MyBB Community Forums

Full Version: Release Security Fixes As Fixed
Will such critical problems be fixed and released before a new MyBB version is released?

All bugs found are responded to with "and are going to be fixed in the next version/SVN".

What about the problems that cause such security breaches? Shouldn't they be patched straight away with just a simple news post saying "edit xxx, replace yyy with zzz"?

Especially as some problems are made public. Script kiddies could have a field day with some of the problems that have been reported here but not fixed because we are waiting for new versions to be released with these fixes in them.
At which point in my post do I say it will be fixed for the next release?

As far as I am aware it's being worked on and a patch will be released when the problem is resolved.
I'm just talking about in general, didn't mean to single you out. Sorry.
Quote:Will such critical problems be fixed and released before a new MyBB version is released?
Of course. They are and always have been.

Quote:All bugs found are responded to with "and are going to be fixed in the next version/SVN".
All general bugs are fixed in that manner, security related issues are addressed ASAP and patched/released ASAP.
Ok :)

Couldn't all input be sanitised with addslashes? I like to make a loop in a global.php type file that gets all GET and POSTS vars and then assigns them to $get_varname and $post_varname with addslashes x2 applied to them all. I also use strip_tags but that wouldn't work in this environment. I then use stripslashes on all data coming from the db. That way it should be safe from most SQL injection techniques.
Or perhaps a filtering system. Something that contains INSERT INTO or SELECT FROM would be rejected unless it's identified as a variable already sanitised. For example, say any POST var that uses the name "message" would be exempt from this filter?
Well, what we do is actually strip all slashes from input if magic_quotes is turned on. We do this because the majority of servers these days seem to have magic_quotes disabled, and for performance reasons we don't want to be looping through every input variable on every page load when the majority of servers are configured that way.

We have a filtering system in place for certain variables such as tid, pid, fid, uid, etc. However, we can't add every input variable to that filter (which basically can check if a value is supposed to be an integer or not).

MyBB doesn't require stripslashes either because of the system we've got in place - because the data is slashed once before inserting it into the DB.

It's complicated and fairly hard to explain what I mean by it and why things are done the way they are, but it's done for a reason.
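The following is an added example, not MyBB's code and not from either poster, written in Python against an in-memory SQLite database so it runs without a web server. It models the two schemes discussed in the two posts above: the "addslashes x2 plus a keyword filter" proposal, and the developer's "undo magic_quotes, filter IDs like tid/pid/fid/uid as integers, slash once at the database" approach. The PHP functions addslashes, stripslashes and intval are re-implemented here as helpers (assumption: behaviour as the PHP manual documents it), MySQL's decoding of a backslash-escaped string literal is approximated by one stripslashes, and the `posts` table, its rows and all inputs are constructed for the example. The numeric-context injection is run for real against SQLite; the slash round trips are string models.

```python
"""Added example (not MyBB code): addslashes/keyword filtering versus an integer
filter and a single escaping step at the database boundary.  Constructed data only."""
import re
import sqlite3


# --- PHP-style helpers, re-implemented here (assumption: behaviour as PHP documents it) ---

def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape single quote, double quote, backslash and NUL."""
    return (s.replace("\\", "\\\\")      # backslash first, so later escapes are not doubled
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def stripslashes(s: str) -> str:
    """PHP stripslashes(): remove exactly one layer of backslash escaping."""
    return re.sub(r"\\(.)", lambda m: "\0" if m.group(1) == "0" else m.group(1), s, flags=re.DOTALL)


def intval(s: str) -> int:
    """PHP intval() on a string: leading integer, otherwise 0.  This is the shape of the
    per-variable 'is it supposed to be an integer' filter the developer describes."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


# The keyword filter proposed in the thread: reject values mentioning INSERT INTO / SELECT ... FROM.
BLOCKED = re.compile(r"\bINSERT\s+INTO\b|\bSELECT\b.*\bFROM\b", re.IGNORECASE | re.DOTALL)


def passes_keyword_filter(value: str) -> bool:
    return BLOCKED.search(value) is None


def normalise_input(raw: str, magic_quotes_gpc: bool) -> str:
    """What the developer describes: strip the slashes magic_quotes added, so every
    input reaches the rest of the code in one known, unescaped state."""
    return stripslashes(raw) if magic_quotes_gpc else raw


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two threads, two posts each (pid 1..4)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (pid INTEGER PRIMARY KEY, tid INTEGER, message TEXT)")
    db.executemany("INSERT INTO posts (tid, message) VALUES (?, ?)",
                   [(1, "first thread"), (1, "it's a reply"), (2, "other thread"), (2, "private")])
    return db


def posts_addslashes_only(db: sqlite3.Connection, tid_input: str) -> list:
    """'Sanitise everything with addslashes': no help in an unquoted numeric context,
    because there is no quote to escape.  Vulnerable by design for the demonstration."""
    sql = "SELECT pid FROM posts WHERE tid=" + addslashes(tid_input)
    return [row[0] for row in db.execute(sql)]


def posts_int_filter(db: sqlite3.Connection, tid_input: str) -> list:
    """The integer filter for tid, plus a bound parameter at the database boundary."""
    tid = intval(tid_input)
    return [row[0] for row in db.execute("SELECT pid FROM posts WHERE tid=?", (tid,))]


def poster_scheme_roundtrip(original: str, magic_quotes_gpc: bool) -> str:
    """The proposal: addslashes twice on the way in, stripslashes once on the way out.
    One slash layer is consumed when MySQL parses the quoted literal (modelled here as
    one stripslashes).  With magic_quotes_gpc on, a third layer is added by PHP first."""
    raw = addslashes(original) if magic_quotes_gpc else original  # what PHP hands the script
    escaped = addslashes(addslashes(raw))                          # "addslashes x2"
    stored = stripslashes(escaped)                                 # MySQL decodes one layer
    return stripslashes(stored)                                    # "stripslashes on all db data"


def mybb_scheme_roundtrip(original: str, magic_quotes_gpc: bool) -> str:
    """The developer's description: normalise input, slash exactly once before the
    INSERT, and never stripslashes on the way out, because nothing extra was stored."""
    raw = addslashes(original) if magic_quotes_gpc else original
    value = normalise_input(raw, magic_quotes_gpc)
    return stripslashes(addslashes(value))                         # slashed once, decoded once


if __name__ == "__main__":
    db = make_db()
    attack = "1 OR 1=1"
    print("keyword filter passes attack:", passes_keyword_filter(attack))
    print("addslashes only:", posts_addslashes_only(db, attack))    # every pid leaks
    print("integer filter :", posts_int_filter(db, attack))         # thread 1 only
    for mq in (False, True):
        print("magic_quotes", mq, "poster:", repr(poster_scheme_roundtrip("it's", mq)),
              "developer:", repr(mybb_scheme_roundtrip("it's", mq)))
```

Two things the run makes concrete. Escaping only protects quoted string literals; an input used as `WHERE tid=$tid` has nothing to escape, so the "1 OR 1=1" value passes both addslashes and the keyword filter and returns every thread's posts, which is exactly why the IDs get a type check rather than a string filter. And slash layers have to match: the double-addslashes scheme happens to round-trip when magic_quotes is off, but with it on a post containing an apostrophe comes back as `it\'s`, whereas normalising first and escaping once at the database boundary returns the original in both configurations.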