Details
-
Type:
Task
-
Status: Unverified Fix
-
Priority:
Blocker
-
Resolution: Fixed
-
Affects Version/s: 3.0.8
-
Fix Version/s: 3.0.9-RC1
-
Component/s: None
-
Labels:None
Description
This issue was first reported by lacton via the security tracker.
In certain conditions, phpBB is exposing the full path of cron.php. ie apache access log shows requests:
"GET /var/www/jadephpbb/httpdocs/cron.php?cron_type=tidy_search HTTP/1.1" 404 304 "https://forums.jadeworld.com/viewtopic.php?f=9&t=1206&start=0"
Support topic: http://www.phpbb.com/community/viewtopic.php?f=46&t=2121664
Issue Links
- is related to
-
PHPBB3-8334
common.php code for IN_CRON
- Closed
Activity
Your 3.1 code still breaks all MODs files...
I think that is acceptable. Do you have an alternate proposal?
The current fix options are as follows.
For 3.0, we have a minimal fix here:
https://github.com/p/phpbb3/compare/develop-olympus...ticket%2F10046-v2
The actual fix is in the first commit, the second commit is a relevant change but not technically part of the fix.
Note that due to http://tracker.phpbb.com/browse/PHPBB3-9912 the first commit will not apply cleanly to 3.0.8 (but the logic does transfer over).
For 3.1, the "proper" proposed fix is here:
https://github.com/p/phpbb3/compare/develop...ticket%2F10046
Note that the two 3.0 commits need to be merged into develop, then the first commit reverted and conflicts between the second commit and unrelated changes in develop resolved, then the 3.1 fix applied on top.