vBulletin 3.5.1, 3.0.10 & 2.3.8 Released

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179

    vBulletin 3.5.1, 3.0.10 & 2.3.8 Released

    vBulletin 3.5.1
    vBulletin 3.0.10
    vBulletin 2.3.8

    The original purpose of this release was to provide a regular, scheduled bug-fix / service release for the new 3.5.x series, but newly discovered flaws in Internet Explorer and PHP have necessitated a security release for all three vBulletin branches.

    The first flaw is in Microsoft Internet Explorer. It affects vBulletin image uploads and potentially opens a cross-site-scripting exploit. It has affected many web-based applications that allow image uploads, including phpBB and Hotmail. Although a fix from Microsoft would be preferable, we have implemented a work-around in all three branches of vBulletin to prevent the Internet Explorer flaw from being exploited.

    The second flaw is in PHP and may allow the entry of unsanitized data into several areas in vBulletin. This may create security holes that are not directly caused by vBulletin, simply exploited through vBulletin as it uses affected PHP code. PHP 4.4.1 has been released to address this issue (no updated PHP5 is available yet). If you are running PHP 4, it is strongly recommended that you update your PHP installation to 4.4.1!

    I'd just like to reiterate that neither of these flaws are directly related to vBulletin. Rather, they are flaws in software that ties into vBulletin. We are simply creating workarounds for these issues to prevent them from being exploited.

    Patch files containing only the security fixes for vBulletin 3.5.0, 3.0.6 - 3.0.9 and 2.3.4 - 2.3.7 are attached to this thread, though we would recommend that you fully upgrade your board rather than simply patch it wherever possible. The zip files contain partial directory structures of the upload/ folder that would normally be found in the package you downloaded from the members' area. You should simply download the correct file for your board and extract it. Connect to your server via FTP and upload the contents of the zip file to your main board directory. This should overwrite files already on your server -- if it does not, then your board will not be patched!

    All customers should upgrade or patch their boards as soon as possible.

    Installing or Upgrading vBulletin (3.0.x/3.5.x)

    Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.

    Note that the process is the same as it was in the 3.0.x series. However you must redo your config.php if you are upgrading from 3.0.x!

    Bug Reports (3.5.x)

    You may report bugs by clicking here. Before reporting a bug, please attempt to recreate the bug on a default, uncustomized style (especially if your errors are JavaScript related). Additionally, if you have used the plugins/products system at all, please attempt to recreate the issue with the plugins system disabled!
    Attached Files
  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179

    #2
    3.5.1 Changes of Note

    New AJAX disable option
    This allows the administrator to enable AJAX, disable AJAX or disable just those AJAX features which can be troublesome due to character set issues.

    IconV use where available
    If IconV is installed on your server (which we strongly recommend) vBulletin will now use its character set conversion abilities rather than relying on its own for AJAX-submitted data. This is of especial interest to boards running with non-latin characters such as Chinese, Arabic etc.

    Option to switch email banning system back to 3.0.x settings
    An option now exists to change the new email banning system's behavior back to the more aggressive method employed by vBulletin 3.0.x. This means that banned words / letters etc. will be matched anywhere within the email address, rather than matching from the end of the address towards the start.

    This means that you can specify '@example.' to ban both example.com and example.co.uk, whereas with the 3.5.x system you would have to expressly ban both.

    Reputation no longer uses a popup window
    Reputation is now handled in the same window as viewing a post.

    Product install code execution order changed
    Install code specified in a product XML file is now executed before the product record is inserted into the database. This allows far more flexibility to the code to be run when installing a product.

    Bitfield XML files use stronger product association
    For a bitfield XML file to be parsed, it must be associated with a product that is installed and active. Previously, it was impossible to not use certain bitfield files without deleting them. This is more consistent with CP navigation XML files.

    Increased Compatibility with MySQL 5
    MySQL 5 has now been declared stable and is therefore supported by vBulletin. With 3.5.1 previous compatibility issues with MySQL 5 have been addressed, allowing vBulletin to run without errors. However, it should be noted that vBulletin is not yet compatible with MySQL 5 running in Strict Mode, and this should be disabled in the MySQL configuration or using the new option in config.php.

    Comment

    • Kier
      Former Lead Developer, vBulletin
      • Sep 2000
      • 8179

      #3
      Template Changes from 3.5.0 to 3.5.1

      The are the template changes since 3.5.0 'Gold' ONLY

      If you are not running 3.5.0 'Gold' yet, there are significantly more changed templates than are listed here. Use "Find Updated Templates" to find the templates that have changed and incorporate those changes. You may even wish to start with a default style!

      Note:
      You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

      If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert.

      Additionally, you may wish to use the "Find Updated Template" feature in the control panel to find templates that have been changed since your last edit to them.

      -----------------------------------------------------

      pm_showpm
      Code:
      if (document.attachEvent)
      {
          document.attachEvent('onload', askReceipt);
      }
      else if(document.addEventListener)
      {
          document.addEventListener('load', askReceipt, true);
      }
      to
      Code:
      if (window.attachEvent)
      {
          window.attachEvent('onload', askReceipt);
      }
      else if(window.addEventListener)
      {
          window.addEventListener('load', askReceipt, false);
      }
      Requires Revert: YES




      headinclude

      Added an option to disable AJAX features, mainly due to (currently unfixable) problems on some non-English boards.

      Requires revert? Yes, if you want to use the new option.



      reputation
      repurtationbit
      reputation_yourpost
      postbit
      postbit_legacy

      The reputation has been moved from using a javascript popup to using the same browser window.

      Requires Revert? YES



      SHOWTHREAD

      Change FIRST instance of
      HTML Code:
      <if condition="$show['approvepost']">
      to
      HTML Code:
      <if condition="$show['inlinemod']">
      Requires Revert? If your mods do not have moderate posts permission then they won't have access to the post moderation tools unless this change is made.
      • forumhome_forumbit_level1_post
      • forumhome_forumbit_level2_post
      • MEMBERINFO
      • memberlist_resultsbit
      • modifyoptions
      • navbar
      • postbit
      • postbit_deleted
      • postbit_ignore
      • postbit_ignore_global
      • postbit_legacy
      • postbit_legacy
      • showgroups_usergroupbit
      • SHOWTHREAD
      • threadbit
      Added rel="nofollow" to various links to try to convince search bots not to go wandering into no permission errors.

      Requires revert? No



      pm_emptyfolder

      Find
      HTML Code:
      <input type="hidden" name="folderid" value="$folderid" />
      Add this afterwards
      HTML Code:
      <input type="hidden" name="dateline" value="$dateline" />
      Requires Revert: No, but refer to bug 1593



      threadadmin_deleteposts
      threadadmin_deletethreads

      Added several conditionals to better control which delete options are shown to the moderator. The moderator can never use a delete option that they don't have permission to but now those options will not be displayed when they have selected posts/threads that don't allow an option (based on forum permission).

      Requires Revert: No, but it is recommended



      editor_toolbar_on
      HTML Code:
      <td class="popup_feedback"><div id="{$editorid}_size_out">&nbsp;</div></td>
      to
      HTML Code:
      <td class="popup_feedback"><div id="{$editorid}_size_out" style="width:25px">&nbsp;</div></td>
      Requires Revert: No



      threadadmin_moveposts [Bug 1697]

      Change
      HTML Code:
      <input type="text" class="bginput" name="title" value="" size="50" maxlength="85" />
      to
      HTML Code:
      <input type="text" class="bginput" name="title" value="$post[title]" size="50" maxlength="85" />
      Requires Revert? No



      modifysignature
      pm_newpm

      Fix the problem with the smilie fieldset overflowing the parent table width.

      Requires Revert? No, the fix is purely aesthetic.



      SHOWTHREAD

      Change
      HTML Code:
      <if condition="$show['inlinemod']">
      <div>
      <strong>$vbphrase[moderation]</strong>
      to

      HTML Code:
      <if condition="$show['inlinemod']">
      <div class="smallfont" style="text-align:$stylevar[left]; white-space:nowrap; float:$stylevar[right]">
      <if condition="$show['pagenav']"><br /></if><strong>$vbphrase[moderation]</strong><br />
      Change
      HTML Code:
      </select>
      <input type="hidden" name="s" value="$session[sessionhash]" />
      <input type="hidden" name="threadid" value="$threadinfo[threadid]" />
      <input type="hidden" name="p" value="$postid" />
      <input type="hidden" name="url" value="$url" />
      <input type="submit" class="button" id="inlinego" value="$vbphrase[go]" />
      to

      HTML Code:
      </select><input type="submit" class="button" id="inlinego" value="$vbphrase[go]" />
      <input type="hidden" name="s" value="$session[sessionhash]" />
      <input type="hidden" name="threadid" value="$threadinfo[threadid]" />
      <input type="hidden" name="p" value="$postid" />
      <input type="hidden" name="url" value="$url" />
      Requires Revert: No



      FORUMDISPLAY

      Change
      HTML Code:
      <if condition="$pagenav OR $show['inlinemod']">
      <td class="smallfont" align="$stylevar[right]">$pagenav
      <if condition="$show['inlinemod']">
      <br /><em>$vbphrase[moderation]</em>
      to
      HTML Code:
      <if condition="$show['pagenav'] OR $show['inlinemod']">
      <td align="$stylevar[right]">$pagenav
      <if condition="$show['inlinemod']">
      <div class="smallfont" style="text-align:$stylevar[left]; white-space:nowrap; float:$stylevar[right]">
      <if condition="$show['pagenav']"><br /></if><strong>$vbphrase[moderation]</strong><br />
      Change
      HTML Code:
      </select>
      <input type="submit" class="button" id="inlinego" value="$vbphrase[go]" />
      to
      HTML Code:
      </select><input type="submit" class="button" id="inlinego" value="$vbphrase[go]" />
      </div>
      Requires Revert: No

      Comment

      • Kier
        Former Lead Developer, vBulletin
        • Sep 2000
        • 8179

        #4
        Bugs fixed and files changed in 3.5.1 since 3.5.0

        You can view a list of bugs fixed between 3.5.0 and 3.5.1 using this link:
        Bugs List

        Files changed from 3.5.0 to 3.5.1
        • /
          • ajax.php
          • attachment.php
          • calendar.php
          • external.php
          • faq.php
          • forumdisplay.php
          • global.php
          • image.php
          • index.php
          • inlinemod.php
          • login.php
          • memberlist.php
          • misc.php
          • newreply.php
          • newthread.php
          • payment_gateway.php
          • poll.php
          • postings.php
          • private.php
          • profile.php
          • report.php
          • reputation.php
          • search.php
          • sendmessage.php
          • showthread.php
          • usercp.php
          • usernote.php
        • admincp
          • admincalendar.php
          • attachment.php
          • diagnostic.php
          • forum.php
          • help.php
          • image.php
          • index.php
          • misc.php
          • options.php
          • phrase.php
          • plugin.php
          • subscriptions.php
          • template.php
          • thread.php
          • user.php
          • usergroup.php
          • usertools.php
        • archive
          • archive.css
        • clientscript
          • vbulletin_ajax_threadslist.js
          • vbulletin_attachment.js
          • vbulletin_editor.css
          • vbulletin_global.js
          • vbulletin_menu.js
          • vbulletin_quick_edit.js
          • vbulletin_quick_reply.js
          • vbulletin_templatemgr.js
          • vbulletin_textedit.js
        • includes
          • adminfunctions.php
          • adminfunctions_language.php
          • adminfunctions_navpanel.php
          • adminfunctions_options.php
          • adminfunctions_profilefield.php
          • adminfunctions_template.php
          • class_bbcode.php
          • class_bbcode_alt.php
          • class_bitfield_builder.php
          • class_core.php
          • class_datastore.php
          • class_dbalter.php
          • class_dm.php
          • class_dm_attachment.php
          • class_dm_forum.php
          • class_dm_moderator.php
          • class_dm_poll.php
          • class_dm_threadpost.php
          • class_image.php
          • class_mail.php
          • class_paid_subscription.php
          • class_upload.php
          • class_xml.php
          • config.php.new
          • database_error_page.html
          • datastore_cache.php
          • functions.php
          • functions_databuild.php
          • functions_editor.php
          • functions_log_error.php
          • functions_misc.php
          • functions_newpost.php
          • functions_user.php
          • functions_wysiwyg.php
          • init.php
          • cron
            • attachmentviews.php
            • promotion.php
            • threadviews.php
          • paymentapi
            • class_authorizenet.php
            • class_moneybookers.php
            • class_paypal.php
          • xml
            • hooks_vbulletin.xml
        • install/* (all files)
        • modcp
          • banning.php
          • moderate.php
          • user.php

        Comment

        • Kier
          Former Lead Developer, vBulletin
          • Sep 2000
          • 8179

          #5
          Changed files from 3.0.9 to 3.0.10
          • /
            • memberlist.php
            • register.php
          • admincp
            • cronlog.php
            • image.php
          • clientscript
            • vbulletin_wysiwyg.js
          • includes
            • adminfunctions_template.php
            • functions_bigthree.php
            • functions_file.php
            • functions_upload.php
            • init.php
          • install
            • install.php
            • upgrade.php
            • upgrade21.php
            • upgrade_language_en.php
            • vbulletin-language.xml
            • vbulletin-settings.xml
            • vbulletin-style.xml
          • modcp
            • announcement.php
            • user.php
          No templates were changed.
          Firefox 1.5 Change
          A bug was fixed in Firefox 1.5 that causes the menu positions in the WYSIWYG editor to be incorrect. This has been fixed in vBulletin 3.0.10 for these newer versions. The vbulletin_wysiwyg.js is compatible with 3.0.2+, it is therefore recommended you upload this file if you intend just to patch your current install.

          Comment

          • Kier
            Former Lead Developer, vBulletin
            • Sep 2000
            • 8179

            #6
            Changed files from 2.3.7 to 2.3.8:
            • /
              • member.php
            • admin
              • functions.php
              • global.php
              • install.php
              • upgrade1.php
              • upgrade31.php
              • vbulletin.style
            No templates were changed.

            Comment

            • Kier
              Former Lead Developer, vBulletin
              • Sep 2000
              • 8179

              #7
              Discussion Links

              You can discuss these releases using these links:

              Comment

              • Freddie Bingham
                Former vBulletin Developer
                • May 2000
                • 14057
                • 1.1.x

                #8
                If you are experiencing the following error with 3.5.1:

                Code:
                 Warning: Constants may only evaluate to scalar values in /includes/class_core.php on line 1522
                Please replace your copy of includes/class_core.php with the attached copy.
                Attached Files

                Comment

                • Kier
                  Former Lead Developer, vBulletin
                  • Sep 2000
                  • 8179

                  #9
                  The members' area package has now been updated to include this fix. Additionally, private.php has been updated.

                  Comment

                  widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                  Working...