• Fixed a bug at visitor page, which caused a 500-error (by @int2001)
• Fixed home-qth calculation at map for DXCluster (by @int2001)
• Added Sourcefilter to DXCluster/Bandlist (by @int2001)
• Added mode and heatmap to the Timplotter (by @AndreasK79)
• Added wrapping of CQ and ITU zones in the map in the Advanced Logbook (by @AndreasK79)
• Fixed Quicksearch in the Advanced Logbook (by @AndreasK79)
• Fixed Winkey dialog not wanting to close (by @AndreasK79)
• Fixed a duplicate mode issue in the filter dropdown in the Advanced Logbook (by @AndreasK79)
• Added QSO merge functionality to the Advanced Logbook (by @AndreasK79)
• Fixed a bug in cronmanager when calculated time hit exactly between 2-3am during DST switch (by @HB9HIL)
• Fixed names of Italian cities (by @iu2frl)
• Refactored JCC award with major speed increase (by @cebarobot)
• Added an (optional) check for MY_GRIDSQUARE for ADIF imports (by @cebarobot)
• Fixed QSO details for JCCs that have Kus (by @cebarobot)
• Added band slots to the DXCC summary for "All Bands" view (by @sm6srw)
• Fixed a but with flickering local time display in logging view while changing callsigns (by @sm6srw)

This release brings support for Single Sign-On (SSO) over OIDC and reflects the latest changes in ADIF 3.1.7. Alongside with some security bugfixes and other improvements. It is important to know that this introduces FT2 (among others) as a new (sub)mode. This has no impact on other external and 3rd party services and their handling of the new modes. With this release Wavelog handles those modes correctly. Please allow other services to pick up the changes in ADIF standard and do not file bugs like "LoTW/eQSL/Clublog etc. is not confirming my FT2 QSOs correctly".

Disclaimer and a little note:
A heated discussion has erupted around the topic of FT2 in recent weeks and the Wavelog Dev Team also had to deal with this. The Wavelog Dev Team does not want to be part of this politics. We adhere to the ADIF standard and stand for the values of OpenSource Software. There is nothing more to say about it.

• OIDC Implementation for SSO Support (by @HadleySo and @HB9HIL)
• Added frequency to batch edit in the Advanced Logbook (by @AndreasK79)
• Added the WAIP award (by @AndreasK79)
• Fixed some Winkey visibility issues in the QSO entry (by @AndreasK79)
• Fixed so that the dupe check respects chosen location(s) in the Advanced Logbook (by @AndreasK79)
• QSO information is refreshed is you edit a qso in the Advanced Logbook (by @AndreasK79)
• Harmonized RX/TX Display for CAT-Status (by @int2001)
• Added grand total (absolute and percentage) to QSL-Analytics (by @int2001)
• Several securityfixes regarding CSRF-Vulnerabilities (by @int2001)
• Fixed a bug at default timeranges where "Last-Year" or "This-Year" wasn calculated in the wrong way (by @int2001)
• Added an indicator at Logbookadvanced to see if a filter is set or not (by @int2001)
• Improved ADIF-Importer regarding multibyte columns (by @int2001)
• Fixed CSV-Download at Logbookadvanced (by @int2001)
• Added Clublog-Stats to Dashboard (by @int2001)
• Refactored the API endpoint for worked grids so that logbook id can be used instead of public slug. This allows for querying the API without the logbook needing to be publicly available (by @phl0)
• Fixed some faulty code that did not process logbook and station location relationsships correctly (by @phl0)
• Refactored LBA edit function for LoTW sent to comply with ADIF standard (by @phl0)
• Changed default FT8 reports to 2-digit style and CW reports for AUR QSOs to "59A" (by @phl0)
• Integrated changes needed for ADIF 3.1.7 (by @phl0)
• Fixed some variable input satinizing to prevent code injection (by @HB9HIL)
• Refactored cookie handling (by @HB9HIL)
• Prevent invasive log flooding with cache buster logs (by @HB9HIL)
• Added new language Ukrainian (by @HB9HIL)
• Fixed a bug in email notifications for club members over sendmail (by @HB9HIL)

This release fixes a number of bugs and has some improvements for the advanced logbook. Also the support for satellites which are not (yet) supported by LoTW was improved. Pleaes note: We moved our documentation from the classic Github Wiki to https://docs.wavelog.org

Please note: With this release several database migrations where merged. Due to this some files were renamed and some old ones deleted. This may lead to errors for people updating Wavelog by (only) copying over new files (e.g. via FTP). In order for this update to apply properly please follow the instructions at https://docs.wavelog.org/getting-started/updating/#updating-via-zip-file carefully. (Hotfix: In case you run into troubles with an error message complaining about multiple migrations with version number 170 simply delete the file applications/migrations/170_tag_2_6_3.php. But take care of the rest of the instructions on the wiki as well).

• Added location dropdown for DBTools in the Advanced Logbook (by @AndreasK79)
• All modes are not visible (regardless of active status) for edit in the Advanced Logbook (by @AndreasK79)
• Added column selection for the text search filter in the DXCluster (by @AndreasK79)
• Major award speedup for CQ, ITU, DXCC, VUCC, WAC and WAE (by @AndreasK79)
• Added QSO duration column and filter in the Advanced Logbook (by @AndreasK79)
• Advanced Logbook page load speedup (by @AndreasK79)
• Split callsign and gridsquare option in printed labels (by @AndreasK79)
• Added satellite info to timeline filters with SAT as prop mode (by @phl0)
• Added a hint for wrongly entered single grid into VUCC grids field (by @phl0)
• Changed hamqth code to also set DARC DOK from queried information (by @phl0)
• Added an API function to pull all worked / confirmed grids from a logbook (by @phl0)
• Fixed some QSO lists which were showing dupes due to satellites without LoTW support (by @phl0)
• Fix regarding LoTW-Upload and EndDates (by @int2001)
• Prevent Downloading Full LoTW-Report for Users with no QSO in Log (by @int2001)
• Fixed a bug where the DXCC was accidently updated to the wrong DXCC (by @int2001)
• Use the DOK at HamQTH (when HamQTH configured) for "Update from Callbook" (by @int2001)
• Added the Logbook-ID to Station-Profile View (by @int2001)
• Fixed a security issue with public-logbooks (by @int2001)
• Added Option to disable Map at QSO-Form for mobile use (by @int2001)
• Simplify lookup at QSO-Form regarding previous QSOs (by @int2001)
• Simplify views when working Split on same QRG - show only one Frequency (by @int2001)
• Fixed a bug at Distance-Analytics (by @int2001)
• Merged 170 migrations into the install.sql to reduce filecount and improve installer performance (by @HB9HIL)
• Introduced the cache_buster function which helps reducing support cases cause by browsercaching (by @HB9HIL)
• Websocket can now be chosen as default radio, also clubstations can set default radios (by @HB9HIL)
• DXcluster Improvements for performance (by @HB9HIL)
• Removed old/unused stuff (by @HB9HIL)
• Fixed old http:// links and replaced them by https:// (by @HB9HIL)
• Fixed the "QTH Lookup" feature in QSO logging (by @HB9HIL)
• Fixed Callbook session key persistence to improve callbook lookup performance (by @HB9HIL)
• New installations will now use APCu caching by default (by @HB9HIL)
• HamQSL Widget on the dashboard got now some colored dots (by @HB9HIL)
• Updated Wiki Links for the new documentation (by @HB9HIL)

Dear community

This is our 2nd anniversary release and the 38th release in total! In February 2024 we presented Wavelog to the world. In the last two years Wavelog has gone through big changes, improvements, some bugs (that's normal, trust us) and was battle tested by you! We say thank you to all contributors, translators, testers and everyone who appreciates our work. TNX!

This release brings some essential improvements. The biggest enhancement lies in performance. We completely refactored the DXCC lookup for faster and more reliable identification. Session handling now uses HMAC SHA256 instead of bcrypt – this alone makes session key generation significantly faster. The caching system has been rebuilt from the ground up: besides the default file-based caching, Wavelog now supports Redis, Memcached and APCu for those who want to squeeze out even more speed. A new garbage collector takes care of expired cache files automatically.

Beyond performance, we've added useful features to the Advanced Logbook, improved the DXCluster, cleaned up legacy code for PHP 8.5 compatibility, and squashed numerous bugs along the way.

Check the full changelog below for details. 73!

• Added dataformat 'd M y' (by @kc9uhi)
• Fixed a bug where satellites w/o LoTW name weren't properly handled (by @kc9uhi)
• Fixed UI so date preset buttons default to UTC (by @kc9uhi)
• Fixed UI in create and edit station locations so pages are consistent, Fixed bug in US County dropdown (by @kc9uhi)
• Fixed db collation (by @kc9uhi)
• Added silent hybrid websocket connection for thirdparty tool (by @TnxQSO-Admin)
• Improved DXCC identification (by @AndreasK79)
• Fixed duplicate search in the Advanced Logbook (by @AndreasK79)
• Adjusted cat color in the DXCluster for bright themes (by @AndreasK79)
• Added a map for invalid gridsquares in DBTools (by @AndreasK79)
• Changed main link for VUCC DXCC gridsquare list to be fetched from our Github mirror (by @AndreasK79)
• Added potential DXCC for gridsquare search in Quick Lookup (alt-l) (by @AndreasK79)
• Added a check for IOTA against DXCC in DBTools (by @AndreasK79)
• Fixed public search so that only activated search logbooks are searched (by @AndreasK79)
• Can now blank CQ and ITU zones in batch edit in the Advanced Logbook (by @AndreasK79)
• Can now set blank CQ and ITU zone in QSO edit (by @AndreasK79)
• Callbook update in the Advanced Logbook now sets CQ zone (if not already set) (by @AndreasK79)
• Redesigned column and map options in the Advanced Logbook (by @AndreasK79)
• Added sort order and direction in the Advanced Logbook (by @AndreasK79)
• Fixed a message about selection QSOs in DBTools and CQ Zone checker (by @AndreasK79)
• Fixed error 500 if unit is set to mi or nmi in the Advanced Logbook (by @AndreasK79)
• Speed up Accumulated Statistics queries (by @AndreasK79)
• Fixed an issue for QSO display in Timeline when mode was selected (by @AndreasK79)
• Removed redundant incorrect CQ/ITU zone checker under search (use DBTools) (by @AndreasK79)
• Refactored LoTW login code to catch more possible errors (by @phl0)
• Added column with last modification time to LBA for debugging puposes (by @phl0)
• Reworked code for LoTW cert uploads to handle password-protected certificates and inform user accordingly (by @phl0)
• Rafactored LoTW code to catch rate limits on LoTW side properly (by @phl0)
• Added link to Wiki with LoTW FAQs on LoTW cert upload page (by @phl0)
• Fixed a bug where DCL QSL received was set when updating the DARC DOK (by @phl0)
• Fixed a bug where empty frequency of QSOs led to empty column (by @phl0)
• Fixed a bug that caused QRZ-re-upload on changes to DCL QSL state (by @phl0)
• Made LoTW match code more relaxed as except SAT prop modes are not taken into account while matching (by @phl0)
• Added file filter expression for various file uploads (by @phl0)
• Fixed a security issue with webadif functions (by @phl0)
• Enabled "Add sked partner" if at least one satellite is selected (by @phl0)
• Enhanced satellite list to show whether the sat is supported/known by LoTW (by @phl0)
• Added callsign filter in the gridsquare map (by @phl0)
• Changed code to handle satellites which are not (yet) supported by LoTW properly (by @phl0)
• Changed date format on debug page to respect user configured date format (by @phl0)
• Fixed issues with map display of QSOs which happened in the same grid square (by @phl0)
• Fixed an issue where callbook lookups where executed even if credentials where missing in the config file (by @phl0)
• Aligned QSL colors in last QSOs partial view (by @phl0)
• Wavelog now uses HMAC SHA256 for session key generation. This is much much faster then the previous old solution with bcrypt keys (by @HB9HIL)
• Removed old functions which had no effect since PHP8+ and get rid of some deprecation warnings for PHP8.5 (by @HB9HIL)
• Cleaned up the create_qso() which were cluttered over the years. Also gives a little bit more performance (by @HB9HIL)
• Fixed a bug in the new DXCC Lookup class which caused a faulty DXCC result if callsign is lowercase (by @HB9HIL)
• Small improvements to the import() function to make ADIF import more efficient (by @HB9HIL)
• Refactored the whole caching usage. Wavelog now supports next to the default file caching the way over redis, memcached or apcu. Allows nifty users to speed up their Wavelog instance even more. The debug view now shows some information about caching (by @HB9HIL)
• Implemented a global garbage collector for file based caching. Redis, Memcached and APCu have their own gc, but file based caching needs a regular cleanup. This garbage collector cleans up file based cache on their expired TTL's by a dynamicly generated probability (depends on traffic)
• Fixed the DXcluster caching to work properly with the refactored caching logic (by @HB9HIL)
• Fixed some localizations (by @HB9HIL)
• Fixed a bug in multicallbook configuration where the lookup failed in case of multiple callbooks and the first try were sucessfull (by @HB9HIL)
• Performance-tuning for QSO-Save (by @int2001)
• Performance-tuning for DXCC-Lookup at DXCluster (by @int2001)
• Performance-tuning for Dashboard and Logbook-Overview (by @int2001)
• Fixed a bug, where wrong API-Usage could lead into 500/ServerError (by @int2001)
• Emit logged ADIF to websocket as preparation for future UDP/2333 usage (by @int2001)
• Emit Az/Ele when working SAT via websocket as preparation for future Rotator-Control via WavelogGate (by @int2001)
• Fixed a security issues, where permissions/grants were not properly checked (by @int2001)
• Enhanced private_lookup-API with callbook-lookup (by @int2001)
• Introducing optional/configureable Ratelimit for APIs (by @int2001)
• Improved Clublog-Interface again (by @int2001)
• Implemented additional SSL-Communication from WL to WavelogGate / fallback still Non-SSL (by @int2001)
• Fixed a bug at DXCluster, where precision of spots was lost (by @int2001)
• Made API for "create_station" more relaxed/failsafe (by @int2001)
• Changed click on "DXCluster-Spot" to ensure it's filled into live-logging and not post-logging (by @int2001)
• Fixed an issue where the Map at "Overview" wasn't in sync with the QSO-List (by @int2001)
• Fix several issues with "non-LoTW"-SATs (by @phl0 and @int2001)