May 13, 2005

phpBB 2.0.15 released!

First, the changes in 2.0.13 and 2.0.14:

  • Hardened author and keyword search a bit to not allow very server intensive searches

  • Fixed full path disclosure in bad word parsing

  • Resetting complete userdata array in session code if authentication fails

  • Fixed bug in moderator control panel where certain parameters could lead to an “error creating new session” sql error

  • Fixed bug in session code where empty page ids could lead to an “error creating new session” sql error

  • Fixed html handling in signatures if html is turned off globally

  • Fixed install.php problem with PHP5 register_long_arrays option turned off

  • Fixed potential issues with styling system

  • Added correct class to login_body template file

  • Removed file db/oracle.php from package

  • Removed version number from message body page in /admin (if user is not an admin) – mikelbeck

  • Fixed case-sensitivity issues in postgres7.php – R45

2.0.15 fixes a security issue:

This part of includes/bbcode.php:

    {
        global $lang, $bbcode_tpl;

Add this line below it:

    // the colon after a dangerous scheme is replaced by its HTML entity (&#058;),
    // so the browser no longer sees "scheme:" at the start of a link;
    // the back-reference must be "\\1" in a double-quoted PHP string ("\1" is chr(1))
    $text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);

And this part:

    */
    function make_clickable($text)
    {

Add this line below it:

    $text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);
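
As an added example (not phpBB's own code), the scheme-neutralising step above as a stand-alone PHP function run over constructed inputs; the function name `neutralize_schemes` and the sample strings are mine:

```php
<?php
// Added example: the check phpBB 2.0.15 inserted into bbencode_second_pass()
// and make_clickable(), isolated so its effect can be seen on sample text.

// The colon following a dangerous scheme is replaced by its HTML entity
// (&#058;), so a browser no longer interprets "<scheme>:" as a URL scheme.
function neutralize_schemes(string $text): string
{
    // The back-reference must be written "\\1" in a double-quoted string;
    // "\1" would be the octal escape for the control character chr(1).
    return preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);
}

// Constructed sample inputs. The pattern is case-insensitive (/i) and not
// anchored, so "JavaScript:", "vbscript:" and "jscript:" all match on "script:".
$samples = [
    '[url=JavaScript:void(0)]click[/url]',
    'see about:blank and chrome:settings',
    'http://example.com/ is left untouched',
];

foreach ($samples as $s) {
    printf("%-40s -> %s\n", $s, neutralize_schemes($s));
}

// The single-backslash pitfall: "\1:" is chr(1) followed by a colon, which
// drops the matched scheme word and inserts a control byte instead.
$wrong = preg_replace('#(script|about|applet|activex|chrome):#is', "\1:", 'javascript:x');
var_dump($wrong === "java\x01:x");
```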

So in total these are the changes:

  • Fixed moderator status removal in groupcp.php

  • Removed newlines after ?> on some files – Thoul

  • Added admin re-authentication (admin needs to login separately to access the ACP) – backported from Olympus

  • Fixed vulnerability in url/bbcode handling functions – PapaDos and Paul/Zhen-Xjell from CastleCops

  • Fixed issue in admin/admin_forums.php

  • Suppressed warning message for fsockopen in /includes/smtp.php – Thoul

  • Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) – Exy

  • Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)

  • Updated the readme file

  • Added one new language variable

  • Added general error if accessing profile for a non-existent user

  • Changed session id generation to be more unique – Henno Joosep

  • Fixed bug in highlight code to escape characters correctly

  • Reversed the 2.0.14 fix for postgresql because it produced more problems than it solved.

  • Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file

  • Fixed bypassing of validate_username on registration – Yen

  • Empty url/img bbcodes no longer get parsed

竹貓星球 also posted these two announcements:
[2005/04/25] phpBB 2.0.14 security fix release (including update files)
[2005/05/08] phpBB 2.0.15 security fix release
