Joe Horn 的啟示錄

2005/05/13

phpBB 2.0.15 released!

First, the changes from 2.0.13 to 2.0.14:

  • Hardened author and keyword search a bit to not allow very server intensive searches
  • Fixed full path disclosure in bad word parsing
  • Resetting complete userdata array in session code if authentication fails
  • Fixed bug in moderator control panel where certain parameters could lead to an “error creating new session” sql error
  • Fixed bug in session code where empty page ids could lead to an “error creating new session” sql error
  • Fixed html handling in signatures if html is turned off globally
  • Fixed install.php problem with PHP5 register_long_arrays option turned off
  • Fixed potential issues with styling system
  • Added correct class to login_body template file
  • Removed file db/oracle.php from package
  • Removed version number from message body page in /admin (if user is not an admin) – mikelbeck
  • Fixed case-sensitivity issues in postgres7.php – R45



2.0.15 fixes a security issue:

In includes/bbcode.php, after this section:

    {
        global $lang, $bbcode_tpl;

this line is added directly below it:

    // keep the scheme name (\1) and replace the colon that follows it with its
    // HTML entity (&#058;), so "script:", "about:" etc. no longer form a URL scheme
    $text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);

And after this section:

    */
    function make_clickable($text)
    {

the same line is added:

    $text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);
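To see what the 2.0.15 filter actually does to a URL-like value, here is an added example (not phpBB's own code) that runs the same preg_replace over a few constructed inputs and, as a stricter alternative, checks the scheme against an explicit allow-list; the helper url_has_allowed_scheme() and the sample URLs are assumptions, not part of phpBB.

```php
<?php
// Added example, not phpBB's own code: the scheme-neutralising filter that
// 2.0.15 inserts into includes/bbcode.php, shown next to a stricter
// allow-list check (url_has_allowed_scheme() is a hypothetical helper).

// The 2.0.15 filter: keep the scheme name (\1) and replace the colon that
// follows it with the HTML entity &#058;. The /i modifier makes the match
// case-insensitive, and "script:" also matches "javascript:" and "vbscript:".
function neutralise_schemes(string $text): string
{
    return preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);
}

// Stricter alternative for the URL argument of a [url=...] tag: parse the
// scheme and accept only an explicit allow-list, rejecting everything else.
function url_has_allowed_scheme(string $url, array $allowed = ['http', 'https', 'ftp']): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)) {      // null = no scheme, false = malformed URL
        return false;
    }
    return in_array(strtolower($scheme), $allowed, true);
}

// Constructed sample inputs.
$samples = [
    'http://example.com/index.php',  // ordinary link, left untouched
    'JavaScript:void(0)',            // mixed case, still caught by /i
    'about:blank',
    'chrome://settings',
    'ftp://example.com/pub/',
];

foreach ($samples as $url) {
    printf("%-32s -> %-36s allow-list: %s\n",
        $url,
        neutralise_schemes($url),
        url_has_allowed_scheme($url) ? 'accept' : 'reject');
}
```

The entity substitution only disturbs the text pattern: browsers decode character references inside attribute values, so a value that ends up in an href attribute should be validated against an allow-list of schemes, as the second function does, rather than relying on the substitution alone.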


So the full list of changes in 2.0.15 is:

  • Fixed moderator status removal in groupcp.php
  • Removed newlines after ?> on some files – Thoul
  • Added admin re-authentication (admin needs to login separately to access the ACP) – backported from Olympus
  • Fixed vulnerability in url/bbcode handling functions – PapaDos and Paul/Zhen-Xjell from CastleCops
  • Fixed issue in admin/admin_forums.php
  • Suppressed warning message for fsockopen in /includes/smtp.php – Thoul
  • Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) – Exy
  • Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
  • Updated the readme file
  • Added one new language variable
  • Added general error if accessing profile for a non-existent user
  • Changed session id generation to be more unique – Henno Joosep
  • Fixed bug in highlight code to escape characters correctly
  • Reversed the 2.0.14 fix for postgresql because it produced more problems than it solves.
  • Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
  • Fixed bypassing of validate_username on registration – Yen
  • Empty url/img bbcodes no longer get parsed



竹貓星球 also has these two announcements:

[2005/04/25] phpBB 2.0.14 security fix release (includes update files)

[2005/05/08] phpBB 2.0.15 security fix release
