HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.6 is here - includes security fixes

LincLinc Detroit Admin
edited May 2018 in Releases

Vanilla 2.6 is now available. It requires PHP 7.0 or higher. This release brings a number of great enhancements to Vanilla, most notably the new "Category Following" feature that lets you filter the Recent Discussions page to only show discussions from select categories.

If you are not ready to upgrade to Vanilla 2.6 today, please install Vanilla 2.5.2 immediately (also released today). It maintains PHP 5.6 compatibility and provides important security updates to Vanilla 2.5.1 and lower.

Upgrading

  • Vanilla 2.6 requires PHP 7.0 which is a change from earlier versions. We strongly recommend upgrading to PHP 7.2 as soon as possible. Many hosting plans allow a seamless transition via their control panel.
  • Follow the normal upgrade process, including running /utility/update.
  • Delete plugins/Tagging and plugins/HtmLawed. They are now part of core and may conflict.
  • We strongly recommend deleting the contents of your /cache folder after upgrading, and again if you experience issues after the upgrade.
  • Test your plugin & theme compatibility in a safe place before upgrading your production forum.

Upgrading from Vanilla 2.3 or earlier, note this additional step: Manually delete /applications/vanilla/controllers/class.settingscontroller.php, then clear the cache folder.

Enabling Category Following

Category Following adds a menu to several pages. Therefore, it is OFF by default after upgrading. Please test your theme for compatibility before during it on in production. To turn it on, go to Dashboard -> Settings -> Categories and click the small control panel icon (next to the "Add Category" button). In the popup, toggle the feature 'ON' and click 'Save'.

Getting Help

IF YOU NEED ASSISTANCE, START A NEW DISCUSSION. If you are a developer and locate a reproducible issue, please file it on our GitHub tracker, noting your version as 2.6. We greatly appreciate the assistance.

Thanks

Thanks you everyone who contributed to Vanilla since the 2.5 release whether that was thru filing issues, submitting patches, participating in our HackerOne campaign, or helping folks on this forum. @R_J and @tflight contributed patches to 2.6.

Please upgrade to 2.6 as soon as possible!

«1

Comments

  • LincLinc Detroit Admin
    edited May 2018

    Vanilla 2.5.2 release notes follow. All of these fixes are also in Vanilla 2.6. Cloud customers are already patched.

    Security fixes

    • Prevent activity record data from leaking in AJAX response.
    • Fix XSS in Editor attachment viewer.
    • Fix XSS is SSO connection screen.
    • Regenerate confirmation code when changing email address.
    • Require confirmation of manually-entered emails during SSO.
    • Fix permission check on private conversation participants adding messages.
    • Fix permission-based email leaking in private conversations.
    • Fix permission problem in "getRecord" function.
    • Fix ownership checking of drafts before allowing overwrite.
    • Blacklist the 'download' attribute from user-generated content.
    • Fix our use of cURL to not allow non-HTTP redirects.

    Other fixes

    • Fix MySQL Strict Mode error during install.
    • Fix Chrome-specific bug in WYSIWYG editor.
    • Fix our release-building tool (Phing) so it doesn't omit the default htaccess file.

    Questions & Answers

    Why are there so many security fixes?

    Shortly after the 2.5.1 release, we made our HackerOne campaign public and have gotten a lot of valuable feedback from that community. Most of the security issues listed above were reported via our campaign, and this is our big patch day to roll them all up and distribute them so they can be publicly disclosed. Thanks to everyone who's participated; it's been tremendously valuable.

    Will you continue supporting PHP 5.6 and the Vanilla 2.5.x release?

    No! Barring further high-severity vulnerabilities being reported in the short term, we do not plan to release a Vanilla 2.5.3 at this time. Get thee to PHP 7.0 quickly!

  • LincLinc Detroit Admin

    Vanilla 2.6 release notes follow. These are in addition to the security fixes listed above for 2.5.2.

    Category Following

    • Users may now "Follow" categories.
    • Recent Discussions page may be filtered to only show discussions from followed categories.
    • This feature must be enabled in the Dashboard.
    • Enabling it adds a new menu to the Recent Discussions page, so theming conflicts should be checked.
    • We removed the old "Mute" function for categories to make room for this new feature.

    API v2 In-Dashboard Docs

    • New addon "API v2 Docs" (in plugins/swagger-ui) is now part of the default package and on by default in new installs.
    • It adds API documentation to the Dashbord menu.
    • The API documentation auto-builds when accessed, giving you custom docs that are specific to what addons you currently have enabled on your site.

    API v2 Changes

    • Add API v2 support for search.
    • API change for Q&A addon: A discussion that is a Question can no longer be updated or deleted from the discussion endpoint. It must use the new Ideation or Q&A endpoints. This prevents loss of data integrity for their current status.
    • API: Add pagination information to response headers for multiple endpoints.
    • API: Add filtering by archived status to categories endpoint.
    • Allow the API v2 to authenticate with API v1 access tokens.
    • API docs: Parameters of type 'enum' now correctly list all values that are accepted.

    Changes and fixes:

    • Fix ability to delete items in moderation logs.
    • Fix spider crawling errors for non-existent pages.
    • Fix image upload button not always appearing in Advanced Editor and Signature editing.
    • Fix filter menus showing for guests on Recent Discussions and categories root.
    • Add "none found" message to category pages with no categories.
    • Fix image cropper overflow when editing avatars.
    • Fix broken links to theme documentation from dashboard.
    • Update redirection after adding a category.
    • Update System user's default avatar.
    • Rename database column GDN_Session.DateExpire to DateExpires to match conventions and fix structure update problem.
    • Fix translations for file upload error messages.
    • Fix Google+ SSO link to signin.
    • Make 'image upload' button on by default in Editor.
    • Fix user search by IP not returning results
    • Adjust comment editing permission checks to avoid re-querying the database unnecessarily.
    • Multiple accessibility improvements.
  • This is very cool! 1st time performing an upgrade and was able to upgrade from 2.5.1 to 2.6 easily. Does the community have a roadmap (or list of coming enhancements) for future releases?

  • LincLinc Detroit Admin

    @PackFansNation said:
    Does the community have a roadmap (or list of coming enhancements) for future releases?

    Vanilla 2.7 is due in late summer (northern hemisphere), and features a brand new text editor & posting UI. We're rebuilding it from the ground up to provide a great experience. This release is fully planned & scoped at this time.

    Vanilla 2.8 is projected for late 2018, and tentatively features a complete design refresh of the user-facing areas. Our goal is to make this transition compatible with existing themes. Much remains in flux about the scope and timing of this release.

    Both releases will include new API endpoints. Our goal is to eventually expose 100% of the platform via the API.

  • Thanks for the info, @Linc

  • phreakphreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP
    edited May 2018

    @Linc: That sounds fantastic. Will the Vanilla 2.7 editor also handle image resizing on upload based on given rules in the dashboard (or the config.php). For example: Community manager can decide to what max. pixel size images should be resized on upload?

    If so then I can concentrate development efforts on other addons. :)

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
  • R_JR_J Ex-Fanboy Munich Admin

    There are some former plugin features that have been moved to the core. In order to avoid trouble, the plugins should be disabled before upgrading and afterwards those two folders should be deleted:

    /plugins/HtmLawed
    /plugins/Tagging

  • LincLinc Detroit Admin

    @phreak said:
    Will the Vanilla 2.7 editor also handle image resizing on upload based on given rules in the dashboard (or the config.php). For example: Community manager can decide to what max. pixel size images should be resized on upload?

    I'm unsure if that feature is in the first iteration off the top of my head. I'll tag @charrondev, keeper of editor features, in case he has time to swing by.

  • LincLinc Detroit Admin
    edited May 2018

    I've submitted changes to the Vanilla README to take into account file deletions required over the years https://github.com/vanilla/vanilla/pull/7232, most especially the 2 addons that @R_J notes above. I've also added a step to the OP.

  • I'm not sure is it from this version or from before, but my social plugins (FB login, Twitter login) started to act weird.

    When I login with Twitter, my username is automatically renamed to my Twitter username (not just on dashboard, but in DB as well!).
    When I try to login with FB I got "UniqueID is required." which I didn't got before as everything worked fine.

    Google plugin is working ok.

    Anyone else have this problems?

  • Ok, I've found fix for FB.
    In getProfile() method there is file_get_contents which is not allowed on my server (allow_url_fopen set to false) so that is why I got UniqueID error.
    I've changed that with cURL and not it's working fine.
    Btw, maybe API should be updated. At least for FB as version on Vanilla is 2.7 which is deprecated by FB (end of support in October 2018). Oldest FB currently supports is 2.8 while latest is 3.0.

  • LincLinc Detroit Admin

    @smokvinlist said:
    Ok, I've found fix for FB.
    In getProfile() method there is file_get_contents which is not allowed on my server (allow_url_fopen set to false) so that is why I got UniqueID error.
    I've changed that with cURL and now it's working fine.

    A good point. https://github.com/vanilla/vanilla/issues/7235

    @smokvinlist said:
    Btw, maybe API should be updated. At least for FB as version on Vanilla is 2.7 which is deprecated by FB (end of support in October 2018). Oldest FB currently supports is 2.8 while latest is 3.0.

    Thanks. https://github.com/vanilla/vanilla/issues/7234

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP
    edited May 2018

    @Linc

    We haven't got a 2.6 help section.

    On a local XAMPP install, 2.6 gives a 404 error if I just type the folder (localhost/test26)

    but works if I add /index.php?p=/dashboard/setup

    but then I can't get past the installation page, as once I press Continue it reverts to dashboard/setup page.

  • steamsteam www.planamigo.org - #1 foro planes amigo
    edited May 2018

    Hi,
    Many thanks for the new functionality "Category Following"

    But, how to translate "Category Following" strings "All" and "Following". I have been write translation on my locale files and deleted cache but nothing translated.

    https://www.planamigo.org/discussions

    Thanks

  • Error during update /dba/counts

  • DkSDkS New
    edited May 2018

    @whu606 said:
    @Linc

    We haven't got a 2.6 help section.

    On a local XAMPP install, 2.6 gives a 404 error if I just type the folder (localhost/test26)

    I am having the same issue but on a live server did you figure anything out?

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP

    Not yet, unfortunately.

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP

    The resolution is to rename .htaccess.dist to .htaccess

  • I'm trying to perform a Fresh Install of 2.6 but I get this Error on the Installation Page when I click "Continue".

    BTW, I've tried 3 different version of PHP 7, 7.0.30, 7.1.18, and 7.2.6 with no luck.

    Incorrect table definition; there can be only one TIMESTAMP column with CURRENT_TIMESTAMP in DEFAULT or ON UPDATE clause

  • Renaming .htaccess.dist to .htaccess didn't worked for me. I'm using mac osx default apache

Sign In or Register to comment.