diff options
| -rw-r--r-- | build/build.xml | 6 | ||||
| -rw-r--r-- | phpBB/docs/CHANGELOG.html | 19 | ||||
| -rw-r--r-- | phpBB/docs/INSTALL.html | 6 | ||||
| -rw-r--r-- | phpBB/includes/constants.php | 2 | ||||
| -rw-r--r-- | phpBB/includes/ucp/ucp_auth_link.php | 5 | ||||
| -rw-r--r-- | phpBB/includes/ucp/ucp_login_link.php | 6 | ||||
| -rw-r--r-- | phpBB/includes/ucp/ucp_register.php | 4 | ||||
| -rw-r--r-- | phpBB/install/convertors/convert_phpbb20.php | 2 | ||||
| -rw-r--r-- | phpBB/install/schemas/schema_data.sql | 2 | ||||
| -rw-r--r-- | phpBB/language/en/install.php | 2 | ||||
| -rw-r--r-- | phpBB/phpbb/auth/auth.php | 6 | ||||
| -rw-r--r-- | phpBB/phpbb/auth/provider_collection.php | 8 | ||||
| -rw-r--r-- | phpBB/phpbb/db/migration/data/v31x/style_update.php | 136 | ||||
| -rw-r--r-- | phpBB/phpbb/db/migration/data/v31x/v311.php | 32 | ||||
| -rw-r--r-- | phpBB/phpbb/db/tools.php | 4 | ||||
| -rw-r--r-- | phpBB/styles/prosilver/style.cfg | 4 | ||||
| -rw-r--r-- | phpBB/styles/subsilver2/style.cfg | 4 | ||||
| -rw-r--r-- | tests/functional/auth_test.php | 19 |
18 files changed, 238 insertions, 29 deletions
diff --git a/build/build.xml b/build/build.xml index 69ea508a14..e153d4ff21 100644 --- a/build/build.xml +++ b/build/build.xml @@ -2,9 +2,9 @@ <project name="phpBB" description="The phpBB forum software" default="all" basedir="../"> <!-- a few settings for the build --> - <property name="newversion" value="3.1.0" /> - <property name="prevversion" value="3.1.0-RC6" /> - <property name="olderversions" value="3.0.12, 3.1.0-a1, 3.1.0-a2, 3.1.0-a3, 3.1.0-b1, 3.1.0-b2, 3.1.0-b3, 3.1.0-b4, 3.1.0-RC1, 3.1.0-RC2, 3.1.0-RC3, 3.1.0-RC4, 3.1.0-RC5" /> + <property name="newversion" value="3.1.1" /> + <property name="prevversion" value="3.1.0" /> + <property name="olderversions" value="3.0.12, 3.1.0-a1, 3.1.0-a2, 3.1.0-a3, 3.1.0-b1, 3.1.0-b2, 3.1.0-b3, 3.1.0-b4, 3.1.0-RC1, 3.1.0-RC2, 3.1.0-RC3, 3.1.0-RC4, 3.1.0-RC5, 3.1.0-RC6" /> <!-- no configuration should be needed beyond this point --> <property name="oldversions" value="${olderversions}, ${prevversion}" /> diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 212da25ade..4d96aa4981 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -46,6 +46,7 @@ <ol> <li><a href="#changelog">Changelog</a> <ol style="list-style-type: lower-roman;"> + <li><a href="#v310">Changes since 3.1.0</a></li> <li><a href="#v310RC6">Changes since 3.1.0-RC6</a></li> <li><a href="#v310RC5">Changes since 3.1.0-RC5</a></li> <li><a href="#v310RC4">Changes since 3.1.0-RC4</a></li> @@ -100,6 +101,24 @@ <div class="content"> + <a name="v310"></a><h3>1.i. Changes since 3.1.0</h3> + + <h4>Security</h4> + <ul> + <li>[SECURITY-164] - Cross Site Scripting via PATH_INFO in page_name variable</li> + </ul> + <h4>Bug</h4> + <ul> + <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13248">PHPBB3-13248</a>] - Login functions need to use provider collection for retrieving provider</li> + <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13267">PHPBB3-13267</a>] - Automatic Update instructions indicate that only the install folder is necessary</li> + <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13268">PHPBB3-13268</a>] - MSSQL's get_existing_indexes() function improperly appends ternary result</li> + <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13271">PHPBB3-13271</a>] - Anonymous users can CC themselves on emails sent to admin via contact form</li> + </ul> + <h4>Task</h4> + <ul> + <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13262">PHPBB3-13262</a>] - Add note to docs about htaccess file when upgrading 3.0 to 3.1</li> + </ul> + <a name="v310RC6"></a><h3>1.i. Changes since 3.1.0-RC6</h3> <h4>Bug</h4> diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html index 4bde6c01ea..80e09f1bf9 100644 --- a/phpBB/docs/INSTALL.html +++ b/phpBB/docs/INSTALL.html @@ -303,7 +303,7 @@ <ul> <li>Go to the <a href="https://www.phpbb.com/downloads/">downloads page</a> and download the latest update package listed there, matching your current version.</li> - <li>Upload the uncompressed archive contents to your phpBB installation - only the install folder is required. Upload the whole install folder, retaining the file structure.</li> + <li>Upload the uncompressed archive contents to your phpBB installation - only the <code>install/</code> and <code>vendor/</code> folders are required. Upload these folders in their entirety, retaining the file structure.</li> <li>After the install folder is present, phpBB will go offline automatically.</li> <li>Point your browser to the install directory, for example <code>http://www.example.com/phpBB3/install/</code></li> <li>Choose the "Update" Tab and follow the instructions</li> @@ -347,7 +347,7 @@ <li>The <code>store/</code> directory</li> </ul></li> - <li>Upload the contents of the 3.1.x Full Package into your forum's directory.</li> + <li>Upload the contents of the 3.1.x Full Package into your forum's directory. Make sure the root level .htaccess file is included in the upload.</li> <li>Browse to install/database_update.php</li> <li>Delete the <code>install/</code> directory</li> </ol> @@ -462,7 +462,7 @@ <hr /> <a name="anti_spam"></a><h2>8. Anti-Spam Measures</h2> - + <div class="paragraph"> <div class="inner"><span class="corners-top"><span></span></span> diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index 76c3834c91..3b7ab13d2d 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -28,7 +28,7 @@ if (!defined('IN_PHPBB')) */ // phpBB Version -define('PHPBB_VERSION', '3.1.0'); +define('PHPBB_VERSION', '3.1.1'); // QA-related // define('PHPBB_QA', 1); diff --git a/phpBB/includes/ucp/ucp_auth_link.php b/phpBB/includes/ucp/ucp_auth_link.php index a595ce46c3..748f0fdec2 100644 --- a/phpBB/includes/ucp/ucp_auth_link.php +++ b/phpBB/includes/ucp/ucp_auth_link.php @@ -34,11 +34,12 @@ class ucp_auth_link */ public function main($id, $mode) { - global $config, $request, $template, $phpbb_container, $user; + global $request, $template, $phpbb_container, $user; $error = array(); - $auth_provider = $phpbb_container->get('auth.provider.' . $config['auth_method']); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + $auth_provider = $provider_collection->get_provider(); // confirm that the auth provider supports this page $provider_data = $auth_provider->get_auth_link_data(); diff --git a/phpBB/includes/ucp/ucp_login_link.php b/phpBB/includes/ucp/ucp_login_link.php index 5ca5df00f7..27d59c56b7 100644 --- a/phpBB/includes/ucp/ucp_login_link.php +++ b/phpBB/includes/ucp/ucp_login_link.php @@ -39,7 +39,7 @@ class ucp_login_link */ function main($id, $mode) { - global $config, $phpbb_container, $request, $template, $user; + global $phpbb_container, $request, $template, $user; global $phpbb_root_path, $phpEx; // Initialize necessary variables @@ -57,8 +57,8 @@ class ucp_login_link } // Use the auth_provider requested even if different from configured - $auth_provider = 'auth.provider.' . $request->variable('auth_provider', $config['auth_method']); - $auth_provider = $phpbb_container->get($auth_provider); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + $auth_provider = $provider_collection->get_provider($request->variable('auth_provider', '')); // Set the link_method to login_link $data['link_method'] = 'login_link'; diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php index 9a15967bae..88078c10af 100644 --- a/phpBB/includes/ucp/ucp_register.php +++ b/phpBB/includes/ucp/ucp_register.php @@ -87,8 +87,8 @@ class ucp_register if (!empty($login_link_data)) { // Confirm that we have all necessary data - $auth_provider = 'auth.provider.' . $request->variable('auth_provider', $config['auth_method']); - $auth_provider = $phpbb_container->get($auth_provider); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + $auth_provider = $provider_collection->get_provider($request->variable('auth_provider', '')); $result = $auth_provider->login_link_has_necessary_data($login_link_data); if ($result !== null) diff --git a/phpBB/install/convertors/convert_phpbb20.php b/phpBB/install/convertors/convert_phpbb20.php index 8f6af30426..effd72aeff 100644 --- a/phpBB/install/convertors/convert_phpbb20.php +++ b/phpBB/install/convertors/convert_phpbb20.php @@ -38,7 +38,7 @@ $dbms = $phpbb_config_php_file->convert_30_dbms_to_31($dbms); $convertor_data = array( 'forum_name' => 'phpBB 2.0.x', 'version' => '1.0.3', - 'phpbb_version' => '3.1.0', + 'phpbb_version' => '3.1.1', 'author' => '<a href="https://www.phpbb.com/">phpBB Limited</a>', 'dbms' => $dbms, 'dbhost' => $dbhost, diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql index bc4a9f7fe1..48a2f23805 100644 --- a/phpBB/install/schemas/schema_data.sql +++ b/phpBB/install/schemas/schema_data.sql @@ -273,7 +273,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.1.0'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.1.1'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400'); diff --git a/phpBB/language/en/install.php b/phpBB/language/en/install.php index a2b27f0a60..107de9c64f 100644 --- a/phpBB/language/en/install.php +++ b/phpBB/language/en/install.php @@ -547,7 +547,7 @@ $lang = array_merge($lang, array( <ul style="margin-left: 20px; font-size: 1.1em;"> <li>Go to the <a href="https://www.phpbb.com/downloads/" title="https://www.phpbb.com/downloads/">phpBB.com downloads page</a> and download the "Automatic Update Package" archive.<br /><br /></li> <li>Unpack the archive.<br /><br /></li> - <li>Upload the complete uncompressed install folder to your phpBB root directory (where your config.php file is).<br /><br /></li> + <li>Upload the complete uncompressed "install" and "vendor" folders to your phpBB root directory (where your config.php file is).<br /><br /></li> </ul> <p>Once uploaded your board will be offline for normal users due to the install directory you uploaded now present.<br /><br /> diff --git a/phpBB/phpbb/auth/auth.php b/phpBB/phpbb/auth/auth.php index 38755ccf99..b59f0e60ec 100644 --- a/phpBB/phpbb/auth/auth.php +++ b/phpBB/phpbb/auth/auth.php @@ -927,11 +927,11 @@ class auth */ function login($username, $password, $autologin = false, $viewonline = 1, $admin = 0) { - global $config, $db, $user, $phpbb_root_path, $phpEx, $phpbb_container; + global $db, $user, $phpbb_root_path, $phpEx, $phpbb_container; - $method = trim(basename($config['auth_method'])); + $provider_collection = $phpbb_container->get('auth.provider_collection'); - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider = $provider_collection->get_provider(); if ($provider) { $login = $provider->login($username, $password); diff --git a/phpBB/phpbb/auth/provider_collection.php b/phpBB/phpbb/auth/provider_collection.php index a74a2135dc..8e7e9e2cc1 100644 --- a/phpBB/phpbb/auth/provider_collection.php +++ b/phpBB/phpbb/auth/provider_collection.php @@ -38,6 +38,7 @@ class provider_collection extends \phpbb\di\service_collection /** * Get an auth provider. * + * @param string $provider_name The name of the auth provider * @return object Default auth provider selected in config if it * does exist. Otherwise the standard db auth * provider. @@ -46,11 +47,12 @@ class provider_collection extends \phpbb\di\service_collection * auth provider exist. The db auth provider * should always exist in a phpBB installation. */ - public function get_provider() + public function get_provider($provider_name = '') { - if ($this->offsetExists('auth.provider.' . basename(trim($this->config['auth_method'])))) + $provider_name = ($provider_name !== '') ? $provider_name : basename(trim($this->config['auth_method'])); + if ($this->offsetExists('auth.provider.' . $provider_name)) { - return $this->offsetGet('auth.provider.' . basename(trim($this->config['auth_method']))); + return $this->offsetGet('auth.provider.' . $provider_name); } // Revert to db auth provider if selected method does not exist else if ($this->offsetExists('auth.provider.db')) diff --git a/phpBB/phpbb/db/migration/data/v31x/style_update.php b/phpBB/phpbb/db/migration/data/v31x/style_update.php new file mode 100644 index 0000000000..bb030bbe6d --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/style_update.php @@ -0,0 +1,136 @@ +<?php +/** +* +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v31x; + +class style_update extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array('\phpbb\db\migration\data\v310\gold'); + } + + public function update_data() + { + return array( + array('custom', array(array($this, 'update_installed_styles'))), + ); + } + + public function update_installed_styles() + { + // Get all currently available styles + $styles = $this->find_style_dirs(); + $style_paths = $style_ids = array(); + + $sql = 'SELECT style_path, style_id + FROM ' . $this->table_prefix . 'styles'; + $result = $this->db->sql_query($sql); + while ($styles_row = $this->db->sql_fetchrow()) + { + if (in_array($styles_row['style_path'], $styles)) + { + $style_paths[] = $styles_row['style_path']; + $style_ids[] = $styles_row['style_id']; + } + } + $this->db->sql_freeresult($result); + + // Install prosilver if no style is available and prosilver can be installed + if (empty($style_paths) && in_array('prosilver', $styles)) + { + // Try to parse config file + $cfg = parse_cfg_file($this->phpbb_root_path . 'styles/prosilver/style.cfg'); + + // Stop running this if prosilver cfg file can't be read + if (empty($cfg)) + { + throw new \RuntimeException('No styles available and could not fall back to prosilver.'); + } + + $style = array( + 'style_name' => 'prosilver', + 'style_copyright' => '© phpBB Limited', + 'style_active' => 1, + 'style_path' => 'prosilver', + 'bbcode_bitfield' => 'kNg=', + 'style_parent_id' => 0, + 'style_parent_tree' => '', + ); + + // Add to database + $this->db->sql_transaction('begin'); + + $sql = 'INSERT INTO ' . $this->table_prefix . 'styles + ' . $this->db->sql_build_array('INSERT', $style); + $this->db->sql_query($sql); + + $style_id = $this->db->sql_nextid(); + $style_ids[] = $style_id; + + $this->db->sql_transaction('commit'); + + // Set prosilver to default style + $this->config->set('default_style', $style_id); + } + else if (empty($styles) && empty($available_styles)) + { + throw new \RuntimeException('No valid styles available'); + } + + // Make sure default style is available + if (!in_array($this->config['default_style'], $style_ids)) + { + $this->config->set('default_style', array_pop($style_ids)); + } + + // Reset users to default style if their user_style is nonexistent + $sql = 'UPDATE ' . $this->table_prefix . "users + SET user_style = {$this->config['default_style']} + WHERE " . $this->db->sql_in_set('user_style', $style_ids, true, true); + $this->db->sql_query($sql); + } + + /** + * Find all directories that have styles + * Copied from acp_styles + * + * @return array Directory names + */ + protected function find_style_dirs() + { + $styles = array(); + $styles_path = $this->phpbb_root_path . 'styles/'; + + $dp = @opendir($styles_path); + if ($dp) + { + while (($file = readdir($dp)) !== false) + { + $dir = $styles_path . $file; + if ($file[0] == '.' || !is_dir($dir)) + { + continue; + } + + if (file_exists("{$dir}/style.cfg")) + { + $styles[] = $file; + } + } + closedir($dp); + } + + return $styles; + } +} diff --git a/phpBB/phpbb/db/migration/data/v31x/v311.php b/phpBB/phpbb/db/migration/data/v31x/v311.php new file mode 100644 index 0000000000..00844dd4c0 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/v311.php @@ -0,0 +1,32 @@ +<?php +/** +* +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v31x; + +class v311 extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v310\gold', + '\phpbb\db\migration\data\v31x\style_update', + ); + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.1.1')), + ); + } +} diff --git a/phpBB/phpbb/db/tools.php b/phpBB/phpbb/db/tools.php index 0781d7425e..c8d25f23a2 100644 --- a/phpBB/phpbb/db/tools.php +++ b/phpBB/phpbb/db/tools.php @@ -2643,7 +2643,7 @@ class tools AND cols.id = ix.id WHERE ix.id = object_id('{$table_name}') AND cols.name = '{$column_name}' - AND INDEXPROPERTY(ix.id, ix.name, 'IsUnique') = " . ($unique) ? '1' : '0'; + AND INDEXPROPERTY(ix.id, ix.name, 'IsUnique') = " . ($unique ? '1' : '0'); } else { @@ -2657,7 +2657,7 @@ class tools AND cols.object_id = ix.object_id WHERE ix.object_id = object_id('{$table_name}') AND cols.name = '{$column_name}' - AND ix.is_unique = " . ($unique) ? '1' : '0'; + AND ix.is_unique = " . ($unique ? '1' : '0'); } break; diff --git a/phpBB/styles/prosilver/style.cfg b/phpBB/styles/prosilver/style.cfg index de7b38c90b..9684df73ba 100644 --- a/phpBB/styles/prosilver/style.cfg +++ b/phpBB/styles/prosilver/style.cfg @@ -21,8 +21,8 @@ # General Information about this style name = prosilver copyright = © phpBB Limited, 2007 -style_version = 3.1.0 -phpbb_version = 3.1.0 +style_version = 3.1.1 +phpbb_version = 3.1.1 # Defining a different template bitfield # template_bitfield = lNg= diff --git a/phpBB/styles/subsilver2/style.cfg b/phpBB/styles/subsilver2/style.cfg index 685e876cc7..3b33c07002 100644 --- a/phpBB/styles/subsilver2/style.cfg +++ b/phpBB/styles/subsilver2/style.cfg @@ -21,8 +21,8 @@ # General Information about this style name = subsilver2 copyright = © 2005 phpBB Limited -style_version = 3.1.0 -phpbb_version = 3.1.0 +style_version = 3.1.1 +phpbb_version = 3.1.1 # Defining a different template bitfield # template_bitfield = lNg= diff --git a/tests/functional/auth_test.php b/tests/functional/auth_test.php index b4b4279bf1..76e1709afb 100644 --- a/tests/functional/auth_test.php +++ b/tests/functional/auth_test.php @@ -34,6 +34,25 @@ class phpbb_functional_auth_test extends phpbb_functional_test_case } /** + * @dependsOn test_login_other + */ + public function test_login_ucp_other_auth_provider() + { + global $cache, $config; + $cache = new phpbb_mock_null_cache; + $db = $this->get_db(); + $sql = 'UPDATE ' . CONFIG_TABLE . " SET config_value = 'foobar' WHERE config_name = 'auth_method'"; + $db->sql_query($sql); + $config['auth_method'] = 'foobar'; + $this->login('anothertestuser'); + $crawler = self::request('GET', 'index.php'); + $this->assertContains('anothertestuser', $crawler->filter('#username_logged_in')->text()); + $sql = 'UPDATE ' . CONFIG_TABLE . " SET config_value = 'db' WHERE config_name = 'auth_method'"; + $db->sql_query($sql); + $config['auth_method'] = 'db'; + } + + /** * @depends test_login */ public function test_logout() |