Security update for IntelliJ-based IDEs v2016.1 and older versions

Eugene Toporov

We have just released an important update for all IntelliJ-based IDEs. This update addresses critical security vulnerabilities inside the underlying IntelliJ Platform. The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.

While we have had no reports of any active attacks against these vulnerabilities, we strongly recommend that all users install the update as soon as possible.

Please read more on the issues and ways to update below.

Built-in web server vulnerabilities

The cross-site request forgery (CSRF) flaw in the IDE’s built-in web server allowed an attacker to access the local file system from a malicious web page without user consent.

Internal RPC vulnerabilities

Over-permissive CORS settings allowed attackers to use a malicious website to access various internal API endpoints, gain access to data saved by the IDE, and gather meta-information such as the IDE version or open a project.
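The CORS weakness above is the kind of thing a user can verify for themselves after patching. The following is an added example, not code from the JetBrains post: it classifies the CORS headers a server returns to a cross-origin request (wildcard, reflected origin, "null", allow-listed, or none) and optionally probes a local IDE server with a constructed Origin header. The server URL http://localhost:63342/ (the port mentioned in the comments below) and the probe origin are assumptions, not values from the post.

```python
"""Classify CORS response headers for over-permissiveness and optionally
probe a locally running IDE web server (added example, not JetBrains code)."""
import urllib.error
import urllib.request
from typing import Dict, Mapping, Optional, Tuple

# Constructed origin: no local developer tool should ever grant it read access.
PROBE_ORIGIN = "http://attacker.example"
# Assumed local server URL (port taken from the comment thread, not the post).
DEFAULT_URL = "http://localhost:63342/"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def cors_verdict(headers: Mapping[str, str], origin: str) -> Tuple[str, bool]:
    """Return (verdict, cross_origin_readable) for a response to a request
    that carried the given Origin header.

    cross_origin_readable is True when a page on `origin` would be allowed by
    the browser to read the response body, i.e. the CORS policy is permissive.
    """
    acao = _header(headers, "Access-Control-Allow-Origin")
    creds = (_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao is None:
        # No CORS grant at all: the browser blocks cross-origin reads.
        return "no-cors", False
    if acao == "*":
        # Any origin may read the body (browsers ignore credentials with '*').
        return "wildcard", True
    if acao == "null":
        # A 'null' origin is trivially obtainable, so treat it as permissive.
        return "null", True
    if acao == origin:
        # The server echoed our arbitrary origin back: effectively a wildcard,
        # and worse if credentials (cookies/auth) are allowed as well.
        return ("reflected-with-credentials" if creds else "reflected"), True
    # A specific, different origin is allow-listed; our probe origin is not.
    return "allow-listed", False


def probe(url: str = DEFAULT_URL, origin: str = PROBE_ORIGIN,
          timeout: float = 3.0) -> Tuple[Optional[int], Dict[str, str]]:
    """GET `url` with a cross-origin Origin header and return (status, headers).
    status is None when nothing is listening (connection refused / timeout)."""
    req = urllib.request.Request(url, headers={"Origin": origin}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry headers worth inspecting.
        return err.code, dict(err.headers.items())
    except (urllib.error.URLError, OSError):
        return None, {}


def check_local_server(url: str = DEFAULT_URL) -> str:
    """Human-readable summary of the CORS posture of the server at `url`."""
    status, headers = probe(url)
    if status is None:
        return f"{url}: no server answered"
    verdict, readable = cors_verdict(headers, PROBE_ORIGIN)
    posture = "PERMISSIVE" if readable else "ok"
    return f"{url}: HTTP {status}, CORS verdict={verdict} ({posture})"


if __name__ == "__main__":
    print(check_local_server())
```

A `reflected` or `wildcard` verdict on an IDE endpoint means an arbitrary web page could read that endpoint's response, which is the class of problem the update fixes.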

Our huge thanks go to Jordan Milne for disclosing these issues and working closely with us, and to the Android Studio team from Google for perfect collaboration while working on the fixes.

What to do

To install the update simply select ‘Check for Updates’ from inside the IDE or visit www.jetbrains.com to download the most recent version. If you are using a version prior to 2016.1.x, read below for download links.

For more details about the security update and in case of additional questions, refer to the FAQ below.

FAQ

Q: What products / versions are updated?
A: All JetBrains products built on IntelliJ Platform are affected. The table below shows the minimum versions for which an update is released. If you are using the listed version or a higher one, then you need to update.

Product        Updates available as of version (build number)
AppCode        2.1 (129.772)
CLion          1.0 (141.353)
DataGrip       1.0 (143.1410.7)
IntelliJ IDEA  12.1 (129.161)
MPS            3.0 (129.350)
PhpStorm       6.0 (129.291)
PyCharm        2.7 (125.57)
PyCharm Edu    1.0 (139.280)
Rider          Private EAP builds prior to build 144.5342
RubyMine       5.4 (129.241)
WebStorm       6.0 (127.68)

Q: Are earlier versions affected?
A: We are not aware of similar vulnerabilities in older versions. The built-in web server was introduced in December 2012 (branch 129.x), and the above-mentioned and now fixed internal RPC vulnerabilities did not exist in older versions. Still, the possibility of vulnerabilities in older versions exists, which is why we recommend upgrading your IDE if it was released more than 3 years ago.

Q: What products are NOT affected?
A: ReSharper, ReSharper C++, dotCover, dotMemory, dotTrace, dotPeek, TeamCity, YouTrack, Upsource and Hub are not affected and do not need this security update.

Q: I need a full download rather than a patch for an earlier version of the IDE. Where can I download it?
A: Check the previous versions page for your product below. All versions published there contain the security update or are not affected by these two specific vulnerabilities.

Q: I’m unable to update to the latest version. Where can I get help?
A: Please contact us about the problems that prevent you from updating.

Q: I’m building an IDE on IntelliJ Platform. What should I do?
A: Make sure to merge the latest changes from the corresponding branch of intellij-community: the “129”, “131”, … “145” branches for the “129.*”, “131.*”, … “145.*” builds respectively, and “master” for the “146.*” or “162.*” builds. For details or any questions or concerns, please contact security@jetbrains.com or the partner team at busdev@jetbrains.com.

Q: I’m using an IDE built on IntelliJ Platform but not from JetBrains. What should I do?
A: We have been in contact with our partners building on IntelliJ Platform. Updates for Android Studio 1.5.x and 2.x should be available already. Please contact the vendor of the IDE for an update. If you have other questions, please contact us.

Q: I’m developing a plugin for IDEs built on IntelliJ Platform. Does my plugin need update?
A: No, plugins are not affected.

Q: I’d like to be notified about security vulnerabilities in future.
A: You can subscribe to the security bulletin at www.jetbrains.com/security/subscribe.

UPDATE: If you’re running on OS X and the IDE doesn’t start after installing the update, please refer to https://intellij-support.jetbrains.com/hc/en-us/articles/208516145 for workarounds.

JetBrains Team
The Drive to Develop


290 Responses to Security update for IntelliJ-based IDEs v2016.1 and older versions

  1. Kirill Rakhman says:

    May 11, 2016

    Was the bug exploitable when you didn’t start any server, e.g. when you only developed an Android/Desktop app?

    • Hadi Hariri says:

      May 11, 2016

      The web server is active as soon as you start the IDE, so as such it is vulnerable. The updates will address this problem.

      • Dave says:

        May 11, 2016

        But what if I don’t want the IDE to start a webserver? How do I stop that?

        • Philip Whitehouse says:

          May 11, 2016

          I have to agree. Fixing a bug in the webserver is fine, but it seems like an unnecessary attack surface for most development.

          • Hadi Hariri says:

            May 11, 2016

            The Web Server is used for quite a bit of functionality for the IDE, independently of whether you’re doing web development or not. If we were to disable it, it would remove some of this functionality.

            Right now our main focus has been to address these issues while doing our best to not break any functionality in the products.

            • Pritam Baral says:

              May 11, 2016

              Couldn’t that be served by a Unix socket? Obviously, I don’t know what the webserver is used for; but if all you needed was some form of IPC among locally running processes anyway, it seems there was never a need to expose it to the network.

              • Hadi Hariri says:

                May 12, 2016

                When we discovered the vulnerabilities, our first and foremost objective was to fix them as soon as possible and release updates for all products, without having a major impact on functionality and the workflow of our customers.

                The internal server is not exclusively used for web application development but also serves for other functionality such as the Internal Git SSH support, Http Authorization, Serving Documentation from JAR’s as well as providing a REST API endpoint. Simply disabling it would have caused a lot of functionality to cease. And a testament to this is that currently we are seeing some impact on existing workflows which we’re addressing.

                Our next task will be to look at the viability of making the internal server opt-in and see how we could provide the same functionality via other means or at a minimum make customers aware of the loss of functionality

            • Jennifer says:

              May 11, 2016

              What kind of functionalities would break if web server is removed?

              I am maybe ok with losing functionality I don’t want or that I am not a user of if it is means I am getting an IDE with no web server!

              – Jennifer

              • Hadi Hariri says:

                May 12, 2016

                Please see above

            • Vin Wong says:

              May 12, 2016

              Actually, I didn’t even know that a web server exists in the service.
              I will use Surface 3 as my development device sometimes. It is not a great performance device. If I can turn off the web server, I think my device can run a bit faster.

              I see that some of the functions in IDE require the web server but what if we do not use those functions? I will be thankful if you could tell us what kind of functions depends on the web server.

              I also suggest your company add an option to the IDE, let user choose to turn on or off the web server.

              • Hadi Hariri says:

                May 12, 2016

                Please see my response above.

            • Sachin says:

              May 12, 2016

              I disagree

        • Eugen says:

          May 11, 2016

          Second that... please provide steps to ban any web server from starting.

        • hockeymikey says:

          May 11, 2016

          I agree.

        • Jeroen De Dauw says:

          May 11, 2016

          +1. I have never used, and do not plan to use, the internal webserver. This simply does not make sense for my work. When I started reading this I thought to myself “well that’s fine, I’m not using this anyway”. Then I find out it is started by default. Not cool.

        • Daniel says:

          May 11, 2016

          This is a vulnerability that had no reason to exist. As requested above, please provide steps on how to remove the internal webserver or ban it from starting.

        • Mark Starr says:

          May 11, 2016

          +1: Yep – I don’t need it started. How do I stop it?

  2. Aleksey says:

    May 11, 2016

    My WebStorm 2016 on Mac become a brick 🙁 Rolling back…

    • Aleksey says:

      May 11, 2016

      No, can’t roll back – you don’t have a 2016 version in Previous WebStorm Releases. Need to roll further back to 11 🙁

    • Hadi Hariri says:

      May 11, 2016

      Why a brick? What’s the issue?

    • Ekaterina Prigara says:

      May 11, 2016

      We would really appreciate if you provide a bit more details about the problem. Can you please send us the content of your IDE log folder (menu Help – Show log) on https://youtrack.jetbrains.com/issues/WEB.
      Thank you!

    • Alex says:

      May 11, 2016

      Mine did as well…after finally getting it to load I’m unable to zoom in. Seems like the patch was pushed a little too quickly without full testing

      • Akira Takemura says:

        May 12, 2016

        Same issue happened to me.
        I can’t zoom in and out with the pinch gesture.
        This issue is irritating me.

  3. Anton Patrushev says:

    May 11, 2016

    Trying to download OS X version, got this:

    AccessDenied
    Access Denied
    206A530861DFFBA2

    ijfXc1Wn128We6HEdyPzWY1zgutm0lsNlJo3HZZPoJ2vUjmFYRn6+uWtiRkIT7PW52lvT8m/EVY=

    • Eugene Toporov says:

      May 11, 2016

      Really sorry for the inconvenience. But please specify more details. What product and version is it? Thank you

      • Anton Patrushev says:

        May 11, 2016

        Never mind, it is working now.
        It was IntelliJ IDEA 15.0.6 for OS X.

    • Mark says:

      May 11, 2016

      Those look a lot like AWS keys. I think they shouldn’t be posted publicly… you may want to rotate your AWS keys if that’s what they are!

  4. Anatoly says:

    May 11, 2016

    When trying to update an older version of Webstorm (10.0), I receive the following error:

    Failed to download patch file:
    Cannot download ‘http://download-cf.jetbrains.com/webstorm/WS-141.1550-141.3058-patch-win.jar’: Server returned HTTP response code: 403 for URL: http://download-cf.jetbrains.com/webstorm/WS-141.1550-141.3058-patch-win.jar
    , response: 403 Forbidden

    • Ekaterina Prigara says:

      May 11, 2016

      Thanks for report! We’re investigating. Will let you know. In the meanwhile, you can make a fresh install – here you can find a link: https://confluence.jetbrains.com/display/WI/Previous+WebStorm+Releases

    • Hadi Hariri says:

      May 11, 2016

      Sorry about that. Pinged the team. They’re looking into it.

    • Ekaterina Prigara says:

      May 11, 2016

      Oh, actually already found the issue and re-uploaded the patch update. Please try in an hour or so. Sorry for the inconvenience.

      • Sachin says:

        May 12, 2016

        Still it doesn’t work :/

  5. Danny says:

    May 11, 2016

    If I’m using the PHPStorm 2016.1.1 EAP, is that sufficient?

    • Vladimir Luchansky says:

      May 11, 2016

      Yes, you need to update from 145.969 to 145.970 (from EAP to 2016.1.1).

  6. Brady Mulhollem says:

    May 11, 2016

    Can you please document what exactly has been changed? What does IntelliJ now expect requests to include in order to be allowed?

    I was relying on this server in my development environment. I had it integrated with a reverse proxy. That is all completely broken and I can’t fix it because there is zero useful information that I can find.

  7. Daniel Bartholomae says:

    May 11, 2016

    When trying to install the patch (11.0.4) for Webstorm 11.0.3 on Windows 10, Windows Defender removes some of the files due to containing a virus:
    C:\Users\user\AppData\Local\Temp\idea.updater.files.tmp.0\temp.tmp.2

  8. Anton Lazarev says:

    May 11, 2016

    PhpStorm constantly crashing on opening @ Mac OS X 10.10.5

    Rolled it back to 2016.1, thank Odin I have a copy

    • Georgi Kehaiov says:

      May 11, 2016

      Same with Intellij IDEA on mac os x 10.10.5. I opened a ticket – https://youtrack.jetbrains.com/issue/IDEA-155856

      • Eugene Toporov says:

        May 11, 2016

        Thanks for reporting it. Sorry for the inconvenience.

    • David Rousal says:

      May 11, 2016

      Same with CLion, very bad patch JetBrains

  9. Paul says:

    May 11, 2016

    What about Project Rider? I checked for updates and it said I had the most up to date version

    • Eugene Toporov says:

      May 11, 2016

      If your current version is 144.5342 or higher you are up-to-date.

      • Paul says:

        May 11, 2016

        Ok, Thank you 🙂

  10. Andrei says:

    May 11, 2016

    Sorry guys, you have so many bugs in your recent updates, I’d like to wait before installing the most recent one.

    • Hadi Hariri says:

      May 11, 2016

      Sorry to hear that. Could you point us to some of the issues you’re encountering to see why they’re not being addressed?

      • Andrei says:

        May 11, 2016

        Sure, I am going to report two usability bugs tomorrow on the bug tracker. However, there are bugs I reported before and they do not seem likely to be fixed in the near future. Anyway, this is your product guys, it is up to you if you want to ruin it completely. I am thinking of changing my IDE to something more predictable. Seriously, the quality of your products now is as low as never before.

        • Hadi Hariri says:

          May 12, 2016

          Andrei

          I’d very much appreciate if you could send me links (hadi@jetbrains.com – or paste them here) of your issues, both the new ones you’re going to log as well as existing ones. I’ll follow-up with each of them.

          Thanks.

  11. Alex says:

    May 11, 2016

    Am getting a “java.io.IOException: Couldn’t create PTY” when trying to open a git terminal in PHPStorm. Used to work before the update 🙂

    • Hadi Hariri says:

      May 11, 2016

      This most likely isn’t related to this fix. Is it possible to log a bug?

      • Alex says:

        May 11, 2016

        Well it was working fine this morning and not working anymore after I applied the patch.

        • Dmitry Trofimov says:

          May 11, 2016

          Hi Alex, could you please file a bug to https://youtrack.jetbrains.com/issues/IDEA
          Please attach your logs there.

          • Alex says:

            May 11, 2016

            Fixed it – I had to update the settings/tools/Terminal to use quotes like: “C:\Program Files\Git\bin\sh.exe” -login -i

            Before it was setup without quotes but that stopped working after the update.

            Thanks for the help

            • Eugene Toporov says:

              May 11, 2016

              Thank you for the update.

            • legshooter says:

              May 13, 2016

              Thanks, Alex!

              Same problem hit me – You helped 🙂

            • Marcelo Ribeiro says:

              May 14, 2016

              Thanks, Alex!

            • Benjamin Teglbjærg says:

              May 16, 2016

              Thanks, I had this problem too!

            • irpye says:

              May 20, 2016

              Same problem here, on intellij IDEA on windows.

              I had to replace : cmd.exe /K cd work
              with : “C:\Windows\System32\cmd.exe” /K cd work

              Thanks

            • Frank says:

              May 26, 2016

              Thanks Alex ! That helped 🙂

            • Ben Ooms says:

              May 27, 2016

              Thanks Alex,
              Had the same

            • Karl says:

              June 1, 2016

              I second that! Thanks Alex!

            • Rob van den Hout says:

              August 17, 2016

              Awesome, thanks! This is also the fix if anyone is using powershell as terminal. update the settings/tools/Terminal to use quotes like: “powershell.exe” -Executionpolicy Unrestricted

      • Sascha Thiel says:

        May 11, 2016

        IT is a miracle business, everything magically stops working without having done something. 😀

        BTW: I had the same problem. “Quotes” saved my day! Thanks Alex!

      • Jacek Kolasa says:

        May 12, 2016

        It was definitely related to this fix. 🙂 Had the same problem, but Alex’s solution worked! Not cool, Jetbrains 😛

      • This says:

        May 12, 2016

        Yes, it IS related to this fix. Had the same issue.

        • Michael Bennett says:

          May 13, 2016

          I am using CMDER and it still doesn’t work using single or double quotes

          cmd.exe /K “%CMDER_ROOT%\vendor\init.bat”

          Again was working just before I updated, now its the same error.

          Strangely, if I just load a plain command line, then run this command line inside it then it works…

          • Petras says:

            May 24, 2016

            Enclosing cmd.exe in double quotes helped me too:
            “cmd.exe” /K set MAVEN_BATCH_PAUSE=off

            Thank you, Alex!

        • Soham Banerjee says:

          May 13, 2016

          Faced the same issue. Quotes saved the day.

  12. Mostafa Ali says:

    May 11, 2016

    I tried installing it a couple of times but it did not work; it kept showing that the release was still 2016.1.1 and I need to update again.

    I am using Ubuntu 15.10

    • Yves says:

      May 11, 2016

      Same for me, running Ubuntu 16.04.

    • cowst says:

      May 11, 2016

      Same on Mint 17.3

    • Eugene Toporov says:

      May 11, 2016

      Mostafa, what product are you trying to update?

      • cowst says:

        May 12, 2016

        It happens with idea community 2016.1.1 and pycharm 2016.1.2 for me.

    • Jarda says:

      May 12, 2016

      Same for me running Ubuntu 16.04, trying update Clion (2016.1.1) and Android Studio (2.1.0)

    • Sjoerd says:

      June 17, 2016

      Same for me on OSX El Capitan. Trying to update IntelliJ CE 2016.1.1, it downloaded the updates, but fails to apply them. After a restart, the version is still the same and it keeps asking me to update (but did not reattempt the download, so I assume that went OK).

  13. Sébastien says:

    May 11, 2016

    Here, I’ve got another problem. Now, when I run my project (in Chromium) WebStorm asks for each of my resources (webp, webm, png) to “copy authorization URL to clipboard” for validation. My project contains dozens of resources; it’s not possible to validate each of these one by one.

    • Dennis Ushakov says:

      May 11, 2016

      Are these files under the project directory?

      • 李晓健 says:

        May 12, 2016

        I have this problem too. These files are not under the project directory; they are external resources whose paths begin with http://.

      • Sébastien says:

        May 12, 2016

        Yes they are. These are Dart projects, served by pub.

        • Alexander Doroshko says:

          May 12, 2016

          Sébastien,
          Unfortunately we failed to reproduce the issue on our end. Can you please provide details about your project structure (paths to pubspec, main HTML file that you start, resources), full output of the Pub Serve tool window, OS, SDK version. A sample project to reproduce would be great. I suggest filing a bug with these details in https://youtrack.jetbrains.com/issues/Web (Dart subsystem).
          Thank you!

          • Sébastien says:

            May 12, 2016

            Hello, I rolled back to the previous install on my system, but OK. I’ll reapply the security update now and make a small sample project. When it’s ready, I’ll send it to you in your tracking system. Thanks for caring.

          • Sébastien says:

            May 12, 2016

            Problem reported by my colleague:
            WEB-21598 Request without authorization

            Thx again.

    • Kevin Monahan says:

      May 11, 2016

      I’m also seeing this. The requested files are under the project directory. I do, though, map a “remote” URL (http://localhost:63342/…) to my JavaScript (and TypeScript) src dir. I’m debugging with a Javascript Debug config.

  14. Kevin Dahl says:

    May 11, 2016

    When I try to apply the update on Linux (debian jessie/Gnome3) I get DataGrip restarting, but it just says there’s an update again each time it starts back up. Is this a known issue?

    • Kevin Dahl says:

      May 11, 2016

      Seems the datagrip patch is 403:

      [ 18865] ERROR – plication.impl.ApplicationImpl – Connection failed with HTTP code 403
      com.intellij.util.io.HttpRequests$HttpStatusException: Connection failed with HTTP code 403. Status=403, Url=https://download.jetbrains.com/datagrip/DB-145.862-145.863-patch-unix.jar

      PyCharm and WebStorm both updated fine on the same machine.

      • Sergey Ignatov says:

        May 11, 2016

        Thanks, we’ve fixed the issue, please update.

    • Maksim Sobolevskiy says:

      May 11, 2016

      Hello!
      It is a known issue, we hope to fix it in several hours.
      Thanks!

  15. Philip says:

    May 11, 2016

    I have a question about patching older releases, we are on 14.1.x currently.

    Above in the blog post, it says that, “The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.” Later it says regarding older versions to, “Check the previous versions page for your product below. All updates published after May 10th contain the security update. ”

    After downloading IntelliJ 14.1.7 from the previous IntelliJ releases page, it shows a build date of April 29th, 2016. This seems to indicate that it does not have the fix.
    https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases

    1. Is there a fix for 14.1.x?
    2. Can the older releases that are patched with the fix be listed by version number in the blog post, or somewhere else?
    3. Are IntelliJ licenses entitled to free updates and upgrades until a particular date eligible for bugfixes with the security fix (so long as they remain on the same major.minor release)?

    • Eugene Toporov says:

      May 11, 2016

      Philip, yes, 14.1.7 contains the fix. We built it earlier and it was being tested internally.
      We’ve actually published it today, so it is later than May 10. But I see the confusion; will see how the text can be improved.
      Thank you!

    • Eugene Toporov says:

      May 11, 2016

      So, all answers:
      1. Yes, there is
      2. All versions of IntelliJ IDEA starting from 12.1.x that are published on https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases include the fix.
      3. These updates are free, so whatever version is available to you can be updated using a corresponding bugfix update, considering it is 12.1 or newer.

      • Philip says:

        May 11, 2016

        Eugene,

        Thanks so much for the clarification and for fixing the older releases.

        I tested with 14.1.7 and can confirm the issue appears fixed (at least with the webserver serving up files in the project directory).

  16. Bas B says:

    May 11, 2016

    Is there a CVE?

    • Hadi Hariri says:

      May 11, 2016

      Unfortunately not yet. We’re in the process of receiving one.

  17. msdisme says:

    May 11, 2016

    Is the community version also affected?

    • Eugene Toporov says:

      May 11, 2016

      Yes, it is. The updates for Community editions are available as well.

  18. Maxim Shirshin says:

    May 11, 2016

    WebStorm 2016 1.2 (the one with the security fix) crashes for me on MacOS after updating (tried applying the patch and doing a fresh install using the distribution file from the website). In the old version, no WebStorm 2016 can be found. What am I supposed to do? Is rolling back to Webstorm 11 the only option?

  19. Dave says:

    May 11, 2016

    I updated to PHPStorm 10 and it didn’t apply half of my exported settings that I imported from v8, and now that JetBrains releases a new *MAJOR* version every 3 months, I don’t want to have to reinstall that often, I’d prefer to just get updates.

    The Major updates need to slow down to allow security patches like this to happen more easily rather than making us reinstall the entire program and risk losing a lot of configuration often.

    • Eugene Toporov says:

      May 12, 2016

      Dave, I’m sorry to hear you have problems with updates and lost the settings. This of course should not happen.
      I just want to share that our plan is exactly to move to smaller, incremental updates rather than big “major” ones. This is what we’ve started with moving away from so called major versions 8->9->10 to a year-based versioning.
      And yes, we should improve our patch installation routines. This is a major task for the team.
      Thank you very much for the feedback.

  20. jth says:

    May 11, 2016

    Nice update: lose all settings, all configuration in all projects and all the local history. Epic win guys, epic win… This + lots of troubles recently (many crashes), I’m tired of this… where is the time when everything just worked properly? One year ago?

    • jth says:

      May 11, 2016

      You are going too fast, you’re losing it

    • Hadi Hariri says:

      May 11, 2016

      You shouldn’t have lost anything. Could you maybe provide us with some more information of your settings?

      • Edward says:

        May 11, 2016

        We shouldn’t, but that’s what happened. Our entire team lost all the mentioned configurations. This is ridiculous and unacceptable

        • Hadi Hariri says:

          May 12, 2016

          It is completely unacceptable, I agree.

          Can you please provide me with more details of the product you are updating, from which version, and what files went missing? You can reach me on hadi@jetbrains.com, or if you prefer, log the issue and send me the ID.

  21. Oliver says:

    May 11, 2016

    (quote)
    The cross-site request forgery (CSRF) flaw in the IDE’s built-in webserver allowed an attacker to access local file system from a malicious web page without user consent.
    (end_of_quote)

    It would mean that I need to display a malicious website from within the IDE?
    If I never display web content inside the IDE I am safe?
    Am I getting this right?

    • Eugene Toporov says:

      May 11, 2016

      Oliver, no not from within the IDE. A page can be open in the browser.

    • Roy van Rijn says:

      May 11, 2016

      I don’t think so. If you have IntelliJ or WebStorm running there is a webserver running on port 63342. The files here can be accessed from any website through any browser you’re using. I think this is the problem (there are not many details known).

      • Oliver says:

        May 11, 2016

        Okay. So for me it is: while having the IDE open do not browse on any other websites than the ones of your own projects.
        Thanks for clarification.

        The hot-fix-updates seem to be a little too hot for me reading all the problems mentioned here. So I prefer to not install these until they
        themselves get fixed.

        The above will do it for me until then.

        • Michael says:

          May 12, 2016

          I still don’t get it how exactly the security issue can be used / avoided. As I see it there are two bugs mentioned that have been fixed. For both you need to open a malicious website in any browser and have webstorm started? Then the webpage gains access to the webstorm ports so it can possibly control webstorm? Is that correct?

          The malicious website could access any file that webstorm has open or can open? So basically any local file? The website could also control some functions of the IDE and read metadata about the IDE? Is that correct as well?

  22. obe says:

    May 11, 2016

    JetBrains – I like your company a lot and I’m very impressed with your products, but you really should up your QA and delivery processes.

    Your releases are often at Beta level, and I don’t think that I even once updated a product without seeing some sort of regression in a common functionality.

    Honestly, unless there is a specific feature I really really need – I am reluctant to upgrade for fear of what would be broken. The moment I saw your email about this security issue – I thought to myself – “ok, mental reminder to update my JetBrains products in 3-4 weeks when their patch reaches production level”. In other words: I am more afraid of upgrading than I am of an attack, even with this issue now being out in the open…

    Guys – keep up the good work and just slow down. Give bug fixing a higher priority. Educate your developers to test everything they do before they deliver to QA. Keep up the open communication with the community but don’t treat the community as a group of beta-testers…

    • Hadi Hariri says:

      May 11, 2016

      Thank you for the feedback. We’re listening and we’ll do our best to improve.

      • Jennifer says:

        May 11, 2016

        What kinds of testing are done now? Black box testing? White box testing? Unit testing? Usability testing? Integration testing? Hands-on testing? Automatic script testing?

        Will web testing now be done of the web server?

        – Jennifer

        • Hadi Hariri says:

          May 12, 2016

          We do Unit Testing, Integration Testing, Hands-On Testing and some of this also includes automatic scripting. And we try this with as many VM’s and OS’s as we can, but obviously not enough.

          In terms of White box/Black box, both but it very much depends on the context of the code too.

  23. Arthur Guimaraes de Oliveira says:

    May 11, 2016

    What’s going on?! I get an email with some important security update, and after updating it WebStorm won’t start! It became a brick! I already tried uninstalling and nothing. I got a deadline that I need to meet!!!

  24. Pablo says:

    May 11, 2016

    For the records, at least with PyCharm the «Download» button in the «Platform and Plugin Updates» dialog will take you to the site downloads page, where only the latest version is directly available. Those like me who have an old license will find the version that is actually mentioned in the dialog (5.0.5 in my case) behind the «Previous versions» link, in the opened page. Or simply go here: https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases

    • Eugene Toporov says:

      May 11, 2016

      Thank you Pablo. This is our mistake, we’ll get it fixed

  25. Tom Metcalfe says:

    May 11, 2016

    I’m getting

    Hi, I’m seeing the ‘PHPStorm quit unexpectedly’ error. Here is the first bit of the debug details:

    Process: phpstorm [894]
    Path: /Applications/PhpStorm.app/Contents/MacOS/phpstorm
    Identifier: com.jetbrains.PhpStorm
    Version: 2016.1.1 (PS-145.970.40)
    Code Type: X86-64 (Native)
    Parent Process: ??? [1]
    Responsible: phpstorm [894]
    User ID: XXXXXX

    Date/Time: 2016-05-11 17:12:29.114 +0100
    OS Version: Mac OS X 10.10.4 (14E46)
    Report Version: 11
    Anonymous UUID: XXXXX

    Time Awake Since Boot: 550 seconds

    Crashed Thread: 0 AppKit Thread Dispatch queue: com.apple.main-thread

    Exception Type: EXC_BAD_ACCESS (SIGABRT)
    Exception Codes: KERN_INVALID_ADDRESS at 0x0000000030353230

    VM Regions Near 0x30353230:
-->
    __TEXT 0000000100af3000-0000000100afc000 [ 36K] r-x/rwx SM=COW /Applications/PhpStorm.app/Contents/MacOS/phpstorm

    Application Specific Information:
    abort() called

    Thread 0 Crashed:: AppKit Thread Dispatch queue: com.apple.main-thread

    • Dennis Ushakov says:

      May 11, 2016

Please try this as a workaround: https://intellij-support.jetbrains.com/hc/en-us/articles/208516145

      • Aaron Mendez says:

        May 11, 2016

        I receive essentially the same crashlog with Webstorm. This after downloading a fresh installer, and already having javac 1.6.0_65. My OS Version is 10.10.5, and upgrade to El Capitan is against my company’s IT policy at the moment. This has left WebStorm bricked. Good thing I’ve got NeoVim.

        • Aaron Mendez says:

          May 11, 2016

          OK, I take this back. It wasn’t clear that the Java needed is the old “Java for OS X 2015-001” – see https://support.apple.com/kb/DL1572?locale=en_US

          After installing this additional Java, WebStorm now starts.

          The Apple page states: “This package is exclusively intended for support of legacy software and installs the same deprecated version of Java 6 included in the 2014-001 and 2013-005 releases.”

          JetBrains: this seems like an embarrassing and dangerous dependency. Hopefully you’ll be able to move away from it soon.

          Thanks for the fast workaround info.

          • Jennifer says:

            May 11, 2016

Does this old Java version you are referring to have any known security flaws?

            Why does the IDE need to use archaic Java and not new Java?

            – Jennifer

          • Dennis Ushakov says:

            May 12, 2016

Sorry about this issue, it’s not a real fix, just a temporary workaround. You can follow https://youtrack.jetbrains.com/issue/IDEA-155856 for the updates.

  26. James Howe says:

    May 11, 2016

    So how do I get inline documentation to work again?
    I press Ctrl+Q and now get “Fetching documentation…” in the doc window and the new prompt:

    Page ‘http://localhost:63342/P…letRequestAttributes.html’ requested without authorization,
    you can copy URL and open it in browser to trust it.

    I follow those instructions and try again, but just get the prompt again.

  27. Lor says:

    May 11, 2016

What happened to the font in PhpStorm on Linux? It looks slightly different (bold and GUI font). Does it happen only on my machine?

    • Konstantin says:

      May 11, 2016

      I got the same issue.

    • Jennifer says:

      May 11, 2016

Can you show us a screenshot so we can see what it looks like?

      – Jennifer

    • Kaijia says:

      May 12, 2016

      Me too. Cannot fix it.

    • Thomas says:

      May 12, 2016

      I’m seeing the same, not sure if it’s broken now or fixed from the last release (which I remember also looked quite different). The editor font looks a little more crisp, but project view and tabs etc are far bolder than they used to be. The blue text colour everywhere for modified files is also quite intense when you have a lot of changes, but could get used to it.

    • BoraMa says:

      May 13, 2016

      I got the same issue too, under Ubuntu Linux. Bold fonts appear significantly bolder than in 2016.1. I tried the newest bundled JDK (from here https://youtrack.jetbrains.com/issue/IDEA-57233#comment=27-1432397) but it was the same. But when I copied the jre folder from the 2016.1 version over to the new version, the fonts DID return to their previous appearance. Nevertheless, after a day, I got somehow used to the new fonts.. will probably give them a try and see…

  28. Gunnar Ahlberg says:

    May 11, 2016

    The upgrade went fine on my Windows 7 from 2016.1 to IntelliJ IDEA 2016.1.2
    Build #IU-145.971, built on April 29, 2016

    Keep up the good work guys

    • Eugene Toporov says:

      May 11, 2016

      Thanks Gunnar!

  29. Tom Clement says:

    May 11, 2016

    Roy, you say: “If you have IntelliJ or WebStorm running there is a webserver running on port 63342”.

    My question is, what happens if we use a firewall to block that port. What functionality of IntelliJ would be affected and how?

    • Eugene Toporov says:

      May 11, 2016

      Tom, if you block the above port the IDE will pick another one.
      You are welcome to contact our support team for more clarifications.

  30. Rey Bango says:

    May 11, 2016

    Hi just to confirm, is the security issue only present when the IDE is running or is it also an issue when it’s closed down?

    • Eugene Toporov says:

      May 11, 2016

Only when it is running.

  31. Jörgen Persson says:

    May 11, 2016

    Rider says I have the latest update. See screenshot: http://pasteboard.co/QBlaAKt.png
However, the answer Eugene Toporov gives in this post suggests that there is a later release made: https://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/#comment-254173

    • Daria Dovzhikova says:

      May 11, 2016

      Hello Jörgen,

Did you receive an email around April 25 with the links to download build 144.5342? At this point it is the latest one.

      • Jörgen Persson says:

        May 12, 2016

        I searched my emails and found it and have now downloaded the latest. I still think it’s weird though that the app says I have the latest version when I obviously haven’t.

        • Daria Dovzhikova says:

          May 12, 2016

          Jörgen,

          Sorry for the confusion, but Rider is still in the early stage of development, thus not all the features are available.

  32. Andrea says:

    May 11, 2016

    I have IDEA 12.1.6. While installing security update 12.1.8, it asks whether I would like to uninstall IDEA 12.1.6 because it is an older version.

I thought I was downloading a patch. Should I uninstall 12.1.6 in order to install this security update version 12.1.8?

    • Eugene Toporov says:

      May 11, 2016

      Did you do the ‘Check for updates’ from the IDE? Which option did you then select?

    • Nikolay Chashnikov says:

      May 11, 2016

We provided an update via patch only for IDEA 12.1.7. So in order to update to 12.1.8 from 12.1.6 you indeed need to install 12.1.8 from scratch. You may uninstall 12.1.6 later, after checking that 12.1.8 works properly for you.

      • Andrea says:

        May 11, 2016

        Did as instructed. Works. Thank you.

  33. Jordi Tudela says:

    May 11, 2016

    Trying to download OS X version for PyCharm 3.0.3 Professional, got this:

    AccessDenied
    Access Denied
    CF916CB08E37491C

    IXcVJNkD6V+exkms+Ersjg9BBlumwXqPbm6856MEloG/j67Pnn3lbYmSAP8zO4cLbmX6pYPbhSI=

    • Eugene Toporov says:

      May 11, 2016

      Sorry about it, we’re checking it now.

    • Dmitry Trofimov says:

      May 11, 2016

      Please try it again.

  34. Philip says:

    May 11, 2016

    Downloaded ideaIU-12.1.8.dmg as I only have a valid license for 12. Did the update but when I start IntelliJ now I get the famous Gatekeeper message: “IntelliJ IDEA 12” can’t be opened because it is from an unidentified developer. Why and do I have to worry?

    • Eugene Toporov says:

      May 11, 2016

      Philip, version 12 is not signed, it is true. We have introduced signing later. So, if you downloaded it using a link from our pages you do not need to worry.

    • Nikolay Chashnikov says:

      May 11, 2016

      To be absolutely sure you can also check that sha256sum of ideaIU-12.1.8.dmg is equal to the value from https://download.jetbrains.com/idea/ideaIU-12.1.8.dmg.sha256.

      • Philip says:

        May 11, 2016

        Thanks Eugene & Nikolay! I chose to verify the checksum which was all good!

      • Jennifer says:

        May 11, 2016

Can you post a list of all checksums so we can be sure that the checksums here, the checksums from download.jetbrains.com and the checksums of the files we get all match?

        – Jennifer

  35. steward says:

    May 11, 2016

    Oh hell not again.
    We won’t get just this patch, we’ll get a bunch of new bugs and changes to the way things used to work. I cannot take the time to gamble.

    I strongly urge the team to focus on a stable release that lasts forever.
    After six years of paying, that’s enough. I had what I needed long ago.

    Ever since it has been a nightmare cycle for your sake, not mine.

    • Nikolay Chashnikov says:

      May 11, 2016

      Which version of which product do you use? The updates for IDEA 15.0.5 and IDEA 2016.1.1 indeed include many other changes, but the patches for older versions (14.1.6, 14.0.4, 13.1.6, 13.0.4, 12.1.7) consist mainly of changes related to security fixes, so they shouldn’t introduce new bugs or change behavior of the IDE.

  36. v6ak says:

    May 11, 2016

What ports are used? Is it documented somewhere what is provided by the server?

  37. Ravi says:

    May 11, 2016

    Why th fk is it downloading the full IntelliJ IDE and not just the patch?

    • Eugene Toporov says:

      May 11, 2016

      Sorry about it. We’ve provided as many patches as we could but were unable to create them for some. Which version are you trying to update?

      • Jennifer says:

        May 11, 2016

Can you post a list of products and versions that have a patch, and products and versions that do not have a patch but have a full download?

        – Jennifer

  38. Carl says:

    May 11, 2016

    Why the hell is IntelliJ running a web server in the first place?? Did I ASK you to fire-up a random web server on my dev box??

And the absolute LAST thing I’m going to do is download your so-called “patch”. During the past year JetBrains has demonstrated it’s so incompetent at writing software, I’m never buying a new version from you again!

  39. Fadeleaf says:

    May 11, 2016

    I updated IntelliJ Ultimate today. It now doesn’t load a ton of plugins (Java EE, Spring MVC, and the list goes on and on). So my projects won’t load properly. This basically bricked my projects.

    • Hadi Hariri says:

      May 12, 2016

      That shouldn’t be happening. Can you give us more details on your exact version?

  40. Jennifer says:

    May 11, 2016

    Was this security problem caused in any way by the switch to subscriptions?

    https://blog.jetbrains.com/blog/2015/09/03/introducing-jetbrains-toolbox/
    https://blog.jetbrains.com/blog/2015/09/18/final-update-on-the-jetbrains-toolbox-announcement/

I am confused why an IDE would have an internal web server.

    Like CLion, which (maybe I am wrong) I do not think is used for web development.

    Why would it have an internal web server with bugs?

    Your clarifications are so very desired!

    – Jennifer

    • Hadi Hariri says:

      May 12, 2016

      Jennifer,

No. This is completely unrelated to the switch to subscriptions or JetBrains Toolbox. This web server functionality has been there for quite a number of years and this is why we’re providing back-ports of up to 3 years.

      As mentioned previously, we use the internal web server for different functionality such as documentation

  41. Carl says:

    May 11, 2016

    Here’s a faster and more reliable solution that works 100% of the time on OSX:

    1) Download Little Snitch
    2) Block ALL inbound and ALL outbound access for JetBrains products (except the sites you WANT to access)

    …And seriously JetBrains, FOUR open ports and THREE outbound connections, including something that looks an awful lot like realtime behavior tracking?

    I am SO rotating my passwords and SSH keys!

    • Hadi Hariri says:

      May 12, 2016

      Hi Carl,

      We don’t have any type of realtime behaviour tracking. The only usage statistics we collect, which is opt-in and configurable via Preferences, is sent to us with your consent (and always anonymously), and is not realtime.

  42. Jennifer says:

    May 11, 2016

Is there any risk to my source code? If I used a vulnerable IDE and accidentally visited a page that uses this attack without my knowledge, is there a chance it would update my source code? Does the web server bug give write access to my files in the IDE? Could a malicious web page put malicious code in my source code without me knowing it? Should I audit all of my source code to make sure it was not modified?

    Much thank you!

    – Jennifer

  43. Torsten says:

    May 11, 2016

    Hi,

I run version 10.0.2, our company license was valid until November 2015. You write me, I have to update, even older versions, so I downloaded and started the update, but I can’t unlock it, neither the key works nor the login with credentials. Both tell me it’s expired.

    I don’t understand, why you make such a big thing out of this update, when you then don’t allow me to run the program (I am not starting a 30-days-try-out-time now and I am pretty sure, that the company won’t pay again at the moment…).

    Is this just “marketing” or how can I get it to work?

    Cheers,
    Torsten

    • Torsten says:

      May 11, 2016

      … and now I am pretty much confused. I stopped PhpStorm, and started the old version (as I was not able to put in the key for the new one). Now I see, that the name is now “PhpStorm 10.0.4”! I checked: it is really code inside the old folder that is running, I see that the old config files are updated. The program still runs if I rename the folder of the new download and the new created settings (so not a mix between old and new config and installation). Now I also checked inside the old folder, the application and some subfolders are updated (at least they have a datestamp from today).

      So basically you give a new version to download, that can’t be installed, but patches secretly the old version in the background?

Ok – I am thankful that I can get a free patch and security update, but why can’t it be communicated that way? At least you should say that, instead of installing a new version in a new folder, you (also) update and overwrite old code, and not just do that in the background.

      An extremely odd experience. I hope it did not crush anything in that confusing “setup” and the title is showing a successful patch and not just
      a half way overwritten config file.

      Cheers,
      Torsten

      • Hadi Hariri says:

        May 12, 2016

        Torsten

        Not sure I understand what exactly has happened, but you should have received any update free if they were within the versions we provided support for. It should have also applied to the version you had installed.

        In any case we apologise for the issues. Is it all sorted now or can we help in any way?

  44. Python Pro says:

    May 11, 2016

    Please add an option to disable the internal webserver, with documentation explaining what impact this exactly has.

    I pay annually for this product and I expect nothing less. If this is an unreasonable request I’ll take my business elsewhere.

  45. Nate says:

    May 11, 2016

    Updated PyCharm with this update and now it’s telling me I’m unlicensed 🙁 Not good. Gotta dig through old emails to hopefully find my license code.

  46. Tom P says:

    May 11, 2016

    To anyone who has ssl handshake_refused errors after this update, try downloading java8 from the java website.

    I was previously using java6 mac, svn worked on commandline but not phpstorm.

  47. Eric Stein says:

    May 11, 2016

    Hey.. uh… the links on the download page (https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases) that PyCharm sent me to when I used “Check for Updates” are pointing to a plain HTTP URL and there are no hashes posted or gpg signatures.

    But if I tweak the download URLs to be https instead of http, I can still download. Please just update the URL schemes… not exactly awesome to post a security update in a way that can be MITMed.

  48. Narra Jbsd says:

    May 11, 2016

    Just would like to leave a positive comment here, in appreciation of what the JetBrains team appears to have done right on this.

    – Jumping ahead, I have the new PHPStorm EAP 145.970 installed — and it says it was built on 3 May This indicates, I belleve, that the team did indeed do substantial testing before releasing the new software. Remember also that they did not do it on Monday, either.

    – Does it work? It appears to work fine. All my history is present, settings and so forth, even the certificate signon for a vagrant ubuntu vm just installed. PhpStorm opened on my last work, just as it had before taking the upgrade.

    – On what platform am I reporting this? Windows 10, all latest upgrades Tuesday and today.

    – What precautions were taken? After reading above, I copied .idea folders from each project that had them, and I copied the various .WebIde* and .WebStorm* folders from my Users folder on W10. None of these appear to be altered, which is as it should be, before I have changed anything in the projects with the new release. Webstorm* exists because I ran the EAP for it until the improved JavaScript debugging made it into the PhpStorm EAP.

    – would also like to compliment the team on the eager reply and early solutions they are providing for the cases where things haven’t gone perfectly. I think it’s expected to find some of that when you make substantial changes to a complex architecture — especially when it involves security permissions. But other things about build environments can slip through also, as we should all know.

    A big thank you to JetBrains for taking on and executing this challenge. I had thought something big was in the works, as the always appreciated developing upgrades had gone silent for a little while.

    Kind regards,
    Clive

    • Hadi Hariri says:

      May 12, 2016

      Thank you Clive.

  49. Tom Clement says:

    May 11, 2016

    Hi Eugene, We have shipped a product based on version 12.1.7. Does the patched version 12.1.8 contain changes other than the security fix that would require additional testing?

    Thanks

    • Hadi Hariri says:

      May 12, 2016

      Hi Tom,

      It only contains security fixes.

  50. Bob Stein says:

    May 12, 2016

I’m running PyCharm 5.0.3, Pro edition (for Django and Flask support) on Windows 7 Pro 64bit. My subscription expired Jan 30, 2016. I can’t afford to renew right now. Is the best I can do to keep running 5.0.3? Should I run PyCharm-professional-5.0.5.exe from https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases ?

    Apologize for asking for help with old versions. I don’t begrudge you guys the fees, it was totally worth it. I just wonder if this security update is possible for me. The about screen says I have perpetual fallback license for this version (5.0.3) but not sure what that means. Thanks!

    • Dmitry Filippov says:

      May 12, 2016

      Hi Bob,
You had an old-style licensing subscription, which implies you have a perpetual license for any major PyCharm Professional Edition versions (releases) within your subscription period. Given the fact your subscription expired on Jan 30, 2016, you have a perpetual license for PyCharm 5 AND for all bug update versions of PyCharm 5 regardless of their release dates. Effectively that means you can upgrade to PyCharm 5.0.5 for free.
      We strongly encourage you to update to PyCharm 5.0.5 as it contains very important security bug fixes. In your case, please download the full installation distribution from https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases and run the installer. It will suggest removing the previous installation, keeping all your settings.
      I hope my answer helps.

      • Bob Stein says:

        May 15, 2016

        Thanks very much, Dmitry, for the multiple clarifications! All set running 5.0.5 on laptop and desktop.

    • Oliver says:

      May 12, 2016

      +1 same situation here

      • Dmitry Filippov says:

        May 12, 2016

        I hope you managed to upgrade successfully.

  51. Emergency Patch Issued For Android Studio And IntelliJ-Based IDEs To Close Up Two Serious Security Vulnerabilities – my android says:

    May 12, 2016

    […] a pair of potentially serious vulnerabilities recently identified in the IntelliJ platform. A blog post on the JetBrains website briefly describes the issues, both of which expose users to attack if they […]

  52. Kyle Zhang says:

    May 12, 2016

    Can we disable the anti-CSRF authorization of built-in server?

    Thanks

    • Hadi Hariri says:

      May 12, 2016

      Unfortunately it is currently not possible.

  53. Nagamohan Magadi says:

    May 12, 2016

    Pre-update:
    http://localhost:63342/********/index.html#/login

    Post-update:
    http://localhost:63342/*******/index.html?_ijt=o7vnqa59dvtjo34204as5bdssp#/login
    +

    Page ‘http://localhost:63342/in…/login’ requested without authorisation,
    you can copy URL and open it in browser to trust it.

    Why is this happening and what’s the fix?? Pages are not loading properly since the update

    App: Webstorm 2016 on Mac OSX

    • Nagamohan Magadi says:

      May 12, 2016

      Edit:

      App: Webstorm 2016.1.2

      • Ankit says:

        June 9, 2016

Are any fixes found, or any option to get rid of it? It stops the Protractor tests from running..?

        Thanks

    • Alexey says:

      May 12, 2016

      This _ijt= is also breaking our dev/test flows. We load resources from a Chrome extension and can’t pass that parameter there conveniently. Need a way to disable this!

  54. Kyle Zhang says:

    May 12, 2016

I want to disable the authorization of the built-in server, how can I do that?

    • Hadi Hariri says:

      May 12, 2016

      Currently this is not possible.

      • Kyle Zhang says:

        May 12, 2016

I went back to WebStorm 2016.1.1 and am waiting for a configuration option to disable, or a whitelist for, the anti-CSRF feature.

        I was using a reverse proxy with the built-in server, but now it’s too difficult to configure the proxy rule. Of course, I have tried appending the authorized cookie to every request session, but not all files succeed.

        Can I temporarily disable the configuration by changing some file content (like source code)?

  55. Kamen Davidkov says:

    May 12, 2016

    Hi,

    I have WebStorm 11.0.1 and I’m not able to update it.
The error I receive is:

    “Connection failed (connect timed out). Please check network connection and try again.”

    • Hadi Hariri says:

      May 12, 2016

      Is this still occurring? Have you tried to download directly?

  56. Jari says:

    May 12, 2016

Where is the updated version for 10.5.4 located? On the old versions download page there is still version 10.5.4, not 10.5.5.
    Thanks!

  57. cas twue says:

    May 12, 2016

I want a patch for 14.1.5, not the full IntelliJ IDE. Can you provide a patch for that version? Thank you

  58. Oleg Muravskiy says:

    May 12, 2016

    After update I get “Page ‘http://localhost:63342/m…jar/resources/inherit.gif’ requested without authorization, you can copy URL and open it in a browser to trust it.” while browsing javadoc for a class. After this IntelliJ just hangs 🙁

    This probably resolves CORS issue, but I don’t think this is how it’s supposed to work 🙂

    IntelliJ IDEA 2016.1.2, build IU-145.971.21

  59. Michael Hodgins says:

    May 12, 2016

    Hi guys. Just updated; the only bugs I’ve discovered so far are that Presentation Mode and code zooming no longer work. It’s a good job I’m not doing a presentation today!

    • Hadi Hariri says:

      May 12, 2016

      Hi Michael,

      Is this with IntelliJ IDEA?

      • Michael Hodgins says:

        May 12, 2016

        Hi Hadi. No, it was with PhpStorm and WebStorm. I don’t know what’s happening, because Presentation mode has started working again, though not the feature where I can pinch to zoom in on code.

  60. Johan says:

    May 12, 2016

After installing the security patch javadoc doesn’t work in IDEA (version 2016.1.2). All I get after pressing CTRL-Q on a method is a dialogue saying “Page ‘http://localhost:63342/…./Awaiting.html’ requested without authorization, you can copy URL and open it browser to trust it.” where Awaiting is the Java class I wanted to view the documentation for.
    So after the update it’s not possible to view Javadoc inside IDEA any longer.

    How do I fix this or work around it?

  61. Neil Laurance says:

    May 12, 2016

    Is there any report from the license server that can show the version each developer is using?

    • Hadi Hariri says:

      May 12, 2016

      Yes, it is possible. For more information please see:
      https://www.jetbrains.com/help/license_server/detailed_server_usage_statistics.html

      • Neil Laurance says:

        May 12, 2016

        Thanks for the link.
        Unfortunately, it doesn’t seem that our license server version reacts to this configure command, so the reportApi endpoint simply returns a 404.
        Is there any way to determine what license server version we are running, and if we need to upgrade it to get this reportApi endpoint?

        • Hadi Hariri says:

          May 12, 2016

          The version should be available at the bottom of the license server page. Reports are supported as of version 9309.

          • Neil Laurance says:

            May 12, 2016

            That explains it, thanks Hadi – we are on version 7844

            • Hadi Hariri says:

              May 12, 2016

              In principle you should be able to upgrade. Have you pinged Sales?

  62. Bryan says:

    May 12, 2016

    I’m having a problem with error 404 when using localhost to view my site. I’ll try and send details but for now can you give me a link to download 11.0.3 please because I need to get on with my work and I’m hindered by the update.
    Thanks
    Bryan

  63. Sela Yair says:

    May 12, 2016

    Do I need to pay to get the security update?

    • Eugene Toporov says:

      May 12, 2016

No, an update for any version that you currently have a license for is free.

    • Hadi Hariri says:

      May 12, 2016

      If you have an active subscription, no. If you do not and your version is under some of the ones we cover (which we go back up to 3 years), then also no, it’s free. If you could tell me what product and version you have then I could tell you for sure.

  64. Arulan Pari says:

    May 12, 2016

Hey, in Drupal, *.install extensions are not working

  65. Darek Krzywania says:

    May 12, 2016

    After the update I can’t use my license key. The system tells me the key is already in use.

  66. Chris says:

    May 12, 2016

Same here.. I’m pissed! The last updates messed up my configuration here and there and altered things I don’t like. It’s a pain to find the right option because there are thousands of them.. AAAAAAAAAAAAAAARGH 😀 I hate this red border around function parameters I see every time I use the autocomplete function.. thank you for this one! More colors.. the people need colors !!!! 🙂

    I don’t need help.. I just needed to let some steam out of my head!
    I feel better now, have a nice day everybody.

  67. Zachery Hysong says:

    May 12, 2016

It would be fantastic if you made a launcher / updating platform like Adobe does for Creative Cloud. Then you could just push the updates out to all the IDEs at once. It would save a lot of time for people like me who have almost the whole suite installed on multiple PCs.

  68. Pavel says:

    May 12, 2016

    Open files via ajax gone on open in browser preview 🙁

  69. Michael Bennett says:

    May 12, 2016

    I am getting the same error around terminals (http://cmder.net/) cmder.

    command line is: cmd.exe /K “c:\dev\cmder\vendor\init.bat”

    error: java.io.IOException: Couldn’t create PTY

    Was working 5 minutes before applying the upgrade…

    • Ricahrd Fan says:

      May 17, 2016

It needs quotes; this will work: “cmd.exe” /K “c:\dev\cmder\vendor\init.bat”

  70. Joshua Dockins says:

    May 13, 2016

    I am on a Linux Mint machine. I tried to update pycharm from 2016.1.2 to 2016.1.3 but nothing happened after the restart. Still on 2016.1.2. Is there a fix being worked on to allow the 2016.1.3 update on Linux Mint machines?

    • Dmitry Filippov says:

      May 13, 2016

We have one patch for all Linux distributions. So it should work for Linux Mint as well. What happens if you check for updates once again via Help | Check for updates? If there’s an update still available please try again. If not, you can download the full installation from the download page: https://www.jetbrains.com/pycharm/download/#section=linux
      Please install 2016.1.3 alongside your current installation, and only after that delete the old version. All IDE and project settings will be preserved in this case.
      We haven’t got any complaints about Linux patch updates until now. If you see there’s still a problem, please fill in this form to contact tech support: https://intellij-support.jetbrains.com/hc/en-us/requests/new?ticket_form_id=66731
      They’ll be able to debug your problem.

  71. Vipin K says:

    May 13, 2016

    Hello,
    What would be the major impact on the application developed for Android client ?

    Thanks!!

    • Hadi Hariri says:

      May 14, 2016

      Shouldn’t have any impact.

  72. Joel Wochele says:

    May 13, 2016

    Getting
    Refused to execute script from ” because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.
    after the update.
Any detailed information on what has changed with the update?
    Or suggestion where I can start tracking down the error?

    • Vladimir Krivosheev says:

      May 13, 2016

We set the header “X-Content-Type-Options: nosniff”. Please ensure that your web server sets the correct Content-Type for script files.

  73. Vojislav says:

    May 13, 2016

Couldn’t you just make the webserver bind only to the loopback interface? No need for it to be accessible over any other interface present, I reckon? That is, if I understood correctly that those vulnerabilities can be exploited remotely while running the IntelliJ IDE?

    • Maksim.Mossienko says:

      May 13, 2016

Just in case: the webserver is bound only to the loopback interface.

  74. How I Fixed: PHPStorm 2016.1.1 Weird Graphical Glitch | Code Review Videos says:

    May 13, 2016

    […] I also took the opportunity to bump PHPStorm to 2016.1.1, after all this recent hoo-hah about security. […]

  75. Shmulik Alfandari says:

    May 17, 2016

I am using IntelliJ IDEA version 14.1.4
    From where can I download the security patch?

  76. Bill Tsapalos says:

    May 17, 2016

    I am trying to find out more about the CSRF vulnerability.
    According to the description if I understand correctly it looks like a Local File Inclusion (LFI). Where can I find more info about this vulnerability?

    Thank you in advance,
    Bill

  77. Maier says:

    May 17, 2016

    /abc.html
    /abc.js

    http://localhost:63342/abc.html (Success)
    http://localhost:63342/abc.js (404 Not Found)

    How to visit the file(abc.js) now?

  78. Franziskus Karsunke says:

    May 17, 2016

    Besides all the negative comments here, I wanted to say thank you to the JetBrains team for the communication in this case. Also, providing an update down to IntelliJ 12.1 is very nice of you guys!

    Keep up the good work!

    • Eugene Toporov says:

      May 18, 2016

      Thank you Franziskus!

  79. D Deryl Downey says:

    May 17, 2016

    Hadi,

    Tell the guys and gals I said Thank You! I’ve the entire suite of toolsets from JetBrains, licenced under your Education program, and the updates went flawlessly. I was actually expecting a bunch of issues as I also run Windows Insider Preview Build 14342.rs1_release.160506-1708 of Windows 10 on that machine. Zero issues here.

    I’ve had cause to have issues with you guys before (using RubyMine). Not a single one the last 2 rounds since installing the 2016 releases. Much improved, much appreciated, and good job!

    • Eugene Toporov says:

      May 18, 2016

      Thank you very much for the feedback!

  80. Peter says:

    May 18, 2016

    Hi,

    2 quick questions:

    1.- If I don’t start the IDE, there are no vulnerabilities. Is that correct? Does the webserver start when Windows starts? Or only when I open Android Studio?

    2.- If we have a very old version of android studio, is that vulnerability in those old versions? (like Android Studio 1.0.2 for example).

    Thank you.

    • Eugene Toporov says:

      May 18, 2016

      Peter,

      1. Yes, that is correct. Webserver is running only when the IDE is open
      2. I think yes, AS 1.0.2 has some of these vulnerabilities. On http://tools.android.com/recent/androidstudio102released it says the build number is 135.1653844, which means it uses IntelliJ Platform branch number 135. We have updated products starting with branch 129.

  81. cowst says:

    May 18, 2016

    Any plan to make updates work again on Ubuntu?

    • Eugene Toporov says:

      May 18, 2016

      Updates should work on Ubuntu. Do you experience any issues?
      Please note that we were unable to provide patch-updates for all combinations and in some cases it is necessary to download a full installer. Sorry for the inconvenience, if this is the case for you.

  82. Mark Vasilkov says:

    May 18, 2016

    The IDE doesn’t even start after the security update. Good job guys, please continue. As a paying customer, I absolutely enjoy doing alpha testing.

  83. concerned_intellijayer says:

    May 20, 2016

    I’ve just installed Mac OS X v15.0.6 of IntelliJ Ultimate, downloaded from
    https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases

    But on clicking ‘About IntelliJ IDEA’ I see
    IntelliJ IDEA 15.0.6
    Build #IU-143.2370, built on April 28, 2016

    That’s a long way before the announcement of this vulnerability on May 11th.

    Could you please confirm that Mac OS X v15.0.6 of IntelliJ Ultimate from https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases contains the fix for this vulnerability?

  84. SeanR says:

    May 20, 2016

    Today I installed the Mac OS X v15.0.6 version of IntelliJ Ultimate, downloaded from
    https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases

    But on clicking ‘About IntelliJ IDEA’ I see the date of the build comes before this announcement. I really would just like confirmation that the Mac OS X v15.0.6 of IntelliJ Ultimate from https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases contains the fix for this vulnerability?

    There are widespread concerns here that 15.0.6 does not contain the fix due to this date discrepancy.

    Thank you!

    • Eugene Toporov says:

      May 31, 2016

      Sean, thank you for the feedback.
      The build date is earlier than the announcement date because it was really built earlier. We had to prepare and test updates for many versions of many products and therefore some were built earlier and were waiting for the announcement and were being tested internally. The v15.0.6 published at the Previous Releases page does contain the security vulnerabilities fix.

      -Eugene

  85. Eric B. says:

    May 20, 2016

    Is it possible that the update affected the Upsource Plugin ‘Test Connection’ feature? When it takes me to the Chrome to authenticate, it fails to return to Upsource after I authenticate. It instead directs Chrome to URL like so: https://localhost:3100/?code=XXXX . And Chrome shows ERR_SSL_PROTOCOL_ERROR, “This site can’t provide a secure connection”.

    • Artem says:

      May 31, 2016

      Hi Eric,

      Redirect to localhost is an expected behavior, so the security update shouldn’t be a cause here.

      The most interesting thing is that the redirect should go to http://localhost… and not to https://…

      Perhaps you have some proxy configuration (like http_redirect) that causes this behavior?

  86. Ikhtiyor says:

    May 20, 2016

    The “Copy authorization URL to clipboard” popup is annoying in WebStorm. Each time you refresh the browser with a cleared cache, we need to copy the newly generated URL and then paste it into the address bar, and so on and so forth. I think this is not a fix but just a workaround to resolve an issue.

    • Eugene Toporov says:

      May 31, 2016

      Hi,

      In WebStorm 2016.1.3 (released yesterday) we’ve added an option to accept unsigned requests which should disable the popup.
      You can find more details at https://youtrack.jetbrains.com/issue/IDEA-155917

  87. be;lle says:

    May 22, 2016

    I updated to the latest version and then all my previously compiled programs started giving error messages. Please, how do I fix it?

  88. ayoub bougsid says:

    May 23, 2016

    Thymeleaf is still not working when using Spring Boot. Is any fix going to come soon?

  89. Eric P says:

    May 24, 2016

    Can you summarize any open issues with this update so we can decide if it’s ok to upgrade?

    • Eugene Toporov says:

      May 31, 2016

      Eric, do you mean if there are any issues related to update installation?
      Please let me know which version and which product.
      I can also recommend to check with our support team (https://intellij-support.jetbrains.com), they should be able to give you a qualified answer.

      • Eric P says:

        June 10, 2016

        Eugene,

        Right, will I hit one of the issues people have run into above when I update to avoid this security issue.

        I’m using Webstorm 11.0.1. Build #WS-143.382 for Windows

        Thanks,
        Eric

  90. Bart says:

    May 31, 2016

    Every time I dare update my IDE, the new version says it will uninstall the old version. But it never says if all my settings will be preserved (subversion, etc.), so I exit out. Will updating IDEA from 14.1.3 to 14.1.7 cause a disruption in my work, as I am in the middle of major code changes, but I keep getting warned about having to update.

    • Eugene Toporov says:

      May 31, 2016

      Bart, the uninstall of the old version is optional. Also, the settings are stored separately in a system folder, so uninstallation should not delete them too.
      To be safe you can back up your IDE settings using File->Export Settings from the IDE.
      You are welcome to contact our support team at https://intellij-support.jetbrains.com/ if you have more questions.

  91. 游莉雅 says:

    June 3, 2016

    I want JetBrains for learning!

  92. Marcelo says:

    June 16, 2016

    Hello.

    I’m using RubyMine v2016.1 Build #RM-145.597 on Linux and I got an update notice.

    Tried to update, the patch is downloaded, but after the restart the version is not updated. Strange.

    If I check for updates, there they are again. It was not applied.

    I’m running as administrator every time I tried to update.

    Thanks!

    • Anuki says:

      June 17, 2016

      The most likely reason for this problem is running the application with a parameter from the command line. A similar problem was described here: https://youtrack.jetbrains.com/issue/IDEA-155904#comment=27-1467510. If so, try running the IDE without parameters to update, and then you will be able to use your way to run it. If not, please describe in more detail and add steps to reproduce in this ticket (idea.log would be very useful), thanks!

  93. Steven Holloway says:

    June 20, 2016

    This version is totally broken for me.
    The UI locks up immediately upon reaching a breakpoint.
    The UI locks up after about 1.5 hours of editor use with no server running.

    • Eugene Toporov says:

      June 20, 2016

      Sorry to hear this Steven.
      Please contact our support team with more details so they could try to help resolve the issues.

  94. Zachary Markham says:

    June 21, 2016

    When trying to run using a custom Run/Debug configuration I’m constantly getting the “Page ” requested without authorization,
    you can copy URL and open it in browser to trust it.”

    My run configuration has some custom URL params that are required so I have to copy the authorization URL from the prompt, get the auth param, and append it to my original URL. Is there not an easier way to do this? It’s really annoying. Can the param not be auto appended when using a Run configuration?

    • Eugene Toporov says:

      June 22, 2016

      Zachary,
      Which version and what product you are using?

      In WebStorm 2016.1.3 we’ve added an option to accept unsigned requests which should disable the popup.
      You can find more details at https://youtrack.jetbrains.com/issue/IDEA-155917
      Does it help?

  95. Sergey says:

    July 13, 2016

    After pressing the “update and restart” button, PhpStorm downloads something (the progress bar completes), the IDE restarts, but the IDE version doesn’t change and it says that I need to update again. I pressed “update and restart” 5 times and nothing changes after the IDE auto-restarts.

    • Eugene Toporov says:

      July 14, 2016

      Hi Sergey,
      I’m sorry about the problem and thank you for reporting.
      In this case I’d suggest to download the complete installer. Which version are you trying to update, btw?

      • Sergey says:

        July 28, 2016

        I’m trying to update:

        Build version: PhpStorm 10.0.3 Build #PS-143.1770 January 8, 2016
        Java version: 1.8.0_51-b16x86
        Operating System: Windows 7 (6.1, x86)

  96. Canuteson says:

    August 16, 2016

    I have a perpetual fallback license for PyCharm 5.0.5, which is not valid for 2016.2. The post states there are patches for previous versions, but the PyCharm links have the latest PyCharm 5.x line showing an old build I already have:
    https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases

    Can you please clarify how people on 5.x can patch without upgrading to 2016.2.x?

    • Eugene Toporov says:

      August 16, 2016

      Hi!

      PyCharm 5.0.5 released on May 11th, 2016 contains the security fix so you have nothing to worry about if you are using it already.
      If you have any other questions, please contact PyCharm support at https://intellij-support.jetbrains.com