First, the changes from 2.0.13 to 2.0.14:
- Hardened author and keyword search a bit to not allow very server intensive searches
- Fixed full path disclosure in bad word parsing
- Resetting complete userdata array in session code if authentication fails
- Fixed bug in moderator control panel where certain parameters could lead to an “error creating new session” sql error
- Fixed bug in session code where empty page ids could lead to an “error creating new session” sql error
- Fixed html handling in signatures if html is turned off globally
- Fixed install.php problem with PHP5 register_long_arrays option turned off
- Fixed potential issues with styling system
- Added correct class to login_body template file
- Removed file db/oracle.php from package
- Removed version number from message body page in /admin (if user is not an admin) – mikelbeck
- Fixed case-sensitivity issues in postgres7.php – R45
2.0.15 fixes a security issue. In includes/bbcode.php, find this section:
{ global $lang, $bbcode_tpl;
and add this line below it:
$text = preg_replace("#(script|about|applet|activex|chrome):#is", "\\1&#058;", $text); // "\\1" keeps the scheme name, "&#058;" replaces the colon; note "\\1", since "\1" in a double-quoted PHP string is the octal escape for chr(1)
Then find this section:
*/ function make_clickable($text) {
and add this line below it:
$text = preg_replace("#(script|about|applet|activex|chrome):#is", "\\1&#058;", $text); // same fix as in bbencode_second_pass(): neutralize the colon after a risky scheme before the URL regexes run
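To show what that added line actually does, here is a small Python model of the same regex (an added example, not phpBB's own code); the `LINK` matcher is an assumption, a simplified stand-in for phpBB's [url] parsing:

```python
import re

# Mirrors the pattern phpBB 2.0.15 added to includes/bbcode.php:
# "#(script|about|applet|activex|chrome):#is". "script:" also matches the
# tail of "javascript:" / "vbscript:", and the "i" flag catches mixed case.
RISKY_SCHEME = re.compile(r"(script|about|applet|activex|chrome):",
                          re.IGNORECASE | re.DOTALL)

# Assumption: a simplified "scheme://..." matcher of the kind that turns
# post text into clickable links. phpBB's real [url] regexes are more involved.
LINK = re.compile(r"\b\w+://[^\s<\"]+", re.IGNORECASE)


def neutralize_schemes(text: str) -> str:
    """Replace the ':' after a risky scheme with the entity &#058;.

    Backreference \\1 keeps the scheme name; only the colon changes, so a
    later "scheme://" regex no longer sees a live URL. The match is coarse:
    any word ending in "script" followed by ':' (e.g. "transcript:") is
    rewritten too, which is harmless but visible in the stored text.
    """
    return RISKY_SCHEME.sub(r"\1&#058;", text)


def find_links(text: str) -> list[str]:
    """Return every substring the simplified link matcher would linkify."""
    return LINK.findall(text)


def linkify_safely(text: str) -> list[str]:
    """Apply the 2.0.15 fix first, then linkify, in that order."""
    return find_links(neutralize_schemes(text))


if __name__ == "__main__":
    # Constructed sample posts, not real forum data.
    samples = [
        "see http://example.com/ for details",
        "click [url]JaVaScRiPt://example.com/[/url] now",
        "about://config and ActiveX://x should not become links",
    ]
    for s in samples:
        print(repr(s), "->", linkify_safely(s))
```

If the neutralized text is ever emitted raw inside an href attribute, the browser decodes `&#058;` back to `:`, so the protection comes from the link regexes no longer matching, not from the entity itself.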
So in total, these are the changes in 2.0.15:
- Fixed moderator status removal in groupcp.php
- Removed newlines after ?> on some files – Thoul
- Added admin re-authentication (admin needs to login separately to access the ACP) – backported from Olympus
- Fixed vulnerability in url/bbcode handling functions – PapaDos and Paul/Zhen-Xjell from CastleCops
- Fixed issue in admin/admin_forums.php
- Suppressed warning message for fsockopen in /includes/smtp.php – Thoul
- Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) – Exy
- Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
- Updated the readme file
- Added one new language variable
- Added general error if accessing profile for a non-existent user
- Changed session id generation to be more unique – Henno Joosep
- Fixed bug in highlight code to escape characters correctly
- Reversed the 2.0.14 fix for postgresql because it produced more problems than it solved.
- Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
- Fixed bypassing of validate_username on registration – Yen
- Empty url/img bbcodes no longer get parsed
竹貓星球 also has these two announcements:
[2005/04/25] phpBB 2.0.14 security fix release (includes update files)
[2005/05/08] phpBB 2.0.15 security fix release