From 882a3c383103802c491404032c5d267e4f5271a0 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 22 Jul 2017 17:26:41 +0200 Subject: [ticket/security/211] Make sure website URL only uses http & https schemes SECURITY-211 --- phpBB/includes/functions.php | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 84178f74e4..7aa63f2e0c 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -3409,6 +3409,11 @@ function get_preg_expression($mode) return "[a-z][a-z\d+\-.]*:/{2}(?:(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@|]+|%[\dA-F]{2})+|[0-9.]+|\[[a-z0-9.]+:[a-z0-9.]+:[a-z0-9.:]+\])(?::\d*)?(?:/(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@|]+|%[\dA-F]{2})*)*(?:\?(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@/?|]+|%[\dA-F]{2})*)?(?:\#(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@/?|]+|%[\dA-F]{2})*)?"; break; + case 'url_http': + // generated with regex_idn.php file in the develop folder + return "http[s]?:/{2}(?:(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@|]+|%[\dA-F]{2})+|[0-9.]+|\[[a-z0-9.]+:[a-z0-9.]+:[a-z0-9.:]+\])(?::\d*)?(?:/(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@|]+|%[\dA-F]{2})*)*(?:\?(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@/?|]+|%[\dA-F]{2})*)?(?:\#(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@/?|]+|%[\dA-F]{2})*)?"; + break; + case 'url_inline': // generated with regex_idn.php file in the develop folder return "[a-z][a-z\d+]*:/{2}(?:(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@|]+|%[\dA-F]{2})+|[0-9.]+|\[[a-z0-9.]+:[a-z0-9.]+:[a-z0-9.:]+\])(?::\d*)?(?:/(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@|]+|%[\dA-F]{2})*)*(?:\?(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@/?|]+|%[\dA-F]{2})*)?(?:\#(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@/?|]+|%[\dA-F]{2})*)?"; -- cgit v1.2.1 From 0aba1faa0803af6013c9ac2071e87f117e9c4835 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 26 Jul 2017 21:14:05 +0200 Subject: [ticket/security/211] Do not match javascript URIs with URL regexes SECURITY-211 --- phpBB/includes/functions.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 7aa63f2e0c..29abadfcaf 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -3406,7 +3406,7 @@ function get_preg_expression($mode) case 'url': // generated with regex_idn.php file in the develop folder - return "[a-z][a-z\d+\-.]*:/{2}(?:(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@|]+|%[\dA-F]{2})+|[0-9.]+|\[[a-z0-9.]+:[a-z0-9.]+:[a-z0-9.:]+\])(?::\d*)?(?:/(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@|]+|%[\dA-F]{2})*)*(?:\?(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@/?|]+|%[\dA-F]{2})*)?(?:\#(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'()*+,;=:@/?|]+|%[\dA-F]{2})*)?"; + return "[a-z][a-z\d+\-.]*(? Date: Mon, 9 Jan 2017 00:23:08 +0700 Subject: [ticket/14972] Fix sizeof calls As of PHP 7.2, only arrays and objects implementing the Countable interface should be passed as a count() or sizeof() parameter. See https://github.com/php/php-src/blob/php-7.2.0alpha2/UPGRADING#L197-L198 Also, sizeof() seems to be sheduled for deprecation, see https://wiki.php.net/rfc/deprecations_php_7_2#suggested_deprecations PHPBB3-14972 --- phpBB/includes/functions.php | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 2cd62d7bac..e9b7d999b5 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -602,7 +602,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ if ($mode == 'all') { - if ($forum_id === false || !sizeof($forum_id)) + if (empty($forum_id)) { // Mark all forums read (index page) /* @var $phpbb_notifications \phpbb\notification\manager */ @@ -727,7 +727,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ } $db->sql_freeresult($result); - if (sizeof($sql_update)) + if (count($sql_update)) { $sql = 'UPDATE ' . FORUMS_TRACK_TABLE . " SET mark_time = $post_time @@ -863,7 +863,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ // We get the ten most minimum stored time offsets and its associated topic ids $time_keys = array(); - for ($i = 0; $i < 10 && sizeof($tracking['t']); $i++) + for ($i = 0; $i < 10 && count($tracking['t']); $i++) { $min_value = min($tracking['t']); $m_tkey = array_search($min_value, $tracking['t']); @@ -959,7 +959,7 @@ function get_topic_tracking($forum_id, $topic_ids, &$rowset, $forum_mark_time, $ $topic_ids = array_diff($topic_ids, array_keys($last_read)); - if (sizeof($topic_ids)) + if (count($topic_ids)) { $mark_time = array(); @@ -1011,7 +1011,7 @@ function get_complete_topic_tracking($forum_id, $topic_ids, $global_announce_lis $topic_ids = array_diff($topic_ids, array_keys($last_read)); - if (sizeof($topic_ids)) + if (count($topic_ids)) { $sql = 'SELECT forum_id, mark_time FROM ' . FORUMS_TRACK_TABLE . " @@ -1038,7 +1038,7 @@ function get_complete_topic_tracking($forum_id, $topic_ids, $global_announce_lis { global $tracking_topics; - if (!isset($tracking_topics) || !sizeof($tracking_topics)) + if (!isset($tracking_topics) || !count($tracking_topics)) { $tracking_topics = $request->variable($config['cookie_name'] . '_track', '', true, \phpbb\request\request_interface::COOKIE); $tracking_topics = ($tracking_topics) ? tracking_unserialize($tracking_topics) : array(); @@ -1065,7 +1065,7 @@ function get_complete_topic_tracking($forum_id, $topic_ids, $global_announce_lis $topic_ids = array_diff($topic_ids, array_keys($last_read)); - if (sizeof($topic_ids)) + if (count($topic_ids)) { $mark_time = array(); @@ -1407,7 +1407,7 @@ function tracking_unserialize($string, $max_depth = 3) switch ($string[$i]) { case '(': - if (sizeof($stack) >= $max_depth) + if (count($stack) >= $max_depth) { die('Invalid data supplied'); } @@ -1461,7 +1461,7 @@ function tracking_unserialize($string, $max_depth = 3) } } - if (sizeof($stack) != 0 || ($mode != 0 && $mode != 3)) + if (count($stack) != 0 || ($mode != 0 && $mode != 3)) { die('Invalid data supplied'); } @@ -2676,9 +2676,9 @@ function parse_cfg_file($filename, $lines = false) { $value = ''; } - else if (($value[0] == "'" && $value[sizeof($value) - 1] == "'") || ($value[0] == '"' && $value[sizeof($value) - 1] == '"')) + else if (($value[0] == "'" && $value[strlen($value) - 1] == "'") || ($value[0] == '"' && $value[strlen($value) - 1] == '"')) { - $value = htmlspecialchars(substr($value, 1, sizeof($value)-2)); + $value = htmlspecialchars(substr($value, 1, strlen($value)-2)); } else { @@ -3007,7 +3007,7 @@ function phpbb_inet_pton($address) if (preg_match(get_preg_expression('ipv6'), $address)) { $parts = explode(':', $address); - $missing_parts = 8 - sizeof($parts) + 1; + $missing_parts = 8 - count($parts) + 1; if (substr($address, 0, 2) === '::') { @@ -3024,7 +3024,7 @@ function phpbb_inet_pton($address) if (preg_match(get_preg_expression('ipv4'), $last_part)) { - $parts[sizeof($parts) - 1] = ''; + $parts[count($parts) - 1] = ''; $last_part = phpbb_inet_pton($last_part); $embedded_ipv4 = true; --$missing_parts; @@ -3036,7 +3036,7 @@ function phpbb_inet_pton($address) { $ret .= str_pad($part, 4, '0', STR_PAD_LEFT); } - else if ($i && $i < sizeof($parts) - 1) + else if ($i && $i < count($parts) - 1) { $ret .= str_repeat('0000', $missing_parts); } @@ -3632,7 +3632,7 @@ function obtain_users_online_string($online_users, $item_id = 0, $item = 'forum' // Need caps version of $item for language-strings $item_caps = strtoupper($item); - if (sizeof($online_users['online_users'])) + if (count($online_users['online_users'])) { $sql_ary = array( 'SELECT' => 'u.username, u.username_clean, u.user_id, u.user_type, u.user_allow_viewonline, u.user_colour', -- cgit v1.2.1 From e31474542dac500c76ed67d2b80f90a38da149d1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 6 Jan 2018 10:53:12 +0100 Subject: [ticket/15498] Do not pass whether URL uses router to is_route is_route expects a flag of whether this is a route that was generated with the router as opposed to is_router_used() which returns whether the router will be used via app.php. PHPBB3-15498 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 2cd62d7bac..97e1e8e340 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2185,7 +2185,7 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo // re-add sid / transform & to & for user->page (user->page is always using &) $use_page = ($u_action) ? $u_action : str_replace('&', '&', $user->page['page']); - $u_action = reapply_sid($phpbb_path_helper->get_valid_page($use_page, $config['enable_mod_rewrite']), $phpbb_path_helper->is_router_used()); + $u_action = reapply_sid($phpbb_path_helper->get_valid_page($use_page, $config['enable_mod_rewrite'])); $u_action .= ((strpos($u_action, '?') === false) ? '?' : '&') . 'confirm_key=' . $confirm_key; $template->assign_vars(array( -- cgit v1.2.1 From c6a35237a23d8d1e2ca7af72c5f31a42cad6df41 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 31 May 2018 07:56:05 +0200 Subject: [ticket/15676] Display privacy notice in footer & allow overriding U_PRIVACY PHPBB3-15676 --- phpBB/includes/functions.php | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 4aae84705b..aeba5b74c0 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2463,7 +2463,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa $s_hidden_fields = build_hidden_fields($s_hidden_fields); - $template->assign_vars(array( + $login_box_template_data = array( 'LOGIN_ERROR' => $err, 'LOGIN_EXPLAIN' => $l_explain, @@ -2480,7 +2480,29 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa 'USERNAME_CREDENTIAL' => 'username', 'PASSWORD_CREDENTIAL' => ($admin) ? 'password_' . $credential : 'password', - )); + ); + + /** + * Event to add/modify login box template data + * + * @event core.login_box_modify_template_data + * @var int admin Flag whether user is admin + * @var string username User name + * @var int autologin Flag whether autologin is enabled + * @var string redirect Redirect URL + * @var array login_box_template_data Array with the login box template data + * @since 3.2.3-RC2 + */ + $vars = array( + 'admin', + 'username', + 'autologin', + 'redirect', + 'login_box_template_data', + ); + extract($phpbb_dispatcher->trigger_event('core.login_box_modify_template_data', compact($vars))); + + $template->assign_vars($login_box_template_data); page_header($user->lang['LOGIN']); -- cgit v1.2.1 From 25a46ef4b3a79ff87f3ac9bf6b52fa97363809b6 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 31 May 2018 22:15:36 +0200 Subject: [ticket/15676] Simplify link text and use privacy link in cookie notice PHPBB3-15676 --- phpBB/includes/functions.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index aeba5b74c0..24642faade 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2471,6 +2471,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa 'U_RESEND_ACTIVATION' => ($config['require_activation'] == USER_ACTIVATION_SELF && $config['email_enable']) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=resend_act') : '', 'U_TERMS_USE' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=terms'), 'U_PRIVACY' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=privacy'), + 'UA_PRIVACY' => addslashes(append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=privacy')), 'S_DISPLAY_FULL_LOGIN' => ($s_display) ? true : false, 'S_HIDDEN_FIELDS' => $s_hidden_fields, @@ -4426,6 +4427,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id = 'U_TEAM' => ($user->data['user_id'] != ANONYMOUS && !$auth->acl_get('u_viewprofile')) ? '' : append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=team'), 'U_TERMS_USE' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=terms'), 'U_PRIVACY' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=privacy'), + 'UA_PRIVACY' => addslashes(append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=privacy')), 'U_RESTORE_PERMISSIONS' => ($user->data['user_perm_from'] && $auth->acl_get('a_switchperm')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=restore_perm') : '', 'U_FEED' => $controller_helper->route('phpbb_feed_index'), -- cgit v1.2.1 From f75c400db44387863abbc0f6f2944df546d5a137 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20Calvo?= Date: Fri, 15 Jun 2018 19:22:35 +0200 Subject: [ticket/15693] Fix get_rand_string() PHPBB3-15693 --- phpBB/includes/functions.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 4aae84705b..3b3218a3aa 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -71,7 +71,7 @@ function set_var(&$result, $var, $type, $multibyte = false) function gen_rand_string($num_chars = 8) { // [a, z] + [0, 9] = 36 - return substr(strtoupper(base_convert(unique_id(), 16, 36)), 0, $num_chars); + return substr(strtoupper(base_convert(bin2hex(random_bytes($num_chars)), 16, 36)), 0, $num_chars); } /** @@ -82,7 +82,7 @@ function gen_rand_string($num_chars = 8) */ function gen_rand_string_friendly($num_chars = 8) { - $rand_str = unique_id(); + $rand_str = bin2hex(random_bytes($num_chars)); // Remove Z and Y from the base_convert(), replace 0 with Z and O with Y // [a, z] + [0, 9] - {z, y} = [a, z] + [0, 9] - {0, o} = 34 -- cgit v1.2.1 From 9e50e52fa5c72ee668c0d4c43b15e441f31ada5c Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 17 Jun 2018 11:01:11 +0200 Subject: [ticket/15693] Update tests to reflect changes to gen_rand_string() PHPBB3-15693 --- phpBB/includes/functions.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 3b3218a3aa..270d513a26 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -66,6 +66,8 @@ function set_var(&$result, $var, $type, $multibyte = false) /** * Generates an alphanumeric random string of given length * +* @param int $num_chars Length of random string, defaults to 8 +* * @return string */ function gen_rand_string($num_chars = 8) @@ -78,6 +80,8 @@ function gen_rand_string($num_chars = 8) * Generates a user-friendly alphanumeric random string of given length * We remove 0 and O so users cannot confuse those in passwords etc. * +* @param int $num_chars Length of random string, defaults to 8 +* * @return string */ function gen_rand_string_friendly($num_chars = 8) -- cgit v1.2.1 From c61b9358ff7e8052e1f700c7a97a2ca3b392098a Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Mon, 18 Jun 2018 12:55:24 +0200 Subject: [ticket/15618] Display The team link only to users with permission PHPBB3-15618 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 270d513a26..29b9ebace4 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -4405,7 +4405,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id = 'U_SEARCH_ACTIVE_TOPICS'=> append_sid("{$phpbb_root_path}search.$phpEx", 'search_id=active_topics'), 'U_DELETE_COOKIES' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=delete_cookies'), 'U_CONTACT_US' => ($config['contact_admin_form_enable'] && $config['email_enable']) ? append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=contactadmin') : '', - 'U_TEAM' => ($user->data['user_id'] != ANONYMOUS && !$auth->acl_get('u_viewprofile')) ? '' : append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=team'), + 'U_TEAM' => (!$auth->acl_get('u_viewprofile')) ? '' : append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=team'), 'U_TERMS_USE' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=terms'), 'U_PRIVACY' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=privacy'), 'U_RESTORE_PERMISSIONS' => ($user->data['user_perm_from'] && $auth->acl_get('a_switchperm')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=restore_perm') : '', -- cgit v1.2.1 From d4d8aec02af958b40a4c0220cc60498cf32c6549 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20Calvo?= Date: Mon, 18 Jun 2018 22:29:51 +0200 Subject: [ticket/15695] Fix gen_rand_string returning less characters than expected PHPBB3-15695 --- phpBB/includes/functions.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 270d513a26..97f25cc701 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -66,27 +66,29 @@ function set_var(&$result, $var, $type, $multibyte = false) /** * Generates an alphanumeric random string of given length * -* @param int $num_chars Length of random string, defaults to 8 +* @param int $num_chars Length of random string, defaults to 8. +* This number should be less or equal than 64. * * @return string */ function gen_rand_string($num_chars = 8) { // [a, z] + [0, 9] = 36 - return substr(strtoupper(base_convert(bin2hex(random_bytes($num_chars)), 16, 36)), 0, $num_chars); + return substr(strtoupper(base_convert(bin2hex(random_bytes($num_chars + 1)), 16, 36)), 0, $num_chars); } /** * Generates a user-friendly alphanumeric random string of given length * We remove 0 and O so users cannot confuse those in passwords etc. * -* @param int $num_chars Length of random string, defaults to 8 +* @param int $num_chars Length of random string, defaults to 8. +* This number should be less or equal than 64. * * @return string */ function gen_rand_string_friendly($num_chars = 8) { - $rand_str = bin2hex(random_bytes($num_chars)); + $rand_str = bin2hex(random_bytes($num_chars + 1)); // Remove Z and Y from the base_convert(), replace 0 with Z and O with Y // [a, z] + [0, 9] - {z, y} = [a, z] + [0, 9] - {0, o} = 34 -- cgit v1.2.1 From ffcfec044b73bfa1b5522499b82b074ee99b3869 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20Calvo?= Date: Sat, 14 Jul 2018 11:42:32 +0200 Subject: [ticket/15723] Rewrite gen_rand_string() and gen_rand_string_friendly() PHPBB3-15723 --- phpBB/includes/functions.php | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index cbea7afe6e..51f5bc0fd5 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -73,8 +73,17 @@ function set_var(&$result, $var, $type, $multibyte = false) */ function gen_rand_string($num_chars = 8) { - // [a, z] + [0, 9] = 36 - return substr(strtoupper(base_convert(bin2hex(random_bytes($num_chars + 1)), 16, 36)), 0, $num_chars); + $range = array_merge(range('A', 'Z'), range(0, 9)); + $size = count($range); + + $output = ''; + for ($i = 0; $i < $num_chars; $i++) + { + $rand = random_int(0, $size-1); + $output .= $range[$rand]; + } + + return $output; } /** @@ -88,13 +97,17 @@ function gen_rand_string($num_chars = 8) */ function gen_rand_string_friendly($num_chars = 8) { - $rand_str = bin2hex(random_bytes($num_chars + 1)); + $range = array_merge(range('A', 'N'), range('P', 'Z'), range(1, 9)); + $size = count($range); - // Remove Z and Y from the base_convert(), replace 0 with Z and O with Y - // [a, z] + [0, 9] - {z, y} = [a, z] + [0, 9] - {0, o} = 34 - $rand_str = str_replace(array('0', 'O'), array('Z', 'Y'), strtoupper(base_convert($rand_str, 16, 34))); + $output = ''; + for ($i = 0; $i < $num_chars; $i++) + { + $rand = random_int(0, $size-1); + $output .= $range[$rand]; + } - return substr($rand_str, 0, $num_chars); + return $output; } /** -- cgit v1.2.1 From ced8599e306fdbc5e496b3119ef46c4c27e3e335 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20Calvo?= Date: Wed, 8 Aug 2018 20:36:16 +0200 Subject: [ticket/15723] Rewrite unique_id too PHPBB3-15723 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 51f5bc0fd5..1457888c9f 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -115,7 +115,7 @@ function gen_rand_string_friendly($num_chars = 8) */ function unique_id() { - return bin2hex(random_bytes(8)); + return gen_rand_string(32); } /** -- cgit v1.2.1 From 1d0fdc446f4642584a58eb23d8510ec73caa475a Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Mon, 24 Sep 2018 16:09:28 +0200 Subject: [ticket/15805] Add result to core.login_box_redirect PHPBB3-15805 --- phpBB/includes/functions.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index cbea7afe6e..5caa144801 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2350,10 +2350,12 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa * @event core.login_box_redirect * @var string redirect Redirect string * @var bool admin Is admin? + * @var array result Result from auth provider * @since 3.1.0-RC5 * @changed 3.1.9-RC1 Removed undefined return variable + * @changed 3.2.4-RC1 Added result */ - $vars = array('redirect', 'admin'); + $vars = array('redirect', 'admin', 'result'); extract($phpbb_dispatcher->trigger_event('core.login_box_redirect', compact($vars))); // append/replace SID (may change during the session for AOL users) -- cgit v1.2.1 From dab4c10c2fe0a2e283ecf5227ef9a253127a1381 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Tue, 25 Sep 2018 15:24:34 +0200 Subject: [ticket/15700] Use correct T_THEME_LANG_NAME PHPBB3-15700 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 1457888c9f..3b0ac17806 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -4506,7 +4506,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id = 'S_COOKIE_NOTICE' => !empty($config['cookie_notice']), 'T_THEME_NAME' => rawurlencode($user->style['style_path']), - 'T_THEME_LANG_NAME' => $user->data['user_lang'], + 'T_THEME_LANG_NAME' => $user->lang_name, 'T_TEMPLATE_NAME' => $user->style['style_path'], 'T_SUPER_TEMPLATE_NAME' => rawurlencode((isset($user->style['style_parent_tree']) && $user->style['style_parent_tree']) ? $user->style['style_parent_tree'] : $user->style['style_path']), 'T_IMAGES' => 'images', -- cgit v1.2.1 From f82e0a83d1c6ec488f47013d583912f7082406d4 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Tue, 25 Sep 2018 16:18:58 +0200 Subject: [ticket/15616] Add jumpbox to login_forum.html PHPBB3-15616 --- phpBB/includes/functions.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 1457888c9f..20d24819ec 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2539,7 +2539,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa */ function login_forum_box($forum_data) { - global $db, $phpbb_container, $request, $template, $user, $phpbb_dispatcher; + global $db, $phpbb_container, $request, $template, $user, $phpbb_dispatcher, $phpbb_root_path, $phpEx; $password = $request->variable('password', '', true); @@ -2624,6 +2624,8 @@ function login_forum_box($forum_data) 'body' => 'login_forum.html') ); + make_jumpbox(append_sid("{$phpbb_root_path}viewforum.$phpEx"), $forum_data['forum_id']); + page_footer(); } -- cgit v1.2.1 From d29d4389f9efdec4986c62052df7cd8a87135645 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Tue, 25 Sep 2018 14:42:03 +0200 Subject: [ticket/15758] Show translated msg for INSECURE_REDIRECT PHPBB3-15758 --- phpBB/includes/functions.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 1457888c9f..5351db31f6 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -1744,14 +1744,14 @@ function redirect($url, $return = false, $disable_cd_check = false) if ($url_parts === false) { // Malformed url - trigger_error('INSECURE_REDIRECT', E_USER_ERROR); + trigger_error('INSECURE_REDIRECT', E_USER_WARNING); } else if (!empty($url_parts['scheme']) && !empty($url_parts['host'])) { // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work) if (!$disable_cd_check && $url_parts['host'] !== $user->host) { - trigger_error('INSECURE_REDIRECT', E_USER_ERROR); + trigger_error('INSECURE_REDIRECT', E_USER_WARNING); } } else if ($url[0] == '/') @@ -1791,13 +1791,13 @@ function redirect($url, $return = false, $disable_cd_check = false) if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0) { - trigger_error('INSECURE_REDIRECT', E_USER_ERROR); + trigger_error('INSECURE_REDIRECT', E_USER_WARNING); } // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2 if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false) { - trigger_error('INSECURE_REDIRECT', E_USER_ERROR); + trigger_error('INSECURE_REDIRECT', E_USER_WARNING); } // Now, also check the protocol and for a valid url the last time... @@ -1806,7 +1806,7 @@ function redirect($url, $return = false, $disable_cd_check = false) if ($url_parts === false || empty($url_parts['scheme']) || !in_array($url_parts['scheme'], $allowed_protocols)) { - trigger_error('INSECURE_REDIRECT', E_USER_ERROR); + trigger_error('INSECURE_REDIRECT', E_USER_WARNING); } /** -- cgit v1.2.1 From 1f14f7c327e52ec67a593d3d0b87e67a4bf7ebd6 Mon Sep 17 00:00:00 2001 From: Ruben Calvo Date: Tue, 30 Oct 2018 11:16:51 +0000 Subject: [ticket/15860] Fix format of backup files PHPBB3-15860 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 3fec88a354..79d88fb3a5 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -115,7 +115,7 @@ function gen_rand_string_friendly($num_chars = 8) */ function unique_id() { - return gen_rand_string(32); + return strtolower(gen_rand_string(32)); } /** -- cgit v1.2.1 From 31703585cb2faf9ca0c2072ebabdc2b3ec62e146 Mon Sep 17 00:00:00 2001 From: Ruben Calvo Date: Wed, 31 Oct 2018 10:41:57 +0000 Subject: [ticket/15860] Unique_id() return 16 characters again PHPBB3-15860 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 79d88fb3a5..99f65a0e92 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -115,7 +115,7 @@ function gen_rand_string_friendly($num_chars = 8) */ function unique_id() { - return strtolower(gen_rand_string(32)); + return strtolower(gen_rand_string(16)); } /** -- cgit v1.2.1 From 50cec4d54cfe2985df3d7fb4fd381c1c810a356b Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Sun, 30 Dec 2018 14:15:03 +0100 Subject: [ticket/15886] Change phpbb_get_group_avatar variable names PHPBB3-15886 --- phpBB/includes/functions.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 99f65a0e92..e3c3a19c96 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -4081,9 +4081,9 @@ function phpbb_get_user_avatar($user_row, $alt = 'USER_AVATAR', $ignore_config = * * @return string Avatar html */ -function phpbb_get_group_avatar($user_row, $alt = 'GROUP_AVATAR', $ignore_config = false, $lazy = false) +function phpbb_get_group_avatar($group_row, $alt = 'GROUP_AVATAR', $ignore_config = false, $lazy = false) { - $row = \phpbb\avatar\manager::clean_row($user_row, 'group'); + $row = \phpbb\avatar\manager::clean_row($group_row, 'group'); return phpbb_get_avatar($row, $alt, $ignore_config, $lazy); } -- cgit v1.2.1 From 3f4b7059cb4903a314565ae448d142121e9e9611 Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Tue, 15 Jan 2019 20:50:37 +0100 Subject: [ticket/15942] Allow array in confirm_box title PHPBB3-15942 --- phpBB/includes/functions.php | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 99f65a0e92..067f453e6d 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2130,7 +2130,7 @@ function check_form_key($form_name, $timespan = false) /** * Build Confirm box * @param boolean $check True for checking if confirmed (without any additional parameters) and false for displaying the confirm box -* @param string $title Title/Message used for confirm box. +* @param string|array $title Title/Message used for confirm box. * message text is _CONFIRM appended to title. * If title cannot be found in user->lang a default one is displayed * If title_CONFIRM cannot be found in user->lang the text given is used. @@ -2182,13 +2182,27 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo // generate activation key $confirm_key = gen_rand_string(10); + // generate language strings + if (is_array($title)) + { + $key = array_shift($title); + $count = array_shift($title); + $confirm_title = isset($user->lang[$key]) ? $user->lang($key, $count, $title) : $user->lang('CONFIRM'); + $confirm_text = isset($user->lang[$key . '_CONFIRM']) ? $user->lang($key . '_CONFIRM', $count, $title) : $key; + } + else + { + $confirm_title = isset($user->lang[$title]) ? $user->lang($title) : $user->lang('CONFIRM'); + $confirm_text = isset($user->lang[$title . '_CONFIRM']) ? $user->lang($title . '_CONFIRM') : $title; + } + if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin']) { - adm_page_header((!isset($user->lang[$title])) ? $user->lang['CONFIRM'] : $user->lang[$title]); + adm_page_header($confirm_title); } else { - page_header((!isset($user->lang[$title])) ? $user->lang['CONFIRM'] : $user->lang[$title]); + page_header($confirm_title); } $template->set_filenames(array( @@ -2208,8 +2222,8 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo $u_action .= ((strpos($u_action, '?') === false) ? '?' : '&') . 'confirm_key=' . $confirm_key; $template->assign_vars(array( - 'MESSAGE_TITLE' => (!isset($user->lang[$title])) ? $user->lang['CONFIRM'] : $user->lang($title, 1), - 'MESSAGE_TEXT' => (!isset($user->lang[$title . '_CONFIRM'])) ? $title : $user->lang[$title . '_CONFIRM'], + 'MESSAGE_TITLE' => $confirm_title, + 'MESSAGE_TEXT' => $confirm_text, 'YES_VALUE' => $user->lang['YES'], 'S_CONFIRM_ACTION' => $u_action, @@ -2227,8 +2241,8 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo $json_response = new \phpbb\json_response; $json_response->send(array( 'MESSAGE_BODY' => $template->assign_display('body'), - 'MESSAGE_TITLE' => (!isset($user->lang[$title])) ? $user->lang['CONFIRM'] : $user->lang[$title], - 'MESSAGE_TEXT' => (!isset($user->lang[$title . '_CONFIRM'])) ? $title : $user->lang[$title . '_CONFIRM'], + 'MESSAGE_TITLE' => $confirm_title, + 'MESSAGE_TEXT' => $confirm_text, 'YES_VALUE' => $user->lang['YES'], 'S_CONFIRM_ACTION' => str_replace('&', '&', $u_action), //inefficient, rewrite whole function -- cgit v1.2.1 From 2cd574321fb4cfbdff58c71df5c70565c1c88e8c Mon Sep 17 00:00:00 2001 From: 3D-I Date: Wed, 20 Feb 2019 19:56:46 +0100 Subject: [ticket/15972] Add core.markread_after PHPBB3-15972 --- phpBB/includes/functions.php | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 99f65a0e92..7a42852094 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -952,6 +952,27 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ return; } + + /** + * This event is used for performing actions directly after forums, + * topics or posts have been marked as read. + * + * @event core.markread_after + * @var string mode Variable containing marking mode value + * @var mixed forum_id Variable containing forum id, or false + * @var mixed topic_id Variable containing topic id, or false + * @var int post_time Variable containing post time + * @var int user_id Variable containing the user id + * @since 3.2.6-RC1 + */ + $vars = array( + 'mode', + 'forum_id', + 'topic_id', + 'post_time', + 'user_id', + ); + extract($phpbb_dispatcher->trigger_event('core.markread_after', compact($vars))); } /** -- cgit v1.2.1 From 8e8fa203b98191428a28207c7e4ae3c3f3bef04a Mon Sep 17 00:00:00 2001 From: 3D-I Date: Tue, 26 Feb 2019 23:53:59 +0100 Subject: [ticket/15972] Let the event be triggered Removes old coding which is there just to save a few iterations. PHPBB3-15972 --- phpBB/includes/functions.php | 8 -------- 1 file changed, 8 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 7a42852094..e2ea7ad232 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -680,8 +680,6 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ } } } - - return; } else if ($mode == 'topics') { @@ -808,8 +806,6 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ unset($tracking); } - - return; } else if ($mode == 'topic') { @@ -923,8 +919,6 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ $user->set_cookie('track', tracking_serialize($tracking), $post_time + 31536000); $request->overwrite($config['cookie_name'] . '_track', tracking_serialize($tracking), \phpbb\request\request_interface::COOKIE); } - - return; } else if ($mode == 'post') { @@ -949,8 +943,6 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ $db->sql_return_on_error(false); } - - return; } /** -- cgit v1.2.1 From 2131adac5c82ec14995f1e2cbcaee74f855b430c Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Tue, 16 Apr 2019 10:15:01 +0200 Subject: [ticket/15942] Update DocBlock PHPBB3-15942 --- phpBB/includes/functions.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 067f453e6d..01b292f822 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2134,6 +2134,8 @@ function check_form_key($form_name, $timespan = false) * message text is _CONFIRM appended to title. * If title cannot be found in user->lang a default one is displayed * If title_CONFIRM cannot be found in user->lang the text given is used. +* If title is an array, the first array value is used as explained per above, +* all other array values are send as parameters to the language function. * @param string $hidden Hidden variables * @param string $html_body Template used for confirm box * @param string $u_action Custom form action -- cgit v1.2.1 From a16ebf04d397095df3ef4e6ee426df4959468c4f Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Tue, 16 Apr 2019 10:38:26 +0200 Subject: [ticket/15942] Past tense PHPBB3-15942 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 01b292f822..e55866cb74 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2135,7 +2135,7 @@ function check_form_key($form_name, $timespan = false) * If title cannot be found in user->lang a default one is displayed * If title_CONFIRM cannot be found in user->lang the text given is used. * If title is an array, the first array value is used as explained per above, -* all other array values are send as parameters to the language function. +* all other array values are sent as parameters to the language function. * @param string $hidden Hidden variables * @param string $html_body Template used for confirm box * @param string $u_action Custom form action -- cgit v1.2.1 From 0e38bebaa56dcf8921df99e8eb85e3046721dd13 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 17 Apr 2019 08:22:44 +0200 Subject: [ticket/15942] Add language to compatibility globals & use in confirm_box PHPBB3-15942 --- phpBB/includes/functions.php | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index e55866cb74..40b6f7bb45 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2139,18 +2139,20 @@ function check_form_key($form_name, $timespan = false) * @param string $hidden Hidden variables * @param string $html_body Template used for confirm box * @param string $u_action Custom form action +* +* @return bool True if confirmation was successful, false if not */ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_body.html', $u_action = '') { global $user, $template, $db, $request; - global $config, $phpbb_path_helper; + global $config, $language, $phpbb_path_helper; if (isset($_POST['cancel'])) { return false; } - $confirm = ($user->lang['YES'] === $request->variable('confirm', '', true, \phpbb\request\request_interface::POST)); + $confirm = ($language->lang('YES') === $request->variable('confirm', '', true, \phpbb\request\request_interface::POST)); if ($check && $confirm) { @@ -2189,13 +2191,13 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo { $key = array_shift($title); $count = array_shift($title); - $confirm_title = isset($user->lang[$key]) ? $user->lang($key, $count, $title) : $user->lang('CONFIRM'); - $confirm_text = isset($user->lang[$key . '_CONFIRM']) ? $user->lang($key . '_CONFIRM', $count, $title) : $key; + $confirm_title = $language->is_set($key) ? $language->lang($key, $count, $title) : $language->lang('CONFIRM'); + $confirm_text = $language->is_set($key . '_CONFIRM') ? $language->lang($key . '_CONFIRM', $count, $title) : $key; } else { - $confirm_title = isset($user->lang[$title]) ? $user->lang($title) : $user->lang('CONFIRM'); - $confirm_text = isset($user->lang[$title . '_CONFIRM']) ? $user->lang($title . '_CONFIRM') : $title; + $confirm_title = $language->is_set($title) ? $language->lang($title) : $language->lang('CONFIRM'); + $confirm_text = $language->is_set($title . '_CONFIRM') ? $language->lang($title . '_CONFIRM') : $title; } if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin']) @@ -2227,7 +2229,7 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo 'MESSAGE_TITLE' => $confirm_title, 'MESSAGE_TEXT' => $confirm_text, - 'YES_VALUE' => $user->lang['YES'], + 'YES_VALUE' => $language->lang('YES'), 'S_CONFIRM_ACTION' => $u_action, 'S_HIDDEN_FIELDS' => $hidden . $s_hidden_fields, 'S_AJAX_REQUEST' => $request->is_ajax(), @@ -2246,7 +2248,7 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo 'MESSAGE_TITLE' => $confirm_title, 'MESSAGE_TEXT' => $confirm_text, - 'YES_VALUE' => $user->lang['YES'], + 'YES_VALUE' => $language->lang('YES'), 'S_CONFIRM_ACTION' => str_replace('&', '&', $u_action), //inefficient, rewrite whole function 'S_HIDDEN_FIELDS' => $hidden . $s_hidden_fields )); @@ -2260,6 +2262,8 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo { page_footer(); } + + exit; // unreachable, page_footer() above will call exit() } /** -- cgit v1.2.1 From b8368980162392bf9f97496ecec18abe2bd34fad Mon Sep 17 00:00:00 2001 From: Derky Date: Fri, 26 Apr 2019 12:08:37 +0200 Subject: [ticket/security/228] Add form token to login box SECURITY-228 --- phpBB/includes/functions.php | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index e2ea7ad232..6df2ebaba7 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2268,6 +2268,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa global $request, $phpbb_container, $phpbb_dispatcher, $phpbb_log; $err = ''; + $form_name = 'login'; // Make sure user->setup() has been called if (!$user->is_setup()) @@ -2343,8 +2344,19 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa trigger_error('NO_AUTH_ADMIN_USER_DIFFER'); } - // If authentication is successful we redirect user to previous page - $result = $auth->login($username, $password, $autologin, $viewonline, $admin); + // Check form key + if ($password && !check_form_key($form_name)) + { + $result = array( + 'status' => false, + 'error_msg' => 'FORM_INVALID', + ); + } + else + { + // If authentication is successful we redirect user to previous page + $result = $auth->login($username, $password, $autologin, $viewonline, $admin); + } // If admin authentication and login, we will log if it was a success or not... // We also break the operation on the first non-success login - it could be argued that the user already knows @@ -2495,6 +2507,9 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa )); } + // Add form token for login box + add_form_key($form_name, '_LOGIN'); + $s_hidden_fields = build_hidden_fields($s_hidden_fields); $login_box_template_data = array( -- cgit v1.2.1 From 540a6b7d2e7bfb9f2c24636a37127b16bbf6bc46 Mon Sep 17 00:00:00 2001 From: rubencm Date: Mon, 29 Apr 2019 15:44:31 +0000 Subject: [ticket/16036] Add S_FORM_TOKEN_LOGIN to all login forms PHPBB3-16036 --- phpBB/includes/functions.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 1d1c9f6f4f..9032b79cbf 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2664,6 +2664,9 @@ function login_forum_box($forum_data) page_header($user->lang['LOGIN']); + // Add form token for login box + add_form_key('login', '_LOGIN'); + $template->assign_vars(array( 'FORUM_NAME' => isset($forum_data['forum_name']) ? $forum_data['forum_name'] : '', 'S_LOGIN_ACTION' => build_url(array('f')), -- cgit v1.2.1 From 3c822556c137a8517dd6a34963bced89b2a150ed Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 2 May 2019 21:21:07 +0200 Subject: [ticket/16042] Use S_LOGIN_REDIRECT to output login form token PHPBB3-16042 --- phpBB/includes/functions.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 9032b79cbf..f39b24d94a 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -4439,6 +4439,18 @@ function page_header($page_title = '', $display_online_list = false, $item_id = $controller_helper = $phpbb_container->get('controller.helper'); $notification_mark_hash = generate_link_hash('mark_all_notifications_read'); + /** + * Workaround for missing template variable in pre phpBB 3.2.6 styles. + * @deprecated 3.2.7 (To be removed: 3.3.0-a1) + */ + $form_token_login = $template->retrieve_var('S_FORM_TOKEN_LOGIN'); + $s_login_redirect = build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url()))); + if (!empty($form_token_login)) + { + $s_login_redirect .= $form_token_login; + $template->assign_var('S_FORM_TOKEN_LOGIN', ''); + } + // The following assigns all _common_ variables that may be used at any point in a template. $template->assign_vars(array( 'SITENAME' => $config['sitename'], @@ -4528,7 +4540,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id = 'S_TOPIC_ID' => $topic_id, 'S_LOGIN_ACTION' => ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("{$phpbb_admin_path}index.$phpEx", false, true, $user->session_id)), - 'S_LOGIN_REDIRECT' => build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url()))), + 'S_LOGIN_REDIRECT' => $s_login_redirect, 'S_ENABLE_FEEDS' => ($config['feed_enable']) ? true : false, 'S_ENABLE_FEEDS_OVERALL' => ($config['feed_overall']) ? true : false, -- cgit v1.2.1 From 4b6bdbe5580ccaaa73e51e15554aa9013c7020ce Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 2 May 2019 21:29:11 +0200 Subject: [ticket/16042] Adjust positioning and add comment to overwrite PHPBB3-16042 --- phpBB/includes/functions.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index f39b24d94a..5234c3472d 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -4439,15 +4439,16 @@ function page_header($page_title = '', $display_online_list = false, $item_id = $controller_helper = $phpbb_container->get('controller.helper'); $notification_mark_hash = generate_link_hash('mark_all_notifications_read'); + $s_login_redirect = build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url()))); /** * Workaround for missing template variable in pre phpBB 3.2.6 styles. * @deprecated 3.2.7 (To be removed: 3.3.0-a1) */ $form_token_login = $template->retrieve_var('S_FORM_TOKEN_LOGIN'); - $s_login_redirect = build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url()))); if (!empty($form_token_login)) { $s_login_redirect .= $form_token_login; + // Remove S_FORM_TOKEN_LOGIN as it's already appended to S_LOGIN_REDIRECT $template->assign_var('S_FORM_TOKEN_LOGIN', ''); } -- cgit v1.2.1 From 0c3ff0419c81c0901b6a991d70f2e5e709e4a233 Mon Sep 17 00:00:00 2001 From: espipj Date: Mon, 27 May 2019 21:26:44 +0100 Subject: [ticket/16070] Remove unused code PHPBB3-16070 --- phpBB/includes/functions.php | 21 --------------------- 1 file changed, 21 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 5234c3472d..5ade4854c1 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -1843,27 +1843,6 @@ function redirect($url, $return = false, $disable_cd_check = false) garbage_collection(); } - // Redirect via an HTML form for PITA webservers - if (@preg_match('#WebSTAR|Xitami#', getenv('SERVER_SOFTWARE'))) - { - header('Refresh: 0; URL=' . $url); - - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - echo '' . $user->lang['REDIRECT'] . ''; - echo ''; - echo ''; - echo '
' . sprintf($user->lang['URL_REDIRECT'], '', '') . '
'; - echo ''; - echo ''; - - exit; - } - // Behave as per HTTP/1.1 spec for others header('Location: ' . $url); exit; -- cgit v1.2.1 From 30f8e5d638dd7f6d321c152b0eeea6ddf5ed361c Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 20 Jul 2019 09:41:55 +0200 Subject: [ticket/16101] Add Referrer-Policy header to phpBB's headers PHPBB3-16101 --- phpBB/includes/functions.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 5234c3472d..73d333bd7e 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -4592,12 +4592,13 @@ function page_header($page_title = '', $display_online_list = false, $item_id = if ($send_headers) { - // An array of http headers that phpbb will set. The following event may override these. + // An array of http headers that phpBB will set. The following event may override these. $http_headers += array( // application/xhtml+xml not used because of IE 'Content-type' => 'text/html; charset=UTF-8', 'Cache-Control' => 'private, no-cache="set-cookie"', 'Expires' => gmdate('D, d M Y H:i:s', time()) . ' GMT', + 'Referrer-Policy' => 'strict-origin-when-cross-origin', ); if (!empty($user->data['is_bot'])) { -- cgit v1.2.1 From 90dcd1a0f48b45a92d047c9c0353ace1360d6431 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Mon, 24 Jun 2019 11:05:45 +0200 Subject: [ticket/16089] Add core.confirm_box_ajax_before PHPBB3-16089 --- phpBB/includes/functions.php | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 5234c3472d..3acccb1e93 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2158,7 +2158,7 @@ function check_form_key($form_name, $timespan = false) function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_body.html', $u_action = '') { global $user, $template, $db, $request; - global $config, $language, $phpbb_path_helper; + global $config, $language, $phpbb_path_helper, $phpbb_dispatcher; if (isset($_POST['cancel'])) { @@ -2255,8 +2255,7 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo if ($request->is_ajax()) { $u_action .= '&confirm_uid=' . $user->data['user_id'] . '&sess=' . $user->session_id . '&sid=' . $user->session_id; - $json_response = new \phpbb\json_response; - $json_response->send(array( + $data = array( 'MESSAGE_BODY' => $template->assign_display('body'), 'MESSAGE_TITLE' => $confirm_title, 'MESSAGE_TEXT' => $confirm_text, @@ -2264,7 +2263,28 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo 'YES_VALUE' => $language->lang('YES'), 'S_CONFIRM_ACTION' => str_replace('&', '&', $u_action), //inefficient, rewrite whole function 'S_HIDDEN_FIELDS' => $hidden . $s_hidden_fields - )); + ); + + /** + * This event allows an extension to modify the ajax output of confirm box. + * + * @event core.confirm_box_ajax_before + * @var string u_action Action of the form + * @var array data Data to be sent + * @var string hidden Hidden fields generated by caller + * @var string s_hidden_fields Hidden fields generated by this function + * @since 3.2.8-RC1 + */ + $vars = array( + 'u_action', + 'data', + 'hidden', + 's_hidden_fields', + ); + extract($phpbb_dispatcher->trigger_event('core.confirm_box_ajax_before', compact($vars))); + + $json_response = new \phpbb\json_response; + $json_response->send($data); } if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin']) -- cgit v1.2.1 From 636fc7fad7dcb61622f23b36141b87ee13a1090d Mon Sep 17 00:00:00 2001 From: EA117 Date: Sun, 28 Jul 2019 12:25:54 -0500 Subject: [ticket/16066] Fix FORM_INVALID always returned for banned user. After the introduction of add_form_key() and check_form_key() calls to login_box() in phpBB 3.2.6 and later, if a banned user attempts to login, they receive a "The submitted form was invalid. Try submitting again." Instead of the message indicating that they are banned, and why. This is happening because check_ban() actually calls into login_box() recursively, but after the $user->session_id has been switched to a new session ID for the logging-on user. Therefore, now that check_form_key() has been introduced to login_box(), it is impossible for check_form_key() to succeed during this recursive call. Fix is to make login_box()'s use of check_form_key() conditional on whether IN_CHECK_BAN is defined, so that the recursive call does not attempt to re-validate the form_key again. Note the form_key has already been successfully verified by the original call into login_box(), prior to calling into check_ban() and attempting to recursively call login_box(). So the protection of why check_form_key() was added is still intact with this change. PHPBB3-16066 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 5cc6826cb9..7b48ca9333 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2364,7 +2364,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa } // Check form key - if ($password && !check_form_key($form_name)) + if ($password && !defined('IN_CHECK_BAN') && !check_form_key($form_name)) { $result = array( 'status' => false, -- cgit v1.2.1 From 792882ef63977c6b7ca068c65383fb8be8372172 Mon Sep 17 00:00:00 2001 From: EA117 Date: Sun, 28 Jul 2019 15:15:39 -0500 Subject: [ticket/16054] Restore ability to login from any template. Moving the login form's add_form_key() work into page_header(), so that the template variables required for presenting a login form are again available to any template that chooses to consume them. PHPBB3-16054 --- phpBB/includes/functions.php | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 5cc6826cb9..3a3cc44ad5 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2526,9 +2526,6 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa )); } - // Add form token for login box - add_form_key($form_name, '_LOGIN'); - $s_hidden_fields = build_hidden_fields($s_hidden_fields); $login_box_template_data = array( @@ -2663,9 +2660,6 @@ function login_forum_box($forum_data) page_header($user->lang['LOGIN']); - // Add form token for login box - add_form_key('login', '_LOGIN'); - $template->assign_vars(array( 'FORUM_NAME' => isset($forum_data['forum_name']) ? $forum_data['forum_name'] : '', 'S_LOGIN_ACTION' => build_url(array('f')), @@ -4439,6 +4433,10 @@ function page_header($page_title = '', $display_online_list = false, $item_id = $notification_mark_hash = generate_link_hash('mark_all_notifications_read'); $s_login_redirect = build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url()))); + + // Add form token for login box, in case page is presenting a login form. + add_form_key('login', '_LOGIN'); + /** * Workaround for missing template variable in pre phpBB 3.2.6 styles. * @deprecated 3.2.7 (To be removed: 3.3.0-a1) -- cgit v1.2.1