Merge branch 'prep-release-3.1.1' into develop-ascraeus

* prep-release-3.1.1:
  [ticket/13271] Disable CC sender feature for anonymous users
  [prep-release-3.1.1] Add 3.1.1 CHANGELOG
  [prep-release-3.1.1] Add 3.1.1 migration file
  [ticket/13263] Make sure default style exists and clean up code
  [ticket/13263] Only install/set prosilver if no style available
  [ticket/13263] Use prosilver as default style if user's style doesn't exist
  [ticket/security-164] Correctly format page_name
  [ticket/security-164] Sanitize all global variables in symfony_request class
  [ticket/13248] Use functional framework login method in tests
  [ticket/13248] Correctly pass provider name
  [ticket/13248] Always use provider collection for getting provider
  [ticket/13248] Allow specifying different auth provider in provider collection
  [ticket/13248] Use auth provider collection for getting provider
  [ticket/13262] Mention htaccess file when updating from 3.0 to 3.1
  [ticket/13267] Update Automatic Update instructions to include vendor directory
  [ticket/13268] Properly append ternary result in get_existing_indexes()
  [prep-release-3.1.1] Update version number to 3.1.1

Conflicts:
	build/build.xml
	phpBB/includes/constants.php
	phpBB/install/schemas/schema_data.sql

build/build.xml

@@ -2,9 +2,9 @@
 
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.1.1-RC1-dev" />
-	<property name="prevversion" value="3.1.0" />
-	<property name="olderversions" value="3.0.12, 3.1.0-a1, 3.1.0-a2, 3.1.0-a3, 3.1.0-b1, 3.1.0-b2, 3.1.0-b3, 3.1.0-b4, 3.1.0-RC1, 3.1.0-RC2, 3.1.0-RC3, 3.1.0-RC4, 3.1.0-RC5, 3.1.0-RC6" />
+	<property name="newversion" value="3.1.2-RC1-dev" />
+	<property name="prevversion" value="3.1.1" />
+	<property name="olderversions" value="3.0.12, 3.1.0-a1, 3.1.0-a2, 3.1.0-a3, 3.1.0-b1, 3.1.0-b2, 3.1.0-b3, 3.1.0-b4, 3.1.0-RC1, 3.1.0-RC2, 3.1.0-RC3, 3.1.0-RC4, 3.1.0-RC5, 3.1.0-RC6, 3.1.0" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />

phpBB/docs/CHANGELOG.html

@@ -46,6 +46,7 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ol style="list-style-type: lower-roman;">
+		<li><a href="#v310">Changes since 3.1.0</a></li>
 		<li><a href="#v310RC6">Changes since 3.1.0-RC6</a></li>
 		<li><a href="#v310RC5">Changes since 3.1.0-RC5</a></li>
 		<li><a href="#v310RC4">Changes since 3.1.0-RC4</a></li>
@@ -100,6 +101,24 @@
 
 		<div class="content">
 
+	<a name="v310"></a><h3>1.i. Changes since 3.1.0</h3>
+
+	<h4>Security</h4>
+	<ul>
+		<li>[SECURITY-164] - Cross Site Scripting via PATH_INFO in page_name variable</li>
+	</ul>
+	<h4>Bug</h4>
+	<ul>
+		<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13248">PHPBB3-13248</a>] - Login functions need to use provider collection for retrieving provider</li>
+		<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13267">PHPBB3-13267</a>] - Automatic Update instructions indicate that only the install folder is necessary</li>
+		<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13268">PHPBB3-13268</a>] - MSSQL's get_existing_indexes() function improperly appends ternary result</li>
+		<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13271">PHPBB3-13271</a>] - Anonymous users can CC themselves on emails sent to admin via contact form</li>
+	</ul>
+	<h4>Task</h4>
+	<ul>
+		<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13262">PHPBB3-13262</a>] - Add note to docs about htaccess file when upgrading 3.0 to 3.1</li>
+	</ul>
+
 	<a name="v310RC6"></a><h3>1.i. Changes since 3.1.0-RC6</h3>
 
 	<h4>Bug</h4>

phpBB/docs/INSTALL.html

@@ -303,7 +303,7 @@
 
 	<ul>
 		<li>Go to the <a href="https://www.phpbb.com/downloads/">downloads page</a> and download the latest update package listed there, matching your current version.</li>
-		<li>Upload the uncompressed archive contents to your phpBB installation - only the install folder is required. Upload the whole install folder, retaining the file structure.</li>
+		<li>Upload the uncompressed archive contents to your phpBB installation - only the <code>install/</code> and <code>vendor/</code> folders are required. Upload these folders in their entirety, retaining the file structure.</li>
 		<li>After the install folder is present, phpBB will go offline automatically.</li>
 		<li>Point your browser to the install directory, for example <code>http://www.example.com/phpBB3/install/</code></li>
 		<li>Choose the "Update" Tab and follow the instructions</li>

phpBB/includes/constants.php

@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-define('PHPBB_VERSION', '3.1.1-RC1-dev');
+define('PHPBB_VERSION', '3.1.2-RC1-dev');
 
 // QA-related
 // define('PHPBB_QA', 1);

phpBB/includes/ucp/ucp_auth_link.php

@@ -34,11 +34,12 @@ class ucp_auth_link
 	*/
 	public function main($id, $mode)
 	{
-		global $config, $request, $template, $phpbb_container, $user;
+		global $request, $template, $phpbb_container, $user;
 
 		$error = array();
 
-		$auth_provider = $phpbb_container->get('auth.provider.' . $config['auth_method']);
+		$provider_collection = $phpbb_container->get('auth.provider_collection');
+		$auth_provider = $provider_collection->get_provider();
 
 		// confirm that the auth provider supports this page
 		$provider_data = $auth_provider->get_auth_link_data();

phpBB/includes/ucp/ucp_login_link.php

@@ -39,7 +39,7 @@ class ucp_login_link
 	*/
 	function main($id, $mode)
 	{
-		global $config, $phpbb_container, $request, $template, $user;
+		global $phpbb_container, $request, $template, $user;
 		global $phpbb_root_path, $phpEx;
 
 		// Initialize necessary variables
@@ -57,8 +57,8 @@ class ucp_login_link
 		}
 
 		// Use the auth_provider requested even if different from configured
-		$auth_provider = 'auth.provider.' . $request->variable('auth_provider', $config['auth_method']);
-		$auth_provider = $phpbb_container->get($auth_provider);
+		$provider_collection = $phpbb_container->get('auth.provider_collection');
+		$auth_provider = $provider_collection->get_provider($request->variable('auth_provider', ''));
 
 		// Set the link_method to login_link
 		$data['link_method'] = 'login_link';

phpBB/includes/ucp/ucp_register.php

@@ -87,8 +87,8 @@ class ucp_register
 		if (!empty($login_link_data))
 		{
 			// Confirm that we have all necessary data
-			$auth_provider = 'auth.provider.' . $request->variable('auth_provider', $config['auth_method']);
-			$auth_provider = $phpbb_container->get($auth_provider);
+			$provider_collection = $phpbb_container->get('auth.provider_collection');
+			$auth_provider = $provider_collection->get_provider($request->variable('auth_provider', ''));
 
 			$result = $auth_provider->login_link_has_necessary_data($login_link_data);
 			if ($result !== null)

phpBB/install/convertors/convert_phpbb20.php

@@ -38,7 +38,7 @@ $dbms = $phpbb_config_php_file->convert_30_dbms_to_31($dbms);
 $convertor_data = array(
 	'forum_name'	=> 'phpBB 2.0.x',
 	'version'		=> '1.0.3',
-	'phpbb_version'	=> '3.1.0',
+	'phpbb_version'	=> '3.1.1',
 	'author'		=> '<a href="https://www.phpbb.com/">phpBB Limited</a>',
 	'dbms'			=> $dbms,
 	'dbhost'		=> $dbhost,

phpBB/install/schemas/schema_data.sql

@@ -273,7 +273,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.1.1-RC1-dev');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.1.2-RC1-dev');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
 

phpBB/language/en/install.php

@@ -547,7 +547,7 @@ $lang = array_merge($lang, array(
 		<ul style="margin-left: 20px; font-size: 1.1em;">
 			<li>Go to the <a href="https://www.phpbb.com/downloads/" title="https://www.phpbb.com/downloads/">phpBB.com downloads page</a> and download the "Automatic Update Package" archive.<br /><br /></li>
 			<li>Unpack the archive.<br /><br /></li>
-			<li>Upload the complete uncompressed install folder to your phpBB root directory (where your config.php file is).<br /><br /></li>
+			<li>Upload the complete uncompressed "install" and "vendor" folders to your phpBB root directory (where your config.php file is).<br /><br /></li>
 		</ul>
 
 		<p>Once uploaded your board will be offline for normal users due to the install directory you uploaded now present.<br /><br />

phpBB/phpbb/auth/auth.php

@@ -927,11 +927,11 @@ class auth
 	*/
 	function login($username, $password, $autologin = false, $viewonline = 1, $admin = 0)
 	{
-		global $config, $db, $user, $phpbb_root_path, $phpEx, $phpbb_container;
+		global $db, $user, $phpbb_root_path, $phpEx, $phpbb_container;
 
-		$method = trim(basename($config['auth_method']));
+		$provider_collection = $phpbb_container->get('auth.provider_collection');
 
-		$provider = $phpbb_container->get('auth.provider.' . $method);
+		$provider = $provider_collection->get_provider();
 		if ($provider)
 		{
 			$login = $provider->login($username, $password);

phpBB/phpbb/auth/provider_collection.php

@@ -38,6 +38,7 @@ class provider_collection extends \phpbb\di\service_collection
 	/**
 	* Get an auth provider.
 	*
+	* @param string $provider_name The name of the auth provider
 	* @return object	Default auth provider selected in config if it
 	*			does exist. Otherwise the standard db auth
 	*			provider.
@@ -46,11 +47,12 @@ class provider_collection extends \phpbb\di\service_collection
 	*			auth provider exist. The db auth provider
 	*			should always exist in a phpBB installation.
 	*/
-	public function get_provider()
+	public function get_provider($provider_name = '')
 	{
-		if ($this->offsetExists('auth.provider.' . basename(trim($this->config['auth_method']))))
+		$provider_name = ($provider_name !== '') ? $provider_name : basename(trim($this->config['auth_method']));
+		if ($this->offsetExists('auth.provider.' . $provider_name))
 		{
-			return $this->offsetGet('auth.provider.' . basename(trim($this->config['auth_method'])));
+			return $this->offsetGet('auth.provider.' . $provider_name);
 		}
 		// Revert to db auth provider if selected method does not exist
 		else if ($this->offsetExists('auth.provider.db'))

phpBB/phpbb/db/migration/data/v31x/style_update.php

@@ -0,0 +1,136 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class style_update extends \phpbb\db\migration\migration
+{
+	static public function depends_on()
+	{
+		return array('\phpbb\db\migration\data\v310\gold');
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('custom', array(array($this, 'update_installed_styles'))),
+		);
+	}
+
+	public function update_installed_styles()
+	{
+		// Get all currently available styles
+		$styles = $this->find_style_dirs();
+		$style_paths = $style_ids = array();
+
+		$sql = 'SELECT style_path, style_id
+				FROM ' . $this->table_prefix . 'styles';
+		$result = $this->db->sql_query($sql);
+		while ($styles_row = $this->db->sql_fetchrow())
+		{
+			if (in_array($styles_row['style_path'], $styles))
+			{
+				$style_paths[] = $styles_row['style_path'];
+				$style_ids[] = $styles_row['style_id'];
+			}
+		}
+		$this->db->sql_freeresult($result);
+
+		// Install prosilver if no style is available and prosilver can be installed
+		if (empty($style_paths) && in_array('prosilver', $styles))
+		{
+			// Try to parse config file
+			$cfg = parse_cfg_file($this->phpbb_root_path . 'styles/prosilver/style.cfg');
+
+			// Stop running this if prosilver cfg file can't be read
+			if (empty($cfg))
+			{
+				throw new \RuntimeException('No styles available and could not fall back to prosilver.');
+			}
+
+			$style = array(
+				'style_name'		=> 'prosilver',
+				'style_copyright'	=> '&copy; phpBB Limited',
+				'style_active'		=> 1,
+				'style_path'		=> 'prosilver',
+				'bbcode_bitfield'	=> 'kNg=',
+				'style_parent_id'	=> 0,
+				'style_parent_tree'	=> '',
+			);
+
+			// Add to database
+			$this->db->sql_transaction('begin');
+
+			$sql = 'INSERT INTO ' . $this->table_prefix . 'styles
+					' . $this->db->sql_build_array('INSERT', $style);
+			$this->db->sql_query($sql);
+
+			$style_id = $this->db->sql_nextid();
+			$style_ids[] = $style_id;
+
+			$this->db->sql_transaction('commit');
+
+			// Set prosilver to default style
+			$this->config->set('default_style', $style_id);
+		}
+		else if (empty($styles) && empty($available_styles))
+		{
+			throw new \RuntimeException('No valid styles available');
+		}
+
+		// Make sure default style is available
+		if (!in_array($this->config['default_style'], $style_ids))
+		{
+			$this->config->set('default_style', array_pop($style_ids));
+		}
+
+		// Reset users to default style if their user_style is nonexistent
+		$sql = 'UPDATE ' . $this->table_prefix . "users
+			SET user_style = {$this->config['default_style']}
+			WHERE " . $this->db->sql_in_set('user_style', $style_ids, true, true);
+		$this->db->sql_query($sql);
+	}
+
+	/**
+	 * Find all directories that have styles
+	 * Copied from acp_styles
+	 *
+	 * @return array Directory names
+	 */
+	protected function find_style_dirs()
+	{
+		$styles = array();
+		$styles_path = $this->phpbb_root_path . 'styles/';
+
+		$dp = @opendir($styles_path);
+		if ($dp)
+		{
+			while (($file = readdir($dp)) !== false)
+			{
+				$dir = $styles_path . $file;
+				if ($file[0] == '.' || !is_dir($dir))
+				{
+					continue;
+				}
+
+				if (file_exists("{$dir}/style.cfg"))
+				{
+					$styles[] = $file;
+				}
+			}
+			closedir($dp);
+		}
+
+		return $styles;
+	}
+}

phpBB/phpbb/db/migration/data/v31x/v311.php

@@ -0,0 +1,32 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class v311 extends \phpbb\db\migration\migration
+{
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v310\gold',
+			'\phpbb\db\migration\data\v31x\style_update',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.1.1')),
+		);
+	}
+}

phpBB/phpbb/db/tools.php

@@ -2643,7 +2643,7 @@ class tools
 							AND cols.id = ix.id
 					WHERE ix.id = object_id('{$table_name}')
 						AND cols.name = '{$column_name}'
-						AND INDEXPROPERTY(ix.id, ix.name, 'IsUnique') = " . ($unique) ? '1' : '0';
+						AND INDEXPROPERTY(ix.id, ix.name, 'IsUnique') = " . ($unique ? '1' : '0');
 				}
 				else
 				{
@@ -2657,7 +2657,7 @@ class tools
 							AND cols.object_id = ix.object_id
 					WHERE ix.object_id = object_id('{$table_name}')
 						AND cols.name = '{$column_name}'
-						AND ix.is_unique = " . ($unique) ? '1' : '0';
+						AND ix.is_unique = " . ($unique ? '1' : '0');
 				}
 			break;
 

phpBB/phpbb/message/form.php

@@ -146,7 +146,7 @@ abstract class form
 				WHERE user_id = ' . $this->user->data['user_id'];
 			$this->db->sql_query($sql);
 
-			if ($this->cc_sender)
+			if ($this->cc_sender && $this->user->data['is_registered'])
 			{
 				$this->message->cc_sender();
 			}

phpBB/phpbb/session.php

@@ -87,7 +87,7 @@ class session
 		$symfony_request_path = $phpbb_filesystem->clean_path($symfony_request->getPathInfo());
 		if ($symfony_request_path !== '/')
 		{
-			$page_name .= $symfony_request_path;
+			$page_name .= str_replace('%2F', '/', urlencode($symfony_request_path));
 		}
 
 		// current directory within the phpBB root (for example: adm)

phpBB/phpbb/symfony_request.php

@@ -38,6 +38,9 @@ class symfony_request extends Request
 
 		array_walk_recursive($get_parameters, $sanitizer);
 		array_walk_recursive($post_parameters, $sanitizer);
+		array_walk_recursive($server_parameters, $sanitizer);
+		array_walk_recursive($files_parameters, $sanitizer);
+		array_walk_recursive($cookie_parameters, $sanitizer);
 
 		parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters);
 	}

phpBB/styles/prosilver/style.cfg

@@ -21,8 +21,8 @@
 # General Information about this style
 name = prosilver
 copyright = © phpBB Limited, 2007
-style_version = 3.1.0
-phpbb_version = 3.1.0
+style_version = 3.1.1
+phpbb_version = 3.1.1
 
 # Defining a different template bitfield
 # template_bitfield = lNg=

phpBB/styles/prosilver/template/memberlist_email.html

@@ -77,10 +77,12 @@
 			<span>{L_EMAIL_BODY_EXPLAIN}</span></dt>
 			<dd><textarea class="inputbox" name="message" id="message" rows="15" cols="76" tabindex="4">{MESSAGE}</textarea></dd>
 		</dl>
+		<!-- IF S_REGISTERED_USER -->
 		<dl>
 			<dt>&nbsp;</dt>
 			<dd><label for="cc_email"><input type="checkbox" name="cc_email" id="cc_email" value="1" checked="checked" tabindex="5" /> {L_CC_EMAIL}</label></dd>
 		</dl>
+		<!-- ENDIF -->
 		</fieldset>
 	</div>
 

phpBB/styles/subsilver2/style.cfg

@@ -21,8 +21,8 @@
 # General Information about this style
 name = subsilver2
 copyright = © 2005 phpBB Limited
-style_version = 3.1.0
-phpbb_version = 3.1.0
+style_version = 3.1.1
+phpbb_version = 3.1.1
 
 # Defining a different template bitfield
 # template_bitfield = lNg=

phpBB/styles/subsilver2/template/memberlist_email.html

@@ -66,6 +66,7 @@
 		<td class="row1" valign="top"><b class="genmed">{L_MESSAGE_BODY}</b><br /><span class="gensmall">{L_EMAIL_BODY_EXPLAIN}</span></td>
 		<td class="row2"><textarea class="post" name="message" rows="15" cols="76" tabindex="3">{MESSAGE}</textarea></td>
 	</tr>
+	<!-- IF S_REGISTERED_USER -->
 	<tr>
 		<td class="row1" valign="top"><span class="gen"><b>{L_OPTIONS}</b></span></td>
 		<td class="row2">
@@ -77,6 +78,7 @@
 			</table>
 		</td>
 	</tr>
+	<!-- ENDIF -->
 	<tr>
 		<td class="cat" colspan="2" align="center"><input type="submit" tabindex="6" name="submit" class="btnmain" value="{L_SEND_EMAIL}" /></td>
 	</tr>

tests/functional/auth_test.php

@@ -33,6 +33,25 @@ class phpbb_functional_auth_test extends phpbb_functional_test_case
 		$this->assertContains('anothertestuser', $crawler->filter('#username_logged_in')->text());
 	}
 
+	/**
+	 * @dependsOn test_login_other
+	 */
+	public function test_login_ucp_other_auth_provider()
+	{
+		global $cache, $config;
+		$cache = new phpbb_mock_null_cache;
+		$db = $this->get_db();
+		$sql = 'UPDATE ' . CONFIG_TABLE . " SET config_value = 'foobar' WHERE config_name = 'auth_method'";
+		$db->sql_query($sql);
+		$config['auth_method'] = 'foobar';
+		$this->login('anothertestuser');
+		$crawler = self::request('GET', 'index.php');
+		$this->assertContains('anothertestuser', $crawler->filter('#username_logged_in')->text());
+		$sql = 'UPDATE ' . CONFIG_TABLE . " SET config_value = 'db' WHERE config_name =  'auth_method'";
+		$db->sql_query($sql);
+		$config['auth_method'] = 'db';
+	}
+
 	/**
 	* @depends test_login
 	*/