FluxBB 1.5.9 released

Franz · 2015-11-09 10:52:45

Today marks the release of version 1.5.9 of the FluxBB forum software.

Due to two security-relevant bug fixes, this release only contains bug fixes. Improvements that were originally planned to be released with this version, like SQLite3 support and a responsive design, will be delayed to a soon-to-be-released v1.5.10.

Security fixes

This release fixes two security issues: The first one allowed attackers to trick moderators into e.g. locking or stickying other topics without noticing. The second change prevents sophisticated timing attacks targeted at e.g. password hashes.

More bugfixes

Other changes in this release include several fixes of regressions introduced in the last release, fixes related to the handling of several esoteric HTTP headers, and a fix for a quote bug that broke the forum layout. Finally, if you want to embed your forum in another web page, the relevant HTTP header is now configurable.

Updating

Please update your forums as soon as possible.

As always, download packages can be found on our download page.
Changed files and patches are available on the upgrade page. Please remember to make a backup of your files as well as the database before upgrading your forum!

Thank you to everyone involved in this release, from vulnerability reports to bug fixes.

Flarum progress

In case you haven't followed its progress, Flarum is progressing nicely and is currently moving through regular beta releases. Go check it out on Flarum.org.

hcgtv · 2015-11-09 11:29:33

Thanks Franz, I updated the PHP Cross reference.

GWR · 2015-11-10 09:30:47

Thanks. Upgraded successfully (with some manual patching aid for failed ones).

During "Update" I got an error /notice about an unset array index (access to a not defined index of an array) but this was only visible on my localhost, on "live" I got an empty page without text but a "collapsed" div-box (php notices not shown on live-variant).
Redirect worked, and updated forum too (of course - as there are no db-updates except version string).

Maybe reason was a "not updated" German translation (did not check how the translation and "defaults" are done in fluxbb)

bye
Ron

Last edited by GWR (2015-11-10 09:35:17)

Franz · 2015-11-10 09:42:26

GWR wrote:

Maybe reason was a "not updated" German translation (did not check how the translation and "defaults" are done in fluxbb)

Ah yes, thanks for the heads-up. Three language files changed a little bit - the one for the upgrade script was one of them. You can see the differences on GitHub.

GWR · 2015-11-10 10:50:24

Just checked the way the localization is used: it strictly relies on the underlaying locale-files.

So if the corresponding "lang"-file is not up-to-date, it might lead to the "undefined index"-notices/warnings/errors (not sure what type it was).

I thought this happens:

a)
- english is loaded in
- user-language is "mixed" into (overriding the original values).

b)
- user-language is used, but if a key is not set, the "key" is used as resulting string

a) could be using a cache system
b) adds a bit of a "function wrapper"-performance-penalty (could be neglected I think).

bye
Ron

Franz · 2015-11-10 10:52:22

Yeah, it made me think about that. If anything, I'd say falling back to English would be preferred (unless people remove the English language pack).

Visman · 2015-11-10 10:59:03

@Franz, https://fluxbb.org/development/core/tic … ckt9z54944 where csrf token?

Studio384 · 2015-11-10 13:09:10

Franz wrote:

Yeah, it made me think about that. If anything, I'd say falling back to English would be preferred (unless people remove the English language pack).

The only way to work around that is to put the full strings in the FluxBB source and translate that, instead of using shorter variations of these texts to refer to their full-sized version in the language files, so that when there isn't a translation, it justs shows what was already in the source.

chris98 · 2015-11-10 17:11:50

That seems like a very bad system. There must be a better way than adding them into the source.

Studio384 · 2015-11-10 18:06:22

chris98 wrote:

That seems like a very bad system. There must be a better way than adding them into the source.

Except there isn't and it is the way most others do it, including WordPress. Any other way is to put them in a separate file and then there is no guaranty that users won't remove them for other languages, thus no fallback.

Askelon · 2015-11-10 23:34:46

chris98 wrote:

That seems like a very bad system. There must be a better way than adding them into the source.

Can't see a better way, actually.

printf( translate( 'Topics by %s' ), $username );

$translation = array( 'Topics by %s' => 'Discussions de %s' );
function translate( $string ) {
    return isset( $translation[ $string ] ) ? $translation[ $string ] : $string;
}

GWR · 2015-11-11 06:42:49

To create "translation files" on then greps all the "translate(*)" from the php-sources and extracts it into an "english.php" (ready for translation into other languages).

Similar to the whole PO-Translation-process in other languages.

negative:
- you only have one single localization-file instead of many small files.
- you need to take care of more words to be written similar to the "code used"-phrases (now: 3-4 words, then: more words :-))
- localization wrapper

positive:
- no need for "english"-localization to get loaded when executing the scripts
- fallback possible in all cases

If you intend to outsource the localization you might do as I already suggested:
- keep the current "abbreviations"

- load cached mix-lang if existing
a) if not existing
- load "english" if existing
- mix in "your lang"
- cache mix-lang
b) ... nothing more to do

bye
Ron

Franz · 2015-11-11 10:59:55

Studio384 wrote:

chris98 wrote:
That seems like a very bad system. There must be a better way than adding them into the source.
Except there isn't and it is the way most others do it, including WordPress.

Well, we could just make sure the English language pack can not be removed (e.g. by storing it in another location then "language packs"). But that would then require an option in the admin panel to "disable" the English language pack for users.

Alternative: Falling back to keys.

cFg · 2015-12-26 18:47:13

You can add the and system PM in next version ?
I want to help with ideas for new versions

because I like the system and is very easy to use !

adaur · 2015-12-26 20:07:43

Nope, it's one of the unfeatures: https://fluxbb.org/docs/unfeatures

You can always use a modification: https://fluxbb.org/resources/mods/anoth … ng-system/

Gary · 2015-12-27 06:12:20

cFg wrote:

You can add the and system PM in next version ?
I want to help with ideas for new versions

because I like the system and is very easy to use !

It's great to see you are willing to help us with ideas for new versions; it's something we want all FluxBB users to do! As adaur mentioned there are quite a few "normal features" that the developers have purposely left out which ensures the software sticks to its roots of being a lighter and faster alternative to many other feature-heavy forums. That doesn't mean it isn't as powerful of course.

The modifications that adaur has also linked to can provide users with all those things they expect a forum to have so you're not really losing out anywhere.

cFg · 2015-12-27 10:12:57

I think I'm the only one in Romania that uses fluxbb ...

I cannot help financially but I can do commercials

You can add and the T/C to topic , in the same version with PM-ul

Because I want to open a forum with fluxbb.

Gary · 2015-12-27 10:31:09

I hope there are other people in Romania using it!

Have you got your hosting service sorted in order to open up a new FluxBB forum by any chance?

cFg · 2015-12-27 14:58:27

I open a forum , but it's free
on future a her I open a forum.

When will appear version 1.6.0
I gave some ideas

-----------New ideas+old ideas-------------
-------------------------------------------
1 . You can add the and system PM in next version ?
2 . You can add and the T/C to topic , in the same version with PM-ul ?
3 . Button to move topic (move)
4 . add more Notes administrative
5 . warning system , three warnings = three months ban automat
6 . solve bug-ul from suspension :
6A. no I can give disconnect , should be able ...

I hope that Franz one to look and take a decision

Last edited by cFg (2015-12-27 14:59:21)

Gary · 2015-12-27 15:40:51

At the moment we cannot give a timeframe as to when the next version will be available, but it will be announced when it's ready.

It's good to hear you have your new forum up and running. Congratulations.

1. adaur has already explained that there is a modification available to enable private messages. Check out Another Private Messaging - Topic System by adaur and New Private Messaging System by Visman.
2. I don't understand this one.
3. Topics can be moved by users that have the permission to do so. You will notice this once you create and log into your new FluxBB installation.
4. I assume you're talking about having a notes area on the 'Administration' page?
5. You can ban people for specific amounts of time and have the ban expire on a certain date. As far as incorporating a warning system into the core of FluxBB, I doubt it will happen. Some modifications are currently available called the Warning Mod by adaur and Auto Warnings by Koos.
6. I don't understand this one either.
6A. Same as above.

Would you mind elaborating on points 2, 6 and 6A for me?

cFg · 2015-12-27 15:52:12

Gary wrote:

Would you mind elaborating on points 2, 6 and 6A for me?

No, I did one suspension and I could not to me disconnect ...

And thanks for informed!

Gary · 2015-12-27 16:17:47

I still don't quite understand what you are trying to explain.

No problem at all.

Studio384 · 2015-12-27 22:46:56

cFg wrote:

Gary wrote:
Would you mind elaborating on points 2, 6 and 6A for me?
No, I did one suspension and I could not to me disconnect ...
And thanks for informed!

You're indeed not that clear about what you are trying to say. It's hard to understand the way you write it.

------

As of FluxBB 1.6, we really can't give a timeframe for that indeed. Keeping in mind how this went with past FluxBB releases, between the first beta and first stable release of 1.4, there was a one-year gap. And that was AFTER most development had been done. FluxBB 1.6 is still in early stages and up until today, not much has been done on it (or at least, not in public). I am, though, happy to say that today, I've worked (and published pull requests for) the following tickets:

Honnest though, these are more minor changes. But hey, it's progress nonetheless. I'm also looking into other minor changes now...

artoodetoo · 2016-01-05 18:21:48

Franz wrote:

prevents sophisticated timing attacks

Do you really think that the difference is measurable?!
It is not synthetic test. It is single short strings comparison on the background of
- web access,
- tons of other code and
- database queries.
Are you serious?

Wait a minute, if you are so "purist", why you don't notice terrible DBAL code for years? Yes it is not exploit but it's really ugly and highly unprofessional.

Last edited by artoodetoo (2016-01-05 18:23:34)

Franz · 2016-01-05 21:06:25

artoodetoo wrote:

Do you really think that the difference is measurable?!

Yes, it is.

artoodetoo wrote:

Wait a minute, if you are so "purist", why you don't notice terrible DBAL code for years? Yes it is not exploit but it's really ugly and highly unprofessional.

Oh, am I?

I am the last one to claim that FluxBB's code is "professional" in terms of OO coding practices etc. I happen to have quite some improvements prepared for things like this on my machine, though.

Forums

#1 2015-11-09 10:52:45