phpBB

Development Wiki

Difference between revisions of "Release Highlights/3.0.14"

From phpBB Development Wiki

Latest revision as of 14:23, 3 May 2015

This page highlights important changes in phpBB 3.0.14. For a complete list of changes, please refer to this report.

Security and Hardening

  • Security: An insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login). Thanks to Mathias Karlsson (avlidienbrunn) for bringing this to our attention.
  • Hardening: The HTTP protocol version received via SERVER_PROTOCOL is now verified to have the expected format. See PHPBB3-13765.
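
To illustrate the SERVER_PROTOCOL hardening item, here is an added example of validating the value before it is placed in a status line. It is not phpBB's own code: the function names `safe_server_protocol` and `status_line`, the accepted pattern and the HTTP/1.0 fallback are assumptions.

```php
<?php
// Added example, not phpBB code. Function names, the accepted pattern and
// the fallback value are assumptions made for illustration.

/**
 * Return the protocol version only if the whole string looks like
 * "HTTP/<digit>" or "HTTP/<digit>.<digit>"; otherwise return a fixed value.
 */
function safe_server_protocol(array $server, string $fallback = 'HTTP/1.0'): string
{
    $raw = $server['SERVER_PROTOCOL'] ?? '';

    // \A and \z anchor the entire string; a bare "$" would still accept a
    // trailing newline, which is exactly what must not reach header().
    if (is_string($raw) && preg_match('#\AHTTP/\d(?:\.\d)?\z#', $raw) === 1) {
        return $raw;
    }
    return $fallback;
}

/** Build a status line such as "HTTP/1.1 304 Not Modified". */
function status_line(array $server, int $code, string $reason): string
{
    // Restrict the reason phrase too, so no CR/LF can enter the header.
    $reason = preg_replace('/[^A-Za-z \-]/', '', $reason);
    return safe_server_protocol($server) . ' ' . $code . ' ' . $reason;
}

// Constructed sample inputs: one valid value, two malformed ones, one missing.
$samples = [
    ['SERVER_PROTOCOL' => 'HTTP/1.1'],
    ['SERVER_PROTOCOL' => "HTTP/1.1\r\nX-Injected: 1"],
    ['SERVER_PROTOCOL' => 'HTTP/1.1 200 OK'],
    [],
];

foreach ($samples as $server) {
    // Only the first sample keeps its own version; the rest use the fallback.
    echo status_line($server, 304, 'Not Modified'), PHP_EOL;
}
```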

Notable Changes and Bug Fixes

  • The path to imagick is now correctly verified as an absolute path instead of a relative path. See PHPBB3-13568.
  • download/file.php no longer sends a Content-Length header when issuing "304 Not Modified". See PHPBB3-13414.