[3.0.8] Update regarding requests to includes/ directory

Tom
Name: Tom Catullo

Post by Tom »

Hello, everyone.

We would like to take this opportunity to inform the MOD community of a recent change regarding web requests to the includes/ directory that has been introduced in phpBB 3.0.8. With the release of 3.0.8, web requests to the includes/ directory are now denied through the addition of an .htaccess file in that directory.

For MOD writers
This means that any request for web access to the includes/ directory or any files contained in it will be met with a 403 - Forbidden error. This change was made in order to prevent full-path disclosure on servers running PHP 5.3. Files from includes/ can of course still be included using PHP, but requesting them in HTML code, for example, would be denied. If any of your MODs rely on web access to the includes/ directory, we suggest that you adjust the affected MODs so that they will not encounter issues when running on phpBB 3.0.8. Any MODs that do not fit into this category need not be revised for this particular change.

Technical details
On servers running PHP 5.3, if PHP's error_reporting directive contains E_DEPRECATED, the PHP parser would throw a warning when accessing a file containing code that assigns an instantiation by reference, for example:

$obj =& new some_class();

This has (more or less) been done automatically since PHP 5. Because the warning is raised by the parser, the IN_PHPBB check will not prevent it from being displayed. For this reason, we had to address the issue by denying direct access to those files.

For MOD users
If you are a board operator running 3.0.8 or planning to upgrade soon, please check to see if any of your installed MODs will be affected by the update to 3.0.8 by checking the MOD's support topic or support section in the Customisation Database. Despite these possible issues, we still strongly recommend that you update to 3.0.8 as soon as possible. If necessary, the issue can be temporarily fixed by explicitly allowing files in the includes/ directory by adding the following code to includes/.htaccess for each filename:

<Files FILENAME>
   Order Allow,Deny
   Allow from All
</Files>

Here is an example of its usage with a file named swfobject.js:

<Files swfobject.js>
   Order Allow,Deny
   Allow from All
</Files>

This also works for subdirectories of includes/, in which case we suggest that you create a separate .htaccess file within the subdirectory, observing the same method described above for each file.

If you have any questions as a MOD writer or user regarding this announcement, we would be happy to assist you in the MOD Writers Discussion forum.

Thank you,
The Modifications Team
Last edited by tumba25 on Tue May 01, 2012 11:39 pm, edited 1 time in total.
Reason: Unstickyfied
Tom Catullo - Former Moderator Team Member
phpBB3 Smiley Pak Generator | Legend Repositioning MOD | My GitHub | My Site
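
An added example, not part of the original announcement or of phpBB: a small Python audit that finds web references to includes/ in a MOD's template markup and builds the per-directory `<Files>` blocks in the form shown above. The sample template, the function names and the refusal to re-allow .php files are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Web-facing references: src=/href=/data=/value= attributes and CSS url(...).
WEB_REF = re.compile(
    r'''\b(?:(?:src|href|data|value)\s*=\s*|url\(\s*)["']?([^"'\s)>]+)''', re.I)
# includes/ at the start, after a slash, or after a template variable
# such as {ROOT_PATH}.
UNDER_INCLUDES = re.compile(r'(?:^|/|\})includes/(.+)$')
# Same form as the block in the announcement.
BLOCK = "<Files {name}>\n   Order Allow,Deny\n   Allow from All\n</Files>"


def find_web_refs(text):
    """Return paths (relative to includes/) that the markup requests over HTTP."""
    found = []
    for url in WEB_REF.findall(text):
        path = re.split(r'[?#]', url, maxsplit=1)[0]  # drop query and fragment
        m = UNDER_INCLUDES.search(path)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def htaccess_blocks(paths):
    """Map each directory to the <Files> blocks for its own .htaccess file."""
    by_dir = defaultdict(set)
    for rel in paths:
        p = PurePosixPath(rel)
        # Assumption: never re-allow PHP files (that would reopen the path
        # disclosure the deny rule prevents) and ignore traversal paths.
        if p.suffix.lower() == ".php" or ".." in p.parts:
            continue
        by_dir[str(PurePosixPath("includes") / p.parent)].add(p.name)
    return {d: "\n".join(BLOCK.format(name=n) for n in sorted(names))
            for d, names in by_dir.items()}


# Constructed sample template; only the first two lines are web requests.
SAMPLE_TEMPLATE = """
<script type="text/javascript" src="{ROOT_PATH}includes/swfobject.js"></script>
<object data="./includes/mods/player/player.swf?v=2"></object>
<link rel="stylesheet" href="{T_THEME_PATH}/stylesheet.css" />
<!-- PHP-side include, unaffected: include($phpbb_root_path . 'includes/functions.php'); -->
"""

if __name__ == "__main__":
    for d, rules in htaccess_blocks(find_web_refs(SAMPLE_TEMPLATE)).items():
        print(f"# add to {d}/.htaccess\n{rules}\n")
```

Each key of the returned mapping is the directory whose own .htaccess file should receive the blocks, matching the advice above about subdirectories of includes/.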