From cdf4f5ef85f05c0f94eae1a9edb1c28d4ac3515f Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 14 Jul 2019 16:44:59 +0200 Subject: [ticket/security/246] Check form key no matter if submit is set SECURITY-246 --- phpBB/includes/acp/acp_bbcodes.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/phpBB/includes/acp/acp_bbcodes.php b/phpBB/includes/acp/acp_bbcodes.php index 1f7374a07f..56079061ce 100644 --- a/phpBB/includes/acp/acp_bbcodes.php +++ b/phpBB/includes/acp/acp_bbcodes.php @@ -33,7 +33,6 @@ class acp_bbcodes // Set up general vars $action = $request->variable('action', ''); $bbcode_id = $request->variable('bbcode', 0); - $submit = $request->is_set_post('submit'); $this->tpl_name = 'acp_bbcodes'; $this->page_title = 'ACP_BBCODES'; @@ -41,11 +40,6 @@ class acp_bbcodes add_form_key($form_key); - if ($submit && !check_form_key($form_key)) - { - trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); - } - // Set up mode-specific vars switch ($action) { @@ -179,6 +173,12 @@ class acp_bbcodes extract($phpbb_dispatcher->trigger_event('core.acp_bbcodes_modify_create', compact($vars))); $warn_text = preg_match('%<[^>]*\{text[\d]*\}[^>]*>%i', $bbcode_tpl); + + if (!$warn_text && !check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + if (!$warn_text || confirm_box(true)) { $data = $this->build_regexp($bbcode_match, $bbcode_tpl); -- cgit v1.2.1 From b5a997ce183fa655af4c03b5f92a58a1a3e7c2f1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 16 Jul 2019 20:44:12 +0200 Subject: [ticket/security/243] Limit size values to supported values SECURITY-243 --- phpBB/language/en/posting.php | 1 + phpBB/phpbb/textformatter/s9e/parser.php | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/phpBB/language/en/posting.php b/phpBB/language/en/posting.php index 11ea6483e1..8f43ee7656 100644 
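Review bot: The relocated `check_form_key()` call in the last hunk is guarded by `!$warn_text`, so when the template matches the `{text}` warning pattern the create/modify path reaches `confirm_box(true)` with no form-key check in this hunk; that is only sound if `confirm_box()` validates its own confirmation token, which this page does not show. A comment on the new `if` would make the dependency explicit, e.g. `// Non-warning path is protected by the form key; the warning path relies on confirm_box()'s own confirmation token`. The first hunk drops `$submit` from the setup code, so any remaining use of `$submit` further down this method (outside the hunks shown) would now read an undefined variable and should be checked. The enclosing method starts and ends outside these hunks.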
--- a/phpBB/language/en/posting.php +++ b/phpBB/language/en/posting.php @@ -139,6 +139,7 @@ $lang = array_merge($lang, array( 'IMAGES_ARE_OFF' => '[img] is OFF', 'IMAGES_ARE_ON' => '[img] is ON', 'INVALID_FILENAME' => '%s is an invalid filename.', + 'INVALID_FONT_SIZE' => 'The font size you supplied is invalid: %s', 'LOAD' => 'Load', 'LOAD_DRAFT' => 'Load draft', diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php index 3698dca224..e30bc2b0d9 100644 --- a/phpBB/phpbb/textformatter/s9e/parser.php +++ b/phpBB/phpbb/textformatter/s9e/parser.php @@ -228,6 +228,10 @@ class parser implements \phpbb\textformatter\parser_interface { $errors[] = array($msg); } + else if ($msg === 'INVALID_FONT_SIZE') + { + $errors[] = [$msg, $context['invalid_size']]; + } } // Deduplicate error messages. array_unique() only works on strings so we have to serialize @@ -335,6 +339,13 @@ class parser implements \phpbb\textformatter\parser_interface */ static public function filter_font_size($size, $max_size, Logger $logger) { + if (!is_int($size)) + { + $logger->err('INVALID_FONT_SIZE', ['invalid_size' => htmlspecialchars($size)]); + + return false; + } + if ($max_size && $size > $max_size) { $logger->err('MAX_FONT_SIZE_EXCEEDED', array('max_size' => $max_size)); -- cgit v1.2.1 From c934d3fcfdaaa1e8c2161577690fef9dcb41b1e1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 17 Jul 2019 22:02:32 +0200 Subject: [ticket/security/243] Limit size BBCode to 4 numeric characters SECURITY-243 --- phpBB/phpbb/textformatter/s9e/factory.php | 2 +- phpBB/phpbb/textformatter/s9e/parser.php | 2 +- phpBB/styles/prosilver/template/bbcode.html | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php index 6191b9a315..d339e3311d 100644 --- a/phpBB/phpbb/textformatter/s9e/factory.php +++ b/phpBB/phpbb/textformatter/s9e/factory.php 
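Review bot: The new `else if` branch reads `$context['invalid_size']` without checking that the key exists, so any other emitter of `INVALID_FONT_SIZE` that omits it would raise an undefined-index notice; `$errors[] = [$msg, isset($context['invalid_size']) ? $context['invalid_size'] : ''];` keeps the branch total. The branch also mixes short `[]` syntax with the `array($msg)` form on the line just above it; one style within the method reads better. The enclosing loop and method continue outside the hunk.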
@@ -110,7 +110,7 @@ class factory implements \phpbb\textformatter\cache_interface 'i' => '', 'u' => '', 'img' => '{L_IMAGE}', - 'size' => '', + 'size' => 'font-size: %; line-height: normal', 'color' => '', 'email' => ' diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php index e30bc2b0d9..1bc56a8cb4 100644 --- a/phpBB/phpbb/textformatter/s9e/parser.php +++ b/phpBB/phpbb/textformatter/s9e/parser.php @@ -339,7 +339,7 @@ class parser implements \phpbb\textformatter\parser_interface */ static public function filter_font_size($size, $max_size, Logger $logger) { - if (!is_int($size)) + if (!is_numeric($size)) { $logger->err('INVALID_FONT_SIZE', ['invalid_size' => htmlspecialchars($size)]); diff --git a/phpBB/styles/prosilver/template/bbcode.html b/phpBB/styles/prosilver/template/bbcode.html index 940c0ace29..f4ec94dbfe 100644 --- a/phpBB/styles/prosilver/template/bbcode.html +++ b/phpBB/styles/prosilver/template/bbcode.html @@ -64,7 +64,7 @@ {TEXT} -{TEXT} +font-size: %; line-height: normal {L_IMAGE} -- cgit v1.2.1 From f75577e5f858e43e202010f6889bd55096f75ea3 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 18 Jul 2019 22:32:19 +0200 Subject: [ticket/security/243] Use bbcode.html like formatting SECURITY-243 --- phpBB/phpbb/textformatter/s9e/factory.php | 2 +- tests/text_formatter/s9e/default_formatting_test.php | 2 +- tests/text_processing/tickets_data/PHPBB3-13921.html | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php index d339e3311d..dca1c78d40 100644 --- a/phpBB/phpbb/textformatter/s9e/factory.php +++ b/phpBB/phpbb/textformatter/s9e/factory.php @@ -110,7 +110,7 @@ class factory implements \phpbb\textformatter\cache_interface 'i' => '', 'u' => '', 'img' => '{L_IMAGE}', - 'size' => 'font-size: %; line-height: normal', + 'size' => 'font-size: %; line-height: normal', 'color' => '', 'email' => ' 
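Review bot: `is_numeric()` in the new condition still accepts forms such as `'1e3'`, `' 12'`, `'+12'` and `'12.5'`, and the factory hunk above shows the value being interpolated into a `font-size: …%` declaration, so unless the attribute's own regex (not visible on this page) already restricts it, non-integer forms reach the generated CSS. Given the commit's stated goal of four numeric characters, a positive check such as `if (!preg_match('/^\d{1,4}$/', (string) $size))` is both tighter and self-documenting. The same `is_numeric()` test survives in the final form of this function in the later commit on this page (`$size < 1 || !is_numeric($size)`). The rest of `filter_font_size()` lies outside the hunk.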
diff --git a/tests/text_formatter/s9e/default_formatting_test.php b/tests/text_formatter/s9e/default_formatting_test.php index a35c9138a5..1aa4f0bc3a 100644 --- a/tests/text_formatter/s9e/default_formatting_test.php +++ b/tests/text_formatter/s9e/default_formatting_test.php @@ -70,7 +70,7 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case ), array( '[size=75]smaller[/size]', - 'smaller' + 'smaller' ), array( '[quote]quoted[/quote]', diff --git a/tests/text_processing/tickets_data/PHPBB3-13921.html b/tests/text_processing/tickets_data/PHPBB3-13921.html index 690668ef28..6a9dc7f504 100644 --- a/tests/text_processing/tickets_data/PHPBB3-13921.html +++ b/tests/text_processing/tickets_data/PHPBB3-13921.html @@ -1 +1 @@ -
xxx
\ No newline at end of file +
xxx
\ No newline at end of file -- cgit v1.2.1 From 4d640555ef1ba851f9e041c594d0dda7253e8450 Mon Sep 17 00:00:00 2001 From: rxu Date: Tue, 2 Jan 2018 13:51:39 +0700 Subject: [ticket/15467] Fix JS for permissions setting PHPBB3-15467 --- phpBB/adm/style/permission_mask.html | 2 ++ phpBB/adm/style/permissions.js | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/phpBB/adm/style/permission_mask.html b/phpBB/adm/style/permission_mask.html index c556664b8c..23294d60df 100644 --- a/phpBB/adm/style/permission_mask.html +++ b/phpBB/adm/style/permission_mask.html @@ -9,6 +9,8 @@ var role_options = new Array(); + var no_role_assigned = "{LA_NO_ROLE_ASSIGNED}"; + {S_ROLE_JS_ARRAY} diff --git a/phpBB/adm/style/permissions.js b/phpBB/adm/style/permissions.js index 9178adab50..4ae566ace7 100644 --- a/phpBB/adm/style/permissions.js +++ b/phpBB/adm/style/permissions.js @@ -279,6 +279,16 @@ function reset_role(id) { } t.options[0].selected = true; + + (function($)// Avoid conflicts with other libraries + { + var parent = $(t).parent(); + parent.find("span[title=Roles]")[0].innerText = no_role_assigned; + + // Find proper role value + var roleInput = parent.find('input[name^=role][data-name]'); + roleInput.val(0); + })(jQuery); // Avoid conflicts with other libraries } /** -- cgit v1.2.1 From 6b04fda0f323e7cfddab427c4f8696ac440d361c Mon Sep 17 00:00:00 2001 From: Nekstati <52348253+Nekstati@users.noreply.github.com> Date: Sun, 28 Jul 2019 18:39:04 +0700 Subject: [ticket/15467] Fix JS for permissions setting PHPBB3-15467 --- phpBB/adm/style/permissions.js | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/phpBB/adm/style/permissions.js b/phpBB/adm/style/permissions.js index 4ae566ace7..af8e21ad51 100644 --- a/phpBB/adm/style/permissions.js +++ b/phpBB/adm/style/permissions.js 
@@ -280,15 +280,9 @@ function reset_role(id) { t.options[0].selected = true; - (function($)// Avoid conflicts with other libraries - { - var parent = $(t).parent(); - parent.find("span[title=Roles]")[0].innerText = no_role_assigned; - - // Find proper role value - var roleInput = parent.find('input[name^=role][data-name]'); - roleInput.val(0); - })(jQuery); // Avoid conflicts with other libraries + var parent = t.parentNode; + parent.querySelector('span.dropdown-trigger').innerText = no_role_assigned; + parent.querySelector('input[data-name^=role]').value = '0'; } /** -- cgit v1.2.1 From 4555817a8b6dc3910fff0c26422a82aa769c8904 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 11 Aug 2019 21:31:59 +0200 Subject: [ticket/security/247] Disable loading of local files on client side SECURITY-247 --- phpBB/phpbb/db/driver/mysqli.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/phpBB/phpbb/db/driver/mysqli.php b/phpBB/phpbb/db/driver/mysqli.php index d43e201526..b429ad97aa 100644 --- a/phpBB/phpbb/db/driver/mysqli.php +++ b/phpBB/phpbb/db/driver/mysqli.php @@ -68,6 +68,9 @@ class mysqli extends \phpbb\db\driver\mysql_base if ($this->db_connect_id && $this->dbname != '') { + // Disable loading local files on client side + @mysqli_options($this->db_connect_id, MYSQLI_OPT_LOCAL_INFILE, false); + @mysqli_query($this->db_connect_id, "SET NAMES 'utf8'"); // enforce strict mode on databases that support it -- cgit v1.2.1 From 29a77ea10d31fc2edf1a71ee0dfa247696531d66 Mon Sep 17 00:00:00 2001 From: Christian Schnegelberger Date: Mon, 19 Aug 2019 20:40:03 +0200 Subject: [ticket/16136] Reword sentence for account already linked PHPBB3-16136 --- phpBB/language/en/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php index 8df8fc630b..332204b899 100644 --- a/phpBB/language/en/common.php +++ b/phpBB/language/en/common.php 
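Review bot: Both `querySelector()` calls in the new lines return `null` when the markup has no `span.dropdown-trigger` or `input[data-name^=role]` next to the select, and the following property assignment then throws a TypeError that aborts `reset_role()` after `t.options[0]` was already reset. Guarding each lookup keeps the function usable on any variant of the permission-mask markup, e.g. `var trigger = parent.querySelector('span.dropdown-trigger'); if (trigger) { trigger.innerText = no_role_assigned; }` with the same pattern for the input. `no_role_assigned` is a global that the template defines in the earlier commit on this page, which deserves a short comment beside its use here. The start of `reset_role()` is outside the hunk.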
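Review bot: The new `mysqli_options(..., MYSQLI_OPT_LOCAL_INFILE, false)` is issued after the connection is already up (inside the `if ($this->db_connect_id ...)` block), whereas the PHP manual documents `mysqli_options()` for use between `mysqli_init()` and `mysqli_real_connect()`; with mysqlnd the flag is consulted when the server requests a local file, so this placement appears to work, but it is worth confirming against the client library in use and adding a comment explaining why the call sits here. The `@` suppression also hides a `false` return, so a failed attempt to disable the option goes unnoticed; checking the return value and logging a failure would make the hardening observable. This setting complements, rather than replaces, the `mysqli.allow_local_infile` ini directive. The enclosing method continues outside the hunk.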
@@ -91,7 +91,7 @@ $lang = array_merge($lang, array( 'ATTACHED_IMAGE_NOT_IMAGE' => 'The image file you tried to attach is invalid.', 'AUTHOR' => 'Author', 'AUTH_NO_PROFILE_CREATED' => 'The creation of a user profile was unsuccessful.', - 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED' => 'The account is already linked with other user.', + 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED' => 'The account is already linked to another user.', 'AUTH_PROVIDER_OAUTH_ERROR_INVALID_ENTRY' => 'Invalid database entry.', 'AUTH_PROVIDER_OAUTH_ERROR_INVALID_SERVICE_TYPE' => 'Invalid service type provided to OAuth service handler.', 'AUTH_PROVIDER_OAUTH_ERROR_SERVICE_NOT_CREATED' => 'OAuth service not created', -- cgit v1.2.1 From 54c684051bb603415e2fedb274ad12adac7e1bd4 Mon Sep 17 00:00:00 2001 From: kinerity Date: Tue, 20 Aug 2019 20:01:27 -0400 Subject: [ticket/16134] Exclude group leaders on group member purge PHPBB3-16134 --- phpBB/includes/acp/acp_prune.php | 1 + 1 file changed, 1 insertion(+) diff --git a/phpBB/includes/acp/acp_prune.php b/phpBB/includes/acp/acp_prune.php index 3eee4f7922..c5f7789de8 100644 --- a/phpBB/includes/acp/acp_prune.php +++ b/phpBB/includes/acp/acp_prune.php @@ -537,6 +537,7 @@ class acp_prune AND ug.user_id <> ' . ANONYMOUS . ' AND u.user_type <> ' . USER_FOUNDER . ' AND ug.user_pending = 0 + AND ug.group_leader = 0 AND u.user_id = ug.user_id ' . (!empty($user_ids) ? ' AND ' . $db->sql_in_set('ug.user_id', $user_ids) : ''); $result = $db->sql_query($sql); -- cgit v1.2.1 From b0465a6202107a456095e74af5941765414bc71e Mon Sep 17 00:00:00 2001 From: Christian Schnegelberger Date: Thu, 22 Aug 2019 18:37:23 +0200 Subject: [ticket/16136] Implement extended explaination PHPBB3-16136 --- phpBB/language/en/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php index 332204b899..68fe6523a2 100644 --- a/phpBB/language/en/common.php +++ b/phpBB/language/en/common.php 
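Review bot: The added `AND ug.group_leader = 0` condition carries no explanation in the query; a one-line comment stating the intent would help the next reader, e.g. `// Keep group leaders when purging the members of a group`. The hunk only shows the SELECT that builds the member list; if another query or count in this method enumerates the same members (not visible here), it would need the same condition. The enclosing method starts and ends outside the hunk.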
@@ -91,7 +91,7 @@ $lang = array_merge($lang, array( 'ATTACHED_IMAGE_NOT_IMAGE' => 'The image file you tried to attach is invalid.', 'AUTHOR' => 'Author', 'AUTH_NO_PROFILE_CREATED' => 'The creation of a user profile was unsuccessful.', - 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED' => 'The account is already linked to another user.', + 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED' => 'This external service is already associated with another board account.', 'AUTH_PROVIDER_OAUTH_ERROR_INVALID_ENTRY' => 'Invalid database entry.', 'AUTH_PROVIDER_OAUTH_ERROR_INVALID_SERVICE_TYPE' => 'Invalid service type provided to OAuth service handler.', 'AUTH_PROVIDER_OAUTH_ERROR_SERVICE_NOT_CREATED' => 'OAuth service not created', -- cgit v1.2.1 From 56477a8f7c1421ecc01f15258f0739ce8438db32 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 30 Jun 2019 22:40:34 +0200 Subject: [ticket/security/244] Add form token check to plupload SECURTIY-244 --- phpBB/assets/javascript/plupload.js | 17 ++++++++++++++++ phpBB/includes/message_parser.php | 29 +++++++++++++++++++++++++++ phpBB/includes/ucp/ucp_pm_compose.php | 7 +++++-- phpBB/styles/prosilver/template/plupload.html | 1 + 4 files changed, 52 insertions(+), 2 deletions(-) diff --git a/phpBB/assets/javascript/plupload.js b/phpBB/assets/javascript/plupload.js index fab1ca6d7c..5e8db8b035 100644 --- a/phpBB/assets/javascript/plupload.js +++ b/phpBB/assets/javascript/plupload.js @@ -90,6 +90,12 @@ phpbb.plupload.getSerializedData = function() { obj['attachment_data[' + i + '][' + key + ']'] = datum[key]; } } + + // Insert form data + var $pluploadForm = $(phpbb.plupload.config.form_hook).first(); + obj.creation_time = $pluploadForm.find('input[type=hidden][name="creation_time"]').val(); + obj.form_token = $pluploadForm.find('input[type=hidden][name="form_token"]').val(); + return obj; }; 
@@ -264,6 +270,17 @@ phpbb.plupload.deleteFile = function(row, attachId) { return; } + + // Handle errors while deleting file + if (typeof response.error !== 'undefined') { + phpbb.alert(phpbb.plupload.lang.ERROR, response.error.message); + + // We will have to assume that the deletion failed. So leave the file status as uploaded. + row.find('.file-status').toggleClass('file-uploaded'); + + return; + } + phpbb.plupload.update(response, 'removal', index); // Check if the user can upload files now if he had reached the max files limit. phpbb.plupload.handleMaxFilesReached(); diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php index 0b79cca864..e1c28223dc 100644 --- a/phpBB/includes/message_parser.php +++ b/phpBB/includes/message_parser.php @@ -1524,6 +1524,35 @@ class parse_message extends bbcode_firstpass } } + /** + * Check attachment form token depending on submit type + * + * @param \phpbb\language\language $language Language + * @param \phpbb\request\request_interface $request Request + * @param string $form_name Form name for checking form key + * + * @return bool True if form token is not needed or valid, false if needed and invalid + */ + function check_attachment_form_token(\phpbb\language\language $language, \phpbb\request\request_interface $request, $form_name) + { + $add_file = $request->is_set_post('add_file'); + $delete_file = $request->is_set_post('delete_file'); + + if (($add_file || $delete_file) && !check_form_key($form_name)) + { + $this->warn_msg[] = $language->lang('FORM_INVALID'); + + if ($request->is_ajax() && $this->plupload) + { + $this->plupload->emit_error(-400, 'FORM_INVALID'); + } + + return false; + } + + return true; + } + /** * Parse Attachments */ diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php index cb45112b01..06baa279a5 100644 --- a/phpBB/includes/ucp/ucp_pm_compose.php +++ b/phpBB/includes/ucp/ucp_pm_compose.php 
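Review bot: In the new error branch `row.find('.file-status').toggleClass('file-uploaded')` flips the class rather than setting it, so the outcome depends on the class state at the moment the response arrives; the comment above it says the status should be left as uploaded, which `row.find('.file-status').addClass('file-uploaded');` expresses unambiguously. If the caller removed the class before issuing the request (not visible in the hunk), `addClass` is equivalent to the toggle and still correct. `phpbb.plupload.deleteFile` starts and ends outside the hunk.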
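Review bot: `check_attachment_form_token()` has no visibility keyword and an untyped `$form_name` even though the docblock documents it as a string; `public function check_attachment_form_token(\phpbb\language\language $language, \phpbb\request\request_interface $request, $form_name)` matches the docblock and the usual conventions. On the AJAX path the method calls `$this->plupload->emit_error(-400, 'FORM_INVALID')` and then still returns `false`; if `emit_error()` returns instead of terminating the request (its implementation is not on this page), the caller goes on to render the normal page after the JSON error, so a comment stating which behaviour is relied upon would help. The check is keyed to the `add_file`/`delete_file` POST fields, so any other attachment action handled by `parse_attachments()` remains covered only by the surrounding form's own key check, which is outside the hunk.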
@@ -26,7 +26,7 @@ if (!defined('IN_PHPBB')) function compose_pm($id, $mode, $action, $user_folders = array()) { global $template, $db, $auth, $user, $cache; - global $phpbb_root_path, $phpEx, $config; + global $phpbb_root_path, $phpEx, $config, $language; global $request, $phpbb_dispatcher, $phpbb_container; // Damn php and globals - i know, this is horrible @@ -799,7 +799,10 @@ function compose_pm($id, $mode, $action, $user_folders = array()) extract($phpbb_dispatcher->trigger_event('core.ucp_pm_compose_modify_parse_before', compact($vars))); // Parse Attachments - before checksum is calculated - $message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true); + if ($message_parser->check_attachment_form_token($language, $request, 'ucp_pm_compose')) + { + $message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true); + } if (count($message_parser->warn_msg) && !($remove_u || $remove_g || $add_to || $add_bcc)) { diff --git a/phpBB/styles/prosilver/template/plupload.html b/phpBB/styles/prosilver/template/plupload.html index 1eb84372e8..593070321d 100644 --- a/phpBB/styles/prosilver/template/plupload.html +++ b/phpBB/styles/prosilver/template/plupload.html @@ -57,6 +57,7 @@ phpbb.plupload = { lang: { ERROR: '{LA_ERROR}', TOO_MANY_ATTACHMENTS: '{LA_TOO_MANY_ATTACHMENTS}', + FORM_INVALID: '{LA_FORM_INVALID}', }, order: '{ATTACH_ORDER}', maxFiles: {MAX_ATTACHMENTS}, -- cgit v1.2.1 From 6c8d0063368a1815a270d97dc0defdee0f6bf027 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 1 Jul 2019 20:56:17 +0200 Subject: [ticket/security/244] Add parse_attachment form token check to posting.php SECURITY-244 --- phpBB/posting.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/phpBB/posting.php b/phpBB/posting.php index 5089448483..595d0f0c06 100644 --- a/phpBB/posting.php +++ b/phpBB/posting.php 
@@ -974,7 +974,10 @@ if ($submit || $preview || $refresh) } // Parse Attachments - before checksum is calculated - $message_parser->parse_attachments('fileupload', $mode, $forum_id, $submit, $preview, $refresh); + if ($message_parser->check_attachment_form_token($language, $request, 'posting')) + { + $message_parser->parse_attachments('fileupload', $mode, $forum_id, $submit, $preview, $refresh); + } /** * This event allows you to modify message text before parsing -- cgit v1.2.1 From 59f489c01f63d76ae879b2e25b8fad1b5a82a3dc Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 21 Jul 2019 16:03:19 +0200 Subject: [ticket/security/244] Add missing form parameters to tests SECURITY-244 --- tests/functional/fileupload_form_test.php | 9 +++- tests/functional/plupload_test.php | 14 ++++-- .../test_framework/phpbb_functional_test_case.php | 51 ++++++++++++++++------ 3 files changed, 55 insertions(+), 19 deletions(-) diff --git a/tests/functional/fileupload_form_test.php b/tests/functional/fileupload_form_test.php index b0780172ff..ff9450be0d 100644 --- a/tests/functional/fileupload_form_test.php +++ b/tests/functional/fileupload_form_test.php @@ -46,6 +46,13 @@ class phpbb_functional_fileupload_form_test extends phpbb_functional_test_case private function upload_file($filename, $mimetype) { + $crawler = self::$client->request( + 'GET', + 'posting.php?mode=reply&f=2&t=1&sid=' . $this->sid + ); + + $file_form_data = array_merge(['add_file' => $this->lang('ADD_FILE')], $this->get_hidden_fields($crawler, 'posting.php?mode=reply&f=2&t=1&sid=' . $this->sid)); + $file = array( 'tmp_name' => $this->path . $filename, 'name' => $filename, @@ -57,7 +64,7 @@ class phpbb_functional_fileupload_form_test extends phpbb_functional_test_case $crawler = self::$client->request( 'POST', 'posting.php?mode=reply&f=2&t=1&sid=' . $this->sid, - array('add_file' => $this->lang('ADD_FILE')), + $file_form_data, array('fileupload' => $file) ); 
diff --git a/tests/functional/plupload_test.php b/tests/functional/plupload_test.php index 9d284a7e57..4ab1c8e9e5 100644 --- a/tests/functional/plupload_test.php +++ b/tests/functional/plupload_test.php @@ -76,6 +76,10 @@ class phpbb_functional_plupload_test extends phpbb_functional_test_case $chunk_size = ceil(filesize($this->path . 'valid.jpg') / self::CHUNKS); $handle = fopen($this->path . 'valid.jpg', 'rb'); + $crawler = self::$client->request('POST', $url . '&sid=' . $this->sid); + + $file_form_data = $this->get_hidden_fields($crawler, $url); + for ($i = 0; $i < self::CHUNKS; $i++) { $chunk = fread($handle, $chunk_size); @@ -94,13 +98,13 @@ class phpbb_functional_plupload_test extends phpbb_functional_test_case $crawler = self::$client->request( 'POST', $url . '&sid=' . $this->sid, - array( + array_merge(array( 'chunk' => $i, 'chunks' => self::CHUNKS, 'name' => md5('valid') . '.jpg', 'real_filename' => 'valid.jpg', 'add_file' => $this->lang('ADD_FILE'), - ), + ), $file_form_data), array('fileupload' => $file), array('X-PHPBB-USING-PLUPLOAD' => '1') ); @@ -134,17 +138,19 @@ class phpbb_functional_plupload_test extends phpbb_functional_test_case 'error' => UPLOAD_ERR_OK, ); + $file_form_data = $this->get_hidden_fields(null, $url); + self::$client->setServerParameter('HTTP_X_PHPBB_USING_PLUPLOAD', '1'); self::$client->request( 'POST', $url . '&sid=' . $this->sid, - array( + array_merge(array( 'chunk' => '0', 'chunks' => '1', 'name' => md5('valid') . '.jpg', 'real_filename' => 'valid.jpg', 'add_file' => $this->lang('ADD_FILE'), - ), + ), $file_form_data), array('fileupload' => $file) ); diff --git a/tests/test_framework/phpbb_functional_test_case.php b/tests/test_framework/phpbb_functional_test_case.php index 4d294fd523..2659cf6e73 100644 --- a/tests/test_framework/phpbb_functional_test_case.php +++ b/tests/test_framework/phpbb_functional_test_case.php 
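Review bot: The second `get_hidden_fields(null, $url)` call fetches the form with a plain `$url`, while every other request in this file appends `'&sid=' . $this->sid`; if the functional client does not carry the session by cookie, the hidden `form_token`/`creation_time` would belong to a different session and the following POST would fail the token check it is meant to satisfy. Passing `$url . '&sid=' . $this->sid` keeps it consistent with the first hunk. The first hunk obtains its crawler with an empty `POST`, where a `GET` is the natural way to render the form before reading its hidden fields.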
@@ -1166,24 +1166,14 @@ class phpbb_functional_test_case extends phpbb_test_case 'error' => UPLOAD_ERR_OK, ); - $crawler = self::$client->request('POST', $posting_url, array('add_file' => $this->lang('ADD_FILE')), array('fileupload' => $file)); + $file_form_data = array_merge(['add_file' => $this->lang('ADD_FILE')], $this->get_hidden_fields($crawler, $posting_url)); + + $crawler = self::$client->request('POST', $posting_url, $file_form_data, array('fileupload' => $file)); } unset($form_data['upload_files']); } - $hidden_fields = array( - $crawler->filter('[type="hidden"]')->each(function ($node, $i) { - return array('name' => $node->attr('name'), 'value' => $node->attr('value')); - }), - ); - - foreach ($hidden_fields as $fields) - { - foreach($fields as $field) - { - $form_data[$field['name']] = $field['value']; - } - } + $form_data = array_merge($form_data, $this->get_hidden_fields($crawler, $posting_url)); // I use a request because the form submission method does not allow you to send data that is not // contained in one of the actual form fields that the browser sees (i.e. it ignores "hidden" inputs) 
@@ -1314,4 +1304,37 @@ class phpbb_functional_test_case extends phpbb_test_case return self::request('GET', substr($link, strpos($link, 'mcp.'))); } + + /** + * Get hidden fields for URL + * + * @param Symfony\Component\DomCrawler\Crawler|null $crawler Crawler instance or null + * @param string $url Request URL + * + * @return array Hidden form fields array + */ + protected function get_hidden_fields($crawler, $url) + { + if (!$crawler) + { + $crawler = self::$client->request('GET', $url); + } + $hidden_fields = [ + $crawler->filter('[type="hidden"]')->each(function ($node, $i) { + return ['name' => $node->attr('name'), 'value' => $node->attr('value')]; + }), + ]; + + $file_form_data = []; + + foreach ($hidden_fields as $fields) + { + foreach($fields as $field) + { + $file_form_data[$field['name']] = $field['value']; + } + } + + return $file_form_data; + } } -- cgit v1.2.1 From cc8d6a5a014c994fec8d8bdd61cd1fbc5506de6e Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 31 Aug 2019 18:13:24 +0200 Subject: [ticket/security/243] Fail silently on unsupported values for font size SECURITY-243 --- phpBB/language/en/posting.php | 1 - phpBB/phpbb/textformatter/s9e/parser.php | 13 +------------ 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/phpBB/language/en/posting.php b/phpBB/language/en/posting.php index 570cf63f17..426475e77a 100644 --- a/phpBB/language/en/posting.php +++ b/phpBB/language/en/posting.php @@ -140,7 +140,6 @@ $lang = array_merge($lang, array( 'IMAGES_ARE_OFF' => '[img] is OFF', 'IMAGES_ARE_ON' => '[img] is ON', 'INVALID_FILENAME' => '%s is an invalid filename.', - 'INVALID_FONT_SIZE' => 'The font size you supplied is invalid: %s', 'LOAD' => 'Load', 'LOAD_DRAFT' => 'Load draft', diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php index 1bc56a8cb4..a36fc63141 100644 --- a/phpBB/phpbb/textformatter/s9e/parser.php +++ b/phpBB/phpbb/textformatter/s9e/parser.php 
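Review bot: In the new `get_hidden_fields()` the `each()` result is wrapped in a one-element outer array (`$hidden_fields = [ ... ]`) and then unwrapped again with a nested `foreach`, a pattern copied from the old inline code; a single loop over the `each()` result is clearer and the unused `$i` closure parameter can go. Hidden inputs without a `name` would also be stored under an empty key, so skipping them avoids polluting the posted data. The docblock type `Symfony\Component\DomCrawler\Crawler|null` needs a leading backslash (or a `use` import) to be resolved correctly by tooling.
```php
protected function get_hidden_fields($crawler, $url)
{
	if (!$crawler)
	{
		$crawler = self::$client->request('GET', $url);
	}

	$fields = $crawler->filter('[type="hidden"]')->each(function ($node) {
		return ['name' => $node->attr('name'), 'value' => $node->attr('value')];
	});

	$file_form_data = [];

	foreach ($fields as $field)
	{
		// Skip inputs that carry no name; they cannot be posted back
		if ($field['name'] === null || $field['name'] === '')
		{
			continue;
		}

		$file_form_data[$field['name']] = $field['value'];
	}

	return $file_form_data;
}
```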
@@ -228,10 +228,6 @@ class parser implements \phpbb\textformatter\parser_interface { $errors[] = array($msg); } - else if ($msg === 'INVALID_FONT_SIZE') - { - $errors[] = [$msg, $context['invalid_size']]; - } } // Deduplicate error messages. array_unique() only works on strings so we have to serialize @@ -339,13 +335,6 @@ class parser implements \phpbb\textformatter\parser_interface */ static public function filter_font_size($size, $max_size, Logger $logger) { - if (!is_numeric($size)) - { - $logger->err('INVALID_FONT_SIZE', ['invalid_size' => htmlspecialchars($size)]); - - return false; - } - if ($max_size && $size > $max_size) { $logger->err('MAX_FONT_SIZE_EXCEEDED', array('max_size' => $max_size)); @@ -353,7 +342,7 @@ class parser implements \phpbb\textformatter\parser_interface return false; } - if ($size < 1) + if ($size < 1 || !is_numeric($size)) { return false; } -- cgit v1.2.1 From f84cc449b91486de753c9476dbbbfcb1ed312f7c Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 2 Sep 2019 21:18:12 +0200 Subject: [ticket/security/243] Remove invalid markup from bbcode.html SECURITY-243 --- phpBB/styles/prosilver/template/bbcode.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/styles/prosilver/template/bbcode.html b/phpBB/styles/prosilver/template/bbcode.html index f4ec94dbfe..940c0ace29 100644 --- a/phpBB/styles/prosilver/template/bbcode.html +++ b/phpBB/styles/prosilver/template/bbcode.html @@ -64,7 +64,7 @@ {TEXT} -font-size: %; line-height: normal +{TEXT} {L_IMAGE} -- cgit v1.2.1 From 850ea776d9757e6cabc6a176b2071ca7471117a0 Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Thu, 5 Sep 2019 15:43:33 +0200 Subject: [ticket/16123] Show proper banned email message PHPBB3-16123 --- phpBB/includes/functions_user.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 3bf4aa16b7..35fb54d7d3 100644 --- a/phpBB/includes/functions_user.php 
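Review bot: In the rewritten condition `if ($size < 1 || !is_numeric($size))` the numeric test comes second, so a non-numeric `$size` is first pushed through the `<` comparison (and, earlier in this function, through `$size > $max_size`), whose result for non-numeric strings differs between PHP 7 and PHP 8; the outcome is still `false`, but only by virtue of the `||`. Put the numeric guard first and ahead of the `$max_size` comparison: `if (!is_numeric($size) || $size < 1)` at this spot, plus a matching `!is_numeric()` early return at the top of the function. The earlier hunk in this commit removes the dedicated `INVALID_FONT_SIZE` error, so callers now receive a silent `false` for unsupported values, which the docblock of `filter_font_size()` (outside the hunk) should state.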
+++ b/phpBB/includes/functions_user.php @@ -1947,7 +1947,10 @@ function validate_user_email($email, $allowed_email = false) if (($ban = $user->check_ban(false, false, $email, true)) !== false) { - return ($ban === true) ? 'EMAIL_BANNED' : (!empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : $ban); + if ($ban !== false) + { + return !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED'; + } } if (!$config['allow_emailreuse']) -- cgit v1.2.1 From 56e2f1a3f66602efa2977e5c2abe31e884e56bf6 Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Thu, 5 Sep 2019 16:36:29 +0200 Subject: [ticket/16123] Check with empty() PHPBB3-16123 --- phpBB/includes/functions_user.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 35fb54d7d3..6e12c847c8 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1947,7 +1947,7 @@ function validate_user_email($email, $allowed_email = false) if (($ban = $user->check_ban(false, false, $email, true)) !== false) { - if ($ban !== false) + if (!empty($ban)) { return !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED'; } -- cgit v1.2.1 From cf898133a4fa0c412911a9b65a533c84524edc34 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 7 Sep 2019 13:24:20 +0200 Subject: [ticket/16123] Add tests to cover different ban reasons PHPBB3-16123 --- tests/functions/fixtures/validate_email.xml | 21 +++++++++++++++++++++ tests/functions/validate_user_email_test.php | 10 +++++++--- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/tests/functions/fixtures/validate_email.xml b/tests/functions/fixtures/validate_email.xml index eb4fd90217..5a21e51d13 100644 --- a/tests/functions/fixtures/validate_email.xml +++ b/tests/functions/fixtures/validate_email.xml 
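Review bot: The removed line handled `$ban === true`, but the new branch reads `$ban['ban_give_reason']` unconditionally; if `check_ban()` can still return `true` (its contract is not on this page), that is an array offset on a bool, which PHP 7.4+ reports with a notice even though `!empty()` then falls back to `'EMAIL_BANNED'`. Guarding with `return is_array($ban) && !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED';` keeps the fallback without the notice; the same applies to the `!empty($ban)` form in the next commit's hunk. `validate_user_email()` continues outside the hunk.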
@@ -1,5 +1,26 @@ + + ban_userid + ban_exclude + ban_end + ban_email + ban_give_reason + + 0 + 0 + 0 + banned@example.com + + + + 0 + 0 + 0 + banned2@example.com + just because + +
user_idusername diff --git a/tests/functions/validate_user_email_test.php b/tests/functions/validate_user_email_test.php index 8dcec88103..f64d01517c 100644 --- a/tests/functions/validate_user_email_test.php +++ b/tests/functions/validate_user_email_test.php @@ -28,10 +28,14 @@ class phpbb_functions_validate_user_email_test extends phpbb_database_test_case protected function setUp() { + global $phpbb_dispatcher, $phpbb_root_path, $phpEx; + parent::setUp(); $this->db = $this->new_dbal(); - $this->user = new phpbb_mock_user; + $phpbb_dispatcher = new phpbb_mock_event_dispatcher(); + $language = new phpbb\language\language(new phpbb\language\language_file_loader($phpbb_root_path, $phpEx)); + $this->user = new phpbb\user($language, '\phpbb\datetime'); $this->helper = new phpbb_functions_validate_data_helper($this); } @@ -47,7 +51,6 @@ class phpbb_functions_validate_user_email_test extends phpbb_database_test_case $config['email_check_mx'] = $check_mx; $db = $this->db; $user = $this->user; - $user->optionset('banned_users', array('banned@example.com')); } public static function validate_user_email_data() @@ -58,7 +61,8 @@ class phpbb_functions_validate_user_email_test extends phpbb_database_test_case array('valid_complex', array(), "'%$~test@example.com"), array('invalid', array('EMAIL_INVALID'), 'fööbar@example.com'), array('taken', array('EMAIL_TAKEN'), 'admin@example.com'), - array('banned', array('EMAIL_BANNED'), 'banned@example.com'), + array('banned', ['just because'], 'banned2@example.com'), + array('banned', ['EMAIL_BANNED'], 'banned@example.com') ); } -- cgit v1.2.1 From 6e20cd5d2286e716dc6b9a9b3e7f9e75dcde4f8b Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Sat, 7 Sep 2019 16:47:47 +0200 Subject: [ticket/16123] Remove redundant if check PHPBB3-16123 --- phpBB/includes/functions_user.php | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 6e12c847c8..e0b6a9d0c6 100644 
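Review bot: In the `@@ -58,7 +61,8 @@` hunk the two replacement entries in validate_user_email_data() switch to short `[]` syntax for the expected-error array while every surrounding entry uses `array()`, and the new last entry drops the trailing comma the removed line carried, so the next addition will touch this line again. Keep the provider uniform, e.g. `array('banned', array('just because'), 'banned2@example.com'),` and `array('banned', array('EMAIL_BANNED'), 'banned@example.com'),`. The provider method itself starts outside this hunk.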
--- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1945,12 +1945,10 @@ function validate_user_email($email, $allowed_email = false) return $validate_email; } - if (($ban = $user->check_ban(false, false, $email, true)) !== false) + $ban = $user->check_ban(false, false, $email, true); + if (!empty($ban)) { - if (!empty($ban)) - { - return !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED'; - } + return !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED'; } if (!$config['allow_emailreuse']) -- cgit v1.2.1 From d186df8cb40f5375ae7143fb432cb36cafe7d0a1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 7 Sep 2019 21:57:38 +0200 Subject: [ticket/16123] Purge cache to ensure up to date ban list in tests PHPBB3-16123 --- tests/functions/validate_user_email_test.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/functions/validate_user_email_test.php b/tests/functions/validate_user_email_test.php index f64d01517c..d23ffc0503 100644 --- a/tests/functions/validate_user_email_test.php +++ b/tests/functions/validate_user_email_test.php @@ -28,10 +28,12 @@ class phpbb_functions_validate_user_email_test extends phpbb_database_test_case protected function setUp() { - global $phpbb_dispatcher, $phpbb_root_path, $phpEx; + global $cache, $phpbb_dispatcher, $phpbb_root_path, $phpEx; parent::setUp(); + $cache = new \phpbb\cache\driver\file(); + $cache->purge(); $this->db = $this->new_dbal(); $phpbb_dispatcher = new phpbb_mock_event_dispatcher(); $language = new phpbb\language\language(new phpbb\language\language_file_loader($phpbb_root_path, $phpEx)); -- cgit v1.2.1 From 4abdfd1709d1c39362656de70f95d762e3f031f8 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 8 Sep 2019 09:40:56 +0200 Subject: [ticket/16123] Specify ban_id in validate email fixture PHPBB3-16123 --- tests/functions/fixtures/validate_email.xml | 3 +++ 1 file changed, 3 insertions(+) 
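Review bot: `!empty($ban)` also accepts a boolean `true`, which the pre-patch line handled explicitly with `$ban === true`; if check_ban() can still return `true` for this call, `$ban['ban_give_reason']` then indexes a bool and only falls through to `'EMAIL_BANNED'` because empty() suppresses the offset error. Make the array case explicit so the intent does not rest on that suppression: `return is_array($ban) && !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED';`. check_ban()'s return contract is not visible on this page, so this is moot if it now only returns false or an array. validate_user_email() starts and continues outside this hunk.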
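Review bot: In the `@@ -28,10 +28,12 @@` hunk of validate_user_email_test.php the new `$cache->purge()` wipes the file cache before each test, but nothing purges or releases it afterwards, so the global `$cache` assigned here outlives the test and any entries written during it (presumably the ban list this commit is about) are left for whatever test runs next. Add a matching `tearDown()`, e.g. `global $cache; $cache->purge(); $cache = null; parent::tearDown();`. Whether the base test case already resets this global is not visible here.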
diff --git a/tests/functions/fixtures/validate_email.xml b/tests/functions/fixtures/validate_email.xml index 5a21e51d13..fa139f6f18 100644 --- a/tests/functions/fixtures/validate_email.xml +++ b/tests/functions/fixtures/validate_email.xml @@ -1,12 +1,14 @@
+ ban_idban_useridban_excludeban_endban_emailban_give_reason + 1 0 0 0 @@ -14,6 +16,7 @@ + 2 0 0 0 -- cgit v1.2.1 From 6757450a0ffa5d59632c1294ed2b2cabe3f7a29b Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 8 Sep 2019 21:42:02 +0200 Subject: [prep-release-3.2.8] Update CREDITS.txt --- phpBB/docs/CREDITS.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/docs/CREDITS.txt b/phpBB/docs/CREDITS.txt index 90e9a31127..596f4545fa 100644 --- a/phpBB/docs/CREDITS.txt +++ b/phpBB/docs/CREDITS.txt @@ -1,7 +1,7 @@ /** * -* phpBB © Copyright phpBB Limited 2003-2016 -* http://www.phpbb.com +* phpBB © Copyright phpBB Limited 2003-2019 +* https://www.phpbb.com * * phpBB is free software. You can redistribute it and/or modify it * under the terms of the GNU General Public License, version 2 (GPL-2.0) @@ -27,7 +27,6 @@ phpBB Developers: bantu (Andreas Fischer) Derky (Derk Ruitenbeek) Elsensee (Oliver Schramm) Hanakin (Michael Miday) - MichaelC (Michael Cullum) Nicofuma (Tristan Darricau) rubencm (Rubén Calvo) @@ -63,6 +62,7 @@ phpBB Developers: A_Jelly_Doughnut (Josh Woody) [01/2010 - 11/2010] igorw (Igor Wiedler) [08/2010 - 02/2013] imkingdavid (David King) [11/2012 - 06/2014] kellanved (Henry Sudhof) [04/2007 - 03/2011] + MichaelC (Michael Cullum) [11/2017 - 09/2019] nickvergessen (Joas Schilling)[04/2010 - 12/2015] Oleg (Oleg Pudeyev) [01/2011 - 05/2013] prototech (Cesar Gallegos) [01/2014 - 12/2016] -- cgit v1.2.1 From ae00da85ec4cbea187957d282932cd9135ca722e Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 8 Sep 2019 21:50:46 +0200 Subject: [prep-release-3.2.8] Update changelog for 3.2.8 --- phpBB/docs/CHANGELOG.html | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index dc68e62f49..06cdb37b56 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -50,6 +50,7 @@
  1. Changelog
      +
    • Changes since 3.2.8-RC1
    • Changes since 3.2.7
    • Changes since 3.2.6
    • Changes since 3.2.6-RC1
    • @@ -139,6 +140,28 @@
      +

      Changes since 3.2.8-RC1

      +

      Bug

      +
        +
      • [PHPBB3-15467] - Permission settings do not take affect when set using All YES/NO/NEVER
      • +
      • [PHPBB3-16123] - PHP error (Array to string conversion) on new user registration if email address is banned and " Reason shown to the banned" is empty
      • +
      • [PHPBB3-16136] - Missing word in 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED'
      • +
      +

      Improvement

      +
        +
      • [PHPBB3-16134] - Exclude group leaders on group member purge
      • +
      +

      Security Issue

      +
        +
      • [SECURITY-243] - CSS injection via BBCode tag
      • +
      • [SECURITY-244] - Missing form token check when handling attachments
      • +
      • [SECURITY-246] - Missing form token check when managing BBCodes
      • +
      +

      Hardening

      +
        +
      • [SECURITY-247] - Disable MySQLi local infile to prevent local file inclusion
      • +
      +

      Changes since 3.2.7

      Bug

      +

      Hardening

      +

      Changes since 3.2.6

      Bug

      -- cgit v1.2.1 From 08842e6ba505b162573dff8b942bd7bd832e938a Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 8 Sep 2019 21:52:42 +0200 Subject: [prep-release-3.2.8] Update version numbers for 3.2.8 release --- build/build.xml | 4 ++-- phpBB/includes/constants.php | 2 +- phpBB/install/phpbbcli.php | 2 +- phpBB/install/schemas/schema_data.sql | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build/build.xml b/build/build.xml index 264ebb7b03..a5a859b1ae 100644 --- a/build/build.xml +++ b/build/build.xml @@ -2,9 +2,9 @@ - + - + diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index fedd297895..99576b8ce6 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -28,7 +28,7 @@ if (!defined('IN_PHPBB')) */ // phpBB Version -@define('PHPBB_VERSION', '3.2.8-RC1'); +@define('PHPBB_VERSION', '3.2.8'); // QA-related // define('PHPBB_QA', 1); diff --git a/phpBB/install/phpbbcli.php b/phpBB/install/phpbbcli.php index 7659b13f56..ddf17fa5f6 100755 --- a/phpBB/install/phpbbcli.php +++ b/phpBB/install/phpbbcli.php @@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli') define('IN_PHPBB', true); define('IN_INSTALL', true); define('PHPBB_ENVIRONMENT', 'production'); -define('PHPBB_VERSION', '3.2.8-RC1'); +define('PHPBB_VERSION', '3.2.8'); $phpbb_root_path = __DIR__ . '/../'; $phpEx = substr(strrchr(__FILE__, '.'), 1); diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql index f1783f4a0f..4ed328f4e3 100644 --- a/phpBB/install/schemas/schema_data.sql +++ b/phpBB/install/schemas/schema_data.sql 
@@ -279,7 +279,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.8-RC1'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.8'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400'); -- cgit v1.2.1 From b94464d06382a4b379d9dcd52f1bee757a4a0500 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 8 Sep 2019 21:53:52 +0200 Subject: [prep-release-3.2.8] Add migration for 3.2.8 --- phpBB/phpbb/db/migration/data/v32x/v328.php | 36 +++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v32x/v328.php diff --git a/phpBB/phpbb/db/migration/data/v32x/v328.php b/phpBB/phpbb/db/migration/data/v32x/v328.php new file mode 100644 index 0000000000..28ff2c7033 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/v328.php @@ -0,0 +1,36 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v32x; + +class v328 extends \phpbb\db\migration\migration +{ + public function effectively_installed() + { + return phpbb_version_compare($this->config['version'], '3.2.8', '>='); + } + + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v328rc1', + ); + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.2.8')), + ); + } +} -- cgit v1.2.1