
Vanilla 2.1.7 released

Linc Detroit Admin

This is a critical security upgrade for all forums.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.7

9 files changed. View the diff.

Security:

  • Fix for CSRF potential in posting & editing discussions.
  • Fix for allowing unauthorized Format changes to discussions (possible XSS vector when combined with the above CSRF).
  • Harden Gdn_Database against MySQL injection attacks by closing possible multiple-query-per-statement vector.

Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.

Another hat tip to Dingjie Yang of Qualys, Inc for disclosing the CSRF & XSS vectors.

Both these contributors have responsibly disclosed previous security flaws as well, and we deeply appreciate their assistance.

Additional Patches:

  • Fix for "u.Photo isn't in GROUP BY" Fatal Error (thx @Shadowdare)
  • Fix for detecting locales in enabled application (thx @hgtonight)
  • Fix for IS NULL WHERE clauses (thx @imnotjames)
  • Added a new "Class Gdn not found" exception if ini files are out of date to avoid obscure errors (me)

Thanks all!

In other news, we made significant headway in our pull request backlog over the holidays and are moving to get the 2014 ones cleared as quickly as possible. We appreciate the contributions & activity (both on PRs and elsewhere) greatly.
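The third security item above closes a "multiple queries per statement" vector in the database layer. As an added illustration (not Vanilla's own Gdn_Database code), this is how a PHP application can refuse stacked queries at the driver level while keeping user input bound as data; the PDO options used are real, while the DSN, credentials and the GDN_Discussion table name are assumed placeholders:

```php
<?php
// Added example, not code from the Vanilla project: open a MySQL connection
// that cannot execute a second statement appended to the first, and query it
// with bound parameters. Credentials and table name below are placeholders.

function openHardenedConnection(string $dsn, string $user, string $pass): PDO
{
    $options = [
        // Reject stacked queries ("...; <second statement>") in the driver itself,
        // so a single injected string can never run more than the intended statement.
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
        // Use server-side prepared statements rather than client-side emulation,
        // so bound values are never interpolated into the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
        // Surface driver errors as exceptions instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ];
    return new PDO($dsn, $user, $pass, $options);
}

// Untrusted request input (here a discussion id) only ever reaches the server
// as a bound parameter, never as part of the statement string.
function fetchDiscussion(PDO $db, string $discussionId): ?array
{
    $stmt = $db->prepare(
        'SELECT DiscussionID, Name, Format FROM GDN_Discussion WHERE DiscussionID = :id'
    );
    $stmt->execute([':id' => $discussionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with placeholder connection details; any semicolon in $discussionId is
// just data here, and even a raw query containing two statements would be refused.
$db = openHardenedConnection(
    'mysql:host=localhost;dbname=vanilla;charset=utf8mb4',
    'dbuser',
    'dbpass'
);
var_dump(fetchDiscussion($db, '42'));
```

With MYSQL_ATTR_MULTI_STATEMENTS left at its default, the same PDO connection would accept a string carrying two statements, which is the class of vector the release note describes.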

Comments

  • Please, I want a good link on how to learn how to upgrade from 2.1.6 to 2.1.7. Thank you

  • Linc Detroit Admin

    @martin2008 said:
    Please, I want a good link on how to learn how to upgrade from 2.1.6 to 2.1.7. Thank you

    It is included with Vanilla in the README: https://github.com/vanilla/vanilla/blob/master/README.md#upgrading

  • Linc Detroit Admin
    edited January 2015

    @R_J It did, there was simply a second commit that revised the message to be briefer & platform-agnostic. There was no check there previously at all. The "obscure errors" I mention are ones that could be any missing resource depending on what happens to get requested first. Now we have 1 error that only means exactly this.

  • AaronWebstey Headband Afficionado Cole Harbour, NS

    @Linc, any idea if this release fixes the issue some of us were having with advanced notifications causing incorrect mention notifications? http://vanillaforums.org/discussion/28709/mention-notifications-going-to-wrong-user#latest

  • Linc Detroit Admin

    @AaronWebstey No, no one submitted a pull request to backport that fix as far as I know. I don't think 2.1.8 is very far away, so there's an opportunity to get it in next week.

  • AaronWebstey Headband Afficionado Cole Harbour, NS

    @Linc thanks! Can I do anything to help?

  • @Linc This will be my first time upgrading, being that I am new to Vanilla and just downloaded 2.1.6 a few weeks ago. Any guidance you have for me to upgrade smoothly? I'm sure it's simple, I just don't want to mess up anything.

  • peregrine MVP
    edited January 2015

    @skisma said: @Linc This will be my first time upgrading, being that I am new to Vanilla and just downloaded 2.1.6 a few weeks ago. Any guidance you have for me to upgrade smoothly? I'm sure it's simple, I just don't want to mess up anything.

    @linc previously said: http://vanillaforums.org/discussion/comment/223394/#Comment_223394

    I think he suggested reading the read me in a previous comment.

    For me: I always make backups of the database and backups of the source, and keep a backup copy of my config.php and my .htaccess file on my PC.

    I also make sure the .htaccess is correct and updated after the upgrade, because it will probably be overwritten.

    This is a pretty simple upgrade compared to upgrading from 2.0, so it should just be a matter of focusing and carefully reading the readme in the downloaded core zip.

    This might be helpful for people as well: http://vanillaforums.org/discussion/28420/faq/p1

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Anonymoose
    edited January 2015

    Exciting feeling seeing these files move around and patch vanilla to be the best it can be.

  • @peregrine Awesome thanks.

  • peregrine MVP
    edited January 2015

    @Skisma said:
    peregrine Awesome thanks.

    The other general rule I follow when upgrading Vanilla:

    I check to see if I have the latest version of my plugins,

    and whether the plugin is updated in the add-ons section of this forum (rather than on GitHub).

    This may be helpful to you.

    http://vanillaforums.org/addon/versioncheck-plugin

    Another handy thing to check is this thread. It is particularly useful if you upgrade from 2.0.x, but it still gives you insights about plugins for 2.1.x.

    http://vanillaforums.org/discussion/26703/plugins-themes-that-work-and-dont-work-in-vanilla-2-1

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Linc Detroit Admin

    @AaronWebstey said:
    Linc thanks! Can I do anything to help?

    You could track down the commit in master that fixed that bug. It's probably attached to an issue about it on GitHub. If you're feeling code-savvy, create a pull request against the 2.1 branch that adds that commit. Or, see if one of the other fine ladies or gents around here would be willing to do that part once it's found.

  • AaronWebstey Headband Afficionado Cole Harbour, NS

    @Linc I've been tinkering with VF code for a couple of months now, and am still somewhat new to it and even more new to GitHub (all my old coding jobs used CVS and my current job, well, let's just say a server breakdown or two could be disastrous :stuck_out_tongue_closed_eyes: ).

    For those reasons, I'd love to sort through github issues and do my first pull request, unless someone else does it first. I may get at it this afternoon and if not, probably tonight.

    Thanks again!

  • Very nice update process from 2.1.6 to 2.1.7 :-)

  • Just a little squeak not many people will notice and won't matter to hardly anyone... but the diff @Linc pointed to seems to include one change (library/database/class.database.php) that was already in the 2.1.6 zip (at least the one from github).

    I downloaded 2.1.6 and 2.1.7 from github and built my own diff and compared it with the github diff and noticed I had only 8 file changes instead of 9. I confirmed my production version 2.1.6 already had the change to library/database/class.database.php as well.

    Again-- this will impact probably close to zero people and the patch process will probably recognize it is already there as well.

  • DenisS My brain hurts Buriram

    I upgraded to 2.1.7 from 2.1.6 today, no issues yet! If I can do it, anyone can. :wink:
