Security Update: Vanilla 2.0.18.9
We've released an important security update that should be applied immediately by anyone running 2.0.18.*. The new version can be found here.
Here is a summary of what we've done:
- 2013-11-26 Use SafeRedirect() instead of Redirect() in the discussion controller.
- 2013-11-26 Added TrustedDomains() and SafeRedirect().
- 2013-11-26 Don't allow user id override on post.
- 2013-08-25 Fix Flagging security flaw
- 2013-08-25 Filter discussion title on categories/all
- 2013-06-20 Comment notifications should only be sent to people with the "NewComment" preference set.
- 2013-06-13 Twitter: Change api version to 1.1.
- 2013-05-08 Tagging: Fix xss bug in tagging.
- 2013-05-02 Do not add linebreaks twice on search.
Comments
Thanks. Is it safe to just make the modifications shown in those commits that you have listed?
@Shmizzle, it should be yes.
Cool, thanks.
Thanks @Todd.
Can anyone explain the significance of "Use SafeRedirect() instead of Redirect() in the discussion controller."?
Is this to fix some kind of request forgery vuln that isn't caught by a transient key check?
@50sQuiff the transient key should offer the protection, but since it is in the url we want to add additional protection. In more current versions of Vanilla we've been making sure that most operations like this are in the POST rather than the GET.
That being said, when we semantically want to offer an "in-site" redirect we want to start using SafeRedirect() because it's the right thing to do and lets us not worry about these kinds of attacks. We have a config setting to whitelist other domains which can be used for integrations to other trusted sites.
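To make the point of the answer above concrete, here is an added example of what an "in-site or trusted-domain" redirect check looks like. It is not Vanilla's own SafeRedirect()/TrustedDomains() code; the function names is_safe_redirect() and safe_redirect(), the $trustedDomains array and the sample hosts are all assumptions made for this illustration. It goes a little beyond the post by also rejecting protocol-relative and non-HTTP targets, which are the usual ways an "open redirect" check gets bypassed.

```php
<?php
// Added example, not Vanilla's code. Names and sample hosts are hypothetical.

/**
 * Return true if $target may be used as a redirect destination:
 * either a site-relative path, or an http(s) URL whose host is the
 * site itself or one of the configured trusted domains (or a subdomain).
 */
function is_safe_redirect($target, $siteHost, array $trustedDomains)
{
    // Empty targets and control characters / whitespace are rejected outright;
    // they tend to confuse URL parsers and browsers differently.
    if ($target === '' || preg_match('/[\x00-\x20\x7f]/', $target)) {
        return false;
    }

    // "//host/..." and "/\host/..." are treated as absolute URLs by browsers,
    // so they must not be accepted as "relative" paths.
    if (preg_match('#^[/\\\\]{2}#', $target)) {
        return false;
    }

    // A single leading slash is a site-relative path: always in-site.
    if ($target[0] === '/') {
        return true;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }

    // No scheme and no host: a plain relative path such as "discussions/1".
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return true;
    }

    // Anything with a scheme must be plain http or https (no javascript:, data:, ...).
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }

    // Compare the parsed host (userinfo such as "a@b" is already stripped by parse_url)
    // against the site host and the whitelist, allowing subdomains of each entry.
    $host = strtolower($parts['host']);
    foreach (array_merge(array($siteHost), $trustedDomains) as $trusted) {
        $trusted = strtolower($trusted);
        $suffix  = '.' . $trusted;
        if ($host === $trusted || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

/** Return $target if it is safe, otherwise the in-site $fallback. */
function safe_redirect($target, $siteHost, array $trustedDomains, $fallback = '/')
{
    return is_safe_redirect($target, $siteHost, $trustedDomains) ? $target : $fallback;
}

// Constructed sample inputs: the site is forum.example, partner.example is whitelisted.
$trusted = array('partner.example');
$samples = array(
    '/discussions',                      // allow: site-relative
    'discussion/1/some-title',           // allow: relative path
    'https://forum.example/profile',     // allow: own host
    'https://sso.partner.example/login', // allow: subdomain of trusted domain
    '//other.example/',                  // deny: protocol-relative
    'https://forum.example.other.example/', // deny: only looks like our host
    'https://forum.example@other.example/', // deny: userinfo trick, real host differs
    'javascript:void(0)',                // deny: non-http scheme
);
foreach ($samples as $s) {
    printf("%-42s %s\n", $s, is_safe_redirect($s, 'forum.example', $trusted) ? 'allow' : 'deny');
}
```

The important design choice is that the whitelist is matched on the parsed host only, with an exact or dot-prefixed suffix comparison; a plain substring or "starts with" check on the raw string is exactly what the protocol-relative and look-alike-host cases in the sample list get past.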
After updating vanilla will all the installed plugins work perfectly.
I assume nobody will dare to answer such a general question with a simple "yes" or "no". The best thing would be to start a new discussion where you list all the plugins you are using.
I get "FirstName required" and "Lastname required" when updating to 2.0.18.9 with no user input boxes available. How do I get around this so that I can complete the upgrade?
@shasa, R_J is right that we can't say a simple yes or no, but there are no material changes in this release. There are just security fixes.
I'm using v2.1b2 on my site right now, but I'm having some problems with it referring to the embed comments function, that it does not work on Wordpress due to an error on a .js file, either from the Wordpress plugin or one of the Vanilla js files, or both.
Can I "downgrade" from that version to 2.0.18.9 to test if this version works ok? I would like to use the original files included in the 2.0.18.9 package, overwriting only the necessary files to maintain categories, posts, users and avatars. I think that all that information is included on the database, so I assume that I only need to upload the 2.0.18.9 files to another folder, install the forum software as if it was the first time, use a new database (created before the installation process, of course), and then import a backup of my actual database to the new one.
When I upgraded from 2.0.18.8 to 2.1b2, I had to execute a process to upgrade the database. Do I need to do a similar process to "downgrade" the database to be compatible with 2.0.18.9?
Thanks in advance.
@Shinji3rd
2.1b2 is not recommended for production use. It is pretty stable, but 2.0.18.9 is the stable self hosted version.
I suggest you:
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
And only do that if you know what you're doing
@hgtonight
I've installed 2.0.18.9 according to your advice, and now everything works great. Thank you.
Cool hearing about those new features and bugs fixes.
Here's a probably stupid question: what do you mean by “just make the modifications show in those commits”? Is this just upgrading some PHP files? If so, where are they listed?
Here they are
So how do I upgrade?
Reading the documentation on upgrading on the Vanilla Documentation Page would certainly give you a boost on the process. When all else fails, reading the documentation may be a fallback.
http://vanillaforums.org/docs/installation-upgrade
Searching the forum for "upgrade" and "duplicate forums" and reading the wiki can also provide other insights.
A backup might not be a bad idea either:
http://vanillaforums.org/discussion/21192/which-files-should-i-back-up#latest
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Don't forget: http://vanillawiki.homebrewforums.net/index.php/Upgrading and http://vanillawiki.homebrewforums.net/index.php/Updates and http://vanillaforums.org/discussion/12740/vanilla-2-upgrading-tips. But the most important thing is: from 2.0.18.8 to 2.0.18.9 all you have to do is replace the files. No database updates, etc. It all depends on the version you are coming from.