Headline
CVE-2021-40604: 4.6.2
A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via the phar protocol when generating class names dynamically. In some cases exploitation is possible by an unauthenticated user.
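The bug class named above is a class name built from request data that reaches a stream-wrapper-aware function. As an added illustration of the defensive pattern (not IPS Community Suite code; `ClassResolver`, its namespace allow-list and the sample inputs are hypothetical, and PHP 8 is assumed), the resolver below refuses anything that is not a well-formed, allow-listed class name before any filesystem call is made:

```php
<?php
// Added example for the bug class in CVE-2021-40604; hypothetical code, not from IPS.
// The point: validate a dynamically generated class name as an *identifier* first,
// because file_exists()/is_file()/include honour stream wrappers (phar://, http://).

final class ClassResolver
{
    // Constructed allow-list: only these namespace prefixes may come from request data.
    private const ALLOWED_PREFIXES = ['App\\Handlers\\', 'App\\Widgets\\'];

    public function __construct(private readonly string $rootDir) {}

    /**
     * Validate an untrusted class name. Returns it unchanged when it is a syntactically
     * valid, allow-listed class name, or null when it must be refused.
     */
    public function sanitizeClassName(string $untrusted): ?string
    {
        // A PHP class name consists only of identifier characters separated by
        // backslashes. Characters such as ':', '/', '.' or NUL can never occur in
        // one, so a stream-wrapper prefix or a traversal sequence fails here.
        $identifier = '[A-Za-z_][A-Za-z0-9_]*';
        if (!preg_match('/\A' . $identifier . '(\\\\' . $identifier . ')*\z/', $untrusted)) {
            return null;
        }
        foreach (self::ALLOWED_PREFIXES as $prefix) {
            if (str_starts_with($untrusted, $prefix)) {
                return $untrusted;
            }
        }
        return null; // well-formed identifier, but outside the allow-list
    }

    /**
     * Map a validated class name to a file under $rootDir and confirm it exists there.
     * Validation runs first so that file_exists() only ever sees a plain relative path.
     */
    public function locate(string $untrusted): ?string
    {
        $class = $this->sanitizeClassName($untrusted);
        if ($class === null) {
            return null;
        }
        $path = $this->rootDir . '/' . str_replace('\\', '/', $class) . '.php';
        $real = realpath($path);
        $root = realpath($this->rootDir);
        // Keep the resolved file inside the project root even after symlinks.
        if ($real === false || $root === false || !str_starts_with($real, $root . '/')) {
            return null;
        }
        return $real;
    }
}

// Self-check on constructed inputs; the rejected cases never touch the filesystem.
$resolver = new ClassResolver(__DIR__);
$cases = [
    'App\\Handlers\\Profile'   => true,  // well-formed and allow-listed
    'phar://example.phar/x'     => false, // stream wrapper: refused before any I/O
    'http://example.test/'      => false, // would be an SSRF: refused before any I/O
    '../../etc/passwd'          => false, // traversal: refused
    'Vendor\\Other\\Thing'      => false, // valid identifier, not allow-listed
];
foreach ($cases as $input => $expectedAccepted) {
    $accepted = $resolver->sanitizeClassName($input) !== null;
    printf("%-28s %s\n", $input, $accepted === $expectedAccepted ? 'ok' : 'MISMATCH');
}
```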
IPS Community Suite 4.6.2
Released 06/25/2021
This is a security release and we recommend all clients upgrade as soon as possible.
Key Changes
This new release brings many new features to Invision Community.
Additional Information
Security
- Added a new Referrer-Policy setting to allow the admin to control whether a Referrer-Policy header of strict-origin-when-cross-origin is explicitly used.
- Added recommendation through an AdminCP notification to disable display name logins to mitigate username enumeration + brute force attack attempts.
- Improved handling of areas that may allow username or email address enumeration.
- Improved image upload handling to strip sensitive EXIF data.
- Fixed an issue where NULL byte sequences in uploaded filenames could be erroneously allowed.
- Fixed an SQL error that could be triggered by manipulating certain requests.
- Fixed an issue where moderators could potentially execute arbitrary PHP code if the Pages application is installed.
- Fixed certain scenarios where the CSRF token could be captured by external parties.
- Fixed an SSRF when generating class names dynamically. *
- Fixed an issue where stream RSS keys could be easily predictable in certain cases.
Core
- Fixed an issue where guests logging in may be inadvertently redirected to a page displaying javascript source code.
- Added logging to Member History when adding or removing a member from a club.
- Fixed an issue where some communities may see an old test bulletin when upgrading.
- Removed the ability to set poll vote counts directly.
- Fixed theme conflicting checking potentially throwing an error before upgrading on PHP 8.
- Fixed an issue where using the browser’s back button would not reload profile content.
- Fixed a niche issue where some widgets may show an error after deleting a member group.
- Fixed an issue where clearing site caches on the Health Dashboard requires working Javascript.
- Fixed an issue where the ACP-Support tools would show an error after Ticket Submission even if the ticket was submitted successfully.
- Fixed an issue where the Achievement notification settings in the ACP and Frontend would be shown on systems where achievements were disabled globally.
- Fixed an issue where a loading icon would appear in the top left of profile views due to unnecessary URL requests being made.
- Fixed an issue where a single image page builder widget did not honour the max-height setting.
- Fixed an issue where the system would import achievement rules for not installed applications.
- Fixed an issue involving a missing language string under the Storage Settings area in the AdminCP for badges.
- Fixed an issue where a mobile menu template error may show if sub items are not links.
- Fixed an issue where Admins were unable to view Club content when rules are required to be accepted.
- Fixed an issue with outgoing SendGrid emails.
- Fixed an issue where sending a request with the If-Modified-Since header set to an invalid timestamp causes an uncaught error.
- Fixed an issue with a mis-spelling of “achievement” in the achievement rebuild area in the AdminCP.
- Fixed an issue that caused legacy upgrades to error-out under certain circumstances when using PHP 8.
- Fixed an issue where the active users widget may show the wrong information.
- Fixed issues encountered when upgrading from a legacy version of IP.Board.
- Fixed broken ACP Permission checks for the badges page.
- Fixed an issue where webhook requests would be fired twice under certain circumstances.
- Changed the Download for a Language to open as a modal when showing additional settings.
- Fixed an issue where a member would see a 404 error when loading a comment that they didn’t have access to.
- Fixed Third Party plugins not being included in the list of third party hooks in the Support Dashboard.
- Added support for web push notifications.
- Implemented a new AdminCP support Health Dashboard in place of the support tool.
- Improved uploader UI across the suite.
- Added support for Emoji 13.0 emojis.
- Added support for WebShare API.
- Added an option to disable relative dates.
- Improved security of AdminCP member list.
- Improved security of attachments for guests.
- Improved performance of attachment lookups in the editor.
- Improved performance of the Followed Content activity stream.
- Improved performance of handling custom meta tags.
- Improved randomization of randomly sorted content feed widgets.
- Improved performance of session handling.
- Improved upgrade error messages.
- Added a simple offline page, displayed when users have no internet connection.
- Improved performance of Emoji menu in the editor.
- Added support for PHP 8.
- Added support for uploaded webp images (if the server’s image handling software supports webp).
- Added incoming and outgoing email addresses to the new installation onboarding wizard.
- Added additional options for handling media enclosures in imported RSS feeds.
- Added support for anonymous posting.
- Added a block to user profiles to show the number of solutions the member has submitted, and a page to view all solutions.
- Added ability to search by email address when looking for members in the Moderator CP for moderators with permission to view email addresses.
- Added a new notification when content is approved.
- Added new option for \IPS\OUTPUT_CACHE_METHOD to disable output caching, but still send cache headers.
- Added support for s-maxage, stale-if-error, stale-while-revalidate cache-control directives.
- Added a link to re-enable a disabled messenger on mobile.
- Added pruning of IP addresses for stored ratings based on the AdminCP IP address pruning configuration.
- Added some AdminCP search keywords.
- Added ability to pay renewal invoices in the AdminCP Marketplace.
- Added native lazy loading attribute for user profile images and reactions.
- Added canonical tag for Leaderboard > Past Leaders page.
- Added a missing language string for the administrators permissions.
- Separated “Reaction” and “My Stuff” notification preferences so that reaction notifications can be controlled separately.
- Improved page performance metrics by adding font-display style to FontAwesome and preloading woff2 font file.
- Reintroduced the ability to automatically embed Facebook and Instagram links in posts.
- Changed AdminCP sessions to be valid for up to 1 hour by default.
- Changed most multi-select form inputs in the AdminCP to checkbox sets.
- Changed IP banning to not be run for guests.
- Changed warning point verbiage to use numeric pluralization to better support non-English languages.
- Changed how the widget manager sends its data, resolving an error when too many widgets are placed on the page.
- Changed file storage configuration manager to prevent Community In The Cloud clients from selecting filesystem storage handlers.
- Changed the email in the profile hovercard into a mailto link.
- Improved 304 response caching by removing the database connection.
- Improved pluralized verbiage for automatic moderation.
- Implemented caching for “Active Users” and “Who’s Online” blocks.
- Implemented a minor performance improvement when fetching groups.
- Improved performance of staff directory page by removing unnecessary queries.
- Improved performance of the ModeratorCP where hidden posts are listed.
- Improved performance of multi-moderation actions.
- Improved performance of sending emails to multiple recipients when there are promote items to be included.
- Improved inline quoting to account for text copied from code blocks.
- Updated WordPress login handler to use new Miniorange OAuth server endpoints.
- Moved the “Tags” text color theme setting to the “Front End Colors” tab.
- Adjusted guest posts that require approval to not show the post pending approval.
- Adjusted caching headers for guests in some areas.
- Improved reliability of address autocomplete.
- Improved WordPress OAuth for WordPress servers that do not allow the authorization HTTP header.
- Improved speed of re-indexing some content items after moderation.
- Improved performance of marking something as read in some cases.
- Improved soft deleting comments/reviews to remove code duplication.
- Improved rich embedding to support embedding of short links provided by the TikTok app (vm.tiktok.com links).
- Improved the appearance of the Notification Settings screen.
- Clarified the purpose of the Date field when configuring an Activity Stream block.
- Fixed a long-standing issue where pagination would not show on tables after AJAX requests where the page did not contain pagination when first loaded.
- Fixed an issue where “Post Before Registering” and word filters set to hold content for moderator approval did not work together.
- Fixed “Unlimited” not working for “Maximum image dimensions to save” setting.
- Fixed an issue where the wrong author may be notified when a comment or review is embedded.
- Fixed an issue when manually specifying dimensions for images in posts.
- Fixed an issue where items to be moderated are not reflected in the interface when moving to other pages.
- Fixed a potential javascript error when a broken video is posted.
- Fixed unhiding topics from edit screen.
- Fixed bad admin logs when managing group administrators and moderators in the AdminCP.
- Fixed an issue where pruning members or mass moving members to a new group can result in an old cached group count still displaying in the AdminCP.
- Fixed exact word filters requiring moderator approval resulting in the word being stripped from the title instead of triggering moderator approval.
- Fixed posting a status update taking a long time if the user has a lot of followers.
- Fixed Authy setup on Firefox.
- Fixed web manifest not working when the site is in offline mode.
- Fixed an issue where the “Can login anonymously” group setting may not apply as expected when a user belongs to more than one group.
- Fixed incorrect timezone detection for users in Argentina.
- Fixed an issue where certain custom profile fields would not be formatted when exporting the member list from the AdminCP.
- Fixed some UI issues with right-to-left languages.
- Fixed an issue where moving a read content item to a new container results in it becoming unread.
- Fixed pressing ctrl/cmd+enter multiple times causing duplicate posts.
- Fixed image dialog in editor not showing correctly on iOS.
- Fixed an issue where profanity filters set to hold content for moderator approval may apply against the previous content instead of the new content when editing a content item.
- Fixed an issue with specific CKEditor plugins for Community In The Cloud clients.
- Fixed orphaned files being left over when deleting custom fields throughout the Suite.
- Fixed orphaned files being left over in some cases when uninstalling applications.
- Fixed a performance issue viewing “Unread Content” activity streams in some configurations.
- Fixed an issue handling dates associated with ratings for content.
- Fixed images pasted into editor sometimes being inserted in wrong location.
- Fixed an RTL display issue with the caret arrow connecting an editor with a profile photo.
- Fixed an RTL display issue with the attachment box in posts.
- Fixed an issue where pasting links in Microsoft Edge may not allow them to embed.
- Fixed an issue where the link to disable your messenger was not displaying.
- Fixed opacity of button after repositioning cover image.
- Fixed a minor issue where Community in the Cloud clients could see a countdown timer that says "You may continue in 0:010 seconds".
- Fixed the untranslatable enabled/disabled string in the moderator history for comment approval enabled/disabled log entries.
- Fixed the “Preview” button in an editor potentially causing attachments to be associated with the wrong post.
- Fixed an issue where the UTF-8 converter “Fix collations” process may get stuck if it times out on a large table.
- Fixed an issue where the DeleteImageProxyFiles task would never finish or not update its progress appropriately.
- Fixed some invalid CSS syntax.
- Fixed an issue with the deletecontent task that can cause the task to lock when run via cron.
- Fixed an issue moving Icons & Logos to a new storage handler when one or more of the images is broken.
- Fixed certain activity statistics showing inaccurate previous period values.
- Fixed an issue where users may be able to bypass image restrictions in signatures.
- Fixed a bug where exact profanity filters were treated as case sensitive.
- Fixed an issue where status update pagination may not work correctly.
- Fixed an issue where URLs in editor fields may be corrupted when exporting member lists.
- Fixed an issue where attachments may inadvertently force a post into moderation when Link Moderation is enabled.
- Fixed an issue where Plugins & Languages may not show an update is available.
- Fixed an issue where updating plugins will leave deleted or renamed javascript files behind.
- Fixed an issue where the core_output_cache table size could get very large.
- Fixed a bug with pagination links when viewing a member’s list of ignored members.
- Fixed a bug where the member list export process may show a percentage complete greater than 100.
- Fixed an issue where unbroken words can break email layouts.
- Fixed an issue where customized email templates do not inherit template parameter changes during upgrade.
- Fixed an error upgrading third party applications on Community In The Cloud accounts in some cases.
- Fixed an issue where it was not possible to login through OAuth if the OAuth server had guest access disabled.
- Fixed an issue where numeric fields could be incorrectly treated as incomplete during profile completion.
- Fixed an issue where too many cookies could be set when using custom profile fields with editors in them.
- Fixed an issue where the email failure AdminCP notification may mistakenly be sent even when other emails are sending correctly.
- Fixed an issue where creating a ban filter would break with IN_DEV being enabled.
- Fixed an issue where the login form may not redirect the user to their original location in some situations.
- Fixed an error that can occur when a Marketplace login expires.
- Fixed a bug where RSS imports may create a broken image depending upon the “Maximum image dimensions to save” configuration.
- Fixed a bug where the fontsize template plugin may return an invalid value when certain language packs are used.
- Fixed an error with the REST API reference page when a referenced application is not installed.
- Fixed a potential issue that can occur when the Sitemap generator runs via cron.
- Fixed a javascript error that can occur in the AdminCP when using custom analytics tracking codes.
- Fixed an issue where item counts could be unreadable in the moderator control panel IP tools on small displays.
- Fixed an issue where the layout for the move dialog could be broken with long container names.
- Fixed an issue where the move members task could stop working when the target group doesn’t exist.
- Fixed moderator permission checks in report center.
- Fixed an issue with structured data throughout the Suite for users with automatically generated letter photos.
- Fixed an error viewing reports that had comments.
- Fixed a display issue that can occur when a spoiler is found inside a quote.
- Fixed a bug where comments from ignored users may display incorrectly when added to a comment stream from an inline notification (i.e. “View new post” within a topic you are viewing).
- Fixed editing code blocks inside certain other elements (such as spoilers) adding extra line breaks.
- Fixed club cover photos becoming orphaned when the club is deleted.
- Fixed member cover photos becoming orphaned when the member is deleted.
- Fixed an issue where it was not possible to report content items unless the member group was set to be able to report all content types.
- Fixed an issue where meta descriptions could have quotes stripped.
- Fixed an issue dismissing upgrade notifications if the page has not finished loading yet.
- Fixed an issue that can occur if a license check fails.
- Fixed an issue where sub-nodes would not load on a chart’s custom form.
- Fixed an issue where comments may be added to a comment feed (such as posts within a topic) more than once when clicking the link to show new replies.
- Fixed a bug where code syntax highlighting in a post may incorrectly highlight code in a language other than the chosen one.
- Fixed the Warning Action form throwing an error while IN_DEV.
- Fixed an issue where some status update functionality may still show if the status module is disabled.
- Fixed streams showing read content when they should only show unread content on occasion.
- Fixed streams allowing “all” to be specified for date range when using MySQL search, which is restricted to the last 365 days.
- Fixed automatic linking of URLs in posts not working after emptying browser storage.
- Fixed an issue where the moderator control panel could throw an error if status update reports were present.
- Fixed share link not being auto-selected for easy copying when the dialog to share a comment is opened.
- Fixed a link that can cause the page title to be removed resulting in the current URL displaying as the page title in the browser.
- Fixed a javascript error that can occur upon selecting a Pixabay image from the “Choose stock photo” selector.
- Fixed an issue where the ‘Expand’ link on collapsed quotes could appear twice when a comment is added to the page.
- Fixed an issue where icons overlap on blocks in the Admin CP statistics areas.
- Fixed an issue where quotes split in the editor with a double-enter keystroke would not retain quote data or notify original author correctly.
- Fixed an issue when logging in with LinkedIn.
- Fixed certain hidden content such as empty widgets not always being hidden.
- Fixed an issue where the Tag autocomplete field in certain situations (e.g. Gallery submission screen) would have a misplaced results dropdown.
- Fixed an issue where search result snippets may not have shown the relevant text containing the matched search term.
- Fixed an issue where quoting a user whose username has a leading zero would cause the zero to be dropped when the quote is displayed.
- Fixed an issue where spacing around embedded images in an email may not accurately reflect how it appeared in the editor.
- Fixed an issue where the AdminCP upgrader would not update the versions of disabled applications.
- Fixed an issue where Mapbox maps could show both a clustered group of markers and single items in the same view.
- Fixed a bug where viewing streams with custom parameters to adjust the filters will not display the correct results when clicking the “Load More” button.
- Fixed an error when attempting to force a password reset for a member with no current password.
- Fixed an issue displaying the current notification preferences overview when MySQL read/write separation is used.
- Fixed an issue when viewing/updating legacy 3.x applications via Marketplace.
- Fixed report center comments not having the image proxy stripped when upgrading from previous versions.
- Fixed Google Adsense code being stripped from posts even if submitted with HTML posting allowed.
- Fixed an error when disabling languages in some circumstances.
- Fixed guests not able to report content if using Keycaptcha.
- Fixed attachments in translatable fields.
- Fixed an issue with lazy loading in certain situations and certain locales.
- Fixed an issue with the mobile navigation menu where parent items with unique links would not show as clickable sub-items.
- Fixed “Stop all email notifications” not disabling digests.
- Optimized the staff directory to reduce page loading times.
- Fixed some broken AdminCP live search results on CiC.
- Fixed the background color of ACP Drop Areas and the color of treelist links for the AdminCP dark theme.
- Fixed an issue where radio form element descriptions may be misaligned.
- Fixed an issue with an error message not showing the folder name when plugin installation fails.
- Fixed an issue where some external links did not open in a new window despite the relevant setting being enabled.
- Fixed an invalid Open Graph type tag being specified.
- Fixed a missing confirmation when deleting content via the moderator approval queue.
- Fixed an issue where status update notification text could be inaccurate.
- Fixed certain options available for custom streams not working as expected.
- Fixed a false positive report that images raise security exceptions in some cases.
- Fixed the “•••” button in the author response being always displayed, even if the logged in member can’t edit or delete the response.
- Fixed Search Activity Statistics resulting in an error due to a MySQL issue in some cases.
- Fixed content pagination not populating correctly in some applications with restricted moderators.
- Fixed a bug where resizing a window could result in a horizontal scrollbar when an upload widget exists on the page.
- Fixed a DB error that occurred when somebody tried to post too much data to a textarea field.
- Fixed an issue where Safari may reload each page after the user logs out.
- Fixed messenger link still displaying on profiles on mobile devices if the user does not have permission to access the messenger module.
- Fixed an issue where the number short format wouldn’t work after a language import.
- Fixed an issue where club custom fields would show autosave values for different clubs.
- Fixed an uncaught exception when following a malformed “follow” URL.
- Fixed inline moderator actions in content items showing the wrong moderator name in some circumstances.
- Fixed an issue where referral cookies may not be set when guests view a page served from the cache.
- Fixed an issue where referrals from deleted members could cause an error.
- Fixed an issue where member exports can contain html for profile fields.
- Fixed chunk uploading when using Amazon S3 with some S3-compatible providers.
- Fixed broken 3rd party ACP permissions on CiC.
- Fixed a typo when flagging a member as a spammer.
- Fixed an issue where editor contents may be lost or incorrect when paginating through a topic and using the editor on different pages.
- Fixed an issue where font-awesome <i> tags submitted in source mode are stripped by CKEditor.
- Fixed an issue where AdminCP theme resources may continuously be written to disk.
- Fixed statistical charts not working in some locales.
- Fixed sitemaps not generating properly.
- Upgraded CKEditor to 4.16.
- Optimized Redis when storing data and sessions.
- Removed the mobile “hamburger” menu on mobile pages, which was inadvertently added on 4.5.
- Removed unnecessary Pragma header where used.
- Removed HTML5 shiv in AdminCP.
- Removed view options for guests in clubs.
- Removed support for Twitch embeds as Twitch has removed their oembed endpoint with no plans to introduce a new one.
- Removed notification sounds.
- Removed orphaned ‘Activity/Content Discovery’ module.
- Fixed incorrect css variable names affecting .ipsMenu children.
- Fixed the background color of selected text in ACP Code Editors while using dark mode.
- Fixed the caret color in ACP Code Editors while using dark mode.
- Fixed various minor issues with the AdminCP Marketplace.
- Changed the color css variable on #elRegisterButton so it uses the correct variable.
- Removed an excess closing anchor tag from the coppa template file.
- Fixed an issue where the width of the layout would stretch, caused by long strings of content.
- Removed support for Memcache, APC, XCache, WinCache. Use Redis instead.
- Made the 404/403 error pages more friendly.
- Added a new Spam Defense option to allow registration but require moderator approval of all new posts.
- Added an option to the profanity word filters to hold for moderation when a member has less than a set number of posts.
- Fixed an issue where Member Sync onEmailChange may be called before validation when changing email via validating screen.
- Fixed importing members from CSV to Date custom fields not importing properly.
- Fixed an issue where font-sizes on mobiles weren’t following the Font Scale setting.
- Fixed an issue where tags associated with hidden content were included when generating statistics.
- Fixed an issue with the Easy Mode theme editor in Safari which caused the “Select” tool to return incorrect styles.
- Fixed a separate issue with the Easy Mode theme editor where a JS error could be thrown due to a race condition.
- Fixed an issue where review ratings are not recalculated properly when a review is deleted.
- Fixed a potential redirect loop when re-accepting Terms of Service and / or Privacy Policy changes.
- Fixed an issue where content was missing the proper share logo.
- Fixed an issue where post attachments sometimes used different styles within a list. Attachments in a list will always use a smaller ‘inline’ style now.
- Worked around a bug in MySQL when viewing statistics in the AdminCP.
- Fixed some HTML validation errors.
- Fixed an issue where uninstalling an application wouldn’t delete the associated rss feed import data.
- Fixed an issue where changing table filters could cause the table to be stuck in loading state due to an underlying error.
- Fixed an issue where a cached Widget returned the wrong timezone based time.
- Fixed an issue where banned members could see that there are announcements, but could not read the announcement.
- Fixed an issue where poll choices were cleared when the poll question title was empty on Edit Topic submit.
- Advert impression counters are incremented via Redis to reduce MySQL write queries where Redis is available.
- Fixed an issue where some SMTP servers may fail to generate valid DKIM hashes.
- Removed browser caching for “upgrade in progress” page.
- Fixed an issue where the Privacy Page does not redirect to an external link.
- Fixed an issue where an anonymous online status didn’t persist across logins when using button log in methods.
Forums
- Fixed an issue where language strings instead of the final parsed strings were used for Webhook Requests.
- Fixed an issue where the member’s “solved count” would not show in QA forums.
- Fixed a bug that caused the wrong database table to be indexed when loading the number of archived posts made by a given user.
- Implemented notifications to the topic author when a question or topic is marked as solved.
- Implemented notifications to the poster when their post is marked as the solution to a topic or the best reply to a question.
- Implemented maximum dimensions of 800px x 800px for forum grid images to allow the software to reduce the size of extremely large images.
- Changed “popular posts” in the topic statistics area to make each displayed post a link to the post.
- Changed “posted images” in the topic statistics area to link attached images to the post they were attached to.
- Changed the unarchiving task to process quicker.
- Changed digest emails to honor the email truncation option.
- Changed the “Unsolved” option for topic feed widgets to restrict results to Question and Answer forums or forums with “Mark as solved” enabled.
- Added option to display inline moderation actions in between posts (if enabled) without the moderator name to non-moderators.
- Added per-group option to hide inline moderation actions shown in between posts.
- Added statistic block to show “Percentage of topics solved” to compare topics posted vs those marked solved within question and answer forums, or forums that allow a solution to be marked.
- Added statistic block to show “Average time to solved” for question and answer forums, or forums that allow a solution to be marked.
- Added the missing ‘features’ color field to forums categories.
- Added lazy load support to preview images in Topic Summary sidebar.
- Added lazy load support to forums when in grid view.
- Added support for the expanded topic view display within the fluid topic listing interface.
- Fixed an issue changing time periods when viewing new topic and post statistic charts.
- Fixed issues setting and unsetting best answers on topics.
- Fixed “solved” interface elements displaying for topics within forums where the ability to mark topic solutions has been disabled.
- Fixed an issue where viewing a topic when the last post is hidden does not mark the topic as read.
- Fixed reaction count showing incorrectly when viewing whole topic’s reactions (i.e. from expanded view).
- Fixed a bad id attribute in the post template.
- Optimized queries when all forums do not use a password.
- Improved performance of topic embeds.
- Improved performance of very large topics.
- Improved performance of the Forum Statistics widget on large forums.
- Improved performance of topic statistics.
- Improved performance of expanded forum view for large forums.
- Added the ability to show when specific group(s) have replied to a topic when viewing a list of topics.
- Added filters to the topic list view to quickly isolate hidden topics and topics with hidden posts.
- Fixed an issue where the border-radius was incorrectly 0px in Q&A Forums.
- Improved results for “Popular Questions This Month” tab for Q&A Forums.
- Fixed an issue where club forums wouldn’t show in Fluid View if only one root category exists.
- Fixed an issue where topic feeds could show cached read/unread status.
- Fixed an issue where Grid Card Images could show lost links.
- Fixed an issue where Youtube Shorts URLs would not embed.
- Fixed the position of the queued content badge in fluid view, which was overlapping the topic stats.
- Fixed an issue where topics marked manually for unarchiving would not be processed.
REST / OAuth
- Fixed OAuth login if guests cannot access site.
- Fixed creating a content item by the REST API not triggering a webhook.
- Fixed Zapier’s API calls showing in logs without a name for the key.
- Fixed some duplicated error codes.
Pages
- Fixed an issue where the page builder widgets did not have the correct data attributes when used in a Pages page.
- Fixed an issue that may occur during upgrade when Database file storage is used.
- Added a data-pageName parameter for the body tag with the page path (folder/name) for better CSS targeting.
- Changed two column page builder pages to use vertical widget layouts.
- Changed category filters in databases to not require CSRF keys in order to apply filtering.
- Improved AdminCP logging of certain actions.
- .well-known can now be used as a folder name for Apple Pay verification in Commerce.
- Fixed an error that can occur after a database is deleted if there are pending review or comment deletions for the database.
- Fixed an error when creating a new block after the “Custom” block category has been deleted.
- Fixed orphaned files being left over when deleting fields, records and databases in the AdminCP.
- Fixed an error that could occur when saving templates for similar blocks with the same template name.
- Fixed an issue where deleting a page may delete all pages within an unrelated subfolder.
- Fixed an issue where hiding a comment on a database with forum syncing via multi-moderation triggered a page not found error.
- Fixed an error attempting to use the advanced search for a Pages database in the AdminCP.
- Fixed unclear AdminCP logs when performing actions such as copying, editing or deleting a database.
- Fixed an issue where record authors couldn’t respond to reviews.
- Fixed a PHP notice for certain reciprocal database link fields.
- Fixed orphaned review records being left behind when a database is deleted.
- Fixed an issue where automatically-generated topics did not trigger notifications for followers of the forum.
- Fixed an issue where “Publish Date” may not show correctly in record feed sort options.
- Fixed an issue where deleting a database which was used as reciprocal field in another database would result in error.
- Fixed an issue where importing RSS feeds to Pages could set the wrong author.
- Fixed an issue where article images would float outside of their content box if the article only contained a few lines of text.
- Fixed an issue with attachments not properly associating with comments on a record and not being deleted if the comment is deleted when syncing comments with the forums.
- Fixed an issue where copying blocks could result in lost attachments or languages strings.
- Fixed an issue where HTML logic of a page may be stored in the search index.
- Fixed an issue where inline editing an item field wouldn’t update the reciprocal map.
- Fixed an issue with the REST API where a GET request to records with a category parameter would result in a DB error.
- Fixed an issue where it’s possible to create two Folders with the same name, causing conflicts.
- Fixed an issue where the API can delete a forum even if a database posts topics to that forum.
- Fixed an issue where deleting a database wouldn’t delete the associated rss feed import data.
- Fixed a niche issue where it was possible for a record name to show on the online list when the viewer does not have permission to view it.
Commerce
- Fixed an error occurring when checking out as a guest after following a referral link.
- Fixed an issue where a refund may not automatically happen if a payment is made via PayPal Subscriptions and refused by a fraud rule.
- Fixed an issue where refunding/cancelling an invoice with a referral commission would not revoke the commission.
- Fixed an issue where the AdminCP invoice view may not show all of the commissions on the invoice.
- Fixed an error during checkout due to renewals when performing stock checks.
- Added a confirmation pop-up when mass approving account withdrawals.
- Added an option to limit Withdrawal requests to one per currency at any time.
- Added a missing language string for the review widgets.
- Renewal invoice warning emails will now show tax included, if applicable.
- Improved email normalization for MaxMind fraud detection.
- Subscriptions Grace Period setting will now allow a value of 0.
- Fixed Commerce generating incomplete accounts when the “Ask to provide a display name?” setting is off.
- Fixed an issue where you may be able to purchase more than the number of items in stock.
- Fixed race-condition potentially causing duplicate purchase records or transactions.
- Fixed interactions on invoice table when viewing a purchase in AdminCP.
- Fixed error trying to access a customer’s support request history from the sidebar when viewing a support request.
- Fixed error trying to approve a transaction from a Stripe dispute page.
- Fixed some countries not showing in Markets statistics page.
- Fixed an error attempting to delete support replies in the AdminCP.
- Fixed error reporting when checking out with Stripe on a free trial with incorrect card details.
- Fixed billing name not being passed to Stripe when paying with card.
- Fixed an error when running PHP 7.4 and adding items with certain configurations to the cart.
- Fixed an issue with certain email notifications generated by Commerce resulting in errors or potentially incorrectly formatted amounts.
- Fixed an issue where editing a purchase’s grace period would enable renewals on the purchase even if there are none specified.
- Fixed an issue where guest location tracking via cookie did not work correctly.
- Fixed an issue where replying to a support request and returning to the list of requests does not mark the request as read.
- Fixed an issue where customers could not reactivate subscriptions where an existing subscription was cancelled but allowed the customer to reactivate.
- Fixed an issue where checking out with an item without a renewal charge could in some circumstances cause an error.
- Fixed some missing friendly URLs on various pages of Commerce.
- Fixed an issue where disabled subscriptions couldn’t be canceled.
- Fixed an issue where renewal terms were not presented on the front end in the order they are specified in the AdminCP.
- Fixed an issue where support tabs in the AdminCP would not wrap and could cause the page to stretch.
- Fixed an error when running PHP 7.4 when creating new support streams in the AdminCP.
- Fixed an issue where if a customer cancels a PayPal billing agreement immediately after the initial payment before the webhook for that payment is received, the payment becomes associated with a blank invoice.
- Fixed an issue where a user may be prompted to provide card details when purchasing a free trial, even if the product being purchased is restricted to non-card payment methods.
- Fixed an issue with Member Filters when members were filtered by subscriptions and purchases.
- Fixed an issue where copying a donation goal would not copy the donation goal description.
- Fixed an issue where copying a support department would not copy the support department submission screen text.
- Fixed an issue where copying a support severity would not copy the support severity description.
- Fixed an issue where deleting a support status would not remove the custom language strings in the database.
- Fixed an issue where copying or deleting a shipping rate did not copy or delete the delivery estimate text.
- Fixed an issue where copying or deleting a product filter did not copy or delete the public name.
- Fixed an issue where copying or deleting a product did not copy or delete various translatable fields, such as the client area page content and email notification subjects.
- Fixed an issue where canceling an ad purchase would result in an error.
- Fixed an issue where users may not see the correct page after checkout if email validation is in use.
- Fixed an IN_DEV error editing Pages templates that was thrown for applications without any Pages Templates.
- Fixed an error that can occur in some situations when allowing upgrading purchases between renewals pro-rata.
- Fixed an issue where Stripe webhook events may fail in some circumstances.
- Fixed an issue where API requests may cause an error if referencing transactions from deleted members.
- Fixed an issue where merging members could leave members as alternative contacts for themselves.
- Fixed an issue where the first step may be skipped during checkout even if custom fields are required.
Gallery
- Added ability to remove category and album cover photos.
- Adjusted default Gallery bandwidth retention period from unlimited to 1 year.
- Improved performance of certain areas of Gallery.
- Improved performance of the Gallery Statistics widget on large galleries.
- Fixed not being able to upload to Gallery if albums are required, and the member had previously created an album, but the member can no longer create new albums.
- Fixed not being able to toggle “Enable maps by default” on in the Gallery settings.
- Fixed multiquoting comments.
- Fixed an issue where maximum allowed file sizes for images or movies may not be applied as expected in certain configurations.
- Fixed a CSRF error when mass-managing Gallery category content (moving to another category or deleting).
- Fixed an issue toggling maps enabled for images in certain cases.
- Fixed albums not being hidden when a user is flagged as a spammer.
- Fixed an issue with the submission progress bar for some locales.
Downloads
- Added an option to require a change log to be submitted with new version updates.
- Added the ability for files to be re-activated after renewals are cancelled.
- Added statistics pertaining to the most downloaded files.
- Changed the “Upload a new version” process to also verify the user can add to the category, in addition to being able to edit the file.
- Fixed an issue where downloading small files can fail.
- Fixed several issues handling watermarks and original non-watermarked screenshots.
- Fixed an issue where group limitations on maximum file submission size may not apply correctly when a member belongs to more than one group.
- Fixed an issue with submit buttons showing for club Downloads categories that a user does not have permission to submit to.
- Fixed an issue in the logic that determines whether a renewal invoice should be generated.
- Fixed an issue where downloads digest emails can contain broken thumbnails.
- Fixed an issue where rejected pending versions could leave screenshots and thumbnails orphaned on disk.
- Fixed an issue where a large number of submitted files queued as pending could cause an error.
- Fixed the hardcoded “Change how the notification is sent” text in the notification blurb.
- Fixed an issue where the API can delete a forum even if a downloads category posts topics to that forum.
- Removed the non-working search options from the custom fields edit form.
Blogs
- Added ability to manage entry categories for group blogs when viewing the blog on the front end.
- Fixed a bug where flagging a user as a spammer will disable all group blogs the user has access to submit entries to.
- Fixed pagination when showing blog entries in a particular category.
- Fixed an issue where creating a blog in the frontend would show the previously created blog’s description.
- Fixed entry cover photos becoming orphaned when the entry is deleted.
- Fixed some breadcrumb links not using friendly URLs.
- Fixed some broken language phrases when Forums and Pages are not installed.
- Fixed an issue where some members couldn’t report specific blog entries.
- Fixed an issue where the AdminCP livesearch results link to categories instead of blogs.
- Removed view options for guests in blogs.
- Removed Aggregate rating from JSON-LD structured data.
- Added a warning message when deleting a blog that this action will permanently delete the blog and all its entries.
Calendar
- Fixed an issue where the cover photo may be deleted when duplicating an event.
- Fixed an error when editing iCalendar feed imports in the AdminCP.
- Fixed a bug where recurring events in upcoming event widgets may display the wrong date.
- Fixed a bug where events may show on the daily view in calendar on days the event does not occur.
- Fixed event cover photos becoming orphaned when the event is deleted.
- Fixed a minor bug where ranged events crossing from one week into another may not be visually represented as doing so.
- Fixed a bug where iCalendar feeds that are imported into Calendar may cause previously viewed events to show as unread.
- Fixed events occurring on the same day not ordering properly in the Upcoming Events widget.
REST / OAuth
- Fixed creating a content item by the REST API not triggering a webhook.
- Fixed creating a topic in a category (i.e. a container which cannot have topics posted to it) not reporting an error.
Converter
- Added support for wpForo 1.9.x.
- Added support for converting Markdown formatted posts in Vanilla.
- Improved converters to skip invalid child applications that do not exist.
- Improved performance of the Vanilla converter.
- Fixed an issue where large filenames could cause a logging error.
- Fixed an issue where pre-configured CMS Category permissions may not be correct.
- Fixed custom fields not converting properly from WordPress.
- Fixed an issue where acronyms may not convert from Invision Community.
- Fixed a niche issue where a temporary database column may be missing.
- Fixed an issue converting checkbox set custom fields in some cases.
- Fixed an issue where legacy SMF attachments may not be converted.
- Fixed an issue converting some types of SMF profile photos.
- Fixed an issue where emoticons in content may not get converted properly.
- Fixed an issue where a conversion from IPS forums would fail.
- Fixed an issue where long topic titles in 3rd party applications could cause forum conversions to fail.
- Fixed some issues when converting from Vanilla when files were previously stored in S3.
- Fixed a niche issue where really old vBulletin avatars may not be converted.
Changes affecting third-party developers and designers
- Upgraded Whoops to version 2.9.1.
- Added support for web push notifications. To support these kinds of notifications, you will need to add parse_mobile_* methods in your Notification extensions.
- Added a $count parameter to \IPS\Content::definiteArticle/_definiteArticle(). If an integer is passed, a pluralized phrase will be used, if available. You should add pluralized strings for any _defart* strings you’ve already created. The key should be in the format _defart*_plural.
- Added constant ACP_SESSION_TIMEOUT to allow administrators to control how long AdminCP sessions are valid for.
- Added a per-application setting to hide the application on the announcement creation form (this setting’s use may be expanded in the future).
- Added theme settings to control header height (desktop & mobile sizes), which are used in the existing CSS variables.
- Added version to the filename of exported apps/plugins/themes/languages.
- Added \IPS\DateTime::roundedDiff() and \IPS\DateTime::roundedDiffFromSeconds() to return a human-readable rounded diff of two datetime objects, or a diff based on a supplied number of seconds, respectively.
- Added a new ‘enforceMaxLimit’ option for \IPS\Form\Helper\Password elements to bypass the max 72 character limit.
- Added an option to set orderResults to FALSE for \IPS\Helpers\Form\Item instances to return results in the order the user specified.
- Added a new javascript utility method to adjust external links to force them to open in a new window: ips.utils.links.updateExternalLinks. This is called automatically on the contentChange event, but may also be called manually in situations where the contentChange event is not fired.
- Improved the extensibility of Cache/DataStore methods.
- Updated some uses of border-radius to use existing CSS variables.
- Changed template groups and locations to be case-sensitive, which fixes an issue enabling designers mode on a server using a case-sensitive file system.
- Changed the logic that controls how pagination is shown in templates. The data-role="tablePagination" element should now always exist in the table DOM; it will be shown/hidden dynamically if pagination is required after AJAX requests.
- Fixed an error that can occur when dev sync runs if you are not logged in and the application has a whatsnew.json file in its latest version folder.
- Fixed broken progress bar when enabling designers mode.
- Fixed numeric values passed to the REST API /core/members/{id} endpoint not always adjusting the property, and sometimes causing an SQL error.
- Fixed the “Upcoming Events” widget not showing when developer mode is enabled.
- Fixed an issue using the hide option for contentAction when deleting a member via the REST API.
- Fixed eq() pseudo-selector no longer being supported in theme hooks.
- Fixed required() pseudo-selector not working in theme hooks.
- Fixed \IPS\Content\Statistics not working for applications that use a database column prefix.
- Fixed theme hooks on Forums > index > forumGridItem not working as expected.
- Fixed a missing redirect when hiding comments using multi-moderation on classes that do not define a $hideLogKey property.
- Fixed the constructor for \IPS\nexus\DomainLookup not honoring the $performWhoisLookup parameter.
- Fixed some inconsistent HTML with building the quick search menu options.
- Fixed an error that can occur when sessions are cleared.
- Fixed a bug where a notification flash instance without an image passed (i.e. a notification with no author) results in a broken image.
- Fixed an issue where it was not possible to use form headers in widget configuration forms.
- Fixed installing plugins generating an invalid widgets.json file.
- Fixed an error deleting Pages templates in the AdminCP when developer mode is enabled.
- Fixed issues adding/editing database indexes for applications.
- Fixed an issue where you could not hook into \IPS\Redis.
- Fixed an undefined index notice parsing valid ICS feeds with no events in them.
- Fixed an inaccurate Redis log entry indicating read server used instead of write server.
- Abstracted code in \IPS\core\modules\admin\members\members::export() to make it easier to apply hooks to member list exports.
- Removed ability to reorder queries for upgrader in the developer center. Developers should manually reorder the JSON file if necessary.
- Removed the onOtherAppUninstall() method from application Uninstall extensions in favor of onOtherUninstall().
- Removed several deprecated methods and properties throughout the Suite and verified core code no longer references those methods and properties.
- Enforced the $type parameter for \IPS\Email::buildFromContent() and \IPS\Email::buildFromTemplate() with an error if the type is not specified.
- The markRead() method will no longer consider an updated column if last_comment or last_review is defined.
- A number of caching improvements have been implemented; make sure your pages send no-cache headers if you do not want them cached.
- Non-AJAX requests that retain a CSRF token in the URL and return a 200 response code will now trigger a development error recommending that the request be redirected or the CSRF token otherwise removed. Leaving a CSRF token in the URL while generating a page can represent a security risk if remote images (for example) are embedded on the page, as the CSRF token could be intercepted by the remote party.
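As an added illustration of the check described above (example code, not part of the Suite and not the implementation of its development error), the following PHP shows the condition that makes a URL-borne CSRF token exposable (a normal page load, token in the query string, page rendered with a 200 instead of being redirected away) and the redirect-after-action pattern that removes it. The parameter name `csrfKey`, the function names and the sample requests are all assumptions constructed for the example; adapt them to your own application.

```php
<?php
// Added example, not IPS Community Suite code. Demonstrates (1) flagging a
// rendered page whose URL still carries a CSRF token and (2) redirecting to a
// token-free URL after the state-changing action completes.

const CSRF_PARAM = 'csrfKey';   // assumed query parameter name for the token

/**
 * True when a response would expose the token: the request is a plain page
 * load (not AJAX), the token sits in the query string, and the page is
 * rendered (HTTP 200) rather than redirected elsewhere. Any remote resource
 * embedded in such a page may receive the full URL from the browser.
 */
function leaksCsrfToken(string $url, int $status, bool $isAjax): bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);
    return !$isAjax && $status === 200 && isset($params[CSRF_PARAM]);
}

/** Rebuilds the URL without the CSRF token so the handler can redirect to it. */
function stripCsrfToken(string $url): string
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $params);
    unset($params[CSRF_PARAM]);
    $clean = ($parts['scheme'] ?? 'https') . '://' . ($parts['host'] ?? '')
           . ($parts['path'] ?? '/');
    if ($params) {
        $clean .= '?' . http_build_query($params);
    }
    return $clean;
}

/**
 * Handler pattern for a token-protected action (hypothetical name): verify the
 * token, perform the change, then answer with a redirect to a clean URL so the
 * token never appears in the URL of a rendered page.
 */
function handleDeleteAction(string $requestUrl, string $submittedToken, string $sessionToken): array
{
    if (!hash_equals($sessionToken, $submittedToken)) {
        return ['status' => 403, 'body' => 'Invalid CSRF token'];
    }
    // ... perform the state change here ...
    return ['status' => 303, 'location' => stripCsrfToken($requestUrl)];
}

// Constructed sample requests: [url, response status, is AJAX]
$samples = [
    ['https://forum.example/index.php?app=core&module=x&do=delete&id=7&csrfKey=abc123', 200, false],
    ['https://forum.example/index.php?app=core&module=x&do=delete&id=7&csrfKey=abc123', 303, false],
    ['https://forum.example/index.php?app=core&do=delete&csrfKey=abc123', 200, true],
    ['https://forum.example/index.php?app=forums&module=forums', 200, false],
];
foreach ($samples as [$url, $status, $ajax]) {
    printf("%s %d ajax=%s -> %s\n", $url, $status, $ajax ? 'y' : 'n',
        leaksCsrfToken($url, $status, $ajax) ? 'WARN: token in URL of rendered page' : 'ok');
}

$response = handleDeleteAction($samples[0][0], 'abc123', 'abc123');
printf("delete -> %d %s\n", $response['status'], $response['location']);
```

Only the first sample is flagged: the second is redirected, the third is an AJAX call, and the fourth carries no token. A `Referrer-Policy` header limits what cross-origin requests disclose, but it does not remove the token from the address bar, browser history or server logs, which is why the redirect is the recommended remedy.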
- Support for notification sounds in the browser has been removed. If you rely on playing sounds, you will need to implement this functionality in your application.
- A new method was added to the \IPS\Content\Item class which is called when an item is deleted. It receives the IDs of the comments/reviews that are going to be deleted, allowing you to perform any additional cleanup for the comments and reviews in this item.
- Updated the ModCP content restore (soft delete) to use the built-in restore() method instead of using its own code.
- Account settings will no longer prompt for re-authentication if the account does not have a way of re-authenticating. Applies mostly to custom SSO integrations.
Important Method Changes:
- Added a $seperator parameter to \IPS\CustomField::displayValues which can be used to define a custom separator when displaying multiple values.
- Updated method signature for \IPS\Node\Model::getLastCommentTime().
- Added a $count parameter to \IPS\Content::definiteArticle/_definiteArticle(). If an integer is passed, a pluralized phrase will be used, if available. You should add pluralized strings for any _defart* strings you’ve already created. The key should be in the format _defart*_plural.
* Thanks to Mikhail Klyuchnikov of Positive Technologies Offensive Team (https://swarm.ptsecurity.com/) for this report.