diff --git a/build/build.xml b/build/build.xml index a190a1dd91..2af1892b46 100644 --- a/build/build.xml +++ b/build/build.xml @@ -2,10 +2,9 @@ - - - + + diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 212da25ade..4d96aa4981 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -46,6 +46,7 @@
  1. Changelog
      +
    1. Changes since 3.1.0
    2. Changes since 3.1.0-RC6
    3. Changes since 3.1.0-RC5
    4. Changes since 3.1.0-RC4
      5. @@ -100,6 +101,24 @@
      +

      1.i. Changes since 3.1.0

      + +

      Security

      +
        +
      • [SECURITY-164] - Cross Site Scripting via PATH_INFO in page_name variable
        • +
      +

      Bug

      +
        +
      • [PHPBB3-13248] - Login functions need to use provider collection for retrieving provider
        • +
      • [PHPBB3-13267] - Automatic Update instructions indicate that only the install folder is necessary
        • +
      • [PHPBB3-13268] - MSSQL's get_existing_indexes() function improperly appends ternary result
        • +
      • [PHPBB3-13271] - Anonymous users can CC themselves on emails sent to admin via contact form
        • +
      +

      Task

      +
        +
      • [PHPBB3-13262] - Add note to docs about htaccess file when upgrading 3.0 to 3.1
        • +
      +

      1.i. Changes since 3.1.0-RC6

      Bug

      diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html index f30362d976..0fc2bb4ddd 100644 --- a/phpBB/docs/INSTALL.html +++ b/phpBB/docs/INSTALL.html @@ -303,7 +303,7 @@
      • Go to the downloads page and download the latest update package listed there, matching your current version.
        • -
      • Upload the uncompressed archive contents to your phpBB installation - only the install folder is required. Upload the whole install folder, retaining the file structure.
        • +
      • Upload the uncompressed archive contents to your phpBB installation - only the install/ and vendor/ folders are required. Upload these folders in their entirety, retaining the file structure.
      • After the install folder is present, phpBB will go offline automatically.
      • Point your browser to the install directory, for example http://www.example.com/phpBB3/install/
      • Choose the "Update" Tab and follow the instructions
        • diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index b93b305632..126cf44842 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -29,6 +29,7 @@ if (!defined('IN_PHPBB')) // phpBB Version define('PHPBB_VERSION', '3.2.0-a1-dev'); + // QA-related // define('PHPBB_QA', 1); diff --git a/phpBB/includes/ucp/ucp_auth_link.php b/phpBB/includes/ucp/ucp_auth_link.php index a595ce46c3..748f0fdec2 100644 --- a/phpBB/includes/ucp/ucp_auth_link.php +++ b/phpBB/includes/ucp/ucp_auth_link.php @@ -34,11 +34,12 @@ class ucp_auth_link */ public function main($id, $mode) { - global $config, $request, $template, $phpbb_container, $user; + global $request, $template, $phpbb_container, $user; $error = array(); - $auth_provider = $phpbb_container->get('auth.provider.' . $config['auth_method']); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + $auth_provider = $provider_collection->get_provider(); // confirm that the auth provider supports this page $provider_data = $auth_provider->get_auth_link_data(); diff --git a/phpBB/includes/ucp/ucp_login_link.php b/phpBB/includes/ucp/ucp_login_link.php index 5ca5df00f7..27d59c56b7 100644 --- a/phpBB/includes/ucp/ucp_login_link.php +++ b/phpBB/includes/ucp/ucp_login_link.php @@ -39,7 +39,7 @@ class ucp_login_link */ function main($id, $mode) { - global $config, $phpbb_container, $request, $template, $user; + global $phpbb_container, $request, $template, $user; global $phpbb_root_path, $phpEx; // Initialize necessary variables @@ -57,8 +57,8 @@ class ucp_login_link } // Use the auth_provider requested even if different from configured - $auth_provider = 'auth.provider.' . $request->variable('auth_provider', $config['auth_method']); - $auth_provider = $phpbb_container->get($auth_provider); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + $auth_provider = $provider_collection->get_provider($request->variable('auth_provider', '')); // Set the link_method to login_link $data['link_method'] = 'login_link'; diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php index 9a15967bae..88078c10af 100644 --- a/phpBB/includes/ucp/ucp_register.php +++ b/phpBB/includes/ucp/ucp_register.php @@ -87,8 +87,8 @@ class ucp_register if (!empty($login_link_data)) { // Confirm that we have all necessary data - $auth_provider = 'auth.provider.' . $request->variable('auth_provider', $config['auth_method']); - $auth_provider = $phpbb_container->get($auth_provider); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + $auth_provider = $provider_collection->get_provider($request->variable('auth_provider', '')); $result = $auth_provider->login_link_has_necessary_data($login_link_data); if ($result !== null) diff --git a/phpBB/install/convertors/convert_phpbb20.php b/phpBB/install/convertors/convert_phpbb20.php index 8f6af30426..effd72aeff 100644 --- a/phpBB/install/convertors/convert_phpbb20.php +++ b/phpBB/install/convertors/convert_phpbb20.php @@ -38,7 +38,7 @@ $dbms = $phpbb_config_php_file->convert_30_dbms_to_31($dbms); $convertor_data = array( 'forum_name' => 'phpBB 2.0.x', 'version' => '1.0.3', - 'phpbb_version' => '3.1.0', + 'phpbb_version' => '3.1.1', 'author' => 'phpBB Limited', 'dbms' => $dbms, 'dbhost' => $dbhost, diff --git a/phpBB/language/en/install.php b/phpBB/language/en/install.php index a2b27f0a60..107de9c64f 100644 --- a/phpBB/language/en/install.php +++ b/phpBB/language/en/install.php @@ -547,7 +547,7 @@ $lang = array_merge($lang, array(
        • Go to the phpBB.com downloads page and download the "Automatic Update Package" archive.

        • Unpack the archive.

          • -
        • Upload the complete uncompressed install folder to your phpBB root directory (where your config.php file is).

          • +
        • Upload the complete uncompressed "install" and "vendor" folders to your phpBB root directory (where your config.php file is).

        Once uploaded your board will be offline for normal users due to the install directory you uploaded now present.

        diff --git a/phpBB/phpbb/auth/auth.php b/phpBB/phpbb/auth/auth.php index 38755ccf99..b59f0e60ec 100644 --- a/phpBB/phpbb/auth/auth.php +++ b/phpBB/phpbb/auth/auth.php @@ -927,11 +927,11 @@ class auth */ function login($username, $password, $autologin = false, $viewonline = 1, $admin = 0) { - global $config, $db, $user, $phpbb_root_path, $phpEx, $phpbb_container; + global $db, $user, $phpbb_root_path, $phpEx, $phpbb_container; - $method = trim(basename($config['auth_method'])); + $provider_collection = $phpbb_container->get('auth.provider_collection'); - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider = $provider_collection->get_provider(); if ($provider) { $login = $provider->login($username, $password); diff --git a/phpBB/phpbb/auth/provider_collection.php b/phpBB/phpbb/auth/provider_collection.php index a74a2135dc..8e7e9e2cc1 100644 --- a/phpBB/phpbb/auth/provider_collection.php +++ b/phpBB/phpbb/auth/provider_collection.php @@ -38,6 +38,7 @@ class provider_collection extends \phpbb\di\service_collection /** * Get an auth provider. * + * @param string $provider_name The name of the auth provider * @return object Default auth provider selected in config if it * does exist. Otherwise the standard db auth * provider. @@ -46,11 +47,12 @@ class provider_collection extends \phpbb\di\service_collection * auth provider exist. The db auth provider * should always exist in a phpBB installation. */ - public function get_provider() + public function get_provider($provider_name = '') { - if ($this->offsetExists('auth.provider.' . basename(trim($this->config['auth_method'])))) + $provider_name = ($provider_name !== '') ? $provider_name : basename(trim($this->config['auth_method'])); + if ($this->offsetExists('auth.provider.' . $provider_name)) { - return $this->offsetGet('auth.provider.' . basename(trim($this->config['auth_method']))); + return $this->offsetGet('auth.provider.' . $provider_name); } // Revert to db auth provider if selected method does not exist else if ($this->offsetExists('auth.provider.db')) diff --git a/phpBB/phpbb/db/migration/data/v31x/style_update.php b/phpBB/phpbb/db/migration/data/v31x/style_update.php new file mode 100644 index 0000000000..bb030bbe6d --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/style_update.php @@ -0,0 +1,136 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v31x; + +class style_update extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array('\phpbb\db\migration\data\v310\gold'); + } + + public function update_data() + { + return array( + array('custom', array(array($this, 'update_installed_styles'))), + ); + } + + public function update_installed_styles() + { + // Get all currently available styles + $styles = $this->find_style_dirs(); + $style_paths = $style_ids = array(); + + $sql = 'SELECT style_path, style_id + FROM ' . $this->table_prefix . 'styles'; + $result = $this->db->sql_query($sql); + while ($styles_row = $this->db->sql_fetchrow()) + { + if (in_array($styles_row['style_path'], $styles)) + { + $style_paths[] = $styles_row['style_path']; + $style_ids[] = $styles_row['style_id']; + } + } + $this->db->sql_freeresult($result); + + // Install prosilver if no style is available and prosilver can be installed + if (empty($style_paths) && in_array('prosilver', $styles)) + { + // Try to parse config file + $cfg = parse_cfg_file($this->phpbb_root_path . 'styles/prosilver/style.cfg'); + + // Stop running this if prosilver cfg file can't be read + if (empty($cfg)) + { + throw new \RuntimeException('No styles available and could not fall back to prosilver.'); + } + + $style = array( + 'style_name' => 'prosilver', + 'style_copyright' => '© phpBB Limited', + 'style_active' => 1, + 'style_path' => 'prosilver', + 'bbcode_bitfield' => 'kNg=', + 'style_parent_id' => 0, + 'style_parent_tree' => '', + ); + + // Add to database + $this->db->sql_transaction('begin'); + + $sql = 'INSERT INTO ' . $this->table_prefix . 'styles + ' . $this->db->sql_build_array('INSERT', $style); + $this->db->sql_query($sql); + + $style_id = $this->db->sql_nextid(); + $style_ids[] = $style_id; + + $this->db->sql_transaction('commit'); + + // Set prosilver to default style + $this->config->set('default_style', $style_id); + } + else if (empty($styles) && empty($available_styles)) + { + throw new \RuntimeException('No valid styles available'); + } + + // Make sure default style is available + if (!in_array($this->config['default_style'], $style_ids)) + { + $this->config->set('default_style', array_pop($style_ids)); + } + + // Reset users to default style if their user_style is nonexistent + $sql = 'UPDATE ' . $this->table_prefix . "users + SET user_style = {$this->config['default_style']} + WHERE " . $this->db->sql_in_set('user_style', $style_ids, true, true); + $this->db->sql_query($sql); + } + + /** + * Find all directories that have styles + * Copied from acp_styles + * + * @return array Directory names + */ + protected function find_style_dirs() + { + $styles = array(); + $styles_path = $this->phpbb_root_path . 'styles/'; + + $dp = @opendir($styles_path); + if ($dp) + { + while (($file = readdir($dp)) !== false) + { + $dir = $styles_path . $file; + if ($file[0] == '.' || !is_dir($dir)) + { + continue; + } + + if (file_exists("{$dir}/style.cfg")) + { + $styles[] = $file; + } + } + closedir($dp); + } + + return $styles; + } +} diff --git a/phpBB/phpbb/db/migration/data/v31x/v311.php b/phpBB/phpbb/db/migration/data/v31x/v311.php new file mode 100644 index 0000000000..00844dd4c0 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/v311.php @@ -0,0 +1,32 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v31x; + +class v311 extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v310\gold', + '\phpbb\db\migration\data\v31x\style_update', + ); + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.1.1')), + ); + } +} diff --git a/phpBB/phpbb/db/tools.php b/phpBB/phpbb/db/tools.php index 0781d7425e..c8d25f23a2 100644 --- a/phpBB/phpbb/db/tools.php +++ b/phpBB/phpbb/db/tools.php @@ -2643,7 +2643,7 @@ class tools AND cols.id = ix.id WHERE ix.id = object_id('{$table_name}') AND cols.name = '{$column_name}' - AND INDEXPROPERTY(ix.id, ix.name, 'IsUnique') = " . ($unique) ? '1' : '0'; + AND INDEXPROPERTY(ix.id, ix.name, 'IsUnique') = " . ($unique ? '1' : '0'); } else { @@ -2657,7 +2657,7 @@ class tools AND cols.object_id = ix.object_id WHERE ix.object_id = object_id('{$table_name}') AND cols.name = '{$column_name}' - AND ix.is_unique = " . ($unique) ? '1' : '0'; + AND ix.is_unique = " . ($unique ? '1' : '0'); } break; diff --git a/phpBB/phpbb/message/form.php b/phpBB/phpbb/message/form.php index 076b41dc07..21d4de0b4d 100644 --- a/phpBB/phpbb/message/form.php +++ b/phpBB/phpbb/message/form.php @@ -146,7 +146,7 @@ abstract class form WHERE user_id = ' . $this->user->data['user_id']; $this->db->sql_query($sql); - if ($this->cc_sender) + if ($this->cc_sender && $this->user->data['is_registered']) { $this->message->cc_sender(); } diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 477e91efd6..14b4c63207 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -87,7 +87,7 @@ class session $symfony_request_path = $phpbb_filesystem->clean_path($symfony_request->getPathInfo()); if ($symfony_request_path !== '/') { - $page_name .= $symfony_request_path; + $page_name .= str_replace('%2F', '/', urlencode($symfony_request_path)); } // current directory within the phpBB root (for example: adm) diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php index bf9ddec493..ad949a35f2 100644 --- a/phpBB/phpbb/symfony_request.php +++ b/phpBB/phpbb/symfony_request.php @@ -38,6 +38,9 @@ class symfony_request extends Request array_walk_recursive($get_parameters, $sanitizer); array_walk_recursive($post_parameters, $sanitizer); + array_walk_recursive($server_parameters, $sanitizer); + array_walk_recursive($files_parameters, $sanitizer); + array_walk_recursive($cookie_parameters, $sanitizer); parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters); } diff --git a/phpBB/styles/prosilver/template/memberlist_email.html b/phpBB/styles/prosilver/template/memberlist_email.html index 865f0b883c..e848844093 100644 --- a/phpBB/styles/prosilver/template/memberlist_email.html +++ b/phpBB/styles/prosilver/template/memberlist_email.html @@ -77,10 +77,12 @@ {L_EMAIL_BODY_EXPLAIN}

        +
         
        +
      diff --git a/tests/functional/auth_test.php b/tests/functional/auth_test.php index b4b4279bf1..76e1709afb 100644 --- a/tests/functional/auth_test.php +++ b/tests/functional/auth_test.php @@ -33,6 +33,25 @@ class phpbb_functional_auth_test extends phpbb_functional_test_case $this->assertContains('anothertestuser', $crawler->filter('#username_logged_in')->text()); } + /** + * @dependsOn test_login_other + */ + public function test_login_ucp_other_auth_provider() + { + global $cache, $config; + $cache = new phpbb_mock_null_cache; + $db = $this->get_db(); + $sql = 'UPDATE ' . CONFIG_TABLE . " SET config_value = 'foobar' WHERE config_name = 'auth_method'"; + $db->sql_query($sql); + $config['auth_method'] = 'foobar'; + $this->login('anothertestuser'); + $crawler = self::request('GET', 'index.php'); + $this->assertContains('anothertestuser', $crawler->filter('#username_logged_in')->text()); + $sql = 'UPDATE ' . CONFIG_TABLE . " SET config_value = 'db' WHERE config_name = 'auth_method'"; + $db->sql_query($sql); + $config['auth_method'] = 'db'; + } + /** * @depends test_login */