-rw-r--r--phpBB/docs/INSTALL.html7
-rw-r--r--phpBB/includes/db/oracle.php3
-rw-r--r--tests/session/continue_test.php14
-rw-r--r--tests/session/fixtures/sessions_full.xml4
4 files changed, 20 insertions, 8 deletions
diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html
index 4af185beb3..9f635fe50b 100644
--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@@ -79,6 +79,7 @@
<li><a href="#postinstall">Important (security related) post-Install tasks for all installation methods</a>
<ol style="list-style-type: lower-roman;">
<li><a href="#avatars">Uploadable avatars</a></li>
+ <li><a href="#webserver_configuration">Webserver configuration</a></li>
</ol>
</li>
<li><a href="#disclaimer">Disclaimer</a></li>
@@ -408,6 +409,12 @@
<p>Please be aware that setting a directories permissions to global write access is a potential security issue. While it is unlikely that anything nasty will occur (such as all the avatars being deleted) there are always people out there to cause trouble. Therefore you should monitor this directory and if possible make regular backups.</p>
+<a name="webserver_configuration"></a><h3>6.ii. Webserver configuration</h3>
+
+ <p>Depending on your web server you may have to configure your server to deny web access to the <code>cache/</code>, <code>files/</code>, <code>store/</code> and other directories. This is to prevent users from accessing sensitive files.</p>
+
+ <p>For <strong>apache</strong> there are <code>.htaccess</code> files already in place to do this for you. For other webservers you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in docs directory.</p>
+
</div>
<div class="back2top"><a href="#wrap" class="top">Back to Top</a></div>
diff --git a/phpBB/includes/db/oracle.php b/phpBB/includes/db/oracle.php
index c8a9a5f604..62b36aa8bf 100644
--- a/phpBB/includes/db/oracle.php
+++ b/phpBB/includes/db/oracle.php
@@ -269,11 +269,12 @@ class dbal_oracle extends dbal
{
$cols = explode(', ', $regs[2]);
+ preg_match_all('/\'(?:[^\']++|\'\')*+\'|[\d-.]+/', $regs[3], $vals, PREG_PATTERN_ORDER);
+
/* The code inside this comment block breaks clob handling, but does allow the
database restore script to work. If you want to allow no posts longer than 4KB
and/or need the db restore script, uncomment this.
- preg_match_all('/\'(?:[^\']++|\'\')*+\'|[\d-.]+/', $regs[3], $vals, PREG_PATTERN_ORDER);
if (sizeof($cols) !== sizeof($vals))
{
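Review bot: The character class `[\d-.]+` in the now-live preg_match_all has an ambiguous hyphen: a `-` directly after the `\d` shorthand inside a class was only tolerated as a literal by PCRE1 and is rejected as an invalid range by PCRE2 (PHP 7.3+), so the uncommented line is fragile across PCRE versions; putting the hyphen last removes the ambiguity, `preg_match_all('/\'(?:[^\']++|\'\')*+\'|[\d.-]+/', $regs[3], $vals, PREG_PATTERN_ORDER);`. Because this tokenises the VALUES part of every INSERT, a regex compile or backtracking failure leaves `$vals` as `false`/unset and the `sizeof($vals)` comparison below would then mis-report a column/value mismatch rather than the real cause, so a check on the return value (or `preg_last_error()`) before the size comparison would make failures diagnosable. The surrounding comment block still says "the code inside this comment block" while one of its lines now executes unconditionally; adjusting the comment to describe only what remains commented out would avoid confusion. The enclosing method starts and ends outside the hunk.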
diff --git a/tests/session/continue_test.php b/tests/session/continue_test.php
index 3080121978..6737562a0a 100644
--- a/tests/session/continue_test.php
+++ b/tests/session/continue_test.php
@@ -19,21 +19,25 @@ class phpbb_session_continue_test extends phpbb_database_test_case
static public function session_begin_attempts()
{
+ // The session_id field is defined as CHAR(32) in the database schema.
+ // Thus the data we put in session_id fields has to have a length of 32 characters on stricter DBMSes.
+ // Thus we fill those strings up with zeroes until they have a string length of 32.
+
return array(
array(
- 'bar_session', '4', 'user agent', '127.0.0.1',
+ 'bar_session000000000000000000000', '4', 'user agent', '127.0.0.1',
array(
- array('session_id' => 'anon_session', 'session_user_id' => 1),
- array('session_id' => 'bar_session', 'session_user_id' => 4),
+ array('session_id' => 'anon_session00000000000000000000', 'session_user_id' => 1),
+ array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4),
),
array(),
'If a request comes with a valid session id with matching user agent and IP, no new session should be created.',
),
array(
- 'anon_session', '4', 'user agent', '127.0.0.1',
+ 'anon_session00000000000000000000', '4', 'user agent', '127.0.0.1',
array(
array('session_id' => '__new_session_id__', 'session_user_id' => 1), // use generated SID
- array('session_id' => 'bar_session', 'session_user_id' => 4),
+ array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4),
),
array(
'u' => array('1', null),
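Review bot: The 32-character padded literals (`'bar_session000000000000000000000'`, `'anon_session00000000000000000000'`) repeat the padding rule the new comment explains, and a miscounted zero in any one of them would silently produce a different session id than the fixture row it is meant to match; deriving them once, e.g. `$bar = str_pad('bar_session', 32, '0');` and `$anon = str_pad('anon_session', 32, '0');` at the top of the method and using those variables in the array, keeps the intent self-documenting and the lengths correct by construction. The same padded values appear in tests/session/fixtures/sessions_full.xml, so a change here must stay in step with that fixture. The method `session_begin_attempts` starts in this hunk but its body continues past the hunk's end.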
diff --git a/tests/session/fixtures/sessions_full.xml b/tests/session/fixtures/sessions_full.xml
index 4559a08c55..bf6fc65997 100644
--- a/tests/session/fixtures/sessions_full.xml
+++ b/tests/session/fixtures/sessions_full.xml
@@ -22,13 +22,13 @@
<column>session_ip</column>
<column>session_browser</column>
<row>
- <value>anon_session</value>
+ <value>anon_session00000000000000000000</value>
<value>1</value>
<value>127.0.0.1</value>
<value>anonymous user agent</value>
</row>
<row>
- <value>bar_session</value>
+ <value>bar_session000000000000000000000</value>
<value>4</value>
<value>127.0.0.1</value>
<value>user agent</value>