This commit was manufactured by cvs2svn to create tag

'release_2_0_15'.

git-svn-id: file:///svn/phpbb/tags/release_2_0_15@5150 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/admin/admin_forums.php

@@ -233,6 +233,7 @@ if( isset($HTTP_POST_VARS['addforum']) || isset($HTTP_POST_VARS['addcategory'])
 	if( $mode == "addforum" )
 	{
 		list($cat_id) = each($HTTP_POST_VARS['addforum']);
+		$cat_id = intval($cat_id);
 		// 
 		// stripslashes needs to be run on this because slashes are added when the forum name is posted
 		//
@@ -1024,4 +1025,4 @@ $template->pparse("body");
 
 include('./page_footer_admin.'.$phpEx);
 
-?>
+?>

phpBB/admin/admin_smilies.php

@@ -447,6 +447,9 @@ else if ( $mode != "" )
 			$smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ? $HTTP_POST_VARS['smile_code'] : $HTTP_GET_VARS['smile_code'];
 			$smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ? $HTTP_POST_VARS['smile_url'] : $HTTP_GET_VARS['smile_url'];
 			$smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ? $HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];
+			$smile_code = trim($smile_code);
+			$smile_url = trim($smile_url);
+			$smile_emotion = trim($smile_emotion);
 
 			// If no code was entered complain ...
 			if ($smile_code == '' || $smile_url == '')
@@ -553,4 +556,4 @@ else
 //
 include('./page_footer_admin.'.$phpEx);
 
-?>
+?>

phpBB/admin/admin_styles.php

@@ -75,7 +75,7 @@ switch( $mode )
 		if( isset($install_to) )
 		{
 
-			include($phpbb_root_path. "templates/" . $install_to . "/theme_info.cfg");
+			include($phpbb_root_path. "templates/" . basename($install_to) . "/theme_info.cfg");
 
 			$template_name = $$install_to;
 			$found = FALSE; 
@@ -739,7 +739,7 @@ switch( $mode )
 			
 			@umask(0111);
 
-			$fp = @fopen($phpbb_root_path . 'templates/' . $template_name . '/theme_info.cfg', 'w');
+			$fp = @fopen($phpbb_root_path . 'templates/' . basename($template_name) . '/theme_info.cfg', 'w');
 
 			if( !$fp )
 			{

phpBB/admin/admin_ug_auth.php

@@ -508,6 +508,48 @@ if ( isset($HTTP_POST_VARS['submit']) && ( ( $mode == 'user' && $user_id ) || (
 			}
 		}
 
+		$sql = 'SELECT user_id FROM ' . USER_GROUP_TABLE . "
+			WHERE group_id = $group_id";
+		$result = $db->sql_query($sql);
+
+		$group_user = array();
+		while ($row = $db->sql_fetchrow($result))
+		{
+			$group_user[$row['user_id']] = $row['user_id'];
+		}
+		$db->sql_freeresult($result);
+
+		$sql = "SELECT ug.user_id, COUNT(auth_mod) AS is_auth_mod 
+			FROM " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug 
+			WHERE ug.user_id IN (" . implode(', ', $group_user) . ") 
+				AND aa.group_id = ug.group_id 
+				AND aa.auth_mod = 1
+			GROUP BY ug.user_id";
+		if ( !($result = $db->sql_query($sql)) )
+		{
+			message_die(GENERAL_ERROR, 'Could not obtain moderator status', '', __LINE__, __FILE__, $sql);
+		}
+
+		while ($row = $db->sql_fetchrow($result))
+		{
+			if ($row['is_auth_mod'])
+			{
+				unset($group_user[$row['user_id']]);
+			}
+		}
+		$db->sql_freeresult($result);
+
+		if (sizeof($group_user))
+		{
+			$sql = "UPDATE " . USERS_TABLE . " 
+				SET user_level = " . USER . " 
+				WHERE user_id IN (" . implode(', ', $group_user) . ") AND user_level = " . MOD;
+			if ( !($result = $db->sql_query($sql)) )
+			{
+				message_die(GENERAL_ERROR, 'Could not update user level', '', __LINE__, __FILE__, $sql);
+			}
+		}
+
 		message_die(GENERAL_MESSAGE, $message);
 	}
 }

phpBB/admin/page_footer_admin.php

@@ -33,7 +33,7 @@ $template->set_filenames(array(
 );
 
 $template->assign_vars(array(
-	'PHPBB_VERSION' => '2' . $board_config['version'], 
+	'PHPBB_VERSION' => ($userdata['user_level'] == ADMIN && $userdata['user_id'] != ANONYMOUS) ? '2' . $board_config['version'] : '', 
 	'TRANSLATION_INFO' => $lang['TRANSLATION_INFO'])
 );
 

phpBB/admin/page_header_admin.php

@@ -35,7 +35,7 @@ if ( $board_config['gzip_compress'] )
 {
 	$phpver = phpversion();
 
-	$useragent = (isset($_SERVER["HTTP_USER_AGENT"]) ) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT;
+	$useragent = (isset($HTTP_SERVER_VARS['HTTP_USER_AGENT'])) ? $HTTP_SERVER_VARS['HTTP_USER_AGENT'] : getenv('HTTP_USER_AGENT');
 
 	if ( $phpver >= '4.0.4pl1' && ( strstr($useragent,'compatible') || strstr($useragent,'Gecko') ) )
 	{

phpBB/admin/pagestart.php

@@ -59,6 +59,11 @@ if ($HTTP_GET_VARS['sid'] != $userdata['session_id'])
 	redirect("index.$phpEx?sid=" . $userdata['session_id']);
 }
 
+if (!$userdata['session_admin'])
+{
+	redirect(append_sid("login.$phpEx?redirect=admin/&admin=1", true));
+}
+
 if (empty($no_page_header))
 {
 	// Not including the pageheader can be neccesarry if META tags are

phpBB/db/oracle.php

@@ -1,472 +0,0 @@
-<?php
-/***************************************************************************
- *                                oracle.php
- *                            -------------------
- *   begin                : Thrusday Feb 15, 2001
- *   copyright            : (C) 2001 The phpBB Group
- *   email                : support@phpbb.com
- *
- *   $Id$
- *
- ***************************************************************************/
-
-/***************************************************************************
- *
- *   This program is free software; you can redistribute it and/or modify
- *   it under the terms of the GNU General Public License as published by
- *   the Free Software Foundation; either version 2 of the License, or
- *   (at your option) any later version.
- *
- ***************************************************************************/
-
-if(!defined("SQL_LAYER"))
-{
-
-define("SQL_LAYER","oracle");
-
-class sql_db
-{
-
-	var $db_connect_id;
-	var $query_result;
-	var $in_transaction = 0;
-	var $row = array();
-	var $rowset = array();
-	var $num_queries = 0;
-	var $last_query_text = "";
-
-	//
-	// Constructor
-	//
-	function sql_db($sqlserver, $sqluser, $sqlpassword, $database="", $persistency = true)
-	{
-		$this->persistency = $persistency;
-		$this->user = $sqluser;
-		$this->password = $sqlpassword;
-		$this->server = $sqlserver;
-		$this->dbname = $database;
-
-		if($this->persistency)
-		{
-			$this->db_connect_id = @OCIPLogon($this->user, $this->password, $this->server);
-		}
-		else
-		{
-			$this->db_connect_id = @OCINLogon($this->user, $this->password, $this->server);
-		}
-		if($this->db_connect_id)
-		{
-			return $this->db_connect_id;
-		}
-		else
-		{
-			return false;
-		}
-	}
-
-	//
-	// Other base methods
-	//
-	function sql_close()
-	{
-		if($this->db_connect_id)
-		{
-			// Commit outstanding transactions
-			if($this->in_transaction)
-			{
-				OCICommit($this->db_connect_id);
-			}
-
-			if($this->query_result)
-			{
-				@OCIFreeStatement($this->query_result);
-			}
-			$result = @OCILogoff($this->db_connect_id);
-			return $result;
-		}
-		else
-		{
-			return false;
-		}
-	}
-
-	//
-	// Base query method
-	//
-	function sql_query($query = "", $transaction = FALSE)
-	{
-		// Remove any pre-existing queries
-		unset($this->query_result);
-
-		// Put us in transaction mode because with Oracle as soon as you make a query you're in a transaction
-		$this->in_transaction = TRUE;
-
-		if($query != "")
-		{
-			$this->last_query = $query;
-			$this->num_queries++;
-
-			if(eregi("LIMIT", $query))
-			{
-				preg_match("/^(.*)LIMIT ([0-9]+)[, ]*([0-9]+)*/s", $query, $limits);
-
-				$query = $limits[1];
-				if($limits[3])
-				{
-					$row_offset = $limits[2];
-					$num_rows = $limits[3];
-				}
-				else
-				{
-					$row_offset = 0;
-					$num_rows = $limits[2];
-				}
-			}
-
-			if(eregi("^(INSERT|UPDATE) ", $query))
-			{
-				$query = preg_replace("/\\\'/s", "''", $query);
-			}
-
-			$this->query_result = @OCIParse($this->db_connect_id, $query);
-			$success = @OCIExecute($this->query_result, OCI_DEFAULT);
-		}
-		if($success)
-		{
-			if($transaction == END_TRANSACTION)
-			{
-				OCICommit($this->db_connect_id);
-				$this->in_transaction = FALSE;
-			}
-
-			unset($this->row[$this->query_result]);
-			unset($this->rowset[$this->query_result]);
-			$this->last_query_text[$this->query_result] = $query;
-
-			return $this->query_result;
-		}
-		else
-		{
-			if($this->in_transaction)
-			{
-				OCIRollback($this->db_connect_id);
-			}
-			return false;
-		}
-	}
-
-	//
-	// Other query methods
-	//
-	function sql_numrows($query_id = 0)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-			$result = @OCIFetchStatement($query_id, $this->rowset);
-			// OCIFetchStatment kills our query result so we have to execute the statment again
-			// if we ever want to use the query_id again.
-			@OCIExecute($query_id, OCI_DEFAULT);
-			return $result;
-		}
-		else
-		{
-			return false;
-		}
-	}
-	function sql_affectedrows($query_id = 0)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-			$result = @OCIRowCount($query_id);
-			return $result;
-		}
-		else
-		{
-			return false;
-		}
-	}
-	function sql_numfields($query_id = 0)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-			$result = @OCINumCols($query_id);
-			return $result;
-		}
-		else
-		{
-			return false;
-		}
-	}
-	function sql_fieldname($offset, $query_id = 0)
-	{
-		// OCIColumnName uses a 1 based array so we have to up the offset by 1 in here to maintain
-		// full abstraction compatibitly
-		$offset += 1;
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-			$result = strtolower(@OCIColumnName($query_id, $offset));
-			return $result;
-		}
-		else
-		{
-			return false;
-		}
-	}
-	function sql_fieldtype($offset, $query_id = 0)
-	{
-		// This situation is the same as fieldname
-		$offset += 1;
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-			$result = @OCIColumnType($query_id, $offset);
-			return $result;
-		}
-		else
-		{
-			return false;
-		}
-	}
-	function sql_fetchrow($query_id = 0, $debug = FALSE)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-			$result_row = "";
-			$result = @OCIFetchInto($query_id, $result_row, OCI_ASSOC+OCI_RETURN_NULLS);
-			if($debug)
-			{
-				echo "Query was: ".$this->last_query . "<br>";
-				echo "Result: $result<br>";
-				echo "Query ID: $query_id<br>";
-				echo "<pre>";
-				var_dump($result_row);
-				echo "</pre>";
-			}
-			if($result_row == "")
-			{
-				return false;
-			}
-
-			for($i = 0; $i < count($result_row); $i++)
-			{
-				list($key, $val) = each($result_row);
-				$return_arr[strtolower($key)] = $val;
-			}
-			$this->row[$query_id] = $return_arr;
-
-			return $this->row[$query_id];
-		}
-		else
-		{
-			return false;
-		}
-	}
-	// This function probably isn't as efficant is it could be but any other way I do it
-	// I end up losing 1 row...
-	function sql_fetchrowset($query_id = 0)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-			$rows = @OCIFetchStatement($query_id, $results);
-			@OCIExecute($query_id, OCI_DEFAULT);
-			for($i = 0; $i < $rows; $i++)
-			{
-				@OCIFetchInto($query_id, $tmp_result, OCI_ASSOC+OCI_RETURN_NULLS);
-
-				for($j = 0; $j < count($tmp_result); $j++)
-				{
-					list($key, $val) = each($tmp_result);
-					$return_arr[strtolower($key)] = $val;
-				}
-				$result[] = $return_arr;
-			}
-			return $result;
-		}
-		else
-		{
-			return false;
-		}
-	}
-	function sql_fetchfield($field, $rownum = -1, $query_id = 0)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-			if($rownum > -1)
-			{
-				// Reset the internal rownum pointer.
-				@OCIExecute($query_id, OCI_DEFAULT);
-				for($i = 0; $i < $rownum; $i++)
-				  {
-						// Move the interal pointer to the row we want
-						@OCIFetch($query_id);
-				  }
-				// Get the field data.
-				$result = @OCIResult($query_id, strtoupper($field));
-			}
-			else
-			{
-				// The internal pointer should be where we want it
-				// so we just grab the field out of the current row.
-				$result = @OCIResult($query_id, strtoupper($field));
-			}
-			return $result;
-		}
-		else
-		{
-			return false;
-		}
-	}
-	function sql_rowseek($rownum, $query_id = 0)
-	{
-		if(!$query_id)
-		{
-				$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-				@OCIExecute($query_id, OCI_DEFAULT);
-			for($i = 0; $i < $rownum; $i++)
-				{
-					@OCIFetch($query_id);
-				}
-			$result = @OCIFetch($query_id);
-			return $result;
-		}
-		else
-		{
-				return false;
-		}
-	}
-	function sql_nextid($query_id = 0)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id && $this->last_query_text[$query_id] != "")
-		{
-			if( eregi("^(INSERT{1}|^INSERT INTO{1})[[:space:]][\"]?([a-zA-Z0-9\_\-]+)[\"]?", $this->last_query_text[$query_id], $tablename))
-			{
-				$query = "SELECT ".$tablename[2]."_id_seq.currval FROM DUAL";
-				$stmt = @OCIParse($this->db_connect_id, $query);
-				@OCIExecute($stmt,OCI_DEFAULT );
-				$temp_result = @OCIFetchInto($stmt, $temp_result, OCI_ASSOC+OCI_RETURN_NULLS);
-				if($temp_result)
-				{
-					return $temp_result['CURRVAL'];
-				}
-				else
-				{
-					return false;
-				}
-			}
-			else
-			{
-				return false;
-			}
-		}
-		else
-		{
-			return false;
-		}
-	}
-
-	function sql_nextid($query_id = 0)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		if($query_id && $this->last_query_text[$query_id] != "")
-		{
-			if( eregi("^(INSERT{1}|^INSERT INTO{1})[[:space:]][\"]?([a-zA-Z0-9\_\-]+)[\"]?", $this->last_query_text[$query_id], $tablename))
-			{
-				$query = "SELECT ".$tablename[2]."_id_seq.CURRVAL FROM DUAL";
-				$temp_q_id =  @OCIParse($this->db_connect_id, $query);
-				@OCIExecute($temp_q_id, OCI_DEFAULT);
-				@OCIFetchInto($temp_q_id, $temp_result, OCI_ASSOC+OCI_RETURN_NULLS);
-
-				if($temp_result)
-				{
-					return $temp_result['CURRVAL'];
-				}
-				else
-				{
-					return false;
-				}
-			}
-			else
-			{
-				return false;
-			}
-		}
-		else
-		{
-			return false;
-		}
-	}
-
-
-
-	function sql_freeresult($query_id = 0)
-	{
-		if(!$query_id)
-		{
-				$query_id = $this->query_result;
-		}
-		if($query_id)
-		{
-				$result = @OCIFreeStatement($query_id);
-				return $result;
-		}
-		else
-		{
-				return false;
-		}
-	}
-	function sql_error($query_id  = 0)
-	{
-		if(!$query_id)
-		{
-			$query_id = $this->query_result;
-		}
-		$result  = @OCIError($query_id);
-		return $result;
-	}
-
-} // class sql_db
-
-} // if ... define
-
-?>

phpBB/docs/CHANGELOG.html

@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html">
 <meta http-equiv="Content-Style-Type" content="text/css">
-<title>phpBB 2.0.12 :: Changelog</title>
+<title>phpBB 2.0.15 :: Changelog</title>
 <link rel="stylesheet" href="../templates/subSilver/subSilver.css" type="text/css" />
 <style type="text/css">
 <!--
@@ -24,7 +24,7 @@ p,ul,td {font-size:10pt;}
 <table width="100%" border="0" cellspacing="0" cellpadding="0">
 	<tr>
 		<td><img src="../templates/subSilver/images/logo_phpBB.gif" border="0" alt="phpBB 2 : Creating Communities" vspace="1" /></a></td>
-		<td align="center" width="100%" valign="middle"><span class="maintitle">phpBB 2.0.12 CHANGELOG</span></td>
+		<td align="center" width="100%" valign="middle"><span class="maintitle">phpBB 2.0.15 CHANGELOG</span></td>
 	</tr>
 </table>
 
@@ -32,6 +32,9 @@ p,ul,td {font-size:10pt;}
 <ol>
 <li><a href="#changelog">Changelog</a></li>
 <ol type="i">
+	<li><a href="#2014">Changes since 2.0.14</a></li>
+	<li><a href="#2013">Changes since 2.0.13</a></li>
+	<li><a href="#2012">Changes since 2.0.12</a></li>
 	<li><a href="#2011">Changes since 2.0.11</a></li>
 	<li><a href="#2010">Changes since 2.0.10</a></li>
 	<li><a href="#209">Changes since 2.0.9</a></li>
@@ -57,7 +60,54 @@ p,ul,td {font-size:10pt;}
 
 <p>This is a non-exhaustive (but still near complete) changelog for phpBB 2.0.x including beta and release candidate versions. Our thanks to all those people who've contributed bug reports and code fixes.</p>
 
-<a name="2011"></a><h3 class="h3">l.i. Changes since 2.0.11</h3>
+<a name="2014"></a><h3 class="h3">l.i. Changes since 2.0.14</h3>
+
+<ul>
+<li>Fixed moderator status removal in groupcp.php</li>
+<li>Removed newlines after ?&gt; on some files - <b>Thoul</b></li>
+<li>Added admin re-authentication (admin needs to login seperatly to access the ACP) - backported from Olympus</li>
+<li>Fixed vulnerability in url/bbcode handling functions - <b>PapaDos and Paul/Zhen-Xjell from CastleCops</b></li>
+<li>Fixed issue in admin/admin_forums.php</li>
+<li>Suppressed warning message for fsockopen in /includes/smtp.php - <b>Thoul</b></li>
+<li>Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - <b>Exy</b></li>
+<li>Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)</li>
+<li>Updated the readme file</li>
+<li>Added one new language variable</li>
+<li>Added general error if accessing profile for a non-existent user</li>
+<li>Changed session id generation to be more unique - <b>Henno Joosep</b></li>
+<li>Fixed bug in highlight code to escape characters correctly</li>
+<li>Reversed the 2.0.14 fix for postgresql because it produced more problems than it solves.</li>
+<li>Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file</li>
+<li>Fixed bypassing of validate_username on registration - Yen</li>
+<li>Empty url/img bbcodes no longer get parsed</li>
+</ul>
+
+<a name="2013"></a><h3 class="h3">l.ii. Changes since 2.0.13</h3>
+
+<ul>
+<li>Hardened author and keyword search a bit to not allow very server intensive searches</li>
+<li>Fixed full path disclosure in bad word parsing</li>
+<li>Resetting complete userdata array in session code if authentication fails</li>
+<li>Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error</li>
+<li>Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error</li>
+<li>Fixed html handling in signatures if html is turned off globally</li>
+<li>Fixed install.php problem with PHP5 register_long_arrays option turned off</li>
+<li>Fixed potential issues with styling system</li>
+<li>Added correct class to login_body template file</li>
+<li>Removed file db/oracle.php from package</li>
+<li>Removed version number from message body page in /admin (if user is not an admin) - <b>mikelbeck</b></li>
+<li>Fixed case-sensitivity issues in postgres7.php - <b>R45</b></li>
+</ul>
+
+<a name="2012"></a><h3 class="h3">l.iii. Changes since 2.0.12</h3>
+
+<ul>
+<li>Ommitted preg_replace warning in viewtopic due to improper working of preg_quote in PHP - originally reported by matrix_killer, fix submitted by another party</li>
+<li>Fixed high severity issue in session handling allowing everyone gaining administrator rights. Please update as soon as possible.</li>
+<li>Minimum requirements raised to PHP 4.0.3 or above due to fixing vulnerability issues breaking PHP3 compatibility.</li>
+</ul>
+
+<a name="2011"></a><h3 class="h3">l.iv. Changes since 2.0.11</h3>
 
 <ul>
 <li>Added confirm table to admin_db_utilities.php</li>
@@ -72,7 +122,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - <b>matrix_killer</b></li>
 </ul>
 
-<a name="2010"></a><h3 class="h3">l.ii. Changes since 2.0.10</h3>
+<a name="2010"></a><h3 class="h3">l.v. Changes since 2.0.10</h3>
 
 <ul>
 <li>Fixed vulnerability in highlighting code (<b>very high severity, please update your installation as soon as possible</b>)</li>
@@ -83,7 +133,7 @@ p,ul,td {font-size:10pt;}
 <li>Added visual confirmation mod to code base</li>
 </ul>
 
-<a name="209"></a><h3 class="h3">l.iii. Changes since 2.0.9</h3>
+<a name="209"></a><h3 class="h3">l.vi. Changes since 2.0.9</h3>
 
 <ul>
 <li>Fixed deleting of styles in admin_styles.php</li>
@@ -96,7 +146,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed visual confirmation code. The image was not created due to a wrong regular expression.</li>
 </ul>
 
-<a name="208"></a><h3 class="h3">l.iv. Changes since 2.0.8</h3>
+<a name="208"></a><h3 class="h3">l.vii. Changes since 2.0.8</h3>
 
 <ul>
 <li>Fixed one vulnerability in admin_board.php - <b>Xore</b></li>
@@ -115,7 +165,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed problem with SID not delivered to next page in groupcp.php</li>
 </ul>
 
-<a name="207"></a><h3 class="h3">l.v. Changes since 2.0.7</h3>
+<a name="207"></a><h3 class="h3">l.viii. Changes since 2.0.7</h3>
 
 <ul>
 <li>Fixed several vulnerabilities in admin pages</li>
@@ -127,7 +177,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed sql injection vulnerability in privmsg - 2.0.8a</li>
 </ul>
 
-<a name="206"></a><h3 class="h3">1.vi. Changes since 2.0.6</h3>
+<a name="206"></a><h3 class="h3">1.ix. Changes since 2.0.6</h3>
 
 <ul>
 <li>Fixed several vulnerabilities in modcp - <b>Robert Lavierck</b></li>
@@ -141,7 +191,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed potential vulnerability in avatar gallery</li>
 </ul>
 
-<a name="205"></a><h3 class="h3">1.vii. Changes since 2.0.5</h3>
+<a name="205"></a><h3 class="h3">1.x. Changes since 2.0.5</h3>
 
 <ul>
 <li>Fixed various email issues</li>
@@ -157,7 +207,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed sql injection with reset date format field in profile - <b>tendor</b></li>
 </ul>
 
-<a name="204"></a><h3 class="h3">1.viii. Changes since 2.0.4</h3>
+<a name="204"></a><h3 class="h3">1.xi. Changes since 2.0.4</h3>
 
 <ul>
 <li>Removed user facing session_id checks</li>
@@ -229,7 +279,7 @@ p,ul,td {font-size:10pt;}
 <li>Default English support for visual confirmation - translators are encouraged to support this</li>
 </ul>
 
-<a name="203"></a><h3 class="h3">1.ix. Changes since 2.0.3</h3>
+<a name="203"></a><h3 class="h3">1.xii. Changes since 2.0.3</h3>
 
 <ul>
 <li>Fixed cross-browser scripting issue with highlight param</li>
@@ -356,7 +406,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed potential SQL vulnerability with marking of private messages - <b>Ulf Harnhammar</b></li>
 </ul>
 
-<a name="202"></a><h3 class="h3">1.x. Changes since 2.0.2</h3>
+<a name="202"></a><h3 class="h3">1.xiii. Changes since 2.0.2</h3>
 
 <ul>
 <li>Fixed potential cross-site scripting vulnerability with avatars - <b>Showscout</b></li>
@@ -365,7 +415,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed (hopefully) issue with MS Access and multiple pages</li>
 </ul>
 
-<a name="201"></a><h3 class="h3">1.xi. Changes since 2.0.1</h3>
+<a name="201"></a><h3 class="h3">1.xiv. Changes since 2.0.1</h3>
 
 <ul>
 <li>Fixed missing "username" lang variable in user admin template</li>
@@ -400,7 +450,7 @@ p,ul,td {font-size:10pt;}
 <li>Fix emailer to allow sending emails with language-specific character sets</li>
 </ul>
 
-<a name="200"></a><h3 class="h3">1.xii. Changes since 2.0.0</h3>
+<a name="200"></a><h3 class="h3">1.xv. Changes since 2.0.0</h3>
 
 <ul>
 <li>Fixed delete image bug for normal users</li>
@@ -457,7 +507,7 @@ p,ul,td {font-size:10pt;}
 <li>Added database closure to admin frameset page</li>
 </ul>
 
-<a name="final"></a><h3 class="h3">1.xiii. Changes since RC-4</h3>
+<a name="final"></a><h3 class="h3">1.xvi. Changes since RC-4</h3>
 
 <ul>
 <li>Fixed improper report of general error when posting messages containing errors</li>
@@ -487,7 +537,7 @@ p,ul,td {font-size:10pt;}
 <li>Fixed various remaining usergroup display issues</li>
 </ul>
 
-<a name="rc4"></a><h3 class="h3">1.xiv. Changes since RC-3</h3>
+<a name="rc4"></a><h3 class="h3">1.xvii. Changes since RC-3</h3>
 
 <ul>
 <li>Addressed serious security issue with included files</li>
@@ -518,7 +568,7 @@ p,ul,td {font-size:10pt;}
 <li>Fix (hopefully) remaining ICQ overlay issue with view profile in subSilver</li>
 </ul>
 
-<a name="rc3"></a><h3 class="h3">1.xv. Changes since RC-2</h3>
+<a name="rc3"></a><h3 class="h3">1.xviii. Changes since RC-2</h3>
 
 <ul>
 <li>Fixed infamous install parse error</li>
@@ -551,7 +601,7 @@ p,ul,td {font-size:10pt;}
 <li>Hidden usergroups are now completely hidden from view</li>
 </ul>
 
-<a name="rc2"></a><h3 class="h3">1.xvi. Changes since RC-1</h3>
+<a name="rc2"></a><h3 class="h3">1.xix. Changes since RC-1</h3>
 
 <ul>
 <li>Fixed numerous PostgreSQL related issues</li>
@@ -571,7 +621,7 @@ p,ul,td {font-size:10pt;}
 <li>Various other fixes and updates</li>
 </ul>
 
-<a name="rc1"></a><h3 class="h3">1.xvii. Changes since RC-1 (pre)</h3>
+<a name="rc1"></a><h3 class="h3">1.xx. Changes since RC-1 (pre)</h3>
 
 <ul>
 <li>Upgrade script completed for initial fully functional release</li>

phpBB/docs/INSTALL.html

@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html">
 <meta http-equiv="Content-Style-Type" content="text/css">
-<title>phpBB 2.0.12 :: Install</title>
+<title>phpBB 2.0.15 :: Install</title>
 <link rel="stylesheet" href="../templates/subSilver/subSilver.css" type="text/css">
 <style type="text/css">
 <!--
@@ -24,7 +24,7 @@ p,ul,td {font-size:10pt;}
 <table width="100%" border="0" cellspacing="0" cellpadding="0">
 	<tr>
 		<td><img src="../templates/subSilver/images/logo_phpBB.gif" border="0" alt="phpBB 2 : Creating Communities" vspace="1" /></a></td>
-		<td align="center" width="100%" valign="middle"><span class="maintitle">phpBB 2.0.12 INSTALL</span></td>
+		<td align="center" width="100%" valign="middle"><span class="maintitle">phpBB 2.0.15 INSTALL</span></td>
 	</tr>
 </table>
 
@@ -33,7 +33,7 @@ p,ul,td {font-size:10pt;}
 
 <p>Please note these instructions are not fully comprehensive, a more thorough userguide will be available on the phpBB website in the near future. However, this document will walk you through the basics on installing the forum software.</p>
 
-<p>A basic overview of running phpBB 2.0.12 can be found in the accompanying <a href="README.html">README</a> documentation. Please ensure you read that document in addition to this! For more detailed information on using phpBB 2 you should read <a href="http://www.phpbb.com/support/guide/" target="_new">Userguide</a> now available online.</p>
+<p>A basic overview of running phpBB 2.0.15 can be found in the accompanying <a href="README.html">README</a> documentation. Please ensure you read that document in addition to this! For more detailed information on using phpBB 2 you should read <a href="http://www.phpbb.com/support/guide/" target="_new">Userguide</a> now available online.</p>
 
 <ol>
 <li><a href="#quickinstall">Quick Install</a></li>
@@ -88,7 +88,7 @@ p,ul,td {font-size:10pt;}
 
 <a name="require"></a><h2 class="h2"><u>2. Requirements</u></h2>
 
-<p>Installation of phpBB 2.0.12 requires the following:</p>
+<p>Installation of phpBB2 requires the following:</p>
 <ul>
 <li>A webserver or web hosting account running on any major Operating System</li>
 <li>A SQL database system, <b>one of</b>:
@@ -99,7 +99,7 @@ p,ul,td {font-size:10pt;}
 		<li>MS Access (2000 or XP) via ODBC</li>
 	</ul>
 </li>
-<li>PHP (3.0.9 and above or preferably a recent 4.x) with support for the database you intend to use above</li>
+<li>PHP (4.0.3 and above) with support for the database you intend to use above</li>
 </ul>
 
 <p>If your server or hosting account does not meet the requirements above I am afraid phpBB 2.0 is not for you.</p>
@@ -186,23 +186,25 @@ p,ul,td {font-size:10pt;}
 
 <p><b>MySQL Users Please Note</b>: Changes introduced in 2.0.4 may increase the size of your database, more specifically the search_wordmatch table. There are other changes in that release which are designed to reduce the database size. However these additional changes may not apply to all types of forum (particularly non-English boards). While any increases will be relatively small compared to the overall database size it may be an issue for some users. In particular users on hosting plans which limit database size and where the database is near that limit.</p>
 
+<p><b>Please make sure you update your phpBB2 source files too, even if you run the update_to_latest.php file.</b></p>
+
 <a name="#upgradeSTABLE_full"></a><h3 class="h3">7.i. Full package</h3>
 
 <p>If you have downloaded the full package you should follow the same general upgrade path as for "<a href="#upgradeRC">Upgrade from previous Release Candidate versions of phpBB 2</a>". The exception to this being the need to switch or update styles. In addition there is generally little need to visit the admin panel (though it is adviseable).</p>
 
 <a name="#upgradeSTABLE_files"></a><h3 class="h3">7.ii. Changed files only</h3>
 
-<p>This package contains a number of archives, each contains the files changed from a given release to 2.0.12. You should select the appropriate archive for your current version, e.g. if you currently have 2.0.11 you should select the phpBB-2.0.11_to_2.0.12.zip/tar.gz file.</p>
+<p>This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 2.0.14 you should select the phpBB-2.0.14_to_2.0.15.zip/tar.gz file.</p>
 
 <p>The directory structure has been preserved enabling you (if you wish) to simply upload the contents of the archive to the appropriate location on your server, i.e. simply overwrite the existing files with the new versions. Do not forget that if you have installed any Mods these files will overwrite the originals possibly destroying them in the process. You will need to re-add Mods to any affected file before uploading.</p>
 
-<p>As for the other upgrade procedures you should run <b>install/update_to_latest.php</b> after you have finished updating the files. This will update your database schema and data (if appropriate) and increment the version number.</p>
+<p>As for the other upgrade procedures you should run <b>install/update_to_latest.php</b> after you have finished updating the files. This will update your database schema and increment the version number.</p>
 
 <a name="#upgradeSTABLE_patch"></a><h3 class="h3">7.iii. Patch file</h3>
 
 <p>The patch file is probably the best solution for those with many Mods or other changes who do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type <b>patch</b> application.</p>
 
-<p>A number of patch files are provided to allow you to upgrade from previous stable releases. Select the correct patch, e.g. if your current version is 2.0.11 you need the phpBB-2.0.11_to_2.0.12.patch. Place the correct patch in the parent directory containing the phpBB 2 core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <b>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</b> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB2, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>
+<p>A number of patch files are provided to allow you to upgrade from previous stable releases. Select the correct patch, e.g. if your current version is 2.0.14 you need the phpBB-2.0.14_to_2.0.15.patch. Place the correct patch in the parent directory containing the phpBB 2 core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <b>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</b> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB2, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>
 
 <p>If you do get failures you should look at using the <a href="#upgradeSTABLE_files">Changed files only</a> package to replace the files which failed to patch, please note that you will need to manually re-add any Mods to these particular files. Alternatively if you know how you can examine the .rej files to determine what failed where and make manual adjustments to the relevant source.</p>
 
@@ -214,7 +216,7 @@ p,ul,td {font-size:10pt;}
 
 <a name="postinstall"></a><h2 class="h2"><u>8. Important (security related) post-Install tasks for all installation methods</u></h2>
 
-<p>Once you have succssfully installed phpBB 2.0.12 you <b>MUST</b> ensure you remove the entire install/ and contrib/ directories. Leaving these in place is a <u>very serious potential security issue</u> which may lead to deletion or alteration of files, etc. Please note that until these directories are remove phpBB2 will not operate and a warning message will be displayed. Beyond these <b>essential</b> deletions you may also wish to delete the docs/ directories if you wish.</p>
+<p>Once you have succssfully installed phpBB 2.0.x you <b>MUST</b> ensure you remove the entire install/ and contrib/ directories. Leaving these in place is a <u>very serious potential security issue</u> which may lead to deletion or alteration of files, etc. Please note that until these directories are remove phpBB2 will not operate and a warning message will be displayed. Beyond these <b>essential</b> deletions you may also wish to delete the docs/ directories if you wish.</p>
 
 <p>With these directories deleted you should proceed to the administration panel. Depending on how the installation completed you may have been directed there automatically. If not, login as the administrator you specified during install/upgrade and click the "<b>Administration Panel</b>" link at the bottom of any page. Ensure that details specified in General -> Configuration are correct!</p>
 
@@ -232,7 +234,7 @@ p,ul,td {font-size:10pt;}
 
 <a name="safemode"></a><h3 class="h3">8.ii. Safe Mode</h3>
 
-<p>phpBB 2.0.12 includes support for using uploadable avatars on systems running PHP in safe mode. If this applies to your hosting service you will need to create a sub-directory called <u>tmp</u> in the directory you specified for storage of uploaded avatars (by default this is images/avatars as explained above). Give it the same access rights as for uploadable avatars above.</p>
+<p>phpBB 2.0.x includes support for using uploadable avatars on systems running PHP in safe mode. If this applies to your hosting service you will need to create a sub-directory called <u>tmp</u> in the directory you specified for storage of uploaded avatars (by default this is images/avatars as explained above). Give it the same access rights as for uploadable avatars above.</p>
 
 <p>This safe mode support includes compatibility with various directory restrictions your host may impose (assuming they are not too restrictive and that the PHP installed is version 4.0.3 or later). There is generally no need for any manual setup for safe mode support it is typically handled transparantly.</p>
 

phpBB/docs/README.html

@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html">
 <meta http-equiv="Content-Style-Type" content="text/css">
-<title>phpBB 2.0.12 :: Readme</title>
+<title>phpBB 2.0.15 :: Readme</title>
 <link rel="stylesheet" href="../templates/subSilver/subSilver.css" type="text/css" />
 <style type="text/css">
 <!--
@@ -24,7 +24,7 @@ p,ul,td {font-size:10pt;}
 <table width="100%" border="0" cellspacing="0" cellpadding="0">
 	<tr>
 		<td><img src="../templates/subSilver/images/logo_phpBB.gif" border="0" alt="phpBB 2 : Creating Communities" vspace="1" /></a></td>
-		<td align="center" width="100%" valign="middle"><span class="maintitle">phpBB 2.0.12 README</span></td>
+		<td align="center" width="100%" valign="middle"><span class="maintitle">phpBB 2.0.15 README</span></td>
 	</tr>
 </table>
 
@@ -84,7 +84,7 @@ p,ul,td {font-size:10pt;}
 
 <p>If your language is not available please visit our forums where you will find a topic listing translations currently available or in preparation. This topic also gives you information should you wish to volunteer to translate a language not currently listed</p>
 
-<p><b>Please note</b> that users who have upgraded to 2.0.12 from versions prior to RC-3 should will <b>need</b> to download new versions of the language/subSilver image packs. Any package downloaded prior to the availability of RC-3 will <b>not</b> function correctly with this version of phpBB 2.</p>
+<p><b>Please note</b> that users who have upgraded to the latest version from versions prior to RC-3 should will <b>need</b> to download new versions of the language/subSilver image packs. Any package downloaded prior to the availability of RC-3 will <b>not</b> function correctly with this version of phpBB 2.</p>
 
 <p>If you have upgraded from 2.0.0 and make use of non-English language packs you will benefit from downloading updated versions which will become available shortly. These introduce a number of strings which went missing from the first version plus a few updates and additions.</p>
 
@@ -116,7 +116,7 @@ p,ul,td {font-size:10pt;}
 
 <p>A comprehensive userguide is now available online and can be accessed from the following location:</p>
 
-<p><a href="http://www.phpbb.com/support/guide/" target="_new">http://www.phpbb.com/guide/phpBB_Users_Guide.html</a></p>
+<p><a href="http://www.phpbb.com/support/guide/" target="_new">http://www.phpbb.com/support/guide/</a></p>
 
 <p>This covers everything from installation through setting permissions and managing users.</p>
 
@@ -130,23 +130,19 @@ p,ul,td {font-size:10pt;}
 
 <a name="irc"></a><h3 class="h3">3.iii Internet Relay Chat</h3>
 
-<p>Another place you may find help is our IRC channel. This operates on the Openprojects IRC network, <b>irc.openprojects.net</b>  and the channel is <b>#phpbb</b> and can be accessed by any good IRC client such as mIRC, XChat, etc. Again, please do not abuse this service and be respectful of other users.</p>
+<p>Another place you may find help is our IRC channel. This operates on the Freenode IRC network, <b>irc.freenode.net</b>  and the channel is <b>#phpbb</b> and can be accessed by any good IRC client such as mIRC, XChat, etc. Again, please do not abuse this service and be respectful of other users.</p>
 
 <a name="status"></a><h2 class="h2"><u>4. Status of this version</u></h2>
 
-<p>This is the second stable release of phpBB 2. The 2.0.x line is essentially feature frozen, point releases will see only bugs and such like fixed. Our next major release will be phpBB 2.2 and work is progressing on this (the unstable development version is 2.1). Please do not post questions asking when 2.2 will be available, no release date has been set. Feel free to suggest new features for phpBB 2.2, we already have a number of improvements in mind and these can be viewed using our task tracker:</p>
+<p>This is the second stable release of phpBB 2. The 2.0.x line is essentially feature frozen, point releases will see only bugs and such like fixed. Our next major release will be phpBB 3.0 and work is progressing on this (the unstable development version is 2.1). Please do not post questions asking when 3.0 will be available, no release date has been set. phpBB 3.0 is now feature frozen, please feel free to suggest new features for phpBB 3.2 using our feature request tracker. We do not guarantee that all these will appear in 3.2 but we will do our best!:</p>
 
-<p><a href="http://sourceforge.net/pm/task.php?group_project_id=13524&group_id=7885&func=browse" target="_new">http://sourceforge.net/pm/task.php?group_project_id=13524&group_id=7885</a></p>
-
-<p>We do not guarantee that all these will appear in 2.2 but we will do our best! If your idea does not appear on this list please visit our feature request list:</p>
-
-<p><a href="http://sourceforge.net/tracker/?atid=357885&group_id=7885&func=browse" target="_new">http://sourceforge.net/tracker/?atid=357885&group_id=7885</a></p>
+<p><a href="http://sourceforge.net/tracker/?atid=580201&group_id=7885&func=browse" target="_new">http://sourceforge.net/tracker/?atid=580201&group_id=7885&func=browse</a></p>
 
 <p>Before submitting your idea please <b>ensure</b> you have read through the entries in that list. If your idea is similar to an existing one please feel free to add a comment to it. Please <b>do not</b> submit duplicate suggestions!</p>
 
-<p>For some suggestions we may ask for your feedback via our forums. For those interested in the development of phpBB 2.2 you should keep an eye on the community forums (particularly the Feature Discussion forum) where you may be able to influence the direction we take with certain new features. Finally you may like to visit our development forum to see how things are progressing:</p>
+<p>For some suggestions we may ask for your feedback via our forums. For those interested in the development of phpBB 3.0 you should keep an eye on the community forums (particularly the Feature Discussion forum) where you may be able to influence the direction we take with certain new features. Finally you may like to visit our development forum to see how things are progressing:</p>
 
-<p><a href="http://area51.phpbb.com/phpBB2/" target="_new">http://area51.phpbb.com/phpBB2/</a></p>
+<p><a href="http://area51.phpbb.com/phpBB/" target="_new">http://area51.phpbb.com/phpBB/</a></p>
 
 <p>Please note that this forum should <b>NOT</b> be used to obtain support for or ask questions about phpBB 2.0.x, the main community forums are the place for this. Any such posts will be locked and go unanswered.</p>
 
@@ -177,9 +173,9 @@ p,ul,td {font-size:10pt;}
 
 <a name="securitybugs"></a><h3 class="h3">5.i. Security related bugs</h3>
 
-<p>If you find a potential security related vulnerability in phpBB 2 please <b>DO NOT</b> post it to the bug tracker, public forums, mailing lists, etc.! Doing so may allow unscrupulous users to take advantage of it before we have time to put a fix in place. All security related bugs should be sent directly to one or more of the developers.</p>
+<p>If you find a potential security related vulnerability in phpBB 2 please <b>DO NOT</b> post it to the bug tracker, public forums, mailing lists, etc.! Doing so may allow unscrupulous users to take advantage of it before we have time to put a fix in place. All security related bugs should be sent to our security tracker:</p>
 
-<p>This can be done in one of three ways; email <a href="mailto:security&#64;phpbb.com">security&#64;phpbb.com</a> this is forwarded to all developers, PM one of the developers (see Developer usergroup list for usernames of all developers) or email them directly (either use their listed email address if available or username&#64;phpbb.com where username is their board username). If emailing or PM'ing developers individually please send the message to several and not just one. If you obtain no response in a reasonable timeframe (a day or two) try the other listed developers.</p>
+<p><a href="http://www.phpbb.com/security/" target="_new">http://www.phpbb.com/security/</a></p>
 
 <a name="curbugs"></a><h2 class="h2"><u>6. Overview of current bug list</u></h2>
 
@@ -191,16 +187,18 @@ p,ul,td {font-size:10pt;}
 <li>By default cannot post very large messages with MSSQL (this can be configured within MSSQL)</li>
 <li>Use of non-latin charsets with MSSQL may result in post data being cropped unexpectedly</li>
 <li>Upgrade may fail to complete on large boards under some hosts</li>
-<li>PHP 3 compatibility issues remain and we recommend you upgrade to PHP4 as soon as possible ( phpBB 2.0.x will be the last version to support PHP 3 )
+<li>Case-sensitivity on usernames and emails with PostgreSQL 7.x. A fix is provided by a user <a href="http://www.phpbb.com/kb/article.php?article_id=201" target="_new">within our knowledge base</a></li>
 </ul>
 
 <a name="php"></a><h2 class="h2"><u>7. PHP compatibility issues</u></h2>
 
+<p>phpBB is no longer supported on PHP3 due to several compatibility issues and we recommend that you upgrade to the  latest stable release of PHP4 to run phpBB.</p>
+
 <p>Please remember that running any application on a developmental version of PHP can lead to strange/unexpected results which may appear to be bugs in the application (which may not be true). Therefore we recommend you upgrade to the newest stable version of PHP before running phpBB 2. If you are running a developmental version of PHP please check any bugs you find on a system running a stable release before submitting.</p>
 
 <p>This board has been developed and tested under Linux and Windows (amongst others) running IIS and Apache using MySQL 3.23 and 4.0.0, MSSQL Server 2000, MS Access 2000 and XP and PostgreSQL 7.x. Versions of PHP used range from 4.0.6 to 4.3.8 without problem. There may be unconfirmed issues with PHP 4.0.1 including patch level releases. If you experience problems with phpBB and have this PHP version installed it is recommended you upgrade it before posting bug reports.</p>
 
-<p>With the recent release of the official version of PHP 5, people and hosts may be switching to the latest PHP version. At this moment, the phpBB Team does not officially support running phpBB on PHP 5, as phpBB2.0.x was not written with PHP 5 in mind. However, many users have reported using it sucessfully on PHP 5 having made a configuration change in PHP to enable support for the deprecated HTTP_*_VARS arrays which is turned off by default in new PHP 5 installations. The relevant configuration option is register_long_arrays and it is decribed in the PHP Manual. phpBB 2.0.x makes use of these arrays in order to maintain backwards compatibility with PHP 3.x and early versions of PHP 4.x which is part of the original specification.<br />
+<p>With the recent release of the official version of PHP 5, people and hosts may be switching to the latest PHP version. At this moment, the phpBB Team does not officially support running phpBB on PHP 5, as phpBB2.0.x was not written with PHP 5 in mind. However, many users have reported using it sucessfully on PHP 5 having made a configuration change in PHP to enable support for the deprecated HTTP_*_VARS arrays which is turned off by default in new PHP 5 installations. The relevant configuration option is register_long_arrays and it is decribed in the PHP Manual. phpBB 2.0.x makes use of these arrays in order to maintain backwards compatibility with early versions of PHP 4.x which is part of the original specification.<br />
 For this reason we do not support PHP 5 as platform for phpBB. It has been reported working, so you can try it. It's a risk you will be taking though.</p>
 
 <a name="phpsec"></a><h3 class="h3">7.i. Notice on PHP security issues</h3>

phpBB/groupcp.php

@@ -337,7 +337,7 @@ else if ( isset($HTTP_POST_VARS['unsub']) || isset($HTTP_POST_VARS['unsubpending
 				message_die(GENERAL_ERROR, 'Could not obtain moderator status', '', __LINE__, __FILE__, $sql);
 			}
 
-			if ( !($row = $db->sql_fetchrow($result)) )
+			if ( !($row = $db->sql_fetchrow($result)) || $row['is_auth_mod'] == 0 )
 			{
 				$sql = "UPDATE " . USERS_TABLE . " 
 					SET user_level = " . USER . " 

phpBB/includes/bbcode.php

@@ -124,6 +124,8 @@ function bbencode_second_pass($text, $uid)
 {
 	global $lang, $bbcode_tpl;
 
+	$text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1:", $text);
+
 	// pad it with a space so we can distinguish between FALSE and matching the 1st char (index 0).
 	// This is important; bbencode_quote(), bbencode_list(), and bbencode_code() all depend on it.
 	$text = " " . $text;
@@ -194,7 +196,7 @@ function bbencode_second_pass($text, $uid)
 
 	// [img]image_url_here[/img] code..
 	// This one gets first-passed..
-	$patterns[] = "#\[img:$uid\](.*?)\[/img:$uid\]#si";
+	$patterns[] = "#\[img:$uid\]([^?].*?)\[/img:$uid\]#i";
 	$replacements[] = $bbcode_tpl['img'];
 
 	// matches a [url]xxxx://www.phpbb.com[/url] code..
@@ -206,11 +208,11 @@ function bbencode_second_pass($text, $uid)
 	$replacements[] = $bbcode_tpl['url2'];
 
 	// [url=xxxx://www.phpbb.com]phpBB[/url] code..
-	$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
+	$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?].*?)\[/url\]#i";
 	$replacements[] = $bbcode_tpl['url3'];
 
 	// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
-	$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
+	$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?].*?)\[/url\]#i";
 	$replacements[] = $bbcode_tpl['url4'];
 
 	// [email]user@domain.tld[/email] code..
@@ -614,6 +616,7 @@ function bbencode_second_pass_code($text, $uid, $bbcode_tpl)
  */
 function make_clickable($text)
 {
+	$text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1&#058;", $text);
 
 	// pad it with a space so we can match things at the start of the 1st line.
 	$ret = ' ' . $text;

phpBB/includes/functions_selects.php

@@ -108,4 +108,4 @@ function tz_select($default, $select_name = 'timezone')
 	return $tz_select;
 }
 
-?>
+?>

phpBB/includes/page_header.php

@@ -35,7 +35,7 @@ if ( $board_config['gzip_compress'] )
 {
 	$phpver = phpversion();
 
-	$useragent = (isset($_SERVER["HTTP_USER_AGENT"]) ) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT;
+	$useragent = (isset($HTTP_SERVER_VARS['HTTP_USER_AGENT'])) ? $HTTP_SERVER_VARS['HTTP_USER_AGENT'] : getenv('HTTP_USER_AGENT');
 
 	if ( $phpver >= '4.0.4pl1' && ( strstr($useragent,'compatible') || strstr($useragent,'Gecko') ) )
 	{
@@ -466,7 +466,7 @@ else
 
 // Work around for "current" Apache 2 + PHP module which seems to not
 // cope with private cache control setting
-if (!empty($_SERVER['SERVER_SOFTWARE']) && strstr($_SERVER['SERVER_SOFTWARE'], 'Apache/2'))
+if (!empty($HTTP_SERVER_VARS['SERVER_SOFTWARE']) && strstr($HTTP_SERVER_VARS['SERVER_SOFTWARE'], 'Apache/2'))
 {
 	header ('Cache-Control: no-cache, pre-check=0, post-check=0');
 }

phpBB/includes/sessions.php

@@ -24,7 +24,7 @@
 // Adds/updates a new session to the database for the given userid.
 // Returns the new session ID on success.
 //
-function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_autologin = 0)
+function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_autologin = 0, $admin = 0)
 {
 	global $db, $board_config;
 	global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID;
@@ -53,6 +53,8 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 		$session_id = '';
 	}
 
+	$page_id = (int) $page_id;
+
 	$last_visit = 0;
 	$current_time = time();
 	$expiry_time = $current_time - $board_config['session_length'];
@@ -79,7 +81,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 			if ( isset($sessiondata['autologinid']) && $userdata['user_active'] )
 			{
 				// We have to login automagically
-				if( $sessiondata['autologinid'] == $auto_login_key )
+				if( $sessiondata['autologinid'] === $auto_login_key )
 				{
 					// autologinid matches password
 					$login = 1;
@@ -91,6 +93,11 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 					$login = 0; 
 					$enable_autologin = 0; 
 					$user_id = $userdata['user_id'] = ANONYMOUS;
+				
+					$sql = 'SELECT * FROM ' . USERS_TABLE . ' WHERE user_id = ' . ANONYMOUS;
+					$result = $db->sql_query($sql);
+					$userdata = $db->sql_fetchrow($result);
+					$db->sql_freeresult($result);
 				}
 			}
 			else
@@ -99,6 +106,11 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 				$login = 0;
 				$enable_autologin = 0;
 				$user_id = $userdata['user_id'] = ANONYMOUS;
+
+				$sql = 'SELECT * FROM ' . USERS_TABLE . ' WHERE user_id = ' . ANONYMOUS;
+				$result = $db->sql_query($sql);
+				$userdata = $db->sql_fetchrow($result);
+				$db->sql_freeresult($result);
 			}
 		}
 		else
@@ -143,16 +155,18 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 	// Create or update the session
 	//
 	$sql = "UPDATE " . SESSIONS_TABLE . "
-		SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
+		SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login, session_admin = $admin
 		WHERE session_id = '" . $session_id . "' 
 			AND session_ip = '$user_ip'";
 	if ( !$db->sql_query($sql) || !$db->sql_affectedrows() )
 	{
-		$session_id = md5(uniqid($user_ip));
+		list($sec, $usec) = explode(' ', microtime());
+		mt_srand((float) $sec + ((float) $usec * 100000));
+		$session_id = md5(uniqid(mt_rand(), true));
 
 		$sql = "INSERT INTO " . SESSIONS_TABLE . "
-			(session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
-			VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
+			(session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin)
+			VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin)";
 		if ( !$db->sql_query($sql) )
 		{
 			message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
@@ -163,17 +177,20 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 	{// ( $userdata['user_session_time'] > $expiry_time && $auto_create ) ? $userdata['user_lastvisit'] : ( 
 		$last_visit = ( $userdata['user_session_time'] > 0 ) ? $userdata['user_session_time'] : $current_time; 
 
-		$sql = "UPDATE " . USERS_TABLE . " 
-			SET user_session_time = $current_time, user_session_page = $page_id, user_lastvisit = $last_visit
-			WHERE user_id = $user_id";
-		if ( !$db->sql_query($sql) )
+		if (!$admin)
 		{
-			message_die(CRITICAL_ERROR, 'Error updating last visit time', '', __LINE__, __FILE__, $sql);
+			$sql = "UPDATE " . USERS_TABLE . " 
+				SET user_session_time = $current_time, user_session_page = $page_id, user_lastvisit = $last_visit
+				WHERE user_id = $user_id";
+			if ( !$db->sql_query($sql) )
+			{
+				message_die(CRITICAL_ERROR, 'Error updating last visit time', '', __LINE__, __FILE__, $sql);
+			}
 		}
 
 		$userdata['user_lastvisit'] = $last_visit;
 
-		$sessiondata['autologinid'] = ( $enable_autologin && $sessionmethod == SESSION_METHOD_COOKIE ) ? $auto_login_key : '';
+		$sessiondata['autologinid'] = (!$admin) ? (( $enable_autologin && $sessionmethod == SESSION_METHOD_COOKIE ) ? $auto_login_key : '') : $sessiondata['autologinid'];
 		$sessiondata['userid'] = $user_id;
 	}
 
@@ -184,6 +201,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 	$userdata['session_page'] = $page_id;
 	$userdata['session_start'] = $current_time;
 	$userdata['session_time'] = $current_time;
+	$userdata['session_admin'] = $admin;
 
 	setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
 	setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);
@@ -229,6 +247,8 @@ function session_pagestart($user_ip, $thispage_id)
 		$session_id = '';
 	}
 
+	$thispage_id = (int) $thispage_id;
+
 	//
 	// Does a session exist?
 	//
@@ -271,8 +291,11 @@ function session_pagestart($user_ip, $thispage_id)
 				//
 				if ( $current_time - $userdata['session_time'] > 60 )
 				{
+					// A little trick to reset session_admin on session re-usage
+					$update_admin = (!defined('IN_ADMIN') && $current_time - $userdata['session_time'] > ($board_config['session_length']+60)) ? ', session_admin = 0' : '';
+
 					$sql = "UPDATE " . SESSIONS_TABLE . " 
-						SET session_time = $current_time, session_page = $thispage_id 
+						SET session_time = $current_time, session_page = $thispage_id$update_admin
 						WHERE session_id = '" . $userdata['session_id'] . "'";
 					if ( !$db->sql_query($sql) )
 					{
@@ -282,7 +305,7 @@ function session_pagestart($user_ip, $thispage_id)
 					if ( $userdata['user_id'] != ANONYMOUS )
 					{
 						$sql = "UPDATE " . USERS_TABLE . " 
-							SET user_session_time = $current_time, user_session_page = $thispage_id 
+							SET user_session_time = $current_time, user_session_page = $thispage_id
 							WHERE user_id = " . $userdata['user_id'];
 						if ( !$db->sql_query($sql) )
 						{
@@ -294,6 +317,7 @@ function session_pagestart($user_ip, $thispage_id)
 					// Delete expired sessions
 					//
 					$expiry_time = $current_time - $board_config['session_length'];
+
 					$sql = "DELETE FROM " . SESSIONS_TABLE . " 
 						WHERE session_time < $expiry_time 
 							AND session_id <> '$session_id'";

phpBB/includes/smtp.php

@@ -106,7 +106,7 @@ function smtpmail($mail_to, $subject, $message, $headers = '')
 
 	// Ok we have error checked as much as we can to this point let's get on
 	// it already.
-	if( !$socket = fsockopen($board_config['smtp_host'], 25, $errno, $errstr, 20) )
+	if( !$socket = @fsockopen($board_config['smtp_host'], 25, $errno, $errstr, 20) )
 	{
 		message_die(GENERAL_ERROR, "Could not connect to smtp host : $errno : $errstr", "", __LINE__, __FILE__);
 	}

phpBB/includes/template.php

@@ -475,4 +475,4 @@ class Template {
 
 }
 
-?>
+?>

phpBB/includes/topic_review.php

@@ -225,4 +225,4 @@ function topic_review($topic_id, $is_inline_review)
 	}
 }
 
-?>
+?>

phpBB/includes/usercp_register.php

@@ -409,9 +409,9 @@ if ( isset($HTTP_POST_VARS['submit']) )
 			// Error is already triggered, since one field is empty.
 			$error = TRUE;
 		}
-		else if ( $username != $userdata['username'] || $mode == 'register' )
+		else if ( $username != $userdata['username'] || $mode == 'register')
 		{
-			if (strtolower($username) != strtolower($userdata['username']))
+			if (strtolower($username) != strtolower($userdata['username']) || $mode == 'register')
 			{
 				$result = validate_username($username);
 				if ( $result['error'] )

phpBB/includes/usercp_viewprofile.php

@@ -33,6 +33,11 @@ if ( empty($HTTP_GET_VARS[POST_USERS_URL]) || $HTTP_GET_VARS[POST_USERS_URL] ==
 }
 $profiledata = get_userdata($HTTP_GET_VARS[POST_USERS_URL]);
 
+if (!$profiledata)
+{
+	message_die(GENERAL_MESSAGE, $lang['No_user_id_specified']);
+}
+
 $sql = "SELECT *
 	FROM " . RANKS_TABLE . "
 	ORDER BY rank_special, rank_min";

phpBB/install/install.php

@@ -225,6 +225,23 @@ function guess_lang()
 error_reporting  (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
 set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
 
+// PHP5 with register_long_arrays off?
+if (!isset($HTTP_POST_VARS) && isset($_POST))
+{
+	$HTTP_POST_VARS = $_POST;
+	$HTTP_GET_VARS = $_GET;
+	$HTTP_SERVER_VARS = $_SERVER;
+	$HTTP_COOKIE_VARS = $_COOKIE;
+	$HTTP_ENV_VARS = $_ENV;
+	$HTTP_POST_FILES = $_FILES;
+
+	// _SESSION is the only superglobal which is conditionally set
+	if (isset($_SESSION))
+	{
+		$HTTP_SESSION_VARS = $_SESSION;
+	}
+}
+
 // Slash data if it isn't slashed
 if (!get_magic_quotes_gpc())
 {

phpBB/install/schemas/mssql_basic.sql

@@ -69,7 +69,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.yourdomain.tld');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.12');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.15');
 
 /*
   -- Categories
@@ -91,7 +91,7 @@ INSERT INTO phpbb_forums (forum_id, cat_id, forum_name, forum_desc, forum_status
   Default Admin --> username: admin
                     password: admin (change this or remove it once everything is working!)
 */
-INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( -1, 'Anonymous', 0, 0, '', '', '', '', '', '', '', '', 0, NULL, '', '', '', 0, 0, 1, 0, 1, 0, 1, 1, NULL, '', '', 0, '', '', '', 0, 0);
+INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( -1, 'Anonymous', 0, 0, '', '', '', '', '', '', '', '', 0, NULL, '', '', '', 0, 0, 1, 1, 1, 0, 1, 1, NULL, '', '', 0, '', '', '', 0, 0);
 INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_popup_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( 2, 'Admin', 1, 0, '21232f297a57a5a743894a0e4a801fc3', 'admin@yourdomain.com', '', '', '', '', '', '', 1, 1, '', '', '', 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, '', 'english', 0, 'd M Y h:i a', '', '', 0, 1);
 
 

phpBB/install/schemas/mssql_schema.sql

@@ -190,7 +190,8 @@ CREATE TABLE [phpbb_sessions] (
 	[session_time] [int] NULL ,
 	[session_ip] [char] (8) NOT NULL ,
 	[session_page] [int] NULL ,
-	[session_logged_in] [smallint] NULL
+	[session_logged_in] [smallint] NULL,
+	[session_admin] [smallint] NULL
 ) ON [PRIMARY]
 GO
 

phpBB/install/schemas/mysql_basic.sql

@@ -62,7 +62,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.myserver.tld');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.12');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.15');
 
 
 # -- Categories
@@ -74,7 +74,7 @@ INSERT INTO phpbb_forums (forum_id, forum_name, forum_desc, cat_id, forum_order,
 
 
 # -- Users
-INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( -1, 'Anonymous', 0, 0, '', '', '', '', '', '', '', '', 0, NULL, '', '', '', 0, 0, 1, 0, 1, 0, 1, 1, NULL, '', '', 0, '', '', '', 0, 0);
+INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( -1, 'Anonymous', 0, 0, '', '', '', '', '', '', '', '', 0, NULL, '', '', '', 0, 0, 1, 1, 1, 0, 1, 1, NULL, '', '', 0, '', '', '', 0, 0);
 
 # -- username: admin    password: admin (change this or remove it once everything is working!)
 INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_popup_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( 2, 'Admin', 1, 0, '21232f297a57a5a743894a0e4a801fc3', 'admin@yourdomain.com', '', '', '', '', '', '', 1, 1, '', '', '', 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, '', 'english', 0, 'd M Y h:i a', '', '', 0, 1);

phpBB/install/schemas/mysql_schema.sql

@@ -305,6 +305,7 @@ CREATE TABLE phpbb_sessions (
    session_ip char(8) DEFAULT '0' NOT NULL,
    session_page int(11) DEFAULT '0' NOT NULL,
    session_logged_in tinyint(1) DEFAULT '0' NOT NULL,
+   session_admin tinyint(2) DEFAULT '0' NOT NULL,
    PRIMARY KEY (session_id),
    KEY session_user_id (session_user_id),
    KEY session_id_ip_user_id (session_id, session_ip, session_user_id)

phpBB/install/schemas/postgres_basic.sql

@@ -63,7 +63,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.yourdomain.tld');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.12');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.15');
 
 -- Categories
 INSERT INTO phpbb_categories (cat_id, cat_title, cat_order) VALUES (1, 'Test category 1', 10);
@@ -73,7 +73,7 @@ INSERT INTO phpbb_categories (cat_id, cat_title, cat_order) VALUES (1, 'Test cat
 INSERT INTO phpbb_forums (forum_id, forum_name, forum_desc, cat_id, forum_order, forum_posts, forum_topics, forum_last_post_id, auth_view, auth_read, auth_post, auth_reply, auth_edit, auth_delete, auth_announce, auth_sticky, auth_pollcreate, auth_vote, auth_attachments) VALUES (1, 'Test Forum 1', 'This is just a test forum.', 1, 10, 1, 1, 1, 0, 0, 0, 0, 1, 1, 3, 3, 1, 1, 3);
 
 -- Users
-INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( -1, 'Anonymous', 0, 0, '', '', '', '', '', '', '', '', 0, NULL, '', '', '', 0, 0, 1, 0, 1, 0, 1, 1, NULL, '', '', 0, '', '', '', 0, 0);
+INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( -1, 'Anonymous', 0, 0, '', '', '', '', '', '', '', '', 0, NULL, '', '', '', 0, 0, 1, 1, 1, 0, 1, 1, NULL, '', '', 0, '', '', '', 0, 0);
 
 -- username: admin    password: admin (change this or remove it once everything is working!)
 INSERT INTO phpbb_users (user_id, username, user_level, user_regdate, user_password, user_email, user_icq, user_website, user_occ, user_from, user_interests, user_sig, user_viewemail, user_style, user_aim, user_yim, user_msnm, user_posts, user_attachsig, user_allowsmile, user_allowhtml, user_allowbbcode, user_allow_pm, user_notify_pm, user_popup_pm, user_allow_viewonline, user_rank, user_avatar, user_lang, user_timezone, user_dateformat, user_actkey, user_newpasswd, user_notify, user_active) VALUES ( 2, 'Admin', 1, 0, '21232f297a57a5a743894a0e4a801fc3', 'admin@yourdomain.com', '', '', '', '', '', '', 1, 1, '', '', '', 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, '', 'english', 0, 'd M Y h:i a', '', '', 0, 1);

phpBB/install/schemas/postgres_schema.sql

@@ -289,6 +289,7 @@ CREATE TABLE phpbb_sessions (
    session_ip char(8) DEFAULT '0' NOT NULL,
    session_page int4 DEFAULT '0' NOT NULL,
    session_logged_in int2 DEFAULT '0' NOT NULL,
+   session_admin int2 DEFAULT '0' NOT NULL,
    CONSTRAINT phpbb_session_pkey PRIMARY KEY (session_id)
 );
 CREATE INDEX session_user_id_phpbb_sessions_index ON phpbb_sessions (session_user_id);

phpBB/install/update_to_latest.php

@@ -59,7 +59,7 @@ include($phpbb_root_path . 'includes/db.'.$phpEx);
 //
 //
 //
-$updates_to_version = '.0.12';
+$updates_to_version = '.0.15';
 //
 //
 //
@@ -420,6 +420,8 @@ switch ($row['config_value'])
 			
 		}
 
+	case '.0.2':
+
 	case '.0.3':
 
 		switch (SQL_LAYER)
@@ -513,6 +515,45 @@ switch ($row['config_value'])
 				break;
 		}
 
+	case '.0.5':
+	case '.0.6':
+	case '.0.7':
+	case '.0.8':
+	case '.0.9':
+	case '.0.10':
+	case '.0.11':
+	case '.0.12':
+	case '.0.13':
+	case '.0.14':
+
+		switch (SQL_LAYER)
+		{
+			case 'mysql':
+			case 'mysql4':
+				$sql[] = "ALTER TABLE " . SESSIONS_TABLE . "
+					ADD COLUMN session_admin tinyint(2) DEFAULT '0' NOT NULL";
+				break;
+
+			case 'postgresql':
+				$sql[] = "ALTER TABLE " . SESSIONS_TABLE . "
+					ADD COLUMN session_admin int2";
+				$sql[] = "ALTER TABLE " . SESSIONS_TABLE . "
+					ALTER COLUMN session_admin SET DEFAULT '0'";
+				break;
+
+			case 'mssql-odbc':
+			case 'mssql':
+				$sql[] = "ALTER TABLE " . SESSIONS_TABLE . " ADD
+					session_admin smallint NOT NULL,
+					CONSTRAINT [DF_" . $table_prefix . "sessions_session_admin] DEFAULT (0) FOR [session_admin]";
+				break;
+
+			case 'msaccess':
+				$sql[] = "ALTER TABLE " . SESSIONS_TABLE . " ADD
+					session_admin smallint NOT NULL";
+				break;
+		}
+
 		break;
 }
 
@@ -900,6 +941,23 @@ switch ($row['config_value'])
 		}
 		$db->sql_freeresult($result);
 		
+	case '.0.6':
+	case '.0.7':
+	case '.0.8':
+	case '.0.9':
+	case '.0.10':
+	case '.0.11':
+	case '.0.12':
+	case '.0.13':
+	case '.0.14':
+
+		$sql = 'UPDATE ' . USERS_TABLE . ' SET user_allowhtml = 1 WHERE user_id = ' . ANONYMOUS;
+		_sql($sql, $errored, $error_ary);
+
+		// We reset those having autologin enabled and forcing the re-assignment of a session id
+		$sql = 'DELETE FROM ' . SESSIONS_TABLE;
+		_sql($sql, $errored, $error_ary);
+
 		break;
 
 	default:

phpBB/language/lang_english/lang_main.php

@@ -1018,6 +1018,8 @@ $lang['Critical_Error'] = 'Critical Error';
 $lang['An_error_occured'] = 'An Error Occurred';
 $lang['A_critical_error'] = 'A Critical Error Occurred';
 
+$lang['Admin_reauthenticate'] = 'To administer the board you must re-authenticate yourself.';
+
 //
 // That's all, Folks!
 // -------------------------------------------------

phpBB/login.php

@@ -52,7 +52,7 @@ else
 
 if( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($HTTP_POST_VARS['logout']) || isset($HTTP_GET_VARS['logout']) )
 {
-	if( ( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) ) && !$userdata['session_logged_in'] )
+	if( ( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) ) && (!$userdata['session_logged_in'] || isset($HTTP_POST_VARS['admin'])) )
 	{
 		$username = isset($HTTP_POST_VARS['username']) ? phpbb_clean_username($HTTP_POST_VARS['username']) : '';
 		$password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : '';
@@ -77,7 +77,8 @@ if( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($
 				{
 					$autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;
 
-					$session_id = session_begin($row['user_id'], $user_ip, PAGE_INDEX, FALSE, $autologin);
+					$admin = (isset($HTTP_POST_VARS['admin'])) ? 1 : 0;
+					$session_id = session_begin($row['user_id'], $user_ip, PAGE_INDEX, FALSE, $autologin, $admin);
 
 					if( $session_id )
 					{
@@ -158,7 +159,7 @@ else
 	// Do a full login page dohickey if
 	// user not already logged in
 	//
-	if( !$userdata['session_logged_in'] )
+	if( !$userdata['session_logged_in'] || (isset($HTTP_GET_VARS['admin']) && $userdata['session_logged_in'] && $userdata['user_level'] == ADMIN))
 	{
 		$page_title = $lang['Login'];
 		include($phpbb_root_path . 'includes/page_header.'.$phpEx);
@@ -207,12 +208,13 @@ else
 		$username = ( $userdata['user_id'] != ANONYMOUS ) ? $userdata['username'] : '';
 
 		$s_hidden_fields = '<input type="hidden" name="redirect" value="' . $forward_page . '" />';
+		$s_hidden_fields .= (isset($HTTP_GET_VARS['admin'])) ? '<input type="hidden" name="admin" value="1" />' : '';
 
 		make_jumpbox('viewforum.'.$phpEx, $forum_id);
 		$template->assign_vars(array(
 			'USERNAME' => $username,
 
-			'L_ENTER_PASSWORD' => $lang['Enter_password'],
+			'L_ENTER_PASSWORD' => (isset($HTTP_GET_VARS['admin'])) ? $lang['Admin_reauthenticate'] : $lang['Enter_password'],
 			'L_SEND_PASSWORD' => $lang['Forgotten_password'],
 
 			'U_SEND_PASSWORD' => append_sid("profile.$phpEx?mode=sendpassword"),

phpBB/modcp.php

@@ -131,6 +131,11 @@ if ( !empty($topic_id) )
 	}
 	$topic_row = $db->sql_fetchrow($result);
 
+	if (!$topic_row)
+	{
+		message_die(GENERAL_MESSAGE, 'Topic_post_not_exist');
+	}
+
 	$forum_topics = ( $topic_row['forum_topics'] == 0 ) ? 1 : $topic_row['forum_topics'];
 	$forum_id = $topic_row['forum_id'];
 	$forum_name = $topic_row['forum_name'];
@@ -146,6 +151,11 @@ else if ( !empty($forum_id) )
 	}
 	$topic_row = $db->sql_fetchrow($result);
 
+	if (!$topic_row)
+	{
+		message_die(GENERAL_MESSAGE, 'Forum_not_exist');
+	}
+
 	$forum_topics = ( $topic_row['forum_topics'] == 0 ) ? 1 : $topic_row['forum_topics'];
 	$forum_name = $topic_row['forum_name'];
 }

phpBB/posting.php

@@ -1105,4 +1105,4 @@ $template->pparse('body');
 
 include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
 
-?>
+?>

phpBB/privmsg.php

@@ -563,9 +563,9 @@ else if ( $mode == 'read' )
 	// If the board has HTML off but the post has HTML
 	// on then we process it, else leave it alone
 	//
-	if ( !$board_config['allow_html'] )
+	if ( !$board_config['allow_html'] || !$userdata['user_allowhtml'])
 	{
-		if ( $user_sig != '' && $privmsg['privmsgs_enable_sig'] && $userdata['user_allowhtml'] )
+		if ( $user_sig != '')
 		{
 			$user_sig = preg_replace('#(<)([\/]?.*?)(>)#is', "&lt;\\2&gt;", $user_sig);
 		}
@@ -1528,9 +1528,9 @@ else if ( $submit || $refresh || $mode != '' )
 		//
 		// Finalise processing as per viewtopic
 		//
-		if ( !$html_on )
+		if ( !$html_on || !$board_config['allow_html'] || !$userdata['user_allowhtml'] )
 		{
-			if ( $user_sig != '' || !$userdata['user_allowhtml'] )
+			if ( $user_sig != '' )
 			{
 				$user_sig = preg_replace('#(<)([\/]?.*?)(>)#is', "&lt;\\2&gt;", $user_sig);
 			}
@@ -2153,4 +2153,4 @@ $template->pparse('body');
 
 include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
 
-?>
+?>

phpBB/search.php

@@ -197,6 +197,11 @@ else if ( $search_keywords != '' || $search_author != '' || $search_id )
 			}
 			else
 			{
+				if (preg_match('#^[\*%]+$#', trim($search_author)) || preg_match('#^[^\*]{1,2}$#', str_replace(array('*', '%'), '', trim($search_author))))
+				{
+					$search_author = '';
+				}
+
 				$search_author = str_replace('*', '%', trim($search_author));
 				
 				$sql = "SELECT user_id
@@ -264,6 +269,12 @@ else if ( $search_keywords != '' || $search_author != '' || $search_id )
 
 			for($i = 0; $i < count($split_search); $i++)
 			{
+				if (preg_match('#^[\*%]+$#', trim($split_search[$i])) || preg_match('#^[^\*]{1,2}$#', str_replace(array('*', '%'), '', trim($split_search[$i]))))
+				{
+					$split_search[$i] = '';
+					continue;
+				}
+
 				switch ( $split_search[$i] )
 				{
 					case 'and':
@@ -407,6 +418,11 @@ else if ( $search_keywords != '' || $search_author != '' || $search_id )
 		//
 		if ( $search_author != '' )
 		{
+			if (preg_match('#^[\*%]+$#', trim($search_author)) || preg_match('#^[^\*]{1,2}$#', str_replace(array('*', '%'), '', trim($search_author))))
+			{
+				$search_author = '';
+			}
+
 			$search_author = str_replace('*', '%', trim(str_replace("\'", "''", $search_author)));
 		}
 

phpBB/templates/subSilver/login_body.tpl

@@ -19,13 +19,13 @@
 		  <tr> 
 			<td width="45%" align="right"><span class="gen">{L_USERNAME}:</span></td>
 			<td> 
-			  <input type="text" name="username" size="25" maxlength="40" value="{USERNAME}" />
+			  <input type="text" class="post" name="username" size="25" maxlength="40" value="{USERNAME}" />
 			</td>
 		  </tr>
 		  <tr> 
 			<td align="right"><span class="gen">{L_PASSWORD}:</span></td>
 			<td> 
-			  <input type="password" name="password" size="25" maxlength="32" />
+			  <input type="password" class="post" name="password" size="25" maxlength="32" />
 			</td>
 		  </tr>
 		  <tr align="center"> 

phpBB/viewonline.php

@@ -286,4 +286,4 @@ $template->pparse('body');
 
 include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
 
-?>
+?>

phpBB/viewtopic.php

@@ -1049,9 +1049,9 @@ for($i = 0; $i < $total_posts; $i++)
 	// If the board has HTML off but the post has HTML
 	// on then we process it, else leave it alone
 	//
-	if ( !$board_config['allow_html'] )
+	if ( !$board_config['allow_html'] || !$userdata['user_allowhtml'])
 	{
-		if ( $user_sig != '' && $userdata['user_allowhtml'] )
+		if ( $user_sig != '' )
 		{
 			$user_sig = preg_replace('#(<)([\/]?.*?)(>)#is', "&lt;\\2&gt;", $user_sig);
 		}
@@ -1107,7 +1107,7 @@ for($i = 0; $i < $total_posts; $i++)
 	{
 		// This was shamelessly 'borrowed' from volker at multiartstudio dot de
 		// via php.net's annotated manual
-		$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
+		$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', $highlight_match) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
 	}
 
 	//
@@ -1119,10 +1119,10 @@ for($i = 0; $i < $total_posts; $i++)
 
 		if ($user_sig != '')
 		{
-			$user_sig = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace(\$orig_word, \$replacement_word, '\\0')", '>' . $user_sig . '<'), 1, -1));
+			$user_sig = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace(\$orig_word, \$replacement_word, '\\0')", '>' . $user_sig . '<'), 1, -1));
 		}
 
-		$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace(\$orig_word, \$replacement_word, '\\0')", '>' . $message . '<'), 1, -1));
+		$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace(\$orig_word, \$replacement_word, '\\0')", '>' . $message . '<'), 1, -1));
 	}
 
 	//
@@ -1213,4 +1213,4 @@ $template->pparse('body');
 
 include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
 
-?>
+?>