• 欢迎 游客 您的光临,下载之前请先阅读 积分规则 。任何技术问题请在论坛提问,本站定制插件、模板主题。售前、售后问题请联系QQ:5916171
    本站自由发布资源可赚取积分及人民币(可提现)(保证资源真实可用,如被举报封号处理。谨慎分布)。
  • 即日起发表主题、回帖、发布&更新资源、创建&回复私信、发布&回复个人动态均需要验证手机号码,其它不受影响。如不便可进群提问。点击链接加入群聊【XenForo讨论社区】:群号1:143277648
XenForo 正式版

程序包 XenForo 正式版 2.1.11

没有下载权限
2.1.10升级时上传全部程序会造成无法升级,如果升级只上传补丁即可。

XenForo 2.1.11,以解决潜在的安全漏洞。我们建议所有运行XenForo 2.1的客户升级到2.1.11或尽快使用附带的补丁文件。(对于运行XenForo 2.0的客户,我们只能建议升级到最新版本。)

问题是登录表单上的跨站点请求伪造(CSRF)。这可能会使攻击者意外地将用户登录到攻击者控制的帐户中。在某些情况下,如果用户在登录不正确的帐户时采取了某些措施,则可能会引起隐私问题。请注意,这不会使攻击者拥有对用户真实帐户的任何访问权限。

我们建议进行完整升级以解决此问题,也可以手动上传补丁。有关更多详细信息,请参见下文。

手动应用补丁

程序在此消息附带的2111patch.zip文件中下载补丁程序。它将包含以下文件:
  1. src/XF/Admin/Controller/Login.php
  2. src/XF/Pub/Controller/Login.php
将zip文件解压缩到您的计算机,然后将内容上传到XenForo安装的根目录。这应该用新版本覆盖服务器上的文件。
Some of the other changes in XF 2.1.10 include:

The following public templates have had changes:
  • _help_page_bb_codes
  • app_body.less
  • bb_code_tag_attach
  • code_editor
  • conversation_list
  • core_datalist.less
  • core_input.less
  • core_menu.less
  • core_overlay.less
  • editor.less
  • editor_base.less
  • editor_dialog_media
  • forum_post_quick_thread
  • forum_post_thread
  • forum_post_thread_chooser
  • forum_view
  • lightbox.less
  • lost_password_confirm
  • PAGE_CONTAINER
  • payment_cancel_recurring_confirm
  • payment_initiate.less
  • quick_reply_macros
  • share_page_macros
  • thread_reply
  • thread_view
  • widget_html
今天,我们将发布XenForo 2.1.9,以解决可能影响任何使用我们的PayPal付款处理程序的客户的潜在安全漏洞。

以及用户升级,这可能会影响您安装的使用我们的PayPal付款处理程序处理付款的加载项。

我们建议所有受影响的运行XenForo 2.1的客户都升级到2.1.9或尽快使用附带的补丁文件之一。

具体而言,该问题与特制的回调(或IPN)有关,然后使用PayPal的沙盒验证终结点而不是其实时系统成功处理该回调。如果成功,则可以在您的PayPal帐户未实际收到任何资金的情况下完成购买。

此版本中没有其他修复程序。在未来几周内将进一步发布2.1维护版本。

应用修复程序:升级

您可以升级到2.1.9来解决此问题。您应该像升级任何其他版本一样进行升级
We have identified an issue in 2.1.8 that may cause certain template modifications in add-ons to not be applied correctly. This issue is discussed in more detail in this bug report. In order to resolve this, we have released XenForo 2.1.8 Patch 2.

我们在2.1.8中发现了一个问题,该问题可能导致加载项中的某些模板修改无法正确应用。此错误报告中将更详细地讨论此问题。为了解决这个问题,我们发布了XenForo 2.1.8 Patch 2。
  • 重建用户缓存时与警告点相关的错误
  • 发送带有用户升级/可购买项的付款收据时出错
Some of the changes in XF 2.1.8 include:
  • Attempt to merge reactions when merging posts
  • Only hydrate autoIncrement relation fields if there is no value in the parent entity. If the field has a value in the parent, an exception is now thrown.
  • Use \ZipArchive::OVERWRITE flag when creating add-on zip to maintain compatibility with newer libzip versions
  • Ensure more consistent sorting is used for class extensions, code event listeners and template modifications.
  • Fix method checking when looking for API methods with versions appended.
  • Use optimal batch sizing when rebuilding templates and phrases.
  • Don't allow moderators to delete / edit warnings they have given if they have no permission to.
  • Update GitHub OAuth implementation to use header authorisation.
  • Handle rebuilding the active warning points in the User rebuild job.
  • Supress warnings when closing file pointer after copying file
  • Ensure a boolean value is returned when checking viewing permissions for conversations.
  • When importing deletion log entries, ensure the username and reason do not exceed the allowed max lengths.
  • Update register navigation item to ensure registration is enabled
  • Add widget data attributes to expanded new thread widget
  • Only fetch member stat results once on the overview page
  • Allow connected account providers to provide additional auth params
  • Only enqueue a reaction score rebuild when a reaction's score has changed, and simply rebuild scores for all reactions
  • Correctly identify Android version in the attachment manager
  • Upgrade jQuery to 3.4.1.
  • Validate parent IDs correctly when inserting tree structured data.
  • Prevent spam cleaner error when deleting a thread started by a spammer which has a redirect thread pointing to it.
  • Add a content template for user reports to improve extensibility.
  • Prioritize quick reply editor when multi-quoted quotes are inserted.
  • Add a minimum width to user change log cells
  • Add account email check to various places before sending mail
  • Offset the select-to-quote tooltip whenever touchevents are supported.
  • When rendering an unfurl do not double escape the proxied version of the URL.
  • Force max length constraint when handling a user ban reason.
  • Re-implement shortening of display text for very long URLs.
  • Log moderator attachment deletions to the moderator log.
  • Display error when trying to add template modification when not in development mode.
  • Workaround an issue with multiple color pickers which could prevent some color pickers from behaving as expected.
  • When previewing, ensure that sticky form submit rows stay stuck to the right place.
  • When importing paid subscriptions from vBulletin ensure user group changes are correctly logged.
  • Add a separate 'following' phrase for members others follow
  • Check preg_last_error() when processing template modifications
  • Improve news feed handler attachment handling
  • Prevent an error related to cache clearing of entity relations with an empty condition.
  • Reverse some changes related to template editing syntax highlighting which may actually break syntax highlighting entirely in some cases.
  • Echo a list of allowed extensions back in the error message given when a file that does not have an allowed extension is uploaded.
  • Include file and line number in exception XML response
  • Throw an error exception when a ban fails to apply
  • Handle failed bans in the warning point change service
  • Ensure that emoji conversions are done as expected for all characters.
  • Prevent a URL parsing error when following an HTTP request redirect to a path that starts with a "/" and contains a ":".
  • Improve styling of responsive data lists, particularly with checkboxes that have headings
  • Allow attachment data manipulation before copying files
  • Implement search source method to determine if a query is empty
  • Do URL canonicalization on the contact page and ensure that we link to misc/contact consistently (no trailing slash).
翻译:
XF2.1.8中的一些更改包括:
合并帖子时尝试合并反应
只有当父实体中没有值时,才有水合物自增关系字段。如果该字段在父字段中有值,则现在将引发异常。
创建加载项zip时使用\ZipArchive::OVERWRITE标志以保持与较新libzip版本的兼容性
确保类扩展、代码事件侦听器和模板修改使用更一致的排序。
修复查找附加版本的API方法时的方法检查。
重建模板和短语时使用最佳批量调整。
如果版主没有权限,则不允许他们删除/编辑发出的警告。
更新GitHub OAuth实现以使用头授权。
处理重建用户重建作业中的活动警告点。
复制文件后关闭文件指针时抑制警告
检查会话的查看权限时,请确保返回布尔值。
导入删除日志项时,请确保用户名和原因不超过允许的最大长度。
更新注册导航项以确保注册已启用
向扩展的新线程小部件添加小部件数据属性
在概览页上只获取一次成员统计结果
允许连接的帐户提供程序提供其他身份验证参数
只有当一个反应的分数发生变化时,才将一个反应的分数重新排成一个队列,然后简单地为所有反应重新建立分数
在附件管理器中正确识别Android版本
将jQuery升级至3.4.1。
插入树结构数据时正确验证父ID。
防止删除由垃圾邮件发送者启动的线程时出现垃圾邮件清除器错误,该垃圾邮件发送者具有指向该线程的重定向线程。
为用户报表添加内容模板以提高可扩展性。
插入多引号时,对快速答复编辑器设置优先级。
为用户更改日志单元格添加最小宽度
在发送邮件之前将帐户电子邮件支票添加到各个位置
只要支持touchevents,就偏移“选择引用”工具提示。
呈现unfurl时,不要对URL的代理版本进行双重转义。
处理用户禁用原因时强制最大长度约束。
为非常长的url重新实现显示文本的缩短。
将版主附件删除到版主日志。
不在开发模式下尝试添加模板修改时显示错误。
解决多个颜色选择器的问题,这可能会阻止某些颜色选择器按预期运行。
预览时,请确保粘滞的表单提交行始终粘滞在正确的位置。
从vBulletin导入付费订阅时,请确保正确记录用户组更改。
为其他成员添加单独的“following”短语
处理模板修改时检查preg_last_error()
改进新闻提要处理程序附件处理
防止与缓存清除具有空条件的实体关系相关的错误。
反转一些与模板编辑语法突出显示相关的更改,这些更改在某些情况下可能会完全中断语法突出显示。
在上载不具有允许扩展名的文件时,在给定的错误消息中回显允许扩展名的列表。
在异常XML响应中包含文件和行号
当禁令无法应用时引发错误异常
处理警告在更改服务中失败的禁令
确保所有字符的emoji转换都按预期完成。
当跟踪HTTP请求重定向到以“/”开头并包含“:”的路径时,防止出现URL解析错误。
改进响应数据列表的样式,特别是带有标题的复选框
在复制文件之前允许附件数据操作
实现搜索源方法以确定查询是否为空
在联系人页面上执行URL规范化,并确保始终链接到misc/contact(没有尾随
Some of the changes in XF 2.1.7 include:
  • Ensure that some jobs do not attempt to complete or otherwise change state inside a transaction.
  • Ensure correct URL is used in the bookmark label filter when friendly URLs are not enabled.
  • Display correct username styling when viewing users linked to an IP.
  • In alerts and the news feed, ensure the "your post" link in the reaction item is clickable.
  • Ensure Gravatar rebuild job respects the options sent to it.
  • Prevent users from deleting their own accounts
  • Check for guest posts in post reaction items
  • Ensure login button when viewing a forum as a guest wraps properly.
  • Only try to hide the global action indicator if it's actually present.
  • Do not redirect back to the login page after a connected account request
  • Properly check for tag container inside tagger
  • Do not escape outbound email test subject phrase
  • Correctly handle add-ons created with incorrect casing when the namespace already exists.
  • Add additional wording to make it clear that the rejection reason will be shown to users awaiting approval.
  • Remove hard-coded height from payment inputs
  • Add missing phrase for 'could_not_find_subscriber_id_for_this_purchase_request'
  • Display PHP's memory_limit within server environment report.
  • Force choice builder to use temporary variable with set tags
  • Remove Google+ URL from the Google connected account template.
  • Allow disabling pointer events for nested tooltips
  • Remove unused parameter when fetching reaction phrase
  • Update promotion history interface for clarity
  • Fix post copier attachment regex

The following public templates have had changes:
  • account_bookmarks_popup
  • account_visitor_menu
  • captcha_recaptcha
  • connected_account_associated_linkedin
  • core_contentrow.less
  • editor_dialog_code
  • lightbox_macros
  • reaction_item_post
  • structured_list.less
  • thread_view
XF 2.1.5中的一些更改包括:


以下公共模板已更改:

  • Approval_item_user
  • bb_code.less
  • 无核
  • core_fa.less
  • core_utilities.less
  • helper_js_global
  • help_page
  • 登录
  • member_shared_ips_list
  • report_view
  • setup_fa.less
后退
顶部 底部