Missed the 3.0 release? Check out the upgrade & release notes here.
Hi everyone! The team has been hard at work over the last month fixing bugs and security holes and even squeezing in a new feature. There should be no breaking changes in this release so it should be a very straightforward update.
- Vanilla 3.x requires PHP 7.1 which is a change from earlier versions. We strongly recommend upgrading to PHP 7.3 as soon as possible. Many hosting plans allow a seamless transition via their control panel.
- Follow the normal upgrade process, including running /utility/update.
- Follow additional specific upgrade instructions.
- Test your plugin & theme compatibility in a safe place before upgrading your production forum.
Get it over in the addon directory: https://open.vanillaforums.com/addon/vanilla-core-3.1
For the forum I host, I needed to create a plugin that would allow for filtering searches, without the use of additional software (like Sphinx), as my server host does not support it. This led to the creation of the FilterForumSearch plugin:
You can find the plugin here: https://open.vanillaforums.com/addon/filteredforumsearch-plugin-2.0
The plugin supports the following filters:
- Q&A status
- Comment/Reply count
The plugin has no dependencies outside of Vanilla and the Q&A plugin. This allows it to work with shared hosting plans and other server plans that otherwise wouldn't allow for filtered searching through additional software. The plugin works by using an SQL query to retrieve data based on the parameters passed in, using Vanilla's SQL interface to (hopefully) minimize SQL injection potential.
Hopefully this plugin will be helpful for others who are looking for search filters but cannot install additional software.
Motivation behind creation
One of the members of the forum I host mentioned that they would prefer additional search parameters/filters to make it easier to find if similar questions have already been answered by using the search page in Vanilla. To me, this was a reasonable request, so I set about finding a solution.
One of the admins on the forum suggested the SphinxSearch plugin, which would have worked great and provided everything we need. Unfortunately, I discovered that my server provider does not have Sphinx support with the hosting plan I have bought, making this plugin unusable for the forum.
I found the CategorySearch plugin, which uses SQL queries to filter the search, which looked like exactly what I was looking for. However, the plugin didn't work with the version of Vanilla the forum is using, 2.8.3 currently. After trying to get it to work for a few hours with no result, which is probably due to my lack of PHP experience, I decided to rewrite the non-working parts of the plugin entirely, using a slightly different method than the original.
Having made this decision, I set about rewriting a good chunk of the plugin, using the CategorySearch plugin as a reference. After a couple days of work, testing, and debugging, I finally had a working plugin that filters searches using direct SQL queries.
After this, it was pointed out to me that using SQL queries directly could introduce security vulnerabilities, so I rewrote the plugin to use Vanilla's SQL interface instead and removed all direct SQL queries, hopefully removing any vulnerabilities I introduced through the plugin.
Once I had that working, I cleaned a few things up, changed the plugin info, and uploaded it both here and to the GitHub repository holding all of the modified plugins for the forum I'm hosting.
Huge thanks to @R_J, the creator of the CategorySearch plugin! Using the plugin as a base was extremely helpful and greatly sped up the time it would have taken to write the plugin if I wrote it entirely from scratch.
One major thing I am not sure about is the PHP code I wrote for the plugin.
While I have SQL experience, I have only used PHP minimally, so the code may be poorly written. If someone with PHP/SQL experience does not mind looking at the plugin and its code, I would highly appreciate it! I think the code is probably stable and secure enough for most cases, but I'm concerned that I might have missed something obvious.
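The "direct SQL queries" versus "Vanilla's SQL interface" point in the post above, as an added example that is not the plugin's or Vanilla's own code. It uses Python with an in-memory SQLite table standing in for GDN_Discussion: the CountComments column follows Vanilla's Discussion model and QnA is the column the Q&A plugin adds, but the rows, the allowed status list and the function names are constructed for this demonstration. The "safe" version binds parameters, which, as I understand it, is what Vanilla's SQL driver does for you when you pass filter values through its where() calls instead of concatenating them.

```python
import sqlite3

# Constructed sample rows standing in for Vanilla's GDN_Discussion table.
# Column names follow Vanilla's Discussion model (CountComments) and the
# Q&A plugin's QnA column; the rows themselves are invented for this example.
SAMPLE_ROWS = [
    (1, "How do I upgrade to PHP 7.3?", "Accepted", 4),
    (2, "Search filters not working", "Unanswered", 0),
    (3, "Plugin compatibility question", "Answered", 2),
    (4, "Staff-only migration thread", "Unanswered", 9),
]

# Q&A statuses a filter dropdown would legitimately send (assumed list).
ALLOWED_QNA = ("Unanswered", "Answered", "Accepted", "Rejected")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE GDN_Discussion ("
        "DiscussionID INTEGER PRIMARY KEY, Name TEXT, QnA TEXT, CountComments INTEGER)"
    )
    conn.executemany("INSERT INTO GDN_Discussion VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, term, qna_status, min_comments):
    """The 'before' version: filter values are glued into the SQL text.

    Kept deliberately vulnerable to show what the rewrite removed."""
    sql = (
        "SELECT DiscussionID FROM GDN_Discussion"
        " WHERE Name LIKE '%" + term + "%'"
        " AND QnA = '" + qna_status + "'"
        " AND CountComments >= " + str(min_comments) +
        " ORDER BY DiscussionID"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term, qna_status, min_comments):
    """Parameterised version: the SQL text is fixed and the values are bound
    separately, so a quote inside a filter value stays data, not syntax."""
    sql = (
        "SELECT DiscussionID FROM GDN_Discussion"
        " WHERE Name LIKE ? AND QnA = ? AND CountComments >= ?"
        " ORDER BY DiscussionID"
    )
    params = ("%" + term + "%", qna_status, int(min_comments))
    return [row[0] for row in conn.execute(sql, params)]


def validate_filters(qna_status, min_comments):
    """Allow-list the dropdown value and coerce the count before querying.

    Binding parameters stops injection; this extra step rejects values the
    UI could never have sent, which surfaces tampering early."""
    if qna_status not in ALLOWED_QNA:
        raise ValueError("unknown Q&A status: %r" % qna_status)
    count = int(min_comments)
    if count < 0:
        raise ValueError("comment count must be non-negative")
    return qna_status, count


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe, honest input:   ", search_unsafe(db, "upgrade", "Accepted", 0))
    print("unsafe, injected status:", search_unsafe(db, "upgrade", payload, 0))
    print("safe, injected status:  ", search_safe(db, "upgrade", payload, 0))
```

With the honest input both versions return the same single discussion. With the injected status value the concatenated query turns into `... AND QnA = 'x' OR '1'='1' AND CountComments >= 0`, and because AND binds tighter than OR the keyword filter is bypassed and every discussion comes back, including ones the searcher should never have matched. The parameterised query compares QnA against the literal string and returns nothing. Note that parameter binding does not neutralise LIKE wildcards (`%`, `_`) inside the search term itself; that is a separate, much less serious issue, but worth escaping if you care about it.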
Get it right here: https://open.vanillaforums.com/addon/vanilla-core-2.8.4
This release contains CRITICAL security patches.
- Patched SSRF in HTTP client.
- Updated release file system permissions to be less permissive.
It has been brought to our attention that our file system permissions were far too open in our open source releases. These concerns were initially dismissed because in our version control repository and on all of our infrastructure the permissions were correct.
Thanks to the insistence of @R_J I discovered a bug in our OSS release build tool that reset all of the file permissions to 777 (very dangerous).
Starting in this release file system permissions are essentially 755 for directories and 644 for files.
Please upgrade to the latest version of Vanilla as soon as possible. No other changes from 2.8.3 are in this version.
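The permissions check and reset described in this release, as an added example that is not Vanilla's release build tool. It is plain POSIX sh using only find and chmod; the sample tree it builds (a couple of fake PHP files under a temporary directory, chmod'ed to 777) is constructed to reproduce the symptom, and the function names are my own.

```sh
# Added example, not Vanilla's release tooling: audit an unpacked release
# tree for world-writable entries (the 777 symptom described above) and
# normalise it to 755 directories / 644 files. POSIX sh + find + chmod only.

# Print how many entries under $1 are world-writable (the o+w bit set).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# List the offenders with their modes so an audit can be eyeballed or logged.
list_world_writable() {
    find "$1" -perm -002 -exec ls -ld {} \;
}

# Reset the tree: 755 for directories, 644 for regular files. Symlinks are
# left alone; PHP sources do not need the executable bit to be served.
fix_release_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree reproducing the bug: a tiny fake Vanilla layout
# that has been chmod -R 777'd. Prints the directory it created.
make_bad_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/Example" "$dir/conf"
    printf '<?php\n' > "$dir/index.php"
    printf '<?php\n' > "$dir/plugins/Example/default.php"
    chmod -R 777 "$dir"
    printf '%s\n' "$dir"
}

# Stand-alone demo: run with --demo to see the before/after counts.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_bad_tree)
    echo "world-writable before: $(count_world_writable "$tree")"
    list_world_writable "$tree"
    fix_release_perms "$tree"
    echo "world-writable after:  $(count_world_writable "$tree")"
    rm -rf "$tree"
fi
```

Run the count against the extracted archive, not against a git checkout: as this release notes found, the repository can be fine while the packaged artifact is not. A non-zero count on a freshly unpacked release is the signal to fix the build step, and `fix_release_perms` is the safe default to apply on the server in the meantime (add back any executable bits you know you need afterwards, e.g. on CLI helper scripts).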