e107 Files

[!CAUTION] v2.3.4 is a bug-fix release for sites on v2.3.3 or earlier. Upgrade from v2.3.3 or earlier 2.x. If your site tracks the master branch, you are already past v2.3.4, so installing it would be a downgrade. v2.4.x is planned to be the next forward step.

[!IMPORTANT] v2.3.4 collects the most overdue work in the queue: security advisory fixes for password reset, comment editing, and Media Manager imports; the PHP 8.x compatibility patches that have been accumulating; and the bug fixes that really needed to ship. It's not a feature release; the goal is to give v2.3.x sites a stable point release they can adopt while v2.4 work continues separately.

Highlights

• [Security] Critical Broken Access Control on comment edit (GHSA-5w63-63rh-99q6). comment.php previously allowed any authenticated user to overwrite another user's comment by passing that comment's itemid. The updateComment() SQL now requires the row's comment_author_id to match the editor's USERID, so cross-user edits return "Update Failed" instead of succeeding silently. (https://github.com/e107inc/e107/commit/23961a8f)
• [Security] Server-Side Request Forgery in Media Manager imports (GHSA-92fr-7h4f-22pp). e_file::getRemoteFile() and getRemoteContent() now reject URLs that resolve to private, loopback, link-local, or otherwise reserved IP addresses, and limit cURL to HTTP/HTTPS. Sites that legitimately need to fetch from intranet hosts can opt back in by defining e_REMOTE_FILE_ALLOW_PRIVATE to true. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
• [Security] Host Header Injection in password reset (GHSA-7pmw-jwvr-cq2x). The emailed password-reset link no longer trusts the incoming HTTP Host header. Requests with a Host that doesn't match the configured siteurl are rejected, and fpw.php now refuses to run at all if siteurl is unset rather than falling back to HTTP_HOST. (https://github.com/e107inc/e107/commit/04511f9f, https://github.com/e107inc/e107/commit/b0dee823, https://github.com/e107inc/e107/commit/c4f9f71b)
• [Security] Privilege hardening. Media Manager preferences and avatar settings now require Main Admin. The default userclass visibility and edit permissions are also Main Admin by default (previously Admin). (#5489, [#5477])
• Admin area usability. Numerous fatal-error and rendering fixes across admin search, admin UI grids, mailout, polls, datetimepicker, phpinfo, and legacy admin pages. (#5211, [#5464], [#5271], [#5473])
• Email reliability. Fixes to CC handling, DKIM identity, persistent-recipient leakage across sendEmail() calls, and IP logging in notifications. (#5498, [#5535], [#5545])
• PHP 8.x compatibility. Several warnings and fatals on PHP 8.0–8.5 removed from db_verify, thumb.php, file_class, theme_handler, and rating-/forum-info rendering. (#4501, [#5443], [#5482])
• Forum info restored. sc_foruminfo now renders active-user counts and the newest member again. Two long-standing bugs had been hiding the whole block: the SELECT for the newest user was commented out, and the e_TRACKING_DISABLED ternary condition was inverted so the block was only shown when tracking was disabled, which is never the default. (https://github.com/e107inc/e107/commit/0e23f651, https://github.com/e107inc/e107/commit/54e4b9de)

[!NOTE] A note from the maintainer, @Deltik:

v2.4 is going to need more time before it's at the quality level the e107 community deserves. Here's what's upcoming:

• MyISAM → InnoDB as the default engine, for crash recovery, row-level locking, and proper transactions
• utf8mb3 → utf8mb4 for native emoji support and full Unicode in usernames, posts, and comments
• Implicit FULLTEXT indexes that work on InnoDB, so search no longer pins us to MyISAM
• JWT-backed CAPTCHAs where the challenge carries its own server-signed solution token, eliminating the need to stash state in a guest session
• No more sessions for guests. Every anonymous visitor today gets a server-side session row; that goes away.
• New admin area skin with a collapsible sidebar, badges, and mobile navigation
• Bootstrap 5.3 + FontAwesome 6 UI refresh across the front-end and admin
• Admin change history with revert for auditable database edits
• Custom domains per page and static URL mapping for editorial control over URLs
• Schema.org (JSON-LD) support for better SEO, with news schema baked in
• Sitemap index support for sites past the single-sitemap limit
• Image alt-attribute management in Media Manager
• Plugin test runner so plugin authors can ship PHPUnit/Codeception tests with their plugins
• The community PR backlog finally getting reviewed and processed

For Administrators

Added

• Misconfiguration error on fpw.php when the siteurl preference is empty, so admins get a visible signal instead of silently broken password-reset emails. (GHSA-7pmw-jwvr-cq2x, https://github.com/e107inc/e107/commit/04511f9f)

Changed

• Comment editing (security). comment.updateComment() now scopes the SQL update to the editor's own user id, so cross-user comment edits via /comment.php?mode=edit are rejected. Ref: GHSA-5w63-63rh-99q6. (https://github.com/e107inc/e107/commit/23961a8f)
• Remote file fetching (security). e_file::getRemoteFile() and getRemoteContent() now block private, loopback, link-local, and reserved IP ranges by default and limit cURL to HTTP/HTTPS. Define e_REMOTE_FILE_ALLOW_PRIVATE = true to opt back in for intranet/self-hosted use. Ref: GHSA-92fr-7h4f-22pp. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
• Password reset (security). fpw.php now refuses to process any request when the siteurl preference is unset, and builds the reset link from the pref directly rather than from SITEURL (which could be derived from HTTP_HOST). Ref: GHSA-7pmw-jwvr-cq2x. (https://github.com/e107inc/e107/commit/04511f9f)
• Host header validation (security). The core URL bootstrap now rejects requests whose Host header doesn't match the configured siteurl or the site_hosts config entry, with subdomain support. Misconfigured setups now fail fast with a "Site Configuration Issue" message. (#5458, GHSA-7pmw-jwvr-cq2x, https://github.com/e107inc/e107/commit/b0dee823, https://github.com/e107inc/e107/commit/c4f9f71b)
• Media Manager permissions (security). Media Manager Preferences and Avatar settings now require Main Admin. Media Category management is restricted to the A2 permission. (#5489)
• Userclass defaults (security). Default userclass visibility and edit permissions now default to Main Admin instead of Admin. (#5477)
• Admin area theme gate. Non-bootstrap3 admin themes that were known to break the admin area are no longer accepted; the admin falls back to a working theme. (https://github.com/e107inc/e107/commit/3b7097e0)
• Site redirection. www. → bare-domain (and vice versa) handling was refactored out of class2.php into a dedicated method. (#5097)

Fixed

• Fatal errors on the admin search page (#5211), the admin-UI with custom method attribute+filter (#5464), the polls form column selector (#5271), and the plugin-repair extended-user-field path (#5483).
• Admin user area: avatar rendering (#5146), extended user fields restored after plugin refresh (#5483), unbanned users keeping "not verified" status (https://github.com/e107inc/e107/commit/e875515d), oversized navigation icons (#5345).
• Admin email/mailout: CC recipients added correctly, DKIM identity corrected, recipients no longer persist across multiple sendEmail() calls, core prefs no longer stored on instance, mailout mailer-type restriction that was blocking pref saves. (#5498, [#5535], [#4123], [#5355])
• Admin log: query-speed optimization and indexing improvements, duplicate column removed from the rolling log, debug SQL query output. (#5490, [#5473])
• Admin phpinfo page: responsive layout, dark-on-dark text readability in modern-light theme, refactored rendering for theme compatibility, and sidebar menu added to legacy admin pages. (https://github.com/e107inc/e107/commit/730245ef, https://github.com/e107inc/e107/commit/929f5494, https://github.com/e107inc/e107/commit/48b30bc8)
• Password reset: Bootstrap 5 fpw template rendering. (#5336)
• Avatars: remote file checks (#5146, [#5387]), missing-avatar fallback (https://github.com/e107inc/e107/commit/295a5dad), default avatar rendering (https://github.com/e107inc/e107/commit/81ae03c3), MIME type handling for remote images (#5387), .wav audio (#5390) and video dimension handling (#5396) in the media parser.
• Forum plugin: newforumposts_menu page rendering (#5340), shortcodes now use e_HTTP for online.php links (PR [#5340]), sc_foruminfo now renders the active-users block and the newest-member link (previously hidden by an inverted condition, with the underlying user lookup query commented out) (https://github.com/e107inc/e107/commit/0e23f651, https://github.com/e107inc/e107/commit/54e4b9de).
• Ratings: widget renders cleanly for items that have not been rated yet; previously a missing rating row triggered a PHP warning that became a fatal on PHP 8.5. (https://github.com/e107inc/e107/commit/db358ca1)
• News plugin: language loading (#5465), body/extended search scope (#5523).
• Signup: COPPA links updated (#5121), duplicate LAN_ERROR_* constants removed (#3438).
• Notifications: IPv4 format on user_ban_flood (#3612), IP populated in notify_class (#5545), mcp_token tracker ignored in application tracker (#5288).
• Core boot: database warning in class2.php (#5220), missing creation-log entry ID (#5317), config-hash handling (#5120), override-class conflict (#5114), SEF URL in the admin user-settings nav link (#5082).
• Download plugin: duplicate assignment in download_shortcodes (https://github.com/e107inc/e107/commit/c55de23b), missing DOWNLOAD_CAT_CAPTION template var initialization (https://github.com/e107inc/e107/commit/83bd620e, https://github.com/e107inc/e107/commit/a996b769).
• Theme modern-dark: admin nav dropdown alignment. (#5406)
• File Inspector: graceful handling of tmpfile() failure in phar loaders. (https://github.com/e107inc/e107/commit/da1b6f9c)

For Developers

Added

• e_file::isUrlSafe($url) helper that validates a URL against private/reserved IP ranges and the HTTP/HTTPS scheme; called by getRemoteFile() and getRemoteContent(). IPv4-mapped IPv6 inputs (e.g. ::ffff:127.0.0.1) are canonicalized to their IPv4 form before the range check so they cannot bypass it. Ref: GHSA-92fr-7h4f-22pp. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
• Scaffold for XmlAdminIcons in plugin_class (with rename guard in media_class). (#5295)

Changed

• Comment ownership check. comment::updateComment() now constrains its SQL update to comment_author_id = USERID. If you maintain a fork or plugin that calls this method on behalf of another user (moderator tooling, cron-based imports), expect those calls to silently no-op and refactor toward a moderator-aware helper. Ref: GHSA-5w63-63rh-99q6. (https://github.com/e107inc/e107/commit/23961a8f)
• e_file SSRF defense. getRemoteFile() and getRemoteContent() reject URLs that resolve to private/loopback/reserved IPs and any non-HTTP(S) scheme; cURL CURLOPT_PROTOCOLS/CURLOPT_REDIR_PROTOCOLS are pinned to HTTP/HTTPS. IPv4-mapped IPv6 addresses are canonicalized to IPv4 before the range check, so ::ffff:10.0.0.1 is treated as 10.0.0.1 and blocked. Define e_REMOTE_FILE_ALLOW_PRIVATE = true in e107_config.php to bypass for legitimate intranet use. Ref: GHSA-92fr-7h4f-22pp. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
• Password reset link construction. fpw.php builds the reset URL from e107::getPref('siteurl') directly instead of the SITEURL constant. If you rely on SITEURL in similar contexts elsewhere, consider doing the same for anything that leaves the server (emails, webhooks, signed URLs). Ref: GHSA-7pmw-jwvr-cq2x. (https://github.com/e107inc/e107/commit/04511f9f)
• Language file tooltips. Inline tooltip LAN constants standardized; some constants were consolidated. (#5465)
• Permissions schema. Media Manager and userclass permissions tightened — plugins that depended on Admin (A) access to Media Manager prefs or avatars will now need Main Admin (0). (#5489, [#5477])

Fixed

• PHP 8.x compatibility. Fatal errors and warnings removed from db_verify_class (#4501), thumb.php (https://github.com/e107inc/e107/commit/aaa71257), file_class (finfo/getimagesize warnings) (#4501), theme_handler empty path warning (#5482), validator_class fatal (#5443), rater::render() (https://github.com/e107inc/e107/commit/db358ca1) and sc_foruminfo() (https://github.com/e107inc/e107/commit/0e23f651, https://github.com/e107inc/e107/commit/8c390f4f) — PHP 8.5 promoted the "list() on false" case to a new fatal warning.
• e_parse::cleanHtml(). HTML5 void elements (<source>, <wbr>, etc.) are now normalized before serialization so saveHTML() output is identical across libxml versions. libxml < 2.13 parsed <source> as non-void and captured following content as its child; the new pre-serialization pass promotes that content to a sibling, and a complementary post-saveHTML pass strips the stray </source> (and other void-element closing tags) that older libxml still emits, so every libxml ends up with the spec-compliant form. (https://github.com/e107inc/e107/commit/b63d11a2, https://github.com/e107inc/e107/commit/87abb7f7)
• e_parse_class. Base64 image data-URL generation when a file is set (https://github.com/e107inc/e107/commit/bc6b51d4), avatar upload path handling (https://github.com/e107inc/e107/commit/105fe205).
• Plugin builder. Admin links, table-name test typo. (https://github.com/e107inc/e107/commit/8c319720, https://github.com/e107inc/e107/commit/d241ab64, https://github.com/e107inc/e107/commit/d4a665a2)
• Form handler. Help-icon rendering, optgroup class identifiers, DST-related test stability. (#5214, [#5269])
• JavaScript. Invalid-element tab switch issue in admin/front JS. (#5230)
• Update routines. Clear update info after GitHub update in admin boot/db, minor update_routines.php tweak (#5481), warning suppression in admin/auth.php for invalid language values (#5443).
• Caching. Fatal in plugin_class.php cache-path resolution. (#5484)