phpBB 2.0.x CHANGELOG

1. Changelog
1. Changes since 2.0.21
2. Changes since 2.0.20
3. Changes since 2.0.19
4. Changes since 2.0.18
5. Changes since 2.0.17
6. Changes since 2.0.16
7. Changes since 2.0.15
8. Changes since 2.0.14
9. Changes since 2.0.13
10. Changes since 2.0.12
11. Changes since 2.0.11
12. Changes since 2.0.10
13. Changes since 2.0.9
14. Changes since 2.0.8
15. Changes since 2.0.7
16. Changes since 2.0.6
17. Changes since 2.0.5
18. Changes since 2.0.4
19. Changes since 2.0.3
20. Changes since 2.0.2
21. Changes since 2.0.1
22. Changes since 2.0.0
23. Changes since RC-4
24. Changes since RC-3
25. Changes since RC-2
26. Changes since RC-1
27. Changes since RC-1 (pre)
2. Disclaimer

1. Changelog

This is a non-exhaustive (but still near complete) changelog for phpBB 2.0.x including beta and release candidate versions. Our thanks to all those people who've contributed bug reports and code fixes.

l.i. Changes since 2.0.21

• [Fix] Check for user's existence prior to showing email form
• [Fix] New members of moderator groups should always become moderators (Bug #382)
• [Fix] Proper message when replying to non-existant topics (Bug #459)
• [Fix] Changed column type of search_array to store more ids (Bug #4058)
• [Fix] Fixed annoyance with font-size selector (Bug #4612)
• [Fix] Fix optimize line in database updater (Bug #6186)
• [Sec] Check for the avatar upload directory reinforced
• [Sec] Changes to the criteria for "bad" redirection targets - kellanved
• [Sec] Fixed a non-persistent XSS issue in private messaging
• [Sec] Fixing possible negative start parameter - SpiderZ.
• [Sec] Added session checks to various forms - kellanved

l.ii. Changes since 2.0.20

• [Fix] Changes to random number generator code to explicitly truncate the length of the string
• [Fix] Quoting on boards with HTML enabled
• [Fix] Special characters on boards with HTML enabled
• [Fix] Redirect to list if cancelling deletion of ranks, smilies or word censors
• [Fix] Missing error message if an inactive user tried to login (Bug #1598)
• [Fix] Do not alter post counts when just removing a poll (Bug #1602)
• [Fix] Correct error in removal of old session keys
• [Fix] Changed filtering of short search terms
• [Sec] Improved filtering on language selection (also addresses a number of bug reports related to missing languages)
• [Change] Backported more efficient highlighting code from Olympus
• [Change] Backported zlib emulation code so that there is only a single confirmation image even if zlib is not available

l.iii. Changes since 2.0.19

• [Fix] Prevent login attempts from incrementing for inactive users
• [Fix] Do not check maximum login attempts on re-authentication to the admin panel - tomknight
• [Fix] Regenerate session keys on password change
• [Fix] retrieving category rows in index.php (Bug #90)
• [Fix] improved index performance by determining the permissions before iterating through all forums (Bug #91)
• [Fix] Better handling of short usernames within the search (bug #105)
• [Fix] Send a no-cache header on admin pages as well as normal board pages (Bug #149)
• [Fix] Apply word censors to the message when quoting it (Bug #405)
• [Fix] Improved performance of query in admin_groups (Bug #753)
• [Fix] Workaround for an issue in either PHP or MSSQL resulting in a space being returned instead of an empty string (bug #830)
• [Fix] Correct use of default_style config value (Bug #861)
• [Fix] Replace unneeded unset calls in admin_db_utilities.php - vanderaj
• [Fix] Improved error handling in modcp.php
• [Fix] Improved handling of forums to which the user does not have any explicit permissions - vanderaj
• [Fix] Assorted fixes and cleanup of admin_ranks.php, now requires confirmation of deletions
• [Fix] Assorted fixes and cleanup of admin_words.php, now requires confirmation of deletions
• [Fix] Addition and editing of smilies can no longer be performed via GET, now requires confirmation of deletions
• [Fix] Escape group names in admin_groups.php
• [Sec] Replace strip_tags with htmlspecialchars in private message subject
• [Sec] Some changes to HTML handling if enabled
• [Sec] Escape any special characters in reverse dns - Anthrax101
• [Sec] Typecast poll id values - Anthrax101
• [Sec] Added configurable search flood control to reduce the effect of DoS style attacks
• [Sec] Changed the way we create "random" values for use as keys - chinchilla/Anthrax101
• [Change] Changed handling of the case where a selected style doesn't exist in the database
• [Change] Changed handling of topic pruning to improve performance
• [Change] Changed default forum permissions to only allow registered users to post in new forums

l.iv. Changes since 2.0.18

• [Fix] corrected index on session keys table under MS SQL
• [Fix] added session keys table to backup
• [Fix] delete session keys entries when deleting user
• [Fix] changes to support MySQL 5.0
• [Fix] changes to some of the admin files to improve efficiency and remove a potential error condition when building the menu
• [Fix] change truncation of username length in usercp_register.php - BFUK
• [Fix] incorrect path to avatars in admin_users.php (Bug #667)
• [Fix] fixed get_userdata to support correct sql escaping (non-mysql dbs) - jarnaez
• [Fix] fixed captcha for those not having the zlib extension enabled
• [Change] Placed version information above who is online in admin panel for better visual presence
• [Sec] fixed XSS issue (only valid for Internet Explorer) within the url bbcode
• [Sec] fixed XSS issue if html tags are allowed and enabled
• [Sec] added configurable maximum login attempts to prevent dictionary attacks

l.v. Changes since 2.0.17

• [Fix] incorrect handling of password resets if admin activation is enabled (Bug #88)
• [Fix] wrong topic redirection after login redirect (Bug #94)
• [Fix] improved handling of username lists in admin_ug_auth.php (Bug #98)
• [Fix] incorrect removal of bbcode_uid values if bbcode has been turned off (Bug #100)
• [Fix] correctly preview signature if editing other users posts (Bug #101)
• [Fix] incorrect alt tag on generated search images in groupcp.php, viewtopic.php and usercp_viewprofile.php (Bug #102)
• [Fix] consistent forum ordering in all dropdown boxes (Bug #106)
• [Fix] correctly get compression status in page_tail.php and page_footer_admin.php (Bug #117)
• [Fix] set page title on summary page of groupcp.php (bug #125)
• [Fix] correctly test style and avatar in usercp_register.php (bug #129 and #317)
• [Fix] handling of reactivation notifications if admin activation is enabled (Bug #145)
• [Fix] handling of both forms of translation information used in language packs (Bug #159)
• [Fix] key length for activation keys fixed in usercp_sendpassword.php (Bug #171)
• [Fix] use GENERAL_MESSAGE constant in message_die instead of MESSAGE (Bug #176)
• [Fix] incorrect handling of move stubs (Bug #179)
• [Fix] wrong mode_type in memberlist (Bug #187)
• [Fix] SQL errors when setting maximum PMs to 0 (Bug #188)
• [Fix] removed unused variable from topic_notify email template (Bug #210)
• [Fix] removed unset variable from smilies popup window title (Bug #224)
• [Fix] removed duplicate template assignment from admin_board.php (Bug #226)
• [Fix] incorrect search link for guest posts in modcp.php (Bug #254)
• [Fix] all users removed from topics watch table on special occassions (Bug #271)
• [Fix] correctly check returned value from strpos in append_sid function (Bug #275)
• [Fix] correctly display username in private message notification (Bug #278)
• [Fix] fixed "var-by-ref" errors (Bug #322)
• [Fix] changed redirection to installation (Bug #325)
• [Fix] added timout of 10 seconds to version check (Bug #348)
• [Fix] fixed user_level default in postgresql schema file (Bug #444)
• [Fix] multiple minor HTML issues with subSilver
• [Change] deprecated the use of some PHP 3 compatability functions in favour of the native equivalents
• [Change] added 60 days limit for grabbing unread topics in index.php
• [Sec] backport of session keys system from olympus
• [Sec] fixed email bans to use the same pattern as email validation and allow wildcard domain bans
• [Sec] fixed validation of topic type when posting
• [Sec] unset database password once it is no longer needed
• [Sec] fixed potential to select images outside the specified path as avatars or smilies
• [Sec] fix globals de-registration code for PHP5 - (Stefan Esser/Matt Kavanagh)
• [Sec] changed avatar gallery code sections to prevent possible injection points (AnthraX101)
• [Sec] signature field is not properly sanitised for user input when an error occurs while accessing the avatar gallery (AnthraX101)
• [Sec] check to_username and ownership when editing a PM (AnthraX101)
• [Sec] fixed ability to edit PM's you did not send (depablo84)
• [Sec] compare imagetype on avatar uploading to match the file extension from uploaded file

l.vi. Changes since 2.0.16

• Added extra checks to the deletion code in privmsg.php - reported by party_fan
• Fixed XSS issue in IE using the url BBCode
• Fixed admin activation so that you must have administrator rights to activate accounts in this mode - reported by ieure
• Fixed get_username returning wrong row for usernames beginning with numerics - reported by Ptirhiik
• Pass username through phpbb_clean_username within validate_username function - AnthraX101
• Fixed PHP error in message_die function
• Fixed incorrect generation of {postrow.SEARCH_IMG} tag in viewtopic.php - reported by Double_J
• Also fixed above issue in usercp_viewprofile.php
• Fixed incorrect setting of user_level on pending members if a group is granted moderator rights - reported by halochat
• Fixed ordering of forums on admin_ug_auth.php to be consistant with other pages
• Correctly set username on posts when deleting a user from the admin panel

l.vii. Changes since 2.0.15

• Fixed critical issue with highlighting - Discovered and fix provided by Ron van Daal
• Url descriptions able to be wrapped over more than one line again
• Fixed bug with eAccelerator in admin_ug_auth.php
• Check new_forum_id for existence in modcp.php - alessnet
• Prevent uploading avatars with no dimensions - Xpert
• Fixed bug in usercp_register.php, forcing avatar file removal without updating avatar informations within the database - HenkPoley
• Fixed bug in admin re-authentication redirect for servers not having index.php as one of their default files set

l.viii. Changes since 2.0.14

• Fixed moderator status removal in groupcp.php
• Removed newlines after ?> on some files - Thoul
• Added admin re-authentication (admin needs to login seperatly to access the ACP) - backported from Olympus
• Fixed vulnerability in url/bbcode handling functions - PapaDos and Paul/Zhen-Xjell from CastleCops
• Fixed issue in admin/admin_forums.php
• Suppressed warning message for fsockopen in /includes/smtp.php - Thoul
• Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - Exy
• Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
• Updated the readme file
• Added one new language variable
• Added general error if accessing profile for a non-existent user
• Changed session id generation to be more unique - Henno Joosep
• Fixed bug in highlight code to escape characters correctly
• Reversed the 2.0.14 fix for postgresql because it produced more problems than it solves.
• Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
• Fixed bypassing of validate_username on registration - Yen
• Empty url/img bbcodes no longer get parsed

l.ix. Changes since 2.0.13

• Hardened author and keyword search a bit to not allow very server intensive searches
• Fixed full path disclosure in bad word parsing
• Resetting complete userdata array in session code if authentication fails
• Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
• Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error
• Fixed html handling in signatures if html is turned off globally
• Fixed install.php problem with PHP5 register_long_arrays option turned off
• Fixed potential issues with styling system
• Added correct class to login_body template file
• Removed file db/oracle.php from package
• Removed version number from message body page in /admin (if user is not an admin) - mikelbeck
• Fixed case-sensitivity issues in postgres7.php - R45

l.x. Changes since 2.0.12

• Ommitted preg_replace warning in viewtopic due to improper working of preg_quote in PHP - originally reported by matrix_killer, fix submitted by another party
• Fixed high severity issue in session handling allowing everyone gaining administrator rights. Please update as soon as possible.
• Minimum requirements raised to PHP 4.0.3 or above due to fixing vulnerability issues breaking PHP3 compatibility.

l.xi. Changes since 2.0.11

• Added confirm table to admin_db_utilities.php
• Prevented full path display on critical messages
• Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
• Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
• Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
• Fixed arbitrary file unlink vulnerability in avatar handling functions - AnthraX101
• Removed version number from powered by line
• Merged database update files to update_to_latest.php file
• Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
• Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer

l.xii. Changes since 2.0.10

• Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible)
• Fixed unsetting global vars - Matt Kavanagh
• Fixed XSS vulnerability in username handling - AnthraX101
• Fixed not confirmed sql injection in username handling - warmth
• Added check for empty topic id in topic_review function
• Added visual confirmation mod to code base

l.xiii. Changes since 2.0.9

• Fixed deleting of styles in admin_styles.php
• Fixed wrong unsetting of variables introduced in phpBB 2.0.9, making the board non-functional for users with specific php.ini settings
• Added code to let phpBB work with PHP5 for those having register_long_arrays set to off (default settings) - running phpBB 2.0.x with PHP5 is not supported at http://www.phpbb.com.
• Fixed bug in admin_board.php for board settings having single quotes in it
• Fixed "search by author" in search.php. Now it is possible to search for users with special chars in their name too
• Fixed forum jumpbox propagating session id in moderator control pages
• Added check for newlines at redirecting pages, to prevent http response splitting attacks - Ory Segal and Amit Klein
• Fixed visual confirmation code. The image was not created due to a wrong regular expression.

l.xiv. Changes since 2.0.8

• Fixed one vulnerability in admin_board.php - Xore
• Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
• Fixed injection vulnerabilities possible with linked avatars
• Implemented unsetting globalised variables
• Limited confirm switch to POST variable in posting
• Changed IP code in common.php to prevent IP spoofing, which might introduce some problems with private IP Ranges showing up. - Wang Products
• Updated visual confirmation mod [pre-edited files]
• Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
• Added the ability to link to https/ftps sites using the img bbcode tag
• Fixed user online information in admin/index.php
• Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
• Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
• Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
• Fixed problem with SID not delivered to next page in groupcp.php

l.xv. Changes since 2.0.7

• Fixed several vulnerabilities in admin pages
• Fixed sid checking code in admin/pagestart.php
• Fixed injection vulnerabilities possible with the img bbcode tag
• Limited allowed images in img bbcode tag to jpg, jpeg, gif and png
• Fixed redirect problems - 2.0.7a
• Fixed sql injection vulnerability in search - 2.0.7a
• Fixed sql injection vulnerability in privmsg - 2.0.8a

1.xvi. Changes since 2.0.6

• Fixed several vulnerabilities in modcp - Robert Lavierck
• Changed whois lookup address within admin index
• Fixed potential vulnerability in viewtopic postorder - 2.0.6d
• Updates to cope with Zend Optimizer 2.5 problems - 2.0.6d - jetset
• Force specialcharing of redirect variable in login - Pit
• Fixed potential vulnerability in viewtopic postdays - GulfTech Security Research
• Fixed potential vulnerability in viewforum topicdays - GulfTech Security Research
• Fixed potential vulnerability in modcp
• Fixed potential vulnerability in avatar gallery

1.xvii. Changes since 2.0.5

• Fixed various email issues
• Fixed registration email bug with Administrator Confirmation used
• Fixed mass emailer
• Fixed long post time issue
• Fixed bug with usernames containing single quotes
• Fixed word list bug - Word boundaries were not considered
• Fixed vulnerability in style admin
• Fixed sql injection vulnerability in viewtopic
• Fixed vulnerability allowing server side variable access in search - tendor
• Fixed potential vulnerability in 2.0.5 login username entry - throw away/eomer
• Fixed sql injection with reset date format field in profile - tendor

1.xviii. Changes since 2.0.4

• Removed user facing session_id checks
• Fixed user self-activation after deactivation
• Fixed incorrect functioning of phpbb_realpath
• Fixed wrong path to database schema files within the upgrade script
• Fixed double quote problem with username validation
• Allow & within email addresses
• Fixed email validation for banned email addresses
• Removed underline from email domain validation
• Fixed redirection for sentbox folder, installation and email
• Fixed poll deletion
• Fixed Mozilla navigation bar
• Fixed URL bbcode parsing
• Fixed database timeouts while searching the forums
• Fixed wrong email return path in admin mass mailing - netclectic
• Fixed MS-SQL failures within the update script
• Fixed memberlist sort order
• Fixed not showing leading spaces within Code BBCode
• Fixed problem with adding double quotes to subject titles
• Remove username input field from profile when user cannot change name
• Fixed pagination error with highlighting
• Fixed errors if no smilies are installed
• Fixed CSS issues with IE 5.2 on MacOS X
• Fixed missing sid propagation problem within the Moderator Control Panel
• Fixed language variables within Authentication error output
• Removed doubled CSS class definitions within input fields
• Fixed username change within the Administration Panel
• Added missing <tr> tags to index_body.tpl
• Added missing username language variable to admin index page
• Fixed moderator status update if a usergroup got deleted
• Fixed poll handling upon post edit
• Fixed remove common words from search table if post get pruned - Nuttzy99
• Fixed behaviour on splitting topics if no checkbox is selected
• Anonymous is no longer displayed within Username dropdown boxes
• Fixed viewprofile redirection if an invalid mode was specified
• Fixed fraction settings within determining common words - Novan
• Prevent admin change usernames to his own within the ACP
• Activation email is sent to all admins
• Fixed conversion of & to &amp; in appropriate cases
• Fixed display of "greater than topics per page" announcements preventing display of normal posts
• Added variable checks to database backup and restore screen
• Prevented pm popup window from resetting after visiting avatar gallery
• Fixed special character handling with word censor
• Added SID to jumpbox
• Fixed problems with usernames using html special chars
• Added GMT + 13 to English lang_main, all translators are encouraged to do likewise
• Deleted doubled 'U_MEMBERLIST' assignment from page_header.php
• Fixed wrong display of Signature Checkbox while editing Private Message
• Fixed disappearing post text if emoticon was inserted directly after pressing a BBCode button
• Display correct alt-tag for smilies within postings
• Prevented the ability to apply BBCode to website contents
• Fixed maxlength issue with password field in login_body.tpl
• Fixed possible username duplication issue with validation and username length
• Fixed split words function to handle additional foreign characters
• Changed empty email To Field to use a non-disclosure delimiter
• Fixed wrong language var in install.php - FTP Config screen
• Fixed alt tag for locked topic images in viewforum_body.tpl
• Fixed typo in groupcp.php - $lang['Unsub_success'] instead of $lang['Usub_success']
• Fixed timezone display
• Fixed wrong display of author quote tag within profile - Cl1mh4224rd
• Added deletion of sessions of users whose account is deactivated
• Added mail header X-MimeOLE to the emailer class
• Prevent registration if user is logged in or user trying to register again
• Prevent usage of char(255) in usernames
• Added check for additional FORWARDED_FOR IP's - cosmos
• Fixed handling of non-selection of option when voting
• Fixed potential xss issue with memberslist mode
• Default English support for visual confirmation - translators are encouraged to support this

1.xix. Changes since 2.0.3

• Fixed cross-browser scripting issue with highlight param
• Back-ported highlighting code from phpBB 2.2
• Add session id validation to posting, profile, email, voting - Edwin van Vliet
• Added {S_HIDDEN_FIELDS} template var to profile_send_email.tpl
• Added "intval" fix for flood check, may resolve some issues
• Added missing index to post_id for search_wordmatch
• Fixed spelling error in search add words preventing use of stopword list
• Fixed issue with search common words not being run
• Introduce viewtopic resync patch by Ashe
• Replace a for n in templating code
• Fixed ordering in memberslist
• Fixed group_id sequence issues with pgsql and msaccess
• Fixed assumption of word censors in user notification
• Fixed incorrect display of quotes in user management fields
• Fixed entry of special chars in all profile fields - note this may cause temporary issues
• Fixed incorrect display of quotes when using avatar gallery
• Fixed missing username in email sent to users when admin activated
• Added check for non-empty smiley code and url in smiley admin
• Prevent display of -- sig seperator in emails when no board sig exists
• Fixed URL propagated sid issues with jumpbox
• Fixed wrong mode name check (polldelete) in functions_post
• Added missing root path to l10n image path check
• Remove validation of fields when deleting a user
• Fixed sort mode select box in memberslist to default to current mode
• Deny inline topic review listing to users without auth_read permissions
• Prevent display of topic notification checkbox if user cannot read forum
• Remove incorrect pre-pending of IP to uploaded avatars
• Fixed deletion of uploaded avatars when changing to remote/gallery
• Added check for non-blank line during install schema/basic sql ops
• Added sort ordering to Top Ten poster listing by request
• Fixed incorrect error report when altering case of username
• Added jumpbox output to modcp {JUMPBOX} will now work
• Fixed non-updating of users with MOD levels when deleting a forum
• Remove email to group moderator when approving new members
• Fixed non-handling of HTML in poll options
• Fixed non-deletion of polls when deleting forum and its posts
• Fixed moved shadow topic from being bumped upon reply
• Changed field size of timezone to decimal(5,2) where applicable
• Fixed missing sid append to URL when redirecting to newest reply
• Fixed missing slashes in private IP preg check
• Fixed session not setting userdata['user_id'] to ANON as appropriate
• Added check for non-empty name in disallow admin
• Fixed validation of SSL website addresses in profile
• Fixed inability of admins to upload avatars via user admin panel
• Fixed non-deletion of private message text upon full box overwrite
• Fixed incorrect error message in smiley admin
• Fixed incorrect alt-text for "Stop Watching Topic" image
• Temporary fix for missing lang strings in forum admin - translators should update their packages if not done already
• Use selected localisation during later stages of installation
• Fixed non-check of permissions when deleting a topic via Moderator Control Panel
• Fixed non-update of banlist upon user deletion
• Check approved users boxes by default in usergroup approve form
• Fixed non-appending of sid to backup meta refresh
• Fixed non-notification of no support for certain databases in backup/restore
• Added $images var to message die global declaration
• Fixed wrong string, Private_message in Private Messaging
• Add mail send result to error output
• Fixed non-appending of sid to Mozilla nav bar menu items
• Fixed incorrect profile linking from MSNM url in private messaging
• Grammatical errors in English lang_main fixed - Cluster
• Allow deletion of avatar and simultaneous upload/linking/gallery selection
• Fixed non-updating of user rank when changing from special to normal rank in rank admin
• Changed user topic notification default in schemas to 0 (off)
• Fixed non-XHTML compliant img tags in privmsg.php
• Fixed non-deletion of announcements and polls when removing forum contents in forum admin
• Fixed non-pruning of watched topics table when pruning related topics
• Enable GET redirect on logout
• Added check for IE6.x to viewtopic ICQ indicator javascript
• Fixed empty username quoting with MS-SQL
• Fixed BBCode url, magic url and img tags to allow most chars beyond domain names
• Prevent parsing of -ve size values in BBCode size tag
• Back ported HTML handler from 2.2, this may impact some boards which allow complex HTML - existing parser remains but commented out
• Fixed parsing of word censors to not censor words within < and > tag delimiters
• Fixed database utilities failing to backup data with MySQL
• Fixed signature parsing in User Admin
• Fixed missing class="post" tags in subSilver Admin templates
• Fixes for paths under Apache2
• Added wrap text with tag support for posting in Mozilla 1.1+
• Fixed use of missing CSS classes in modcp_split, group_info_body, error_body and agreement
• Fixed ability of users to edit polls even after they have received votes
• Fixed header Location to be absolute URL as per HTTP 1.1 spec - noted by PhilippK
• Added additional session_id checks to MCP, topic subscription, PM and similar items
• Fixed colour select box in posting_body to reset to Default colour after selection
• Altered PM icon to show new image until messages have been read
• Fixed incomplete deletion of PMs when removing the associated user
• Fixed unread and new PM user counters to decrement appropriately in all situations
• Fixed possible cross-site scripting issue with username search
• Fixed some problems with gzip in combination with newer PHP versions and Mozilla
• Fixed wrong maxlength in modcp_split.tpl subject field
• Fixed inability to edit username of guest poster - vHiker
• Fixed ability for guests to post with certain registered usernames
• Fixed various HTML issues to improve XHTML compliance - Daz
• Fixed missing template var {L_PM} for memberslist - Daz
• Fixed wrong key name for $images['Topic_un_watch'] - Daz
• Fixed missing template var {S_WATCH_TOPIC_IMG} for viewtopic - Daz
• Fixed missing default constraints for post table under MSSQL
• Fixed incorrect field size for forum pruning - preventing days > 256
• Fixed continuing redirect issues for broken web servers, e.g. IIS+CGI PHP
• Fixed inability to use ftp as a protocol for the [img] tag
• Fixed incorrect handling of [img] tags containing %20 encoded spaces
• Added check for . within cookie_name, change to _ if present
• Added SHOW_ONLINE constant to limit "users online" code operation to index and viewforum
• Added "temporary" workaround for Apache2 + PHP module ignoring "private" cache header
• Added workaround for modcp IP lookup and links to Anonymous user profile
• Fixed broken bbcode parsing of quotes containing bbcode in the "username"
• Fixed excess slashes in [quote=""] first pass encoding
• Fixed rendering issue with quote button under Mozilla - Daz
• Grammatical errors in remaining core lang files fixed - Cluster
• Fixed bbcode quote breaking when username contained ] before [
• Fixed duplicate group_id error during upgrade of users from phpBB 1.x
• Fixed stripslashes() problem with the conversion of the config table from phpBB 1.x
• Rejiggled validation code, may eliminate "Username disallowed" issues
• Fixed differing initial "public" setting of forum permissions between different files
• Added check for invalid (non-compliant) email addresses to upgrade script
• Further redirect workarounds for broken servers, please direct further issues to the vendors
• Added GMT + 13 to English lang_main, all translators are encouraged to do likewise
• Added switch to default_lang email template if user lang template no longer exists
• Fixed javascript error when selecting smiley containing a single quote
• Update users watched topic if a post they made is split into a new topic
• Fixed situations where email templates contain incorrect or missing subject lines
• Fixed error when searching for posts and no forums exist
• Fixed potential SQL vulnerability with marking of private messages - Ulf Harnhammar

1.xx. Changes since 2.0.2

• Fixed potential cross-site scripting vulnerability with avatars - Showscout
• Fixed potential SQL rewrite issue in page header - missing contrib
• Fixed potential CSS/HTML rewrite on viewing in login - Marc Rees
• Fixed (hopefully) issue with MS Access and multiple pages

1.xxi. Changes since 2.0.1

• Fixed missing "username" lang variable in user admin template
• Session work around for users behind rotating IPs - vHiker
• Fixed potential session user_id re-write - Ashe
• Fixed potential cross-browser scripting issue with BBCode URLs
• Fixed potential gallery avatar exploit - Ashe
• Fix sorting of smileys on each function call - Ashe/psoTFX
• Clear topic_mod text output in viewtopic - Lars
• Fix regex for avatar remote urls
• Fix non-updating of user post counts when deleting whole topics
• Increase time limit when sending topic reply notifications
• Set default forum when splitting topics
• Fix non-deletion of uploaded avatars when switching to gallery
• Removed various closing newlines from included files
• Add MAX_ROWS to HEAP table alter in install/upgrade - Ashe
• Update username maxlength for subSilver templates
• Allow ( and ) in BBCode [url] tags
• Fix non-quoting of # in username validation regexs
• Fix overlooked global var in private messaging
• Possible fix for \r\n email templates issues
• Fix missing str_replace for category title forum admin SQL
• Fix trailing , when sending emails via smtp
• Fix avatar issues in user admin
• Fix improper checking of email address ban in sessions
• Fix use of hard coded language strings in forum admin
• Fix missing closing ) in smilies admin
• Fix missing Username label in user admin
• Fix upgrade.php bug where conversion would not complete (and updated other scripts to match the changes)
• Fix problem with redirect and login.php
• Fix typo that could cause problems with sorting in the memberlist
• Fix emailer to allow sending emails with language-specific character sets

1.xxii. Changes since 2.0.0

• Fixed delete image bug for normal users
• Fixed group control panel image links
• Fixed missing L_POST variable in group control panel
• Fixed missing user id when redirecting to email form after login
• Fixed (a)ppend_sid function name error in group control panel
• Fixed reset of post type when previewing a post
• Fixed mass emailer include path error
• Fixed potential SQL exploit
• Fixed several minor subSilver issues
• Fixed [quote] breaking HTML problem
• Fixed problem with unclosed nested quotes
• Fixed bad handling of automagic links at end of quotes
• Fixed potential BBCode and avatar remote exploit
• Altered email validation check to allow + in username as per RFC
• Fixed incorrect behaviour with wildcards in disallowed usernames
• Added missing append_sid for search view results as posts
• Fixed incorrect clearing of current sessions for logged in users
• Fixed user_timezone (cannot update user profile) problem
• Added correct setting of moderator status for users during upgrade
• Fixed handling of uploaded avatars if gallery avatar currently used
• Fixed use of existing username for uploaded avatars
• Fixed updating of topic reply stats when post is deleted
• Fixed irrelevant error message when activating already active account
• Fixed gzip compression problems with Netscape and some PHP versions
• Fixed MS Access layer errors when using latest PHP versions
• Fixed styles admin editing problems with MSSQL Server
• Fixed logout issue when cancelling certain actions
• Fixed missing text in certain admin links
• Fixed opening of frame within frame when logging into admin
• Fixed incorrect ordering of search results by time
• Fixed fulltext searching failure with MS Access
• Hopefully fixed fulltext search with non-latin single byte charsets
• Enabled work-around support for some multi-byte charsets - OOHOO
• Re-enabled search indexing of all-numeric character sequences
• Updated email banning to properly implement wildcards
• Fixed missing extension in links from groupcp
• Fixed lack of re-validation when changing email address
• Added additional IP check when using HTTP_X_FORWARDED_FOR
• Fixed non-display of delete icon when on second or greater topic page
• Fixed problems with users/groups assigned multiple permissions
• Fixed problem with - and + in search words - Matthijs
• Fixed improper handling for deletion of words from search table
• Fixed support for , in automagic URLs as per RFC
• Fixed circular reference SQL errors when deleting posts under MS Access
• Fixed nested [code] problems
• Added charset encoding headers for emails - romutis
• Fixed "Copy to self" emails to use correct language
• Fixed pagination error when limiting previous days for viewforum
• Decreased minimum search word size to 3 chars
• Fixed deletion of one or more options from all polls when editing just one
• Fixed checking of group memberships when promoting/demoting group moderators
• Added database closure to admin frameset page

1.xxiii. Changes since RC-4

• Fixed improper report of general error when posting messages containing errors
• Fixed post text being doubled up if it contained one or more < without closing >
• Fixed pruning errors due to search function name change
• Hopefully fixed various issues which led to incorrect reply and excess page counts
• Fixed groupcp not displaying all email buttons to group moderator or admin
• Fixed failure to display error notice when uploading oversized avatars
• Hopefully corrected problem with viewonline displaying too few/many users online
• Partially addressed issue with activation URLs >76 chars
• Fixed additional search facilities failing to work or working incorrectly
• Fixed search syntax highlighting
• Addressed various webservers handling of page redirects
• Fixed word censor not replacing first or last words
• Fixed avatar height and width check for locally uploaded images
• Hopefully fixed cache control header
• Added check for PM box size limit of 0 to prevent div0 error
• Fixed failure to fully delete PMs in outbox
• Fixed display problem with polls
• Fixed problem with guest username not being displayed for topic results in search
• Fixed problem with quotes in various profile fields
• Fixed schema problem with user_timezone
• Fixed page display issue with MS Access
• Fixed user level issue when altering user from user to admin and vice versa
• Fixed incorrect parseing of some email templates
• Reduced size of MS Access primer
• Fixed various remaining usergroup display issues

1.xxiv. Changes since RC-3

• Addressed serious security issue with included files
• Fixed non-use of database table prefix name during upgrade
• Split functions and profile into separate modules
• Fixed (hopefully) remaining issues with colourisation of moderator usernames
• Updated install to include entry of additional, required, information
• Fixed (hopefully) AOL incompatibilities
• Fixed non-display of moderators in index/viewforum
• Fixed group control panel 'no groups exist' problems
• Fix HTTP_X_FORWARDED_FOR spoofing possibility
• Fix ignoring of private range IP's in HTTP_X_FORWARDED_FOR
• Enable multiple wildcard email banning, eg. *name*@somewhere.tld
• Fix problems with posts being truncated if containing < and > characters
• Prevent URL, BBCode and most smiley parseing in [code][/code]
• Fix problems with use of certain reserved chars in word censor list
• Fix default search useage to be as described (was doing AND by default)
• Fix various avatar issues with profile, gallery and viewtopic
• Enable safe mode support for uploading avatars
• Fix broken modcp IP view issue
• Fix potential session_id re-write vulnerability
• Finish localisation of days and months (AM/PM are not and will not be localised in 2.0)
• Remove link to external subSilver stylesheet from default subSilver templates
• Handle TRANSACTIONS correctly in MySQL 3.x (by returning correct responses)
• Fix checkbox resetting problem while previewing posts
• Fix a login redirect issue
• Remove some additional unused fields during upgrade
• Fix (hopefully) remaining ICQ overlay issue with view profile in subSilver

1.xxv. Changes since RC-2

• Fixed infamous install parse error
• Major update of posting and related search functions (fixing various issues and increasing speed)
• Fixed display of author and last poster names when both are different guest users
• Fixed upgrade stall issues (hopefully!) and improved output
• Fixed highlighting code for viewtopic and search
• Reduced size of several files and functions
• Moved localised images to sub-directories
• Improved user feedback of disallowed usernames
• Fixed various MSSQL bugs
• Fixed installation of MSSQL/MSSQL-ODBC
• Fixed security issue with upgrade.php
• Finished implemention of various additional features
• Fixed various user, group and forum permissions problems
• Fixed issues with BBCode [ and ] (hopefully!)
• Fixed autologin problems with MS IIS
• Hopefully fixed problems with URIs in emails on some server configs
• Fixed 'blank' profile and DB utilities problems on submit
• Fixed incorrect language being used in email subjects
• Fixed issues with incorrect private message new/unread counts
• Fixed various PostgreSQL related errors
• Automatically forward users to login screen in more situations
• AEnabled (coloured) online indication of moderators and admins
• Enabled maximum online user count
• Altered online user count to ignore duplicate IPs (will now underestimate rather than overestimate)
• Enabled viewing of users browsing each forum
• Fixed (hopefully) display of overlayed ICQ icon in Netscape using subSilver
• Fixed display of guest usernames for last post and author
• Hidden usergroups are now completely hidden from view

1.xxvi. Changes since RC-1

• Fixed numerous PostgreSQL related issues
• Significant updates and additions to the upgrade script
• Various (missed) hard coded language strings fixed
• Fixed viewforum error when no forum id specified
• Fixed old constant name useage in search system
• Fixed display of moved posts when viewing unanswered posts
• Fixed failure of search for user and keyword when displaying as posts
• Fixed PM popup notification
• Fixed view more emoticon session page problem
• Fixed view profile email links
• Fixed display of websites in profile
• Fixed backup database failure
• Fixed MS Access schema error when posting topics
• Fixed problem with hypenated/dotted DB names in MySQL 3.23.6+
• Various other fixes and updates

1.xxvii. Changes since RC-1 (pre)

• Upgrade script completed for initial fully functional release
• Sessions code updated
• Mark read code updated and hopefully fixed
• Significant changes to properly deal with \' for non-MySQL boards
• mssql, msaccess and mssql-odbc DB classes re-written
• Avatar issues addressed and fixed
• Search (INSERT) bug using MySQL fixed
• Search highlighting issues addressed
• Search own/other users posts fixed
• BBCode fixes for magic URIs and other issues
• Template updates for subSilver
• User and group permissions problems fixed
• Forum management problems (deletion of forum causing category not to display) fixed
• Pagination problem with groupcp fixed
• Backslash issues with posting and profile fixed
• Backslash issues with emails fixed
• preg_quote problems fixed
• User management updated with full avatar control and missing fields
• Private messaging box limits fixed
• Private messaging ?folder= strangeness fixed
• Forum pruning code updated to cope with search system
• Emoticon system in posting updated
• BBCode FAQ link added to posting form
• Language file updates to address concerns of translators
• Various other bug fixes and updates

Note that a full list of fixed bugs can be found at the bug tracker (see section on bug reporting here)

2. Copyright and disclaimer

This application is opensource software released under the GPL. Please see source code and the Docs directory for more details. This package and its contents are Copyright © 2002 phpBB Group, All Rights Reserved.