+
Changes since 3.2.8-RC1
+
Bug
+
+ - [PHPBB3-15467] - Permission settings do not take affect when set using All YES/NO/NEVER
+ - [PHPBB3-16123] - PHP error (Array to string conversion) on new user registration if email address is banned and " Reason shown to the banned" is empty
+ - [PHPBB3-16136] - Missing word in 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED'
+
+
Improvement
+
+ - [PHPBB3-16134] - Exclude group leaders on group member purge
+
+
Security Issue
+
+ - [SECURITY-243] - CSS injection via BBCode tag
+ - [SECURITY-244] - Missing form token check when handling attachments
+ - [SECURITY-246] - Missing form token check when managing BBCodes
+
+
Hardening
+
+ - [SECURITY-247] - Disable MySQLi local infile to prevent local file inclusion
+
+
Changes since 3.2.7
Bug
+
Hardening
+
Changes since 3.2.6
Bug
diff --git a/phpBB/docs/CREDITS.txt b/phpBB/docs/CREDITS.txt
index 337c9cf536..64f5588bac 100644
--- a/phpBB/docs/CREDITS.txt
+++ b/phpBB/docs/CREDITS.txt
@@ -1,7 +1,7 @@
/**
*
-* phpBB © Copyright phpBB Limited 2003-2016
-* http://www.phpbb.com
+* phpBB © Copyright phpBB Limited 2003-2019
+* https://www.phpbb.com
*
* phpBB is free software. You can redistribute it and/or modify it
* under the terms of the GNU General Public License, version 2 (GPL-2.0)
@@ -27,7 +27,6 @@ phpBB Developers: bantu (Andreas Fischer)
Derky (Derk Ruitenbeek)
Elsensee (Oliver Schramm)
Hanakin (Michael Miday)
- MichaelC (Michael Cullum)
Nicofuma (Tristan Darricau)
rubencm (Rubén Calvo)
@@ -63,6 +62,7 @@ phpBB Developers: A_Jelly_Doughnut (Josh Woody) [01/2010 - 11/2010]
igorw (Igor Wiedler) [08/2010 - 02/2013]
imkingdavid (David King) [11/2012 - 06/2014]
kellanved (Henry Sudhof) [04/2007 - 03/2011]
+ MichaelC (Michael Cullum) [11/2017 - 09/2019]
nickvergessen (Joas Schilling)[04/2010 - 12/2015]
Oleg (Oleg Pudeyev) [01/2011 - 05/2013]
prototech (Cesar Gallegos) [01/2014 - 12/2016]
diff --git a/phpBB/includes/acp/acp_bbcodes.php b/phpBB/includes/acp/acp_bbcodes.php
index b59f9e3a39..5360ab0f7b 100644
--- a/phpBB/includes/acp/acp_bbcodes.php
+++ b/phpBB/includes/acp/acp_bbcodes.php
@@ -33,7 +33,6 @@ class acp_bbcodes
// Set up general vars
$action = $request->variable('action', '');
$bbcode_id = $request->variable('bbcode', 0);
- $submit = $request->is_set_post('submit');
$this->tpl_name = 'acp_bbcodes';
$this->page_title = 'ACP_BBCODES';
@@ -41,11 +40,6 @@ class acp_bbcodes
add_form_key($form_key);
- if ($submit && !check_form_key($form_key))
- {
- trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
- }
-
// Set up mode-specific vars
switch ($action)
{
@@ -179,6 +173,12 @@ class acp_bbcodes
extract($phpbb_dispatcher->trigger_event('core.acp_bbcodes_modify_create', compact($vars)));
$warn_text = preg_match('%<[^>]*\{text[\d]*\}[^>]*>%i', $bbcode_tpl);
+
+ if (!$warn_text && !check_form_key($form_key))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
if (!$warn_text || confirm_box(true))
{
$data = $this->build_regexp($bbcode_match, $bbcode_tpl);
diff --git a/phpBB/includes/acp/acp_prune.php b/phpBB/includes/acp/acp_prune.php
index 3eee4f7922..c5f7789de8 100644
--- a/phpBB/includes/acp/acp_prune.php
+++ b/phpBB/includes/acp/acp_prune.php
@@ -537,6 +537,7 @@ class acp_prune
AND ug.user_id <> ' . ANONYMOUS . '
AND u.user_type <> ' . USER_FOUNDER . '
AND ug.user_pending = 0
+ AND ug.group_leader = 0
AND u.user_id = ug.user_id
' . (!empty($user_ids) ? ' AND ' . $db->sql_in_set('ug.user_id', $user_ids) : '');
$result = $db->sql_query($sql);
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index e4fb568f0c..919f17bb1b 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1945,9 +1945,10 @@ function validate_user_email($email, $allowed_email = false)
return $validate_email;
}
- if (($ban = $user->check_ban(false, false, $email, true)) !== false)
+ $ban = $user->check_ban(false, false, $email, true);
+ if (!empty($ban))
{
- return ($ban === true) ? 'EMAIL_BANNED' : (!empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : $ban);
+ return !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED';
}
if (!$config['allow_emailreuse'])
diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php
index 0b79cca864..e1c28223dc 100644
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@@ -1524,6 +1524,35 @@ class parse_message extends bbcode_firstpass
}
}
+ /**
+ * Check attachment form token depending on submit type
+ *
+ * @param \phpbb\language\language $language Language
+ * @param \phpbb\request\request_interface $request Request
+ * @param string $form_name Form name for checking form key
+ *
+ * @return bool True if form token is not needed or valid, false if needed and invalid
+ */
+ function check_attachment_form_token(\phpbb\language\language $language, \phpbb\request\request_interface $request, $form_name)
+ {
+ $add_file = $request->is_set_post('add_file');
+ $delete_file = $request->is_set_post('delete_file');
+
+ if (($add_file || $delete_file) && !check_form_key($form_name))
+ {
+ $this->warn_msg[] = $language->lang('FORM_INVALID');
+
+ if ($request->is_ajax() && $this->plupload)
+ {
+ $this->plupload->emit_error(-400, 'FORM_INVALID');
+ }
+
+ return false;
+ }
+
+ return true;
+ }
+
/**
* Parse Attachments
*/
diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php
index cb45112b01..06baa279a5 100644
--- a/phpBB/includes/ucp/ucp_pm_compose.php
+++ b/phpBB/includes/ucp/ucp_pm_compose.php
@@ -26,7 +26,7 @@ if (!defined('IN_PHPBB'))
function compose_pm($id, $mode, $action, $user_folders = array())
{
global $template, $db, $auth, $user, $cache;
- global $phpbb_root_path, $phpEx, $config;
+ global $phpbb_root_path, $phpEx, $config, $language;
global $request, $phpbb_dispatcher, $phpbb_container;
// Damn php and globals - i know, this is horrible
@@ -799,7 +799,10 @@ function compose_pm($id, $mode, $action, $user_folders = array())
extract($phpbb_dispatcher->trigger_event('core.ucp_pm_compose_modify_parse_before', compact($vars)));
// Parse Attachments - before checksum is calculated
- $message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true);
+ if ($message_parser->check_attachment_form_token($language, $request, 'ucp_pm_compose'))
+ {
+ $message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true);
+ }
if (count($message_parser->warn_msg) && !($remove_u || $remove_g || $add_to || $add_bcc))
{
diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php
index 3a00e61bf7..83958b19b4 100644
--- a/phpBB/language/en/common.php
+++ b/phpBB/language/en/common.php
@@ -91,7 +91,7 @@ $lang = array_merge($lang, array(
'ATTACHED_IMAGE_NOT_IMAGE' => 'The image file you tried to attach is invalid.',
'AUTHOR' => 'Author',
'AUTH_NO_PROFILE_CREATED' => 'The creation of a user profile was unsuccessful.',
- 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED' => 'The account is already linked with other user.',
+ 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED' => 'This external service is already associated with another board account.',
'AUTH_PROVIDER_OAUTH_ERROR_INVALID_ENTRY' => 'Invalid database entry.',
'AUTH_PROVIDER_OAUTH_ERROR_INVALID_SERVICE_TYPE' => 'Invalid service type provided to OAuth service handler.',
'AUTH_PROVIDER_OAUTH_ERROR_SERVICE_NOT_CREATED' => 'OAuth service not created',
diff --git a/phpBB/phpbb/db/driver/mysqli.php b/phpBB/phpbb/db/driver/mysqli.php
index df8b88c315..0c1c063262 100644
--- a/phpBB/phpbb/db/driver/mysqli.php
+++ b/phpBB/phpbb/db/driver/mysqli.php
@@ -68,6 +68,9 @@ class mysqli extends \phpbb\db\driver\mysql_base
if ($this->db_connect_id && $this->dbname != '')
{
+ // Disable loading local files on client side
+ @mysqli_options($this->db_connect_id, MYSQLI_OPT_LOCAL_INFILE, false);
+
@mysqli_query($this->db_connect_id, "SET NAMES 'utf8'");
// enforce strict mode on databases that support it
diff --git a/phpBB/phpbb/db/migration/data/v32x/v328.php b/phpBB/phpbb/db/migration/data/v32x/v328.php
new file mode 100644
index 0000000000..28ff2c7033
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v32x/v328.php
@@ -0,0 +1,36 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v328 extends \phpbb\db\migration\migration
+{
+ public function effectively_installed()
+ {
+ return phpbb_version_compare($this->config['version'], '3.2.8', '>=');
+ }
+
+ static public function depends_on()
+ {
+ return array(
+ '\phpbb\db\migration\data\v32x\v328rc1',
+ );
+ }
+
+ public function update_data()
+ {
+ return array(
+ array('config.update', array('version', '3.2.8')),
+ );
+ }
+}
diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php
index 6191b9a315..dca1c78d40 100644
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@@ -110,7 +110,7 @@ class factory implements \phpbb\textformatter\cache_interface
'i' => '
',
'u' => '
',
'img' => '
',
- 'size' => '
',
+ 'size' => '
font-size: %; line-height: normal',
'color' => '
',
'email' => '
diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php
index 3698dca224..a36fc63141 100644
--- a/phpBB/phpbb/textformatter/s9e/parser.php
+++ b/phpBB/phpbb/textformatter/s9e/parser.php
@@ -342,7 +342,7 @@ class parser implements \phpbb\textformatter\parser_interface
return false;
}
- if ($size < 1)
+ if ($size < 1 || !is_numeric($size))
{
return false;
}
diff --git a/phpBB/posting.php b/phpBB/posting.php
index e4ba0303cc..20f6ddf8e5 100644
--- a/phpBB/posting.php
+++ b/phpBB/posting.php
@@ -974,7 +974,10 @@ if ($submit || $preview || $refresh)
}
// Parse Attachments - before checksum is calculated
- $message_parser->parse_attachments('fileupload', $mode, $forum_id, $submit, $preview, $refresh);
+ if ($message_parser->check_attachment_form_token($language, $request, 'posting'))
+ {
+ $message_parser->parse_attachments('fileupload', $mode, $forum_id, $submit, $preview, $refresh);
+ }
/**
* This event allows you to modify message text before parsing
diff --git a/phpBB/styles/prosilver/template/plupload.html b/phpBB/styles/prosilver/template/plupload.html
index 1eb84372e8..593070321d 100644
--- a/phpBB/styles/prosilver/template/plupload.html
+++ b/phpBB/styles/prosilver/template/plupload.html
@@ -57,6 +57,7 @@ phpbb.plupload = {
lang: {
ERROR: '{LA_ERROR}',
TOO_MANY_ATTACHMENTS: '{LA_TOO_MANY_ATTACHMENTS}',
+ FORM_INVALID: '{LA_FORM_INVALID}',
},
order: '{ATTACH_ORDER}',
maxFiles: {MAX_ATTACHMENTS},
diff --git a/tests/functional/fileupload_form_test.php b/tests/functional/fileupload_form_test.php
index b0838344de..b2f230b66f 100644
--- a/tests/functional/fileupload_form_test.php
+++ b/tests/functional/fileupload_form_test.php
@@ -46,6 +46,13 @@ class phpbb_functional_fileupload_form_test extends phpbb_functional_test_case
private function upload_file($filename, $mimetype)
{
+ $crawler = self::$client->request(
+ 'GET',
+ 'posting.php?mode=reply&f=2&t=1&sid=' . $this->sid
+ );
+
+ $file_form_data = array_merge(['add_file' => $this->lang('ADD_FILE')], $this->get_hidden_fields($crawler, 'posting.php?mode=reply&f=2&t=1&sid=' . $this->sid));
+
$file = array(
'tmp_name' => $this->path . $filename,
'name' => $filename,
@@ -57,7 +64,7 @@ class phpbb_functional_fileupload_form_test extends phpbb_functional_test_case
$crawler = self::$client->request(
'POST',
'posting.php?mode=reply&f=2&t=1&sid=' . $this->sid,
- array('add_file' => $this->lang('ADD_FILE')),
+ $file_form_data,
array('fileupload' => $file)
);
diff --git a/tests/functional/plupload_test.php b/tests/functional/plupload_test.php
index c3b2e5b9eb..b7b5b08360 100644
--- a/tests/functional/plupload_test.php
+++ b/tests/functional/plupload_test.php
@@ -76,6 +76,10 @@ class phpbb_functional_plupload_test extends phpbb_functional_test_case
$chunk_size = ceil(filesize($this->path . 'valid.jpg') / self::CHUNKS);
$handle = fopen($this->path . 'valid.jpg', 'rb');
+ $crawler = self::$client->request('POST', $url . '&sid=' . $this->sid);
+
+ $file_form_data = $this->get_hidden_fields($crawler, $url);
+
for ($i = 0; $i < self::CHUNKS; $i++)
{
$chunk = fread($handle, $chunk_size);
@@ -94,13 +98,13 @@ class phpbb_functional_plupload_test extends phpbb_functional_test_case
$crawler = self::$client->request(
'POST',
$url . '&sid=' . $this->sid,
- array(
+ array_merge(array(
'chunk' => $i,
'chunks' => self::CHUNKS,
'name' => md5('valid') . '.jpg',
'real_filename' => 'valid.jpg',
'add_file' => $this->lang('ADD_FILE'),
- ),
+ ), $file_form_data),
array('fileupload' => $file),
array('X-PHPBB-USING-PLUPLOAD' => '1')
);
@@ -134,17 +138,19 @@ class phpbb_functional_plupload_test extends phpbb_functional_test_case
'error' => UPLOAD_ERR_OK,
);
+ $file_form_data = $this->get_hidden_fields(null, $url);
+
self::$client->setServerParameter('HTTP_X_PHPBB_USING_PLUPLOAD', '1');
self::$client->request(
'POST',
$url . '&sid=' . $this->sid,
- array(
+ array_merge(array(
'chunk' => '0',
'chunks' => '1',
'name' => md5('valid') . '.jpg',
'real_filename' => 'valid.jpg',
'add_file' => $this->lang('ADD_FILE'),
- ),
+ ), $file_form_data),
array('fileupload' => $file)
);
diff --git a/tests/functions/fixtures/validate_email.xml b/tests/functions/fixtures/validate_email.xml
index eb4fd90217..fa139f6f18 100644
--- a/tests/functions/fixtures/validate_email.xml
+++ b/tests/functions/fixtures/validate_email.xml
@@ -1,5 +1,29 @@
+
+ ban_id
+ ban_userid
+ ban_exclude
+ ban_end
+ ban_email
+ ban_give_reason
+
+ 1
+ 0
+ 0
+ 0
+ banned@example.com
+
+
+
+ 2
+ 0
+ 0
+ 0
+ banned2@example.com
+ just because
+
+
user_id
username
diff --git a/tests/functions/validate_user_email_test.php b/tests/functions/validate_user_email_test.php
index a05a7808a4..eeb5bfc2a9 100644
--- a/tests/functions/validate_user_email_test.php
+++ b/tests/functions/validate_user_email_test.php
@@ -28,10 +28,16 @@ class phpbb_functions_validate_user_email_test extends phpbb_database_test_case
protected function setUp(): void
{
+ global $cache, $phpbb_dispatcher, $phpbb_root_path, $phpEx;
+
parent::setUp();
+ $cache = new \phpbb\cache\driver\file();
+ $cache->purge();
$this->db = $this->new_dbal();
- $this->user = new phpbb_mock_user;
+ $phpbb_dispatcher = new phpbb_mock_event_dispatcher();
+ $language = new phpbb\language\language(new phpbb\language\language_file_loader($phpbb_root_path, $phpEx));
+ $this->user = new phpbb\user($language, '\phpbb\datetime');
$this->helper = new phpbb_functions_validate_data_helper($this);
}
@@ -47,7 +53,6 @@ class phpbb_functions_validate_user_email_test extends phpbb_database_test_case
$config['email_check_mx'] = $check_mx;
$db = $this->db;
$user = $this->user;
- $user->optionset('banned_users', array('banned@example.com'));
}
public static function validate_user_email_data()
@@ -58,7 +63,8 @@ class phpbb_functions_validate_user_email_test extends phpbb_database_test_case
array('valid_complex', array(), "'%$~test@example.com"),
array('invalid', array('EMAIL_INVALID'), 'fööbar@example.com'),
array('taken', array('EMAIL_TAKEN'), 'admin@example.com'),
- array('banned', array('EMAIL_BANNED'), 'banned@example.com'),
+ array('banned', ['just because'], 'banned2@example.com'),
+ array('banned', ['EMAIL_BANNED'], 'banned@example.com')
);
}
diff --git a/tests/test_framework/phpbb_functional_test_case.php b/tests/test_framework/phpbb_functional_test_case.php
index 9f145b8751..82f67c4e4c 100644
--- a/tests/test_framework/phpbb_functional_test_case.php
+++ b/tests/test_framework/phpbb_functional_test_case.php
@@ -1231,24 +1231,14 @@ class phpbb_functional_test_case extends phpbb_test_case
'error' => UPLOAD_ERR_OK,
);
- $crawler = self::$client->request('POST', $posting_url, array('add_file' => $this->lang('ADD_FILE')), array('fileupload' => $file));
+ $file_form_data = array_merge(['add_file' => $this->lang('ADD_FILE')], $this->get_hidden_fields($crawler, $posting_url));
+
+ $crawler = self::$client->request('POST', $posting_url, $file_form_data, array('fileupload' => $file));
}
unset($form_data['upload_files']);
}
- $hidden_fields = array(
- $crawler->filter('[type="hidden"]')->each(function ($node, $i) {
- return array('name' => $node->attr('name'), 'value' => $node->attr('value'));
- }),
- );
-
- foreach ($hidden_fields as $fields)
- {
- foreach($fields as $field)
- {
- $form_data[$field['name']] = $field['value'];
- }
- }
+ $form_data = array_merge($form_data, $this->get_hidden_fields($crawler, $posting_url));
// I use a request because the form submission method does not allow you to send data that is not
// contained in one of the actual form fields that the browser sees (i.e. it ignores "hidden" inputs)
@@ -1379,4 +1369,37 @@ class phpbb_functional_test_case extends phpbb_test_case
return self::request('GET', substr($link, strpos($link, 'mcp.')));
}
+
+ /**
+ * Get hidden fields for URL
+ *
+ * @param Symfony\Component\DomCrawler\Crawler|null $crawler Crawler instance or null
+ * @param string $url Request URL
+ *
+ * @return array Hidden form fields array
+ */
+ protected function get_hidden_fields($crawler, $url)
+ {
+ if (!$crawler)
+ {
+ $crawler = self::$client->request('GET', $url);
+ }
+ $hidden_fields = [
+ $crawler->filter('[type="hidden"]')->each(function ($node, $i) {
+ return ['name' => $node->attr('name'), 'value' => $node->attr('value')];
+ }),
+ ];
+
+ $file_form_data = [];
+
+ foreach ($hidden_fields as $fields)
+ {
+ foreach($fields as $field)
+ {
+ $file_form_data[$field['name']] = $field['value'];
+ }
+ }
+
+ return $file_form_data;
+ }
}
diff --git a/tests/text_formatter/s9e/default_formatting_test.php b/tests/text_formatter/s9e/default_formatting_test.php
index a35c9138a5..1aa4f0bc3a 100644
--- a/tests/text_formatter/s9e/default_formatting_test.php
+++ b/tests/text_formatter/s9e/default_formatting_test.php
@@ -70,7 +70,7 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
),
array(
'[size=75]smaller[/size]',
- 'smaller'
+ 'smaller'
),
array(
'[quote]quoted[/quote]',
diff --git a/tests/text_processing/tickets_data/PHPBB3-13921.html b/tests/text_processing/tickets_data/PHPBB3-13921.html
index 690668ef28..6a9dc7f504 100644
--- a/tests/text_processing/tickets_data/PHPBB3-13921.html
+++ b/tests/text_processing/tickets_data/PHPBB3-13921.html
@@ -1 +1 @@
-xxx
\ No newline at end of file
+xxx
\ No newline at end of file