From c3aca59cfb58ffc40f8e85f57513c75530abbd18 Mon Sep 17 00:00:00 2001 From: Patrick Webster Date: Sat, 1 Nov 2014 11:49:50 -0500 Subject: [ticket/13268] Properly append ternary result in get_existing_indexes() PHPBB3-13268 --- phpBB/phpbb/db/tools.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/db/tools.php b/phpBB/phpbb/db/tools.php index 0781d7425e..c8d25f23a2 100644 --- a/phpBB/phpbb/db/tools.php +++ b/phpBB/phpbb/db/tools.php @@ -2643,7 +2643,7 @@ class tools AND cols.id = ix.id WHERE ix.id = object_id('{$table_name}') AND cols.name = '{$column_name}' - AND INDEXPROPERTY(ix.id, ix.name, 'IsUnique') = " . ($unique) ? '1' : '0'; + AND INDEXPROPERTY(ix.id, ix.name, 'IsUnique') = " . ($unique ? '1' : '0'); } else { @@ -2657,7 +2657,7 @@ class tools AND cols.object_id = ix.object_id WHERE ix.object_id = object_id('{$table_name}') AND cols.name = '{$column_name}' - AND ix.is_unique = " . ($unique) ? '1' : '0'; + AND ix.is_unique = " . ($unique ? '1' : '0'); } break; -- cgit v1.2.1 From 6b057e026cfb9603c6260d619e0a37e3679aa0d5 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 30 Oct 2014 13:58:09 +0100 Subject: [ticket/13248] Use auth provider collection for getting provider PHPBB3-13248 --- phpBB/phpbb/auth/auth.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/auth/auth.php b/phpBB/phpbb/auth/auth.php index 38755ccf99..b59f0e60ec 100644 --- a/phpBB/phpbb/auth/auth.php +++ b/phpBB/phpbb/auth/auth.php 
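Review bot: `$table_name` and `$column_name` are still interpolated directly into the statement in both tools.php hunks (`object_id('{$table_name}')` and `cols.name = '{$column_name}'`), so a name containing a single quote would break or change the query. The callers are presumably migrations passing fixed identifiers, but the method starts outside both hunks, so any earlier validation cannot be confirmed from here. Escaping at the point of use is cheap, for example `AND cols.name = '" . $this->db->sql_escape($column_name) . "'`, with the same treatment for `$table_name`. A regression test asserting that the unique filter is present in the generated SQL would also keep the precedence bug from returning.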
@@ -927,11 +927,11 @@ class auth */ function login($username, $password, $autologin = false, $viewonline = 1, $admin = 0) { - global $config, $db, $user, $phpbb_root_path, $phpEx, $phpbb_container; + global $db, $user, $phpbb_root_path, $phpEx, $phpbb_container; - $method = trim(basename($config['auth_method'])); + $provider_collection = $phpbb_container->get('auth.provider_collection'); - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider = $provider_collection->get_provider(); if ($provider) { $login = $provider->login($username, $password); -- cgit v1.2.1 From c3f5dc75bed689956b7d4ed1e5b7e0d2c80257c9 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 30 Oct 2014 14:24:33 +0100 Subject: [ticket/13248] Allow specifying different auth provider in provider collection PHPBB3-13248 --- phpBB/phpbb/auth/provider_collection.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/auth/provider_collection.php b/phpBB/phpbb/auth/provider_collection.php index a74a2135dc..bf724419b7 100644 --- a/phpBB/phpbb/auth/provider_collection.php +++ b/phpBB/phpbb/auth/provider_collection.php @@ -38,6 +38,7 @@ class provider_collection extends \phpbb\di\service_collection /** * Get an auth provider. * + * @param string $provider_name The name of the auth provider * @return object Default auth provider selected in config if it * does exist. Otherwise the standard db auth * provider. 
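Review bot: `login()` now inherits the collection's silent fallback. When the configured `auth_method` has no matching service, `get_provider()` returns `auth.provider.db`, whereas the old direct container lookup would presumably have failed. On a board configured for an external provider, this means local database passwords are accepted again with no signal to the administrator. Please log or otherwise surface the fallback, and add a comment above the call such as `// NOTE: get_provider() falls back to auth.provider.db if auth_method is unknown`. The `if ($provider)` guard that follows looks unreachable-false now, since the collection appears to either return a provider or throw; `login()` continues outside the hunk.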
@@ -46,11 +47,12 @@ class provider_collection extends \phpbb\di\service_collection * auth provider exist. The db auth provider * should always exist in a phpBB installation. */ - public function get_provider() + public function get_provider($provider_name = '') { - if ($this->offsetExists('auth.provider.' . basename(trim($this->config['auth_method'])))) + $provider_name = ($provider_name !== '') ?: basename(trim($this->config['auth_method'])); + if ($this->offsetExists('auth.provider.' . $provider_name)) { - return $this->offsetGet('auth.provider.' . basename(trim($this->config['auth_method']))); + return $this->offsetGet('auth.provider.' . $provider_name); } // Revert to db auth provider if selected method does not exist else if ($this->offsetExists('auth.provider.db')) -- cgit v1.2.1 From d9c868d0f5f9c2c097e3fded0ac6882c2f2ff988 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 30 Oct 2014 16:54:43 +0100 Subject: [ticket/13248] Correctly pass provider name PHPBB3-13248 --- phpBB/phpbb/auth/provider_collection.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/auth/provider_collection.php b/phpBB/phpbb/auth/provider_collection.php index bf724419b7..8e7e9e2cc1 100644 --- a/phpBB/phpbb/auth/provider_collection.php +++ b/phpBB/phpbb/auth/provider_collection.php @@ -49,7 +49,7 @@ class provider_collection extends \phpbb\di\service_collection */ public function get_provider($provider_name = '') { - $provider_name = ($provider_name !== '') ?: basename(trim($this->config['auth_method'])); + $provider_name = ($provider_name !== '') ? $provider_name : basename(trim($this->config['auth_method'])); if ($this->offsetExists('auth.provider.' . $provider_name)) { return $this->offsetGet('auth.provider.' . $provider_name); -- cgit v1.2.1 From 28ef238a5ccd41833de364ab14ff21a254a9beaf Mon Sep 17 00:00:00 2001 
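Review bot: An explicitly requested `$provider_name` that is not registered silently falls through to the `auth.provider.db` branch, so a caller asking for one provider can receive a different one without noticing. The `@return` text still describes only the config-selected provider and does not mention this. A caller-supplied name also skips the `basename(trim(...))` normalisation that the config value gets. Either throw when a non-empty `$provider_name` is not found, or document the fallback in the docblock and normalise both paths the same way, for example `$provider_name = basename(trim($provider_name !== '' ? $provider_name : $this->config['auth_method']));`. A unit test calling `get_provider('db')` would also have caught the `?:` slip that the follow-up hunk corrects.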
From: Marc Alexander Date: Sat, 1 Nov 2014 16:26:40 +0100 Subject: [ticket/security-164] Sanitize all global variables in symfony_request class SECURITY-164 --- phpBB/phpbb/symfony_request.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index bf9ddec493..ad949a35f2 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -38,6 +38,9 @@ class symfony_request extends Request array_walk_recursive($get_parameters, $sanitizer); array_walk_recursive($post_parameters, $sanitizer); + array_walk_recursive($server_parameters, $sanitizer); + array_walk_recursive($files_parameters, $sanitizer); + array_walk_recursive($cookie_parameters, $sanitizer); parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } -- cgit v1.2.1 From f534503a66fc81e7bbe589b883167d2343871134 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 1 Nov 2014 22:02:47 +0100 Subject: [ticket/security-164] Correctly format page_name SECURITY-164 --- phpBB/phpbb/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 477e91efd6..14b4c63207 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -87,7 +87,7 @@ class session $symfony_request_path = $phpbb_filesystem->clean_path($symfony_request->getPathInfo()); if ($symfony_request_path !== '/') { - $page_name .= $symfony_request_path; + $page_name .= str_replace('%2F', '/', urlencode($symfony_request_path)); } // current directory within the phpBB root (for example: adm) -- cgit v1.2.1 From be8b5a41c81853cd8f7ba9ee97b68aa512617366 Mon Sep 17 00:00:00 2001 
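Review bot: `array_walk_recursive()` passes only leaf values to `$sanitizer`, so the array keys of the GET, POST, COOKIE and FILES input still reach `parent::__construct()` as raw request data. `$sanitizer` is defined outside the hunk, so its effect on non-string leaves cannot be checked here; confirm that the upload `size` and `error` entries keep a type the parent constructor accepts. I would add a comment above the block: `// Only values are sanitized here; array keys remain untrusted request input.`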
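Review bot: `urlencode()` is the form-encoding variant and turns a space into `+`, which is a literal plus sign inside a path, so a route containing a space would be recorded under a different `page_name`. `rawurlencode()` is the path-safe choice: `$page_name .= str_replace('%2F', '/', rawurlencode($symfony_request_path));`. A short comment explaining why the request path is encoded before being appended would help, since the consumers of `page_name` are outside the hunk.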
From: Marc Alexander Date: Sat, 1 Nov 2014 20:09:08 +0100 Subject: [ticket/13263] Use prosilver as default style if user's style doesn't exist If prosilver is not installed for whatever reason, it will be installed by the newly added migration. PHPBB3-13263 --- .../phpbb/db/migration/data/v31x/style_update.php | 175 +++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v31x/style_update.php (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/db/migration/data/v31x/style_update.php b/phpBB/phpbb/db/migration/data/v31x/style_update.php new file mode 100644 index 0000000000..b0ac80245e --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/style_update.php 
@@ -0,0 +1,175 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v31x; + +class style_update extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array('\phpbb\db\migration\data\v310\gold'); + } + + public function update_data() + { + return array( + array('custom', array(array($this, 'update_installed_styles'))), + ); + } + + public function update_installed_styles() + { + // First check if prosilver is properly installed + $sql = 'SELECT style_id, style_active + FROM ' . $this->table_prefix . "styles + WHERE style_name = 'prosilver'"; + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); + + // Make sure prosilver is installed + if (empty($row) || !isset($row['style_id'])) + { + // Try to parse config file + $cfg = parse_cfg_file($this->phpbb_root_path . 'styles/prosilver/style.cfg'); + + // Stop running this if prosilver doesn't exist + if (empty($cfg)) + { + return; + } + + // Check data + if (!isset($cfg['template_bitfield'])) + { + $cfg['template_bitfield'] = $this->default_bitfield(); + } + + $style = array( + 'style_name' => 'prosilver', + 'style_copyright' => '© phpBB Limited', + 'style_active' => 1, + 'style_path' => 'prosilver', + 'bbcode_bitfield' => $cfg['template_bitfield'], + 'style_parent_id' => 0, + 'style_parent_tree' => '', + ); + + // Add to database + $this->db->sql_transaction('begin'); + + $sql = 'INSERT INTO ' . $this->table_prefix . 'styles + ' . $this->db->sql_build_array('INSERT', $style); + $this->db->sql_query($sql); + + $row = array('style_id' => $this->db->sql_nextid()); + + $this->db->sql_transaction('commit'); + } + // Make sure prosilver is activated + else if (!isset($row['style_active']) || !$row['style_active']) + { + $sql = 'UPDATE ' . STYLES_TABLE . 
' SET style_active = 1 WHERE style_id = ' . $row['style_id']; + $this->db->sql_query($sql); + } + + // Get all currently available styles + $styles = $this->find_style_dirs(); + + // Get IDs of the available styles + $style_ids = array(); + $sql = 'SELECT DISTINCT(style_id) AS style_id + FROM ' . $this->table_prefix . 'styles + WHERE ' . $this->db->sql_in_set('style_name', $styles); + $result = $this->db->sql_query($sql); + while ($styles_row = $this->db->sql_fetchrow()) + { + $style_ids[] = $styles_row['style_id']; + } + $this->db->sql_freeresult($result); + + $sql = 'UPDATE ' . $this->table_prefix . "users + SET user_style = {$row['style_id']} + WHERE " . $this->db->sql_in_set('user_style', $style_ids, true); + $this->db->sql_query($sql); + } + + /** + * Generates default bitfield + * Copied from acp_styles + * + * This bitfield decides which bbcodes are defined in a template. + * + * @return string Bitfield + */ + protected function default_bitfield() + { + static $value; + if (isset($value)) + { + return $value; + } + + if (!class_exists('bitfield')) + { + include($this->phpbb_root_path . 'includes/functions_content.' . $this->php_ext); + } + + // Hardcoded template bitfield to add for new templates + $bitfield = new \bitfield(); + $bitfield->set(0); + $bitfield->set(1); + $bitfield->set(2); + $bitfield->set(3); + $bitfield->set(4); + $bitfield->set(8); + $bitfield->set(9); + $bitfield->set(11); + $bitfield->set(12); + $value = $bitfield->get_base64(); + return $value; + } + + /** + * Find all directories that have styles + * Copied from acp_styles + * + * @return array Directory names + */ + protected function find_style_dirs() + { + $styles = array(); + $styles_path = $this->phpbb_root_path . 'styles/'; + + $dp = @opendir($styles_path); + if ($dp) + { + while (($file = readdir($dp)) !== false) + { + $dir = $styles_path . $file; + if ($file[0] == '.' 
|| !is_dir($dir)) + { + continue; + } + + if (file_exists("{$dir}/style.cfg")) + { + $styles[] = $file; + } + } + closedir($dp); + } + + return $styles; + } +} -- cgit v1.2.1 From d1f85f0de3dd958050df39ea79d2e7cd14147b07 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 1 Nov 2014 23:22:44 +0100 Subject: [ticket/13263] Only install/set prosilver if no style available Users that have a nonexistent style selectd will revert back to the default style. PHPBB3-13263 --- .../phpbb/db/migration/data/v31x/style_update.php | 52 ++++++++++------------ 1 file changed, 24 insertions(+), 28 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/db/migration/data/v31x/style_update.php b/phpBB/phpbb/db/migration/data/v31x/style_update.php index b0ac80245e..9f01514ff6 100644 --- a/phpBB/phpbb/db/migration/data/v31x/style_update.php +++ b/phpBB/phpbb/db/migration/data/v31x/style_update.php 
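Review bot: In `update_installed_styles()` the loop `while ($styles_row = $this->db->sql_fetchrow())` omits `$result`, although the first query in the same method passes it and `sql_freeresult($result)` is called afterwards. It therefore relies on the DBAL's implicit last-query handle; please write `$this->db->sql_fetchrow($result)`. The same loop reappears in the later rewrite of this method. The style id is also concatenated into SQL uncast (`' WHERE style_id = ' . $row['style_id']` and `SET user_style = {$row['style_id']}`), and that statement uses `STYLES_TABLE` while every other query uses `$this->table_prefix`. Casting with `(int) $row['style_id']` and using the prefix consistently would keep the migration predictable. In `find_style_dirs()`, `@opendir()` hides the reason when the styles directory is unreadable.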
@@ -29,16 +29,25 @@ class style_update extends \phpbb\db\migration\migration public function update_installed_styles() { - // First check if prosilver is properly installed - $sql = 'SELECT style_id, style_active - FROM ' . $this->table_prefix . "styles - WHERE style_name = 'prosilver'"; + // Get all currently available styles + $styles = $this->find_style_dirs(); + $style_paths = $style_ids = array(); + + $sql = 'SELECT style_path, style_id + FROM ' . $this->table_prefix . 'styles'; $result = $this->db->sql_query($sql); - $row = $this->db->sql_fetchrow($result); + while ($styles_row = $this->db->sql_fetchrow()) + { + if (in_array($styles_row['style_path'], $styles)) + { + $style_paths[] = $styles_row['style_path']; + $style_ids[] = $styles_row['style_id']; + } + } $this->db->sql_freeresult($result); - // Make sure prosilver is installed - if (empty($row) || !isset($row['style_id'])) + // Install prosilver if no style is available and prosilver can be installed + if (empty($style_paths) && in_array('prosilver', $styles)) { // Try to parse config file $cfg = parse_cfg_file($this->phpbb_root_path . 'styles/prosilver/style.cfg'); @@ -46,7 +55,7 @@ class style_update extends \phpbb\db\migration\migration // Stop running this if prosilver doesn't exist if (empty($cfg)) { - return; + throw new \RuntimeException('No styles available and could not fall back to prosilver.'); } // Check data 
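Review bot: The rewritten SELECT no longer reads `style_active`, so a style that is installed but deactivated now counts as available and its id ends up in `$style_ids`. Users whose `user_style` points at a deactivated style are then left untouched by the final UPDATE; if that is not intended, filter the query with `WHERE style_active = 1`. The membership test would also be safer as `in_array($styles_row['style_path'], $styles, true)`. In the second hunk, the comment above the new `throw` still says "Stop running this", which no longer matches aborting the migration. The method continues outside both hunks.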
@@ -75,31 +84,18 @@ class style_update extends \phpbb\db\migration\migration $row = array('style_id' => $this->db->sql_nextid()); $this->db->sql_transaction('commit'); - } - // Make sure prosilver is activated - else if (!isset($row['style_active']) || !$row['style_active']) - { - $sql = 'UPDATE ' . STYLES_TABLE . ' SET style_active = 1 WHERE style_id = ' . $row['style_id']; - $this->db->sql_query($sql); - } - - // Get all currently available styles - $styles = $this->find_style_dirs(); - // Get IDs of the available styles - $style_ids = array(); - $sql = 'SELECT DISTINCT(style_id) AS style_id - FROM ' . $this->table_prefix . 'styles - WHERE ' . $this->db->sql_in_set('style_name', $styles); - $result = $this->db->sql_query($sql); - while ($styles_row = $this->db->sql_fetchrow()) + // Set prosilver to default style + $this->config->set('default_style', $row['style_id']); + } + else if (empty($styles) && empty($available_styles)) { - $style_ids[] = $styles_row['style_id']; + throw new \RuntimeException('No valid styles available'); } - $this->db->sql_freeresult($result); + // Reset users to default style if their user_style is nonexistent $sql = 'UPDATE ' . $this->table_prefix . "users - SET user_style = {$row['style_id']} + SET user_style = {$this->config['default_style']} WHERE " . $this->db->sql_in_set('user_style', $style_ids, true); $this->db->sql_query($sql); } -- cgit v1.2.1 From 74615364598115a584d01503a5dfcc234d8a42b0 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 1 Nov 2014 23:40:21 +0100 Subject: [ticket/13263] Make sure default style exists and clean up code PHPBB3-13263 --- .../phpbb/db/migration/data/v31x/style_update.php | 59 +++++----------------- 1 file changed, 12 insertions(+), 47 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/db/migration/data/v31x/style_update.php b/phpBB/phpbb/db/migration/data/v31x/style_update.php index 9f01514ff6..bb030bbe6d 100644 --- a/phpBB/phpbb/db/migration/data/v31x/style_update.php 
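Review bot: `$available_styles` in the new `else if (empty($styles) && empty($available_styles))` is not assigned anywhere in the visible method, so `empty()` on it is always true and the condition reduces to `empty($styles)`. When style directories exist but none of them is in the styles table and prosilver is not on disk, nothing throws and the migration continues with an empty `$style_ids`. The intended variable is presumably `$style_paths`: `else if (empty($style_paths))`. The UPDATE also interpolates a config value straight into SQL; `SET user_style = " . (int) $this->config['default_style'] . "` avoids malformed SQL if the value is empty or non-numeric.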
+++ b/phpBB/phpbb/db/migration/data/v31x/style_update.php @@ -52,24 +52,18 @@ class style_update extends \phpbb\db\migration\migration // Try to parse config file $cfg = parse_cfg_file($this->phpbb_root_path . 'styles/prosilver/style.cfg'); - // Stop running this if prosilver doesn't exist + // Stop running this if prosilver cfg file can't be read if (empty($cfg)) { throw new \RuntimeException('No styles available and could not fall back to prosilver.'); } - // Check data - if (!isset($cfg['template_bitfield'])) - { - $cfg['template_bitfield'] = $this->default_bitfield(); - } - $style = array( 'style_name' => 'prosilver', 'style_copyright' => '© phpBB Limited', 'style_active' => 1, 'style_path' => 'prosilver', - 'bbcode_bitfield' => $cfg['template_bitfield'], + 'bbcode_bitfield' => 'kNg=', 'style_parent_id' => 0, 'style_parent_tree' => '', ); 
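Review bot: `'bbcode_bitfield' => 'kNg='` is an unexplained magic value, and `$cfg` is now parsed only to check that the file is readable, so any `template_bitfield` in style.cfg is ignored. By my reading of the removed `default_bitfield()`, its bit set (0–4, 8, 9, 11, 12) would not encode to this literal, so the stored value changes rather than just being inlined; please confirm that is intended. At minimum add a comment such as `// Fixed base64 bbcode bitfield for prosilver; replaces the style.cfg / default_bitfield() lookup`.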
@@ -81,61 +75,32 @@ class style_update extends \phpbb\db\migration\migration ' . $this->db->sql_build_array('INSERT', $style); $this->db->sql_query($sql); - $row = array('style_id' => $this->db->sql_nextid()); + $style_id = $this->db->sql_nextid(); + $style_ids[] = $style_id; $this->db->sql_transaction('commit'); // Set prosilver to default style - $this->config->set('default_style', $row['style_id']); + $this->config->set('default_style', $style_id); } else if (empty($styles) && empty($available_styles)) { throw new \RuntimeException('No valid styles available'); } + // Make sure default style is available + if (!in_array($this->config['default_style'], $style_ids)) + { + $this->config->set('default_style', array_pop($style_ids)); + } + // Reset users to default style if their user_style is nonexistent $sql = 'UPDATE ' . $this->table_prefix . "users SET user_style = {$this->config['default_style']} - WHERE " . $this->db->sql_in_set('user_style', $style_ids, true); + WHERE " . $this->db->sql_in_set('user_style', $style_ids, true, true); $this->db->sql_query($sql); } - /** - * Generates default bitfield - * Copied from acp_styles - * - * This bitfield decides which bbcodes are defined in a template. - * - * @return string Bitfield - */ - protected function default_bitfield() - { - static $value; - if (isset($value)) - { - return $value; - } - - if (!class_exists('bitfield')) - { - include($this->phpbb_root_path . 'includes/functions_content.' . $this->php_ext); - } - - // Hardcoded template bitfield to add for new templates - $bitfield = new \bitfield(); - $bitfield->set(0); - $bitfield->set(1); - $bitfield->set(2); - $bitfield->set(3); - $bitfield->set(4); - $bitfield->set(8); - $bitfield->set(9); - $bitfield->set(11); - $bitfield->set(12); - $value = $bitfield->get_base64(); - return $value; - } - /** * Find all directories that have styles * Copied from acp_styles -- cgit v1.2.1 From 4ae9e8cf6e5d4abbcadafa72fa3784d85e847768 Mon Sep 17 00:00:00 2001 
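Review bot: `array_pop($style_ids)` returns `null` when `$style_ids` is empty, which the `$available_styles` condition kept in this hunk's context still allows. `default_style` would then be set to null and the following UPDATE would be built as `SET user_style = ` with no value. `array_pop()` also removes the chosen id from `$style_ids` just before that array is used for the NOT IN set, which is harmless here but easy to misread. I would guard first with `if (empty($style_ids)) { throw new \RuntimeException('No valid styles available'); }` and then pick the id without mutating the array, for example `$this->config->set('default_style', (int) end($style_ids));`. The method starts outside the hunk.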
From: Nils Adermann Date: Sun, 2 Nov 2014 00:08:21 +0100 Subject: [prep-release-3.1.1] Add 3.1.1 migration file --- phpBB/phpbb/db/migration/data/v31x/v311.php | 32 +++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v31x/v311.php (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/db/migration/data/v31x/v311.php b/phpBB/phpbb/db/migration/data/v31x/v311.php new file mode 100644 index 0000000000..00844dd4c0 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/v311.php @@ -0,0 +1,32 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v31x; + +class v311 extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v310\gold', + '\phpbb\db\migration\data\v31x\style_update', + ); + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.1.1')), + ); + } +} -- cgit v1.2.1 From 27be69e3b3092def847d497c19bad7d4ad0a33d8 Mon Sep 17 00:00:00 2001 From: Nils Adermann Date: Sat, 1 Nov 2014 18:10:25 +0100 Subject: [ticket/13271] Disable CC sender feature for anonymous users PHPBB3-13271 --- phpBB/phpbb/message/form.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/message/form.php b/phpBB/phpbb/message/form.php index 076b41dc07..21d4de0b4d 100644 --- a/phpBB/phpbb/message/form.php +++ b/phpBB/phpbb/message/form.php @@ -146,7 +146,7 @@ abstract class form WHERE user_id = ' . $this->user->data['user_id']; $this->db->sql_query($sql); - if ($this->cc_sender) + if ($this->cc_sender && $this->user->data['is_registered']) { $this->message->cc_sender(); } -- cgit v1.2.1
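Review bot: The `is_registered` check in form.php is applied only at send time, so the `cc_sender` flag is presumably still read from the request and may still be offered in the form for guests. Enforcing it where `cc_sender` is assigned, outside this hunk, would keep the property and the behaviour in agreement. The reason for the restriction should also be recorded next to the condition, since it is a security decision that is easy to undo by accident. For example, if the guest sender address is indeed user-supplied: `// Guests provide their own unverified address, so CC would let them send board mail to arbitrary recipients`.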