HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.8.1 is now available - Security Patches & Bug Fixes

charrondevcharrondev Developer Lead (PHP, JS)Montreal Vanilla Staff

Vanilla 2.8.1 contains multiple security and bug fixes. Please upgrade immediately.

If you are upgrading from a release prior to 2.8, read the 2.8 release notes first and follow those steps to upgrade. If you were not aware of the additional upgrade step (clearing the /dist folder and additional files from 2.6, please be sure to do all of the steps with this update.)

A few notes to repeat from the last release notes:

  • Vanilla 2.6 is no longer supported and has unpatched security vulnerabilitiesIt is recommended to upgrade as soon as possible.
  • The self-hosting, installation, & upgrade docs have been moved out of the README and into our public documentation. Contributions can still be made over at [https://github.com/vanilla/docs].
  • There is and EXTRA STEP being added to the standard upgrade process, as well as specific notes for upgrading from Vanilla 2.6 -> Vanilla 2.8 https://docs.vanillaforums.com/developer/installation/self-hosting/#upgrading
  • We are taking steps to ensure that release and documentation makes it out in a more timely manner. As we've expanded our developer teams(s) we are now able to share the burden of making these notes and will be trying to do proactively as we add features and fixes.

Release notes follow.

Security

7 medium-severity security issues were patched. Details are included below, but the linked issues with their details are currently still private. It is recommend to upgrade immediately.

Keystone Fixes

  • Fix responsive theme support for keystone.
  • Fix keystone NewFlyouts feature flag not directly tied to the theme being enabled.
  • theme-boilerplate ThemeHooks removed. No longer necessary.
  • Keystone no longer forces itself as the mobile theme.
  • #8473 - Fix keystone javascript error for signed out users (preventing refresh on signin).
  • #8475 && #8508 - Fix Advanced Editor flyouts on mobile with keystone. Thanks @MichaelTyson for assistance with debugging this.

Rich Editor

  • #8414 - Fix clearing of rich editor for conversations and activity
  • #8397 - Fix formatting of notifications & emails for the following post formats: Rich, BBCode, Markdown

Previously these post formats were being sent out "raw" in notifications & emails. This looked particularly bad for the Rich format.

  • #8516 - Fix undo/redo actions for embeds while creating rich posts
  • #8492 & #8540 - Fix a bug causing partially loaded rich embeds from crashing the page.

Pockets

  • #8455 - Pockets: Fix typo in pockets permissions
  • #8431 - Fix casing of pockets CSS class location

Other

  • #8502 - Fix installation on windows. Thanks @austins (github username)
  • #8447 - Put back missing cache folder
Tagged:

Comments

  • JasonBarnabeJasonBarnabe Cynical Salamander ✭✭

    This release contains a __MACOSX folder at the top level. No big deal to delete but FYI.

  • charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff

    This release contains a __MACOSX folder at the top level. No big deal to delete but FYI.

    Damnit. I even made a new reproducible build script for this release, but went and looked inside to double check after creating the build.

  • Here's a question: if we're supposed to be deleting everything in "dist" after we've extracted the new release, why have that folder in the distribution at all?

  • ShadowdareShadowdare r_j MVP
    edited March 2019

    @MichaelTyson, I followed that step too, but it appears that JS and CSS files are required from the /dist folder.

    Current Upgrading instructions say:

    1. Backup your database, .htaccess and conf/config.php file somewhere safe.

    2. Upload the new release’s files so they overwrite the old ones.

    3. Delete all files in /cache (except .htaccess if you use Apache).

    4. Delete all files in /dist.

    5. Follow all version-specific instructions below. It is critcal you delete the listed files.

    6. Go to example.com/utility/update to run any database updates needed. (404? See next paragraph.) If it fails, try it a second time by refreshing the page.

    Is step 2 supposed to go after 3 and 4?

    Add Pages to Vanilla with the Basic Pages app

  • charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff
    edited March 2019

    Actually 4 is supposed to go before 2. That’s my bad.

    I’ll fix the docs. Those dist files are required. Increasingly more of our frontend styles and scripts will be located there.

    It’s not actually critical for this first release (previous releases didn’t have this folder), but may be important moving forward as the distribution of built javascript bundles changes.

  • charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff

    @MichaelTyson @Shadowdare would either of you be able to assist in vetting future OSS releases? I’m trying my best in my spare time but I’d rather be able to fix more bugs or add more features to the Vanilla than manually test these upgrades.

    My own local installations and test sites are installed the same way we do on Vanilla cloud (not bundled with phing) which adds some extra burden for testing. I’m currently working on a 1 click digital ocean marketplace version of Vanilla that will be installed similar to how our cloud infrastructure works and potentially be able to auto update, but I’m guessing we’ll still be supporting this type of installation for some time.

  • Certainly, I'd be happy to @charrondev. I can't promise a particularly thorough job, but I'm happy to try out releases on forum.audiob.us's staging server in advance and flag anything obvious if I see it.

  • R_JR_J Ex-Fanboy Munich Admin


    All files and folders have full permission. 775 for /cache, /conf, /uploads and 755 for the rest would be sufficient. It would be great if this could be changed by your script, too.

  • xorgxorg New
    edited March 2019

    I really appreciate your hard work guys, keep it up!

    But there are few bugs on phone, the buttons for editing the post are not rightly appearing, and the notifications are not showing properly tho:


    Everything else works so far...

    p.s

    Tested with: samsung j3 2016, samsung j7, amazon fire, samsung s5 and with samsung s9 plus.. on opera and chome browsers.

  • charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff
    edited March 2019

    @xorg There's definitely a configuration setting that's not being set properly. Could you check a couple things?

    I'll note that things like the mobile header & flyouts should be unmodified between what I shipped in that 2.8.1 and what this site runs.

    I'm wondering if this is similar to


  • $Configuration['Features']['NewFlyouts']['Enable'] there is no such line in my config file

    Make sure your theme has a settings/configuration.php file with $Configuration['Feature']['NewFlyouts']['Enabled'] = true;

    it is already sir..

  • charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff

    Actually looking at, it seems that is working properly. Are you using the default theme, and do you have any javascript errors in your console?

  • xorgxorg New
    edited March 2019

    If you mean the console from browser in developer tools than:

    i should mention that i m using Cloudflare as proxy server, and the cloudflare settings for speed like auto minify for html, js and cs..

    And now i have turned Rocket loader completly off and other settings..

    Edit/

    Yes i m using default boiler theme.. and everything worked before well, instead of few things which are fixed now after the new 2.8.1 version sir.

  • xorgxorg New
    edited March 2019

    Srry for double post sir, now it seems to be fixed after i have turned off Cloudflare settings to minify html, js and css, and rocket loader is turned off tho.. and just to mention that google adsense will penlize the websites runed on vanillas current boiler theme, because they arent accepting my ads anymore because the whole theme is not optimized for phones, i hope that this is goin to be fixed in next versions..

  • charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff

    Ah yes. Vanilla & RocketLoader don't work well together. I'd recommend changing your mobile theme to what you were using before. If you have concerns about it not being optimized for mobile, I'd recommend filing an issue or making a separate thread for it.

    SEO is something that we pay attention to, but we're not concerned for optimizing specifically for mobile. Rather we are intending to optimize the site overall.

  • @charrondev, I'll be happy to help whenever I upgrade Vanilla on my dev and production environments! 😀 I have a site running Vanilla on Windows so I'll keep an eye out for OS-related bugs as well.

    Add Pages to Vanilla with the Basic Pages app

  • Hi all, I'm new in Vanilla, I've a self hosted forum running Vanilla 2.8.0, how could I upgrade it to 2.8.1 safely? Thank you all

  • charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff
  • I've already done, I found that file yet, anyway thank you a lot!

  • I really appreciate ur efforts in building this update. But it has bugs on phone . Would u please check it

Sign In or Register to comment.