From c44c398626e933a89c1b897bd8a71f94a29336a6 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 26 Dec 2019 14:59:14 +0100 Subject: [ticket/security-253] Check form key when exporting PM data SECURITY-253 --- phpBB/includes/ucp/ucp_pm_viewfolder.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/phpBB/includes/ucp/ucp_pm_viewfolder.php b/phpBB/includes/ucp/ucp_pm_viewfolder.php index 09e7bf4d7c..ce40a2507d 100644 --- a/phpBB/includes/ucp/ucp_pm_viewfolder.php +++ b/phpBB/includes/ucp/ucp_pm_viewfolder.php @@ -32,6 +32,8 @@ function view_folder($id, $mode, $folder_id, $folder) $folder_info = get_pm_from($folder_id, $folder, $user->data['user_id']); + add_form_key('ucp_pm_view_folder'); + if (!$submit_export) { $user->add_lang('viewforum'); @@ -197,6 +199,11 @@ function view_folder($id, $mode, $folder_id, $folder) $enclosure = $request->variable('enclosure', ''); $delimiter = $request->variable('delimiter', ''); + if (!check_form_key('ucp_pm_view_folder')) + { + trigger_error('FORM_INVALID'); + } + if ($export_type == 'CSV' && ($delimiter === '' || $enclosure === '')) { $template->assign_var('PROMPT', true); -- cgit v1.2.1 From 6320da67e4f031e5d47c74ecaea477c2e721f99a Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 11 Nov 2019 20:35:09 +0100 Subject: [ticket/security-249] Do not handle avatar submit on invalid token SECURITY-249 --- phpBB/includes/ucp/ucp_groups.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php index 2423af86be..24b94126b0 100644 --- a/phpBB/includes/ucp/ucp_groups.php +++ b/phpBB/includes/ucp/ucp_groups.php @@ -534,7 +534,12 @@ class ucp_groups 'teampage' => $group_row['group_teampage'], ); - if ($config['allow_avatar']) + if (!check_form_key('ucp_groups')) + { + $error[] = $user->lang['FORM_INVALID']; + } + + if (!count($error) && $config['allow_avatar']) { // Handle avatar $driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', '')); @@ -556,11 +561,6 @@ class ucp_groups $error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error)); } - if (!check_form_key('ucp_groups')) - { - $error[] = $user->lang['FORM_INVALID']; - } - // Validate submitted colour value if ($colour_error = validate_data($submit_ary, array('colour' => array('hex_colour', true)))) { -- cgit v1.2.1 From e7a6ed20e8ea073d7bf14890c766b17de444cf79 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 24 Dec 2019 15:27:43 +0100 Subject: [ticket/security-251] Check form token when moving PM to folder SECURITY-251 --- phpBB/includes/ucp/ucp_pm.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php index 4d02620e89..3f982c8dd0 100644 --- a/phpBB/includes/ucp/ucp_pm.php +++ b/phpBB/includes/ucp/ucp_pm.php @@ -193,6 +193,8 @@ class ucp_pm trigger_error('NO_AUTH_READ_HOLD_MESSAGE'); } + add_form_key('ucp_pm_view'); + // First Handle Mark actions and moving messages $submit_mark = (isset($_POST['submit_mark'])) ? true : false; $move_pm = (isset($_POST['move_pm'])) ? true : false; @@ -210,6 +212,11 @@ class ucp_pm // Move PM if ($move_pm) { + if (!check_form_key('ucp_pm_view')) + { + trigger_error('FORM_INVALID'); + } + $move_msg_ids = (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array(); $cur_folder_id = $request->variable('cur_folder_id', PRIVMSGS_NO_BOX); -- cgit v1.2.1 From 25c80df156ecd5389734265f8fdf6908212984b4 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 26 Dec 2019 14:40:23 +0100 Subject: [ticket/security-252] Check form token on marking PM SECURITY-252 --- phpBB/includes/ucp/ucp_pm.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php index 3f982c8dd0..00d1ce7149 100644 --- a/phpBB/includes/ucp/ucp_pm.php +++ b/phpBB/includes/ucp/ucp_pm.php @@ -209,14 +209,14 @@ class ucp_pm $submit_mark = false; } + if (($move_pm || $submit_mark) && !check_form_key('ucp_pm_view')) + { + trigger_error('FORM_INVALID'); + } + // Move PM if ($move_pm) { - if (!check_form_key('ucp_pm_view')) - { - trigger_error('FORM_INVALID'); - } - $move_msg_ids = (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array(); $cur_folder_id = $request->variable('cur_folder_id', PRIVMSGS_NO_BOX); -- cgit v1.2.1 From 4f007321e19e18e9166c4df2e8cb0d98d17fc14c Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 24 Dec 2019 12:44:16 +0100 Subject: [ticket/security-250] Check form key when approving group membership SECURITY-250 --- phpBB/includes/ucp/ucp_groups.php | 5 ++ tests/functional/ucp_groups_test.php | 68 ++++++++++++++++++++++ .../test_framework/phpbb_functional_test_case.php | 33 +++++++---- 3 files changed, 94 insertions(+), 12 deletions(-) diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php index 24b94126b0..cf6e049748 100644 --- a/phpBB/includes/ucp/ucp_groups.php +++ b/phpBB/includes/ucp/ucp_groups.php @@ -875,6 +875,11 @@ class ucp_groups trigger_error($user->lang['NO_GROUP'] . $return_page); } + if (!check_form_key('ucp_groups')) + { + trigger_error($user->lang('FORM_INVALID') . $return_page); + } + if (!($row = group_memberships($group_id, $user->data['user_id']))) { trigger_error($user->lang['NOT_MEMBER_OF_GROUP'] . $return_page); diff --git a/tests/functional/ucp_groups_test.php b/tests/functional/ucp_groups_test.php index cd18a0fcae..445c124158 100644 --- a/tests/functional/ucp_groups_test.php +++ b/tests/functional/ucp_groups_test.php @@ -54,4 +54,72 @@ class phpbb_functional_ucp_groups_test extends phpbb_functional_common_groups_te $this->assertContains($this->lang('GROUP_UPDATED'), $crawler->text()); $this->assertEquals($teampage_settings, $this->get_teampage_settings()); } + + public function test_create_request_group() + { + $this->login(); + $this->admin_login(); + $this->add_lang('acp/groups'); + + $crawler = self::request('GET', 'adm/index.php?i=acp_groups&mode=manage&sid=' . $this->sid); + $form = $crawler->selectButton($this->lang('SUBMIT'))->form(); + $crawler = self::submit($form, array('group_name' => 'request-group')); + + $form = $crawler->selectButton($this->lang('SUBMIT'))->form(); + $crawler = self::submit($form, array('group_name' => 'request-group')); + + $this->assertContainsLang('GROUP_CREATED', $crawler->filter('#main')->text()); + + $group_id = $this->get_group_id('request-group'); + + // Make admin group leader + $crawler = self::request('GET', 'adm/index.php?i=acp_groups&mode=manage&action=list&g=' . $group_id . '&sid=' . $this->sid); + $form = $crawler->filter('input[name=addusers]')->selectButton($this->lang('SUBMIT'))->form(); + $crawler = self::submit($form, [ + 'leader' => 1, + 'usernames' => 'admin', + ]); + + $this->assertContainsLang('GROUP_MODS_ADDED', $crawler->filter('#main')->text()); + } + + /** + * @depends test_create_request_group + */ + public function test_request_group_membership() + { + $this->create_user('request-group-user'); + $this->login('request-group-user'); + $this->add_lang('groups'); + + $group_id = $this->get_group_id('request-group'); + + $crawler = self::request('GET', 'ucp.php?i=ucp_groups&mode=membership&sid=' . $this->sid); + $form = $crawler->selectButton($this->lang('SUBMIT'))->form(); + $crawler = self::submit($form, ['selected' => $group_id, 'action' => 'join']); + $this->assertContainsLang('GROUP_JOIN_PENDING_CONFIRM', $crawler->text()); + + $form = $crawler->selectButton($this->lang('YES'))->form(); + $crawler = self::submit($form); + $this->assertContainsLang('GROUP_JOINED_PENDING', $crawler->text()); + } + + /** + * @depends test_request_group_membership + */ + public function test_approve_group_membership() + { + $this->login(); + $this->add_lang('acp/groups'); + + $group_id = $this->get_group_id('request-group'); + $crawler = self::request('GET', 'ucp.php?i=ucp_groups&mode=manage&action=list&g=' . $group_id . '&sid=' . $this->sid); + $form = $crawler->filter('input[name=update]')->selectButton($this->lang('SUBMIT'))->form(); + $crawler = self::submit($form, [ + 'mark' => [$crawler->filter('input[name="mark[]"]')->first()->attr('value')], + 'action' => 'approve', + ]); + + $this->assertContainsLang('USERS_APPROVED', $crawler->text()); + } } diff --git a/tests/test_framework/phpbb_functional_test_case.php b/tests/test_framework/phpbb_functional_test_case.php index 2659cf6e73..f1b30f0fed 100644 --- a/tests/test_framework/phpbb_functional_test_case.php +++ b/tests/test_framework/phpbb_functional_test_case.php @@ -623,6 +623,25 @@ class phpbb_functional_test_case extends phpbb_test_case return user_add($user_row); } + /** + * Get group ID + * + * @param string $group_name Group name + * @return int Group id of specified group name + */ + protected function get_group_id($group_name) + { + $db = $this->get_db(); + $sql = 'SELECT group_id + FROM ' . GROUPS_TABLE . " + WHERE group_name = '" . $db->sql_escape($group_name) . "'"; + $result = $db->sql_query($sql); + $group_id = (int) $db->sql_fetchfield('group_id'); + $db->sql_freeresult($result); + + return $group_id; + } + protected function remove_user_group($group_name, $usernames) { global $db, $cache, $auth, $config, $phpbb_dispatcher, $phpbb_log, $phpbb_container, $phpbb_root_path, $phpEx; @@ -655,12 +674,7 @@ class phpbb_functional_test_case extends phpbb_test_case require_once(__DIR__ . '/../../phpBB/includes/functions_user.php'); } - $sql = 'SELECT group_id - FROM ' . GROUPS_TABLE . " - WHERE group_name = '" . $db->sql_escape($group_name) . "'"; - $result = $db->sql_query($sql); - $group_id = (int) $db->sql_fetchfield('group_id'); - $db->sql_freeresult($result); + $group_id = $this->get_group_id($group_name); return group_user_del($group_id, false, $usernames, $group_name); } @@ -700,12 +714,7 @@ class phpbb_functional_test_case extends phpbb_test_case require_once(__DIR__ . '/../../phpBB/includes/functions_user.php'); } - $sql = 'SELECT group_id - FROM ' . GROUPS_TABLE . " - WHERE group_name = '" . $db->sql_escape($group_name) . "'"; - $result = $db->sql_query($sql); - $group_id = (int) $db->sql_fetchfield('group_id'); - $db->sql_freeresult($result); + $group_id = $this->get_group_id($group_name); return group_user_add($group_id, false, $usernames, $group_name, $default, $leader); } -- cgit v1.2.1 From a2a003836896124c9c35fe6720890b40bf62cb48 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 4 Jan 2020 10:16:06 +0100 Subject: [prep-release-3.2.9] Update version numbers for 3.2.9 --- build/build.xml | 4 ++-- phpBB/includes/constants.php | 2 +- phpBB/install/phpbbcli.php | 2 +- phpBB/install/schemas/schema_data.sql | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build/build.xml b/build/build.xml index e81bc98fe2..a95d8bedf5 100644 --- a/build/build.xml +++ b/build/build.xml @@ -2,9 +2,9 @@ - + - + diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index 12df965bd9..ff3bbbc543 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -28,7 +28,7 @@ if (!defined('IN_PHPBB')) */ // phpBB Version -@define('PHPBB_VERSION', '3.2.9-RC1'); +@define('PHPBB_VERSION', '3.2.9'); // QA-related // define('PHPBB_QA', 1); diff --git a/phpBB/install/phpbbcli.php b/phpBB/install/phpbbcli.php index dbc8a17f8c..86ec87b38f 100755 --- a/phpBB/install/phpbbcli.php +++ b/phpBB/install/phpbbcli.php @@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli') define('IN_PHPBB', true); define('IN_INSTALL', true); define('PHPBB_ENVIRONMENT', 'production'); -define('PHPBB_VERSION', '3.2.9-RC1'); +define('PHPBB_VERSION', '3.2.9'); $phpbb_root_path = __DIR__ . '/../'; $phpEx = substr(strrchr(__FILE__, '.'), 1); diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql index c9afe0176b..45685051f2 100644 --- a/phpBB/install/schemas/schema_data.sql +++ b/phpBB/install/schemas/schema_data.sql @@ -279,7 +279,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.9-RC1'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.9'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400'); -- cgit v1.2.1 From 4f39da4343c465f6d6e0053090d2619c14a908b1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 4 Jan 2020 10:17:57 +0100 Subject: [prep-release-3.2.9] Add migration for 3.2.9 --- phpBB/phpbb/db/migration/data/v32x/v329.php | 37 +++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v32x/v329.php diff --git a/phpBB/phpbb/db/migration/data/v32x/v329.php b/phpBB/phpbb/db/migration/data/v32x/v329.php new file mode 100644 index 0000000000..e88e264aef --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/v329.php @@ -0,0 +1,37 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v32x; + +class v329 extends \phpbb\db\migration\migration +{ + public function effectively_installed() + { + return phpbb_version_compare($this->config['version'], '3.2.9', '>='); + } + + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v329rc1', + '\phpbb\db\migration\data\v32x\user_emoji_permission', + ); + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.2.9')), + ); + } +} -- cgit v1.2.1 From 2fdd46b36431ae0f58bb2e78e42553168db9a0ff Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 4 Jan 2020 11:28:54 +0100 Subject: [prep-release-3.2.9] Update changelog for 3.2.9 --- phpBB/docs/CHANGELOG.html | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 33faa961a1..45300c4986 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -50,6 +50,7 @@
  1. Changelog
      +
    • Changes since 3.2.9-RC1
    • Changes since 3.2.8
    • Changes since 3.2.8-RC1
    • Changes since 3.2.7
      • @@ -141,6 +142,30 @@
      +

      Changes since 3.2.9-RC1

      +

      Bug

      +
        +
      • [PHPBB3-15592] - "Place inline" button appears when BBcode is disabled (Post settings)
        • +
      • [PHPBB3-16269] - Sphinx backend indexes HTML markup as keywords
        • +
      • [PHPBB3-16282] - Default jQuery CDN URL is outdated on new installs
        • +
      +

      Improvement

      +
        +
      • [PHPBB3-16271] - Add support for 3.3.x API documentation
        • +
      • [PHPBB3-16279] - Add permission for Emojii in topic title
        • +
      +

      Security

      +
        +
      • [SECURITY-249] - Group avatar overwrite on invalid submit
        • +
      • [SECURITY-250] - Group leader can be tricked into approving user
        • +
      +

      Hardening

      +
        +
      • [SECURITY-251] - Unwanted move of PMs to folders
        • +
      • [SECURITY-252] - PMs of unsuspecting users can be marked as important
        • +
      • [SECURITY-253] - PM export without proper validation
        • +
      +

      Changes since 3.2.8

      Bug

        -- cgit v1.2.1