PhpBB3: Difference between revisions

From RavenWiki
(Updated for release of phpBB3.0.0-raven-0.31)
Line 9: Line 9:
While there is no formal guarantee of support for any problems, any problems affecting Computing Service use of the modifications are likely to be addressed, sooner or later.
While there is no formal guarantee of support for any problems, any problems affecting Computing Service use of the modifications are likely to be addressed, sooner or later.


Since there is currently no way to automatically install modifications supplied in the XML-based phpBB3 "mod file" format (and manual installation would be very fiddly), these modifications are being provided as sets of added and replacement files for specific phpBB3 versions. NB Installing them on any other version would most likely be disastrous, losing significant changes between the versions and quite probably breaking phpBB3 functionality.
Since there is currently no way to automatically install modifications supplied in the XML-based phpBB3 "mod file" format (and manual installation would be very fiddly), these modifications are being provided as sets of added and replacement files for specific phpBB3 versions. NB Installing them on any other version would most likely be disastrous, losing significant changes between the phpBB versions and quite probably breaking phpBB3 functionality.


==phpBB3.0.0-raven-0.3==
==phpBB3.0.0-raven-0.31==


This is largely just the 0.2 kit updated for use with phpBB 3.0.0, but the location of the Raven server's public key file(s) is now specified through the Admin Control Panel (rather than by editing a file), and various checks are done before enabling Raven authentication. It will now refuse to enable it (with an explanation) if any of the various pre-requisites (such as the PHP OpenSSL extension) are not met, greatly reducing the risk that Raven authentication will be enabled when certain to fail. The README file in the tar and zip file kits has now been split into three files: Changelog (details of what's changed), README (what to expect from these modifications, etc.) and INSTALL (how to install the modifications).
Version 0.31 is a small, but important update to version 0.3 - it includes an updated (version 0.62) copy of the PHP authentication library (ucam_webauth.php) which resolves a potentially serious security problem described in an announcement (29 Apr 2008) on the cs-raven-announce and cs-raven-discuss mailing lists. See [https://lists.cam.ac.uk/mailman/private/cs-raven-announce/2008/msg00002.html New version (0.51) of the ucam_webauth.php library [SECURITY FIX]] in the mailing list archive for details of the problem.  


Special care is needed (details in the INSTALL file) if you are upgrading from an earlier version of these modifications (because of the change to how the the Raven public key directory is specified).
'''It is recommended that any phpBB installation using an earlier version of these modifications should be upgraded, in order to resolve the security issue.'''


Note that the problem mentioned below that affected use of phpBB3RC7 with PHP 5.2.4 and .5 (in general, not specifically Raven authentication) was fixed in the subsequent phpBB 3.0.0 release, and no longer requires special attention.
NB You cannot simply switch to using version 0.51 of ucam_webauth.php (as previously announced) with phpBB to fix the security problem, since (a) the security fix requires changes in the application using it, and (b) the phpBB modifications require an enhanced version of ucam_webauth.php. As for earlier versions of these modifications, the required version of ucam_webauth.php is included in the phpBB modifications kit. Also, the enhanced version (0.62) of ucam_webauth.php is not suitable for applications requiring the older functionality, as that currently has known problems rendering it unusable. It is hoped that a future version of ucam_webauth.php will correct that, make the enhanced functionality more widely available and remove the need for different versions to be used by different applications.


Downloads:
For phpBB 3.0.0 installations using version 0.3 of these modifications, a simplified installation procedure is documented in the INSTALL file, amounting to copying three modified files from the kit and (typically) one or two changes to the phpBB configuration.  
* [http://raven.cam.ac.uk/project/phpbb/files/phpBB3.0.0-raven-0.3.tar.gz phpBB3.0.0-raven-0.3.tar.gz]
* [http://raven.cam.ac.uk/project/phpbb/files/phpBB3.0.0-raven-0.3.zip phpBB3.0.0-raven-0.3.zip]
 
==phpBB3rc7-raven-0.2==


This is essentially the first public version of these modifications (identical to version 0.1 except for important corrections to the installation instructions). See the README file in the tar/zip files for details of what facilities the modifications do (or do not) provide, as well as the installation instructions. As supplied, the only supported language is English and the only supported style is the (default) prosilver, though updating other languages and styles to work with these modifications would not be a large amount of work (given the appropriate expertise).
The main difference between version 0.3/0.31 of these modifications and the earlier versions (apart from the security fix) is support for the official phpBB 3.0.0 release (whereas prior modifications were for phpBB3 "release candidate" versions). Additionally, the location of the Raven server's public key file(s) is now specified through the Admin Control Panel (rather than by editing a file), and various checks are done before enabling Raven authentication, refusing to enable it (with an explanation) if any of the various pre-requisites (such as the PHP OpenSSL extension) are not met. That greatly reducing the risk that Raven authentication will be enabled when it is certain to fail. The README file in the tar and zip file kits has been split into three files: Changelog (details of what's changed), README (what to expect from these modifications, etc.) and INSTALL (how to install the modifications).


These modifications are specifically for phpBB3rc7 (i.e. Release Candidate 7), and should not be expected to work without modification on later (or earlier) versions.
Special care is needed (details in the INSTALL file)
* if you are upgrading from version 0.2 or earlier of these modifications (because of the change to how the the Raven public key directory is specified), and also
* for upgrades from version 0.3 and earlier, and also for new installations (to ensure that a couple of phpBB configuration settings are compatible with the security fix, as their default values set during installation may not be appropriate)


Downloads:
Downloads:
* [http://raven.cam.ac.uk/project/phpbb/files/phpBB3rc7-raven-0.2.tar.gz phpBB3rc7-raven-0.2.tar.gz]
* [http://raven.cam.ac.uk/project/phpbb/files/phpBB3.0.0-raven-0.31.tar.gz phpBB3.0.0-raven-0.31.tar.gz]
* [http://raven.cam.ac.uk/project/phpbb/files/phpBB3rc7-raven-0.2.zip phpBB3rc7-raven-0.2.zip]
* [http://raven.cam.ac.uk/project/phpbb/files/phpBB3.0.0-raven-0.31.zip phpBB3.0.0-raven-0.31.zip]
 
The tar.gz and zip file contents are identical except for the files within the zip file having Windows newlines (i.e. carriage-return+line-feed) rather than Unix newlines (just line-feed).
 
<b>WARNING</b> See [[PHP 5.2.4 and .5 break phpBB3rc7 on Windows]] if relevant to the system on which you are, or will be, running phpBB3.


==Future plans==
==Future plans==
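Review bot: The second "Special care is needed" bullet says "a couple of phpBB configuration settings" must be compatible with the security fix but never names them. Since the text itself says their install-time defaults "may not be appropriate", name the settings here or cite the relevant INSTALL section so administrators know what to check. The added paragraph also has "That greatly reducing the risk" (should be "reduces") and the first bullet has "the the Raven public key directory". The 0.31 kits are linked over plain http:// with no checksum, which is worth fixing for a release whose purpose is a security fix.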
Line 41: Line 35:
With no promises about timescales, or exactly what will be included in futures versions, the following may be of interest as a guide to potential short-term developments.
With no promises about timescales, or exactly what will be included in futures versions, the following may be of interest as a guide to potential short-term developments.


===Enhancements to existing facilities===
===Planned enhancements to existing facilities===


* "sanity-checking" the environment, to reject attempts to enable Raven authentication when it would be certain to leave phpBB with non-working authentication (e.g. if PHP's OpenSSL support is not available)
* improvements to error handling
* improvements to error handling
* resolution of known problems documented in the README file


===New functionality===
===Planned new functionality===


* (optional) ability to use data from the University's "lookup" directory to set corresponding phpBB3 User Profile fields.
* (optional) ability to use data from the University of Cambridge [http://www.lookup.cam.ac.uk/ "lookup" directory] to set corresponding phpBB3 User Profile fields.
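Review bot: The unchanged line above the renamed headings still reads "futures versions"; correct it to "future versions" while this section is being edited. Removing the "sanity-checking" bullet matches the 0.3/0.31 text that says those checks are now done, so no further change is needed there.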

Revision as of 21:06, 6 May 2008

Introduction

phpBB is a very popular PHP-based web forum package, which has been extensively updated for version 3.

Although phpBB3 includes an authentication "plug-in" facility, that does not make it trivial to enable use of Raven - it makes too many assumptions about how authentication works.

As the first stage of a larger project, the Computing Service has developed the necessary modifications to allow fully integrated use of Raven with phpBB3. Those modifications are being made available in the hope that they will be of wider use around the University.

While there is no formal guarantee of support for any problems, any problems affecting Computing Service use of the modifications are likely to be addressed, sooner or later.

Since there is currently no way to automatically install modifications supplied in the XML-based phpBB3 "mod file" format (and manual installation would be very fiddly), these modifications are being provided as sets of added and replacement files for specific phpBB3 versions. NB Installing them on any other version would most likely be disastrous, losing significant changes between the phpBB versions and quite probably breaking phpBB3 functionality.

phpBB3.0.0-raven-0.31

Version 0.31 is a small, but important update to version 0.3 - it includes an updated (version 0.62) copy of the PHP authentication library (ucam_webauth.php) which resolves a potentially serious security problem described in an announcement (29 Apr 2008) on the cs-raven-announce and cs-raven-discuss mailing lists. See New version (0.51) of the ucam_webauth.php library [SECURITY FIX] in the mailing list archive for details of the problem.

It is recommended that any phpBB installation using an earlier version of these modifications should be upgraded, in order to resolve the security issue.

NB You cannot simply switch to using version 0.51 of ucam_webauth.php (as previously announced) with phpBB to fix the security problem, since (a) the security fix requires changes in the application using it, and (b) the phpBB modifications require an enhanced version of ucam_webauth.php. As for earlier versions of these modifications, the required version of ucam_webauth.php is included in the phpBB modifications kit. Also, the enhanced version (0.62) of ucam_webauth.php is not suitable for applications requiring the older functionality, as that currently has known problems rendering it unusable. It is hoped that a future version of ucam_webauth.php will correct that, make the enhanced functionality more widely available and remove the need for different versions to be used by different applications.

For phpBB 3.0.0 installations using version 0.3 of these modifications, a simplified installation procedure is documented in the INSTALL file, amounting to copying three modified files from the kit and (typically) one or two changes to the phpBB configuration.

The main difference between version 0.3/0.31 of these modifications and the earlier versions (apart from the security fix) is support for the official phpBB 3.0.0 release (whereas prior modifications were for phpBB3 "release candidate" versions). Additionally, the location of the Raven server's public key file(s) is now specified through the Admin Control Panel (rather than by editing a file), and various checks are done before enabling Raven authentication, refusing to enable it (with an explanation) if any of the various pre-requisites (such as the PHP OpenSSL extension) are not met. That greatly reduces the risk that Raven authentication will be enabled when it is certain to fail. The README file in the tar and zip file kits has been split into three files: Changelog (details of what's changed), README (what to expect from these modifications, etc.) and INSTALL (how to install the modifications).
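One way a pre-enable check of the kind described above could be written, as an added example rather than code from the modifications kit. The function name `raven_preflight`, the `*.crt` key file pattern and the demo directory are assumptions made for illustration.

```php
<?php
// Added illustration, not the kit's code. Returns a list of problems;
// an empty list means the pre-requisites checked here are met.
function raven_preflight(string $keyDir): array
{
    $problems = [];

    // Signature verification is impossible without OpenSSL, so stop here.
    if (!extension_loaded('openssl')) {
        return ['PHP OpenSSL extension is not loaded'];
    }

    if (!is_dir($keyDir) || !is_readable($keyDir)) {
        return ["Public key directory '$keyDir' is missing or unreadable"];
    }

    // Hypothetical layout: one PEM certificate or public key per *.crt file.
    $usable = 0;
    foreach (glob(rtrim($keyDir, '/') . '/*.crt') ?: [] as $file) {
        $pem = file_get_contents($file);
        $key = ($pem === false) ? false : openssl_pkey_get_public($pem);
        if ($key === false) {
            $problems[] = "Key file '$file' cannot be parsed as a public key";
            continue;
        }
        $usable++;
    }

    if ($usable === 0) {
        $problems[] = 'No usable public key found in the key directory';
    }
    return $problems;
}

// Constructed demo input: a temporary directory holding one invalid key file.
$dir = sys_get_temp_dir() . '/raven-keys-demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . '/demo.crt', "not a key\n");

$problems = raven_preflight($dir);
if ($problems) {
    // Fail closed: keep the existing authentication method and explain why.
    echo "Refusing to enable Raven authentication:\n - " . implode("\n - ", $problems) . "\n";
} else {
    echo "Pre-requisites met.\n";
}
```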

Special care is needed (details in the INSTALL file)

  • if you are upgrading from version 0.2 or earlier of these modifications (because of the change to how the Raven public key directory is specified), and also
  • for upgrades from version 0.3 and earlier, and also for new installations (to ensure that a couple of phpBB configuration settings are compatible with the security fix, as their default values set during installation may not be appropriate)

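Downloads:

  • phpBB3.0.0-raven-0.31.tar.gz (http://raven.cam.ac.uk/project/phpbb/files/phpBB3.0.0-raven-0.31.tar.gz)
  • phpBB3.0.0-raven-0.31.zip (http://raven.cam.ac.uk/project/phpbb/files/phpBB3.0.0-raven-0.31.zip)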

Future plans

With no promises about timescales, or exactly what will be included in future versions, the following may be of interest as a guide to potential short-term developments.

Planned enhancements to existing facilities

  • improvements to error handling
  • resolution of known problems documented in the README file

Planned new functionality

  • (optional) ability to use data from the University of Cambridge "lookup" directory to set corresponding phpBB3 User Profile fields.