10 files changed, 439 insertions, 21 deletions
diff --git a/phpBB/phpbb/cache/driver/memcache.php b/phpBB/phpbb/cache/driver/memcache.php
index caa82fb0b1..57f138f574 100644
--- a/phpBB/phpbb/cache/driver/memcache.php
+++ b/phpBB/phpbb/cache/driver/memcache.php
@@ -52,8 +52,8 @@ class memcache extends \phpbb\cache\driver\memory
 		$this->memcache = new \Memcache;
 		foreach (explode(',', PHPBB_ACM_MEMCACHE) as $u)
 		{
-			$parts = explode('/', $u);
-			$this->memcache->addServer(trim($parts[0]), trim($parts[1]));
+			preg_match('#(.*)/(\d+)#', $u, $parts);
+			$this->memcache->addServer(trim($parts[1]), (int) trim($parts[2]));
 		}
 		$this->flags = (PHPBB_ACM_MEMCACHE_COMPRESS) ? MEMCACHE_COMPRESSED : 0;
 	}
diff --git a/phpBB/phpbb/cache/driver/memcached.php b/phpBB/phpbb/cache/driver/memcached.php
index 105e763af4..a7da22d7e8 100644
--- a/phpBB/phpbb/cache/driver/memcached.php
+++ b/phpBB/phpbb/cache/driver/memcached.php
@@ -67,8 +67,8 @@ class memcached extends \phpbb\cache\driver\memory
 
 		foreach (explode(',', PHPBB_ACM_MEMCACHE) as $u)
 		{
-			$parts = explode('/', $u);
-			$this->memcached->addServer(trim($parts[0]), trim($parts[1]));
+			preg_match('#(.*)/(\d+)#', $u, $parts);
+			$this->memcache->addServer(trim($parts[1]), (int) trim($parts[2]));
 		}
 	}
 
diff --git a/phpBB/phpbb/console/command/fixup/fix_left_right_ids.php b/phpBB/phpbb/console/command/fixup/fix_left_right_ids.php
new file mode 100644
index 0000000000..f55e1761bc
--- /dev/null
+++ b/phpBB/phpbb/console/command/fixup/fix_left_right_ids.php
@@ -0,0 +1,134 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\console\command\fixup;
+
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class fix_left_right_ids extends \phpbb\console\command\command
+{
+	/** @var \phpbb\user */
+	protected $user;
+
+	/** @var \phpbb\db\driver\driver_interface */
+	protected $db;
+
+	/** @var \phpbb\cache\driver\driver_interface */
+	protected $cache;
+
+	/**
+	* Constructor
+	*
+	* @param \phpbb\user							$user	User instance
+	* @param \phpbb\db\driver\driver_interface		$db		Database connection
+	* @param \phpbb\cache\driver\driver_interface	$cache	Cache instance
+	*/
+	public function __construct(\phpbb\user $user, \phpbb\db\driver\driver_interface $db, \phpbb\cache\driver\driver_interface $cache)
+	{
+		$this->user = $user;
+		$this->db = $db;
+		$this->cache = $cache;
+
+		parent::__construct($user);
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	protected function configure()
+	{
+		$this
+			->setName('fixup:fix-left-right-ids')
+			->setDescription($this->user->lang('CLI_DESCRIPTION_FIX_LEFT_RIGHT_IDS'))
+		;
+	}
+
+	/**
+	* Executes the command fixup:fix-left-right-ids.
+	*
+	* Repairs the tree structure of the forums and modules.
+	* The code is mainly borrowed from Support toolkit for phpBB Olympus
+	*
+	* @param InputInterface  $input  An InputInterface instance
+	* @param OutputInterface $output An OutputInterface instance
+	*
+	* @return void
+	*/
+	protected function execute(InputInterface $input, OutputInterface $output)
+	{
+		// Fix Left/Right IDs for the modules table
+		$result = $this->db->sql_query('SELECT DISTINCT(module_class) FROM ' . MODULES_TABLE);
+		while ($row = $this->db->sql_fetchrow($result))
+		{
+			$i = 1;
+			$where = array("module_class = '" . $this->db->sql_escape($row['module_class']) . "'");
+			$this->fix_ids_tree($i, 'module_id', MODULES_TABLE, 0, $where);
+		}
+		$this->db->sql_freeresult($result);
+
+		// Fix the Left/Right IDs for the forums table
+		$i = 1;
+		$this->fix_ids_tree($i, 'forum_id', FORUMS_TABLE);
+
+		$this->cache->purge();
+
+		$output->writeln('<info>' . $this->user->lang('CLI_FIXUP_FIX_LEFT_RIGHT_IDS_SUCCESS') . '</info>');
+	}
+
+	/**
+	 * Item's tree structure rebuild helper
+	 * The item is either forum or ACP/MCP/UCP module
+	 *
+	 * @param int		$i			Item id offset index
+	 * @param string	$field		The key field to fix, forum_id|module_id
+	 * @param string	$table		The table name to perform, FORUMS_TABLE|MODULES_TABLE
+	 * @param int		$parent_id	Parent item id
+	 * @param array		$where		Additional WHERE clause condition
+	 *
+	 * @return bool	True on rebuild success, false otherwise
+	 */
+	protected function fix_ids_tree(&$i, $field, $table, $parent_id = 0, $where = array())
+	{
+		$changes_made = false;
+		$sql = 'SELECT * FROM ' . $table . '
+			WHERE parent_id = ' . (int) $parent_id .
+			((!empty($where)) ? ' AND ' . implode(' AND ', $where) : '') . '
+			ORDER BY left_id ASC';
+		$result = $this->db->sql_query($sql);
+		while ($row = $this->db->sql_fetchrow($result))
+		{
+			// Update the left_id for the item
+			if ($row['left_id'] != $i)
+			{
+				$this->db->sql_query('UPDATE ' . $table . ' SET ' . $this->db->sql_build_array('UPDATE', array('left_id' => $i)) . " WHERE $field = " . (int) $row[$field]);
+				$changes_made = true;
+			}
+			$i++;
+
+			// Go through children and update their left/right IDs
+			$changes_made = (($this->fix_ids_tree($i, $field, $table, $row[$field], $where)) || $changes_made) ? true : false;
+
+			// Update the right_id for the item
+			if ($row['right_id'] != $i)
+			{
+				$this->db->sql_query('UPDATE ' . $table . ' SET ' . $this->db->sql_build_array('UPDATE', array('right_id' => $i)) . " WHERE $field = " . (int) $row[$field]);
+				$changes_made = true;
+			}
+			$i++;
+		}
+		$this->db->sql_freeresult($result);
+
+		return $changes_made;
+	}
+}
diff --git a/phpBB/phpbb/db/migration/data/v30x/.htaccess b/phpBB/phpbb/db/migration/data/v30x/.htaccess
new file mode 100644
index 0000000000..44242b5418
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v30x/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
diff --git a/phpBB/phpbb/db/migration/data/v310/.htaccess b/phpBB/phpbb/db/migration/data/v310/.htaccess
new file mode 100644
index 0000000000..44242b5418
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v310/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
diff --git a/phpBB/phpbb/db/migration/data/v31x/.htaccess b/phpBB/phpbb/db/migration/data/v31x/.htaccess
new file mode 100644
index 0000000000..44242b5418
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
diff --git a/phpBB/phpbb/db/migration/data/v31x/v3111rc1.php b/phpBB/phpbb/db/migration/data/v31x/v3111rc1.php
new file mode 100644
index 0000000000..259656283f
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/v3111rc1.php
@@ -0,0 +1,43 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class v3111rc1 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.1.11-RC1', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v31x\v3110',
+			'\phpbb\db\migration\data\v31x\add_log_time_index',
+			'\phpbb\db\migration\data\v31x\increase_size_of_emotion',
+			'\phpbb\db\migration\data\v31x\add_jabber_ssl_context_config_options',
+			'\phpbb\db\migration\data\v31x\add_smtp_ssl_context_config_options',
+			'\phpbb\db\migration\data\v31x\update_hashes',
+			'\phpbb\db\migration\data\v31x\remove_duplicate_migrations',
+			'\phpbb\db\migration\data\v31x\add_latest_topics_index',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.1.11-RC1')),
+		);
+	}
+}
diff --git a/phpBB/phpbb/search/fulltext_mysql.php b/phpBB/phpbb/search/fulltext_mysql.php
index f8bda9ae81..64a63e83e0 100644
--- a/phpBB/phpbb/search/fulltext_mysql.php
+++ b/phpBB/phpbb/search/fulltext_mysql.php
@@ -272,6 +272,27 @@ class fulltext_mysql extends \phpbb\search\base
 
 		foreach ($this->split_words as $i => $word)
 		{
+			// Check for not allowed search queries for InnoDB.
+			// We assume similar restrictions for MyISAM, which is usually even
+			// slower but not as restrictive as InnoDB.
+			// InnoDB full-text search does not support the use of a leading
+			// plus sign with wildcard ('+*'), a plus and minus sign
+			// combination ('+-'), or leading a plus and minus sign combination.
+			// InnoDB full-text search only supports leading plus or minus signs.
+			// For example, InnoDB supports '+apple' but does not support 'apple+'.
+			// Specifying a trailing plus or minus sign causes InnoDB to report
+			// a syntax error. InnoDB full-text search does not support the use
+			// of multiple operators on a single search word, as in this example:
+			// '++apple'. Use of multiple operators on a single search word
+			// returns a syntax error to standard out.
+			// Also, ensure that the wildcard character is only used at the
+			// end of the line as it's intended by MySQL.
+			if (preg_match('#^(\+[+-]|\+\*|.+[+-]$|.+\*(?!$))#', $word))
+			{
+				unset($this->split_words[$i]);
+				continue;
+			}
+
 			$clean_word = preg_replace('#^[+\-|"]#', '', $word);
 
 			// check word length
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index eb5543b50b..45e82df591 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -460,6 +460,9 @@ class session
 						$this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
 						$this->data['user_lang'] = basename($this->data['user_lang']);
 
+						// Is user banned? Are they excluded? Won't return on ban, exists within method
+						$this->check_ban_for_current_session($config);
+
 						return true;
 					}
 				}
@@ -666,19 +669,7 @@ class session
 		// session exists in which case session_id will also be set
 
 		// Is user banned? Are they excluded? Won't return on ban, exists within method
-		if ($this->data['user_type'] != USER_FOUNDER)
-		{
-			if (!$config['forwarded_for_check'])
-			{
-				$this->check_ban($this->data['user_id'], $this->ip);
-			}
-			else
-			{
-				$ips = explode(' ', $this->forwarded_for);
-				$ips[] = $this->ip;
-				$this->check_ban($this->data['user_id'], $ips);
-			}
-		}
+		$this->check_ban_for_current_session($config);
 
 		$this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
 		$this->data['is_bot'] = ($bot) ? true : false;
@@ -1268,9 +1259,6 @@ class session
 			$message .= ($ban_row['ban_give_reason']) ? '<br /><br />' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : '';
 			$message .= '<br /><br /><em>' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . '</em>';
 
-			// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
-			$this->session_kill(false);
-
 			// A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
 			if (defined('IN_CRON'))
 			{
@@ -1279,6 +1267,9 @@ class session
 				exit;
 			}
 
+			// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
+			$this->session_kill(false);
+
 			trigger_error($message);
 		}
 
@@ -1286,6 +1277,28 @@ class session
 	}
 
 	/**
+	 * Check the current session for bans
+	 *
+	 * @return true if session user is banned.
+	 */
+	protected function check_ban_for_current_session($config)
+	{
+		if (!defined('SKIP_CHECK_BAN') && $this->data['user_type'] != USER_FOUNDER)
+		{
+			if (!$config['forwarded_for_check'])
+			{
+				$this->check_ban($this->data['user_id'], $this->ip);
+			}
+			else
+			{
+				$ips = explode(' ', $this->forwarded_for);
+				$ips[] = $this->ip;
+				$this->check_ban($this->data['user_id'], $ips);
+			}
+		}
+	}
+
+	/**
 	* Check if ip is blacklisted
 	* This should be called only where absolutely necessary
 	*
@@ -1576,7 +1589,7 @@ class session
 		}
 
 		// Only update session DB a minute or so after last update or if page changes
-		if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
+		if ($this->time_now - ((isset($this->data['session_time'])) ? $this->data['session_time'] : 0) > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
 		{
 			$sql_ary = array('session_time' => $this->time_now);
 
diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php
index 9dc5a2e7c9..7e5edbf522 100644
--- a/phpBB/phpbb/version_helper.php
+++ b/phpBB/phpbb/version_helper.php
@@ -61,6 +61,23 @@ class version_helper
 	/** @var \phpbb\user */
 	protected $user;
 
+	protected $version_schema = array(
+		'stable' => array(
+			'current'		=> 'version',
+			'download'		=> 'url',
+			'announcement'	=> 'url',
+			'eol'			=> 'url',
+			'security'		=> 'bool',
+		),
+		'unstable' => array(
+			'current'		=> 'version',
+			'download'		=> 'url',
+			'announcement'	=> 'url',
+			'eol'			=> 'url',
+			'security'		=> 'bool',
+		),
+	);
+
 	/**
 	 * Constructor
 	 *
@@ -404,9 +421,100 @@ class version_helper
 			$info['stable'] = (empty($info['stable'])) ? array() : $info['stable'];
 			$info['unstable'] = (empty($info['unstable'])) ? $info['stable'] : $info['unstable'];
 
+			$info = $this->validate_versions($info);
+
 			$this->cache->put($cache_file, $info, 86400); // 24 hours
 		}
 
 		return $info;
 	}
+
+	/**
+	 * Validate versions info input
+	 *
+	 * @param array $versions_info Decoded json data array. Will be modified
+	 *		and cleaned by this method
+	 *
+	 * @return array Versions info array
+	 */
+	public function validate_versions($versions_info)
+	{
+		$array_diff = array_diff_key($versions_info, array($this->version_schema));
+
+		// Remove excessive data
+		if (count($array_diff) > 0)
+		{
+			$old_versions_info = $versions_info;
+			$versions_info = array(
+				'stable'	=> !empty($old_versions_info['stable']) ? $old_versions_info['stable'] : array(),
+				'unstable'	=> !empty($old_versions_info['unstable']) ? $old_versions_info['unstable'] : array(),
+			);
+			unset($old_versions_info);
+		}
+
+		foreach ($versions_info as $stability_type => &$versions_data)
+		{
+			foreach ($versions_data as $branch => &$version_data)
+			{
+				if (!preg_match('/^[0-9a-z\-\.]+$/i', $branch))
+				{
+					unset($versions_data[$branch]);
+					continue;
+				}
+
+				$stability_diff = array_diff_key($version_data, $this->version_schema[$stability_type]);
+
+				if (count($stability_diff) > 0)
+				{
+					$old_version_data = $version_data;
+					$version_data = array();
+					foreach ($this->version_schema[$stability_type] as $key => $value)
+					{
+						if (isset($old_version_data[$key]))
+						{
+							$version_data[$key] = $old_version_data[$key];
+						}
+					}
+					unset($old_version_data);
+				}
+
+				foreach ($version_data as $key => &$value)
+				{
+					if (!isset($this->version_schema[$stability_type][$key]))
+					{
+						unset($version_data[$key]);
+						throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_ENTRY'));
+					}
+
+					switch ($this->version_schema[$stability_type][$key])
+					{
+						case 'bool':
+							$value = (bool) $value;
+						break;
+
+						case 'url':
+							if (!empty($value) && !preg_match('#^' . get_preg_expression('url') . '$#iu', $value) &&
+								!preg_match('#^' . get_preg_expression('www_url') . '$#iu', $value))
+							{
+								throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_URL'));
+							}
+						break;
+
+						case 'version':
+							if (!empty($value) && !preg_match(get_preg_expression('semantic_version'), $value))
+							{
+								throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_VERSION'));
+							}
+						break;
+
+						default:
+							// Shouldn't be possible to trigger this
+							throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_ENTRY'));
+					}
+				}
+			}
+		}
+
+		return $versions_info;
+	}
 }