Announcing the availability of 2.1.3, a security & bug fix release for the 2.1 branch.
This is an important security release for all users of 2.1.
The diff is here. 6 files changed in total.
Thanks to Dingjie Yang of Qualys, Inc for 2 of the XSS reports, and Jason Barnabe for the third. We greatly appreciate responsible security reports, which can be directed to support [at] vanillaforums.com.
Hat tip to @bleistivt for making sure the timezone bug was properly filed on GitHub so it wasn't missed for this release.
Comments
Where's 2.0.18.14?
Only 1 of these 3 XSS exploits found in 2.1 is possible in 2.0.18.13, and it's quite a trick to pull off, and it will only work if your target is running IE8 or below.
I'll patch it soon, but it won't be this week; I've run out of time.
Will this update on its own in my Joomla in the back of my GoDaddy? Sorry, I'm a noob.
I'm sorry, I don't understand the question.
@Linc I installed my theme and did everything from the backend of GoDaddy and Joomla. It says update from the back of GoDaddy, just not sure how to do so.
@dportis I'm not familiar with GoDaddy's system. I suspect you may need to wait for them to update to the latest version. You should contact them directly with any questions.
@Linc Awesome thank you
Don't use installers that come in some hosts' panels. Install Vanilla yourself using the installation instructions.
grep is your friend.
Okay thank you. @x00 can you help me with my Facebook and Twitter log in?
This release seems to have introduced a bug in global.js
In Safari I'm getting
TypeError: 'undefined' is not a function (evaluating 'gdn.url('/utility/sethouroffset.json')') in global.js:313
@peregrine thanks for taking the time to look into this... I'm currently not using vanilla in production, so I'll just revert to 2.1.1 until someone comes out with a proper fix.
If a moderator wants to delete all my previous comment clutter in this discussion thread or blank it out, since it doesn't apply and confuses the issue, that would be great. This sums it all up:
If the hour offset in the user table doesn't match the hour offset on the client's computer derived by JS,
pretty much all functionality in Vanilla is lost due to a JS error: cog wheels won't work, the button bar won't work, admins can't sign out if their hour is off, to name just a few problems.
https://github.com/vanilla/vanilla/issues/2071
@linc, in my continuing obsession with global.js:
I left the same functions but rearranged the timeoffset placement, and it works better, I think.
If the user table has an offset that doesn't match the client houroffset, now it will not create a JS crash, and gdn.url is defined.
It now works correctly with this positional change in the code.
Take this code:
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L309
and move it to here:
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L1177
So in the end, lines 309-316 are deleted and inserted in the position shown above.
Actually, if you wanted, everything from
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L25
through
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L86
could be moved into position here:
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L1177
Below is a modified global.js you can extract and replace that has the 5- or 6-line movement.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
The above zip can be extracted and copied over the global.js in
/js/global.js
I was not able to manage categories in the back end. It was impossible to select & drag category orders.
However, I solved it by editing '/js/global.js'.
As peregrine mentioned above, I moved that code from line 309 to 1177.
Now my category managing feature works well.
The MeBox does not work correctly after the update.
EDIT:
Dashboard, MeModule, Inbox and more do not work correctly after the update.
I reuse Vanilla 2.1.1.
Can someone download 2.1.1 and 2.1.2 and do a comparison? We can't have people ignoring XSS bugs because javascript doesn't work, that's not smart.
Since @peregrine is obsessed with global.js, I'm asking you, can you do it please? I always used WinMerge to compare those versions, long time ago.
What to do if I get a Bonk Error?
Vanilla Wiki : Join and help edit our Wiki! | View all Vanilla issues on GitHub | Report a new Vanilla issue on GitHub
Deploying a new Forum and adding a Theme | Give thanks to the Vanilla Developers!
True, I would upgrade to 2.1.2; it is more secure than 2.1.1, but I would make one of the change options below.
There is already a comparison. Linc posted a diff:
https://github.com/vanilla/vanilla/compare/217901796812bb3bbff6c2a76e6d02999a2b6346...47cb085066596c2003a016783a3c19f434e6775c
The simple change is to upgrade and just modify global.js, or keep the old 2.1.1 global.js:
Upgrade to 2.1.2, keep a copy of the old global.js from 2.1.1 (which doesn't break the JS) and copy it over the 2.1.2 installation. The JS change has nothing to do with the XSS bugs.
Or reposition the lines as suggested in my previous comment.
Or use the global.js I zipped up, which fixes the intended houroffset bug without breaking other things in the process.
Or copy 5 of the files and NOT global.js;
it will fix the XSS vulnerabilities without the backport of global.js.
In 2.1.2 there was a backport of the houroffset fix to global.js; it was just placed in a sub-optimal place in the code.
The introduction of two separate diverging forks of Vanilla, even-numbered and odd-numbered,
e.g.
2.1 (and 2.3 in future) for open-source
2.2 (and 2.4 in future) for hosted
makes it really hard for the developers in some respects (duplication, maintenance upgrades, backporting security fixes, extra QC), but allows them to maintain more features in the hosted version. I don't envy maintaining two separate diverging forks.
Maybe someone, preferably a moderator, could make a new zip of Vanilla 2.1.2 with the global JS bug fixed and upload it here.
I think it really hurts the software if the newest version people should download is in a somewhat broken state.
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
True, but...
Then 2.1.2 would be two versions, and that would lead to more complications.
2.1.2a or 2.1.3 would be better, but index.php should reflect that.
Someone should call Lincoln or Todd on the phone to alert them. They must have their e-mail turned off.
I sent the admins in North America (Adrian, Todd and Linc) a PM last night, but expecting them to work on weekends is probably unreasonable.
Yes, a new version number would be better.
Something should be done, because the situation right now encourages people not to update and people will be sceptical about updates in the future.
Even worse, people have broken forums and they don't even notice it (but their users do).
True. Affected users on a particular forum may not be able to post or use the buttonbar either, to alert the forum owner.
I suspect it will be sorted out soon. Sent Kasper and Tim a message too.
Thanks, guys, for discovering the issue. 👍
VanillaAPP - Your native App for Vanilla // Press Theme is ready for Vanilla 2.3+ - Check it out! // Made by VanillaSkins.com
I'm completely new to Vanilla forum and was wondering why nothing was working, spent ages trying to figure it out. Turns out there's a bug in the javascript and it's been left broken for the weekend. It's not a good first impression.
Man... I should have scrolled down before messing with troubleshooting for an hour.
Eh... it happens.
At least you read the announcement and came back to read the comments later. That's a plus, if it helped.
@peregrine, thanks for the fix with the global.js file.
Add Pages to Vanilla with the Basic Pages app | Publish articles with the Articles app
I will release 2.1.3 today. Apologies for the oversight.
Nice thanks guys fixed my issues
What is driving me mad is this: No one can seem to explain why the previous call in 2.1 worked but the one in 2.1.2 doesn't. The fact of the fix doesn't interest me half as much as knowing why it happened so I can prevent another faulty release in the future.
It didn't work in 2.1; the hours were never updated, and the method of getting definitions changed. It just didn't crash.
@Linc
The way I figure it...
Evaluation of the expression was always false in 2.1:
if (hourOffset != $(this).val()) { // they were always equal in all cases
That's why the houroffset never worked correctly:
http://vanillaforums.org/discussion/comment/213937/#Comment_213937
http://vanillaforums.org/discussion/comment/214078/#Comment_214078
And it was masked by the fact that admins were usually setting their own timezones, so it didn't matter and they never noticed the time was off.
It may have been working in 2.1b2; not sure.
That is why so many new forum owners are having problems: 2.1 never updated the user table correctly, hence with 2.1.2 the houroffset was always different, JS vs. DB table (as a result of all users created during the 2.1 phase), and just on a fresh install of 2.1.2 it finally evaluated gdn.url, which was never defined early enough.
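The following is an added example, written for this thread and not taken from Vanilla's global.js, that models the load-order failure peregrine describes in his "move lines 309-316 after 1177" post and in the diagnosis above: the hour-offset check runs near the top of the script, `gdn.url` is only attached further down, so the first page load where the stored and browser offsets actually differ calls an undefined function and aborts the whole script, taking the cog wheels, button bar and sign-out with it. Only `gdn.url` and the `/utility/sethouroffset.json` endpoint come from the thread; the webroot, the `post()` recorder and the function names are constructed for the simulation.

```javascript
// Added example, not code from Vanilla's global.js: a minimal model of the
// load-order bug described in this thread. Only gdn.url and the
// /utility/sethouroffset.json endpoint are taken from the thread; the rest
// (the webroot, the post() recorder, the function names) is constructed.
const gdn = {};

// Stand-in for the definitions block that global.js attaches later in the
// file (constructed; the real helper prefixes the site's webroot).
function defineUrlHelper() {
  gdn.url = function (path) {
    return '/forum' + path;
  };
}

// The offset check as the thread paraphrases it: if the offset stored in the
// user table differs from the browser's, post the browser's value. `post` is
// injected so the example runs offline and records what would have been sent.
function syncHourOffset(storedOffset, clientOffset, post) {
  if (storedOffset != clientOffset) {
    post(gdn.url('/utility/sethouroffset.json'), { HourOffset: clientOffset });
    return true;
  }
  return false;
}

// Same check with a guard: if the helper has not been attached yet, skip the
// sync for this page load instead of aborting the whole script.
function syncHourOffsetGuarded(storedOffset, clientOffset, post) {
  if (typeof gdn.url !== 'function') return false;
  return syncHourOffset(storedOffset, clientOffset, post);
}

// Runs the script "top to bottom" with the check placed either before the
// definitions (the 2.1.2 placement) or after them (the suggested move), and
// reports whether the script aborted and what it posted.
function simulateStartup(checkPosition, storedOffset, clientOffset, guarded) {
  delete gdn.url; // fresh page load: nothing attached yet
  const posted = [];
  const post = (url, data) => posted.push({ url, data });
  const check = guarded ? syncHourOffsetGuarded : syncHourOffset;
  const result = { crashed: false, error: null, posted };
  try {
    if (checkPosition === 'before') check(storedOffset, clientOffset, post);
    defineUrlHelper();
    if (checkPosition === 'after') check(storedOffset, clientOffset, post);
  } catch (e) {
    // A TypeError here is the Safari "'undefined' is not a function" case.
    result.crashed = true;
    result.error = e.name + ': ' + e.message;
  }
  return result;
}

// Stand-alone demo of the four situations the thread discusses.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('2.1.2 placement, offsets differ:', simulateStartup('before', 0, -5, false));
  console.log('2.1.2 placement, offsets equal (masked):', simulateStartup('before', -5, -5, false));
  console.log('moved after definitions:', simulateStartup('after', 0, -5, false));
  console.log('guarded:', simulateStartup('before', 0, -5, true));
}
```

Run it with `node` to see the four outcomes side by side: the 2.1.2 placement crashes only when the offsets differ, which is why admins whose stored timezone already matched their browser never saw the bug, while moving the check after the definitions (peregrine's fix) or guarding on `typeof gdn.url` both complete the page load. The guard is the cheaper regression insurance if the file gets reordered again, since a skipped sync costs one page load of wrong timestamps rather than a dead forum.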