From 33a789e030ff0a8b1681ddb9d6ea93bf9f8275c8 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Tue, 21 Dec 2021 20:39:14 +0100
Subject: [PATCH 01/10] [ticket/security-272] Use longer random string for activation key
SECURITY-272
---
 phpBB/includes/ucp/ucp_register.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php
index 8369d59186..2e962b55ea 100644
--- a/phpBB/includes/ucp/ucp_register.php
+++ b/phpBB/includes/ucp/ucp_register.php
@@ -363,7 +363,7 @@ class ucp_register
 $config['require_activation'] == USER_ACTIVATION_SELF ||
 $config['require_activation'] == USER_ACTIVATION_ADMIN) && $config['email_enable'])
 {
- $user_actkey = gen_rand_string(mt_rand(6, 10));
+ $user_actkey = gen_rand_string(32);
 $user_type = USER_INACTIVE;
 $user_inactive_reason = INACTIVE_REGISTER;
 $user_inactive_time = time();
From 9bc98278fef13e3b53dd2beeb8f349230fcb9943 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Tue, 21 Dec 2021 21:19:38 +0100
Subject: [PATCH 02/10] [ticket/security-272] Use strtolower for actkey
SECURITY-272
---
 phpBB/includes/ucp/ucp_register.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php
index 2e962b55ea..1ef761eaab 100644
--- a/phpBB/includes/ucp/ucp_register.php
+++ b/phpBB/includes/ucp/ucp_register.php
@@ -363,7 +363,7 @@ class ucp_register
 $config['require_activation'] == USER_ACTIVATION_SELF ||
 $config['require_activation'] == USER_ACTIVATION_ADMIN) && $config['email_enable'])
 {
- $user_actkey = gen_rand_string(32);
+ $user_actkey = strtolower(gen_rand_string(32));
 $user_type = USER_INACTIVE;
 $user_inactive_reason = INACTIVE_REGISTER;
 $user_inactive_time = time();
From 4e5b9b23de15fe6a5d0c7f9c26174e0606e57271 Mon Sep 17 00:00:00 2001
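Review bot: `$user_actkey = gen_rand_string(32);` assumes the helper can actually emit 32 independently random characters, but gen_rand_string is defined outside this hunk and passing a larger length does not by itself guarantee that; if its output is derived from a fixed-size seed (for instance a base-converted unique id), the result would be silently truncated to far fewer characters and the intended entropy increase would not materialise. Worth confirming the helper's behaviour and, if needed, having it draw `random_int()` per character for the requested length. A short comment at the assignment would also record the intent, e.g. `// 32 random chars: the activation key is a secret sent by e-mail and must not be guessable`. The enclosing if block and the method continue outside the hunk.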
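Review bot: The reason for wrapping the key in `strtolower()` at `$user_actkey = strtolower(gen_rand_string(32));` is not stated, and the commit message only repeats what the code does; a one-line comment would spare the next reader a guess, e.g. `// Lowercase the key so it is stored and later compared in a single, predictable case`. If gen_rand_string emits only uppercase letters and digits, lowercasing is a one-to-one mapping and does not shrink the key space, but the activation-side lookup is outside this diff and should be checked to use the same casing so a valid key is never rejected. The enclosing method continues outside the hunk.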
From: Marc Alexander
Date: Tue, 21 Dec 2021 22:23:35 +0100
Subject: [PATCH 03/10] [ticket/security-273] Reset reset token info when re-activating account
SECURITY-273
---
 phpBB/includes/ucp/ucp_activate.php | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/phpBB/includes/ucp/ucp_activate.php b/phpBB/includes/ucp/ucp_activate.php
index bb22fe1437..98093aeeaa 100644
--- a/phpBB/includes/ucp/ucp_activate.php
+++ b/phpBB/includes/ucp/ucp_activate.php
@@ -76,10 +76,12 @@ class ucp_activate
 if ($update_password)
 {
 $sql_ary = array(
- 'user_actkey' => '',
- 'user_password' => $user_row['user_newpasswd'],
- 'user_newpasswd' => '',
- 'user_login_attempts' => 0,
+ 'user_actkey' => '',
+ 'user_password' => $user_row['user_newpasswd'],
+ 'user_newpasswd' => '',
+ 'user_login_attempts' => 0,
+ 'reset_token' => '',
+ 'reset_token_expiration' => 0,
 );
 $sql = 'UPDATE ' . USERS_TABLE . '
@@ -101,8 +103,14 @@ class ucp_activate
 user_active_flip('activate', $user_row['user_id']);
- $sql = 'UPDATE ' . USERS_TABLE . "
- SET user_actkey = ''
+ $sql_ary = [
+ 'user_actkey' => '',
+ 'reset_token' => '',
+ 'reset_token_expiration' => 0,
+ ];
+
+ $sql = 'UPDATE ' . USERS_TABLE . '
+ SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
 WHERE user_id = {$user_row['user_id']}";
 $db->sql_query($sql);
From e78664d68b4044627af42ddade5247879f4cfa49 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Sun, 20 Feb 2022 11:18:30 +0100
Subject: [PATCH 04/10] [ticket/15028] Rename automatic to advanced update
Also made it clear that it's only for expert users.
PHPBB3-15028
---
 phpBB/docs/INSTALL.html | 10 ++++++----
 phpBB/docs/README.html | 2 +-
 phpBB/language/en/install.php | 10 +++++-----
 3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html
index c28b68aa0c..34939f89a5 100644
--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@@ -64,7 +64,7 @@
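Review bot: The two ucp_activate hunks write the same kind of update in two styles: the first rewrites every element of `$sql_ary = array(` yet keeps the long-form syntax, while the new block in the second hunk uses `$sql_ary = [` … `];`. Since the first hunk touches every line of that array anyway, switching it to short array syntax would make both reset paths read identically and make it obvious at a glance that both clear `reset_token` and `reset_token_expiration`. A brief comment above each array, e.g. `// Activation also invalidates any outstanding password-reset token for this account`, would record why the reset fields are cleared here, which the commit subject states but the code does not. The `$sql = 'UPDATE ' . USERS_TABLE . '` statement at the end of the first hunk continues outside it, and the enclosing method spans both hunks.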
  • Full package
  • Changed files
  • Patch file
  • -
  • Automatic update package
  • +
  • Advanced update package
  • All package types
  • @@ -291,7 +291,7 @@

    The patch file package is for those wanting to update through the patch application, and should only be used by those who are comfortable with it.

    -

    The patch file is one solution for those with changes in to the phpBB core files and do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type patch application. If you do not have access to such an application, but still want to use this update approach, we strongly recommend the Automatic update package explained below. It is also the recommended update method.

    +

    The patch file is one solution for those with changes in to the phpBB core files and do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type patch application. If you do not have access to such an application, but still want to use this update approach, we strongly recommend the Advanced update package explained below. It is also the recommended update method.

    A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is 3.3.0, you need the phpBB-3.3.1-patch.zip/tar.bz2 file. Place the correct patch in the parent directory containing the phpBB core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: patch -cl -d [PHPBB DIRECTORY] -p1 < [PATCH NAME] (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.

    @@ -299,9 +299,11 @@

    You should, of course, delete the patch file (or files) after use. As for the other update procedures, you should navigate to /install/app.php/update, select "Update database only" and submit the page after you have finished updating the files. This will update your database schema and data (if appropriate) and increment the version number. If you have shell access to your server, you may wish to update via the command line interface. From your board's root, execute the following command: php bin/phpbbcli.php --safe-mode db:migrate.

    -

    4.iv. Automatic update package

    +

    4.iv. Advanced update package (Expert users)

    -

    This update method is only recommended for installations with modifications to core phpBB files. This package detects changed files automatically and merges in changes if needed.

    +

    This update method should only be used for installations with modifications to core phpBB files. If you simply use Extensions or custom Styles and have not modified core files, please use the Full Package update.

    + +

    This package detects changed files and merges in changes if needed. Since this type of update has a potential to cause issues while upgrading, it is not recommended being used for updates and/or upgrades.

    The automatic update package will update the board from a given version to the latest version. A number of automatic update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is 3.3.0, you need the phpBB-3.3.0_to_3.3.1.zip/tar.bz2 file.

    diff --git a/phpBB/docs/README.html b/phpBB/docs/README.html index 3028872cad..a2355a0e59 100644 --- a/phpBB/docs/README.html +++ b/phpBB/docs/README.html @@ -104,7 +104,7 @@
    • Updates from phpBB 3.0 RC1, 3.1 RC1 and 3.2 RC1 to the latest version
    • -
    • Note: if using the Automatic Update Package, updates are supported from phpBB 3.0.2 onward. To update a pre-3.0.2 installation, first update to 3.0.2 and then update to the current version.
    • +
    • Note: if using the Advanced Update Package, updates are supported from phpBB 3.0.2 onward. To update a pre-3.0.2 installation, first update to 3.0.2 and then update to the current version.
    • Conversions from phpBB 2.0.x to the latest version
    • New installations of phpBB 3.2.x - only the latest released version
    • New installations of phpBB 3.3.x - only the latest released version
    • diff --git a/phpBB/language/en/install.php b/phpBB/language/en/install.php index 2a62436a4b..bae9f206e6 100644 --- a/phpBB/language/en/install.php +++ b/phpBB/language/en/install.php @@ -347,7 +347,7 @@ $lang = array_merge($lang, array( // Common updater messages $lang = array_merge($lang, array( 'UPDATE_INSTALLATION' => 'Update phpBB installation', - 'UPDATE_INSTALLATION_EXPLAIN' => 'With this option, it is possible to update your phpBB installation to the latest version.
      During the process all of your files will be checked for their integrity. You are able to review all differences and files before the update.

      The file update itself can be done in two different ways.

      Manual Update

      With this update you only download your personal set of changed files to make sure you do not lose your file modifications you may have done. After you downloaded this package you need to manually upload the files to their correct position under your phpBB root directory. Once done, you are able to do the file check stage again to see if you moved the files to their correct location.

      Automatic Update with FTP

      This method is similar to the first one but without the need to download the changed files and uploading them on your own. This will be done for you. In order to use this method you need to know your FTP login details since you will be asked for them. Once finished you will be redirected to the file check again to make sure everything got updated correctly.

      ', + 'UPDATE_INSTALLATION_EXPLAIN' => 'With this option, it is possible to update your phpBB installation to the latest version.
      During the process all of your files will be checked for their integrity. You are able to review all differences and files before the update.

      The file update itself can be done in two different ways.

      Manual Update

      With this update you only download your personal set of changed files to make sure you do not lose your file modifications you may have done. After you downloaded this package you need to manually upload the files to their correct position under your phpBB root directory. Once done, you are able to do the file check stage again to see if you moved the files to their correct location.

      Advanced Update with FTP

      This method is similar to the first one but without the need to download the changed files and uploading them on your own. This will be done for you. In order to use this method you need to know your FTP login details since you will be asked for them. Once finished you will be redirected to the file check again to make sure everything got updated correctly.

      ', 'UPDATE_INSTRUCTIONS' => '

      Release announcement

      @@ -358,7 +358,7 @@ $lang = array_merge($lang, array(

      How to update your installation with the Full Package

      -

      The recommended way of updating your installation is using the full package. If core phpBB files have been modified in your installation you may wish to use the automatic update package in order to not lose these changes. You are also able to update your installation using the other methods listed within the INSTALL.html document. The steps for updating phpBB3 using the full package are:

      +

      The recommended way of updating your installation is using the full package. If core phpBB files have been modified in your installation you may wish to use the advanced update package in order to not lose these changes. You are also able to update your installation using the other methods listed within the INSTALL.html document. The steps for updating phpBB3 using the full package are:

      1. Backup all board files and the database.
      2. @@ -379,12 +379,12 @@ $lang = array_merge($lang, array(
      3. Update your style

    -

    How to update your installation with the Automatic Update Package

    +

    How to update your installation with the Advanced Update Package

    -

    The automatic update package is only recommended in case core phpBB files have been modified in your installation. You are also able to update your installation using the methods listed within the INSTALL.html document. The steps for updating phpBB3 using the automatic update package are:

    +

    The advanced update package is only recommended for expert users in case core phpBB files have been modified in your installation. You are also able to update your installation using the methods listed within the INSTALL.html document. The steps for updating phpBB3 using the automatic update package are:

      -
    1. Go to the phpBB.com downloads page and download the "Automatic Update Package" archive.
    2. +
    3. Go to the phpBB.com downloads page and download the "Advanced Update Package" archive.
    4. Unpack the archive.
    5. Upload the complete uncompressed "install" and "vendor" folders to your phpBB root directory (where your config.php file is).

    From 4044900c699c70436214ec8b18306e42b3e6cce5 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 22 Feb 2022 21:15:58 +0100 Subject: [PATCH 05/10] [ticket/15028] Rephrase "recommendation" of who should use advanced update PHPBB3-15028 --- phpBB/docs/INSTALL.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html index 34939f89a5..acbb2c5cfb 100644 --- a/phpBB/docs/INSTALL.html +++ b/phpBB/docs/INSTALL.html @@ -303,7 +303,7 @@

    This update method should only be used for installations with modifications to core phpBB files. If you simply use Extensions or custom Styles and have not modified core files, please use the Full Package update.

    -

    This package detects changed files and merges in changes if needed. Since this type of update has a potential to cause issues while upgrading, it is not recommended being used for updates and/or upgrades.

    +

    This package detects changed files and merges in changes if needed. Since this type of update has a potential to cause issues while upgrading, it should only be used by expert users.

    The automatic update package will update the board from a given version to the latest version. A number of automatic update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is 3.3.0, you need the phpBB-3.3.0_to_3.3.1.zip/tar.bz2 file.

    From da2364b2c1cb755bc60eb084eb6841169cc4421d Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 12 Mar 2022 22:53:18 +0100 Subject: [PATCH 06/10] [ticket/15028] Replace remaining mentions of automatic update with advanced PHPBB3-15028 --- phpBB/docs/INSTALL.html | 4 ++-- phpBB/language/en/install.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html index acbb2c5cfb..25b0736eeb 100644 --- a/phpBB/docs/INSTALL.html +++ b/phpBB/docs/INSTALL.html @@ -291,7 +291,7 @@

    The patch file package is for those wanting to update through the patch application, and should only be used by those who are comfortable with it.

    -

    The patch file is one solution for those with changes in to the phpBB core files and do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type patch application. If you do not have access to such an application, but still want to use this update approach, we strongly recommend the Advanced update package explained below. It is also the recommended update method.

    +

    The patch file is one solution for those with changes in to the phpBB core files and do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type patch application. If you do not have access to such an application, but still want to use this update approach, we strongly recommend the Full package update explained above. It is also the recommended update method.

    A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is 3.3.0, you need the phpBB-3.3.1-patch.zip/tar.bz2 file. Place the correct patch in the parent directory containing the phpBB core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: patch -cl -d [PHPBB DIRECTORY] -p1 < [PATCH NAME] (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.

    @@ -305,7 +305,7 @@

    This package detects changed files and merges in changes if needed. Since this type of update has a potential to cause issues while upgrading, it should only be used by expert users.

    -

    The automatic update package will update the board from a given version to the latest version. A number of automatic update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is 3.3.0, you need the phpBB-3.3.0_to_3.3.1.zip/tar.bz2 file.

    +

    The advanced update package will update the board from a given version to the latest version. A number of advanced update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is 3.3.0, you need the phpBB-3.3.0_to_3.3.1.zip/tar.bz2 file.

    To perform the update, either follow the instructions from the Administration Control Panel->System Tab - this should point out that you are running an outdated version and will guide you through the update - or follow the instructions listed below.

    diff --git a/phpBB/language/en/install.php b/phpBB/language/en/install.php index bae9f206e6..6a8d92fc02 100644 --- a/phpBB/language/en/install.php +++ b/phpBB/language/en/install.php @@ -381,7 +381,7 @@ $lang = array_merge($lang, array(

    How to update your installation with the Advanced Update Package

    -

    The advanced update package is only recommended for expert users in case core phpBB files have been modified in your installation. You are also able to update your installation using the methods listed within the INSTALL.html document. The steps for updating phpBB3 using the automatic update package are:

    +

    The advanced update package is only recommended for expert users in case core phpBB files have been modified in your installation. You are also able to update your installation using the methods listed within the INSTALL.html document. The steps for updating phpBB3 using the advanced update package are:

    1. Go to the phpBB.com downloads page and download the "Advanced Update Package" archive.
    2. From b4fa01e9437b712dbe893ab2c72897e78244a077 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 14 Mar 2022 21:15:11 +0100 Subject: [PATCH 07/10] [prep-release-3.3.6] Update stylesheet hashes --- phpBB/styles/prosilver/theme/stylesheet.css | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/styles/prosilver/theme/stylesheet.css b/phpBB/styles/prosilver/theme/stylesheet.css index 36199383fd..5665c839ba 100644 --- a/phpBB/styles/prosilver/theme/stylesheet.css +++ b/phpBB/styles/prosilver/theme/stylesheet.css @@ -11,9 +11,9 @@ @import url("base.css?hash=7c5543be"); @import url("utilities.css?hash=d8f72c42"); @import url("common.css?hash=a9741ba1"); -@import url("links.css?hash=cbeb92cc"); -@import url("content.css?hash=56f9e623"); -@import url("buttons.css?hash=5856472d"); +@import url("links.css?hash=18286e16"); +@import url("content.css?hash=be57a41d"); +@import url("buttons.css?hash=56f0d25f"); @import url("cp.css?hash=50d868ab"); @import url("forms.css?hash=b64464fb"); @import url("icons.css?hash=64da33ce"); From 1a8950d01b5a23909e63ec674dea47903f078c7f Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 14 Mar 2022 21:17:11 +0100 Subject: [PATCH 08/10] [prep-release-3.3.6] Update version numbers to 3.3.6 --- build/build.xml | 4 ++-- phpBB/includes/constants.php | 2 +- phpBB/install/phpbbcli.php | 2 +- phpBB/install/schemas/schema_data.sql | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build/build.xml b/build/build.xml index 5ee64f8823..62ed375343 100644 --- a/build/build.xml +++ b/build/build.xml @@ -2,9 +2,9 @@ - + - + diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index c4ab50bef6..b5ff4b3cb9 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -28,7 +28,7 @@ if (!defined('IN_PHPBB')) */ // phpBB Version -@define('PHPBB_VERSION', '3.3.6-RC1'); +@define('PHPBB_VERSION', '3.3.6'); // QA-related // define('PHPBB_QA', 1); 
diff --git a/phpBB/install/phpbbcli.php b/phpBB/install/phpbbcli.php index a5ff644cc9..313280d228 100755 --- a/phpBB/install/phpbbcli.php +++ b/phpBB/install/phpbbcli.php @@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli') define('IN_PHPBB', true); define('IN_INSTALL', true); define('PHPBB_ENVIRONMENT', 'production'); -define('PHPBB_VERSION', '3.3.6-RC1'); +define('PHPBB_VERSION', '3.3.6'); $phpbb_root_path = __DIR__ . '/../'; $phpEx = substr(strrchr(__FILE__, '.'), 1); diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql index 5fb7c1d724..69b49c06e6 100644 --- a/phpBB/install/schemas/schema_data.sql +++ b/phpBB/install/schemas/schema_data.sql @@ -316,7 +316,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('update_hashes_lock INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.3.6-RC1'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.3.6'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400'); From 8d6a9245c1083b54d28d712ad78fdafeb05774c1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 14 Mar 2022 21:17:13 +0100 Subject: [PATCH 09/10] [prep-release-3.3.6] Add migration for 3.3.6 --- phpBB/phpbb/db/migration/data/v33x/v336.php | 36 +++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v33x/v336.php diff --git a/phpBB/phpbb/db/migration/data/v33x/v336.php b/phpBB/phpbb/db/migration/data/v33x/v336.php new file mode 100644 index 0000000000..b683eb3902 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v33x/v336.php 
@@ -0,0 +1,36 @@ + + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb\db\migration\data\v33x; + +class v336 extends \phpbb\db\migration\migration +{ + public function effectively_installed() + { + return version_compare($this->config['version'], '3.3.6', '>='); + } + + public static function depends_on() + { + return [ + '\phpbb\db\migration\data\v33x\v336rc1', + ]; + } + + public function update_data() + { + return [ + ['config.update', ['version', '3.3.6']], + ]; + } +} From 2e37b2dc2d34f53f528448893fd3d02604a65760 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 14 Mar 2022 21:17:29 +0100 Subject: [PATCH 10/10] [prep-release-3.3.6] Update changelog for 3.3.6 --- phpBB/docs/CHANGELOG.html | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 2b3b52f69c..50816127e9 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -50,6 +50,7 @@
      1. Changelog