author | Marc Alexander <admin@m-a-styles.de> | 2019-04-29 08:40:16 +0200 |
---|---|---|
committer | Marc Alexander <admin@m-a-styles.de> | 2019-04-29 09:40:19 +0200 |
commit | c5a995ec8dc43b1ad9c68c725753cdd3b45bcee8 (patch) | |
tree | 94a9c38796258808839b1ffb6464ea30c552776b | |
parent | Merge branch '3.2.x' (diff) | |
parent | Merge branch 'prep-release-3.2.6' into 3.2.x (diff) | |
Merge branch '3.2.x'
23 files changed, 237 insertions, 30 deletions
diff --git a/build/build.xml b/build/build.xml index 511aef8a83..1dc8136802 100644 --- a/build/build.xml +++ b/build/build.xml @@ -3,7 +3,7 @@ <project name="phpBB" description="The phpBB forum software" default="all" basedir="../"> <!-- a few settings for the build --> <property name="newversion" value="3.3.0-a1-dev" /> - <property name="prevversion" value="3.2.6-RC1" /> + <property name="prevversion" value="3.2.6" /> <property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5" /> <!-- no configuration should be needed beyond this point --> diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 37710b30a6..c6f05ca309 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -50,6 +50,7 @@ <ol> <li><a href="#changelog">Changelog</a> <ul> + <li><a href="#v326rc1">Changes since 3.2.6-RC1</a></li> <li><a href="#v325">Changes since 3.2.5</a></li> <li><a href="#v325rc1">Changes since 3.2.5-RC1</a></li> <li><a href="#v324">Changes since 3.2.4</a></li> 
@@ -136,6 +137,23 @@ <div class="inner"> <div class="content"> + <a name="v326rc1"></a><h3>Changes since 3.2.6-RC1</h3> + <h4>Bug</h4> + <ul> + <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16027">PHPBB3-16027</a>] - Appveyor builds fail on PHP 7.0</li> + </ul> + <h4>Security Issue</h4> + <ul> + <li>[SECURITY-231] - Remote avatar functionality allows checking for files and ports on local network</li> + <li>[SECURITY-235] - Fulltext native search can be used to cause long execution times</li> + </ul> + <h4>Hardening</h4> + <ul> + <li>[SECURITY-228] - Require form token in login_box</li> + <li>[SECURITY-233] - SMTP auth data shouldn't be cached</li> + <li>[SECURITY-234] - Main website URL in Admin Control Panel should not support JS URLs</li> + </ul> + <a name="v325"></a><h3>Changes since 3.2.5</h3> <h4>Bug</h4> <ul> diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 28f972b9c9..083bd5adac 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -30,10 +30,13 @@ class acp_board function main($id, $mode) { - global $user, $template, $request; + global $user, $template, $request, $language; global $config, $phpbb_root_path, $phpEx; global $cache, $phpbb_container, $phpbb_dispatcher, $phpbb_log; + /** @var \phpbb\language\language $language Language object */ + $language = $phpbb_container->get('language'); + $user->add_lang('acp/board'); $submit = (isset($_POST['submit']) || isset($_POST['allow_quick_reply_enable'])) ? true : false; 
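Review bot: The new `$language = $phpbb_container->get('language');` line only exists so that `validate_config_vars()` in functions_acp.php (the hunks further down) can pick `$language` up through `global`; any other caller of that function that validates a `url` setting without first publishing `$language` would call `->lang()` on `null`. Either say so on the line, e.g. `// published as a global for validate_config_vars()`, or give validate_config_vars() its own fallback lookup from the container when the global is unset. The assignment also overwrites any pre-existing global `$language`, which looks intended but is the kind of thing a comment should confirm.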
@@ -56,7 +59,7 @@ class acp_board 'legend1' => 'ACP_BOARD_SETTINGS', 'sitename' => array('lang' => 'SITE_NAME', 'validate' => 'string', 'type' => 'text:40:255', 'explain' => false), 'site_desc' => array('lang' => 'SITE_DESC', 'validate' => 'string', 'type' => 'text:40:255', 'explain' => false), - 'site_home_url' => array('lang' => 'SITE_HOME_URL', 'validate' => 'string', 'type' => 'url:40:255', 'explain' => true), + 'site_home_url' => array('lang' => 'SITE_HOME_URL', 'validate' => 'url', 'type' => 'url:40:255', 'explain' => true), 'site_home_text' => array('lang' => 'SITE_HOME_TEXT', 'validate' => 'string', 'type' => 'text:40:255', 'explain' => true), 'board_index_text' => array('lang' => 'BOARD_INDEX_TEXT', 'validate' => 'string', 'type' => 'text:40:255', 'explain' => true), 'board_disable' => array('lang' => 'DISABLE_BOARD', 'validate' => 'bool', 'type' => 'custom', 'method' => 'board_disable', 'explain' => true), @@ -113,6 +116,7 @@ class acp_board $avatar_vars = array(); foreach ($avatar_drivers as $current_driver) { + /** @var \phpbb\avatar\driver\driver_interface $driver */ $driver = $phpbb_avatar_manager->get_driver($current_driver, false); /* @@ -721,7 +725,7 @@ class acp_board $template->assign_block_vars('options', array( 'KEY' => $config_key, 'TITLE' => (isset($user->lang[$vars['lang']])) ? $user->lang[$vars['lang']] : $vars['lang'], - 'S_EXPLAIN' => $vars['explain'], + 'S_EXPLAIN' => $vars['explain'] && !empty($l_explain), 'TITLE_EXPLAIN' => $l_explain, 'CONTENT' => $content, ) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 3a03cd44d2..51a39e8547 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2276,6 +2276,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa global $request, $phpbb_container, $phpbb_dispatcher, $phpbb_log; $err = ''; + $form_name = 'login'; // Make sure user->setup() has been called if (!$user->is_setup()) 
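Review bot: The `'validate' => 'url'` change on the `site_home_url` line only guards values saved through this form from now on; a value stored before the upgrade is never re-checked, and none of the migrations in this commit touch `site_home_url`. Given that the changelog describes the fix as keeping JS URLs out of the main website URL, a migration step that resets a stored value failing the same check, or a refusal of non-http(s) schemes where the value is printed into an `href`, would close the gap for existing boards — I can't see the output side from this page.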
@@ -2351,8 +2352,19 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
 		}
 
-		// If authentication is successful we redirect user to previous page
-		$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		// Check form key
+		if ($password && !check_form_key($form_name))
+		{
+			$result = array(
+				'status' => false,
+				'error_msg' => 'FORM_INVALID',
+			);
+		}
+		else
+		{
+			// If authentication is successful we redirect user to previous page
+			$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		}
 
 		// If admin authentication and login, we will log if it was a success or not...
 		// We also break the operation on the first non-success login - it could be argued that the user already knows
@@ -2503,6 +2515,9 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		));
 	}
 
+	// Add form token for login box
+	add_form_key($form_name, '_LOGIN');
+
 	$s_hidden_fields = build_hidden_fields($s_hidden_fields);
 
 	$login_box_template_data = array(
diff --git a/phpBB/includes/functions_acp.php b/phpBB/includes/functions_acp.php
index 808f9e6f94..0ef5db2491 100644
--- a/phpBB/includes/functions_acp.php
+++ b/phpBB/includes/functions_acp.php
@@ -422,7 +422,7 @@ function build_cfg_template($tpl_type, $key, &$new_ary, $config_key, $vars)
  */
 function validate_config_vars($config_vars, &$cfg_array, &$error)
 {
-	global $phpbb_root_path, $user, $phpbb_dispatcher, $phpbb_filesystem;
+	global $phpbb_root_path, $user, $phpbb_dispatcher, $phpbb_filesystem, $language;
 
 	$type = 0;
 	$min = 1;
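Review bot: The token check on the `if ($password && !check_form_key($form_name))` line is gated on PHP truthiness, so a submitted password of `"0"` skips the CSRF check and goes straight to `$auth->login()`; `if ($password !== '' && !check_form_key($form_name))` keeps the empty-password shortcut without that hole. The `'status' => false` result is consumed by code outside this hunk (login_box continues past it), so it is worth confirming the failure branch copes with a `status` that is none of the `LOGIN_ERROR_*` values it otherwise sees. Because `add_form_key($form_name, '_LOGIN')` in the second hunk only helps templates that print `{S_FORM_TOKEN_LOGIN}`, any style or extension with its own login form will now fail with `FORM_INVALID` until it adds that placeholder — a line in the changelog or a comment next to `add_form_key` naming the placeholder would save admins a debugging session.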
@@ -445,6 +445,16 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 		// Validate a bit. ;) (0 = type, 1 = min, 2= max)
 		switch ($validator[$type])
 		{
+			case 'url':
+				$cfg_array[$config_name] = trim($cfg_array[$config_name]);
+
+				if (!empty($cfg_array[$config_name]) && !preg_match('#^' . get_preg_expression('url') . '$#iu', $cfg_array[$config_name]))
+				{
+					$error[] = $language->lang('URL_INVALID', $language->lang($config_definition['lang']));
+				}
+
+				// no break here
+
 			case 'string':
 				$length = utf8_strlen($cfg_array[$config_name]);
 
diff --git a/phpBB/index.php b/phpBB/index.php
index 13b914abd3..5eee7723a9 100644
--- a/phpBB/index.php
+++ b/phpBB/index.php
@@ -211,6 +211,9 @@ if ($show_birthdays)
 	$template->assign_block_vars_array('birthdays', $birthdays);
 }
 
+// Add form token for login box
+add_form_key('login', '_LOGIN');
+
 // Assign index specific vars
 $template->assign_vars(array(
 	'TOTAL_POSTS'	=> $user->lang('TOTAL_POSTS_COUNT', (int) $config['num_posts']),
diff --git a/phpBB/install/app.php b/phpBB/install/app.php
index ad71ee369f..52326fbf67 100644
--- a/phpBB/install/app.php
+++ b/phpBB/install/app.php
@@ -20,9 +20,9 @@ define('PHPBB_ENVIRONMENT', 'production');
 $phpbb_root_path = '../';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);
 
-if (version_compare(PHP_VERSION, '7.1', '<') || version_compare(PHP_VERSION, '7.3-dev', '>='))
+if (version_compare(PHP_VERSION, '7.1', '<') || version_compare(PHP_VERSION, '8.0-dev', '>='))
 {
-	die('You are running an unsupported PHP version. Please upgrade to PHP equal to or greater than 7.1.0 but less than 7.3-dev in order to install or update to phpBB 3.2');
+	die('You are running an unsupported PHP version. Please upgrade to PHP equal to or greater than 7.1.0 but less than 8.0-dev in order to install or update to phpBB 3.3');
 }
 
 $startup_new_path = $phpbb_root_path . 'install/update/update/new/install/startup.' . $phpEx;
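Review bot: On the `if (!empty($cfg_array[$config_name]) && !preg_match(...))` line, `empty()` is true for the string `'0'`, so that value bypasses the URL check and falls through to the `string` case; after the `trim()` the intended test is `$cfg_array[$config_name] !== ''`. The scheme filtering rests entirely on `get_preg_expression('url')`, and the accompanying test only shows `javascript://` being rejected; if that expression accepts other schemes, a setting destined for an `href` is better served by an explicit `http`/`https` allowlist at this call site. `$language` arrives via `global` and, within this commit, is only set by acp_board::main(), so a null check or container fallback before `$language->lang(...)` would keep the validator usable from other ACP modules. The `case 'url'` fall-through into `case 'string'` is clearly deliberate; `// no break here` could say why (`// also apply the string length limits`) so nobody "fixes" it later.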
diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql index 65899010f8..1e4b973f99 100644 --- a/phpBB/install/schemas/schema_data.sql +++ b/phpBB/install/schemas/schema_data.sql @@ -268,9 +268,9 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('smilies_per_page', INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_auth_method', 'PLAIN'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_delivery', '0'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_host', ''); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_password', ''); +INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('smtp_password', '', 1); INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_port', '25'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_username', ''); +INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('smtp_username', '', 1); INSERT INTO phpbb_config (config_name, config_value) VALUES ('teampage_memberships', '1'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('teampage_forums', '1'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page', '25'); diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php index 4887a73ca6..b92710b178 100644 --- a/phpBB/language/en/acp/board.php +++ b/phpBB/language/en/acp/board.php 
@@ -111,9 +111,9 @@ $lang = array_merge($lang, array( 'ALLOW_GRAVATAR' => 'Enable gravatar avatars', 'ALLOW_LOCAL' => 'Enable gallery avatars', 'ALLOW_REMOTE' => 'Enable remote avatars', - 'ALLOW_REMOTE_EXPLAIN' => 'Avatars linked to from another website.', + 'ALLOW_REMOTE_EXPLAIN' => 'Avatars linked to from another website.<br><em><strong class="error">Warning:</strong> Enabling this feature might allow users to check for the existence of files and services that are only accessible on the local network.</em>', 'ALLOW_REMOTE_UPLOAD' => 'Enable remote avatar uploading', - 'ALLOW_REMOTE_UPLOAD_EXPLAIN' => 'Allow uploading of avatars from another website.', + 'ALLOW_REMOTE_UPLOAD_EXPLAIN' => 'Allow uploading of avatars from another website.<br><em><strong class="error">Warning:</strong> Enabling this feature might allow users to check for the existence of files and services that are only accessible on the local network.</em>', 'ALLOW_UPLOAD' => 'Enable avatar uploading', 'AVATAR_GALLERY_PATH' => 'Avatar gallery path', 'AVATAR_GALLERY_PATH_EXPLAIN' => 'Path under your phpBB root directory for pre-loaded images, e.g. <samp>images/avatars/gallery</samp>.<br>Double dots like <samp>../</samp> will be stripped from the path for security reasons.', diff --git a/phpBB/language/en/acp/common.php b/phpBB/language/en/acp/common.php index 5c0f9a3eed..e59471cdb0 100644 --- a/phpBB/language/en/acp/common.php +++ b/phpBB/language/en/acp/common.php @@ -334,6 +334,7 @@ $lang = array_merge($lang, array( 'TOTAL_SIZE' => 'Total size', 'UCP' => 'User Control Panel', + 'URL_INVALID' => 'The provided URL for the setting “%1$s” is invalid.', 'USERNAMES_EXPLAIN' => 'Place each username on a separate line.', 'USER_CONTROL_PANEL' => 'User Control Panel', diff --git a/phpBB/phpbb/avatar/driver/upload.php b/phpBB/phpbb/avatar/driver/upload.php index 73d5e8fcf8..da1e78cb83 100644 --- a/phpBB/phpbb/avatar/driver/upload.php +++ b/phpBB/phpbb/avatar/driver/upload.php 
@@ -157,7 +157,8 @@ class upload extends \phpbb\avatar\driver\driver // Do not allow specifying the port (see RFC 3986) or IP addresses // remote_upload() will do its own check for allowed filetypes - if (preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) || + if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url) || + preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) || preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) || preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url)) { diff --git a/phpBB/phpbb/avatar/manager.php b/phpBB/phpbb/avatar/manager.php index 6d9604db04..a909a91042 100644 --- a/phpBB/phpbb/avatar/manager.php +++ b/phpBB/phpbb/avatar/manager.php 
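Review bot: The new first `preg_match` interpolates `implode('|', $this->allowed_extensions)` into the pattern unquoted, so any extension entry containing a PCRE metacharacter would change the pattern's meaning; `implode('|', array_map(static function ($ext) { return preg_quote($ext, '#'); }, $this->allowed_extensions))` keeps each entry literal. The host alternative `(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}` nests a lazy `.*?` inside a lazily repeated group, which can backtrack heavily on long dotted input; PCRE's backtrack limit then makes `preg_match` return `false`, and the leading `!` rejects the URL, so the failure mode is safe but the CPU cost is avoidable with an unambiguous label pattern such as `[a-z0-9\-]+(?:\.[a-z0-9\-]+)*\.[a-z]{2,4}`. `[a-z]{2,4}` also rejects otherwise valid TLDs longer than four characters, which looks unintended. The body of this `if` lies outside the hunk.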
@@ -271,7 +271,7 @@ class manager $config_name = $driver->get_config_name(); return array( - 'allow_avatar_' . $config_name => array('lang' => 'ALLOW_' . strtoupper(str_replace('\\', '_', $config_name)), 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => false), + 'allow_avatar_' . $config_name => array('lang' => 'ALLOW_' . strtoupper(str_replace('\\', '_', $config_name)), 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), ); } diff --git a/phpBB/phpbb/db/migration/data/v32x/disable_remote_avatar.php b/phpBB/phpbb/db/migration/data/v32x/disable_remote_avatar.php new file mode 100644 index 0000000000..b08833fad4 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/disable_remote_avatar.php @@ -0,0 +1,34 @@ +<?php +/** + * + * This file is part of the phpBB Forum Software package. + * + * @copyright (c) phpBB Limited <https://www.phpbb.com> + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb\db\migration\data\v32x; + +use phpbb\db\migration\migration; + +class disable_remote_avatar extends migration +{ + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v325', + ); + } + + public function update_data() + { + return array( + array('config.update', array('allow_avatar_remote', '0')), + array('config.update', array('allow_avatar_remote_upload', '0')), + ); + } +} diff --git a/phpBB/phpbb/db/migration/data/v32x/smtp_dynamic_data.php b/phpBB/phpbb/db/migration/data/v32x/smtp_dynamic_data.php new file mode 100644 index 0000000000..aeaa3e8979 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/smtp_dynamic_data.php 
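Review bot: disable_remote_avatar.php flips two admin settings on every upgraded board without saying why, so an administrator reading the migration (or noticing the changed setting) has no pointer to the reason; a class docblock such as `/** Disables remote avatars and remote avatar upload (SECURITY-231): having the server fetch a user-supplied URL can reveal files and services reachable only on the local network. */` would anchor it to the changelog entry. As a point of style, `static public function` reads better as `public static function`, and this file imports `migration` with a `use` statement while the two sibling migrations in this commit reference `\phpbb\db\migration\migration` fully qualified — one form for all three would be tidier.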
@@ -0,0 +1,42 @@ +<?php +/** + * + * This file is part of the phpBB Forum Software package. + * + * @copyright (c) phpBB Limited <https://www.phpbb.com> + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb\db\migration\data\v32x; + +class smtp_dynamic_data extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v326rc1', + ); + } + + public function update_data() + { + return array( + array('custom', array(array($this, 'set_smtp_dynamic'))), + ); + } + + public function set_smtp_dynamic() + { + $smtp_auth_entries = [ + 'smtp_password', + 'smtp_username', + ]; + $this->sql_query('UPDATE ' . CONFIG_TABLE . ' + SET is_dynamic = 1 + WHERE ' . $this->db->sql_in_set('config_name', $smtp_auth_entries)); + } +} diff --git a/phpBB/phpbb/db/migration/data/v32x/v326.php b/phpBB/phpbb/db/migration/data/v32x/v326.php new file mode 100644 index 0000000000..2d511b9ed8 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/v326.php 
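Review bot: `set_smtp_dynamic()` marks `smtp_username`/`smtp_password` as dynamic in the database but does nothing about a config cache that was already written with those values, so the cached copy the SECURITY-233 changelog entry is about survives until something purges the cache; if the update path does not guarantee a purge after migrations (I can't tell from this page), a purge belongs in the same update. A short comment on the method recording the intent, e.g. `// is_dynamic keeps these entries out of the config cache (SECURITY-233)` — assuming that is how is_dynamic is consumed — would help the next reader. The migration provides no `revert_data`, so a rollback leaves the rows dynamic; harmless, but worth stating.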
@@ -0,0 +1,39 @@ +<?php +/** +* +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v32x; + +class v326 extends \phpbb\db\migration\migration +{ + public function effectively_installed() + { + return phpbb_version_compare($this->config['version'], '3.2.6', '>='); + } + + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v326rc1', + '\phpbb\db\migration\data\v32x\disable_remote_avatar', + '\phpbb\db\migration\data\v32x\smtp_dynamic_data', + ); + + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.2.6')), + ); + } +} diff --git a/phpBB/phpbb/install/helper/config.php b/phpBB/phpbb/install/helper/config.php index fad6749019..7eb0ae3b05 100644 --- a/phpBB/phpbb/install/helper/config.php +++ b/phpBB/phpbb/install/helper/config.php @@ -330,6 +330,8 @@ class config fwrite($fp, $file_content); fclose($fp); + // Enforce 0600 permission for install config + $this->filesystem->chmod([$this->install_config_file], 0600); } /** diff --git a/phpBB/phpbb/search/fulltext_native.php b/phpBB/phpbb/search/fulltext_native.php index f97d2c4244..ecebbd37cd 100644 --- a/phpBB/phpbb/search/fulltext_native.php +++ b/phpBB/phpbb/search/fulltext_native.php @@ -190,7 +190,7 @@ class fulltext_native extends \phpbb\search\base */ public function split_keywords($keywords, $terms) { - $tokens = '+-|()*'; + $tokens = '+-|()* '; $keywords = trim($this->cleanup($keywords, $tokens)); 
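Review bot: In v326.php, `depends_on()` has a stray blank line before its closing brace, and `static public function` reads better as `public static function`; both are cosmetic.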
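Review bot: The `chmod([...], 0600)` in install/helper/config.php runs only after `fwrite()`/`fclose()`, so the install config exists with the umask-derived default mode for the whole write, and another local user on a shared host could read it in that window; tightening the mode right after the file is opened (the `fopen` is earlier in the function, outside this hunk) or wrapping the write in a restrictive `umask` closes it. The result of the chmod call is also not checked; whether the filesystem service signals failure by exception or by return value (its contract is not visible here), the write should not be treated as successful with a world-readable file left behind. A one-line comment saying why 0600 matters, e.g. `// keep the install config private to the web server user; it may hold credentials`, would make the intent survive refactoring — if credentials are indeed what it holds.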
@@ -224,12 +224,10 @@ class fulltext_native extends \phpbb\search\base
 					$keywords[$i] = '|';
 					break;
 				case '*':
-					if ($i === 0 || ($keywords[$i - 1] !== '*' && strcspn($keywords[$i - 1], $tokens) === 0))
+					// $i can never be 0 here since $open_bracket is initialised to false
+					if (strpos($tokens, $keywords[$i - 1]) !== false && ($i + 1 === $n || strpos($tokens, $keywords[$i + 1]) !== false))
 					{
-						if ($i === $n - 1 || ($keywords[$i + 1] !== '*' && strcspn($keywords[$i + 1], $tokens) === 0))
-						{
-							$keywords = substr($keywords, 0, $i) . substr($keywords, $i + 1);
-						}
+						$keywords[$i] = '|';
 					}
 					break;
 			}
@@ -264,7 +262,7 @@ class fulltext_native extends \phpbb\search\base
 				}
 			}
 
-			if ($open_bracket)
+			if ($open_bracket !== false)
 			{
 				$keywords .= ')';
 			}
@@ -307,6 +305,20 @@ class fulltext_native extends \phpbb\search\base
 			}
 		}
 
+		// Remove non trailing wildcards from each word to prevent a full table scan (it's now using the database index)
+		$match = '#\*(?!$|\s)#';
+		$replace = '$1';
+		$keywords = preg_replace($match, $replace, $keywords);
+
+		// Only allow one wildcard in the search query to limit the database load
+		$match = '#\*#';
+		$replace = '$1';
+		$count_wildcards = substr_count($keywords, '*');
+
+		// Reverse the string to remove all wildcards except the first one
+		$keywords = strrev(preg_replace($match, $replace, strrev($keywords), $count_wildcards - 1));
+		unset($count_wildcards);
+
 		// set the search_query which is shown to the user
 		$this->search_query = $keywords;
 
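Review bot: Both `$replace = '$1'` assignments in the third hunk refer to a capture group that neither `#\*(?!$|\s)#` nor `#\*#` defines; `preg_replace` substitutes an empty string for an unmatched group reference, so the wildcard is removed by accident rather than by design — `$replace = ''` (or simply `preg_replace($match, '', $keywords)`) states the intent. The comment `// $i can never be 0 here since $open_bracket is initialised to false` in the first hunk asserts an invariant the hunk does not show; if it ever fails, `$keywords[$i - 1]` reads the last character on PHP 7.1+ instead of erroring, so a cheap `$i > 0 &&` guard would be more robust than the comment. The `strrev()` round-trip only removes ASCII `*` bytes, so multibyte keywords survive it, but since `strrev` is byte-based that deserves a comment on the line.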
@@ -409,8 +421,16 @@ class fulltext_native extends \phpbb\search\base { if (strpos($word_part, '*') !== false) { - $id_words[] = '\'' . $this->db->sql_escape(str_replace('*', '%', $word_part)) . '\''; - $non_common_words[] = $word_part; + $len = utf8_strlen(str_replace('*', '', $word_part)); + if ($len >= $this->word_length['min'] && $len <= $this->word_length['max']) + { + $id_words[] = '\'' . $this->db->sql_escape(str_replace('*', '%', $word_part)) . '\''; + $non_common_words[] = $word_part; + } + else + { + $this->common_words[] = $word_part; + } } else if (isset($words[$word_part])) { diff --git a/phpBB/styles/prosilver/template/index_body.html b/phpBB/styles/prosilver/template/index_body.html index 14c7e6b78b..94d069b597 100644 --- a/phpBB/styles/prosilver/template/index_body.html +++ b/phpBB/styles/prosilver/template/index_body.html @@ -29,6 +29,7 @@ <!-- ENDIF --> <input type="submit" tabindex="5" name="login" value="{L_LOGIN}" class="button1 button button-form-bold" /> {S_LOGIN_REDIRECT} + {S_FORM_TOKEN_LOGIN} </fieldset> </form> <!-- ENDIF --> diff --git a/phpBB/styles/prosilver/template/login_body.html b/phpBB/styles/prosilver/template/login_body.html index b948d6238a..85d3a768fc 100644 --- a/phpBB/styles/prosilver/template/login_body.html +++ b/phpBB/styles/prosilver/template/login_body.html @@ -33,6 +33,7 @@ <!-- ENDIF --> {S_LOGIN_REDIRECT} + {S_FORM_TOKEN_LOGIN} <dl> <dt> </dt> <dd>{S_HIDDEN_FIELDS}<input type="submit" name="login" tabindex="6" value="{L_LOGIN}" class="button1 button button-form" /></dd> diff --git a/tests/avatar/manager_test.php b/tests/avatar/manager_test.php index db4ebfa0da..331792ae38 100644 --- a/tests/avatar/manager_test.php +++ b/tests/avatar/manager_test.php 
@@ -197,7 +197,7 @@ class phpbb_avatar_manager_test extends \phpbb_database_test_case $avatar_settings = $this->manager->get_avatar_settings($this->avatar_foobar); $expected_settings = array( - 'allow_avatar_' . get_class($this->avatar_foobar) => array('lang' => 'ALLOW_' . strtoupper(get_class($this->avatar_foobar)), 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => false), + 'allow_avatar_' . get_class($this->avatar_foobar) => array('lang' => 'ALLOW_' . strtoupper(get_class($this->avatar_foobar)), 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), ); $this->assertEquals($expected_settings, $avatar_settings); diff --git a/tests/functions_acp/validate_config_vars_test.php b/tests/functions_acp/validate_config_vars_test.php index 7be2c60aa5..0198f28a39 100644 --- a/tests/functions_acp/validate_config_vars_test.php +++ b/tests/functions_acp/validate_config_vars_test.php @@ -19,10 +19,11 @@ class phpbb_functions_acp_validate_config_vars_test extends phpbb_test_case { parent::setUp(); - global $user; + global $language, $user; $user = new phpbb_mock_user(); $user->lang = new phpbb_mock_lang(); + $language = $user->lang; } /** @@ -44,6 +45,7 @@ class phpbb_functions_acp_validate_config_vars_test extends phpbb_test_case 'test_int_32' => array('lang' => 'TEST_INT', 'validate' => 'int:32'), 'test_int_32_64' => array('lang' => 'TEST_INT', 'validate' => 'int:32:64'), 'test_lang' => array('lang' => 'TEST_LANG', 'validate' => 'lang'), + 'test_url' => array('lang' => 'TEST_URL', 'validate' => 'url'), /* 'test_sp' => array('lang' => 'TEST_SP', 'validate' => 'script_path'), 'test_rpath' => array('lang' => 'TEST_RPATH', 'validate' => 'rpath'), @@ -64,6 +66,7 @@ class phpbb_functions_acp_validate_config_vars_test extends phpbb_test_case 'test_int_32' => 32, 'test_int_32_64' => 48, 'test_lang' => 'en', + 'test_url' => 'http://foobar.com', ), ), ); 
@@ -148,6 +151,11 @@ class phpbb_functions_acp_validate_config_vars_test extends phpbb_test_case array('test_lang' => 'this_is_no_language'), array('WRONG_DATA_LANG'), ), + array( + array('test_url' => array('lang' => 'TEST_URL', 'validate' => 'url')), + array('test_url' => 'javascript://foobar.com'), + array('URL_INVALID TEST_URL'), + ), ); } diff --git a/tests/search/native_test.php b/tests/search/native_test.php index 954f4c3d36..2e11eaff14 100644 --- a/tests/search/native_test.php +++ b/tests/search/native_test.php @@ -70,7 +70,7 @@ class phpbb_search_native_test extends phpbb_search_test_case 'ba*az', 'all', true, - array('\'ba%az\''), + array(4), array(), array(), ), @@ -78,7 +78,7 @@ class phpbb_search_native_test extends phpbb_search_test_case 'ba*z', 'all', true, - array('\'ba%z\''), + array(), // <= 3 chars after removing * array(), array(), ), @@ -86,7 +86,7 @@ class phpbb_search_native_test extends phpbb_search_test_case 'baa* baaz*', 'all', true, - array('\'baa%\'', '\'baaz%\''), + array('\'baa%\'', 4), array(), array(), ), @@ -94,7 +94,7 @@ class phpbb_search_native_test extends phpbb_search_test_case 'ba*z baa*', 'all', true, - array('\'ba%z\'', '\'baa%\''), + array('\'baa%\''), // baz is <= 3 chars, only baa* is left array(), array(), ), diff --git a/tests/test_framework/phpbb_functional_test_case.php b/tests/test_framework/phpbb_functional_test_case.php index 129c6a57ad..0fe74ebf76 100644 --- a/tests/test_framework/phpbb_functional_test_case.php +++ b/tests/test_framework/phpbb_functional_test_case.php 
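Review bot: The new `validate_config_vars` case only pins `javascript://foobar.com`; since the validator now also `trim()`s and matches case-insensitively, a passing case with surrounding whitespace or an uppercase scheme (`' HTTP://foobar.com '`) and a rejecting case for a non-URL such as `'foobar'` would document the accepted input set. A case with the value `'0'` would also show whether the validator's `empty()` check is meant to let it through.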
@@ -396,6 +396,14 @@ class phpbb_functional_test_case extends phpbb_test_case global $phpbb_container; $phpbb_container->reset(); + // Purge cache to remove cached files + $phpbb_container = new phpbb_mock_container_builder(); + $phpbb_container->setParameter('core.environment', PHPBB_ENVIRONMENT); + $phpbb_container->setParameter('core.cache_dir', $phpbb_root_path . 'cache/' . PHPBB_ENVIRONMENT . '/'); + + $cache = new \phpbb\cache\driver\file; + $cache->purge(); + $blacklist = ['phpbb_class_loader_mock', 'phpbb_class_loader_ext', 'phpbb_class_loader']; foreach (array_keys($GLOBALS) as $key) |