
[Feedback] If you have problems with 2.0.9

Posted: Tue Jul 13, 2004 10:45 pm
by Acyd Burn
Solved with the Release of phpBB 2.0.10




Hi,

There seems to be an issue with the new code in common.php that we were unable to spot while testing the new package.

For all of you having SQL errors when posting messages with single quotes, please test the following fix and tell us if it solved the issue. All posts going off-topic will be deleted.

Can you please make this update to your board:

Open common.php:

Find:

Code:

// Unset globally registered vars - PHP5 ... hhmmm
if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
{
    $var_prefix = 'HTTP';
    $var_suffix = '_VARS';

    $test = array('_GET', '_POST', '_SERVER', '_COOKIE', '_ENV');

    foreach ($test as $var)
    {
        if (is_array(${$var_prefix . $var . $var_suffix}))
        {
            unset_vars(${$var_prefix . $var . $var_suffix});
        }

        if (is_array(${$var}))
        {
            unset_vars(${$var});
        }
    }

    if (is_array(${'_FILES'}))
    {
        unset_vars(${'_FILES'});
    }

    if (is_array(${'HTTP_POST_FILES'}))
    {
        unset_vars(${'HTTP_POST_FILES'});
    }
}
Replace With:

Code:

// Unset globally registered vars - PHP5 ... hhmmm
if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
{
    $var_prefix = 'HTTP';
    $var_suffix = '_VARS';

    $test = array('_GET', '_POST', '_SERVER', '_COOKIE', '_ENV');

    foreach ($test as $var)
    {
        if (is_array(${$var_prefix . $var . $var_suffix}))
        {
            unset_vars(${$var_prefix . $var . $var_suffix});
            @reset(${$var_prefix . $var . $var_suffix});
        }

        if (is_array(${$var}))
        {
            unset_vars(${$var});
            @reset(${$var});
        }
    }

    if (is_array(${'_FILES'}))
    {
        unset_vars(${'_FILES'});
        @reset(${'_FILES'});
    }

    if (is_array(${'HTTP_POST_FILES'}))
    {
        unset_vars(${'HTTP_POST_FILES'});
        @reset(${'HTTP_POST_FILES'});
    }
}
The backslash problem within admin_board.php is known and already fixed (one line change).

We might re-package 2.0.9 without incrementing the version number or adding a minor number, releasing a new Code Changes Tutorial, Patches, Changed Files and posting the changes for those already having installed or updated their installation. The common.php problem is only affecting those people having register_globals set to on.


Small reminder to smart people:

- the bbcode.php change was made to harden the img bbcode tag further, not to revert the introduced security check, allowing non-image extensions again. The check for remote avatars is intended and on purpose too.

- there is no problem with the quote="username" bbcode button, it is working as expected... it might be a side effect of the above explained problem.

- For all of those thinking about removing the new common.php code because other mods quit working, I suggest you contact the mod author to secure their code and contact your hoster to disable register_globals. This setting is the main reason for all major security issues that have arisen within the last months.


Thank you for reading, and sorry to have caused people problems, but Murphy seems to beat us all. :)

Posted: Tue Jul 13, 2004 11:03 pm
by MobileBadBoy
[applied the above fix] I just made a post with an apostrophe and didn't run into any errors, and the post was made successfully.

Posted: Tue Jul 13, 2004 11:14 pm
by mattfoster
I was suffering from this problem too, but the above fix seems to have worked. I am now getting some threads which have, say, 6 pages - but upon clicking on page 6 am presented with "No posts exist for this topic".

Are they related in any way?

Posted: Tue Jul 13, 2004 11:44 pm
by SimonHL
The fix worked here as well...

Posted: Wed Jul 14, 2004 3:06 am
by chatserv
Maybe it would be a good idea for the code author to post guidelines to be followed by mod authors to make sure their mods are compliant with this code.

Posted: Wed Jul 14, 2004 3:08 am
by geocator
chatserv wrote: Maybe it would be a good idea for the code author to post guidelines to be followed by mod authors to make sure their mods are compliant with this code.


That's easy: don't rely on globals. Get variables through the super variables.

Posted: Wed Jul 14, 2004 3:53 am
by iwyen
It worked for my board too :wink:

Posted: Wed Jul 14, 2004 9:55 am
by Arjanus
Yes! Thanks. It solves my apostrophe problem and quotes are working now indeed (but the messages which contain quotes that were posted before this fix was applied need to be edited and saved again, without changing anything, to get those quotes to work correctly).

Posted: Wed Jul 14, 2004 10:17 am
by Martin.dk
Acyd Burn wrote: ...The common.php problem is only affecting those people having register_globals set to on.


I would say that isn't completely true. It would affect all people with magic_quotes_gpc set to off.

IMO register_globals has nothing to do with it :)

Posted: Wed Jul 14, 2004 10:42 am
by mattfoster
Martin.dk wrote:
Acyd Burn wrote:...The common.php problem is only affecting those people having register_globals set to on.

IMO register_globals has nothing to do with it :)


If you look at the code you will see that the fix only applies to people with register_globals set to 1, meaning that if it was set to 0 then the problem wouldn't occur ;)

Anyhow, I think the problem with the extra non-existent page is to do with people posting with apostrophes within the topic. Almost like it increments the post count for that topic but doesn't actually display the post?

edit: Having tried unmodified code on systems both with register_globals set to 1, and one with magic_quotes_gpc off and one on - it appears that the problem is solely caused by having magic_quotes off. Apologies to Martin!

Posted: Wed Jul 14, 2004 11:12 am
by Acyd Burn
The problem is that the vars array is not reset after unsetting all global vars for people with register_globals on. Then, if magic_quotes_gpc is off, phpBB adds slashes to the vars. To conclude, this should only affect people having magic_quotes_gpc off AND register_globals set to on, or those where phpBB is unable to determine the current status of those ini-variables.
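The pointer behaviour described in the post above, as an added example that is not part of the original post or of phpBB's code: it assumes both the unset pass and the slash-adding pass walk the request array with each()-style internal-pointer iteration, which is what the @reset() calls in the fix imply. The function names and the sample array are hypothetical.

```php
<?php
// Added illustration, not phpBB source. each() no longer exists in PHP 8,
// so each_compat() reproduces its pointer behaviour with key()/current()/next().
function each_compat(array &$arr)
{
    $k = key($arr);
    if ($k === null) {
        return false;               // internal pointer is past the last element
    }
    $v = current($arr);
    next($arr);                     // advance, exactly what each() did
    return array($k, $v);
}

// Hypothetical stand-in for unset_vars(): drops each same-named global.
function unset_vars_demo(array &$vars)
{
    while (($pair = each_compat($vars)) !== false) {
        unset($GLOBALS[$pair[0]]);
    }
}                                   // pointer is now left at the end of $vars

// Hypothetical stand-in for the escaping pass run when magic_quotes_gpc is off.
function add_slashes_pass(array &$vars)
{
    $escaped = 0;
    while (($pair = each_compat($vars)) !== false) {
        $vars[$pair[0]] = addslashes($pair[1]);
        $escaped++;
    }
    reset($vars);
    return $escaped;
}

// Constructed sample input standing in for a posted message.
$post = array('subject' => 'Hi', 'message' => "It's broken");

$unpatched = $post;
unset_vars_demo($unpatched);            // 2.0.9: no reset afterwards
$n = add_slashes_pass($unpatched);
echo "no reset:   $n escaped, message = {$unpatched['message']}\n";

$patched = $post;
unset_vars_demo($patched);
reset($patched);                        // the line the fix adds
$n = add_slashes_pass($patched);
echo "with reset: $n escaped, message = {$patched['message']}\n";
```

Without the reset the escaping loop finds the pointer already exhausted and silently skips every value, so the apostrophe reaches the query unescaped.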

Posted: Wed Jul 14, 2004 1:46 pm
by nei.ch
Acyd Burn wrote: small reminder to smart people:

- the bbcode.php change was made to harden the img bbcode tag further, not to revert the introduced security check, allowing non-image extensions again. The check for remote avatars is intended and on purpose too.


What kind of security hole is introduced through valid URLs as img URLs?
See my post in your 2.0.8 -> 2.0.9 code changes topic:
http://www.phpbb.com/phpBB/viewtopic.ph ... 20#1154317

Posted: Wed Jul 14, 2004 2:21 pm
by JoshuaB
mattfoster wrote: I am now getting some threads which have, say, 6 pages - but upon clicking on page 6 am presented with "No posts exist for this topic".


I'm getting this too.

Posted: Wed Jul 14, 2004 2:30 pm
by aka_void
I can't remove styles from within the ACP... This is on a new install of 2.09. You click on delete, and NOTHING happens :?

Posted: Wed Jul 14, 2004 2:54 pm
by jko
Same problem here with styles removal.

If I comment out

Code:

unset($GLOBALS[$var_name]);
in common.php it works again. This is the same issue I have with my installation of Gallery - the updates are stripping the http vars from scripts that need them.

John