Invision Community 4.4.7

Released 10/02/2019

This is a security release and we recommend all clients upgrade as soon as possible.

Key Changes

Version 4.4.7 is a maintenance update to fix critical issues reported since 4.4.6.

Additional Information

Security

  • Fixed external video URLs being embeddable, which could trigger htaccess prompts for Firefox users that could be manipulated for social engineering.
  • Fixed SSRF vulnerability if image proxy is enabled.
  • Fixed GET data overwriting POST data when submitting a form.

Core

  • The gateway files for downloading attachments now issue a Content-Security-Policy header.
  • Clarified verbiage on button when resuming a UTF8 conversion.
  • Added a message for when REST API test fails due to a path conflict.
  • Added the ability to fetch members via the REST API with activity_before/activity_after parameters.
  • Added `device_key` cookie information to the cookie page.
  • Adjusted Community in the Cloud auto-upgrader interface for future upgrades as the existing progress bar was inaccurate.
  • Adjusted the Friendly URL list to allow legacy customised URLs to be reverted.
  • Updated 'username' verbiage in some areas to refer to 'display name' instead.
  • Users will now be redirected directly to reviews they submit rather than back to the item.
  • Fixed individual comments sometimes showing in “Items Only” streams when using Elasticsearch.
  • Fixed an issue where content may not be presented in Elasticsearch searches after it is updated.
  • Fixed an issue where anonymous state can be lost for sessions when using Redis for session handling.
  • Fixed errors viewing and rebuilding the leaderboard, using post before registering and viewing social promotion when MySQL 8.0.17 is used.
  • Fixed a duplicate column error that may be logged when upgrading.
  • Fixed an error that can occur when tracking email statistics if the email is sent from a task.
  • Fixed an issue where uploading a new version of a theme may not immediately reflect changes when using disk caching.
  • Fixed an issue where some login handlers (Facebook, Microsoft, etc.) can break in some situations when editing their details.
  • Fixed unstyled content showing in Firefox on pages containing embeds if lazy-loading is enabled.
  • Fixed an issue where re-promoting content may not correctly show the selection state of existing image attachments.
  • Fixed a rare niche issue where it's possible for a digest task to get stuck in a loop.
  • Fixed an issue with unapproved comment notifications in situations when merging content and retaining a link.
  • Fixed an issue where it's possible to cause an uncaught exception by manipulating the URL for a content item that doesn't support reactions.
  • Fixed an issue where MySQL search index records were incorrectly deleted.
  • Fixed a missing language string on the 'Support Account' AdminCP notification when Commerce isn't present.
  • Fixed an issue with the LDAP login handler where error messages during set up may not be descriptive.
  • Fixed an issue where the empty BreadcrumbList ld+json tag would be added to the output.
  • Fixed an issue where it was possible to bypass profanity filters when using quick title edit.
  • Fixed an issue where admin control panel failed mail notifications could show a template error.
  • Removed the options (added in 4.4.5) for content widget feeds to return hidden content, which have been unreliable.

Forums

  • Fixed “Reply to this topic” button not working for guests.
  • Fixed an issue where the ACP - "Popular Now" forum settings couldn't be saved.

Blogs

  • Fixed an issue where the upgrade could fail because of missing database columns.

Pages

  • Fixed an error where pasting a page link into an editor displayed it as an embed of the entire site.
  • Fixed permissions not synchronizing properly when changing a database from using categories to not using categories.
  • Fixed Editor fields pre-populating content from other records when the "Editable when viewing a record" setting is used.
  • Fixed an issue where externally embedded blocks do not work if "Allow community to be embedded in an iframe" is not set to "Anywhere".

Calendar

  • Fixed all day event dates showing incorrectly in email notifications in some timezones.

Downloads

  • Fixed an issue with top downloaders/submitters statistics page losing filters when changing pages.
  • Fixed an issue with downloads storage handler custom URL when upgrading from 3.x.

Gallery

  • Fixed an issue with top uploads statistics page losing filters when changing pages.

Converters

  • Improved converted row caching when running multiple conversions back-to-back.
  • Conversions will now explicitly strip HTML tags in member titles.
  • Attempt to correct corruption of serialized profile field data during conversion from vB.
  • Fixed a potential issue that can occur converting vB Blog.
  • Fixed certain data not being converted (affects SMF, vB5, Vanilla, phpBB, UBBThreads, Expression Engine).
  • Fixed an issue where the 'manage conversions' page may not load if you have legacy conversions.
  • Fixed an issue when converting content from vB5 which contains [IMG2] or [USER] BBCode.
  • Fixed an issue when converters attempt to convert administrators if the last update time is available.
  • Fixed a number of issues converting vB CMS attachments.

Commerce

  • Added permalinks to the Information, Shipping, and Reviews tabs when viewing a package in the store.
  • Added a new 'neutral' display for ticket history statistics (i.e. if a statistic matches the 30 days prior).
  • Fixed an issue where members could add themselves as an alternative contact.
  • Changed the package seo name column length to 255 characters.
  • Fixed renewal invoices being generated with the wrong billing address for transferred purchases.
  • Fixed an error fetching license key info through the Commerce license key API.
  • Fixed an issue where the tax name in invoice emails could be missing.
  • Fixed an issue where deleting a support department can result in an error in some circumstances, if that department had custom fields mapped to it.


Third-Party / Developer / Designer Mode

  • Applications can no longer be set as the default application if they have no front modules.
  • Fixed an error creating a new conversion software library using the AdminCP tools.
  • Fixed an issue where content items that have not defined a `$containerNodeClass` property could throw an error during searches.

