Security update to Flarum Tags 0.1.0-beta.13.2

clarkwinkelmann

Yesterday we released an emergency security fix for the bundled Tags extension. Here are more details.

Impact

This vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.

Users were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.

By moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.

The full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.

Forums that don't use restricted tags and don't use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion's tags.

Forums that don't use the Tags extension are unaffected.

Patches

The fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.

References

flarum/core2355

Credit

Thank you to @LianSheng for finding it and to @SychO for the quick fix!

How to update

If you are using Flarum beta 13:

In your Flarum folder (containing composer.json and config.php), run:

composer update flarum/tags --prefer-dist --no-dev -a

You can then confirm the update worked by checking Composer output (should say "updating to v0.1.0-beta.13.2"), or by checking the version number in the admin panel in the extension list.

If you are using beta 12 or older:

You should update to Flarum beta 13 as soon as possible. We unfortunately can't support older Flarum releases with security fixes. Follow the instructions to update. The security fix will automatically be applied when you perform the update to beta 13.

Followup

The original fix released as v0.1.0-beta.13.1 contained an error. We have released an updated fix as v0.1.0-beta.13.2. If you already installed the 13.1 fix, repeat the steps above to install 13.2.

In our haste to get the fix out we missed an important quality check. We will review our process so this doesn't happen again. We apologize for the inconvenience.

MikeJones

Yesterday I just used composer update flarum/tags

Does that work too or no?

clarkwinkelmann

MikeJones yes, both essentially achieve the same. The one I included above should consume a bit less memory, making it more suitable for shared hosting.

Wadera

Correct me if I'm wrong.
If you don't worry about memory limits you can also run just: composer update to get updated all extensions, dependencies and flarum itself?

jordanjay29

Wadera You can, but generally you need to be careful. Sometimes dependencies can update ahead of Flarum and render it incompatible. It's better to approach composer update with specific requests so you don't create an unpredictable environment. @luceos made a whole guide for using Composer with Flarum that you can check out for more information on best practices.

Wadera

As pointed on discussion jordanjay29
We should upgrade all extensions manually fallowing this guide:
https://discuss.flarum.org/d/9225-the-most-unsettling-end-user-guide-to-composer-for-flarum

If you have multiple of them it will be a lot of manual work, so what about get it automated?

Example fast scripting:

[me@myhost flarum]$ which composer
/usr/local/bin/composer
[me@myhost flarum]$ which php
/usr/local/bin/php
[me@myhost flarum]$ ls
CHANGELOG.md  LICENSE  README.md  composer.json  composer.lock  config.php  extend.php  flarum  nohup.out  public  storage  vendor  update.sh

Version if you have limited memory and want to update one by one:

[me@myhost flarum]$ cat update.sh
#!/bin/bash
extensions=$(cat composer.json | awk '/}/ {found=0} {if(found) print} /require/ {found=1}' | awk -F : '{print $1}' | sed 's/"//g')
echo 'Updating extensions:'
for i in $extensions
do
echo -n 'Updating: '; echo $i;
/usr/local/bin/composer update $i --prefer-dist --no-dev -o --no-suggest
done
echo 'Migrate:'
/usr/local/bin/php flarum migrate
echo 'Clear cache:'
/usr/local/bin/php flarum cache:clear
echo 'Update completed!'
echo

Version if you want to update them all at once:

[me@myhost flarum]$ cat update.sh
#!/bin/bash
extensions=$(cat composer.json | awk '/}/ {found=0} {if(found) print} /require/ {found=1}' | awk -F : '{print $1}' | sed 's/"//g')
echo -n 'Updating extensions: '; echo $extensions
echo
/usr/local/bin/composer update $extensions --prefer-dist --no-dev -o --no-suggest
echo 'Migrate:'
/usr/local/bin/php flarum migrate
echo 'Clear cache:'
/usr/local/bin/php flarum cache:clear
echo 'Update completed!'
echo

How to run it?

[me@myhost flarum]$ chmod +x update.sh
[me@myhost flarum]$ ./update.sh

In theory we can also add it into cron to get autopatch everyday at midnight? 🙂
Did I get it right?

matteocontrini

I updated but now when I try to change tags for a discussion an exception is thrown:

[2020-10-06 18:56:03] production.ERROR: BadMethodCallException: Call to undefined method Flarum\User\User::assertCan() in /path/to/forum/vendor/illuminate/support/Traits/ForwardsCalls.php:50
Stack trace:
#0 /path/to/forum/vendor/illuminate/support/Traits/ForwardsCalls.php(36): Illuminate\Database\Eloquent\Model::thro
wBadMethodCallException('assertCan')
#1 /path/to/forum/vendor/illuminate/database/Eloquent/Model.php(1610): Illuminate\Database\Eloquent\Model->forward
CallTo(Object(Illuminate\Database\Eloquent\Builder), 'assertCan', Array)
#2 /path/to/forum/vendor/flarum/core/src/Database/AbstractModel.php(222): Illuminate\Database\Eloquent\Model->__ca
ll('assertCan', Array)
#3 /path/to/forum/vendor/flarum/tags/src/Listener/SaveTagsToDatabase.php(63): Flarum\Database\AbstractModel->__cal
l('assertCan', Array)
#4 [internal function]: Flarum\Tags\Listener\SaveTagsToDatabase->handle(Object(Flarum\Discussion\Event\Saving))

robinodds

matteocontrini same here. Oops something went wrong error.

Wadera

Post moved to https://discuss.flarum.org/d/25061-upgrade-script
To prevent off top here 😉

askvortsov

On testing, we found that the backported fix uses a feature introduced in beta 14, resulting in crashes when users tried to edit tags on forums running beta 13. The 0.1.0-beta.13.2 release of tags should be used instead.

[deleted]

How to revert to flarum/tags v 13.1 using Composer?

After update from 13.1 to 13.2 i got this on homepage

Flarum encountered a boot error (ReflectionException) Class FoF\FrontPage\Listeners\SaveFrontToDatabase does not exist thrown in /home/xxx/xxx/vendor/illuminate/container/Container.php on line 779

clarkwinkelmann

[deleted] use the command from the first post under "How to update" to update the Tags extension.

I'm not sure what you mean by revert? The latest version, which is now v0.1.0-beta13.2, should be used.

[deleted]

clarkwinkelmann I'm not sure what you mean by revert? The latest version, which is now v0.1.0-beta13.2, should be used.

After update from flarum/tags ver v0.1.0-beta13.1 to ver v0.1.0-beta13.2 I got error (previous post). I hope to fix this by downgrading flarum/tags extension...

askvortsov

[deleted] the two are unrelated. You should reach out in the Frontpage thread to report the issue.

clarkwinkelmann

[deleted] sorry I posted my reply before seeing your edit with the error message.

This is actually an issue we fixed in Frontpage but never released FriendsOfFlarum/frontpage6 and it happens because of the use of the -a flag in my command above.

I have now released the fix in Frontpage. Updating Frontpage should fix this error https://discuss.flarum.org/d/19256-friendsofflarum-frontpage/39

[deleted]

Sorry, this error had to be some kind of temporary hosting issue... flarum/tagsv0.1.0-beta.13.2 is working just fine.

[deleted]

Thanks, man. As always, Flarum team is always there to help.

ChadJessen

Thank you for the security fix. Keep up the great work!!