Forum Replies Created
In reply to: bbPress 2.0 – Updates
There is no need to minify PHP comments, they are dropped by opcode caches.
However reducing query count is not going to be easy.
I’ll do a 3rd party analysis on the queries (and file count) next week or so, I suspect there is going to be little that can be done to reduce the load because of how this is now being done. It is likely any bbPress plugin install is going to have to be heavily cached on any reasonably active site, just like WordPress now absolutely requires a complicated cache like W3 Total Cache.
But what people don’t realize is you cannot cache an active forum like a blog, they work very differently. Blogs are write-once, read many times and then the comments can be isolated with periodic updates. But on a forum it’s write-many-times and constantly changing. So there will always be many cache misses and the MySQL engine will get a huge workout.
Try using WP3 these days on an active site where there are cache misses, the server will fall apart. You cannot rely on the miracle of caching and ultra-fast hardware to get around fundamental design problems.
In reply to: bbPress 2.0 – Updates
These popped up in my alerts:
bbPress plugin project saw serious progress during Google Code-in
It’s a shame that topic split/merge had to wait until the plugin version to be done in the API and not in the previous few years for the standalone.
Neither of the writeups mention the impact of database queries and the size of the codebase so I will have to explore that next week. I suspect they are high. It’s easy to pile on features but hard to make them efficient.
ps. Gautam is only 15 ?! Wow, amazing work for such a young age.
In reply to: Security Bug Report Contact
Looks like WP’s emergency update for esc_url should also be ported to bbPress.
I am thinking we need to do a security update for 0.9 as well since many people (thousands) are locked into it.
In reply to: Security Bug Report Contact
I am guessing, but moving up esc_url only works because the vulnerable url fails the list of allowed protocols. This will break relative urls being passed (try using /forums/ for example, without http). But since relative is a rare case (I use relative but via plugin) I guess it’s acceptable.
In reply to: Security Bug Report Contact
Maybe I am getting rusty, but looking at the diff, I don’t see it.
Basically it’s the same thing, shuffled around a bit, and the same esc_url and esc_attr are being used at the end, which is the same pattern as the existing 1.0/1.1 code. Are you sure the fix was not being caused by just having a more updated version of esc_url and esc_attr? Or was it just being solved by moving those two sanitizers up higher, before bb_safe_redirect could ever be called? Because that was definitely an oversight on someone’s part (not me). Based on the comments I’d guess they thought their functionality was for display filtering and not actually sanitization.
Looking at esc_url though, its default is indeed meant for displaying urls by default; note the comment in the code “Replace ampersands and single quotes only when displaying.” and how the context is set by default to “display”. Maybe test your solution with a url that contains an ampersand, it probably will not work?
Also, are you relying on the list of protocols to do the sanitization? Because that could be defeated too (and would prevent using relative urls that are legitimate).
ps. very minor, but you have confusing indentation indicating nesting with the code at line 18 – which actually is not nested.
Feel free to email me directly if that’s better.
In reply to: Security Bug Report Contact
Thanks, I got the report.
This is interesting.
Do you find that WordPress fails this test too? Because it uses a very similar routine.
I feel the problem should be addressed in function wp_sanitize_redirect,
which would solve it cross-platform.
In reply to: Security Bug Report Contact
You can email me at the address on my donate page on my website.
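The esc_url replies above draw a line between escaping a url for display (esc_url’s default “display” context rewrites ampersands) and validating it as a redirect target, and note that a protocol allowlist on its own rejects legitimate relative urls. As an added example, not bbPress or WordPress code, here is a self-contained PHP validator for Location-header targets that accepts site-relative paths and applies the protocol allowlist only to absolute urls; safe_redirect_target, for_html_attribute, the allowed-host list and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not bbPress/WordPress code: validate a redirect target as
// data for a Location header instead of escaping it for display.
const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_HOSTS   = ['forums.example.com'];   // constructed sample host

// Returns the target if it is safe to redirect to, or null if it must be
// rejected. Site-relative paths such as "/forums/" are accepted; protocol-
// relative "//other.example/" and off-site absolute URLs are not.
function safe_redirect_target(string $url): ?string
{
    // CR/LF or other control characters could split the header: reject.
    if ($url === '' || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    // Exactly one leading slash means a path on this site. "//" and "/\"
    // are treated as protocol-relative by browsers, so they fall through.
    $second = substr($url, 1, 1);
    if ($url[0] === '/' && $second !== '/' && $second !== '\\') {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;   // unparsable, or a scheme with no host (data:, mailto:)
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;   // protocol allowlist, applied only to absolute URLs
    }
    // parse_url puts "user@" into 'user', so "https://forums.example.com@x/"
    // is checked against host "x", not the decoy in front of the "@".
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}
// Display escaping is a separate job: "&" becomes "&amp;", which is right
// inside an href attribute but would corrupt a query string in a header.
function for_html_attribute(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs.
foreach (['/forums/', '//other.example/', 'ftp://files.example.com/',
          'https://forums.example.com/topic?id=5&page=2',
          'https://other.example/'] as $in) {
    printf("%-46s => %s\n", $in, safe_redirect_target($in) ?? 'REJECTED');
}
echo for_html_attribute('https://forums.example.com/topic?id=5&page=2'), "\n";
```

Only the first and fourth inputs pass; the last line shows the same accepted url with its ampersand rewritten, which is what display escaping does and why it is not a substitute for the validation above.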
In reply to: cannot edit title of anonymous posts (1.1 trunk)
This is likely a permissions bug with 1.1 dealing with anonymous posts being edited by admin.
Someone will have to look through the code (if the bug can be duplicated).
In reply to: hide ip address
Actually I think IP can be seen in the admin area too by mods.
It’s possible to remove IP viewing ability via capabilities though.
In fact that sounds very familiar, I think I made a mini-plugin for it a while back.
In reply to: bbPress Top 100, October 2010 Update
Some interesting statistics for the entire 10,000+ collection of all bbPress installations:
bbPress Version Popularity
1.1 : 1%
1.0 : 48%
0.9 : 36%
0.8 : 15% (includes sites below 1.x that hide their version, as 0.8 has no consistent way to be detected)
PHP Popularity
5.3 : 4%
5.2 : 70%
5.1 : 4%
5.0 : 1%
4.4 : 6%
4.3 : 1%
?? : 15% (unknown)
So PHP version 5 adoption has finally taken off in late 2010.
Server Popularity
Apache : 40% (specific version unknown)
Apache/2.2 : 35%
Apache/2 : 10% (sub-version unknown)
Apache/1.3 : 5%
Nginx : 5%
Microsoft-IIS : 3%
Litespeed : 2%
(and quite a few others/variations but below a single percent each)
Downloads via bbPress.org as of October 2010
bbPress 0.9 : 150,000+
bbPress 1.0 : 129,000+
_ck_ plugins: 102,000+ (total, all included)
In reply to: bbPress Top 100, October 2010 Update
bbPress is now being used in over 100 countries/regions in over 50 languages!
Here is a sample of the Top 50 countries/regions:
United States
Russia
Germany
United Kingdom
Spain
France
Italy
Turkey
Poland
Brazil
Canada
China
Netherlands
Sweden
Japan
Australia
Denmark
Romania
Ukraine
Switzerland
Czech Republic
Finland
Norway
Argentina
Thailand
Bulgaria
South Africa
Iran
Hungary
Austria
Latvia
Lithuania
Belgium
New Zealand
Israel
Indonesia
Slovakia
Portugal
Tokelau
Ireland
Chile
Mexico
South Korea
Serbia
Taiwan
Saudi Arabia
Greece
Malaysia
Estonia
Philippines
Note that the targeted audience as indicated by the flags on the right of the list is more of an art than a science, so please do not be insulted if my algorithm got it wrong. It’s a combination of looking at the TLD and the declared language type being used on the page.
For example a site may have a flag for Spain if Spanish is used but no other specific variation or TLD is used, etc.
The most popular TLDs for bbPress forums are:
.com (by 50% !)
.org
.net
.ru
.uk
.de
.it
.info
.ca (honourable mention as .ca has 50% less than .info
however pl, fr, nl, se and au all have over 100 sites)
In reply to: bbPress Top 100, October 2010 Update
In October 2010, to make the Top 100 (out of 10,000+ installations) now requires over 50,000 posts!
We have a new leader, Singletrack Mountain Bike Magazine, beating out the old champion Simon & Schuster (international book publisher) with nearly 1.8 MILLION posts. Absolutely incredible growth!
There are five bbPress powered forums with over a million posts now!
singletrackworld.com http://www.singletrackworld.com/forum/
simonandschuster.com http://forums.simonandschuster.com/
wordpress.org https://wordpress.org/support/
greedyorneedy.com http://www.greedyorneedy.com/forum/
weddingbee.com http://boards.weddingbee.com/
Nearly 300 more have over ten thousand posts,
and nearly 1,000 have over one thousand posts.
Over four dozen new bbPress powered forums are put online every week on average!
Unread Posts probably doesn’t work with 1.x, so deactivate it asap.
In reply to: Mini stats
In the installation instructions it tells you how to do custom placement.