2.3.9 patch does not work on 2.3.7

[nocte]

This is what i get on rebuild master data after uploading the patch files from https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/ to a XF 2.3.7 installation.

user@web /home/forum/web $ php cmd.php xf:rebuild-master-data
PHP Fatal error:  Uncaught ErrorException: [E_WARNING] The use statement with non-compound name 'array_key_exists' has no effect in /home/forum/web/src/XF/Container.php:6
Stack trace:
#0 /home/forum/web/src/vendor/composer/ClassLoader.php(576): XF::handlePhpError(2, '...', '...', 6)
#1 /home/forum/web/src/vendor/composer/ClassLoader.php(576): include()
#2 /home/forum/web/src/vendor/composer/ClassLoader.php(427): Composer\Autoload\{closure}('...')
#3 /home/forum/web/src/XF.php(777): Composer\Autoload\ClassLoader->loadClass('...')
#4 /home/forum/web/src/XF.php(762): XF::setupApp('...')
#5 /home/forum/web/src/XF.php(248): XF::app()
#6 [internal function]: XF::handleException(Object(ErrorException))
#7 {main}
  thrown in /home/forum/web/src/XF/Container.php on line 6

 

[Chris D]

When did you download the patch? Today or yesterday?

 

[nocte]

Yesterday. So, re-download?

 

[Chris D]

Yes please

 

[philmckrackon]

@Chris D , should be ok for 2.3.5 also?

 

[Chris D]

Yes I think so

 

[nocte]

Yes please

Done, kind of works. But now I get a huge amount of these errors:

 Macro public:message_macros :: signature() error: Call to undefined method XF\Util\Url::getValidUrl()

seems to be related to this:

K

Fixed Thread 'Method XF\BbCodeRenderer\Html::getValidUrl should be in a utility class'

Jan 12, 2024

Not really a bug, but a development annoyance that could be fixed easily:
Method XF\BbCodeRenderer\Html::getValidUrl can be useful in various places, but it's a protected method of the BB code renderer class.

It would be great if this was in a utility class instaead so it could be used everywhere.

• Kirby
• Replies: 1
• Forum: Resolved bug reports

 

[Chris D]

Might just be sensible to upgrade to 2.3.9?

 

[nocte]

Would adding this code to the class fix this:

    /**
     * Returns a version of the passed in URL that is valid for use in a message or false
     * if the URL is definitively unusable. Note that this is distinct from the URL being valid
     * from an RFC perspective, as users may submit URLs that don't always have all components
     * URL encoded as needed. We generally defer to the browsers to handle this for us rather
     * than rejecting the URL.
     *
     * @param string $url
     * @param string|null $allowedProtocolRegex Regular expression for allowed protocols. Defaults to https?|ftp
     *
     * @return false|string
     */
    public static function getValidUrl(string $url, ?string $allowedProtocolRegex = null)
    {
        if ($allowedProtocolRegex === null)
        {
            $allowedProtocolRegex = '#^(https?|ftp)://#i';
        }

        $url = trim($url);

        if (preg_match('/proxy\.php\?\w+=(http[^&]+)&/i', $url, $match))
        {
            // proxy link of some sort, adjust to the original one
            $proxiedUrl = urldecode($match[1]);
            if (preg_match('/./su', $proxiedUrl))
            {
                $url = $proxiedUrl;
            }
        }

        if (preg_match('/^(\?|\/|#|:)/', $url))
        {
            return false;
        }

        if (strpos($url, "\n") !== false)
        {
            return false;
        }

        if (preg_match('#^(data|https?://data|javascript|about):#i', $url))
        {
            return false;
        }

        if (preg_match($allowedProtocolRegex, $url))
        {
            return $url;
        }

        return 'http://' . $url;
    }
}

 

[nocte]

Might just be sensible to upgrade to 2.3.9?

Not too easy at the moment, because I cannot do it alone..

I also wanted to test the 2.3.8 upgrade first, before I update the live site.

 

[Chris D]

The patch is for people who cannot upgrade, but if you can upgrade, that is the strong recommendation. Alternatively, you could stay unpatched until you're ready.

I won't be providing support on specific changes to make to the patch just yet, so advice is to revert back to your stable version, upgrade, or wait in case there are additional things we need to patch.

 

[Chris D]

Post in thread 'XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)'

Yesterday at 2:42 PM

2.3.9 patch files for pre-XF 2.3.8 installs​

Some users may struggle to apply the patch on pre-2.3.8 installs. If you are patching 2.3.7 or earlier you may try this patch.

• Chris D

• 
• 

 

[Alvin63]

Not too easy at the moment, because I cannot do it alone..

I also wanted to test the 2.3.8 upgrade first, before I update the live site.

It's quite easy - if I can upgrade then you can

 

[Suzanne O]

Upgrading is better than worrying about patches mate.