11 files changed, 95 insertions, 27 deletions
diff --git a/phpBB/includes/acp/acp_bbcodes.php b/phpBB/includes/acp/acp_bbcodes.php
index 0644b38eb1..31166a56dc 100644
--- a/phpBB/includes/acp/acp_bbcodes.php
+++ b/phpBB/includes/acp/acp_bbcodes.php
@@ -113,8 +113,8 @@ class acp_bbcodes
 				{
 					$template->assign_block_vars('token', array(
 						'TOKEN'		=> '{' . $token . '}',
-						'EXPLAIN'	=> $token_explain)
-					);
+						'EXPLAIN'	=> ($token === 'LOCAL_URL') ? sprintf($token_explain, generate_board_url() . '/') : $token_explain,
+					));
 				}
 
 				return;
@@ -345,6 +345,9 @@ class acp_bbcodes
 			'LOCAL_URL'	 => array(
 				'!(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')!e'	=>	"\$this->bbcode_specialchars('$1')"
 			),
+			'RELATIVE_URL'	=> array(
+				'!(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')!e'	=>	"\$this->bbcode_specialchars('$1')"
+			),
 			'EMAIL' => array(
 				'!(' . get_preg_expression('email') . ')!ie'	=>	"\$this->bbcode_specialchars('$1')"
 			),
@@ -371,6 +374,7 @@ class acp_bbcodes
 		$sp_tokens = array(
 			'URL'	 => '(?i)((?:' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('url')) . ')|(?:' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('www_url')) . '))(?-i)',
 			'LOCAL_URL'	 => '(?i)(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')(?-i)',
+			'RELATIVE_URL'	 => '(?i)(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')(?-i)',
 			'EMAIL' => '(' . get_preg_expression('email') . ')',
 			'TEXT' => '(.*?)',
 			'SIMPLETEXT' => '([a-zA-Z0-9-+.,_ ]+)',
@@ -427,7 +431,11 @@ class acp_bbcodes
 				$fp_replace = str_replace($token, $replace, $fp_replace);
 
 				$sp_match = str_replace(preg_quote($token, '!'), $sp_tokens[$token_type], $sp_match);
-				$sp_replace = str_replace($token, '${' . ($n + 1) . '}', $sp_replace);
+
+				// Prepend the board url to local relative links
+				$replace_prepend = ($token_type === 'LOCAL_URL') ? generate_board_url() . '/' : '';
+
+				$sp_replace = str_replace($token, $replace_prepend . '${' . ($n + 1) . '}', $sp_replace);
 			}
 
 			$fp_match = '!' . $fp_match . '!' . $modifiers;
diff --git a/phpBB/includes/acp/acp_captcha.php b/phpBB/includes/acp/acp_captcha.php
index 469a367bba..bfec7c27d8 100644
--- a/phpBB/includes/acp/acp_captcha.php
+++ b/phpBB/includes/acp/acp_captcha.php
@@ -124,6 +124,8 @@ class acp_captcha
 					'CAPTCHA_PREVIEW_TPL'	=> $demo_captcha->get_demo_template($id),
 					'S_CAPTCHA_HAS_CONFIG'	=> $demo_captcha->has_config(),
 					'CAPTCHA_SELECT'		=> $captcha_select,
+
+					'U_ACTION'				=> $this->u_action,
 				));
 			}
 		}
diff --git a/phpBB/includes/acp/acp_groups.php b/phpBB/includes/acp/acp_groups.php
index beb7aefee5..9b9ea38e07 100644
--- a/phpBB/includes/acp/acp_groups.php
+++ b/phpBB/includes/acp/acp_groups.php
@@ -80,6 +80,11 @@ class acp_groups
 			case 'approve':
 			case 'demote':
 			case 'promote':
+				if (!check_form_key($form_key))
+				{
+					trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+				}
+
 				if (!$group_id)
 				{
 					trigger_error($user->lang['NO_GROUP'] . adm_back_link($this->u_action), E_USER_WARNING);
@@ -252,6 +257,11 @@ class acp_groups
 			break;
 
 			case 'addusers':
+				if (!check_form_key($form_key))
+				{
+					trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+				}
+
 				if (!$group_id)
 				{
 					trigger_error($user->lang['NO_GROUP'] . adm_back_link($this->u_action), E_USER_WARNING);
@@ -413,13 +423,21 @@ class acp_groups
 						}
 					}
 
-					// Validate the length of "Maximum number of allowed recipients per private message" setting.
-					// We use 16777215 as a maximum because it matches MySQL unsigned mediumint maximum value
-					// which is the lowest amongst DBMSes supported by phpBB3
-					if ($max_recipients_error = validate_data($submit_ary, array('max_recipients' => array('num', false, 0, 16777215))))
+					/*
+					* Validate the length of "Maximum number of allowed recipients per
+					* private message" setting. We use 16777215 as a maximum because it matches
+					* MySQL unsigned mediumint maximum value which is the lowest amongst DBMSes
+					* supported by phpBB3. Also validate the submitted colour value.
+					*/
+					$validation_checks = array(
+						'max_recipients' => array('num', false, 0, 16777215),
+						'colour'	=> array('hex_colour', true),
+					);
+
+					if ($validation_error = validate_data($submit_ary, $validation_checks))
 					{
 						// Replace "error" string with its real, localised form
-						$error = array_merge($error, array_map(array(&$user, 'lang'), $max_recipients_error));
+						$error = array_merge($error, array_map(array(&$user, 'lang'), $validation_error));
 					}
 
 					if (!sizeof($error))
diff --git a/phpBB/includes/acp/acp_update.php b/phpBB/includes/acp/acp_update.php
index 7e3d1a1024..5d3e9abcea 100644
--- a/phpBB/includes/acp/acp_update.php
+++ b/phpBB/includes/acp/acp_update.php
@@ -39,7 +39,7 @@ class acp_update
 
 		$info = obtain_latest_version_info(request_var('versioncheck_force', false));
 
-		if ($info === false)
+		if (empty($info))
 		{
 			trigger_error('VERSIONCHECK_FAIL', E_USER_WARNING);
 		}
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index 17c25ee3c6..ad5b43bc9a 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -157,6 +157,7 @@ define('PHYSICAL_LINK', 2);
 define('CONFIRM_REG', 1);
 define('CONFIRM_LOGIN', 2);
 define('CONFIRM_POST', 3);
+define('CONFIRM_REPORT', 4);
 
 // Categories - Attachments
 define('ATTACHMENT_CATEGORY_NONE', 0);
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 98a1dab722..b2b12c1445 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -1005,7 +1005,7 @@ if (!function_exists('stripos'))
 */
 function is_absolute($path)
 {
-	return ($path[0] == '/' || (DIRECTORY_SEPARATOR == '\\' && preg_match('#^[a-z]:[/\\\]#i', $path))) ? true : false;
+	return (isset($path[0]) && $path[0] == '/' || preg_match('#^[a-z]:[/\\\]#i', $path)) ? true : false;
 }
 
 /**
@@ -2740,7 +2740,7 @@ function meta_refresh($time, $url, $disable_cd_check = false)
 
 	// For XHTML compatibility we change back & to &amp;
 	$template->assign_vars(array(
-		'META' => '<meta http-equiv="refresh" content="' . $time . ';url=' . $url . '" />')
+		'META' => '<meta http-equiv="refresh" content="' . $time . '; url=' . $url . '" />')
 	);
 
 	return $url;
diff --git a/phpBB/includes/functions_admin.php b/phpBB/includes/functions_admin.php
index 190185cfcf..2f73858ea2 100644
--- a/phpBB/includes/functions_admin.php
+++ b/phpBB/includes/functions_admin.php
@@ -3121,7 +3121,7 @@ function get_remote_file($host, $directory, $filename, &$errstr, &$errno, $port
 
 	if ($fsock = @fsockopen($host, $port, $errno, $errstr, $timeout))
 	{
-		@fputs($fsock, "GET $directory/$filename HTTP/1.1\r\n");
+		@fputs($fsock, "GET $directory/$filename HTTP/1.0\r\n");
 		@fputs($fsock, "HOST: $host\r\n");
 		@fputs($fsock, "Connection: close\r\n\r\n");
 
@@ -3319,7 +3319,7 @@ function obtain_latest_version_info($force_update = false, $warn_fail = false, $
 		$info = get_remote_file('version.phpbb.com', '/phpbb',
 				((defined('PHPBB_QA')) ? '30x_qa.txt' : '30x.txt'), $errstr, $errno);
 
-		if ($info === false)
+		if (empty($info))
 		{
 			$cache->destroy('versioncheck');
 			if ($warn_fail)
diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php
index e5cbae0d71..2e5130c5b8 100644
--- a/phpBB/includes/functions_posting.php
+++ b/phpBB/includes/functions_posting.php
@@ -423,16 +423,6 @@ function upload_attachment($form_name, $forum_id, $local = false, $local_storage
 
 	$cat_id = (isset($extensions[$file->get('extension')]['display_cat'])) ? $extensions[$file->get('extension')]['display_cat'] : ATTACHMENT_CATEGORY_NONE;
 
-	// Make sure the image category only holds valid images...
-	if ($cat_id == ATTACHMENT_CATEGORY_IMAGE && !$file->is_image())
-	{
-		$file->remove();
-
-		// If this error occurs a user tried to exploit an IE Bug by renaming extensions
-		// Since the image category is displaying content inline we need to catch this.
-		trigger_error($user->lang['ATTACHED_IMAGE_NOT_IMAGE']);
-	}
-
 	// Do we have to create a thumbnail?
 	$filedata['thumbnail'] = ($cat_id == ATTACHMENT_CATEGORY_IMAGE && $config['img_create_thumbnail']) ? 1 : 0;
 
@@ -473,6 +463,16 @@ function upload_attachment($form_name, $forum_id, $local = false, $local_storage
 		return $filedata;
 	}
 
+	// Make sure the image category only holds valid images...
+	if ($cat_id == ATTACHMENT_CATEGORY_IMAGE && !$file->is_image())
+	{
+		$file->remove();
+
+		// If this error occurs a user tried to exploit an IE Bug by renaming extensions
+		// Since the image category is displaying content inline we need to catch this.
+		trigger_error($user->lang['ATTACHED_IMAGE_NOT_IMAGE']);
+	}
+
 	$filedata['filesize'] = $file->get('filesize');
 	$filedata['mimetype'] = $file->get('mimetype');
 	$filedata['extension'] = $file->get('extension');
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 5a6a0b4a05..ea8b0a4640 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1247,8 +1247,9 @@ function validate_data($data, $val_ary)
 		{
 			$function = array_shift($validate);
 			array_unshift($validate, $data[$var]);
+			$function_prefix = (function_exists('phpbb_validate_' . $function)) ? 'phpbb_validate_' : 'validate_';
 
-			if ($result = call_user_func_array('validate_' . $function, $validate))
+			if ($result = call_user_func_array($function_prefix . $function, $validate))
 			{
 				// Since errors are checked later for their language file existence, we need to make sure custom errors are not adjusted.
 				$error[] = (empty($user->lang[$result . '_' . strtoupper($var)])) ? $result : $result . '_' . strtoupper($var);
@@ -1553,7 +1554,7 @@ function validate_username($username, $allowed_username = false)
 */
 function validate_password($password)
 {
-	global $config, $db, $user;
+	global $config;
 
 	if ($password === '' || $config['pass_complex'] === 'PASS_TYPE_ANY')
 	{
@@ -1899,6 +1900,30 @@ function validate_jabber($jid)
 }
 
 /**
+* Validate hex colour value
+*
+* @param string $colour The hex colour value
+* @param bool $optional Whether the colour value is optional. True if an empty
+*			string will be accepted as correct input, false if not.
+* @return bool|string Error message if colour value is incorrect, false if it
+*			fits the hex colour code
+*/
+function phpbb_validate_hex_colour($colour, $optional = false)
+{
+	if ($colour === '')
+	{
+		return (($optional) ? false : 'WRONG_DATA');
+	}
+
+	if (!preg_match('/^([0-9a-fA-F]{6}|[0-9a-fA-F]{3})$/', $colour))
+	{
+		return 'WRONG_DATA';
+	}
+
+	return false;
+}
+
+/**
 * Verifies whether a style ID corresponds to an active style.
 *
 * @param int $style_id The style_id of a style which should be checked if activated or not.
diff --git a/phpBB/includes/search/fulltext_mysql.php b/phpBB/includes/search/fulltext_mysql.php
index bd4c003397..f28b8885e7 100644
--- a/phpBB/includes/search/fulltext_mysql.php
+++ b/phpBB/includes/search/fulltext_mysql.php
@@ -86,9 +86,16 @@ class fulltext_mysql extends search_backend
 			$engine = $info['Type'];
 		}
 
-		if ($engine != 'MyISAM')
+		$fulltext_supported =
+			$engine === 'MyISAM' ||
+			// FULLTEXT is supported on InnoDB since MySQL 5.6.4 according to
+			// http://dev.mysql.com/doc/refman/5.6/en/innodb-storage-engine.html
+			$engine === 'InnoDB' &&
+			phpbb_version_compare($db->sql_server_info(true), '5.6.4', '>=');
+
+		if (!$fulltext_supported)
 		{
-			return $user->lang['FULLTEXT_MYSQL_NOT_MYISAM'];
+			return $user->lang['FULLTEXT_MYSQL_NOT_SUPPORTED'];
 		}
 
 		$sql = 'SHOW VARIABLES
diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php
index d62dbb1866..9365913541 100644
--- a/phpBB/includes/ucp/ucp_groups.php
+++ b/phpBB/includes/ucp/ucp_groups.php
@@ -595,6 +595,13 @@ class ucp_groups
 								$error[] = $user->lang['FORM_INVALID'];
 							}
 
+							// Validate submitted colour value
+							if ($colour_error = validate_data($submit_ary, array('colour'	=> array('hex_colour', true))))
+							{
+								// Replace "error" string with its real, localised form
+								$error = array_merge($error, array_map(array(&$user, 'lang'), $colour_error));
+							}
+
 							if (!sizeof($error))
 							{
 								// Only set the rank, colour, etc. if it's changed or if we're adding a new