Releases · e107inc/e107

26 Apr 04:15

Deltik

v2.3.4

009145d

e107 v2.3.4 Latest

Latest

Caution

v2.3.4 is a bug-fix release for sites on v2.3.3 or earlier.
Upgrade from v2.3.3 or earlier 2.x. If your site tracks the master branch, you are already past v2.3.4, so installing it would be a downgrade. v2.4.x is planned to be the next forward step.

Important

v2.3.4 collects the most overdue work in the queue: security advisory fixes for password reset, comment editing, and Media Manager imports; the PHP 8.x compatibility patches that have been accumulating; and the bug fixes that really needed to ship. It's not a feature release; the goal is to give v2.3.x sites a stable point release they can adopt while v2.4 work continues separately.

Highlights

[Security] Critical Broken Access Control on comment edit (GHSA-5w63-63rh-99q6). comment.php previously allowed any authenticated user to overwrite another user's comment by passing that comment's itemid. The updateComment() SQL now requires the row's comment_author_id to match the editor's USERID, so cross-user edits return "Update Failed" instead of succeeding silently. (23961a8f)
[Security] Server-Side Request Forgery in Media Manager imports (GHSA-92fr-7h4f-22pp). e_file::getRemoteFile() and getRemoteContent() now reject URLs that resolve to private, loopback, link-local, or otherwise reserved IP addresses, and limit cURL to HTTP/HTTPS. Sites that legitimately need to fetch from intranet hosts can opt back in by defining e_REMOTE_FILE_ALLOW_PRIVATE to true. (5f98cc9f, 40b2d111)
[Security] Host Header Injection in password reset (GHSA-7pmw-jwvr-cq2x). The emailed password-reset link no longer trusts the incoming HTTP Host header. Requests with a Host that doesn't match the configured siteurl are rejected, and fpw.php now refuses to run at all if siteurl is unset rather than falling back to HTTP_HOST. (04511f9f, b0dee823, c4f9f71b)
[Security] Privilege hardening. Media Manager preferences and avatar settings now require Main Admin. The default userclass visibility and edit permissions are also Main Admin by default (previously Admin). (#5489, #5477)
Admin area usability. Numerous fatal-error and rendering fixes across admin search, admin UI grids, mailout, polls, datetimepicker, phpinfo, and legacy admin pages. (#5211, #5464, #5271, #5473)
Email reliability. Fixes to CC handling, DKIM identity, persistent-recipient leakage across sendEmail() calls, and IP logging in notifications. (#5498, #5535, #5545)
PHP 8.x compatibility. Several warnings and fatals on PHP 8.0–8.5 removed from db_verify, thumb.php, file_class, theme_handler, and rating-/forum-info rendering. (#4501, #5443, #5482)
Forum info restored. sc_foruminfo now renders active-user counts and the newest member again. Two long-standing bugs had been hiding the whole block: the SELECT for the newest user was commented out, and the e_TRACKING_DISABLED ternary condition was inverted so the block was only shown when tracking was disabled, which is never the default. (0e23f651, 54e4b9de)

Note

A note from the maintainer, @Deltik:

v2.4 is going to need more time before it's at the quality level the e107 community deserves. Here's what's upcoming:

MyISAM → InnoDB as the default engine, for crash recovery, row-level locking, and proper transactions

utf8mb3 → utf8mb4 for native emoji support and full Unicode in usernames, posts, and comments

Implicit FULLTEXT indexes that work on InnoDB, so search no longer pins us to MyISAM

JWT-backed CAPTCHAs where the challenge carries its own server-signed solution token, eliminating the need to stash state in a guest session

No more sessions for guests. Every anonymous visitor today gets a server-side session row; that goes away.

New admin area skin with a collapsible sidebar, badges, and mobile navigation

Bootstrap 5.3 + FontAwesome 6 UI refresh across the front-end and admin

Admin change history with revert for auditable database edits

Custom domains per page and static URL mapping for editorial control over URLs

Schema.org (JSON-LD) support for better SEO, with news schema baked in

Sitemap index support for sites past the single-sitemap limit

Image alt-attribute management in Media Manager

Plugin test runner so plugin authors can ship PHPUnit/Codeception tests with their plugins

The community PR backlog finally getting reviewed and processed

For Administrators

Added

Misconfiguration error on fpw.php when the siteurl preference is empty, so admins get a visible signal instead of silently broken password-reset emails. (GHSA-7pmw-jwvr-cq2x, 04511f9f)

Changed

Comment editing (security). comment.updateComment() now scopes the SQL update to the editor's own user id, so cross-user comment edits via /comment.php?mode=edit are rejected. Ref: GHSA-5w63-63rh-99q6. (23961a8f)
Remote file fetching (security). e_file::getRemoteFile() and getRemoteContent() now block private, loopback, link-local, and reserved IP ranges by default and limit cURL to HTTP/HTTPS. Define e_REMOTE_FILE_ALLOW_PRIVATE = true to opt back in for intranet/self-hosted use. Ref: GHSA-92fr-7h4f-22pp. (5f98cc9f, 40b2d111)
Password reset (security). fpw.php now refuses to process any request when the siteurl preference is unset, and builds the reset link from the pref directly rather than from SITEURL (which could be derived from HTTP_HOST). Ref: GHSA-7pmw-jwvr-cq2x. (04511f9f)
Host header validation (security). The core URL bootstrap now rejects requests whose Host header doesn't match the configured siteurl or the site_hosts config entry, with subdomain support. Misconfigured setups now fail fast with a "Site Configuration Issue" message. (#5458, GHSA-7pmw-jwvr-cq2x, b0dee823, c4f9f71b)
Media Manager permissions (security). Media Manager Preferences and Avatar settings now require Main Admin. Media Category management is restricted to the A2 permission. (#5489)
Userclass defaults (security). Default userclass visibility and edit permissions now default to Main Admin instead of Admin. (#5477)
Admin area theme gate. Non-bootstrap3 admin themes that were known to break the admin area are no longer accepted; the admin falls back to a working theme. (3b7097e0)
Site redirection. www. → bare-domain (and vice versa) handling was refactored out of class2.php into a dedicated method. (#5097)

Fixed

Fatal errors on the admin search page (#5211), the admin-UI with custom method attribute+filter (#5464), the polls form column selector (#5271), and the plugin-repair extended-user-field path (#5483).
Admin user area: avatar rendering (#5146), extended user fields restored after plugin refresh (#5483), unbanned users keeping "not verified" status (e875515d), oversized navigation icons (#5345).
Admin email/mailout: CC recipients added correctly, DKIM identity corrected, recipients no longer persist across multiple sendEmail() calls, core prefs no longer stored on instance, mailout mailer-type restriction that was blocking pref saves. (#5498, #5535, #4123, #5355)
Admin log: query-speed optimization and indexing improvements, duplicate column removed from the rolling log, debug SQL query output. (#5490, #5473)
Admin phpinfo page: responsive layout, dark-on-dark text readability in modern-light theme, refactored rendering for theme compatibility, and sidebar menu added to legacy admin pages. (730245ef, 929f5494, 48b30bc8)
Password reset: Bootstrap 5 fpw template rendering. (#5336)
Avatars: remote file checks (#5146, #5387), missing-avatar fallback (295a5dad), default avatar rendering (81ae03c3), MIME type handling for remote images (#5387), .wav audio (#5390) and video dimension handling (#5396) in the media parser.
Forum plugin: newforumposts_menu page rendering (#5340), shortcodes now use e_HTTP for online.php links (PR #5340), sc_foruminfo now renders the active-users block and the newest-member link (previously hidden by an inverted condition, with the underlying user lookup query commented out) (0e23f651, 54e4b9de).
Ratings: widget renders cleanly for items that have not been rated yet; previously a missing rating row triggered a PHP...

Contributors

Deltik

Assets 12

23 Nov 20:39

e107releasecreator

v2.3.3

29b7e6d

e107 v2.3.3

Features

Add missing setMetaTitle() method to e_admin_response #5112
Change length of newsfeed_image field in db #5108
Add option to alt_auth plugin #5107
Improve system notifications handling in the admin area. #5106
Display current time when settings timezone in admin preferences. #5099
Add option to e_file::getRemoteFile() to prevent time out on larger files or slow connections. #5098
Allow developers to choose which fields to export in e107Export(). #5094
Render favicon in admin area the same way as on frontend #5062
Add option to email any critical error message to an admin #4986
Add {NEWS_MODIFIED} shortcode for modified date #4978
Add FontAwsome 6 support #4969
Add support for PUT or JSON POST to e_file::initCurl() method #4941
Provide more options to resize the rich text editor. (bbarea, Tinymce) #4927
Allow plugins to provide their own routing for notifications. #4922
Allow plugins to use their own email templates when using e107::getEmail()->sendEmail(); #4919
Improved Database SQL Verify page use of space by using 3 columns. #4907
Admin-UI: Allow for entry of Primary ID in create/edit modes if needed. #4906
Enhance e107 to allow for third-party email address validation. #4900
Update plupload #4887
Add eventName to Featurebox like News #4841
Add dedicated Pages/Menus "delete" perms #4827
Allow plugins to create siteLinks in areas other than the main navigation. #4810
Exclude the currently viewed news item for the 'latest news' menu. #4786
Custom SEO title for News and Pages #4783
Add This Week, This Month and This Year to Admin-UI date filtering options. #4778
Allow developers to set the URL that users will be directed to after they log out #4777
Add support for images in plugin-generated sitemaps. #4760

Fixes

Comments without ajax issue #5111
Cron Schedule might not trigger with some timezones set in the preferences. #5096
Admin-UI: Using the label 'True' or 'False' in a select (dropdown) displays incorrect labels. #5093
Plugin Builder - Generated customPage method contains an error. #5092
Errors showing up in error_log when running cron. #5091
Admin-UI: renderValue() of type boolean ignores custom true/false readParm string values when inline editing is not enabled. #5089
activatejavascript.org as found in default header is a broken link #5087
Array order not being retained by x-editable inline dropdown/checkbox list. #5083
PHP 8.1 - Fatal error: Uncaught Error: Undefined constant "USERNAME" in ***\ehandlers\mail.php on line 451 #5080
"Force user to update settings" breaks home page for logged in users on PHP 8 #5052
An Admin with only "Quick Add User" permission can see all users and access inline edit for all #5045
Force user to update settings causes fatal error im PHP 8.2 #5041
sendEmail() may render an 'info' message "Could not access file:" under some circumstances. #5020
Emptying browser cache adds "Empty Thumbnail Cache" to the system logs. #5017
Admin-UI: Setting readonly=true for a field containing an array value, posts 'Array' in the form results. #5016
e107 corrupts form-submitted array values when GET method is used. #5005
Canonical URL is not consistent when parked domains are in use. #4994
Fatal errors - userposts.php - IMODE is not defined #4966
Banner plugin - banner_campaign is saving only first campain #4959
$_GET contains 'configure' key on all pages of admin area. #4945
Flexpanel layout is not working #4940
Cron 'Last-Run' value in admin area is always empty #4933
National characters in title are not converted to sef url correctly. #4925
sendMail() not using latest PHPMailer methods. #4924
data-modal-submit attribute fails when an input tag is used instead of a button tag #4923
Anomoly with some plugins losing their entry from e_url_list after upgrading others. #4917
FAQs - PHP 8 error #4916
Bootstrap-notify won't display alerts in admin area #4915
Wrong HTML markup for date field in advanced search #4904
PHP 8 - Fatal error LAN_PLUGIN_DOWNLOAD_NAME in comment's search #4890

User Contributions

Bump guzzlehttp/guzzle from 7.4.3 to 7.4.4 in /e107_tests by @dependabot #4791
Bump guzzlehttp/guzzle from 7.4.4 to 7.4.5 in /e107_tests by @dependabot #4796
Some corrections by @yesszus #4788
#4844: File Inspector: Do not traverse above the base directory by @Deltik #4845
#4830: Sensible no delete log in admin_log_ui::maintenanceProcess() by @Deltik #4831
Add support for wrappers in contact menu by @Jimmi08 #4850
Fix for #4860 and correct fix for #3983 - correct second authorization by @Jimmi08 #4864
Login flow consistency: Do not use redirect in admin area login box by @Deltik #4865
sef-url for RSS news - category news #4868 by @Jimmi08 #4870
Add support for wrapper in custom menus by @Jimmi08 #4873
Bump twig/twig from 3.4.1 to 3.4.3 in /e107_tests by @dependabot #4877
Fix #4847 - mistypo in route by @Jimmi08 #4882
add wrapper support on fpw page #4883 by @Jimmi08 #4884
Fix for #4895 - wrong message chatbox plugin by @Jimmi08 #4896
#4897 class parameter for CB_AVATAR shortcode by @Jimmi08 #4898
Tests: MDEV-29446 workaround: Ignore COLLATE clause in SHOW CREATE TABLE by @Deltik #4913
Hotfix for tests failing after PHP 8.2 released by @Deltik #4921
missing national character from toAscii() by @Jimmi08 #4926
#4929: Fix type mismatch in usage of e107forum::getForumClassMembers() by @Deltik #4931
#4938: Workaround for PHP 8.2.0 segmentation fault / assertion error by @Deltik #4939
Reintroduce automated acceptance tests by @Deltik #4943
fix for ranks in top.php #4967 by @Jimmi08 #4975
Fix news category breadcrumbs by @RichardBarrell #4982
deprecated static::method() calls for PHP 8.2 by @Jimmi08 #4988
news: Fix category link in both breadcrumb and menu by @Deltik #4984
#4991: Fix improper array access in sc_signup_extended_user_fields by @Deltik #4993
Bump guzzlehttp/psr7 from 2.4.3 to 2.5.0 in /e107_tests by @dependabot #4995
partial fix #4517 - fix for sett...

Contributors

RichardBarrell, Deltik, and 3 other contributors

Assets 11

07 Apr 21:57

CaMer0n

v2.3.2

a6e1c0b

e107 v2.3.2

What's Changed

Handle previously unhandled exceptions with social plugin and Hybridauth by @Deltik in #4643
Bump twig/twig from 3.3.4 to 3.3.8 in /e107_tests by @dependabot in #4691
New API to concatenate an array of HTML attributes by @Deltik in #4688
fix for templating signature bbcodes by @Jimmi08 in #4709
use the same markup (bootstrap) for pagination in forum and topic by @Jimmi08 in #4714
Forum breadcrumbs on topic view with 3 forums #4286 by @Jimmi08 in #4710
fix for not clearing forum cache by @Jimmi08 in #4716
fix for access / check for access to forum type in forum post by @Jimmi08 in #4717
Fix for Forum permissions for creating topics by @Jimmi08 in #4718
Update theme.html by @brwnie in #4632
Fix for Recalculation forum replies in Tools by @Jimmi08 in #4721
#4724 forum - possibility to add forum ID as column by @Jimmi08 in #4729
#4715 correct display of Last Post info by @Jimmi08 in #4723
#4659 forum main admin as silent moderator by @Jimmi08 in #4730
#4712 canonical URLs for paged forum topic by @Jimmi08 in #4733
#3470 login error message is loaded 2x by @Jimmi08 in #4734
#4670 ranks issue for first level by @Jimmi08 in #4735
#4708 load bbcode buttons only if HTML is allowed for user by @Jimmi08 in #4732
#4665 correct user last visit information by @Jimmi08 in #4741
#4245 stay on correct page after editing paginated topic by @Jimmi08 in #4742

Full Changelog: v2.3.1...v2.3.2

Contributors

Deltik, Jimmi08, and 2 other contributors

Assets 2

02 Dec 22:56

Deltik

v2.3.1

e03e077

v2.3.1

Highlights

Support for PHP 5.6 through PHP 8.1 (#4554) – e107 v2 now adds PHP 8.0 and 8.1 support while maintaining support for PHP 5.6.
New Admin Theme Skins – Modern Light and Modern Dark. May now be selected during initial installation of e107.
Collapsible Navigation Panel – Option to reduce left-panel admin area navigation to icons only, for increased screen real-estate where it matters.
Database session handler performance improvement (#4575) – e107 v2.3.0 introduced a non-blocking session handler backed by the database; however, a missing index causes gradually slower performance the more rows there are in the session table. This release fixes that bug by adding the missing index through a database update (migration).
Thumbnail Generator rebuilt to use Intervention library.
WebP image support (#4270) – e107 can now serve WebP images to compatible browsers and convert existing images on-the-fly. Requires PHP 7.0+ with the GD WebP extension installed.
More reliable file uploads – A common complaint with e107 v2.3.0 was rejected file uploads. To fix this, e107 now recognizes files based on their MIME type.
Increased protection against cross-site scripting (XSS) – There is now improved layering of HTML tag rendering to reduce the likelihood of corrupting pages with bad HTML.
Increased protection against cross-site request forgery (CSRF) – Nonces have been added to some forms to prevent external sites from submitting them unbeknown to the authenticated user.
New theming features – Theme developers can now take advantage of Bootstrap 5 and customisable breadcrumbs.
SEO optimizations for Google, Facebook (Open Graph) and Twitter.
New "Hero" plugin for home page carousel management. Supports animated bullet points and buttons. (see e107.org home page for example)
News item Previous/Next navigation shortcode options.
jQuery updated to v3.6.0
FontAwesome updated to v5.14.0

Assets 12

02 Dec 18:56

CaMer0n

v2.3.0

7214b75

v2.3.0

Highlights

Support for PHP 5.6 through PHP 7.4 – e107 v2 now adds PHP 7.4 support while maintaining support for PHP 5.6. Note that PHP 8.0 support is not yet available but will be added in a future release (after #4269).
Support for MySQL 8.0 (#4216) – Database integrity checks no longer persist their warnings on MySQL 8.0. MySQL 5.5 through MySQL 5.7 and MariaDB 10.0 through MariaDB 10.5 remain supported.
New session handler with improved performance (#4113) – Non-blocking session handler backed by the database allows multiple concurrent requests to the e107 site per user session. A site administrator can enable this session handler at Settings » Preferences » Advanced Options » Security & Protection » Session Save Method and setting the value to "Database". New installations will use the database session handler by default.
More social login providers (#3492) – The full list of supported social login providers can be found here.
Code quality improvements – Automated tests are being introduced to reduce the chance of future changes breaking intended behavior.
Many bugfixes – A ton of issues have been fixed both in the frontend and in the Admin-UI. Details about most of them can be found below.