Showing results for tags 'mybb'.
-
All the latest news and info from the myBB RSS feeds will be posted in this thread.
-
What do you all think about MyBB? I've actually been messing with it. I made an extremely niche forum for it, so it will have slow growth. https://www.outdoorwrite.com/ I used to use it a long time ago. I had to install an addon to make it "somewhat" responsive. MyBB to me has a GREAT look and feel but it's behind the times as far as features go and has been for quite some time.
-
MyBB’s ecosystem spans across several platforms connecting contributors, authors, and users. In this post, we’ll collect a number of recent highlights from around the Project.

10³ Stars on GitHub

Software is often divided into closed- and open-style development. Back in 2009, MyBB switched from the former to the latter, enabling administrators and developers, who tweak their forums in the most random ways, to submit and see their fixes in official releases. The move also opened up the development process and allowed a crowd of enthusiasts to critique any upcoming changes and test them on their own servers, and with custom plugins. Since then, code from 100+ contributors has made its way into MyBB, and earlier this year, the Project’s main repository passed the symbolic threshold of 1K stars from members of the open source community. If you have patches of your own, or would like to otherwise make MyBB a better forum software, explore some of the options in the CONTRIBUTING.md file.

10² Stars for Top Extensions

If you’ve been using MyBB, you’ll know that the core package is only a part of its identity: extensions have an important place in the ecosystem that’s been maturing for two decades. Today, the Extend platform hosts over 1300 projects that have published more than five thousand releases downloaded well over two million times, and a pair of extensions have already crossed the 100-star mark — taking a portion of over 6.5 thousand stars given in total. Starring projects allows you to find them in a single place when you’re ready to start your new forum, and subscribing to them (which was done more than a thousand times) will notify you of new releases to check out. As we work to define MyBB as lightweight software with modern features, we aim to further strengthen extensions as a pillar of the application by building authoring aids and APIs into the core to make the experience easier and more pleasant for everyone involved.
10¹ Development News

In recent months, numerous key elements of the upcoming series have taken shape. Read ten notes about the View system, extending MyBB, merged features, requirements, and upcoming works in the 1.9 Development Milestone thread. We have also published a Quick Start cheatsheet, allowing you to set up the development branch and preview it right away using your favorite workflow. If you’re ready for some tinkering and a deeper dive, read Experimenting with Inheritance Basics, where we make use of the new theming system and track how the application handles it so far.

10⁰ Familiar-looking Theme

When patrolling the Extend section, we noticed one submission was particularly reminiscent, but we couldn’t put our finger on it. A careful investigation that included, among other methods, reading its documentation revealed that it’s MyBB 1.9’s official theme — for MyBB 1.8. The Curves UI takes the upcoming series’ look and backports it visually into the current stable version. It is also maintained on GitHub, where you can work with authors to improve it further. It joins many responsive Community-maintained themes, so it’s another good starting point for customization, and if you’re looking to prepare your forum for the style transition into 1.9.x, you can now use its latest build to make the eventual switch extra smooth.

The Base

With the Community-driven environment giving the Project its power, the base of organizing work and tying up all loose ends is done by the MyBB Team. To ensure this exponentiation yields the best product, we’ve recently brushed up and published the list of Roles, including ten non-management focus areas within the Team. Those now include separate teams for testing and developer relations, adjusted to the direction we’d like to take.
While those spots are often filled through invitation, if some of the listed activities pique your interest, tell us about it (the worst you’ll get is a friendly nudge in the right direction on how to make a positive impact!). If you’d like to keep up to date with various news related to MyBB development and the Project behind it on the fediverse, use our verified handle @mybb@fosstodon.org. Continue reading...
-
MyBB 1.8.38 Released — Security & Maintenance Release

MyBB 1.8.38 is now available, and is a security & maintenance release. Administrators of installed boards should update the existing configuration (inc/config.php) to include all addresses blocked by default in Disallowed Remote Addresses.

2 security vulnerabilities addressed:
- Low risk: Incomplete disallowed remote addresses list SSRF (advisory) — reported by shin24
- Low risk: Backups directory .htaccess deletion (advisory) — reported by shin24

16 issues resolved. Check the Release Notes for more information. Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB. If you would like to contribute to the Project, Get Involved.

Thanks, MyBB Team
Continue reading...
-
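The first 1.8.38 advisory is about a blocklist of remote addresses being incomplete, which is the usual way server-side request forgery defences fail: the list is written as a handful of literal strings, and the fetcher happily reaches loopback, link-local (where cloud metadata services live) or private ranges through a spelling the list never mentioned. The following is an added example in Python, not MyBB's PHP code and not its shipped default list: it keeps the blocklist as networks rather than strings, canonicalises IPv4-mapped and 6to4 IPv6 addresses before checking, fails closed on spellings it cannot parse, and checks every address a hostname resolves to. The function names, the `BLOCKED_NETWORKS` contents and the DNS answers are the example's own assumptions; the DNS table is constructed so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Destination networks a server-side fetcher must never reach. This list is
# the example's own (hypothetical) default, not MyBB's shipped configuration.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                      # "this" host; 0.0.0.0 reaches localhost
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # carrier-grade NAT
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local, incl. 169.254.169.254
    "224.0.0.0/4", "240.0.0.0/4",                     # multicast, reserved
    "::/128", "::1/128",                              # IPv6 unspecified, loopback
    "fc00::/7", "fe80::/10", "ff00::/8",              # unique-local, link-local, multicast
)]


def is_blocked_ip(ip_text: str) -> bool:
    """True when ip_text denotes an address inside a blocked network.

    Fails closed on anything ipaddress cannot parse: HTTP clients such as
    libcurl accept more spellings than this checker does ("127.1",
    "0x7f000001"), so an address we cannot canonicalise must not be fetched.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    if isinstance(ip, ipaddress.IPv6Address):
        # Unwrap IPv4-mapped (::ffff:127.0.0.1) and 6to4 (2002:7f00:1::)
        # addresses so the IPv4 rules apply to the address they encode.
        if ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        elif ip.sixtofour is not None:
            ip = ip.sixtofour
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_remote_url(url: str, resolve) -> tuple[bool, str]:
    """Decide whether a forum may fetch url on a user's behalf.

    resolve(host) returns the list of IP strings the host resolves to; every
    one of them must be allowed, since the client may connect to any of them.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal address
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, f"{host!r} cannot be resolved"
    for address in addresses:
        if is_blocked_ip(address):
            return False, f"{host!r} -> {address} is a blocked destination"
    return True, "ok"


# Constructed DNS answers so the example runs offline; real code would call
# socket.getaddrinfo and then connect to exactly the address it checked.
CONSTRUCTED_DNS = {
    "example.com": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example": ["198.51.100.5", "10.0.0.7"],
}


def fake_resolve(host: str) -> list[str]:
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://example.com/feed.rss", "http://[::1]/",
                      "http://metadata.internal/", "http://0x7f000001/"):
        print(candidate, check_remote_url(candidate, fake_resolve))
```

Two caveats a practitioner should carry over to the real configuration: the check is only as good as the address actually connected to, so the HTTP client must be pinned to the resolved address (otherwise a host that re-resolves between check and connect bypasses it), and redirects must be re-checked hop by hop, since a permitted public host can 302 to a blocked one.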
MyBB 1.8.37 Released — Security & Maintenance Release

MyBB 1.8.37 is now available, and is a security & maintenance release. This version includes improvements for compatibility with mailing configurations and recent PHP versions.

2 security vulnerabilities addressed:
- Medium risk: Visual editor size code persistent XSS (advisory) — reported by Paulos Yibelo (Octagon Networks)
- Low risk: ACP Themes persistent XSS (advisory) — reported by Or4nG.M4n

12 issues resolved. Check the Release Notes for more information. Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB. If you would like to contribute to the Project, Get Involved.

Thanks, MyBB Team
Continue reading...
-
MyBB 1.8.36 Released — Security Release

MyBB 1.8.36 is now available, and is a security release. After applying the patch, we recommend using the Admin CP’s Tools & Maintenance → System Health → Check Templates tool to scan for security issues that may not have been detected before this version.

1 security vulnerability addressed:
- High risk: ACP Templates RCE (advisory) — reported by Emmet Leahy

Check the Release Notes for more information. Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB. If you would like to contribute to the Project, Get Involved.

Thanks, MyBB Team
Continue reading...
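The reason a templates issue rates as remote code execution, and the reason the release asks administrators to re-scan existing templates, is that MyBB 1.8 renders a template by evaluating it as a PHP double-quoted string: whatever the template store contains is interpolated by the PHP engine, so `${expr}` and `{$obj->method()}` forms execute code rather than print a variable. Below is an added example of what a post-hoc template audit can look like. It is not MyBB's own Check Templates tool or its `check_template()` function, whose rules the release note does not describe; it is a heuristic Python scanner that treats only plain variable, property and literal-index references as acceptable and reports everything else for review, taking care to skip `\$` literals. The sample templates are constructed, written in MyBB's template dialect.

```python
import re

# Simple interpolation: $name, $name[key], $name->prop (PHP reads one level).
SIMPLE_REF = re.compile(r"\$[A-Za-z_]\w*(?:\[\w+\]|->[A-Za-z_]\w*)?")
# Complex interpolation restricted to property chains and literal indexes:
# {$mybb->settings['bbname']}, {$lang->welcome}, {$post['pid']}.
SAFE_COMPLEX_REF = re.compile(
    r"\{\$[A-Za-z_]\w*"
    r"(?:->[A-Za-z_]\w*|\[(?:'[^']*'|\"[^\"]*\"|\d+|[A-Za-z_]\w*)\])*"
    r"\}"
)


def scan_template(source: str) -> list[tuple[int, str]]:
    """Return (offset, reason) for every interpolation that is not a plain
    variable reference. Heuristic: it understands PHP string escaping well
    enough to skip a literal \\$ but does not parse PHP."""
    findings = []
    pos = source.find("$")
    while pos != -1:
        # A dollar preceded by an odd number of backslashes is a literal.
        backslashes = 0
        j = pos - 1
        while j >= 0 and source[j] == "\\":
            backslashes += 1
            j -= 1
        if backslashes % 2 == 1:
            pos = source.find("$", pos + 1)
            continue
        if source.startswith("${", pos):
            # "${expr}" evaluates expr to obtain a variable name: arbitrary code.
            findings.append((pos, "${...} evaluates an expression"))
            pos = source.find("$", pos + 2)
            continue
        if pos > 0 and source[pos - 1] == "{":
            match = SAFE_COMPLEX_REF.match(source, pos - 1)
            if match is None:
                # Calls, static access, nested variables, or an unclosed brace.
                findings.append((pos - 1, "{$...} is not a plain property/index chain"))
                pos = source.find("$", pos + 1)
            else:
                pos = source.find("$", match.end())
            continue
        match = SIMPLE_REF.match(source, pos)
        # A "$" not followed by an identifier ("$5") is literal in PHP.
        pos = source.find("$", match.end() if match else pos + 1)
    return findings


# Constructed sample templates (not MyBB's own) in MyBB's template dialect.
SAMPLES = {
    "header_ok": "<div class=\"top\">{$mybb->settings['bbname']}: "
                 "{$lang->welcome_back}, {$mybb->user['username']}</div>",
    "literal_dollar": r"Costs \$5, billed in $currency",
    "expression_syntax": "<span>${strrev('xyz')}</span>",
    "method_call": "<span>{$lang->welcome()}</span>",
    "variable_index": "<td>{$row[$key]}</td>",
}


def audit(templates: dict) -> dict:
    """Template name -> findings, listing only templates that need review."""
    result = {}
    for name, src in templates.items():
        hits = scan_template(src)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(name, hits)
```

Because the template store is executed as PHP, any account allowed to edit templates can run code on the server by design; a scanner like this is a detective control for templates planted through a bug or a compromised account, not a security boundary. Keep the set of template editors minimal, and treat a hit in a template nobody remembers changing as an incident rather than a cleanup task.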
-
MyBB 1.8.35 Released — Maintenance Release

MyBB 1.8.35 is now available, and is a maintenance release. This version improves stability and compatibility with various PHP versions.

7 issues resolved. Check the Release Notes for more information. Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB. If you would like to contribute to the Project, Get Involved.

Thanks, MyBB Team
Continue reading...
-
MyBB 1.8.34 Released — Security & Maintenance Release

MyBB 1.8.34 is now available, and is a security & maintenance release.

1 security vulnerability addressed:
- Low risk: User CP email persistent XSS (advisory) — reported by Ahmet Altuntaş

13 issues resolved. Check the Release Notes for more information. Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB. If you would like to contribute to the Project, Get Involved. To keep up with Project news, you can now follow MyBB on Mastodon.

Thanks, MyBB Team
Continue reading...
-
One key to keeping software projects and the surrounding communities healthy is keeping friction for all audiences to a minimum. In MyBB, this friction is derivative of user experience and developer experience. Our largest audience is formed by the end users — people browsing online forums, not expected to know what MyBB is, yet benefitting from fine-tuned visuals, phrases, and flows that come out-of-the-box. At the same time, we target two groups further down the forum assembly line, for whom both UX and DX apply. For site owners and community leaders, the software needs to be approachable and intuitive — without requiring particular knowledge of languages and technologies — but also allow tweaking its look and functionality by maintainers with technical experience. For developers, in addition to a useful extension system, APIs, and documentation, the software needs to expose the appropriate tools to allow speedy development and testing — without assuming one’s familiarity with it. These factors are crucial in the world of free and open-source software, where the development relies on external contributors and their ease of work. A setup mechanism is where their paths cross: it has to break down unavoidable complexity, without getting in expert users’ way. Besides having to meet best UX and DX practices, it also carries the weight of defining the first impression of the product for everyone.

The Need for Speed

kawaii — 2:56 PM: I wonder how many of the PostgreSQL installs are me with my Docker stack

People who work with, and on MyBB, install it a lot. To comfortably test new code and eliminate bugs in the core and extensions, their setup should require minimal time and attention better spent on the task at hand.
The existing installation experience left much to be desired — among others, the old installer:
- is strictly synchronous and static, making users alternate between waiting and filling out forms,
- asks for information that’s either nonessential (e.g. a website URL for the optionally displayed link), or derived (e.g. cookie settings that can be deduced from the forum URL),
- contains technical details of little to no relevance, which also makes it more difficult to navigate,
- loads pages only for the user to press Next, instead of proceeding automatically,
- offers no shortcuts for quick setup for testing or development,
- and can’t be scripted or automated.

The special part of the application accessed through install/ was largely self-contained and separate from the rest, offering a good target for improvements parallel to other work on the 1.9 series. In this post, we share how the system was disassembled, redesigned, and rebuilt.

Key Changes

The new implementation was expected not only to address the web GUI problems, but also to introduce a mirror interface for the command line, as well as a PHP API for direct execution. Rather than tailoring the interfaces to any specific business logic, the GUI and CLI were generally prepared for miscellaneous future usage (i.a. by the Merge System, which currently has to carry its own UI). Correspondingly, the existing activities — installation and upgrade — were rewritten as universal processes with controlled input, output, and better-isolated logic, while the miscellaneous, reusable code was refactored into functions.

Del

The best kind of code improvement is its deletion. With MyBB 1.9 switching to file-based themes, the most time-consuming operation of inserting the templates into the database was safely removed. In the same spirit, the GNU GPL license agreement was left out, given that it relates to distribution, rather than usage of software.
The installation’s final page was scrapped, and the summary information was moved to a Welcome to MyBB thread, which additionally serves as dummy content for new users to play with after being redirected there from the installer.

Process operations are executed automatically until user input is needed, without unnecessary confirmation or technical output. For example, the installer skips the full list of requirements — available on Download and Docs pages — and only produces relevant details when problems are found. Input for settings related to HTTP cookies (responsible for the Domain and Path attributes) — effectively derivative of the Board URL — was removed, and the values are determined automatically instead. Similarly, the setting for the Secure flag will now be immediately enabled for HTTPS-based URLs. The reorganization reduced the number of steps (and displayed screens) to four, grouping all related operations according to the types of data they depend upon (gathered using forms in the browser, or series of prompts in the CLI).

Ctrl V

Both processes were supplemented with a mechanism previously exclusive to the Admin Control Panel: checksum verification. Given the potential for various problems to occur during upload, MyBB will run an integrity check of its files during installation and upgrade.

Another feature brought in line with the core was language support: although a .lang.php phrases file was utilized, applying non-English languages required overwriting it, which was a pain point when distributing translations. In 1.9, the file was moved to the inc/languages/ structure, meaning that it can be supplied within ordinary language packs. When non-English packs are detected, a selection is displayed, and if just one extra language is present, it becomes the default option. This choice also changes the board’s Default Language, and that of the new administrator account.
Finally, the version check functionality was replicated in the GUI, allowing webmasters to easily confirm they are about to install, or update to, the application’s latest available version.

Insert

To help prevent accidental overwriting of data, signs of an existing instance will result in alternative headings and descriptions, indicating a reinstallation. As forgotten forums may appear broken for numerous reasons (e.g. failed database connection, or missing content), a more precise status is attached to the first step.

Lowering the bar for new forum owners, we made two improvements to the database credentials form — likely to be the most difficult one. First, the process now provides instant feedback for parameters at multiple stages (server connection, authentication, database access, and existence of old tables). Second, while the default database engine selection was already filtered according to enabled PHP extensions, the new process will also perform a number of educated guesses to pre-fill the rest of the form. This behavior may be especially beneficial to testers and developers who use standardized credential sets.

User Interfaces

Web UI

The new web-based interface uses a single index.php entry point, which contains fallback code to provide friendly error messages when PHP cannot be executed, or its version is not supported. In MyBB 1.8 and before, when accessing the directory with a functional forum, administrators would be presented with an upgrade/install choice screen — this was simplified by opening the upgrade screen by default, with a link to force reinstallation for local network requests that indicate a non-production board. The flow in the browser-based GUI is managed by a client-side controller, capable of handling input and output asynchronously, letting users fill out and submit subsequent forms as the attached operations execute in the background.
A server-side controller provides fallback support for no-JavaScript clients. More form fields take advantage of input verification and autocomplete features supported by browsers and password managers. Password fields were enriched with reveal toggles (in browsers other than Microsoft Edge, which provides the feature natively) — balancing the UX with the removal of the redundant retype-password input — and then placed at the end of forms, so that other data already entered (like site details, username, or email) can be fed into the strength score calculation, powered by the zxcvbn library. The auto-login feature was extended to likewise initialize a session for the Admin CP, enabling administrators to instantly explore it and finish configuring their forums.

The processes support flags that can be provided as URL parameters. Developers can use the dev flag to skip File Verification and pre-fill administrator account details for quicker setup. With the fast flag, the application will attempt a zero-click installation, proceeding automatically with provided data and defaults suitable for development. When installing in development mode, an additional post is created in the welcome thread with convenient links to launch the process again and reset MyBB to its default state.

Over six years ago, we pointed out the tip-over in observed web traffic into the majority using HTTPS — today’s data shows that secure transmission for publicly-available sites is a universal standard. Although administrators of new forums should be well aware of this, and have HTTPS already set up, some may delay this step until after the installation. This, of course, is dangerous, given that passwords and login keys already start being transmitted. Therefore, the installer warns about an unsafe connection for public network requests (limiting warning fatigue during non-production usage).
Consistent with our long-term development plans, the new setup system has no inline styles nor scripts, which allowed us to add a restrictive Content Security Policy by default. The web implementation tracks the time of each operation using the Performance API, and the custom measurements can be observed using developer tools built into some web browsers.

Safety

The installer has been equipped with additional checks to prevent misuse. Previously, authentication was only required to access the upgrade script, but not installation, which may have allowed third parties to access it when the complete directory was uploaded and the lock file was deleted for upgrading. The new system will check for additional, process-specific lock files, with lock_install created automatically. To reinstall the board, administrators will also be required to delete or empty the configuration file, which will provide another cue that existing data will be overwritten. These constraints don’t apply in a development environment, in which case a detailed installation status is simply shown on the first screen.

Authentication-related logic tied to the upgrade script was reworked by removing assumptions about the stability of initialization and credential handling, which may become temporarily broken during the upgrade process (e.g. after uploading new files, but before applying database changes). Instead, the upgrade process validates administrators’ sessions carried over from the forum front-end opportunistically, and otherwise relies on an ad-hoc proof by prompting them to create a temporary file with the name cryptographically tied to a cookie value.

CLI

The new bin/cli command-line executable PHP script, built with Symfony’s Console component, comes with commands for each maintenance process, walking users through steps in a fashion similar to the web GUI.
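Returning to the upgrade authentication described under Safety: proving control of the filesystem by creating a file whose name is tied to a cookie is a neat fallback when sessions and the database cannot be trusted mid-upgrade. The following is an added example in Python of how such an exchange can be built, not MyBB's PHP implementation, whose exact name derivation and cookie handling the post does not detail. The class and the `upgrade_proof_` file name prefix are assumptions of the example. The token is 256 bits of randomness meant for an HttpOnly, Secure cookie; the file name is a one-way digest of it, so a leaked or listed file name does not give away the cookie; the server fixes the name itself, so no path comes from the client; and the proof is consumed on first use.

```python
import hashlib
import os
import secrets
import tempfile


class FileProofChallenge:
    """Proof of filesystem control for a maintenance script that cannot rely
    on normal sessions (e.g. mid-upgrade, before database changes apply).

    issue() produces a random token for an HttpOnly cookie and the file name
    the administrator must create; verify() accepts the cookie only once the
    file exists. The name is a one-way digest of the token, so a directory
    listing or a leaked name does not reveal the cookie value.
    """

    def __init__(self, directory: str) -> None:
        self.directory = directory

    @staticmethod
    def expected_name(token: str) -> str:
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        return "upgrade_proof_" + digest[:32]

    def issue(self) -> tuple[str, str]:
        token = secrets.token_urlsafe(32)  # 256 bits; never derived from user input
        return token, self.expected_name(token)

    def verify(self, token: str) -> bool:
        path = os.path.join(self.directory, self.expected_name(token))
        # Only a regular file placed directly in the directory counts; the name
        # is fixed by the server, so no path component comes from the client.
        if os.path.islink(path) or not os.path.isfile(path):
            return False
        os.remove(path)  # single use: a forgotten proof file cannot be replayed
        return True


def run_demo() -> tuple[bool, bool, bool, bool]:
    """Simulates the exchange: challenge issued, a wrong cookie is rejected,
    the admin creates the file, the proof is accepted once and not on replay."""
    with tempfile.TemporaryDirectory() as directory:
        challenge = FileProofChallenge(directory)
        token, name = challenge.issue()
        before = challenge.verify(token)                    # file not yet created
        with open(os.path.join(directory, name), "w"):      # admin via FTP/shell
            pass
        wrong_cookie = challenge.verify(secrets.token_urlsafe(32))
        accepted = challenge.verify(token)
        replayed = challenge.verify(token)
    return before, wrong_cookie, accepted, replayed


if __name__ == "__main__":
    print(run_demo())  # (False, False, True, False)
```

The example does not bound the challenge in time; in a deployment the cookie should be short-lived and the proof file removed whether or not the upgrade completes, so a stale challenge cannot be picked up later by whoever next obtains write access to the directory.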
It can also execute any of the processes non-interactively, allowing integration into various automated scripts. When using this interface, the input can be:
- provided interactively:
    Board URL: > https://example.net/forum
- passed as direct parameters with the command:
    $ bin/cli install --param bburl=https://example.net/forum
- picked up from environment variables:
    MYBB_INSTALL_BBURL=https://example.net/forum
- skipped entirely — by accepting defaults:
    $ bin/cli install --fast
  (here, we rely on database discovery and an existing installation, where the URL — unavailable in CLI mode — can be retrieved from old settings)

Similarly to the web mode, the commands support i.a. --dev and --fast flags, in addition to Symfony’s built-in usability and debugging options.

Maintenance Pages

The installer’s new look belongs to the new family of maintenance pages — used during special conditions of MyBB’s operation, and inspired by the design of the 1.9 front-end and the Project’s website. Each condition was assigned a distinct color, and the pages differ in what elements are displayed according to the subject in a given context: the board, or its underlying software. MyBB’s own branding is toned down on the error and board closed pages — which usually depend on the individual environment and administrator’s activity — and appropriately displayed in full during installation and subsequent upgrades. By handling thousands of support cases, we see how subtle changes in error message phrasing are reflected in future help requests, and have a general idea of how people — both the administrators and the users of their forums — respond to them. The error pages address both groups with specific (but still concise) suggestions for reaching out for technical assistance, depending on the circumstances and configured contact settings.

Data Reorganization

Data previously distributed — and uploaded — with the installation directory was absorbed into the core.
The permanent availability of the database schemas, initial data seeds, and upgrades — moved from install/resources/ to respective subdirectories under inc/ — will enable the core to i.a. extend its self-verification features to cover the database structure, and allow resetting settings to default values. This effort included a refactoring of some data from individual SQL queries to arrays, and increasing the usage of multi-row insert queries, yielding improved performance. Given that static assets tied to the GUI were also extracted, any upgrade packages (Changed Files) involving the upgrade process for MyBB 1.9 will only contain the entry point file and truly new or modified resources — compared to the growing set of 80+ install/ files to upload (and remove shortly after) on MyBB ≤ 1.8.

Another kind of relocation was made to the file containing the application’s checksums: the once-online feature of File Verification, which would download it from the MyBB.com server before comparing it against the filesystem, was modified to include it in the package for offline verification, improving reliability and privacy.

Flattening Workflows

If you manage MyBB forums or develop extensions, you have likely encountered broader friction: to run MyBB locally, a complete web stack has to be installed — including the HTTP server, PHP interpreter, and a database system. This can quickly become overwhelming if you need to test against various versions and systems to mimic your live forum’s setup, or investigate reported problems. Our Docker Compose configuration — which already took care of setting up the web stack components — was recently updated to also install Composer dependencies for MyBB 1.9, and now, with the MyBB CLI, to install the application itself.
This means that after the initial Docker installation, you can get MyBB up and running from source (in any branch or Pull Request) with a single command, without the overhead of setting up the underlying software on your host system, or manually handling the intermediate steps of installing dependencies — or MyBB itself. Similarly, the scriptable installer was used to create a default configuration for GitHub Codespaces — an additional layer that provides an instant web-based IDE to run, debug, and modify MyBB and its source code. Go to the MyBB 1.9 development branch to preview the recent updates, try Codespaces with your free quota on GitHub, and help track down any problems in the new series of our forum software.

If you like working on improvements — that are sometimes measured by how well they blend into the background — Get Involved.

Continue reading...
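The post describes checksum verification twice: under Ctrl V, as an integrity check of uploaded files run during installation and upgrade, and under Data Reorganization, as a checksum file that now ships inside the package so the comparison works offline. The block below is an added example in Python of the mechanism itself, not MyBB's File Verification code or its checksum file format, which the post does not specify. It builds a manifest of SHA-256 digests from a tree, then compares an installed tree against it and reports modified, missing and unexpected files; the `SITE_SPECIFIC` exclusion list (files expected to differ per installation) is an assumption of the example, and the mini-tree in `run_demo()` is constructed so the block runs offline in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Files that legitimately differ per installation and are left out of the
# manifest (assumed list for this example; the real exclusions are MyBB's).
SITE_SPECIFIC = frozenset({"inc/config.php"})


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _relative_files(root: Path):
    """Yield (relative posix path, Path) for every regular file under root."""
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in SITE_SPECIFIC:
                yield rel, path


def build_manifest(root: str) -> dict[str, str]:
    """Relative path -> SHA-256, as a release packager would ship it."""
    return {rel: sha256_file(path) for rel, path in _relative_files(Path(root))}


def verify_tree(root: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare an installed tree against the shipped manifest."""
    report = {"modified": [], "missing": [], "extra": []}
    seen = set()
    for rel, path in _relative_files(Path(root)):
        seen.add(rel)
        if rel not in manifest:
            report["extra"].append(rel)     # e.g. a file dropped after install
        elif sha256_file(path) != manifest[rel]:
            report["modified"].append(rel)  # corrupted upload or tampering
    report["missing"] = sorted(set(manifest) - seen)
    return report


def _write(root: str, rel: str, text: str) -> None:
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def run_demo() -> dict[str, list[str]]:
    """Builds a constructed mini-tree, takes its manifest, then simulates a
    damaged upload, a deleted file, a stray file and a legitimate config edit."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // entry point\n")
        _write(root, "inc/functions.php", "<?php function f() {}\n")
        _write(root, "inc/config.php", "<?php $config = [];\n")
        manifest = build_manifest(root)
        _write(root, "inc/functions.php", "<?php function f() { return 1; }\n")
        os.remove(Path(root, "index.php"))
        _write(root, "inc/unexpected.php", "<?php // not in the package\n")
        _write(root, "inc/config.php", "<?php $config = ['db' => 'x'];\n")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    print(run_demo())
```

A manifest that travels inside the package answers the question the post poses, whether the upload arrived intact, and it keeps working without a call home. It is a weaker answer to a different question, whether the tree has since been tampered with: an attacker able to write under inc/ can rewrite the manifest too, so for tamper detection the manifest must be signed or compared against a copy kept outside the web root, and the excluded site-specific files need their own monitoring.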
-
MyBB 1.8.33 Released — Security & Maintenance Release

MyBB 1.8.33 is now available, and is a security & maintenance release. This version improves cache system stability, and compatibility with PostgreSQL (PDO) and recent PHP versions.

1 security vulnerability addressed:
- High risk: ACP Languages local file inclusion (advisory) — reported by yelang123 (Stealien), NGA (Stealien)

8 issues resolved. Check the Release Notes for more information. Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB. If you would like to contribute to the Project, Get Involved.

Thanks, MyBB Team
Continue reading...
-
MyBB 1.8.32 Released — Security & Maintenance Release

MyBB 1.8.32 is now available, and is a security & maintenance release. This version addresses reported security problems and updates SCEditor to the latest version.

3 security vulnerabilities addressed:
- High risk: Visual editor persistent XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
- Medium risk: ACP Users SQL injection (advisory) — reported by Aleksey Solovev (Positive Technologies)
- Low risk: Attachment upload XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)

1 issue resolved. Check the Release Notes for more information. Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB. If you would like to contribute to the Project, Get Involved.

Thanks, MyBB Team
Continue reading...
-
MyBB 1.8.31 Released — Security & Maintenance Release

MyBB 1.8.31 is now available, and is a security & maintenance release. This version resolves discovered bugs and regressions, and improves compatibility with database engines and recent PHP versions. Please note that the value of Additional Parameters for PHP’s mail() (Mail Settings) now only takes effect when saved in the Configuration File.

1 security vulnerability addressed:
- Medium risk: Mail settings command parameter injection (advisory)

21 issues resolved. Check the Release Notes for more information. Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB. If you would like to contribute to the Project, Get Involved.

Thanks, MyBB Team
Continue reading...
-
One key to keeping software projects and the surrounding communities healthy is keeping friction for all audiences to a minimum. In MyBB, this friction is derivative of user experience and developer experience.

Our largest audience is formed by the end users — people browsing online forums, not expected to know what MyBB is, yet benefitting from fine-tuned visuals, phrases, and flows that come out-of-the-box. At the same time, we target two groups further down the forum assembly line, for whom both UX and DX apply. For site owners and community leaders, the software needs to be approachable and intuitive — without requiring particular knowledge of languages and technologies — but also allow tweaking its look and functionality by maintainers with technical experience. For developers, in addition to a useful extension system, APIs, and documentation, the software needs to expose the appropriate tools to allow speedy development and testing — without assuming one’s familiarity with it. These factors are crucial in the world of free and open-source software, where the development relies on external contributors and their ease of work.

A setup mechanism is where their paths cross: it has to break down unavoidable complexity, without getting in expert users’ way. Besides having to meet best UX and DX practices, it also carries the weight of defining the first impression of the product for everyone.

[HEADING=1]The Need for Speed[/HEADING]

People who work with, and on MyBB, install it a lot. To comfortably test new code and eliminate bugs in the core and extensions, their setup should require minimal time and attention better spent on the task at hand. The existing installation experience left much to be desired — among others, the old installer:
- is strictly synchronous and static, making users alternate between waiting and filling out forms,
- asks for information that’s either nonessential (e.g. a website URL for the optionally displayed link), or derived (e.g. cookie settings that can be deduced from the forum URL),
- contains technical details of little to no relevance, which also makes it more difficult to navigate,
- loads pages only for the user to press Next, instead of proceeding automatically,
- offers no shortcuts for quick setup for testing or development,
- and can’t be scripted or automated.

The special part of the application accessed through [iCODE]install/[/iCODE] was largely self-contained and separate from the rest, offering a good target for improvements parallel to other work on the 1.9 series. In this post, we share how the system was disassembled, redesigned, and rebuilt.

[HEADING=1]Key Changes[/HEADING]

The new implementation was expected not only to address the web GUI problems, but also to introduce a mirror interface for the command line, as well as a PHP API for direct execution. Rather than tailoring the interfaces to any specific business logic, the GUI and CLI were generally prepared for miscellaneous future usage (i.a. by the Merge System, which currently has to carry its own UI). Correspondingly, the existing activities — installation and upgrade — were rewritten as universal processes with controlled input, output, and better-isolated logic, while the miscellaneous, reusable code was refactored into functions.

[HEADING=3]Del[/HEADING]

The best kind of code improvement is its deletion. With MyBB 1.9 switching to file-based themes, the most time-consuming operation of inserting the templates into the database was safely removed. In the same spirit, the GNU GPL license agreement was left out, given that it relates to distribution, rather than usage of software. The installation’s final page was scrapped, and the summary information was moved to a Welcome to MyBB thread, which additionally serves as dummy content for new users to play with after being redirected there from the installer.
Process operations are executed automatically until user input is needed, without unnecessary confirmation or technical output. For example, the installer skips the full list of requirements — available on Download and Docs pages — and only produces relevant details when problems are found. Input for settings related to HTTP cookies (responsible for the [iCODE]Domain[/iCODE] and [iCODE]Path[/iCODE] attributes) — effectively derivative of the Board URL — was removed, and the values are determined automatically instead. Similarly, the setting for the [iCODE]Secure[/iCODE] flag will now be immediately enabled for HTTPS-based URLs. The reorganization reduced the number of steps (and displayed screens) to four, grouping all related operations according to the types of data they depend upon (gathered using forms in the browser, or series of prompts in the CLI).

[HEADING=3]Ctrl V[/HEADING]

Both processes were supplemented with a mechanism previously exclusive to the Admin Control Panel: checksum verification. Given the potential for various problems to occur during upload, MyBB will run an integrity check of its files during installation and upgrade.

Another feature brought in line with the core was language support: although a [iCODE].lang.php[/iCODE] phrases file was utilized, applying non-English languages required overwriting it, which was a pain point when distributing translations. In 1.9, the file was moved to the [iCODE]inc/languages/[/iCODE] structure, meaning that it can be supplied within ordinary language packs. When non-English packs are detected, a selection is displayed, and if just one extra language is present, it becomes the default option. This choice also changes the board’s Default Language, and that of the new administrator account.

Finally, the version check functionality was replicated in the GUI, allowing webmasters to easily confirm they are about to install, or update to, the application’s latest available version.
[HEADING=3]Insert[/HEADING]

To help prevent accidental overwriting of data, signs of an existing instance will result in alternative headings and descriptions, indicating a reinstallation. As forgotten forums may appear broken for numerous reasons (e.g. failed database connection, or missing content), a more precise status is attached to the first step.

Lowering the bar for new forum owners, we made two improvements to the database credentials form — likely to be the most difficult one. First, the process now provides instant feedback for parameters at multiple stages (server connection, authentication, database access, and existence of old tables). Second, while the default database engine selection was already filtered according to enabled PHP extensions, the new process will also perform a number of educated guesses to pre-fill the rest of the form. This behavior may be especially beneficial to testers and developers who use standardized credential sets.

[HEADING=1]User Interfaces[/HEADING]

[HEADING=2]Web UI[/HEADING]

The new web-based interface uses a single [iCODE]index.php[/iCODE] entry point, which contains fallback code to provide friendly error messages when PHP cannot be executed, or its version is not supported. In MyBB 1.8 and before, when accessing the directory with a functional forum, administrators would be presented with an upgrade/install choice screen — this was simplified by opening the upgrade screen by default, with a link to force reinstallation for local network requests that indicate a non-production board.

The flow in the browser-based GUI is managed by a client-side controller, capable of handling input and output asynchronously, letting users fill out and submit subsequent forms as the attached operations execute in the background. A server-side controller provides fallback support for no-JavaScript clients. More form fields take advantage of input verification and autocomplete features supported by browsers and password managers.
Password fields were enriched with reveal toggles (in browsers other than Microsoft Edge, which provides the feature natively) — balancing the UX with the removal of redundant retype password input — and then placed at the end of forms to detect usage of other entered data (like site details, username, or email) for score calculation, powered by the zxcvbn library. The auto-login feature was extended to likewise initialize a session for the Admin CP, enabling administrators to instantly explore it and finish configuring their forums.

The processes support flags that can be provided as URL parameters. Developers can use the [iCODE]dev[/iCODE] flag to skip File Verification and pre-fill administrator account details for quicker setup. With the [iCODE]fast[/iCODE] flag, the application will attempt a zero-click installation, proceeding automatically with provided data and defaults suitable for development. When installing in development mode, an additional post is created in the welcome thread with convenient links to launch the process again and reset MyBB to its default state.

Over six years ago, we pointed out the tip-over in observed web traffic into the majority using HTTPS — today’s data shows that secure transmission for publicly-available sites is a universal standard. Although administrators of new forums should be well-aware of this, and have HTTPS already set up, some may delay this step until after the installation. This, of course, is dangerous, given that passwords and login keys already start being transmitted. Therefore, the installer warns about an unsafe connection for public network requests (limiting warning fatigue during non-production usage).

Consistent with our long-term development plans, the new setup system has no inline styles nor scripts, which allowed us to add a restrictive Content Security Policy by default.
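As an added example, not MyBB's own code and written in Python rather than the project's PHP, this shows one way to derive the cookie Domain, Path and Secure values from the Board URL (the "Ctrl V" section) and to limit the unsafe-connection warning to public network requests (the paragraph above). The derivation rules, the empty-Domain handling for IP literals and dotless hosts, and the local-network definition are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def cookie_settings_from_bburl(bburl: str) -> dict:
    """Derive cookie settings from a Board URL such as https://example.net/forum.

    Assumed rules (not MyBB's own): Path is the URL path with a trailing slash,
    Domain is the host name but left empty (host-only cookie) for IP literals
    and dotless hosts such as 'localhost', and Secure follows the scheme.
    """
    parts = urlsplit(bburl.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {bburl!r}")
    host = parts.hostname  # lower-cased; port and IPv6 brackets already removed
    try:
        ipaddress.ip_address(host)
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False
    return {
        "cookiedomain": "" if is_ip_literal or "." not in host else host,
        "cookiepath": parts.path.rstrip("/") + "/",
        "cookiesecure": parts.scheme == "https",
    }


def is_local_network_request(client_ip: str) -> bool:
    """Assumed definition: any client address that is not globally routable
    (loopback, RFC 1918, link-local, ...) counts as a local network request."""
    return not ipaddress.ip_address(client_ip).is_global


def unsafe_connection_warning(scheme: str, client_ip: str) -> bool:
    """Warn only when credentials would cross the public Internet in the clear:
    plain HTTP and a client that is not on a local network."""
    return scheme.lower() != "https" and not is_local_network_request(client_ip)


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ("https://example.net/forum", "http://localhost:8080", "http://192.168.1.10/mybb/"):
        print(url, "->", cookie_settings_from_bburl(url))
    for scheme, ip in (("http", "8.8.8.8"), ("http", "127.0.0.1"), ("https", "8.8.8.8")):
        print(scheme, ip, "-> warn" if unsafe_connection_warning(scheme, ip) else "-> ok")
```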
The web implementation tracks the time of each operation using the Performance API, and the custom measurements can be observed using developer tools built into some web browsers.

[HEADING=3]Safety[/HEADING]

The installer has been equipped with additional checks to prevent misuse. Previously, authentication was only required to access the upgrade script, but not installation, which may have allowed third parties to access it when the complete directory was uploaded and the [iCODE]lock[/iCODE] file was deleted for upgrading. The new system will check for additional, process-specific lock files, with [iCODE]lock_install[/iCODE] created automatically. To reinstall the board, administrators will also be required to delete or empty the configuration file, which will provide another cue that existing data will be overwritten. These constraints don’t apply in a development environment, in which case a detailed installation status is simply shown on the first screen.

Authentication-related logic tied to the upgrade script was reworked by removing assumptions about the stability of initialization and credential handling, which may become temporarily broken during the upgrade process (e.g. after uploading new files, but before applying database changes). Instead, the upgrade process validates administrators’ sessions carried over from the forum front-end opportunistically, and otherwise relies on an ad-hoc proof by prompting them to create a temporary file with the name cryptographically tied to a cookie value.

[HEADING=2]CLI[/HEADING]

The new [iCODE]bin/cli[/iCODE] command-line executable PHP script, built with Symfony’s Console component, comes with commands for each maintenance process, walking users through steps in a fashion similar to the web GUI. It can also execute any of the processes non-interactively, allowing integration into various automated scripts.
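Returning to the Safety section, the following is an added example in Python (not MyBB's PHP and not the project's own implementation) of the three checks it describes: process-specific lock files, a configuration file that must be emptied before reinstalling, and a proof-of-access file whose name is derived from a cookie value. Only the lock file names come from the post; the configuration path, the file name prefix and the SHA-256 derivation are assumptions.

```python
import hashlib
import os
import secrets

LOCK_FILES = ("lock", "lock_install")            # names given in the announcement
CONFIG_FILE = os.path.join("inc", "config.php")  # assumed location of the configuration file


def install_blocked_reasons(root: str, dev: bool = False) -> list:
    """Return why a fresh installation must not proceed; an empty list means it may.

    A lock file from either process, or a non-empty configuration file, signals
    existing data. In a development environment the constraints are lifted and
    the caller is expected to display the status instead.
    """
    if dev:
        return []
    reasons = []
    for name in LOCK_FILES:
        if os.path.exists(os.path.join(root, name)):
            reasons.append(f"lock file present: {name}")
    cfg = os.path.join(root, CONFIG_FILE)
    if os.path.isfile(cfg) and os.path.getsize(cfg) > 0:
        reasons.append("configuration file is not empty; delete or empty it to reinstall")
    return reasons


def new_upgrade_token() -> str:
    """Unguessable value handed to the administrator's browser as a cookie."""
    return secrets.token_hex(16)


def proof_filename(token: str) -> str:
    """File the administrator is asked to create to prove filesystem access.

    Assumed scheme: a SHA-256 digest of the cookie value. A visitor who cannot
    write to the server cannot satisfy the check, and a file created for one
    browser session does not authorise another, since its token differs.
    """
    return "upgrade_proof_" + hashlib.sha256(token.encode("ascii")).hexdigest()[:32]


def upgrade_proof_present(root: str, token: str) -> bool:
    """True once the file derived from this session's token exists."""
    return os.path.isfile(os.path.join(root, proof_filename(token)))


def demo_run() -> dict:
    """Exercise the checks in a throw-away directory and return the observations."""
    import tempfile
    out = {}
    with tempfile.TemporaryDirectory() as root:
        out["fresh"] = install_blocked_reasons(root)
        open(os.path.join(root, "lock_install"), "w").close()  # what the new installer creates
        out["locked"] = install_blocked_reasons(root)
        out["locked_dev"] = install_blocked_reasons(root, dev=True)
        token = new_upgrade_token()
        out["before"] = upgrade_proof_present(root, token)
        open(os.path.join(root, proof_filename(token)), "w").close()  # the administrator's action
        out["after"] = upgrade_proof_present(root, token)
        out["other_session"] = upgrade_proof_present(root, new_upgrade_token())
    return out


if __name__ == "__main__":
    for key, value in demo_run().items():
        print(f"{key}: {value}")
```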
When using this interface, the input can be:
- provided interactively:
  Board URL: > https://example.net/forum
- passed as direct parameters with the command:
  $ bin/cli install --param bburl=https://example.net/forum
- picked up from environment variables:
  MYBB_INSTALL_BBURL=https://example.net/forum
- skipped entirely — by accepting defaults:
  $ bin/cli install --fast
  (here, we rely on database discovery and an existing installation, where the URL — unavailable in CLI mode — can be retrieved from old settings)

Similarly to the web mode, the commands support i.a. [iCODE]--dev[/iCODE] and [iCODE]--fast[/iCODE] flags, in addition to Symfony’s built-in usability and debugging options.

[HEADING=1]Maintenance Pages[/HEADING]

The installer’s new look belongs to the new family of maintenance pages — used during special conditions of MyBB’s operation, and inspired by the design of the 1.9 front-end and the Project’s website. Each condition was assigned a distinct color, and the pages differ in what elements are displayed according to the subject in a given context: the board, or its underlying software. MyBB’s own branding is toned down on the error and board closed pages — which usually depend on the individual environment and administrator’s activity — and appropriately displayed in full during installation and subsequent upgrades.

By handling thousands of support cases, we see how the subtle changes in error message phrasing reflect in future help requests, and have a general idea of how people — both the administrators and the users of their forums — respond to them. The error pages address both groups with specific (but still concise) suggestions for reaching out for technical assistance, depending on the circumstances and configured contact settings.

[HEADING=1]Data Reorganization[/HEADING]

Data previously distributed — and uploaded — with the installation directory was absorbed into the core.
The permanent availability of the database schemas, initial data seeds, and upgrades — moved from [iCODE]install/resources/[/iCODE] to respective subdirectories under [iCODE]inc/[/iCODE] — will enable the core to i.a. extend its self-verification features to cover the database structure, and allow resetting settings to default values. This effort included a refactoring of some data from individual SQL queries to arrays, and increasing the usage of multi-row insert queries, yielding improved performance.

Given that static assets tied to the GUI were also extracted, any upgrade packages (Changed Files) involving the upgrade process for MyBB 1.9 will only contain: the entry point file, and truly new or modified resources — compared to the growing set of 80+ [iCODE]install/[/iCODE] files to upload (and remove shortly after) on MyBB ≤ 1.8.

Another kind of relocation was made to the file containing the application’s checksums: the once-online feature of File Verification, which would download it from the MyBB.com server before comparing it against the filesystem, was modified to include it in the package for offline verification, improving reliability and privacy.

[HEADING=1]Flattening Workflows[/HEADING]

If you manage MyBB forums or develop extensions, you have likely encountered more broad friction: to run MyBB locally, a complete web stack has to be installed — including the HTTP server, PHP interpreter, and a database system. This can quickly become overwhelming if you need to test against various versions and systems to mimic your live forum’s setup, or investigate reported problems. Our Docker Compose configuration — which already took care of setting up the web stack components — was recently updated to also install Composer dependencies for MyBB 1.9, and now, with the MyBB CLI, to install the application itself.
This means that after the initial Docker installation, you can get MyBB up and running from the source (in any branch or Pull Request) using a single command, without the overhead of setting up the underlying software on your host system, or manually handling the intermediate steps of installing dependencies — or MyBB.

Similarly, the scriptable installer was used to create a default configuration for GitHub Codespaces — an additional layer that provides an instant web-based IDE to run, debug, and modify MyBB and its source code.

Go to the MyBB 1.9 development branch to preview the recent updates, try Codespaces with your free quota on GitHub, and help track down any problems in the new series of our forum software. If you like working on improvements — that are sometimes measured by how well they blend into the background — Get Involved.
-
MyBB 1.8.33 Released — Security & Maintenance Release
Guest posted a topic in Forum Software Discussions
MyBB 1.8.33 is now available, and is a security & maintenance release. This version improves cache system stability, and compatibility with PostgreSQL (PDO) and recent PHP versions.
1 security vulnerability addressed:
High risk: ACP Languages local file inclusion (advisory) — reported by yelang123 (Stealien), NGA (Stealien)
8 issues resolved
Check the Release Notes for more information.
Get latest MyBB Full & Upgrade Packages →
The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.
Thanks, MyBB Team
-
MyBB 1.8.32 Released — Security & Maintenance Release
Guest posted a topic in Forum Software Discussions
MyBB 1.8.32 is now available, and is a security & maintenance release. This version addresses reported security problems and updates SCEditor to the latest version.
3 security vulnerabilities addressed:
High risk: Visual editor persistent XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
Medium risk: ACP Users SQL injection (advisory) — reported by Aleksey Solovev (Positive Technologies)
Low risk: Attachment upload XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
1 issue resolved
Check the Release Notes for more information.
Get latest MyBB Full & Upgrade Packages →
The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.
Thanks, MyBB Team
-
MyBB 1.8.31 Released — Security & Maintenance Release
Guest posted a topic in Forum Software Discussions
MyBB 1.8.31 is now available, and is a security & maintenance release. This version resolves discovered bugs and regressions, and improves compatibility with database engines and recent PHP versions. Please note that the value of Additional Parameters for PHP’s mail() (Mail Settings) now only takes effect when saved in the Configuration File.
1 security vulnerability addressed:
Medium risk: Mail settings command parameter injection (advisory)
21 issues resolved
Check the Release Notes for more information.
Get latest MyBB Full & Upgrade Packages →
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.
Thanks, MyBB Team
-
MyBB 1.8.30 is now available, and is a security release.
1 security vulnerability addressed:
High risk: ACP Settings management RCE (advisory) — reported by Cillian Collins / Trend Micro Zero Day Initiative
Check the Release Notes for more information.
Get latest MyBB Full & Upgrade Packages →
The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.
Thanks, MyBB Team
-
MyBB 1.8.29 is now available, and is a security release.
1 security vulnerability addressed:
High risk: ACP Settings management RCE (advisory) — reported by Xiangwen (Evan) Yu
Check the Release Notes for more information.
Get latest MyBB Full & Upgrade Packages →
The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.
Thanks, MyBB Team
-
MyBB 1.8.28 Released — Security & Maintenance Release
Guest posted a topic in Forum Software Discussions
MyBB 1.8.28 is now available, and is a security & maintenance release. This version resolves discovered bugs and regressions, and addresses known PHP 8 compatibility problems. This version enables validation of HTML code generated by the MyCode parser — check the Documentation page and previous announcement for more details.
1 security vulnerability addressed:
Medium risk: ACP Template Name XSS (advisory) — reported by Andrey Stoykov
28 issues resolved
Check the Release Notes for more information.
Get latest MyBB Full & Upgrade Packages →
The MyBB Project extends thanks to reporters and researchers following responsible disclosure. Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.
Thanks, MyBB Team
-
1.8’s CAPTCHA Bug, Parser Validation, and PHP Compatibility
Guest posted a topic in Forum Software Discussions
As we stabilize the 1.8 branch for future support with development eventually switching focus to 1.9, we’d like to draw your attention to the following advisories.

CAPTCHA Bug

Version 1.8.27 has introduced a bug affecting two of MyBB’s supported CAPTCHA mechanisms: reCAPTCHA v3 and hCaptcha invisible. For those, the CAPTCHA may appear broken, and the verification can reject or accept attempts incorrectly. If your forum uses those systems, we advise either:
- temporarily switching to another mechanism using the CAPTCHA Images for Registration & Posting setting (ACP: Configuration → Settings → General Configuration), or
- applying the upcoming changes to source code files manually.
This problem will be resolved in the next maintenance release.

Parser Output Validation

The upcoming maintenance release enforces validation of XHTML code generated by the MyCode parser in order to improve security. MyBB 1.8.27 included this feature in report-only mode, meaning that any problems are already being saved to the configured error log. After upgrading, validation errors will continue to be logged, but messages with problematic MyCode will not be displayed to prevent potential XSS attacks against your forums.

Forum administrators should verify that their error logging is configured properly, and monitor the log for errors that may indicate necessary changes to their customizations like custom MyCodes, theme templates, username styles, and plugins. These errors can be triggered when forum content that uses MyCode is viewed. We created a relevant Docs section that details pinpointing the origin, debugging using a dedicated tool, and disabling the validation requirement for boards that are not yet ready for this change.
Examples of Fixed Validation Errors

To help demonstrate what actions may need to be taken, let’s take a look at some validation failures that turned up so far:

Case 1: Attributes Without Value in Default Templates
MyBB’s default theme included HTML attributes without values. These caused validation errors such as:
Specification mandates value for attribute
attributes construct error
To fix this, we simply added ="true" fragments where needed.

Case 2: Redundant Tags in Username Style
In a support thread, unnecessary HTML in a customized username style, present in a forum post, resulted in a logged failure that mentioned:
Opening and ending tag mismatch
Extra content at the end of the document
This could be resolved by cleaning up the HTML code in the Username Style field for the problematic user group by removing stray closing tags.

Case 3: Self-Closing Tags in Custom MyCode
In another support thread, a custom MyCode included an unclosed HTML tag, which resulted in a validation failure that mentioned:
Opening and ending tag mismatch
EndTag: '
For correct XHTML validation, tags that don't have an equivalent closing tag should include a forward slash: .

Case 4: Invalid Placeholder Format
A plugin that inserted invisible markers in the format resulted in errors referring to attribute parsing and missing end tags. This format was changed to to pass the validation.

If you have trouble resolving validation failures, visit our support platforms and include the full logged error.

PHP Compatibility

MyBB aims to support most recent versions of web browsers, servers, database systems, and PHP interpreters. Due to significant changes in PHP 8.0, however, we recommended using PHP up to 7.4 while the code was being adjusted. The upcoming MyBB release includes another batch of such adjustments, and removes some unnecessary side-effects of version-related PHP Warnings. We also pay attention to PHP 8.1, which is not expected to cause major problems after these updates.
Even though more issues may still be discovered when running MyBB on latest versions of PHP, we encourage administrators and extension developers to verify the stability of their forums and extensions on PHP 8, and to watch out for any errors that may appear in the error log, starting with the next maintenance release. Numerous web hosts already support switching to PHP 8.0, and MyBB can easily be tested locally using Docker. Any suspected issues related to compatibility, as usual, can be reported on our support platforms.
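Returning to the validation examples in this post: the following added Python example (not MyBB's validator, which uses libxml2 and reports the messages quoted in the cases above) checks parser output for XHTML well-formedness and shows each broken snippet failing and its fixed form passing. The snippets are constructed to mirror Cases 1 to 3, and wrapping the fragment in a synthetic root element is an assumption about how multiple top-level nodes are handled.

```python
import xml.etree.ElementTree as ET


def validate_xhtml(fragment: str):
    """Return (True, None) if the fragment is well-formed XML, else (False, reason).

    The fragment is wrapped in a synthetic root element (an assumption) so that
    output with several top-level nodes, such as '<b>a</b> <i>b</i>', is accepted.
    Python's expat parser is used, so the error strings differ from libxml2's,
    but the same inputs fail and pass.
    """
    try:
        ET.fromstring(f"<root>{fragment}</root>")
    except ET.ParseError as exc:
        return False, str(exc)
    return True, None


# Constructed (broken, fixed) pairs mirroring the cases in the announcement.
CASES = {
    # Case 1: attribute without a value in a default template
    "attribute_without_value": (
        '<td nowrap>cell</td>',
        '<td nowrap="true">cell</td>',
    ),
    # Case 2: stray closing tag in a customized username style
    "stray_closing_tag": (
        '<span class="vip">user</span></span>',
        '<span class="vip">user</span>',
    ),
    # Case 3: void element without the self-closing slash in a custom MyCode
    "unclosed_void_tag": (
        'line one<br>line two',
        'line one<br />line two',
    ),
}


def check_cases() -> dict:
    """Validate every pair; returns {case: (broken_is_valid, fixed_is_valid)}."""
    return {
        name: (validate_xhtml(broken)[0], validate_xhtml(fixed)[0])
        for name, (broken, fixed) in CASES.items()
    }


if __name__ == "__main__":
    for name, (broken, fixed) in CASES.items():
        ok, why = validate_xhtml(broken)
        print(f"{name} (broken): {'ok' if ok else 'FAIL: ' + why}")
        ok, why = validate_xhtml(fixed)
        print(f"{name} (fixed):  {'ok' if ok else 'FAIL: ' + why}")
```

The same check run over a template or MyCode replacement before saving it catches these three classes of failure without having to wait for them to appear in the error log.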