#1 2013-08-14 17:42:33

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,475
Website

FluxBB 1.5.4 and 1.4.11 released

Today marks the release of two new FluxBB versions: v1.5.4 and v1.4.11.

These releases fix another security issue that allowed attackers to redirect forum users from the attacker's site to any URL on the internet via FluxBB's email contact form. This is a problem as the users might be redirected to a dangerous or inappropriate webpage, even though they assume they are visiting a trusted site (the forum).
FluxBB 1.5.4 also brings along fixes for a bunch of smaller issues in the 1.5 branch as well as full PHP 5.5 support - v1.4.11 only fixes the security issue.

Unfortunately, we were not contacted before the vulnerability was published; I still want to thank the Zero Science Lab for the helpful communication after the issue was brought to our attention.

As always, download packages can be found on our download page.
Changed files and patches are available on the upgrade page. Please remember to make a backup of your files as well as the database before upgrading your forum!

A quick note on the status of 2.0: you can expect to see a video of the new admin panel soon!


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#2 2013-08-14 18:40:06

Romanov
Member
Registered: 2010-06-10
Posts: 7

Re: FluxBB 1.5.4 and 1.4.11 released

dBpvXjx.jpgp

P.S. Anyway, good work! xD

Last edited by Romanov (2013-08-16 16:27:58)

Offline

#3 2013-08-14 18:55:26

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,475
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Trust me, you can build fast apps using Laravel framework components. Absolutely no problem. :)



Offline

#4 2013-08-14 19:08:54

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 680
Website

Re: FluxBB 1.5.4 and 1.4.11 released

I don't like the idea of a framework either, but just live with it... As long as FluxBB doesn't get to complicated in use, I'm happy (we all should). Anyway, great to see those updates.

Offline

#5 2013-08-14 19:20:03

123
Member
From: Poland
Registered: 2012-07-24
Posts: 333

Re: FluxBB 1.5.4 and 1.4.11 released

What is light? What is heavy? It's just a word that everyone sees differently. I get very angry at Composer and the inability to launch Alpha FluxBB2 normally under Windows. Links are getting faster (ha hah ha not in Poland), the servers also come FluxBB2 for two years.


Solidarity = compensation for war. Time to pay.
Oh, you disregarded the king's will
and on the night of our meeting, you laughed until you cried

Offline

#6 2013-08-15 21:29:58

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: FluxBB 1.5.4 and 1.4.11 released

Are there any other changes / features included in v1.5.4 or is it just a fix for this one issue?

Offline

#7 2013-08-15 21:33:28

adaur
Developer
From: France
Registered: 2010-01-07
Posts: 839
Website

Re: FluxBB 1.5.4 and 1.4.11 released


FeatherBB - A simple and lightweight new generation forum system
Based on FluxBB, written in PHP, using Slim Framework for a proper OOP-MVC architecture.

Offline

#8 2013-08-16 08:46:10

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 680
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Franz, you made a mistake in the announcement on top of the forum, it still says "FluxBB 1.4.10".

Offline

#9 2013-08-16 20:06:15

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,475
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Fixed, cheers.



Offline

#10 2013-08-16 21:38:03

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 680
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Franz wrote:

Fixed, cheers.

We maybe should try to be an example and update to 1.5.4 too? I know some fixes are already merged with the site, but we are missing some parts, including the version number and those last-minute ticket fixes.

Offline

#11 2013-08-16 21:46:16

Fruggles
Member
From: Canada
Registered: 2013-06-14
Posts: 10

Re: FluxBB 1.5.4 and 1.4.11 released

Great news, thank you for the updates.

Looking forward to v2. Laravel would be great for my needs as I'm pretty sure it will be much easier to integrate fully with a CMS than the current fluxbb.

Offline

#12 2013-08-17 22:19:38

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 680
Website

Re: FluxBB 1.5.4 and 1.4.11 released

I don't know why, but is this (http://fluxbb.org/forums/viewtopic.php?id=6721) caused by the update? You have to scroll down to the part where Franz said "I want to use this opportunity to thank everybody who has contributed to this release:" in his first post. Something's wrong with the parser.

Offline

#13 2013-08-17 23:00:04

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,475
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Oh boy. Seems to be related to what Visman posted. I'll investigate tomorrow, good night!



Offline

#14 2013-08-24 01:03:53

Jack
Member
Registered: 2010-12-24
Posts: 485
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Good news! Happy to see some improvement. Is there any language update?

J

[BIG OFF TOPIC]

Studio384 wrote:

As long as FluxBB doesn't get to complicated in use

Hey Studio, it should be "too" not "to", I'm warning you just because I have seen that it is a recurring mistake, not just a typo. :)
[/BIG OFF TOPIC]

Last edited by Jack (2013-08-24 01:05:45)


Sorry I don't speak English :)
FluxBB Italy

Offline

#15 2013-08-24 06:12:25

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 680
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Yes, you should take a look at install.php.

Offline

#16 2013-08-25 17:43:15

sklerder
Member
From: Brittany
Registered: 2012-11-06
Posts: 117
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Hi all !

Bad news: The revert from "PHP_EOL" to "\r\n" breaks mail headers on my forum:
- PHP 5.3.3
- LAMP
- FluxBB 1.5.4, updated by diff between files

Would I be the only one impacted ?

On my side, I reverted from "\r\n" to "PHP_EOL" to have correct headers in sent mails ...

Offline

#17 2013-08-25 21:45:27

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: FluxBB 1.5.4 and 1.4.11 released

Good thing I haven't updated then :D. Fluxbb.org hasn't even fully updated to 1.5.4 so think I'll wait until they do.

Last edited by Squiggles (2013-08-25 21:51:10)

Offline

#18 2013-09-02 21:22:04

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,475
Website

Re: FluxBB 1.5.4 and 1.4.11 released

sklerder wrote:

Bad news: The revert from "PHP_EOL" to "\r\n" breaks mail headers on my forum:
- PHP 5.3.3
- LAMP
- FluxBB 1.5.4, updated by diff between files

Would I be the only one impacted ?

On my side, I reverted from "\r\n" to "PHP_EOL" to have correct headers in sent mails ...

I don't get it. Can somebody please explain how to handle this correctly for everyone?

EDIT: Actually, @Squiggles: do you use SMTP or mail()?

Last edited by Franz (2013-09-02 21:27:05)



Offline

#19 2013-09-02 22:11:40

sklerder
Member
From: Brittany
Registered: 2012-11-06
Posts: 117
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Hi Franz.

Well, I really don't know how to handle it ...
I posted because I supposed I won't be the only one to have the problem (but I know how to handle it) :)

On my side, I use PHP mail() function, which "gives" the mail to Postfix.
This is on a Linux CentOS 6.3, standard installation.

One solution would be to have the choice :
- PHP_EOL (which should be the good choice in most cases)
- \r\n (typically Windows ?)
- \n
- \r

But I agree it's not the simplest solution, and maybe there's a better way ...

If I'm the only one to meet this problem, it would be interesting for me to know it, and I'll try to find on my side how to solve the problem :)

Offline

#20 2013-09-02 22:16:45

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,475
Website

Re: FluxBB 1.5.4 and 1.4.11 released

The problem is clearly the mail agent (Postfix in your case). The standard says to use \r\n and that's what we do again now. Can you update Postfix or use another agent?



Offline

#21 2013-09-03 17:08:22

sklerder
Member
From: Brittany
Registered: 2012-11-06
Posts: 117
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Hello !

Well, it's not that simple ...
I believe I'm not the only Postfix user ...
Even if it were solved for me, other users, particularly those using Postfix on a "mutualized" server, could encounter this problem :)

With Postfix, up to 2.9 (for what I found here), the line endings are converted by Postfix if the first line ends with "\r\n" (that was my case with original 1.5.4) :

sendmail_fix_line_endings (default: always)

    Controls how the Postfix sendmail command converts email message line endings from <CR><LF> into UNIX format (<LF>).

    always
        Always convert message lines ending in <CR><LF>. This setting is the default with Postfix 2.9 and later.
    strict
        Convert message lines ending in <CR><LF> only if the first input line ends in <CR><LF>. This setting is backwards-compatible with Postfix 2.8 and earlier.
    never
        Never convert message lines ending in <CR><LF>. This setting exists for completeness only.

    This feature is available in Postfix 2.9 and later.

On CentOS, if using the OS's package, the version is 2.6.6, so the problem remains ...


barbuslex did not specify, when reopening the defect, which OS he was using when he encountered the problem, and which was the MTA. This information could be interesting, though ...

I really think that, for the moment, the clean way would be to have an additional admin option (in the E-mail section of admin panel) to set this feature, at least between "PHP_EOL", "\r\n" and "\n", perhaps "\r".
The first being OS-dependent, may vary between systems, that's why the two (or three) others should be available ...

I don't know what would be the good choice on Mac OSX, but it could vary between "\r" (legacy Mac OSX) and "\n" (more recent versions of Mac OSX), but it could change within Mac OSX versions :/

Offline
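The three sendmail_fix_line_endings settings quoted in the post above, modelled in a few lines of Python (an added example, not code from this thread, FluxBB or Postfix). The sample messages are constructed; the "mixed" one assumes the extra headers are joined with "\r\n" while every other line ends in "\n".

```python
CRLF, LF = b"\r\n", b"\n"
MODES = ("always", "strict", "never")

def split_lines(message: bytes) -> list:
    """Split after every LF, keeping each line's terminator."""
    parts = message.split(LF)
    lines = [p + LF for p in parts[:-1]]
    if parts[-1]:
        lines.append(parts[-1])
    return lines

def fix_line_endings(message: bytes, mode: str) -> bytes:
    """Model of the documented settings only (not Postfix source code)."""
    if mode not in MODES:
        raise ValueError("unknown mode: " + mode)
    lines = split_lines(message)
    if mode == "never" or not lines:
        return message
    if mode == "strict" and not lines[0].endswith(CRLF):
        return message  # first input line is not CRLF: nothing is converted
    return b"".join(l[:-2] + LF if l.endswith(CRLF) else l for l in lines)

def build_message(outer_eol: bytes, header_eol: bytes) -> bytes:
    """Constructed sample: extra headers use header_eol, all else outer_eol."""
    extra = header_eol.join([
        b"From: forum@example.org",
        b"MIME-Version: 1.0",
        b"Content-Type: text/plain; charset=utf-8",
    ])
    return (b"To: user@example.org" + outer_eol + b"Subject: Test" + outer_eol
            + extra + outer_eol + outer_eol + b"Hello" + outer_eol)

SAMPLES = {
    "all_crlf": build_message(CRLF, CRLF),
    "all_lf": build_message(LF, LF),
    "mixed": build_message(LF, CRLF),  # assumption: LF first line, CRLF inside
}

def leftover_cr(mode: str, sample: str) -> int:
    """Number of carriage returns still present after the conversion."""
    return fix_line_endings(SAMPLES[sample], mode).count(b"\r")

def survey() -> dict:
    return {(m, s): leftover_cr(m, s) for m in MODES for s in SAMPLES}

if __name__ == "__main__":
    for (mode, sample), count in survey().items():
        print(f"{mode:7} {sample:9} leftover CR: {count}")
```

Only the "mixed" sample behaves differently between "strict" and "always": under "strict" its carriage returns survive because the first input line ends in a bare LF.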

#22 2013-09-03 20:30:31

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,475
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Sigh. Why do standards even exist? ;)

I see your point, though. I'm sure you're not the only one. So, this additional setting would, if enabled, cause us to use PHP_EOL instead of CRLF when using mail(), right?

In fact, can you please create a ticket describing exactly what this setting would do?



Offline

#23 2013-09-03 21:02:38

sklerder
Member
From: Brittany
Registered: 2012-11-06
Posts: 117
Website

Re: FluxBB 1.5.4 and 1.4.11 released

Not so simple.

It seems to me that it should be a manual setting.
I'd set a new var or environment var (ie. $flux_eol or FLUX_EOL), with default value to "PHP_EOL" by a manual choice in the control panel, with other choices between "\r\n", "\n" and eventually "\r".

This value should be used only where we had, before 1.5.4, the PHP_EOL environment value.

The fact of using it is handled automatically by the code, because the case "SMTP vs mail()" is already handled in "email.php", but the administrator should be advised that this new setting has an effect  only when the "SMTP server address" is empty, and that he has to try other values than the standard if mail headers are broken.

It shouldn't be a very big modification :
- A new field in the "config" table
- A new item in the admin panel + code to handle the modification
- A new help string to explain the usage

Maybe I miss something, but this is the idea ...

[Edit]
Oops, modification while I was making my post.

OK, I try to explain that in a ticket ...
[/Edit]

Last edited by sklerder (2013-09-03 21:04:39)

Offline

#24 2013-09-03 21:12:45

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,475
Website

Re: FluxBB 1.5.4 and 1.4.11 released

What about a simple constant instead? Don't really want to add this to the admin panel, and it does seem to be enough of an edge case...



Offline

#25 2013-09-03 21:24:09

sklerder
Member
From: Brittany
Registered: 2012-11-06
Posts: 117
Website

Re: FluxBB 1.5.4 and 1.4.11 released

I'm not sure it's an edge case ;)

Of course, it could be a simple constant. But if it's not a visible setting, chances are that there will be a lot of questions on the different forums (fluxbb.org for sure, but also "localized" forums).

If we make the choice of a simple constant, it should be in the /config.php file, but chances are that it won't be "visible" enough :/

I'm going to try with the constant and make a feedback (not today :)) before creating the ticket ...

Offline
