1 files changed, 41 insertions, 13 deletions
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 26bb987561..d86470adf9 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -26,8 +26,10 @@ if (!defined('IN_PHPBB'))
 * @param array &$user_id_ary The user ids to check or empty if usernames used
 * @param array &$username_ary The usernames to check or empty if user ids used
 * @param mixed $user_type Array of user types to check, false if not restricting by user type
+* @param boolean $update_references If false, the supplied array is unset and appears unchanged from where it was called
+* @return boolean|string Returns false on success, error string on failure
 */
-function user_get_id_name(&$user_id_ary, &$username_ary, $user_type = false)
+function user_get_id_name(&$user_id_ary, &$username_ary, $user_type = false, $update_references = false)
 {
 	global $db;
 
@@ -50,7 +52,13 @@ function user_get_id_name(&$user_id_ary, &$username_ary, $user_type = false)
 	}
 
 	$sql_in = ($which_ary == 'user_id_ary') ? array_map('intval', ${$which_ary}) : array_map('utf8_clean_string', ${$which_ary});
-	unset(${$which_ary});
+
+	// By unsetting the array here, the values passed in at the point user_get_id_name() was called will be retained.
+	// Otherwise, if we don't unset (as the array was passed by reference) the original array will be updated below.
+	if ($update_references === false)
+	{
+		unset(${$which_ary});
+	}
 
 	$user_id_ary = $username_ary = array();
 
@@ -684,7 +692,8 @@ function user_delete($mode, $user_ids, $retain_username = true)
 		PRIVMSGS_RULES_TABLE,
 		$phpbb_container->getParameter('tables.auth_provider_oauth_token_storage'),
 		$phpbb_container->getParameter('tables.auth_provider_oauth_states'),
-		$phpbb_container->getParameter('tables.auth_provider_oauth_account_assoc')
+		$phpbb_container->getParameter('tables.auth_provider_oauth_account_assoc'),
+		$phpbb_container->getParameter('tables.user_notifications')
 	];
 
 	// Ignore errors on deleting from non-existent tables, e.g. when migrating
@@ -1709,16 +1718,20 @@ function phpbb_validate_timezone($timezone)
 	return (in_array($timezone, phpbb_get_timezone_identifiers($timezone))) ? false : 'TIMEZONE_INVALID';
 }
 
-/**
-* Check to see if the username has been taken, or if it is disallowed.
-* Also checks if it includes the " character, which we don't allow in usernames.
-* Used for registering, changing names, and posting anonymously with a username
-*
-* @param string $username The username to check
-* @param string $allowed_username An allowed username, default being $user->data['username']
-*
-* @return	mixed	Either false if validation succeeded or a string which will be used as the error message (with the variable name appended)
-*/
+/***
+ * Validate Username
+ *
+ * Check to see if the username has been taken, or if it is disallowed.
+ * Also checks if it includes the " character or the 4-bytes Unicode ones
+ * (aka emojis) which we don't allow in usernames.
+ * Used for registering, changing names, and posting anonymously with a username
+ *
+ * @param string	$username				The username to check
+ * @param string	$allowed_username		An allowed username, default being $user->data['username']
+ *
+ * @return mixed							Either false if validation succeeded or a string which will be
+ *											used as the error message (with the variable name appended)
+ */
 function validate_username($username, $allowed_username = false)
 {
 	global $config, $db, $user, $cache;
@@ -1731,6 +1744,14 @@ function validate_username($username, $allowed_username = false)
 		return false;
 	}
 
+	// The very first check is for
+	// out-of-bounds characters that are currently
+	// not supported by utf8_bin in MySQL
+	if (preg_match('/[\x{10000}-\x{10FFFF}]/u', $username))
+	{
+		return 'INVALID_EMOJIS';
+	}
+
 	// ... fast checks first.
 	if (strpos($username, '&quot;') !== false || strpos($username, '"') !== false || empty($clean_username))
 	{
@@ -2698,6 +2719,13 @@ function group_user_add($group_id, $user_id_ary = false, $username_ary = false,
 		return 'NO_USER';
 	}
 
+	// Because the item that gets passed into the previous function is unset, the reference is lost and our original
+	// array is retained - so we know there's a problem if there's a different number of ids to usernames now.
+	if (count($user_id_ary) != count($username_ary))
+	{
+		return 'GROUP_USERS_INVALID';
+	}
+
 	// Remove users who are already members of this group
 	$sql = 'SELECT user_id, group_leader
 		FROM ' . USER_GROUP_TABLE . '