Merge remote-tracking branch 'remotes/nickv/ticket/8319-develop' into develop

# By Joas Schilling
# Via Joas Schilling
* remotes/nickv/ticket/8319-develop:
  [ticket/8319] Add migration file for update change
  [ticket/8319] Do not repeat the replacement
  [ticket/8319] Add explanation for RELATIVE_URL and update LOCAL_URL
  [ticket/8319] Update BBCodes that currently use the LOCAL_URL tag on update
  [ticket/8319] Add new token RELATIVE_URL to allow foreign relative URL parts
  [ticket/8319] Prepend Board URL to LOCAL_URL links to prevent abuse

phpBB/includes/acp/acp_bbcodes.php

@@ -112,8 +112,8 @@ class acp_bbcodes
 				{
 					$template->assign_block_vars('token', array(
 						'TOKEN'		=> '{' . $token . '}',
-						'EXPLAIN'	=> $token_explain)
+						'EXPLAIN'	=> ($token === 'LOCAL_URL') ? sprintf($token_explain, generate_board_url() . '/') : $token_explain,
-					);
+					));
 				}
 
 				return;
@@ -347,6 +347,9 @@ class acp_bbcodes
 			'LOCAL_URL'	 => array(
 				'!(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')!e'	=>	"\$this->bbcode_specialchars('$1')"
 			),
+			'RELATIVE_URL'	=> array(
+				'!(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')!e'	=>	"\$this->bbcode_specialchars('$1')"
+			),
 			'EMAIL' => array(
 				'!(' . get_preg_expression('email') . ')!ie'	=>	"\$this->bbcode_specialchars('$1')"
 			),
@@ -373,6 +376,7 @@ class acp_bbcodes
 		$sp_tokens = array(
 			'URL'	 => '(?i)((?:' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('url')) . ')|(?:' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('www_url')) . '))(?-i)',
 			'LOCAL_URL'	 => '(?i)(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')(?-i)',
+			'RELATIVE_URL'	 => '(?i)(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')(?-i)',
 			'EMAIL' => '(' . get_preg_expression('email') . ')',
 			'TEXT' => '(.*?)',
 			'SIMPLETEXT' => '([a-zA-Z0-9-+.,_ ]+)',
@@ -429,7 +433,11 @@ class acp_bbcodes
 				$fp_replace = str_replace($token, $replace, $fp_replace);
 
 				$sp_match = str_replace(preg_quote($token, '!'), $sp_tokens[$token_type], $sp_match);
-				$sp_replace = str_replace($token, '${' . ($n + 1) . '}', $sp_replace);
+
+				// Prepend the board url to local relative links
+				$replace_prepend = ($token_type === 'LOCAL_URL') ? generate_board_url() . '/' : '';
+
+				$sp_replace = str_replace($token, $replace_prepend . '${' . ($n + 1) . '}', $sp_replace);
 			}
 
 			$fp_match = '!' . $fp_match . '!' . $modifiers;

phpBB/includes/db/migration/data/30x/local_url_bbcode.php

@@ -0,0 +1,57 @@
+<?php
+/**
+*
+* @package migration
+* @copyright (c) 2013 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+class phpbb_db_migration_data_30x_local_url_bbcode extends phpbb_db_migration
+{
+	static public function depends_on()
+	{
+		return array('phpbb_db_migration_data_30x_3_0_12_rc1');
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('custom', array(array($this, 'update_local_url_bbcode'))),
+		);
+	}
+
+	/**
+	* Update BBCodes that currently use the LOCAL_URL tag
+	*
+	* To fix http://tracker.phpbb.com/browse/PHPBB3-8319 we changed
+	* the second_pass_replace value, so that needs updating for existing ones
+	*/
+	public function update_local_url_bbcode()
+	{
+		$sql = 'SELECT *
+			FROM ' . BBCODES_TABLE . '
+			WHERE bbcode_match ' . $this->db->sql_like_expression($this->db->any_char . 'LOCAL_URL' . $this->db->any_char);
+		$result = $this->db->sql_query($sql);
+
+		while ($row = $this->db->sql_fetchrow($result))
+		{
+			if (!class_exists('acp_bbcodes'))
+			{
+				global $phpEx;
+				phpbb_require_updated('includes/acp/acp_bbcodes.' . $phpEx);
+			}
+			$bbcode_match = $row['bbcode_match'];
+			$bbcode_tpl = $row['bbcode_tpl'];
+
+			$acp_bbcodes = new acp_bbcodes();
+			$sql_ary = $acp_bbcodes->build_regexp($bbcode_match, $bbcode_tpl);
+
+			$sql = 'UPDATE ' . BBCODES_TABLE . '
+				SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '
+				WHERE bbcode_id = ' . (int) $row['bbcode_id'];
+			$this->sql_query($sql);
+		}
+		$this->db->sql_freeresult($result);
+	}
+}

phpBB/language/en/acp/posting.php

@@ -83,7 +83,8 @@ $lang = array_merge($lang, array(
 		'NUMBER'		=> 'Any series of digits',
 		'EMAIL'			=> 'A valid email address',
 		'URL'			=> 'A valid URL using any protocol (http, ftp, etc… cannot be used for javascript exploits). If none is given, “http://” is prefixed to the string.',
-		'LOCAL_URL'		=> 'A local URL. The URL must be relative to the topic page and cannot contain a server name or protocol.',
+		'LOCAL_URL'		=> 'A local URL. The URL must be relative to the topic page and cannot contain a server name or protocol, as links are prefixed with “%s”',
+		'RELATIVE_URL'	=> 'A relative URL. You can use this to match parts of a URL, but be careful: a full URL is a valid relative URL. When you want to use relative URLs of your board, use the LOCAL_URL token.',
 		'COLOR'			=> 'A HTML colour, can be either in the numeric form <samp>#FF1234</samp> or a <a href="http://www.w3.org/TR/CSS21/syndata.html#value-def-color">CSS colour keyword</a> such as <samp>fuchsia</samp> or <samp>InactiveBorder</samp>'
 	)
 ));