MachForm 16 Released. PHP 8 Compatibility and Security Release.

Howdy folks!

PHP 8 has been officially released to the general availability on November 26, 2020 which offers big performance improvement. It is a major version update with a large number of changes that break backward compatibility and many features that were deprecated within the PHP 7.x feature releases have been officially removed.

Today, we’re happy to let you know that we’ve just released MachForm 16, which is fully compatible with PHP 8.

 

PHP 8 Compatibility - MachForm

 

The new version of MachForm (version 16) is now available for downloads on Billing Area.

Security Updates

MachForm v16 also include updates to fix the following security issues:

  • HTTP Host Header Injection
  • Cross-Site Request Forgery (CSRF)
  • Unauthenticated HTML File Upload / Extension filter bypass
  • Unauthenticated Unrestricted File Upload Remote Code Execution

Thank you to Derrie Sutton of Tenable, Inc. for privately disclosing the vulnerabilities above and provide us time to fix the issue.

This post will be updated later with the link to the advisory providing more technical details regarding the issue.

PHP Version Requirement

MachForm v16 requires the minimum version of PHP on your server to be at least PHP 7.2. If you’re still using older version, you’ll need to upgrade your PHP version first.

We strongly recommend you to upgrade due to improved compatibility and security updates within this release.

Changelog

  • Update: PHP 8 Compatibility
  • Update: Faster loading time upon login, particularly on instance having large amount of forms
  • Update: User having “Edit Form” permission is now able to manage access to the associated form
  • Update: Removed standard file upload. File uploads now using advanced uploader
  • Update: Added hostname to the QR Code generated for 2-step-verification, to allow adding multiple instances of MachForm to auth app
  • Update: Updated Dutch translation file
  • Update: Updated front-end forms jQuery library to v3.5.1
  • Update: Smoother iframe scrolling on embedded form
  • Security: HTTP ‘Host’ header injection
  • Security: Prevent CSRF by using CSRF Token and “SameSite” Cookie
  • Security: Removed unused file that can be used for open redirect
  • Security: Changed file upload default behaviour to block all file types, unless otherwise allowed within the whitelist
  • Bugfix: Unique field caused validation problem when “Allow user to edit completed entry” enabled
  • Bugfix: Form with single checkboxes field considered as duplicate entries even though user selected different values
  • Bugfix: Suspended users shouldn’t be displayed within the access list on form info page
  • Bugfix: When “Allow user to edit completed entry” enabled on form with single page, clicking “Open Blank Form” generate error
  • Bugfix: Field having HTML characters within the label are displayed incorrectly on logic settings page
  • Bugfix: Exporting entries/form on server with zlib.output_compression turned on, result to a zipped content
  • Bugfix: Approval columns on form having review table wasn’t created properly on the review table, which resulted to error message when user clicking the resume link
  • Bugfix: Send File as Attachment option shouldn’t attach files for receipt emails
  • Bugfix: Form title doesn’t display correctly on dashboard when using long Unicode characters
  • Bugfix: Editing entry on admin dashboard on form with ‘edit entry’ enabled, in certain case generate error message
  • Bugfix: On a form with ‘edit entry’ enabled, file upload fields always display “required” error message, even if there is file exist already
  • Bugfix: “Edit User” page can’t accept email address containing apostrophe
  • Bugfix: When shipping option is not enabled, Google Pay won’t work
  • Bugfix: Accessibility issue with error messages
  • Bugfix: Email validation allows two consecutive dots
  • Bugfix: On some system, the payment amount on entries page aren’t displayed using 2 digit decimals
  • Bugfix: Unique validation generate error message under MySQL 8

How to Update

This update is FREE for all users having an active support contract.
As mentioned above, you can download it on Billing Area.

Follow this upgrade instruction:
Upgrading MachForm Self-Hosted 

MachForm Cloud Users

If you’re subscribed to any of our MachForm Cloud plans, there is no further action required on your side. We’ve automatically updated MachForm version on all our cloud users with the latest version.

You may also like