From b5a997ce183fa655af4c03b5f92a58a1a3e7c2f1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 16 Jul 2019 20:44:12 +0200 Subject: [ticket/security/243] Limit size values to supported values SECURITY-243 --- phpBB/phpbb/textformatter/s9e/parser.php | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php index 3698dca224..e30bc2b0d9 100644 --- a/phpBB/phpbb/textformatter/s9e/parser.php +++ b/phpBB/phpbb/textformatter/s9e/parser.php @@ -228,6 +228,10 @@ class parser implements \phpbb\textformatter\parser_interface { $errors[] = array($msg); } + else if ($msg === 'INVALID_FONT_SIZE') + { + $errors[] = [$msg, $context['invalid_size']]; + } } // Deduplicate error messages. array_unique() only works on strings so we have to serialize @@ -335,6 +339,13 @@ class parser implements \phpbb\textformatter\parser_interface */ static public function filter_font_size($size, $max_size, Logger $logger) { + if (!is_int($size)) + { + $logger->err('INVALID_FONT_SIZE', ['invalid_size' => htmlspecialchars($size)]); + + return false; + } + if ($max_size && $size > $max_size) { $logger->err('MAX_FONT_SIZE_EXCEEDED', array('max_size' => $max_size)); -- cgit v1.2.1 From c934d3fcfdaaa1e8c2161577690fef9dcb41b1e1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 17 Jul 2019 22:02:32 +0200 Subject: [ticket/security/243] Limit size BBCode to 4 numeric characters SECURITY-243 --- phpBB/phpbb/textformatter/s9e/factory.php | 2 +- phpBB/phpbb/textformatter/s9e/parser.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php index 6191b9a315..d339e3311d 100644 --- a/phpBB/phpbb/textformatter/s9e/factory.php +++ b/phpBB/phpbb/textformatter/s9e/factory.php 
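Review bot: The new `is_int($size)` guard at the top of `filter_font_size` is a strict PHP type check, and attribute values handed to an s9e attribute filter normally arrive as strings, so as written every `[size]` value would be reported as INVALID_FONT_SIZE — confirm what the parser actually passes here. A check that enforces the intended "whole number only" contract without depending on the PHP type is `if (!ctype_digit((string) $size))`, which also rejects signs, whitespace and exponent forms that a later `is_numeric()` would accept. The new `INVALID_FONT_SIZE` branch in the error-collection loop uses `[...]` while the neighbouring lines use `array(...)`; the method should stick to one form. The remainder of `filter_font_size` lies outside the hunk.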
@@ -110,7 +110,7 @@ class factory implements \phpbb\textformatter\cache_interface 'i' => '', 'u' => '', 'img' => '{L_IMAGE}', - 'size' => '', + 'size' => 'font-size: %; line-height: normal', 'color' => '', 'email' => ' diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php index e30bc2b0d9..1bc56a8cb4 100644 --- a/phpBB/phpbb/textformatter/s9e/parser.php +++ b/phpBB/phpbb/textformatter/s9e/parser.php @@ -339,7 +339,7 @@ class parser implements \phpbb\textformatter\parser_interface */ static public function filter_font_size($size, $max_size, Logger $logger) { - if (!is_int($size)) + if (!is_numeric($size)) { $logger->err('INVALID_FONT_SIZE', ['invalid_size' => htmlspecialchars($size)]); -- cgit v1.2.1 From f75577e5f858e43e202010f6889bd55096f75ea3 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 18 Jul 2019 22:32:19 +0200 Subject: [ticket/security/243] Use bbcode.html like formatting SECURITY-243 --- phpBB/phpbb/textformatter/s9e/factory.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php index d339e3311d..dca1c78d40 100644 --- a/phpBB/phpbb/textformatter/s9e/factory.php +++ b/phpBB/phpbb/textformatter/s9e/factory.php @@ -110,7 +110,7 @@ class factory implements \phpbb\textformatter\cache_interface 'i' => '', 'u' => '', 'img' => '{L_IMAGE}', - 'size' => 'font-size: %; line-height: normal', + 'size' => 'font-size: %; line-height: normal', 'color' => '', 'email' => ' -- cgit v1.2.1 From 4555817a8b6dc3910fff0c26422a82aa769c8904 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 11 Aug 2019 21:31:59 +0200 Subject: [ticket/security/247] Disable loading of local files on client side SECURITY-247 --- phpBB/phpbb/db/driver/mysqli.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'phpBB/phpbb') 
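Review bot: `is_numeric($size)` in `filter_font_size` is looser than the commit title's "4 numeric characters": it accepts `'1e3'`, `' 12'`, `'12.5'` and `'-0'`, none of which yield a valid `font-size: …%` declaration for the template this commit adds in factory.php, and nothing in the parser hunk bounds the length. If the length limit lives in the BBCode attribute definition in factory.php (the markup on that line is stripped in this rendering, so I cannot confirm it), the filter should still enforce the same contract so a change on either side cannot silently widen it: `if (!preg_match('/^\d{1,4}$/', (string) $size))`. `filter_font_size` continues outside the hunk.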
diff --git a/phpBB/phpbb/db/driver/mysqli.php b/phpBB/phpbb/db/driver/mysqli.php index d43e201526..b429ad97aa 100644 --- a/phpBB/phpbb/db/driver/mysqli.php +++ b/phpBB/phpbb/db/driver/mysqli.php @@ -68,6 +68,9 @@ class mysqli extends \phpbb\db\driver\mysql_base if ($this->db_connect_id && $this->dbname != '') { + // Disable loading local files on client side + @mysqli_options($this->db_connect_id, MYSQLI_OPT_LOCAL_INFILE, false); + @mysqli_query($this->db_connect_id, "SET NAMES 'utf8'"); // enforce strict mode on databases that support it -- cgit v1.2.1 From 8bc056ebe6d5876c6de2a2ca84bf234678c3e702 Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Sun, 25 Aug 2019 21:24:22 +0200 Subject: [ticket/16076] addFileFilter to check max file size per mime type PHPBB3-16076 --- phpBB/phpbb/plupload/plupload.php | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/plupload/plupload.php b/phpBB/phpbb/plupload/plupload.php index eb698fb35d..9ad12b1082 100644 --- a/phpBB/phpbb/plupload/plupload.php +++ b/phpBB/phpbb/plupload/plupload.php 
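Review bot: The `MYSQLI_OPT_LOCAL_INFILE` call is placed inside the `if ($this->db_connect_id && $this->dbname != '')` branch, so a connection opened without a database name keeps LOCAL INFILE enabled; the option should depend on connection success alone, e.g. `if ($this->db_connect_id) { @mysqli_options($this->db_connect_id, MYSQLI_OPT_LOCAL_INFILE, false); }` ahead of the dbname-specific block. The call is also issued after the connection is already established and its return value is discarded under `@`; `mysqli_options()` is documented for use between `mysqli_init()` and `mysqli_real_connect()`, so whether a post-connect call takes effect is driver-dependent (mysqlnd vs libmysqlclient) — setting it on the init path, which is outside this hunk, would be the robust fix, and a `false` return should be logged rather than silently ignored since the whole point is a security hardening.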
@@ -216,38 +216,36 @@ class plupload } /** - * Looks at the list of allowed extensions and generates a string - * appropriate for use in configuring plupload with - * - * @param \phpbb\cache\service $cache - * @param string $forum_id The ID of the forum - * - * @return string - */ + * Looks at the list of allowed extensions and generates a string + * appropriate for use in configuring plupload with + * + * @param \phpbb\cache\service $cache Cache service object + * @param string $forum_id The forum identifier + * + * @return string + */ public function generate_filter_string(\phpbb\cache\service $cache, $forum_id) { + $groups = []; + $filters = []; + $attach_extensions = $cache->obtain_attach_extensions($forum_id); unset($attach_extensions['_allowed_']); - $groups = array(); // Re-arrange the extension array to $groups[$group_name][] foreach ($attach_extensions as $extension => $extension_info) { - if (!isset($groups[$extension_info['group_name']])) - { - $groups[$extension_info['group_name']] = array(); - } - - $groups[$extension_info['group_name']][] = $extension; + $groups[$extension_info['group_name']]['extensions'][] = $extension; + $groups[$extension_info['group_name']]['max_file_size'] = (int) $extension_info['max_filesize']; } - $filters = array(); - foreach ($groups as $group => $extensions) + foreach ($groups as $group => $group_info) { $filters[] = sprintf( - "{title: '%s', extensions: '%s'}", + "{title: '%s', extensions: '%s', max_file_size: %s}", addslashes(ucfirst(strtolower($group))), - addslashes(implode(',', $extensions)) + addslashes(implode(',', $group_info['extensions'])), + $group_info['max_file_size'] ); } -- cgit v1.2.1 From 4cdfb3f4eddb1c3ccaa304b1c8d3fade7e18f75e Mon Sep 17 00:00:00 2001 
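Review bot: `generate_filter_string` still builds a JavaScript object literal by hand, and `addslashes()` is not a JavaScript-context escaper (it leaves `</script>`, line terminators and U+2028/U+2029 untouched); the safe construction is `$filters[] = json_encode(['title' => ucfirst(strtolower($group)), 'extensions' => implode(',', $group_info['extensions']), 'max_file_size' => $group_info['max_file_size']]);`, which also removes the bare `%s` interpolation of the integer. The names come from admin-managed extension groups, so exploitation is unlikely, but the string is emitted into a script context all the same. Note also that `max_file_size` is overwritten by every extension in the group, so the emitted value is whichever extension the cache returns last; if all extensions in a group share one limit this is harmless, otherwise the minimum should be kept. The tail of the method (joining `$filters`) is outside the hunk.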
From: EA117 Date: Mon, 26 Aug 2019 21:07:01 -0500 Subject: [ticket/16141] plupload chunk_size incorrect when 'unlimited' is involved. Change get_chunk_size() calculation to correctly calculate limits without letting a zero "unlimited" value always win. Also ensure get_chunk_size() can only return zero if all of the limits were in fact set to unlimited. PHPBB3-16141 --- phpBB/phpbb/plupload/plupload.php | 52 +++++++++++++++++++++++++++++++++------ 1 file changed, 44 insertions(+), 8 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/plupload/plupload.php b/phpBB/phpbb/plupload/plupload.php index eb698fb35d..ac4811e4ef 100644 --- a/phpBB/phpbb/plupload/plupload.php +++ b/phpBB/phpbb/plupload/plupload.php 
@@ -283,15 +283,51 @@ class plupload */ public function get_chunk_size() { - $max = min( - $this->php_ini->getBytes('upload_max_filesize'), - $this->php_ini->getBytes('post_max_size'), - max(1, $this->php_ini->getBytes('memory_limit')), - $this->config['max_filesize'] - ); + $max = 0; + + $limit = $this->php_ini->getBytes('memory_limit'); + + // unlimited is -1 for memory_limit. 0 would be an invalid configuration. + + if ($limit > 0) + { + $max = $limit; + } + + // For all remaining limits, 0 means "unlimited". + + // For each limit, if there is a non-unlimited value to + // apply, apply the limit if it's less than whatever non- + // unlimited max value is currently set. Also, apply the + // limit if the current max value is otherwise unlimited. + + $limit = $this->php_ini->getBytes('upload_max_filesize'); + + if ($limit > 0) + { + $max = min($limit, max($max, $limit)); + } + + $limit = $this->php_ini->getBytes('post_max_size'); + + if ($limit > 0) + { + $max = min($limit, max($max, $limit)); + } + + $limit = $this->config['max_filesize']; + + if ($limit > 0) + { + $max = min($limit, max($max, $limit)); + } + + // Only if every limit was 0/unlimited will we still + // have a zero value in $max at this point. + + // Use half of the maximum possible to leave plenty of + // room for other POST data and be well under limits. - // Use half of the maximum possible to leave plenty of room for other - // POST data. return floor($max / 2); } -- cgit v1.2.1 From 73537bcc7d8b10fe77e91068d494c1181b11d6c7 Mon Sep 17 00:00:00 2001 
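Review bot: `$max = min($limit, max($max, $limit));` always evaluates to `$limit`, because `max($max, $limit)` can never be smaller than `$limit`; each later limit therefore overwrites `$max` instead of tightening it, so with `memory_limit=128M`, `upload_max_filesize=2M`, `post_max_size=8M` the function returns half of 8M rather than half of the tightest bound, 2M. The intended "apply if smaller, or if nothing is set yet" is `$max = ($max > 0) ? min($max, $limit) : $limit;` in all four places. Separately, `floor()` returns a float, so `return (int) floor($max / 2);` is needed to honour the `@return int` stated in the docblock (which sits above the hunk start). The method's docblock is outside the hunk.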
From: EA117 Date: Wed, 28 Aug 2019 20:22:33 -0500 Subject: [ticket/16141] plupload chunk_size incorrect when 'unlimited' is involved. Change get_chunk_size() calculation to correctly calculate limits without letting a zero "unlimited" value always win. Also ensure get_chunk_size() can only return zero if all of the limits were in fact set to unlimited. PHPBB3-16141 --- phpBB/phpbb/plupload/plupload.php | 51 +++++++++++++++------------------------ 1 file changed, 20 insertions(+), 31 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/plupload/plupload.php b/phpBB/phpbb/plupload/plupload.php index ac4811e4ef..601b3fb440 100644 --- a/phpBB/phpbb/plupload/plupload.php +++ b/phpBB/phpbb/plupload/plupload.php @@ -276,8 +276,14 @@ class plupload } /** - * Checks various php.ini values and the maximum file size to determine - * the maximum size chunks a file can be split up into for upload + * Checks various php.ini values to determine the maximum chunk + * size a file should be split into for upload. + * + * The intention is to calculate a value which reflects whatever + * the most restrictive limit is set to. And to then set the chunk + * size to half that value, to ensure any required transfer overhead + * and POST data remains well within the limit. Or, if all of the + * limits are set to unlimited, the chunk size will also be unlimited. * * @return int */ 
@@ -285,48 +291,31 @@ class plupload { $max = 0; - $limit = $this->php_ini->getBytes('memory_limit'); - - // unlimited is -1 for memory_limit. 0 would be an invalid configuration. + // unlimited is -1 for memory_limit. 0 should be an invalid configuration. + $limit_memory = $this->php_ini->getBytes('memory_limit'); - if ($limit > 0) + if ($limit_memory > 0) { - $max = $limit; + $max = $limit_memory; } // For all remaining limits, 0 means "unlimited". - // For each limit, if there is a non-unlimited value to - // apply, apply the limit if it's less than whatever non- - // unlimited max value is currently set. Also, apply the - // limit if the current max value is otherwise unlimited. - - $limit = $this->php_ini->getBytes('upload_max_filesize'); + $limit_upload = $this->php_ini->getBytes('upload_max_filesize'); - if ($limit > 0) + if ($limit_upload > 0) { - $max = min($limit, max($max, $limit)); + $max = min($limit_upload, $max ? $max : $limit_upload); } - $limit = $this->php_ini->getBytes('post_max_size'); + $limit_post = $this->php_ini->getBytes('post_max_size'); - if ($limit > 0) + if ($limit_post > 0) { - $max = min($limit, max($max, $limit)); + $max = min($limit_post, $max ? $max : $limit_post); } - - $limit = $this->config['max_filesize']; - - if ($limit > 0) - { - $max = min($limit, max($max, $limit)); - } - - // Only if every limit was 0/unlimited will we still - // have a zero value in $max at this point. - - // Use half of the maximum possible to leave plenty of - // room for other POST data and be well under limits. + + // $config['max_filesize'] is not a limiter to chunk size. return floor($max / 2); } -- cgit v1.2.1 From 29d43670430f3edad2366ddbca15d1b34315ce1d Mon Sep 17 00:00:00 2001 
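Review bot: `return floor($max / 2);` still returns a PHP float, so `get_chunk_size` does not meet the `@return int` contract in the docblock the previous hunk of this commit rewrote; `return (int) floor($max / 2);` fixes the type without changing the value. The trailing comment `// $config['max_filesize'] is not a limiter to chunk size.` is the one place the reasoning for dropping the board limit is recorded — it belongs in the docblock so the next reader of the signature sees it, e.g. `The board's max_filesize is deliberately not applied: it bounds the assembled file, not a transfer chunk.` The `+` line added directly before that comment carries only whitespace.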
From: EA117 Date: Wed, 28 Aug 2019 23:34:52 -0500 Subject: [ticket/16141] plupload chunk_size when 'unlimited' is involved. Change get_chunk_size() calculation to correctly calculate limits without letting a zero "unlimited" value always win. Also ensure get_chunk_size() can only return zero if all of the limits were in fact set to unlimited. PHPBB3-16141 --- phpBB/phpbb/plupload/plupload.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/plupload/plupload.php b/phpBB/phpbb/plupload/plupload.php index 601b3fb440..f9403938ed 100644 --- a/phpBB/phpbb/plupload/plupload.php +++ b/phpBB/phpbb/plupload/plupload.php @@ -305,14 +305,14 @@ class plupload if ($limit_upload > 0) { - $max = min($limit_upload, $max ? $max : $limit_upload); + $max = min($limit_upload, ($max ? $max : $limit_upload)); } $limit_post = $this->php_ini->getBytes('post_max_size'); if ($limit_post > 0) { - $max = min($limit_post, $max ? $max : $limit_post); + $max = min($limit_post, ($max ? $max : $limit_post)); } // $config['max_filesize'] is not a limiter to chunk size. -- cgit v1.2.1 From bf359d153dd0ff6cc9505cdd7bf8a7754b6a6073 Mon Sep 17 00:00:00 2001 From: EA117 Date: Thu, 29 Aug 2019 00:17:14 -0500 Subject: [ticket/16141] plupload chunk_size when 'unlimited' is involved. Change get_chunk_size() calculation to correctly calculate limits without letting a zero "unlimited" value always win. Also ensure get_chunk_size() can only return zero if all of the limits were in fact set to unlimited. PHPBB3-16141 --- phpBB/phpbb/plupload/plupload.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/plupload/plupload.php b/phpBB/phpbb/plupload/plupload.php index f9403938ed..91b635b617 100644 --- a/phpBB/phpbb/plupload/plupload.php +++ b/phpBB/phpbb/plupload/plupload.php 
@@ -314,7 +314,7 @@ class plupload { $max = min($limit_post, ($max ? $max : $limit_post)); } - + // $config['max_filesize'] is not a limiter to chunk size. return floor($max / 2); -- cgit v1.2.1 From 5bd3b7ec378579dc84d2d838ba43d3a77f519159 Mon Sep 17 00:00:00 2001 From: EA117 Date: Fri, 30 Aug 2019 07:01:04 -0500 Subject: [ticket/16141] plupload chunk_size when 'unlimited' is involved. Change get_chunk_size() calculation to correctly calculate limits without letting a zero "unlimited" value always win. Also ensure get_chunk_size() can only return zero if all of the limits were in fact set to unlimited. PHPBB3-16141 --- phpBB/phpbb/plupload/plupload.php | 56 ++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 33 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/plupload/plupload.php b/phpBB/phpbb/plupload/plupload.php index 91b635b617..70070b9835 100644 --- a/phpBB/phpbb/plupload/plupload.php +++ b/phpBB/phpbb/plupload/plupload.php 
@@ -276,47 +276,37 @@ class plupload } /** - * Checks various php.ini values to determine the maximum chunk - * size a file should be split into for upload. - * - * The intention is to calculate a value which reflects whatever - * the most restrictive limit is set to. And to then set the chunk - * size to half that value, to ensure any required transfer overhead - * and POST data remains well within the limit. Or, if all of the - * limits are set to unlimited, the chunk size will also be unlimited. - * - * @return int - */ + * Checks various php.ini values to determine the maximum chunk + * size a file should be split into for upload. + * + * The intention is to calculate a value which reflects whatever + * the most restrictive limit is set to. And to then set the chunk + * size to half that value, to ensure any required transfer overhead + * and POST data remains well within the limit. Or, if all of the + * limits are set to unlimited, the chunk size will also be unlimited. + * + * @return int + * + * @access public + */ public function get_chunk_size() { $max = 0; - // unlimited is -1 for memory_limit. 0 should be an invalid configuration. - $limit_memory = $this->php_ini->getBytes('memory_limit'); - - if ($limit_memory > 0) - { - $max = $limit_memory; - } - - // For all remaining limits, 0 means "unlimited". - - $limit_upload = $this->php_ini->getBytes('upload_max_filesize'); + $limits = [ + $this->php_ini->getBytes('memory_limit'), + $this->php_ini->getBytes('upload_max_filesize'), + $this->php_ini->getBytes('post_max_size'), + ]; - if ($limit_upload > 0) + foreach ($limits as $limit_type) { - $max = min($limit_upload, ($max ? $max : $limit_upload)); - } - - $limit_post = $this->php_ini->getBytes('post_max_size'); - - if ($limit_post > 0) - { - $max = min($limit_post, ($max ? $max : $limit_post)); + if ($limit_type > 0) + { + $max = ($max !== 0) ? min($limit_type, $max) : $limit_type; + } } - // $config['max_filesize'] is not a limiter to chunk size. 
- return floor($max / 2); } -- cgit v1.2.1 From cc8d6a5a014c994fec8d8bdd61cd1fbc5506de6e Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 31 Aug 2019 18:13:24 +0200 Subject: [ticket/security/243] Fail silently on unsupported values for font size SECURITY-243 --- phpBB/phpbb/textformatter/s9e/parser.php | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php index 1bc56a8cb4..a36fc63141 100644 --- a/phpBB/phpbb/textformatter/s9e/parser.php +++ b/phpBB/phpbb/textformatter/s9e/parser.php @@ -228,10 +228,6 @@ class parser implements \phpbb\textformatter\parser_interface { $errors[] = array($msg); } - else if ($msg === 'INVALID_FONT_SIZE') - { - $errors[] = [$msg, $context['invalid_size']]; - } } // Deduplicate error messages. array_unique() only works on strings so we have to serialize @@ -339,13 +335,6 @@ class parser implements \phpbb\textformatter\parser_interface */ static public function filter_font_size($size, $max_size, Logger $logger) { - if (!is_numeric($size)) - { - $logger->err('INVALID_FONT_SIZE', ['invalid_size' => htmlspecialchars($size)]); - - return false; - } - if ($max_size && $size > $max_size) { $logger->err('MAX_FONT_SIZE_EXCEEDED', array('max_size' => $max_size)); @@ -353,7 +342,7 @@ class parser implements \phpbb\textformatter\parser_interface return false; } - if ($size < 1) + if ($size < 1 || !is_numeric($size)) { return false; } -- cgit v1.2.1 From 3e23adf030329fac3746251c54c85d3061ec69d1 Mon Sep 17 00:00:00 2001 From: 3D-I <480857+3D-I@users.noreply.github.com> Date: Sun, 1 Sep 2019 09:19:33 +0200 Subject: [ticket/16144] Provide extra fallback to board's default style for $user PHPBB3-16144 --- phpBB/phpbb/user.php | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) (limited to 'phpBB/phpbb') 
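Review bot: The refactor to a `$limits` array drops the comments explaining that `memory_limit` reports "unlimited" as `-1` while the upload/post limits use `0`, which is exactly the knowledge the `if ($limit_type > 0)` test encodes; restore it above the loop: `// memory_limit reports unlimited as -1, upload_max_filesize/post_max_size as 0; either way a non-positive value means "no bound"`. The `$max !== 0` strict comparison relies on `getBytes()` returning an int — confirm, since a float return would make the check always true. `return floor($max / 2);` still yields a float against the `@return int` docblock; `return (int) floor($max / 2);` pins it. The method's closing lines are on the boundary of the hunk.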
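Review bot: In `filter_font_size` the `!is_numeric($size)` test is now evaluated after `$max_size && $size > $max_size`, so a non-numeric value reaches the `>` comparison first; under PHP 8 comparison rules a value such as `'abc'` is compared to `$max_size` as a string and can log `MAX_FONT_SIZE_EXCEEDED`, which contradicts the commit's "fail silently" intent (PHP 7 coerces `'abc'` to 0 and happens to skip it). Put the type check first: `if (!is_numeric($size) || $size < 1) { return false; }` ahead of the `$max_size` comparison. `filter_font_size` begins inside the hunk and ends outside it.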
diff --git a/phpBB/phpbb/user.php b/phpBB/phpbb/user.php index 7363290e11..8e2b278650 100644 --- a/phpBB/phpbb/user.php +++ b/phpBB/phpbb/user.php @@ -281,9 +281,48 @@ class user extends \phpbb\session $db->sql_freeresult($result); } + /** + * Something went very bad this time. + * Fallback to board's default style upon its strict verification. + */ + if (!$this->style) + { + /** Verify default style exists in the database */ + $sql = 'SELECT style_id + FROM ' . STYLES_TABLE . ' + WHERE style_id = ' . (int) $config['default_style']; + $result = $db->sql_query($sql); + $style_id = (int) $db->sql_fetchfield('style_id'); + $db->sql_freeresult($result); + + $style_id = $style_id ?: false; + + if ($style_id > 0) + { + $db->sql_transaction('begin'); + + /** Update $user row */ + $sql = 'SELECT * + FROM ' . STYLES_TABLE . ' + WHERE style_id = ' . (int) $config['default_style']; + $result = $db->sql_query($sql); + $this->style = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + /** Update user style preference */ + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_style = ' . (int) $style_id . ' + WHERE user_id = ' . (int) $this->data['user_id']; + $db->sql_query($sql); + + $db->sql_transaction('commit'); + } + } + + /** This should never happens */ if (!$this->style) { - trigger_error('NO_STYLE_DATA', E_USER_ERROR); + trigger_error($this->language->lang('NO_STYLE_DATA', $this->data['user_style'], $this->data['user_id']), E_USER_ERROR); } // Now parse the cfg file and cache it -- cgit v1.2.1 From 2224a76c24319b7f9456ecc42f16e22d38178ee0 Mon Sep 17 00:00:00 2001 From: Alfredo Ramos Date: Tue, 3 Sep 2019 17:21:51 -0500 Subject: [ticket/15643] Fix open_basedir warnings Suppress warnings when trying to call is_link(), is_dir() and is_file() on the web server root directory when open_basedir is set. PHPBB3-15643 --- phpBB/phpbb/filesystem/filesystem.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb') 
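Review bot: The fallback issues two queries against STYLES_TABLE for the same `(int) $config['default_style']` — a `SELECT style_id` to verify existence and then a `SELECT *` inside the transaction — when a single `SELECT *` followed by `if ($this->style)` gives the same verification with one round trip. The transaction wraps only that read and the UPDATE, so it adds nothing for atomicity; `$style_id = $style_id ?: false;` followed by `if ($style_id > 0)` is likewise redundant. The UPDATE persists the fallback into the user row as a side effect of a read path, which deserves a comment stating that this self-healing write is deliberate. The enclosing method continues on both sides of the hunk.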
diff --git a/phpBB/phpbb/filesystem/filesystem.php b/phpBB/phpbb/filesystem/filesystem.php index bfafdf5ddd..c5be284d8c 100644 --- a/phpBB/phpbb/filesystem/filesystem.php +++ b/phpBB/phpbb/filesystem/filesystem.php @@ -835,7 +835,7 @@ class filesystem implements filesystem_interface $current_path = $resolved_path . '/' . $path_part; // Resolve symlinks - if (is_link($current_path)) + if (@is_link($current_path)) { if (!function_exists('readlink')) { @@ -872,12 +872,12 @@ class filesystem implements filesystem_interface $resolved_path = false; } - else if (is_dir($current_path . '/')) + else if (@is_dir($current_path . '/')) { $resolved[] = $path_part; $resolved_path = $current_path; } - else if (is_file($current_path)) + else if (@is_file($current_path)) { $resolved[] = $path_part; $resolved_path = $current_path; -- cgit v1.2.1 From b94464d06382a4b379d9dcd52f1bee757a4a0500 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 8 Sep 2019 21:53:52 +0200 Subject: [prep-release-3.2.8] Add migration for 3.2.8 --- phpBB/phpbb/db/migration/data/v32x/v328.php | 36 +++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v32x/v328.php (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/db/migration/data/v32x/v328.php b/phpBB/phpbb/db/migration/data/v32x/v328.php new file mode 100644 index 0000000000..28ff2c7033 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/v328.php 
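Review bot: The three `@` suppressions silence every warning from `is_link()`, `is_dir()` and `is_file()`, not only the open_basedir one this commit targets, and nothing in the code now tells a reader why a path resolution fell through; a comment at the first occurrence should record it: `// @ suppresses the open_basedir warning these calls emit for paths outside the allowed list; they then simply return false (PHPBB3-15643)`. If the concern is specifically open_basedir, a narrower alternative is to read `ini_get('open_basedir')` once and skip the stat calls for paths outside it, which keeps unrelated warnings visible. The name of the enclosing method and the `$resolved_path = false` branch between the two hunks are not shown.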
@@ -0,0 +1,36 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v32x; + +class v328 extends \phpbb\db\migration\migration +{ + public function effectively_installed() + { + return phpbb_version_compare($this->config['version'], '3.2.8', '>='); + } + + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v328rc1', + ); + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.2.8')), + ); + } +} -- cgit v1.2.1 From 177cc226832b7a96be338b0eee71cd61746d8a02 Mon Sep 17 00:00:00 2001 From: rxu Date: Fri, 13 Sep 2019 00:25:18 +0700 Subject: [ticket/16157] Fix FORM_INVALID error in the sending email form PHPBB3-16157 --- phpBB/phpbb/message/form.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/message/form.php b/phpBB/phpbb/message/form.php index 63bada91ff..6573a04f8b 100644 --- a/phpBB/phpbb/message/form.php +++ b/phpBB/phpbb/message/form.php @@ -136,7 +136,7 @@ abstract class form { if (!check_form_key('memberlist_email')) { - $this->errors[] = 'FORM_INVALID'; + $this->errors[] = $this->user->lang('FORM_INVALID'); } if (!count($this->errors)) -- cgit v1.2.1 From 942bfd65065e753cc602cce4976c7076aba4e7cb Mon Sep 17 00:00:00 2001 From: 3D-I <480857+3D-I@users.noreply.github.com> Date: Sun, 22 Sep 2019 20:10:53 +0200 Subject: [ticket/16144] As per request PHPBB3-16144 --- phpBB/phpbb/user.php | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/user.php b/phpBB/phpbb/user.php index 8e2b278650..e6e8e7f167 100644 --- a/phpBB/phpbb/user.php +++ b/phpBB/phpbb/user.php 
@@ -281,13 +281,10 @@ class user extends \phpbb\session $db->sql_freeresult($result); } - /** - * Something went very bad this time. - * Fallback to board's default style upon its strict verification. - */ + // Fallback to board's default style if (!$this->style) { - /** Verify default style exists in the database */ + // Verify default style exists in the database $sql = 'SELECT style_id FROM ' . STYLES_TABLE . ' WHERE style_id = ' . (int) $config['default_style']; @@ -295,13 +292,11 @@ class user extends \phpbb\session $style_id = (int) $db->sql_fetchfield('style_id'); $db->sql_freeresult($result); - $style_id = $style_id ?: false; - if ($style_id > 0) { $db->sql_transaction('begin'); - /** Update $user row */ + // Update $user row $sql = 'SELECT * FROM ' . STYLES_TABLE . ' WHERE style_id = ' . (int) $config['default_style']; @@ -309,7 +304,7 @@ class user extends \phpbb\session $this->style = $db->sql_fetchrow($result); $db->sql_freeresult($result); - /** Update user style preference */ + // Update user style preference $sql = 'UPDATE ' . USERS_TABLE . ' SET user_style = ' . (int) $style_id . ' WHERE user_id = ' . (int) $this->data['user_id']; @@ -319,7 +314,7 @@ class user extends \phpbb\session } } - /** This should never happens */ + // This should never happens if (!$this->style) { trigger_error($this->language->lang('NO_STYLE_DATA', $this->data['user_style'], $this->data['user_id']), E_USER_ERROR); -- cgit v1.2.1 From a84e4b5ab4cdbbb241004e5c1621b42490e6ba94 Mon Sep 17 00:00:00 2001 From: 3D-I <480857+3D-I@users.noreply.github.com> Date: Mon, 23 Sep 2019 18:54:45 +0200 Subject: [ticket/16144] Provide extra fallback to board's default style for $user PHPBB3-16144 --- phpBB/phpbb/user.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/user.php b/phpBB/phpbb/user.php index e6e8e7f167..9817e40edb 100644 --- a/phpBB/phpbb/user.php +++ b/phpBB/phpbb/user.php 
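Review bot: The `UPDATE ' . USERS_TABLE` runs for whichever `user_id` is in `$this->data`, which as far as this hunk shows includes guest and bot sessions whose row should not be rewritten on a page view — confirm against the caller and, if so, restrict the write to registered users (the anonymous-user constant and `user_type` are not visible here). The comment rewrite also dropped the explanation of when this branch is reached; suggest `// Reached when the user's stored style_id no longer resolves, presumably because the style was removed` above `if (!$this->style)`. The enclosing method extends beyond the hunk on both sides.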
@@ -314,7 +314,7 @@ class user extends \phpbb\session } } - // This should never happens + // This should never happen if (!$this->style) { trigger_error($this->language->lang('NO_STYLE_DATA', $this->data['user_style'], $this->data['user_id']), E_USER_ERROR); -- cgit v1.2.1 From 6b85faf7dad5a83eb28a06fdcf428102ae63bc28 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Fri, 4 Oct 2019 14:11:37 +0200 Subject: [ticket/16174] Add core.set_cookie PHPBB3-16174 --- phpBB/phpbb/session.php | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 31f32af7c4..057c69b666 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -1077,7 +1077,7 @@ class session */ function set_cookie($name, $cookiedata, $cookietime, $httponly = true) { - global $config; + global $config, $phpbb_dispatcher; // If headers are already set, we just return if (headers_sent()) @@ -1085,6 +1085,22 @@ class session return; } + $disable_cookie = false; + /** + * Event to disable setting cookie + * + * @event core.set_cookie + * @var bool disable_cookie Set to true to disable setting this cookie + * @since 3.2.9-RC1 + */ + $vars = array('disable_cookie'); + extract($phpbb_dispatcher->trigger_event('core.set_cookie', compact($vars))); + + if ($disable_cookie) + { + return; + } + $name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata); $expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime); $domain = (!$config['cookie_domain'] || $config['cookie_domain'] == '127.0.0.1' || strpos($config['cookie_domain'], '.') === false) ? '' : '; domain=' . $config['cookie_domain']; -- cgit v1.2.1 From 367b0bc2084d53ab6c7f2b6c7a61a0aba9cf04a2 Mon Sep 17 00:00:00 2001 
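Review bot: `trigger_event()` is called unconditionally on `$phpbb_dispatcher`, but `set_cookie` is reachable early in the request from session creation, and this hunk cannot confirm the dispatcher global is always populated on installer or CLI paths; a defensive `if ($phpbb_dispatcher) { ... }` around the event, or a note in the method's docblock that a dispatcher is now required, would close that gap. The `disable_cookie` flag also lets an extension suppress the session cookie itself, which would break login silently, so the event docblock should say so: `@var bool disable_cookie Set to true to skip setting this cookie entirely (note: this also applies to the session cookies)`. The remainder of `set_cookie` is outside the hunk.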
From: Jakub Senko Date: Mon, 7 Oct 2019 13:47:02 +0200 Subject: [ticket/16174] Add function params to the event PHPBB3-16174 --- phpBB/phpbb/session.php | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 057c69b666..237513e05f 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -1090,10 +1090,20 @@ class session * Event to disable setting cookie * * @event core.set_cookie - * @var bool disable_cookie Set to true to disable setting this cookie + * @var bool disable_cookie Set to true to disable setting this cookie + * @var string name Name of the cookie + * @var string cookiedata The data to hold within the cookie + * @var int cookietime The expiration time as UNIX timestamp + * @var bool httponly Use HttpOnly? * @since 3.2.9-RC1 */ - $vars = array('disable_cookie'); + $vars = array( + 'disable_cookie', + 'name', + 'cookiedata', + 'cookietime', + 'httponly', + ); extract($phpbb_dispatcher->trigger_event('core.set_cookie', compact($vars))); if ($disable_cookie) -- cgit v1.2.1 From 1aaeb2bca997282800f4cc30a6951104322ae433 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Tue, 8 Oct 2019 09:29:22 +0200 Subject: [ticket/16174] Improve event desc PHPBB3-16174 --- phpBB/phpbb/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 237513e05f..cc5a1b8f8f 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -1087,7 +1087,7 @@ class session $disable_cookie = false; /** - * Event to disable setting cookie + * Event to modify or disable setting cookies * * @event core.set_cookie * @var bool disable_cookie Set to true to disable setting this cookie -- cgit v1.2.1 From 1f669a31a08a817c5614386658d01f8827bb4372 Mon Sep 17 00:00:00 2001 
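Review bot: Exposing `cookiedata` and `httponly` as mutable event vars means an extension can rewrite the cookie value or strip HttpOnly from the session cookie; that may be intended, but the docblock should state the contract and that the values are consumed raw by the `rawurlencode()` call that follows the event, e.g. `@var string cookiedata The data to hold within the cookie (raw; rawurlencode() is applied after the event)` and `@var bool httponly Whether to set the HttpOnly flag (should not be disabled for session cookies)`. The secure flag is decided outside this hunk and is not exposed, which is inconsistent with exposing `httponly`. The rest of `set_cookie` lies outside the hunk.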
From: mrgoldy Date: Tue, 8 Oct 2019 20:12:24 +0200 Subject: [ticket/16181] Enforce string data type PHPBB3-16181 --- phpBB/phpbb/auth/provider/oauth/oauth.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php index 0d94acfbca..8352fb649d 100644 --- a/phpBB/phpbb/auth/provider/oauth/oauth.php +++ b/phpBB/phpbb/auth/provider/oauth/oauth.php @@ -216,10 +216,15 @@ class oauth extends \phpbb\auth\provider\base $this->service_providers[$service_name]->set_external_service_provider($service); $unique_id = $this->service_providers[$service_name]->perform_auth_login(); - // Check to see if this provider is already assosciated with an account + /** + * Check to see if this provider is already assosciated with an account. + * + * Enforcing a data type to make sure it are strings and not integers, + * so values are quoted in the SQL WHERE statement. + */ $data = array( - 'provider' => $service_name_original, - 'oauth_provider_id' => $unique_id + 'provider' => (string) $service_name_original, + 'oauth_provider_id' => (string) $unique_id ); $sql = 'SELECT user_id FROM ' . $this->auth_provider_oauth_token_account_assoc . ' -- cgit v1.2.1 From 29957a92ef14a368a1a53a9620955f34eb8536f8 Mon Sep 17 00:00:00 2001 From: mrgoldy Date: Tue, 8 Oct 2019 20:19:46 +0200 Subject: [ticket/16181] Fix spelling mistake in associated PHPBB3-16181 --- phpBB/phpbb/auth/provider/oauth/oauth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php index 8352fb649d..1609128b92 100644 --- a/phpBB/phpbb/auth/provider/oauth/oauth.php +++ b/phpBB/phpbb/auth/provider/oauth/oauth.php 
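Review bot: `(string) $unique_id` turns a null or false return from `perform_auth_login()` into `''`, and the lookup that follows then searches for `oauth_provider_id = ''`, which would match any row stored with an empty provider id instead of failing the login; add a guard before `$data` is built, `if ((string) $unique_id === '')`, and take the error path this method uses for a failed provider login (not visible in the hunk). The comment's claim that casting ensures "values are quoted in the SQL WHERE statement" depends on how the SQL is built further down, which is outside the hunk — worth confirming rather than relying on the cast alone.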
@@ -217,7 +217,7 @@ class oauth extends \phpbb\auth\provider\base $unique_id = $this->service_providers[$service_name]->perform_auth_login(); /** - * Check to see if this provider is already assosciated with an account. + * Check to see if this provider is already associated with an account. * * Enforcing a data type to make sure it are strings and not integers, * so values are quoted in the SQL WHERE statement. -- cgit v1.2.1 From ebdb38857c5409e63853cd4d24906f18cb64267d Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 20 Oct 2019 20:54:39 +0200 Subject: [ticket/16181] Fix typo in comment PHPBB3-16181 --- phpBB/phpbb/auth/provider/oauth/oauth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb') diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php index 1609128b92..e3f8394bba 100644 --- a/phpBB/phpbb/auth/provider/oauth/oauth.php +++ b/phpBB/phpbb/auth/provider/oauth/oauth.php @@ -219,7 +219,7 @@ class oauth extends \phpbb\auth\provider\base /** * Check to see if this provider is already associated with an account. * - * Enforcing a data type to make sure it are strings and not integers, + * Enforcing a data type to make data contains strings and not integers, * so values are quoted in the SQL WHERE statement. */ $data = array( -- cgit v1.2.1