Simple Machines Forum 2.0.16
27 December 2019
Simple Machines Forum version 2.0.16 is now available (security release).
Upgrading to Simple Machines Forum 2.0.16
Simple Machines Forum 2.0.16 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Simple Machines Forum updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Simple Machines Forum install to test the 2.0.16 upgrade prior to applying it live. Get started managing your Simple Machines Forum installations with Installatron.
What's New in Simple Machines Forum 2.0.16
Highlights
- Support for privacy policy in addition to registration agreement
- GDPR Compliance toggle in Core Features
  - Enabling this configures multiple settings and new features to comply with the GDPR, including:
    - Requiring members to accept the current privacy policy in order to use the forum
    - Asking during registration whether the new member wants to receive announcements via email
    - Enabling token-based unsubscribe links in emails so members can unsubscribe without logging in
    - Allowing members to download a copy of their profile information
    - Adjusting the behaviour of a number of other features in minor ways as necessary
- PHP 7.2 support
- Improved security hashes for the image proxy
- Improved security for the login cookie
- Assorted other security improvements
- Various improvements for both the installer and upgrader
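Three of the highlights (the image proxy hashes, the login cookie and the token-based unsubscribe links) share one pattern: sign the data with an HMAC keyed by a per-install secret and check it in constant time, so that neither a guessable hash nor a leaked password hash is enough to forge a proxy request, a session or an unsubscribe link. The following is an added illustration of that pattern, not code from SMF or Installatron. The function names, the cookie layout, the `$lookup_password_hash` callback and the sample data are assumptions of the example, and it assumes PHP 7 for `random_bytes()` and the `allowed_classes` option of `unserialize()`.

```php
<?php
// Added example, not SMF or Installatron code. Names such as $auth_secret,
// $token_secret, sign_proxy_url() and the cookie layout are assumptions.

// One-time secret generation at install time. 2.0.16 prefers
// openssl_random_pseudo_bytes when available; random_bytes() is the PHP 7
// equivalent and is tried first here.
function generate_secret($bytes = 32)
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    return bin2hex(openssl_random_pseudo_bytes($bytes));
}

// Image proxy: hash_hmac() rather than an ad-hoc sha1($url . $secret);
// a plain hash over secret-and-data is not a MAC construction.
function sign_proxy_url($url, $secret)
{
    $hash = hash_hmac('sha256', $url, $secret);
    return 'proxy.php?request=' . urlencode($url) . '&hash=' . $hash;
}

// Verifier for the proxy endpoint: only remote http(s) URLs are ever
// fetched, and the comparison is constant time.
function verify_proxy_request(array $query, $secret)
{
    if (!isset($query['request'], $query['hash'])
        || !is_string($query['request']) || !is_string($query['hash'])) {
        return false;
    }
    if (!preg_match('~^https?://~i', $query['request'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $query['request'], $secret);
    return hash_equals($expected, $query['hash']);
}

// Login cookie: the MAC binds member id, current password hash and expiry
// to a server-side secret, so a database leak alone cannot forge a session.
function make_login_cookie($member_id, $password_hash, $expires, $auth_secret)
{
    $mac = hash_hmac('sha256', $member_id . '|' . $password_hash . '|' . $expires, $auth_secret);
    return serialize(array((int) $member_id, (int) $expires, $mac));
}

// $lookup_password_hash returns the member's current password hash or null
// (assumed database access). Returns the member id on success, false otherwise.
function verify_login_cookie($cookie, $auth_secret, callable $lookup_password_hash, $now)
{
    // Never allow objects to be unserialized from a user-controlled cookie.
    $data = @unserialize($cookie, array('allowed_classes' => false));
    if (!is_array($data) || count($data) !== 3) {
        return false;
    }
    list($member_id, $expires, $mac) = $data;
    if (!is_int($member_id) || !is_int($expires) || !is_string($mac) || $expires < $now) {
        return false;
    }
    $password_hash = $lookup_password_hash($member_id);
    if ($password_hash === null) {
        return false;
    }
    $expected = hash_hmac('sha256', $member_id . '|' . $password_hash . '|' . $expires, $auth_secret);
    return hash_equals($expected, $mac) ? $member_id : false;
}

// Unsubscribe links: a token tied to member id and address, usable without
// logging in; changing the address invalidates old links.
function unsubscribe_token($member_id, $email, $token_secret)
{
    return hash_hmac('sha256', $member_id . "\0" . $email, $token_secret);
}

function verify_unsubscribe($member_id, $email, $token, $token_secret)
{
    return hash_equals(unsubscribe_token($member_id, $email, $token_secret), (string) $token);
}

// Constructed demonstration data.
$secret = generate_secret();
$signed = sign_proxy_url('http://example.com/avatar.png', $secret);
parse_str((string) parse_url($signed, PHP_URL_QUERY), $query);
$ok = verify_proxy_request($query, $secret);
$query['request'] = 'http://example.com/other.png';   // tampered URL, original hash
$tampered = verify_proxy_request($query, $secret);

$users = array(7 => 'stored-password-hash-of-member-7');
$cookie = make_login_cookie(7, $users[7], time() + 3600, $secret);
$member = verify_login_cookie($cookie, $secret, function ($id) use ($users) {
    return isset($users[$id]) ? $users[$id] : null;
}, time());

$token = unsubscribe_token(7, 'member7@example.com', $secret);
$unsub = verify_unsubscribe(7, 'member7@example.com', $token, $secret);

echo 'proxy ok: ', var_export($ok, true), ', tampered: ', var_export($tampered, true), "\n";
echo 'cookie member: ', var_export($member, true), ', unsubscribe: ', var_export($unsub, true), "\n";
```

The point of `hash_equals()` in each verifier is that a byte-by-byte `==` comparison returns early on the first mismatch and leaks, through timing, how much of a forged MAC is correct; the server secret must also live outside the web root and never be echoed into templates or logs.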
Changes
- Updated credits.
- Revert the fix to search highlighting [topic 550840]
- Generates $auth_secret during install, so that the admin can log in immediately.
- Improves UI for viewing/accepting changes to registration agreement & privacy policy.
- Improves UI for editing registration agreement & privacy policy.
- Correctly decides whether to search using a regex when using full text search.
- Prevents errors converting HTML entities to 4-byte characters during database maintenance.
- Removes old 1.1 themes during upgrade.
- Implements a number of fixes for the installer and upgrader.
- Removes deprecated ALTER IGNORE statements from upgrade SQL.
- Ensures check_mime_type() is defined before calling it in profileSaveAvatarData().
- Fixes a bug with regex searching in SQLite.
- Removes redundant count() in Poll.php and changes explode for implode.
- Uses hash_hmac to generate much more secure hashes for the image proxy.
- Adds `rel="noopener noreferrer"` to links for user supplied URLs. (Reported by Travis Knapp-Prasek)
- Increases cookie security by hashing with a secret authentication key. (Reported by Logan Whitmire)
- Requires admin password to add/remove admins via group moderation. (Reported by Logan Whitmire)
- Checks MIME type of user-supplied avatar images more thoroughly. (Reported by Logan Whitmire)
- Adds $force parameter to validateSession()
- Improves functionality and security of token-based unsubscribe system.
- Adds token-based unsubscribe links to newsletters.
- Simplifies language strings and templates for unsubscribe links.
- Shows an error message if trying to unsubscribe an invalid member id.
- Prevents sending newsletters to arbitrary email addresses in GDPR mode.
- Fixed create_function for the installer, warn for SQLite deprecation.
- Limit PM rules and how many times they can be applied in a time period.
- Don't proxy images for bots
- Cleanup old proxied images as part of daily maintenance
- Only set the old url whenever stats are being logged [topic 459730]
- Fix search highlighting to not mangle/expose some HTML [topic 550840]
- The code to check for too many PM labels was wrong [topic 559166]
- $db_persist needed to be defined as a global in the MySQLi driver [topic 552581]
- $smcFunc['db_error'] shouldn't require a database object as a parameter
- Add X-Frame-Options to both the installer and the upgrader
- Add registration agreement section where users can view and agree to the document, complete with logging
- Ensure that count() is called on valid objects when using PM labels in PHP 7.2
- Try to inject session tokens into any login form that doesn't already have one (may not work in SSI!)
- Implement privacy policy stuff for GDPR
- Add link in footer to agreement and privacy policy
- In XML profile export, explicitly state the language even when the member uses the forum default
- In installer and upgrader, get resource files from simplemachines.org via HTTPS
- Avoid generating errors for non-numeric start values when getting recent posts
- Add ability to force the browser to download XML feed data as a file (good for GDPR support)
- Add a link in profile actions menu to export profile info.
- Make cdata_parse() smarter and less aggressive
- Add "Allow the administrators to send me important news by email" checkbox to registration form
- Invalidate opcode after writing Settings.php (other/install.php)
- Use openssl_random_pseudo_bytes (if available) to generate the token_secret for unsubscribe links
- Fix a minor grammatical error and add a documentation comment to the email template
- Underline the link to the GDPR official info page
- Don't offer the Override Notification Settings option when composing a newsletter if force_gdpr is turned on
- Implement GDPR compliance regarding unsubscribe links and options for email notifications
- Add a GDPR compliance toggle to Core Features.
- Core theme missing login hash [topic 558445]
- template_kick_guest() missing login hash
- Wireless missing login hash [topic 557843]
- Fix code selection in modern browsers (Firefox, Chrome) [topic 553445]
- Message previews ate emoji on UTF forums [topic 558414]
- Improve logging of exceptions
- Don't load the MySQLi driver if on PHP 5.3
- Fix bitmask for error reporting
- Type mismatch [topics 554723, 556672, 558542]
- Undefined index errors if checking permissions too early [topic 558349]
- matchPackageVersion() did not extract the beta number correctly [topic 557810]
- Must clear the opcode cache on Settings.php when modifying it from within the admin area [topic 560180]
- Board theme should not be overridden by user theme [topic 558121]
- sendmail() should send the current server's name [topic 552893]
- smf_categories lost ordering on InnoDB tables in MySQL [topic 552922]
- Silence deprecation notices because we use deprecated functions everywhere
- Remove leftover code while porting from 2.1 [topic 555723]
- Several fixes for the proxy