Topic: PunBB 1.2.6

I'm pleased to announce the release of PunBB 1.2.6. This time around, a large number of minor bugs have been fixed. In addition, one or two rather serious vulnerabilities and a number of not-so-serious security concerns have been dealt with. As usual, it is recommended that everyone update to 1.2.6 as soon as possible. Download archives, patches and other things related to the release can be found on the downloads page.

One change in 1.2.6 worth mentioning is changeset 208. What this does is to force files included from templates via the pun_include directive to be in a particular directory. The directory is include/user/. If you've been using pun_include in 1.2.5 or earlier, you will need to make sure that the directory exists and to move all/any included scripts into that directory. If your files are located outside the PunBB directory tree, I recommend that you create symbolic links in the include/user/ directory. The change has been implemented to deal with a potential vulnerability.

In what has become somewhat of a custom for me, I would like to thank Stefan Esser of the Hardened-PHP Project and Smartys, forum regular and bug finder extraordinaire, for reporting both vulnerabilities and general bugs. I owe you guys a couple of rounds of beer :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."
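One way to confine a template include to a single directory, as the announcement describes for pun_include and include/user/. This is an added example, not part of the post and not PunBB source; the function name and the demo paths are hypothetical.

```php
<?php
// Added example, not PunBB source. Function name and demo paths are hypothetical.

// Map an include name from a template to a file directly inside $userDir.
// Returns the path to include, or null when the name is refused.
function resolve_user_include(string $userDir, string $name): ?string
{
    // Allowlist a bare file name: no '/', '\', NUL, and no leading dot,
    // so the name cannot select another directory.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/', $name)) {
        return null;
    }
    $path = rtrim($userDir, '/') . '/' . $name;

    // is_file() follows symbolic links, so a link the administrator placed in
    // the directory still resolves. A realpath() prefix check would refuse it.
    return is_file($path) ? $path : null;
}

// Constructed demo tree standing in for a forum root with include/user/.
$root    = sys_get_temp_dir() . '/pun_demo_' . getmypid();
$userDir = $root . '/include/user';
mkdir($userDir, 0700, true);
file_put_contents($userDir . '/banner.php', "<?php echo 'banner';\n");
file_put_contents($root . '/config.php', "<?php // file outside include/user/\n");

$names = ['banner.php', '../../config.php', $root . '/config.php',
          '..\\..\\config.php', 'missing.php', "banner.php\0.txt"];
foreach ($names as $name) {
    $path = resolve_user_include($userDir, $name);
    printf("%-40s %s\n", json_encode($name), $path === null ? 'refused' : "include $path");
}

// Remove the demo tree.
unlink($userDir . '/banner.php');
unlink($root . '/config.php');
rmdir($userDir);
rmdir($root . '/include');
rmdir($root);
```

Checking the name rather than the resolved path keeps the symbolic-link arrangement recommended above working, at the cost of trusting whatever the administrator links into the directory.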

Re: PunBB 1.2.6

Hello smile

Thanks for the job, I will update my PunBB asap wink and forward the message to the French part of PunBB.

3

Re: PunBB 1.2.6

There's a little typo in the install docs.

"Copy/upload the script 12_to_124_update.php from the directory extras/ to the forum root directory and run it through your browser."

It should read "12_to_126_update.php", sorry if it causes any confusion.

4

Re: PunBB 1.2.6

I'll drink to this. I have a cold "Wisconsin Amber" in the crisper door of my fridge. Thanks Rickard for a job well done. Do you have any more future releases in the 1.2.x line or are you going to begin work on 1.3 now?

5

Re: PunBB 1.2.6

Will these changes affect any mods/plugins?

6

Re: PunBB 1.2.6

Sean wrote:

I'll drink to this. I have a cold "Wisconsin Amber" in the crisper door of my fridge. Thanks Rickard for a job well done. Do you have any more future releases in the 1.2.x line or are you going to begin work on 1.3 now?

He has already begun working on 1.3
As 1.2.6 is released, he'll have more time to work on 1.3
Please, I wouldn't like to see this question "when will 1.3 be released?....." wink

Ludo,

7

Re: PunBB 1.2.6

Well done.
will upgrade very soon smile

8 (edited by Ludo 2005-07-08 08:42)

Re: PunBB 1.2.6

Rickard wrote:

One change in 1.2.6 worth mentioning is changeset 208. What this does is to force files included from templates via the pun_include directive to be in a particular directory. The directory is include/user/. If you've been using pun_include in 1.2.5 or earlier, you will need to make sure that the directory exists and to move all/any included scripts into that directory. If your files are located outside the PunBB directory tree, I recommend that you create symbolic links in the include/user/ directory. The change has been implemented to deal with a potential vulnerability.

Does this mean you had to modify something in order to make the Google ad go on working on punbb.org?

I saw the doc says

For example, if you wanted to include a script called banner.php at the bottom of all forum pages, you would place the script in include/user/

In 1.2.5 I do not have include/user. I only have include/ but no /user in.
Is user/ created by the upgrade script? Or do I have to create it on my own?

Ludo,

9

Re: PunBB 1.2.6

Possible to patch (1.2.5 to 1.2.6) without shell access? Some files on my punbb forum are with modules ...

it's just me...

Re: PunBB 1.2.6

Upgrade from 1.2.5 to 1.2.6 successfully completed !
smile
Thanks a lot for your work Rickard.

11 (edited by Tobi 2005-07-08 12:12)

Re: PunBB 1.2.6

Thanks, great job!

I feel much safer now lol

However, there is a bug (at least for me it is, just doesn't function) in:

punbb-1.2.6/upload/include/functions.php
Line 860:

<meta http-equiv="refresh" content="<?php echo $pun_config['o_redirect_delay'] ?>;URL=<?php echo htmlspecialchars($destination_url) ?>" />

Problem is that if $destination_url contains an ampersand (&) this is translated to &amp;. Fine but does not lead where it should so I get an invalid page error after redirection...

I just removed the htmlspecialchars() and it functions so no big deal. I'm just wondering if not everybody will have this issue...

The German PunBB Site:
PunBB-forum.de

12

Re: PunBB 1.2.6

will there be a changelog from 1.2.5 to 1.2.6 to make the change manually

Re: PunBB 1.2.6

http://punbb.org/downloads.php - hdiff

14

Re: PunBB 1.2.6

Tobi wrote:

Thanks, great job!

I feel much safer now lol

However, there is a bug (at least for me it is, just doesn't function) in:

punbb-1.2.6/upload/include/functions.php
Line 860:

<meta http-equiv="refresh" content="<?php echo $pun_config['o_redirect_delay'] ?>;URL=<?php echo htmlspecialchars($destination_url) ?>" />

Problem is that if $destination_url contains an ampersand (&) this is translated to &amp;. Fine but does not lead where it should so I get an invalid page error after redirection...

I just removed the htmlspecialchars() and it functions so no big deal. I'm just wondering if not everybody will have this issue...

Well, to stay safe I guess

<meta http-equiv="refresh" content="<?php echo $pun_config['o_redirect_delay'] ?>;URL=<?php echo ereg_replace("&amp;","&",htmlspecialchars($destination_url)) ?>" />

will do as well....

The German PunBB Site:
PunBB-forum.de

15 (edited by hcgtv 2005-07-08 14:35)

Re: PunBB 1.2.6

For updating software, when you've made mods, I recommend:

Windows: Beyond Compare
Linux: Krusader file manager, Kompare

Re: PunBB 1.2.6

Ludo: Yes, I had to move the adsense script into the include/user/ folder. The folder didn't exist, so I created it.

hcgtv, Tobi: I will fix the things you brought up and silently re-release 1.2.6 when I get back from work tonight.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.6

I've updated the download to incorporate the following changes:

http://dev.punbb.org/changeset/228
http://dev.punbb.org/changeset/229

I will not change the version number. If you downloaded 1.2.6 prior to this post being made, you need to make the above two changes. Sorry for the inconvenience.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.6

The complete changelog

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.6

Rickard wrote:

I've updated the download to incorporate the following changes:

http://dev.punbb.org/changeset/228
http://dev.punbb.org/changeset/229

Hi,

I've just downloaded the tar.gz file and installed punbb - and I still got the problem with the page redirect not working ("Bad request. The link you followed is incorrect or outdated.") in the Profile section.
Changeset 229 fixed it for me.

Re: PunBB 1.2.6

That's odd. Must be a cache problem or something.

Line 860 in functions.php should look like this:

<meta http-equiv="refresh" content="<?php echo $pun_config['o_redirect_delay'] ?>;URL=<?php echo str_replace(array('<', '>', '"'), array('&lt;', '&gt;', '&quot;'), $destination_url) ?>" />

"Programming is like sex: one mistake and you have to support it for the rest of your life."
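The three ways of writing the URL into the refresh tag that appear in this thread, compared by parsing the result the way a browser would. This is an added example, not part of any post and not PunBB source: the URLs are constructed, the function names are hypothetical, the pre-escaped input is an assumption about what a caller might pass, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added example, not PunBB source. URLs are constructed; function names are hypothetical.

// Build the tag from line 860 around an already-processed URL string.
function refresh_tag(string $url): string
{
    return '<meta http-equiv="refresh" content="1;URL=' . $url . '" />';
}

// What an HTML parser recovers: the content attribute, and whether markup escaped it.
function parse_tag(string $tag): array
{
    libxml_use_internal_errors(true);   // keep parser warnings quiet
    $doc = new DOMDocument();
    $doc->loadHTML('<html><head>' . $tag . '</head><body></body></html>');
    $meta = $doc->getElementsByTagName('meta')->item(0);
    return [
        'content'  => $meta->getAttribute('content'),
        'injected' => $doc->getElementsByTagName('b')->length > 0,
    ];
}

$variants = [
    'htmlspecialchars' => fn(string $u): string => htmlspecialchars($u),
    'no escaping'      => fn(string $u): string => $u,
    'str_replace'      => fn(string $u): string =>
        str_replace(['<', '>', '"'], ['&lt;', '&gt;', '&quot;'], $u),
];

$urls = [
    'raw ampersand'                  => 'profile.php?section=essentials&id=2',
    'pre-escaped (assumed caller)'   => 'profile.php?section=essentials&amp;id=2',
    'quote and markup (constructed)' => 'profile.php?id=2"><b>x</b>',
];

foreach ($urls as $label => $url) {
    echo "input: $label\n";
    foreach ($variants as $name => $escape) {
        $seen = parse_tag(refresh_tag($escape($url)));
        printf("  %-16s content=%s injected=%s\n", $name,
            $seen['content'], $seen['injected'] ? 'yes' : 'no');
    }
}
```

Encoding an already-encoded URL a second time leaves a literal `&amp;` in the address the parser recovers, while dropping the escaping altogether lets a double quote in the URL end the attribute early.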

Re: PunBB 1.2.6

yep, that's the one I changed.

Thanks for a great little forum, Rickard!

I'm really looking forward to 1.3 and SEF URLs smile smile

22 (edited by hcgtv 2005-07-09 05:54)

Re: PunBB 1.2.6

Had some time while watching Hurricane Dennis rip apart my homeland (Cuba) sad

Here's all the changelogs on a wiki page: http://nupusi.net/punbb:history

   *  PunBB Version History
          o 1.2.6 (2005-07-07)
          o 1.2.5 (2005-04-07)
          o 1.2.4 (2005-03-18)
          o 1.2.3 (2005-03-11)
          o 1.2.2
          o 1.2.1
          o 1.2
          o 1.1.5
          o 1.1.4
          o 1.1.3
          o 1.1.2
          o 1.1.1
          o 1.1
          o 1.0.1
          o 1.0
          o 1.0 rc2
          o 1.0 rc1
          o 1.0 beta 3
          o 1.0 beta 2
          o 1.0 beta 1a
          o 1.0 beta 1
          o 1.0 alpha

Rickard, I can't figure out the dates some of them were released. When you moved to Textdrive, all of the old release zips have similar dates. If we can fill in the dates, I'll add them to the wiki page.

23

Re: PunBB 1.2.6

what's the easiest way to upgrade from 1.2.5? i have extremely limited knowledge with mysql and i'm not sure how to backup my databases sad. how can i upgrade while keeping my forum running smoothly?

Re: PunBB 1.2.6

kiz wrote:

what's the easiest way to upgrade from 1.2.5? i have extremely limited knowledge with mysql and i'm not sure how to backup my databases sad. how can i upgrade while keeping my forum running smoothly?

Copy the files under upload/ directory in the changed files zip and run 12_to_126.php or whatever on your server (I think that file's in extras/ in the zip, well, usually). (If it's all modded, you're better off patching it and running the script.)

Re: PunBB 1.2.6

...
* Fixed BBCode validator not allowing certain code tag combinations.
...
* Fixed certain BBCode combinations resulting in garbled output.
...

Does that mean [colo r=#RRGGBB][/colo r], [im g][/im g], etc. won't work?  Some guy did that at me on my forums.