From fd550bc25a8472196af573c97ebf5c9ad1cb600e Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Tue, 10 Jan 2023 21:09:48 +0100
Subject: [PATCH 1/3] [ticket/security/275] Gracefully handle exceptions thrown by wrong cron route
SECURITY-275
---
 phpBB/cron.php | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/phpBB/cron.php b/phpBB/cron.php
index c99b772487..89b05c45d2 100644
--- a/phpBB/cron.php
+++ b/phpBB/cron.php
@@ -12,6 +12,8 @@
 */
 use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Exception\ExceptionInterface;
 /**
 */
@@ -30,8 +32,20 @@ $get_params_array = $request->get_super_global(\phpbb\request\request_interface:
 /** @var \phpbb\controller\helper $controller_helper */
 $controller_helper = $phpbb_container->get('controller.helper');
-$response = new RedirectResponse(
- $controller_helper->route('phpbb_cron_run', $get_params_array, false),
- 301
- );
-$response->send();
+try
+{
+ $response = new RedirectResponse(
+ $controller_helper->route('phpbb_cron_run', $get_params_array, false),
+ Response::HTTP_MOVED_PERMANENTLY
+ );
+ $response->send();
+}
+catch(ExceptionInterface $exception)
+{
+ $language = $phpbb_container->get('language');
+ $response = new Response(
+ $language->lang('PAGE_NOT_FOUND'),
+ Response::HTTP_BAD_REQUEST
+ );
+ $response->send();
+}
From e5f069b15b56213fb0a2eebd7553cfe09225c784 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Wed, 11 Jan 2023 20:33:08 +0100
Subject: [PATCH 2/3] [ticket/security/275] Add language vars and proper error codes
SECURITY-275
---
 phpBB/cron.php | 35 +++++++++++++++++++++++++++--------
 phpBB/language/en/common.php | 4 ++++
 2 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/phpBB/cron.php b/phpBB/cron.php
index 89b05c45d2..b74796fb78 100644
--- a/phpBB/cron.php
+++ b/phpBB/cron.php
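Review bot: The new try/catch around the RedirectResponse in cron.php carries no comment saying why routing exceptions are caught here instead of being left to the generic exception handler, so a later reader may see it as redundant and remove it; a one-line comment above `try` would keep the intent, e.g. `// A malformed cron request (presumably unexpected GET parameters handed to route()) makes the router throw; answer with a plain error response instead of surfacing the exception.` The cause is inferred from `$get_params_array` being passed straight into `route()`, so adjust the wording to whatever the ticket actually reproduced. The catch block and the file's remaining lines are all inside the hunk, so nothing below it is hidden.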
@@ -14,6 +14,7 @@
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Exception\ExceptionInterface;
+use Symfony\Component\Routing\Exception\RouteNotFoundException;
 /**
 */
@@ -32,20 +33,38 @@ $get_params_array = $request->get_super_global(\phpbb\request\request_interface:
 /** @var \phpbb\controller\helper $controller_helper */
 $controller_helper = $phpbb_container->get('controller.helper');
+$cron_route = 'phpbb_cron_run';
+
 try
 {
 $response = new RedirectResponse(
- $controller_helper->route('phpbb_cron_run', $get_params_array, false),
+ $controller_helper->route($cron_route, $get_params_array, false),
 Response::HTTP_MOVED_PERMANENTLY
 );
 $response->send();
 }
-catch(ExceptionInterface $exception)
+catch (RouteNotFoundException $exception)
 {
- $language = $phpbb_container->get('language');
- $response = new Response(
- $language->lang('PAGE_NOT_FOUND'),
- Response::HTTP_BAD_REQUEST
- );
- $response->send();
+ $error = 'ROUTE_NOT_FOUND';
+ $error_parameters = $cron_route;
+ $error_code = Response::HTTP_NOT_FOUND;
 }
+catch (ExceptionInterface $exception)
+{
+ $error = 'ROUTE_INVALID_MISSING_PARAMS';
+ $error_parameters = $cron_route;
+ $error_code = Response::HTTP_BAD_REQUEST;
+}
+catch (Throwable $exception)
+{
+ $error = $exception->getMessage();
+ $error_parameters = [];
+ $error_code = Response::HTTP_INTERNAL_SERVER_ERROR;
+}
+
+$language = $phpbb_container->get('language');
+$response = new Response(
+ $language->lang($error, $error_parameters),
+ $error_code
+);
+$response->send();
diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php
index 9eab230ad4..96e1076007 100644
--- a/phpBB/language/en/common.php
+++ b/phpBB/language/en/common.php
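Review bot: The error response added at the tail of the second cron.php hunk (`$language = $phpbb_container->get('language');` through the final `$response->send();`) is not conditional, so on the success path — where the redirect has already been sent and none of `$error`, `$error_parameters`, `$error_code` is assigned — it reads three undefined variables and sends a second response on top of the 301; unless something outside the hunk exits first, wrap those six lines in `if (isset($error))` / `{` … `}`. The `catch (Throwable $exception)` branch also hands `$exception->getMessage()` to `lang()` as if it were a language key; as far as I can tell from phpBB's language service an unknown key is returned verbatim, so an internal error text (paths, driver messages) would be echoed to an anonymous client with the 500 — log the exception and use a fixed language key for the body instead. Minor shape inconsistency: `$error_parameters` is a string in the first two branches and an empty array in the third.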
@@ -678,6 +678,10 @@ $lang = array_merge($lang, array(
 'RETURN_TOPIC' => '%sReturn to the topic last visited%s',
 'RETURN_TO' => 'Return to “%s”',
 'RETURN_TO_INDEX' => 'Return to Board Index',
+
+ 'ROUTE_NOT_FOUND' => 'The requested route "%1$s" could not be found.',
+ 'ROUTE_INVALID_MISSING_PARAMS' => 'Invalid or missing parameters passed for route "%1$s".',
+
 'FEED' => 'Feed',
 'FEED_NEWS' => 'News',
 'FEED_TOPICS_ACTIVE' => 'Active Topics',
From 34f23477ff1e44e5b7a31648b72c807bb47e4714 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Thu, 12 Jan 2023 20:12:33 +0100
Subject: [PATCH 3/3] [ticket/security/275] Use unicode quote types
SECURITY-275
---
 phpBB/language/en/common.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php
index 96e1076007..f112a09e8d 100644
--- a/phpBB/language/en/common.php
+++ b/phpBB/language/en/common.php
@@ -679,8 +679,8 @@ $lang = array_merge($lang, array(
 'RETURN_TO' => 'Return to “%s”',
 'RETURN_TO_INDEX' => 'Return to Board Index',
- 'ROUTE_NOT_FOUND' => 'The requested route "%1$s" could not be found.',
- 'ROUTE_INVALID_MISSING_PARAMS' => 'Invalid or missing parameters passed for route "%1$s".',
+ 'ROUTE_NOT_FOUND' => 'The requested route “%s” could not be found.',
+ 'ROUTE_INVALID_MISSING_PARAMS' => 'Invalid or missing parameters passed for route “%s”.',
 'FEED' => 'Feed',
 'FEED_NEWS' => 'News',