We are pleased to announce the release of phpBB 3.1.3 "The Bertie Strikes Back". This version is a maintenance and security release of the 3.1.x branch which fixes one security issue, a number of bugs, and adds new events as entry points for extensions to modify phpBB's behaviour.
In 3.1.x we no longer consider it acceptable for administrators to have system access through the administration control panel. It was previously possible for an administrator on a forum to use the ImageMagick binary path setting to execute code on the server.
The full changelog is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.1.3 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=12793
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: brunoais, Jakub Senko, rxu, MasterShredder, Matt Friedman, Oliver Schramm, omniError, Kailey Truscott, PayBas, Crizzo, Gaëtan Muller, Prosk8er, Tobi Schäfer, Wolfsblvt, kochi, lavigor, n-aleha
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Release Highlights
Security and Hardening
- Hardening of imagick path - Existence of the path to the imagick program specified in the Administration Control Panel is now verified.
- Events - More events have been added to the template and the PHP core
- Support for IDN (IRI) URLs - URLs in BBCodes, posts and profile fields can now contain UTF-8 characters
- Migrations can now use DI - Migrations can now use the container to access additional objects
- Canonical URLs sort parameters removed - In order to produce fewer duplicate pages, the sort parameters have been removed from the canonical URLs
- Multiple bugs while updating - Quite a few bugs in the database update scripts have been fixed
- Boolean profile fields on PostgreSQL - Boolean profile fields can now be created again
- UTF-8 characters in attachment names - Attachments with UTF-8 characters in their file name can now be uploaded again