ElkArte Community

Elk Development => Bug Reports => Topic started by: emanuele on April 16, 2016, 12:13:16 pm

Title: attachments 404
Post by: emanuele on April 16, 2016, 12:13:16 pm
Two problems:
1) for some reason the directory settings were all wiped out during the upgrade,
2) bad behaviour requires a theme and attachments don't load the theme, so the question is: do attachments need bad behaviour? If the answer is no, loadBadBehavior (and maybe loadBBCParsers as well) should be called only with loadTheme, otherwise there is something to tweak.
Title: Re: attachments 404
Post by: Spuds on April 16, 2016, 02:52:51 pm
On BB, you mean for dlattach actions?
Title: Re: attachments 404
Post by: emanuele on April 16, 2016, 03:01:05 pm
Quote from: Spuds – On BB, you mean for dlattach actions?
Yep.

What I did here live is:
Code:
	// Attachments don't require the entire theme to be loaded.
	if ($_req->getQuery('action') === 'dlattach' && (!empty($modSettings['allow_guestAccess']) && $user_info['is_guest']) && (empty($maintenance) || allowedTo('admin_forum')))
		detectBrowser();
	// Load the current theme.  (note that ?theme=1 will also work, may be used for guest theming.)
	else
	{
		loadTheme();

		// Load BadBehavior before we go much further
		loadBadBehavior();

		// The parser is not a DIC just yet
		loadBBCParsers();
	}
Title: Re: attachments 404
Post by: Spuds on April 16, 2016, 03:05:23 pm
I'd think you would want to protect that action with BB but it's not critical
Title: Re: attachments 404
Post by: emanuele on April 16, 2016, 03:09:10 pm
I really don't know (in the sense that I really have no idea what BB does LOL), I assumed BB was intercepting forms POST'ed in order to avoid registrations and stuff like that, so I thought it was safe to let attachments be downloaded at will.
But if you say to, then we have to fix the (bad :P) behaviour... what an idiotic joke. LOL
Title: Re: attachments 404
Post by: Spuds on April 16, 2016, 03:21:01 pm
BB also may use the HTTP BL so it can block based on that (at least that was my thought in this case)
Title: Re: attachments 404
Post by: Frenzie on April 16, 2016, 03:31:44 pm
Quote from: emanuele – I really don't know (in the sense that I really have no idea what BB does LOL), I assumed BB was intercepting forms POST'ed in order to avoid registrations and stuff like that, so I thought it was safe to let attachments be downloaded at will.
But if you say to, then we have to fix the (bad :P) behaviour... what an idiotic joke. LOL
For me it doesn't do all that much to prevent registrations per se, but rather the enormous bandwidth and CPU leech caused by such bots. Which includes more than just (failed) registrations, although that's what they concentrate on the most.

Or to put it another way, if PHP is involved in loading attachments it'd be a damn shame if Bad Behavior didn't step in to kick out, um, badly behaving/blacklisted entities.
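
The ordering question raised in this thread, as an added sketch that is not ElkArte's or Bad Behavior's code: screening placed in the theme branch (as in the snippet posted earlier) next to screening done before the dlattach/theme branch. Every function name, the blocklist, the step labels and the sample requests are hypothetical and constructed for illustration; the guest and maintenance conditions from the posted snippet are left out for brevity.

```php
<?php
// Hypothetical stand-in for a request screener such as Bad Behavior:
// it needs only request data, never the theme.
function screenRequest(array $req, array $blockedIps): bool
{
    return !in_array($req['ip'], $blockedIps, true)
        && trim($req['user_agent'] ?? '') !== '';
}

// Ordering as in the snippet posted in the thread: screening sits in the
// theme branch, so the attachment path is never screened.
function handleScreenWithTheme(array $req, array $blockedIps): array
{
    if ($req['action'] === 'dlattach') {
        return ['detect_browser', 'serve_attachment'];
    }
    $steps = ['load_theme'];
    if (!screenRequest($req, $blockedIps)) {
        return array_merge($steps, ['respond_403']);
    }
    return array_merge($steps, ['load_bbc_parsers', 'serve_page']);
}

// Alternative ordering: screen every request first, then branch.
function handleScreenFirst(array $req, array $blockedIps): array
{
    if (!screenRequest($req, $blockedIps)) {
        return ['respond_403'];
    }
    if ($req['action'] === 'dlattach') {
        return ['detect_browser', 'serve_attachment'];
    }
    return ['load_theme', 'load_bbc_parsers', 'serve_page'];
}

// Constructed sample data (documentation address ranges).
$blockedIps = ['203.0.113.7'];
$requests = [
    ['ip' => '198.51.100.20', 'user_agent' => 'Mozilla/5.0', 'action' => 'dlattach'],
    ['ip' => '203.0.113.7', 'user_agent' => 'Mozilla/5.0', 'action' => 'dlattach'],
    ['ip' => '203.0.113.7', 'user_agent' => 'Mozilla/5.0', 'action' => 'display'],
];
foreach ($requests as $req) {
    printf("%-14s %-9s theme-branch: %-32s screen-first: %s\n",
        $req['ip'], $req['action'],
        implode(',', handleScreenWithTheme($req, $blockedIps)),
        implode(',', handleScreenFirst($req, $blockedIps)));
}
```

The second sample row is the case discussed above: the blocklisted address still gets the attachment when screening depends on the theme branch, and is refused when screening runs first.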