phpBB 2.0.2 to 2.0.3 Code Changes

Post by Acyd Burn » December 7th 2002, 7:41 am

These are the code changes made from phpBB 2.0.2 to phpBB 2.0.3. This might be very helpful if you want to update your board and have installed a bunch of hacks. It is normally easier to do this as opposed to reinstalling all of your hacks.

When you find an 'AFTER, ADD'-Statement, the code has to be added after the last line quoted in the 'FIND'-Statement.
When you find a 'REPLACE WITH'-Statement, the code quoted in the 'FIND'-Statement has to be replaced completely with the quoted code in the 'REPLACE WITH'-Statement.
When you find a 'DELETE'-Statement, the code has to be deleted.

After you have finished this tutorial, you have to upload the file update_to_203.php, execute it and then delete it from your webspace.

Ok, let's start:

  • update_to_203.php
This file was added since phpBB 2.0.2, so no changes here, just a new file.
And you have to run it after (or before) changing the relevant phpBB 2 Files.

    • login.php
    One security fix in login.php.

    1. A security fix for redirecting to URLs; some unwanted characters are filtered out now.

      FIND - Line 178
      			if( preg_match("/^redirect=(.*)$/si", $forward_to, $forward_matches) )
      


      REPLACE WITH
      			if( preg_match("/^redirect=([a-z0-9\.#\/\?&=\+\-_]+)/si", $forward_to, $forward_matches) )
      

    • db/msaccess.php
    The changes within this file are only relevant if you use a MS Access database with phpBB 2.
    The phpBB Group hopes that these changes will fix some issues with MS Access databases.

    1. Changed the outer row offset / Added it to the odbc_fetch_row function.

      FIND - Line 140
      					while( odbc_fetch_row($this->result) && $row_outer < $row_outer_max )
      


      REPLACE WITH
      					while( odbc_fetch_row($this->result, $row_outer) && $row_outer < $row_outer_max )
      

    • includes/page_header.php
    Fixed potential SQL rewrite issue.

    1. Int-valed Forum Id, Fixed potential SQL rewrite issue.

      FIND - Line 88
      $user_forum_sql = ( !empty($forum_id) ) ? "AND s.session_page = $forum_id" : '';
      


      REPLACE WITH
      $user_forum_sql = ( !empty($forum_id) ) ? "AND s.session_page = " . intval($forum_id) : '';
      

    • includes/usercp_register.php
    Fixed potential cross-site scripting vulnerability with avatars.

    1. Remove HTML commands out of the Local Avatar Assignment.

      FIND - Line 166
      	$user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? $HTTP_POST_VARS['avatarselect'] : ( ( isset($HTTP_POST_VARS['avatarlocal'])  ) ? $HTTP_POST_VARS['avatarlocal'] : '' );
      


      REPLACE WITH
      	$user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? $HTTP_POST_VARS['avatarselect'] : ( ( isset($HTTP_POST_VARS['avatarlocal'])  ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' );
      

    2. The same with the Remote Avatar Assignment.

      FIND - Line 168
      	$user_avatar_remoteurl = ( !empty($HTTP_POST_VARS['avatarremoteurl']) ) ? trim($HTTP_POST_VARS['avatarremoteurl']) : '';
      


      REPLACE WITH
      	$user_avatar_remoteurl = ( !empty($HTTP_POST_VARS['avatarremoteurl']) ) ? trim(htmlspecialchars($HTTP_POST_VARS['avatarremoteurl'])) : '';
      



    Have fun with your updated phpBB.
    Acyd Burn
    Consultant
     
    Posts: 650
    Joined: April 19th 2002, 7:00 pm
    Location: Germany (Oldb)
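
The login.php change in the post above, as an added example that is not part of the original post and not phpBB's own code: it runs the 2.0.2 and 2.0.3 patterns side by side over constructed values to show what each one lets through. The helper name `captured_redirect` and all sample values are hypothetical; only the two patterns come from the post.

```php
<?php
// Added illustration, not phpBB code. The two patterns are the ones quoted in
// the login.php FIND / REPLACE WITH lines; everything else is hypothetical.
const OLD_PATTERN = '/^redirect=(.*)$/si';
const NEW_PATTERN = '/^redirect=([a-z0-9\.#\/\?&=\+\-_]+)/si';

/**
 * Returns the redirect target a pattern would accept from $forward_to,
 * or null when the pattern does not match at all.
 */
function captured_redirect(string $pattern, string $forward_to): ?string
{
    return preg_match($pattern, $forward_to, $m) ? $m[1] : null;
}

// Constructed sample values (not taken from any real request).
$samples = [
    'redirect=viewtopic.php?t=42&start=15',             // only allowed characters
    "redirect=index.php\r\nconstructed second line",    // line break in the value
    'redirect=index.php"><b>constructed</b>',           // quote and angle brackets
    'redirect=',                                         // empty target
];

foreach ($samples as $forward_to) {
    $old = captured_redirect(OLD_PATTERN, $forward_to);
    $new = captured_redirect(NEW_PATTERN, $forward_to);

    // The 2.0.3 pattern has no end anchor: it keeps the longest prefix made of
    // allowed characters and drops the rest instead of rejecting the value.
    $supplied  = strlen($forward_to) - strlen('redirect=');
    $truncated = $new !== null && strlen($new) < $supplied;

    printf(
        "input: %s\n  2.0.2 captures: %s\n  2.0.3 captures: %s%s\n",
        json_encode($forward_to, JSON_UNESCAPED_SLASHES),
        json_encode($old, JSON_UNESCAPED_SLASHES),
        json_encode($new, JSON_UNESCAPED_SLASHES),
        $truncated ? '  (truncated)' : ''
    );
}
```

With the `s` modifier the old `(.*)` also matches line breaks, so the whole value is captured; the new character class stops at the first character outside its list, and an empty target no longer matches at all.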
