From ac26bb458f2a2ea60848921826c69bfe03e676db Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Thu, 28 Oct 2010 21:41:14 +0200 Subject: [ticket/9764] Allow $config['mime_triggers'] to be an empty string. explode('|', '') and explode('|', NULL) both return array(0 => '') which can cause filespec::check_content() to reject everything starting with a '<' character in case $config['mime_triggers'] is an empty string or not set. fileupload::set_disallowed_content() now filters out empty strings by calling array_diff() on the passed array, so setting $config['mime_triggers'] to an empty string will turn off mime checking completely. On the other side we want to fail safe if $config['mime_triggers'] is not set at all. To do this, the array fileupload::$disallowed_content now contains some default strings to be filtered out. PHPBB3-9764 --- phpBB/includes/functions_user.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index f2c80705ba..90341cd926 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -2080,7 +2080,7 @@ function avatar_upload($data, &$error) // Init upload class include_once($phpbb_root_path . 'includes/functions_upload.' . $phpEx); - $upload = new fileupload('AVATAR_', array('jpg', 'jpeg', 'gif', 'png'), $config['avatar_filesize'], $config['avatar_min_width'], $config['avatar_min_height'], $config['avatar_max_width'], $config['avatar_max_height'], explode('|', $config['mime_triggers'])); + $upload = new fileupload('AVATAR_', array('jpg', 'jpeg', 'gif', 'png'), $config['avatar_filesize'], $config['avatar_min_width'], $config['avatar_min_height'], $config['avatar_max_width'], $config['avatar_max_height'], (isset($config['mime_triggers']) ? explode('|', $config['mime_triggers']) : false)); if (!empty($_FILES['uploadfile']['name'])) { -- cgit v1.2.1 
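Review bot: The `false` passed on the new `$upload = new fileupload(...)` line when `mime_triggers` is unset relies on the `fileupload` constructor treating a non-array as "keep the default disallowed content", and a reader of this call also cannot see that a set-but-empty `mime_triggers` now switches content checking off entirely; both facts live only in the commit message. A comment above the call would keep that contract visible at the one place it matters: `// mime_triggers unset: pass false so fileupload keeps its fail-safe defaults; an empty string intentionally disables the check.` The eight positional arguments are also easy to misorder — naming the last one in a local, `$mime_triggers = isset(...) ? explode('|', ...) : false;`, before the call would make the intent clearer than the inline ternary. avatar_upload's body starts and continues outside the hunk.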
From e6219c83c7302424f670d4160798db4952a48f0c Mon Sep 17 00:00:00 2001 From: Callum Macrae Date: Thu, 24 Feb 2011 14:13:45 +0000 Subject: [ticket/9872] Removed some useless code that broke delete_posts When in the ACP, there is the option to delete a user and all their posts. This would then call the user_delete function and define $mode as 'remove'. On lines 485-521 was some code that would delete their topics, then after that there would be a call to delete_posts - which would also delete their topics. It would not update the board statistics, and the thread count would remain the same, even though several had been deleted. It stopped delete_topics functioning correctly, so delete_topics would not update the board statistics either. My solution to this is to delete lines 485-521 and allow delete_posts to call delete_topics, thus updating the thread count in the statistics. PHPBB3-9872 --- phpBB/includes/functions_user.php | 38 -------------------------------------- 1 file changed, 38 deletions(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 90341cd926..0420aa70ab 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php 
@@ -482,44 +482,6 @@ function user_delete($mode, $user_id, $post_username = false) include($phpbb_root_path . 'includes/functions_admin.' . $phpEx); } - $sql = 'SELECT topic_id, COUNT(post_id) AS total_posts - FROM ' . POSTS_TABLE . " - WHERE poster_id = $user_id - GROUP BY topic_id"; - $result = $db->sql_query($sql); - - $topic_id_ary = array(); - while ($row = $db->sql_fetchrow($result)) - { - $topic_id_ary[$row['topic_id']] = $row['total_posts']; - } - $db->sql_freeresult($result); - - if (sizeof($topic_id_ary)) - { - $sql = 'SELECT topic_id, topic_replies, topic_replies_real - FROM ' . TOPICS_TABLE . ' - WHERE ' . $db->sql_in_set('topic_id', array_keys($topic_id_ary)); - $result = $db->sql_query($sql); - - $del_topic_ary = array(); - while ($row = $db->sql_fetchrow($result)) - { - if (max($row['topic_replies'], $row['topic_replies_real']) + 1 == $topic_id_ary[$row['topic_id']]) - { - $del_topic_ary[] = $row['topic_id']; - } - } - $db->sql_freeresult($result); - - if (sizeof($del_topic_ary)) - { - $sql = 'DELETE FROM ' . TOPICS_TABLE . ' - WHERE ' . $db->sql_in_set('topic_id', $del_topic_ary); - $db->sql_query($sql); - } - } - // Delete posts, attachments, etc. delete_posts('poster_id', $user_id); -- cgit v1.2.1 From f7723b3e959b0cfd5ae738f9745f367aef1f0d47 Mon Sep 17 00:00:00 2001 From: Josh Woody Date: Wed, 5 Jan 2011 18:48:57 -0600 Subject: [ticket/9970] User language input is checked for existance Users could select a language which did not exist in the database by altering form fields because there was no back-end verification. PHPBB3-9970 --- phpBB/includes/functions_user.php | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 0420aa70ab..7bab51323b 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php 
@@ -1421,6 +1421,36 @@ function validate_match($string, $optional = false, $match = '') return false; } +/** +* Validate Language string +* +* Tests whether a language string is valid and exists on the disk +* This is the same criteria used to determine whether to include it or not. +* +* @param $lang - The language string to test +* +* @return boolean|string Either false if validation succeeded or a string which will be used as the error message (with the variable name appended) +*/ +function validate_language($lang) +{ + global $phpbb_root_path; + + // Note: Two language strings are identical here because the English + // version "Language you specified is not valid" is correct for both + // cases + if (!preg_match('#^[a-z_\-]{2,}$#i', $lang)) + { + return 'WRONG_DATA'; + } + + if (!file_exists($phpbb_root_path . 'language/' . $lang . '/')) + { + return 'WRONG_DATA'; + } + + return false; +} + /** * Check to see if the username has been taken, or if it is disallowed. * Also checks if it includes the " character, which we don't allow in usernames. -- cgit v1.2.1 From 405ef3982891712b0d88a04502ee2ad0141d571f Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Sun, 6 Mar 2011 23:47:47 +0100 Subject: [ticket/9970] Check whether language pack is installed. PHPBB3-9970 --- phpBB/includes/functions_user.php | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 7bab51323b..9b0175694d 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php 
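Review bot: The pattern `#^[a-z_\-]{2,}$#i` lets a trailing newline through, because `$` in PCRE also matches just before a final `\n`; anchoring with `\z` or adding the `D` modifier (`#^[a-z_\-]{2,}$#iD`) closes that gap. The character class already excludes `.` and `/`, so the value cannot escape the `language/` directory when it is concatenated into the path on the `file_exists` line — that is the property worth stating in the docblock, since it is what makes the later string concatenation safe. `file_exists` is also true for a plain file named like a language, so `is_dir` is the check that matches what the docblock calls "exists on the disk".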
@@ -1422,33 +1422,28 @@ function validate_match($string, $optional = false, $match = '') } /** -* Validate Language string +* Validate Language Pack ISO Name * -* Tests whether a language string is valid and exists on the disk -* This is the same criteria used to determine whether to include it or not. +* Tests whether a language name is valid and installed * -* @param $lang - The language string to test +* @param string $lang The language string to test * -* @return boolean|string Either false if validation succeeded or a string which will be used as the error message (with the variable name appended) +* @return bool|string Either false if validation succeeded or +* a string which will be used as the error message +* (with the variable name appended) */ function validate_language($lang) { - global $phpbb_root_path; - - // Note: Two language strings are identical here because the English - // version "Language you specified is not valid" is correct for both - // cases - if (!preg_match('#^[a-z_\-]{2,}$#i', $lang)) - { - return 'WRONG_DATA'; - } + global $db; - if (!file_exists($phpbb_root_path . 'language/' . $lang . '/')) - { - return 'WRONG_DATA'; - } + $sql = 'SELECT lang_id + FROM ' . LANG_TABLE . " + WHERE lang_iso = '" . $db->sql_escape($lang) . "'"; + $result = $db->sql_query($sql); + $lang_id = (int) $db->sql_fetchfield('lang_id'); + $db->sql_freeresult($result); - return false; + return ($lang_id) ? false : 'WRONG_DATA'; } /** -- cgit v1.2.1 From ac9019068202efde7c532462ca5fce8523956db7 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Mon, 7 Mar 2011 00:23:49 +0100 Subject: [ticket/9970] Rename validate_language() to validate_language_iso_name(). PHPBB3-9970 --- phpBB/includes/functions_user.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 9b0175694d..8a204995aa 100644 
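Review bot: Replacing the format and filesystem checks with the `lang_iso = '...'` lookup makes acceptance depend on the database collation: on a case-insensitive collation `EN` is reported as installed, while the value is presumably later used to build a `language/...` path, which would not resolve on a case-sensitive filesystem. Keeping the removed guard as the first statement, `if (!preg_match('#^[a-z_\-]{2,}$#i', $lang)) { return 'WRONG_DATA'; }`, restricts the accepted characters again independently of `sql_escape`, and the docblock should say whether the comparison is meant to be case-sensitive. The `(int)` cast on the `$lang_id` line treats an id of 0 as "not installed"; if `lang_id` values start at 1 that is fine, but a short comment saying so would save the next reader the question.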
--- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1426,19 +1426,19 @@ function validate_match($string, $optional = false, $match = '') * * Tests whether a language name is valid and installed * -* @param string $lang The language string to test +* @param string $lang_iso The language string to test * -* @return bool|string Either false if validation succeeded or -* a string which will be used as the error message -* (with the variable name appended) +* @return bool|string Either false if validation succeeded or +* a string which will be used as the error message +* (with the variable name appended) */ -function validate_language($lang) +function validate_language_iso_name($lang_iso) { global $db; $sql = 'SELECT lang_id FROM ' . LANG_TABLE . " - WHERE lang_iso = '" . $db->sql_escape($lang) . "'"; + WHERE lang_iso = '" . $db->sql_escape($lang_iso) . "'"; $result = $db->sql_query($sql); $lang_id = (int) $db->sql_fetchfield('lang_id'); $db->sql_freeresult($result); -- cgit v1.2.1 From a83518982394f93e843e68f663fd39b2d6fd5150 Mon Sep 17 00:00:00 2001 From: rxu Date: Tue, 15 Mar 2011 22:21:43 +0700 Subject: [ticket/9751] Password requirement "Must contain letters and numbers" fails PHPBB3-9751 --- phpBB/includes/functions_user.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 8a204995aa..88e07f729c 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1617,7 +1617,6 @@ function validate_password($password) { $upp = '\p{Lu}'; $low = '\p{Ll}'; - $let = '\p{L}'; $num = '\p{N}'; $sym = '[^\p{Lu}\p{Ll}\p{N}]'; $pcre = true; 
@@ -1627,7 +1626,6 @@ function validate_password($password) mb_regex_encoding('UTF-8'); $upp = '[[:upper:]]'; $low = '[[:lower:]]'; - $let = '[[:lower:][:upper:]]'; $num = '[[:digit:]]'; $sym = '[^[:upper:][:lower:][:digit:]]'; $mbstring = true; @@ -1636,7 +1634,6 @@ function validate_password($password) { $upp = '[A-Z]'; $low = '[a-z]'; - $let = '[a-zA-Z]'; $num = '[0-9]'; $sym = '[^A-Za-z0-9]'; $pcre = true; @@ -1652,7 +1649,8 @@ function validate_password($password) break; case 'PASS_TYPE_ALPHA': - $chars[] = $let; + $chars[] = $low; + $chars[] = $upp; $chars[] = $num; break; -- cgit v1.2.1 From dba8cf12fd2573edc9722076770140c7b4024f6b Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Fri, 25 Mar 2011 22:48:44 +0100 Subject: [ticket/9751] Use a switch/case block without break for password complexity. PHPBB3-9751 --- phpBB/includes/functions_user.php | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 88e07f729c..c51e571e31 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1643,23 +1643,25 @@ function validate_password($password) switch ($config['pass_complex']) { - case 'PASS_TYPE_CASE': - $chars[] = $low; - $chars[] = $upp; - break; + // No break statements below ... + // We require strong passwords in case pass_complex is not set or is invalid + default: + // Require mixed case letters, numbers and symbols + case 'PASS_TYPE_SYMBOL': + $chars[] = $sym; + + // Require mixed case letters and numbers case 'PASS_TYPE_ALPHA': - $chars[] = $low; - $chars[] = $upp; $chars[] = $num; - break; - case 'PASS_TYPE_SYMBOL': + // Require mixed case letters + case 'PASS_TYPE_CASE': $chars[] = $low; $chars[] = $upp; - $chars[] = $num; - $chars[] = $sym; - break; + + // No requirements + case 'PASS_TYPE_ANY': } if ($pcre) -- cgit v1.2.1 
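Review bot: In the `@@ -1652` hunk PASS_TYPE_ALPHA now pushes `$low` and `$upp` as separate requirements, so a password containing only lower-case letters and digits would be rejected under a setting the ticket title describes as "Must contain letters and numbers"; the follow-up hunk (`@@ -1643`, commit dba8cf12) documents the case as "Require mixed case letters and numbers", so if that stricter meaning is intended the admin-facing wording for the option should be checked, otherwise `$chars[] = $let;` with a single letter class should be restored. In the follow-up's switch, the deliberate fall-through from `default:` down to `PASS_TYPE_CASE` is the whole mechanism, and the accompanying comment would be stronger if it named the resulting sets explicitly, e.g. `// Fall-through is intentional: SYMBOL => sym+num+low+upp, ALPHA => num+low+upp, CASE => low+upp`. validate_password's body starts and ends outside these hunks.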
From 7cc32d3843afbb754b3de101bda2267012647c2f Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Fri, 25 Mar 2011 23:11:15 +0100 Subject: [ticket/9751] Compare $password with empty string instead of casting it to bool PHPBB3-9751 --- phpBB/includes/functions_user.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index c51e571e31..6ac6317dd2 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1605,7 +1605,7 @@ function validate_password($password) { global $config, $db, $user; - if (!$password) + if ($password === '') { return false; } -- cgit v1.2.1 From 4dce53628c97062b1085eb714892f6d81ae07699 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Fri, 25 Mar 2011 23:15:40 +0100 Subject: [ticket/9751] Add shortcut logic for pass_complex == PASS_TYPE_ANY. Add shortcut logic for pass_complex because this is the default value phpBB ships with and there is nothing to do in that function in that case. PHPBB3-9751 --- phpBB/includes/functions_user.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 6ac6317dd2..89ce52dc39 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1605,8 +1605,9 @@ function validate_password($password) { global $config, $db, $user; - if ($password === '') + if ($password === '' || $config['pass_complex'] === 'PASS_TYPE_ANY') { + // Password empty or no password complexity required. return false; } @@ -1659,9 +1660,6 @@ function validate_password($password) case 'PASS_TYPE_CASE': $chars[] = $low; $chars[] = $upp; - - // No requirements - case 'PASS_TYPE_ANY': } if ($pcre) -- cgit v1.2.1 From 259929ad4e7e0c527f652e3bff1db48e7533fd08 Mon Sep 17 00:00:00 2001 
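Review bot: The strict `$password === ''` on the new condition changes what a non-string argument does: under the old `!$password` a `null` password returned false (no error), whereas now it falls through to the complexity checks and, if this hunk's callers can pass `null`, is reported as failing them. If that is the desired outcome the function's docblock should state that `$password` must be a string and that `"0"` is now a real password; if not, `if (!is_string($password) || $password === '' || $config['pass_complex'] === 'PASS_TYPE_ANY')` keeps the old behaviour for `null` while preserving the fix. validate_password's body continues outside the hunk.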
From: Andreas Fischer Date: Mon, 11 Apr 2011 00:29:48 +0200 Subject: [ticket/10128] Pass E_USER_WARNING to trigger_error() calls from user_ban(). The user_ban() function is shared by the MCP and the ACP. Mark trigger_error() calls as errors by passing E_USER_WARNING to make the error message appear on red background (instead of green background) in the ACP. PHPBB3-10128 --- phpBB/includes/functions_user.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'phpBB/includes/functions_user.php') diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 89ce52dc39..6b5cca8abb 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -733,7 +733,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas } else { - trigger_error('LENGTH_BAN_INVALID'); + trigger_error('LENGTH_BAN_INVALID', E_USER_WARNING); } } } @@ -793,7 +793,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas // Make sure we have been given someone to ban if (!sizeof($sql_usernames)) { - trigger_error('NO_USER_SPECIFIED'); + trigger_error('NO_USER_SPECIFIED', E_USER_WARNING); } $sql = 'SELECT user_id @@ -824,7 +824,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas else { $db->sql_freeresult($result); - trigger_error('NO_USERS'); + trigger_error('NO_USERS', E_USER_WARNING); } $db->sql_freeresult($result); break; @@ -926,7 +926,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas if (empty($banlist_ary)) { - trigger_error('NO_IPS_DEFINED'); + trigger_error('NO_IPS_DEFINED', E_USER_WARNING); } } break; 
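Review bot: Every updated `trigger_error(..., E_USER_WARNING)` call in these hunks is followed by code that assumes the call never returns — in the `@@ -824` hunk the `NO_USERS` branch goes on to a second `$db->sql_freeresult($result)` and then `break`s into the ban with no users, and the `NO_EMAILS_DEFINED` and `NO_MODE` changes in the following `@@ -954` hunk likewise `break` out of the switch and continue. With phpBB's own error handler installed E_USER_WARNING presumably ends the request, so this is safe, but under PHP's default handler a warning returns and the function proceeds with an empty ban list. A comment at the first such call, `// trigger_error() does not return: phpBB's message handler ends the request for E_USER_WARNING`, records the assumption; an explicit return after each call would remove the dependency on which handler is active. user_ban's body starts and ends outside these hunks.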
@@ -954,12 +954,12 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas if (sizeof($ban_list) == 0) { - trigger_error('NO_EMAILS_DEFINED'); + trigger_error('NO_EMAILS_DEFINED', E_USER_WARNING); } break; default: - trigger_error('NO_MODE'); + trigger_error('NO_MODE', E_USER_WARNING); break; } -- cgit v1.2.1