phpBB 2.0.10 released

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Get Involved

phpBB 2.0.10 released

Postby Acyd Burn » Sat Jul 17, 2004 4:00 pm

phpBB Group are pleased to announce the release of phpBB 2.0.10 the "Murphy is furry" release. This release had been made to fix one security related issue and some bugs introduced by the 2.0.9 release, plus two new ones. Work continues on 2.2.0 and again we do not plan on further releases of 2.0.x except where critical issues arise. Note that we do not intend dropping support for 2.0.x even after 2.2 is released.

As with previous releases three different packages are available:
  • Full Package
    Contains entire phpBB2 source and English language package
  • Changed Files Only
    Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release
  • Patch Files
    Contains patch compatible patches from the previous versions of phpBB.
Select whichever package is most suitable for you.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!.

Note to 2.0.3 users intending to use the patch file version

Users of 2.0.3 intending to use the patch version may (but not necessarily will) need to run fixfiles.sh (found in the contrib/ directory with the downloaded archive) before patching.

We recommend that all 2.0.3 users do a "dry run" patch first to see whether this you need to use this fix. To do this append --dry-run to the patch command, e.g. patch -cl -p1 --dry-run < phpBB-2.0.3_to_2.0.10.patch. This will prevent any permanent changes being made to your installation. If you experience numerous (literally dozens and dozens) of hunk failed messages this applies to you.

To correct this problem go to your phpBB root directory, copy the fixfiles.sh to this location, chmod u+x fixfiles.sh and type ./fixfiles.sh. This will strip windows style carriage returns present in the 2.0.3 source.

What has changed in this release?

We will list a comprehensive list (with the necessary changes) here. For all of you still running 2.0.8(a), there will be a tutorial with code changes from 2.0.8 to 2.0.10, the following list is only for those running 2.0.9.

The main problem arised in 2.0.9 was for those having register_globals set to on and magic_quotes_gpc set to off. For those the board was nearly unusable. Additionally with the release of PHP5 users had to change a php.ini variable, which is now simulated by phpBB. Support for phpBB 2.0.x running under PHP5 is still not provided here. The common.php change:

common.php
  • FIND - Line 43
    Code: Select all

    // Unset globally registered vars - PHP5 ... hhmmm
    if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
    {
       $var_prefix = 'HTTP';
       $var_suffix = '_VARS';
       
       $test = array('_GET', '_POST', '_SERVER', '_COOKIE', '_ENV');

       foreach ($test as $var)
       {
          if (is_array(${$var_prefix . $var . $var_suffix}))
          {
             unset_vars(${$var_prefix . $var . $var_suffix});
          }

          if (is_array(${$var}))
          {
             unset_vars(${$var});
          }
       }

       if (is_array(${'_FILES'}))
       {
          unset_vars(${'_FILES'});
       }

       if (is_array(${'HTTP_POST_FILES'}))
       {
          unset_vars(${'HTTP_POST_FILES'});
       }
    }


    REPLACE WITH
    Code: Select all

    // Unset globally registered vars - PHP5 ... hhmmm
    if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
    {
       $var_prefix = 'HTTP';
       $var_suffix = '_VARS';
       
       $test = array('_GET', '_POST', '_SERVER', '_COOKIE', '_ENV');

       foreach ($test as $var)
       {
          if (is_array(${$var_prefix . $var . $var_suffix}))
          {
             unset_vars(${$var_prefix . $var . $var_suffix});
             @reset(${$var_prefix . $var . $var_suffix});
          }

          if (is_array(${$var}))
          {
             unset_vars(${$var});
             @reset(${$var});
          }
       }

       if (is_array(${'_FILES'}))
       {
          unset_vars(${'_FILES'});
          @reset(${'_FILES'});
       }

       if (is_array(${'HTTP_POST_FILES'}))
       {
          unset_vars(${'HTTP_POST_FILES'});
          @reset(${'HTTP_POST_FILES'});
       }
    }

    // PHP5 with register_long_arrays off?
    if (!isset($HTTP_POST_VARS) && isset($_POST))
    {
       $HTTP_POST_VARS = $_POST;
       $HTTP_GET_VARS = $_GET;
       $HTTP_SERVER_VARS = $_SERVER;
       $HTTP_COOKIE_VARS = $_COOKIE;
       $HTTP_ENV_VARS = $_ENV;
       $HTTP_POST_FILES = $_FILES;
    }

There was one bug introduced by a security fix in 2.0.9 making submitting board settings with single quotes (for example the board description) buggy.
This has been fixed by the following change:

admin/admin_board.php
  • FIND - Line 46
    Code: Select all

          $default_config[$config_name] = str_replace("'", "\'", $config_value);


    REPLACE WITH
    Code: Select all

          $default_config[$config_name] = isset($HTTP_POST_VARS['submit']) ? str_replace("'", "\'", $config_value) : $config_value;

There was a problem caused by the unsetting of global vars. Because the style system itself makes two variables global, deleting styles no longer worked. To fix this problem, the following change is necessary:

admin/admin_styles.php
  • FIND - Line 49
    Code: Select all

    require('./pagestart.' . $phpEx);


    AFTER, ADD
    Code: Select all


    $confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
    $cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

Some users reported problems with the jumpbox not working within the moderator control panel. The fix:

includes/functions.php
  • FIND - Line 190
    Code: Select all

       if ( !empty($SID) )
       {
          $boxstring .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
       }


    REPLACE WITH
    Code: Select all

       // Let the jumpbox work again in sites having additional session id checks.
    //   if ( !empty($SID) )
    //   {
          $boxstring .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
    //   }

Amit Klein and Ory Segal reported a vulnerability with redirects (Apache users are not affected by this), which is fixed by these changes:

includes/functions.php
  • FIND - Line 743
    Code: Select all

       if (!empty($db))
       {
          $db->sql_close();
       }


    AFTER, ADD
    Code: Select all

       if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r"))
       {
          message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
       }

login.php
  • FIND - Line 96
    Code: Select all

                   $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';
                   $redirect = str_replace('?', '&', $redirect);


    AFTER, ADD
    Code: Select all

                   if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))
                   {
                      message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
                   }

  • FIND - Line 116
    Code: Select all
             $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "";
             $redirect = str_replace("?", "&", $redirect);


    AFTER, ADD
    Code: Select all

                   if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))
                   {
                      message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
                   }

Searching for authors sometimes lead to no results, even if the author existed. This is due to special chars within the username, now searching for these is working correctly:

search.php
  • FIND - Line 62
    Code: Select all

       $search_author = ( isset($HTTP_POST_VARS['search_author']) ) ? $HTTP_POST_VARS['search_author'] : $HTTP_GET_VARS['search_author'];


    AFTER, ADD
    Code: Select all

       $search_author = htmlspecialchars($search_author);

The visual confirmation pre-edited files were fixed to resolve an issue with a regular expression checking for correct confirm ids.
As with previous versions the visual confirmation and the template caching Mods are included in the contrib directory.

We urge all users to update promptly to this new release.
If you are still having troubles on reading the documentation provided, please refer to the Support Forum and use the Support Request Template.


For those with a lot of Mods installed Code Changes Mods are available:
phpBB 2.0.8 to phpBB 2.0.10 Code Changes
phpBB 2.0.9 to phpBB 2.0.10 Code Changes
User avatar
Acyd Burn
Consultant
 
Posts: 5831
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Return to Announcements

Who is online

Users browsing this forum: No registered users and 18 guests