Upgrade OJS 2.4.6 to OJS 3.x error


My system has OJS 2.4.6 running on

PHP 5.3.2-1
MySQL 5.7.21
Apache 2.4.18

I’m trying to update it to OJS 3 but all the tests I do are wrong.

    • I have tried to update it to version 3.0.1 and 3.0.2 in two different tests, and after running
      “php tools/upgrade.php upgrade” everything ends correctly.
      But the system does not work: after both update tests, the browser returns this error when trying to open the initial screen:
      Fatal error: Call to a member function getUserVar() on a non-object in /home/sp-dgroup/a3/www.um.es/testmigra/ojs_v3.0.2/classes/i18n/AppLocale.inc.php on line 75
    • I have also tried updating from OJS 2.4.6 to 3.1.0 and 3.1.0-1 in two different executions starting from the initial one, on the system

PHP 7.0
MySQL 5.7.21
Apache 2.4.18

but after the execution of “php tools/upgrade.php upgrade” it always returns the error

PHP Fatal error: Uncaught Error: Call to a member function getId() on null in /ojs_v3.1.0_1/classes/install/Upgrade.inc.php:1103
Stack trace:
#0 /ojs_v3.1.0_1/lib/pkp/classes/install/Installer.inc.php(415): Upgrade->convertSupplementaryFiles(Object(Upgrade), Array)
#1 /ojs_v3.1.0_1/lib/pkp/classes/install/Installer.inc.php(265): Installer->executeAction(Array)
#2 /ojs_v3.1.0_1/lib/pkp/classes/install/Installer.inc.php(186): Installer->executeInstaller()
#3 /ojs_v3.1.0_1/lib/pkp/classes/cliTool/UpgradeTool.inc.php(88): Installer->execute()
#4 /ojs_v3.1.0_1/lib/pkp/classes/cliTool/UpgradeTool.inc.php(64): UpgradeTool->upgrade()
#5 /ojs_v3.1.0_1/tools/upgrade.php(34): UpgradeTool->execute()
#6 {main}
thrown in /ojs_v3.1.0_1/classes/install/Upgrade.inc.php on line 1103

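Analysis: The error message does not make the specific cause of the failure identifiable. OJS has a large number of plugins, most of them third-party, and the OJS developers are busy with core development, so keeping plugins up to date is a struggle. Upgrade errors generally come from plugins or from some secondary feature modules.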

OJS and Security


OJS is a web-based application that allows users to create accounts and upload content, including files, to the web server. As such, the security of the application must be taken seriously – by the developer (that’s PKP), and by the end-user (that could be you, your university, or another hosting service). In this FAQ entry, we address:

  1. The steps PKP takes to develop secure software, and how you can help
  2. Best practices for deploying PKP software securely
  3. Recommended practices for appropriate file management and “internet hygiene” as a user of the system

1) The steps PKP takes to develop secure software, and how you can help

PKP follows standard best practices for web security, including consistent use of escaping to avoid XSS attacks, tokens to prevent CSRF attacks, etc. We stay abreast of recent trends in security, and wherever possible, use best-of-breed third-party tools with large communities of support. Our software includes structures to permit authorization policy recombination, ensuring that sensitive content is not exposed beyond the amount required for a scholarly workflow. We are responsive to bug reports, security audits, and community inquiries and welcome any such contributions. We disclose serious security issues, when they are discovered, via each application’s software download page:

OJS: https://pkp.sfu.ca/ojs/ojs_download/

The small number of these, historically, is testament to our caution in keeping our software secure.

2) Best practices for deploying PKP software securely

A secure deployment of OJS can be best achieved by using the following recommendations, which are described in docs/README in every download of OJS:

  • Dedicate a database to OJS; use unique credentials to access it. Configure this database to perform automated backups on a regular basis. Perform a manual backup when upgrading or performing maintenance.
  • Configure OJS (config.inc.php) to use SHA1 hashing rather than MD5.
  • Enable captcha or recaptcha in your config.inc.php file, and test that they are working. This will prevent most spam user registrations.
  • Configure OJS (config.inc.php) to use force_ssl_login so that authenticated users communicate with the server via HTTPS. (You will also have to create and configure an SSL certificate properly for this to work.)
  • Install OJS so that the files directory is NOT a subdirectory of the OJS installation and cannot be accessed directly via the web server.
  • Restrict file permissions as much as possible.
  • Deploy and test a proper backup mechanism. The backup mechanism should back up the database, the OJS system files, and the OJS submission files directory (the “files_dir” parameter in config.inc.php). Ideally, you should make both on-site and off-site backups.
  • Ensure that your web server environment is regularly updated, in particular with any and all security patches.

If these steps are followed, you will substantially reduce the risk of falling prey to common hacking techniques. We strongly urge you to review your existing configurations and ensure these steps have been followed.
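
An added example (not PKP's code and not from docs/README): a small Python audit that reads a config.inc.php and reports which of the settings recommended above are not in place. The section and key names (security/encryption, security/force_login_ssl, security/force_ssl, captcha/captcha, captcha/recaptcha, files/files_dir) are assumptions based on the stock OJS configuration template; the page's spelling force_ssl_login is accepted too, and the sample configuration is constructed.

```python
import configparser
import os

# Constructed sample resembling an OJS config.inc.php (not taken from the page).
SAMPLE_CONFIG = """\
; <?php exit(); // DO NOT DELETE ?>
[files]
files_dir = files
[security]
force_login_ssl = Off
encryption = md5
[captcha]
captcha = off
recaptcha = off
"""

TRUE_VALUES = {"on", "1", "true", "yes"}


def _get(cfg, section, key):
    """Read a value, dropping surrounding quotes; '' when the key is absent."""
    return cfg.get(section, key, fallback="").strip().strip("\"'")


def audit_config(text, install_dir):
    """Return findings for the deployment checklist; an empty list means all pass."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    comment_prefixes=(";", "#"))
    cfg.read_string(text)
    findings = []
    if _get(cfg, "security", "encryption").lower() != "sha1":
        findings.append("encryption is not set to sha1")
    # Key names are assumptions; the page calls the option force_ssl_login.
    ssl_keys = ("force_login_ssl", "force_ssl_login", "force_ssl")
    if not {_get(cfg, "security", k).lower() for k in ssl_keys} & TRUE_VALUES:
        findings.append("logins are not forced over HTTPS")
    if not {_get(cfg, "captcha", k).lower() for k in ("captcha", "recaptcha")} & TRUE_VALUES:
        findings.append("captcha/recaptcha is disabled")
    # A relative files_dir resolves inside the installation, i.e. under the web root.
    install = os.path.abspath(install_dir)
    resolved = os.path.abspath(os.path.join(install, _get(cfg, "files", "files_dir") or "files"))
    if os.path.commonpath([install, resolved]) == install:
        findings.append("files_dir is inside the OJS installation")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, "/var/www/ojs"):
        print("FAIL:", finding)
```

The check only reads the configuration; whether the web server actually refuses direct requests to the files directory, and whether captcha works, still has to be tested against the running site.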

3) Recommended practices for appropriate file management and “internet hygiene” as a user of the system

As an author, reviewer, or editor in OJS you deal with submission files from people you don’t know on a daily basis, and there are some basic precautions that you will want to take to mitigate the possibility of being compromised via one of these files. These steps don’t differ from how you would deal with email or other daily life on the internet, but are worth outlining in general form here.

  • Make sure you have antivirus software installed, and that it is up to date.
  • Make sure your operating system and all software (especially Word and Excel) are kept up to date, ideally by turning on any auto-update features available to you.
  • Make sure you have a backup solution available for your work computers.
  • Practice good password management: don’t use the same username/password in OJS as you would for any other online account, and don’t use an easy-to-guess password.

Treat everything that you get online with the knowledge that you received it from someone you don’t know, and act likewise. If a submission appears to be suspicious for any reason (strange email address, suspiciously generic title or abstract, etc.), treat the included files with an additional level of diligence.


OJS 3.1.1-2 Released

PKP announces the release of OJS 3.1.1-2.

These are bugfix releases, notably correcting a reflected XSS vulnerability:

  • OJS 3.0.0 to 3.1.1-1: Issue #3785 (also Bootstrap and Health Sciences themes)

This type of vulnerability requires some social engineering to take advantage of, and runs client-side, so does not present a high risk. However, it is worth correcting if you’re running an affected release (and we always recommend staying up to date). If you are unable to upgrade to the latest release, there are patch instructions at the links above.

To download OJS 3.1.1-2, and for information on upgrading from previous releases, please see http://pkp.sfu.ca/ojs_download

See PKP Applications and Security for general information on security.

Thanks to Metamorfosec for discovery & reporting of the XSS issues.