In addition to the usual fixes and improvements, XenForo 2.3.7 also includes a critical security fix to ensure the security of Passkeys that have been added to your account. We'd very much like to thank
for reporting this issue via Eric and team at
. Between them they also reported a less severe issue related to local account page caching on shared systems.
This version also tightens up the kinds of methods that can be called from within templates, evolving from a loose "prefix" match to a stricter "first word" match of methods that can be called through callbacks and variable method calls. This fix is courtesy of
who we extend huge thanks to in taking the time to report this to us.
We'd also like to take this opportunity to notify all third party developers that writing database queries inside templates is not recommended. While this is still allowed in XenForo 2.3.7, the behaviour is now considered deprecated and will be prevented in XenForo 2.3.8. Code which currently triggers this will insert an error into the Server error log and must be fixed prior to the release of XenForo 2.3.8. Where possible, data must be queried and processed and passed into the template rather than being written inside the template itself.
Finally, we'd like to thank
for reporting a path disclosure issue in exceptions thrown due to open_basedir restrictions.