We are pleased to announce the release of phpBB 3.1.5 "Bertie returning from the City of a Hundred Spires". This version is a maintenance and security release of the 3.1.x branch which fixes one content permission issue and a number of bugs, as well as adds new events as entry points for extensions to modify phpBB's behaviour.
We'd like to thank 5hocK for letting us know that it was previously possible for the subject of a post of an inaccessible subforum to be listed as the newest post on the forum index. This could happen if the subforum was password protected while its parent forum wasn't, or if users were granted permission to view the subforum in lists, but not to read posts in the subforum. We recommend using appropriate permission settings with usergroups over password protected forums.
This release uses the respective HTML attribute to disable autocompletion on all password fields that still allowed it. Passwords required to authenticate to external services like email or XMPP servers are no longer set as default values in ACP forms - thanks to Foritfy Open Source Review for proposing this improvement.
Please note: You may run into a conflict warning when using the automatic update package. We recommend you resolve the conflict by picking "Do not merge - use new file". If you have made custom changes to the file "includes/acp/acp_prune.php" or would like further information, please read the corresponding sticky topic in our support forum.
The full changelog is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.1.5 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=13098
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: brunoais, Callum Macrae, Matt Friedman, javiexin, rxu, cyberalien, CHItA, Richard McGirr, alf007, Alexander Köplinger, Wolfsblvt, dragosvr92
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Security and Hardening
- Hardening: Use autocomplete=off for password fields
- Hardening: Do not populate password fields in the ACP settings with the old password - Thanks ''Fortify Open Source Review'' for suggesting
- Content Permissons: Post subjects from protected subforums were listed incorrectly on the forum index in the following two scenarios: 1. Forum that has no forum password has a subforum with a password. 2. Forum with read permissions has a subforum without read permissions "Can read forum", but with list permissions "Can see forum" - Thanks ''5hocK'' for suggesting
- Events - More events have been added to the template and the php core
- Printing topics with webkit - Properly display background images when printing with webkit browser
- Language files for xCP modules - Adding multiple language files for acp/mcp/ucp modules was incorrectly handled for extensions
- Several Controller Fixes - AJAX responses did not support exceptions messages, AJAX responses did not support meta_refresh and redirect