Patching to 2.0.14 test failed on custom theme.

lurkalot · May 15, 2017, 05:01:44 PM

Just upgraded one of my sites to 2.0.14 and get a test failed error on the custom theme (Gray Style).

The code

<input type="hidden" name="hash_passwrd" value="" /> doesn't appear to be in the file. I read in another thread https://www.simplemachines.org/community/index.php?topic=553860.0 that this error can be ignored. Anyway gave it a try and if I use the login at the top of the theme //mywebsitedotcom/index.php?action=login2 it gives

An Error Has Occurred!
Your session timed out while posting. Please go back and try again.

If however I log in from the main menu = //mywebsitedotcom/index.php?action=login Then I can log in ok.

I uninstalled the patch and reistalled the patch this time not checking install on other themes, and same result as above.

Any ideas?

vbgamer45 · May 15, 2017, 05:02:53 PM

I would put that code from the patch before </form> tag if you have a login option on that theme.

lurkalot · May 15, 2017, 05:12:39 PM

Thanks vbgamer45, that was quick.

You mean exactly like this this?

Code Select


	       echo '
	         <div class="user_bar">
				<script type="text/javascript" src="', $settings['default_theme_url'], '/scripts/sha1.js"></script>
				 <form id="guest_form" action="', $scripturl, '?action=login2" method="post" accept-charset="', $context['character_set'], '" ', empty($context['disable_login_hashing']) ? ' onsubmit="hashLoginPassword(this, \'' . $context['session_id'] . '\');"' : '', '>
					<span>'.$txt['username'].': </span><input type="text" name="user" size="10" class="input_text" />
					<span>'.$txt['password'].': </span><input type="password" name="passwrd" size="10" class="input_password" />
					<input type="submit" value="', $txt['login'], '" class="button_submit" />
					<input type="hidden" name="hash_passwrd" value="" /><input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />
				</form>
	      </div>';
	      }

If I have it correct I'll give it a go on my site and report back.

Gluz · May 15, 2017, 05:16:18 PM

From what I tested in my site this should be enough, I do modify my theme because of that error.

Code Select

<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />

lurkalot · May 15, 2017, 05:25:13 PM

Quote from: vbgamer45 on May 15, 2017, 05:02:53 PM
I would put that code from the patch before </form> tag if you have a login option on that theme.

Thanks vbgamer45, I went ahead and tried it, works nicely now.

Cheers.

lurkalot · May 15, 2017, 05:28:57 PM

Quote from: Gluz on May 15, 2017, 05:16:18 PM
From what I tested in my site this should be enough, I do modify my theme because of that error.

Gluz, I was doing the edit that vbgamer45 suggested while you posted, and his fix appears to have done the trick. Thanks for the help though.

lurkalot · May 16, 2017, 04:01:58 PM

Thanks to whoever marked this solved for me, I did come back to do this yesterday but was too late.

I did have a follow up question regarding this issue though. What happens if the theme is downloaded and installed after the 2.0.14 patch? Do all the themes need updating now? Just curious.

Arantor · May 16, 2017, 04:03:07 PM

All themes need updating now.

lurkalot · May 16, 2017, 04:12:00 PM

Quote from: Arantor on May 16, 2017, 04:03:07 PM
All themes need updating now.

Thanks, thought that might be the case but wasn't sure.

PPI Karl · May 20, 2017, 12:48:16 PM

My forum has been having this exact same problem since I updated to 2.0.14. This is probably the dumbest question of the day, but, in which file should I be placing the code?

Code Select

<input type="hidden" name="hash_passwrd" value="" />

I'm using a slightly customized version of the Black Day theme. Thanks for your help and patience.

vbgamer45 · May 20, 2017, 01:05:17 PM

in your themes index.template.php look BEFORE the </form> tag add

Code Select


<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />

PPI Karl · May 20, 2017, 01:09:16 PM

Thank you!

lurkalot · May 20, 2017, 01:13:52 PM

Quote from: vbgamer45 on May 20, 2017, 01:05:17 PM
in your themes index.template.php look after the </form> tag add
Code Select Expand
<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />

Jut curious. Does it matter if it's before or after the </form> tag? Just I added it before the tag as per your post above.

Arantor · May 20, 2017, 01:20:24 PM

Needs to be inside the <form> so it if it is after the </form> it is outside of everything the form is...

vbgamer45 · May 20, 2017, 01:30:29 PM

Yeah my mistake on the wording there. should be that closing </form> tag

lurkalot · May 20, 2017, 02:18:05 PM

Quote from: Arantor on May 20, 2017, 01:20:24 PM
Needs to be inside the <form> so it if it is after the </form> it is outside of everything the form is...

Thanks Pete.

Quote from: vbgamer45 on May 20, 2017, 01:30:29 PM
Yeah my mistake on the wording there. should be that closing </form> tag

Thanks, yes it's working fine. I just noticed a few posts where its saying to add it after the closing form tag that's all. None of them complained which made me ask.

Arantor · May 20, 2017, 02:28:20 PM

Either add it in after the starting <form> or before the closing </form> would work

lurkalot · May 20, 2017, 02:42:09 PM

Quote from: Arantor on May 20, 2017, 02:28:20 PM
Either add it in after the starting <form> or before the closing </form> would work

Thanks. Yes I've got it like that, but if you look here for example, https://www.simplemachines.org/community/index.php?topic=553950.msg3926390#msg3926390

Arantor · May 20, 2017, 02:51:12 PM

That's taken directly from the patch where the actual code says 'after' because position="after" means 'put the thing I found after the code I want to add' because Package Manager is internally backwards.

ForumGuy789 · May 20, 2017, 10:52:42 PM

This is why i usually wait a week for 2 before installing new updates. Customers are not going to try all the different login methods to get in .. they'll use one then give up. How long do you think that we'll need to wait until there is an update to fix this update? If you make the fix in 2.0.15 then I'll prob skip 2.0.14 if possible. IMO, it sounds like a big problem (people not being able to log in). I know i can edit some code to fix this but if all SMF users need to do this then that's really asking a lot.

Illori · May 21, 2017, 05:43:33 AM

this is not something we can fix in a patch. many custom themes do things differently so it requires some work on your end to make it work with with your custom theme.

Kindred · May 21, 2017, 08:42:51 AM

Actually, this will not be "fixed" In Any future release, because the issue is that the login form changed to be more secure... and all themes that have a login box need to be updated.

So, this is not a bug... this is an issue with custom themes that may require all themes to be updated by the author or the admin/user of the theme

edit -- darned autocorrect (also, did not see Illori's response above when I posted)

ForumGuy789 · May 21, 2017, 12:04:09 PM

Ok thanks for the clarification. I saw Arantor say 'all themes need updating now' and thought it meant non-custom themes too.

Veee · May 22, 2017, 11:55:04 AM

I have a similar issue...

On my case and from the theme I am using, the code that's supposed to be edited isn't under index.template but BoardIndex, is it the same thing? Should I edit it there then?

Thanks!

vbgamer45 · May 22, 2017, 11:59:02 AM

If it is a login form then yes

Veee · May 22, 2017, 11:59:16 AM

It looks the same, just in a different file. Thank you!

Wellwisher · May 29, 2017, 06:57:10 PM

Thank you @vbgamer45 and @lurkalot this thread saved my life!!!

I too had the same problem, when I upgraded to 2.0.14.

I remember testing everything up until 2.0.13, everything was going well. Then I saw the upgrade to "2.0.14" button. It was like moth to a flame tbh. After that I began experiencing login problems. Luckily members could login via /index.php?action=login.

Thanks people. Phew, man I felt the stress levels rise like no tommarh....

paybacks1 · June 15, 2017, 12:33:44 AM

I have just upgraded to 2.0.14, and the fix posted to include the line of code does not seem to have worked for me. Can anyone provide any further assistance?

I am currently getting 'Your session timed out while posting. Please go back and try again.' This happens when attempting to login, not when posting.

Here is what I have in 'index.template.php':

Code Select

<form action="', $scripturl, '?action=search2" method="post" accept-charset="', $context['character_set'], '" name="searchform2" id="searchform2">
        <div id="search_term_input2">

        <input placeholder="Search..." type="text" id="search" name="search"', !empty($context['search_params']['search']) ? ' value="' . $context['search_params']['search'] . '"' : '', ' maxlength="', $context['search_string_limit'], '" class="input_text" />
        </div>
        <input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" /></form>';

Does this seem to be the correct place?

I am also unable to log into the forum at all to access the admin panel (unsure if there is a way to access it otherwise).

vbgamer45 · June 15, 2017, 05:31:48 AM

Not that area. It would be in either the following files index.template.php boardindex.template.php or login.template.php Attach them if you need help.
It would be any form that has login password box.

paybacks1 · June 15, 2017, 09:54:37 AM

I have attached the files if you could point me in the right direction - thanks again

vbgamer45 · June 15, 2017, 05:50:10 PM

boardindex and index.template.php are ok

Attach your SSI.php i see your theme uses some SSI functions..

Attached updated login.template.php file

paybacks1 · June 15, 2017, 07:30:50 PM

Thanks so much for the prompt replies! I seem to have 2 SSI files, they are attached.

paybacks1 · June 16, 2017, 11:13:40 AM

Quote from: paybacks1 on June 15, 2017, 07:30:50 PM
Thanks so much for the prompt replies! I seem to have 2 SSI files, they are attached.

I actually managed to sort the issue out in the SSI2 file. I now have one other issue where the body of any post is not loading past the initial banner with the thread title, so I will have to see about that!

Thanks again for the assistance.

nax · June 24, 2017, 06:10:00 AM

I have a similar problem, I found that in my custom theme the <input type="hidden" name="hash_passwrd" value="" /> did not exist so I manually added it, the upgrade went ok. Now after several days I'm getting the

An Error Has Occurred!
Your session timed out while posting. Please go back and try again.

I know nothing about SSI files can someone help me here.

nax · June 25, 2017, 04:25:33 AM

This also have another forum with bespoke themes where this happening. Users can still get in using

Myforum/index.php?action=login

I have added the suugested line of code within the form /form section as you can see from the sample below. Would any files other than index.template be affected?

nax · June 25, 2017, 05:13:41 AM

Despite the upgrade having gone through successfully after I added the missing code in the form section that it was looking for, the upgrade DID NOT change and replace that code. I've now gone into both forums affected and can see that this is the case for both of them. I have replaced the original missing line

<input type="hidden" name="hash_passwrd" value="" />

with

<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />

I'll see if that cures the problem.

nax · June 28, 2017, 05:41:09 AM

I've recently had an issue upgrading from 2.0.13 to 2.0.14 I think it is resolved BUT I have a few questions to help my understanding and clarification of how the SMF system works.

I have two sites let's call then A and B. Both sites use bespoke templates and the upgrade failed on both sites when it came to the following find and replace action :

Operation #2
Find: [Select]
<input type="hidden" name="hash_passwrd" value="" />
Replace With: [Select]
<input type="hidden" name="hash_passwrd" value="" /><input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />

After double checking the current theme file location in Admin, I duly added the
<input type="hidden" name="hash_passwrd" value="" />
in the appropriate place in the login form area of the index.template.php file – I did this for both sites.

I ran the upgrade again and it went through no problem on both sites.

Then I started to get emails from users on both sites saying they couldn't login.

I checked the index.template.php file on sites A and B in the current theme directory and found that the line I had added had not been replaced, so I did the replacement manually and all seems to be well.

My question/concern is this: Why didn't the replacement happen? Should it have updated the index.template.php file in the core and babylon theme directories as well as I can see no changes to them.

Am I getting confused because some altered files are copied to the "Default" theme directory as the index.template.php has the correct updated code in it?

I'm just trying to sort out in my own mind how it works.

b4pjoe · November 06, 2017, 11:47:43 AM

I seem to be having this same problem. When I try to login I get:

Session verification failed. Please try logging out and back in again, and then try again.

The thing is I am NOT using a custom theme. I am using the SMF default curve theme. It did just happen after upgrading the forum to 2.0.14.

If it matters I do use the PortaMx portal but I am trying to login via the standard SMF login. Any ideas?

Sir Osis of Liver · November 06, 2017, 11:56:49 AM

That's a 2.0.14 bug, it's only affected a few forums. Only way I found to fix it is disable sression check in LogInOut.php -

Code Select



	// Are you guessing with a script?
	// checkSession('post');
	spamProtection('login');

b4pjoe · November 06, 2017, 12:10:09 PM

Quote from: Sir Osis of Liver on November 06, 2017, 11:56:49 AM
That's a 2.0.14 bug, it's only affected a few forums. Only way I found to fix it is disable sression check in LogInOut.php -

Code Select Expand
// Are you guessing with a script? // checkSession('post'); spamProtection('login');

Well disabling that allowed me to login to the forum but when I try to go to admin it still wants my password and I get the same error after I enter it. And now it won't let me logout. Even after re-enabling checkSession. Same error. So now I still can't get into admin and now I can't logout.

Sir Osis of Liver · November 06, 2017, 12:11:56 PM

Revert to 2.0.13.

b4pjoe · November 06, 2017, 12:15:05 PM

I can't get into admin to uninstall the 2.0.14 patch.

Sir Osis of Liver · November 06, 2017, 12:16:56 PM

Look in /Packages/backups, download the zip from before 2.0.14 install, unzip, upload to forum root.

b4pjoe · November 06, 2017, 12:21:22 PM

The zip before 2.0.14 was smf_patch_2.0.13.zip and the only files in it are:

package-info.xml
readme.txt
smf_2-0-13_patch.xml

Arantor · November 06, 2017, 12:43:42 PM

Look inside the backups folder.

b4pjoe · November 06, 2017, 12:46:55 PM

Oh. There are not any zip files in there but there are a lot tar.gz files. The most recent is 2017-11-05_before_smf_patch_2_4.tar.gz and the last thing I did was to install the 2.0.14 patch so I assume this file would contain the 2.0.13 files?

Arantor · November 06, 2017, 12:47:53 PM

Yup, it contains a backup of the files (not attachments) for 2.0.13.

b4pjoe · November 06, 2017, 12:58:57 PM

OK I am back to 2.0.13 now and I can get to admin and everything seems to be working fine. The downside is I had to change my php version back from 7.1 to 5.6.

Sir Osis of Liver · November 06, 2017, 09:03:15 PM

You can try this, don't know if it works. Also go to Admin -> Security and Moderation and check 'Disable administration security' until you get this resolved.

News:

Patching to 2.0.14 test failed on custom theme.