Announcements

Today we are releasing XenForo 2.3.0 Release Candidate 5. While the majority of this release is focusing on bug fixes and stability, there are a few noteworthy changes. Automatic legacy file clean up XenForo installations after upgrading to XenForo 2.3 will have a number of files sitting in the file system which are no longer used. Any XenForo installation that has been around for a while, will to a lesser extent, have a similar issue. These files on their own shouldn't present any issue, but at the same time, keeping them around doesn't make much sense either. There are three approaches to cleaning up legacy files automatically. During one-click upgrade One-click upgrades now have a special step for removing files that were present...

This week in addition to a bunch of bug fixes, we've also been doing a spot of housekeeping in our code. The following is quite technically heavy so if you're a non-developer, shield your eyes and read the less boring bits. Much wider usage for class strings As a reminder, XenForo 2.3 brings with it support for using native PHP class strings. For example, originally we used "class short names" to point to certain classes. While these were easy to write, it makes refactoring classes difficult, and you need these PHP doc comments to hint to code editors what object is ultimately returned in the code: /** @var \XF\Entity\User $user **/ $user = \XF::em()->create('XF:User'); Our preference going forwards is using class strings: $user =...

Security Fix Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers running XenForo 2.3.0 should upgrade to XenForo 2.3.0 Release Candidate 1, including XenForo Media Gallery 2.3.0 Release Candidate 1 if needed. If you also have active installs of XenForo 2.2 or XenForo 2.1 you should refer to the earlier thread with details and patch. The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit. XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure. We recommend doing a...

Security Fix Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16. If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue. If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release. The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit. XenForo extends thanks to independent security...

XenForo & Add-ons 2.3.0 Release Candidate 1 Released It's finally here, the first of a series of release candidates for the XenForo 2.3.0 stable release. We still have a bit more work to do and other changes and improvements in the pipeline but at this point the most serious bugs have been tackled and we don't expect many more releases before we can declare it is ready for a stable release. We strongly recommend anyone testing 2.3 during this pre-release period upgrade as each pre-release version is released. More specific details regarding bugs fixed in this release can be found in the resolved bugs forum. This is pre-release software. It is not officially supported. We do not recommend running it in production. Please remember...

XenForo 2.2.16 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability. One-click upgrade to XenForo 2.2.16 Directly from your admin control panel If you are a XenForo Cloud customer, your upgrade will be scheduled automatically. Some of the changes in XF 2.2.16 include: Fix some issues with xf-dev:class-use-function to better support classes with class attributes and comments, or existing use function declarations. Fix persistent action indicator when using back/forward navigation Add _deleteFromSource method to support performing tasks right before entity deletion Skip logging IPs when...

As we get ever closer to the fabled "release candidate" stage and the eventual stable release, today we are releasing the eighth beta for XenForo 2.3! Nothing particularly noteworthy this week other than a number of bug fixes. We strongly recommend anyone testing 2.3 during this beta period upgrade as each beta version is released. More specific details regarding bugs fixed in this release can be found in the resolved bugs forum. This is beta software. It is not officially supported. We do not recommend running it in production. Please remember that this is beta software. It contains known bugs and incomplete functionality. We do not recommend running beta software in a production environment, and support is limited at this time to...