From 7f991e848042fe43849d4e2e31bbf9c7ff3afce3 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Fri, 5 Mar 2010 18:51:30 +0100
Subject: [PATCH 1/7] Fix Bug #58595 - ATOM Feed exposes forum content under some circumstances.
---
phpBB/docs/CHANGELOG.html | 1 +
phpBB/feed.php | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 3042027e83..112e8451cd 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -99,6 +99,7 @@
  • [Fix] Add terminating semicolons to JavaScript code. (Bug #58085 - Patch by nn-)
  • [Fix] Minor language fixes. (Bug #54855)
  • [Fix] Parsing urls in signatures properly uses config settings. (Bug #57105)
  • +
  • [Fix] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)
  • [Feature] Support for Microsoft's Native SQL Server Driver for PHP (Bug #57055 - Patch by Chris Pucci at Microsoft)
  •
diff --git a/phpBB/feed.php b/phpBB/feed.php
index 1832efbc61..a42aa42a7f 100644
--- a/phpBB/feed.php
+++ b/phpBB/feed.php
@@ -522,7 +522,7 @@ class phpbb_feed_base
if (!isset($forum_ids))
{
- $forum_ids = array_keys($auth->acl_getf('f_read'));
+ $forum_ids = array_keys($auth->acl_getf('f_read', true));
}
return $forum_ids;
From f0a82396d48829a623ca716dc8c7d95e6aed2941 Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Fri, 5 Mar 2010 20:50:56 +0100
Subject: [PATCH 2/7] Mark the bugfix #58595 as a security fix
---
phpBB/docs/CHANGELOG.html | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 112e8451cd..0897328949 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -53,6 +53,7 @@
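Review bot: The `true` in `acl_getf('f_read', true)` is the entire fix for Bug #58595, yet the line carries no explanation, so a later tidy-up could drop the argument and silently reintroduce the exposure; add a comment above the assignment such as `// Pass $clean = true: list only forums where f_read is actually granted, not every forum that merely has an f_read ACL row`. The enclosing method of phpbb_feed_base starts and ends outside the hunk. The identical feed.php hunk is applied again in PATCH 3/7 of this series, and the same comment belongs there too. A regression test with a user whose forum carries an f_read ACL entry that evaluates to no permission would pin this down more reliably than the changelog line alone.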
    1. Changelog
        +
      1. Changes since 3.0.7-PL1
      2. Changes since 3.0.7
      3. Changes since 3.0.6
      4. Changes since 3.0.5
      5.
@@ -88,7 +89,7 @@
        -

        1.i. Changes since 3.0.7

        +

        1.i. Changes since 3.0.7-PL1

        • [Fix] Correctly sort database backup file list by date on database restore page. (Bug #57385)
        •
@@ -99,10 +100,15 @@
        • [Fix] Add terminating semicolons to JavaScript code. (Bug #58085 - Patch by nn-)
        • [Fix] Minor language fixes. (Bug #54855)
        • [Fix] Parsing urls in signatures properly uses config settings. (Bug #57105)
        • -
        • [Fix] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)
        • [Feature] Support for Microsoft's Native SQL Server Driver for PHP (Bug #57055 - Patch by Chris Pucci at Microsoft)
        +

        1.i. Changes since 3.0.7

        + +
          +
        • [Sec] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)
        • +
        +

        1.ii. Changes since 3.0.6

          From b1ab74b0431e2934cccf3bfa80aec0eef928eeb3 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Fri, 5 Mar 2010 18:51:30 +0100
Subject: [PATCH 3/7] Fix Bug #58595 - ATOM Feed exposes forum content under some circumstances.
---
phpBB/docs/CHANGELOG.html | 9 ++++++++-
phpBB/feed.php | 2 +-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 6b0c0f08bd..65421aacd3 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -86,7 +86,14 @@
          -

          1.i. Changes since 3.0.6

          + +

          1.i. Changes since 3.0.7

          + +
            +
          • [Fix] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)
          • +
          + +

          1.ii. Changes since 3.0.6

          • [Fix] Allow ban reason and length to be selected and copied in ACP and subsilver2 MCP. (Bug #51095)
          •
diff --git a/phpBB/feed.php b/phpBB/feed.php
index 1832efbc61..a42aa42a7f 100644
--- a/phpBB/feed.php
+++ b/phpBB/feed.php
@@ -522,7 +522,7 @@ class phpbb_feed_base
if (!isset($forum_ids))
{
- $forum_ids = array_keys($auth->acl_getf('f_read'));
+ $forum_ids = array_keys($auth->acl_getf('f_read', true));
}
return $forum_ids;
From c8fd9f4266680e2f47a0088d21813b90431ba754 Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Fri, 5 Mar 2010 20:50:56 +0100
Subject: [PATCH 4/7] Mark the bugfix #58595 as a security fix
---
phpBB/docs/CHANGELOG.html | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 65421aacd3..1d5af06f4d 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -53,6 +53,7 @@
            1. Changelog
                +
              1. Changes since 3.0.7
              2. Changes since 3.0.6
              3. Changes since 3.0.5
              4. Changes since 3.0.4
              5.
@@ -90,7 +91,7 @@

                1.i. Changes since 3.0.7

                  -
                • [Fix] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)
                • +
                • [Sec] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)

                1.ii. Changes since 3.0.6

                From 39490abfff0f16c0bb79034c97bc744ae3a3a7c9 Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Fri, 5 Mar 2010 21:06:48 +0100
Subject: [PATCH 5/7] Incrementing the version number to 3.0.7-PL1
---
build/build_diff.php | 4 ++--
build/package.php | 2 +-
phpBB/docs/INSTALL.html | 4 ++--
phpBB/includes/constants.php | 2 +-
phpBB/install/convertors/convert_phpbb20.php | 4 ++--
phpBB/install/database_update.php | 8 +++++++-
phpBB/install/schemas/schema_data.sql | 2 +-
7 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/build/build_diff.php b/build/build_diff.php
index c8a40f4f5e..ef815bc0c3 100755
--- a/build/build_diff.php
+++ b/build/build_diff.php
@@ -11,9 +11,9 @@
// CONFIG - Begin
$substitute_old = '3.0.6';
-$substitute_new = '3.0.7';
+$substitute_new = '3.0.7-PL1';
$simple_name_old = 'phpbb306';
-$simple_name_new = 'phpbb307';
+$simple_name_new = 'phpbb307-PL1';
$echo_changes = false; // Set this to true to just compress the changes and do not build them again
// This should be used for building custom modified txt file. ;)
diff --git a/build/package.php b/build/package.php
index e04750d4be..7cb30bd493 100755
--- a/build/package.php
+++ b/build/package.php
@@ -15,7 +15,7 @@
// If RC8 drops remove the install/data directory
//$versions = array('3.0.2', '3.0.3-RC1', '3.0.3', '3.0.4-RC1', '3.0.4', '3.0.5-RC1', '3.0.5', '3.0.6-RC1', '3.0.6-RC2', '3.0.6-RC3');
//$versions = array('3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.0.7-RC1', '3.0.7');
-$versions = array('3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.0.7-RC1', '3.0.7-RC2', '3.0.7');
+$versions = array('3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.0.7-RC1', '3.0.7-RC2', '3.0.7', '3.0.7-PL1');
$verbose = false;
require('build_helper.php');
diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html
index f9d4e28c27..982c28571e 100644
--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@@ -273,7 +273,7 @@

                This package is meant for those wanting to only replace changed files from a previous version to the latest version. This package normally contains the changed files from up to five previous versions.

                -

                This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 3.0.6 you should select the phpBB-3.0.6_to_3.0.7.zip/tar.gz file.

                +

                This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 3.0.6 you should select the phpBB-3.0.6_to_3.0.7-PL1.zip/tar.gz file.

                The directory structure has been preserved enabling you (if you wish) to simply upload the contents of the archive to the appropriate location on your server, i.e. simply overwrite the existing files with the new versions. Do not forget that if you have installed any MODs these files will overwrite the originals possibly destroying them in the process. You will need to re-add MODs to any affected file before uploading.

                @@ -285,7 +285,7 @@

                The patch file is one solution for those with many Modifications (MODs) or other changes who do not want to re-add them back to all the changed files if they use the method explained above. To use this you will need command line access to a standard UNIX type patch application. If you do not have access to such an application but still want to use this update approach, we strongly recommend the Automatic update package explained below. It is also the recommended update method.

                -

                A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is 3.0.5 you need the phpBB-3.0.6_to_3.0.7.patch file. Place the correct patch in the parent directory containing the phpBB3 core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: patch -cl -d [PHPBB DIRECTORY] -p1 < [PATCH NAME] (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB3, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.

                +

                A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is 3.0.5 you need the phpBB-3.0.6_to_3.0.7-PL1.patch file. Place the correct patch in the parent directory containing the phpBB3 core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: patch -cl -d [PHPBB DIRECTORY] -p1 < [PATCH NAME] (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB3, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.

                If you do get failures you should look at using the Changed files only package to replace the files which failed to patch, please note that you will need to manually re-add any Modifications (MODs) to these particular files. Alternatively if you know how you can examine the .rej files to determine what failed where and make manual adjustments to the relevant source.

                diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index f58b29d232..8d31eaba7f 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -25,7 +25,7 @@ if (!defined('IN_PHPBB'))
*/
// phpBB Version
-define('PHPBB_VERSION', '3.0.7');
+define('PHPBB_VERSION', '3.0.7-PL1');
// QA-related
// define('PHPBB_QA', 1);
diff --git a/phpBB/install/convertors/convert_phpbb20.php b/phpBB/install/convertors/convert_phpbb20.php
index 1d6b79bbec..dfade990d2 100644
--- a/phpBB/install/convertors/convert_phpbb20.php
+++ b/phpBB/install/convertors/convert_phpbb20.php
@@ -32,7 +32,7 @@ unset($dbpasswd);
$convertor_data = array(
'forum_name' => 'phpBB 2.0.x',
'version' => '1.0.3',
- 'phpbb_version' => '3.0.7',
+ 'phpbb_version' => '3.0.7-PL1',
'author' => 'phpBB Group',
'dbms' => $dbms,
'dbhost' => $dbhost,
@@ -83,7 +83,7 @@ $tables = array(
* 'table_format' => 'file',
* 'filename' => 'NAME OF FILE', // If the file is not in the root directory, the path needs to be added with no leading slash
* 'array_name' => 'NAME OF ARRAY', // Only used if the configuration file stores the setting in an array.
-* 'settings' => array(
+* 'settings' => array(
* 'board_email' => 'SUPPORT_EMAIL', // target config name => source target name
* )
* );
diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php
index e82530189c..f39ed60d43 100644
--- a/phpBB/install/database_update.php
+++ b/phpBB/install/database_update.php
@@ -8,7 +8,7 @@
*
*/
-$updates_to_version = '3.0.7';
+$updates_to_version = '3.0.7-PL1';
// Enter any version to update from to test updates. The version within the db will not be updated.
$debug_from_version = false;
@@ -911,6 +911,8 @@ function database_update_info()
'3.0.7-RC1' => array(),
// No changes from 3.0.7-RC2 to 3.0.7
'3.0.7-RC2' => array(),
+ // No changes from 3.0.7 to 3.0.7-PL1
+ '3.0.7' => array(),
);
}
@@ -1642,6 +1644,10 @@ function change_database_data(&$no_updates, $version)
// No changes from 3.0.7-RC2 to 3.0.7
case '3.0.7-RC2':
break;
+
+ // No changes from 3.0.7 to 3.0.7-PL1
+ case '3.0.7':
+ break;
}
}
diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql
index 22e8b34f3b..996ab5765d 100644
--- a/phpBB/install/schemas/schema_data.sql
+++ b/phpBB/install/schemas/schema_data.sql
@@ -241,7 +241,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page',
INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.0.7');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.0.7-PL1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
From 2e1cd98a5a9145fb2d86e63bf178d6370c301602 Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Fri, 5 Mar 2010 22:22:39 +0100
Subject: [PATCH 6/7] exclude the image file with text in the name from having newlines fixed
---
phpBB/develop/fix_files.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/develop/fix_files.sh b/phpBB/develop/fix_files.sh
index d2207289dc..bf58e49e5f 100755
--- a/phpBB/develop/fix_files.sh
+++ b/phpBB/develop/fix_files.sh
@@ -14,7 +14,7 @@ find . > FILELIST.$$
grep -sv FILELIST FILELIST.$$ > FILELIST2.$$
grep -sv $(basename $0) FILELIST2.$$ > FILELIST.$$
grep -sv "^\.$" FILELIST.$$ > FILELIST2.$$
-file -f FILELIST2.$$ |grep text | sed -e 's/^\([^\:]*\)\:.*$/\1/' > FILELIST
+file -f FILELIST2.$$ |grep text | grep -v icon_textbox_search.gif | sed -e 's/^\([^\:]*\)\:.*$/\1/' > FILELIST
file -f FILELIST2.$$ |grep -sv text | sed -e 's/^\([^\:]*\)\:.*$/Not Modifying file: \1/'
rm FILELIST2.$$
rm FILELIST.$$
From 9d005973b0b31077a81243d7573734bb63af2a27 Mon Sep 17 00:00:00 2001
From: Igor Wiedler
Date: Fri, 5 Mar 2010 20:54:16 +0100
Subject: [PATCH 7/7] [bug/51555] proposed fix for bug #51555
---
phpBB/docs/CHANGELOG.html | 1 +
phpBB/includes/functions.php | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 3042027e83..d31e094f93 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -99,6 +99,7 @@
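Review bot: The added `grep -v icon_textbox_search.gif` special-cases one file rather than fixing the misclassification behind it: `file -f` prints `path: description`, and the existing `grep text` matches anywhere on that line, so any path containing the substring `text` is treated as a text file and has its line endings rewritten, which corrupts a binary. The next image or archive with `text` in its name will trip over the same thing. Restricting the match to the description after the colon closes the whole class: `file -f FILELIST2.$$ | grep ':.*text' | sed -e 's/^\([^\:]*\)\:.*$/\1/' > FILELIST` and, on the next context line, `file -f FILELIST2.$$ | grep -sv ':.*text' | sed -e 's/^\([^\:]*\)\:.*$/Not Modifying file: \1/'`. If the per-file exclusion is kept anyway, `grep -vF icon_textbox_search.gif` matches the name literally instead of treating `.` as a wildcard.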
              6. [Fix] Add terminating semicolons to JavaScript code. (Bug #58085 - Patch by nn-)
              7. [Fix] Minor language fixes. (Bug #54855)
              8. [Fix] Parsing urls in signatures properly uses config settings. (Bug #57105)
              9. +
              10. [Fix] Allow multibyte keys in request_var(). (Bug #51555)
              11. [Feature] Support for Microsoft's Native SQL Server Driver for PHP (Bug #57055 - Patch by Chris Pucci at Microsoft)
          diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 38f910974a..917433a970 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -114,7 +114,7 @@ function request_var($var_name, $default, $multibyte = false, $cookie = false)
{
$_v = null;
}
- set_var($_k, $_k, $sub_key_type);
+ set_var($_k, $_k, $sub_key_type, $multibyte);
set_var($var[$k][$_k], $_v, $sub_type, $multibyte);
}
}
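Review bot: The `$multibyte` now passed for the sub-key `$_k` has no comment saying why a key needs the same sanitising as the value on the following line, which is the substance of Bug #51555; a one-liner above the call, e.g. `// Keys get the same $multibyte treatment as values, or multibyte sub-keys are mangled before being used as an index (Bug #51555)`, would keep the two set_var calls from drifting apart again. `$_k` is both the target and the source of that call, so the sanitised key appears to replace the raw one in place before `$var[$k][$_k]` is indexed on the next line, which is worth stating in the same comment. request_var starts and ends outside the hunk, so the handling of the outer key `$k` is not visible; if it goes through a similar `set_var` without `$multibyte`, the same mangling presumably remains one level up and should be checked.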