Vanilla 2.1.6 released

Linc (Director of Development, Detroit, Vanilla Staff)

This is an important security upgrade for all forums.

Download it: http://vanillaforums.org/addon/vanilla-core-2.1.6

7 files changed. See the code diff.

Summary:

  • Security: Fixes an SQL injection vector.
  • Security: Adds a PDO option to harden against SQL injection.
  • Security: Improves the security of password resets by increasing token length and limiting them to 1 hour expiration.
  • Adds vBulletin 5.1 password hashing to allow seamless password migrations. All previous versions continue to be supported.

Thanks to the team at ZeniMax Online Studios for disclosing the password reset issue and SQL injection vector.


Comments

  • peregrine MVP
    edited November 2014

    Thanks. Just upgraded to 2.1.6. BTW, the info message at the top of the screen also needs to be updated to reflect the new version 2.1.6.

    function request for next release... https://github.com/vanilla/vanilla/issues/2283

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • whu606 (I'm not a SuperHero; I just like wearing tights...) Moderator
    edited November 2014

    @Linc

    Should this be an announcement?

  • Anybody know how to upgrade to 2.1.6 from 2.1.5? Do I have to download the whole package again? :\

  • @waplist said:
    Anybody know how to upgrade to 2.1.6 from 2.1.5? Do I have to download the whole package again? :\

    It is best to follow normal upgrade procedures.

    grep is your friend.

  • whu606 (I'm not a SuperHero; I just like wearing tights...) Moderator

    @waplist

    @x00 is right, but if you check the GitHub page, you can see the 7 updated files and just upload those, especially as you have only just installed 2.1.5.

  • OK, thank you.

  • Linc (Director of Development, Detroit, Vanilla Staff)

    @whu606 said:
    Should this be an announcement?

    There is a bug in the Dashboard News feed that causes an announced discussion to disappear, so no, not if I want folks to see it beyond this site :)

  • whu606 (I'm not a SuperHero; I just like wearing tights...) Moderator

    Ah, OK.

    I shall try to remember to bump it.

  • x00 MVP
    edited November 2014

    This reminded me of a need for a security tracker.

    http://vanillaforums.org/discussion/28568/security-tracker

  • phreak (VanillaAPP - White label iOS and Android App) MVP

    @linc: It's really cool to see so much progress around here right now. Thanks for the work!

  • Linc (Director of Development, Detroit, Vanilla Staff)

    @whu606 I've added the Bump addon, so you can select "Bump" as an option from the Discussions list now.

  • whu606 (I'm not a SuperHero; I just like wearing tights...) Moderator

    OK!

    I shall shelve my other 'bump' related gags... :\

  • Forwarded to the page index.php?p=/dashboard/setup.

    The database in phpmyadmin is not created.

    The config has no blog entries, just white.

    What's the problem?

  • peregrine MVP
    edited November 2014

    @sadkin said:
    Forwarded to the page index.php?p=/dashboard/setup.

    The database in phpmyadmin is not created.

    The config has no blog entries, just white.

    What's the problem?

    Best to start a new discussion. State what you did in the new discussion.
    Was this an upgrade or a new install? Put that in your new discussion as well.

    hints for everyone upgrading or installing

  • peregrine MVP
    edited November 2014

    @Linc

    Numerous people are getting this error upon upgrading.

    May need to go in and manually fix.

    http://vanillaforums.org/discussion/28583/upgrading-to-2-1-6-from-2-0-18

    I had one person go into phpmyadmin, go to your database and run this:

    alter table GDN_Tag drop index UX_Tag

    and then run /utility/structure again, and it fixed it.

    http://vanillaforums.org/discussion/comment/220312/#Comment_220312

  • Linc (Director of Development, Detroit, Vanilla Staff)

    @peregrine Is this something specific to 2.1.6, or just a general issue surfacing for the 2.0 -> 2.1 transition?

  • peregrine MVP
    edited November 2014

    I'm not sure, but it involves upgrading from 2.0.x to 2.1.6.

    At least two people were upgrading from 2.0.18.x -> 2.1.6.

    If you have a Tag table as a result of installing the tagging plugin in Vanilla 2.0.18.

    I haven't seen anyone report the problem before Gillingham reported it,

    but 3 different people have had the issue and posted about it.

    I wonder if they don't have drop index permissions - but that would probably result in a permissions error, I would think.

  • Linc (Director of Development, Detroit, Vanilla Staff)

    @peregrine OK, would you please file this as an issue? This should be fixed via the structure file & tested before and after with a full upgrade. I don't recall if the Tagging tables are core in 2.0.18 but that's a consideration too - whether the plugin is enabled.

  • @Linc said:
    peregrine OK, would you please file this as an issue? This should be fixed via the structure file & tested before and after with a full upgrade. I don't recall if the Tagging tables are core in 2.0.18 but that's a consideration too - whether the plugin is enabled.

    When I saw the error, tagging was enabled in 2.0.18 and was disabled prior to upgrade, and yes, it is in the core in 2.0.18.

    https://github.com/vanilla/vanilla/issues/2291

    https://github.com/vanilla/vanilla/tree/2.0/plugins

  • JasonBarnabe (Cynical Salamander) ✭✭
    edited November 2014

    This change broke a custom plug-in I have. The plug-in does $SQL->Where('d.ScriptID IS NULL'); on DiscussionModel_BeforeGet_Handler. The result is:

    PDO Statement failed to prepare
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? order by d.DateLastComment desc limit 30' at line 6
    The error occurred on or near: /www/greasyforum/library/database/class.database.php

    289:       if (!is_null($InputParameters) && count($InputParameters) > 0) {
    290:          $PDOStatement = $this->Connection()->prepare($Sql);
    291:
    292:          if (!is_object($PDOStatement)) {
    293:             trigger_error(ErrorMessage('PDO Statement failed to prepare', $this->ClassName, 'Query', $this->GetPDOErrorMessage($this->Connection()->errorInfo())), E_USER_ERROR);
    294:          } else if ($PDOStatement->execute($InputParameters) === FALSE) {
    295:             trigger_error(ErrorMessage($this->GetPDOErrorMessage($PDOStatement->errorInfo()), $this->ClassName, 'Query', $Sql), E_USER_ERROR);
    296:          }
    297:       } else {

    Backtrace:
    [/www/greasyforum/library/database/class.database.php] PHP::Gdn_ErrorHandler();
    [/www/greasyforum/library/database/class.database.php:293] PHP::trigger_error();
    [/www/greasyforum/library/database/class.sqldriver.php:1650] Gdn_Database->Query();
    [/www/greasyforum/library/database/class.sqldriver.php:674] Gdn_SQLDriver->Query();
    [/www/greasyforum/applications/vanilla/models/class.discussionmodel.php:348] Gdn_SQLDriver->Get();
    [/www/greasyforum/applications/vanilla/controllers/class.discussionscontroller.php:136] DiscussionModel->GetWhere();
    [/www/greasyforum/applications/vanilla/controllers/class.discussionscontroller.php:136] DiscussionsController->Index();
    [/www/greasyforum/library/core/class.dispatcher.php:350] PHP::call_user_func_array();
    [/www/greasyforum/index.php:46] Gdn_Dispatcher->Dispatch();

    Variables in local scope:

    [Sql] 'select d2.*, discussionaboutitem.default_name as `DiscussionAboutName`, w.UserID as `WatchUserID`, w.DateLastViewed as `DateLastViewed`, w.Dismissed as `Dismissed`, w.Bookmarked as `Bookmarked`, w.CountComments as `CountCommentWatch`
    from GDN_Discussion d
    join GDN_Discussion d2 on d.DiscussionID = d2.DiscussionID
    left join scripts discussionaboutitem on d.ScriptID = discussionaboutitem.id
    left join GDN_UserDiscussion w on w.DiscussionID = d2.DiscussionID and w.UserID = 1
    where d.ScriptID IS :dScriptID
    order by d.DateLastComment desc
    limit 30'

    [InputParameters] array (
      ':dScriptID' => NULL,
    )

    [Options] array (
      'ReturnType' => 'DataSet',
    )

    [ReturnType] 'DataSet'

    [PDOStatement] false

    If I comment out the new line, it works again.
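    The failure reported in this post, as an added example that is not Vanilla's code: a toy WHERE-fragment builder in the spirit of the 2.1.6 hardening, first binding the right-hand side unconditionally, which turns d.ScriptID IS NULL into the "IS :dScriptID" form MySQL rejected above, then a corrected builder that keeps binding values but emits IS NULL / IS NOT NULL literally. The function names and the fragment grammar it accepts are assumptions.

```php
<?php
// Added example, not Vanilla's code: a toy model of a WHERE-fragment builder
// that binds values as PDO parameters (the 2.1.6 hardening) and of the NULL
// edge case reported above. Function names and the grammar are assumptions.

// Split "column <op> value" into [column, OP, value]; null when the fragment
// is not a simple comparison, so the caller can pass it through unchanged.
function splitComparison(string $fragment): ?array {
    $ops = 'IS NOT|IS|<>|!=|<=|>=|=|<|>';
    if (!preg_match('/^\s*([\w.]+)\s*(' . $ops . ')\s*(.+?)\s*$/i', $fragment, $m)) {
        return null;
    }
    $val = preg_replace("/^'(.*)'$/s", '$1', $m[3]);   // unquote a literal
    return [$m[1], strtoupper($m[2]), $val];
}

// Naive parameterization: the right-hand side is always bound. For
// "d.ScriptID IS NULL" this produces "d.ScriptID IS :dScriptID" with NULL
// bound, the form MySQL rejected above: IS expects a keyword, not a value.
function whereNaive(string $fragment): array {
    $parts = splitComparison($fragment);
    if ($parts === null) {
        return [$fragment, []];
    }
    [$col, $op, $val] = $parts;
    $name = ':' . str_replace('.', '', $col);
    return ["$col $op $name", [$name => strcasecmp($val, 'NULL') === 0 ? null : $val]];
}

// Hardened builder: values are still bound (the injection fix stays), but
// IS NULL / IS NOT NULL are emitted as literal SQL because NULL is part of
// the grammar there and no placeholder can stand in for it.
function whereHardened(string $fragment): array {
    $parts = splitComparison($fragment);
    if ($parts === null) {
        return [$fragment, []];
    }
    [$col, $op, $val] = $parts;
    if (($op === 'IS' || $op === 'IS NOT') && strcasecmp($val, 'NULL') === 0) {
        return ["$col $op NULL", []];
    }
    $name = ':' . str_replace('.', '', $col);
    return ["$col $op $name", [$name => $val]];
}

// The fragment from the broken plugin beside an ordinary value comparison.
foreach (['d.ScriptID IS NULL', "d.CategoryID = '7'"] as $fragment) {
    [$sql, $params] = whereNaive($fragment);
    echo "naive:    $sql  ", json_encode($params), "\n";
    [$sql, $params] = whereHardened($fragment);
    echo "hardened: $sql  ", json_encode($params), "\n";
}
```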

  • Anonymoose ✭✭
    edited November 2014

    Some images are not optimized.

    The following need compression, percentage savings listed.

    calendar.png 94.5%
    cog-expander.png 15.6%
    bubble-arrow.png 8.5%
    connection-64.png 5.1%
    dashboard-sprites.png 7.3%
    72.gif 1.0%
    usericon.gif 0.9%
    arrow.png 0.8%
    check.png 0.8%
    buttons.gif 0.8%
    75.gif 0.5%
    74.gif 0.4%
    5.gif 0.4%
    77.gif 0.3%
    62.gif 0.2%
    56.gif 0.2%
    18.gif 0.2%
    103.gif 0.1%
    109.gif 0.1%
    45.gif 0.1%
    8.gif 0.1%
    pirate.gif 0.1%
    59.gif 0.1%

  • Anonymoose ✭✭
    edited November 2014

    Command line and drag and drop for OS X:

    https://imageoptim.com/

    Imageoptim provides lossless compression and integrates PNGOUT, Zopfli, Pngcrush, AdvPNG, extended OptiPNG, JpegOptim, jpegrescan, jpegtran, and Gifsicle.

  • JasonBarnabe (Cynical Salamander) ✭✭

    @JasonBarnabe said:
    This change broke a custom plug-in I have. The plug-in does $SQL->Where('d.ScriptID IS NULL'); on DiscussionModel_BeforeGet_Handler.

    Filed https://github.com/vanilla/vanilla/issues/2303

  • rotaecho (Los Angeles) New
    edited December 2014

    Okay, I may be missing a step, so hopefully a reply can get a good solid solution :)

    I have VF 2.1.5 and I want to upgrade to 2.1.6.

    The README.md is very limiting, so these are the steps I performed:

    1.) Backed up DB

    2.) Created two locations:

    /app/www/vanilla-2.1.5, which /app/www/vanilla is symlinked to

    I expanded 2.1.6 to:

    /app/www/vanilla-2.1.6

    I fixed the permissions to be owned by nginx:nginx, as with 2.1.5

    I rsync'd the config.php from the 2.1.5/conf to the 2.1.6/conf directory

    I rsync'd the plugins & applications that I had different from the standard install.

    I fixed the /app/www/vanilla symlink to point to the 2.1.6 branch

    I then attempted to load: www.myforum.com/index.php?p=/utility/update

    I kept getting the error on the website:

    The update was not successful.

    Any advice would be appreciated. Thanks!

  • peregrine MVP
    edited December 2014

    .

  • vrijvlinder (Papillon-Sauvage) MVP
    edited December 2014

    www.myforum.com/index.php?p=/utility/update

    This tells me that the .htaccess file is not correct and that pretty URLs may not be set to true, thus this outcome.

    Check that rewriteUrl is set to true in the config.php, and check that the .htaccess file is correct and that

    BaseRewriteUrl is not commented out with a # before BaseRewriteUrl /
