phpBB 2.0.8 released

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Get Involved

phpBB 2.0.8 released

Postby Acyd Burn » Thu Mar 25, 2004 6:13 pm

phpBB Group are pleased to announce the release of phpBB 2.0.8. This release had been made to fix a number of critical security related issues. Work continues on 2.2.0 and again we do not plan on further releases of 2.0.x except where critical issues arise.

As with previous releases three different packages are available:
  • Full Package
    Contains entire phpBB2 source and English language package
  • Changed Files Only
    Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release
  • Patch Files
    Contains patch compatible patches from the previous versions of phpBB.
Select whichever package is most suitable for you.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!.

Note to 2.0.3 users intending to use the patch file version

Users of 2.0.3 intending to use the patch version may (but not necessarily will) need to run fixfiles.sh (found in the contrib/ directory with the downloaded archive) before patching.

We recommend that all 2.0.3 users do a "dry run" patch first to see whether this you need to use this fix. To do this append --dry-run to the patch command, e.g. patch -cl -p1 --dry-run < phpBB-2.0.3_to_2.0.8.patch. This will prevent any permanent changes being made to your installation. If you experience numerous (literally dozens and dozens) of hunk failed messages this applies to you.

To correct this problem go to your phpBB root directory, copy the fixfiles.sh to this location, chmod u+x fixfiles.sh and type ./fixfiles.sh. This will strip windows style carriage returns present in the 2.0.3 source. A new fixfiles.sh script has been put into the contrib folder to be "fixed" too.

What has changed in this release?

A comprehensive changelog is included with all archives. This edition is centred on fixing a number of critical security issues.

As with 2.0.5, 2.0.6 and 2.0.7 the visual confirmation and the template caching Mods are included in the contrib directory.

We urge all users to update promptly to this new release.
If you are still having troubles on reading the documentation provided, please refer to the Support Forum and use the Support Request Template.



If you want to patch your 2.0.7(a) installation


If you are still using phpBB 2.0.7 or prior, please go to our Downloads Page, download the appropiate package and follow the update Instructions.

The following are the changes from 2.0.7a to 2.0.8 for manual upgrading.
A patch file for 2.0.7a to 2.0.8 is downloadeable from this location.

Manual Instructions for upgrading (Mod Format) are soon available here within the Mods Database.

  • admin/admin_forumauth.php
  1. FIND - Line 105
    Code: Select all

             $simple_ary = $simple_auth_ary[$HTTP_POST_VARS['simpleauth']];

             for($i = 0; $i < count($simple_ary); $i++)
             {
                $sql .= ( ( $sql != '' ) ? ', ' : '' ) . $forum_auth_fields[$i] . ' = ' . $simple_ary[$i];
             }

             $sql = "UPDATE " . FORUMS_TABLE . " SET $sql WHERE forum_id = $forum_id";
          }
          else
          {
             for($i = 0; $i < count($forum_auth_fields); $i++)
             {
                $value = $HTTP_POST_VARS[$forum_auth_fields[$i]];


    REPLACE WITH
    Code: Select all

             $simple_ary = $simple_auth_ary[intval($HTTP_POST_VARS['simpleauth'])];

             for($i = 0; $i < count($simple_ary); $i++)
             {
                $sql .= ( ( $sql != '' ) ? ', ' : '' ) . $forum_auth_fields[$i] . ' = ' . $simple_ary[$i];
             }

             if (is_array($simple_ary))
             {
                $sql = "UPDATE " . FORUMS_TABLE . " SET $sql WHERE forum_id = $forum_id";
             }
          }
          else
          {
             for($i = 0; $i < count($forum_auth_fields); $i++)
             {
                $value = intval($HTTP_POST_VARS[$forum_auth_fields[$i]]);

  • admin/admin_forums.php
  1. FIND - Line 60
    Code: Select all

       $mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];


    AFTER, ADD
    Code: Select all

       $mode = htmlspecialchars($mode);

  • admin/admin_groups.php
  1. FIND - Line 55
    Code: Select all

       $mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];


    AFTER, ADD
    Code: Select all

       $mode = htmlspecialchars($mode);

  • admin/admin_ranks.php
  1. FIND - Line 43
    Code: Select all

       $mode = ($HTTP_GET_VARS['mode']) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode'];


    AFTER, ADD
    Code: Select all

       $mode = htmlspecialchars($mode);

  • admin/admin_smilies.php
  1. FIND - Line 62
    Code: Select all

       $mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];


    AFTER, ADD
    Code: Select all

       $mode = htmlspecialchars($mode);

  2. FIND - Line 319
    Code: Select all

             $smiley_id = ( !empty($HTTP_POST_VARS['id']) ) ? $HTTP_POST_VARS['id'] : $HTTP_GET_VARS['id'];


    AFTER, ADD
    Code: Select all

             $smiley_id = intval($smiley_id);

  3. FIND - Line 340
    Code: Select all

             $smiley_id = ( !empty($HTTP_POST_VARS['id']) ) ? $HTTP_POST_VARS['id'] : $HTTP_GET_VARS['id'];


    AFTER, ADD
    Code: Select all

             $smiley_id = intval($smiley_id);

  • admin/admin_styles.php
  1. FIND - Line 61
    Code: Select all

       $mode = ( isset($HTTP_GET_VARS['mode']) ) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode'];


    AFTER, ADD
    Code: Select all

       $mode = htmlspecialchars($mode);

  2. FIND - Line 492
    Code: Select all

                $style_id = $HTTP_GET_VARS['style_id'];


    REPLACE WITH
    Code: Select all

                $style_id = intval($HTTP_GET_VARS['style_id']);

  3. FIND - Line 707
    Code: Select all

                WHERE template_name = '$template_name'";


    REPLACE WITH
    Code: Select all

                WHERE template_name = '" . str_replace("\'", "''", $template_name) . "'";

  • admin/admin_ug_auth.php
  1. FIND - Line 60
    Code: Select all

    $user_id = intval($user_id);
    $group_id = intval($group_id);


    AFTER, ADD
    Code: Select all

    $adv = intval($adv);
    $mode = htmlspecialchars($mode);

  • admin/admin_user_ban.php
  1. FIND - Line 280
    Code: Select all

                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $user_list[$i];


    REPLACE WITH
    Code: Select all

                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . intval($user_list[$i]);

  2. FIND - Line 293
    Code: Select all

                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $ip_list[$i];


    REPLACE WITH
    Code: Select all

                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . str_replace("\'", "''", $ip_list[$i]);

  3. FIND - Line 306
    Code: Select all

                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $email_list[$i];


    REPLACE WITH
    Code: Select all

                $where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . str_replace("\'", "''", $email_list[$i]);

  • admin/admin_users.php
  1. FIND - Line 52
    Code: Select all

       $mode = ( isset( $HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];


    AFTER, ADD
    Code: Select all

       $mode = htmlspecialchars($mode);

  2. FIND - Line 842
    Code: Select all

                $category = $HTTP_POST_VARS['avatarcategory'];


    REPLACE WITH
    Code: Select all

                $category = htmlspecialchars($HTTP_POST_VARS['avatarcategory']);

  • admin/admin_words.php
  1. FIND - Line 44
    Code: Select all

       $mode = ($HTTP_GET_VARS['mode']) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode'];


    AFTER, ADD
    Code: Select all

       $mode = htmlspecialchars($mode);

  2. FIND - Line 67
    Code: Select all

          $word_id = ( isset($HTTP_GET_VARS['id']) ) ? $HTTP_GET_VARS['id'] : 0;


    REPLACE WITH
    Code: Select all

          $word_id = ( isset($HTTP_GET_VARS['id']) ) ? intval($HTTP_GET_VARS['id']) : 0;

  3. FIND - Line 117
    Code: Select all

          $word_id = ( isset($HTTP_POST_VARS['id']) ) ? $HTTP_POST_VARS['id'] : 0;


    REPLACE WITH
    Code: Select all

          $word_id = ( isset($HTTP_POST_VARS['id']) ) ? intval($HTTP_POST_VARS['id']) : 0;

  4. FIND - Line 154
    Code: Select all

          if( isset($HTTP_POST_VARS['id']) ||  isset($HTTP_GET_VARS['id']) )
          {
             $word_id = ( isset($HTTP_POST_VARS['id']) ) ? $HTTP_POST_VARS['id'] : $HTTP_GET_VARS['id'];


    AFTER, ADD
    Code: Select all

             $word_id = intval($word_id);

  • admin/pagestart.php
  1. FIND - Line 59
    Code: Select all

       redirect($url);


    REPLACE WITH
    Code: Select all

       redirect("index.$phpEx?sid=" . $userdata['session_id']);

  • includes/bbcode.php
  1. FIND - Line 284
    Code: Select all

       $text = preg_replace("#\[img\]((ht|f)tp://)([^\r\n\t<\"]*?)\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);


    REPLACE WITH
    Code: Select all

       $text = preg_replace("#\[img\]((ht|f)tp://)([^ \?&=\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);

  • includes/functions_search.php
  1. FIND - Line 201
    Code: Select all

                      $value_sql .= ( ( $value_sql != '' ) ? ', ' : '' ) . '(\'' . $word[$i] . '\', 0)';
                      break;
                   case 'mssql':


    AFTER, ADD
    Code: Select all

                   case 'mssql-odbc':

  2. FIND - Line 226
    Code: Select all

                      VALUES $value_sql";
                   break;
                case 'mssql':


    AFTER, ADD
    Code: Select all

                case 'mssql-odbc':

  • includes/usercp_register.php
  1. FIND - Line 180
    Code: Select all

       $user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? $HTTP_POST_VARS['avatarselect'] : ( ( isset($HTTP_POST_VARS['avatarlocal'])  ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' );


    REPLACE WITH
    Code: Select all

       $user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? htmlspecialchars($HTTP_POST_VARS['avatarselect']) : ( ( isset($HTTP_POST_VARS['avatarlocal'])  ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' );

User avatar
Acyd Burn
Consultant
 
Posts: 5831
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Return to Announcements

Who is online

Users browsing this forum: No registered users and 12 guests