Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/docs/CHANGELOG.html | 1 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_forums.php | 1 | ||||
-rw-r--r-- | phpBB/includes/functions.php | 7 | ||||
-rw-r--r-- | phpBB/includes/functions_user.php | 18 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_login_link.php | 8 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_register.php | 4 |
6 files changed, 24 insertions, 15 deletions
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index c2eb48137a..2be63eb866 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -211,6 +211,7 @@ <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11368">PHPBB3-11368</a>] - Latest pm reports row count</li> <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11583">PHPBB3-11583</a>] - InnoDB supports FULLTEXT index since MySQL 5.6.4.</li> <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11740">PHPBB3-11740</a>] - Update link in FAQ to Ideas Centre</li> +<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11873">PHPBB3-11873</a>] - Prevent expensive hash computation in phpbb_check_hash() by rejecting very long passwords</li> </ul> <h4>Sub-task</h4> <ul> diff --git a/phpBB/includes/acp/acp_forums.php b/phpBB/includes/acp/acp_forums.php index 580c68f3ed..258aabcc0d 100644 --- a/phpBB/includes/acp/acp_forums.php +++ b/phpBB/includes/acp/acp_forums.php @@ -55,7 +55,6 @@ class acp_forums $total = request_var('total', 0); $this->display_progress_bar($start, $total); - exit; break; case 'delete': diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 28c03534ea..e1f96c0b1e 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -442,6 +442,13 @@ function phpbb_hash($password) */ function phpbb_check_hash($password, $hash) { + if (strlen($password) > 4096) + { + // If the password is too huge, we will simply reject it + // and not let the server try to hash it. + return false; + } + $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; if (strlen($hash) == 34) { diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index c248be0864..0a0656377c 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php 
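Review bot: The length guard added at the top of phpbb_check_hash() bounds only verification; phpbb_hash(), named in the hunk header just above, is not touched by this commit. The set-password path may therefore still hash an arbitrarily long input, and could store a hash for a password that this check will then always reject. If no caller-side limit exists (not visible here), the same `if (strlen($password) > 4096)` test belongs in phpbb_hash() too, ideally against one shared named constant rather than a repeated literal. The docblock that closes just above the signature should state the rule, e.g. `* Passwords longer than 4096 bytes are rejected (false is returned) without being hashed.`, since strlen() measures bytes rather than characters. The body of phpbb_check_hash() continues past the end of the hunk.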
@@ -388,12 +388,13 @@ function user_delete($mode, $user_ids, $retain_username = true) * Event before a user is deleted * * @event core.delete_user_before - * @var string mode Mode of deletion (retain/delete posts) - * @var int user_id ID of the deleted user - * @var mixed post_username Guest username that is being used or false + * @var string mode Mode of deletion (retain/delete posts) + * @var array user_ids IDs of the deleted user + * @var mixed retain_username True if username should be retained + * or false if not * @since 3.1-A1 */ - $vars = array('mode', 'user_id', 'post_username'); + $vars = array('mode', 'user_ids', 'retain_username'); extract($phpbb_dispatcher->trigger_event('core.delete_user_before', compact($vars))); // Before we begin, we will remove the reports the user issued. @@ -616,12 +617,13 @@ function user_delete($mode, $user_ids, $retain_username = true) * Event after a user is deleted * * @event core.delete_user_after - * @var string mode Mode of deletion (retain/delete posts) - * @var int user_id ID of the deleted user - * @var mixed post_username Guest username that is being used or false + * @var string mode Mode of deletion (retain/delete posts) + * @var array user_ids IDs of the deleted user + * @var mixed retain_username True if username should be retained + * or false if not * @since 3.1-A1 */ - $vars = array('mode', 'user_id', 'post_username'); + $vars = array('mode', 'user_ids', 'retain_username'); extract($phpbb_dispatcher->trigger_event('core.delete_user_after', compact($vars))); // Reset newest user info if appropriate diff --git a/phpBB/includes/ucp/ucp_login_link.php b/phpBB/includes/ucp/ucp_login_link.php index 4620eb9b9e..80a553953d 100644 --- a/phpBB/includes/ucp/ucp_login_link.php +++ b/phpBB/includes/ucp/ucp_login_link.php 
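Review bot: Nothing after the `extract()` call re-checks `$mode`, `$user_ids` or `$retain_username`, which a core.delete_user_before listener can now overwrite just before the deletion work starts. If user_delete() normalises `$user_ids` earlier in the function (not visible here), a line such as `$user_ids = array_map('intval', (array) $user_ids);` right after the `extract()` would keep that guarantee for the code that follows. The core.delete_user_after hunk at -616 has the same pattern ahead of the newest-user reset. Both docblocks also type `retain_username` as `mixed` while describing it as true/false, so `@var bool retain_username` would be more precise. user_delete() starts and ends outside both hunks.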
@@ -72,8 +72,8 @@ class ucp_login_link { if ($request->is_set_post('login')) { - $login_username = $request->variable('login_username', '', false, phpbb_request_interface::POST); - $login_password = $request->untrimmed_variable('login_password', '', true, phpbb_request_interface::POST); + $login_username = $request->variable('login_username', '', false, \phpbb\request\request_interface::POST); + $login_password = $request->untrimmed_variable('login_password', '', true, \phpbb\request\request_interface::POST); $login_result = $auth_provider->login($login_username, $login_password); @@ -153,7 +153,7 @@ class ucp_login_link { global $request; - $var_names = $request->variable_names(phpbb_request_interface::GET); + $var_names = $request->variable_names(\phpbb\request\request_interface::GET); $login_link_data = array(); $string_start_length = strlen('login_link_'); @@ -162,7 +162,7 @@ class ucp_login_link if (strpos($var_name, 'login_link_') === 0) { $key_name = substr($var_name, $string_start_length); - $login_link_data[$key_name] = $request->variable($var_name, '', false, phpbb_request_interface::GET); + $login_link_data[$key_name] = $request->variable($var_name, '', false, \phpbb\request\request_interface::GET); } } diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php index 44621e6dea..1f9ab23326 100644 --- a/phpBB/includes/ucp/ucp_register.php +++ b/phpBB/includes/ucp/ucp_register.php @@ -516,7 +516,7 @@ class ucp_register { global $request; - $var_names = $request->variable_names(phpbb_request_interface::POST); + $var_names = $request->variable_names(\phpbb\request\request_interface::POST); $login_link_data = array(); $string_start_length = strlen('login_link_'); 
@@ -525,7 +525,7 @@ class ucp_register if (strpos($var_name, 'login_link_') === 0) { $key_name = substr($var_name, $string_start_length); - $login_link_data[$key_name] = $request->variable($var_name, '', false, phpbb_request_interface::POST); + $login_link_data[$key_name] = $request->variable($var_name, '', false, \phpbb\request\request_interface::POST); } } |