+ // Do not allow specifying the port (see RFC 3986) or IP addresses

+ if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url) ||

+ preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||

+ preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||

+ preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))

+ // Do not allow specifying the port (see RFC 3986) or IP addresses

+ // remote_upload() will do its own check for allowed filetypes

+ if (preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||

+ preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||

+ preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))

+ {

+ $error[] = 'AVATAR_URL_INVALID';

+ return false;

+ }

+

+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from

+# module mod_authz_host to a new module called mod_access_compat (which may be

+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.

+# We could just conditionally provide both versions, but unfortunately Apache

+# does not explicitly tell us its version if the module mod_version is not

+# available. In this case, we check for the availability of module

+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.

+<IfModule mod_version.c>

+ <IfVersion < 2.4>

+ <Files "*">

+ Order Allow,Deny

+ Deny from All

+ </Files>

+ </IfVersion>

+ <IfVersion >= 2.4>

+ <Files "*">

+ Require all denied

+ </Files>

+ </IfVersion>

+</IfModule>

+<IfModule !mod_version.c>

+ <IfModule !mod_authz_core.c>

+ <Files "*">

+ Order Allow,Deny

+ Deny from All

+ </Files>

+ </IfModule>

+ <IfModule mod_authz_core.c>

+ <Files "*">

+ Require all denied

+ </Files>

+ </IfModule>

+</IfModule>

+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from

+# module mod_authz_host to a new module called mod_access_compat (which may be

+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.

+# We could just conditionally provide both versions, but unfortunately Apache

+# does not explicitly tell us its version if the module mod_version is not

+# available. In this case, we check for the availability of module

+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.

+<IfModule mod_version.c>

+ <IfVersion < 2.4>

+ <Files "*">

+ Order Allow,Deny

+ Deny from All

+ </Files>

+ </IfVersion>

+ <IfVersion >= 2.4>

+ <Files "*">

+ Require all denied

+ </Files>

+ </IfVersion>

+</IfModule>

+<IfModule !mod_version.c>

+ <IfModule !mod_authz_core.c>

+ <Files "*">

+ Order Allow,Deny

+ Deny from All

+ </Files>

+ </IfModule>

+ <IfModule mod_authz_core.c>

+ <Files "*">

+ Require all denied

+ </Files>

+ </IfModule>

+</IfModule>

+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from

+# module mod_authz_host to a new module called mod_access_compat (which may be

+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.

+# We could just conditionally provide both versions, but unfortunately Apache

+# does not explicitly tell us its version if the module mod_version is not

+# available. In this case, we check for the availability of module

+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.

+<IfModule mod_version.c>

+ <IfVersion < 2.4>

+ <Files "*">

+ Order Allow,Deny

+ Deny from All

+ </Files>

+ </IfVersion>

+ <IfVersion >= 2.4>

+ <Files "*">

+ Require all denied

+ </Files>

+ </IfVersion>

+</IfModule>

+<IfModule !mod_version.c>

+ <IfModule !mod_authz_core.c>

+ <Files "*">

+ Order Allow,Deny

+ Deny from All

+ </Files>

+ </IfModule>

+ <IfModule mod_authz_core.c>

+ <Files "*">

+ Require all denied

+ </Files>

+ </IfModule>

+</IfModule>

+<?php

+/**

+*

+* This file is part of the phpBB Forum Software package.

+*

+* @copyright (c) phpBB Limited <https://www.phpbb.com>

+* @license GNU General Public License, version 2 (GPL-2.0)

+*

+* For full copyright and license information, please see

+* the docs/CREDITS.txt file.

+*

+*/

+

+namespace phpbb\db\migration\data\v31x;

+

+class v3111 extends \phpbb\db\migration\migration

+{

+ public function effectively_installed()

+ {

+ return phpbb_version_compare($this->config['version'], '3.1.11', '>=');

+ }

+

+ static public function depends_on()

+ {

+ return array(

+ '\phpbb\db\migration\data\v31x\v3111rc1',

+ );

+ }

+

+ public function update_data()

+ {

+ return array(

+ array('config.update', array('version', '3.1.11')),

+ );

+ }

+}

+<?php

+/**

+*

+* This file is part of the phpBB Forum Software package.

+*

+* @copyright (c) phpBB Limited <https://www.phpbb.com>

+* @license GNU General Public License, version 2 (GPL-2.0)

+*

+* For full copyright and license information, please see

+* the docs/CREDITS.txt file.

+*

+*/

+

+namespace phpbb\db\migration\data\v31x;

+

+class v3111rc1 extends \phpbb\db\migration\migration

+{

+ public function effectively_installed()

+ {

+ return phpbb_version_compare($this->config['version'], '3.1.11-RC1', '>=');

+ }

+

+ static public function depends_on()

+ {

+ return array(

+ '\phpbb\db\migration\data\v31x\v3110',

+ '\phpbb\db\migration\data\v31x\add_log_time_index',

+ '\phpbb\db\migration\data\v31x\increase_size_of_emotion',

+ '\phpbb\db\migration\data\v31x\add_jabber_ssl_context_config_options',

+ '\phpbb\db\migration\data\v31x\add_smtp_ssl_context_config_options',

+ '\phpbb\db\migration\data\v31x\update_hashes',

+ '\phpbb\db\migration\data\v31x\remove_duplicate_migrations',

+ '\phpbb\db\migration\data\v31x\add_latest_topics_index',

+ );

+ }

+

+ public function update_data()

+ {

+ return array(

+ array('config.update', array('version', '3.1.11-RC1')),

+ );

+ }

+}

+ // Check for not allowed search queries for InnoDB.

+ // We assume similar restrictions for MyISAM, which is usually even

+ // slower but not as restrictive as InnoDB.

+ // InnoDB full-text search does not support the use of a leading

+ // plus sign with wildcard ('+*'), a plus and minus sign

+ // combination ('+-'), or leading a plus and minus sign combination.

+ // InnoDB full-text search only supports leading plus or minus signs.

+ // For example, InnoDB supports '+apple' but does not support 'apple+'.

+ // Specifying a trailing plus or minus sign causes InnoDB to report

+ // a syntax error. InnoDB full-text search does not support the use

+ // of multiple operators on a single search word, as in this example:

+ // '++apple'. Use of multiple operators on a single search word

+ // returns a syntax error to standard out.

+ // Also, ensure that the wildcard character is only used at the

+ // end of the line as it's intended by MySQL.

+ if (preg_match('#^(\+[+-]|\+\*|.+[+-]$|.+\*(?!$))#', $word))

+ {

+ unset($this->split_words[$i]);

+ continue;

+ }

+

+ protected $version_schema = array(

+ 'stable' => array(

+ 'current' => 'version',

+ 'download' => 'url',

+ 'announcement' => 'url',

+ 'eol' => 'url',

+ 'security' => 'bool',

+ ),

+ 'unstable' => array(

+ 'current' => 'version',

+ 'download' => 'url',

+ 'announcement' => 'url',

+ 'eol' => 'url',

+ 'security' => 'bool',

+ ),

+ );

+

+ $info = $this->validate_versions($info);

+

+

+ /**

+ * Validate versions info input

+ *

+ * @param array $versions_info Decoded json data array. Will be modified

+ * and cleaned by this method

+ *

+ * @return array Versions info array

+ */

+ public function validate_versions($versions_info)

+ {

+ $array_diff = array_diff_key($versions_info, array($this->version_schema));

+

+ // Remove excessive data

+ if (count($array_diff) > 0)

+ {

+ $old_versions_info = $versions_info;

+ $versions_info = array(

+ 'stable' => !empty($old_versions_info['stable']) ? $old_versions_info['stable'] : array(),

+ 'unstable' => !empty($old_versions_info['unstable']) ? $old_versions_info['unstable'] : array(),

+ );

+ unset($old_versions_info);

+ }

+

+ foreach ($versions_info as $stability_type => &$versions_data)

+ {

+ foreach ($versions_data as $branch => &$version_data)

+ {

+ if (!preg_match('/^[0-9a-z\-\.]+$/i', $branch))

+ {

+ unset($versions_data[$branch]);

+ continue;

+ }

+

+ $stability_diff = array_diff_key($version_data, $this->version_schema[$stability_type]);

+

+ if (count($stability_diff) > 0)

+ {

+ $old_version_data = $version_data;

+ $version_data = array();

+ foreach ($this->version_schema[$stability_type] as $key => $value)

+ {

+ if (isset($old_version_data[$key]))

+ {

+ $version_data[$key] = $old_version_data[$key];

+ }

+ }

+ unset($old_version_data);

+ }

+

+ foreach ($version_data as $key => &$value)

+ {

+ if (!isset($this->version_schema[$stability_type][$key]))

+ {

+ unset($version_data[$key]);

+ throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_ENTRY'));

+ }

+

+ switch ($this->version_schema[$stability_type][$key])

+ {

+ case 'bool':

+ $value = (bool) $value;

+ break;

+

+ case 'url':

+ if (!empty($value) && !preg_match('#^' . get_preg_expression('url') . '$#iu', $value) &&

+ !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $value))

+ {

+ throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_URL'));

+ }

+ break;

+

+ case 'version':

+ if (!empty($value) && !preg_match(get_preg_expression('semantic_version'), $value))

+ {

+ throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_VERSION'));

+ }

+ break;

+

+ default:

+ // Shouldn't be possible to trigger this

+ throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_ENTRY'));

+ }

+ }

+ }

+ }

+

+ return $versions_info;

+ }