[Feedback] If you have problems with 2.0.9

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Acyd Burn
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Post by Acyd Burn »

Solved with the Release of phpBB 2.0.10




Hi,

there seems to be an issue with the new code in common.php that we were unable to spot while testing the new package.

For all of you having SQL errors when posting messages with single quotes, please test the following fix and tell us if it solved the issue. All posts going off topic will be deleted.

Can you please make this update to your board:

Open common.php:

Find:

// Unset globally registered vars - PHP5 ... hhmmm
if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
{
    $var_prefix = 'HTTP';
    $var_suffix = '_VARS';

    $test = array('_GET', '_POST', '_SERVER', '_COOKIE', '_ENV');

    foreach ($test as $var)
    {
        if (is_array(${$var_prefix . $var . $var_suffix}))
        {
            unset_vars(${$var_prefix . $var . $var_suffix});
        }

        if (is_array(${$var}))
        {
            unset_vars(${$var});
        }
    }

    if (is_array(${'_FILES'}))
    {
        unset_vars(${'_FILES'});
    }

    if (is_array(${'HTTP_POST_FILES'}))
    {
        unset_vars(${'HTTP_POST_FILES'});
    }
}

Replace With:

// Unset globally registered vars - PHP5 ... hhmmm
if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
{
    $var_prefix = 'HTTP';
    $var_suffix = '_VARS';

    $test = array('_GET', '_POST', '_SERVER', '_COOKIE', '_ENV');

    foreach ($test as $var)
    {
        if (is_array(${$var_prefix . $var . $var_suffix}))
        {
            unset_vars(${$var_prefix . $var . $var_suffix});
            @reset(${$var_prefix . $var . $var_suffix});
        }

        if (is_array(${$var}))
        {
            unset_vars(${$var});
            @reset(${$var});
        }
    }

    if (is_array(${'_FILES'}))
    {
        unset_vars(${'_FILES'});
        @reset(${'_FILES'});
    }

    if (is_array(${'HTTP_POST_FILES'}))
    {
        unset_vars(${'HTTP_POST_FILES'});
        @reset(${'HTTP_POST_FILES'});
    }
}

The backslash problem within admin_board.php is known and already fixed (one line change).

We might re-package 2.0.9 without incrementing the version number or adding a minor number, releasing a new Code Changes Tutorial, Patches, Changed Files and posting the changes for those who have already installed or updated their installation. The common.php problem only affects people who have register_globals set to on.


Small reminder to smart people:

- the bbcode.php change was made to harden the img bbcode tag further, not to revert the introduced security check, allowing non-image extensions again. The check for remote avatars is intended and on purpose too.

- there is no problem with the quote="username" bbcode button, it is working as expected... it might be a side effect of the above explained problem.

- For all of those thinking about removing the new common.php code because other mods quit working, I suggest you contact the mod author to secure their code and contact your host to disable register_globals. This setting is the main reason for all major security issues that have arisen within the last months.


Thank you for reading, and sorry to have caused people problems, but Murphy seems to beat us all. :)
Last edited by Acyd Burn on Sat Jul 17, 2004 4:02 pm, edited 1 time in total.
MobileBadBoy
Registered User
Posts: 356
Joined: Wed Mar 06, 2002 5:29 pm
Location: Mobile, AL

Post by MobileBadBoy »

[applied the above fix] I just made a post with an apostrophe and didn't run into any errors, and the post was made successfully.
Last edited by MobileBadBoy on Tue Jul 13, 2004 11:16 pm, edited 1 time in total.
mattfoster
Registered User
Posts: 49
Joined: Sat Dec 14, 2002 3:58 pm

Post by mattfoster »

I was suffering from this problem too, but the above fix seems to have worked. I am now getting some threads which have, say, 6 pages - but upon clicking on page 6 am presented with "No posts exist for this topic".

Are they related in any way?
SimonHL
Registered User
Posts: 1
Joined: Tue Jul 13, 2004 11:41 pm

Post by SimonHL »

The fix worked here as well...
chatserv
Registered User
Posts: 29
Joined: Fri Mar 21, 2003 5:27 pm

Post by chatserv »

Maybe it would be a good idea for the code author to post guidelines to be followed by mod authors to make sure their mods are compliant with this code.
geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land

Post by geocator »

chatserv wrote: Maybe it would be a good idea for the code author to post guidelines to be followed by mod authors to make sure their mods are compliant with this code.


That's easy: don't rely on globals. Get variables through the super variables.
iwyen
Registered User
Posts: 9
Joined: Sun May 09, 2004 1:46 am
Location: Singapore

Post by iwyen »

It worked for my board too :wink:
Arjanus
Registered User
Posts: 5
Joined: Tue Jul 13, 2004 7:44 pm

Post by Arjanus »

Yes! Thanks. It solves my apostrophe problem, and quotes are indeed working now (but the messages containing quotes that were posted before this fix was applied need to be edited and saved again, without changing anything, to get those quotes to work correctly).
Martin.dk
Registered User
Posts: 43
Joined: Fri Nov 30, 2001 12:25 am

Re: [Feedback] If you have problems with 2.0.9

Post by Martin.dk »

Acyd Burn wrote: ...The common.php problem is only affecting those people having register_globals set to on.


I would say that isn't completely true. It would affect all people with magic_quotes_gpc set to off.

IMO register_globals has nothing to do with it :)
May the God of hope fill you with all joy and peace as you trust in Him, so that you may overflow with hope by the power of the Holy Spirit. Rom. 15:13
mattfoster
Registered User
Posts: 49
Joined: Sat Dec 14, 2002 3:58 pm

Re: [Feedback] If you have problems with 2.0.9

Post by mattfoster »

Martin.dk wrote:
Acyd Burn wrote:...The common.php problem is only affecting those people having register_globals set to on.

IMO register_globals has nothing to do with it :)


If you look at the code you will see that the fix only applies to people with register_globals set to 1, meaning that if it was set to 0 then the problem wouldn't occur ;)

Anyhow, I think the problem with the extra non-existent page is to do with people posting with apostrophes within the topic. Almost like it increments the post count for that topic but doesn't actually display the post?

edit: Having tried unmodified code on systems both with register_globals set to 1, and one with magic_quotes_gpc off and one on - it appears that the problem is solely caused by having magic_quotes off. Apologies to Martin!
Acyd Burn
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Post by Acyd Burn »

The problem is that the vars array is not reset after unsetting all global vars for people with register_globals on. Then, if magic_quotes_gpc is off, phpBB adds slashes to the vars. To conclude, this should only affect people having magic_quotes_gpc off AND register_globals set to on, or those where phpBB is unable to determine the current status of those ini-variables.
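
The pointer behaviour described in the post above, as an added example that is not part of the original post or of phpBB's code: two passes walk the same request array with PHP's internal array pointer, and without a `reset()` in between the escaping pass sees nothing, so a value containing a single quote stays unescaped. The function names, the shape of the escaping pass and the sample input are assumptions made for illustration.

```php
<?php
// Added illustration, not phpBB source. Function names are hypothetical.
// each() no longer exists in PHP 8, so the walks use key()/next(), which
// move the same internal array pointer.

// Stand-in for the pass that unsets registered globals: walks the array
// with its internal pointer and leaves the pointer past the last element.
function unset_vars_sketch(array &$vars): void
{
    while (($name = key($vars)) !== null) {
        unset($GLOBALS[$name]);
        next($vars);
    }
}

// Stand-in (assumed shape) for the escaping pass used when magic_quotes_gpc
// is off: it starts from wherever the pointer currently is.
function add_slashes_sketch(array &$vars): int
{
    $escaped = 0;
    while (($name = key($vars)) !== null) {
        $vars[$name] = addslashes($vars[$name]);
        $escaped++;
        next($vars);
    }
    reset($vars);
    return $escaped;
}

// Constructed sample input: a post body containing a single quote.
$sample = array('message' => "it's broken");

// Without the fix: no reset() between the two passes.
$unpatched = $sample;
unset_vars_sketch($unpatched);
$count_unpatched = add_slashes_sketch($unpatched);

// With the fix from the first post: rewind before escaping.
$patched = $sample;
unset_vars_sketch($patched);
reset($patched);
$count_patched = add_slashes_sketch($patched);

printf("no reset: %d value(s) escaped, message = %s\n", $count_unpatched, $unpatched['message']);
printf("reset:    %d value(s) escaped, message = %s\n", $count_patched, $patched['message']);
```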
nei.ch
Registered User
Posts: 21
Joined: Thu Aug 08, 2002 6:00 pm

Post by nei.ch »

Acyd Burn wrote: small reminder to smart people:

- the bbcode.php change was made to harden the img bbcode tag further, not to revert the introduced security check, allowing non-image extensions again. The check for remote avatars is intended and on purpose too.


What kind of security hole is introduced through valid URLs as img URLs?
See my post in your 2.0.8 -> 2.0.9 code changes topic:
http://www.phpbb.com/phpBB/viewtopic.ph ... 20#1154317
JoshuaB
Registered User
Posts: 95
Joined: Sat Apr 13, 2002 4:11 pm
Location: Hudson, MA USA

Post by JoshuaB »

mattfoster wrote: I am now getting some threads which have, say, 6 pages - but upon clicking on page 6 am presented with "No posts exist for this topic".


I'm getting this too.
aka_void
Registered User
Posts: 108
Joined: Tue May 20, 2003 7:01 pm
Location: Location: Lost
Name: Mark

Post by aka_void »

I can't remove styles from within the ACP... This is on a new install of 2.09. You click on delete, and NOTHING happens :?
jko
Registered User
Posts: 104
Joined: Thu Jun 20, 2002 8:47 pm

Post by jko »

Same problem here with styles removal.

If I comment out

unset($GLOBALS[$var_name]);
in common.php it works again. This is the same issue I have with my installation of Gallery - the updates are stripping the http vars from scripts that need them.

John