From 6f3f6282d192704854ae00a1aa1c0daaa68a307d Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Wed, 25 Feb 2015 16:20:50 +0100
Subject: [PATCH 1/3] [ticket/13617] Enforce column size limit for session_forum_id

PHPBB3-13617
---
 phpBB/includes/session.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 8b93ab762d..04b15b17d3 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -121,6 +121,8 @@ class session
 $script_path .= (substr($script_path, -1, 1) == '/') ? '' : '/';
 $root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/';
+ $forum_id = (isset($_REQUEST['f']) && $_REQUEST['f'] > 0 && $_REQUEST['f'] < 16777215) ? (int) $_REQUEST['f'] : 0;
+
 $page_array += array(
 'page_name' => $page_name,
 'page_dir' => $page_dir,
@@ -130,7 +132,7 @@ class session
 'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path)),
 'page' => $page,
- 'forum' => (isset($_REQUEST['f']) && $_REQUEST['f'] > 0) ? (int) $_REQUEST['f'] : 0,
+ 'forum' => $forum_id,
 );
 return $page_array;
From c5a15c0635ecd164ec27ace93309440d7f1eb87d Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Wed, 25 Feb 2015 16:58:38 +0100
Subject: [PATCH 2/3] [ticket/13617] Use request->variable instead of request_var

PHPBB3-13617
---
 phpBB/phpbb/session.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index 0bbb869593..a51baf2f29 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -130,7 +130,7 @@ class session
 $script_path .= (substr($script_path, -1, 1) == '/') ? '' : '/';
 $root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/';
- $forum_id = request_var('f', 0);
+ $forum_id = $request->variable('f', 0);
 $forum_id = ($forum_id > 0 && $forum_id < 16777215) ? $forum_id : 0;
 $page_array += array(
From 106bc1c232dd7c68b66ed99745635a8efaae8f2f Mon Sep 17 00:00:00 2001
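Review bot: The range test in the added `$forum_id` line of phpBB/includes/session.php compares the raw `$_REQUEST['f']` against the bounds and casts only afterwards, so the value that was checked is not the value that is stored, and the outcome depends on PHP's loose comparison rules for strings and arrays. Normalising the request value once and bounding the resulting integer is easier to verify: `$forum_id = (isset($_REQUEST['f']) && is_scalar($_REQUEST['f'])) ? (int) $_REQUEST['f'] : 0;` followed by `$forum_id = ($forum_id > 0 && $forum_id < 16777215) ? $forum_id : 0;`. The literal 16777215 is also left unexplained in this file; a one-line comment tying it to the session_forum_id column size named in the commit subject would help. The enclosing method starts and ends outside the hunk.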
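Review bot: `$request` is used in the new line of phpBB/phpbb/session.php, but the hunk shows neither a `global $request` declaration nor a parameter of that name, so the diff alone cannot confirm it is in scope here; the enclosing method begins outside the hunk. If it is not declared earlier in the method, the call fails on an undefined variable, whereas the removed `request_var('f', 0)` needed no local. The range check on the following line also relies on `variable()` returning an integer for the integer default `0`; a short comment such as `// default 0 => value is cast to int` would make that dependency visible.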
From: Nils Adermann
Date: Wed, 25 Feb 2015 17:00:22 +0100
Subject: [PATCH 3/3] [ticket/13617] Document magic number for forum_id

PHPBB3-13617
---
 phpBB/phpbb/session.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index a51baf2f29..bedd581725 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -131,6 +131,7 @@ class session
 $root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/';
 $forum_id = $request->variable('f', 0);
+ // maximum forum id value is maximum value of mediumint unsigned column
 $forum_id = ($forum_id > 0 && $forum_id < 16777215) ? $forum_id : 0;
 $page_array += array(
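Review bot: The added comment says the limit is the column's maximum value, but the check on the next line uses `$forum_id < 16777215`, which also rejects 16777215 itself, the largest value an unsigned mediumint can hold. If the bound is meant to be inclusive, use `$forum_id <= 16777215`; if the strict comparison is deliberate, the comment should say so. The comment could also name the column from the commit subject, e.g. `// session_forum_id is a mediumint unsigned column (max 16777215); out-of-range ids fall back to 0`. The same strict comparison appears in the phpBB/includes/session.php hunk of patch 1/3.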