YOURLS 1.7.9

YOURLS update : the latest release is now 1.7.9 and you will find it, as usual and only, on YOURLS release page on Github.

This release could have been nicknamed “the Quarantine Edition” since, because or thanks to the corona-lockdown (day 35 and counting) I’ve had quite some time to fix things and improve stuff, as you’ll see on the release page.

Truth be told, I’m also pushing this release as a security update. Last night, the DJ didn’t save my life, but the server hosting was compromised. As a result, you may have seen a message in your YOURLS admin interface advertising a 1.7.8 release with an unusual download link. This was quickly noticed and fixed but a couple hundreds people still downloaded the fake archive, so I’m pushing a newer one for everyone.

Update as usual : download files and overwrite all existing files on your server (your personal files such as plugins or config will remain untouched).

Do the community a favor: stay safe, wash your hands, tweet this post and let friends know about this update!

Short URL to this post:

YOURLS 1.7.4

We’ve just released a security patch for YOURLS, so everyone is advised to update when possible.

What’s new? We’ve hardened security. All prior versions of YOURLS, up to 1.7.3, can be abused in a way that allows a script kiddy malicious user to use your API by forging a valid timestamp, and add unwanted links to your shortener.

How to update? Same and as painless as usual: download the archive and overwrite all existing files. While you’re at it, backup your database, and tell your friends and family to update too!

Short URL to this post:

YOURLS 1.7 and automatically encrypted passwords

Another day, another highlight of a new feature in YOURLS 1.7. In case you weren’t there when the party started, we already covered defense against SQL injections, HTTP requests robustness, funky UTF8 charsets support, proxy support, automatic checking for a new version and a few other neat stuff.

Today will be about increased security of your credentials with automatic password encryption.

Password encryption ?

When you set up YOURLS for the first time, or when you add a new user, you edit your config.php and add a user and a password. Something like:

$yourls_user_passwords = array(
	'joe' => 'MyPassword',

Simple and easy. Now, the thing is: if someone sees that file for whatever reason, they know your YOURLS password (which is the same for most of your other stuff online, admit it).

Previously in YOURLS you could manually hack the config file to encrypt yourself passwords, using a salt and a MD5 hash. Near perfect and practically undecryptable, except that whenever something has to be done manually, well, it has to be done. And you don’t do it.

We’ve improved things in YOURLS 1.7 : encryption is now automatic.

Automatic password encryption !

After you’ve edited your config file, simply use YOURLS. Next time you’ll check your config.php, instead of a clear text password, you’ll see something like this:

$yourls_user_passwords = array(
    'joe' => 'phpass:!2a!08!gRCCvpvK22BgiNzN9q9fXOnjCXqjk88aQoZP/P0wydAj7bB2',

What happened? Using a military grade encryption library, YOURLS has silently encrypted your password to something completely and absolutely unbreakable.

Your password remains unchanged when you want to use it, so your YOURLS install is still as private as your password is secure, but that password does not exist any longer in clear text.

If you need to change your password, simply edit your config file again with a new password, and next time YOURLS will run, it will simply encrypt it again. Don’t want that to happen, for some and probably bad reason? No problem, just add define( 'YOURLS_NO_HASH_PASSWORD', true ); to your config file and you’re done.

If you have any question or problem with that feature, be sure to first check the wiki about YOURLS Usernames & Passwords.

Next time: social bookmarklets and other miscellaneous goodness.

Short URL to this post:

YOURLS 1.7 “Tom Araya” released

I’m pleased to announce the release of YOURLS 1.7 “Tom Araya”

\m/ Tom Araya \m/

In our now centennial tradition of naming YOURLS releases after a metal vocalist, I’m dedicating this release to Tom Araya, from the most excellent badass old-school thrash band we all love, Slayer. Well, vocalist, or maybe screamist, you be the judges :) Before you continue reading, feel free to crank up some good ol’ relaxing tune.

Update now. Seriously, now\’;UPDATE `your_table` WITH `crap`

YOURLS 1.7 brings several exciting new features, and I will cover major ones in an upcoming series of short blog posts. If you’re of the TL;DR type, check the changelog.

The first feature I want to highlight is not even a feature, it’s a bugfix: in YOURLS 1.7 we have scrutinized several aspects regarding security and we have fixed a potential SQL injection vulnerability.

If you run YOURLS for your own and only use, update ASAP, but if you run a public URL shortener, update riiiiiiiiiiight nooooooooooooow (read that in Tom Araya’s voice to get the feeling)

This update is a simple drop-in replacement: download the latest archive, unzip and upload to your server, overwriting existing files. No update procedure, no DB upgrade.

Update as soon as you can, and do your friends a favor: tell them a new version of YOURLS is out and they should update, tweet and retweet the good word.

Speaking of tweets

A quick note regarding tweets: @yourls used to broadcast boring nerd stuff, aka commit messages. No more boring stuff, it’ll be limited to YOURLS news of general interest. The hardcore nerd herd can follow @yourls_dev instead, where you’ll get an idea of the coding activity and pace.

Executive summary

Update now. Blog posts about awesome features in the next days.

Short URL to this post: