-rw-r--r--build/build.xml22
-rwxr-xr-xbuild/build_diff.php3
-rwxr-xr-xbuild/package.php12
-rw-r--r--phpBB/docs/CHANGELOG.html1
-rw-r--r--phpBB/includes/acp/acp_forums.php1
-rw-r--r--phpBB/includes/functions.php7
-rw-r--r--phpBB/includes/functions_user.php18
-rw-r--r--phpBB/includes/ucp/ucp_login_link.php8
-rw-r--r--phpBB/includes/ucp/ucp_register.php4
-rw-r--r--tests/functional/registration_test.php52
-rw-r--r--tests/mock/request.php2
-rw-r--r--tests/security/hash_test.php8
12 files changed, 105 insertions, 33 deletions
diff --git a/build/build.xml b/build/build.xml
index f8181160c1..31782e6821 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -3,8 +3,8 @@
<project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
<!-- a few settings for the build -->
<property name="newversion" value="3.1.0-dev" />
- <property name="prevversion" value="3.0.11" />
- <property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.7-PL1, 3.0.8, 3.0.9, 3.0.10" />
+ <property name="prevversion" value="3.0.12" />
+ <property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.7-PL1, 3.0.8, 3.0.9, 3.0.10, 3.0.11" />
<!-- no configuration should be needed beyond this point -->
<property name="oldversions" value="${olderversions}, ${prevversion}" />
@@ -149,6 +149,24 @@
<exec dir="build" escape="false"
command="git diff --stat release-${prevversion}...HEAD >
save/save_${prevversion}_to_${newversion}/phpbb-${prevversion}_to_${newversion}_git_diffstat.txt" />
+
+ <phingcall target="checksum-dir">
+ <property name="dir" value="build/new_version/release_files" />
+ </phingcall>
+ </target>
+
+ <target name="checksum-dir">
+ <foreach param="filename" absparam="absfilename" target="checksum-file">
+ <fileset dir="${dir}">
+ <type type="file" />
+ </fileset>
+ </foreach>
+ </target>
+
+ <target name="checksum-file">
+ <echo msg="Creating checksum file for ${absfilename}" />
+ <php function="dirname" returnProperty="dir"><param value="${absfilename}"/></php>
+ <exec dir="${dir}" command="sha256sum ${filename} > ${filename}.sha256" />
</target>
<target name="changelog" depends="prepare">
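Review bot: The `checksum-file` exec puts `${filename}` into a shell command line unquoted and does not set `checkreturn`, so a failing `sha256sum` leaves an empty or partial `.sha256` next to the release file without failing the build. I would write `<exec dir="${dir}" command="sha256sum '${filename}' > '${filename}.sha256'" checkreturn="true" />`. The fileset in `checksum-dir` matches every file, so a second run over the same directory would also checksum the `.sha256` files from the first run; `<exclude name="**/*.sha256" />` inside the fileset avoids that. These are plain digests stored beside the artifacts, so they detect corruption but do not authenticate a release on their own.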
diff --git a/build/build_diff.php b/build/build_diff.php
index 74630232b3..68bac65a66 100755
--- a/build/build_diff.php
+++ b/build/build_diff.php
@@ -83,9 +83,6 @@ if (!$echo_changes)
// Build Package
run_command("$compress_command ./../../new_version/release_files/{$code_changes_filename}.{$extension} *");
-
- // Build MD5 Sum
- run_command("md5sum ./../../new_version/release_files/{$code_changes_filename}.{$extension} > ./../../new_version/release_files/{$code_changes_filename}.{$extension}.md5");
flush();
}
}
diff --git a/build/package.php b/build/package.php
index eef6765af6..d05448dfb4 100755
--- a/build/package.php
+++ b/build/package.php
@@ -287,9 +287,6 @@ if (sizeof($package->old_packages))
// Build Package
$package->run_command($compress_command . ' ../release_files/' . $package->get('release_filename') . '-patch.' . $extension . ' *');
-
- // Build MD5 Sum
- $package->run_command('md5sum ../release_files/' . $package->get('release_filename') . '-patch.' . $extension . ' > ../release_files/' . $package->get('release_filename') . '-patch.' . $extension . '.md5');
}
// Build Files Package
@@ -321,8 +318,6 @@ if (sizeof($package->old_packages))
chdir('./release');
$package->run_command("$compress_command ../../release_files/" . $package->get('release_filename') . '-files.' . $extension . ' *');
- // Build MD5 Sum
- $package->run_command('md5sum ../../release_files/' . $package->get('release_filename') . '-files.' . $extension . ' > ../../release_files/' . $package->get('release_filename') . '-files.' . $extension . '.md5');
chdir('..');
$package->run_command('rm -Rv ' . $package->get('files_directory') . '/release');
@@ -365,9 +360,6 @@ if (sizeof($package->old_packages))
// Copy last package over...
$package->run_command('rm -v ../release_files/phpBB-' . $last_version . ".$extension");
$package->run_command("$compress_command ../../release_files/phpBB-$last_version.$extension *");
-
- // Build MD5 Sum
- $package->run_command("md5sum ../../release_files/phpBB-$last_version.$extension > ../../release_files/phpBB-$last_version.$extension.md5");
chdir('..');
}
@@ -390,9 +382,6 @@ foreach ($compress_programs as $extension => $compress_command)
// Build Package
$package->run_command("$compress_command ./release_files/" . $package->get('release_filename') . '.' . $extension . ' ' . $package->get('package_name'));
-
- // Build MD5 Sum
- $package->run_command('md5sum ./release_files/' . $package->get('release_filename') . '.' . $extension . ' > ./release_files/' . $package->get('release_filename') . '.' . $extension . '.md5');
}
// Microsoft Web PI packaging
@@ -400,7 +389,6 @@ $package->begin_status('Packaging phpBB for Microsoft WebPI');
$file = './release_files/' . $package->get('release_filename') . '.webpi.zip';
$package->run_command('cp -p ./release_files/' . $package->get('release_filename') . ".zip $file");
$package->run_command('cd ./../webpi && ' . $compress_programs['zip'] . " ./../new_version/$file *");
-$package->run_command("md5sum $file > $file.md5");
// verify results
chdir($package->locations['root']);
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index c2eb48137a..2be63eb866 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -211,6 +211,7 @@
<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11368">PHPBB3-11368</a>] - Latest pm reports row count</li>
<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11583">PHPBB3-11583</a>] - InnoDB supports FULLTEXT index since MySQL 5.6.4.</li>
<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11740">PHPBB3-11740</a>] - Update link in FAQ to Ideas Centre</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11873">PHPBB3-11873</a>] - Prevent expensive hash computation in phpbb_check_hash() by rejecting very long passwords</li>
</ul>
<h4>Sub-task</h4>
<ul>
diff --git a/phpBB/includes/acp/acp_forums.php b/phpBB/includes/acp/acp_forums.php
index 580c68f3ed..258aabcc0d 100644
--- a/phpBB/includes/acp/acp_forums.php
+++ b/phpBB/includes/acp/acp_forums.php
@@ -55,7 +55,6 @@ class acp_forums
$total = request_var('total', 0);
$this->display_progress_bar($start, $total);
- exit;
break;
case 'delete':
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 28c03534ea..e1f96c0b1e 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -442,6 +442,13 @@ function phpbb_hash($password)
*/
function phpbb_check_hash($password, $hash)
{
+ if (strlen($password) > 4096)
+ {
+ // If the password is too huge, we will simply reject it
+ // and not let the server try to hash it.
+ return false;
+ }
+
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if (strlen($hash) == 34)
{
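Review bot: The 4096-byte cut-off is applied only here in phpbb_check_hash(); whether phpbb_hash() (named in the hunk header) or the registration and password-change validation enforce the same bound is not visible in this hunk. If they do not, an account can be given a longer password that is hashed at full cost when it is set and can then never be verified. I would keep the limit in one named constant used by both paths and state it in the function's docblock, e.g. `* Passwords longer than 4096 bytes are rejected without hashing.`. strlen() counts bytes, so the effective character limit is lower for multibyte passwords. The function body continues outside the hunk.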
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index c248be0864..0a0656377c 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -388,12 +388,13 @@ function user_delete($mode, $user_ids, $retain_username = true)
* Event before a user is deleted
*
* @event core.delete_user_before
- * @var string mode Mode of deletion (retain/delete posts)
- * @var int user_id ID of the deleted user
- * @var mixed post_username Guest username that is being used or false
+ * @var string mode Mode of deletion (retain/delete posts)
+ * @var array user_ids IDs of the deleted user
+ * @var mixed retain_username True if username should be retained
+ * or false if not
* @since 3.1-A1
*/
- $vars = array('mode', 'user_id', 'post_username');
+ $vars = array('mode', 'user_ids', 'retain_username');
extract($phpbb_dispatcher->trigger_event('core.delete_user_before', compact($vars)));
// Before we begin, we will remove the reports the user issued.
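Review bot: The updated docblock still types `retain_username` as `mixed`, although user_delete() declares it with a boolean default and the description allows only true or false; `@var bool retain_username True if username should be retained, false if not` is more precise, and `user_ids` reads better as `IDs of the users being deleted`. The same applies to the core.delete_user_after docblock in the next hunk. Because the values are written back through extract(), a listener can replace `$user_ids`; a sentence stating what shape listeners must preserve would help, since the code that consumes it lies outside the hunk.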
@@ -616,12 +617,13 @@ function user_delete($mode, $user_ids, $retain_username = true)
* Event after a user is deleted
*
* @event core.delete_user_after
- * @var string mode Mode of deletion (retain/delete posts)
- * @var int user_id ID of the deleted user
- * @var mixed post_username Guest username that is being used or false
+ * @var string mode Mode of deletion (retain/delete posts)
+ * @var array user_ids IDs of the deleted user
+ * @var mixed retain_username True if username should be retained
+ * or false if not
* @since 3.1-A1
*/
- $vars = array('mode', 'user_id', 'post_username');
+ $vars = array('mode', 'user_ids', 'retain_username');
extract($phpbb_dispatcher->trigger_event('core.delete_user_after', compact($vars)));
// Reset newest user info if appropriate
diff --git a/phpBB/includes/ucp/ucp_login_link.php b/phpBB/includes/ucp/ucp_login_link.php
index 4620eb9b9e..80a553953d 100644
--- a/phpBB/includes/ucp/ucp_login_link.php
+++ b/phpBB/includes/ucp/ucp_login_link.php
@@ -72,8 +72,8 @@ class ucp_login_link
{
if ($request->is_set_post('login'))
{
- $login_username = $request->variable('login_username', '', false, phpbb_request_interface::POST);
- $login_password = $request->untrimmed_variable('login_password', '', true, phpbb_request_interface::POST);
+ $login_username = $request->variable('login_username', '', false, \phpbb\request\request_interface::POST);
+ $login_password = $request->untrimmed_variable('login_password', '', true, \phpbb\request\request_interface::POST);
$login_result = $auth_provider->login($login_username, $login_password);
@@ -153,7 +153,7 @@ class ucp_login_link
{
global $request;
- $var_names = $request->variable_names(phpbb_request_interface::GET);
+ $var_names = $request->variable_names(\phpbb\request\request_interface::GET);
$login_link_data = array();
$string_start_length = strlen('login_link_');
@@ -162,7 +162,7 @@ class ucp_login_link
if (strpos($var_name, 'login_link_') === 0)
{
$key_name = substr($var_name, $string_start_length);
- $login_link_data[$key_name] = $request->variable($var_name, '', false, phpbb_request_interface::GET);
+ $login_link_data[$key_name] = $request->variable($var_name, '', false, \phpbb\request\request_interface::GET);
}
}
diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php
index 44621e6dea..1f9ab23326 100644
--- a/phpBB/includes/ucp/ucp_register.php
+++ b/phpBB/includes/ucp/ucp_register.php
@@ -516,7 +516,7 @@ class ucp_register
{
global $request;
- $var_names = $request->variable_names(phpbb_request_interface::POST);
+ $var_names = $request->variable_names(\phpbb\request\request_interface::POST);
$login_link_data = array();
$string_start_length = strlen('login_link_');
@@ -525,7 +525,7 @@ class ucp_register
if (strpos($var_name, 'login_link_') === 0)
{
$key_name = substr($var_name, $string_start_length);
- $login_link_data[$key_name] = $request->variable($var_name, '', false, phpbb_request_interface::POST);
+ $login_link_data[$key_name] = $request->variable($var_name, '', false, \phpbb\request\request_interface::POST);
}
}
diff --git a/tests/functional/registration_test.php b/tests/functional/registration_test.php
new file mode 100644
index 0000000000..5baf33c59e
--- /dev/null
+++ b/tests/functional/registration_test.php
@@ -0,0 +1,52 @@
+<?php
+/**
+*
+* @package testing
+* @copyright (c) 2013 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+/**
+* @group functional
+*/
+class phpbb_functional_registration_test extends phpbb_functional_test_case
+{
+ public function test_disable_captcha_on_registration()
+ {
+ $this->login();
+ $this->admin_login();
+
+ $crawler = self::request('GET', "adm/index.php?i=acp_board&mode=registration&sid={$this->sid}");
+ $form = $crawler->selectButton('Submit')->form();
+ $form['config[enable_confirm]']->setValue('0');
+ $crawler = self::submit($form);
+
+ $this->assertContainsLang('CONFIG_UPDATED', $crawler->filter('#main .successbox')->text());
+ }
+
+ /**
+ * @depends test_disable_captcha_on_registration
+ */
+ public function test_register_new_account()
+ {
+ $this->add_lang('ucp');
+
+ $crawler = self::request('GET', 'ucp.php?mode=register');
+ $this->assertContainsLang('REGISTRATION', $crawler->filter('div.content h2')->text());
+
+ $form = $crawler->selectButton('I agree to these terms')->form();
+ $crawler = self::submit($form);
+
+ $form = $crawler->selectButton('Submit')->form(array(
+ 'username' => 'user-reg-test',
+ 'email' => 'user-reg-test@phpbb.com',
+ 'new_password' => 'testtest',
+ 'password_confirm' => 'testtest',
+ ));
+ $form['tz']->select('Europe/Berlin');
+ $crawler = self::submit($form);
+
+ $this->assertContainsLang('ACCOUNT_ADDED', $crawler->filter('#message')->text());
+ }
+}
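Review bot: test_disable_captcha_on_registration() sets `enable_confirm` to 0 through the ACP and nothing in this file restores it, so the board stays without a registration CAPTCHA for whatever runs afterwards against the same board (whether the functional harness resets config between test classes is not visible here). A closing test or tearDown that submits the same form with `$form['config[enable_confirm]']->setValue('1');` would keep the change scoped to this class. The fixture address `user-reg-test@phpbb.com` uses a real domain; `user-reg-test@example.com` is reserved for testing and cannot reach a real mailbox.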
diff --git a/tests/mock/request.php b/tests/mock/request.php
index ed0744c8cf..60ba725abd 100644
--- a/tests/mock/request.php
+++ b/tests/mock/request.php
@@ -74,7 +74,7 @@ class phpbb_mock_request implements \phpbb\request\request_interface
return array_keys($this->data[$super_global]);
}
- public function get_super_global($super_global = phpbb_request_interface::REQUEST)
+ public function get_super_global($super_global = \phpbb\request\request_interface::REQUEST)
{
return $this->data[$super_global];
}
diff --git a/tests/security/hash_test.php b/tests/security/hash_test.php
index 0c2580c19b..e226365ef3 100644
--- a/tests/security/hash_test.php
+++ b/tests/security/hash_test.php
@@ -17,5 +17,13 @@ class phpbb_security_hash_test extends phpbb_test_case
$this->assertTrue(phpbb_check_hash('test', '$P$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
$this->assertFalse(phpbb_check_hash('foo', '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
}
+
+ public function test_check_hash_with_large_input()
+ {
+ // 16 MB password, should be rejected quite fast
+ $start_time = time();
+ $this->assertFalse(phpbb_check_hash(str_repeat('a', 1024 * 1024 * 16), '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
+ $this->assertLessThanOrEqual(5, time() - $start_time);
+ }
}
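Review bot: test_check_hash_with_large_input() can only tell the length guard apart from a slow hash by wall-clock time, because `assertFalse` also holds for any non-matching password; `time()` has one-second resolution and the 5-second budget depends on the machine running the suite. A functional assertion pins the guard directly, e.g. `$this->assertFalse(phpbb_check_hash(str_repeat('a', 4097), phpbb_hash(str_repeat('a', 4097))));`, paired with the 4096-byte case asserting true, assuming phpbb_hash() itself accepts inputs of that length. The class starts outside the hunk.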