8 files changed, 107 insertions, 25 deletions
diff --git a/phpBB/phpbb/db/migration/data/v310/style_update_p1.php b/phpBB/phpbb/db/migration/data/v310/style_update_p1.php
index 5a3a1d5de7..e8d3a3af64 100644
--- a/phpBB/phpbb/db/migration/data/v310/style_update_p1.php
+++ b/phpBB/phpbb/db/migration/data/v310/style_update_p1.php
@@ -92,7 +92,7 @@ class style_update_p1 extends \phpbb\db\migration\migration
 		else
 		{
 			$sql = 'SELECT s.style_id, t.template_path, t.template_id, t.bbcode_bitfield, t.template_inherits_id, t.template_inherit_path, c.theme_path, c.theme_id
-				FROM ' . STYLES_TABLE . ' s, ' . $this->table_prefix . 'styles_template t, ' . $this->table_prefix . "stles_theme c
+				FROM ' . STYLES_TABLE . ' s, ' . $this->table_prefix . 'styles_template t, ' . $this->table_prefix . "styles_theme c
 				WHERE t.template_id = s.template_id
 					AND c.theme_id = s.theme_id";
 		}
diff --git a/phpBB/phpbb/db/migration/data/v31x/v312.php b/phpBB/phpbb/db/migration/data/v31x/v312.php
new file mode 100644
index 0000000000..bf49935f4d
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/v312.php
@@ -0,0 +1,31 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class v312 extends \phpbb\db\migration\migration
+{
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v31x\v312rc1',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.1.2')),
+		);
+	}
+}
diff --git a/phpBB/phpbb/db/migration/data/v31x/v312rc1.php b/phpBB/phpbb/db/migration/data/v31x/v312rc1.php
new file mode 100644
index 0000000000..d4b133fc01
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/v312rc1.php
@@ -0,0 +1,32 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class v312rc1 extends \phpbb\db\migration\migration
+{
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v31x\v311',
+			'\phpbb\db\migration\data\v31x\m_softdelete_global',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.1.2-RC1')),
+		);
+	}
+}
diff --git a/phpBB/phpbb/extension/metadata_manager.php b/phpBB/phpbb/extension/metadata_manager.php
index edca8ee1af..a64d88fe39 100644
--- a/phpBB/phpbb/extension/metadata_manager.php
+++ b/phpBB/phpbb/extension/metadata_manager.php
@@ -177,6 +177,7 @@ class metadata_manager
 				throw new \phpbb\extension\exception($this->user->lang('FILE_JSON_DECODE_ERR', $this->metadata_file));
 			}
 
+			array_walk_recursive($metadata, array($this, 'sanitize_json'));
 			$this->metadata = $metadata;
 
 			return true;
@@ -184,6 +185,17 @@ class metadata_manager
 	}
 
 	/**
+	 * Sanitize input from JSON array using htmlspecialchars()
+	 *
+	 * @param mixed		$value	Value of array row
+	 * @param string	$key	Key of array row
+	 */
+	public function sanitize_json(&$value, $key)
+	{
+		$value = htmlspecialchars($value);
+	}
+
+	/**
 	* This array handles the cleaning of the array
 	*
 	* @return array Contains the cleaned metadata array
@@ -337,30 +349,30 @@ class metadata_manager
 	public function output_template_data()
 	{
 		$this->template->assign_vars(array(
-			'META_NAME'			=> htmlspecialchars($this->metadata['name']),
-			'META_TYPE'			=> htmlspecialchars($this->metadata['type']),
-			'META_DESCRIPTION'	=> (isset($this->metadata['description'])) ? htmlspecialchars($this->metadata['description']) : '',
+			'META_NAME'			=> $this->metadata['name'],
+			'META_TYPE'			=> $this->metadata['type'],
+			'META_DESCRIPTION'	=> (isset($this->metadata['description'])) ? $this->metadata['description'] : '',
 			'META_HOMEPAGE'		=> (isset($this->metadata['homepage'])) ? $this->metadata['homepage'] : '',
-			'META_VERSION'		=> (isset($this->metadata['version'])) ? htmlspecialchars($this->metadata['version']) : '',
-			'META_TIME'			=> (isset($this->metadata['time'])) ? htmlspecialchars($this->metadata['time']) : '',
-			'META_LICENSE'		=> htmlspecialchars($this->metadata['license']),
+			'META_VERSION'		=> (isset($this->metadata['version'])) ? $this->metadata['version'] : '',
+			'META_TIME'			=> (isset($this->metadata['time'])) ? $this->metadata['time'] : '',
+			'META_LICENSE'		=> $this->metadata['license'],
 
-			'META_REQUIRE_PHP'		=> (isset($this->metadata['require']['php'])) ? htmlspecialchars($this->metadata['require']['php']) : '',
+			'META_REQUIRE_PHP'		=> (isset($this->metadata['require']['php'])) ? $this->metadata['require']['php'] : '',
 			'META_REQUIRE_PHP_FAIL'	=> !$this->validate_require_php(),
 
-			'META_REQUIRE_PHPBB'		=> (isset($this->metadata['extra']['soft-require']['phpbb/phpbb'])) ? htmlspecialchars($this->metadata['extra']['soft-require']['phpbb/phpbb']) : '',
+			'META_REQUIRE_PHPBB'		=> (isset($this->metadata['extra']['soft-require']['phpbb/phpbb'])) ? $this->metadata['extra']['soft-require']['phpbb/phpbb'] : '',
 			'META_REQUIRE_PHPBB_FAIL'	=> !$this->validate_require_phpbb(),
 
-			'META_DISPLAY_NAME'	=> (isset($this->metadata['extra']['display-name'])) ? htmlspecialchars($this->metadata['extra']['display-name']) : '',
+			'META_DISPLAY_NAME'	=> (isset($this->metadata['extra']['display-name'])) ? $this->metadata['extra']['display-name'] : '',
 		));
 
 		foreach ($this->metadata['authors'] as $author)
 		{
 			$this->template->assign_block_vars('meta_authors', array(
-				'AUTHOR_NAME'		=> htmlspecialchars($author['name']),
+				'AUTHOR_NAME'		=> $author['name'],
 				'AUTHOR_EMAIL'		=> (isset($author['email'])) ? $author['email'] : '',
 				'AUTHOR_HOMEPAGE'	=> (isset($author['homepage'])) ? $author['homepage'] : '',
-				'AUTHOR_ROLE'		=> (isset($author['role'])) ? htmlspecialchars($author['role']) : '',
+				'AUTHOR_ROLE'		=> (isset($author['role'])) ? $author['role'] : '',
 			));
 		}
 	}
diff --git a/phpBB/phpbb/path_helper.php b/phpBB/phpbb/path_helper.php
index 4a446a5d9d..b49d8d13c2 100644
--- a/phpBB/phpbb/path_helper.php
+++ b/phpBB/phpbb/path_helper.php
@@ -282,10 +282,16 @@ class path_helper
 			$referer_dir = dirname($referer_dir);
 		}
 
-		while (strpos($absolute_board_url, $referer_dir) !== 0)
+		while (($dir_position = strpos($absolute_board_url, $referer_dir)) !== 0)
 		{
 			$fixed_root_path .= '../';
 			$referer_dir = dirname($referer_dir);
+
+			// Just return phpbb_root_path if we reach the top directory
+			if ($referer_dir === '.')
+			{
+				return $this->phpbb_root_path;
+			}
 		}
 
 		$fixed_root_path .= substr($absolute_board_url, strlen($referer_dir) + 1);
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
index f0f2f7e2a2..56ce3999ed 100644
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
@@ -275,7 +275,7 @@ class request implements \phpbb\request\request_interface
 	*/
 	public function file($form_name)
 	{
-		return $this->variable($form_name, array('name' => 'none'), false, \phpbb\request\request_interface::FILES);
+		return $this->variable($form_name, array('name' => 'none'), true, \phpbb\request\request_interface::FILES);
 	}
 
 	/**
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index dc90d942c3..691d0d5bef 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -1063,7 +1063,7 @@ class session
 
 		$name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata);
 		$expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime);
-		$domain = (!$config['cookie_domain'] || $config['cookie_domain'] == 'localhost' || $config['cookie_domain'] == '127.0.0.1') ? '' : '; domain=' . $config['cookie_domain'];
+		$domain = (!$config['cookie_domain'] || $config['cookie_domain'] == '127.0.0.1' || strpos($config['cookie_domain'], '.') === false) ? '' : '; domain=' . $config['cookie_domain'];
 
 		header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . ';' . (($httponly) ? ' HttpOnly' : ''), false);
 	}
diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php
index e34bd0ba60..dc62f06fb2 100644
--- a/phpBB/phpbb/version_helper.php
+++ b/phpBB/phpbb/version_helper.php
@@ -259,7 +259,7 @@ class version_helper
 			}
 			catch (\RuntimeException $exception)
 			{
-				throw new \RuntimeException(call_user_func_array(array($this->user, 'lang'), $exception->getMessage()));
+				throw new \RuntimeException($this->user->lang($exception->getMessage()));
 			}
 			$error_string = $this->file_downloader->get_error_string();
 
@@ -270,6 +270,16 @@ class version_helper
 
 			$info = json_decode($info, true);
 
+			// Sanitize any data we retrieve from a server
+			if (!empty($info))
+			{
+				$json_sanitizer = function (&$value, $key) {
+					$type_cast_helper = new \phpbb\request\type_cast_helper();
+					$type_cast_helper->set_var($value, $value, gettype($value), true);
+				};
+				array_walk_recursive($info, $json_sanitizer);
+			}
+
 			if (empty($info['stable']) && empty($info['unstable']))
 			{
 				$this->user->add_lang('acp/common');
@@ -277,15 +287,6 @@ class version_helper
 				throw new \RuntimeException($this->user->lang('VERSIONCHECK_FAIL'));
 			}
 
-			// Replace & with &amp; on announcement links
-			foreach ($info as $stability => $branches)
-			{
-				foreach ($branches as $branch => $branch_data)
-				{
-					$info[$stability][$branch]['announcement'] = (!empty($branch_data['announcement'])) ? str_replace('&', '&amp;', $branch_data['announcement']) : '';
-				}
-			}
-
 			$info['stable'] = (empty($info['stable'])) ? array() : $info['stable'];
 			$info['unstable'] = (empty($info['unstable'])) ? $info['stable'] : $info['unstable'];