Flarum

Forums made simple. Modern, fast, and free!

Extensible

Elegant UI

Mobile First

Stylable

Fast & Light

Secure

Trusted

Localised into many languages with 21 translation packs

English
German
French
Simplified Chinese
Italian
Russian
Indonesian
Polish
Dutch
Swedish for Flarum
Czech
Japanese
Spanish
Bosnian language pack for Flarum core and multiple extensions
Turkish
Italian (italiano)
Hungarian translation
Romanian
Korean
Latvian
Traditional Chinese language pack

Showcase

DevNL

A perfect example of Flarum's customizability. This highly customised Dutch developer community has a unique layout, with beautiful elements like a custom loader. Created by the author of the popular SEO and Support Platform extensions.

Ten Digit Grid

An avid adventurer and hiker, Mike has found Flarum to be an excellent platform for blogging about his trips, discussing gear, and meeting fellow hiking enthusiasts while slowly increasing engagement.

UPC Switzerland

Leading provider of communication and entertainment in Switzerland. Their Flarum community creates a framework for healthy togetherness while supporting their customers with an appealing, user-friendly community experience.

Blog

Flarum 1.0.0 Released

v1.0.0 - Kangaroo


  • 🧔 A new user slug driver was introduced which uses the user ID.
  • 🔐 Hardened HTTP headers against malicious actors.
  • 📃 The admin area now has an extensible users list.
  • 👆 New mentions system, no longer tied to usernames.
  • 🤖 Many improvements to canonical URL generation.
  • ⏩ Many improvements to performance in core and bundled extensions, including tags.
  • 😎 Many improvements to accessibility.
  • 🌐 Moved to the ICU format for translations, which paves the way for genderization in translations, among other things.
  • 🔃 The pusher extension now also makes non-public discussions real-time.
  • 📃 Asset publishing was separated from the migrate command into assets:publish.
  • 🔍 Fixed searching discussion titles.
  • 🐛 Tons of fixes.

Kangaroo by Austin Elder from Unsplash

📚 History


Eleven years ago, Toby Zerner set out with a mission: to build a forum for the future. The result, esoTalk, was a good product, and an excellent playground for learning and trying ideas. After a few years, esoTalk evolved into something bigger: a revolutionary new design, based around simplicity, elegance, and ease of use. This was the birth of Flarum.
Now, seven years and sixteen beta releases later, with over a hundred contributors, Flarum finds itself in an exciting period! Adoption of our software has skyrocketed, a substantial extension ecosystem has emerged, and even enterprises are migrating over. Although Toby has moved on to other entrepreneurial projects, the Flarum team is larger and more active than ever, with over a dozen people working passionately to advance the project. In 2019, the Flarum Foundation was brought into existence to safeguard the future of Flarum as a free and open-source product. We have also moved to a steady 2-3 month release cycle, and with that we managed to release the first stable version!
Our team at Flarum believes that the time has come to challenge the traditional forum design and architecture. While forums at their core have remained very much the same over the years, we see that people want something more, and we're here to build it. Flarum has been created specifically to engage and enhance community interactions in a digital world and to develop lean, extensible software that improves the experience of the admin, moderator, extension developer, and most importantly, the user.
Flarum is not just another forum software; it is, much more, an incredibly flexible framework that allows its users to add every feature imaginable to their installations. To this end, Flarum has been explicitly built with extensibility and ease of use in mind, while building upon modern software standards to ensure that it stays within our core ethos: Simple, Modern, and Fast.

📣 The Release


To us, beta never meant that Flarum would break while you were using it. It meant that extensions might no longer work when upgrading. Only twice, with beta 8 and beta 14, has a release broken compatibility with almost all extensions.
With stable out, we will do our best to postpone changes that break extensions to the next major release (v2.0.0) which we currently plan to release in about a year. The stable release as such will mark a time for 🌱 growth and 📈 stability.
That alone is a huge gain of this release, but let's not lose sight of everything else that has been done: 78 issues were closed! We listed the most noticeable changes at the top; if you want to dive into all the changes, please visit the changelog files in our repositories.

👨‍💻 For Developers


Ahead of the release we announced the major changes in a dedicated discussion, which seems to have had a very positive effect on the number of compatible extensions. We refer extension developers to the upgrade guide for a complete list of changes.

⤴️ Upgrading


Before you run the upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!
Before starting the upgrade process, ensure you are on 0.1.0-beta.16, either in your Admin Dashboard or by running php flarum info; use the previous release notes to upgrade from an earlier version first.
To upgrade from 0.1.0-beta.16 to stable, follow our stable upgrade guide in the documentation.
If you run into any issues, please open a new discussion under the Support tag. Even if similar discussions exist, open a new one anyway. Make sure to include the output of php flarum info, the output of composer why-not flarum/core v1.0.0, and the full text of any errors.

🙇‍♀️ Acknowledgements


Reaching stable wouldn't have been possible without the sacrifices made by over a hundred contributors! For this release we specifically thank these wonderful people:
To every Open Collective supporter and Github Sponsor, but especially:
And finally, to you for your ongoing support and enthusiasm that keeps us all going!

🆘 Support the Project


We need your support to:
  • Guarantee continued development on the software.
  • Create a valuable ecosystem around the project.
  • Ensure healthy extensions are available.
You can support us:
  • 👕 By getting some swag from our merchandise store!
  • 💵 By backing us on Open Collective or on GitHub.
  • 👩‍💻 By contributing to the source code, hop onto any of our open issues.
  • 🌎 By translating Flarum and extensions into your own language.
  • 💝 By sharing your love for Flarum with friends, family and on the internet.
  • 💬 By hanging out with us, here on discuss!

🔮 What now?


In the coming weeks we'll let our team relax, as everyone has been pushing hard for this release for months on end! For this reason we have sent all our team members some well-deserved swag to celebrate stable and to thank them for their contributions to the project.
Our next release will be a minor patch version addressing any bugs we missed in 1.0. In the meantime, we'll be doing a lot of internal discussion and planning to put together roadmaps and strategy moving towards v2.
Critical security update to Flarum core, with new incident write-up (v1.0.2)
This post was edited 2021-06-07 at 20:50 UTC to include a full write-up of the security incident. The original announcement is still available at the bottom of this post.
If you have not yet updated to v1.0.2 or later, do so immediately. The details of the vulnerability are public, and your forum could be maliciously exploited.
Affected versions:
  • v1.0.0 - ⚠️ Affected
  • v1.0.1 - ⚠️ Affected
  • <= v0.1.0-beta.16 - ✅ Not affected
Upgrade instructions:
# Update to latest version
composer update --prefer-dist --no-dev -a -W

# Verify that you're on v1.0.2
composer show flarum/core

# Clear cache
php flarum cache:clear

Preface

On Saturday 5 June 2021 at 23:02 UTC, I (@davwheat) discovered a critical cross-site scripting (XSS) vulnerability in Flarum core, affecting versions v1.0.0 and v1.0.1.
This vulnerability related to the handling of variables passed to core's translator, and the possible conversion of strings into HTML DOM nodes.
The details of this vulnerability were disclosed on the Flarum Discord's #devs-security channel at 23:05 UTC (3 minutes after discovery). The vulnerability's CVSS base score is 10.0, the highest score possible.
The vulnerability was initially found while performing some local testing on an unrelated area of core's code, before noticing that HTML strings entered into the search box would be parsed and inserted into the DOM as HTML instead of text.
This was patched through a combination of efforts from multiple developers, and swiftly pushed to core's master branch at 01:47 UTC the next day (2021-06-06). Matt ( @tankerkiller125) manually pushed the update to demo.flarum.site and nightly.flarum.site for testing purposes and to patch the vulnerability. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.0.2 at 02:26 UTC.
Posts were made on Discuss, involving the creation of a new discussion (https://discuss.flarum.org/d/27558) and posts on the v1.0.0 and v1.0.1 release discussions. Jordan (@jordanjay29) sent an announcement in Discord a few minutes later at 02:32 UTC.

What caused the vulnerability?

Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made between v0.1.0-beta.16 and v1.0.0 and was not noticed or documented.
This allowed any user to type malicious HTML markup into certain user input fields and have it execute in the browser of whoever rendered it. The example which led to the discovery of this vulnerability was the forum search box. Entering faux-malicious HTML markup such as <script>alert('test')</script> resulted in an alert box appearing on the forum. The same injection could be modified to perform AJAX requests on behalf of the victim, possibly deleting discussions or modifying their settings or profile, or even modifying settings in the Admin panel if the attack was targeted at a privileged user.
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, giving a base score of 10.0, the highest possible. See the CVSS breakdown below.
A security advisory has been published on GitHub detailing the vulnerability: https://github.com/flarum/core/security/advisories/GHSA-5qjq-69w6-fg57. We have been assigned CVE-2021-32671, which will be published on the official CVE list at mitre.org: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32671

CVSS breakdown

Attack vector: network
This attack is performed over a network without physical or local access required. The network does not have to be adjacent.

Attack complexity: low
The attack can be performed relatively simply and affected all forums regardless of their individual configuration. It is repeatable under all conditions.

User interaction: none
The example that led to the discovery of this vulnerability does require user interaction: a malicious link must be clicked and text must then be entered into the search box. However, we believe there is a high chance that it may be possible to perform an attack due to this vulnerability without any user interaction. The vector above scores this metric as UI:N on that basis; scored as UI:R instead, the same vector yields a CVSS 3.1 base score of 9.6, still Critical.

Scope: changed
The vulnerable component is the Flarum forum. The impacted component is the user's browser, therefore the scope has changed.

Confidentiality impact: high
An impacted user's details could be fully retrieved by the attacker via a malicious AJAX request.

Integrity impact: high
An impacted user's details could be changed by the attacker via a malicious AJAX request.

Availability impact: high
If a forum administrator was impacted, a malicious AJAX request could modify forum settings on the Admin dashboard and cause a full forum denial of service, for example by injecting broken JavaScript into the custom header, which breaks the forum frontend for every visitor.

How was the vulnerability fixed?

When passing variables to the translator, we now perform some extra checks.
Now, if the passed variable is a string, we wrap it in a Mithril fragment (a virtual DOM node that is not itself converted into a real DOM node when rendered) and use that instead. Mithril then renders the fragment's contents as text only, never as HTML markup.
For more info, please see the commit that fixes this vulnerability: flarum/core@440bed8
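To make the difference between the vulnerable behaviour described under "What caused the vulnerability?" and the fix above concrete, here is an added example. It is not code from the commit or from Flarum's translator: it uses a toy virtual-DOM renderer written for this page in place of Mithril, and that renderer deliberately treats bare string children as trusted markup, which is the behaviour the write-up describes. The message key, the fragment() helper and the rendersInputAsText() check are all constructed for the example; the check is the kind of frontend regression test the write-up later says core lacks.

```javascript
// Added example, not Flarum's code: a toy virtual-DOM renderer that models the
// translator bug and the shape of the fix (string variables wrapped in a
// text-only fragment). The message catalogue and renderer are constructed for
// this example; Mithril itself is not used.

const TEXT = Symbol('text'); // tag used for text-only fragments

// Escape the characters that matter inside text content.
function escapeText(s) {
  return String(s).replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}

// fragment(): the analogue of the fix, a node whose contents are always text.
function fragment(text) {
  return { tag: TEXT, text: String(text) };
}

// h(): an ordinary element vnode with child nodes.
function h(tag, ...children) {
  return { tag, children };
}

// Toy renderer. To model the behaviour in the write-up, a bare string child is
// treated as trusted markup; a text fragment is escaped; elements recurse.
function render(node) {
  if (typeof node === 'string') return node;
  if (node.tag === TEXT) return escapeText(node.text);
  return `<${node.tag}>${node.children.map(render).join('')}</${node.tag}>`;
}

// Constructed message catalogue (not Flarum's real translation keys).
const messages = {
  'search.all_discussions': 'Search all discussions for "{query}"',
};

// Split a template into literal text and {placeholder} substitutions.
// `wrap` decides what happens to each substituted variable.
function interpolate(template, vars, wrap) {
  const parts = [];
  const re = /\{(\w+)\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    if (m.index > last) parts.push(fragment(template.slice(last, m.index)));
    parts.push(wrap(vars[m[1]]));
    last = re.lastIndex;
  }
  if (last < template.length) parts.push(fragment(template.slice(last)));
  return parts;
}

// Vulnerable shape: variables are passed straight through, so a string typed
// by the user reaches the renderer as markup.
function transVulnerable(key, vars) {
  return h('span', ...interpolate(messages[key], vars, v => v));
}

// Hardened shape: a string variable is wrapped in a text-only fragment; a
// vnode built by the caller (e.g. h('strong', ...)) still passes through.
function transFixed(key, vars) {
  return h('span', ...interpolate(messages[key], vars,
    v => (typeof v === 'string' ? fragment(v) : v)));
}

// Regression-style check: does user input containing markup characters reach
// the rendered output verbatim? Returns true when the translator is safe for
// the given input.
function rendersInputAsText(trans, input) {
  const html = render(trans('search.all_discussions', { query: input }));
  return !/[<>]/.test(input) || !html.includes(input);
}

// The faux-malicious input from the write-up.
const PAYLOAD = "<script>alert('test')</script>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', render(transVulnerable('search.all_discussions', { query: PAYLOAD })));
  console.log('fixed:     ', render(transFixed('search.all_discussions', { query: PAYLOAD })));
}
```

Running it prints the two renderings of the page's script-tag input: the vulnerable translator emits the tag verbatim, the hardened one emits it escaped, and a caller can still pass its own vnode (for example a strong element) through the hardened path unchanged, which is why the fix only wraps strings rather than rejecting every non-text variable.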

What did we do right?

The quick disclosure and reaction time of multiple developers allowed for the rapid patching of core. This vulnerability was patched in 3 hours and 24 minutes, which is incredible.
All available members of the core team dropped what they were working on to patch the vulnerability together. Over 630 messages were sent between developers, QA testers and the Foundation board members during the discovery, verification and patching of this vulnerability. We couldn't have asked for anything more from the entire Flarum team when we needed them.

What could we improve?

At the time of the discovery, no online developers had the ability to draft a security disclosure on GitHub. This would have provided us with a secure way to attempt to develop a patch together and review the code more easily. Instead, we needed to send screenshots of code and write suggestions in Discord. This also meant we could only easily test the patch on one device (mine) before pushing to master and then testing on other deployments.

How can we prevent this happening again?

Our rich text formatter is currently located outside of the Flarum organisation. That package was developed independently of the Flarum team, so code reviews by multiple core developers never took place. Even within the organisation, our code reviews tend to focus on code style, correctness and readability rather than on searching for possible exploits.
This vulnerability was discovered purely by luck; there is no telling how long it could have remained in Flarum had it not been caught. We need to work towards having JavaScript tests as standard for Flarum core. We currently have PHP tests which check that users cannot perform dangerous actions without the required permission, but we have no way to automatically check the forum frontend for possible vulnerabilities and bugs. Such tests would be extremely helpful for future release cycles, bug detection and vulnerability scanning.

Original announcement

Recently we released a critical security fix for Flarum core. We urge all forums running versions v1.0.0 and v1.0.1 to update immediately to v1.0.2.

Affected versions

  • v1.0.0 - ⚠️ Affected
  • v1.0.1 - ⚠️ Affected
  • <= v0.1.0-beta.16 - ✅ Not affected

Impact

This critical vulnerability allows any user to perform a cross-site scripting (XSS) attack, which could result in escalation of privilege and denial of service on forums running the affected versions.
We estimate this to have a CVSS score of 10, which is the highest possible severity.
Full details will be available in the near future as forums running on affected versions update.

Patches

All forums running Flarum core v1.0.0 or v1.0.1 should immediately update to v1.0.2.

References

A security advisory has been published on GitHub detailing this vulnerability: https://github.com/flarum/core/security/advisories/GHSA-5qjq-69w6-fg57.
Full details will be available in the near future as forums running on affected versions update.

Credit

Thank you to @davwheat for identifying the vulnerability and providing the patch.
A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing [email protected], and we will address it promptly.
You can find our full security policy on GitHub.

How to update

Update immediately to Flarum core v1.0.2.
# Update to latest version
composer update --prefer-dist --no-dev -a -W

# Verify that you're on v1.0.2
composer show flarum/core

# Clear cache
php flarum cache:clear

Follow-up

Full details will be available in the near future as forums running on affected versions update.

Support

As always, for support, please create a new discussion in the Support tag.
Dev Diary: Build 18
Welcome to the next cycle, the first post-stable release.
Share in our excitement of releasing stable on the Announcement 🥳
We'll post information about our plans soon ™️ , but first we'll take a bit of time off to relax after our months of effort in releasing stable. We'll follow up with support and bug reports in a timely manner.
Flarum 1.0.1 Released - minor patches
👋 Hello everyone,
We haven't concluded our current development cycle, but wanted to fix some blocking issues that we have encountered since the release of our first stable version, Kangaroo. This announcement contains a number of patches; we recommend updating your existing Flarum community as soon as possible.
Summary:
  • Not all tags are shown in the permission grid if permissions are assigned to secondary tags.
  • The button to add links is not visible.
  • Installations are impossible on some environments.

Upgrade

  • Fresh installations (with composer create-project flarum/flarum) will automatically install these patch releases.
  • For existing Flarum installations you can update using:
composer update --prefer-dist --no-dev -a
php flarum cache:clear
You can then check whether you are on the latest release from the admin area or by running:
php flarum --version

Changes

Flarum (core) v1.0.1

Fixed

  • Installation fails on environments without proc_* functions enabled or mysql client binary (flarum/core#2890)

Tags v1.0.1

Fixed

Markdown v1.0.1

Fixed

Thanks

Thanks to the amazing bug reporters and especially likuilin and @DursunCan for filing great reports on GitHub.
Thanks to the superstar people doing QA for these patches @Ralkage and @datitisev.
Thanks to the wonderful people providing the patches @SychO, @davwheat and @luceos.


Please use this discussion only for feedback and comments, not support. Support questions should be raised in their own discussion. We will not sticky this release because it contains only patches.
Flarum 0.1.0-beta.14 Released
Hello my magnificent Flarumites!
We have taxed your patience in bringing the newest beta installment of Flarum. Yet this release marks closure on the most impactful change in preparation for stable since beta 8, the frontend framework upgrade. With 80+ issues closed in addition to that upgrade, Beta 14 is the largest release Flarum has seen so far. Moreover, this release only took 5 months, in comparison to Beta 8 which had comparable scope but took 17 months.
It wasn't always easy, especially with all that happened in the world around us, but our team persevered in shipping a release we can be proud of.
It does not matter how slowly you go so long as you do not stop. --Confucius

Cairns Birdwing


🔔 What’s Changed?


The focus of this release was a long overdue upgrade of Flarum's frontend framework from Mithril v0.2 to Mithril v2.0. This also included refactors of many major frontend components like the discussion list, notifications dropdown, and post stream. We also started using TypeScript in core's frontend, upgraded the Laravel packages we used from v5 to v6, and fixed a lot of bugs. Most changes are more applicable to extension developers, but they go a long way towards increasing stability of our frontend. A few user-visible highlights:
  • 📦️ When enabling and disabling extensions we now check their dependencies on other extensions to prevent bricking your forum. For instance, since askvortsov/categories relies on flarum/tags, you can't enable it unless flarum/tags is enabled. (flarum/core#2188)
  • 🗨️ Fixed a bunch of bugs with the post stream
  • 🏷️ Improved tag discussion count and last posted discussion calculations
  • ⬅️ Added a "view post" popup after editing a post, similar to the one shown when you create a post. (flarum/core#2108)
  • ✉️ Email configuration can now be tested from within the admin area. (flarum/core#2023)
  • 🔍 Searching for users based on groups is now also possible using the group ID. (flarum/core#2192)
  • 🕛️ Relative times are now updated without reloading. (flarum/core#2208)
  • ⚠️ Improved request error handling with modals. (flarum/core#1929)
  • 😁 Font Awesome was updated. (flarum/core#2274)
  • 📛 User display names are now implemented as drivers, and have extenders (flarum/core#2174)
  • 🔒️ The bundled Facebook, GitHub and Twitter authentication extensions have moved to Friends of Flarum. flarum/core#2006
There are a bunch more! If you're into this, feel free to scour our changelogs and releases on GitHub.

👨‍💻 For Developers


If you are a developer, please be aware that this release contains many breaking changes; make sure to read the full upgrade guide in our docs! Some key points:
  • We are now using Mithril 2, which means a lot of changes to components will be needed. (flarum/core#2255)
  • You MUST use the new View extender for registering Laravel View namespaces instead of resolving the View factory directly in extend.php (flarum/core#2134)
  • The Laravel packages Flarum uses have been upgraded from v5 to v6. This means that some helpers, like array_get, are no longer available. Also, the Application has been decoupled from the IoC container and Laravel's Application contract. (flarum/core#2243)
  • Application paths have been moved to the resolvable Paths class. (flarum/core#2142)
  • Config (config.php contents) has been moved to the resolvable Config class. (flarum/core#2271)
  • Subjects and bodies for notification emails can (and should!) now be translated. (flarum/core#2244)
  • A user extender for display name drivers and user group pre-processing has been added. (flarum/core#2110)
  • Other changes are mentioned in the upgrade guide for this release.
Developers are urged to check the changelogs of related packages when they run into issues. You can review the Beta 14 Upgrade Guide to ensure your extensions are up to date.
If you have any questions or run into any obstacles in upgrading, please open a new discussion in the Dev tag or find us in #extend on our Discord.

⤴️ Upgrading


Please note that Beta 14 comes with a lot of changes, and extension developers will need some time to catch up. Please ensure that all extensions you need have been updated for beta 14 before upgrading your forum.
Before you run the upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Step 1: Ensure you are on version 0.1.0-beta.13 in your Admin Dashboard or by running php flarum info (use the previous release notes for upgrading from an earlier version)
Step 2: Uninstall every 3rd party extension that isn't compatible with beta 14 yet. Most extensions are no longer compatible! You can check which extensions are compatible at Extiverse (it needs up to one hour after release to display compatible extensions).
Step 3: Disable the remaining extensions. Re-enabling them one at a time after you update will make it easier to debug if any issues occur.
Step 4: Run the following commands:

composer remove --no-update flarum/auth-facebook flarum/auth-github flarum/auth-twitter
Now update all versions without installing them yet:
composer update --no-install --with-all-dependencies
[optional] In case you used the facebook, github or twitter log in extensions:
composer require --no-update fof/oauth
Now install everything you've updated:
composer install --prefer-dist --no-dev -a
Last step is to run the database changes and clear the cache:
php flarum migrate
php flarum cache:clear
Step 5: Use your newly-upgraded Flarum site!
If you run into any problems, please open a new discussion in the Support tag. There may be discussions of similar issues, but open a new one anyway, it helps us get your specific problem resolved faster.
If the problem persists – we're here to help! Make sure to include the output of php flarum info. Please also include the output of composer why-not flarum/core v0.1.0-beta.14

🙇‍♀️ Acknowledgements


Flarum releases wouldn't be possible without a multitude of people, our thanks go out to all of them! Thank you...
To everyone who contributed code this release, especially @w-4, @matteocontrini, @SychO, @Kylo, @Littlegolden, @iPurpl3x, @fengkx, @corvofeng, @Qiaeru, @davwheat, @gruentee, @tariqthedev, @eddiewebb, @angus, @alphaman, x7airworker, w3Abhishek, phanlyhuynh, nlssn, lhsazevedo, julakali, Heniisbaba, timas130, spekulatius, razonyang, jxsl13, and anyone else we've missed;
To our eagle-eyed bug reporters, especially @w-4, @matteocontrini, @SychO, @LianSheng, @peopleinside, @iPurpl3x and anyone else we've missed;
To the incredible team behind Flarum, including @Franz, @luceos, @jordanjay29, @datitisev, @clarkwinkelmann, @tankerkiller125, @askvortsov, @Liberty, @Digital, @Pollux, @katos, @Kyrne and @Ralkage;
To every Open Collective supporter and Github Sponsor, but especially Glowing Blue AG and KAV Partners. And also @rehrar, @BartVB, Christoph Schneegans, Dan Rezykowski, Sridhar Kamma, Donald Broussard, GuitarTalk, Hari, @ianm, Jian Gong, @phenomlab, @Edmilerad, Daniel Alter, espectrunk, FibraClick, HostBend LLC, Ken Lam, Lay Dominicans of bl. Michał Czartoryski, odyssea-ogc, Open Collective Inc, Timotheus Pokorra, malago86, yannisme, @askvortsov, zgq354, AndreiTelteu, @tankerkiller125, @angus, Wadera, @pkernstock, demianh, @hrvoje_hr;
Your continued support is extremely helpful, being fundamental to stable development for Flarum! Help us become a sustainable project by backing us on Open Collective or on GitHub
And finally, to you for your ongoing support and enthusiasm that keeps us all going!

Developers

Extend

Learn how to harness the extensibility of Flarum to create your own extensions and customize your community.

Contribute

Help us make Flarum even more powerful and customizable! Every bug report, pull request, and documentation improvement is a huge help.

Built with the best tools

Have you ever changed tires with a spoon? Using the right tools for the job is key to success. We thank our technology partners for their generous product donations!