phpBB 2.0.9 to phpBB 2.0.10 Code Changes

These are the code changes introduced between phpBB 2.0.9 and phpBB 2.0.10. If you have installed many hacks on a forum, but wish to update it, these may help you. It is often easier to apply code changes such as these instead of replacing and rehacking your current files.

These code changes use the following instruction labels:
filename - The name of a file to be edited. Equivalent to an OPEN action in a hack or modification. FIND - This indicates lines of code you should locate. Changes will be made in reference to this code.
REPLACE WITH - This code should completely replace the code in the preceding FIND instruction.
AFTER, ADD - The code in this instruction should be added on a new line after the last line of code in the preceding FIND instruction.
BEFORE, ADD - The code in this instruction should be added on a new line before the first line of code in the preceding FIND instruction.
FIND AND DELETE - Locate the code in this instruction as with a FIND statement, and then delete the code.

Once you have completed the code changes, create an install/ directory in your forum's root directory, and upload the update_to_210.php file that comes in any phpBB 2.0.10 download to the install/ directory. Run update_to_210.php by opening it via your web browser, just as you would a normal forum page. Afterward, delete the file and the install/ directory so that your forum is accessible again.

Now, onward to the file changes!

admin/admin_board.php
FIND

		Code:
			      $default_config[$config_name] = str_replace("'", "\'", $config_value);

REPLACE WITH

		Code:
			      $default_config[$config_name] = isset($HTTP_POST_VARS['submit']) ? str_replace("'", "\'", $config_value) : $config_value;

admin/admin_styles.php
FIND

		Code:
			$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE;

require('./pagestart.' . $phpEx);

AFTER, ADD

		Code:
			$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;


$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

common.php
FIND

		Code:
			         unset_vars(${$var_prefix . $var . $var_suffix});

AFTER, ADD

		Code:
			         @reset(${$var_prefix . $var . $var_suffix});

FIND

		Code:
			         unset_vars(${$var});

AFTER, ADD

		Code:
			         @reset(${$var});

FIND

		Code:
			      unset_vars(${'_FILES'});

AFTER, ADD

		Code:
			      @reset(${'_FILES'});

FIND

		Code:
			      unset_vars(${'HTTP_POST_FILES'});

AFTER, ADD

		Code:
			      @reset(${'HTTP_POST_FILES'});

FIND

		Code:
			//

// addslashes to vars if magic_quotes_gpc is off

// this is a security precaution to prevent someone

// trying to break out of a SQL statement.

//

BEFORE, ADD

		Code:
			// PHP5 with register_long_arrays off?

if (!isset($HTTP_POST_VARS) && isset($_POST))

{

   $HTTP_POST_VARS = $_POST;

   $HTTP_GET_VARS = $_GET;

   $HTTP_SERVER_VARS = $_SERVER;

   $HTTP_COOKIE_VARS = $_COOKIE;

   $HTTP_ENV_VARS = $_ENV;

   $HTTP_POST_FILES = $_FILES;

}

		Code:
			               $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';


               $redirect = str_replace('?', '&', $redirect);

AFTER, ADD

		Code:
			               if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))

               {

                  message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');

               }

FIND

		Code:
			         $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "";


         $redirect = str_replace("?", "&", $redirect);

AFTER, ADD

		Code:
			         if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))

         {

            message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');

         }

search.php
FIND

		Code:
			   $search_author = ( isset($HTTP_POST_VARS['search_author']) ) ? $HTTP_POST_VARS['search_author'] : $HTTP_GET_VARS['search_author'];

AFTER, ADD

		Code:
			   $search_author = htmlspecialchars($search_author);

includes/functions.php
FIND

		Code:
			   if ( !empty($SID) )

   {

      $boxstring .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';

   }

REPLACE WITH

		Code:
			   // Let the jumpbox work again in sites having additional session id checks.

//   if ( !empty($SID) )

//   {

      $boxstring .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';

//   }

FIND

		Code:
			   if (!empty($db))

   {

      $db->sql_close();

   }

AFTER, ADD

		Code:
			   if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r"))

   {

      message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');

   }

Code from phpBB 2.0.9 and 2.0.10 is copyright by the phpBB Group. Find these and other code changes at phpBBHacks.com and phpBB Smith.
Compiled by your friendly neighborhood Thoul from the phpBB 2.0.9 - 2.0.10 patch file.