tenzap edited this page Mar 9, 2022 · 21 revisions

Version 0.8

Upgrade to CodeIgniter 3

  • Kalkun upgraded from CodeIgniter 1 to CodeIgniter 3.1.13

Library updates

  • You need the PHP Composer tool. Many libraries that used to be copied into the Kalkun source code have been removed from the code base. They are now fetched using Composer.


  • Phone number input is now validated against the libphonenumber-for-php library, which is based on Google's libphonenumber.

  • Before entering the database, the phone number is checked for validity, then reformatted to international format for storage.

  • Whenever you edit an existing user or contact that was added before the use of libphonenumber, the number passes through this library and is validated. If you save it, it is updated to international format in the database.

  • If you use an API (JSONRPC, REST...), the phone number is checked too. Be sure to enter a valid phone number in international format when using an API. Otherwise your request might be rejected for "invalid phone number".

  • Besides, you can check a number for validity by calling (PR #396):


    or by doing a POST request to


    with parameters: phone=PHONENUMBER&region=REGION

    The output is a JSON-encoded string: "true" if the number is valid, or the error message reported by libphonenumber.
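
The validate-then-reformat step described above, written directly against libphonenumber-for-php. This is an added example, not Kalkun's own code: the helper name `normalize_phone` is hypothetical, the sample numbers are constructed, and E.164 is an assumption about what "international format" means here.

```php
<?php
// Added example, not Kalkun code.
// Assumes the library was installed with: composer require giggsey/libphonenumber-for-php
require __DIR__ . '/vendor/autoload.php';

use libphonenumber\NumberParseException;
use libphonenumber\PhoneNumberFormat;
use libphonenumber\PhoneNumberUtil;

/**
 * Hypothetical helper: returns the number in E.164 form, or null with the reason in $error.
 * E.164 is an assumption about the "international format" used for storage.
 */
function normalize_phone(string $input, string $region, ?string &$error = null): ?string
{
    $util = PhoneNumberUtil::getInstance();
    try {
        // $region is only consulted when $input does not start with "+" and a country code.
        $parsed = $util->parse($input, $region);
    } catch (NumberParseException $e) {
        $error = $e->getMessage();
        return null;
    }
    if (!$util->isValidNumber($parsed)) {
        $error = 'number is not valid';
        return null;
    }
    $error = null;
    return $util->format($parsed, PhoneNumberFormat::E164);
}

// Constructed sample inputs: [number as typed, default region].
$samples = [
    ['+41 44 668 18 00', 'CH'],  // already in international notation
    ['044 668 18 00', 'CH'],     // national notation, needs the region
    ['12345', 'CH'],             // too short to be a real number
    ['not a number', 'CH'],      // no digits at all
];
foreach ($samples as [$number, $region]) {
    $result = normalize_phone($number, $region, $error);
    printf("%-18s %s\n", $number, $result ?? "rejected: $error");
}
```

Running the same check on the client side before calling the JSONRPC or REST API avoids the "invalid phone number" rejection described above.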

Change the default encryption_key

  • To improve security, it's highly recommended to change the default encryption_key in application/config/config.php. See setting your encryption key.
  • On Unix/Linux you may run:

    php -r 'echo bin2hex(random_bytes(16)), "\n";'

    Write the value in application/config/config.php and enclose it in a call to the hex2bin() function. For example:

    $config['encryption_key'] = hex2bin('32_CHAR_LONG_ENC_KEY');

Password update

  • The algorithm used to store user passwords changes with 0.8, so old passwords stored with v0.7.1 won't work anymore.
  • You need to tell your users to reset their password.
  • If you still use the default password, it is updated during the upgrade process.
  • To manually set a password in the database:
    1. Compute a hash for the given password this way:
       php -r 'echo password_hash("new_password", PASSWORD_BCRYPT) . "\n";'
    2. Insert it in the DB. The SQL query would be:
      1. for MySQL syntax
         UPDATE user SET password = 'HASH_COMPUTED_ABOVE'
         WHERE id_user = 1 AND username = 'kalkun';
      2. for PostgreSQL syntax
         UPDATE public."user" SET password = 'HASH_COMPUTED_ABOVE'
         WHERE id_user = 1 AND username = 'kalkun';
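
The two manual steps above combined into one script, as an added example that is not part of Kalkun. The function names and the file name `set_password.php` are hypothetical; the table, columns, user id 1 and username `kalkun` are the ones from the queries above. It reads the password from standard input instead of the command line and refuses input that bcrypt would truncate.

```php
<?php
// Added example, not Kalkun code. Usage: php set_password.php [mysql|pgsql]

function hash_for_kalkun(string $plain): string
{
    // bcrypt only uses the first 72 bytes; refuse longer input instead of truncating silently.
    if ($plain === '' || strlen($plain) > 72) {
        throw new InvalidArgumentException('Password must be 1 to 72 bytes long for bcrypt.');
    }
    $hash = password_hash($plain, PASSWORD_BCRYPT);
    // Self-check before anything is written to the database.
    if (!password_verify($plain, $hash) || password_get_info($hash)['algoName'] !== 'bcrypt') {
        throw new RuntimeException('Generated hash failed verification.');
    }
    return $hash;
}

function update_statement(string $hash, int $idUser, string $username, string $dialect): string
{
    // The statement is built as text for review and pasting, so both inputs are
    // restricted to characters that cannot break out of the SQL string literals.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $username)) {
        throw new InvalidArgumentException('Unexpected characters in username.');
    }
    if (!preg_match('#^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$#', $hash)) {
        throw new InvalidArgumentException('Not a bcrypt hash.');
    }
    $table = $dialect === 'pgsql' ? 'public."user"' : 'user';
    return sprintf(
        "UPDATE %s SET password = '%s'\nWHERE id_user = %d AND username = '%s';",
        $table, $hash, $idUser, $username
    );
}

if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    // Reading from standard input keeps the password out of shell history and the process list.
    fwrite(STDERR, 'New password: ');
    $plain = rtrim((string) fgets(STDIN), "\r\n");
    $hash = hash_for_kalkun($plain);
    echo update_statement($hash, 1, 'kalkun', $argv[1] ?? 'mysql'), "\n";
}
```

If you pass the resulting statement to a database client on the command line, keep it in single quotes or in a file: the `$` characters in a bcrypt hash are expanded by the shell inside double quotes.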

Encryption library

  • During migration to CodeIgniter 3 we switched from the older CI3 Encrypt Library to the CI3 Encryption Library for security reasons. This required updating the default encryption key. Passwords you may have stored with the older version can't be recovered with the new encryption key.
  • If you were using the sms to wordpress or sms to xmpp plugins, you need to update their credentials.

Enable CSRF Protection

  • CSRF Protection as provided by CodeIgniter 3 is now enabled by default in Kalkun.
  • As part of this change, some HTTP requests were changed from POST to GET. (PR #397)
  • You can disable it in the application/config/config.php file.

XSS (cross site scripting) mitigation strategy

  • The CodeIgniter methods that were used in Kalkun have been deprecated in CI3. Kalkun now does XSS filtering on output, not on input, as suggested.

Cookie SameSite policy

  • It is set to 'Strict' (PR #402)

Redirection to the requested page

  • If you request a Kalkun URL while you are no longer logged in, you are redirected to the login screen. Once logged in, you are directed to the page you originally requested, with the query (?key=value...) attached to that URL. Any data POSTed will be kept until the first page reached after successful login.

Ability to open the compose window by URL

  • It is now possible (PR #395) to go directly to the compose window and to have the form prefilled with phone number and message. To do so:

For a clean compose window:

  • This can also be done with a POST request

Plugins configuration

  • The configuration of the plugins, which used to be part of the plugins/plugin_name/plugin_name.php file, has been extracted and moved to the plugins/plugin_name/config/plugin_name.php file.
  • Be sure to make a backup of your configuration and restore the values back to the new file.
  • Impacted plugins:
    • phonebook_ldap
    • phonebook_lookup
    • simple_autoreply
    • sms_credit
    • sms_member
    • sms_to_twitter
    • sms_to_email
    • sms_to_wordpress
    • sms_to_xmpp
    • stop_manager

SMS charset auto detection

  • Kalkun now automatically detects whether an SMS has to be sent with the Unicode or GSM charset. This change applies to the GUI as well as to those using the APIs.
  • It is no longer necessary to pass the encoding when using the REST API.

b8 spam filter

  • Upgraded to b8 v0.7
  • The b8 table schema is upgraded to v3 during the Kalkun update
  • The old b8_wordlist table is backed up as b8_wordlist_v2

JSONRPC plugin

  • The plugin now uses datto/json-rpc-http, which implements the JSONRPC 2.0 standard. The previous version of Kalkun used the JSONRPC 1.1 standard.

Browser support

  • With the upgrade of jQuery to v3.6.0, you need a modern browser. See jQuery Browser Support
  • The older Statistics display tool (open-flash-chart, based on Adobe Flash Player) is replaced by Chart.js

Dropped cubrid DB support

There is no SQL script to create db for cubrid in gammu. See: So we drop support. This hasn't been updated for years anyway.
