We are pleased to announce the releases of phpBB 3.0.14 "Securing the thermal exhaust port" and phpBB 3.1.4 "May the fourth be with you". These versions are maintenance and security releases of both the 3.0.x and the 3.1.x branches which fix one minor security issue and a number of bugs. The 3.1.4 release additionally adds new events that act as entry points for extensions to modify phpBB's behaviour.
Thanks to Mathias Karlsson (avlidienbrunn) for bringing the security issue to our attention. An insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login) when provided with a malicious URL from a third party. This is no longer possible in 3.0.14 and 3.1.4.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.1.4 (3.1.4) and https://wiki.phpbb.com/Release_Highlights/3.0.14 (3.0.14) and a list of all issues fixed on our tracker at https://tracker.phpbb.com/browse/PHPBB3 ... lter=12991 (3.1.4) and https://tracker.phpbb.com/browse/PHPBB3 ... lter=13094 (3.0.14).
The latest packages can be downloaded from our downloads page (3.1.4) (3.0.14).
The development team thanks everyone who contributed code to these releases: brunoais, RMcGirr83, rxu, Jakub Senko, Wolfsblvt, cyberalien, kasimi, Dragos-Valentin Radulescu, Kailey Truscott, paulsohier, Crizzo, JoshyPHP, Kevin Roy, Matt Friedman, n-aleha, Raphaël M, Robert Heim, Scout4all, kamijoutouma
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Release Highlights phpBB 3.1.4
Security and Hardening
- Security: An insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login). Thanks to Mathias Karlsson (avlidienbrunn) for bringing this to our attention.
- Hardening: The HTTP protocol version received via SERVER_PROTOCOL is now verified to have the expected format. See PHPBB3-13765.
- Events - More events have been added to the template and the PHP core
- Version check of extensions - File caching of extensions' version check file doesn't work
- Fix links from /board - Append page name to base URL if it doesn't contain it and the path ends without a trailing slash
Release Highlights 3.0.14
Security and Hardening
- Security: An insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login). Thanks to Mathias Karlsson (avlidienbrunn) for bringing this to our attention.
- Hardening: The HTTP protocol version received via SERVER_PROTOCOL is now verified to have the expected format. See PHPBB3-13765.
- The path to imagick is now correctly verified as an absolute path instead of a relative path. See PHPBB3-13568.
- download/file.php no longer sends a Content-Length header when issuing "304 Not Modified". See PHPBB3-13414.