XF 2.2 Properly fix security issue with v2.2.16

SeToY

Hello there,

in the update announcement, there are the following pieces of information:
All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.
but also:
Note: This file cannot be patched automatically as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.

So, I just wanted to clarify: Am I safe if I run 2.2.16? Because even with 2.2.16, the code that I'm supposed to replace in src/XF.php is still the "old" code in line 1140 after the upgrade to 2.2.16.

Thanks for the clarification!
 
Thanks for your response. I upgraded via the auto upgrader around 30 minutes ago (2.2.15 to 2.2.16), so this is all I need to do and I do not need to upload or patch anything manually?

I'm a bit insecure because of this sentence:
You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.
and updating from 2.2.15 to 2.2.16 is effectively that: running 2.2 in any way, shape or form - even after running the auto updater, where it's also mentioned that:
Note: This file cannot be patched automatically
 
Is it named 2.2.16 Patch 1?

When I do the upgrade check (/admin.php?tools/upgrade-check) on 2.2.16, there's no Patch 1.
Second that. The file src/XF.php (method stringToClass) looks like it's supposed to look after patching, however... so:
You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.
doesn't seem to be that true. I'm confused.
 
To clarify, your XenForo installation will still list the version as "v2.2.16" and it won't mention the patch, but if you downloaded 2.2.16 Patch 1 as per Paul's screenshot above, or performed a one-click upgrade any time after the Patch 1 release, you will be running Patch 1.

On the subject of the confusion, I see your point to an extent, and I will try and clarify the wording here, but to repeat what Paul said earlier, if you have upgraded that is all you need to do. There is no manual patching required.

The specific quote you called out is underneath the manual patching heading and instructions. It explicitly says that if you are manually patching, you need to make that code edit manually. We cannot include XF.php in the patch download because it contains install-specific information. That is why that file would need to be manually edited if you are unable to do a normal upgrade for any reason.
 
Updated wording:
Note: This file is not included in the patch download attached to this post as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue. This only applies if you are unable to do a normal upgrade.
 
Okay, but you're able to patch it using the auto-updater from within the ACP, just not from within the XF Customer Area, I see.
To clarify, both of these things are normal upgrades. If you do a normal upgrade you will receive all of the patches and all of the bug fixes. One-click upgrade through your admin control panel, or downloading the updated version from your customer area will both contain everything you need.

The manual patching is only if normal upgrading is not available to you (you might have an expired license, for example).

The only reason we call out XF.php specifically is it cannot be included in the patch zip file that we attached to the announcement post.
 
> To clarify, your XenForo installation will still list the version as "v2.2.16" and it won't mention the patch, but if you downloaded 2.2.16 Patch 1 as per Paul's screenshot above, or performed a one-click upgrade any time after the Patch 1 release, you will be running Patch 1.
>
> On the subject of the confusion, I see your point to an extent, and I will try and clarify the wording here, but to repeat what Paul said earlier, if you have upgraded that is all you need to do. There is no manual patching required.
>
> The specific quote you called out is underneath the manual patching heading and instructions. It explicitly says that if you are manually patching, you need to make that code edit manually. We cannot include XF.php in the patch download because it contains install-specific information. That is why that file would need to be manually edited if you are unable to do a normal upgrade for any reason.

What about if you upgraded to 2.2.16 via one click before Patch 1?
 
You have the security fixes but a very specific bug arose related to accessing node permissions. That’s what Patch 1 was for.

Your XenForo installation will tell you that it is available so you can install it.
 
> You have the security fixes but a very specific bug arose related to accessing node permissions. That’s what Patch 1 was for.
>
> Your XenForo installation will tell you that it is available so you can install it.

I installed 2.2.16 via the auto update before Patch 1 was released, however, I'm not seeing an option to auto update to Patch 1 from the ACP.

EDIT: And I'm seeing the node permissions bug.
 
> I installed 2.2.16 via the auto update before Patch 1 was released, however, I'm not seeing an option to auto update to Patch 1 from the ACP.
>
> EDIT: And I'm seeing the node permissions bug.

Same. That's why I was asking (but wasn't sure if a quick patch was rolled out before the post was made).

It doesn't look like these files were modified when I check the date via FTP:
  • src/XF/Admin/Controller/Node.php
  • src/XF/Admin/Controller/Permission.php
 
My wish for future patches:
Provide a patch / diff as an additional option.

While it is trivial to generate this from the patched files and their base, it would save quite a bit of work and allow patches to be applied easily :)
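The two practical points raised in this thread, checking whether specific files actually changed (file dates seen over FTP are a weak signal) and producing a patch from "the patched files + their base", can both be handled with a small script. The following is an added example, not XenForo's own tooling and not code from any poster here. It assumes two directory trees on disk, an unmodified release ("base") and the same release with the fix applied ("patched"), and compares them by content hash before emitting a unified diff with the `a/` and `b/` prefixes that `patch -p1` or `git apply` expect. The file names and file contents in the demo are constructed placeholders, not the real XenForo sources.

```python
"""Report which files differ between a base release tree and a patched tree,
then emit a unified diff of those files.

Added example; assumptions: two trees exist on disk, demo contents below are
constructed stand-ins, not real XenForo code.
"""
import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash: a reliable "was this file changed?" check, unlike an mtime seen over FTP."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_trees(base: Path, patched: Path) -> dict:
    """Classify files as changed / added / removed by comparing content hashes."""
    base_files = {p.relative_to(base).as_posix() for p in base.rglob("*") if p.is_file()}
    patched_files = {p.relative_to(patched).as_posix() for p in patched.rglob("*") if p.is_file()}
    changed = sorted(
        f for f in base_files & patched_files
        if sha256_of(base / f) != sha256_of(patched / f)
    )
    return {
        "changed": changed,
        "added": sorted(patched_files - base_files),
        "removed": sorted(base_files - patched_files),
    }


def make_patch(base: Path, patched: Path) -> str:
    """Unified diff for every changed or added file, in the a/ b/ layout that `patch -p1` reads."""
    report = compare_trees(base, patched)
    chunks = []
    for rel in report["changed"] + report["added"]:
        if rel in report["changed"]:
            old_lines = (base / rel).read_text().splitlines(keepends=True)
            from_name = f"a/{rel}"
        else:  # new file: conventional /dev/null source so patch tools create it
            old_lines = []
            from_name = "/dev/null"
        new_lines = (patched / rel).read_text().splitlines(keepends=True)
        chunks.extend(difflib.unified_diff(old_lines, new_lines, fromfile=from_name, tofile=f"b/{rel}"))
    return "".join(chunks)


# Constructed demo contents (placeholders, not XenForo source).
BASE_XF = "<?php\n// constructed stand-in for the base release\n$x = 'before fix';\n"
PATCHED_XF = "<?php\n// constructed stand-in for the base release\n$x = 'after fix';\n"


def build_demo_trees(root: Path) -> "tuple[Path, Path]":
    """Write a base tree and a patched tree with one changed, one unchanged and one added file."""
    base, patched = root / "base", root / "patched"
    for tree, xf_body in ((base, BASE_XF), (patched, PATCHED_XF)):
        (tree / "src").mkdir(parents=True)
        (tree / "src" / "XF.php").write_text(xf_body)
        (tree / "src" / "unchanged.php").write_text("<?php\n// identical in both trees\n")
    (patched / "src" / "NewFile.php").write_text("<?php\n// only in the patched tree\n")
    return base, patched


def demo() -> dict:
    """Build the constructed trees in a temp dir, compare them and return the report plus patch text."""
    with tempfile.TemporaryDirectory() as tmp:
        base, patched = build_demo_trees(Path(tmp))
        report = compare_trees(base, patched)
        report["patch"] = make_patch(base, patched)
        return report


if __name__ == "__main__":
    result = demo()
    print("changed:", result["changed"], "added:", result["added"], "removed:", result["removed"])
    print(result["patch"])
```

Run against a real extracted release and a patched copy by calling `compare_trees` and `make_patch` with those two paths; the hash report tells you whether the files in question were actually touched, and the diff output can be saved and applied with `patch -p1` from the site root.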
 