What's new in phpBB 3.3
Jan 7, 2020
- The new phpBB 3.3 Proteus builds upon 3.2 Rhea and is a big step towards a more modern base while maintaining a clear update path. It is now shipped with Symfony 3.4, Twig 2, and jQuery 3.4. The improvements include, among others, support for Invisible reCAPTCHA, Argon2i and Argon2id password hashing, improved reset password functionality, and minor changes to the UI.
- The minimum supported PHP version has been increased to PHP 7.1.3 while support for PHP 7.3 and PHP 7.4 has been added. Fixed security issues in 3.2.9 are part of this release as well.
New in phpBB 3.2.7 (May 5, 2019)
- The fixed issues include, among others, issues with form token validation during login, the inability to change topic types after posting, an issue with viewing private message folders, and potentially incorrectly shortened URL links when using the [url=] BBCode.
- Full backwards compatibility for styles released before phpBB 3.2.6 has been introduced, which will enable logins even though these styles have not yet been updated with the latest style changes.
New in phpBB 3.2.4 (Nov 22, 2018)
- This version is a maintenance and security release of the 3.2.x branch which fixes one security issue and various issues reported in previous versions.
- The security issue was discovered with a new exploitation technique called Phar deserialization. An attacker with control over a founder admin account could escalate to remote code execution by abusing PHP’s default unserialization of metadata in Phar files. More information about this technique can be found here. In order to fix this issue we’ve removed the ability to define absolute paths in the Admin Control Panel. This resulted in the removal of setting the ImageMagick path, so make sure to have the GD image library available instead. A new event to generate thumbnails was added as replacement, so you’re able to write an extension that uses a different image library to generate thumbnails. We would like to thank Simon Scannell and Robin Peraglie of RIPS Technologies for their report and responsible disclosure. The issue has been assigned CVE-2018-19274.
- The fixed issues include, among others, compatibility issues with PHP 7.2 and issues with removing users from the newly registered user group more than once.
- Among the notable changes are the addition of the list-unsubscribe header to emails sent by phpBB and the ability to reset your password without entering the username.
New in phpBB 3.2.2 (Jan 9, 2018)
- This version is a maintenance & security release of the 3.2.x branch which fixes one security issue, adds one minor feature addition, as well as fixing various issues reported in previous versions.
- Previous versions did not limit the allowed schemes for URLs in profile fields and therefore allowed users to also specify URLs with the javascript scheme. This is now forbidden. As always, please keep in mind that external URLs can potentially be unsafe. Therefore it is recommended to not click on any URLs that might look suspicious to you. We would like to thank “aaaimg” for the disclosure of this issue to our development team.
- As a minor feature addition, phpBB now also supports Memcached caching.
- The fixed issues include, among others, problems when updating from phpBB versions 3.0.5 and older, incorrect image size being detected for uploaded files, blurry forum & topic icons in some browsers, and problems with deleting orphaned attachments when a high number of orphaned attachments is present.
- We’d also like to note that due to changes in our dependency the minimum expected PHP version is now PHP 5.4.7. PHP versions between 5.4.0 and 5.4.6 will most likely continue to work but can cause unexpected side effects. If you are affected by this you should upgrade to a newer, secure version of PHP. In addition to that, PHP 7.2 is now supported by phpBB 3.2. Please ensure that your extensions are compatible before upgrading.
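The scheme restriction for profile field URLs described in the 3.2.2 notes above can be illustrated with an allowlist check. This is an added example, not phpBB's own code: the function name `profile_url_is_allowed()`, the `ALLOWED_URL_SCHEMES` list and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not phpBB source. profile_url_is_allowed() and the
// allowlist below are hypothetical names chosen for this illustration.

const ALLOWED_URL_SCHEMES = ['http', 'https'];

function profile_url_is_allowed(string $url): bool
{
    // Browsers ignore leading/trailing control characters and spaces and
    // drop TAB/CR/LF anywhere inside a URL, so "java\tscript:" is still a
    // javascript: URL once rendered. Normalise the same way first.
    $url = trim($url, "\x00..\x20");
    $url = str_replace(["\t", "\r", "\n"], '', $url);
    if ($url === '') {
        return false;
    }

    // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    // A value without a scheme is a relative or scheme-relative reference;
    // a profile link is expected to be absolute, so it is rejected too.
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return false;
    }

    // Allowlist, compared case-insensitively: anything not listed is
    // refused (javascript:, data:, vbscript:, file:, ...).
    if (!in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true)) {
        return false;
    }

    // "https:example.com" has an allowed scheme but no authority part.
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && $host !== '';
}

// Constructed sample inputs covering the edge cases handled above.
$samples = [
    'https://example.com/~alice',
    'HTTP://Example.com/',
    'javascript:alert(document.domain)',
    '  JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    'data:text/html,<b>x</b>',
    '//example.com/x',
    'https:example.com',
];

foreach ($samples as $s) {
    printf("%-7s %s\n", profile_url_is_allowed($s) ? 'allow' : 'reject', json_encode($s));
}
```

A value that passes this check still has to be HTML-escaped when it is written into an `href` attribute.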
New in phpBB 3.2.1 (Jul 20, 2017)
- This version is a maintenance & security release of the 3.2.x branch which fixes three security issues, as well as adding more hardening and fixes for various bugs reported in previous versions.
- A server-side request forgery (SSRF) exploit was discovered in the remote avatar functionality which could be used to perform service discovery on internal and external networks as well as retrieve images which are usually restricted to local access (thanks to SEC Consult for the report). Additionally, a cross-site scripting vulnerability via version check files was discovered internally (thanks Derk Ruitenbeek). This could have been used to trick users into clicking on javascript: links. The third fixed issue concerned potential high load scenarios that could be caused by specially crafted search queries while using MySQL fulltext search.
- The bugfixes address issues with migration dependencies preventing updates from phpBB 3.0.6 or older, multiple issues with the new text formatter, make the FTP update method functional again, as well as issues with updating from earlier versions using PostgreSQL. Notable changes include new, higher resolution images for the imageset icons, pagination for IP tables and post info, and added search indexing for topics after splitting a topic. The version check now also supports branches which will result in more helpful information about new versions on other branches.
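The remote avatar SSRF described in the 3.2.1 notes above comes down to the server fetching whatever address a user-supplied URL points at. The following is an added example of a general pre-fetch check, not phpBB's actual fix: `remote_avatar_target()`, `ip_is_public()` and the resolver table are hypothetical, and the host names and addresses are constructed.

```php
<?php
// Added example, not phpBB's fix. All function names and the resolver
// table are hypothetical and exist only for this illustration.

function ip_is_public(string $ip): bool
{
    // Rejects private (RFC 1918, fc00::/7) and reserved (loopback,
    // link-local, 0.0.0.0/8, 240.0.0.0/4) addresses. These flags do not
    // cover every non-global range (e.g. 100.64.0.0/10); extend as needed.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Returns the host, address and port the fetcher may connect to,
 * or null if the URL must not be fetched.
 */
function remote_avatar_target(string $url, callable $resolve): ?array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                       // no file:, ftp:, gopher:, ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                       // no credentials in the URL
    }
    // Fixed ports only, so the fetcher cannot be used for service discovery.
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;
    }

    // parse_url() keeps the brackets around IPv6 literals.
    $host = trim($p['host'], '[]');
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : $resolve($host);
    if ($ips === []) {
        return null;
    }
    // Every resolved address must be public; one internal record is enough
    // to refuse the URL.
    foreach ($ips as $ip) {
        if (!ip_is_public($ip)) {
            return null;
        }
    }
    // The fetcher should connect to this exact address (not re-resolve the
    // name) and must not follow redirects without repeating the check.
    return ['host' => $host, 'ip' => $ips[0], 'port' => $port];
}

// Constructed resolver so the example runs offline. A real deployment
// would query DNS here, e.g. with dns_get_record($host, DNS_A | DNS_AAAA).
$table = [
    'img.example.org'      => ['93.184.216.34'],
    'intranet.example.org' => ['10.0.0.5'],
    'mixed.example.org'    => ['93.184.216.34', '127.0.0.1'],
];
$resolve = fn(string $h): array => $table[strtolower($h)] ?? [];

// Constructed sample URLs.
$urls = [
    'https://img.example.org/a.png',
    'http://intranet.example.org/logo.png',
    'http://mixed.example.org/a.png',
    'http://127.0.0.1/server-status',
    'http://[::1]/a.png',
    'http://img.example.org:8080/a.png',
    'ftp://img.example.org/a.png',
];
foreach ($urls as $u) {
    $t = remote_avatar_target($u, $resolve);
    printf("%-6s %s\n", $t === null ? 'block' : 'fetch', $u);
}
```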
New in phpBB 3.2 (Jan 15, 2017)
- Today is a big day for the entire phpBB community and we hope that you're as excited as we are! With the help of over one hundred volunteers, we have improved and extended phpBB to provide the new and improved phpBB 3.2 Rhea.
- The new phpBB 3.2 Rhea builds upon 3.1 Ascraeus, upgrading the experience for users, administrators, and developers. The new BBCode parser adds support for all the emojis you've been using on mobile devices, the new font awesome integration adds retina quality icons to prosilver, and the quoting feature has been enhanced. Together with Symfony 2.8, an improved integration of the twig template engine, and full support for both PHP 7.0 & 7.1, we have increased extensibility of phpBB 3.2 while reducing development time.
- Board admins will appreciate the new installer, which enables easier updating using the browser or a command-line interface, as well as the newly added reCAPTCHA 2.0 to thwart would-be spammers at the gate.
New in phpBB 3.1.9 (Apr 18, 2016)
- New Features:
- Respect X-Forwarded-Headers for upgrading non-SSL to SSL connection - Proxy's request to upgrade users to using SSL instead of non-SSL communication will be correctly respected (e.g. when using HAproxy). This requires default ports for SSL and can only be used for upgrading from non-SSL to SSL and not to downgrade from SSL to non-SSL.
- Disable sending headers - Extension authors can disable sending headers in the page_header() function and the controller helper's render() method
- Notable Changes:
- Q&A fallback to non-default language questions - Q&A will try to fall back to Q&A combos that are not in the current or default language if it's enabled and no valid Q&A set exists for the current or default language. If this is not possible, the captcha system will throw an error and prevent registrations without filling out the captcha caused by the invalid setup and misconfiguration.
- Notable Bug Fixes:
- Removed automatic approve of unapproved posts - Editing an unapproved post as a moderator will no longer automatically approve it.
- Email queue not cached by opcache - Email queue won't be cached by opcache anymore. This caused issues with duplicate emails.
- Correct column default in MSSQL - Database column default will no longer be incorrectly escaped in MSSQL (caused upgrade issues for 3.0.x to 3.1.x)
- Modified since for files served with download/file.php - The modified since header was not correctly served
- File update when using non-file based cache - Admins updating when using caches like memcache no longer see the comparing files page over and over again when looking at file changes
- Attachments display according to the correct BBCode ID - Attachments displayed now correctly correspond to the ones defined by the attachment BBCodes that were added using the frontend
New in phpBB 3.1.5 (Jun 18, 2015)
- Security and Hardening:
- Hardening: Use autocomplete=off for password fields
- Hardening: Do not populate password fields in the ACP settings with the old password - Thanks Fortify Open Source Review for suggesting
- Content Permissions: Post subjects from protected subforums were listed incorrectly on the forum index in the following two scenarios: 1. Forum that has no forum password has a subforum with a password. 2. Forum with read permissions has a subforum without read permissions "Can read forum", but with list permissions "Can see forum" - Thanks 5hocK for suggesting
- New Features:
- Events - More events have been added to the template and the php core
- Notable Bug Fixes:
- Printing topics with webkit - Properly display background images when printing with webkit browser
- Language files for xCP modules - Adding multiple language files for acp/mcp/ucp modules was incorrectly handled for extensions
- Several Controller Fixes - AJAX responses did not support exceptions messages, AJAX responses did not support meta_refresh and redirect
New in phpBB 3.1.4 (May 8, 2015)
- Security and Hardening:
- Security: An insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login). Thanks to Mathias Karlsson (avlidienbrunn) for bringing this to our attention.
- Hardening: The HTTP protocol version received via SERVER_PROTOCOL is now verified to have the expected format. See PHPBB3-13765.
- New Features:
- Events - More events have been added to the template and the php core
- Notable Bug Fixes:
- Version check of extensions - File caching of extensions' version check file doesn't work
- Fix links from /board - Append page name to base url if it doesn't contain it and the path ends without a trailing slash
New in phpBB 3.1.3 (Feb 2, 2015)
- Security and Hardening:
- Hardening of imagick path - Existence of the path to the imagick program specified in the Administration Control Panel is now verified.
- New Features:
- Events - More events have been added to the template and the php core
- Support for IDN (IRI) Urls - Urls in BBCodes, posts and profile fields can now contain UTF8 characters
- Migrations can now use DI - Migrations can now use the container to access additional objects
- Notable Bug Fixes:
- Canonical URLs sort parameters removed - In order to produce less duplicate pages, the sort parameters have been removed from the canonical URLs
- Multiple bugs while updating - A number of bugs in the database update scripts have been fixed
- Boolean profile fields on PostgreSQL - Boolean profile fields can now be created again
- UTF8 characters in attachment names - Attachments with UTF8 characters in their file name can now be uploaded again
New in phpBB 3.1.2 (Nov 26, 2014)
- Today, we are publishing phpBB 3.1.2 in order to address over 30 discovered issues since the release of 3.1.0: a number of improvements as well as two minor security vulnerabilities that we identified ourselves. Please update your phpBB 3.1 installation as soon as possible.
- We resolved problems with redirects to incorrect URLs following confirmation screens that we introduced with the security fix in 3.1.1. A large number of the bug fixes and improvements relate to the update process from phpBB 3.0 Olympus to 3.1 Ascraeus and we are confident that the process now works more smoothly for anyone looking to update.
- Through specifically crafted requests with an XMLHttpRequest header it was possible to trigger an infinite loop in a phpBB routine which may end up consuming a large amount of resources on a server running phpBB 3.1.1. Further, once you installed an extension, its authors were able to load additional HTML in the extensions administration interface through the version check file which would only be exploitable by malicious extension authors. Independent of this particular problem we recommend you only install extensions made available in the extension database on http://www.phpbb.com as they go through a security audit by the extensions team before they are published.
New in phpBB 3.1.1 (Nov 3, 2014)
- If a user's selected style no longer exists, attempt to reset to an existing style.
- Fix auth provider errors for forums that migrated from other forum software.
- Improve and correct update instructions and documentation.
New in phpBB 3.1.0 (Oct 29, 2014)
- Today is a big day for the entire phpBB community and we hope you're excited! With the help of hundreds of volunteers, we have created the best and most modern version of phpBB yet: 3.1 Ascraeus. It features many improvements for users, administrators, and developers alike. Its new responsive theme takes phpBB into the modern mobile world, OAuth logins and Gravatars improve phpBB's integration into the social web, and a new notification system makes it easy to keep apprised of all that's going on.
- With phpBB 3.1 Ascraeus' extension system, you can easily customize and extend your forum's functionality without modifying source code. The extension system makes updating phpBB and 3rd party code a breeze. Our Extensions Team is also actively developing a set of officially supported extensions, expanding upon phpBB's already rich feature-set with some separately maintained popular options, for example custom pages, Google Analytics integration, and detailed board rules.
- We have been hard at work to ensure 3.1 Ascraeus is also the most stable and secure release of phpBB. A professional security audit performed by SektionEins found phpBB 3.1 Ascraeus to be solid, due to the exemplary execution of strict coding guidelines. The well tested and widely used Symfony components have replaced some of the underlying foundations of phpBB to let us focus our efforts on providing the best forum experience imaginable.
New in phpBB 3.1.0 RC5 (Oct 8, 2014)
- New Features:
- Events - New events have been added to increase the power of extensions
- Notable Changes:
- Services sorted - The services provided by the phpBB core have been ordered and split into multiple files so you can find them more easily
- Notable Bug Fixes:
- MySQL 5.7 - Installing on MySQL 5.7 is now possible again
New in phpBB 3.1.0 RC4 (Sep 22, 2014)
- New Features:
- Events - New events have been added to increase the power of extensions
- Extensions and "all" style - Extensions templates are now loaded from the "all" folder by controller/helper/render()
- Extensions outside of phpBB - Add ability to access extensions outside the phpBB root
- Notable Changes:
- Notification service prefix - The hardcoded prefix for notification services has been removed, so extensions can correctly namespace them.
- Symfony Update - Symfony Components have been updated to 2.3.19
- Notable Bug Fixes:
- Converting from phpBB 2.0 - Converting from phpBB 2.0 to 3.1 is now possible again
New in phpBB 3.0.12 (Sep 30, 2013)
- This version is a maintenance release fixing various bugs but not adding any new features. We have updated the list of bots/spiders, further improved compatibility with recent PHP versions, and support MySQL fulltext search on InnoDB for those MySQL versions which provide it. The custom BBCode token LOCAL_URL has been modified to operate closer to its description. If you have any custom BBCodes using the token you should test if the custom BBCode still functions correctly or if you need to replace the token with the new RELATIVE_URL token. Moderators are no longer exempt from post approval, instead the permission "Can post without approval" is applied as it is for all other users. We now reject very long password inputs immediately to save on resources during password checks.
New in phpBB 3.0.8 (Nov 22, 2010)
- Security:
- [PHPBB3-9903] - Execute javascript in [flash=] BBCode
- Bug:
- [PHPBB3-4923] - compress_tar incorrectly determines type
- [PHPBB3-5164] - Honor minimum and maximum password length in generated passwords as much as possible.
- [PHPBB3-6726] - Connecting to PostgreSQL using 'localhost' doesn't try to use a TCP connection
- [PHPBB3-6747] - word censoring does not handle space for two or more words
- [PHPBB3-7260] - Do not delete polls if one exists and editing user lacks permissions
- [PHPBB3-7296] - Style export to tar(.*) does not work
- [PHPBB3-7369] - Custom Profile dates display incorrectly
- [PHPBB3-7417] - Search keywords field does not initially get focus
- [PHPBB3-7538] - Query exceeds maximum value for user_login_attempts
- [PHPBB3-7716] - Data too long for column 'message_subject'
- [PHPBB3-7720] - Fix alternative image-description for unread posts.
- [PHPBB3-7782] - Send HTTP 404 if topic, forum or user do not exist
- [PHPBB3-7972] - Copied topics are not indexed
- [PHPBB3-8169] - Parse CSS Regex accepts invalid code
- [PHPBB3-8792] - Misleading error message in auth_ldap.php, function init_ldap()
- [PHPBB3-8894] - JavaScript error and visible quote button on topic review if BBCodes disallowed
- [PHPBB3-8924] - spelling in admin_welcome_inactive.txt
- [PHPBB3-8929] - MS SQL error on view all smilies after 3.0.6 upgrade
- [PHPBB3-8935] - able to set minimal avatar size larger than maximum
- [PHPBB3-8944] - Error on database update (must specify size of index on MySQL4)
- [PHPBB3-9012] - Retain original topic title in shadow topic when moving a topic and editing the title.
- [PHPBB3-9034] - Redirect() fails with directory traversal
- [PHPBB3-9047] - Active topics and reported posts
- [PHPBB3-9049] - Password reminder system generates confusable passwords
- [PHPBB3-9053] - Correctly sort database backup file list by date on database restore page
- [PHPBB3-9061] - Race condition in queue locking
- [PHPBB3-9068] - Grammatical Error under Load Settings
- [PHPBB3-9075] - Missing / bad default values of CPFs result in SQL errors on registration of new users
- [PHPBB3-9091] - Wrong IP checking for IPv4 addresses mapped into IPv6
- [PHPBB3-9094] - Hide "Copy permissions" message, when permissions were copied.
- [PHPBB3-9095] - Misleading setting text for CAPTCHA
- [PHPBB3-9099] - Missing comma in PASSWORD_EXPLAIN acp language strings
- [PHPBB3-9101] - Bad text placement for reCAPTCHA description
- [PHPBB3-9104] - Safari does not display box headers correctly in the ACP.
- [PHPBB3-9107] - Can't Set Parent Forum
- [PHPBB3-9108] - RSS feeds does not work on Postgres
- [PHPBB3-9112] - Most active forum post count does not respect m_approve permission
- [PHPBB3-9114] - Recent bug fix for smilies causing problems on older MySQL versions
- [PHPBB3-9117] - Wrong redirection after login
- [PHPBB3-9119] - Language selection is disregarded in automatic update
- [PHPBB3-9120] - Typo fix in a comment in functions.php
- [PHPBB3-9121] - Forum feed shows posts that are currently on the moderation queue
- [PHPBB3-9125] - ACP User Overview: Unmatched tag when viewing own user
- [PHPBB3-9126] - Invalid redirection after login to forum not in web root
- [PHPBB3-9132] - Oracle CLOB support is broken, preventing storage of long strings
- [PHPBB3-9135] - Fix report-icon for moderators in PM folders.
- [PHPBB3-9140] - Check current board version in incremental update packages
- [PHPBB3-9145] - Fix open_basedir issues when accessing styles- and language-management
- [PHPBB3-9146] - Quick-Reply tabindex="6" set twice
- [PHPBB3-9147] - "Change topic type"-option "Normal" always selected.
- [PHPBB3-9154] - Correctly check for double inclusion in captcha garbage collection
- [PHPBB3-9158] - viewforum/viewtopic pages unnecessarily duplicated with start=0
- [PHPBB3-9162] - BBCode in poll options is broken, when posting without question.
- [PHPBB3-9167] - Remove shadow topics from remaining forums when deleting a forum including posts
- [PHPBB3-9170] - Unable to get image size in img bbcode when URL has multiple parameters.
- [PHPBB3-9173] - sql_config_count() artificially limits number scope to 4byte-integer on PostgreSQL and Firebird
- [PHPBB3-9176] - When setting the board's date format the board's timezone settings aren't taken into account
- [PHPBB3-9451] - Unnecessary overhead in avatar_process_user function
- [PHPBB3-9478] - Validate maximum number of allowed recipients per PM value
- [PHPBB3-9495] - Loginbox redirect breaks xHTML
- [PHPBB3-9499] - Javascript function dE does not correctly detect element visibility
- [PHPBB3-9504] - Allow gallery avatars with whitespaces in the filename
- [PHPBB3-9509] - phpBB Coding Guidelines state subversion as the version control system for phpBB
- [PHPBB3-9510] - Unable to copy permissions from and to forums you cannot see
- [PHPBB3-9512] - Fix dead link in MCP on reports for global announcements in prosilver.
- [PHPBB3-9514] - Correctly delete big datasets when deleting a forum including topics/posts on non-MySQL databases
- [PHPBB3-9518] - Postgres DBAL does not correctly create a new database connection when passing $new_link as true
- [PHPBB3-9519] - Replace remaining is_writable() calls with phpbb_is_writable().
- [PHPBB3-9521] - MSSQL error reporting returns String instead of an error
- [PHPBB3-9524] - IPv6 regular expression does not match addresses starting in ::
- [PHPBB3-9526] - User Preference to hide online status does not work for bots
- [PHPBB3-9528] - Quoting in a PM does not fall back to bbcode-less quotes using "> " when bbcodes are disabled
- [PHPBB3-9529] - Topic review does not display all selected posts
- [PHPBB3-9530] - subsilver2 missing fallback option on quoting when bbcodes are disabled
- [PHPBB3-9531] - BBCode-less fall back option for quotes is missing "Author wrote:" line when quoting from topic-review.
- [PHPBB3-9535] - Incorrect margins in RTL languages: signatures, permission ACP & updater
- [PHPBB3-9545] - 'Your first forum' should have 'Display active topics:' set to 'Yes'
- [PHPBB3-9546] - Moving all posts from one topic to another does not delete bookmarks
- [PHPBB3-9547] - Changing forum type applies FORUM_FLAG_ACTIVE_TOPICS to new forum type.
- [PHPBB3-9548] - Delete user quicktool drop down should have an empty or invalid selection as the default
- [PHPBB3-9559] - Messenger Queue Batch Size configuration option is overridden
- [PHPBB3-9567] - Newly registered users group ACP wording
- [PHPBB3-9582] - Missing MSSQL native driver case statements
- [PHPBB3-9587] - Prosilver overrides reCaptcha class.
- [PHPBB3-9592] - Test suite does not run on SQLite
- [PHPBB3-9593] - Missing documentation for running unit tests
- [PHPBB3-9599] - Windows workaround for checkdnsrr() returns wrong results
- [PHPBB3-9605] - Wrong class added to topiclist, when there's no announcement topic.
- [PHPBB3-9615] - When attaching a file whose name contains quotes, filename before last quote is cut off in display
- [PHPBB3-9623] - Strings not properly normalized - acp_prune.php
- [PHPBB3-9626] - Regular expressions from get_preg_expression() are untested.
- [PHPBB3-9628] - Add module function does not correctly insert a module after the specified one
- [PHPBB3-9633] - Newly registered users group color is not used in Our Newest Member
- [PHPBB3-9635] - Useless parameter $data['post_time'] in function submit_post.
- [PHPBB3-9637] - SET NAMES 'BINARY' error in convertor
- [PHPBB3-9643] - DB connection error when $dbhost is an IPv6 address
- [PHPBB3-9644] - submit_post shows support for options that cause a trigger_error in the call to user_notification
- [PHPBB3-9646] - Cant hide/outcomment @import in stylesheet.css
- [PHPBB3-9650] - It should not be possible to ban Anonymous
- [PHPBB3-9653] - xhtml errors in subsilver2 when using the bbcodes code and quote in signatures
- [PHPBB3-9655] - Selecting an unavailable captcha plugin looks like a successful action
- [PHPBB3-9656] - PHP Information in ACP always lists error_reporting as 0
- [PHPBB3-9658] - Optimize topic splitting
- [PHPBB3-9662] - Search interval applied inconsistently
- [PHPBB3-9664] - Another duplicate accesskey: t = top and list item
- [PHPBB3-9665] - Signature "0" cannot be previewed
- [PHPBB3-9677] - Subsilver2 is missing the bbcode-helpline for inline-attachments.
- [PHPBB3-9678] - Flash attachments are not displayed in subsilver2.
- [PHPBB3-9679] - "Notify User" checkbox appears in MCP Queue even if no notification methods are enabled
- [PHPBB3-9686] - Unable to create data backup using the mssqlnative DBAL
- [PHPBB3-9694] - Calling download/file.php with empty avatar parameter can throw an E_NOTICE message
- [PHPBB3-9695] - Bad Display of User Input - mcp_ban
- [PHPBB3-9696] - Installation of phpBB with SQLite fails
- [PHPBB3-9697] - Backlink broken when the select parent forum does not exist.
- [PHPBB3-9698] - Returning result of new by reference is deprecated in php 5.3
- [PHPBB3-9702] - "Ban until (date)" appears to be based on UTC time instead of local time
- [PHPBB3-9703] - Removing a user does not remove their private message folders or rules
- [PHPBB3-9704] - Coding guidelines typo
- [PHPBB3-9712] - Future dates display as "less than one minute ago"
- [PHPBB3-9714] - "Undefined variable: email" in email regular expression unit tests
- [PHPBB3-9715] - Fix email address regular expression or adjust email regular expression unit tests
- [PHPBB3-9722] - "New Topic" button title attribute mismatch in prosilver's viewforum
- [PHPBB3-9727] - Feed replaces ./ with board URL
- [PHPBB3-9743] - Fix background-position of top2-class in prosilver for RTL-languages.
- [PHPBB3-9744] - Mistyped word 'then' in FAQ. It should be 'than'.
- [PHPBB3-9748] - not being replaced in prepare_message
- [PHPBB3-9749] - fulltext_mysql.php overreacts on + and - characters in search words
- [PHPBB3-9752] - Misleading text when using Q&A CAPTCHA
- [PHPBB3-9754] - Template variable S_USER_POSTED always set to false in search.php
- [PHPBB3-9757] - Empty template variable HISTORY_TITLE in ucp_pm_history
- [PHPBB3-9760] - Fulltext native search, wildcard does not get escaped leading to long execution time
- [PHPBB3-9761] - Quote nesting depth explanation is misleading
- [PHPBB3-9771] - build_url() doesn't ignore empty parameters
- [PHPBB3-9772] - Under some circumstances, email addresses are shown to undesired users
- [PHPBB3-9780] - gen_rand_string() not respecting $num_chars parameter anymore.
- [PHPBB3-9782] - Board disable radio in Board-Settings set on when server load high
- [PHPBB3-9793] - Undefined function send_status_line() in download/file.php when in avatar mode.
- [PHPBB3-9807] - Avatar tab displays when avatars are disabled
- [PHPBB3-9810] - Clicking on "Select All" of code tag on print page results in a javascript error when using prosilver
- [PHPBB3-9820] - Fix undefined indexes when trying to post a new topic
- [PHPBB3-9822] - Can not delete style-components from the file-system as per explanation.
- [PHPBB3-9829] - Recaptcha plugin result interpretation fault
- [PHPBB3-9835] - Login Confirm Explain Not Working
- [PHPBB3-9840] - Display view unread posts link for guests
- [PHPBB3-9841] - Change "Save" button to "Save draft"
- [PHPBB3-9847] - Language typo and written form (British/American)
- [PHPBB3-9854] - Auth API documentation is incomplete
- [PHPBB3-9855] - Tests don't run on PHPUnit 3.5
- [PHPBB3-9879] - captcha_qa.php spelling, punctuation and grammar errors
- [PHPBB3-9883] - CAPTCHA uses american english
- [PHPBB3-9884] - Massive email delays
- [PHPBB3-9885] - Default file extension groups not properly updated by database updater.
- [PHPBB3-9886] - Database updater does not run on PostgreSQL because of an error in _add_module()
- [PHPBB3-9888] - Update fails when Bing [Bot] was already added to the users table
- [PHPBB3-9891] - Updater drops language-selection after database-update
- Improvement:
- [PHPBB3-7332] - MCP post details usability
- [PHPBB3-7717] - Use user's language for standard-extensions-group name
- [PHPBB3-8709] - Multibyte keys in request_var not possible
- [PHPBB3-8936] - subsilver2 missing reply-to-all feature
- [PHPBB3-9088] - Add missing semicolons in js files
- [PHPBB3-9179] - improve quasi-documentation of notify_status values
- [PHPBB3-9503] - Posts with empty titles in moderation queue are not easily approved
- [PHPBB3-9534] - user_ipwhois() does not support IPv6 addresses
- [PHPBB3-9536] - Small improvement for query against sessions table in acp_users.php
- [PHPBB3-9553] - Make git hooks run with /bin/sh instead of bash
- [PHPBB3-9570] - Change "system timezone" to "guest timezone" in acp, add explanation
- [PHPBB3-9578] - ACP Posting tab is missing "Post settings" module.
- [PHPBB3-9589] - Sample nginx configuration file
- [PHPBB3-9595] - Search settings in ACP: Add information on minimum word size indexed when using Fulltext MySQL backend
- [PHPBB3-9598] - Call checkdnsrr() on Windows with PHP 5.3
- [PHPBB3-9609] - Use send_status_line instead of calling header
- [PHPBB3-9611] - Increase entropy in activation keys
- [PHPBB3-9612] - Split gen_rand_string() into gen_rand_string() and gen_rand_string_friendly()
- [PHPBB3-9629] - sid parameter forced for style.php makes caching difficult
- [PHPBB3-9659] - Default phpBB signature user_options need to be set for convertors
- [PHPBB3-9690] - MSN Bot will become Bing Bot
- [PHPBB3-9777] - Print useful error message in pre-commit hook when php is not installed.
- [PHPBB3-9785] - Not able to recover a password when board disabled
- [PHPBB3-9825] - Run tests on sqlite if available and no test db configured
- [PHPBB3-9827] - IE9 Beta fixes IE8 textarea bug
- [PHPBB3-9830] - Awkward message when config.php is missing
- [PHPBB3-9850] - Allow version checker to display information on multiple releases
- [PHPBB3-9853] - Change default reCAPTCHA theme in Prosilver & Subsilver2 to better coordinate with style color scheme
- [PHPBB3-9880] - Rename all mentions of CAPTCHA or visual confirmation to anti-bot
- [PHPBB3-9899] - Change the style in the ACP for the recaptcha to match that displayed on prosilver
- New Feature:
- [PHPBB3-9039] - Native SQL Server Support mssqlnative.php
- [PHPBB3-9511] - View note for moderators on unapproved posts/topics with unapproved posts in ATOM Feed.
- Task:
- [PHPBB3-9520] - Add web.config files for IIS
- [PHPBB3-9625] - Update database UNIT-test
- [PHPBB3-9701] - Enable notices in unit tests
- [PHPBB3-9768] - Create git commit-msg hook that verifies the commit message conforms to our standards
- [PHPBB3-9769] - Add install and uninstall scripts for the git hooks
- [PHPBB3-9770] - Git commit message should be prefilled with branch and ticket information
- [PHPBB3-9800] - Update tracker URL in docs/./../support/documents.php?mode=readme&version=3
- [PHPBB3-9804] - Update docs/AUTHORS (DavidMJ & igorw)
- [PHPBB3-9808] - Git commit message hook depends on GNU wc
- [PHPBB3-9816] - Remove config.php from git repository
- [PHPBB3-9848] - Add phpBB data files to .gitignore.
- [PHPBB3-9849] - Create build script using phing
- [PHPBB3-9857] - Remove visible $Id: ./../support/documents.php?mode=changelog&version=3 10873 2010-11-20 17:15:18Z git-gate $ from docs files.
- [PHPBB3-9868] - Make the test suite run and pass using the mssqlnative driver
- [PHPBB3-9904] - Update WebPI Parameters.xml
- Sub-task:
- [PHPBB3-9517] - Remote avatar upload does not check the filesize before and during transfer.
- [PHPBB3-9562] - Advanced Search is inaccessible using the mssqlnative DBAL
- [PHPBB3-9564] - Reported messages are not assigned the default report reason when a reason is removed from the ACP using the mssqlnative DBAL
- [PHPBB3-9565] - It is impossible to create a custom profile field using the mssqlnative DBAL
- [PHPBB3-9566] - Two debug notices are displayed when setting a custom profile field though the UCP using the mssqlnative DBAL
- [PHPBB3-9583] - MSSQL native backups cannot be restored
- [PHPBB3-9606] - Drop redundant SQL query for unreads fetching
- [PHPBB3-9613] - Implement a load switch for unreads search feature.
- [PHPBB3-9817] - Make build script create blank config.php
New in phpBB 3.0.7-PL1 (Mar 9, 2010)
- We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7. Unfortunately, the issue wasn't noticed during testing and has only surfaced a week after the release of 3.0.7.
- We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise - a critical bug in the permission handling for feeds slipped past. To all people who already have updated to 3.0.7, it is of critical importance to update to 3.0.7-PL1. Otherwise, it is possible for users to bypass permission settings under the following circumstances:
- Feeds are enabled
- Any of the posts or topics feeds are enabled
- The unauthorised user - or one of the groups they are a member of - has forum permissions set on a private forum
- If you have excluded a forum from the list of forums that provide feeds, it is unaffected
- Note: We recommend the use of a regular update routine over manually editing your files. If you manually edit your files your board will not recognise the update.
- There were no other changes, in particular neither style nor language changes.
New in phpBB 3.0.6 (Nov 18, 2009)
- Better captcha options and backported 3.2 captcha plugins:
- Classic and GD CAPTCHA
- reCaptcha (based on API from recaptcha.net by Mike Crawford and Ben Maurer)
- Q&A CAPTCHA
- 3D Wave (by Robert "Xore" Hetzler)
- Introduced new ACM (Cache) plugins. (Please consult our support forums for help if you need to use one of the new ACM plugins)
- null (to disable caching completely)
- memcache
- APC
- XCache
- eAccelerator
- ATOM Feeds
- Bare-bones Quick Reply editor in viewtopic
- Users can report PMs to moderators which are then visible in a new MCP module
- Ability to copy permissions from one forum to several other forums.
- Send anonymous statistical information to phpBB on installation and update (optional)
New in phpBB 3.0.5 (Jun 1, 2009)
- Added and refined CAPTCHA options to better protect against new version of CAPTCHA crackers.
- Added an option to the registration screen to allow users to refresh the displayed CAPTCHA.
- Performance improvements for native fulltext search.
- Added a new search option. The admin can define the maximum number of words allowed to search for. This option gives control over the maximum search load.
- Search indexing should no longer stall for some installations.
- Conflicting files are able to be downloaded now within the automatic updater for manual inspection.
- The database updater now checks for an incompatible database schema in case the database version got updated. The admin will be notified about possible solutions and repair scripts.
- We now set the connection encoding for MySQL versions 4.1.0 to 4.1.2. This may fix some conversion issues with special characters.
- Language pack authors now see errors/notices within their language pack if they enabled DEBUG_EXTRA.
- Flash files now display again after update to flash player 10.
New in phpBB 3.0.4 (Dec 16, 2008)
- [Fix] Allow mixed-case template directories to be inherited (Bug #36725)
- [Fix] Regression bug from revision #8908 regarding log display in ACP
- [Fix] Allow the UCP group management to work for groups with avatars. (Bug #37375)
- [Fix] Fix header list build for replying oldest PM in PM history (Bug #37275)
- [Fix] Do not display COPPA group in memberlist find member dialog if COPPA disabled (Bug #37175)
- [Fix] Do not try to send jabber notifications if no jid entered (Bug #36775)
- [Fix] Only display special ranks to guests; no longer display normal ranks for guests (Bug #36735)
- [Fix] Properly treat punctuation marks after local urls (Bug #37055)
- [Fix] Make searching for members by YIM address work in prosilver
- [Fix] Tell users to recreate the search index after changing the common word threshold for fulltext_native (Bug #36345)
- [Fix] Adjusted phpbb_chmod() to always set permissions for group bit.
- [Fix] Do not increment a user's post count after post approval if the post had been posted in a forum with no post count increasing set (Bug #37865)
- [Fix] Extend vertical line for last post column if no posts in forum (Bug #37125)
- [Fix] Correctly update last topic/forum information if changing guest usernames through editing posts (Bug #38095)
- [Fix] Fix postcount resync for situations where low and high post ids are higher than step value, resulting in users having 0 posts. (Bug #38195)
- [Fix] Use a left join for the topics table on search to avoid trouble with FROM syntax on some databases (Bug #37005)
- [Fix] Do not show 'Forward' button if the user cannot send PMs
- [Change] Allow applications to set custom module inclusion path (idea by HoL)
- [Change] Handle checking for duplicate usernames in chunks (Bug #17285 - Patch by A_Jelly_Doughnut)
- [Change] Better handling and finer control for custom profile fields visibility options. (Patch by Highway of Life)
- [Change] Performance increase for format_date() (Bug #37575 - Patch by BartVB)
- [Change] Changed prosilver date separator from 'on' to '»'
- [Change] Performance increase for get_username_string() (Bug #37545 - Patch by BartVB)
- [Change] Slight performance increase for common parameter calls to append_sid() (Bug #37555 - Patch by BartVB)
- [Feature] Added 'AGO' setting to relative date strings. For example: posted 14 minutes ago. (Patch by BartVB)
- [Sec] Fixed an issue where deactivated accounts could be re-activated without the required privileges. (Reported by Jorick)
- [Sec] Ask for forum password if post within passworded forum quoted in private message. (Reported by nickvergessen)
New in phpBB 3.0.3 (Nov 13, 2008)
- Fixed:
- Correctly set topic starter if first post in topic removed
- Added VST - Venezuela Standard Time
- Close DB connections in file.php.
- Correctly return results for nested cached queries
- Allow export of PM pages greater than one. (#33155)
- Display coloured username of last poster in list of subscribed forums (prosilver).
- Do not jump back to page 1 when hiding member search in memberlist.
- Correctly limit input of the user's location to 100 characters in the UCP and ACP.
- Sync reports when using the move all user's posts tool in the ACP.
- Remove reported flag from shadow topics when closing reports.
- Do not show non indexed forums on the search page if they contain no subforums.
- Stop search bots incrementing topic views.
- Use correct link for post author search.
- Do not decrease topics counter when deleting shadow topics.
- Send localised disapproval reasons in the recipient's local language.
- Do not display reported topic icon for shadow topics.
- Expand shown ban reason in unban screen to fully show long entries.
- Preserve alpha transparency for created thumbnails.
- Use correct port delimiter for MSSQL connections in windows.
- Do not allow setting a forum's parent to the forum itself.
- Display assigned rank/avatar for guests.
- Set secure cookie for style switcher if required.
- Fix native full text search on postgresql while using excluding keyword matches.
- Pass S_SEARCH_ACTION through append_sid() in search.php.
- Correctly handle unread status of subforums (that are not shown on the index) of forums that are shown on the index.
- Stop users from deleting posts after the edit time has passed or they have been locked.
- Split posts target forum requires 'f_post' now instead of 'm_split'.
- Use a distinct log message for shadow topic deletions to differentiate between normal topic deletions.
- Fix problems with styles using an underscore within the filename.
- Better return links when deleting topics through the MCP.
- Add quoting support to PM history when composing a reply.
- Use phpBB 3.1.x method for storing cached data to prevent PHP bug with our usage of var_export(). (Thanks to Techie-Micheal and HoL for pointing out possible problems)
- Check users' PM preferences for PMs sent to groups.
- Do not allow password reminders if u_passchg permission is not given.
- Implemented strict check for cached user permissions and existing ACL options. This fix makes sure cached permissions are valid, even if they were already cached.
- Do not show link to user/group profiles if user has no permission to view the linked page and gets a denied message anyway.
- Do not display last post link and sort display options for search engines.
- Make sure users still get notifications if they set to only be notified by Jabber, but the Jabber service is disabled.
- Don't show forum subscription link on categories.
- Display a message if no topics or forums are selected when unsubscribing.
- Mark/unmark all links in UCP now select/unselect both subscribed topics and forums.
- Increase board topic counter when splitting topics.
- Display profile icons when viewing a topic, or PM when only the jabber icon is to be visible.
- Do not send PMs with warnings if the user cannot read PMs or they are disabled.
- Correctly convert Niels' Birthday MOD to the date format used in phpBB3.
- Parse BBCode lists of type square, circle and disc.
- Round the displayed percentages in polls.
- Disable mass e-mail when e-mail is disabled.
- Display coloured poster username of queued posts displayed on the front of the MCP.
- Moderators can only see reports/queue/logs from forums they can actually read.
- Correctly display topic when start parameter is equal to the number of posts.
- Correctly display topic in MCP when start parameter is equal to or greater than the number of posts.
- Changed:
- No longer allow the direct use of MULTI_INSERT in sql_build_array. sql_multi_insert() must be used.
- Display warning in ACP if config.php file is left writable.
- More restrictive chmod to new files being created. (phpbb_chmod() function mostly by faw)
- Set headers to allow browsers to better cache attachments (Mylek pointed this out)
- Hide parameters if they equal the default in viewforum/viewtopic
- Various improvements to group listings
- Set headers for IE 8 in file.php
- Do not count queued posts to user_posts.
- Allow setting birth year to current year.
- Do not use the topics posted table when performing an egosearch.
- Log the forum name that topics are moved into.
- Automatically add users/groups to the PM recipient list, if entered or selected.
- Reply to PM now includes all previous recipients and not only the original sender.
- Make topic selection for merge less confusing by removing unneeded controls.
- MCP topic view checkboxes now default to unchecked.
- Adjust language key "SPLIT_AFTER" to make the action clearer.
- Add links to the post and forum when viewing a report from the MCP.
- Remove NUL-Bytes directly in request_var() for strings and within the custom DBAL sql_escape() functions (MSSQL, Firebird, Oracle) (reported by AdhostMikeSw)
- Feature:
- Allow limited inheritance for template sets.
- Allow hard disabling of the template editor.
- Allow setting custom language path through $user->set_custom_lang_path(). $user->lang_path now also does not include the user language, but only the path.
- Ability to define nullar/singular/plural language entries
- Ability to mimic sprintf() calls with $user->lang() with the ability to correctly assign nullar/singular/plural language entries.
- Added the possibility to force user posts to be put in the queue if the post count is lower than an admin defined value. Guest posting is not affected by this setting.
- Added 'max_recipients' setting for private messages. This setting allows admins to define the maximum number of recipients per private message with a board-wide setting and a group-specific setting.
- Added new permission setting for sending private messages to groups. Now there are two permissions to define sending private messages to multiple recipients and private messages to groups.
- Allow specific connection to different server for jabber functionality by providing a valid JID as username. This also allows the use of talk.google.com as jabber server with gmail.com JIDs.
- Sec Precaution:
- Stricter validation of the HTTP_HOST header (Thanks to Techie-Micheal et al for pointing out possible issues in derived code)