Hosting Simple Machines Forum

2.0.17

2 January 2020 - 22MB
Fixes a bug that could cause SMF 2.0.16 to start consuming significant amounts of CPU-resources when the RSS function was used.

Eliminates some deprecated function warnings when using SSI.php on PHP 7.2+.

Read more: https://www.simplemachines.org/community/index.php?topic=571067.0






2.0.16
 (security release)
27 December 2019 - 22MBHighlights

Support for privacy policy in addition to registration agreement

GDPR Compliance toggle in Core Features

Enabling this configures multiple settings and new features to comply with the GDPR, including:

Requiring members to accept the current privacy policy in order to use the forum

Asking during registration whether the new member wants to receive announcements via email

Enabling token-based unsubscribe links in emails so members can unsubscribe without logging in

Allowing members to download a copy of their profile information

Adjusting the behaviour of a number of other features in minor ways as necessary

PHP 7.2 support

Improved security hashes for the image proxy

Improved security for the login cookie

Assorted other security improvements

Various improvements for both the installer and upgrader



Changes

Updated credits.

Revert the fix to search highlighting [topic 550840]

Generates $auth_secret during install, so that the admin can log in immediately.

Improves UI for viewing/accepting changes to registration agreement & privacy policy.

Improves UI for editing registration agreement & privacy policy.

Correctly decides whether to search using a regex when using full text search.

Prevents errors converting HTML entities to 4-byte characters during database maintenance.

Removes old 1.1 themes during upgrade.

Implements a number of fixes for the installer and upgrader.

Removes deprecated ALTER IGNORE statements from upgrade SQL.

Ensures check_mime_type() is defined before calling it in profileSaveAvatarData().

Fixes a bug with regex searching in SQLite.

Removes redundant count() in Poll.php and changes explode for implode.

Uses hash_hmac to generate much more secure hashes for the image proxy.

Adds `rel="noopener noreferrer"` to links for user supplied URLs. (Reported by Travis Knapp-Prasek)

Increases cookie security by hashing with a secret authentication key. (Reported by Logan Whitmire)

Requires admin password to add/remove admins via group moderation. (Reported by Logan Whitmire)

Checks MIME type of user-supplied avatar images more thoroughly. (Reported by Logan Whitmire)

Adds $force parameter to validateSession()

Improves functionality and security of token-based unsubscribe system.

Adds token-based unsubscribe links to newsletters.

Simplifies language strings and templates for unsubscribe links.

Shows an error message if trying to unsubscribe an invalid member id.

Prevents sending newletters to arbitrary email addresses in GDPR mode.

Fixed create_function for the installer, warn for SQLite deprecation.

Limit PM rules and how many times they can be applied in a time period.

Don't proxy images for bots

Cleanup old proxied images as part of daily maintenance

Only set the old url whenever stats are being logged [topic 459730]

Fix search highlighting to not mangle/expose some HTML [topic 550840]

The code to check for too many PM labels was wrong [topic 559166]

$db_persist needed to be defined as a global in the MySQLi driver [topic 552581]

$smcFunc['db_error'] shouldn't require a database object as a parameter

Add X-Frame-Options to both the installer and the upgrader

Add registration agreement section where users can view and agree to the document, complete with logging

Ensure that count() is called on valid objects when using PM labels in PHP 7.2

Try to inject session tokens into any login form that doesn't already have one (may not work in SSI!)

Implement privacy policy stuff for GDPR

Add link in footer to agreement and privacy policy

In XML profile export, explicitly state the language even when the member uses the forum default

In installer and upgrader, get resource files from simplemachines.org via HTTPS

Avoid generating errors for non-numeric start values when getting recent posts

Add ability to force the browser to download XML feed data as a file (good for GDPR support)

Add a link in profile actions menu to export profile info.

Make cdata_parse() smarter and less aggressive

Add "Allow the administrators to send me important news by email" checkbox to registration form

Invalidate opcode after writing Settings.php (other/install.php)

Use openssl_random_pseudo_bytes (if available) to generate the token_secret for unsubscribe links

& Fix a minor grammatical error and adds documentation comment to the email template

Underline the link to the GDPR official info page

Don't offer the Override Notification Settings option when composing a newsletter if force_gdpr is turned on

Implement GDPR compliance regarding unsubscribe links and options for email notifications

Add a GDPR compliance toggle to Core Features.

Core theme missing login hash [topic 558445]

template_kick_guest() missing login hash

Wireless missing login hash [topic 557843]

Fix code selection in modern browsers (Firefox, Chrome) [topic 553445]

Message previews ate emoji on UTF forums [topic 558414]

Improve logging of exceptions

Don't load the MySQLi driver if on PHP 5.3

Fix bitmask for error reporting

Type mismatch [topics 554723, 556672, 558542]

Undefined index errors if checking permissions too early [topic 558349]

matchPackageVersion() did not extract the beta number correctly [topic 557810]

Must clear the opcode cache on Settings.php when modifying it from within the admin area [topic 560180]

Board theme should not be overridden by user theme [topic 558121]

sendmail() should send the current server's name [topic 552893]

smf_categories lost ordering on InnoDB tables in MySQL [topic 552922]

Silence deprecation notices because we use deprecated functions everywhere

Remove leftover code while porting from 2.1  [topic 555723]

Several fixes for the proxy

Read more: https://www.simplemachines.org/community/index.php?topic=570986.0






2.0.15
 (security release)
16 June 2018 - 22MBHighlights

A security issue reported by Daniel Le Gall from SCRT SA

Various bug fix with Proxy handler

Login fixes for SSI and Maintenance mode

Various Search fixes

Email handling issue fixed when using SendTopic

Fixed SM Stat collection and added opt in/out functionality to the Admin Panel

Read more: https://www.simplemachines.org/community/index.php?topic=557176.0






2.0.14
 (security release)
23 June 2017 - 22MBThis patch adds both security and general maintenance fixes to your forum, so it is imperative that you install this patch quickly.



SMF 2.0.14

Updating session handlers

Adding HTTPS

fetch_web_data now uses cURL, falling back to sockets

Ported image proxy support from SMF 2.1

Also added HTTPS for avatars

Added a simple exception handler

Check session while logging in

Sanitize some fields to help guard against XSS

Validate email addresses with PHP’s filter method

Fix search highlighting to not mangle/expose some HTML

Fix password acceptance when special characters were used in UTF-8;

Correct some random logic errors in the profile area

Use ampersands instead of semi-colons for PayPal’s return link

Fix sending multiple MIME-Version headers in notification mail

Fix sending multipel Content-Type headers in all requests 



SMF 2.0.13

Some file versions didn't get modified in the 2.0.12 patch

Added check and sanitization for $_REQUEST['u'] in LogInOut.php and Reminder.php

Added check and sanitization for $_REQUEST['uid'] in Reminder.php

Properly sanitize author's website for packages

Added session check when uploading packages

Added session check when copying template files from one theme to another

The code to remove empty BBCode was sometimes breaking things (reported by @rjen; fix provided by Sesquipedalian)

Remove hardcoded limits for safe_unserialize as it was causing cache problems

Update the cal_max_year setting to 2030



SMF 2.0.12

Fixed word censor injection by disallowing an empty 'proper word'

Fixed vulnerable unserialize() code by converting all instances to safe_unserialize()

Added a more thorough safe_unserialize() function to prevent object injection

Fixed a bug where leaving a custom profile field blank on registration that has an email mask would throw an error

Fixed PayPal integration to comply with the new forced SSL

Fixed a bug where notifications were sent for messages in inaccessible boards

Fixed editor to make the editor work with Microsoft Edge

Fixed issue where smiley popup is blank on iOS 9 devices

Fixed WYSIWYG editor in mobile devices

Fixed an undefined $_POST['icon'] in Sources/Post.php

Fixed a minor bug in Login2()

Fixed an issue where SMF doesn't recognize new domain names and considers these as invalid

Fixed an issue where SMF would allow empty BBC

Fixed an issue where theme variants could not be selected

Fixed an issue where the file version of Subs-Post.php could have been 2.0.8 or 2.0.11. It will be updated to 2.0.12 in either case.

Updated copyright year to 2016

Read more: https://www.simplemachines.org/community/index.php?topic=553855.0



display more versions




2.0.11
 (security release)
23 September 2015 - 22MBThis patch is a security release, which focuses on fixing a minor security vulnerability reported in the software, therefore, it is important that you install this patch in a timely manner.
Read more: http://www.simplemachines.org/community/index.php?topic=539888.0






2.0.10
 (addendum 1)
29 April 2015 - 22MBApplications:

Update: Fixed an issue which could prevent the update process from completing successfully. Updates affected by this issue can be re-started from the UI.






2.0.10

25 April 2015 - 22MB
The instructions on ManagePaid page need to be updated
PayPal emails are case insensitive
Long standing problem with ManageNews and PostgreSQL
Long standing problem with Smiley sets and PostgreSQL
Errors show in log when handling certain tar.gz packages
Forum Maintenance - Topics fails if header is collapsed
Fix for unsupported UTF8mb4 characters
SSI.php doesn't handle "hide results until user has voted" properly
Sanitize package redirects
Can't use WYSIWYG editor in Pale Moon browser
Search dialogue can overflow inappropriately
Excessive line in ManageServer.php in the patch upgrade from 2.0.8
HTML tag broken in 2.0.9 install package
Wrong link in ManageAttachments
Error suppression missing in Subs-Package
XML post preview was broken in 2.0.9
Chrome doesn't like opacity for the news fader anymore
Add additional emails in Paid Subscriptions settings for PayPal business accounts.

Read more: http://www.simplemachines.org/community/index.php?topic=535828.0






2.0.9
 (security release)
3 October 2014 - 22MB
SMF tries to stick ORDER BY NULL onto INSERT IGNORE queries containing sub-selects with a GROUP BY statement, causing a database error (Reported by guest)
"Show Results" button always shown for polls as long as you can vote in them (Reported by Chainy)
Multi-select boxes for settings were broken when no value had been selected (Reported by Suki)
Some mail providers screw up the activation link (Reported by NanoSector)
PHP 5.4 changes default charset to UTF-8, which can cause problems with search results and PM notification emails (Reported by fun4us)
Make sure opcode cache gets cleared when regular cache does
Log pruning should only delete closed mod reports, not open ones
Fix layout issue with manage permissions page (Reported by Antes)
Adjust image check to not fail on "cellTextIsHtml", unless paranoid... (Reported by Arantor)
Sanitize all package XML to prevent any XSS attacks (Reported by Arantor)
Add session check when previewing posts to prevent XSS via [html] from forged forms (Reported by emanuele)
Sanitize maintenance mode title to prevent XSS attacks if HTML is used in it (Reported by guest)

Read more: http://www.simplemachines.org/community/index.php?topic=528448.0






2.0.8

18 June 2014 - 22MB
Nobbc should work across multiple lines
Package manager shouldn't fail when only 32M of memory is available
Quoting posts with smileys in, in the WYSIWYG editor, shouldn't spout nonsense into the editor (in the way certain versions of 2.0.7 did)
Td tags with a colspan should still function and not consume vast amounts of memory
Using lots of html bbcode tags when not an admin should not consume vast amounts of memory
Using queryless URLs, and/or when the PHPSESSID is present, should not consume vast amounts of memory
Breaking long words should function without consuming lots of memory
Adding posts with many smileys or bbc with specific parameter types (many times especially) should not consume vast amounts of memory, e.g. [acronym=definition]term[/acronym]
Emails should work without consuming vast amounts of memory
Time tags should work without consuming vast amounts of memory
The copyright year should be updated
Board order should always work correctly (if at a performance hit, a la the mod Arantor prepared)
The memberlist search feature could, in some cases, throw a database error if no valid fields were specified

Read more: http://www.simplemachines.org/community/index.php?topic=524016.0






2.0.7
 (addendum 1)
22 January 2014 - 22MBApplications:

Install and Update: Added revisions published by Simple Machines Forum.






2.0.7

21 January 2014 - 22MB
PHP 5.5 compatibility fixes merged in. (Thanks to all who contributed but especially SleePy and Spuds)
Trim the username if oversized when logging in. (Thanks to TMcomputering for the report)
Check that group inheritance is actually going to be viable before trying to do further inquiry. (Thanks to tfs for the report)
Made sure some of the calendar holidays are corrected when previously incorrect.
Don't let the prune reports function prune open, or for that matter, ignored, reports. (Reported by Kimmie)
If an uploaded file somehow has an image size but isn't really an image, don't try to treat it as an image.
Make file cache somewhat less fragile.
ssi_fetchPosts didn't honour overriding permissions. (Thanks to IchBin for a fix)
Privacy and original sending time were not kept in the mail queue in the event of sending failure.
Wrong variable used in the mail queue handling (Thanks to Nao for originally finding the bug)
Themes with spaces in could break the editor handling. (Thanks to akyhne for the report and akabugeyes for a suggested fix)
Made the anti-XSS header a little less picky.
FIND_IN_SET wasn't always properly set up for PostgreSQL use.
Multiple installed themes with variants wouldn't all be able to be selected properly.
Fields that are regex-validated couldn't be left empty (thanks HappyBits and emanuele)
Fixing legacy TYPE=HEAP (thanks heusdens for the report)

Read more: http://www.simplemachines.org/community/index.php?topic=517205.0






2.0.6
 (security release)
22 October 2013 - 22MBCritical security issues have been identified and are fixed with this update, therefore it is recommended to make sure you update your forums immediately to ensure your community is safe. A few other minor bugs have also been fixed.

Added some headers to help protect against clickjacking (thanks Jakob Lell for the report)
Invalid avatars were not always properly cleaned up (thanks chaoztc for the report)
Added protection against usernames being impersonated with Unicode space characters (thanks Jakob Lell for the report)
Sessions weren't always cleaned up properly on logout (thanks creepernex for the report)
Certain fields were accepted during registration even when they shouldn't be (thanks tomreyn for the report)
Certain errors were unnecessarily shown during a failed registration and some of those were inappropriate anyway (thanks Labradoodle-360 for the report)
Approving an account from a member's profile was not logged (thanks emanuele for the report)
Approving an account from a member's profile did not always properly enforce security rules (thanks emanuele for the report)
The PHPSESSID injector would also add it to the canonical link, breaking it (thanks to all who reported it)
An invalid character was indicated in legacy attachment handling
Under some circumstances the admin panel would not accept the number of verification questions you had entered (thanks BurkeKnight for the report)
The help pages could sometimes accidentally direct users to non-existing pages (thanks AngelinaBelle for the report and Illori for the fix)

Read more: http://www.simplemachines.org/community/index.php?topic=509417.0






2.0.5
 (security release)
12 August 2013 - 22MBCritical security issues have been identified and are fixed with this update, therefore it is recommended to make sure you update your forums immediately to ensure your community is safe. A few other minor bugs have also been fixed.

Updated the WHOIS search URL for RIPE (thanks Runic)
Fixed a problem with upgrade.php that wasn't able to continue after db errors (thanks akc42 for the fix)
Fixed code injection in manage language pages (thanks HauntIT for the report)
Fixed XSS in the news page, emails field (thanks HauntIT for the report)
XSS in personal messages page (thanks HauntIT for the report)

Read more: http://www.simplemachines.org/community/index.php?topic=509417.0






2.0.4
 (addendum 1)
5 August 2013 - 22MBApplications:

Added compatibility for CloudLinux CageFS.






2.0.4

1 February 2013 - 22MBCritical security issues have been identified and are fixed with this update, therefore it is recommended to make sure you update your forums immediately to ensure your community is safe. A few other minor bugs have also been fixed.

Joshua's fix for validatePasswordFlood logic error (reported by Raz0r)
Arantor fix for database error on lost connections
Quick fix for Admin Password Reset vulnerability reported by Raz0r
Directory traversal vulnerability in the function ViewFile (thanks yan.uniko.102 for reporting and Arantor for proposing the fix and Spuds for spotting the undefined variable)
active users cannot change anymore the email from action activate without deactivation/confirmation (thanks BarteX for reporting the issueand suggesting a fix)
Change language from the admin panel could allow XSS, path disclosure and code injection (thanks Jakub Galczyk for reporting the issue)
Missing arguments in SSI functions called through ?ssi= generated error messages showing full server file path (thanks yan.uniko.102 for reporting it)
Directory listing and editing of arbitrary files from the theme editing page in the admin panel

Read more: http://www.simplemachines.org/community/index.php?topic=496403.0






2.0.3

16 December 2012 - 22MBCritical security issues have been identified and are fixed with this update, therefore it is recommended to make sure you update your forums immediately to ensure your community is safe. A few other minor bugs have also been fixed. The most relevant bug fix is an issue that will arise in few months with PayPal: starting on February 1, 2013 PayPal will only accept headers which comply with the HTTP 1.1 specification.

SSI showed hidden boards on non-properly configured forums (part 2)
SSI showed hidden boards on non-properly configured forums
XSS in moderation log page (thanks kingW3 for the report)
ManagePaid fails if copies of Subscriptions-Paypal,php are present
PCRE engine starting at rev 8.3, will not allow you to specify the surrogate range D800–DFFF - From Spuds (similar to commit 10994)
Fixed lacking of check on referer URL when adminLogin comes into play (1.0, 1.1 and 2.0 versions)
Fixes for paypal moving to HTTP 1.1 [bug 5009]
update sandbox to use https, the former address results in a redirect
curl did not work due to improper check
subscriptions should also check for approved payment. Cherry-picked from git commit 07d4bc9fba8942fd284d3d0c3c732889a7bc2e6f by Spuds
Fixed the upgrade.php failing when the Themes directory was in a directory other than $boarddir (thanks iacchi for finding the cause)
Applied all the changes proposed by rawlogic to fix the intermittent session verification failures

Read more: http://www.simplemachines.org/community/index.php?topic=492786.0






2.0.2

23 December 2011 - 22MB





2.0.1

19 September 2011 - 22MB





2.0
 (major version)
11 June 2011 - 22MB





1.1.21

25 April 2015 - 10MB
XML post preview was broken in 1.1.20
XSS possibility if HTML used in maintenance mode title (Reported by guest)
Various parts of the package system could allow XSS attacks (Reported by Arantor)
Add session check to post preview to prevent XSS from html tag through forged forms (Reported by emanuele)

Read more: http://www.simplemachines.org/community/index.php?topic=535828.0






1.1.19
 (security release)
22 October 2013 - 10MBCritical security issues have been identified and are fixed with this update.
Read more: http://www.simplemachines.org/community/index.php?topic=512964.0






1.1.18

1 February 2013 - 10MBCritical security issues have been identified and are fixed with this update.
Read more: http://www.simplemachines.org/community/index.php?topic=496403.0






1.1.17

16 December 2012 - 10MB





1.1.16

23 December 2011 - 10MB





1.1.15

19 September 2011 - 10MB





1.1.14

11 June 2011 - 10MB





1.1.13

12 February 2011 - 10MB





1.1.12

2 November 2010 - 10MB





1.1.11

4 December 2009 - 10MB





1.1.10

15 July 2009 - 10MB





1.1.9

22 May 2009 - 10MB





1.1.8

5 February 2009 - 10MB





1.1.7

11 November 2008 - 10MB





1.1.6

14 September 2008 - 10MB





1.1.5

2 May 2008 - 10MB





1.1.4

2 October 2004 - 10MB





1.1.3

9 August 2007 - 10MB





1.1.2

20 February 2007 - 10MB





1.1.1

21 December 2006 - 10MB





1.0.9

31 October 2006 - 4MB





1.0.8

27 August 2006 - 4MB





1.0.7

10 April 2006 - 4MB





1.0.6

7 February 2006 - 4MB





1.0.5

30 June 2005 - 4MB





1.0.4

22 June 2005 - 4MB





1.0.3

2 May 2005 - 6MB





1.0

11 January 2005 - 2MB