diff --git a/build/build.xml b/build/build.xml
index 04152a1c5a..21ba1763bf 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -4,7 +4,7 @@
-
+
diff --git a/phpBB/cache/.htaccess b/phpBB/cache/.htaccess
index aa5afc1640..44242b5418 100644
--- a/phpBB/cache/.htaccess
+++ b/phpBB/cache/.htaccess
@@ -1,4 +1,33 @@
-
- Order Allow,Deny
- Deny from All
-
\ No newline at end of file
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+ = 2.4>
+
+ Require all denied
+
+
+
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+
+
+ Require all denied
+
+
+
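Review bot: The new cache/.htaccess ends with a trailing newline while the otherwise identical config, files, images/avatars/upload, includes and store copies end without one (each of those hunks closes with `\ No newline at end of file`), so the commit produces two different blobs for files the changelog entry describes as aligned; adding the final newline to the other five keeps the set byte-identical and makes future diffs across it trivial. The IfModule/IfVersion containers are not visible in this rendering, so I can only comment on the directives and the header comment. Since the protection is Apache-specific, a closing line in the header comment would help operators on other servers: `# These directives only apply under Apache; other web servers need an equivalent deny rule for this directory.`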
diff --git a/phpBB/config/.htaccess b/phpBB/config/.htaccess
index 4128d345ab..163ddd802f 100644
--- a/phpBB/config/.htaccess
+++ b/phpBB/config/.htaccess
@@ -1,4 +1,33 @@
-
- Order Allow,Deny
- Deny from All
-
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+ = 2.4>
+
+ Require all denied
+
+
+
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+
+
+ Require all denied
+
+
+
\ No newline at end of file
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 1d89d0ace6..872368d200 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -55,6 +55,7 @@
Changes since 3.3.0-b2
Changes since 3.3.0-b1
Changes since 3.2.x
+ Changes since 3.2.10-RC2
Changes since 3.2.10-RC1
Changes since 3.2.9
Changes since 3.2.9-RC1
@@ -512,6 +513,28 @@
[PHPBB3-16185] - Use Xenial build environment on travis-ci
+ Changes since 3.2.10-RC2
+ Bug
+
+ - [PHPBB3-16417] - SQL fatal error while updating database from older versions via CLI
+ - [PHPBB3-16524] - General error (SQL ERROR) on adding emoji character to the profile field
+ - [PHPBB3-16534] - Passwords converted from phpBB2 can have invalid hash
+ - [PHPBB3-16539] - General error (SQL error) on posting page in smilies mode
+ - [PHPBB3-16550] - compact(): Undefined variable: url - in PMs
+
+ Improvement
+
+ - [PHPBB3-16554] - Align all .htaccess files to support Apache 2.4 mod_authz_core directives
+
+ Security Issue
+
+ - [SECURITY-259] - Server-Side Request Forgery via FastImageSize in s9e textformatter
+
+ Hardening
+
+ - [SECURITY-257] - Potential RCE via Phar Deserialization through Legacy BBCode Parser
+
+
Changes since 3.2.10-RC1
Bug
diff --git a/phpBB/files/.htaccess b/phpBB/files/.htaccess
index aa5afc1640..163ddd802f 100644
--- a/phpBB/files/.htaccess
+++ b/phpBB/files/.htaccess
@@ -1,4 +1,33 @@
-
- Order Allow,Deny
- Deny from All
-
\ No newline at end of file
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+ = 2.4>
+
+ Require all denied
+
+
+
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+
+
+ Require all denied
+
+
+
\ No newline at end of file
diff --git a/phpBB/images/avatars/upload/.htaccess b/phpBB/images/avatars/upload/.htaccess
index aa5afc1640..163ddd802f 100644
--- a/phpBB/images/avatars/upload/.htaccess
+++ b/phpBB/images/avatars/upload/.htaccess
@@ -1,4 +1,33 @@
-
- Order Allow,Deny
- Deny from All
-
\ No newline at end of file
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+ = 2.4>
+
+ Require all denied
+
+
+
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+
+
+ Require all denied
+
+
+
\ No newline at end of file
diff --git a/phpBB/includes/.htaccess b/phpBB/includes/.htaccess
index 4128d345ab..163ddd802f 100644
--- a/phpBB/includes/.htaccess
+++ b/phpBB/includes/.htaccess
@@ -1,4 +1,33 @@
-
- Order Allow,Deny
- Deny from All
-
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+ = 2.4>
+
+ Require all denied
+
+
+
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+
+
+ Require all denied
+
+
+
\ No newline at end of file
diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php
index 0a3dc7ac13..c056d93fb4 100644
--- a/phpBB/includes/functions_posting.php
+++ b/phpBB/includes/functions_posting.php
@@ -118,7 +118,7 @@ function generate_smilies($mode, $forum_id)
SMILIES_TABLE => 's',
],
'GROUP_BY' => 's.smiley_url, s.smiley_width, s.smiley_height',
- 'ORDER_BY' => 's.min_smiley_order',
+ 'ORDER_BY' => 'min_smiley_order',
];
}
else
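Review bot: The new `'ORDER_BY' => 'min_smiley_order'` refers to a select-list alias whose definition sits above the hunk (the copy of this query in tests/functional/smilies_test.php shows it as `MIN(s.smiley_order) AS min_smiley_order`), so the coupling is invisible at this line and a reader may "fix" it back to the table-qualified form that PHPBB3-16539 reports as an SQL error. A one-line comment records the constraint: `// Order by the aggregate alias, not s.min_smiley_order: the column only exists as an alias (PHPBB3-16539)`. generate_smilies begins and continues outside the hunk.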
diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php
index bd42f93a39..0aceeb90e1 100644
--- a/phpBB/includes/functions_privmsgs.php
+++ b/phpBB/includes/functions_privmsgs.php
@@ -2046,6 +2046,8 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
while ($row = $db->sql_fetchrow($result));
$db->sql_freeresult($result);
+ $url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm');
+
/**
* Modify message rows before displaying the history in private messages
*
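Review bot: Moving `$url` above the event docblock fixes the undefined-variable report (PHPBB3-16550), but nothing at the new position says why it must be computed this early, and the second hunk only shows the deletion of the old line, so the next reorganisation can reintroduce the bug. A short comment on the added line keeps the ordering intact: `// Must be defined before the event below, whose vars list compact()s $url (PHPBB3-16550)`. `$phpbb_root_path` and `$phpEx` are presumably globals of message_history, which starts before this hunk.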
@@ -2080,7 +2082,6 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
$title = censor_text($title);
- $url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm');
$next_history_pm = $previous_history_pm = $prev_id = 0;
// Re-order rowset to be able to get the next/prev message rows...
diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php
index d6214c4614..395e613af8 100644
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@@ -391,7 +391,7 @@ class bbcode_firstpass extends bbcode
$in = str_replace(' ', '%20', $in);
// Checking urls
- if (!preg_match('#^' . get_preg_expression('url') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
+ if (!preg_match('#^' . get_preg_expression('url_http') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
{
return '[img]' . $in . '[/img]';
}
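Review bot: The switch from `get_preg_expression('url')` to `'url_http'` narrows [img] to http(s) targets without saying so, and the reason is only recoverable from the changelog entry for SECURITY-259; a comment on the condition records it for maintainers: `// Accept only http(s) (or bare www.) image URLs; anything else is returned as plain text and never handed to a fetcher (SECURITY-259)`. The new test case `[img]foo://foo/bar[/img]` covers the non-http scheme; a `www.` case for the second branch, which still gets `http://` prepended a few lines below, would pin the other path. The enclosing bbcode_img method starts above the hunk.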
@@ -402,32 +402,6 @@ class bbcode_firstpass extends bbcode
$in = 'http://' . $in;
}
- if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width'])
- {
- $imagesize = new \FastImageSize\FastImageSize();
- $size_info = $imagesize->getImageSize(htmlspecialchars_decode($in));
-
- if ($size_info === false)
- {
- $error = true;
- $this->warn_msg[] = $user->lang['UNABLE_GET_IMAGE_SIZE'];
- }
- else
- {
- if ($config['max_' . $this->mode . '_img_height'] && $config['max_' . $this->mode . '_img_height'] < $size_info['height'])
- {
- $error = true;
- $this->warn_msg[] = $user->lang('MAX_IMG_HEIGHT_EXCEEDED', (int) $config['max_' . $this->mode . '_img_height']);
- }
-
- if ($config['max_' . $this->mode . '_img_width'] && $config['max_' . $this->mode . '_img_width'] < $size_info['width'])
- {
- $error = true;
- $this->warn_msg[] = $user->lang('MAX_IMG_WIDTH_EXCEEDED', (int) $config['max_' . $this->mode . '_img_width']);
- }
- }
- }
-
if ($error || $this->path_in_domain($in))
{
return '[img]' . $in . '[/img]';
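Review bot: With the size-check block removed, `$error` on the remaining `if ($error || $this->path_in_domain($in))` line is no longer assigned anywhere in this hunk; if its initialisation lives above the hunk (which I cannot see) the check is now dead, and if it does not, the condition reads an undefined variable. Either reduce the line to `if ($this->path_in_domain($in))` or confirm the initialisation still exists and note that the block below is the only remaining rejection path. Removing the server-side image fetch at parse time is the actual SSRF fix here, so a comment at the removal point would stop someone reintroducing the dimension check with a remote fetch: `// Image dimensions are deliberately not checked here: fetching the image from the server was the SSRF vector (SECURITY-259)`. The `$config` and `$user` globals used by the removed block may now be unused in this method, which ends outside the hunk.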
diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php
index 4aee52abbe..d209ee3d08 100644
--- a/phpBB/language/en/acp/board.php
+++ b/phpBB/language/en/acp/board.php
@@ -185,10 +185,10 @@ $lang = array_merge($lang, array(
'MAX_POLL_OPTIONS' => 'Maximum number of poll options',
'MAX_POST_FONT_SIZE' => 'Maximum font size per post',
'MAX_POST_FONT_SIZE_EXPLAIN' => 'Maximum font size allowed in a post. Set to 0 for unlimited font size.',
- 'MAX_POST_IMG_HEIGHT' => 'Maximum image height per post',
- 'MAX_POST_IMG_HEIGHT_EXPLAIN' => 'Maximum height of an image/flash file in postings. Set to 0 for unlimited size.',
- 'MAX_POST_IMG_WIDTH' => 'Maximum image width per post',
- 'MAX_POST_IMG_WIDTH_EXPLAIN' => 'Maximum width of an image/flash file in postings. Set to 0 for unlimited size.',
+ 'MAX_POST_IMG_HEIGHT' => 'Maximum flash height per post',
+ 'MAX_POST_IMG_HEIGHT_EXPLAIN' => 'Maximum height of a flash file in postings. Set to 0 for unlimited size.',
+ 'MAX_POST_IMG_WIDTH' => 'Maximum flash width per post',
+ 'MAX_POST_IMG_WIDTH_EXPLAIN' => 'Maximum width of a flash file in postings. Set to 0 for unlimited size.',
'MAX_POST_URLS' => 'Maximum links per post',
'MAX_POST_URLS_EXPLAIN' => 'Maximum number of URLs in a post. Set to 0 for unlimited links.',
'MIN_CHAR_LIMIT' => 'Minimum characters per post/message',
diff --git a/phpBB/phpbb/db/migration/data/v32x/v3210.php b/phpBB/phpbb/db/migration/data/v32x/v3210.php
new file mode 100644
index 0000000000..2817158639
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v32x/v3210.php
@@ -0,0 +1,36 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v3210 extends \phpbb\db\migration\migration
+{
+ public function effectively_installed()
+ {
+ return phpbb_version_compare($this->config['version'], '3.2.10', '>=');
+ }
+
+ static public function depends_on()
+ {
+ return array(
+ '\phpbb\db\migration\data\v32x\v3210rc2',
+ );
+ }
+
+ public function update_data()
+ {
+ return array(
+ array('config.update', array('version', '3.2.10')),
+ );
+ }
+}
diff --git a/phpBB/phpbb/profilefields/manager.php b/phpBB/phpbb/profilefields/manager.php
index 5daa61076c..8af2fe12ad 100644
--- a/phpBB/phpbb/profilefields/manager.php
+++ b/phpBB/phpbb/profilefields/manager.php
@@ -254,6 +254,13 @@ class manager
/** @var \phpbb\profilefields\type\type_interface $profile_field */
$profile_field = $this->type_collection[$row['field_type']];
$cp_data['pf_' . $row['field_ident']] = $profile_field->get_profile_field($row);
+
+ /**
+ * Replace Emoji and other 4bit UTF-8 chars not allowed by MySQL
+ * with their Numeric Character Reference's Hexadecimal notation.
+ */
+ $cp_data['pf_' . $row['field_ident']] = utf8_encode_ucr($cp_data['pf_' . $row['field_ident']]);
+
$check_value = $cp_data['pf_' . $row['field_ident']];
if (($cp_result = $profile_field->validate_profile_field($check_value, $row)) !== false)
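Review bot: The new `utf8_encode_ucr()` call runs before `validate_profile_field($check_value, $row)` two lines below, so the validator sees the numeric-character-reference form rather than the submitted text; if that function turns one emoji into a multi-character `&#x...;` sequence, as its name and the added comment suggest, any length or character-class rule of a field type is applied to the encoded form, which is presumably not what the ACP limits mean. Encoding after the validation check, just before the value is used, would keep validation on user-visible text; if validating the encoded form is intended, the comment should say so. Also `4bit` in the added comment should read `4-byte`: `* Replace Emoji and other 4-byte UTF-8 chars not allowed by MySQL's utf8 charset`. The enclosing method starts and ends outside the hunk.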
diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php
index 7d12abad90..2285d99eb8 100644
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@@ -273,8 +273,6 @@ class factory implements \phpbb\textformatter\cache_interface
->add('#imageurl', __NAMESPACE__ . '\\parser::filter_img_url')
->addParameterByName('urlConfig')
->addParameterByName('logger')
- ->addParameterByName('max_img_height')
- ->addParameterByName('max_img_width')
->markAsSafeAsURL()
->setJS('UrlFilter.filter');
diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php
index 1151f09898..590afc0ebc 100644
--- a/phpBB/phpbb/textformatter/s9e/parser.php
+++ b/phpBB/phpbb/textformatter/s9e/parser.php
@@ -380,11 +380,10 @@ class parser implements \phpbb\textformatter\parser_interface
* @param string $url Original URL
* @param array $url_config Config used by the URL filter
* @param Logger $logger
- * @param integer $max_height Maximum height allowed
- * @param integer $max_width Maximum width allowed
+ *
* @return string|bool Original value if valid, FALSE otherwise
*/
- static public function filter_img_url($url, array $url_config, Logger $logger, $max_height, $max_width)
+ static public function filter_img_url($url, array $url_config, Logger $logger)
{
// Validate the URL
$url = UrlFilter::filter($url, $url_config, $logger);
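Review bot: Dropping the two trailing parameters of the public static `filter_img_url` changes a signature that extensions may call directly; PHP ignores surplus arguments to userland functions, so five-argument callers keep working, but the docblock now has a bare ` *` line where the parameters were and says nothing about why dimension checks disappeared. Replace that line with `* Image dimensions are intentionally not checked: fetching the remote image during parsing was the SSRF vector (SECURITY-259); the max_*_img_* settings now apply to flash only.` The matching `addParameterByName('max_img_height')`/`('max_img_width')` removals in s9e/factory.php should be checked against any other filter that still expects those named parameters (not visible here). The method body continues in the next hunk.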
@@ -393,29 +392,6 @@ class parser implements \phpbb\textformatter\parser_interface
return false;
}
- if ($max_height || $max_width)
- {
- $imagesize = new \FastImageSize\FastImageSize();
- $size_info = $imagesize->getImageSize($url);
- if ($size_info === false)
- {
- $logger->err('UNABLE_GET_IMAGE_SIZE');
- return false;
- }
-
- if ($max_height && $max_height < $size_info['height'])
- {
- $logger->err('MAX_IMG_HEIGHT_EXCEEDED', array('max_height' => $max_height));
- return false;
- }
-
- if ($max_width && $max_width < $size_info['width'])
- {
- $logger->err('MAX_IMG_WIDTH_EXCEEDED', array('max_width' => $max_width));
- return false;
- }
- }
-
return $url;
}
diff --git a/phpBB/store/.htaccess b/phpBB/store/.htaccess
index aa5afc1640..163ddd802f 100644
--- a/phpBB/store/.htaccess
+++ b/phpBB/store/.htaccess
@@ -1,4 +1,33 @@
-
- Order Allow,Deny
- Deny from All
-
\ No newline at end of file
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+ = 2.4>
+
+ Require all denied
+
+
+
+
+
+
+ Order Allow,Deny
+ Deny from All
+
+
+
+
+ Require all denied
+
+
+
\ No newline at end of file
diff --git a/tests/bbcode/parser_test.php b/tests/bbcode/parser_test.php
index 6e1fad9ad1..0f11189798 100644
--- a/tests/bbcode/parser_test.php
+++ b/tests/bbcode/parser_test.php
@@ -120,6 +120,11 @@ class phpbb_bbcode_parser_test extends \phpbb_test_case
'[img]https://area51.phpbb.com/images/area51.png[/img]',
'[img:]https://area51.phpbb.com/images/area51.png[/img:]',
),
+ array(
+ 'Test default bbcodes: img with unsupported protocol',
+ '[img]foo://foo/bar[/img]',
+ '[img]foo://foo/bar[/img]',
+ ),
array(
'Test default bbcodes: simple url',
'[url]https://area51.phpbb.com/[/url]',
diff --git a/tests/functional/smilies_test.php b/tests/functional/smilies_test.php
new file mode 100644
index 0000000000..f17171bd1f
--- /dev/null
+++ b/tests/functional/smilies_test.php
@@ -0,0 +1,47 @@
+
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+/**
+* @group functional
+*/
+class phpbb_functional_smilies_test extends phpbb_functional_test_case
+{
+ public function test_smilies_mode()
+ {
+ $this->login();
+
+ // Get smilies data
+ $db = $this->get_db();
+ $sql_ary = [
+ 'SELECT' => 's.smiley_url, MIN(s.emotion) AS emotion, MIN(s.code) AS code, s.smiley_width, s.smiley_height, MIN(s.smiley_order) AS min_smiley_order',
+ 'FROM' => [
+ SMILIES_TABLE => 's',
+ ],
+ 'GROUP_BY' => 's.smiley_url, s.smiley_width, s.smiley_height',
+ 'ORDER_BY' => 'min_smiley_order',
+ ];
+ $sql = $db->sql_build_query('SELECT', $sql_ary);
+ $result = $db->sql_query($sql);
+ $smilies = $db->sql_fetchrowset($result);
+ $db->sql_freeresult($result);
+
+ // Visit smilies page
+ $crawler = self::request('GET', 'posting.php?mode=smilies');
+ foreach ($smilies as $index => $smiley)
+ {
+ $this->assertContains($smiley['smiley_url'],
+ $crawler->filter('div[class="inner"] > a > img')->eq($index)->attr('src')
+ );
+ }
+ }
+}
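Review bot: `$this->assertContains($smiley['smiley_url'], ...)` uses assertContains with a string haystack, which PHPUnit 8 deprecates and PHPUnit 9 removes in favour of `assertStringContainsString`; unless the suite is pinned below 8 (I cannot see the version here), prefer `$this->assertStringContainsString($smiley['smiley_url'], $crawler->filter('div[class="inner"] > a > img')->eq($index)->attr('src'));`. The loop makes no assertion when the query returns no rows, so an empty smilies table passes the test vacuously; add `$this->assertNotEmpty($smilies);` before the request. The SELECT array is a verbatim copy of the one in generate_smilies, so the test states the expected order itself rather than deriving it from production code — acceptable for a regression test of PHPBB3-16539, but worth a comment saying the query mirrors generate_smilies.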
diff --git a/tests/functional/ucp_profile_test.php b/tests/functional/ucp_profile_test.php
index 2d68704162..68263c11f7 100644
--- a/tests/functional/ucp_profile_test.php
+++ b/tests/functional/ucp_profile_test.php
@@ -44,4 +44,23 @@ class phpbb_functional_ucp_profile_test extends phpbb_functional_test_case
$this->assertEquals('phpbb_twitter', $form->get('pf_phpbb_twitter')->getValue());
$this->assertEquals('phpbb.youtube', $form->get('pf_phpbb_youtube')->getValue());
}
+
+ public function test_submitting_emoji()
+ {
+ $this->add_lang('ucp');
+ $this->login();
+
+ $crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info');
+ $this->assertContainsLang('UCP_PROFILE_PROFILE_INFO', $crawler->filter('#cp-main h2')->text());
+
+ $form = $crawler->selectButton('Submit')->form([
+ 'pf_phpbb_location' => '😁', // grinning face with smiling eyes Emoji
+ ]);
+ $crawler = self::submit($form);
+ $this->assertContainsLang('PROFILE_UPDATED', $crawler->filter('#message')->text());
+
+ $crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info');
+ $form = $crawler->selectButton('Submit')->form();
+ $this->assertEquals('😁', $form->get('pf_phpbb_location')->getValue());
+ }
}
diff --git a/tests/text_formatter/s9e/default_formatting_test.php b/tests/text_formatter/s9e/default_formatting_test.php
index 6c81fc5a4d..28f7061fc3 100644
--- a/tests/text_formatter/s9e/default_formatting_test.php
+++ b/tests/text_formatter/s9e/default_formatting_test.php
@@ -132,6 +132,10 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
'[img]https://area51.phpbb.com/images/area51.png[/img]',
'
'
),
+ array(
+ '[img]foo://area51.phpbb.com/images/area51.png[/img]',
+ '[img]foo://area51.phpbb.com/images/area51.png[/img]'
+ ),
array(
'[url]https://area51.phpbb.com/[/url]',
'https://area51.phpbb.com/'
diff --git a/tests/text_processing/message_parser_test.php b/tests/text_processing/message_parser_test.php
index a3dbf644f6..d302ee9504 100644
--- a/tests/text_processing/message_parser_test.php
+++ b/tests/text_processing/message_parser_test.php
@@ -342,26 +342,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
},
array('You may only use fonts up to size 120.')
),
- array(
- '[img]http://example.org/100x100.png[/img]',
- '[img]http://example.org/100x100.png[/img]',
- array(true, true, true, true, true, true, true),
- function ($phpbb_container)
- {
- $phpbb_container->get('config')->set('max_post_img_height', 12);
- },
- array('Your images may only be up to 12 pixels high.')
- ),
- array(
- '[img]http://example.org/100x100.png[/img]',
- '[img]http://example.org/100x100.png[/img]',
- array(true, true, true, true, true, true, true),
- function ($phpbb_container)
- {
- $phpbb_container->get('config')->set('max_post_img_width', 34);
- },
- array('Your images may only be up to 34 pixels wide.')
- ),
array(
'[img]http://example.org/100x100.png[/img]',
'
[img]http://example.org/100x100.png[/img]',
@@ -392,16 +372,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
$phpbb_container->get('config')->set('max_sig_img_width', 34);
}
),
- array(
- '[img]http://example.org/404.png[/img]',
- '[img]http://example.org/404.png[/img]',
- array(true, true, true, true, true, true, true),
- function ($phpbb_container)
- {
- $phpbb_container->get('config')->set('max_post_img_height', 12);
- },
- array('It was not possible to determine the dimensions of the image.')
- ),
array(
'[flash=999,999]http://example.org/foo.swf[/flash]',
'[flash=999,999]http://example.org/foo.swf[/flash]',