We are pleased to announce the release of phpBB 3.3.2 "From Bertie with Love". This version is a maintenance and security release of the 3.3.x branch which fixes one security issue, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB starting with 3.2.0 adjusted the way formatting was removed in the strip BBCode function. If this function was used in extensions it could potentially lead to HTML entities being decoded and encoded unexpectedly and therefore result in reflected XSS. We’d like to thank n0bodysec for responsibly disclosing this to us.
Further hardening has been introduced to the ACP configuration settings for the Jabber functionality. The page will no longer output the communication content while adjusting settings. We’d like to thank Cory Billington for reporting this issue to us via HackerOne.
The fixed issues include, among others, a circular dependency when cron tasks depend on the controller helper, issues with drop-down menus, inconsistent margins when using zoom inside a browser, and an error while generating backups on PostgreSQL 12+.
In addition to that, permissions will now follow a more natural ordering in the ACP and the maximum allowed attachment file size will be displayed to users.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.3.2
and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15390
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: rxu, William Desportes, Christian Schnegelberger, JoshyPHP, Matt Friedman, 3D-I, Jakub Senko, kasimi, Alfredo Ramos, MichaIng, Noxwizard, ansavin, juanse254
If you have any questions or comments, we'll be happy to address them in the discussion topic
- The phpBB Team