diff options
Diffstat (limited to 'phpBB')
31 files changed, 236 insertions, 93 deletions
diff --git a/phpBB/assets/javascript/core.js b/phpBB/assets/javascript/core.js index 6ddbba7515..6481a2e113 100644 --- a/phpBB/assets/javascript/core.js +++ b/phpBB/assets/javascript/core.js @@ -386,7 +386,8 @@ phpbb.ajaxify = function(options) { type: method, data: data, success: returnHandler, - error: errorHandler + error: errorHandler, + cache: false }); request.always(function() { $loadingIndicator.fadeOut(phpbb.alertTime); diff --git a/phpBB/assets/javascript/plupload.js b/phpBB/assets/javascript/plupload.js index 5445e83e15..a58c71e64d 100644 --- a/phpBB/assets/javascript/plupload.js +++ b/phpBB/assets/javascript/plupload.js @@ -34,6 +34,14 @@ phpbb.plupload.initialize = function() { if (uploader.features.dragdrop) { $('#drag-n-drop-message').show(); } + + // Ensure "Add files" button position is correctly calculated. + if ($('#attach-panel-multi').is(':visible')) { + uploader.refresh(); + } + $('[data-subpanel="attach-panel"]').one('click', function() { + uploader.refresh(); + }); }); }; diff --git a/phpBB/composer.lock b/phpBB/composer.lock index a7bb0addce..07ae59f863 100644 --- a/phpBB/composer.lock +++ b/phpBB/composer.lock @@ -703,21 +703,21 @@ "packages-dev": [ { "name": "fabpot/goutte", - "version": "v1.0.3", + "version": "v1.0.7", "source": { "type": "git", - "url": "https://github.com/fabpot/Goutte.git", - "reference": "75c9f23c4122caf4ea3e87a42a00b471366e707f" + "url": "https://github.com/FriendsOfPHP/Goutte.git", + "reference": "794b196e76bdd37b5155cdecbad311f0a3b07625" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/fabpot/Goutte/zipball/75c9f23c4122caf4ea3e87a42a00b471366e707f", - "reference": "75c9f23c4122caf4ea3e87a42a00b471366e707f", + "url": "https://api.github.com/repos/FriendsOfPHP/Goutte/zipball/794b196e76bdd37b5155cdecbad311f0a3b07625", + "reference": "794b196e76bdd37b5155cdecbad311f0a3b07625", "shasum": "" }, "require": { "ext-curl": "*", - "guzzle/http": ">=3.0.5,<3.8-dev", + "guzzle/http": "~3.1", "php": ">=5.3.0", "symfony/browser-kit": "~2.1", "symfony/css-selector": "~2.1", @@ -726,8 +726,8 @@ "symfony/process": "~2.1" }, "require-dev": { - "guzzle/plugin-history": ">=3.0.5,<3.8-dev", - "guzzle/plugin-mock": ">=3.0.5,<3.8-dev" + "guzzle/plugin-history": "~3.1", + "guzzle/plugin-mock": "~3.1" }, "type": "application", "extra": { @@ -747,9 +747,7 @@ "authors": [ { "name": "Fabien Potencier", - "email": "fabien@symfony.com", - "homepage": "http://fabien.potencier.org", - "role": "Lead Developer" + "email": "fabien@symfony.com" } ], "description": "A simple PHP Web Scraper", @@ -757,7 +755,7 @@ "keywords": [ "scraper" ], - "time": "2013-08-16 06:03:22" + "time": "2014-10-09 15:52:51" }, { "name": "guzzle/common", @@ -1592,16 +1590,16 @@ }, { "name": "sami/sami", - "version": "v1.3", + "version": "v1.4", "source": { "type": "git", - "url": "https://github.com/fabpot/Sami.git", - "reference": "76f2ed80b3420f7e2f6dcd5b7218b5a5781f4110" + "url": "https://github.com/FriendsOfPHP/Sami.git", + "reference": "70f29c781f7bef30181c814b9471b2ceac694454" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/fabpot/Sami/zipball/76f2ed80b3420f7e2f6dcd5b7218b5a5781f4110", - "reference": "76f2ed80b3420f7e2f6dcd5b7218b5a5781f4110", + "url": "https://api.github.com/repos/FriendsOfPHP/Sami/zipball/70f29c781f7bef30181c814b9471b2ceac694454", + "reference": "70f29c781f7bef30181c814b9471b2ceac694454", "shasum": "" }, "require": { @@ -1622,7 +1620,7 @@ "type": "application", "extra": { "branch-alias": { - "dev-master": "1.3-dev" + "dev-master": "1.4-dev" } }, "autoload": { @@ -1637,9 +1635,7 @@ "authors": [ { "name": "Fabien Potencier", - "email": "fabien@symfony.com", - "homepage": "http://fabien.potencier.org", - "role": "Lead Developer" + "email": "fabien@symfony.com" } ], "description": "Sami, an API documentation generator", @@ -1647,7 +1643,7 @@ "keywords": [ "phpdoc" ], - "time": "2013-11-30 17:16:25" + "time": "2014-06-25 11:24:03" }, { "name": "sebastian/comparator", diff --git a/phpBB/config/services.yml b/phpBB/config/services.yml index 5003697564..975f2f7580 100644 --- a/phpBB/config/services.yml +++ b/phpBB/config/services.yml @@ -75,6 +75,7 @@ services: - @controller.provider - @ext.manager - @symfony_request + - @request - @filesystem - %core.root_path% - %core.php_ext% @@ -155,6 +156,8 @@ services: - null - %core.disable_super_globals% + # WARNING: The Symfony request does not escape the input and should be used very carefully + # prefer the phpbb request (service @request) as possible symfony_request: class: phpbb\symfony_request arguments: diff --git a/phpBB/docs/events.md b/phpBB/docs/events.md index 261af1923d..c47aa64ce7 100644 --- a/phpBB/docs/events.md +++ b/phpBB/docs/events.md @@ -424,6 +424,30 @@ memberlist_body_username_prepend * Purpose: Add information before every username in the memberlist. Works in all display modes (leader, group and normal memberlist). +memberlist_search_fields_after +=== +* Locations: + + styles/prosilver/template/memberlist_search.html + + styles/subsilver2/template/memberlist_search.html +* Since: 3.1.2-RC1 +* Purpose: Add information after the search fields column. + +memberlist_search_fields_before +=== +* Locations: + + styles/prosilver/template/memberlist_search.html + + styles/subsilver2/template/memberlist_search.html +* Since: 3.1.2-RC1 +* Purpose: Add information before the search fields column. + +memberlist_search_sorting_options_before +=== +* Locations: + + styles/prosilver/template/memberlist_search.html + + styles/subsilver2/template/memberlist_search.html +* Since: 3.1.2-RC1 +* Purpose: Add information before the search sorting options field. + memberlist_view_contact_after === * Locations: @@ -762,6 +786,14 @@ posting_editor_buttons_before * Since: 3.1.0-a3 * Purpose: Add content before the BBCode posting buttons +posting_editor_buttons_custom_tags_before +=== +* Locations: + + styles/prosilver/template/posting_buttons.html + + styles/subsilver2/template/posting_buttons.html +* Since: 3.1.2-RC1 +* Purpose: Add content inside the BBCode posting buttons and before the customs BBCode + posting_editor_message_after === * Locations: diff --git a/phpBB/includes/functions_admin.php b/phpBB/includes/functions_admin.php index e3e8657afb..5ddaf31cf5 100644 --- a/phpBB/includes/functions_admin.php +++ b/phpBB/includes/functions_admin.php @@ -2512,6 +2512,7 @@ function phpbb_cache_moderators($db, $cache, $auth) { $usernames_ary[$row['user_id']] = $row['username']; } + $db->sql_freeresult($result); foreach ($hold_ary as $user_id => $forum_id_ary) { @@ -2806,6 +2807,7 @@ function view_inactive_users(&$users, &$user_count, $limit = 0, $offset = 0, $li $users[] = $row; } + $db->sql_freeresult($result); return $offset; } diff --git a/phpBB/includes/functions_display.php b/phpBB/includes/functions_display.php index 48c34ecfe6..31cf43e599 100644 --- a/phpBB/includes/functions_display.php +++ b/phpBB/includes/functions_display.php @@ -1608,8 +1608,8 @@ function phpbb_show_profile($data, $user_notes_enabled = false, $warn_user_enabl 'U_EMAIL' => $email, 'U_JABBER' => ($data['user_jabber'] && $auth->acl_get('u_sendim')) ? append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=contact&action=jabber&u=' . $user_id) : '', - 'USER_JABBER' => $data['user_jabber'], - 'USER_JABBER_IMG' => ($data['user_jabber']) ? $user->img('icon_contact_jabber', $data['user_jabber']) : '', + 'USER_JABBER' => ($config['jab_enable']) ? $data['user_jabber'] : '', + 'USER_JABBER_IMG' => ($config['jab_enable'] && $data['user_jabber']) ? $user->img('icon_contact_jabber', $data['user_jabber']) : '', 'L_SEND_EMAIL_USER' => $user->lang('SEND_EMAIL_USER', $username), 'L_CONTACT_USER' => $user->lang('CONTACT_USER', $username), diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php index 92ace7b585..bc996cf275 100644 --- a/phpBB/includes/message_parser.php +++ b/phpBB/includes/message_parser.php @@ -1103,7 +1103,7 @@ class parse_message extends bbcode_firstpass */ function parse($allow_bbcode, $allow_magic_url, $allow_smilies, $allow_img_bbcode = true, $allow_flash_bbcode = true, $allow_quote_bbcode = true, $allow_url_bbcode = true, $update_this_message = true, $mode = 'post') { - global $config, $db, $user; + global $config, $db, $user, $phpbb_dispatcher; $this->mode = $mode; @@ -1158,6 +1158,49 @@ class parse_message extends bbcode_firstpass } } + /** + * This event can be used for additional message checks/cleanup before parsing + * + * @event core.message_parser_check_message + * @var bool allow_bbcode Do we allow BBCodes + * @var bool allow_magic_url Do we allow magic urls + * @var bool allow_smilies Do we allow smilies + * @var bool allow_img_bbcode Do we allow image BBCode + * @var bool allow_flash_bbcode Do we allow flash BBCode + * @var bool allow_quote_bbcode Do we allow quote BBCode + * @var bool allow_url_bbcode Do we allow url BBCode + * @var bool update_this_message Do we alter the parsed message + * @var string mode Posting mode + * @var string message The message text to parse + * @var bool return Do we return after the event is triggered if $warn_msg is not empty + * @var array warn_msg Array of the warning messages + * @since 3.1.2-RC1 + */ + $message = $this->message; + $warn_msg = $this->warn_msg; + $return = false; + $vars = array( + 'allow_bbcode', + 'allow_magic_url', + 'allow_smilies', + 'allow_img_bbcode', + 'allow_flash_bbcode', + 'allow_quote_bbcode', + 'allow_url_bbcode', + 'update_this_message', + 'mode', + 'message', + 'return', + 'warn_msg', + ); + extract($phpbb_dispatcher->trigger_event('core.message_parser_check_message', compact($vars))); + $this->message = $message; + $this->warn_msg = $warn_msg; + if ($return && !empty($this->warn_msg)) + { + return (!$update_this_message) ? $return_message : $this->warn_msg; + } + // Prepare BBcode (just prepares some tags for better parsing) if ($allow_bbcode && strpos($this->message, '[') !== false) { diff --git a/phpBB/includes/ucp/ucp_login_link.php b/phpBB/includes/ucp/ucp_login_link.php index 27d59c56b7..bfe4804286 100644 --- a/phpBB/includes/ucp/ucp_login_link.php +++ b/phpBB/includes/ucp/ucp_login_link.php @@ -75,7 +75,7 @@ class ucp_login_link { if ($request->is_set_post('login')) { - $login_username = $request->variable('login_username', '', false, \phpbb\request\request_interface::POST); + $login_username = $request->variable('login_username', '', true, \phpbb\request\request_interface::POST); $login_password = $request->untrimmed_variable('login_password', '', true, \phpbb\request\request_interface::POST); $login_result = $auth_provider->login($login_username, $login_password); diff --git a/phpBB/includes/ucp/ucp_pm_viewmessage.php b/phpBB/includes/ucp/ucp_pm_viewmessage.php index b2dc962f57..888c2e6825 100644 --- a/phpBB/includes/ucp/ucp_pm_viewmessage.php +++ b/phpBB/includes/ucp/ucp_pm_viewmessage.php @@ -197,7 +197,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row) $u_pm = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm&mode=compose&u=' . $author_id); } - if ($user_info['user_jabber'] && $auth->acl_get('u_sendim')) + if ($config['jab_enable'] && $user_info['user_jabber'] && $auth->acl_get('u_sendim')) { $u_jabber = append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=contact&action=jabber&u=' . $author_id); } diff --git a/phpBB/language/en/mcp.php b/phpBB/language/en/mcp.php index bc0fd03520..a961068657 100644 --- a/phpBB/language/en/mcp.php +++ b/phpBB/language/en/mcp.php @@ -237,7 +237,7 @@ $lang = array_merge($lang, array( 'NOT_MODERATOR' => 'You are not a moderator of this forum.', 'NO_DESTINATION_FORUM' => 'Please select a forum for destination.', 'NO_DESTINATION_FORUM_FOUND' => 'There is no destination forum available.', - 'NO_ENTRIES' => 'No log entries for this period.', + 'NO_ENTRIES' => 'No log entries.', 'NO_FEEDBACK' => 'No feedback exists for this user.', 'NO_FINAL_TOPIC_SELECTED' => 'You have to select a destination topic for merging posts.', 'NO_MATCHES_FOUND' => 'No matches found.', diff --git a/phpBB/phpbb/auth/provider/apache.php b/phpBB/phpbb/auth/provider/apache.php index 9137a77210..aa5bf64335 100644 --- a/phpBB/phpbb/auth/provider/apache.php +++ b/phpBB/phpbb/auth/provider/apache.php @@ -137,7 +137,7 @@ class apache extends \phpbb\auth\provider\base return array( 'status' => LOGIN_SUCCESS_CREATE_PROFILE, 'error_msg' => false, - 'user_row' => user_row_apache($php_auth_user, $php_auth_pw), + 'user_row' => $this->user_row($php_auth_user, $php_auth_pw), ); } @@ -185,7 +185,7 @@ class apache extends \phpbb\auth\provider\base } // create the user if he does not exist yet - user_add(user_row_apache($php_auth_user, $php_auth_pw)); + user_add($this->user_row($php_auth_user, $php_auth_pw)); $sql = 'SELECT * FROM ' . USERS_TABLE . " diff --git a/phpBB/phpbb/auth/provider/db.php b/phpBB/phpbb/auth/provider/db.php index 722eeffa9a..ba67c11e75 100644 --- a/phpBB/phpbb/auth/provider/db.php +++ b/phpBB/phpbb/auth/provider/db.php @@ -87,7 +87,7 @@ class db extends \phpbb\auth\provider\base $username_clean = utf8_clean_string($username); - $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts + $sql = 'SELECT * FROM ' . USERS_TABLE . " WHERE username_clean = '" . $this->db->sql_escape($username_clean) . "'"; $result = $this->db->sql_query($sql); @@ -123,7 +123,7 @@ class db extends \phpbb\auth\provider\base 'username_clean' => $username_clean, ); $sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $this->db->sql_build_array('INSERT', $attempt_data); - $result = $this->db->sql_query($sql); + $this->db->sql_query($sql); } else { @@ -175,7 +175,7 @@ class db extends \phpbb\auth\provider\base } // Check password ... - if ($this->passwords_manager->check($password, $row['user_password'])) + if ($this->passwords_manager->check($password, $row['user_password'], $row)) { // Check for old password hash... if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32) diff --git a/phpBB/phpbb/controller/helper.php b/phpBB/phpbb/controller/helper.php index 187e455d48..52e6947c2c 100644 --- a/phpBB/phpbb/controller/helper.php +++ b/phpBB/phpbb/controller/helper.php @@ -44,6 +44,9 @@ class helper /* @var \phpbb\symfony_request */ protected $symfony_request; + /* @var \phpbb\request\request_interface */ + protected $request; + /** * @var \phpbb\filesystem The filesystem object */ @@ -70,16 +73,18 @@ class helper * @param \phpbb\controller\provider $provider Path provider * @param \phpbb\extension\manager $manager Extension manager object * @param \phpbb\symfony_request $symfony_request Symfony Request object + * @param \phpbb\request\request_interface $request phpBB request object * @param \phpbb\filesystem $filesystem The filesystem object * @param string $phpbb_root_path phpBB root path * @param string $php_ext PHP file extension */ - public function __construct(\phpbb\template\template $template, \phpbb\user $user, \phpbb\config\config $config, \phpbb\controller\provider $provider, \phpbb\extension\manager $manager, \phpbb\symfony_request $symfony_request, \phpbb\filesystem $filesystem, $phpbb_root_path, $php_ext) + public function __construct(\phpbb\template\template $template, \phpbb\user $user, \phpbb\config\config $config, \phpbb\controller\provider $provider, \phpbb\extension\manager $manager, \phpbb\symfony_request $symfony_request, \phpbb\request\request_interface $request, \phpbb\filesystem $filesystem, $phpbb_root_path, $php_ext) { $this->template = $template; $this->user = $user; $this->config = $config; $this->symfony_request = $symfony_request; + $this->request = $request; $this->filesystem = $filesystem; $this->phpbb_root_path = $phpbb_root_path; $this->php_ext = $php_ext; @@ -153,7 +158,7 @@ class helper } } - $base_url = $this->filesystem->clean_path($base_url); + $base_url = $this->request->escape($this->filesystem->clean_path($base_url), true); $context->setBaseUrl($base_url); @@ -197,6 +202,6 @@ class helper */ public function get_current_url() { - return generate_board_url(true) . $this->symfony_request->getRequestUri(); + return generate_board_url(true) . $this->request->escape($this->symfony_request->getRequestUri(), true); } } diff --git a/phpBB/phpbb/db/migration/data/v310/captcha_plugins.php b/phpBB/phpbb/db/migration/data/v310/captcha_plugins.php index 13071e9891..328c08f1ec 100644 --- a/phpBB/phpbb/db/migration/data/v310/captcha_plugins.php +++ b/phpBB/phpbb/db/migration/data/v310/captcha_plugins.php @@ -25,9 +25,13 @@ class captcha_plugins extends \phpbb\db\migration\migration public function update_data() { $captcha_plugin = $this->config['captcha_plugin']; - if (strpos($this->config['captcha_plugin'], 'phpbb_captcha_') === 0) + if (strpos($captcha_plugin, 'phpbb_captcha_') === 0) { - $captcha_plugin = substr($this->config['captcha_plugin'], strlen('phpbb_captcha_')); + $captcha_plugin = substr($captcha_plugin, strlen('phpbb_captcha_')); + } + else if (strpos($captcha_plugin, 'phpbb_') === 0) + { + $captcha_plugin = substr($captcha_plugin, strlen('phpbb_')); } return array( diff --git a/phpBB/phpbb/db/migration/data/v310/reset_missing_captcha_plugin.php b/phpBB/phpbb/db/migration/data/v310/reset_missing_captcha_plugin.php index d5f9076196..8211457dc6 100644 --- a/phpBB/phpbb/db/migration/data/v310/reset_missing_captcha_plugin.php +++ b/phpBB/phpbb/db/migration/data/v310/reset_missing_captcha_plugin.php @@ -29,7 +29,8 @@ class reset_missing_captcha_plugin extends \phpbb\db\migration\migration { return array( array('if', array( - (!is_file($this->phpbb_root_path . "includes/captcha/plugins/{$this->config['captcha_plugin']}_plugin." . $this->php_ext)), + (is_dir($this->phpbb_root_path . 'includes/captcha/plugins/') && + !is_file($this->phpbb_root_path . "includes/captcha/plugins/{$this->config['captcha_plugin']}_plugin." . $this->php_ext)), array('config.update', array('captcha_plugin', 'phpbb_captcha_nogd')), )), ); diff --git a/phpBB/phpbb/di/extension/config.php b/phpBB/phpbb/di/extension/config.php index 27ebc94bae..7984a783df 100644 --- a/phpBB/phpbb/di/extension/config.php +++ b/phpBB/phpbb/di/extension/config.php @@ -39,16 +39,24 @@ class config extends Extension */ public function load(array $config, ContainerBuilder $container) { - $container->setParameter('core.adm_relative_path', ($this->config_php->get('phpbb_adm_relative_path') ? $this->config_php->get('phpbb_adm_relative_path') : 'adm/')); - $container->setParameter('core.table_prefix', $this->config_php->get('table_prefix')); - $container->setParameter('cache.driver.class', $this->convert_30_acm_type($this->config_php->get('acm_type'))); - $container->setParameter('dbal.driver.class', $this->config_php->convert_30_dbms_to_31($this->config_php->get('dbms'))); - $container->setParameter('dbal.dbhost', $this->config_php->get('dbhost')); - $container->setParameter('dbal.dbuser', $this->config_php->get('dbuser')); - $container->setParameter('dbal.dbpasswd', $this->config_php->get('dbpasswd')); - $container->setParameter('dbal.dbname', $this->config_php->get('dbname')); - $container->setParameter('dbal.dbport', $this->config_php->get('dbport')); - $container->setParameter('dbal.new_link', defined('PHPBB_DB_NEW_LINK') && PHPBB_DB_NEW_LINK); + $parameters = array( + 'core.adm_relative_path' => $this->config_php->get('phpbb_adm_relative_path') ? $this->config_php->get('phpbb_adm_relative_path') : 'adm/', + 'core.table_prefix' => $this->config_php->get('table_prefix'), + 'cache.driver.class' => $this->convert_30_acm_type($this->config_php->get('acm_type')), + 'dbal.driver.class' => $this->config_php->convert_30_dbms_to_31($this->config_php->get('dbms')), + 'dbal.dbhost' => $this->config_php->get('dbhost'), + 'dbal.dbuser' => $this->config_php->get('dbuser'), + 'dbal.dbpasswd' => $this->config_php->get('dbpasswd'), + 'dbal.dbname' => $this->config_php->get('dbname'), + 'dbal.dbport' => $this->config_php->get('dbport'), + 'dbal.new_link' => defined('PHPBB_DB_NEW_LINK') && PHPBB_DB_NEW_LINK, + ); + $parameter_bag = $container->getParameterBag(); + + foreach ($parameters as $parameter => $value) + { + $container->setParameter($parameter, $parameter_bag->escapeValue($value)); + } } /** diff --git a/phpBB/phpbb/path_helper.php b/phpBB/phpbb/path_helper.php index 936564d8b6..4a446a5d9d 100644 --- a/phpBB/phpbb/path_helper.php +++ b/phpBB/phpbb/path_helper.php @@ -154,6 +154,7 @@ class path_helper return $this->web_root_path; } + // We do not need to escape $path_info, $request_uri and $script_name because we can not find their content in the result. // Path info (e.g. /foo/bar) $path_info = $this->filesystem->clean_path($this->symfony_request->getPathInfo()); @@ -203,9 +204,12 @@ class path_helper */ if ($this->request->is_ajax() && $this->symfony_request->get('_referer')) { + // We need to escape $absolute_board_url because it can be partially concatenated to the result. + $absolute_board_url = $this->request->escape($this->symfony_request->getSchemeAndHttpHost() . $this->symfony_request->getBasePath(), true); + $referer_web_root_path = $this->get_web_root_path_from_ajax_referer( $this->symfony_request->get('_referer'), - $this->symfony_request->getSchemeAndHttpHost() . $this->symfony_request->getBasePath() + $absolute_board_url ); return $this->web_root_path = $this->phpbb_root_path . $referer_web_root_path; } diff --git a/phpBB/phpbb/profilefields/type/type_base.php b/phpBB/phpbb/profilefields/type/type_base.php index 52f5d15511..9b4bada26d 100644 --- a/phpBB/phpbb/profilefields/type/type_base.php +++ b/phpBB/phpbb/profilefields/type/type_base.php @@ -158,7 +158,19 @@ abstract class type_base implements type_interface } else { - return $this->request->variable($key, '', true); + $default_value = ''; + $lang_fields = array( + 'l_lang_name', + 'l_lang_explain', + 'l_lang_default_value', + 'l_lang_options', + ); + + if (in_array($key, $lang_fields)) + { + $default_value = array(0 => ''); + } + return $this->request->variable($key, $default_value, true); } } diff --git a/phpBB/phpbb/profilefields/type/type_bool.php b/phpBB/phpbb/profilefields/type/type_bool.php index 0582722833..75934e3be7 100644 --- a/phpBB/phpbb/profilefields/type/type_bool.php +++ b/phpBB/phpbb/profilefields/type/type_bool.php @@ -352,7 +352,7 @@ class type_bool extends type_base } } - if ($step == 3 && ($field_data[$key] || $action != 'edit') && $key == 'l_lang_options') + if ($key == 'l_lang_options' && $this->request->is_set($key)) { $field_data[$key] = $this->request->variable($key, array(0 => array('')), true); diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php index ea9854894c..f0f2f7e2a2 100644 --- a/phpBB/phpbb/request/request.php +++ b/phpBB/phpbb/request/request.php @@ -416,4 +416,27 @@ class request implements \phpbb\request\request_interface { return $this->input[$super_global]; } + + /** + * {@inheritdoc} + */ + public function escape($var, $multibyte) + { + if (is_array($var)) + { + $result = array(); + foreach ($var as $key => $value) + { + $this->type_cast_helper->set_var($key, $key, gettype($key), $multibyte); + $result[$key] = $this->escape($value, $multibyte); + } + $var = $result; + } + else + { + $this->type_cast_helper->set_var($var, $var, 'string', $multibyte); + } + + return $var; + } } diff --git a/phpBB/phpbb/request/request_interface.php b/phpBB/phpbb/request/request_interface.php index 3236f73990..47b3b3a4ed 100644 --- a/phpBB/phpbb/request/request_interface.php +++ b/phpBB/phpbb/request/request_interface.php @@ -142,4 +142,14 @@ interface request_interface * @return array The original array of the requested super global. */ public function get_super_global($super_global = \phpbb\request\request_interface::REQUEST); + + /** + * Escape a string variable. + * + * @param mixed $value The contents to fill with + * @param bool $multibyte Indicates whether string values may contain UTF-8 characters. + * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks. + * @return string|array + */ + public function escape($value, $multibyte); } diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index a06ff9c594..dc90d942c3 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -31,10 +31,11 @@ class session var $update_session_page = true; /** - * Extract current session page - * - * @param string $root_path current root path (phpbb_root_path) - */ + * Extract current session page + * + * @param string $root_path current root path (phpbb_root_path) + * @return array + */ static function extract_current_page($root_path) { global $request, $symfony_request, $phpbb_filesystem; @@ -42,8 +43,8 @@ class session $page_array = array(); // First of all, get the request uri... - $script_name = $symfony_request->getScriptName(); - $args = explode('&', $symfony_request->getQueryString()); + $script_name = $request->escape($symfony_request->getScriptName(), true); + $args = $request->escape(explode('&', $symfony_request->getQueryString()), true); // If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support... if (!$script_name) diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index 02d22c480f..2931cae3cc 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -15,6 +15,10 @@ namespace phpbb; use Symfony\Component\HttpFoundation\Request; +/** + * WARNING: The Symfony request does not escape the input and should be used very carefully + * prefer the phpbb request as possible + */ class symfony_request extends Request { /** @@ -24,32 +28,12 @@ class symfony_request extends Request */ public function __construct(\phpbb\request\request_interface $phpbb_request) { - // This function is meant to sanitize the global input arrays - $sanitizer = function(&$value, $key) { - $type_cast_helper = new \phpbb\request\type_cast_helper(); - $type_cast_helper->set_var($value, $value, gettype($value), true); - }; - - // This function is meant for additional handling of server variables - $server_sanitizer = function(&$value, $key) use ($sanitizer) { - $sanitizer($value, $key); - $value = str_replace('&', '&', $value); - }; - $get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET); $post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST); $server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER); $files_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::FILES); $cookie_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::COOKIE); - array_walk_recursive($get_parameters, $sanitizer); - array_walk_recursive($post_parameters, $sanitizer); - array_walk_recursive($files_parameters, $sanitizer); - array_walk_recursive($cookie_parameters, $sanitizer); - - // Run special sanitizer for server superglobal - array_walk_recursive($server_parameters, $server_sanitizer); - parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } } diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php index 96386f6d04..c3c3602944 100644 --- a/phpBB/phpbb/version_helper.php +++ b/phpBB/phpbb/version_helper.php @@ -271,7 +271,7 @@ class version_helper { foreach ($branches as $branch => $branch_data) { - $info[$stability][$branch]['announcement'] = str_replace('&', '&', $branch_data['announcement']); + $info[$stability][$branch]['announcement'] = (!empty($branch_data['announcement'])) ? str_replace('&', '&', $branch_data['announcement']) : ''; } } diff --git a/phpBB/styles/prosilver/template/memberlist_search.html b/phpBB/styles/prosilver/template/memberlist_search.html index 4fba966151..ef5d29a8fa 100644 --- a/phpBB/styles/prosilver/template/memberlist_search.html +++ b/phpBB/styles/prosilver/template/memberlist_search.html @@ -6,6 +6,7 @@ <p>{L_FIND_USERNAME_EXPLAIN}</p> + <!-- EVENT memberlist_search_fields_before --> <fieldset class="fields1 column1"> <dl style="overflow: visible;"> <dt><label for="username">{L_USERNAME}{L_COLON}</label></dt> @@ -39,6 +40,7 @@ <dt><label for="search_group_id">{L_GROUP}{L_COLON}</label></dt> <dd><select name="search_group_id" id="search_group_id">{S_GROUP_SELECT}</select></dd> </dl> + <!-- EVENT memberlist_search_sorting_options_before --> <dl> <dt><label for="sk" class="label3">{L_SORT_BY}{L_COLON}</label></dt> <dd><select name="sk" id="sk">{S_SORT_OPTIONS}</select> <select name="sd">{S_ORDER_SELECT}</select></dd> @@ -66,6 +68,7 @@ <dd><input class="inputbox medium" type="text" name="ip" id="ip" value="{IP}" /></dd> </dl> <!-- ENDIF --> + <!-- EVENT memberlist_search_fields_after --> </fieldset> <div class="clear"></div> diff --git a/phpBB/styles/prosilver/template/posting_buttons.html b/phpBB/styles/prosilver/template/posting_buttons.html index 3dad6606bb..1555b12369 100644 --- a/phpBB/styles/prosilver/template/posting_buttons.html +++ b/phpBB/styles/prosilver/template/posting_buttons.html @@ -92,6 +92,9 @@ <!-- ENDIF --> </select> <input type="button" class="button2 bbcode-color" name="bbpalette" id="bbpalette" value="{L_FONT_COLOR}" onclick="change_palette();" title="{L_BBCODE_S_HELP}" /> + + <!-- EVENT posting_editor_buttons_custom_tags_before --> + <!-- BEGIN custom_tags --> <input type="button" class="button2 bbcode-{custom_tags.BBCODE_TAG_CLEAN}" name="addbbcode{custom_tags.BBCODE_ID}" value="{custom_tags.BBCODE_TAG}" onclick="bbstyle({custom_tags.BBCODE_ID})" title="{custom_tags.BBCODE_HELPLINE}" /> <!-- END custom_tags --> diff --git a/phpBB/styles/prosilver/theme/common.css b/phpBB/styles/prosilver/theme/common.css index adcd04b15e..9da24b6ef9 100644 --- a/phpBB/styles/prosilver/theme/common.css +++ b/phpBB/styles/prosilver/theme/common.css @@ -601,7 +601,7 @@ ul.linklist.bulletin > li.no-bulletin:before { } .breadcrumbs .crumb:before { - content: '‹'; + content: '\2039'; font-weight: bold; padding: 0 0.5em; } diff --git a/phpBB/styles/subsilver2/template/memberlist_search.html b/phpBB/styles/subsilver2/template/memberlist_search.html index 12dd10be2e..2096062607 100644 --- a/phpBB/styles/subsilver2/template/memberlist_search.html +++ b/phpBB/styles/subsilver2/template/memberlist_search.html @@ -66,6 +66,7 @@ <form method="post" action="{S_MODE_ACTION}" name="search"> +<!-- EVENT memberlist_search_fields_before --> <table class="tablebg" width="100%" cellspacing="1"> <tr> <th colspan="4">{L_FIND_USERNAME}</th> @@ -111,6 +112,7 @@ <td colspan="2" class="row1"> </td> <!-- ENDIF --> </tr> +<!-- EVENT memberlist_search_sorting_options_before --> <tr> <td class="row1"><b class="genmed">{L_SORT_BY}{L_COLON}</b></td> <td class="row2" nowrap="nowrap"><select name="sk">{S_SORT_OPTIONS}</select> <select name="sd">{S_ORDER_SELECT}</select> </td> @@ -120,6 +122,7 @@ <td class="cat" colspan="4" align="center"><input class="btnmain" type="submit" name="submit" value="{L_SEARCH}" /> <input class="btnlite" type="reset" value="{L_RESET}" /></td> </tr> </table> +<!-- EVENT memberlist_search_fields_after --> {S_FORM_TOKEN} </form> diff --git a/phpBB/styles/subsilver2/template/posting_buttons.html b/phpBB/styles/subsilver2/template/posting_buttons.html index d1c0f79a16..516cd0922b 100644 --- a/phpBB/styles/subsilver2/template/posting_buttons.html +++ b/phpBB/styles/subsilver2/template/posting_buttons.html @@ -69,21 +69,18 @@ <!-- ENDIF --> </select></span> </div> - <!-- EVENT posting_editor_buttons_after --> -<!-- ENDIF --> - </td> -</tr> -<!-- IF S_BBCODE_ALLOWED and .custom_tags --> - <tr valign="middle" align="{S_CONTENT_FLOW_BEGIN}"> - <td colspan="2"> + <!-- EVENT posting_editor_buttons_custom_tags_before --> + <!-- IF .custom_tags --> <div id="custom-bbcode-buttons"> - <!-- BEGIN custom_tags --> + <!-- BEGIN custom_tags --> <input type="button" class="btnbbcode bbcode-{custom_tags.BBCODE_TAG_CLEAN}" name="addbbcode{custom_tags.BBCODE_ID}" value="{custom_tags.BBCODE_TAG}" onclick="bbstyle({custom_tags.BBCODE_ID})"<!-- IF custom_tags.BBCODE_HELPLINE !== '' --> onmouseover="helpline('cb_{custom_tags.BBCODE_ID}')" onmouseout="helpline('tip')"<!-- ENDIF --> /> - <!-- END custom_tags --> + <!-- END custom_tags --> </div> - </td> - </tr> + <!-- ENDIF --> + <!-- EVENT posting_editor_buttons_after --> <!-- ENDIF --> + </td> +</tr> <!-- IF S_BBCODE_ALLOWED --> <tr> <td<!-- IF $S_SIGNATURE or S_EDIT_DRAFT --> colspan="2"<!-- ENDIF -->><input type="text" readonly="readonly" name="helpbox" style="width:100%" class="helpline" value="{L_STYLES_TIP}" /></td> diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php index 7bedcdfb49..30beea337a 100644 --- a/phpBB/viewtopic.php +++ b/phpBB/viewtopic.php @@ -1247,7 +1247,7 @@ while ($row = $db->sql_fetchrow($result)) 'contact_user' => $user->lang('CONTACT_USER', get_username_string('username', $poster_id, $row['username'], $row['user_colour'], $row['username'])), 'online' => false, - 'jabber' => ($row['user_jabber'] && $auth->acl_get('u_sendim')) ? append_sid("{$phpbb_root_path}memberlist.$phpEx", "mode=contact&action=jabber&u=$poster_id") : '', + 'jabber' => ($config['jab_enable'] && $row['user_jabber'] && $auth->acl_get('u_sendim')) ? append_sid("{$phpbb_root_path}memberlist.$phpEx", "mode=contact&action=jabber&u=$poster_id") : '', 'search' => ($config['load_search'] && $auth->acl_get('u_search')) ? append_sid("{$phpbb_root_path}search.$phpEx", "author_id=$poster_id&sr=posts") : '', 'author_full' => get_username_string('full', $poster_id, $row['username'], $row['user_colour']), |