fixed bugs #1437, #686 (only changed old update scripts), #1426 and #1424

fixed username validation if username is already parsed through htmlspecialchars or user try to enforce invalid characters.


git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@3522 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/includes/bbcode.php

@@ -576,6 +576,9 @@ function bbencode_second_pass_code($text, $uid, $bbcode_tpl)
 		// Replace tabs with "   " so tabbed code indents sorta right without making huge long lines.
 		$after_replace = str_replace("\t", "   ", $after_replace);
 
+		// now Replace space occurring at the beginning of a line
+		$after_replace = preg_replace("/^ {1}/m", ' ', $after_replace);
+
 		$str_to_match = "[code:1:$uid]" . $before_replace . "[/code:1:$uid]";
 
 		$replacement = $code_start_html;

phpBB/includes/functions_validate.php

@@ -99,7 +99,7 @@ function validate_username($username)
 	$db->sql_freeresult($result);
 
 	// Don't allow " in username.
-	if (strstr($username, '"'))
+	if (strstr($username, '"') || strstr($username, '"'))
 	{
 		return array('error' => true, 'error_msg' => $lang['Username_invalid']);
 	}

phpBB/includes/usercp_register.php

@@ -799,6 +799,15 @@ else
 		$template->assign_block_vars('switch_edit_profile', array());
 	}
 
+	if ( ($mode == 'register') || ($board_config['allow_namechange']) )
+	{
+		$template->assign_block_vars('switch_namechange_allowed', array());
+	}
+	else
+	{
+		$template->assign_block_vars('switch_namechange_disallowed', array());
+	}
+
 	//
 	// Let's do an overall check for settings/versions which would prevent
 	// us from doing file uploads....

phpBB/install/update_to_202.php

@@ -285,7 +285,7 @@ switch ( $row['config_value'] )
 				   --------------------------------------------------------------------- */
 				$sql[] = "CREATE TABLE Tmp_" . GROUPS_TABLE . " 
 					(group_id int IDENTITY (1, 1) NOT NULL, group_type smallint NULL, group_name varchar(50) NOT NULL, group_description varchar(255) NOT NULL, group_moderator int NULL, group_single_user smallint NOT NULL) ON [PRIMARY]";
-				$sql[] = "INSERT INTO Tmp_" . GROPUS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
+				$sql[] = "INSERT INTO Tmp_" . GROUPS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
 						SELECT group_id, group_type, group_name, group_description, group_moderator, group_single_user FROM " . GROUPS_TABLE . " TABLOCKX";
 				$sql[] = "DROP TABLE " . GROUPS_TABLE;
 				$sql[] = "EXECUTE sp_rename N'Tmp_" . GROUPS_TABLE . "', N'" . GROUPS_TABLE . "', 'OBJECT'";
@@ -398,7 +398,7 @@ switch ( $row['config_value'] )
 				   --------------------------------------------------------------------- */
 				$sql[] = "CREATE TABLE Tmp_" . GROUPS_TABLE . " 
 					(group_id int IDENTITY (1, 1) NOT NULL, group_type smallint NULL, group_name varchar(50) NOT NULL, group_description varchar(255) NOT NULL, group_moderator int NULL, group_single_user smallint NOT NULL) ON [PRIMARY]";
-				$sql[] = "INSERT INTO Tmp_" . GROPUS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
+				$sql[] = "INSERT INTO Tmp_" . GROUPS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
 						SELECT group_id, group_type, group_name, group_description, group_moderator, group_single_user FROM " . GROUPS_TABLE . " TABLOCKX";
 				$sql[] = "DROP TABLE " . GROUPS_TABLE;
 				$sql[] = "EXECUTE sp_rename N'Tmp_" . GROUPS_TABLE . "', N'" . GROUPS_TABLE . "', 'OBJECT'";
@@ -429,7 +429,7 @@ switch ( $row['config_value'] )
 				   --------------------------------------------------------------------- */
 				$sql[] = "CREATE TABLE Tmp_" . GROUPS_TABLE . " 
 					(group_id int IDENTITY (1, 1) NOT NULL, group_type smallint NULL, group_name varchar(50) NOT NULL, group_description varchar(255) NOT NULL, group_moderator int NULL, group_single_user smallint NOT NULL) ON [PRIMARY]";
-				$sql[] = "INSERT INTO Tmp_" . GROPUS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
+				$sql[] = "INSERT INTO Tmp_" . GROUPS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
 						SELECT group_id, group_type, group_name, group_description, group_moderator, group_single_user FROM " . GROUPS_TABLE . " TABLOCKX";
 				$sql[] = "DROP TABLE " . GROUPS_TABLE;
 				$sql[] = "EXECUTE sp_rename N'Tmp_" . GROUPS_TABLE . "', N'" . GROUPS_TABLE . "', 'OBJECT'";

phpBB/install/update_to_203.php

@@ -285,7 +285,7 @@ switch ( $row['config_value'] )
 				   --------------------------------------------------------------------- */
 				$sql[] = "CREATE TABLE Tmp_" . GROUPS_TABLE . "
 					(group_id int IDENTITY (1, 1) NOT NULL, group_type smallint NULL, group_name varchar(50) NOT NULL, group_description varchar(255) NOT NULL, group_moderator int NULL, group_single_user smallint NOT NULL) ON [PRIMARY]";
-				$sql[] = "INSERT INTO Tmp_" . GROPUS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
+				$sql[] = "INSERT INTO Tmp_" . GROUPS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
 						SELECT group_id, group_type, group_name, group_description, group_moderator, group_signle_user FROM " . GROUPS_TABLE . " TABLOCKX";
 				$sql[] = "DROP TABLE " . GROUPS_TABLE;
 				$sql[] = "EXECUTE sp_rename N'Tmp_" . GROUPS_TABLE . "', N'" . GROUPS_TABLE . "', 'OBJECT'";
@@ -398,7 +398,7 @@ switch ( $row['config_value'] )
 				   --------------------------------------------------------------------- */
 				$sql[] = "CREATE TABLE Tmp_" . GROUPS_TABLE . "
 					(group_id int IDENTITY (1, 1) NOT NULL, group_type smallint NULL, group_name varchar(50) NOT NULL, group_description varchar(255) NOT NULL, group_moderator int NULL, group_single_user smallint NOT NULL) ON [PRIMARY]";
-				$sql[] = "INSERT INTO Tmp_" . GROPUS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
+				$sql[] = "INSERT INTO Tmp_" . GROUPS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
 						SELECT group_id, group_type, group_name, group_description, group_moderator, group_signle_user FROM " . GROUPS_TABLE . " TABLOCKX";
 				$sql[] = "DROP TABLE " . GROUPS_TABLE;
 				$sql[] = "EXECUTE sp_rename N'Tmp_" . GROUPS_TABLE . "', N'" . GROUPS_TABLE . "', 'OBJECT'";
@@ -429,7 +429,7 @@ switch ( $row['config_value'] )
 				   --------------------------------------------------------------------- */
 				$sql[] = "CREATE TABLE Tmp_" . GROUPS_TABLE . "
 					(group_id int IDENTITY (1, 1) NOT NULL, group_type smallint NULL, group_name varchar(50) NOT NULL, group_description varchar(255) NOT NULL, group_moderator int NULL, group_single_user smallint NOT NULL) ON [PRIMARY]";
-				$sql[] = "INSERT INTO Tmp_" . GROPUS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
+				$sql[] = "INSERT INTO Tmp_" . GROUPS_TABLE . " (group_id, group_type, group_name, group_description, group_moderator, group_single_user)
 						SELECT group_id, group_type, group_name, group_description, group_moderator, group_signle_user FROM " . GROUPS_TABLE . " TABLOCKX";
 				$sql[] = "DROP TABLE " . GROUPS_TABLE;
 				$sql[] = "EXECUTE sp_rename N'Tmp_" . GROUPS_TABLE . "', N'" . GROUPS_TABLE . "', 'OBJECT'";

phpBB/privmsg.php

@@ -1710,8 +1710,11 @@ else if ( $submit || $refresh || $mode != '' )
 	//
 	generate_smilies('inline', PAGE_PRIVMSGS);
 
+	$privmsg_subject = preg_replace($html_entities_match, $html_entities_replace, $privmsg_subject);
+	$privmsg_subject = str_replace('"', '"', $privmsg_subject);
+
 	$template->assign_vars(array(
-		'SUBJECT' => preg_replace($html_entities_match, $html_entities_replace, $privmsg_subject), 
+		'SUBJECT' => $privmsg_subject, 
 		'USERNAME' => preg_replace($html_entities_match, $html_entities_replace, $to_username),
 		'MESSAGE' => $privmsg_message,
 		'HTML_STATUS' => $html_status, 

phpBB/templates/subSilver/profile_add_body.tpl

@@ -16,10 +16,18 @@
 	<tr> 
 		<td class="row2" colspan="2"><span class="gensmall">{L_ITEMS_REQUIRED}</span></td>
 	</tr>
+	<!-- BEGIN switch_namechange_disallowed -->
+	<tr> 
+		<td class="row1" width="38%"><span class="gen">{L_USERNAME}: *</span></td>
+		<td class="row2"><input type="hidden" name="username" value="{USERNAME}" /><span class="gen"><b>{USERNAME}</b></span></td>
+	</tr>
+	<!-- END switch_namechange_disallowed -->
+	<!-- BEGIN switch_namechange_allowed -->
 	<tr> 
 		<td class="row1" width="38%"><span class="gen">{L_USERNAME}: *</span></td>
 		<td class="row2"><input type="text" class="post" style="width:200px" name="username" size="25" maxlength="25" value="{USERNAME}" /></td>
 	</tr>
+	<!-- END switch_namechange_allowed -->
 	<tr> 
 		<td class="row1"><span class="gen">{L_EMAIL_ADDRESS}: *</span></td>
 		<td class="row2"><input type="text" class="post" style="width:200px" name="email" size="25" maxlength="255" value="{EMAIL}" /></td>