v2.4.1patch2 released to fix several issues: security vulnerability and file upload failure
This patch fixes several issues in the v2.4.1 release, especially a security vulnerability and some issues with file uploads. We strongly encourage all Exponent installations be upgraded to v2.4.1 with this patch as soon as practical! Patch #2 to v2.4.1 is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.4.1-patch-2.zip/download
v241patch2 adds these features to v241:
- update dynamic SEO page titles to reduce length
v241patch2 fixes these issues in v241:
- regression fix (v240) unable to update cart item quantities
- regression fix (v241) several elFinder upload/paste issues
- regression fix wildcard module name for action_maps.php (probably never worked correctly)
- security fix exploits using source_selector.php, reported by Belladona-c0re and croxy CVE-2017-6364
- regression fix some 500 errors when permissions or logged in checks fail
v241patch2 updates these 3rd party libraries in v241:
- bootstrap datetimepicker to v4.17.47
- easypost library to v3.3.3
- plupload to v2.3.1
- TinyMCE to v4.5.4
- elFinder to v2.1.22 to fix upload/mimetype (security) issues
- Sortable jquery plugin to v1.5.1
- less.php less compiler to v1.17.0.13 to bring less.js support from 1.7.0 to 2.5.3
- mediaelement.js to v3.2.3, includes plugins v1.2.2
Comments
So when I attempted to install patch 2 I turned on Error Reporting and Logging. I got the following error.
Fatal error: Uncaught Error: Call to undefined method Archive_Zip::setErrorHandling() in /home/bjk03/bjkline.biz/framework/modules/administration/controllers/administrationController.php:692 Stack trace: #0 /home/bjk03/bjkline.biz/framework/core/expFramework.php(456): administrationController->install_extension_confirm() #1 /home/bjk03/bjkline.biz/framework/core/subsystems/expTheme.php(796): renderAction(Array) #2 /home/bjk03/bjkline.biz/framework/core/subsystems/expTheme.php(910): expTheme::runAction() #3 /home/bjk03/bjkline.biz/themes/coolwatertheme/subthemes/Full Body.php(51): expTheme::main() #4 /home/bjk03/bjkline.biz/index.php(102): include('/home/bjk03/bjk...') #5 {main} thrown in /home/bjk03/bjkline.biz/framework/modules/administration/controllers/administrationController.php on line 692
The server is running PHP 7.0.14.
The work-around would be to convert the patch to a tar.gz or .tar.bz2 file and upload it.
First I downloaded the .zip file from the link in the first post of this topic. Then I extracted it. This created an exponent-2.4.1-patch-2 directory. Then I ran this command from the Terminal: tar czf exponent-2.4.1-patch-2.tar.gz exponent-2.4.1-patch-2
I then tried to upload into Exponent. I went to the Admin menu -> Super Admin Tools -> Extensions -> Install Extension. Then I clicked on the Upload Extension tab. Then I chose the exponent-2.4.1-patch2.tar.gz file. I also checked the Patch Exponent or Install Theme box. Finally I clicked the Upload Extension button. The files appeared to copy over but I wasn't prompted to run the upgrade scripts.
This was on a server that's running PHP 7.0.14. I've got one site that is still using PHP 5.6. I will try uploading the tar.gz version and see if that works.
EDIT: Using PHP 5.6 makes no difference. I still don't get prompted to run the upgrade scripts.