but 0.9.0.7 appears to simply be a copy of the final 0.9 branch

browse http://bbpress.trac.wordpress.org/browser/branches/0.9

zip http://bbpress.trac.wordpress.org/changeset/3730/branches/0.9?old_path=%2F&format=zip

svn co http://svn.automattic.com/bbpress/branches/0.9/

From what I can tell, JJJ just copied the branch over to make "0.9.0.7"

http://bbpress.trac.wordpress.org/changeset/3517
http://bbpress.trac.wordpress.org/changeset/3535
http://bbpress.trac.wordpress.org/log/tags/0.9.0.7/bb-includes?rev=3535

That's all he did, there were no other changes, improvements or fixes.

But there really are some fixes in the final 0.9 branch over 0.9.0.6

There were 12 files changed from 0.9.0.6 to 0.9.0.7 (aka 0.9 branch)

http://bbpress.trac.wordpress.org/changeset?old_path=%2Ftags%2F0.9.0.6&old=2338+&new_path=%2Ftags%2F0.9.0.7&new=3715

bb-includes/default-filters.php (1 diff)
bb-includes/wp-functions.php (2 diffs)
bb-includes/pluggable.php (1 diff)
bb-includes/functions.php (3 diffs)
bb-includes/registration-functions.php (1 diff)
bb-includes/template-functions.php (3 diffs)
bb-includes/compat.php (1 diff)
search.php (1 diff)
bb-plugins/akismet.php (4 diffs)
bb-admin/bb-do-counts.php (3 diffs)
bb-admin/admin.php (1 diff)
bb-admin/admin-functions.php (2 diffs)

It's hard to be 100% positive but I am pretty sure they addressed the base64 decoding bug.

Those with 0.9.0.6 can replace just these files to upgrade to 0.9.0.7
http://bbpress.trac.wordpress.org/changeset?format=zip&new=3715&old=2338&new_path=%2Ftags%2F0.9.0.7&old_path=%2Ftags%2F0.9.0.6
(those running versions before 0.9.0.6 will need more files from a fuller upgrade, do not use just the above files as it will break your install)

Everyone should still use my mini-plugin to protect bbpress and wordpress for yet-unidentified security issues. It's better than nothing. You can even remove the header and just copy the one IF block to your bb-config.php and wp-config.php

If 256 characters turns out to be too short of a URL restriction, some may need to raise it as high as 1024, for example in WordPress where it stupidly uses GET now to mass delete posts, which was a dumbfounding move on their part.

<?php
/*
Plugin Name: Block Long/Bad Queries (for bbPress and WordPress)
*/

if (strlen($_SERVER['REQUEST_URI'])>1024 ||
preg_match('@(eval|base64|unescape)[^a-zA-Z0-9]@si',$_SERVER['REQUEST_URI']))
{
	header('HTTP/1.1 414 Request-URI Too Long');
	header('Status: 414 Request-URI Too Long');
	header('Connection: Close');
	exit;
}

I have 0.9.0.7 installed.

I just saw _ck_'s post here about a security patch plugin: http://bbpress.org/forums/topic/bbpress-103-released#post-84690

Ten months ago, _ck_ wrote,

"bbPress 0.9 users should install my unofficial "block-long-queries" mini-plugin to avoid the security bug that 1.0.3 fixes and similar unknown attacks in the future.
(it also works in 1.0 and WordPress)"

Since it seems like 0.9.0.7 came out five months later, I am wondering if this new release covers the patch or if it is still needed.

Note that I searched extensively for a post about the 0.9.0.7 release and the changes it represented, but I can't see anything like that.

Also, I can't ask in the original thread because it was closed.

Thanks!

<?php post_form( array( 'last_page_only' => false ) ); ?>
I hope, with that kind of code we can disable attachments on replies.

-- Anyone?

Also:
I would suggest making it so that only logged in users can add attachments.

bbPress has the option of allowing guests to post to the forums, so if I turn that on, I end up with guest attachment abilities, which I personally don't want.

Great little plugin btw, thnx!

Hello, Zaerl, Ben L.
Are you listening to me?

I think _ck_ has gone again :-/

bbPress attachment is working fine. but

-- Is it possible to hide/disable attachment functionalities when a user replying to a topic?

-- I mean, When a user creating a topic (post-form.php/bbpressdotorg/forums/?new=1) then only attachments should work.

--Otherwise when topic is open, then plugin should not show in threading. like I don't want to show attachments in bbpressdotorg/forums/topic/not-allowed-attachments-in-threading-so-create-every-new-topic-to-upload-stuff

Please let me know your thoughts on it. Thanks

--Pagal

Sorry, I simply do not have the time.

Restore backups from before upgrading 0.9 to 1.x

It's used by WP/bbPress *before* the post is saved permanently (pre_post filter)

But bbcode is stored as bbcode, not converted HTML.

So it has to be converted to html each time a post is shown (post_text filter).

So KSES is too slow for that.

(plus I don't want to use an external function with regex matches, which makes it ten times more complex)

Looking for feedback from those running a realworld, robust 1.x setup as I only have a test install.

Personally I also think it looks better in 0.9 but that's just me.

It cannot damage anything during testing as it's a read-only kind of plugin (for now).

So now this plugin will help admin explore how those tags got there or if spammers have snuck in any stray tags.

Install, activate and look under the Manage menu.

Click on the numbers next to the items to "drill down" on those tags.

Let me know if you have feature ideas or find bugs.

--

okay it's on the SVN now with a couple of tweaks/fixes

so you can get it from there

http://plugins-svn.bbpress.org/tag-history/trunk/

http://bbpress.org/plugins/topic/tag-history/

If you are using _ck_'s bbcode-lite plugin: http://bbpress.org/plugins/topic/bbcode-lite/

You can use basic html
<img src="http://mydomain.com/pic.jpg" alt="Pic1" />

The trade-off of bbcode-lite is speed, so for security things have to be disallowed instead of trying to parse for all options which would slow things down.

HTML tags are saved when a post is made and then they are done, so it's fast. But bbcode has to be parsed each and every time a page is displayed, so speed is important.

I guess an advanced feature for a future version would be to convert the bbcode into permanently saved html after the user's time to edit has passed (ie. an hour). But that kind of sophistication will have to wait.

<img src="http://mydomain.com/pic.jpg" alt="Pic1" />

As this is allowed through bbcode-lite.

Appreciate the response,
RedBull

http://plugins-svn.bbpress.org/bbcode-lite/trunk/

This is an important security update.

Basically bbPress doesn't run it's tag filter on post_text when the text is finally displayed, because it would be too slow.

Instead it only checks tags during saving time and filters then.

If an item is not a tag AT SAVE TIME it won't get checked.

That is how this is slipping through, because bbcode are not html tags.

I have a quick, dirty fix.

Basically anything that gets stuck INSIDE a tag ie. [HERE] = < HERE > is no longer allowed to contain spaces, single quote or double quote. Stuff [blah]HERE[/blah] = <blah>HERE</blah> is okay.

Preventing spaces alone, in theory, should be enough. Even url or entity encoding won't get properly parsed. It will simply display as plain text and then you can see who is posting what instead of hidden stuff.

The only good news is that this problem in theory should not allow admin cookies to be stolen since the last version of 0.9 and 1.x already use HttpOnly cookies which cannot be read by javascript.

The downside of the quick-fix is that secondary attributes are no longer possible until I come up with another way. Example of secondary would be alt or title etc.

Many thanks for reporting this Tom!

Working hard on a fix.

All BBcode-lite users should upgrade to 1.0.5 IMMEDIATELY

(regardless if you allow images or not)

http://bbpress.org/plugins/topic/bbcode-lite/

http://plugins-svn.bbpress.org/bbcode-lite/trunk/

I run through post-text so the bbpress parser never fires.

Fortunately img is disabled by default but I bet people turn it on.

Working on a fix.

$tags['img'] = array('src' => array(), 'title' => array(), 'alt' => array());

only src, title and alt attributes are allowed. Can you share a pastebin link with the exact rogue text?

[img]http://www.whatever.net/forums/bb-admin/images/blank.gi" style="display:none;" onerror="this.parentNode.parentNode.parentNode.parentNode.parentNode.innerHTML = this.parentNode.parentNode.parentNode.parentNode.parentNode.innerHTML.replace(/oldStuff|onerror/g,'newStuff'); [/img]

What are the patching instructions? Thanks.

Here is the link to legacy download counter in case anyone wondering - http://bbpress.org/download/counter/legacy

bbPress 1.x has been downloaded over 121k times!

_ck_ plugins this weekend will break the 100k total downloads mark!

These are the top 10 _ck_ plugins:

bbPress Signatures
BBcode Lite
bbPress Smilies
Human Test
BBcode Buttons
bbPress Attachments
bbPress Polls
Hidden Forums
Post Count Plus
Topic Icons