Do NOT use recent patches to v2.3.1, v2.2.3, or v2.1.4! Data Corruption Issue

dleffler

Please do NOT install v2.3.1 Patch #1/2, v2.2.3 Patch #6/7, nor v2.1.4 Patch #3/4! They will cause WYSIWYG text to become garbled when saving, and will strip scripts when saving a Code Snipped module. We are still working on a universal (server) fix for these versions. .


View article...

BJKline

So what do we do to roll back if the patch was installed? Specifically 2.3.1 patch 1.


View article...

dleffler

I'll try to get a patch #3 up soon with the 3 older subsystem files expRouter.php, expTheme.php, & expString.php.


View article...

dleffler

The quickest fix (at this point) is to re-install the last full package and the most recent pre-fix patch

v2.1.4 full package and v2.1.4patch2
v2.2.3 full package and v2.2.3patch5
v2.3.1 full package

If using the git 'master' repo, you could do a
git checkout v2.3.1


View article...

generare

Patch 3 for v2.3.1 ok now? We can test with that link in which we found out this issue if you think patch 3 is safe enough to try.


View article...

dleffler

There were several issues with the first set of recent security patches:
1. It would strip out all scripts from the Code Snippets module when saving those items, which defeats the purpose of the code snippets module.
2. On some servers it would an 'rn' in place of all 'new lines' when saving text from any form (configure, etc...).
3. It would strip out the closing tags on most html/wysiwyg data when saving text from any form (configure, etc...)
(which means the security filter was working TOO well, it was not only scrubbing out unwanted things but also needed/wanted things)

Though we've fixed #1 and #3 , #2 is hard to pin down, especially since I can't reproduce it locally, however it seems to appear on many remote servers.

Therefore, the following patches (which may be available in the wild) are NOT recommended:
v2.1.4patch3, v2.1.4patch4, and v2.1.4patch5
v2.2.3patch6, v2.2.3patch7, and v2.2.3patch8
v2.3.1patch1, v2.3.1patch2, and v2.3.1patch3



View article...

generare

Taking expRouter.php, expTheme.php, & expString.php from the full package of v2.3.1 would fix this for now? Any database changes?


View article...

dleffler

The fix will be found in v2.1.4patch6, v2.2.3patch9 and v2.3.1patch4. See separate discussion


View article...