A new table was created to save all failed login attempts with
corresponding information on username, ip and useragent. By default
the limit is 50 login attempts within 6 hours per IP. The limit is
relatively high to avoid big problems on sites behind a reverse
proxy that don't receive the forwarded-for value as REMOTE_ADDR but
see all users as coming from the same IP address. But if these
users run into problems a special forwarded-for option is available
to limit logins by forwarded-for value instead of ip.
PHPBB3-9992
There are currently two hard limits for the number of BBCodes
allowed. One is enforced by the type of the `bbcode_id` column,
the other by an hard limit in `acp/acp_bbcode.php`. However this
limit can never be reached due to the size of the database column.
Suggested fix involves adding a new constant to define the max.
number of BBCodes (as with smilies) and chaning the database
column from a tinyint to a smallint to actually allow 1511 BBCodes
PHPBB3-7778
* prep-release-3.0.8:
[prep-release-3.0.8] Incrementing version number to 3.0.8 and update changelog
[ticket/9903] Script for detecting potentially malicious flash bbcodes
[ticket/9904] Update WebPI Parameters.xml to work with WebMatrix.
[ticket/9903] Fix XSS in BBcode-parser's Flash-BBcode.
Conflicts:
phpBB/includes/constants.php
phpBB/install/database_update.php
phpBB/install/schemas/schema_data.sql
Generally, our config table is not really suited for holding large datasets. Because feed settings for the forums to enable news feeds and excluded forums rely on the forums itself we have decided to introduce a forum_options table where custom options can be stored.
Additionally, for this to work across all DBMS we support, we added a new method to the DBAL for the bitwise AND operator.
Also moved the forum/topic feed template variable to the location where they belong to (forum and topic view)
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9965 89ea8834-ac86-4346-8a33-228a782c2dd0
- add option for minimum post chars (which is a required setting for quick reply, therefore we introduce it here)
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9656 89ea8834-ac86-4346-8a33-228a782c2dd0
Added min/max captcha chars constants and changed the length from 5-8 to 4-7
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9437 89ea8834-ac86-4346-8a33-228a782c2dd0
- Automatic URL parsing no longer allows dots in the schema but can parse URLs starting after a dot [Bug #15110]
- Dynamic width for birthday select boxes [Bug #15149]
git-svn-id: file:///svn/phpbb/trunk@8246 89ea8834-ac86-4346-8a33-228a782c2dd0
- changed highlighting so foo* will match foo again [Bug #10031]
- restructured magic urls (functionality still mostly the same), added a check for entities in urls and punctuation at the end of magic urls [Bugs #10639, #10293]
- undid the workaround for urls in quotes, as it's fixed by the new magic url handling
- allow magic urls enclosed in BBCode [Bug #10319]
- added handling for IPv6 addresses to the IP checking without adding extra options [Bug #9538]
- correctly handle search in search results of search queries with brackets [Bug #10581]
- added information about requirements for auth_apache [Bug #10107]
git-svn-id: file:///svn/phpbb/trunk@7559 89ea8834-ac86-4346-8a33-228a782c2dd0
imagesets are now "intelligently" multilingual, one may use imagesets inside of CSS files now (as well as properties like the width and height of an imageset's image)
all previous styles should change their imageset.cfg to be like prosilver and subsilver2 (notice how there is now an imageset.cfg in the /en folder, there should be one for each language)
git-svn-id: file:///svn/phpbb/trunk@7304 89ea8834-ac86-4346-8a33-228a782c2dd0
- allow cancelling search index creation/removal
- custom CSS class name input too short [Bug #8328]
- give an error message if a password wasn't convertable (special characters in non-standard encoding)
- moved still_on_time to functions.php, used by acp_search and converter, might be useful for MODs (or complex cron scripts)
- do not allow empty passwords on login
- add sids to local URLs in posts (this was a really terrible bug to fix ;-)) [Bug #7892]
- ignore invalid HTTP_X_FORWARDED_FOR headers (just use REMOTE_ADDR if invalid) [Bug #8314]
- changed forum listing code on search page and acp_attachments [Bug #6658]
- search indexing uses still_on_time(), smaller batch size (1000) and meta_refresh() instead of redirect(), this should solve a few problems [Bugs #8034, #8270]
- made password requirement language strings clearer
- ALPHA is not meant to be alphanumric [Bug #7764]
- display bug in firefox on linux making the pagination wrap on search results page (caused by )
git-svn-id: file:///svn/phpbb/trunk@7076 89ea8834-ac86-4346-8a33-228a782c2dd0
- removing extension from physical filename for uploaded attachments (as has been suggested some time ago from our community), can still be used by using the new 'unique_ext' mode on file cleaning
- fixed a bug with copying attachments if copying a topic
- made sure no attachment files get removed used at another location
- changed media player "embed" code. For some this may result in no auto-resizing - though a download link has been added.
git-svn-id: file:///svn/phpbb/trunk@6831 89ea8834-ac86-4346-8a33-228a782c2dd0
- removed not utilized user_allow_email column from schema
- removed inactive groups (they had no use at all, since inactive users are not able to login)
The only benefit those brought are distinguish users - but this is no longer needed too due to the inactive code present. This also allows us to retain group memberships as well as default settings for users being set inactive due to profile changes.
- rewrote user_active_flip to support multiple users and a mode, as well as coping with the aforementioned changes
- implemented updated jabber class to support SRV server records and for better jabberd2 support.
- jabber errors now logged to the error log with a full transaction
- fixed user_delete calls to include usernames where possible and also update last post information correctly
- implemented additioal checks to user management to cope with common mistakes
- On installation, guess the required mysql schema as best as possible. Users now only need to decide if they want to use the mysqli extension or not (mysqli selected by default) and no longer need to know their mysql version.
- founders do not need to re-activate their account on profile changes
- remove older session if re-authentication was successful (re-authentication always assigns a new session id)
- set the cookie directly instead of using php's function
- added inactive_remind to see which users got deactivated because of reminders (or re-activation) sent out
hopefully not introduced too many bugs - those testing with CVS releases, please concentrate on user registration, activation, profile changes (email/password)...
git-svn-id: file:///svn/phpbb/trunk@6436 89ea8834-ac86-4346-8a33-228a782c2dd0
