• Version 1.8.2 3 May 2016

    Security barrier

    We’ve released version 1.8.2 of FixMyStreet, along with versions 1.7.1 and 1.6.2.

    These releases include an important security fix, whereby a malicious user could craft an image upload to the server that allowed them to run external commands as the user running the site. Please update your installation as soon as possible.

    Version 1.8.2 also contains other improvements and additions to existing features:

    • Twitter social login, alongside the existing Facebook login;
    • PNG and GIF image upload support;
    • Some development improvements, including the final merging of base and fixmystreet templates, storing any Open311 error in the database, and tidying up some unused cobrands;
    • A few bug fixes, such as showing the right body user form value for fixed reports (thanks Jon Kristensen).

    See the full list of changes over on GitHub.

  • Version 1.8.1 23 March 2016

    We’ve released version 1.8.1 of FixMyStreet, which fixes some bugs and makes some improvements to the 1.8 release.

    Now there is multiple photo support, the display of those photos on a report page is now a bit nicer, and if there’s an error message on photo upload it should now always be visible. Auto-scrolling of the sidebar when you hover over a pin has been removed as it was confusing, and the site now remembers a user’s last anonymous state. Fixes have been made for running on more recent versions of Perl, one of which was causing the geocoder to break.

    For developers, an easier way of adding cobrand-specific custom reporting fields has been added.

    There are a couple of other minor changes; see the full list of changes over on GitHub.

  • Version 1.8 2 March 2016

    Thin yellow line

    We’ve released version 1.8 of FixMyStreet.

    The two main new features in this release are Facebook login – provide a Facebook app ID and secret in your configuration and it will smoothly fit into the creation and login flow – and multiple photo support, along with a modern interface for previewing and uploading photos whilst you create your report.

    Smaller improvements include highlighting the pin when you hover over an item in the sidebar, and vice-versa; fixing some small display bugs such as how updates were displayed in Your Reports and preventing a chevron being stretched in Firefox; improving the look of the 404 page, and making sure you can see an update if you got to it via an in-page link.

    Memory performance has been improved, meaning cron jobs can take up to half as much memory, and this release also fixes a number of small bugs, including an embarrassing swap of latitude and longitude in the Google geocoder, making sure you’re signed up for updates if you used the app and were logged in, and better internationalisation and display of numbers.

    For developers, we’ve added a generic static route handler, so that adding new static HTML pages to your installation involves only creating a new file in your template directory and nothing more; improved bounce handling; and fixed the cobrand restriction handling on Your Reports and list pages.

    Plus quite a few other things; as always, see the full list of changes over on GitHub.

  • Version 1.7 23 October 2015

    yellow lines

    We’ve released version 1.7 of FixMyStreet.

    This version adds some new features. First off is that the FixMyStreet design is now bi-directional, providing an easy switch to flip the design to either left-to-right or right-to-left. This was done with the kind support of the National Democratic Institute.

    We have added state and category filters to the list pages, letting users view only e.g. open reports in the potholes category, or all reports in the graffiti category. Various design improvements have been made, including the showing of the report on a questionnaire page and the email confirmation pages, and we’ve added a nicer default OpenGraph image.

    Database performance has been improved in a number of areas, and the accessibility of the map pages has been improved.

    This release also fixes a number of small bugs, including translating report states in the admin index, dealing with DMARC email issues, and fixes for Google Maps API users.

    For developers, we’ve made it easier to run gettext-extract if you’re performing your own translations, removed some confusing warnings, finally removed the final few hardcoded “FixMyStreet” strings so it’s easy to rename your site, streamlined the navigation menu and list item CSS using a BEM style naming scheme so it is easy to change and override, and lastly fixed a long standing issue where errors were not always logged correctly.

    Plus quite a few other things; as always, see the full list of changes over on GitHub.

  • Version 1.6.1 31 July 2015

    Copenhagen trip

    We’ve released version 1.6.1 of FixMyStreet.

    This release fixes a bug introduced in the previous release when setting multiple areas for a body in the administration interface.

    It also includes improvements to the All Reports page, adding a fixed header and tooltips, and stops the sidebar running over the footer on alerts pages. The admin gets a variety of minor improvements, with better internal linking and a mark as sent button. Plus a Danish translation :)

    As ever, see the full list of changes over on GitHub.

  • Version 1.6 10 July 2015


    We’ve released version 1.6 of FixMyStreet (previously numbered 1.5.5).

    This release includes important security fixes:

    • A vulnerability in login email sending that could allow an account to be hijacked by a third party;
    • Alterations to token logging in and timeout behaviour;
    • A dependency update to fix an issue with Unicode characters in passwords.

    More details on those items below. Other items in this release include a Chinese translation, a bug fix with shrunken update photos, and some front end improvements, such as a ‘hamburger’ menu icon and an easier Report button on mobile, and resized map pins based on zoom level.

    See the full list of changes over on GitHub.

    Security fixes

    Login email account hijacking: Due to the way parameters were passed into the token table in the database, it was possible for someone to request a login email for one email address, but have the login email sent to different address. This would allow a third party to log in as someone else, letting them make reports or updates as that person.

    The code has been rewritten so all user parameter passing goes through central functions that return only one parameter even if the user has passed multiple parameters. More details of this class of vulnerability.

    Email authentication tokens: Problem confirmation tokens had to be used within a month; this now applies to all confirmation tokens, and email sign in tokens are valid for a day. Using those tokens after confirmation will redirect correctly, but no longer log you in; links in alert emails will no longer log you in.

    Unicode characters in passwords: The package our code uses to encode database columns, DBIx::Class::EncodedColumn, could have issues with Unicode characters provided to it. This was fixed by upgrading the version we use.

  • Version 1.5.4 18 March 2015

    We’ve released version 1.5.4 of FixMyStreet.

    This includes a couple of new map layers, Bing Maps and Stamen’s toner-lite, and nicer confirmation pages for after you’ve made a report or update, along with other smaller improvements and bug fixes. See the full list of changes over on GitHub.

    For developers, it includes a few small improvements, to do with Mac installation, making some things optional, and including a new configuration variable for if you’re running behind an SSL proxy. We’ve also added some test URLs so that you can view confirmation pages without having to leave a new report or update, e.g. see it in action on

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.

  • Version 1.5 20 November 2014

    We’ve released version 1.5 of FixMyStreet. This version fully supports the new Long Term Support (LTS) version of Ubuntu, Trusty Tahr 14.04 (the code did already run fine on Ubuntu Trusty if you set it up manually, but now the install script will work and a few other bits have been tidied).

    This release comes with a few improvements to the admin interface, including pagination of search results, validation of new categories, and some display enhancements.

    We’ve moved the map sidebar to be flush with the window edge, which we think is simpler and easier on the eye, and we’ve continued making the template structure easier to change and override.

    We’ve also fixed some bugs, such as map submission not working with JavaScript disabled or unavailable. As another example, we had a report of the Android browser crashing when showing a map page, which we tracked down to the slightly transparent map navigation controls – crashing wasn’t worth this, so now on mobile they’re fully opaque.

    From Transifex we’ve added four new languages (as well as updating the existing ones): Albanian, Bulgarian, Hebrew, and Ukranian.

    See the full changes over on GitHub.

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.

  • Version 1.4.2 15 July 2014

    We’ve released version 1.4.2, a maintenance release, but also with a couple of new features. The main reason for this release was to fix a couple of issues with the installation script, which are hopefully now resolved. It also upgrades our bundled copy of cpanm (to cope better when an external module website is down), tidies up the template structure, copes with browser autofill on the /auth sign in page, and adds links from the All Reports page to a body’s open or fixed reports.

    The main new feature is the addition of SMTP username/password and SSL/TLS options for your setup. You can read about the new options on the configuration settings page

    See the full changes over on GitHub at

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.

  • Version 1.4 23 May 2014

    Say hello to version 1.4 of FixMyStreet. As usual, the install script and AMI have both been updated to this version.

    Hopefully this release will run more smoothly on EC2 micro instances, with some cron rejigging to alleviate memory problems.

    There have been a few minor user-facing improvements, such as automatically selecting the reporting category if there’s only one choice, and removing the indenting of emails; some bug fixes, including changes for the new version of Debian, a problem with language setting in email alerts, and removal of cached photos; and a number of improvements for people reusing the code, including a no-op send method, having reports on staging sites be sent to the reporter, adding an external URL field to bodies, and making it easier to change the pin icons.

    See the full changes over on GitHub at

    Thanks to Andy Lulham, Chris Mytton, Dave Arter, Dave Whiteland, Gerald, Hakim Cassimally, Ian Chard, Jon Kristensen, Jonas Oberg, Kindrat, Matthew Somerville, Rikard, Steven Day, and Struan Donald for contributing to this release.

    As always, do ask on the mailing list if you’d like more information on any of the above, or submit an issue or pull request on GitHub.