XF 2.2 XenForo 2.2.10: Standalone Security Fix?
- Thread starter TLDR
- Start date
That's why I ask.
Lukas W.
Well-known member
Security fixes are usually released as hotfix packages so people with expired licenses can update without having to go through hoops and license renewals.
TLDR
Active member
Thank you @XenForo 
xenforo.com
XenForo 2.2.10 Patch 1 Released
XenForo 2.2.10 Released XenForo 2.2.10 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability. This version contains a fix for an issue whereby...
xenforo.com
Sal Collaziano
Well-known member
I upgraded to patch 1 on the 13th. Is there additional changes since then? I found yesterday's announcement to be a bit confusing...Thank you @XenForo
XenForo 2.2.10 Patch 1 Released
XenForo 2.2.10 Released XenForo 2.2.10 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability. This version contains a fix for an issue whereby...
TLDR
Active member
Hello,
I have one more question:
How could I re-generate XF's hashes.json file so the file health checker is happy again?
I've tried the CLI approach with
because the file is in src/addons/XF and everything (afaik) points to "XF" being the right ID - but the system refuses to find this addon.
(Yes, I know the announcement said the warning can be ignored, but I don't know how many emails with the warning will follow and, well, i'd rather have it not send an email, unless there is a real problem - kind of like the check engine light; i'd like it to only blink when it has an actual problem, and when it lights up for a problem I know, it'd hide a new issue I should be aware of)
I have one more question:
How could I re-generate XF's hashes.json file so the file health checker is happy again?
I've tried the CLI approach with
Bash:
php cmd.php xf-addon:sync-json XF(Yes, I know the announcement said the warning can be ignored, but I don't know how many emails with the warning will follow and, well, i'd rather have it not send an email, unless there is a real problem - kind of like the check engine light; i'd like it to only blink when it has an actual problem, and when it lights up for a problem I know, it'd hide a new issue I should be aware of)
Last edited:
TickTackk
Well-known member
Code:
php cmd.php xf-addon:sync-json XFaddon.json into the database and when doing you are not really syncing the hashes.json.You will need to manually correct the file or just use this add-on by @Ozzy47 to not get bothered about that specific file.
TLDR
Active member
Hi,
thanks for your reply.
Do you happen to have the hashes for the files affected by any chance?
thanks for your reply.
Alright, that I could do.
Do you happen to have the hashes for the files affected by any chance?
Code:
+------------------------------------------+--------------+
| XenForo |
+------------------------------------------+--------------+
| File path | Status |
+------------------------------------------+--------------+
| src/XF/Http/ca-bundle-legacy-openssl.crt | Inconsistent |
| src/XF/Http/ca-bundle.crt | Inconsistent |
| src/XF/Http/Reader.php | Inconsistent |
| src/XF/Util/Ip.php | Inconsistent |
+------------------------------------------+--------------+TLDR
Active member
Well ok, for everyone who wants to fix the file health check... Here are the hashes from the zip file in the announcement:
Find the lines in src/addons/XF/hashes.js that contain the path and replace the hash.
For sake of completeness, here's my script that got me the hashes.
JavaScript:
"src/XF/Http/ca-bundle-legacy-openssl.crt": "138da9088350cf5a2ce6c47b1fa27d33d2ac60b9fc1460376d40e4a0cb24eeee",
"src/XF/Http/ca-bundle.crt": "08df40e8f528ed283b0e480ba4bcdbfdd2fdcf695a7ada1668243072d80f8b6f",
"src/XF/Util/Ip.php": "9ef8e90620aadde52a82b1dd52f231d5d7bdd335334ba57441cbcdf0e6fe48c8",
"src/XF/Http/Reader.php": "9aa754540eb4a118ca724b5ad645fa4cc39a5779a12793db6d673f59b748bf96",Find the lines in src/addons/XF/hashes.js that contain the path and replace the hash.
For sake of completeness, here's my script that got me the hashes.
PHP:
<?php
// https://stackoverflow.com/questions/24783862/list-all-the-files-and-folders-in-a-directory-with-php-recursive-function
function getDirContents($dir, &$results = array()) {
$files = scandir($dir);
foreach ($files as $key => $value) {
$path = realpath($dir . DIRECTORY_SEPARATOR . $value);
if (!is_dir($path)) {
$results[] = $path;
} else if ($value != "." && $value != "..") {
getDirContents($path, $results);
//$results[] = $path;
}
}
return $results;
}
$list = getDirContents(__DIR__.'/src');
$res = array();
foreach($list as $current) {
$cleanName = str_replace(__DIR__, '', $current);
$res[] = array(
'path' => $cleanName,
'hash' => hashThatFile($current),
);
}
print_r($res);
function hashThatFile($path) {
$contents = file_get_contents($path);
$contents = str_replace("\r", '', $contents);
return hash('sha256', $contents);
}TLDR
Active member
In case you want to get rid of the warning when applying the security fix only, here is the new hash from the file in the announcement:
You'd put that into src/addons/XF/hashes.json where a line already exists thats begins with "src/XF/BbCode/Renderer/EditorHtml.php". Just replace the hash. And you're good to go. :–)
(This is for 2.2.x, have not done it with 2.1, but the script used is literally one post above this one, so feel free.)
JSON:
"src/XF/BbCode/Renderer/EditorHtml.php": "05bc7595432c3ebd0d05a7b005d9928ee60f538212ee6d40b0f4008620ec1036",You'd put that into src/addons/XF/hashes.json where a line already exists thats begins with "src/XF/BbCode/Renderer/EditorHtml.php". Just replace the hash. And you're good to go. :–)
(This is for 2.2.x, have not done it with 2.1, but the script used is literally one post above this one, so feel free.)
