Vanilla 2.1.7 released
This is a critical security upgrade for all forums.
Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.7
9 files changed. View the diff.
Security:
- Fix for CSRF potential in posting & editing discussions.
- Fix for allowing unauthorized Format changes to discussions (possible XSS vector when combined with the above CSRF).
- Harden Gdn_Database against MySQL injection attacks by closing possible multiple-query-per-statement vector.
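To make the third item concrete, here is an added example (not Vanilla's own Gdn_Database code) showing a PDO handle left at the driver default beside one that closes the multiple-statements-per-call vector, plus a lookup that only ever passes user input as a bound parameter. The DSN, credentials and the GDN_Discussion table name are assumptions for illustration.

```php
<?php
// Added example, not Vanilla's own Gdn_Database code: a PDO handle opened with the
// driver default beside one that closes the multiple-statements-per-call vector,
// plus a lookup that passes user input only as a bound parameter.
// DSN, credentials and the GDN_Discussion table name are assumptions.
$dsn  = 'mysql:host=127.0.0.1;dbname=vanilla;charset=utf8mb4';
$user = 'vanilla';
$pass = 'PLACEHOLDER_PASSWORD';

// Weak: multi-statement execution left at the driver default, so a string like
// "SELECT ... ; <second statement>" runs both if it ever reaches query() or exec().
$weak = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Hardened: a second statement in any query()/exec()/prepare() call is rejected,
// and native prepares keep parameters out of the SQL text altogether.
$hardened = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
    PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    PDO::ATTR_EMULATE_PREPARES       => false,
]);

// Defence in depth for a wrapper that still assembles SQL from fragments: refuse
// any statement text that carries a second statement outside a quoted literal.
function assertSingleStatement(string $sql): void {
    $quote = null;
    for ($i = 0, $n = strlen($sql); $i < $n; $i++) {
        $c = $sql[$i];
        if ($quote !== null) {
            if ($c === '\\') { $i++; continue; }   // skip an escaped character inside a literal
            if ($c === $quote) { $quote = null; }
        } elseif ($c === "'" || $c === '"' || $c === '`') {
            $quote = $c;
        } elseif ($c === ';' && trim(substr($sql, $i + 1)) !== '') {
            throw new InvalidArgumentException('Refusing to run more than one statement per call');
        }
    }
}

// Load one discussion by id; the id travels only as a bound parameter, so a
// value carrying a semicolon is compared as a string, never executed.
function loadDiscussion(PDO $db, string $discussionId): ?array {
    $sql = 'SELECT DiscussionID, Name, Format FROM GDN_Discussion WHERE DiscussionID = :id';
    assertSingleStatement($sql);
    $stmt = $db->prepare($sql);
    $stmt->execute([':id' => $discussionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
var_dump(loadDiscussion($hardened, '42'));
```

PDO::MYSQL_ATTR_MULTI_STATEMENTS can only be set in the constructor's options array, not later via setAttribute(), so the hardening has to happen where the handle is created.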
Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.
Another hat tip to Dingjie Yang of Qualys, Inc for disclosing the CSRF & XSS vectors.
Both these contributors have responsibly disclosed previous security flaws as well, and we deeply appreciate their assistance.
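The CSRF and Format items above are one chain: a forged POST that also switches a post's Format to raw HTML turns a CSRF into stored XSS. As an added example (not Vanilla's controller code), the two server-side checks that close it; the TransientKey field name, the CanPostHtml flag and the format list are assumptions for illustration.

```php
<?php
// Added example, not Vanilla's own controller code. Field names, the CanPostHtml
// permission and the list of formats are assumptions for illustration.
const ALLOWED_FORMATS = ['Text', 'Markdown', 'BBCode', 'Html'];

// The anti-CSRF token must be present on both sides and match in constant time.
function csrfTokenIsValid(array $post, array $session): bool {
    if (!isset($post['TransientKey'], $session['TransientKey'])) {
        return false;
    }
    return hash_equals($session['TransientKey'], (string) $post['TransientKey']);
}

// Only users explicitly trusted with raw HTML may post or edit in Html format.
function allowedFormatsFor(array $user): array {
    return !empty($user['CanPostHtml']) ? ALLOWED_FORMATS : array_diff(ALLOWED_FORMATS, ['Html']);
}

// Validate an edit: reject it without a valid token, and never let the submitted
// Format widen what the user may post, whatever the form claimed.
function validateDiscussionEdit(array $post, array $session, array $user, string $currentFormat): array {
    if (!csrfTokenIsValid($post, $session)) {
        throw new RuntimeException('Invalid or missing CSRF token');
    }
    $format = $post['Format'] ?? $currentFormat;
    if (!in_array($format, allowedFormatsFor($user), true)) {
        throw new RuntimeException("Format '$format' not permitted for this user");
    }
    return [
        'Name'   => (string) ($post['Name'] ?? ''),
        'Body'   => (string) ($post['Body'] ?? ''),
        'Format' => $format,
    ];
}

// Constructed request: the token is right, but it tries to move a Markdown
// discussion to Html on behalf of a user who is not allowed raw HTML.
$session = ['TransientKey' => 'constructed-session-token'];
$user    = ['CanPostHtml' => false];
$post    = [
    'TransientKey' => 'constructed-session-token',
    'Name'         => 'Edited title',
    'Body'         => '<b>raw markup</b>',
    'Format'       => 'Html',
];
try {
    validateDiscussionEdit($post, $session, $user, 'Markdown');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```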
Additional Patches:
- Fix for "u.Photo isn't in GROUP BY" Fatal Error (thx @Shadowdare)
- Fix for detecting locales in enabled application (thx @hgtonight)
- Fix for IS NULL WHERE clauses (thx @imnotjames)
- Added a new "Class Gdn not found" exception if ini files are out of date to avoid obscure errors (me)
Thanks all!
In other news, we made significant headway in our pull request backlog over the holidays and are moving to get the 2014 ones cleared as quickly as possible. We appreciate the contributions & activity (both on PRs and elsewhere) greatly.
10 Comments
Please, I want a good link on how to learn how to upgrade from 2.1.6 to 2.1.7. Thank you.
It is included with Vanilla in the README: https://github.com/vanilla/vanilla/blob/master/README.md#upgrading
@Linc: that one didn't make it into 2.1.7: https://github.com/vanilla/vanilla/commit/6f45f626f634837fda697d0915811b58d1183e87
See: https://github.com/vanilla/vanilla/blob/2.1/bootstrap.php#L44
@R_J It did, there was simply a second commit that revised the message to be briefer & platform-agnostic. There was no check there previously at all. The "obscure errors" I mention are ones that could be any missing resource depending on what happens to get requested first. Now we have 1 error that only means exactly this.
@Linc, any idea if this release fixes the issue some of us were having with advanced notifications causing incorrect mention notifications? http://vanillaforums.org/discussion/28709/mention-notifications-going-to-wrong-user#latest
@AaronWebstey No, no one submitted a pull request to backport that fix as far as I know. I don't think 2.1.8 is very far away, so there's an opportunity to get it in next week.
@Linc thanks! Can I do anything to help?
@Linc This will be my first time upgrading, being that I am new to Vanilla and just downloaded 2.1.6 a few weeks ago. Any guidance you have for me to upgrade smoothly? I'm sure it's simple, I just don't want to mess up anything.
@linc previously said: http://vanillaforums.org/discussion/comment/223394/#Comment_223394
I think he suggested reading the readme in a previous comment.
For me: I always make backups of the database and backups of the source, and keep a backup copy of my config.php and my .htaccess file on my PC.
And I make sure the .htaccess is correct and updated after the upgrade, because it will probably be overwritten.
This is a pretty simple upgrade compared to upgrading from 2.0, so it should just be a matter of focusing and carefully reading the readme in the downloaded core zip.
This might be helpful for people as well: http://vanillaforums.org/discussion/28420/faq/p1
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Exciting feeling seeing these files move around and patch vanilla to be the best it can be.
@peregrine Awesome thanks.
The other general rule I follow when upgrading Vanilla:
I check to see if I have the latest version of the plugins, in case a plugin has been updated in the add-ons section of this forum (rather than on GitHub).
This may be helpful to you.
http://vanillaforums.org/addon/versioncheck-plugin
Another handy thing to check is this thread - particularly if you upgrade from 2.0.x, but it still gives you insights about plugins for 2.1.x:
http://vanillaforums.org/discussion/26703/plugins-themes-that-work-and-dont-work-in-vanilla-2-1
You could track down the commit in master that fixed that bug. It's probably attached to an issue about it on GitHub. If you're feeling code-savvy, create a pull request against the 2.1 branch that adds that commit. Or, see if one of the other fine ladies or gents around here would be willing to do that part once it's found.
@Linc I've been tinkering with VF code for a couple months now, and am still somewhat new to it and even more new to GitHub (all my old coding jobs used CVS and my current job, well let's just say a server breakdown or 2 could be disastrous :stuck_out_tongue_closed_eyes: ).
For those reasons, I'd love to sort through github issues and do my first pull request, unless someone else does it first. I may get at it this afternoon and if not, probably tonight.
Thanks again!
@AaronWebstey Sounds good! I won't be doing 2.1.8 before Monday unless something crazy happens, so you have plenty of time. Feel free to poke me here or on GitHub if you need guidance.
Very nice update process from 2.1.6 to 2.1.7 :-)
Just a little squeak not many people will notice and that will hardly matter to anyone... but the diff @Linc pointed to seems to include one change (library/database/class.database.php) that was already in the 2.1.6 zip (at least the one from GitHub).
I downloaded 2.1.6 and 2.1.7 from GitHub and built my own diff and compared it with the GitHub diff, and noticed I had only 8 file changes instead of 9. I confirmed my production version 2.1.6 already had the change to library/database/class.database.php as well.
Again, this will impact probably close to zero people, and the patch process will probably recognize it is already there as well.
I upgraded to 2.1.7 from 2.1.6 today, no issues yet! If I can do it, anyone can.