|
|
| Author |
Message |
Thoul
VIP
Joined: 30 Jul 2002
Posts: 17676
Location: USA
|
 Posted: November 19th 2004, 12:22 am Post subject: phpBB 2.0.10 to 2.0.11 Code Changes |
 |
|
HTML Version.
Text Version.
These are the code changes introduced between phpBB 2.0.10 and phpBB 2.0.11. If you have installed many hacks on a forum, but wish to update it, these may help you. It is often easier to apply code changes such as these instead of replacing and rehacking your current files.
These code changes use the following instruction labels:
filename - The name of a file to be edited. Equivalent to an OPEN action in a hack or modification.
FIND - This indicates lines of code you should locate. Changes will be made in reference to this code.
REPLACE WITH - This code should completely replace the code in the preceding FIND instruction.
AFTER, ADD - The code in this instruction should be added on a new line after the last line of code in the preceding FIND instruction.
BEFORE, ADD - The code in this instruction should be added on a new line before the first line of code in the preceding FIND instruction.
FIND AND DELETE - Locate the code in this instruction as with a FIND statement, and then delete the code.
Once you have completed the code changes, create an install/ directory in your forum's root directory, and upload the update_to_2011.php file that comes in any phpBB 2.0.11 download to the install/ directory. Run update_to_2011.php by opening it via your web browser, just as you would a normal forum page. Afterward, delete the file and the install/ directory so that your forum is accessible again.
Now, onward to the file changes! |
|
| Back to top |
|
 |
Thoul
VIP
Joined: 30 Jul 2002
Posts: 17676
Location: USA
|
| Posted: November 19th 2004, 12:23 am Post subject: |
|
|
includes/usercp_confirm.php
phpBB 2.0.11 adds a visual confirmation system to registration as a default feature of phpBB. In doing so, a new file was added to phpBB. This file is includes/usercp_confirm.php. Be sure to download the full version of 2.0.11 or the Changed Files version of 2.0.11 to get this file and add it to your forum! If you do not do this, people will not be able to register.
If you do not wish to install phpBB 2.0.11's new visual confirmation system, you can skip the addition of this file. You can also skip all changes listed below for the following files: admin/admin_board.php, profile.php, includes/constants.php, includes/usercp_register.php, templates/subSilver/admin/board_config_body.tpl,
language/lang_english/lang_main.php, language/lang_english/lang_admin.php, and templates/subSilver/profile_add_body.tpl.
All other changes should be considered important security fixes and applied to all forums.
Last edited by Thoul on November 21st 2004, 4:17 am; edited 1 time in total |
|
| Back to top |
|
|
Thoul
VIP
Joined: 30 Jul 2002
Posts: 17676
Location: USA
|
| Posted: November 19th 2004, 12:29 am Post subject: |
|
|
admin/admin_board.php
FIND
| Code:
|
|
$activation_admin = ( $new['require_activation'] == USER_ACTIVATION_ADMIN ) ? "checked=\"checked\"" : "";
|
AFTER, ADD
| Code:
|
$confirm_yes = ($new['enable_confirm']) ? 'checked="checked"' : '';
$confirm_no = (!$new['enable_confirm']) ? 'checked="checked"' : '';
|
FIND
| Code:
|
|
"L_ADMIN" => $lang['Acc_Admin'],
|
AFTER, ADD
| Code:
|
"L_VISUAL_CONFIRM" => $lang['Visual_confirm'],
"L_VISUAL_CONFIRM_EXPLAIN" => $lang['Visual_confirm_explain'],
|
common.php
FIND
| Code:
|
function unset_vars(&$var)
{
while (list($var_name, $null) = @each($var))
{
unset($GLOBALS[$var_name]);
}
return;
}
//
error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
$ini_val = (@phpversion() >= '4.0.0') ? 'ini_get' : 'get_cfg_var';
// Unset globally registered vars - PHP5 ... hhmmm
if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
{
$var_prefix = 'HTTP';
$var_suffix = '_VARS';
$test = array('_GET', '_POST', '_SERVER', '_COOKIE', '_ENV');
foreach ($test as $var)
{
if (is_array(${$var_prefix . $var . $var_suffix}))
{
unset_vars(${$var_prefix . $var . $var_suffix});
@reset(${$var_prefix . $var . $var_suffix});
}
if (is_array(${$var}))
{
unset_vars(${$var});
@reset(${$var});
}
}
if (is_array(${'_FILES'}))
{
unset_vars(${'_FILES'});
@reset(${'_FILES'});
}
if (is_array(${'HTTP_POST_FILES'}))
{
unset_vars(${'HTTP_POST_FILES'});
@reset(${'HTTP_POST_FILES'});
}
}
// PHP5 with register_long_arrays off?
if (!isset($HTTP_POST_VARS) && isset($_POST))
{
$HTTP_POST_VARS = $_POST;
$HTTP_GET_VARS = $_GET;
$HTTP_SERVER_VARS = $_SERVER;
$HTTP_COOKIE_VARS = $_COOKIE;
$HTTP_ENV_VARS = $_ENV;
$HTTP_POST_FILES = $_FILES;
}
|
REPLACE WITH
| Code:
|
error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
// The following code (unsetting globals) was contributed by Matt Kavanagh
// PHP5 with register_long_arrays off?
if (!isset($HTTP_POST_VARS) && isset($_POST))
{
$HTTP_POST_VARS = $_POST;
$HTTP_GET_VARS = $_GET;
$HTTP_SERVER_VARS = $_SERVER;
$HTTP_COOKIE_VARS = $_COOKIE;
$HTTP_ENV_VARS = $_ENV;
$HTTP_POST_FILES = $_FILES;
// _SESSION is the only superglobal which is conditionally set
if (isset($_SESSION))
{
$HTTP_SESSION_VARS = $_SESSION;
}
}
if (@phpversion() < '4.0.0')
{
// PHP3 path; in PHP3, globals are _always_ registered
// We 'flip' the array of variables to test like this so that
// we can validate later with isset($test[$var]) (no in_array())
$test = array('HTTP_GET_VARS' => NULL, 'HTTP_POST_VARS' => NULL, 'HTTP_COOKIE_VARS' => NULL, 'HTTP_SERVER_VARS' => NULL, 'HTTP_ENV_VARS' => NULL, 'HTTP_POST_FILES' => NULL);
// Loop through each input array
@reset($test);
while (list($input,) = @each($test))
{
while (list($var,) = @each($$input))
{
// Validate the variable to be unset
if (!isset($test[$var]) && $var != 'test' && $var != 'input')
{
unset($$var);
}
}
}
}
else if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
{
// PHP4+ path
// Not only will array_merge give a warning if a parameter
// is not an array, it will actually fail. So we check if
// HTTP_SESSION_VARS has been initialised.
if (!isset($HTTP_SESSION_VARS))
{
$HTTP_SESSION_VARS = array();
}
// Merge all into one extremely huge array; unset
// this later
$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);
unset($input['input']);
while (list($var,) = @each($input))
{
unset($$var);
}
unset($input);
}
|
|
|
| Back to top |
|
|
Thoul
VIP
Joined: 30 Jul 2002
Posts: 17676
Location: USA
|
| Posted: November 19th 2004, 12:30 am Post subject: |
|
|
groupcp.php
FIND
| Code:
|
|
$username = ( isset($HTTP_POST_VARS['username']) ) ? htmlspecialchars($HTTP_POST_VARS['username']) : '';
|
REPLACE WITH
| Code:
|
|
$username = ( isset($HTTP_POST_VARS['username']) ) ? phpbb_clean_username($HTTP_POST_VARS['username']) : '';
|
login.php
FIND
| Code:
|
$username = isset($HTTP_POST_VARS['username']) ? trim(htmlspecialchars($HTTP_POST_VARS['username'])) : '';
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
|
REPLACE WITH
| Code:
|
|
$username = isset($HTTP_POST_VARS['username']) ? phpbb_clean_username($HTTP_POST_VARS['username']) : '';
|
privmsg.php
FIND
| Code:
|
|
$to_username = $HTTP_POST_VARS['username'];
|
REPLACE WITH
| Code:
|
|
$to_username = phpbb_clean_username($HTTP_POST_VARS['username']);
|
FIND
| Code:
|
|
$to_username = ( isset($HTTP_POST_VARS['username']) ) ? trim(strip_tags(stripslashes($HTTP_POST_VARS['username']))) : '';
|
REPLACE WITH
| Code:
|
|
$to_username = (isset($HTTP_POST_VARS['username']) ) ? trim(htmlspecialchars(stripslashes($HTTP_POST_VARS['username']))) : '';
|
FIND
| Code:
|
|
'USERNAME' => preg_replace($html_entities_match, $html_entities_replace, $to_username),
|
REPLACE WITH
| Code:
|
|
'USERNAME' => $to_username,
|
profile.php
FIND
| Code:
|
include($phpbb_root_path . 'includes/usercp_register.'.$phpEx);
exit;
}
|
AFTER, ADD
| Code:
|
else if ( $mode == 'confirm' )
{
// Visual Confirmation
if ( $userdata['session_logged_in'] )
{
exit;
}
include($phpbb_root_path . 'includes/usercp_confirm.'.$phpEx);
exit;
}
|
search.php
FIND
| Code:
|
|
$search_author = htmlspecialchars($search_author);
|
REPLACE WITH
| Code:
|
|
$search_author = phpbb_clean_username($search_author);
|
viewtopic.php
FIND
| Code:
|
|
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
|
REPLACE WITH
| Code:
|
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
|
includes/constants.php
FIND
AFTER, ADD
| Code:
|
|
define('CONFIRM_TABLE', $table_prefix.'confirm');
|
|
|
| Back to top |
|
|
Thoul
VIP
Joined: 30 Jul 2002
Posts: 17676
Location: USA
|
| Posted: November 19th 2004, 12:31 am Post subject: |
|
|
includes/functions.php
FIND
| Code:
|
//
// Get Userdata, $user can be username or user_id. If force_str is true, the username will be forced.
//
|
BEFORE, ADD
| Code:
|
// added at phpBB 2.0.11 to properly format the username
function phpbb_clean_username($username)
{
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
return $username;
}
|
FIND
| Code:
|
$user = trim(htmlspecialchars($user));
$user = substr(str_replace("\\'", "'", $user), 0, 25);
$user = str_replace("'", "\\'", $user);
|
REPLACE WITH
| Code:
|
|
$user = phpbb_clean_username($user);
|
includes/functions_post.php
FIND
| Code:
|
|
$username = trim(strip_tags($username));
|
REPLACE WITH
| Code:
|
|
$username = phpbb_clean_username($username);
|
includes/functions_search.php
FIND
| Code:
|
|
$username_search = preg_replace('/\*/', '%', trim(strip_tags($search_match)));
|
REPLACE WITH
| Code:
|
|
$username_search = preg_replace('/\*/', '%', phpbb_clean_username($search_match));
|
FIND
| Code:
|
|
'USERNAME' => ( !empty($search_match) ) ? strip_tags($search_match) : '',
|
REPLACE WITH
| Code:
|
|
'USERNAME' => (!empty($search_match)) ? phpbb_clean_username($search_match) : '',
|
includes/topic_review.php
FIND
| Code:
|
if ( !isset($topic_id) )
{
message_die(GENERAL_MESSAGE, 'Topic_not_exist');
}
|
REPLACE WITH
| Code:
|
if ( !isset($topic_id) || !$topic_id)
{
message_die(GENERAL_MESSAGE, 'Topic_post_not_exist');
}
|
|
|
| Back to top |
|
|
Thoul
VIP
Joined: 30 Jul 2002
Posts: 17676
Location: USA
|
| Posted: November 19th 2004, 12:35 am Post subject: |
|
|
includes/usercp_register.php
FIND
| Code:
|
if ( !defined('IN_PHPBB') )
{
die("Hacking attempt");
|
BEFORE, ADD
| Code:
|
/*
This code has been modified from its original form by psoTFX @ phpbb.com
Changes introduce the back-ported phpBB 2.2 visual confirmation code.
NOTE: Anyone using the modified code contained within this script MUST include
a relevant message such as this in usercp_register.php ... failure to do so
will affect a breach of Section 2a of the GPL and our copyright
png visual confirmation system : (c) phpBB Group, 2003 : All Rights Reserved
*/
|
FIND
| Code:
|
|
$strip_var_list = array('username' => 'username', 'email' => 'email', 'icq' => 'icq', 'aim' => 'aim', 'msn' => 'msn', 'yim' => 'yim', 'website' => 'website', 'location' => 'location', 'occupation' => 'occupation', 'interests' => 'interests');
|
AFTER, ADD
| Code:
|
|
$strip_var_list['confirm_code'] = 'confirm_code';
|
FIND
| Code:
|
$passwd_sql = '';
if ( !empty($new_password) && !empty($password_confirm) )
|
BEFORE, ADD
| Code:
|
if ($board_config['enable_confirm'] && $mode == 'register')
{
if (empty($HTTP_POST_VARS['confirm_id']))
{
$error = TRUE;
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Confirm_code_wrong'];
}
else
{
$confirm_id = htmlspecialchars($HTTP_POST_VARS['confirm_id']);
if (!preg_match('/^[A-Za-z0-9]+$/', $confirm_id))
{
$confirm_id = '';
}
$sql = 'SELECT code
FROM ' . CONFIRM_TABLE . "
WHERE confirm_id = '$confirm_id'
AND session_id = '" . $userdata['session_id'] . "'";
if (!($result = $db->sql_query($sql)))
{
message_die(GENERAL_ERROR, 'Could not obtain confirmation code', __LINE__, __FILE__, $sql);
}
if ($row = $db->sql_fetchrow($result))
{
if ($row['code'] != $confirm_code)
{
$error = TRUE;
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Confirm_code_wrong'];
}
else
{
$sql = 'DELETE FROM ' . CONFIRM_TABLE . "
WHERE confirm_id = '$confirm_id'
AND session_id = '" . $userdata['session_id'] . "'";
if (!$db->sql_query($sql))
{
message_die(GENERAL_ERROR, 'Could not delete confirmation code', __LINE__, __FILE__, $sql);
}
}
}
else
{
$error = TRUE;
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Confirm_code_wrong'];
}
$db->sql_freeresult($result);
}
}
|
FIND
| Code:
|
$template->assign_block_vars('switch_namechange_disallowed', array());
}
|
AFTER, ADD
| Code:
|
// Visual Confirmation
$confirm_image = '';
if (!empty($board_config['enable_confirm']) && $mode == 'register')
{
$sql = 'SELECT session_id
FROM ' . SESSIONS_TABLE;
if (!($result = $db->sql_query($sql)))
{
message_die(GENERAL_ERROR, 'Could not select session data', '', __LINE__, __FILE__, $sql);
}
if ($row = $db->sql_fetchrow($result))
{
$confirm_sql = '';
do
{
$confirm_sql .= (($confirm_sql != '') ? ', ' : '') . "'" . $row['session_id'] . "'";
}
while ($row = $db->sql_fetchrow($result));
$sql = 'DELETE FROM ' . CONFIRM_TABLE . "
WHERE session_id NOT IN ($confirm_sql)";
if (!$db->sql_query($sql))
{
message_die(GENERAL_ERROR, 'Could not delete stale confirm data', '', __LINE__, __FILE__, $sql);
}
}
$db->sql_freeresult($result);
$sql = 'SELECT COUNT(session_id) AS attempts
FROM ' . CONFIRM_TABLE . "
WHERE session_id = '" . $userdata['session_id'] . "'";
if (!($result = $db->sql_query($sql)))
{
message_die(GENERAL_ERROR, 'Could not obtain confirm code count', '', __LINE__, __FILE__, $sql);
}
if ($row = $db->sql_fetchrow($result))
{
if ($row['attempts'] > 3)
{
message_die(GENERAL_MESSAGE, $lang['Too_many_registers']);
}
}
$db->sql_freeresult($result);
$confirm_chars = array('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9');
list($usec, $sec) = explode(' ', microtime());
mt_srand($sec * $usec);
$max_chars = count($confirm_chars) - 1;
$code = '';
for ($i = 0; $i < 6; $i++)
{
$code .= $confirm_chars[mt_rand(0, $max_chars)];
}
$confirm_id = md5(uniqid($user_ip));
$sql = 'INSERT INTO ' . CONFIRM_TABLE . " (confirm_id, session_id, code)
VALUES ('$confirm_id', '". $userdata['session_id'] . "', '$code')";
if (!$db->sql_query($sql))
{
message_die(GENERAL_ERROR, 'Could not insert new confirm code information', '', __LINE__, __FILE__, $sql);
}
unset($code);
$confirm_image = (@extension_loaded('zlib')) ? '<img src="' . append_sid("profile.$phpEx?mode=confirm&id=$confirm_id") . '" alt="" title="" />' : '<img src="' . append_sid("profile.$phpEx?mode=confirm&id=$confirm_id&c=1") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&id=$confirm_id&c=2") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&id=$confirm_id&c=3") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&id=$confirm_id&c=4") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&id=$confirm_id&c=5") . '" alt="" title="" /><img src="' . append_sid("profile.$phpEx?mode=confirm&id=$confirm_id&c=6") . '" alt="" title="" />';
$s_hidden_fields .= '<input type="hidden" name="confirm_id" value="' . $confirm_id . '" />';
$template->assign_block_vars('switch_confirm', array());
}
|
FIND
AFTER, ADD
| Code:
|
|
'CONFIRM_IMG' => $confirm_image,
|
FIND
| Code:
|
|
'L_EMAIL_ADDRESS' => $lang['Email_address'],
|
AFTER, ADD
| Code:
|
'L_CONFIRM_CODE_IMPAIRED' => sprintf($lang['Confirm_code_impaired'], '<a href="mailto:' . $board_config['board_email'] . '">', '</a>'),
'L_CONFIRM_CODE' => $lang['Confirm_code'],
'L_CONFIRM_CODE_EXPLAIN' => $lang['Confirm_code_explain'],
|
|
|
| Back to top |
|
|
Thoul
VIP
Joined: 30 Jul 2002
Posts: 17676
Location: USA
|
| Posted: November 19th 2004, 12:36 am Post subject: |
|
|
includes/usercp_sendpasswd.php
FIND
| Code:
|
|
$username = ( !empty($HTTP_POST_VARS['username']) ) ? trim(strip_tags($HTTP_POST_VARS['username'])) : '';
|
REPLACE WITH
| Code:
|
$username = ( !empty($HTTP_POST_VARS['username']) ) ? phpbb_clean_username($HTTP_POST_VARS['username']) : '';
|
includes/usercp_viewprofile.php
FIND
| Code:
|
|
include($phpbb_root_path . 'includes/page_header.'.$phpEx);
|
Please be careful with this instruction! I have been forced to add an extra space between the & and #39; in this code block because phpBB forums will not display this series of characters without the extra space. This space should not be included when the code is placed into your file.
AFTER, ADD
| Code:
|
if (function_exists('get_html_translation_table'))
{
$u_search_author = urlencode(strtr($profiledata['username'], array_flip(get_html_translation_table(HTML_ENTITIES))));
}
else
{
$u_search_author = urlencode(str_replace(array('&', '& #039;', '"', '<', '>'), array('&', "'", '"', '<', '>'), $profiledata['username']));
}
|
FIND
| Code:
|
|
'U_SEARCH_USER' => append_sid("search.$phpEx?search_author=" . urlencode($profiledata['username'])),
|
REPLACE WITH
| Code:
|
'U_SEARCH_USER' => append_sid("search.$phpEx?search_author=" . $u_search_author),
|
templates/subSilver/admin/board_config_body.tpl
FIND
| Code:
|
<td class="row2"><input type="radio" name="require_activation" value="{ACTIVATION_NONE}" {ACTIVATION_NONE_CHECKED} />{L_NONE} <input type="radio" name="require_activation" value="{ACTIVATION_USER}" {ACTIVATION_USER_CHECKED} />{L_USER} <input type="radio" name="require_activation" value="{ACTIVATION_ADMIN}" {ACTIVATION_ADMIN_CHECKED} />{L_ADMIN}</td>
</tr>
<tr>
|
AFTER, ADD
| Code:
|
<td class="row1">{L_VISUAL_CONFIRM}<br /><span class="gensmall">{L_VISUAL_CONFIRM_EXPLAIN}</span></td>
<td class="row2"><input type="radio" name="enable_confirm" value="1" {CONFIRM_ENABLE} />{L_YES} <input type="radio" name="enable_confirm" value="0" {CONFIRM_DISABLE} />{L_NO}</td>
</tr>
<tr>
|
Last edited by Thoul on November 19th 2004, 10:13 am; edited 1 time in total |
|
| Back to top |
|
|
|
|
Forums
Home
Register
Profile
Log in to check your private messages
Log in
FAQ
Search
Contact
Us 
