phpBB 3.2.1 / 3.1.11 Released


nedka

24/07/2017 00:08
The phpBB Team has announced the release of phpBB 3.2.1 and 3.1.11. You are advised to update to these new versions because of the many bug fixes they include, as well as fixes for security issues in the remote avatar functionality and in the check for new versions.

SSRF Exploit in the Remote Avatar Functionality
A server-side request forgery (SSRF) exploit was discovered in the remote avatar functionality which could be used to perform service discovery on internal and external networks, as well as retrieve images which are usually restricted to local access. This exploit was reported by the security company SEC Consult. Please disable the remote avatar settings until your board has been patched with the new security release: 3.2.1 or 3.1.11.
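
The kind of check that closes this class of issue, as an added example (this is not phpBB's patch or code): a remote avatar URL is refused unless it is http(s), uses the default port and resolves only to public addresses. The names avatar_url_rejection and $resolver are hypothetical, and the DNS answers and URLs are constructed.

```php
<?php
// Added example, not phpBB's patch. avatar_url_rejection() and $resolver are
// hypothetical names; the resolver is injected so the samples run offline.

/** Return null if the URL may be fetched, otherwise the reason it is refused. */
function avatar_url_rejection(string $url, callable $resolver): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return 'not an absolute URL';
    }
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'scheme is not http(s)';
    }
    // Arbitrary ports let the avatar fetcher probe services on other hosts.
    $default_port = ($scheme === 'https') ? 443 : 80;
    if (($p['port'] ?? $default_port) !== $default_port) {
        return 'non-default port';
    }
    $ips = $resolver(trim($p['host'], '[]'));
    if (!$ips) {
        return 'host does not resolve';
    }
    foreach ($ips as $ip) {
        // Refuse loopback, link-local, RFC 1918 and other reserved ranges.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return "resolves to non-public address $ip";
        }
    }
    return null;
}

// Constructed DNS answers and URLs for illustration only.
$fake_dns = ['avatars.example.com' => ['203.0.113.10'], 'intranet.example.com' => ['10.0.0.5']];
$resolver = function (string $host) use ($fake_dns): array {
    return filter_var($host, FILTER_VALIDATE_IP) ? [$host] : ($fake_dns[$host] ?? []);
};
$samples = [
    'https://avatars.example.com/u/42.png',
    'http://intranet.example.com/logo.png',
    'http://127.0.0.1:8080/status.png',
    'http://[::1]/a.png',
    'ftp://avatars.example.com/a.png',
];
foreach ($samples as $url) {
    printf("%-40s %s\n", $url, avatar_url_rejection($url, $resolver) ?? 'ok');
}
```

For the check to hold, the HTTP client must connect to the address that was validated and apply the same check to every redirect target.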

XSS Vulnerability on Checking New Versions
A cross-site scripting (XSS) vulnerability via version check files was discovered internally by Derk Ruitenbeek. This could have been used to trick users into clicking on javascript: links. You may think it is safe to use official extensions by phpBB or extensions validated by them on phpBB.com. However, version info files which are stored on phpBB.com or developer websites can be attacked to modify the URLs for download links and release announcements. Unfortunately, you could easily click on these links before noticing anything wrong.

So patch this as soon as possible to keep your board safe when fetching version info files from any other websites. Additionally, the version check now also supports branches, which will result in more helpful information about new versions on other branches.
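
How a version info file can be screened before its links are shown, as an added example (not phpBB's code): every announcement and download URL must be an absolute http(s) URL. The function names are hypothetical and the JSON layout is a constructed sample, not taken from this page.

```php
<?php
// Added example, not phpBB code. Function names are hypothetical and the
// JSON layout follows the constructed sample at the bottom.

/** True only for absolute http(s) URLs without whitespace or control bytes. */
function is_safe_link($url): bool
{
    // Browsers drop tabs and newlines inside a URL, so "java\tscript:" still runs.
    if (!is_string($url) || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true);
}

/** Return "stability/branch/field" for every link that must not be rendered. */
function find_unsafe_version_links(string $json): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return ['(file is not valid JSON)'];
    }
    $unsafe = [];
    foreach ($data as $stability => $branches) {
        foreach ((array) $branches as $branch => $info) {
            if (!is_array($info)) {
                continue;
            }
            foreach (['announcement', 'download'] as $field) {
                if (isset($info[$field]) && !is_safe_link($info[$field])) {
                    $unsafe[] = "$stability/$branch/$field";
                }
            }
        }
    }
    return $unsafe;
}

// Constructed version info file with two tampered links.
$sample = <<<'JSON'
{"stable": {
  "3.1": {"current": "1.0.4", "announcement": "https://example.com/ext/news", "download": "javascript:alert(1)"},
  "3.2": {"current": "1.1.0", "announcement": "JaVa\tScRiPt:void(0)", "download": "https://example.com/ext/1.1.0.zip"}
}}
JSON;
print_r(find_unsafe_version_links($sample));
```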

High Load Issues with MySQL FULLTEXT
The new versions fix an issue with potential high load scenarios that could be caused by specially crafted search queries while using the MySQL FULLTEXT search backend. They also add the missing search indexing for topics after splitting a topic.

The New Hashing Algorithm: bcrypt
phpBB has switched to another hash algorithm for user passwords: bcrypt. Do not worry about existing user password hashes; the update tool will convert them silently.

Pagination for the Post Details
The new releases add pagination to the IP tables and post info on the post details page for moderators.

Verify SSL Certificates Used by SMTP/Jabber Servers
The new phpBB versions verify the SSL certificates used by SMTP/Jabber servers for sending emails/messages. You can skip this verification or allow self-signed SSL certificates; however, connecting to servers with unverified SSL certificates may have security implications.

Invalid Sorting Order for PMs (3.1.11 Only)
In phpBB 3.1.10, the UCP PM view folder page was using an invalid ORDER_BY definition that resulted in missing PM ordering. Now everything is working correctly.

Facebook API v2 Compatibility (3.2.1 Only)
Facebook recently introduced major changes to its API v2. The new Facebook response is in JSON format, while the pre-2.0 API returned a jQuery string. These changes have caused a lot of confusion for some developers, and for your phpBB board too: logging in with Facebook OAuth results in the fatal error “Uncaught exception”. phpBB 3.2.1 comes with PHPoAuthLib 0.8.10, which supports Facebook API v2.

Higher Resolution Images for proSilver (3.2.1 Only)
Imageset icons in proSilver are now double-sized for higher quality on Retina devices.

TextFormatter Improvements (3.2.1 Only)
The TextFormatter in phpBB 3.2.0 still causes many problems. Braces in smiley emotions are not treated as literals; they need to be escaped, otherwise they are part of the attribute value template grammar. Smilies that contain some combination of parentheses also cause an exception to be thrown. Nested [color]/[list] BBCode is not parsed correctly in phpBB 3.2 but is parsed in 3.1. URLs using the IRC protocol are not recognized anymore. All of these problems are fixed by TextFormatter 0.10.1, which is bundled in phpBB 3.2.1.

Broken FTP Update Method (3.2.1 Only)
The FTP updater used an invalid constructor, which resulted in errors before the upload even began, and users were told that a timeout was encountered. The new update tool makes the FTP update method functional again and also fixes issues with updating from earlier versions when using PostgreSQL.

New Twig Skills (3.2.1 Only)
phpBB 3.2.1 updates Twig from the old version 1.24 to 1.33, which brings new features for designers working with phpBB template files.

Strip whitespace from the beginning or end
Before phpBB 3.2.1, the |trim filter always stripped both the left and the right side. Now it can also strip only the left side or only the right side.

Strip whitespace from the beginning of a string:

{{ ABC|trim(side='left') }}
or
{{ ABC|trim(' ', 'left') }}

Strip whitespace from the end of a string:

{{ ABC|trim(side='right') }}
or
{{ ABC|trim(' ', 'right') }}

These new options use the PHP ltrim() and rtrim() functions.

Checking for an existing block
Assume that we have an HTML block named abc:
{% block abc %}...{% endblock %}

Check that the block abc is available before using it; otherwise print an error message:
{% if block('abc') is defined %}
	{{ block('abc') }}
{% else %}
	No data found!
{% endif %}

Checking for an existing constant
{% if constant('IN_PHPBB') is defined %}...{% endif %}

Creating an inner scope
Use the with tag to create a new inner scope. Variables set within this scope are not visible outside of the scope.
{% with %}
	{% set ABC = 123 %}
	{# {{ ABC }} is 123 here #}
{% endwith %}

{# {{ ABC }} is not visible here any longer #}
or
{% with { ABC: 123 } %}
	{# {{ ABC }} is 123 here #}
{% endwith %}

{# {{ ABC }} is not visible here any longer #}
You can also pass existing variables into the inner scope with the only keyword; all other variables are unavailable there. The with tag expects a hash, so the variable is passed as { ABC: ABC }.
{% set ABC = 123 %}
{% set XYZ = 999 %}

{% with { ABC: ABC } only %}
	{# Only {{ ABC }} is 123 here #}
	{# {{ XYZ }} is not defined here #}
{% endwith %}

New console commands
Repair the tree structure of the forums and modules:
php bin/phpbbcli.php fixup:fix-left-right-ids
Update outdated password hashes to be hashed with bcrypt:
php bin/phpbbcli.php fixup:update-hashes

New Events for Extension Developers
Each new phpBB release comes with a lot of new PHP and template events. Here are some of the notable ones.
  • core.user_format_date_override: Execute code and/or override the PHP function format_date().
  • core.delete_post_after: Execute code after the post or topic has been deleted.
  • core.get_user_rank_after: Modify a user rank before displaying.
  • core.modify_email_headers: Modify email headers before sending.
  • core.send_file_to_browser_before: Modify the attachment before it is sent to the user browser.
  • core.smiley_text_root_path: Modify the smiley path (in display text).
  • core.generate_smilies_before: Modify the smiley path (the smiley list on posting form).
  • core.user_unban: Execute code after the ban has been removed.
  • core.viewtopic_highlight_modify: Modify the highlighted text (found results) on the topic page.
  • index_body_birthday_block_before: Add new HTML blocks before the birthday block on the index page.

Updated Components
Download the latest version and update packages: 3.2.1 | 3.1.11

Finally, for phpBB 3.1.x users, please note that this is the last maintenance release for phpBB 3.1 as it has now reached end of maintenance. It will continue to receive security updates until December 2017. Go Rhea 3.2 now!

Reference: https://www.phpbb.com/community/viewtop ... &t=2430926

