phpBB 3.0.8 released
It fixes an important bug in version 3.0.7:
the FLASH tag in BBCode can be used to execute JavaScript, causing a cross-site scripting vulnerability.
Open the file /includes/message_parser.php in your forum directory,
search for
[code] // Apply the same size checks on flash files as on images[/code]
and add after it
[code]$in = str_replace(' ', '%20', $in);

// Make sure $in is a URL.
if (!preg_match('#^' . get_preg_expression('url') . '$#i', $in) &&
    !preg_match('#^' . get_preg_expression('www_url') . '$#i', $in))
{
    return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
}[/code]
Save the file, then upload it to overwrite the original.
The original announcement follows:
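The following is an added example, not phpBB's own code, showing the two halves of this fix in stand-alone PHP: a model of the patched bbcode_flash() that only accepts a source that parses as a URL, and a scanner over stored post text for flash tags that an unpatched parser already accepted, in the spirit of the check_flash_bbcodes.php script the announcement below links to. It assumes two simplified URL patterns in place of phpBB's get_preg_expression('url') and get_preg_expression('www_url'), and that phpBB marks an accepted tag by appending the post's bbcode uid (the ':2olyk5kw'-style suffix visible in the quoted announcement) while a rejected tag comes back without one and so stays plain text. The sample posts are constructed.

```php
<?php
// Added example, not phpBB's own code: a stand-alone model of the 3.0.8 fix
// plus a scanner for posts that were accepted before the fix.

// Assumption: phpBB's get_preg_expression('url') / ('www_url') are not
// available here, so two simplified patterns stand in for them. A source
// must start with http(s):// or www. and contain no whitespace, quotes or
// angle brackets; anything else (e.g. a javascript: value) is not a URL.
const URL_RE     = '#^https?://[^\s"\'<>]+$#i';
const WWW_URL_RE = '#^www\.[^\s"\'<>]+$#i';

function looks_like_url(string $src): bool
{
    return preg_match(URL_RE, $src) === 1 || preg_match(WWW_URL_RE, $src) === 1;
}

/**
 * Model of bbcode_flash() after the fix. Assumption about phpBB's mechanism:
 * an accepted tag is returned with the post's bbcode uid appended
 * ([flash=w,h:uid]...[/flash:uid]), which is what the renderer later turns
 * into an embed; a rejected tag is returned without the uid and therefore
 * stays literal text in the post.
 */
function bbcode_flash(int $width, int $height, string $in, string $uid): string
{
    $in = str_replace(' ', '%20', $in);

    // Make sure $in is a URL; otherwise hand it back as plain BBCode text.
    if (!looks_like_url($in))
    {
        return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
    }

    return '[flash=' . $width . ',' . $height . ':' . $uid . ']' . $in . '[/flash:' . $uid . ']';
}

/**
 * Scan one stored post for flash tags carrying a uid (i.e. accepted by the
 * parser) whose source is not a URL. Returns the offending sources.
 */
function find_suspicious_flash(string $post_text): array
{
    $hits = [];
    $pattern = '#\[flash=\d+,\d+:([a-z0-9]+)\](.*?)\[/flash:\1\]#is';
    if (preg_match_all($pattern, $post_text, $matches, PREG_SET_ORDER))
    {
        foreach ($matches as $m)
        {
            if (!looks_like_url(str_replace(' ', '%20', $m[2])))
            {
                $hits[] = $m[2];
            }
        }
    }
    return $hits;
}

// Constructed sample data, not real board content: post 1 is a normal
// embed; post 2 is the kind of entry a pre-3.0.8 parser would have accepted.
$posts = [
    1 => '[flash=425,350:ab12cd34]http://example.com/movie.swf[/flash:ab12cd34]',
    2 => '[flash=425,350:ab12cd34]javascript:alert(1)[/flash:ab12cd34]',
];

foreach ($posts as $id => $text)
{
    $bad = find_suspicious_flash($text);
    echo 'post ' . $id . ': ' . ($bad ? 'SUSPICIOUS: ' . implode(', ', $bad) : 'ok') . "\n";
}

// The patched parser refuses the non-URL source at posting time, so it is
// returned without a uid and will render as literal text rather than an embed.
echo bbcode_flash(425, 350, 'javascript:alert(1)', 'ab12cd34') . "\n";
echo bbcode_flash(425, 350, 'http://example.com/movie.swf', 'ab12cd34') . "\n";
```

Run it with the PHP CLI. The point of the patch is that the check happens while the post is parsed, so it protects new posts only; the scanner part is what a board administrator needs for posts stored before the upgrade, which is exactly why the announcement ships a separate scanning script and a reparse tool.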
Hi everyone,
We are pleased to announce the release of phpBB "Patience is a Virtue" 3.0.8. This new version is a maintenance release fixing a large number of bugs as well as improving on usability and performance. Unfortunately we have also discovered a security issue in the previous version affecting boards which have the flash BBCode enabled - it is disabled by default. On WebKit based browsers like Safari or Chrome, as well as Opera, the flash BBCode can be used to execute javascript causing a cross site scripting vulnerability.
To fix this problem in 3.0.7, please go to line 354 in includes/message_parser.php, and right before
Code:
[code] // Apply the same size checks on flash files as on images[/code]
add these lines:
[code]$in = str_replace(' ', '%20', $in);

// Make sure $in is a URL.
if (!preg_match('#^' . get_preg_expression('url') . '$#i', $in) &&
    !preg_match('#^' . get_preg_expression('www_url') . '$#i', $in))
{
    return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
}[/code]
This will not fix the problem in already existing posts. In order to scan your board for malicious posts we have created a [url=https://github.com/phpbb/phpbb3/raw/develop-olympus/phpBB/develop/check_flash_bbcodes.php]scanning script[/url]. Simply upload it to your phpBB's root directory and access it directly. A new version of the Support Toolkit including this script as well as a tool for reparsing individual posts will be released soon. We will keep you updated.
The release also fixes a problem with the recaptcha plugin which could have helped spammers circumvent the captcha in some cases. A thank you goes to Evilzone.org for highlighting a few bugs and giving us an overall good security rating.
We urge you to update your installation as soon as possible. Our support team will only support phpBB 3.0.8, updates to phpBB 3.0.8 and conversions to phpBB 3.0.8. Submissions to our trackers for older versions will not be accepted, please make sure you update before you submit a bug report.
If you use a language pack other than the default "English [GB]", you should check our downloads section, an update may already be available.
We would also like to say a special thank you to everyone who has contributed a patch to this release:
Adam Reyher, Chris Sfanos, Cristian Rodriguez, Cullen Walsh, David Ward, Gabriel Vazquez, Marc Alexander, Mark, mrkurt, narqelion, Nick Anderegg, Oleg Pudeyev, Patrick W, Paul Sohier, Richard Foote, RMcGirr83, Rob House, SA007, Tabitha Backoff, Thatbitextra and Yuriy Rusko.
For a complete list of changes with attributed ticket numbers, please consult our [url=http://www.phpbb.com/support/documents.php?mode=changelog&version=3#v307-PL1]comprehensive changelog[/url].
Installation instructions
A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it. You can find a [url=http://www.phpbb.com/support/documents.php?mode=install&version=3#require]list of requirements[/url] on our Downloads page.
Security
If you find any security issues please report them to our [url=http://www.phpbb.com/security/]security tracker[/url].
Available packages
If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the "changed files only" or "patch" method for updating.
Full Package:
Full phpBB 3 source code and English language files.
Automatic Update Package:
Update package for the automatic updater, contains changes from previous release to this release.
Changed Files Only:
Complete files, but only those that were changed since previous releases of phpBB 3. This archive contains changed files for every previous release.
Patch Files:
This file contains diffs against the previous phpBB 3 release, which can be applied with the patch utility.
Select the package most suitable for you. We recommend the following methods depending on your situation:
For new installations you should use the Full Package
For updates of boards without modifications you can use the Automatic Update Package (guided update) or the Changed Files Only package (manual update).
For updates of boards with modifications you should use the Automatic Update Package. If you are confident with patch files and patching you can use the Patch Files Package.
International Support Teams may use the Patch Package in conjunction with the Code Changes to better support users with problematic conflicts during their update process or to help them update code sections.
If you are a hoster/provider, you may want to use the Patch Files Package to update all of your client installations.
Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!
Download Locations
The download is of course available on our [url=http://www.phpbb.com/downloads/]downloads page[/url].
Our [url=http://www.phpbb.com/files/archive/]release archive[/url] provides all packages we build. If you do not find your desired package you can probably find it in the release archive.
These are the files with their md5 sums:
[url=http://www.phpbb.com/files/release/phpBB-3.0.8.zip]phpBB-3.0.8.zip[/url] (Full Package)
md5sum: 81de73308603abee863be7552c7caac7
[url=http://www.phpbb.com/files/release/phpBB-3.0.8.tar.bz2]phpBB-3.0.8.tar.bz2[/url] (Full Package)
md5sum: 7b20c8377364fc0458a241e232a019d0
[url=http://www.phpbb.com/files/release/phpBB-3.0.8-patch.zip]phpBB-3.0.8-patch.zip[/url] (Patch Files)
md5sum: 75308c5c4e8d1c17ca8faa30687f1b42
[url=http://www.phpbb.com/files/release/phpBB-3.0.8-patch.tar.bz2]phpBB-3.0.8-patch.tar.bz2[/url] (Patch Files)
md5sum: 295a8bf9bfd3f90d715ecd642b3aa773
[url=http://www.phpbb.com/files/release/phpBB-3.0.8-files.zip]phpBB-3.0.8-files.zip[/url] (Changed Files)
md5sum: 03e1ad263c697f2b2da0632b1138aaf3
[url=http://www.phpbb.com/files/release/phpBB-3.0.8-files.tar.bz2]phpBB-3.0.8-files.tar.bz2[/url] (Changed Files)
md5sum: 31632678f94ccb677c2fda40fc91123a
[url=http://www.phpbb.com/files/release/phpBB-3.0.7-PL1_to_3.0.8.zip]phpBB-3.0.7-PL1_to_3.0.8.zip[/url] (Automatic Update Package from 3.0.7-PL1)
md5sum: 78f54abe9c11a645362ff08bcea67ec3
[url=http://www.phpbb.com/files/release/phpBB-3.0.7-PL1_to_3.0.8.tar.bz2]phpBB-3.0.7-PL1_to_3.0.8.tar.bz2[/url] (Automatic Update Package from 3.0.7-PL1)
md5sum: 351e9f24fd7d3e291eade22484340d22
[url=http://www.phpbb.com/files/release/phpBB-3.0.7-PL1_to_3.0.8-codechanges.zip]phpBB-3.0.7-PL1_to_3.0.8-codechanges.zip[/url] (Language and Style Code Changes)
md5sum: 4503e3959d39a6bd9d80bbe2e2b9d0a4
[url=http://www.phpbb.com/files/release/phpBB-3.0.7-PL1_to_3.0.8-codechanges.tar.bz2]phpBB-3.0.7-PL1_to_3.0.8-codechanges.tar.bz2[/url] (Language and Style Code Changes)
md5sum: b088ba2a16b456b4f7e764f381c4a3b7
[url=http://www.phpbb.com/files/release/phpBB-3.0.8.webpi.zip]phpBB-3.0.8.webpi.zip[/url] (Microsoft Web Platform Installer Package)
md5sum: af2d5111e435315891a8f772e85fbd47
Download & Documentation
[url=http://www.phpbb.com/downloads/]phpBB Downloads[/url]
[url=http://www.ohloh.net/projects/phpbb]phpBB Projects page @ ohloh[/url]
[url=http://www.phpbb.com/support/documentation/3.0/]phpBB 3 Documentation[/url]
[url=http://www.phpbb.com/phpBB/viewforum.php?f=46]phpBB 3 support forum[/url]
[url=http://www.phpbb.com/bugs/phpbb3/]phpBB 3 bug tracker[/url]
[url=http://github.com/phpbb/]phpBB on GitHub[/url]
[url=http://wiki.phpbb.com/]phpBB Code Wiki[/url]