## CHANGELOG:

## v1.2.4c :

1. Made compatible with FluxBB 1.4
2. Replaced all addslashes with $db->escape
3. install_mod.php script now also works in PostgreSQL and SQLite

## v1.2.4b :

1. Use lang file for all text in message_list.php, e.g.: Delete should be:
2. Lang correction in message_list.php:

       if ($pun_user['is_guest']) message($lang_common['Login required']);

   should be:

       if ($pun_user['is_guest']) message($lang_common['Not logged in']);

   (there is no 'Login required' lang entry in /lang/[Your language]/common.php)
3. Messages header and footer links now look like this:
   Index » Private Messages » Inbox
   instead of:
   My board title » Private Messages » Inbox
4. Some changes in the readme.txt install instructions.
5. Some other minor changes.

## v1.2.4a :

1. Multiple replies to PMs cause long subject lines: RE: RE: RE: ...
   Fix: http://www.punres.net/viewtopic.php?pid=19466#p19466
2. Flood protection bug mentioned here: http://www.punres.net/viewtopic.php?pid=25531#p25531
   Fix based on: http://www.punres.net/viewtopic.php?pid=25533#p25533
3. Receiver message status bug mentioned here: http://www.punres.net/viewtopic.php?pid=25530#p25530
   Fix based on: http://www.punres.net/viewtopic.php?pid=20697#p20697
4. Security fix: http://www.punres.net/viewtopic.php?pid=25488#p25488
5. In include/pms/header_new_messages.php

       $pun_config['o_pms_messages']

   should be:

       $pun_config['o_pms_enabled']

6. Security fix when deleting multiple messages in message_list.php
   Fix based on: http://www.punres.net/viewtopic.php?pid=22438#p22438
   Details:
   Find:

       // Delete messages

   Before, add:

       if (@preg_match('/[^0-9,]/', $_POST['messages'])) message($lang_common['Bad request']);

7. Made style changes to prevent overlapping of boxes in some stylesheets,
   e.g. overlapping when you modify style/Oxygen.css from:

       .pun {FONT-SIZE: 11px; LINE-HEIGHT: normal}

   to:

       .pun {FONT-SIZE: 12px; LINE-HEIGHT: normal}

   Also fixed the style issue mentioned here: http://punbb.informer.com/forums/post/73846/#p73846
8. There is no message limit for moderators, even though one can set a limit for moderators in the admin cp. Fixed.
9. Message box status not being displayed for moderators. Fixed.
10. If message box is full, messages that you are sending can still be saved in the Sent folder when sending the message to an administrator or moderator. Fixed.
    Details:
    In message_send.php replace:

        if($pun_user['g_pm_limit'] != 0 && $pun_user['g_id'] > PUN_GUEST && $status > PUN_GUEST)

    with:

        if ($pun_user['g_pm_limit'] != 0 && $pun_user['g_id'] > PUN_ADMIN)

11. In PM admin cp:
    "This is the number of messages each user is allowed in their inbox."
    should be:
    "This is the number of messages users in this group are allowed to store. Set to 0 to allow unlimited messages."
    (messages in the 'Sent' folder are also counted, not just messages in the 'Inbox')
12. Setting a usergroup's message limit to 0 gives that usergroup unlimited storage space for messages, but the "Your inbox is full!" message is still displayed in the header. Fixed.
    Details:
    In header_new_messages.php, replace:

        if ($pun_config['o_pms_enabled'] != 0 && $pun_user['g_id'] > PUN_ADMIN)

    with:

        if ($pun_config['o_pms_enabled'] != 0 && $pun_user['g_pm_limit'] != 0 && $pun_user['g_id'] > PUN_ADMIN)

13. Fixed the PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit exploit, as posted by athos at milw0rm here: http://www.milw0rm.com/exploits/7159
    Dante90 mentioned the same exploit at punbb.org here: http://punbb.informer.com/forums/topic/20320/punbb-private-messaging-system-12x-multiple-lfi-exploit/
    I even contacted the guy who discovered the exploit (athos) and asked him to test this update (v1.2.4) and see if the vulnerability is still present. I then got a reply back from him saying v1.2.4 fixed the exploit successfully.
14. Several other minor changes, e.g. spelling corrections, intval() instead of (int), rearrange code brackets etc.
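
The check from item 6 of v1.2.4a, worked through as an added example (not code from the mod): `parse_message_ids()` is a hypothetical helper that applies the same character test to a comma-separated id list, then drops empty elements and casts each id, assuming message ids are positive integers. The sample inputs are constructed.

```php
<?php
// Added example, not part of the mod. parse_message_ids() is a hypothetical helper.

/**
 * Validate a comma-separated list of message ids, as submitted in
 * $_POST['messages'], and return it as an array of positive integers.
 * Returns null when the request should be refused.
 */
function parse_message_ids($raw)
{
    // Arrays and other non-string input are refused outright.
    if (!is_string($raw))
        return null;

    // The character test from item 6: only digits and commas may appear.
    if (preg_match('/[^0-9,]/', $raw))
        return null;

    // "", ",," and "3,,7," pass the character test, so drop empty
    // elements and cast the rest (assumption: ids start at 1).
    $ids = array();
    foreach (explode(',', $raw) as $part)
    {
        if ($part === '')
            continue;
        $id = intval($part);
        if ($id > 0)
            $ids[$id] = $id; // keyed by id to remove duplicates
    }

    return empty($ids) ? null : array_values($ids);
}

// Constructed sample inputs.
$samples = array('3,7,12', '3,,7,', '', ',,', '3,7x', '3, 7', '5,5,0', array('1'));

foreach ($samples as $raw)
{
    $ids = parse_message_ids($raw);
    if ($ids === null)
        echo json_encode($raw), " => Bad request\n";
    else
        // Every element is an integer, so the list is well formed for IN (...).
        echo json_encode($raw), ' => id IN (', implode(',', $ids), ")\n";
}
```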