When upgrading to 2.1.10, uploading the full program will cause the upgrade to fail; for the upgrade it is enough to upload only the patch.
XenForo 2.1.11, to address a potential security vulnerability. We recommend that all customers running XenForo 2.1 upgrade to 2.1.11 or apply the attached patch files as soon as possible. (For customers running XenForo 2.0, we can only recommend upgrading to the latest version.)
The issue is a cross-site request forgery (CSRF) on the login form. It could allow an attacker to unexpectedly log a user into an account the attacker controls. In some cases, if the user takes certain actions while logged into the wrong account, this could raise privacy concerns. Note that it does not give the attacker any access to the user's real account.
We recommend a full upgrade to resolve this issue, though the patch can also be uploaded manually. See below for more details.
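To make the login-form CSRF described above concrete from the defender's side, here is an added example (not XenForo's code, and not the contents of the patch) that places a login handler lacking any request-origin binding beside one that requires a token minted for the visitor's own pre-authentication session. The session array, the field name `login_csrf_token` and the `$authenticate` callback are stand-ins assumed for this example.

```php
<?php
// Added example (not XenForo's code): login handler without and with a
// per-session CSRF token. The session array, the field name
// 'login_csrf_token' and the $authenticate callback are stand-ins.

declare(strict_types=1);

// Mint a token for the pre-authentication session before the login form is
// rendered. Only a form served by this site can carry it back.
function issueLoginCsrfToken(array &$session): string
{
    if (empty($session['login_csrf_token'])) {
        $session['login_csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['login_csrf_token'];
}

// Vulnerable pattern: credentials alone decide the outcome, so a form on a
// third-party page can POST credentials for an account that third party
// controls and the visitor ends up logged into it.
function loginVulnerable(array $post, array &$session, callable $authenticate): bool
{
    $userId = $authenticate($post['login'] ?? '', $post['password'] ?? '');
    if ($userId === null) {
        return false;
    }
    $session['user_id'] = $userId;
    return true;
}

// Hardened pattern: the POST must carry the token issued to this very
// session (compared in constant time), and the token is single use.
function loginHardened(array $post, array &$session, callable $authenticate): bool
{
    $expected = (string)($session['login_csrf_token'] ?? '');
    $given    = (string)($post['login_csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false; // no token, or not the one issued to this session
    }
    unset($session['login_csrf_token']); // consume it
    $userId = $authenticate($post['login'] ?? '', $post['password'] ?? '');
    if ($userId === null) {
        return false;
    }
    // A real handler would regenerate the session id here before storing
    // the authenticated user.
    $session['user_id'] = $userId;
    return true;
}

// Constructed stand-in for credential checking: a single known account.
$authenticate = function (string $login, string $password): ?int {
    return ($login === 'third_party' && $password === 'third-party-pass') ? 42 : null;
};

// A cross-site POST carries credentials but no token from our session.
$crossSitePost = ['login' => 'third_party', 'password' => 'third-party-pass'];

$session = [];
$accepted = loginVulnerable($crossSitePost, $session, $authenticate);
echo 'vulnerable handler accepted cross-site login: ', var_export($accepted, true), PHP_EOL;

$session = [];
issueLoginCsrfToken($session);
$accepted = loginHardened($crossSitePost, $session, $authenticate);
echo 'hardened handler accepted cross-site login:  ', var_export($accepted, true), PHP_EOL;

// The site's own form includes the token and is accepted.
$ownPost  = $crossSitePost + ['login_csrf_token' => $session['login_csrf_token']];
$accepted = loginHardened($ownPost, $session, $authenticate);
echo 'hardened handler accepted own-form login:    ', var_export($accepted, true), PHP_EOL;
```

Run with `php login_csrf_example.php`: the vulnerable handler accepts the cross-site POST, the hardened handler rejects it and accepts only the request that carries the token it issued. The token must exist before authentication, which is why it is bound to the anonymous session; a `SameSite` cookie attribute and an `Origin`/`Referer` check are complementary layers, not replacements for the token.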
Applying the patch manually
Download the patch from the 2111patch.zip file attached to this message. It will contain the following files:
- src/XF/Admin/Controller/Login.php
- src/XF/Pub/Controller/Login.php
Extract the zip file on your computer, then upload the contents to the root directory of your XenForo installation. This should overwrite the files on the server with the new versions.
Some of the other changes in XF 2.1.10 include:
- Properly support disabling memory limits when calling setMemoryLimit with -1.
- Prevent a race condition related to double clicking when reacting to content.
- Prevent a server error when trying to edit a super admin via a non-super admin. (Also, allow the bypass permissions option of the API request to bypass this constraint.)
- Do not display unsupported media sites in approved site list
- Properly set average tooltips in stats graphs
- Allow the message body '0' in report comments
- Allow searches for '0' in template and phrase titles and contents
- Don't throw an error when trying to view reactions on a conversation message by a deleted user.
- When deleting warning actions, correctly redirect to the warnings list.
- When deleting template modifications, redirect to the correct template modification type list.
- Set a maximum length for content_type field in the spam trigger log entity.
- Allow users to reconfirm their existing email addresses if emails have previously bounced to it.
- Opt not to show a title for HTML widgets if no explicit title is set.
- Avoid throwing a template error for approval queue items with no user relationship.
- Ensure the MySQL replication adapter throws the correct exception on failure and supports the charset option.
- Adjust the display of conversation filter checkboxes.
- Use the correct modifier when building attachment URLs for the editor.
- Ensure full thumbnail URLs are used when rendering the ATTACH BB code, notably for rendering in emails.
- Properly check required PHP, PHP extension, and MySQL versions during add-on installation
- Don't allow double backslashes for PHP callbacks.
- Redirect back to the option group list after deleting an option group.
- Redirect back to the option group when deleting an option.
- Ensure arrays are always returned from title pair methods
- Don't strip HTML tags on post content choosers.
- Correctly check permissions on user report page
- Correctly handle chargebacks for PayPal Funds Now accounts
- Log IP when TFA check is triggered
- Avoid table locking when checking if the error log table is populated
- Correct our auto-timezone data so that UTC+3 returns Europe/Moscow as expected.
- Slightly adjust the explain text for the boardDescription option to clarify it applies to the "Forums default page".
- Ensure we mark all forum descendants read when marking a forum read - not just its children.
- Opt for more desirable defaults when emailing users
- Fix incorrect type hint on App::service method.
- Attempt to convert incoming <code> tags to relevant BB code.
- Extend the color_picker.js infinite loop protection to allow colors to be resolved more than once up to a limit of 3 times each.
- Expand support for our share buttons to include the page image and send that along with the Pinterest share button clicks.
- Make query for finding newest/next posts in a thread more performant.
- Slightly adjust phrase about unique ad position keys to suggest the key may already be in use.
- Ensure "No permission" placeholder buttons correctly wrap text.
- Throw a clearer error if closure compiler returns an unexpected response when minifying JS.
- Load images when rebuilding recent emoji
- Use a consistent function when checking if CAPTCHA should be shown.
- Add title attributes to most of the style property edit fields to make clearer the specific CSS property being adjusted.
- Allow moderators to expire/delete warnings they issued
- Ensure alt text is correctly displayed when hovering over thumbnail attachments.
- Display field name in required custom field error message
- Ensure integer and float values are correctly cast when using searchers.
- Properly normalize page action criteria
- Implement the ability to extend all XF\CustomField\* classes - specifically Set and DefinitionSet.
- Avoid an error if a user has 25 incomplete subscription purchases with Stripe
- Make the appropriate usage of a language's currency_format value more clear.
- Check breadcrumb hrefs against the full request URI (including scheme and host) as well as the partial request URIs to determine when they should be automatically hidden.
- Prevent table overflow on the user change log with wide browser windows.
- Allow manually triggered rebuild jobs to be resumed via the command line.
- Support URLs being used in moderator log action params.
- When creating a new payment profile, only show providers from active add-ons.
- Fix LESS compilation failure when form input padding is blank
- Allow auto focus into tagging/token input elements.
- Make sure that iOS opens reactions on long press (consistent with previous versions and other mobile devices).
- Disable the CodeMirror code editor (with a fallback to a standard textarea) on Android devices due to compatibility issues.
- Make improvements to the moderator list especially when there are large numbers of moderator records.
- When importing users with invalid email addresses, correctly set their user states.
The following public templates have had changes:
- _help_page_bb_codes
- app_body.less
- bb_code_tag_attach
- code_editor
- conversation_list
- core_datalist.less
- core_input.less
- core_menu.less
- core_overlay.less
- editor.less
- editor_base.less
- editor_dialog_media
- forum_post_quick_thread
- forum_post_thread
- forum_post_thread_chooser
- forum_view
- lightbox.less
- lost_password_confirm
- PAGE_CONTAINER
- payment_cancel_recurring_confirm
- payment_initiate.less
- quick_reply_macros
- share_page_macros
- thread_reply
- thread_view
- widget_html
Today we are releasing XenForo 2.1.9 to address a potential security vulnerability that may affect any customer using our PayPal payment handler and user upgrades. It may also affect add-ons you have installed that process payments through our PayPal payment handler.
We recommend that all affected customers running XenForo 2.1 upgrade to 2.1.9 or apply one of the attached patch files as soon as possible.
Specifically, the issue relates to a specially crafted callback (or IPN) which is then successfully processed using PayPal's sandbox verification endpoint rather than its live system. If successful, a purchase could be completed without your PayPal account actually receiving any funds.
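The failure mode above comes down to which endpoint the IPN is verified against. The following added example (not XenForo's code, and not the contents of the patch) contrasts an endpoint choice driven by the callback's own `test_ipn` field with one driven solely by deployment configuration, and adds the usual receiver and amount checks a handler should make after a VERIFIED reply. The `$deploymentIsSandbox` flag, the expected-order array and the constructed callback are assumptions for this example; the two endpoint URLs are PayPal's published live and sandbox IPN verification endpoints.

```php
<?php
// Added example (not XenForo's code): choosing the PayPal IPN verification
// endpoint from server-side configuration only, then checking the
// verified callback against the order we expect.

declare(strict_types=1);

const PAYPAL_IPN_LIVE    = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const PAYPAL_IPN_SANDBOX = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';

// Weak: the callback's own test_ipn flag selects the endpoint, so a
// callback that claims to be a test is verified against the sandbox.
function verificationUrlWeak(array $ipn): string
{
    return !empty($ipn['test_ipn']) ? PAYPAL_IPN_SANDBOX : PAYPAL_IPN_LIVE;
}

// Hardened: the endpoint is a deployment setting ($deploymentIsSandbox is an
// assumed config flag). A callback whose test_ipn flag disagrees with that
// setting is rejected outright instead of being verified anywhere.
function verificationUrlHardened(array $ipn, bool $deploymentIsSandbox): ?string
{
    $callbackSaysTest = !empty($ipn['test_ipn']);
    if ($callbackSaysTest !== $deploymentIsSandbox) {
        return null;
    }
    return $deploymentIsSandbox ? PAYPAL_IPN_SANDBOX : PAYPAL_IPN_LIVE;
}

// PayPal validates the original raw body echoed back with a cmd prefix.
function buildValidationBody(string $rawBody): string
{
    return 'cmd=_notify-validate&' . $rawBody;
}

// POST the body to the chosen endpoint; only an exact VERIFIED reply counts.
function verifyIpn(string $url, string $rawBody): bool
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => buildValidationBody($rawBody),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === 'VERIFIED';
}

// A VERIFIED reply only proves PayPal sent the message; the handler must
// still confirm it describes a completed payment to us for the right
// amount, and must treat a repeated txn_id as already processed.
function ipnMatchesOrder(array $ipn, array $order): bool
{
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && ($ipn['receiver_email'] ?? '') === $order['receiver_email']
        && ($ipn['mc_currency'] ?? '') === $order['currency']
        && (float)($ipn['mc_gross'] ?? 0) === (float)$order['amount']
        && !in_array($ipn['txn_id'] ?? '', $order['seen_txn_ids'], true);
}

// Constructed callback for a live deployment that claims to be a test.
$rawBody = 'payment_status=Completed&receiver_email=merchant%40example.com'
    . '&mc_currency=USD&mc_gross=10.00&txn_id=EXAMPLE-TXN-1&test_ipn=1';
parse_str($rawBody, $ipn);

$order = [
    'receiver_email' => 'merchant@example.com',
    'currency'       => 'USD',
    'amount'         => 10.00,
    'seen_txn_ids'   => [],
];

echo 'weak endpoint:     ', verificationUrlWeak($ipn), PHP_EOL;
$url = verificationUrlHardened($ipn, false);
echo 'hardened endpoint: ', $url ?? 'rejected (test_ipn on a live deployment)', PHP_EOL;

// Only when the endpoint is the configured one and PayPal says VERIFIED do
// the order checks run; with $url === null the purchase is never completed.
if ($url !== null && verifyIpn($url, $rawBody) && ipnMatchesOrder($ipn, $order)) {
    echo 'payment accepted', PHP_EOL;
} else {
    echo 'payment not accepted', PHP_EOL;
}
```

With the constructed callback, the weak selector returns the sandbox URL while the hardened selector returns null and the purchase is never completed; no network call is made for the rejected case. When `verifyIpn` does run, it fails closed on any transport error because `curl_exec` returns `false` rather than the string `VERIFIED`.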
There are no other fixes in this release. A further 2.1 maintenance release will follow in the coming weeks.
Applying the fix: upgrading
You can upgrade to 2.1.9 to resolve this issue. You should upgrade as you would for any other release.
We have identified an issue in 2.1.8 that may cause certain template modifications in add-ons to not be applied correctly. This issue is discussed in more detail in this bug report. In order to resolve this, we have released XenForo 2.1.8 Patch 2.
- An error related to warning points when rebuilding the user cache
- An error when sending payment receipts for user upgrades / purchasable items
Some of the changes in XF 2.1.8 include:
- Attempt to merge reactions when merging posts
- Only hydrate autoIncrement relation fields if there is no value in the parent entity. If the field has a value in the parent, an exception is now thrown.
- Use \ZipArchive::OVERWRITE flag when creating add-on zip to maintain compatibility with newer libzip versions
- Ensure more consistent sorting is used for class extensions, code event listeners and template modifications.
- Fix method checking when looking for API methods with versions appended.
- Use optimal batch sizing when rebuilding templates and phrases.
- Don't allow moderators to delete / edit warnings they have given if they have no permission to.
- Update GitHub OAuth implementation to use header authorisation.
- Handle rebuilding the active warning points in the User rebuild job.
- Suppress warnings when closing file pointer after copying file
- Ensure a boolean value is returned when checking viewing permissions for conversations.
- When importing deletion log entries, ensure the username and reason do not exceed the allowed max lengths.
- Update register navigation item to ensure registration is enabled
- Add widget data attributes to expanded new thread widget
- Only fetch member stat results once on the overview page
- Allow connected account providers to provide additional auth params
- Only enqueue a reaction score rebuild when a reaction's score has changed, and simply rebuild scores for all reactions
- Correctly identify Android version in the attachment manager
- Upgrade jQuery to 3.4.1.
- Validate parent IDs correctly when inserting tree structured data.
- Prevent spam cleaner error when deleting a thread started by a spammer which has a redirect thread pointing to it.
- Add a content template for user reports to improve extensibility.
- Prioritize quick reply editor when multi-quoted quotes are inserted.
- Add a minimum width to user change log cells
- Add account email check to various places before sending mail
- Offset the select-to-quote tooltip whenever touchevents are supported.
- When rendering an unfurl do not double escape the proxied version of the URL.
- Force max length constraint when handling a user ban reason.
- Re-implement shortening of display text for very long URLs.
- Log moderator attachment deletions to the moderator log.
- Display error when trying to add template modification when not in development mode.
- Workaround an issue with multiple color pickers which could prevent some color pickers from behaving as expected.
- When previewing, ensure that sticky form submit rows stay stuck to the right place.
- When importing paid subscriptions from vBulletin ensure user group changes are correctly logged.
- Add a separate 'following' phrase for members others follow
- Check preg_last_error() when processing template modifications
- Improve news feed handler attachment handling
- Prevent an error related to cache clearing of entity relations with an empty condition.
- Reverse some changes related to template editing syntax highlighting which may actually break syntax highlighting entirely in some cases.
- Echo a list of allowed extensions back in the error message given when a file that does not have an allowed extension is uploaded.
- Include file and line number in exception XML response
- Throw an error exception when a ban fails to apply
- Handle failed bans in the warning point change service
- Ensure that emoji conversions are done as expected for all characters.
- Prevent a URL parsing error when following an HTTP request redirect to a path that starts with a "/" and contains a ":".
- Improve styling of responsive data lists, particularly with checkboxes that have headings
- Allow attachment data manipulation before copying files
- Implement search source method to determine if a query is empty
- Do URL canonicalization on the contact page and ensure that we link to misc/contact consistently (no trailing slash).
Some of the changes in XF 2.1.7 include:
- Ensure that some jobs do not attempt to complete or otherwise change state inside a transaction.
- Ensure correct URL is used in the bookmark label filter when friendly URLs are not enabled.
- Display correct username styling when viewing users linked to an IP.
- In alerts and the news feed, ensure the "your post" link in the reaction item is clickable.
- Ensure Gravatar rebuild job respects the options sent to it.
- Prevent users from deleting their own accounts
- Check for guest posts in post reaction items
- Ensure login button when viewing a forum as a guest wraps properly.
- Only try to hide the global action indicator if it's actually present.
- Do not redirect back to the login page after a connected account request
- Properly check for tag container inside tagger
- Do not escape outbound email test subject phrase
- Correctly handle add-ons created with incorrect casing when the namespace already exists.
- Add additional wording to make it clear that the rejection reason will be shown to users awaiting approval.
- Remove hard-coded height from payment inputs
- Add missing phrase for 'could_not_find_subscriber_id_for_this_purchase_request'
- Display PHP's memory_limit within server environment report.
- Force choice builder to use temporary variable with set tags
- Remove Google+ URL from the Google connected account template.
- Allow disabling pointer events for nested tooltips
- Remove unused parameter when fetching reaction phrase
- Update promotion history interface for clarity
- Fix post copier attachment regex
- We need to detect if an icon defined as fa includes an fa prefix, such as fab etc., and if it already includes one, don't prepend our own.
- Check that we do actually have some valid content before we start working with it, and bug out if not
- Ensure we don't overwrite the rebuildDefaultData array in rebuild jobs. Additional data should be initialized in the defaultData array as normal.
- When viewing the approval queue, ensure the "Spam clean" option only displays to moderators who have permission to use the spam cleaner.
- Store the master Toggle cookie data for a set time, rather than per session (1 year). Support being able to specify the expiry date of each storage item and default it to 1 day. Fix some bugs which may have prevented entries from expiring when needed.
- Enable Facebook story.php links to embed like normal Facebook posts.
- Generally improve support for Duotone FA icons, especially in usage of addon.json.
- When moving posts into an existing thread, ensure we only change the thread's visibility if the first source post is now the target's first post.
- Fix incorrect logic in AbstractField for entity structures that may not support display grouping.
- Workaround a weird quirk where some browsers may not render a broken image placeholder if the alt/title attributes are empty.
- Add support for the theme attribute when rendering recaptcha. The value comes from the "Style type" style property in the "Color palette" group which has a light/dark value.
- Update Linkedin connected account provider to use their updated API.
- Apply proper fix to ensure the user's correct approval queue counts are displayed.
- Fix an issue that would break prepending a table prefix to table names in the database adapter.
- Reverse a change that allowed admin templates to be called from within public templates.
- Display a more coherent error message when trying to warn a user for content they have already been warned for.
- When deleting an attachment from content, prevent any upload errors.
- Add missing (and undocumented!) structured data to the DiscussionForumPosting entry for the thread view.
- Ensure that xfUniqueId() returns the new id attribute value if one was set.
- Revert a previous change related to the conversion of some non-emoji characters to images.
- Adjust styling of deleted structured list items (thread list etc) so that only the correct parts are underlined.
- In the Admin CP template editor, ensure content of <xf:js> and <xf:css> tags are highlighted appropriately.
- Prevent XF.CheckAll from updating disabled checkboxes.
- In the news feed, ensure the reaction item is consistent so that "your post" links to the actual post.
- If no error message exists when we check the permission for quick close/quick stick then give a generic no permission message.
- Further fixes to sticky form submit row positioning with relation to notices.
- In Markdown parsing, do not match a string of asterisks or underlines as valid blocks of bold or italics.
- Prevent unexpected spacing changes when editing a message in the RTE that has tables
- Support embedding IGTV URLs.
- Prevent conversation reply counts from getting out of sync due to a race condition.
- Fix mentions not always being processed correctly when a dotted capital I is present.
- When filtering bookmarks in the popup, make the "show all" link respect the currently selected label.
- Prevent double change logs when a user registration is outright rejected for spam behaviour.
- Fix potential incorrect behavior when pasting into the RTE from external sources. Improve behavior when pasting from Google Docs.
- Ensure that the RTE code editor dialog consistently automatically focuses the code editor when it is shown.
The following public templates have had changes:
- account_bookmarks_popup
- account_visitor_menu
- captcha_recaptcha
- connected_account_associated_linkedin
- core_contentrow.less
- editor_dialog_code
- lightbox_macros
- reaction_item_post
- structured_list.less
- thread_view
Some of the changes in XF 2.1.5 include:
- Correctly handle Stripe review callbacks
- Fix the +/- buttons on number box elements not working in the MS Edge browser.
- Ensure the import permission helper does not fall over when it encounters a permission value of 0.
- Update Font Awesome to 5.11 and improve support for duotone icons.
- Add a "Spam" button on potential spammers when viewing reports.
- Back out some older iOS workarounds, which appear to apply only to very old iOS versions in relation to inputs inside fixed elements, in order to resolve issues caused by iOS 13.
- Ensure the icon/title alert count indicator still displays counts greater than 999.
- When attempting to find a matching transaction while processing a payment, ensure it is limited to transactions from the same provider.
- Switch to a case-insensitive match when parsing MP4 video ftyp types.
- Workaround for displaying relative timestamps in the future in pages output by the guest page cache.
- Make changes to allow certain URLs without a trailing slash to work more predictably.
- Only display the "Spam" button to visitors with permission to use the spam cleaner.
- When fetching new oEmbed data from an endpoint, catch all exceptions and return the typical error output.
- Fix fixed menu positioning on Safari when scrolling.
- Prevent left/right-aligned content in spoilers from overflowing their container.
- Avoid a quirk with the lazily loaded RTE in Firefox, which could insert an empty line when content is first entered.
- Update the Redis cache provider to use the del function instead of delete.
- Strip accents from and romanize URLs before validation
- Restore the post_date, post_id ordering used in XF1 so that posts with the same date stamp are sorted in order.
- Prevent extraneous dot characters from being added to forum list category anchor links.
- Create a "title" getter for the WarningAction entity (return \XF::phrase('warning_points:') . ' ' . $this->points;)
- When displaying unfurl errors in the test tool, wrap the error message as needed.
- On the discouraged IP list in the Admin CP, ensure the list is correctly paginated.
- Disable validation when reverting to a previous version of content
- Check that the follow/unfollow and ignore/unignore result returned something before attempting to read any related errors
- Remove the link URL, since there is no "edit" page for thread reply bans and the link URL is therefore meaningless
- Update fa-warning to fa-exclamation-triangle in the XF Templater
- Update the Twitter developer link in the option_explain_tweet phrase
- Ensure unfurled URLs are displayed as blocks but work well alongside floated images.
- Prevent an undefined index error in certain cases when rebuilding field cache data.
- Add more failover catches for when a site, for whatever well-known reason, sends completely broken HTTP headers back to Guzzle.
- Add meta description / og:description / twitter:description via the metadata_macros -> metadata template macro
- When exporting languages/styles, use a URL-friendly add-on ID.
- Force invisible reCAPTCHA to be displayed on the login form. Creates a minor BC break in all CAPTCHA classes that any third-party CAPTCHA providers will need to comply with
- Reduce the number of queries on the node moderator list using the new getFullNodeListCached method.
- After a thread merge, update the xf_thread_read table to reflect each user's earliest read date for each source thread, so that unread posts from the source threads are not marked as read when merged into a target thread whose original content has already been read
- Implement transactions and fetch the last insert ID on duplicates
- Wrap a bunch of work in a transaction so that we never find SELECT results invalidated while updating them
- Implement the is_counted check suggested in the report thread
- Wrap Throwable in ErrorException for compatibility with Symfony components
- Correct the logic around user reaction scores when deleting content / changing reaction scores
- Prevent false-positive detection of duplicate key exceptions in queries due to generic SQL state codes.
- Gracefully handle race conditions when inserting bookmarks.
- Make the list sorter more usable on touch devices by ensuring the page does not scroll when attempting to drag items.
- Fix a situation where tables would not convert to BB code correctly if CSS/alignment was applied at the table row level.
- Set up XenForo's error handling as part of startSystem rather than standardizeEnvironment, to ensure the necessary classes/functions are available before they are called.
- Fix timestamp issues after timezone/DST changes
- When loading recently used smilies/emoji, give smilies priority over emoji when short codes conflict. (This may still cause an incorrect icon to be displayed, but only when inserting the conflicting emoji rather than the smiley.)
The following public templates have had changes:
- approval_item_user
- bb_code.less
- core.less
- core_fa.less
- core_utilities.less
- helper_js_global
- help_page
- login
- member_shared_ips_list
- report_view
- setup_fa.less