Vanilla 2.6 is here - includes security fixes

Linc

Vanilla 2.6 is now available. It requires PHP 7.0 or higher. This release brings a number of great enhancements to Vanilla, most notably the new "Category Following" feature that lets you filter the Recent Discussions page to only show discussions from select categories.

If you are not ready to upgrade to Vanilla 2.6 today, please install Vanilla 2.5.2 immediately (also released today). It maintains PHP 5.6 compatibility and provides important security updates to Vanilla 2.5.1 and lower.

Upgrading

• Vanilla 2.6 requires PHP 7.0 which is a change from earlier versions. We strongly recommend upgrading to PHP 7.2 as soon as possible. Many hosting plans allow a seamless transition via their control panel.
• Follow the normal upgrade process, including running /utility/update.
• Delete plugins/Tagging and plugins/HtmLawed. They are now part of core and may conflict.
• We strongly recommend deleting the contents of your /cache folder after upgrading, and again if you experience issues after the upgrade.
• Test your plugin & theme compatibility in a safe place before upgrading your production forum.

Upgrading from Vanilla 2.3 or earlier, note this additional step: Manually delete /applications/vanilla/controllers/class.settingscontroller.php, then clear the cache folder.

Enabling Category Following

Category Following adds a menu to several pages. Therefore, it is OFF by default after upgrading. Please test your theme for compatibility before during it on in production. To turn it on, go to Dashboard -> Settings -> Categories and click the small control panel icon (next to the "Add Category" button). In the popup, toggle the feature 'ON' and click 'Save'.

Getting Help

IF YOU NEED ASSISTANCE, START A NEW DISCUSSION. If you are a developer and locate a reproducible issue, please file it on our GitHub tracker, noting your version as 2.6. We greatly appreciate the assistance.

Thanks

Thanks you everyone who contributed to Vanilla since the 2.5 release whether that was thru filing issues, submitting patches, participating in our HackerOne campaign, or helping folks on this forum. @R_J and @tflight contributed patches to 2.6.

Please upgrade to 2.6 as soon as possible!

Linc

Vanilla 2.5.2 release notes follow. All of these fixes are also in Vanilla 2.6. Cloud customers are already patched.

Security fixes

• Prevent activity record data from leaking in AJAX response.
• Fix XSS in Editor attachment viewer.
• Fix XSS is SSO connection screen.
• Regenerate confirmation code when changing email address.
• Require confirmation of manually-entered emails during SSO.
• Fix permission check on private conversation participants adding messages.
• Fix permission-based email leaking in private conversations.
• Fix permission problem in "getRecord" function.
• Fix ownership checking of drafts before allowing overwrite.
• Blacklist the 'download' attribute from user-generated content.
• Fix our use of cURL to not allow non-HTTP redirects.

Other fixes

• Fix MySQL Strict Mode error during install.
• Fix Chrome-specific bug in WYSIWYG editor.
• Fix our release-building tool (Phing) so it doesn't omit the default htaccess file.

Questions & Answers

Why are there so many security fixes?

Shortly after the 2.5.1 release, we made our HackerOne campaign public and have gotten a lot of valuable feedback from that community. Most of the security issues listed above were reported via our campaign, and this is our big patch day to roll them all up and distribute them so they can be publicly disclosed. Thanks to everyone who's participated; it's been tremendously valuable.

Will you continue supporting PHP 5.6 and the Vanilla 2.5.x release?

No! Barring further high-severity vulnerabilities being reported in the short term, we do not plan to release a Vanilla 2.5.3 at this time. Get thee to PHP 7.0 quickly!

Linc

Vanilla 2.6 release notes follow. These are in addition to the security fixes listed above for 2.5.2.

Category Following

• Users may now "Follow" categories.
• Recent Discussions page may be filtered to only show discussions from followed categories.
• This feature must be enabled in the Dashboard.
• Enabling it adds a new menu to the Recent Discussions page, so theming conflicts should be checked.
• We removed the old "Mute" function for categories to make room for this new feature.

API v2 In-Dashboard Docs

• New addon "API v2 Docs" (in plugins/swagger-ui) is now part of the default package and on by default in new installs.
• It adds API documentation to the Dashbord menu.
• The API documentation auto-builds when accessed, giving you custom docs that are specific to what addons you currently have enabled on your site.

API v2 Changes

• Add API v2 support for search.
• API change for Q&A addon: A discussion that is a Question can no longer be updated or deleted from the discussion endpoint. It must use the new Ideation or Q&A endpoints. This prevents loss of data integrity for their current status.
• API: Add pagination information to response headers for multiple endpoints.
• API: Add filtering by archived status to categories endpoint.
• Allow the API v2 to authenticate with API v1 access tokens.
• API docs: Parameters of type 'enum' now correctly list all values that are accepted.

Changes and fixes:

• Fix ability to delete items in moderation logs.
• Fix spider crawling errors for non-existent pages.
• Fix image upload button not always appearing in Advanced Editor and Signature editing.
• Fix filter menus showing for guests on Recent Discussions and categories root.
• Add "none found" message to category pages with no categories.
• Fix image cropper overflow when editing avatars.
• Fix broken links to theme documentation from dashboard.
• Update redirection after adding a category.
• Update System user's default avatar.
• Rename database column GDN_Session.DateExpire to DateExpires to match conventions and fix structure update problem.
• Fix translations for file upload error messages.
• Fix Google+ SSO link to signin.
• Make 'image upload' button on by default in Editor.
• Fix user search by IP not returning results
• Adjust comment editing permission checks to avoid re-querying the database unnecessarily.
• Multiple accessibility improvements.

PackFansNation

This is very cool! 1st time performing an upgrade and was able to upgrade from 2.5.1 to 2.6 easily. Does the community have a roadmap (or list of coming enhancements) for future releases?

Linc

@PackFansNation said:
Does the community have a roadmap (or list of coming enhancements) for future releases?

Vanilla 2.7 is due in late summer (northern hemisphere), and features a brand new text editor & posting UI. We're rebuilding it from the ground up to provide a great experience. This release is fully planned & scoped at this time.

Vanilla 2.8 is projected for late 2018, and tentatively features a complete design refresh of the user-facing areas. Our goal is to make this transition compatible with existing themes. Much remains in flux about the scope and timing of this release.

Both releases will include new API endpoints. Our goal is to eventually expose 100% of the platform via the API.

PackFansNation

Thanks for the info, @Linc

phreak

@Linc: That sounds fantastic. Will the Vanilla 2.7 editor also handle image resizing on upload based on given rules in the dashboard (or the config.php). For example: Community manager can decide to what max. pixel size images should be resized on upload?

If so then I can concentrate development efforts on other addons.

R_J

There are some former plugin features that have been moved to the core. In order to avoid trouble, the plugins should be disabled before upgrading and afterwards those two folders should be deleted:

/plugins/HtmLawed
/plugins/Tagging

Linc

@phreak said:
Will the Vanilla 2.7 editor also handle image resizing on upload based on given rules in the dashboard (or the config.php). For example: Community manager can decide to what max. pixel size images should be resized on upload?

I'm unsure if that feature is in the first iteration off the top of my head. I'll tag @charrondev, keeper of editor features, in case he has time to swing by.

Linc

I've submitted changes to the Vanilla README to take into account file deletions required over the years https://github.com/vanilla/vanilla/pull/7232, most especially the 2 addons that @R_J notes above. I've also added a step to the OP.

smokvinlist

I'm not sure is it from this version or from before, but my social plugins (FB login, Twitter login) started to act weird.

When I login with Twitter, my username is automatically renamed to my Twitter username (not just on dashboard, but in DB as well!).
When I try to login with FB I got "UniqueID is required." which I didn't got before as everything worked fine.

Google plugin is working ok.

Anyone else have this problems?

smokvinlist

Ok, I've found fix for FB.
In getProfile() method there is file_get_contents which is not allowed on my server (allow_url_fopen set to false) so that is why I got UniqueID error.
I've changed that with cURL and not it's working fine.
Btw, maybe API should be updated. At least for FB as version on Vanilla is 2.7 which is deprecated by FB (end of support in October 2018). Oldest FB currently supports is 2.8 while latest is 3.0.

Linc

@smokvinlist said:
Ok, I've found fix for FB.
In getProfile() method there is file_get_contents which is not allowed on my server (allow_url_fopen set to false) so that is why I got UniqueID error.
I've changed that with cURL and now it's working fine.

A good point. https://github.com/vanilla/vanilla/issues/7235

@smokvinlist said:
Btw, maybe API should be updated. At least for FB as version on Vanilla is 2.7 which is deprecated by FB (end of support in October 2018). Oldest FB currently supports is 2.8 while latest is 3.0.

Thanks. https://github.com/vanilla/vanilla/issues/7234

whu606

@Linc

We haven't got a 2.6 help section.

On a local XAMPP install, 2.6 gives a 404 error if I just type the folder (localhost/test26)

but works if I add /index.php?p=/dashboard/setup

but then I can't get past the installation page, as once I press Continue it reverts to dashboard/setup page.

steam

Hi,
Many thanks for the new functionality "Category Following"

But, how to translate "Category Following" strings "All" and "Following". I have been write translation on my locale files and deleted cache but nothing translated.

https://www.planamigo.org/discussions

Thanks

Ivan_Gurin

Error during update /dba/counts

DkS

@whu606 said:
@Linc

We haven't got a 2.6 help section.

On a local XAMPP install, 2.6 gives a 404 error if I just type the folder (localhost/test26)

I am having the same issue but on a live server did you figure anything out?

whu606

Not yet, unfortunately.

whu606

The resolution is to rename .htaccess.dist to .htaccess

Syclops

I'm trying to perform a Fresh Install of 2.6 but I get this Error on the Installation Page when I click "Continue".

BTW, I've tried 3 different version of PHP 7, 7.0.30, 7.1.18, and 7.2.6 with no luck.

Incorrect table definition; there can be only one TIMESTAMP column with CURRENT_TIMESTAMP in DEFAULT or ON UPDATE clause

martin28

Renaming .htaccess.dist to .htaccess didn't worked for me. I'm using mac osx default apache