phpBB Academy at StarTrekGuide

[stitch626]

Subject: phpBB3 Release Candidate 7 (RC7) released

Hello,

We are very pleased to announce the availability of the phpBB3 RC7 package, the "We are sorry and love our support team" edition. This release fixes some critical issues which arised with the recently released Release Candidate 6, basically fixing some bbcode problems as well as missing form tokens. On the downloads page we provide two update packages this time, one for going from RC5 to RC7 and one for going from RC6 to RC7.

This release is mostly the outcome of an external security audit performed by SektionEins. All items tagged as [Sec] were found by the company doing the audit and revealed some fundamental problems we were able to fix. We are proud that the audit revealed no sql injection vulnerability or critical command execution vulnerabilities.

For release candidates full support is given, allowing language packs as well as modifications and styles. We only give support to those having a clean RC installation or updates from previous release candidates. Previous conversions or updates from betas will not be supported here. We encourage only those running the release candidates wanting to test out the new version, it is still recommended to wait for the full release; after all this is a release candidate.
Please also note that we urge you to update - we only support the latest version. Bug reports submitted for previous releases will be closed as well as only the latest version being supported here.

RC6/RC7 has seen some improvements as well as fixing some security issues. Some important fixes are:

• [Fix] Further fixing user profile view (please do not forget to update/refresh your template and style) (Bug #14230)
• [Fix] Adjust google adsense bot information (Bug #14296)
• [Fix] Fix horizontal scrollbar problem in IE6 (Bug #14228) - fix provided by Danny-dev
• [Fix] Correctly set user style for guest user (able to be changed within user management)
• [Change] Moved note about dns_get_record function for using GTalk (Jabber) from Jabber log to Jabber ACP panel
• [Fix] Do not use register_shutdown_function within cron.php if handling the queue and the mail function being used (Bug #14321)
• [Fix] Fixing private message on-hold code if moving messages into folder based on rules (Bug #14309)
• [Fix] Allow the merge selection screen to work (Bug #14363)
• [Change] Require additional permissions for copying permission when editing forums
• [Fix] Local magic URLs no longer get an additional trailing slash (Bug #14362)
• [Fix] Do not let the cron script stale for one hour if register_shutdown_function is not able to be called (Bug #14436)
• [Feature] Added /includes/db/db_tools.php file, which includes tools for handling cross-db actions such as altering columns, etc.
• [Fix] Fixed token handling in jabber class for extremely spec-compliant XMPP server (Bug #14445)
• [Change] Listing the board url within the email text instead of appending it to the subject (Bug #14378)
• [Fix] Use correct dimension (width x height) in ACP (Bug #14452)
• [Feature] Added completely new hook system to allow better application/mod integration - see docs/hook_system.html
• [Fix] Fixing google cache display problems with Firefox (Bug #14472) - patch provided by Raimon
• [Change] Allow years in future be selected for date custom profile field (Bug #14519)
• [Feature] Added an option to enforce that users spend a configurable amount of time on the terms page during registration
• [Sec] Fixing possible XSS through compromised WHOIS server (#i63, #i64)
• [Sec] Missing access control on whois in viewonline.php (#i51)
• [Sec] Encoding some variables within user::page array correctly (to cope with browser not doing it correctly) to prevent XSS through functions re-using them (#i61)
• [Sec] Fixed XSS through memberlist search feature (#i62)
• [Sec] Fixed XSS through colour swatch (#i65)
• [Sec] Fixed insecure attachment deletion (#i53)
• [Sec] Only allow whitelisted protocols in meta_redirect/redirect (#i66)
• [Sec] Check file names to be written in language management panel (#i52)
• [Sec] Deregister globals if ini_get has been disabled (#i112)
• [Sec] Added form tokens to most forms to enforce a lighter variant of CSRF protection (#i91 - #i96)
• [Sec] Use new password hash method for forum passwords (#i43)
• [Sec] Changed download file location to prevent flash crossdomain policies taking effect (#i8)
• [Sec] Do not allow autocompletion for password on admin re-authentication (#i41)
• [Sec] Made sure users are not completely locked out if they have a GLOBALS cookie (#i101)
• [Sec] Use the secure hash to generate BBCODE_UIDs (#i71)
• [Sec] Increase the length of BBCODE_UIDs (#i72)
• [Sec] New password hashing mechanism for storing passwords (#i42)

Please refer to the changelog for a complete list of fixes since RC5:

http://www.phpbb.com/support/documents. ... &version=3

A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it. If you want to be on the safe side we suggest still waiting for later releases before you fully convert your 2.0.x installation.

Important

Due to the password storage mechanism changed, you will not be able to log in to your board if you try to use the updated database with files prior to RC6.

Minimum Requirements

phpBB3 has a few requirements which must be met before you are able to install and use it.

• A webserver or web hosting account running on any major Operating System with support for PHP
• A SQL database system, one of:
  
  • MySQL 3.23 or above (MySQLi supported)
  • PostgreSQL 7.3+
  • SQLite 2.8.2+
  • Firebird 2.0+
  • MS SQL Server 2000 or above (directly or via ODBC)
  • Oracle
• PHP 4.3.3+ (>=4.3.3, >4.4.x, >5.x.x, >6.0-dev (compatible)) with support for the database you intend to use.
• getimagesize() function need to be enabled
• These optional presence of the following modules within PHP will provide access to additional features, but they are not required.
  
  • zlib Compression support
  • Remote FTP support
  • XML support
  • Imagemagick support
  • GD Support

The presence of each of these optional modules will be checked during the installation process.

Security

Security issues found should be reported to our security tracker in the usual way.

Available packages

If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the "changed files only" or "patch" method for updating.

With this release, there are four packages available.

• Full Package
  Contains entire phpBB3 source and english language files.
• Changed Files Only
  Contains only those files changed from previous versions of phpBB3. Please note this archive contains changed files for each previous release.
• Patch Files
  Contains patch compatible patches from previous versions of phpBB3.
• Automatic Update Package
  Update package for the automatic updater, containing the changes from previous release to this release.

Select whichever package is most suitable for you.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!.

The automatic update package does not include the file includes/utf/data/recode_cjk.php. If you use a SJIS encoding or a variant you should replace this file manually with the version included within the full package.

Download/Documentation

• phpBB Downloads
• phpBB3 development section
• phpBB3 Documentation
• phpBB3 support forum
• phpBB3 bug tracker
• phpBB3 Coding Guidelines
• phpBB3 Sourcecode Documentation

Have fun with the release,
the phpBB Team

[Petester]

Exactly what is the difference between RC6 and RC7?
(its only one day...)

[Sniper_E]

A lot of fixes were quickly made in RC7 which they found at the last minute in RC6.
In RC6 I found you couldn't edit the Ranks, reported it and they fixed it right then.

Now with RC7 the only problem I can find is that it want let you remember your password.
So, auto login want happen when you go to your server. Should this be reported?

New database, Fresh install, This "remember password" is broken in all styles.

There is a <!-- IF S_AUTOLOGIN_ENABLED --> in that section of the page but I didn't see where
you would enable that function in the ACP. Is there a place in the ACP and that's my problem?

[Petester]

Darn them!Kill this suspense and just release the gold! (jk)

So.. does it worth to let me get on RC7?

[Shadow of Wishes Mark]

I've tried to integrate the "I forgot my password" from RC5, but there was a big general error showing up. I guess that they forgot to put this feature back on RC7...or NOT....?!

[jdh]

I've tried to integrate the "I forgot my password" from RC5, but there was a big general error showing up. I guess that they forgot to put this feature back on RC7...or NOT....?!

I honestly doubt they would take is away....

[bbrian017]

meh meh meh

[Ladysarajane]

To upgrade to RC7 or not to upgrade....That is the question!!!!

I spent all day yesterday, fixing the RC6 upgrade. I have my forum running, mostly except for a personalized style......Now do I chance the update to RC7 or not?

[bbrian017]

To upgrade to RC7 or not to upgrade....That is the question!!!!

I spent all day yesterday, fixing the RC6 upgrade. I have my forum running, mostly except for a personalized style......Now do I chance the update to RC7 or not?

Update to RC7 was solid for me so I say yeah go ahead and give it a try

[Dace]

be careful ! RC7 automatic update package has been updated ! see Acyd burn last reply in RC7 post !