phpBB 2 : Creating Communities phpBB 2.0.x CHANGELOG
  1. Changelog
    1. Changes since 2.0.17
    2. Changes since 2.0.16
    3. Changes since 2.0.15
    4. Changes since 2.0.14
    5. Changes since 2.0.13
    6. Changes since 2.0.12
    7. Changes since 2.0.11
    8. Changes since 2.0.10
    9. Changes since 2.0.9
    10. Changes since 2.0.8
    11. Changes since 2.0.7
    12. Changes since 2.0.6
    13. Changes since 2.0.5
    14. Changes since 2.0.4
    15. Changes since 2.0.3
    16. Changes since 2.0.2
    17. Changes since 2.0.1
    18. Changes since 2.0.0
    19. Changes since RC-4
    20. Changes since RC-3
    21. Changes since RC-2
    22. Changes since RC-1
    23. Changes since RC-1 (pre)
  2. Disclaimer

1. Changelog

This is a non-exhaustive (but still near complete) changelog for phpBB 2.0.x including beta and release candidate versions. Our thanks to all those people who've contributed bug reports and code fixes.

l.i. Changes since 2.0.17

bullet[Fix] incorrect handling of password resets if admin activation is enabled (Bug #88)
bullet[Fix] retrieving category rows in index.php (Bug #90)
bullet[Fix] improved index performance by determining the permissions before iterating through all forums (Bug #91)
bullet[Fix] wrong topic redirection after login redirect (Bug #94)
bullet[Fix] improved handling of username lists in admin_ug_auth.php (Bug #98)
bullet[Fix] incorrect removal of bbcode_uid values if bbcode has been turned off (Bug #100)
bullet[Fix] correctly preview signature if editing other users posts (Bug #101)
bullet[Fix] incorrect alt tag on generated search images in groupcp.php, viewtopic.php and usercp_viewprofile.php (Bug #102)
bullet[Fix] consistent forum ordering in all dropdown boxes (Bug #106)
bullet[Fix] correctly get compression status in page_tail.php and page_footer_admin.php (Bug #117)
bullet[Fix] set page title on summary page of groupcp.php (bug #125)
bullet[Fix] correctly test style and avatar in usercp_register.php (bug #129 and #317)
bullet[Fix] handling of reactivation notifications if admin activation is enabled (Bug #145)
bullet[Fix] handling of both forms of translation information used in language packs (Bug #159)
bullet[Fix] key length for activation keys fixed in usercp_sendpassword.php (Bug #171)
bullet[Fix] use GENERAL_MESSAGE constant in message_die instead of MESSAGE (Bug #176)
bullet[Fix] incorrect handling of move stubs (Bug #179)
bullet[Fix] wrong mode_type in memberlist (Bug #187)
bullet[Fix] SQL errors when setting maximum PMs to 0 (Bug #188)
bullet[Fix] removed unused variable from topic_notify email template (Bug #210)
bullet[Fix] removed unset variable from smilies popup window title (Bug #224)
bullet[Fix] removed duplicate template assignment from admin_board.php (Bug #226)
bullet[Fix] incorrect search link for guest posts in modcp.php (Bug #254)
bullet[Fix] all users removed from topics watch table on special occassions (Bug #271)
bullet[Fix] correctly check returned value from strpos in append_sid function (Bug #275)
bullet[Fix] correctly display username in private message notification (Bug #278)
bullet[Fix] fixed "var-by-ref" errors (Bug #322)
bullet[Fix] changed redirection to installation (Bug #325)
bullet[Fix] added timout of 10 seconds to version check (Bug #348)
bullet[Fix] fixed user_level default in postgresql schema file (Bug #444)
bullet[Fix] multiple minor HTML issues with subSilver
bullet[Change] deprecated the use of some PHP 3 compatability functions in favour of the native equivalents
bullet[Change] added 60 days limit for grabbing unread topics in index.php
bullet[Sec] backport of session keys system from olympus
bullet[Sec] fixed email bans to use the same pattern as email validation and allow wildcard domain bans
bullet[Sec] fixed validation of topic type when posting
bullet[Sec] unset database password once it is no longer needed
bullet[Sec] fixed potential to select images outside the specified path as avatars or smilies
bullet[Sec] fix globals de-registration code for PHP5 - (Stefan Esser/Matt Kavanagh)
bullet[Sec] changed avatar gallery code sections to prevent possible injection points (AnthraX101)
bullet[Sec] signature field is not properly sanitised for user input when an error occurs while accessing the avatar gallery (AnthraX101)
bullet[Sec] check to_username and ownership when editing a PM (AnthraX101)
bullet[Sec] fixed ability to edit PM's you did not send (depablo84)
bullet[Sec] compare imagetype on avatar uploading to match the file extension from uploaded file

l.ii. Changes since 2.0.16

bulletAdded extra checks to the deletion code in privmsg.php - reported by party_fan
bulletFixed XSS issue in IE using the url BBCode
bulletFixed admin activation so that you must have administrator rights to activate accounts in this mode - reported by ieure
bulletFixed get_username returning wrong row for usernames beginning with numerics - reported by Ptirhiik
bulletPass username through phpbb_clean_username within validate_username function - AnthraX101
bulletFixed PHP error in message_die function
bulletFixed incorrect generation of {postrow.SEARCH_IMG} tag in viewtopic.php - reported by Double_J
bulletAlso fixed above issue in usercp_viewprofile.php
bulletFixed incorrect setting of user_level on pending members if a group is granted moderator rights - reported by halochat
bulletFixed ordering of forums on admin_ug_auth.php to be consistant with other pages
bulletCorrectly set username on posts when deleting a user from the admin panel

l.iii. Changes since 2.0.15

bulletFixed critical issue with highlighting - Discovered and fix provided by Ron van Daal
bulletUrl descriptions able to be wrapped over more than one line again
bulletFixed bug with eAccelerator in admin_ug_auth.php
bulletCheck new_forum_id for existence in modcp.php - alessnet
bulletPrevent uploading avatars with no dimensions - Xpert
bulletFixed bug in usercp_register.php, forcing avatar file removal without updating avatar informations within the database - HenkPoley
bulletFixed bug in admin re-authentication redirect for servers not having index.php as one of their default files set

l.iv. Changes since 2.0.14

bulletFixed moderator status removal in groupcp.php
bulletRemoved newlines after ?> on some files - Thoul
bulletAdded admin re-authentication (admin needs to login seperatly to access the ACP) - backported from Olympus
bulletFixed vulnerability in url/bbcode handling functions - PapaDos and Paul/Zhen-Xjell from CastleCops
bulletFixed issue in admin/admin_forums.php
bulletSuppressed warning message for fsockopen in /includes/smtp.php - Thoul
bulletFixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - Exy
bulletAdjusted documents to reflect the urgent need to update the files too (not only running the database update script)
bulletUpdated the readme file
bulletAdded one new language variable
bulletAdded general error if accessing profile for a non-existent user
bulletChanged session id generation to be more unique - Henno Joosep
bulletFixed bug in highlight code to escape characters correctly
bulletReversed the 2.0.14 fix for postgresql because it produced more problems than it solves.
bulletAdded reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
bulletFixed bypassing of validate_username on registration - Yen
bulletEmpty url/img bbcodes no longer get parsed

l.v. Changes since 2.0.13

bulletHardened author and keyword search a bit to not allow very server intensive searches
bulletFixed full path disclosure in bad word parsing
bulletResetting complete userdata array in session code if authentication fails
bulletFixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
bulletFixed bug in session code where empty page ids could lead to an "error creating new session" sql error
bulletFixed html handling in signatures if html is turned off globally
bulletFixed install.php problem with PHP5 register_long_arrays option turned off
bulletFixed potential issues with styling system
bulletAdded correct class to login_body template file
bulletRemoved file db/oracle.php from package
bulletRemoved version number from message body page in /admin (if user is not an admin) - mikelbeck
bulletFixed case-sensitivity issues in postgres7.php - R45 Changes since 2.0.12

bulletOmmitted preg_replace warning in viewtopic due to improper working of preg_quote in PHP - originally reported by matrix_killer, fix submitted by another party
bulletFixed high severity issue in session handling allowing everyone gaining administrator rights. Please update as soon as possible.
bulletMinimum requirements raised to PHP 4.0.3 or above due to fixing vulnerability issues breaking PHP3 compatibility.

l.vii. Changes since 2.0.11

bulletAdded confirm table to admin_db_utilities.php
bulletPrevented full path display on critical messages
bulletFixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
bulletAdded exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
bulletFixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
bulletFixed arbitrary file unlink vulnerability in avatar handling functions - AnthraX101
bulletRemoved version number from powered by line
bulletMerged database update files to update_to_latest.php file
bulletFixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
bulletFixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer

l.viii. Changes since 2.0.10

bulletFixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible)
bulletFixed unsetting global vars - Matt Kavanagh
bulletFixed XSS vulnerability in username handling - AnthraX101
bulletFixed not confirmed sql injection in username handling - warmth
bulletAdded check for empty topic id in topic_review function
bulletAdded visual confirmation mod to code base

l.ix. Changes since 2.0.9

bulletFixed deleting of styles in admin_styles.php
bulletFixed wrong unsetting of variables introduced in phpBB 2.0.9, making the board non-functional for users with specific php.ini settings
bulletAdded code to let phpBB work with PHP5 for those having register_long_arrays set to off (default settings) - running phpBB 2.0.x with PHP5 is not supported at
bulletFixed bug in admin_board.php for board settings having single quotes in it
bulletFixed "search by author" in search.php. Now it is possible to search for users with special chars in their name too
bulletFixed forum jumpbox propagating session id in moderator control pages
bulletAdded check for newlines at redirecting pages, to prevent http response splitting attacks - Ory Segal and Amit Klein
bulletFixed visual confirmation code. The image was not created due to a wrong regular expression.

l.x. Changes since 2.0.8

bulletFixed one vulnerability in admin_board.php - Xore
bulletAdded checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
bulletFixed injection vulnerabilities possible with linked avatars
bulletImplemented unsetting globalised variables
bulletLimited confirm switch to POST variable in posting
bulletChanged IP code in common.php to prevent IP spoofing, which might introduce some problems with private IP Ranges showing up. - Wang Products
bulletUpdated visual confirmation mod [pre-edited files]
bulletMoved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
bulletAdded the ability to link to https/ftps sites using the img bbcode tag
bulletFixed user online information in admin/index.php
bulletFixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
bulletFixed use of non-existing result variable in modcp (poster_id instead of user_id)
bulletFixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
bulletFixed problem with SID not delivered to next page in groupcp.php

l.xi. Changes since 2.0.7

bulletFixed several vulnerabilities in admin pages
bulletFixed sid checking code in admin/pagestart.php
bulletFixed injection vulnerabilities possible with the img bbcode tag
bulletLimited allowed images in img bbcode tag to jpg, jpeg, gif and png
bulletFixed redirect problems - 2.0.7a
bulletFixed sql injection vulnerability in search - 2.0.7a
bulletFixed sql injection vulnerability in privmsg - 2.0.8a

1.xii. Changes since 2.0.6

bulletFixed several vulnerabilities in modcp - Robert Lavierck
bulletChanged whois lookup address within admin index
bulletFixed potential vulnerability in viewtopic postorder - 2.0.6d
bulletUpdates to cope with Zend Optimizer 2.5 problems - 2.0.6d - jetset
bulletForce specialcharing of redirect variable in login - Pit
bulletFixed potential vulnerability in viewtopic postdays - GulfTech Security Research
bulletFixed potential vulnerability in viewforum topicdays - GulfTech Security Research
bulletFixed potential vulnerability in modcp
bulletFixed potential vulnerability in avatar gallery

1.xiii. Changes since 2.0.5

bulletFixed various email issues
bulletFixed registration email bug with Administrator Confirmation used
bulletFixed mass emailer
bulletFixed long post time issue
bulletFixed bug with usernames containing single quotes
bulletFixed word list bug - Word boundaries were not considered
bulletFixed vulnerability in style admin
bulletFixed sql injection vulnerability in viewtopic
bulletFixed vulnerability allowing server side variable access in search - tendor
bulletFixed potential vulnerability in 2.0.5 login username entry - throw away/eomer
bulletFixed sql injection with reset date format field in profile - tendor

1.xiv. Changes since 2.0.4

bulletRemoved user facing session_id checks
bulletFixed user self-activation after deactivation
bulletFixed incorrect functioning of phpbb_realpath
bulletFixed wrong path to database schema files within the upgrade script
bulletFixed double quote problem with username validation
bulletAllow & within email addresses
bulletFixed email validation for banned email addresses
bulletRemoved underline from email domain validation
bulletFixed redirection for sentbox folder, installation and email
bulletFixed poll deletion
bulletFixed Mozilla navigation bar
bulletFixed URL bbcode parsing
bulletFixed database timeouts while searching the forums
bulletFixed wrong email return path in admin mass mailing - netclectic
bulletFixed MS-SQL failures within the update script
bulletFixed memberlist sort order
bulletFixed not showing leading spaces within Code BBCode
bulletFixed problem with adding double quotes to subject titles
bulletRemove username input field from profile when user cannot change name
bulletFixed pagination error with highlighting
bulletFixed errors if no smilies are installed
bulletFixed CSS issues with IE 5.2 on MacOS X
bulletFixed missing sid propagation problem within the Moderator Control Panel
bulletFixed language variables within Authentication error output
bulletRemoved doubled CSS class definitions within input fields
bulletFixed username change within the Administration Panel
bulletAdded missing <tr> tags to index_body.tpl
bulletAdded missing username language variable to admin index page
bulletFixed moderator status update if a usergroup got deleted
bulletFixed poll handling upon post edit
bulletFixed remove common words from search table if post get pruned - Nuttzy99
bulletFixed behaviour on splitting topics if no checkbox is selected
bulletAnonymous is no longer displayed within Username dropdown boxes
bulletFixed viewprofile redirection if an invalid mode was specified
bulletFixed fraction settings within determining common words - Novan
bulletPrevent admin change usernames to his own within the ACP
bulletActivation email is sent to all admins
bulletFixed conversion of & to &amp; in appropriate cases
bulletFixed display of "greater than topics per page" announcements preventing display of normal posts
bulletAdded variable checks to database backup and restore screen
bulletPrevented pm popup window from resetting after visiting avatar gallery
bulletFixed special character handling with word censor
bulletAdded SID to jumpbox
bulletFixed problems with usernames using html special chars
bulletAdded GMT + 13 to English lang_main, all translators are encouraged to do likewise
bulletDeleted doubled 'U_MEMBERLIST' assignment from page_header.php
bulletFixed wrong display of Signature Checkbox while editing Private Message
bulletFixed disappearing post text if emoticon was inserted directly after pressing a BBCode button
bulletDisplay correct alt-tag for smilies within postings
bulletPrevented the ability to apply BBCode to website contents
bulletFixed maxlength issue with password field in login_body.tpl
bulletFixed possible username duplication issue with validation and username length
bulletFixed split words function to handle additional foreign characters
bulletChanged empty email To Field to use a non-disclosure delimiter
bulletFixed wrong language var in install.php - FTP Config screen
bulletFixed alt tag for locked topic images in viewforum_body.tpl
bulletFixed typo in groupcp.php - $lang['Unsub_success'] instead of $lang['Usub_success']
bulletFixed timezone display
bulletFixed wrong display of author quote tag within profile - Cl1mh4224rd
bulletAdded deletion of sessions of users whose account is deactivated
bulletAdded mail header X-MimeOLE to the emailer class
bulletPrevent registration if user is logged in or user trying to register again
bulletPrevent usage of char(255) in usernames
bulletAdded check for additional FORWARDED_FOR IP's - cosmos
bulletFixed handling of non-selection of option when voting
bulletFixed potential xss issue with memberslist mode
bulletDefault English support for visual confirmation - translators are encouraged to support this

1.xv. Changes since 2.0.3

bulletFixed cross-browser scripting issue with highlight param
bulletBack-ported highlighting code from phpBB 2.2
bulletAdd session id validation to posting, profile, email, voting - Edwin van Vliet
bulletAdded {S_HIDDEN_FIELDS} template var to profile_send_email.tpl
bulletAdded "intval" fix for flood check, may resolve some issues
bulletAdded missing index to post_id for search_wordmatch
bulletFixed spelling error in search add words preventing use of stopword list
bulletFixed issue with search common words not being run
bulletIntroduce viewtopic resync patch by Ashe
bulletReplace a for n in templating code
bulletFixed ordering in memberslist
bulletFixed group_id sequence issues with pgsql and msaccess
bulletFixed assumption of word censors in user notification
bulletFixed incorrect display of quotes in user management fields
bulletFixed entry of special chars in all profile fields - note this may cause temporary issues
bulletFixed incorrect display of quotes when using avatar gallery
bulletFixed missing username in email sent to users when admin activated
bulletAdded check for non-empty smiley code and url in smiley admin
bulletPrevent display of -- sig seperator in emails when no board sig exists
bulletFixed URL propagated sid issues with jumpbox
bulletFixed wrong mode name check (polldelete) in functions_post
bulletAdded missing root path to l10n image path check
bulletRemove validation of fields when deleting a user
bulletFixed sort mode select box in memberslist to default to current mode
bulletDeny inline topic review listing to users without auth_read permissions
bulletPrevent display of topic notification checkbox if user cannot read forum
bulletRemove incorrect pre-pending of IP to uploaded avatars
bulletFixed deletion of uploaded avatars when changing to remote/gallery
bulletAdded check for non-blank line during install schema/basic sql ops
bulletAdded sort ordering to Top Ten poster listing by request
bulletFixed incorrect error report when altering case of username
bulletAdded jumpbox output to modcp {JUMPBOX} will now work
bulletFixed non-updating of users with MOD levels when deleting a forum
bulletRemove email to group moderator when approving new members
bulletFixed non-handling of HTML in poll options
bulletFixed non-deletion of polls when deleting forum and its posts
bulletFixed moved shadow topic from being bumped upon reply
bulletChanged field size of timezone to decimal(5,2) where applicable
bulletFixed missing sid append to URL when redirecting to newest reply
bulletFixed missing slashes in private IP preg check
bulletFixed session not setting userdata['user_id'] to ANON as appropriate
bulletAdded check for non-empty name in disallow admin
bulletFixed validation of SSL website addresses in profile
bulletFixed inability of admins to upload avatars via user admin panel
bulletFixed non-deletion of private message text upon full box overwrite
bulletFixed incorrect error message in smiley admin
bulletFixed incorrect alt-text for "Stop Watching Topic" image
bulletTemporary fix for missing lang strings in forum admin - translators should update their packages if not done already
bulletUse selected localisation during later stages of installation
bulletFixed non-check of permissions when deleting a topic via Moderator Control Panel
bulletFixed non-update of banlist upon user deletion
bulletCheck approved users boxes by default in usergroup approve form
bulletFixed non-appending of sid to backup meta refresh
bulletFixed non-notification of no support for certain databases in backup/restore
bulletAdded $images var to message die global declaration
bulletFixed wrong string, Private_message in Private Messaging
bulletAdd mail send result to error output
bulletFixed non-appending of sid to Mozilla nav bar menu items
bulletFixed incorrect profile linking from MSNM url in private messaging
bulletGrammatical errors in English lang_main fixed - Cluster
bulletAllow deletion of avatar and simultaneous upload/linking/gallery selection
bulletFixed non-updating of user rank when changing from special to normal rank in rank admin
bulletChanged user topic notification default in schemas to 0 (off)
bulletFixed non-XHTML compliant img tags in privmsg.php
bulletFixed non-deletion of announcements and polls when removing forum contents in forum admin
bulletFixed non-pruning of watched topics table when pruning related topics
bulletEnable GET redirect on logout
bulletAdded check for IE6.x to viewtopic ICQ indicator javascript
bulletFixed empty username quoting with MS-SQL
bulletFixed BBCode url, magic url and img tags to allow most chars beyond domain names
bulletPrevent parsing of -ve size values in BBCode size tag
bulletBack ported HTML handler from 2.2, this may impact some boards which allow complex HTML - existing parser remains but commented out
bulletFixed parsing of word censors to not censor words within < and > tag delimiters
bulletFixed database utilities failing to backup data with MySQL
bulletFixed signature parsing in User Admin
bulletFixed missing class="post" tags in subSilver Admin templates
bulletFixes for paths under Apache2
bulletAdded wrap text with tag support for posting in Mozilla 1.1+
bulletFixed use of missing CSS classes in modcp_split, group_info_body, error_body and agreement
bulletFixed ability of users to edit polls even after they have received votes
bulletFixed header Location to be absolute URL as per HTTP 1.1 spec - noted by PhilippK
bulletAdded additional session_id checks to MCP, topic subscription, PM and similar items
bulletFixed colour select box in posting_body to reset to Default colour after selection
bulletAltered PM icon to show new image until messages have been read
bulletFixed incomplete deletion of PMs when removing the associated user
bulletFixed unread and new PM user counters to decrement appropriately in all situations
bulletFixed possible cross-site scripting issue with username search
bulletFixed some problems with gzip in combination with newer PHP versions and Mozilla
bulletFixed wrong maxlength in modcp_split.tpl subject field
bulletFixed inability to edit username of guest poster - vHiker
bulletFixed ability for guests to post with certain registered usernames
bulletFixed various HTML issues to improve XHTML compliance - Daz
bulletFixed missing template var {L_PM} for memberslist - Daz
bulletFixed wrong key name for $images['Topic_un_watch'] - Daz
bulletFixed missing template var {S_WATCH_TOPIC_IMG} for viewtopic - Daz
bulletFixed missing default constraints for post table under MSSQL
bulletFixed incorrect field size for forum pruning - preventing days > 256
bulletFixed continuing redirect issues for broken web servers, e.g. IIS+CGI PHP
bulletFixed inability to use ftp as a protocol for the [img] tag
bulletFixed incorrect handling of [img] tags containing %20 encoded spaces
bulletAdded check for . within cookie_name, change to _ if present
bulletAdded SHOW_ONLINE constant to limit "users online" code operation to index and viewforum
bulletAdded "temporary" workaround for Apache2 + PHP module ignoring "private" cache header
bulletAdded workaround for modcp IP lookup and links to Anonymous user profile
bulletFixed broken bbcode parsing of quotes containing bbcode in the "username"
bulletFixed excess slashes in [quote=""] first pass encoding
bulletFixed rendering issue with quote button under Mozilla - Daz
bulletGrammatical errors in remaining core lang files fixed - Cluster
bulletFixed bbcode quote breaking when username contained ] before [
bulletFixed duplicate group_id error during upgrade of users from phpBB 1.x
bulletFixed stripslashes() problem with the conversion of the config table from phpBB 1.x
bulletRejiggled validation code, may eliminate "Username disallowed" issues
bulletFixed differing initial "public" setting of forum permissions between different files
bulletAdded check for invalid (non-compliant) email addresses to upgrade script
bulletFurther redirect workarounds for broken servers, please direct further issues to the vendors
bulletAdded GMT + 13 to English lang_main, all translators are encouraged to do likewise
bulletAdded switch to default_lang email template if user lang template no longer exists
bulletFixed javascript error when selecting smiley containing a single quote
bulletUpdate users watched topic if a post they made is split into a new topic
bulletFixed situations where email templates contain incorrect or missing subject lines
bulletFixed error when searching for posts and no forums exist
bulletFixed potential SQL vulnerability with marking of private messages - Ulf Harnhammar

1.xvi. Changes since 2.0.2

bulletFixed potential cross-site scripting vulnerability with avatars - Showscout
bulletFixed potential SQL rewrite issue in page header - missing contrib
bulletFixed potential CSS/HTML rewrite on viewing in login - Marc Rees
bulletFixed (hopefully) issue with MS Access and multiple pages

1.xvii. Changes since 2.0.1

bulletFixed missing "username" lang variable in user admin template
bulletSession work around for users behind rotating IPs - vHiker
bulletFixed potential session user_id re-write - Ashe
bulletFixed potential cross-browser scripting issue with BBCode URLs
bulletFixed potential gallery avatar exploit - Ashe
bulletFix sorting of smileys on each function call - Ashe/psoTFX
bulletClear topic_mod text output in viewtopic - Lars
bulletFix regex for avatar remote urls
bulletFix non-updating of user post counts when deleting whole topics
bulletIncrease time limit when sending topic reply notifications
bulletSet default forum when splitting topics
bulletFix non-deletion of uploaded avatars when switching to gallery
bulletRemoved various closing newlines from included files
bulletAdd MAX_ROWS to HEAP table alter in install/upgrade - Ashe
bulletUpdate username maxlength for subSilver templates
bulletAllow ( and ) in BBCode [url] tags
bulletFix non-quoting of # in username validation regexs
bulletFix overlooked global var in private messaging
bulletPossible fix for \r\n email templates issues
bulletFix missing str_replace for category title forum admin SQL
bulletFix trailing , when sending emails via smtp
bulletFix avatar issues in user admin
bulletFix improper checking of email address ban in sessions
bulletFix use of hard coded language strings in forum admin
bulletFix missing closing ) in smilies admin
bulletFix missing Username label in user admin
bulletFix upgrade.php bug where conversion would not complete (and updated other scripts to match the changes)
bulletFix problem with redirect and login.php
bulletFix typo that could cause problems with sorting in the memberlist
bulletFix emailer to allow sending emails with language-specific character sets

1.xviii. Changes since 2.0.0

bulletFixed delete image bug for normal users
bulletFixed group control panel image links
bulletFixed missing L_POST variable in group control panel
bulletFixed missing user id when redirecting to email form after login
bulletFixed (a)ppend_sid function name error in group control panel
bulletFixed reset of post type when previewing a post
bulletFixed mass emailer include path error
bulletFixed potential SQL exploit
bulletFixed several minor subSilver issues
bulletFixed [quote] breaking HTML problem
bulletFixed problem with unclosed nested quotes
bulletFixed bad handling of automagic links at end of quotes
bulletFixed potential BBCode and avatar remote exploit
bulletAltered email validation check to allow + in username as per RFC
bulletFixed incorrect behaviour with wildcards in disallowed usernames
bulletAdded missing append_sid for search view results as posts
bulletFixed incorrect clearing of current sessions for logged in users
bulletFixed user_timezone (cannot update user profile) problem
bulletAdded correct setting of moderator status for users during upgrade
bulletFixed handling of uploaded avatars if gallery avatar currently used
bulletFixed use of existing username for uploaded avatars
bulletFixed updating of topic reply stats when post is deleted
bulletFixed irrelevant error message when activating already active account
bulletFixed gzip compression problems with Netscape and some PHP versions
bulletFixed MS Access layer errors when using latest PHP versions
bulletFixed styles admin editing problems with MSSQL Server
bulletFixed logout issue when cancelling certain actions
bulletFixed missing text in certain admin links
bulletFixed opening of frame within frame when logging into admin
bulletFixed incorrect ordering of search results by time
bulletFixed fulltext searching failure with MS Access
bulletHopefully fixed fulltext search with non-latin single byte charsets
bulletEnabled work-around support for some multi-byte charsets - OOHOO
bulletRe-enabled search indexing of all-numeric character sequences
bulletUpdated email banning to properly implement wildcards
bulletFixed missing extension in links from groupcp
bulletFixed lack of re-validation when changing email address
bulletAdded additional IP check when using HTTP_X_FORWARDED_FOR
bulletFixed non-display of delete icon when on second or greater topic page
bulletFixed problems with users/groups assigned multiple permissions
bulletFixed problem with - and + in search words - Matthijs
bulletFixed improper handling for deletion of words from search table
bulletFixed support for , in automagic URLs as per RFC
bulletFixed circular reference SQL errors when deleting posts under MS Access
bulletFixed nested [code] problems
bulletAdded charset encoding headers for emails - romutis
bulletFixed "Copy to self" emails to use correct language
bulletFixed pagination error when limiting previous days for viewforum
bulletDecreased minimum search word size to 3 chars
bulletFixed deletion of one or more options from all polls when editing just one
bulletFixed checking of group memberships when promoting/demoting group moderators
bulletAdded database closure to admin frameset page

1.xix. Changes since RC-4

bulletFixed improper report of general error when posting messages containing errors
bulletFixed post text being doubled up if it contained one or more < without closing >
bulletFixed pruning errors due to search function name change
bulletHopefully fixed various issues which led to incorrect reply and excess page counts
bulletFixed groupcp not displaying all email buttons to group moderator or admin
bulletFixed failure to display error notice when uploading oversized avatars
bulletHopefully corrected problem with viewonline displaying too few/many users online
bulletPartially addressed issue with activation URLs >76 chars
bulletFixed additional search facilities failing to work or working incorrectly
bulletFixed search syntax highlighting
bulletAddressed various webservers handling of page redirects
bulletFixed word censor not replacing first or last words
bulletFixed avatar height and width check for locally uploaded images
bulletHopefully fixed cache control header
bulletAdded check for PM box size limit of 0 to prevent div0 error
bulletFixed failure to fully delete PMs in outbox
bulletFixed display problem with polls
bulletFixed problem with guest username not being displayed for topic results in search
bulletFixed problem with quotes in various profile fields
bulletFixed schema problem with user_timezone
bulletFixed page display issue with MS Access
bulletFixed user level issue when altering user from user to admin and vice versa
bulletFixed incorrect parseing of some email templates
bulletReduced size of MS Access primer
bulletFixed various remaining usergroup display issues

1.xx. Changes since RC-3

bulletAddressed serious security issue with included files
bulletFixed non-use of database table prefix name during upgrade
bulletSplit functions and profile into separate modules
bulletFixed (hopefully) remaining issues with colourisation of moderator usernames
bulletUpdated install to include entry of additional, required, information
bulletFixed (hopefully) AOL incompatibilities
bulletFixed non-display of moderators in index/viewforum
bulletFixed group control panel 'no groups exist' problems
bulletFix HTTP_X_FORWARDED_FOR spoofing possibility
bulletFix ignoring of private range IP's in HTTP_X_FORWARDED_FOR
bulletEnable multiple wildcard email banning, eg. *name*@somewhere.tld
bulletFix problems with posts being truncated if containing < and > characters
bulletPrevent URL, BBCode and most smiley parseing in [code][/code]
bulletFix problems with use of certain reserved chars in word censor list
bulletFix default search useage to be as described (was doing AND by default)
bulletFix various avatar issues with profile, gallery and viewtopic
bulletEnable safe mode support for uploading avatars
bulletFix broken modcp IP view issue
bulletFix potential session_id re-write vulnerability
bulletFinish localisation of days and months (AM/PM are not and will not be localised in 2.0)
bulletRemove link to external subSilver stylesheet from default subSilver templates
bulletHandle TRANSACTIONS correctly in MySQL 3.x (by returning correct responses)
bulletFix checkbox resetting problem while previewing posts
bulletFix a login redirect issue
bulletRemove some additional unused fields during upgrade
bulletFix (hopefully) remaining ICQ overlay issue with view profile in subSilver

1.xxi. Changes since RC-2

bulletFixed infamous install parse error
bulletMajor update of posting and related search functions (fixing various issues and increasing speed)
bulletFixed display of author and last poster names when both are different guest users
bulletFixed upgrade stall issues (hopefully!) and improved output
bulletFixed highlighting code for viewtopic and search
bulletReduced size of several files and functions
bulletMoved localised images to sub-directories
bulletImproved user feedback of disallowed usernames
bulletFixed various MSSQL bugs
bulletFixed installation of MSSQL/MSSQL-ODBC
bulletFixed security issue with upgrade.php
bulletFinished implemention of various additional features
bulletFixed various user, group and forum permissions problems
bulletFixed issues with BBCode [ and ] (hopefully!)
bulletFixed autologin problems with MS IIS
bulletHopefully fixed problems with URIs in emails on some server configs
bulletFixed 'blank' profile and DB utilities problems on submit
bulletFixed incorrect language being used in email subjects
bulletFixed issues with incorrect private message new/unread counts
bulletFixed various PostgreSQL related errors
bulletAutomatically forward users to login screen in more situations
bulletAEnabled (coloured) online indication of moderators and admins
bulletEnabled maximum online user count
bulletAltered online user count to ignore duplicate IPs (will now underestimate rather than overestimate)
bulletEnabled viewing of users browsing each forum
bulletFixed (hopefully) display of overlayed ICQ icon in Netscape using subSilver
bulletFixed display of guest usernames for last post and author
bulletHidden usergroups are now completely hidden from view

1.xxii. Changes since RC-1

bulletFixed numerous PostgreSQL related issues
bulletSignificant updates and additions to the upgrade script
bulletVarious (missed) hard coded language strings fixed
bulletFixed viewforum error when no forum id specified
bulletFixed old constant name useage in search system
bulletFixed display of moved posts when viewing unanswered posts
bulletFixed failure of search for user and keyword when displaying as posts
bulletFixed PM popup notification
bulletFixed view more emoticon session page problem
bulletFixed view profile email links
bulletFixed display of websites in profile
bulletFixed backup database failure
bulletFixed MS Access schema error when posting topics
bulletFixed problem with hypenated/dotted DB names in MySQL 3.23.6+
bulletVarious other fixes and updates

1.xxiii. Changes since RC-1 (pre)

bulletUpgrade script completed for initial fully functional release
bulletSessions code updated
bulletMark read code updated and hopefully fixed
bulletSignificant changes to properly deal with \' for non-MySQL boards
bulletmssql, msaccess and mssql-odbc DB classes re-written
bulletAvatar issues addressed and fixed
bulletSearch (INSERT) bug using MySQL fixed
bulletSearch highlighting issues addressed
bulletSearch own/other users posts fixed
bulletBBCode fixes for magic URIs and other issues
bulletTemplate updates for subSilver
bulletUser and group permissions problems fixed
bulletForum management problems (deletion of forum causing category not to display) fixed
bulletPagination problem with groupcp fixed
bulletBackslash issues with posting and profile fixed
bulletBackslash issues with emails fixed
bulletpreg_quote problems fixed
bulletUser management updated with full avatar control and missing fields
bulletPrivate messaging box limits fixed
bulletPrivate messaging ?folder= strangeness fixed
bulletForum pruning code updated to cope with search system
bulletEmoticon system in posting updated
bulletBBCode FAQ link added to posting form
bulletLanguage file updates to address concerns of translators
bulletVarious other bug fixes and updates

Note that a full list of fixed bugs can be found at the bug tracker (see section on bug reporting here)

2. Copyright and disclaimer

This application is opensource software released under the GPL. Please see source code and the Docs directory for more details. This package and its contents are Copyright 2002 phpBB Group, All Rights Reserved.