Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/docs/CHANGELOG.html | 12 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_bbcodes.php | 6 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_extensions.php | 4 | ||||
-rw-r--r-- | phpBB/phpbb/db/migration/data/v31x/v317pl1.php | 31 | ||||
-rw-r--r-- | phpBB/phpbb/file_downloader.php | 2 | ||||
-rw-r--r-- | phpBB/phpbb/session.php | 2 | ||||
-rw-r--r-- | phpBB/phpbb/version_helper.php | 13 |
7 files changed, 62 insertions, 8 deletions
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index a59ea31509..97998e7d00 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -49,6 +49,7 @@
 <ol>
 <li><a href="#changelog">Changelog</a>
 <ul>
+ <li><a href="#v317">Changes since 3.1.7</a></li>
 <li><a href="#v316">Changes since 3.1.6</a></li>
 <li><a href="#v315">Changes since 3.1.5</a></li>
 <li><a href="#v314">Changes since 3.1.4</a></li>
@@ -114,6 +115,17 @@
 <div class="content">
+ <a name="v317"></a><h3>Changes since 3.1.7</h3>
+
+ <h4>Security Issue</h4>
+ <ul>
+ <li>[SECURITY-188] - Check form key in acp_bbcodes</li>
+ </ul>
+ <h4>Bug</h4>
+ <ul>
+ <li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-14343">PHPBB3-14343</a>] - Undefined variable $phpbb_dispatcher when (un-)locking a topic or post</li>
+ </ul> + + <a name="v316"></a><h3>Changes since 3.1.6</h3> <h4>Bug</h4>
diff --git a/phpBB/includes/acp/acp_bbcodes.php b/phpBB/includes/acp/acp_bbcodes.php
index e245eea069..35ac33882e 100644
--- a/phpBB/includes/acp/acp_bbcodes.php
+++ b/phpBB/includes/acp/acp_bbcodes.php
@@ -33,6 +33,7 @@ class acp_bbcodes
 // Set up general vars
 $action = request_var('action', '');
 $bbcode_id = request_var('bbcode', 0);
+ $submit = $request->is_set_post('submit');
 $this->tpl_name = 'acp_bbcodes';
 $this->page_title = 'ACP_BBCODES';
@@ -40,6 +41,11 @@ class acp_bbcodes
 add_form_key($form_key);
+ if ($submit && !check_form_key($form_key))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 // Set up mode-specific vars
 switch ($action)
 {
diff --git a/phpBB/includes/acp/acp_extensions.php b/phpBB/includes/acp/acp_extensions.php
index a3849d8ba1..f97711d69d 100644
--- a/phpBB/includes/acp/acp_extensions.php
+++ b/phpBB/includes/acp/acp_extensions.php
@@ -121,8 +121,6 @@ class acp_extensions
 'U_ACTION' => $this->u_action,
 ));
- add_form_key('version_check_settings');
-
 $this->tpl_name = 'acp_ext_list';
 break;
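Review bot: The new guard only runs when a `submit` field is present in the POST body, while `$action` and `$bbcode_id` are read through `request_var()`, which accepts GET parameters as well, so a request can still select a branch of the `switch ($action)` below without the form key ever being verified. Whether any of those branches changes state without its own protection cannot be seen here, since the switch body lies outside the hunk; the delete path in particular should be relying on `confirm_box()` rather than on `$submit`. A comment at the guard would make the intended coverage explicit, e.g. `// Only the add/modify form post is key-checked here; other mutating actions must carry their own check`. Note also that `$request` is used on the added line but not declared in either hunk, so it has to be imported into `main()` by a `global` statement outside the view; the method itself starts before the first hunk and ends after the second.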
@@ -537,7 +535,7 @@ class acp_extensions
 $version_helper = new \phpbb\version_helper($this->cache, $this->config, new \phpbb\file_downloader(), $this->user);
 $version_helper->set_current_version($meta['version']);
- $version_helper->set_file_location($version_check['host'], $version_check['directory'], $version_check['filename']);
+ $version_helper->set_file_location($version_check['host'], $version_check['directory'], $version_check['filename'], isset($version_check['ssl']) ? $version_check['ssl'] : false);
 $version_helper->force_stability($this->config['extension_force_unstable'] ? 'unstable' : null);
 return $updates = $version_helper->get_suggested_updates($force_update, $force_cache);
diff --git a/phpBB/phpbb/db/migration/data/v31x/v317pl1.php b/phpBB/phpbb/db/migration/data/v31x/v317pl1.php
new file mode 100644
index 0000000000..2e1b0e9b9d
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/v317pl1.php
@@ -0,0 +1,31 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class v317pl1 extends \phpbb\db\migration\migration
+{
+ static public function depends_on()
+ {
+ return array(
+ '\phpbb\db\migration\data\v31x\v317',
+ );
+ }
+
+ public function update_data()
+ {
+ return array(
+ array('config.update', array('version', '3.1.7-pl1')),
+ );
+ }
+}
diff --git a/phpBB/phpbb/file_downloader.php b/phpBB/phpbb/file_downloader.php
index 462b87ca51..ab9505a14c 100644
--- a/phpBB/phpbb/file_downloader.php
+++ b/phpBB/phpbb/file_downloader.php
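Review bot: `$version_check['ssl']` comes from the extension's own metadata and is handed to `set_file_location()` without a cast, so whatever an extension author writes there (a string such as `"false"`, a number) becomes `$use_ssl` verbatim. Downstream the same value is used both in the truthiness test that selects port 443 and, concatenated, in the cache key, where `true` stringifies to `1` and `false` to an empty string, so a non-bool spelling would produce its own cache entry. Cast at the call site, `isset($version_check['ssl']) ? (bool) $version_check['ssl'] : false`, or better once in `set_file_location()` in version_helper.php (`$this->use_ssl = (bool) $use_ssl;`), whose docblock already declares the parameter as `bool`. The enclosing method of acp_extensions starts and ends outside this hunk.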
@@ -42,7 +42,7 @@ class file_downloader
 $this->error_number = 0;
 $this->error_string = '';
- if ($socket = @fsockopen($host, $port, $this->error_number, $this->error_string, $timeout))
+ if ($socket = @fsockopen(($port == 443 ? 'tls://' : '') . $host, $port, $this->error_number, $this->error_string, $timeout))
 {
 @fputs($socket, "GET $directory/$filename HTTP/1.0\r\n");
 @fputs($socket, "HOST: $host\r\n");
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index 999d9e58ad..6cff75c62c 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -1557,7 +1557,7 @@ class session
 public function update_session_infos()
 {
- global $db, $request;
+ global $config, $db, $request;
 // No need to update if it's a new session. Informations are already inserted by session_create()
 if (isset($this->data['session_created']) && $this->data['session_created'])
diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php
index e4f68f5aab..a1e66ba8fe 100644
--- a/phpBB/phpbb/version_helper.php
+++ b/phpBB/phpbb/version_helper.php
@@ -34,6 +34,11 @@ class version_helper
 protected $file = 'versions.json';
 /**
+ * @var bool Use SSL or not
+ */
+ protected $use_ssl = false;
+
+ /**
 * @var string Current version installed
 */
 protected $current_version;
@@ -85,13 +90,15 @@ class version_helper
 * @param string $host Host (e.g. version.phpbb.com)
 * @param string $path Path to file (e.g. /phpbb)
 * @param string $file File name (Default: versions.json)
+ * @param bool $use_ssl Use SSL or not (Default: false)
 * @return version_helper
 */
- public function set_file_location($host, $path, $file = 'versions.json')
+ public function set_file_location($host, $path, $file = 'versions.json', $use_ssl = false)
 {
 $this->host = $host;
 $this->path = $path;
 $this->file = $file;
+ $this->use_ssl = $use_ssl;
 return $this;
 }
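Review bot: TLS is switched on by inspecting the port number (`$port == 443 ? 'tls://' : ''`) rather than by an explicit argument, so the transport decision is spread over two files: version_helper.php turns `use_ssl` into 443 or 80, and this line turns 443 back into `tls://`. A caller that passes any other port intending TLS silently gets a plaintext connection, and one that passes 443 without that intent gets TLS. Consider a dedicated transport parameter on `get()`, and until then a comment on this line such as `// port 443 implies TLS; the scheme is derived from the port because get() has no transport flag`. As far as I recall, PHP releases before 5.6 did not verify the peer certificate on `tls://` streams unless a context with `verify_peer` was supplied, and `fsockopen()` takes no context, so if phpBB 3.1 still supports those releases the download would need `stream_socket_client()` with an explicit context to be authenticated rather than merely encrypted. The body of `get()` starts and ends outside this hunk.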
@@ -244,7 +251,7 @@ class version_helper
 */
 public function get_versions($force_update = false, $force_cache = false)
 {
- $cache_file = '_versioncheck_' . $this->host . $this->path . $this->file;
+ $cache_file = '_versioncheck_' . $this->host . $this->path . $this->file . $this->use_ssl;
 $info = $this->cache->get($cache_file);
@@ -255,7 +262,7 @@ class version_helper
 else if ($info === false || $force_update)
 {
 try {
- $info = $this->file_downloader->get($this->host, $this->path, $this->file);
+ $info = $this->file_downloader->get($this->host, $this->path, $this->file, $this->use_ssl ? 443 : 80);
 } catch (\phpbb\exception\runtime_exception $exception) { |
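Review bot: Appending the raw boolean to the cache key (`. $this->use_ssl`) works, but the suffix is `1` for true and nothing at all for false, which is hard to read in a cache listing and easy to mistake for part of the file name. A self-describing suffix keeps the existing keys for the non-SSL case and makes the TLS variant visible: `$cache_file = '_versioncheck_' . $this->host . $this->path . $this->file . ($this->use_ssl ? '_ssl' : '');`. The same flag drives the port argument in the following hunk, whose end lies outside the view.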