Elgg Blog: Elgg 1.7.5 and 1.6.4 released with security enhancements

Elgg 1.7.5 and 1.6.4 have been released and address two cross-site scripting (XSS) vulnerabilities. Network admins are encouraged to upgrade immediately to keep their networks and users safe.

The first vulnerability was reported by Akhilesh Gupta and can allow users to inject malicious code through the Bookmarks plugin. The second vulnerability involves the widget subsystem and can allow users to bypass input filtering. Elgg 1.7.5 and 1.6.4 are the latest versions of Elgg and fix all known security vulnerabilities.
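The two issues above illustrate one defensive point: an input filter is a single layer, and a bypass in it becomes an XSS only if the rendering layer trusts filtered data and echoes it raw. The following is an added illustration, not Elgg's own code. The function names are hypothetical, the stored value stands in for something like a bookmark title, and the tag-stripping filter is a deliberately weak constructed example.

```php
<?php
// Added illustration, not Elgg's code: a naive input filter, a rendering
// function that trusts it, and a hardened one that encodes at output.
// Function names are hypothetical; the value stands in for a bookmark title.

// Input-side filter of the tag-stripping kind. It removes <script> blocks
// and nothing else, so anything that is not a script tag passes through.
function naive_input_filter(string $input): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $input);
}

// Vulnerable: the template assumes filtered data is safe to echo raw.
function render_bookmark_title_unsafe(string $title): string
{
    return '<h2 class="bookmark-title">' . $title . '</h2>';
}

// Hardened: encode for the HTML text context at the point of output,
// whatever the input layer did or did not catch.
function render_bookmark_title_safe(string $title): string
{
    return '<h2 class="bookmark-title">'
        . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h2>';
}

// Constructed sample submission: a title carrying an event-handler attribute,
// which a script-tag filter never touches.
$submitted = 'Weekend reading <img src="x" onerror="alert(document.domain)">';
$stored    = naive_input_filter($submitted);   // passes the filter unchanged

echo "unsafe: " . render_bookmark_title_unsafe($stored) . PHP_EOL;
echo "safe:   " . render_bookmark_title_safe($stored) . PHP_EOL;
```

The first line of output still contains a live `<img>` element with its handler; the second contains only `&lt;img ...&gt;` text that the browser displays rather than interprets. The practical rule this shows is that output encoding chosen for the context (here, HTML text) must be applied regardless of what the input filter is believed to guarantee, so that a filter bypass like the widget issue does not by itself become executable script.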

1.7.5 can be downloaded from the Current Release Page and 1.6.4 can be downloaded from the Previous Releases page.

Elgg 1.7.5 contains more than just security enhancements: there are a number of improvements and bugfixes!

Bugfixes include:

  • Checking for mismatched passwords before creating a user when manually adding users.
  • Fixed menu entry for the user's Files link.
  • Fixed XFN links on the profile page and user lists.
  • Fixed PHP warnings about invalid foreaches in plugins.php.
  • Group profile actions correctly encode HTML entities.
  • Language string corrections.

Changes to the user interface include:

  • Users must verify their current password before they can change passwords.
  • Changed many plugins to use friendlier URLs.
  • Added a page to view Wire posts by user.

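
Two of the items above are password-handling checks: rejecting mismatched passwords when an admin creates a user, and requiring the current password before a change. The following is an added illustration of both checks as plain functions; it is not Elgg's own code. The function names and the minimum-length value are hypothetical, and PHP's password_hash()/password_verify() stand in for whatever hashing scheme the application actually uses.

```php
<?php
// Added illustration, not Elgg's code: the two password checks named in the
// release notes (confirmation match on account creation, current-password
// verification on change) as plain functions. Names are hypothetical and
// PHP's password_hash()/password_verify() stand in for Elgg's own scheme.

// Used when an admin manually creates a user: refuse before any row is written.
function validate_new_user_passwords(string $password, string $confirm): array
{
    $errors = [];
    if ($password !== $confirm) {
        $errors[] = 'passwords do not match';
    }
    if (strlen($password) < 6) {     // threshold is a constructed example value
        $errors[] = 'password is too short';
    }
    return $errors;
}

// Used on password change: re-authenticate with the current password so a
// borrowed session cannot silently lock the real owner out, then apply the
// same match check to the new pair.
function validate_password_change(
    string $stored_hash,
    string $current,
    string $new,
    string $confirm
): array {
    $errors = [];
    if (!password_verify($current, $stored_hash)) {
        $errors[] = 'current password is incorrect';
    }
    return array_merge($errors, validate_new_user_passwords($new, $confirm));
}

// Constructed sample account.
$stored_hash = password_hash('old-secret', PASSWORD_DEFAULT);

print_r(validate_password_change($stored_hash, 'old-secret', 'new-secret', 'new-secret'));
print_r(validate_password_change($stored_hash, 'guess', 'new-secret', 'new-secrt'));
```

The first call returns an empty array; the second reports both the wrong current password and the mismatched confirmation. Collecting every failure before returning, rather than stopping at the first, lets the form show the user all problems at once without changing which inputs are accepted.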
I encourage everyone still on 1.6 to upgrade to 1.7 as soon as possible to enjoy all the benefits of the hard work that has gone into 1.7 over the last year.

Thanks to all the users and devs who have opened tickets on Trac, submitted patches, or emailed us with bug reports. Everyone who helps makes Elgg even better!

  • Thanks a lot! I just upgraded.


    I have a lot of modifications to the source code, mainly to the default mods - a bit to the default views.


    So, I upgraded every folder besides for languages and mods. The only mod I upgraded was bookmarks. Is there anything else I should know about I need to / may want to upgrade? Thanks!

  • Nice, going to upgrade right away!


    By the way, the homepage of Elgg - http://elgg.org still displays 1.7.4 to be the latest version. Thought you might wanna know that. ;)

  • @Untamed - You should always pull your changes out into a plugin that overrides the views / actions / languages you want to change. This makes it very easy to upgrade.  Elgg should be upgraded in one chunk; partial upgrades will cause problems.  Here is the list of all commits between 1.7.4 and 1.7.5.  You can do a SVN diff between revisions 7120 and 7456 to get this in a unified diff format.

    @Shouvik - Thanks...Fixed! :)

  • nice urls, upgrading all fine!

    Thanks!

  • Is there a complete list of the new friendlier URLs introduced with Elgg 1.7.5? I already found an incompatibility with the vazco_topbar plugin (message inbox no longer accessible) and I will also have to adjust my header menu entries. Due to the @links removed from so many files (that haven't been changed otherwise though) it's VERY difficult to find the "real" changes between 1.7.4 and 1.7.5 using diff, as the list of changed files is just so very large.

    Are there other incompatibilities with other plugins to be expected, for example plugins that add group functionalities? Will links in notifications to new group postings and other on-site links to groups and group postings still work?

    [Edit:] I mean links in notifications sent prior upgrading to 1.7.5.

  • @Brett I see this "Changed many plugins to use friendlier URLs." I assume this doesn't yet mean group or profile URLs have been shortened yet as in mypaintersplace.com/joespainting or mypaintersplace.com/enivrolast-wood-stain, is that correct? Cash said that wasn't even planned for 1.8.

    Without upgrading what exactly would we see in URL changes with 1.7.5 and when might we see my above desired changes?

    Thanks for the new version!

  • I just upgraded my site to 1.7.5...

    I haven't seen any URL changes yet. The inbox link works OK for me using vazco topbar.

    Can anyone provide a single example of a URL that has changed so I can make sure the upgrade has been run as intended?

    thanks

  • Before upgrading to 1.7.5 the link to the inbox was site.url/pg/messages/username. After the upgrade it's site.url/pg/messages/inbox/username. At least on my site the icon link in vazco_topbar (ver_2.4) didn't work anymore as it still tried to call the old URL. Adjusting vazco_topbar/views/default/messages/topbar.php solved the issue.

    Other plugins use pg-URLs now while they used mod-URLs before. At least the bookmarks plugin seems not to work with the old URLs anymore. I just went through all entries in my header_menu and adjusted the links according to the links to pages showing, after upgrading to 1.7.5, in the plugins' sidebar menus.

  • The URLs I have been using prior to 1.7.4 in the main navigation menu on my site to access the bookmark pages have been '/mod/' for the main 'everyone.php' file and '/pg/'-prefixed URLs for the other pages. These all still work on my site after the upgrade to 1.7.5.

    The site is reading as 1.7.5 in the site statistics, so the dbase upgrade has completed OK.

    And I carefully copied over the mod folders, leaving all the new versions of default plugins intact.

  • @iionly - You're correct; the documentation changes make diffing nasty. Grab a diff between 7120 and 7419, then again between 7446 and 7455 to ignore that commit.

    The URL changes can be seen at http://trac.elgg.org/ticket/2630. These changes only move URLs to page handlers instead of /mod/plugin_name/file.php. These should be backward compatible with the old URLs.  If you find places that aren't, please report them on the ticket above.

    There are no plans to implement the "short URLs" like TohoeBilly mentioned in 1.7 or 1.8.


  • 1.7.5

    All Site Pages - Left Menu "All Site Pages" links to .../mod/pages/all/, which causes a 404 Not Found error.

    Page Home or any User Page -- Left Menu "All Site Pages" links to .../pg/pages/all/, which DOES NOT cause the error.

    This 404 error did not occur in 1.7.4.

  • @Ron: I had reported this issue at trac and it has already been fixed (http://trac.elgg.org/ticket/2691). The fix will be included in 1.7.6.

    You can also fix the issue yourself by adjusting line 26 of mod/pages/world.php.

  • Sorry for the English, it is translated by Google because I speak Spanish.

    I wonder if they have any idea on user profiles,

    as can be done for a user who decides to show his profile as the widget, but in the profile, such as Facebook, if the user wants, can not show anyone your profile till you send a notification of friendship, or just show the profile to friends. I hope I can help.
    If there is a plugin, so I think it's a good idea to invent it.

    From already, thank you very much..

  • http://PluginLotto.com has been upgraded to Elgg 1.7.5. Everything seems to be working as intended.

    Thanks Brett.

  • A question about privacy: when I create a new user on my system and I register with the user I just created, the user can see all my activity and my friends in their riverdashboard, making it uncomfortable because a person I do not know knows what I'm saying. I want you to add a privacy option where users who register only see their activities and those of their friends; when a person is logged in, the riverdashboard must be blank and only show the activities from friends.

  • The idea is to say goodbye to the wire, and no longer depend on the wire to clear the states. An idea I have in mind is when a person writes his state to directly delete it from the riverdashboard and not have to go to the wire to clear their state. Another idea is to remove the publications of my friends, just delete them from my wall but not delete them on. It would be a little more comfortable because at the moment to delete you must go to the wire and it is very uncomfortable.

    In Spanish (original, translated here):

    The idea is to say goodbye to The Wire, to no longer depend on The Wire to delete statuses. One idea I have in mind is that when a person writes their status, they could delete it directly from the riverdashboard and not have to go to The Wire to delete their status. Another idea is to delete my friends' posts, only deleting them from my wall but without deleting them for him. It would be a bit more comfortable, since at the moment to delete them you have to go to The Wire and it is very inconvenient.

  • @mariano - These are off topic.  Please create a new thread for these subjects.
