
MyLittleForum 20260208.1 (2.5.14), security fix for possible code injection in the image upload


@auge8472 released this 08 Feb 21:35

This is a further bugfix release in the 2.5 branch with a fix for a possible PHP code injection in the image upload feature. It was possible to prepare an image that also contains executable PHP code as a PHAR package. Processing such an image after the upload would have caused the execution of that code. Rewriting the image as the first processing step now removes the potentially malicious code from the image.
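What "rewriting the image as the first processing step" means in practice, as an added illustration that is not MyLittleForum's own code: the uploaded bytes are decoded with GD and re-encoded into a fresh file, so only pixel data survives and any appended PHAR stub or PHP code is discarded. The function name, the allow-list of types and the path handling are assumptions.

```php
<?php
// Added example (not the project's code): re-encode an uploaded image with GD
// before any other processing, so bytes embedded by the uploader (e.g. a PHAR
// stub carrying PHP code inside an image-looking file) never reach the stored
// file. Function name and allowed types are assumptions for this example.

declare(strict_types=1);

const ALLOWED_IMAGE_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP];

/**
 * Rewrites $sourcePath to $targetPath as a freshly encoded image.
 * Returns the target path on success, or null if the upload is not a supported image.
 */
function rewriteUploadedImage(string $sourcePath, string $targetPath): ?string
{
    $raw = file_get_contents($sourcePath);
    if ($raw === false) {
        return null;
    }

    // Detect the type from the bytes, never from the client-supplied name or MIME type.
    $info = getimagesizefromstring($raw);
    if ($info === false || !in_array($info[2], ALLOWED_IMAGE_TYPES, true)) {
        return null;
    }

    // GD parses only the pixel data; trailing or embedded non-image bytes are dropped here.
    $image = @imagecreatefromstring($raw);
    if ($image === false) {
        return null;
    }

    // Keep the alpha channel for PNG/GIF/WebP output instead of flattening it.
    imagesavealpha($image, true);

    switch ($info[2]) {
        case IMAGETYPE_JPEG:
            $ok = imagejpeg($image, $targetPath, 90);
            break;
        case IMAGETYPE_PNG:
            $ok = imagepng($image, $targetPath, 6);
            break;
        case IMAGETYPE_GIF:
            $ok = imagegif($image, $targetPath);
            break;
        default:
            $ok = imagewebp($image, $targetPath, 90);
    }
    imagedestroy($image);

    return $ok ? $targetPath : null;
}
```

Write the re-encoded file to a new path and discard the original upload; the raw upload should never be moved into a web-served directory or handed to other processing before this step.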

The security issue was reported by @Matrix-Cain.

The new version contains several further fixes. Furthermore, we upgraded Smarty from version 3.1.x to 5.7.0. This makes it necessary to add a few new directories for running Smarty: the directory infrastructure and its subdirectories smarty_cache and templates_c. Please do not forget to upload the new directory structure, otherwise the forum will not run in its new version. The old directory templates_c in the root directory of the forum is obsolete with the upgrade to MLF 20260208.1 and will be marked for removal with the next upgrade.

The minimal PHP version the forum is able to run on is PHP 7.3; the maximal (tested) PHP version is 8.4. The minimal version of the MySQL database server was raised to 5.7.7 (or 10.2.2 in the case of a MariaDB server) with one of the previous releases (20240729.1). The minimal version of MLF from which one can start an upgrade is version 2.4.19.

Important notice

After finishing the upgrade process the forum stays in maintenance mode. Since version 20250921.1 the default theme reports this to the forum administrators on every page (see PR #854). You have to manually enable the forum again in the settings page afterwards.

Second notice

Since MLF version 20251010.1 the list of files to delete is separated from the list of files to upload.

What's Changed

  • Prevent code execution during processing of uploaded images by @loesler in #900 and @auge8472 in #906
  • Fix several deprecation messages in the PHP code for PHP 8.x versions by @loesler in #911 and #913 as well as by @auge8472 in #904
  • Fix youtube embedding error 153 by @auge8472 in #917
  • Add Smarty 5.7 to MLF2 by @auge8472 in #912
  • Reset the pagination on the overview pages to page 1 to prevent landing on an empty page when switching between the normal and the spam thread list by @auge8472 in #896
  • Replace $_SERVER['PHP_SELF'] with $_SERVER['SCRIPT_NAME'] by @auge8472 in #908
  • Ensure the request method is GET or POST by @auge8472 in #901
  • More cleanup in the styling rulesets by @auge8472 in #897, #902, #905, #910
  • Add elements for new contacting scheme settings to the user edit form in the admin area by @auge8472 in #909
  • Style posting management buttons by @auge8472 in #898
  • Add a blurring effect to ::backdrop of the full-size-image popover by @auge8472 in #903
  • Remove the language strings enclosing single quotes in the installation script by @auge8472 in #918
  • Enhancement for the upgrade process starting from a stable version of the 2.4 branch by @auge8472 in #916

Full Changelog: 20251129.1...20260208.1