phpbb2.0.20: all fixes in one place...

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

phpbb2.0.20: all fixes in one place...

Post by asinshesq » Thu Apr 13, 2006 3:29 pm

Since a revised 2.0.20 fixing the various bugs talked about in this forum hasn't yet been posted, I figured it might be useful for me to post in one place all the corrections you'll find if you page through the various upgrade to 2.0.20 threads. (If I left any out, feel free to reply to this topic and point it out and I'll edit this post so it continues to be a definitive source).

1. To fix the problem that messes up the use of named quotes bbcode when html is enabled on your board, do this (source: CVS and this post: http://www.phpbb.com/phpBB/viewtopic.ph ... 70#2088170 ):

Code:

OPEN
includes/functions_post.php

FIND
		$message = addslashes($message);

AFTER, ADD
		$message = str_replace('"', '\"', $message);

2. If you downloaded the code upgrade version of 2.0.19 to 2.0.20 and you downloaded it early (before Graham corrected that file), you need to do this (source, CVS and this post: http://www.phpbb.com/phpBB/viewtopic.ph ... 51#2079351 , plus changed the erroneous $replace_word to $replacement_word as per CVS and this post: http://www.phpbb.com/phpBB/viewtopic.ph ... 43#2086243 ):

Code:

OPEN
privmsg.php

FIND
			if ( !($privmsg = $db->sql_fetchrow($result)) )
			{
				redirect(append_sid("privmsg.$phpEx?folder=$folder", true));
			}

			$privmsg_subject = preg_replace($orig_word, $replacement_word, $privmsg_subject); 
			$privmsg_subject = ( ( !preg_match('/^Re:/', $privmsg['privmsgs_subject']) ) ? 'Re: ' : '' ) . $privmsg['privmsgs_subject']; 

REPLACE WITH
			if ( !($privmsg = $db->sql_fetchrow($result)) )
			{
				redirect(append_sid("privmsg.$phpEx?folder=$folder", true));
			}

			$orig_word = $replacement_word = array();
			obtain_word_list($orig_word, $replacement_word);

			$privmsg_subject = ( ( !preg_match('/^Re:/', $privmsg['privmsgs_subject']) ) ? 'Re: ' : '' ) . $privmsg['privmsgs_subject'];
			$privmsg_subject = preg_replace($orig_word, $replacement_word, $privmsg_subject);

3. Even if you used a clean set of phpbb2.0.20 files or the corrected upgrade file, you need to do this to privmsg.php (but note that I already included this change in the change I describe in (2) above so if you do the change in (2) you can skip this one) (source, CVS and this post: http://www.phpbb.com/phpBB/viewtopic.ph ... 43#2086243 ):

Code:

OPEN
privmsg.php

FIND
			obtain_word_list($orig_word, $replace_word);

REPLACE WITH
			obtain_word_list($orig_word, $replacement_word);

4. If you are using phpbb2 with mysql5, you need to make these changes (source, CVS and this post: http://www.phpbb.com/phpBB/viewtopic.ph ... 83#2085583 ):

Code:

OPEN
includes/functions.php

FIND
	return substr($val, 16);

REPLACE WITH
	return substr($val, 4, 16);

OPEN
usercp_register.php

FIND
		$code = strtoupper(str_replace('0', 'o', substr($code, 6)));

REPLACE WITH
		$code = strtoupper(str_replace('0', 'o', substr($code, 2, 6)));

OPEN
profile.php

FIND
	return ( $hash ) ? md5($rand_str) : substr($rand_str, 8);

REPLACE WITH
	return ( $hash ) ? md5($rand_str) : substr($rand_str, 0, 8);

5. If you have a forum where the admin activates users and an inactive user tries to log in, 2.0.20 will take him to a white screen. Here's the fix for that (source, my post here: http://www.phpbb.com/phpBB/viewtopic.ph ... 86#2084286 , though I haven't seen any official confirmation of that fix):

Code:

OPEN
login.php

FIND
				// Only store a failed login attempt for an active user - inactive users can't login even with a correct password
				elseif( $row['user_active'] )

				{
					// Save login tries and last login
					if ($row['user_id'] != ANONYMOUS)

REPLACE WITH
				else
				{
					// Save login tries and last login, but only store a failed login attempt for an
					// active user - inactive users can't login even with a correct password
					if ( $row['user_id'] != ANONYMOUS && $row['user_active'] )

Kote Nuki
Registered User
Posts: 255
Joined: Thu Oct 31, 2002 6:04 pm
Location: Birmingham, AL

Post by Kote Nuki » Thu Apr 13, 2006 3:40 pm

Very nice Alan. :)
Just me, Kote Nuki

asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq » Thu Apr 13, 2006 3:44 pm

Thanks.

By the way, even though I cite where I got each of the changes, it would probably be useful for someone who is formally on the support team to explicitly bless the changes in this post so that other users would know they are safe to use.

rboos
Registered User
Posts: 15
Joined: Thu Jun 05, 2003 10:34 am
Location: Brazil

Post by rboos » Thu Apr 13, 2006 8:31 pm

I applied fixes 1 and 3 (quotes and PMs) and my 2.0.20 is working great now, thx Alan!
RBoos - mitsumania.com

Wo1f
Registered User
Posts: 2039
Joined: Fri Jan 28, 2005 3:20 am

Re: phpbb2.0.20: all fixes in one place...

Post by Wo1f » Thu Apr 13, 2006 10:52 pm

Hi asinshesq,
asinshesq wrote: 5. If you have a forum where the admin activates users and an inactive user tries to log in, 2.0.20 will take him to a white screen. Here's the fix for that (source, my post here: http://www.phpbb.com/phpBB/viewtopic.ph ... 86#2084286 , though I haven't seen any official confirmation of that fix):

Code:

OPEN
login.php

FIND
				// Only store a failed login attempt for an active user - inactive users can't login even with a correct password
				elseif( $row['user_id'] != ANONYMOUS && $row['user_active'] )

				{
					// Save login tries and last login
					if ($row['user_id'] != ANONYMOUS)

REPLACE WITH
				else
				{
					// Save login tries and last login, but only store a failed login attempt for an
					// active user - inactive users can't login even with a correct password
					if ( $row['user_id'] != ANONYMOUS && $row['user_active'] )


I can confirm that this fix won't do. An inactive user has a username and id, he's not considered anonymous. I worked around this one simply by adding an additional else statement like so:

Code:

// Only store a failed login attempt for an active user - inactive users can't login even with a correct password
				elseif ( $row['user_active'] )
				{
					// Save login tries and last login
					if ($row['user_id'] != ANONYMOUS)
					{
						$sql = 'UPDATE ' . USERS_TABLE . '
							SET user_login_tries = user_login_tries + 1, user_last_login_try = ' . time() . '
							WHERE user_id = ' . $row['user_id'];
						$db->sql_query($sql);
					}
					
					$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';
					$redirect = str_replace('?', '&', $redirect);

					if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))
					{
						message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
					}

					$template->assign_vars(array(
						'META' => "<meta http-equiv=\"refresh\" content=\"3;url=login.$phpEx?redirect=$redirect\">")
					);

					$message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login'], "<a href=\"login.$phpEx?redirect=$redirect\">", '</a>') . '<br /><br />' .  sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');

					message_die(GENERAL_MESSAGE, $message);
				}

else
				{
					$message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login'], "<a href=\"login.$phpEx?redirect=$redirect\">", '</a>') . '<br /><br />' .  sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');

					message_die(GENERAL_MESSAGE, $message);
				}

I spaced out the last lines to make it more visible. Works well for me on a default phpBB install v2.0.20 although I'm not sure if this would be the most efficient way of going about it.

Best regards,
Wolf

asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Re: phpbb2.0.20: all fixes in one place...

Post by asinshesq » Thu Apr 13, 2006 11:10 pm

Wo1f wrote: ...I can confirm that this fix won't do. An inactive user has a username and id, he's not considered anonymous....


That change works fine on my board and I'm guessing it will work fine on yours too. The point is that by getting rid of the if in the 'elseif' line, the script goes down to the next part even for an inactive user. It then intentionally skips the login attempts sql for anyone who is either a guest (user_id = anonymous) or an inactive user (I didn't see any point in doing the sql for an inactive user since he won't be able to log in anyway, but perhaps that's where we disagree?), and then the script goes on and takes the inactive user to the correct screen that tells him he is inactive or using the wrong password.

rgross
Registered User
Posts: 127
Joined: Fri Dec 10, 2004 7:22 am

Post by rgross » Fri Apr 14, 2006 12:02 am

Thanks for putting this together. I had put in a request for this 2 days ago in another thread, so kudos. I'll patiently await an official response on that last fix. Thanks!

C2
Registered User
Posts: 76
Joined: Tue Nov 15, 2005 10:58 pm

Post by C2 » Fri Apr 14, 2006 3:56 am

sticky please!

Wo1f
Registered User
Posts: 2039
Joined: Fri Jan 28, 2005 3:20 am

Re: phpbb2.0.20: all fixes in one place...

Post by Wo1f » Fri Apr 14, 2006 4:15 am

asinshesq wrote: The point is that by getting rid of the if in the 'elseif' line, the script goes down to the next part even for an inactive user. It then intentionally skips the login attempts sql for anyone who is either a guest (user_id = anonymous) or an inactive user (I didn't see any point in doing the sql for an inactive user since he won't be able to log in anyway, but perhaps that's where we disagree?), and then the script goes on and takes the inactive user to the correct screen that tells him he is inactive or using the wrong password.

There was never a disagreement to begin with, and certainly not now. :wink: Your fix works as advertised when properly applied. My bad. As for the results, this is an example of achieving "almost" the same result with different methods.
Wo1f wrote: Works well for me on a default phpBB install v2.0.20 although I'm not sure if this would be the most efficient way of going about it.

My quickfix jumps to the error message without passing through that block of code you do. But then, I'm bypassing the "potentially insecure url" check which could be a problem. Correct?
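
The three variants of the failed-login branch discussed in this thread, modelled side by side as an added example (not part of any post and not phpBB's own code). The function names, the value of ANONYMOUS and the sample inputs are assumptions made for the sketch; it reports, for an active and an inactive account, whether a failed try is counted and whether the CR/LF redirect check runs.

```php
<?php
// Added sketch, not phpBB code: models only the failed-password branch quoted above.
// Function names, array keys and the sample rows are hypothetical/constructed.
define('ANONYMOUS', -1); // constructed value for this sketch

// The CR/LF test the quoted code applies to the posted redirect value.
function redirect_is_unsafe(string $redirect): bool
{
    $decoded = urldecode($redirect);
    return strpos($decoded, "\n") !== false || strpos($decoded, "\r") !== false;
}

// Shared body of the branch: optionally count the try, check the redirect, show the error.
function failed_login_body(array $row, string $posted, bool $count_try): array
{
    $tries = $count_try && $row['user_id'] != ANONYMOUS;
    $redirect = str_replace('?', '&', str_replace('&amp;', '&', htmlspecialchars($posted)));
    $outcome = redirect_is_unsafe($redirect) ? 'message_die: insecure url' : 'login error page';
    return ['tries_updated' => $tries, 'redirect_checked' => true, 'outcome' => $outcome];
}

function simulate(string $variant, array $row, string $posted): array
{
    $active = (bool) $row['user_active'];
    $skipped = ['tries_updated' => false, 'redirect_checked' => false];
    switch ($variant) {
        case 'stock 2.0.20':   // elseif ( $row['user_active'] ) with no else after it
            return $active ? failed_login_body($row, $posted, true)
                           : $skipped + ['outcome' => 'no output (white screen)'];
        case 'asinshesq':      // else { if ( user_id != ANONYMOUS && user_active ) ... }
            return failed_login_body($row, $posted, $active);
        case 'Wo1f':           // stock elseif plus an else that only calls message_die
            return $active ? failed_login_body($row, $posted, true)
                           : $skipped + ['outcome' => 'login error page'];
    }
    throw new InvalidArgumentException("unknown variant: $variant");
}

// Constructed inputs: one active and one inactive account, wrong password in both cases.
$rows = ['active' => ['user_id' => 2, 'user_active' => 1],
         'inactive' => ['user_id' => 3, 'user_active' => 0]];
$posted = 'index.php%0d%0aX'; // constructed redirect value with an encoded CR/LF

foreach (['stock 2.0.20', 'asinshesq', 'Wo1f'] as $variant) {
    foreach ($rows as $label => $row) {
        $r = simulate($variant, $row, $posted);
        printf("%-13s %-9s tries_updated=%-5s redirect_checked=%-5s %s\n", $variant, $label,
            var_export($r['tries_updated'], true), var_export($r['redirect_checked'], true), $r['outcome']);
    }
}
```

In the third variant the error message still interpolates `$redirect`, which that branch never assigns; whether it holds a value at that point depends on code not shown in the thread.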

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Post by karlsemple » Fri Apr 14, 2006 6:12 am

All these had already been applied to all 3 of my boards and all work as said above. Nice one for bringing them together into one post, makes all our lives easier :)

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Post by karlsemple » Fri Apr 14, 2006 6:22 am

One thing I should maybe point out is the following:

The above fixes have been taken from the cvs, this is the development version of the next release. This means these fixes will be included in the next release, so anyone using the code changes to go from version to version should remember that they have already done these if you apply them now! Otherwise you may find yourself looking for lines which no longer exist :wink:

DanPLC
Registered User
Posts: 7
Joined: Tue Mar 21, 2006 4:49 pm

Post by DanPLC » Fri Apr 14, 2006 1:46 pm

karlsemple wrote: One thing I should maybe point out is the following:

The above fixes have been taken from the cvs, this is the development version of the next release. This means these fixes will be included in the next release, so anyone using the code changes to go from version to version should remember that they have already done these if you apply them now! Otherwise you may find yourself looking for lines which no longer exist :wink:


Will an incremental release of 2.0.20 (2.0.20.1?) containing these fixes be officially released soon?

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Post by karlsemple » Fri Apr 14, 2006 1:50 pm

DanPLC wrote:
karlsemple wrote: One thing I should maybe point out is the following:

The above fixes have been taken from the cvs, this is the development version of the next release. This means these fixes will be included in the next release, so anyone using the code changes to go from version to version should remember that they have already done these if you apply them now! Otherwise you may find yourself looking for lines which no longer exist :wink:


Will an incremental release of 2.0.20 (2.0.20.1?) containing these fixes be officially released soon?


They will be fixed in the next release of phpbb, and the only folks who know when that will be released are the developers. However, I am guessing it is unlikely they will re-release version 2.0.20 just for these fixes. Especially as they are already fixed in cvs and freely available on this forum for anyone that needs them :)

asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq » Fri Apr 14, 2006 2:04 pm

karlsemple wrote:
DanPLC wrote:
karlsemple wrote: One thing I should maybe point out is the following:

The above fixes have been taken from the cvs, this is the development version of the next release. This means these fixes will be included in the next release, so anyone using the code changes to go from version to version should remember that they have already done these if you apply them now! Otherwise you may find yourself looking for lines which no longer exist :wink:


Will an incremental release of 2.0.20 (2.0.20.1?) containing these fixes be officially released soon?


They will be fixed in the next release of phpbb, and the only folks who know when that will be released are the developers. However, I am guessing it is unlikely they will re-release version 2.0.20 just for these fixes. Especially as they are already fixed in cvs and freely available on this forum for anyone that needs them :)


In that case, wouldn't it make sense for Graham to add another post at the end of his topic announcing 2.0.20 setting forth the fixes? And perhaps a member of the support staff could make a sticky with these fixes too?

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Post by karlsemple » Fri Apr 14, 2006 2:09 pm

Please let's not turn this into a discussion, I have no control over making topics sticky, you would have to contact an admin about that.
