To address a backwards compatibility issue with some add-ons, we are today releasing XenForo 2.3.0 Release Candidate 4. If you are running Release Candidate 3 already we encourage you to upgrade as soon as possible. If you were previously affected by issues with certain add-ons or experience other issues, please let us know via a bug report in the first instance.
This release also fixes the issue with admin search returning an error.
This week in addition to a bunch of bug fixes, we've also been doing a spot of housekeeping in our code. The following is quite technically heavy so if you're a non-developer, shield your eyes and read the less boring bits.
Much wider usage for class strings
As a reminder, XenForo 2.3 brings with it support for using native PHP class strings. Originally we used "class short names" to point to certain classes. While these were easy to write, they make refactoring classes difficult, and you need PHP doc comments like the following to hint to code editors what object is ultimately returned:
PHP:
/** @var \XF\Entity\User $user */
$user = \XF::em()->create('XF:User');
Our preference going forwards is using class strings:
PHP:
$user = \XF::em()->create(\XF\Entity\User::class);
Because PHP natively understands these special strings, the issues with type hinting are no more, and renaming or moving classes becomes a much simpler exercise.
Throughout the core XF code, starting with RC3, we have replaced the majority of these legacy class short names with native class strings.
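The following is an added example, not XenForo's own code, that models the two lookup styles contrasted above. The EntityManager class, its prefix map and the stub XF\Entity\User entity are assumptions made so the snippet runs on its own; the real \XF::em() API is not reproduced. The last case mirrors the failure mode mentioned later in this post, a backslash used where a colon was intended, and shows why such a mistake should fail loudly at the lookup rather than surface somewhere else.

```php
<?php
// Added example (not XenForo code): legacy "Prefix:Name" short names versus
// native ::class strings, using a stand-in entity manager.

namespace XF\Entity {
    // Stub entity so the example runs stand-alone (assumed, not the real class).
    class User {}
}

namespace Demo {
    final class EntityManager
    {
        // Assumed mapping of add-on prefix => entity namespace.
        private $prefixes = ['XF' => 'XF\\Entity'];

        /**
         * Resolve a legacy short name such as "XF:User" to "XF\Entity\User".
         * Anything that does not match "Prefix:Name" is rejected outright.
         */
        public function resolveShortName(string $shortName): string
        {
            if (!preg_match('/^([A-Za-z0-9_]+):([A-Za-z0-9_]+)$/', $shortName, $m)) {
                throw new \InvalidArgumentException("Malformed short class name: {$shortName}");
            }
            [, $prefix, $name] = $m;
            if (!isset($this->prefixes[$prefix])) {
                throw new \InvalidArgumentException("Unknown add-on prefix: {$prefix}");
            }
            return $this->prefixes[$prefix] . '\\' . $name;
        }

        /** Create an entity from either a short name or a native class string. */
        public function create(string $identifier): object
        {
            // Short names carry a colon; everything else is taken as a native class string.
            $class = strpos($identifier, ':') !== false
                ? $this->resolveShortName($identifier)
                : $identifier;

            if (!class_exists($class)) {
                throw new \RuntimeException("Entity class does not exist: {$class}");
            }
            return new $class();
        }
    }

    $em = new EntityManager();

    // Legacy style: the returned type is opaque to the editor without a @var hint.
    /** @var \XF\Entity\User $user */
    $user = $em->create('XF:User');
    echo get_class($user), PHP_EOL;

    // Native class string: ::class is resolved by the PHP compiler, so a rename
    // or move of the class is picked up by every reference in one refactoring pass.
    $user = $em->create(\XF\Entity\User::class);
    echo get_class($user), PHP_EOL;

    // A "\" where a ":" was intended no longer looks like a short name, so it is
    // treated as a class string, found not to exist, and rejected at the lookup.
    try {
        $em->create('XF\\User');
    } catch (\RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

The point of the strict regular expression in resolveShortName is that a malformed identifier is an error at the point of use, not a string that is quietly passed through to class_exists or to an autoloader.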
Security Fix
Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers running XenForo 2.3.0 should upgrade to XenForo 2.3.0 Release Candidate 1, including XenForo Media Gallery 2.3.0 Release Candidate 1 if needed.
If you also have active installs of XenForo 2.2 or XenForo 2.1 you should refer to the earlier thread with details and patch.
The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.
Shortly after the release of Release Candidate 1, we identified an issue related to editing node-like permissions. A very minor bug was surfaced by the changes today. Specifically, one of our view class names was using a \ instead of a :.
Due to a localised shortage of version numbers (we cannot increment the version to a patch release for release candidates), we have released Release Candidate 2 to address this.
The specific files with changes are:
- src/XF/Admin/Controller/Node.php
- src/XF/Admin/Controller/Permission.php