Today, we are releasing XenForo 2.0.13 to address a potential security vulnerability that may affect any customer who makes use of our PayPal payment handler.
As well as user upgrades, this may affect add-ons you have installed which process payments using our PayPal payment handler.
We recommend that all affected customers running XenForo 2.0 upgrade to 2.0.13 or use one of the attached patch files as soon as possible.
Specifically, the issue relates to a specially crafted callback (or IPN) which is then processed successfully using PayPal's sandbox validation endpoint instead of their live system. If successful, a purchase could be completed without your PayPal account actually receiving any funds.
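An added illustration of the defensive pattern (constructed example, not XenForo's code): the IPN postback endpoint is selected from server-side configuration only, and a sandbox-flagged message is refused outright in production. It assumes PayPal's documented test_ipn field and postback URLs, and models the weak variant as one that lets the IPN's own flag pick the endpoint; the page does not say which field XenForo's handler actually keyed on, so that part is an assumption. The HTTPS postback is replaced by a fake so the block runs offline.

```python
"""Hardened PayPal IPN validation: the postback endpoint comes from server-side
configuration only, never from fields inside the IPN. Constructed example, not
XenForo's code; the HTTPS postback is replaced by a fake so it runs offline."""
from urllib.parse import parse_qsl

# Real PayPal IPN postback endpoints.
LIVE_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
SANDBOX_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"

_LIVE_TXNS = {"TXN-LIVE-0001"}  # constructed: the only transaction "PayPal" recorded

def fake_postback(url, body):
    """Stand-in for the postback. The sandbox confirms anything flagged
    test_ipn=1 (any sandbox account can generate those); the live system only
    confirms transactions it actually recorded."""
    f = dict(parse_qsl(body, keep_blank_values=True))
    if url == SANDBOX_VERIFY_URL:
        return "VERIFIED" if f.get("test_ipn") == "1" else "INVALID"
    return "VERIFIED" if f.get("txn_id") in _LIVE_TXNS else "INVALID"

def validate_ipn_unsafe(raw_body, postback=fake_postback):
    """Weak pattern (assumed, for contrast): the IPN's own test_ipn flag picks
    the endpoint, so a forged IPN routes itself to the sandbox and comes back VERIFIED."""
    f = dict(parse_qsl(raw_body, keep_blank_values=True))
    url = SANDBOX_VERIFY_URL if f.get("test_ipn") == "1" else LIVE_VERIFY_URL
    return postback(url, "cmd=_notify-validate&" + raw_body) == "VERIFIED"

def validate_ipn(raw_body, expected, sandbox_configured=False, postback=fake_postback):
    """Hardened: endpoint from config, sandbox-flagged IPNs refused in production,
    then status/receiver/amount/currency checked against the expected purchase."""
    f = dict(parse_qsl(raw_body, keep_blank_values=True))
    if not sandbox_configured and f.get("test_ipn") == "1":
        return False
    url = SANDBOX_VERIFY_URL if sandbox_configured else LIVE_VERIFY_URL
    if postback(url, "cmd=_notify-validate&" + raw_body) != "VERIFIED":
        return False
    return (f.get("payment_status") == "Completed"
            and f.get("receiver_email") == expected["receiver_email"]
            and f.get("mc_gross") == expected["mc_gross"]
            and f.get("mc_currency") == expected["mc_currency"])

# Constructed IPN bodies: one forged (sandbox-flagged), one genuine live one.
FORGED_IPN = ("payment_status=Completed&txn_id=TXN-FAKE-9999&test_ipn=1"
              "&receiver_email=shop%40example.com&mc_gross=20.00&mc_currency=USD")
GENUINE_IPN = ("payment_status=Completed&txn_id=TXN-LIVE-0001"
               "&receiver_email=shop%40example.com&mc_gross=20.00&mc_currency=USD")
EXPECTED = {"receiver_email": "shop@example.com", "mc_gross": "20.00", "mc_currency": "USD"}
```

The weak variant accepts the forged message while the hardened one rejects it and still accepts the genuine live transaction; a site running in sandbox mode should be a separate, deliberate configuration rather than something the inbound message can switch on.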
There are no other fixes included in this version. There will be a further 2.0 maintenance release in the coming weeks.
Applying a Fix: Upgrading
You may upgrade to 2.0.13 to fix this issue. You should upgrade as you would to any other release.
XenForo 2.0.12 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.0 upgrade to this release to benefit from increased stability.
This version makes a number of changes to improve compatibility with PHP 7.3.0. However, at this time, we do not recommend using PHP 7.3.0 in production due to a bug that can cause code to execute incorrectly, potentially leading to data loss. We believe this bug will be resolved in PHP 7.3.1 when it's released.
Download XenForo 2.0.12
Some of the changes in XF 2.0.12 include:
Improve PHP 7.3 compatibility.
If available and different from the server version, grab a more detailed version for the Server environment report.
If the $_SERVER['SERVER_SOFTWARE'] value isn't available or valid then just don't display that entry in the report, because it's mostly not essential.
Adds some additional phrases for the "Server environment report"
Fix an issue which affects building add-on releases on Windows where local paths included a leading slash.
Incrementally update the job state of the Sitemap job so that a fatal error shouldn't disrupt the process and introduce corrupted/duplicate items.
Adjust error message given when attempting to edit a user's permissions for a content type without a valid user_id.
Standardize the locale information used by PHP.
Use a different approach to loading icons on the add-ons list in the Admin CP. To avoid issues with multiple database connections, the icon image data is instead converted to a data URI.
User upgrades should not check canPurchase() before processing a payment that has been received, as this method is really only for limiting the UI/purchase setup.
Add some additional trusted IP ranges for Google.
Ensure 'nullable' entity property is reflected in generated code
Ensure node navigation entries use their assigned title
Ignore custom field errors during admin edit and include custom field title with errors
Convert warning notes field to structured text
Correctly apply admin user message leave options
Prevent new messages being duplicated in Firefox
Ensure multi quote quotes are inserted into the correct editor
Hide 'Start a new conversation' link if visitor doesn't have permission to start conversations.
Allow permanent redirects to be stickied and unstickied.
Ensure xfagenav tags use correct router.
Remove extra save call when ignoring member
Remove UTC check from server environment report and link PHP version to phpinfo page
Prevent loading of Setup.php if addon.json requirements aren't met
Make xf-dev:entity-class-properties CLI command correctly handle subdirectories
Return 'complete' response from UserGroupPromotion job if no active promotions are found.
Ensure 'From name' and 'From email' fields are applied when batch emailing users
Hide editor draft menu from guests
Ensure cron entries run at zero valued time units if multiple time values are selected.
Check for missing hash in IPSForums3x authentication handler.
Add missing hint parameter to discouraged checkbox on user edit page
Remove invalid relation from SpamTriggerLog entity
Use content type phrase when rebuilding the search index
Fix incorrect URL on conversation message likes list
Fix broken 'Delay duration' option for floating notices
Allow invalid users to be unfollowed
Re-add explain text in the user_edit form to clarify non-valid user states behaviour.
Include table name in message for any exception occurring in SchemaManager methods.
Implement custom stack trace builder to mask passwords in method arguments
Add deleted item styling to news feed items
When restoring spam cleaned threads, ensure threads which were originally moved are restored back to the correct forum.
Return an error phrase upon invalid callback validation when performing spam clean actions. Note that the method name switches to ucfirst(\XF\Util\Php::camelCase($action)) in XF 2.1 but remains as ucfirst($action) in XF 2.0.
When handling a Stripe webhook that is missing required metadata, when attempting to find a previous related log, ensure said log actually contains a purchase_request_key.
Improve BB code parsing of incomplete tags within plain-child tags.
Migrate user field criteria during upgrade from XF 1.x to 2.x
By default, do not allow cookies to be retrieved as arrays to prevent unexpected behavior. (Array support can now be opted into explicitly.)
Prevent an error when trying to delete a payment profile when there is an invalid purchasable definition.
Track when a preview is pending to prevent multiple simultaneous preview loads.
Prevent a PHP notice when deleting a poll for a thread started by a guest
Include breadcrumb in edit history view and compare templates.
Pass unused $ellipsis variable into wholeWordTrim.
Prevent long select options from causing overflow on iOS.
Enable the HTML to BB code simplification process to handle additional situations
Resolve some situations where the new messages indications while composing a reply wouldn't take you to the expected location.
Validate advertisement html before saving.
Prevent tel/sms links being converted to bbcode
Remove the insert icode option when extended text formatting is disabled.
Allow end user modification to the "allow this BB code in signatures" option on add-on-defined custom BB codes.
Call the canPurchase method instead of can_purchase in UserUpgrade::getFilteredUserUpgradesForList.
Correctly combine multiple custom field-related limits to the user and thread searchers.
Correctly apply the "not in secondary groups" user search condition (users cannot be in any of the listed groups).
When building a release and testing a JSON, only consider an error if decoding the build.json does not return an array.
When submitting spammers to StopForumSpam, convert binary IP address to readable string.
When saving style templates through the admin UI, force version/last_edit_date to be updated like XF 1.x
When merging threads, always redirect to the target thread.
Fix currency code for Belarusian Ruble (BYR => BYN)
No longer cache the preview container object in the PreviewClick handler. If there are multiple handlers per page, the cached container becomes incorrect if using different handlers.
When form filling, if the control is a textarea with a textarea-handler, trigger its update method to ensure the textarea is resized appropriately.
Prevent an array-to-string conversion when throwing a bulkInsert exception if a missing column is detected.
Ensure that the user following cache cannot include your own user ID.
Add missing mod_log.thread_poll_reset phrase.
Attempt to exclude dot files/directories from our vendor dependencies.
Number boxes are too wide and cause units to overflow their container, fixed with max-width.
Add "Please do not reply to this message" text to outgoing conversation emails.
Reassign user group changes when merging users
Ensure PasswordChange service errors on any UserAuth error.
Fetch more threads for new threads widget
Ensure exceptions in sub-processes stop execution, and always exit with non-zero error code on error.
Make Disabler system compatible with select options.
Ensure FieldAdder handles Disabler elements correctly
Ensure prefix of destination thread is shown in moved post alert.
Trigger change event on select when prefix selected
Remove the "mixed" stuff from CodeMirror's PHP mode so that the opening tag is no longer required.
Update broken link to Apple support in cookie help page text (and in XF 1.5).
Adjust top border radii of blocks within overlays.
Allow non-user selectable styles to be used for the email style. Also, add several email-related style properties to allow email colors to be overridden more directly, without creating a new style.
Implement a "notice watcher" system for bottom fixed notices. This calculates the total visible notice height in the bottom fix location and adds a footer margin to the same value so that no content can be covered by the notice(s).
Adjust how we parse search query modifiers to be more strict. (- and + require whitespace before and none after, | requires whitespace on both sides. Don't parse doubled up modifiers.)
Adjust trophies phrase capitalization
Include no_date_limit in the rel=canonical link for forums when needed
Attempt to reduce cases where conversation reply_count values could potentially get out of sync. Allow the reply count and other parts to be rebuilt via the conversation rebuild tool.
By default, reject email addresses as invalid if there are no dots in the domain part.
Add a bit of left padding on contentRow-suffix elements.
Include the forum a thread belongs to in the RSS feeds (only for global feeds).
Fix add-on development data not being removed as expected when the last entry of a type has been removed. (The metadata JSON file must still exist.)
Relax URL validation a tiny bit, notably don't block adjacent path separators in the path section.
Ensure phrase is escaped in HTML attribute.
Ensure usage of phrase within HTML attribute is escaped.
In the AbstractSearcher ensure that the day end value is converted properly to the end of the day.
Never allow the XF add-on to appear in add-on lists.
Handle avatar deletes via the spam cleaner for gravatars too.
Make add-on action finalization more robust when uninstalling legacy add-ons.
When importing dev output, ignore any invalid columns.
Add some block border radius to the member header block so that it fits within its parent block.
Ensure permissions are rebuilt on add-on active change.
Update child navigation entries directly when the parent ID changes to ensure dev output is written correctly.
Use the correct maxlength value for the public navigation structure. Additionally, bump AdminNavigation ID lengths up to 50 from 25.
Add support for partial indexes to schema manager conflict resolution system
Fix multiple issues that make it hard to use XF\Import\Data\AbstractEntityData
Consistently use code paths which result in the canView method of the report entity (rather than the handler) being used.
The following public templates have had changes:
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area.
Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2.x. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade.
Please note that XenForo 2.0.x has higher system requirements than XenForo 1.x.
The forthcoming XenForo 2.1.x release will have higher system requirements again (PHP 5.6).
The following are minimum requirements:
PHP 5.4 or newer (PHP 7.2 recommended)
MySQL 5.5 or newer (also compatible with MariaDB/Percona etc.)
All of the official add-ons require XenForo 2.0.
Enhanced Search requires at least Elasticsearch 2.0.
Installation and Upgrade Instructions for XenForo 2.0
Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual.
Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.