XenForo 2.3 Released Full Nulled By XnForo.Ir

Releases XenForo 2.3 Released Full Nulled By XnForo.Ir 2.3.7

This week in addition to a bunch of bug fixes, we've also been doing a spot of housekeeping in our code. The following is quite technically heavy so if you're a non-developer, shield your eyes and read the less boring bits.

Much wider usage for class strings

As a reminder, XenForo 2.3 brings with it support for using native PHP class strings. For example, originally we used "class short names" to point to certain classes. While these were easy to write, they make refactoring classes difficult, and you need PHP doc comments like the one below to hint to code editors what object is ultimately returned in the code:

PHP:
/** @var \XF\Entity\User $user **/
$user = \XF::em()->create('XF:User');

Our preference going forwards is using class strings:

PHP:
$user = \XF::em()->create(\XF\Entity\User::class);

Because PHP natively understands these special strings, the issues with type hinting are no more, and doing things like renames of classes or moving classes becomes a much more trivial exercise.

Throughout the core XF code now, starting with RC3, we have replaced the majority of these legacy class short names with native class strings.
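
As an added example (not XenForo's own code), here is a small PHP codemod that rewrites the legacy entity short-name calls shown above into class strings. It assumes the mapping implied by the pair above ('XF:User' becomes \XF\Entity\User) and only touches em()->create(...) calls; Vendor\AddOn:Thing and the sample source are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Map an entity short name to a fully qualified class name.
 * Assumed rule, taken from the pair shown above:
 *   "<prefix>:<name>"  ->  "<prefix>\Entity\<name>"
 * Returns null when the input is not a short name (no colon).
 */
function entityShortNameToClass(string $shortName): ?string
{
    if (!preg_match('/^([A-Za-z_][\w\\\\]*):([A-Za-z_][\w\\\\]*)$/', $shortName, $m)) {
        return null;
    }
    return $m[1] . '\\Entity\\' . $m[2];
}

/**
 * Rewrite em()->create('Prefix:Name') into em()->create(\Prefix\Entity\Name::class).
 * Calls that already pass a class string are left untouched.
 */
function rewriteEntityCalls(string $source): string
{
    // Group 1: the call up to the opening quote; group 2: the quote; group 3: the short name.
    $pattern = '/(\bem\(\)\s*->\s*create\s*\(\s*)([\'"])([\w\\\\]+:[\w\\\\]+)\2/';

    $result = preg_replace_callback($pattern, function (array $m): string {
        $class = entityShortNameToClass($m[3]);
        // Leave the original text in place if the name does not parse.
        return $class === null ? $m[0] : $m[1] . '\\' . $class . '::class';
    }, $source);

    // preg_replace_callback returns null on a regex engine error; keep the input then.
    return $result ?? $source;
}

// Constructed sample source: one core entity, one hypothetical add-on entity,
// and one call that already uses a class string.
$sample = <<<'SRC'
$user  = \XF::em()->create('XF:User');
$thing = \XF::em()->create("Vendor\AddOn:Thing");
$same  = \XF::em()->create(\XF\Entity\User::class);
SRC;

echo rewriteEntityCalls($sample), "\n";
```

Once a call has been rewritten, the `@var` doc comment that accompanied the short-name form is no longer needed for type hinting and can be removed by hand.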

Security Fix

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers running XenForo 2.3.0 should upgrade to XenForo 2.3.0 Release Candidate 1, including XenForo Media Gallery 2.3.0 Release Candidate 1 if needed.

If you also have active installs of XenForo 2.2 or XenForo 2.1, you should refer to the earlier thread with details and a patch.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

Shortly after the release of Release Candidate 1, we identified an issue related to editing node-like permissions. A very minor bug was surfaced by the changes today. Specifically, one of our view class names was using a "\" instead of a ":".

Due to a localised shortage of version numbers (we cannot increment the version to a patch release for release candidates) we have released Release Candidate 2 to address this.

The specific files with changes are:
  • src/XF/Admin/Controller/Node.php
  • src/XF/Admin/Controller/Permission.php

As we get ever closer to the fabled "release candidate" stage and the eventual stable release, today we are releasing the eighth beta for XenForo 2.3! Nothing particularly noteworthy this week other than a number of bug fixes.

We strongly recommend anyone testing 2.3 during this beta period upgrade as each beta version is released. Thanks @wikislo