HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.0.18.11 security release

LincLinc Detroit Admin

Vanilla 2.0.18.11 is available for download. It is strongly recommended for all sites running Vanilla 2.0 to upgrade immediately. It contains 3 security patches and ditches the troublesome "Remove" option on the plugins page.

If you are currently running 2.0.18.10, no other steps are required than copying the new files over your old ones.

Download Here

Feeling a little selective? These are the exact files that changed:

  • applications/dashboard/controllers/class.settingscontroller.php
  • applications/dashboard/views/settings/plugins.php
  • applications/vanilla/controllers/class.discussioncontroller.php
  • applications/vanilla/controllers/class.postcontroller.php
  • applications/vanilla/views/drafts/drafts.php
  • index.php (version number only)

Please note that 2.1 is currently in release candidate stage, so it is imminent for stable release. We will continue to support 2.0 with security patches thru the end of 2014.

«1

Comments

  • Thanks! Unfortunately, the Preview function isn't working for me after updating everything; nothing shows up in the preview. After I reverted back to the old class.postcontroller.php it started working again. Changing the theme to the default Vanilla theme didn't do anything. Anyone else have this problem?

  • LincLinc Detroit Admin

    @Shmizzle The only thing that changed in the post controller was the editdiscussion method, which added a permission check. What version were you on previously? Did you clear your browser cache?

  • ShmizzleShmizzle New
    edited April 2014

    I was on 2.0.18.10 and did try clearing the cache. The weird thing is draft saving doesn't work anymore either. Reverting back to the 2.0.18.10 class.postcontroller.php fixes that too.

  • it sound more like the whole file isn't being read. check the permissions.

    grep is your friend.

  • Thanks for the suggestion. Permissions are 0644 like all the other files.

  • LincLinc Detroit Admin

    If anyone else is experiencing this or can reproduce it, I'd be extremely keen to know.

  • After playing around in the file, commenting out line 329:

    $FormValues = $this->CommentModel->FilterForm($FormValues);

    Fixed the issues.

  • I was having one of my blond moments there.

    nevertheless less it is worth checking the network traffic, for the ajax request, status code and response.

    grep is your friend.

  • x00x00 MVP
    edited April 2014

    FilterForm is required security, but it is a hint. I wondering if you are not getting back an array for $FormValues = $this->Form->FormValues();

    grep is your friend.

  • Personally I would not bother with being "selective" just run through the normal update process.

    grep is your friend.

  • ShmizzleShmizzle New
    edited April 2014

    I put an echo before/after the call and I'm getting an error popup now that says:

    {"Code":256,"Exception":"The \"CommentModel\" object does not have a \"xFilterForm\" method.|CommentModel|xFilterForm|"}

    I like the selective update because over the years I've made several minor changes to the core files. I really should have documented the changes I made, but unfortunately I didn't.

    Update: It appears that at some point I must not have done a proper selective-update, as I noticed quite a few of the files on my server are different from the files in the current release despite me not modifying them. How that happened and everything still worked okay up until this point I'm not sure, but I'll get around to doing a proper update and let you know if I still have any issues. Sorry for the false alarm guys!

  • hgtonighthgtonight ∞ · New Moderator

    @Shmizzle said:
    I like the selective update because over the years I've made several minor changes to the core files. I really should have documented the changes I made, but unfortunately I didn't.

    Not trying to harp on you specifically, but this is an excellent reason to never modify the core files. Glad you got your issue sorted. :D

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • FilterForm is inherited from Gdn_Model. I suggest your problem is as you say, you are maintaining a fork.

    As a maintainer of a fork it is your responsibility to maintain and merge any necessary changes.

    grep is your friend.

  • @x00 said:
    As a maintainer of a fork it is your responsibility to maintain and merge any necessary changes.

    But of course. :)

    I think what must have happened is I missed one of the 2.0.18.x updates along the way. Probably one that came out a couple of years ago before I subscribed to the RSS feed.

  • LincLinc Detroit Admin

    Glad you got it sorted. No harm done.

    ...except the days shaved off my life by the momentary panic of thinking I'd done a bad release somehow. :D

  • @Lincoln said
    ...except the days shaved off my life by the momentary panic

    To all users, please don't send Lincoln into a panic, we need him. A toast you your long life.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • @Lincoln said:
    Glad you got it sorted. No harm done.

    ...except the days shaved off my life by the momentary panic of thinking I'd done a bad release somehow. :D

    Sorry. o:):wink:

    I do still definitely appreciate the fact that you always let us know what files changed since the last release though. :)

    @peregrine said:
    To all users, please don't send Lincoln into a panic, we need him. A toast you your long life.

    Indeed!

    (Here's to everyone else living a long life as well.)

  • LincLinc Detroit Admin

    Disclaimer: the 2.1 upgrade can't be selective :) It's cray-cray.

  • I never received an email notification about this release. Should I have? Is there a mailing list I'm not on?

Sign In or Register to comment.