XenForo 2.1.12 Released Full | XenForo 2.1 ENXF

Released 2x XenForo 2.1.12 Released Full | XenForo 2.1 ENXF 2.1.12

No permission to download
Today, we are releasing XenForo 2.1.12 to address two potential security vulnerabilities. We strongly recommend that all customers running XenForo 2.1 upgrade to 2.1.12 or use the attached patch file as soon as possible.

The issues are XSS vulnerabilities. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access.

XenForo extends thanks to security researcher Vincent ibn Winnie for reporting the issues.

We recommend doing a full upgrade to resolve the issues, but a patch can be applied manually. See below for further details.

If you are currently running 2.1, the automatic upgrade check will now allow you to upgrade to 2.1.12 within your control panel. Once you are running the latest 2.1 release, it will report that an upgrade to 2.2 is available. If you would like to upgrade to 2.1.12 and the control panel reports that 2.2.0 is available, you may manually check for upgrades via Tools > Check for upgrades.

Please be aware that XenForo 2.0 is no longer supported or receiving security updates. We strongly recommend that customers running 2.0 upgrade to the current version.
Applying a patch manually

Download the patch in the 2111patch.zip file attached to this message. It will contain the following files:
  1. src/XF/Admin/Controller/Login.php
  2. src/XF/Pub/Controller/Login.php
Extract the zip file to your computer and upload the contents to the root of your XenForo installation. This should overwrite the files on your server with the new version.

Note: If you decide to patch the files instead of doing a full upgrade, your "File health check" will report these three files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.
Some of the other changes in XF 2.1.10 include:
  • Properly support disabling memory limits when calling setMemoryLimit with -1.
  • Prevent a race condition related to double clicking when reacting to content.
  • Prevent a server error when trying to edit a super admin via a non-super admin. (Also, allow the bypass permissions option of the API request to bypass this constraint.)
  • Do not display unsupported media sites in approved site list
  • Properly set average tooltips in stats graphs
  • Allow the message body '0' in report comments
  • Allow searches for '0' in template and phrase titles and contents
  • Don't throw an error when trying to view reactions on a conversation message by a deleted user.
  • When deleting warning actions, correctly redirect to the warnings list.
  • When deleting template modifications, redirect to the correct template modification type list.
  • Set a maximum length for content_type field in the spam trigger log entity.
  • Allow users to reconfirm their existing email addresses if emails have previously bounced to it.
  • Opt not to show a title for HTML widgets if no explicit title is set.
  • Avoid throwing a template error for approval queue items with no user relationship.
  • Ensure the MySQL replication adapter throws the correct exception on failure and supports the charset option.
  • Adjust the display of conversation filter checkboxes.
  • Use the correct modifier when building attachment URLs for the editor.
  • Ensure full thumbnail URLs are used when rendering the ATTACH BB code, notably for rendering in emails.
  • Properly check required PHP, PHP extension, and MySQL versions during add-on installation
  • Don't allow double backslashes for PHP callbacks.
  • Redirect back to the option group list after deleting an option group.
  • Redirect back to the option group when deleting an option.
  • Ensure arrays are always returned from title pair methods
  • Don't strip HTML tags on post content choosers.
  • Correctly check permissions on user report page
  • Correctly handle chargebacks for PayPal Funds Now accounts
  • Log IP when TFA check is triggered
  • Avoid table locking when checking if the error log table is populated
  • Correct our auto-timezone data so that UTC+3 returns Europe/Moscow as expected.
  • Slightly adjust the explain text for the boardDescription option to clarify it applies to the "Forums default page".
  • Ensure we mark all forum descendants read when marking a forum read - not just its children.
  • Opt for more desirable defaults when emailing users
  • Fix incorrect type hint on App::service method.
  • Attempt to convert incoming <code> tags to relevant BB code.
  • Extend the color_picker.js infinite loop protection to allow colors to be resolved more than once up to a limit of 3 times each.
  • Expand support for our share buttons to include the page image and send that along with the Pinterest share button clicks.
  • Make query for finding newest/next posts in a thread more performant.
  • Slightly adjust phrase about unique ad position keys to suggest the key may already be in use.
  • Ensure "No permission" placeholder buttons correctly wrap text.
  • Throw a clearer error if closure compiler returns an unexpected response when minifying JS.
  • Load images when rebuilding recent emoji
  • Use a consistent function when checking if CAPTCHA should be shown.
  • Add title attributes to most of the style property edit fields to make clearer the specific CSS property being adjusted.
  • Allow moderators to expire/delete warnings they issued
  • Ensure alt text is correctly displayed when hovering over thumbnail attachments.
  • Display field name in required custom field error message
  • Ensure integer and float values are correctly casted when using searchers.
  • Properly normalize page action criteria
  • Implement the ability to extend all XF\CustomField\* classes - specifically Set and DefinitionSet.
  • Avoid an error if a user has 25 incomplete subscription purchases with Stripe
  • Make the appropriate usage of a language's currency_format value more clear.
  • Check breadcrumb hrefs against the full request URI (including scheme and host) as well as the partial request URIs to determine when they should be automatically hidden.
  • Prevent table overflow on the user change log with wide browser windows.
  • Allow manually triggered rebuild jobs to be resumed via the command line.
  • Support URLs being used in moderator log action params.
  • When creating a new payment profile, only show providers from active add-ons.
  • Fix LESS compilation failure when form input padding is blank
  • Allow auto focus into tagging/token input elements.
  • Make sure that iOS opens reactions on long press (consistent with previous versions and other mobile devices).
  • Disable the CodeMirror code editor (with a fallback to a standard textarea) on Android devices due to compatibility issues.
  • Make improvements to the moderator list especially when there are large numbers of moderator records.
  • When importing users with invalid email addresses, correctly set their user states.
The following public templates have had changes:
  • _help_page_bb_codes
  • app_body.less
  • bb_code_tag_attach
  • code_editor
  • conversation_list
  • core_datalist.less
  • core_input.less
  • core_menu.less
  • core_overlay.less
  • editor.less
  • editor_base.less
  • editor_dialog_media
  • forum_post_quick_thread
  • forum_post_thread
  • forum_post_thread_chooser
  • forum_view
  • lightbox.less
  • lost_password_confirm
  • PAGE_CONTAINER
  • payment_cancel_recurring_confirm
  • payment_initiate.less
  • quick_reply_macros
  • share_page_macros
  • thread_reply
  • thread_view
  • widget_html
Today, we are releasing XenForo 2.1.9 to address a potential security vulnerability that may affect any customer who makes use of our PayPal payment handler.

As well as user upgrades, this may affect add-ons you have installed which process payments using our PayPal payment handler.

We recommend that all affected customers running XenForo 2.1 upgrade to 2.1.9 or use one of the attached patch files as soon as possible.

Specifically, the issue relates to a specially crafted callback (or IPN) which is then processed successfully using PayPal's sandbox validation endpoint instead of their live system. If successful, a purchase could be completed without your PayPal account actually receiving any funds.

There are no other fixes included in this version. There will be a further 2.1 maintenance release in the coming weeks.

Applying a Fix: Upgrading

You may upgrade to 2.1.9 to fix this issue. You should upgrade as you would to any other release.
We have identified an issue in 2.1.8 that may cause certain template modifications in add-ons to not be applied correctly. This issue is discussed in more detail in this bug report. In order to resolve this, we have released XenForo 2.1.8 Patch 2.
We have fixed two issues in XenForo 2.1.8 which cause errors or unexpected behavior:
  • Error relating to warning_points when rebuilding user caches
  • Error when sending a payment receipt with user upgrades/purchasables
Some of the changes in XF 2.1.8 include:
  • Attempt to merge reactions when merging posts
  • Only hydrate autoIncrement relation fields if there is no value in the parent entity. If the field has a value in the parent, an exception is now thrown.
  • Use \ZipArchive::OVERWRITE flag when creating add-on zip to maintain compatibility with newer libzip versions
  • Ensure more consistent sorting is used for class extensions, code event listeners and template modifications.
  • Fix method checking when looking for API methods with versions appended.
  • Use optimal batch sizing when rebuilding templates and phrases.
  • Don't allow moderators to delete / edit warnings they have given if they have no permission to.
  • Update GitHub OAuth implementation to use header authorisation.
  • Handle rebuilding the active warning points in the User rebuild job.
  • Supress warnings when closing file pointer after copying file
  • Ensure a boolean value is returned when checking viewing permissions for conversations.
  • When importing deletion log entries, ensure the username and reason do not exceed the allowed max lengths.
  • Update register navigation item to ensure registration is enabled
  • Add widget data attributes to expanded new thread widget
  • Only fetch member stat results once on the overview page
  • Allow connected account providers to provide additional auth params
  • Only enqueue a reaction score rebuild when a reaction's score has changed, and simply rebuild scores for all reactions
  • Correctly identify Android version in the attachment manager
  • Upgrade jQuery to 3.4.1.
  • Validate parent IDs correctly when inserting tree structured data.
  • Prevent spam cleaner error when deleting a thread started by a spammer which has a redirect thread pointing to it.
  • Add a content template for user reports to improve extensibility.
  • Prioritize quick reply editor when multi-quoted quotes are inserted.
  • Add a minimum width to user change log cells
  • Add account email check to various places before sending mail
  • Offset the select-to-quote tooltip whenever touchevents are supported.
  • When rendering an unfurl do not double escape the proxied version of the URL.
  • Force max length constraint when handling a user ban reason.
  • Re-implement shortening of display text for very long URLs.
  • Log moderator attachment deletions to the moderator log.
  • Display error when trying to add template modification when not in development mode.
  • Workaround an issue with multiple color pickers which could prevent some color pickers from behaving as expected.
  • When previewing, ensure that sticky form submit rows stay stuck to the right place.
  • When importing paid subscriptions from vBulletin ensure user group changes are correctly logged.
  • Add a separate 'following' phrase for members others follow
  • Check preg_last_error() when processing template modifications
  • Improve news feed handler attachment handling
  • Prevent an error related to cache clearing of entity relations with an empty condition.
  • Reverse some changes related to template editing syntax highlighting which may actually break syntax highlighting entirely in some cases.
  • Echo a list of allowed extensions back in the error message given when a file that does not have an allowed extension is uploaded.
  • Include file and line number in exception XML response
  • Throw an error exception when a ban fails to apply
  • Handle failed bans in the warning point change service
  • Ensure that emoji conversions are done as expected for all characters.
  • Prevent a URL parsing error when following an HTTP request redirect to a path that starts with a "/" and contains a ":".
  • Improve styling of responsive data lists, particularly with checkboxes that have headings
  • Allow attachment data manipulation before copying files
  • Implement search source method to determine if a query is empty
  • Do URL canonicalization on the contact page and ensure that we link to misc/contact consistently (no trailing slash).
Some of the changes in XF 2.1.7 include:
  • Ensure that some jobs do not attempt to complete or otherwise change state inside a transaction.
  • Ensure correct URL is used in the bookmark label filter when friendly URLs are not enabled.
  • Display correct username styling when viewing users linked to an IP.
  • In alerts and the news feed, ensure the "your post" link in the reaction item is clickable.
  • Ensure Gravatar rebuild job respects the options sent to it.
  • Prevent users from deleting their own accounts
  • Check for guest posts in post reaction items
  • Ensure login button when viewing a forum as a guest wraps properly.
  • Only try to hide the global action indicator if it's actually present.
  • Do not redirect back to the login page after a connected account request
  • Properly check for tag container inside tagger
  • Do not escape outbound email test subject phrase
  • Correctly handle add-ons created with incorrect casing when the namespace already exists.
  • Add additional wording to make it clear that the rejection reason will be shown to users awaiting approval.
  • Remove hard-coded height from payment inputs
  • Add missing phrase for 'could_not_find_subscriber_id_for_this_purchase_request'
  • Display PHP's memory_limit within server environment report.
  • Force choice builder to use temporary variable with set tags
  • Remove Google+ URL from the Google connected account template.
  • Allow disabling pointer events for nested tooltips
  • Remove unused parameter when fetching reaction phrase
  • Update promotion history interface for clarity
  • Fix post copier attachment regex
  • Fixed - XF.CheckAll no longer works as expected
You can perform the upgrade directly from your control panel by going to Tools > Check for upgrades
Top