From f3024402978b79b0e6e2b8cc2549e0ec6df5021d Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Mon, 24 May 2021 17:08:28 +0200
Subject: [PATCH 1/5] [ticket/security/254] Disallow whitespace characters that might be invisible

SECURITY-254

---
 phpBB/includes/functions_user.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index a820600eb5..8cfad36773 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1752,7 +1752,8 @@ function validate_username($username, $allowed_username = false, $allow_all_name
 }
 // ... fast checks first.
- if (strpos($username, '"') !== false || strpos($username, '"') !== false || empty($clean_username))
+ if (strpos($username, '"') !== false || strpos($username, '"') !== false || empty($clean_username)
+ || preg_match('/[\x{180E}\x{2005}-\x{200D}\x{202F}\x{205F}\x{2060}\x{FEFF}]/u', $username))
 {
 return 'INVALID_CHARS';
 }
From b82d90eb39f0b787a0e8a05237547702740bd7c8 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Mon, 24 May 2021 20:42:25 +0200
Subject: [PATCH 2/5] [ticket/security/254] Add tests for validation

SECURITY-254

---
 tests/functions/validate_username_test.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tests/functions/validate_username_test.php b/tests/functions/validate_username_test.php
index 2ff8bb4e46..fc52f91347 100644
--- a/tests/functions/validate_username_test.php
+++ b/tests/functions/validate_username_test.php
@@ -51,6 +51,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('USERNAME_TAKEN'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_ALPHA_ONLY', array(
 'foobar_allow' => array(),
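Review bot: The `preg_match` on the second added line runs with the `/u` modifier, so it returns `false` rather than `0` when `$username` is not well-formed UTF-8, and inside this `||` chain a PCRE failure is indistinguishable from "no invisible character found" — the name would then pass this branch and only be judged by the later checks. If malformed input can still reach validate_username at this point (the earlier cleaning step is outside the hunk, so I cannot confirm it), compare explicitly so that both a match and an error reject the name: `|| preg_match('/[\x{180E}\x{2005}-\x{200D}\x{202F}\x{205F}\x{2060}\x{FEFF}]/u', $username) !== 0)`. The character class is an enumerated list of code points; whether a property-based class would be more durable depends on what the configured username patterns already reject, which is not visible here, but the list deserves a comment naming its intent, e.g. `// Reject zero-width and invisible space code points that could make two usernames look identical`. The enclosing function body begins and ends outside the hunk.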
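Review bot: The new dataset key `'a d m i n i ᠎strator'` carries the blocked code point as a literal invisible character in the source (it renders here as U+180E, but that cannot be verified from the page), so a reader cannot tell which character the case exercises and an editor or normalizing tool can silently change it; the same literal recurs in the five later hunks of this file and in the data-wiring hunk at `@@ -201,6 +207,11 @@`. Building the string with an explicit escape, e.g. `'a d m i n i ' . "\u{180E}" . 'strator'`, keeps the test input visible in review, and a readable key such as `'invisible_whitespace'` would make a failure report legible. Since the fix blocks several distinct code points, one dataset per blocked character would also demonstrate that each is rejected regardless of the configured username pattern. The enclosing data provider method starts outside the hunk.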
@@ -65,6 +66,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('INVALID_CHARS'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_ALPHA_SPACERS', array(
 'foobar_allow' => array(),
@@ -79,6 +81,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('USERNAME_TAKEN'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_LETTER_NUM', array(
 'foobar_allow' => array(),
@@ -93,6 +96,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('INVALID_CHARS'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_LETTER_NUM_SPACERS', array(
 'foobar_allow' => array(),
@@ -107,6 +111,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('USERNAME_TAKEN'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 array('USERNAME_ASCII', array(
 'foobar_allow' => array(),
@@ -121,6 +126,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'barfoo_disallow' => array('USERNAME_DISALLOWED'),
 'admin_taken' => array('USERNAME_TAKEN'),
 'group_taken' => array('USERNAME_TAKEN'),
+ 'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 )),
 );
 }
@@ -201,6 +207,11 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 'foobar_group',
 array('username'),
 ),
+ 'a d m i n i ᠎strator' => array(
+ $expected['a d m i n i ᠎strator'],
+ 'a d m i n i ᠎strator',
+ array('username'),
+ ),
 ));
 }
 }
From 7a8d9671c21096c5a648114e8b2a01eb3468ec48 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Fri, 1 Oct 2021 22:40:21 +0200
Subject: [PATCH 3/5] [prep-release-3.3.5] Update version numbers to 3.3.5

---
 build/build.xml | 4 ++--
 phpBB/includes/constants.php | 2 +-
 phpBB/install/phpbbcli.php | 2 +-
 phpBB/install/schemas/schema_data.sql | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/build/build.xml b/build/build.xml
index 75261b7c27..933b22ef3e 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -2,9 +2,9 @@ - + - +
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index 5b14250527..77459c47cb 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 // phpBB Version
-@define('PHPBB_VERSION', '3.3.5-RC1');
+@define('PHPBB_VERSION', '3.3.5');
 // QA-related
 // define('PHPBB_QA', 1);
diff --git a/phpBB/install/phpbbcli.php b/phpBB/install/phpbbcli.php
index 340159aef2..ac3a7cf9bd 100755
--- a/phpBB/install/phpbbcli.php
+++ b/phpBB/install/phpbbcli.php
@@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli')
 define('IN_PHPBB', true);
 define('IN_INSTALL', true);
 define('PHPBB_ENVIRONMENT', 'production');
-define('PHPBB_VERSION', '3.3.5-RC1');
+define('PHPBB_VERSION', '3.3.5');
 $phpbb_root_path = __DIR__ . '/../';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);
diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql
index 5773716255..aed6f3d1ef 100644
--- a/phpBB/install/schemas/schema_data.sql
+++ b/phpBB/install/schemas/schema_data.sql
@@ -316,7 +316,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('update_hashes_lock
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.3.5-RC1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.3.5');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
From 6a72d0305b11fc058c0e674c8969e83cc9af66c8 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Fri, 1 Oct 2021 22:40:24 +0200
Subject: [PATCH 4/5] [prep-release-3.3.5] Add migration for 3.3.5

---
 phpBB/phpbb/db/migration/data/v33x/v335.php | 36 +++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 phpBB/phpbb/db/migration/data/v33x/v335.php

diff --git a/phpBB/phpbb/db/migration/data/v33x/v335.php b/phpBB/phpbb/db/migration/data/v33x/v335.php
new file mode 100644
index 0000000000..bea7e15d8d
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v33x/v335.php
@@ -0,0 +1,36 @@
+
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v33x;
+
+class v335 extends \phpbb\db\migration\migration
+{
+ public function effectively_installed()
+ {
+ return version_compare($this->config['version'], '3.3.5', '>=');
+ }
+
+ public static function depends_on()
+ {
+ return [
+ '\phpbb\db\migration\data\v33x\v335rc1',
+ ];
+ }
+
+ public function update_data()
+ {
+ return [
+ ['config.update', ['version', '3.3.5']],
+ ];
+ }
+}
From ceca69d121fbb5b5952a9f65eb567e54030aaca7 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Fri, 1 Oct 2021 22:42:05 +0200
Subject: [PATCH 5/5] [prep-release-3.3.5] Update changelog for 3.3.5

---
 phpBB/docs/CHANGELOG.html | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index c22bdb49bf..5df3f977e4 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -50,6 +50,7 @@
  1. Changelog