Merge branch '3.3.x'

2025-06-07 20:08:53 +00:00 · 2020-08-06 17:23:05 +02:00 · 2020-08-06 17:23:05 +02:00 · 21d656907a
commit 21d656907a
parent 2828d57f5f 2a8239075e
21 changed files with 351 additions and 117 deletions
--- a/build/build.xml
+++ b/build/build.xml
@ -3,8 +3,8 @@
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
 	<property name="newversion" value="4.0.0-a1-dev" />
-	<property name="prevversion" value="3.3.0" />
-	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10-RC1, 3.2.10-RC2, 3.3.0" />
+	<property name="prevversion" value="3.3.1-RC1" />
+	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.3.0" />
 	<!-- no configuration should be needed beyond this point -->

 	<property name="oldversions" value="${olderversions}, ${prevversion}" />
--- a/phpBB/cache/.htaccess
+++ b/phpBB/cache/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/config/.htaccess
+++ b/phpBB/config/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@ -55,6 +55,7 @@
 		<li><a href="#v330b2">Changes since 3.3.0-b2</a></li>
 		<li><a href="#v330b1">Changes since 3.3.0-b1</a></li>
 		<li><a href="#v32x">Changes since 3.2.x</a></li>
+		<li><a href="#v3210rc2">Changes since 3.2.10-RC2</a></li>
 		<li><a href="#v3210rc1">Changes since 3.2.10-RC1</a></li>
 		<li><a href="#v329">Changes since 3.2.9</a></li>
 		<li><a href="#v329rc1">Changes since 3.2.9-RC1</a></li>
@ -512,6 +513,28 @@
 				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16185">PHPBB3-16185</a>] - Use Xenial build environment on travis-ci</li>
 			</ul>

+			<a name="v3210rc2"></a><h3>Changes since 3.2.10-RC2</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16417">PHPBB3-16417</a>] - SQL fatal error while updating database from older versions via CLI</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16524">PHPBB3-16524</a>] - General error (SQL ERROR) on adding emoji character to the profile field</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16534">PHPBB3-16534</a>] - Passwords converted from phpBB2 can have invalid hash</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16539">PHPBB3-16539</a>] - General error (SQL error) on posting page in smilies mode</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16550">PHPBB3-16550</a>] - compact(): Undefined variable: url - in PMs</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16554">PHPBB3-16554</a>] - Align all .htaccess files to support Apache 2.4 mod_authz_core directives</li>
+			</ul>
+			<h4>Security Issue</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/SECURITY-259">SECURITY-259</a>] - Server-Side Request Forgery via FastImageSize in s9e textformatter</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/SECURITY-257">SECURITY-257</a>] - Potential RCE via Phar Deserialization through Legacy BBCode Parser</li>
+			</ul>
+
 			<a name="v3210rc1"></a><h3>Changes since 3.2.10-RC1</h3>
 			<h4>Bug</h4>
 			<ul>
--- a/phpBB/files/.htaccess
+++ b/phpBB/files/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/images/avatars/upload/.htaccess
+++ b/phpBB/images/avatars/upload/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/includes/.htaccess
+++ b/phpBB/includes/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/includes/functions_posting.php
+++ b/phpBB/includes/functions_posting.php
@ -118,7 +118,7 @@ function generate_smilies($mode, $forum_id)
 				SMILIES_TABLE => 's',
 			],
 			'GROUP_BY'	=> 's.smiley_url, s.smiley_width, s.smiley_height',
-			'ORDER_BY'	=> 's.min_smiley_order',
+			'ORDER_BY'	=> 'min_smiley_order',
 		];
 	}
 	else
--- a/phpBB/includes/functions_privmsgs.php
+++ b/phpBB/includes/functions_privmsgs.php
@ -2048,6 +2048,8 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
 	while ($row = $db->sql_fetchrow($result));
 	$db->sql_freeresult($result);

+	$url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm');
+
 	/**
 	* Modify message rows before displaying the history in private messages
 	*
@ -2082,7 +2084,6 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode

 	$title = censor_text($title);

-	$url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm');
 	$next_history_pm = $previous_history_pm = $prev_id = 0;

 	// Re-order rowset to be able to get the next/prev message rows...
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@ -391,7 +391,7 @@ class bbcode_firstpass extends bbcode
 		$in = str_replace(' ', '%20', $in);

 		// Checking urls
-		if (!preg_match('#^' . get_preg_expression('url') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
+		if (!preg_match('#^' . get_preg_expression('url_http') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
 		{
 			return '[img]' . $in . '[/img]';
 		}
@ -402,32 +402,6 @@ class bbcode_firstpass extends bbcode
 			$in = 'http://' . $in;
 		}

-		if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width'])
-		{
-			$imagesize = new \FastImageSize\FastImageSize();
-			$size_info = $imagesize->getImageSize(htmlspecialchars_decode($in));
-
-			if ($size_info === false)
-			{
-				$error = true;
-				$this->warn_msg[] = $user->lang['UNABLE_GET_IMAGE_SIZE'];
-			}
-			else
-			{
-				if ($config['max_' . $this->mode . '_img_height'] && $config['max_' . $this->mode . '_img_height'] < $size_info['height'])
-				{
-					$error = true;
-					$this->warn_msg[] = $user->lang('MAX_IMG_HEIGHT_EXCEEDED', (int) $config['max_' . $this->mode . '_img_height']);
-				}
-
-				if ($config['max_' . $this->mode . '_img_width'] && $config['max_' . $this->mode . '_img_width'] < $size_info['width'])
-				{
-					$error = true;
-					$this->warn_msg[] = $user->lang('MAX_IMG_WIDTH_EXCEEDED', (int) $config['max_' . $this->mode . '_img_width']);
-				}
-			}
-		}
-
 		if ($error || $this->path_in_domain($in))
 		{
 			return '[img]' . $in . '[/img]';
--- a/phpBB/language/en/acp/board.php
+++ b/phpBB/language/en/acp/board.php
@ -185,10 +185,10 @@ $lang = array_merge($lang, array(
 	'MAX_POLL_OPTIONS'				=> 'Maximum number of poll options',
 	'MAX_POST_FONT_SIZE'			=> 'Maximum font size per post',
 	'MAX_POST_FONT_SIZE_EXPLAIN'	=> 'Maximum font size allowed in a post. Set to 0 for unlimited font size.',
-	'MAX_POST_IMG_HEIGHT'			=> 'Maximum image height per post',
-	'MAX_POST_IMG_HEIGHT_EXPLAIN'	=> 'Maximum height of an image/flash file in postings. Set to 0 for unlimited size.',
-	'MAX_POST_IMG_WIDTH'			=> 'Maximum image width per post',
-	'MAX_POST_IMG_WIDTH_EXPLAIN'	=> 'Maximum width of an image/flash file in postings. Set to 0 for unlimited size.',
+	'MAX_POST_IMG_HEIGHT'			=> 'Maximum flash height per post',
+	'MAX_POST_IMG_HEIGHT_EXPLAIN'	=> 'Maximum height of a flash file in postings. Set to 0 for unlimited size.',
+	'MAX_POST_IMG_WIDTH'			=> 'Maximum flash width per post',
+	'MAX_POST_IMG_WIDTH_EXPLAIN'	=> 'Maximum width of a flash file in postings. Set to 0 for unlimited size.',
 	'MAX_POST_URLS'					=> 'Maximum links per post',
 	'MAX_POST_URLS_EXPLAIN'			=> 'Maximum number of URLs in a post. Set to 0 for unlimited links.',
 	'MIN_CHAR_LIMIT'				=> 'Minimum characters per post/message',
--- a/phpBB/phpbb/db/migration/data/v32x/v3210.php
+++ b/phpBB/phpbb/db/migration/data/v32x/v3210.php
@ -0,0 +1,36 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v3210 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.10', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v3210rc2',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.10')),
+		);
+	}
+}
--- a/phpBB/phpbb/profilefields/manager.php
+++ b/phpBB/phpbb/profilefields/manager.php
@ -254,6 +254,13 @@ class manager
 			/** @var \phpbb\profilefields\type\type_interface $profile_field */
 			$profile_field = $this->type_collection[$row['field_type']];
 			$cp_data['pf_' . $row['field_ident']] = $profile_field->get_profile_field($row);
+
+			/**
+			 * Replace Emoji and other 4bit UTF-8 chars not allowed by MySQL
+			 * with their Numeric Character Reference's Hexadecimal notation.
+			 */
+			$cp_data['pf_' . $row['field_ident']] = utf8_encode_ucr($cp_data['pf_' . $row['field_ident']]);
+
 			$check_value = $cp_data['pf_' . $row['field_ident']];

 			if (($cp_result = $profile_field->validate_profile_field($check_value, $row)) !== false)
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@ -273,8 +273,6 @@ class factory implements \phpbb\textformatter\cache_interface
 			->add('#imageurl', __NAMESPACE__ . '\\parser::filter_img_url')
 			->addParameterByName('urlConfig')
 			->addParameterByName('logger')
-			->addParameterByName('max_img_height')
-			->addParameterByName('max_img_width')
 			->markAsSafeAsURL()
 			->setJS('UrlFilter.filter');

--- a/phpBB/phpbb/textformatter/s9e/parser.php
+++ b/phpBB/phpbb/textformatter/s9e/parser.php
@ -380,11 +380,10 @@ class parser implements \phpbb\textformatter\parser_interface
 	* @param  string  $url        Original URL
 	* @param  array   $url_config Config used by the URL filter
 	* @param  Logger  $logger
-	* @param  integer $max_height Maximum height allowed
-	* @param  integer $max_width  Maximum width allowed
+	*
 	* @return string|bool         Original value if valid, FALSE otherwise
 	*/
-	static public function filter_img_url($url, array $url_config, Logger $logger, $max_height, $max_width)
+	static public function filter_img_url($url, array $url_config, Logger $logger)
 	{
 		// Validate the URL
 		$url = UrlFilter::filter($url, $url_config, $logger);
@ -393,29 +392,6 @@ class parser implements \phpbb\textformatter\parser_interface
 			return false;
 		}

-		if ($max_height || $max_width)
-		{
-			$imagesize = new \FastImageSize\FastImageSize();
-			$size_info = $imagesize->getImageSize($url);
-			if ($size_info === false)
-			{
-				$logger->err('UNABLE_GET_IMAGE_SIZE');
-				return false;
-			}
-
-			if ($max_height && $max_height < $size_info['height'])
-			{
-				$logger->err('MAX_IMG_HEIGHT_EXCEEDED', array('max_height' => $max_height));
-				return false;
-			}
-
-			if ($max_width && $max_width < $size_info['width'])
-			{
-				$logger->err('MAX_IMG_WIDTH_EXCEEDED', array('max_width' => $max_width));
-				return false;
-			}
-		}
-
 		return $url;
 	}

--- a/phpBB/store/.htaccess
+++ b/phpBB/store/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/tests/bbcode/parser_test.php
+++ b/tests/bbcode/parser_test.php
@ -120,6 +120,11 @@ class phpbb_bbcode_parser_test extends \phpbb_test_case
 				'[img]https://area51.phpbb.com/images/area51.png[/img]',
 				'[img:]https&#58;//area51&#46;phpbb&#46;com/images/area51&#46;png[/img:]',
 			),
+			array(
+				'Test default bbcodes: img with unsupported protocol',
+				'[img]foo://foo/bar[/img]',
+				'[img]foo://foo/bar[/img]',
+			),
 			array(
 				'Test default bbcodes: simple url',
 				'[url]https://area51.phpbb.com/[/url]',
--- a/tests/functional/smilies_test.php
+++ b/tests/functional/smilies_test.php
@ -0,0 +1,47 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+/**
+* @group functional
+*/
+class phpbb_functional_smilies_test extends phpbb_functional_test_case
+{
+	public function test_smilies_mode()
+	{
+		$this->login();
+
+		// Get smilies data
+		$db = $this->get_db();
+		$sql_ary = [
+			'SELECT'	=> 's.smiley_url, MIN(s.emotion) AS emotion, MIN(s.code) AS code, s.smiley_width, s.smiley_height, MIN(s.smiley_order) AS min_smiley_order',
+			'FROM'		=> [
+				SMILIES_TABLE => 's',
+			],
+			'GROUP_BY'	=> 's.smiley_url, s.smiley_width, s.smiley_height',
+			'ORDER_BY'	=> 'min_smiley_order',
+		];
+		$sql = $db->sql_build_query('SELECT', $sql_ary);
+		$result = $db->sql_query($sql);
+		$smilies = $db->sql_fetchrowset($result);
+		$db->sql_freeresult($result);
+
+		// Visit smilies page
+		$crawler = self::request('GET', 'posting.php?mode=smilies');
+		foreach ($smilies as $index => $smiley)
+		{
+			$this->assertContains($smiley['smiley_url'],
+				$crawler->filter('div[class="inner"] > a > img')->eq($index)->attr('src')
+			);
+		}
+	}
+}
--- a/tests/functional/ucp_profile_test.php
+++ b/tests/functional/ucp_profile_test.php
@ -44,4 +44,23 @@ class phpbb_functional_ucp_profile_test extends phpbb_functional_test_case
 		$this->assertEquals('phpbb_twitter', $form->get('pf_phpbb_twitter')->getValue());
 		$this->assertEquals('phpbb.youtube', $form->get('pf_phpbb_youtube')->getValue());
 	}
+
+	public function test_submitting_emoji()
+	{
+		$this->add_lang('ucp');
+		$this->login();
+
+		$crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info');
+		$this->assertContainsLang('UCP_PROFILE_PROFILE_INFO', $crawler->filter('#cp-main h2')->text());
+
+		$form = $crawler->selectButton('Submit')->form([
+			'pf_phpbb_location'	=> '😁', // grinning face with smiling eyes Emoji
+		]);
+		$crawler = self::submit($form);
+		$this->assertContainsLang('PROFILE_UPDATED', $crawler->filter('#message')->text());
+
+		$crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info');
+		$form = $crawler->selectButton('Submit')->form();
+		$this->assertEquals('😁', $form->get('pf_phpbb_location')->getValue());
+	}
 }
--- a/tests/text_formatter/s9e/default_formatting_test.php
+++ b/tests/text_formatter/s9e/default_formatting_test.php
@ -132,6 +132,10 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 				'[img]https://area51.phpbb.com/images/area51.png[/img]',
 				'<img src="https://area51.phpbb.com/images/area51.png" class="postimage" alt="Image">'
 			),
+			array(
+				'[img]foo://area51.phpbb.com/images/area51.png[/img]',
+				'[img]foo://area51.phpbb.com/images/area51.png[/img]'
+			),
 			array(
 				'[url]https://area51.phpbb.com/[/url]',
 				'<a href="https://area51.phpbb.com/" class="postlink">https://area51.phpbb.com/</a>'
--- a/tests/text_processing/message_parser_test.php
+++ b/tests/text_processing/message_parser_test.php
@ -342,26 +342,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 				},
 				array('You may only use fonts up to size 120.')
 			),
-			array(
-				'[img]http://example.org/100x100.png[/img]',
-				'<r>[img]<URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_height', 12);
-				},
-				array('Your images may only be up to 12 pixels high.')
-			),
-			array(
-				'[img]http://example.org/100x100.png[/img]',
-				'<r>[img]<URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_width', 34);
-				},
-				array('Your images may only be up to 34 pixels wide.')
-			),
 			array(
 				'[img]http://example.org/100x100.png[/img]',
 				'<r><IMG src="http://example.org/100x100.png"><s>[img]</s><URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL><e>[/img]</e></IMG></r>',
@ -392,16 +372,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 					$phpbb_container->get('config')->set('max_sig_img_width', 34);
 				}
 			),
-			array(
-				'[img]http://example.org/404.png[/img]',
-				'<r>[img]<URL url="http://example.org/404.png">http://example.org/404.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_height', 12);
-				},
-				array('It was not possible to determine the dimensions of the image.')
-			),
 			array(
 				'[flash=999,999]http://example.org/foo.swf[/flash]',
 				'<r>[flash=999,999]<URL url="http://example.org/foo.swf">http://example.org/foo.swf</URL>[/flash]</r>',