Security update to Flarum Tags 0.1.0-beta.13.2

Yesterday we released an emergency security fix for the bundled Tags extension. Here are more details.

Impact

This vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.

Users were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.

By moving a discussion to new tags, users could bypass the permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gaining the ability to interact with content where such interaction was limited.

The full impact varies depending on the configuration of permissions and restricted tags, and on which community extensions are in use. Every tag-scoped permission offered by an extension can be bypassed in this way.

Forums that don't use restricted tags and don't use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion's tags.

Forums that don't use the Tags extension are unaffected.
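The class of defect described above, as an added illustration that is not the Tags extension's own code: a Discussion Saving listener that applies a client-supplied tags relationship only after an explicit authorization check, rather than relying on the READ access that got the request this far. It assumes Flarum's Saving event exposes $discussion, $actor and $data, that the discussion model has a tags() relation, and that a discussion-level 'tag' ability and the per-tag 'startDiscussion' ability are evaluated through User::can(); those ability names are assumptions.

```php
<?php
// Added example, not code from Flarum or the Tags extension. Assumed names:
// the Saving event's $discussion, $actor and $data, the 'tag' ability on a
// discussion and the 'startDiscussion' ability on a tag (checked via User::can()).

namespace App\Listener;

use Flarum\Discussion\Event\Saving;
use Flarum\Tags\Tag;
use Flarum\User\Exception\PermissionDeniedException;
use Illuminate\Support\Arr;

class SaveTagsToDatabaseHardened
{
    public function handle(Saving $event): void
    {
        $discussion = $event->discussion;
        $actor = $event->actor;

        // Nothing to do unless the request body carries a tags relationship.
        if (!isset($event->data['relationships']['tags']['data'])) {
            return;
        }
        $newTagIds = Arr::pluck($event->data['relationships']['tags']['data'], 'id');

        // The gap the advisory describes: for an existing discussion, READ
        // access was enough to reach this point. Require an explicit
        // discussion-level ability before any tag is removed or added.
        if ($discussion->exists && !$actor->can('tag', $discussion)) {
            throw new PermissionDeniedException();
        }

        // Per-tag check the advisory says was already enforced: only tags the
        // actor may start discussions in can be attached.
        foreach (Tag::whereIn('id', $newTagIds)->get() as $tag) {
            if (!$actor->can('startDiscussion', $tag)) {
                throw new PermissionDeniedException();
            }
        }

        // Sync after the discussion row exists. User::can() is used instead of
        // assertCan(), which is not available on User in beta 13.
        $discussion->afterSave(function ($discussion) use ($newTagIds) {
            $discussion->tags()->sync($newTagIds);
        });
    }
}
```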

Patches

The fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.

References

flarum/core#2355

Credit

Thank you to @LianSheng for finding it and to @SychO for the quick fix!

How to update

If you are using Flarum beta 13:

In your Flarum folder (containing composer.json and config.php), run:

composer update flarum/tags --prefer-dist --no-dev -a

You can then confirm the update worked by checking Composer output (should say "updating to v0.1.0-beta.13.2"), or by checking the version number in the admin panel in the extension list.

If you are using beta 12 or older:

You should update to Flarum beta 13 as soon as possible. We unfortunately can't support older Flarum releases with security fixes. Follow the instructions to update. The security fix will automatically be applied when you perform the update to beta 13.

Followup

The original fix released as v0.1.0-beta.13.1 contained an error. We have released an updated fix as v0.1.0-beta.13.2. If you already installed the 13.1 fix, repeat the steps above to install 13.2.

In our haste to get the fix out we missed an important quality check. We will review our process so this doesn't happen again. We apologize for the inconvenience.

Correct me if I'm wrong.
If you don't worry about memory limits, you can also just run composer update to get all extensions, dependencies and Flarum itself updated?

    Wadera You can, but generally you need to be careful. Sometimes dependencies can update ahead of Flarum and render it incompatible. It's better to approach composer update with specific requests so you don't create an unpredictable environment. @luceos made a whole guide for using Composer with Flarum that you can check out for more information on best practices.

      I updated but now when I try to change tags for a discussion an exception is thrown:

      [2020-10-06 18:56:03] production.ERROR: BadMethodCallException: Call to undefined method Flarum\User\User::assertCan() in /path/to/forum/vendor/illuminate/support/Traits/ForwardsCalls.php:50
      Stack trace:
      #0 /path/to/forum/vendor/illuminate/support/Traits/ForwardsCalls.php(36): Illuminate\Database\Eloquent\Model::throwBadMethodCallException('assertCan')
      #1 /path/to/forum/vendor/illuminate/database/Eloquent/Model.php(1610): Illuminate\Database\Eloquent\Model->forwardCallTo(Object(Illuminate\Database\Eloquent\Builder), 'assertCan', Array)
      #2 /path/to/forum/vendor/flarum/core/src/Database/AbstractModel.php(222): Illuminate\Database\Eloquent\Model->__call('assertCan', Array)
      #3 /path/to/forum/vendor/flarum/tags/src/Listener/SaveTagsToDatabase.php(63): Flarum\Database\AbstractModel->__call('assertCan', Array)
      #4 [internal function]: Flarum\Tags\Listener\SaveTagsToDatabase->handle(Object(Flarum\Discussion\Event\Saving))

        On testing, we found that the backported fix uses a feature introduced in beta 14, resulting in crashes when users tried to edit tags on forums running beta 13. The 0.1.0-beta.13.2 release of tags should be used instead.

        How to revert to flarum/tags v 13.1 using Composer?

        After updating from 13.1 to 13.2 I got this on the homepage

        Flarum encountered a boot error (ReflectionException)
        Class FoF\FrontPage\Listeners\SaveFrontToDatabase does not exist
        thrown in /home/xxx/xxx/vendor/illuminate/container/Container.php on line 779

          [deleted] use the command from the first post under "How to update" to update the Tags extension.

          I'm not sure what you mean by revert? The latest version, which is now v0.1.0-beta13.2, should be used.

            clarkwinkelmann I'm not sure what you mean by revert? The latest version, which is now v0.1.0-beta13.2, should be used.

            After update from flarum/tags ver v0.1.0-beta13.1 to ver v0.1.0-beta13.2 I got error (previous post). I hope to fix this by downgrading flarum/tags extension...

              Sorry, this error had to be some kind of temporary hosting issue... flarum/tags v0.1.0-beta.13.2 is working just fine.

              [deleted] the two are unrelated. You should reach out in the Frontpage thread to report the issue.