From c44c398626e933a89c1b897bd8a71f94a29336a6 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Thu, 26 Dec 2019 14:59:14 +0100
Subject: [ticket/security-253] Check form key when exporting PM data

SECURITY-253
---
 phpBB/includes/ucp/ucp_pm_viewfolder.php | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'phpBB')

diff --git a/phpBB/includes/ucp/ucp_pm_viewfolder.php b/phpBB/includes/ucp/ucp_pm_viewfolder.php
index 09e7bf4d7c..ce40a2507d 100644
--- a/phpBB/includes/ucp/ucp_pm_viewfolder.php
+++ b/phpBB/includes/ucp/ucp_pm_viewfolder.php
@@ -32,6 +32,8 @@ function view_folder($id, $mode, $folder_id, $folder)
 
 	$folder_info = get_pm_from($folder_id, $folder, $user->data['user_id']);
 
+	add_form_key('ucp_pm_view_folder');
+
 	if (!$submit_export)
 	{
 		$user->add_lang('viewforum');
@@ -197,6 +199,11 @@ function view_folder($id, $mode, $folder_id, $folder)
 		$enclosure = $request->variable('enclosure', '');
 		$delimiter = $request->variable('delimiter', '');
 
+		if (!check_form_key('ucp_pm_view_folder'))
+		{
+			trigger_error('FORM_INVALID');
+		}
+
 		if ($export_type == 'CSV' && ($delimiter === '' || $enclosure === ''))
 		{
 			$template->assign_var('PROMPT', true);
-- 
cgit v1.2.1


From 6320da67e4f031e5d47c74ecaea477c2e721f99a Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Mon, 11 Nov 2019 20:35:09 +0100
Subject: [ticket/security-249] Do not handle avatar submit on invalid token

SECURITY-249
---
 phpBB/includes/ucp/ucp_groups.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'phpBB')

diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php
index 2423af86be..24b94126b0 100644
--- a/phpBB/includes/ucp/ucp_groups.php
+++ b/phpBB/includes/ucp/ucp_groups.php
@@ -534,7 +534,12 @@ class ucp_groups
 								'teampage'	=> $group_row['group_teampage'],
 							);
 
-							if ($config['allow_avatar'])
+							if (!check_form_key('ucp_groups'))
+							{
+								$error[] = $user->lang['FORM_INVALID'];
+							}
+
+							if (!count($error) && $config['allow_avatar'])
 							{
 								// Handle avatar
 								$driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', ''));
@@ -556,11 +561,6 @@ class ucp_groups
 								$error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error));
 							}
 
-							if (!check_form_key('ucp_groups'))
-							{
-								$error[] = $user->lang['FORM_INVALID'];
-							}
-
 							// Validate submitted colour value
 							if ($colour_error = validate_data($submit_ary, array('colour'	=> array('hex_colour', true))))
 							{
-- 
cgit v1.2.1


From e7a6ed20e8ea073d7bf14890c766b17de444cf79 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Tue, 24 Dec 2019 15:27:43 +0100
Subject: [ticket/security-251] Check form token when moving PM to folder

SECURITY-251
---
 phpBB/includes/ucp/ucp_pm.php | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'phpBB')

diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php
index 4d02620e89..3f982c8dd0 100644
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -193,6 +193,8 @@ class ucp_pm
 					trigger_error('NO_AUTH_READ_HOLD_MESSAGE');
 				}
 
+				add_form_key('ucp_pm_view');
+
 				// First Handle Mark actions and moving messages
 				$submit_mark	= (isset($_POST['submit_mark'])) ? true : false;
 				$move_pm		= (isset($_POST['move_pm'])) ? true : false;
@@ -210,6 +212,11 @@ class ucp_pm
 				// Move PM
 				if ($move_pm)
 				{
+					if (!check_form_key('ucp_pm_view'))
+					{
+						trigger_error('FORM_INVALID');
+					}
+
 					$move_msg_ids	= (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array();
 					$cur_folder_id	= $request->variable('cur_folder_id', PRIVMSGS_NO_BOX);
 
-- 
cgit v1.2.1


From 25c80df156ecd5389734265f8fdf6908212984b4 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Thu, 26 Dec 2019 14:40:23 +0100
Subject: [ticket/security-252] Check form token on marking PM

SECURITY-252
---
 phpBB/includes/ucp/ucp_pm.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'phpBB')

diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php
index 3f982c8dd0..00d1ce7149 100644
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -209,14 +209,14 @@ class ucp_pm
 					$submit_mark = false;
 				}
 
+				if (($move_pm || $submit_mark) && !check_form_key('ucp_pm_view'))
+				{
+					trigger_error('FORM_INVALID');
+				}
+
 				// Move PM
 				if ($move_pm)
 				{
-					if (!check_form_key('ucp_pm_view'))
-					{
-						trigger_error('FORM_INVALID');
-					}
-
 					$move_msg_ids	= (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array();
 					$cur_folder_id	= $request->variable('cur_folder_id', PRIVMSGS_NO_BOX);
 
-- 
cgit v1.2.1


From 4f007321e19e18e9166c4df2e8cb0d98d17fc14c Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Tue, 24 Dec 2019 12:44:16 +0100
Subject: [ticket/security-250] Check form key when approving group membership

SECURITY-250
---
 phpBB/includes/ucp/ucp_groups.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'phpBB')

diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php
index 24b94126b0..cf6e049748 100644
--- a/phpBB/includes/ucp/ucp_groups.php
+++ b/phpBB/includes/ucp/ucp_groups.php
@@ -875,6 +875,11 @@ class ucp_groups
 							trigger_error($user->lang['NO_GROUP'] . $return_page);
 						}
 
+						if (!check_form_key('ucp_groups'))
+						{
+							trigger_error($user->lang('FORM_INVALID') . $return_page);
+						}
+
 						if (!($row = group_memberships($group_id, $user->data['user_id'])))
 						{
 							trigger_error($user->lang['NOT_MEMBER_OF_GROUP'] . $return_page);
-- 
cgit v1.2.1


From a2a003836896124c9c35fe6720890b40bf62cb48 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sat, 4 Jan 2020 10:16:06 +0100
Subject: [prep-release-3.2.9] Update version numbers for 3.2.9

---
 phpBB/includes/constants.php          | 2 +-
 phpBB/install/phpbbcli.php            | 2 +-
 phpBB/install/schemas/schema_data.sql | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'phpBB')

diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index 12df965bd9..ff3bbbc543 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-@define('PHPBB_VERSION', '3.2.9-RC1');
+@define('PHPBB_VERSION', '3.2.9');
 
 // QA-related
 // define('PHPBB_QA', 1);
diff --git a/phpBB/install/phpbbcli.php b/phpBB/install/phpbbcli.php
index dbc8a17f8c..86ec87b38f 100755
--- a/phpBB/install/phpbbcli.php
+++ b/phpBB/install/phpbbcli.php
@@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli')
 define('IN_PHPBB', true);
 define('IN_INSTALL', true);
 define('PHPBB_ENVIRONMENT', 'production');
-define('PHPBB_VERSION', '3.2.9-RC1');
+define('PHPBB_VERSION', '3.2.9');
 $phpbb_root_path = __DIR__ . '/../';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);
 
diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql
index c9afe0176b..45685051f2 100644
--- a/phpBB/install/schemas/schema_data.sql
+++ b/phpBB/install/schemas/schema_data.sql
@@ -279,7 +279,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.9-RC1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.9');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
 
-- 
cgit v1.2.1


From 4f39da4343c465f6d6e0053090d2619c14a908b1 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sat, 4 Jan 2020 10:17:57 +0100
Subject: [prep-release-3.2.9] Add migration for 3.2.9

---
 phpBB/phpbb/db/migration/data/v32x/v329.php | 37 +++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 phpBB/phpbb/db/migration/data/v32x/v329.php

(limited to 'phpBB')

diff --git a/phpBB/phpbb/db/migration/data/v32x/v329.php b/phpBB/phpbb/db/migration/data/v32x/v329.php
new file mode 100644
index 0000000000..e88e264aef
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v32x/v329.php
@@ -0,0 +1,37 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v329 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.9', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v329rc1',
+			'\phpbb\db\migration\data\v32x\user_emoji_permission',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.9')),
+		);
+	}
+}
-- 
cgit v1.2.1


From 2fdd46b36431ae0f58bb2e78e42553168db9a0ff Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sat, 4 Jan 2020 11:28:54 +0100
Subject: [prep-release-3.2.9] Update changelog for 3.2.9

---
 phpBB/docs/CHANGELOG.html | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

(limited to 'phpBB')

diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 33faa961a1..45300c4986 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -50,6 +50,7 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ul>
+		<li><a href="#v329rc1">Changes since 3.2.9-RC1</a></li>
 		<li><a href="#v328">Changes since 3.2.8</a></li>
 		<li><a href="#v328rc1">Changes since 3.2.8-RC1</a></li>
 		<li><a href="#v327">Changes since 3.2.7</a></li>
@@ -141,6 +142,30 @@
 		<div class="inner">
 
 		<div class="content">
+			<a name="v329rc1"></a><h3>Changes since 3.2.9-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15592">PHPBB3-15592</a>] - &quot;Place inline&quot; button appears when BBcode is disabled (Post settings)</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16269">PHPBB3-16269</a>] - Sphinx backend indexes HTML markup as keywords</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16282">PHPBB3-16282</a>] - Default jQuery CDN URL is outdated on new installs</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16271">PHPBB3-16271</a>] - Add support for 3.3.x API documentation</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16279">PHPBB3-16279</a>] - Add permission for Emojii in topic title</li>
+			</ul>
+			<h4>Security</h4>
+			<ul>
+				<li>[SECURITY-249] - Group avatar overwrite on invalid submit</li>
+				<li>[SECURITY-250] - Group leader can be tricked into approving user</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[SECURITY-251] - Unwanted move of PMs to folders</li>
+				<li>[SECURITY-252] - PMs of unsuspecting users can be marked as important</li>
+				<li>[SECURITY-253] - PM export without proper validation</li>
+			</ul>
+
 			<a name="v328"></a><h3>Changes since 3.2.8</h3>
 			<h4>Bug</h4>
 			<ul>
-- 
cgit v1.2.1