Simple Machines Forum 2.0.14
23 June 2017
Simple Machines Forum version 2.0.14 is now available (security release).
Upgrading to Simple Machines Forum 2.0.14
Simple Machines Forum 2.0.14 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Simple Machines Forum updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Simple Machines Forum install to test the 2.0.14 upgrade prior to applying it live. Get started managing your Simple Machines Forum installations with Installatron.
What's New in Simple Machines Forum 2.0.14
This patch adds both security and general maintenance fixes to your forum, so it is imperative that you install this patch quickly.
SMF 2.0.14
- Updating session handlers
- Adding HTTPS
- fetch_web_data now uses cURL, falling back to sockets
- Ported image proxy support from SMF 2.1
- Also added HTTPS for avatars
- Added a simple exception handler
- Check session while logging in
- Sanitize some fields to help guard against XSS
- Validate email addresses with PHP’s filter method
- Fix search highlighting to not mangle/expose some HTML
- Fix password acceptance when special characters were used in UTF-8
- Correct some random logic errors in the profile area
- Use ampersands instead of semi-colons for PayPal’s return link
- Fix sending multiple MIME-Version headers in notification mail
- Fix sending multiple Content-Type headers in all requests
SMF 2.0.13
- Some file versions didn't get modified in the 2.0.12 patch
- Added check and sanitization for $_REQUEST['u'] in LogInOut.php and Reminder.php
- Added check and sanitization for $_REQUEST['uid'] in Reminder.php
- Properly sanitize author's website for packages
- Added session check when uploading packages
- Added session check when copying template files from one theme to another
- The code to remove empty BBCode was sometimes breaking things (reported by @rjen; fix provided by Sesquipedalian)
- Remove hardcoded limits for safe_unserialize as it was causing cache problems
- Update the cal_max_year setting to 2030
SMF 2.0.12
- Fixed word censor injection by disallowing an empty 'proper word'
- Fixed vulnerable unserialize() code by converting all instances to safe_unserialize()
- Added a more thorough safe_unserialize() function to prevent object injection
- Fixed a bug where leaving a custom profile field blank on registration that has an email mask would throw an error
- Fixed PayPal integration to comply with the new forced SSL
- Fixed a bug where notifications were sent for messages in inaccessible boards
- Fixed the editor to work with Microsoft Edge
- Fixed issue where smiley popup is blank on iOS 9 devices
- Fixed WYSIWYG editor in mobile devices
- Fixed an undefined $_POST['icon'] in Sources/Post.php
- Fixed a minor bug in Login2()
- Fixed an issue where SMF doesn't recognize new domain names and considers these as invalid
- Fixed an issue where SMF would allow empty BBC
- Fixed an issue where theme variants could not be selected
- Fixed an issue where the file version of Subs-Post.php could have been 2.0.8 or 2.0.11. It will be updated to 2.0.12 in either case.
- Updated copyright year to 2016