From 5bc0f4b3d49ed1bea45464beece42906646eb026 Mon Sep 17 00:00:00 2001
From: Igor Wiedler
Date: Sat, 17 Nov 2012 00:24:32 +0100
Subject: [ticket/11015] Move db driver class name fixing to function
PHPBB3-11015
---
phpBB/includes/functions.php | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 804d89d1a2..045a28672b 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -5412,3 +5412,19 @@ function phpbb_to_numeric($input)
 {
 return ($input > PHP_INT_MAX) ? (float) $input : (int) $input;
 }
+
+/**
+* Convert 3.0 dbms to 3.1 db driver class name
+*
+* @param string $dbms dbms parameter
+* @return db driver class
+*/
+function phpbb_convert_30_dbms_to_31($dbms)
+{
+ if (!preg_match('#^phpbb_db_driver_#', $dbms))
+ {
+ return 'phpbb_db_driver_'.$dbms;
+ }
+
+ return $dbms;
+}
-- cgit v1.2.1
From 0372ecf14141ba2c174782f29d4fb079b4dd56c3 Mon Sep 17 00:00:00 2001
From: Igor Wiedler
Date: Sat, 17 Nov 2012 01:40:32 +0100
Subject: [ticket/11015] Make phpbb_convert_30_dbms_to_31 more future proof
It should allow any class name in the future, as long as that class exists. And it should give a useful error message otherwise.
PHPBB3-11015
---
phpBB/includes/functions.php | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 045a28672b..57136a43ff 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -5421,10 +5421,15 @@ function phpbb_to_numeric($input)
 */
 function phpbb_convert_30_dbms_to_31($dbms)
 {
- if (!preg_match('#^phpbb_db_driver_#', $dbms))
+ if (class_exists($dbms))
 {
- return 'phpbb_db_driver_'.$dbms;
+ return $dbms;
 }
- return $dbms;
+ if (class_exists('phpbb_db_driver_' . $dbms))
+ {
+ return 'phpbb_db_driver_' . $dbms;
+ }
+
+ throw new \RuntimeException('You have specified an invalid dbms driver.');
 }
-- cgit v1.2.1
From 9c0a03f1d56d069a5ca5092de8e0f3e4e6ee9c1d Mon Sep 17 00:00:00 2001
From: Oleg Pudeyev
Date: Thu, 29 Nov 2012 12:05:52 -0500
Subject: [ticket/11095] Python quoteattr port.
PHPBB3-11095
---
phpBB/includes/functions.php | 47 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index d7088ac129..5d8a92b63b 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -4893,6 +4893,53 @@ function phpbb_http_login($param)
 trigger_error('NOT_AUTHORISED');
 }
+/**
+* Escapes and quotes a string for use as an HTML/XML attribute value.
+*
+* This is a port of Python xml.sax.saxutils quoteattr.
+*
+* The function will attempt to choose a quote character in such a way as to
+* avoid escaping quotes in the string. If this is not possible the string will
+* be wrapped in double quotes and double quotes will be escaped.
+*
+* @param string $data The string to be escaped
+* @param array $entities Associative array of additional entities to be escaped
+* @return string Escaped and quoted string
+*/
+function phpbb_quoteattr($data, $entities = null)
+{
+ $data = str_replace('&', '&', $data);
+ $data = str_replace('>', '>', $data);
+ $data = str_replace('<', '<', $data);
+
+ $data = str_replace("\n", ' ', $data);
+ $data = str_replace("\r", ' ', $data);
+ $data = str_replace("\t", ' ', $data);
+
+ if (!empty($entities))
+ {
+ $data = str_replace(array_keys($entities), array_values($entities), $data);
+ }
+
+ if (strpos($data, '"') !== false)
+ {
+ if (strpos($data, "'") !== false)
+ {
+ $data = '"' . str_replace('"', '"', $data) . '"';
+ }
+ else
+ {
+ $data = "'" . $data . "'";
+ }
+ }
+ else
+ {
+ $data = '"' . $data . '"';
+ }
+
+ return $data;
+}
+
 /**
 * Generate page header
 */
-- cgit v1.2.1
From 2a39df1a53ae4d9798bcba9ceee610190702cc4b Mon Sep 17 00:00:00 2001
From: Oleg Pudeyev
Date: Thu, 29 Nov 2012 13:36:00 -0500
Subject: [ticket/11095] Forward GET parameters into hidden fields for jumpbox.
PHPBB3-11095
---
phpBB/includes/functions.php | 42 ++++++++++++++++++++++++++++++++++++++++--
1 file changed, 40 insertions(+), 2 deletions(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 5d8a92b63b..ee5a1afd30 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
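Review bot: As rendered here, the three replacements at the top of phpbb_quoteattr, `str_replace('&', '&', $data)` and the `>`/`<` lines, plus the inner `str_replace('"', '"', $data)`, have identical search and replacement strings and therefore change nothing; presumably the entity references were lost in rendering, but if the file really reads this way the function quotes without escaping and every caller that relies on it for attribute safety is exposed. Whatever the replacement strings are, the ampersand substitution has to stay first so that entity names produced by the later substitutions are not re-escaped, and the docblock should say so. The optional `$entities` map is applied with one `str_replace(array_keys(...), array_values(...))` call, which substitutes sequentially, so a replacement value containing a later key is rewritten again and a key of `&` would double-escape; the `@param` line should state that `$entities` values are expected to already be entity-encoded and are applied in array order after `&`, `<` and `>` have been handled.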
@@ -4940,13 +4940,47 @@ function phpbb_quoteattr($data, $entities = null)
 return $data;
 }
+function phpbb_build_hidden_fields_for_query_params($request, $exclude = null)
+{
+ $names = $request->variable_names(phpbb_request_interface::GET);
+ $hidden = '';
+ foreach ($names as $name)
+ {
+ // Sessions are dealt with elsewhere, omit sid always
+ if ($name == 'sid')
+ {
+ continue;
+ }
+
+ // Omit any additional parameters requested
+ if (!empty($exclude) && in_array($name, $exclude))
+ {
+ continue;
+ }
+
+ $escaped_name = phpbb_quoteattr($name);
+
+ // Note: we might retrieve the variable from POST or cookies
+ // here. To avoid exposing cookies, skip variables that are
+ // overwritten somewhere other than GET entirely.
+ $value = $request->variable($name, '', true);
+ $get_value = $request->variable($name, '', true, phpbb_request_interface::GET);
+ if ($value === $get_value)
+ {
+ $escaped_value = phpbb_quoteattr($value);
+ $hidden .= "";
+ }
+ }
+ return $hidden;
+}
+
 /**
 * Generate page header
 */
 function page_header($page_title = '', $display_online_list = true, $item_id = 0, $item = 'forum')
 {
 global $db, $config, $template, $SID, $_SID, $_EXTRA_URL, $user, $auth, $phpEx, $phpbb_root_path;
- global $phpbb_dispatcher;
+ global $phpbb_dispatcher, $request;
 if (defined('HEADER_INC'))
 {
@@ -5135,6 +5169,8 @@ function page_header($page_title = '', $display_online_list = true, $item_id = 0
 $timezone_name = $user->lang['timezones'][$timezone_name];
 }
+ $hidden_fields_for_jumpbox = phpbb_build_hidden_fields_for_query_params($request, array('f'));
+
 // The following assigns all _common_ variables that may be used at any point in a template.
 $template->assign_vars(array(
 'SITENAME' => $config['sitename'],
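Review bot: The string appended at `$hidden .= "";` is empty as rendered, so `$escaped_name` and `$escaped_value` are computed and never used and the function returns an empty string; the hidden input markup has presumably been lost in rendering, but if the file really reads this way HIDDEN_FIELDS_FOR_JUMPBOX is always empty and the forwarding this commit introduces does not happen. The two filters use loose comparison: `$name == 'sid'` and `in_array($name, $exclude)`, and because numeric query-string keys arrive as integers, a parameter named `0` compares equal to `'f'` under PHP 5 comparison rules and would be dropped silently; `$name === 'sid'` and `in_array($name, $exclude, true)` avoid that. The `$value === $get_value` guard is the only thing keeping cookie and POST values out of the emitted fields, so the function deserves a docblock line such as `* Only parameters whose request-wide value is identical to their GET value are forwarded, so a cookie or POST value of the same name is never written into the page.`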
@@ -5149,6 +5185,7 @@ function page_header($page_title = '', $display_online_list = true, $item_id = 0
 'RECORD_USERS' => $l_online_record,
 'PRIVATE_MESSAGE_INFO' => $l_privmsgs_text,
 'PRIVATE_MESSAGE_INFO_UNREAD' => $l_privmsgs_text_unread,
+ 'HIDDEN_FIELDS_FOR_JUMPBOX' => $hidden_fields_for_jumpbox,
 'S_USER_NEW_PRIVMSG' => $user->data['user_new_privmsg'],
 'S_USER_UNREAD_PRIVMSG' => $user->data['user_unread_privmsg'],
@@ -5507,7 +5544,8 @@ function phpbb_to_numeric($input)
 function phpbb_create_symfony_request(phpbb_request $request)
 {
 // This function is meant to sanitize the global input arrays
- $sanitizer = function(&$value, $key) {
+ $sanitizer = function(&$value, $key)
+ {
 $type_cast_helper = new phpbb_request_type_cast_helper();
 $type_cast_helper->set_var($value, $value, gettype($value), true);
 };
-- cgit v1.2.1
From 3e907265d5782c535d43e503c32390cfde8dc4a8 Mon Sep 17 00:00:00 2001
From: Oleg Pudeyev
Date: Thu, 29 Nov 2012 14:41:48 -0500
Subject: [ticket/11095] Docs and tests for phpbb_build_hidden_fields_for_query_params.
PHPBB3-11095
---
phpBB/includes/functions.php | 14 ++++++++++++++
1 file changed, 14 insertions(+)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index ee5a1afd30..9c92adb0ec 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -4940,6 +4940,20 @@ function phpbb_quoteattr($data, $entities = null)
 return $data;
 }
+/**
+* Converts query string (GET) parameters in request into hidden fields.
+*
+* Useful for forwarding GET parameters when submitting forms with GET method.
+*
+* It is possible to omit some of the GET parameters, which is useful if
+* they are specified in the form being submitted.
+*
+* sid is always omitted.
+*
+* @param phpbb_request $request Request object
+* @param array $exclude A list of variable names that should not be forwarded
+* @return string HTML with hidden fields
+*/
 function phpbb_build_hidden_fields_for_query_params($request, $exclude = null)
 {
 $names = $request->variable_names(phpbb_request_interface::GET);
-- cgit v1.2.1
From 11ca272692ed1b46d4ff208705cb30636c98704f Mon Sep 17 00:00:00 2001
From: Oleg Pudeyev
Date: Thu, 29 Nov 2012 14:42:56 -0500
Subject: [ticket/11095] Restore brace on previous line.
PHPBB3-11095
---
phpBB/includes/functions.php | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 9c92adb0ec..8df40b26f6 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -5558,8 +5558,7 @@ function phpbb_to_numeric($input)
 function phpbb_create_symfony_request(phpbb_request $request)
 {
 // This function is meant to sanitize the global input arrays
- $sanitizer = function(&$value, $key)
- {
+ $sanitizer = function(&$value, $key) {
 $type_cast_helper = new phpbb_request_type_cast_helper();
 $type_cast_helper->set_var($value, $value, gettype($value), true);
 };
-- cgit v1.2.1
From e765ccd075a19be7ec9c60970677d62dc75f0845 Mon Sep 17 00:00:00 2001
From: Oleg Pudeyev
Date: Tue, 4 Dec 2012 04:22:10 -0500
Subject: [ticket/11015] Include dbms name in exception message.
PHPBB3-11015
---
phpBB/includes/functions.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 57136a43ff..501257956a 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -5431,5 +5431,5 @@ function phpbb_convert_30_dbms_to_31($dbms)
 return 'phpbb_db_driver_' . $dbms;
 }
- throw new \RuntimeException('You have specified an invalid dbms driver.');
+ throw new \RuntimeException("You have specified an invalid dbms driver: $dbms");
 }
-- cgit v1.2.1
From 9e3fd3bf8e8ff08b159d9151aef6f9bb6b9244ee Mon Sep 17 00:00:00 2001
From: Oleg Pudeyev
Date: Thu, 13 Dec 2012 19:07:49 -0500
Subject: [ticket/11015] Fix 3.0 to 3.1 dbms conversion for mysqli.
PHPBB3-11015
---
phpBB/includes/functions.php | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 4bf991ca9e..5c08d457b6 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -5550,23 +5550,39 @@ function phpbb_to_numeric($input)
 }
 /**
-* Convert 3.0 dbms to 3.1 db driver class name
+* Convert either 3.0 dbms or 3.1 db driver class name to 3.1 db driver class name.
+*
+* If $dbms is a valid 3.1 db driver class name, returns it unchanged.
+* Otherwise prepends phpbb_db_driver_ to the dbms to convert a 3.0 dbms
+* to 3.1 db driver class name.
 *
 * @param string $dbms dbms parameter
 * @return db driver class
 */
 function phpbb_convert_30_dbms_to_31($dbms)
 {
- if (class_exists($dbms))
+ // Note: this check is done first because mysqli extension
+ // supplies a mysqli class, and class_exists($dbms) would return
+ // true for mysqli class.
+ // However, per the docblock any valid 3.1 driver name should be
+ // recognized by this function, and have priority over 3.0 dbms.
+ if (class_exists('phpbb_db_driver_' . $dbms))
 {
- return $dbms;
+ return 'phpbb_db_driver_' . $dbms;
 }
- if (class_exists('phpbb_db_driver_' . $dbms))
+ if (class_exists($dbms))
 {
- return 'phpbb_db_driver_' . $dbms;
+ return $dbms;
 }
+ // Additionally we could check that $dbms extends phpbb_db_driver.
+ // http://php.net/manual/en/class.reflectionclass.php
+ // Beware of possible performance issues:
+ // http://stackoverflow.com/questions/294582/php-5-reflection-api-performance
+ // We could check for interface implementation in all paths or
+ // only when we do not prepend phpbb_db_driver_.
+
 throw new \RuntimeException("You have specified an invalid dbms driver: $dbms");
 }
-- cgit v1.2.1
From ee7dc9e5a061038eadce40ed295d47f978b9e567 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Fri, 14 Dec 2012 01:08:09 +0100
Subject: [ticket/11015] Correctly transform 'mysqli' etc. in phpbb_convert_30_dbms_to_31
PHPBB3-11015
---
phpBB/includes/functions.php | 9 +++++++++
1 file changed, 9 insertions(+)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 5c08d457b6..575dd11388 100644
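Review bot: The `class_exists($dbms)` fallback still accepts any loadable class, not only a database driver, and the new comment block only records that a subclass check was considered and deferred over reflection cost; `is_subclass_of($dbms, 'phpbb_db_driver')` takes the class name as a string and constructs no ReflectionClass, so the cited performance concern does not apply and the branch can become `if (class_exists($dbms) && is_subclass_of($dbms, 'phpbb_db_driver'))` with the comment block dropped. Note also that `class_exists()` autoloads by default, so whatever `$dbms` holds (presumably the config.php dbms value rather than end-user input) reaches the autoloader before any validation; the docblock should say that the returned name is guaranteed to exist but, as written, not guaranteed to be a driver. The same commented-out reflection block is added by the hunk `@@ -5573,6 +5573,15 @@` of the next commit and moved by the two hunks of the "Move comment in the right place" commit; the same is_subclass_of line replaces it there.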
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -5573,6 +5573,15 @@ function phpbb_convert_30_dbms_to_31($dbms)
 if (class_exists($dbms))
 {
+ /*
+ $reflection = new \ReflectionClass($dbms);
+
+ if ($reflection->isSubclassOf('phpbb_db_driver'))
+ {
+ return $dbms;
+ }
+ */
+
 return $dbms;
 }
-- cgit v1.2.1
From 89f069637cd95f584db924407378b64df9910243 Mon Sep 17 00:00:00 2001
From: Oleg Pudeyev
Date: Thu, 13 Dec 2012 19:21:23 -0500
Subject: [ticket/11015] Move comment in the right place.
PHPBB3-11015
---
phpBB/includes/functions.php | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 575dd11388..8ef5284134 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -5573,6 +5573,13 @@ function phpbb_convert_30_dbms_to_31($dbms)
 if (class_exists($dbms))
 {
+ // Additionally we could check that $dbms extends phpbb_db_driver.
+ // http://php.net/manual/en/class.reflectionclass.php
+ // Beware of possible performance issues:
+ // http://stackoverflow.com/questions/294582/php-5-reflection-api-performance
+ // We could check for interface implementation in all paths or
+ // only when we do not prepend phpbb_db_driver_.
+
 /*
 $reflection = new \ReflectionClass($dbms);
@@ -5585,13 +5592,6 @@ function phpbb_convert_30_dbms_to_31($dbms)
 return $dbms;
 }
- // Additionally we could check that $dbms extends phpbb_db_driver.
- // http://php.net/manual/en/class.reflectionclass.php
- // Beware of possible performance issues:
- // http://stackoverflow.com/questions/294582/php-5-reflection-api-performance
- // We could check for interface implementation in all paths or
- // only when we do not prepend phpbb_db_driver_.
-
 throw new \RuntimeException("You have specified an invalid dbms driver: $dbms");
 }
-- cgit v1.2.1