0.9 users should upgrade to (or start with) the 0.9 branch, which was the final version of 0.9, but 0.9.0.7 appears to simply be a copy of the final 0.9 branch.
browse https://bbpress.trac.wordpress.org/browser/branches/0.9
zip https://bbpress.trac.wordpress.org/changeset/3730/branches/0.9?old_path=%2F&format=zip
svn co http://svn.automattic.com/bbpress/branches/0.9/
From what I can tell, JJJ just copied the branch over to make “0.9.0.7”
https://bbpress.trac.wordpress.org/changeset/3517
https://bbpress.trac.wordpress.org/changeset/3535
https://bbpress.trac.wordpress.org/log/tags/0.9.0.7/bb-includes?rev=3535
That’s all he did; there were no other changes, improvements or fixes.
But there really are some fixes in the final 0.9 branch over 0.9.0.6
There were 12 files changed from 0.9.0.6 to 0.9.0.7 (aka 0.9 branch)
https://bbpress.trac.wordpress.org/changeset?old_path=%2Ftags%2F0.9.0.6&old=2338+&new_path=%2Ftags%2F0.9.0.7&new=3715
bb-includes/default-filters.php (1 diff)
bb-includes/wp-functions.php (2 diffs)
bb-includes/pluggable.php (1 diff)
bb-includes/functions.php (3 diffs)
bb-includes/registration-functions.php (1 diff)
bb-includes/template-functions.php (3 diffs)
bb-includes/compat.php (1 diff)
search.php (1 diff)
bb-plugins/akismet.php (4 diffs)
bb-admin/bb-do-counts.php (3 diffs)
bb-admin/admin.php (1 diff)
bb-admin/admin-functions.php (2 diffs)
It’s hard to be 100% positive but I am pretty sure they addressed the base64 decoding bug.
Those with 0.9.0.6 can replace just these files to upgrade to 0.9.0.7
https://bbpress.trac.wordpress.org/changeset?format=zip&new=3715&old=2338&new_path=%2Ftags%2F0.9.0.7&old_path=%2Ftags%2F0.9.0.6
(those running versions before 0.9.0.6 will need more files from a fuller upgrade, do not use just the above files as it will break your install)
Everyone should still use my mini-plugin to protect bbpress and wordpress from yet-unidentified security issues. It’s better than nothing. You can even remove the header and just copy the one IF block to your bb-config.php and wp-config.php.
If 256 characters turns out to be too short of a URL restriction, some may need to raise it as high as 1024, for example in WordPress where it stupidly uses GET now to mass delete posts, which was a dumbfounding move on their part.
<?php
/*
Plugin Name: Block Long/Bad Queries (for bbPress and WordPress)
*/
if (strlen($_SERVER['REQUEST_URI'])>1024 ||
preg_match('@(eval|base64|unescape)[^a-zA-Z0-9]@si',$_SERVER['REQUEST_URI']))
{
header('HTTP/1.1 414 Request-URI Too Long');
header('Status: 414 Request-URI Too Long');
header('Connection: Close');
exit;
}
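To see what the IF block above will actually block before dropping it into a config file, here is an added Python re-implementation of the same length and regex check (not part of the original post or of bbPress) run over constructed sample request URIs; note that ordinary words like "medieval" or "retrieval" also trip the pattern, so it is worth auditing against your own access log first.

```python
import re

# Same pattern and length limit as the mini-plugin above.
# PHP's @...@si flags map to IGNORECASE; DOTALL is irrelevant since there is no '.'.
BAD_QUERY = re.compile(r'(eval|base64|unescape)[^a-zA-Z0-9]', re.IGNORECASE)
MAX_URI_LEN = 1024


def classify(uri, max_len=MAX_URI_LEN):
    """Return why the plugin would answer 414 for this REQUEST_URI, or None if allowed."""
    if len(uri) > max_len:
        return "too-long"
    m = BAD_QUERY.search(uri)
    if m:
        return "pattern:" + m.group(1).lower()
    return None


def audit(uris, max_len=MAX_URI_LEN):
    """Group request URIs by verdict so false positives can be reviewed before deploying."""
    report = {}
    for uri in uris:
        verdict = classify(uri, max_len) or "allowed"
        report.setdefault(verdict, []).append(uri)
    return report


# Constructed sample REQUEST_URIs (hypothetical, not taken from a real log).
SAMPLE_URIS = [
    "/forums/topic.php?id=42",
    "/forums/search.php?q=medieval+castle",      # innocent word contains "eval" then "+"
    "/forums/retrieval-policy/",                  # same, "eval" then "-"
    "/bb-plugins/base64encoder.php",              # "base64" followed by a letter: passes
    "/index.php?x=base64_decode",                 # the kind of query the rule is meant to catch
    # a mass-delete style GET with 150 post ids, well over the 1024 limit
    "/wp-admin/edit.php?action=delete&" + "&".join("post[]=%d" % i for i in range(150)),
]

if __name__ == "__main__":
    for verdict, uris in sorted(audit(SAMPLE_URIS).items()):
        print(verdict)
        for u in uris:
            print("   ", u[:70])
```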