XF 2.2 XenForo 2.2.10: Standalone Security Fix?



I saw XF 2.2.10 just got released with a security fix. Is there a way to backport it to older 2.2.x versions as I currently do not have an active license (yes I know), but still would like to have a secure system.

Just asking...? :)

Thank you!
Thanks. I am at 2.2.6 Patch 2 right now and that is the latest version my license currently allows me, so I cannot download 2.2.10 and compare :( That's why I ask.
Thank you @XenForo :)

Thank you @XenForo :)

I upgraded to patch 1 on the 13th. Are there additional changes since then? I found yesterday's announcement to be a bit confusing...

I have one more question:
How could I re-generate XF's hashes.json file so the file health checker is happy again?

I've tried the CLI approach with
php cmd.php xf-addon:sync-json XF
because the file is in src/addons/XF and everything (afaik) points to "XF" being the right ID - but the system refuses to find this addon.

(Yes, I know the announcement said the warning can be ignored, but I don't know how many emails with the warning will follow and, well, I'd rather have it not send an email, unless there is a real problem - kind of like the check engine light; I'd like it to only blink when it has an actual problem, and when it lights up for a problem I know, it'd hide a new issue I should be aware of)
php cmd.php xf-addon:sync-json XF
Using that command, you are syncing the local addon.json into the database, and when doing so you are not really syncing the hashes.json.

How could I re-generate XF's hashes.json file so the file health checker is happy again?
You will need to manually correct the file or just use this add-on by @Ozzy47 to not get bothered about that specific file.

Thanks for your reply.

You will need to manually correct the file
Alright, that I could do.

Do you happen to have the hashes for the files affected by any chance? :)

| XenForo                                                 |
| File path                                | Status       |
| src/XF/Http/ca-bundle-legacy-openssl.crt | Inconsistent |
| src/XF/Http/ca-bundle.crt                | Inconsistent |
| src/XF/Http/Reader.php                   | Inconsistent |
| src/XF/Util/Ip.php                       | Inconsistent |
Well ok, for everyone who wants to fix the file health check... Here are the hashes from the zip file in the announcement:

    "src/XF/Http/ca-bundle-legacy-openssl.crt": "138da9088350cf5a2ce6c47b1fa27d33d2ac60b9fc1460376d40e4a0cb24eeee",
    "src/XF/Http/ca-bundle.crt": "08df40e8f528ed283b0e480ba4bcdbfdd2fdcf695a7ada1668243072d80f8b6f",
    "src/XF/Util/Ip.php": "9ef8e90620aadde52a82b1dd52f231d5d7bdd335334ba57441cbcdf0e6fe48c8",
    "src/XF/Http/Reader.php": "9aa754540eb4a118ca724b5ad645fa4cc39a5779a12793db6d673f59b748bf96",

Find the lines in src/addons/XF/hashes.json that contain the path and replace the hash.

For the sake of completeness, here's my script that got me the hashes.

<?php
// https://stackoverflow.com/questions/24783862/list-all-the-files-and-folders-in-a-directory-with-php-recursive-function
// Recursively collect the real paths of all files below $dir.
function getDirContents($dir, &$results = array()) {
    $files = scandir($dir);

    foreach ($files as $key => $value) {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
        if (!is_dir($path)) {
            $results[] = $path;
        } else if ($value != "." && $value != "..") {
            getDirContents($path, $results);
            //$results[] = $path;
        }
    }

    return $results;
}

$list = getDirContents(__DIR__.'/src');

// Build path/hash pairs, with paths relative to this script's directory.
$res = array();
foreach($list as $current) {
    $cleanName = str_replace(__DIR__, '', $current);
    $res[] = array(
        'path' => $cleanName,
        'hash' => hashThatFile($current),
    );
}

// SHA-256 of the file contents with carriage returns removed.
function hashThatFile($path) {
    $contents = file_get_contents($path);
    $contents = str_replace("\r", '', $contents);
    return hash('sha256', $contents);
}

In case you want to get rid of the warning when applying the security fix only, here is the new hash from the file in the announcement:

"src/XF/BbCode/Renderer/EditorHtml.php": "05bc7595432c3ebd0d05a7b005d9928ee60f538212ee6d40b0f4008620ec1036",

You'd put that into src/addons/XF/hashes.json where a line already exists that begins with "src/XF/BbCode/Renderer/EditorHtml.php". Just replace the hash. And you're good to go. :–)

(This is for 2.2.x, have not done it with 2.1, but the script used is literally one post above this one, so feel free.)
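
An added example, not code from any poster in this thread or from XenForo: it uses the same CR-stripped SHA-256 as the script posted earlier in the thread, but writes a new hash into hashes.json only when the file on disk matches the hash taken from the trusted patch archive, so an unexpected local change keeps triggering the file health check. The function names, the demo paths and the flat path-to-hash layout of hashes.json are assumptions.

```php
<?php
// Added example, not XenForo code. Assumption: hashes.json is a flat JSON
// object of "relative/path": "sha256-hex", like the lines quoted in this thread.

// Same normalisation as the script posted in the thread: drop "\r", then SHA-256.
function normalizedHash(string $file): string {
    return hash('sha256', str_replace("\r", '', file_get_contents($file)));
}

// Write a new hash only when the file on disk matches the hash from the trusted
// patch archive; every other entry is reported and left as it was.
function syncTrustedHashes(string $root, string $hashesFile, array $trusted): array {
    $hashes = json_decode(file_get_contents($hashesFile), true);
    if (!is_array($hashes)) {
        throw new RuntimeException("$hashesFile is not a JSON object");
    }
    $report = [];
    foreach ($trusted as $path => $expected) {
        $full = $root . '/' . $path;
        if (!array_key_exists($path, $hashes)) {
            $report[$path] = 'not listed in hashes.json, skipped';
        } elseif (!is_file($full)) {
            $report[$path] = 'missing on disk, skipped';
        } elseif (!hash_equals($expected, normalizedHash($full))) {
            $report[$path] = 'differs from patch file, hash left unchanged';
        } else {
            $hashes[$path] = $expected;
            $report[$path] = 'updated';
        }
    }
    file_put_contents($hashesFile, json_encode($hashes, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
    return $report;
}

// Constructed demo data in a temp directory; no real XenForo files are touched.
$root = sys_get_temp_dir() . '/xf_hash_demo_' . getmypid();
mkdir($root . '/src/addons/XF', 0700, true);
file_put_contents($root . '/src/Patched.php', "<?php\r\n// patched\r\n");
file_put_contents($root . '/src/Edited.php', "<?php\n// local edit\n");
$hashesFile = $root . '/src/addons/XF/hashes.json';
file_put_contents($hashesFile, json_encode([
    'src/Patched.php' => str_repeat('0', 64),
    'src/Edited.php' => str_repeat('0', 64),
]));
$trusted = [ // hashes as they would be computed from the vendor's patch zip
    'src/Patched.php' => hash('sha256', "<?php\n// patched\n"),
    'src/Edited.php' => hash('sha256', "<?php\n// patched\n"),
];
print_r(syncTrustedHashes($root, $hashesFile, $trusted));
```

For a real installation, `$root` would be the XenForo directory and `$trusted` would hold hashes computed from the files in the official patch archive.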