phpBB 2.0.18 released


Post by Acyd Burn » Sun Oct 30, 2005 4:39 pm

The phpBB Group is pleased to announce the release of phpBB 2.0.18, "The Halloween Special" release.

This is a major update to the 2.0.x codebase and includes fixes for numerous bugs reported by users to our Bug Tracker, as well as updates to those issues identified by the recent security audit of the code and a couple of security issues reported to us. In addition we have backported a further feature from our "Olympus" codebase to change the way automatic logins are handled.

We would like to thank all of those who take part in the security audit of the code for their work.

As with all new releases we urge you to update as soon as possible. You can of course find this download available on our downloads page. As per usual four packages are available to simplify your update.
  • Full Package
    Contains entire phpBB2 source and English language package
  • Changed Files Only
    Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release
  • Patch Files
    Contains patch compatible patches from the previous versions of phpBB.
  • Code Changes
    Contains step-by-step instructions in MOD format for updating heavily MODified installs
    Download zip | Download tar.gz | Download tar.bz2
Select whichever package is most suitable for you.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!


It is important that you carry out both parts of the update - updating the files and running the database update script - for updates to be complete.


What has changed in this release?

The changelog (contained within this release) is as follows:
  • [Fix] incorrect handling of password resets if admin activation is enabled (Bug #88)
  • [Fix] retrieving category rows in index.php (Bug #90)
  • [Fix] improved index performance by determining the permissions before iterating through all forums (Bug #91)
  • [Fix] wrong topic redirection after login redirect (Bug #94)
  • [Fix] improved handling of username lists in admin_ug_auth.php (Bug #98)
  • [Fix] incorrect removal of bbcode_uid values if bbcode has been turned off (Bug #100)
  • [Fix] correctly preview signature if editing other users posts (Bug #101)
  • [Fix] incorrect alt tag on generated search images in groupcp.php, viewtopic.php and usercp_viewprofile.php (Bug #102)
  • [Fix] consistent forum ordering in all dropdown boxes (Bug #106)
  • [Fix] correctly get compression status in page_tail.php and page_footer_admin.php (Bug #117)
  • [Fix] set page title on summary page of groupcp.php (Bug #125)
  • [Fix] correctly test style and avatar in usercp_register.php (Bug #129 and #317)
  • [Fix] handling of reactivation notifications if admin activation is enabled (Bug #145)
  • [Fix] handling of both forms of translation information used in language packs (Bug #159)
  • [Fix] key length for activation keys fixed in usercp_sendpassword.php (Bug #171)
  • [Fix] use GENERAL_MESSAGE constant in message_die instead of MESSAGE (Bug #176)
  • [Fix] incorrect handling of move stubs (Bug #179)
  • [Fix] wrong mode_type in memberlist (Bug #187)
  • [Fix] SQL errors when setting maximum PMs to 0 (Bug #188)
  • [Fix] removed unused variable from topic_notify email template (Bug #210)
  • [Fix] removed unset variable from smilies popup window title (Bug #224)
  • [Fix] removed duplicate template assignment from admin_board.php (Bug #226)
  • [Fix] incorrect search link for guest posts in modcp.php (Bug #254)
  • [Fix] all users removed from topics watch table on special occasions (Bug #271)
  • [Fix] correctly check returned value from strpos in append_sid function (Bug #275)
  • [Fix] correctly display username in private message notification (Bug #278)
  • [Fix] fixed "var-by-ref" errors (Bug #322)
  • [Fix] changed redirection to installation (Bug #325)
  • [Fix] added timeout of 10 seconds to version check (Bug #348)
  • [Fix] fixed user_level default in postgresql schema file (Bug #444)
  • [Fix] multiple minor HTML issues with subSilver
  • [Change] deprecated the use of some PHP 3 compatibility functions in favour of the native equivalents
  • [Change] added 60 days limit for grabbing unread topics in index.php
  • [Sec] backport of session keys system from olympus
  • [Sec] fixed email bans to use the same pattern as email validation and allow wildcard domain bans
  • [Sec] fixed validation of topic type when posting
  • [Sec] unset database password once it is no longer needed
  • [Sec] fixed potential to select images outside the specified path as avatars or smilies
  • [Sec] fix globals de-registration code for PHP5 - (Stefan Esser/Matt Kavanagh)
  • [Sec] changed avatar gallery code sections to prevent possible injection points (AnthraX101)
  • [Sec] signature field is not properly sanitised for user input when an error occurs while accessing the avatar gallery (AnthraX101)
  • [Sec] check to_username and ownership when editing a PM (AnthraX101)
  • [Sec] fixed ability to edit PM's you did not send (depablo84)
  • [Sec] compare imagetype on avatar uploading to match the file extension from uploaded file
Acyd Burn
Consultant
 
Posts: 5831
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Post by Acyd Burn » Mon Oct 31, 2005 10:54 am

Hi,

we just noticed that some changes were not checked in to CVS and have thus been missing from the released 2.0.18 packages.
We repackaged phpBB 2.0.18 and also updated the changed files package.

The changed files are common.php (just one tiny change) and includes/usercp_register.php (several changes).

For all of you who have uploaded the packages or the changed files to your sites, please grab the packages again and inform your users about the changes.

Sorry for the inconvenience. We will evaluate what went wrong internally and why this happened.

The changed files only are available for download at http://www.phpbb.com/files/releases/cha ... ackage.zip


Now the changes in detail (from 2.0.18 to the repackage):

Open common.php

FIND:
if (@phpversion() >= '5.0.0' && (!ini_get('register_long_arrays') || @ini_get('register_long_arrays') == '0' || strtolower(@ini_get('register_long_arrays')) == 'off'))


REPLACE WITH:
if (@phpversion() >= '5.0.0' && (!@ini_get('register_long_arrays') || @ini_get('register_long_arrays') == '0' || strtolower(@ini_get('register_long_arrays')) == 'off'))



Open includes/usercp_register.php

FIND (Line 75):
$error = FALSE;


AFTER, ADD:
$error_msg = '';


FIND (Line 195):
   $user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? htmlspecialchars($HTTP_POST_VARS['avatarselect']) : ( ( isset($HTTP_POST_VARS['avatarlocal'])  ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' );


AFTER, ADD:
   $user_avatar_category = ( isset($HTTP_POST_VARS['avatarcatname']) && $board_config['allow_avatar_local'] ) ? htmlspecialchars($HTTP_POST_VARS['avatarcatname']) : '' ;


FIND (Line 224):
      $signature = stripslashes($signature);


REPLACE WITH:
      $signature = htmlspecialchars(stripslashes($signature));


FIND (Line 231):
         $user_avatar = $user_avatar_local;


REPLACE WITH:
         $user_avatar = $user_avatar_category . '/' . $user_avatar_local;


FIND (Line 441):
      if ( $signature_bbcode_uid == '' )


REPLACE WITH:
      if ( !isset($signature_bbcode_uid) || $signature_bbcode_uid == '' )


FIND (Line 477):
      if ( @file_exists(@phpbb_realpath('./' . $board_config['avatar_path'] . '/' . $userdata['user_avatar'])) )
      {
         @unlink(@phpbb_realpath('./' . $board_config['avatar_path'] . '/' . $userdata['user_avatar']));
      }
      $avatar_sql = user_avatar_url($mode, $error, $error_msg, $user_avatar_remoteurl);
   }
   else if ( $user_avatar_local != '' && $board_config['allow_avatar_local'] )
   {
      if ( @file_exists(@phpbb_realpath('./' . $board_config['avatar_path'] . '/' . $userdata['user_avatar'])) )
      {
         @unlink(@phpbb_realpath('./' . $board_config['avatar_path'] . '/' . $userdata['user_avatar']));
      }
      $avatar_sql = user_avatar_gallery($mode, $error, $error_msg, $user_avatar_local);


REPLACE WITH:
      user_avatar_delete($userdata['user_avatar_type'], $userdata['user_avatar']);
      $avatar_sql = user_avatar_url($mode, $error, $error_msg, $user_avatar_remoteurl);
   }
   else if ( $user_avatar_local != '' && $board_config['allow_avatar_local'] )
   {
      user_avatar_delete($userdata['user_avatar_type'], $userdata['user_avatar']);
      $avatar_sql = user_avatar_gallery($mode, $error, $error_msg, $user_avatar_local, $user_avatar_category);


FIND (Line 897):
      $s_hidden_fields .= '<input type="hidden" name="avatarlocal" value="' . $user_avatar_local . '" />';


REPLACE WITH:
      $s_hidden_fields .= '<input type="hidden" name="avatarlocal" value="' . $user_avatar_local . '" /><input type="hidden" name="avatarcatname" value="' . $user_avatar_category . '" />';


the phpBB Group.
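
The changelog entry "[Sec] fixed potential to select images outside the specified path as avatars or smilies" and the new avatarcatname field in the repackage both concern a gallery path assembled from request input. The following is an added example, not phpBB's own code and not part of the announcement: one way to confirm that a category and file name resolve to an image inside the gallery directory. The function name resolve_gallery_avatar and the temporary directory layout are assumptions.

```php
<?php
// Added illustration, not phpBB source. resolve_gallery_avatar() and the
// temporary directory layout in the demo are hypothetical.

// Returns "category/file" when the selection is an image file located under
// $gallery_root, or false for anything else.
function resolve_gallery_avatar($gallery_root, $category, $file)
{
    // Reject NUL bytes and any extension outside the image allow-list.
    if (strpos($category . $file, "\0") !== false
        || !preg_match('/\.(gif|jpe?g|png)$/i', $file)) {
        return false;
    }

    // Canonicalise both paths: realpath() resolves "..", "." and symlinks,
    // and returns false when the target does not exist.
    $root = realpath($gallery_root);
    $full = realpath($gallery_root . '/' . $category . '/' . $file);
    if ($root === false || $full === false || !is_file($full)) {
        return false;
    }

    // The canonical file path must start with the canonical root plus a
    // separator, so "/gallery_evil" cannot pass as a sibling of "/gallery".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return str_replace(DIRECTORY_SEPARATOR, '/', substr($full, strlen($prefix)));
}

// Constructed demo data: one gallery image and one file outside the gallery.
$base = sys_get_temp_dir() . '/avatar_demo_' . uniqid();
mkdir($base . '/gallery/animals', 0700, true);
file_put_contents($base . '/gallery/animals/cat.gif', 'GIF89a');
file_put_contents($base . '/secret.gif', 'GIF89a');

$cases = array(
    array('animals', 'cat.gif'),          // ordinary gallery selection
    array('..', 'secret.gif'),            // category climbs out of the gallery
    array('animals', '../../secret.gif'), // file name climbs out of the gallery
    array('animals', 'cat.php'),          // extension not on the allow-list
);
foreach ($cases as $c) {
    $result = resolve_gallery_avatar($base . '/gallery', $c[0], $c[1]);
    echo $c[0] . '/' . $c[1] . ' => ' . var_export($result, true) . "\n";
}
```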