Posts by Alexander Ebert

    Hello,


    Each concurrent request hitting your site consumes one connection to the database server. If you have a larger number of concurrent visitors or make use of plugins that dispatch a large number of requests, then it could happen that there are too many in-flight requests, consuming all connections granted by your webhost. This can be even worse on slower hosts, because the longer it takes to process a request, the longer this connection slot is taken up.

    We have just released new versions of our products:

    • WoltLab Suite 5.2.4


    Stability releases (also known as "minor releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features; it is strongly recommended to apply these updates.

    Users Sending Emails to Users

    The software contains a legacy feature that enables users (and if configured, also guests) to send emails to other users. This feature has little use today, but is more often than not overlooked by administrators, especially those migrating from previous versions. The form uses a dedicated group permission that was enabled by default in previous versions and was often left unchanged.


    It has come to our attention that attackers have taken advantage of this feature and actively abused it to send out spam emails to other users. We've taken two steps to mitigate this issue to some extent:

    1. Force revoked the group permissions to use this form. Site owners can grant the permissions again at their own discretion, although we strongly advise against this.
    2. The captcha protection of the mail form was previously enabled for guest access only and is now enforced for users alike. This is the first form to enforce the captcha for logged-in users too.

    For Developers: Changes to the HTML Markup For .contentItemLink

    The new .contentItemList was introduced as a generic implementation for content pieces that rely on teaser images. However, the DOM is somewhat flawed by expecting a link to wrap around the whole content section, which easily collides with certain content elements.

    HTML
    <a href="…" class="contentItemLink">
    <!-- content -->
    </a>

    Should be changed into:

    HTML
    <div class="contentItemLink">
    <!-- content -->
    <a href="…" class="contentItemLinkShadow"></a>
    </div>

    The CSS remains unaffected, causing no visual change if the old DOM continues to be used, preserving compatibility with existing implementations. The changes to the CSS are fully backwards compatible; however, we strongly encourage developers to adopt these changes as soon as possible.


    https://github.com/WoltLab/WCF/issues/3189

    Performing System Updates

    Open your Administration Control Panel and navigate to Configuration > Packages > List Packages. Please click on the button Search for Updates located in the right corner above the package list.

    Notable Changes

    The list below includes only significant changes; minor fixes or typos are generally left out.

    WoltLab Suite Blog

    • The generated HTML for the article preview was invalid, causing some parts of the preview to not respond to clicks. 5.2
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.2
    • The list of articles by tag did not support multiple result pages. 5.2
    • New template event in the header section of articles. 5.2

    WoltLab Suite Calendar

    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.2
    • The list of events by tag did not support multiple result pages. 5.2

    WoltLab Suite Filebase

    • Custom input fields of type boolean could not be enabled due to a collision of the HTML id. 5.2
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.2
    • The list of files by tag did not support multiple result pages. 5.2

    WoltLab Suite Gallery

    • The list of deleted images raised an exception when viewed by guests. 5.2
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.2
    • The list of albums and images by tag did not support multiple result pages. 5.2

    WoltLab Suite Forum

    • Attempting to move a thread raised an exception in PHP 7.4. 5.2
    • Incorrect handling of empty threads in the AMP view. 5.2
    • The list of threads by tag did not support multiple result pages. 5.2

    WoltLab Suite Core: Conversations

    • Resolved an issue when replying to conversations when one or more participants were deleted. 5.2

    WoltLab Suite Core: Importers

    • XenForo 2.x
      • Support for pixel based font sizes and the support for the rgb() format for colors. 5.2
      • Support for additional meta data used with embedded attachments. 5.2
    • WoltLab Suite 3.x, 5.x
      • Incorrect recognition of categories for imported media. 5.2

    WoltLab Suite Core

    • Resolved two compatibility issues with PHP 7.4. 5.2
    • New template events in the message sidebar in the rank section. 5.2
    • The form to add new phrases sometimes failed the validation of the selected category. 5.2
    • Incorrect prompt for i18n articles when attempting to create an article on the category list. 5.2
    • Collision of the mobile UI for messages on screen widths between 768 and 1024 px. 5.2
    • Improved main menu on oversized tablets that exceed 1024 px screen width. 5.2
    • Improved the display of code boxes in the AMP view. 5.2
    • The generated HTML for the article preview was invalid, causing some parts of the preview to not respond to clicks. 5.2

    but I'm curious about the reason it stops with error.

    The screenshot shows a big red cross, which indicates that an error occurred. It should have displayed a proper on-screen error message, but possibly this was network related and there was no actual error message.


    You could try opening the developer tools of your browser (Windows: F12) and open the "Network" tab. Then navigate to the sitemaps, start the rebuild process and wait for it to finish. If it fails again and there is no error message, look at the results in the "Network" tab; there should be a failed request marked in red. Clicking on it reveals some useful status information of what has happened in the background, possibly revealing the root cause.

    Hello,


    That's super easy with some basic CSS. Edit your box and enter something in the field CSS Class Name, for example, boxWithoutPadding. Now, head over to "Customization > Global CSS and SCSS" and append the following code at the end of the input area:

    CSS
    .boxesSidebarLeft .box:not(.boxBorderless).boxWithoutPadding, .boxesSidebarRight .box:not(.boxBorderless).boxWithoutPadding {
        padding: 0;
    }

    Third Party Package Servers Provided by (Optional) Packages

    In recent years, we have seen an increasing number of incidents involving third-party package servers, focusing on packages offered in the Plugin-Store.


    In the interest of our customers, we have decided not to approve any new packages or updates that directly or indirectly (e.g. via optional packages) install third-party package servers. This explicitly only affects packages in the plugin store; there is no technical change in the core, and it is still possible to create package servers via third-party packages or by manually adding them.


    In this context, and in the interests of transparency, we would like to explain the primary reasons for our decision in the following.

    Lack of Necessity for Products in the Plugin-Store

    For extensions and styles from the plugin store, there is absolutely no need to install third-party package servers, because all updates are delivered directly from the Plugin-Store as soon as they are reviewed.

    Distribution of Non-audited Updates

    Some third-party vendors release updates for packages directly as soon as they are available and do not wait for the review in the plugin store. This is problematic because the final review of each new package and each update is done manually by a WoltLab GmbH employee.


    On average, every third update is rejected at the first attempt due to substantial defects. Early delivery via third-party package servers undermines this review, which aims to reduce both security and stability issues.

    Collision with Commercially Offered Products

    A special case is the premature release of updates, where the product is offered both in the Plugin-Store and directly by the third-party vendor. This can lead to conflicts if no access data has been stored for the third-party vendor's package server and updates are therefore offered before they are published in the Plugin-Store.

    Security Concerns Regarding Unaudited Packages and Updates

    The strength of the package system is also one of the biggest weak spots, because extensions can make almost arbitrary changes, up to the execution of security-critical malicious code. This is made more difficult by the fact that package servers can offer updates for almost any package for download, the only exception being our products, which can only be delivered via the official package servers.


    Unfortunately, incidents have occurred in which websites of third-party vendors have become the target of attacks, with both takeovers at the DNS level, i.e. the domains pointing to a foreign server, and the direct compromise of the server systems. This also means that an attacker gains control over the package servers of these providers and can exploit them to deliver malicious code almost without being noticed. A look beyond the horizon reveals that this is by no means a fictitious scenario, but rather a recurring threat, for example with NPM or various Linux distributions, which could often only be prevented by a high level of protection.

    Compatibility with the WoltLab Cloud

    We will soon start to review extensions and styles in the Plugin-Store for compatibility with the WoltLab Cloud. Entries that pass this test will be marked by us; we do not plan to use some kind of "negative marking" at this time.


    The criteria for determining compatibility are as follows:

    1. Compatibility with WoltLab Suite 5.2.
    2. Outgoing HTTP(S) connections consistently rely on the HTTPRequest class or handle the proxy configuration correctly.
    3. No outgoing connections to other TCP or UDP ports.
    4. No mass sending of emails.
    5. No overlapping with privileges that are subject to restrictions in the context of a managed service, such as direct database administration.
    6. Packages that install third-party package servers are generally excluded.

    These criteria are already met by the vast majority of packages, so no significant restrictions are to be expected.
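
    A pre-submission check for criteria 2, 3 and 6 could look like the following. This is an added example, not WoltLab's review tooling: the list of PHP functions, the table name package_update_server and the sample files are assumptions, and a hit means "review by hand", not "rejected".

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    criterion: int  # number of the criterion in the list above
    reason: str


# Either a quoted PHP string (kept) or a comment (blanked out). Matching
# strings first keeps the "//" in 'https://...' from being read as a comment.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|(/\*.*?\*/|//[^\n]*|#[^\n]*)""",
    re.S,
)

# Assumed heuristics, one per criterion that can be spotted statically.
RULES = [
    (2, "HTTP client that bypasses HTTPRequest", re.compile(
        r"""\bcurl_init\s*\(|\b(?:file_get_contents|fopen)\s*\(\s*['"]https?://""",
        re.I)),
    (3, "raw socket, arbitrary TCP/UDP port", re.compile(
        r"\b(?:p?fsockopen|stream_socket_client|socket_create)\s*\(", re.I)),
    (6, "references the package server table (assumed name)", re.compile(
        r"package_update_server", re.I)),
]


def strip_comments(src: str) -> str:
    """Remove PHP comments but keep string literals and line numbering."""
    def keep(m: re.Match) -> str:
        if m.group(1) is not None:
            return m.group(1)
        return "\n" * m.group(2).count("\n")
    return _TOKEN.sub(keep, src)


def audit_plugin(files: dict) -> list:
    """files maps a path inside the package to its source text."""
    findings = []
    for path, src in files.items():
        for no, line in enumerate(strip_comments(src).splitlines(), 1):
            for criterion, reason, rx in RULES:
                if rx.search(line):
                    findings.append(Finding(path, no, criterion, reason))
    return findings


def failed_criteria(files: dict) -> list:
    return sorted({f.criterion for f in audit_plugin(files)})


# Constructed sample package contents (not taken from any real plugin).
SAMPLE = {
    "files/lib/system/feed/FeedFetcher.class.php":
        "<?php\n// earlier version: curl_init('https://feed.example/rss');\n"
        "$request = new HTTPRequest('https://feed.example/rss');\n"
        "$request->execute();\n",
    "files/lib/system/stats/StatsPing.class.php":
        "<?php\n$ch = curl_init('https://stats.example/ping');\n"
        "$fp = fsockopen('udp://stats.example', 8125);\n",
    "files/acp/install_server.php":
        "<?php\n$sql = 'INSERT INTO wcf' . WCF_N . "
        "'_package_update_server (serverURL) VALUES (?)';\n",
}

if __name__ == "__main__":
    for f in audit_plugin(SAMPLE):
        print(f"{f.path}:{f.line}: criterion {f.criterion}: {f.reason}")
```

    The commented-out curl_init() call in the first sample file is ignored, while the file that goes through HTTPRequest produces no finding.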

    We have just released new versions of our products:

    • WoltLab Suite 5.2.3
    • WoltLab Suite 3.1.12
    • WoltLab Suite 3.0.23


    Stability releases (also known as "minor releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features; it is strongly recommended to apply these updates.

    Performing System Updates

    Open your Administration Control Panel and navigate to Configuration > Packages > List Packages. Please click on the button Search for Updates located in the right corner above the package list.

    Compatibility with PHP 7.4

    This update introduces compatibility with PHP 7.4 for the WoltLab Suite 3.0.x and 3.1.x series.

    Notable Changes

    The list below includes only significant changes; minor fixes or typos are generally left out. Some changes have been applied in 3.1 or 5.2 in earlier updates and are not listed separately.

    WoltLab Suite Blog

    • Compatibility with PHP 7.4. 3.1 3.0
    • Improper encoding of values yielded incorrect data for enriched search results. 3.1

    WoltLab Suite Calendar

    • Imported events use the custom location name if the imported event from iCal does not expose coordinates. 5.2
    • The end date was sometimes uneditable. 3.1 3.0
    • Greatly increased the range for the maximum number of repeated event dates. 3.0
    • Skip invalid dates in imported iCal exports. 3.0

    WoltLab Suite Filebase

    • Custom boolean options did not show their value if the user selected "no". 5.2

    WoltLab Suite Gallery

    • The generated HTML of the album and image bbcode was sometimes invalid. 5.2
    • Watermarks have been incorrectly applied to thumbnails of video links. 3.1
    • The page location was incorrect for nested categories. 3.1 3.0
    • An incorrect number of images were reported inside the album bbcode. 3.1 3.0

    WoltLab Suite Forum

    • Empty RSS feeds could raise an exception. 5.2
    • Moved the reaction button on mobile devices back into the message menu due to several incompatibilities. 5.2
    • Threads could be hidden from the thread list if the thread starter is a guest and the current user blocks other users. 5.2
    • Custom boolean options did not show their value if the user selected "no". 5.2
    • The list of unresolved threads yielded inaccurate results for guests. 3.1
    • Incorrect logging of threads that are moved to the trash bin. 3.0
    • External links could break the user group permission form. 3.0

    WoltLab Suite Core: Conversations

    • Incorrect update of usernames when merging a user with another. 3.0
    • Leaving a draft conversation yielded an error. 5.2 3.1 3.0

    WoltLab Suite Core: Importers

    • SMF 2.x
      • Added support for legacy attachment filenames. 3.0
    • MyBB 1.x
      • Incorrect recognition of quotation marks inside font bbcodes. 3.1 3.0
    • vBulletin 5.x
      • Broader support for different [attach] types. 3.1
      • BBCodes in signatures had not been converted. 3.1
      • Improved the support for pixel based font sizes. 3.1

    WoltLab Suite Core

    • Improved the compatibility with code that relies on legacy message handling. 5.2
    • The system check now validates the availability of graphics processing libraries. 5.2
    • Improved the styling of messages for Google AMP. 5.2
    • Backspacing the empty editor in iOS Safari yielded unexpected HTML. 5.2
    • The number of pending notifications and the favicon were sometimes not updated when the browser tab is running in the background. 5.2
    • Mentioning a user group would yield only a single notification. 5.2
    • Improved the reaction UI for large touch devices (iPad Pro 12.9"). 5.2
    • Chromium based browsers did not properly outdent nested lists in the editor. 5.2
    • The upgrade from 3.1 to 5.2 failed in MySQL >= 8.0.19. 5.2
    • Adding or editing users could silently fail due to validation errors in the signature text. 3.1
    • Converting text lines into code in the WYSIWYG editor using Firefox could cause extra blank lines. 3.1
    • User mentions had a trailing whitespace that caused a small gap between mentions and the adjacent text. 3.1
    • Compatibility with PHP 7.4. 3.1 3.0
    • The Facebook login no longer requests legacy scopes that could cause issues. 3.0
    • Upgraded the GitHub login due to changes to their API endpoints. 5.2 3.1 3.0
    • Resizing the browser window would not always rebuild the dimensions of a dialog. 3.0
    • Rebuilding users could cause issues with signatures from newly registered users. 3.0
    • Reject access tokens of banned users. 3.1 3.0
    • HTML entities were encoded twice in the anchor links of the user profile tabs. 3.1 3.0
    • Error logs would sometimes be removed after a delay due to an incorrect time comparison. 5.2 3.1 3.0

    We're changing the way we use our branches in all of our repositories, paving the way for an accelerated release cadence. These changes will become effective on Wednesday, February 19th, 2020. We highly recommend that you adjust your build processes, in particular all sorts of artifacts, to reflect these changes.

    The New Branch Schema

    Old branches have been tracked in version branches, such as 2.1 or 3.0, for a long time already. However, the current and next version have faced some inconsistencies over the past years, residing in different branches with sometimes unclear rules on when they are migrated into version branches. This has historically led to some confusion with 3rd party developers that had issues tracking down the correct branch to apply and/or suggest their changes.


    The new schema puts up clear rules on this:

    • Stable versions will always reside in version branches, regardless of their age.
    • master is always the development branch that eventually becomes the next stable version.
    • Upon reaching the stable version .0, the master branch is transferred into the appropriate version branch.
    • The next branch has become obsolete, as it is now represented by the master branch.

    Effective Changes: An Example

    The Core's repository (https://github.com/WoltLab/WCF/) will serve as an example for the aforementioned changes:


    Tree             Before    After
    Version 2.1.x    2.1       2.1
    Version 3.0.x    3.0       3.0
    Version 3.1.x    master    3.1
    Version 5.2.x    next      5.2
    (Next version)   ---       master

    Timeline

    These changes will enter into force on Wednesday, February 19th, 2020.

    The system running all demos will be unavailable tomorrow, February 13th, 2020, between 1:00 pm and 4:00 pm CET for maintenance. Existing demos cannot be reached during this time period.


    Requests for new demos are added to a queue and will be processed once the maintenance has been completed.


    Update 3:15 pm: The maintenance has been completed successfully.

    We have just released new versions of our products:

    • WoltLab Suite 5.2.2


    Stability releases (also known as "minor releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features; it is strongly recommended to apply these updates.

    Performing System Updates

    Open your Administration Control Panel and navigate to Configuration > Packages > List Packages. Please click on the button Search for Updates located in the right corner above the package list.

    Notable Changes

    The list below includes only significant changes; minor fixes or typos are generally left out.

    WoltLab Suite Blog

    • The generated HTML for the article preview was invalid, causing some parts of the preview to not respond to clicks.

    WoltLab Suite Calendar

    • Adjusted the HTML5 metadata to the latest standard.
    • The test for overlapping event dates suffered from a calculation error if the start and end date are equal.

    WoltLab Suite Filebase

    • The text of custom licenses could not be edited.
    • Added support for the import of reviews.

    WoltLab Suite Filebase: Support Threads

    • The support thread was created twice by accident.

    WoltLab Suite Gallery

    • The category filter on the album list did not behave as expected.
    • An incorrect number of images were reported inside the album bbcode.

    WoltLab Suite Forum

    • Empty threads raised an exception due to some incorrect property accesses.
    • Approving threads had been counted twice in the stats. It is recommended to rebuild the board data after applying this update.
    • RSS feeds that yielded no items after applying the filters will no longer report an error.
    • The list of replies displayed below articles now follows the same order as they appear in the thread.

    WoltLab Suite Core: Conversations

    • The action ConversationAction::markAsRead() no longer implicitly assumes the active user.

    WoltLab Suite Core: Importers

    • MyBB 1.x
      • Incorrect recognition of quotation marks inside font bbcodes.
    • vBulletin 5.x
      • Broader support for different [attach] types.
      • BBCodes in signatures had not been converted.
      • Improved the support for pixel based font sizes.
    • XenForo 2.x
      • Incorrect detection of JSON encoded data.

    WoltLab Suite Core: Infractions

    • The form to issue warnings now correctly applies a predefined reason.

    WoltLab Suite Core

    • Resolved an issue that could cause special trophies to be awarded twice.
    • The system check page suffered from a bad string comparison for MySQL.
    • Attempting to create a new article in the frontend offered multilingual articles even when there is only a single language available.
    • The detection for WebP images failed in PHP 7.0.
    • Streamlined the token validation for pages that require access tokens.
    • HTML entities were encoded twice in the anchor links of the user profile tabs.
    • Hidden dialogs containing an iframe would sometimes react to pointer events.
    • Triple clicking inside a table cell inside the editor will no longer yield invalid markup if the selected content was replaced.
    • Optional "select" fields in the contact form did not support the "(No selection)" option.
    • Improved the DateFormField component, better validation and a consistent usage of UTC dates.
    • Resolved a compatibility issue in the Net_IDNA2 package when used with PHP 7.4.
    • Upgrading from WoltLab Suite 3.1 would previously discard the custom box positions for some pages.
    • The reaction picker was sometimes rendered behind the page header.
    • The fullscreen mode in the editor did not work in some cases.
    • Disabled the edit button in the user list if the active user lacks the required permissions.
    • Detection for misconfigured PHP environments that use opcache but prevent any sort of cache reset.
    • Adjusted the GitHub authentication to match their latest API changes.