2.0.18 changes

git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@5283 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-08 04:18:52 +00:00 · 2005-10-30 15:17:14 +00:00 · 2005-10-30 15:17:14 +00:00 · 9b9618f2dd
commit 9b9618f2dd
parent 37f67fdea9
30 changed files with 503 additions and 178 deletions
--- a/phpBB/admin/admin_board.php
+++ b/phpBB/admin/admin_board.php
@ -100,6 +100,9 @@ $activation_admin = ( $new['require_activation'] == USER_ACTIVATION_ADMIN ) ? "c
 $confirm_yes = ($new['enable_confirm']) ? 'checked="checked"' : '';
 $confirm_no = (!$new['enable_confirm']) ? 'checked="checked"' : '';

+$allow_autologin_yes = ($new['allow_autologin']) ? 'checked="checked"' : '';
+$allow_autologin_no = (!$new['allow_autologin']) ? 'checked="checked"' : '';
+
 $board_email_form_yes = ( $new['board_email_form'] ) ? "checked=\"checked\"" : "";
 $board_email_form_no = ( !$new['board_email_form'] ) ? "checked=\"checked\"" : "";

@ -165,6 +168,10 @@ $template->assign_vars(array(
 	"L_ADMIN" => $lang['Acc_Admin'], 
 	"L_VISUAL_CONFIRM" => $lang['Visual_confirm'], 
 	"L_VISUAL_CONFIRM_EXPLAIN" => $lang['Visual_confirm_explain'], 
+	"L_ALLOW_AUTOLOGIN" => $lang['Allow_autologin'],
+	"L_ALLOW_AUTOLOGIN_EXPLAIN" => $lang['Allow_autologin_explain'],
+	"L_AUTOLOGIN_TIME" => $lang['Autologin_time'],
+	"L_AUTOLOGIN_TIME_EXPLAIN" => $lang['Autologin_time_explain'],
 	"L_COOKIE_SETTINGS" => $lang['Cookie_settings'], 
 	"L_COOKIE_SETTINGS_EXPLAIN" => $lang['Cookie_settings_explain'], 
 	"L_COOKIE_DOMAIN" => $lang['Cookie_domain'],
@ -254,6 +261,9 @@ $template->assign_vars(array(
 	"ACTIVATION_ADMIN_CHECKED" => $activation_admin, 
 	"CONFIRM_ENABLE" => $confirm_yes,
 	"CONFIRM_DISABLE" => $confirm_no,
+	'ALLOW_AUTOLOGIN_YES' => $allow_autologin_yes,
+	'ALLOW_AUTOLOGIN_NO' => $allow_autologin_no,
+	'AUTOLOGIN_TIME' => (int) $new['max_autologin_time'],
 	"BOARD_EMAIL_FORM_ENABLE" => $board_email_form_yes, 
 	"BOARD_EMAIL_FORM_DISABLE" => $board_email_form_no, 
 	"MAX_POLL_OPTIONS" => $new['max_poll_options'], 
--- a/phpBB/admin/admin_smilies.php
+++ b/phpBB/admin/admin_smilies.php
@ -404,6 +404,7 @@ else if ( $mode != "" )
 			//
 			$smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ? trim($HTTP_POST_VARS['smile_code']) : trim($HTTP_GET_VARS['smile_code']);
 			$smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ? trim($HTTP_POST_VARS['smile_url']) : trim($HTTP_GET_VARS['smile_url']);
+			$smile_url = phpbb_ltrim(basename($smile_url), "'");
 			$smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ? trim($HTTP_POST_VARS['smile_emotion']) : trim($HTTP_GET_VARS['smile_emotion']);
 			$smile_id = ( isset($HTTP_POST_VARS['smile_id']) ) ? intval($HTTP_POST_VARS['smile_id']) : intval($HTTP_GET_VARS['smile_id']);

@ -446,6 +447,7 @@ else if ( $mode != "" )
 			//
 			$smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ? $HTTP_POST_VARS['smile_code'] : $HTTP_GET_VARS['smile_code'];
 			$smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ? $HTTP_POST_VARS['smile_url'] : $HTTP_GET_VARS['smile_url'];
+			$smile_url = phpbb_ltrim(basename($smile_url), "'");
 			$smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ? $HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];
 			$smile_code = trim($smile_code);
 			$smile_url = trim($smile_url);
--- a/phpBB/admin/admin_user_ban.php
+++ b/phpBB/admin/admin_user_ban.php
@ -155,7 +155,7 @@ if ( isset($HTTP_POST_VARS['submit']) )
 			// contained in the annotated php manual at php.com (ereg
 			// section)
 			//
-			if (preg_match('#^(([a-z0-9&.-_+])|(\*))+@[a-z0-9\-]+\.([a-z0-9\-]+\.)*?[a-z]+$#is', trim($email_list_temp[$i])))
+			if (preg_match('/^(([a-z0-9&\'\.\-_\+])|(\*))+@(([a-z0-9\-])|(\*))+\.([a-z0-9\-]+\.)*?[a-z]+$/is', trim($email_list_temp[$i])))
 			{
 				$email_list[] = trim($email_list_temp[$i]);
 			}
--- a/phpBB/admin/admin_users.php
+++ b/phpBB/admin/admin_users.php
@ -254,6 +254,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])
 		$user_dateformat = ( $HTTP_POST_VARS['dateformat'] ) ? trim( $HTTP_POST_VARS['dateformat'] ) : $board_config['default_dateformat'];

 		$user_avatar_local = ( isset( $HTTP_POST_VARS['avatarselect'] ) && !empty($HTTP_POST_VARS['submitavatar'] ) && $board_config['allow_avatar_local'] ) ? $HTTP_POST_VARS['avatarselect'] : ( ( isset( $HTTP_POST_VARS['avatarlocal'] )  ) ? $HTTP_POST_VARS['avatarlocal'] : '' );
+		$user_avatar_category = ( isset($HTTP_POST_VARS['avatarcatname']) && $board_config['allow_avatar_local'] ) ? htmlspecialchars($HTTP_POST_VARS['avatarcatname']) : '' ;

 		$user_avatar_remoteurl = ( !empty($HTTP_POST_VARS['avatarremoteurl']) ) ? trim( $HTTP_POST_VARS['avatarremoteurl'] ) : '';
 		$user_avatar_url = ( !empty($HTTP_POST_VARS['avatarurl']) ) ? trim( $HTTP_POST_VARS['avatarurl'] ) : '';
@ -293,7 +294,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])

 			if ( !isset($HTTP_POST_VARS['cancelavatar'])) 
 			{
-				$user_avatar = $user_avatar_local;
+				$user_avatar = $user_avatar_category . '/' . $user_avatar_local;
 				$user_avatar_type = USER_AVATAR_GALLERY;
 			}
 		}
@ -645,7 +646,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])
 		}
 		else if( $user_avatar_local != "" && $avatar_sql == "" && !$error )
 		{
-			$avatar_sql = ", user_avatar = '" . str_replace("\'", "''", $user_avatar_local) . "', user_avatar_type = " . USER_AVATAR_GALLERY;
+			$avatar_sql = ", user_avatar = '" . str_replace("\'", "''", phpbb_ltrim(basename($user_avatar_category), "'") . '/' . phpbb_ltrim(basename($user_avatar_local), "'")) . "', user_avatar_type = " . USER_AVATAR_GALLERY;
 		}
 	
 		//
@ -822,7 +823,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])
 					{
 						if( preg_match("/(\.gif$|\.png$|\.jpg)$/is", $sub_file) )
 						{
-							$avatar_images[$file][$avatar_row_count][$avatar_col_count] = $file . "/" . $sub_file;
+							$avatar_images[$file][$avatar_row_count][$avatar_col_count] = $sub_file;

 							$avatar_col_count++;
 							if( $avatar_col_count == 5 )
@ -867,7 +868,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])
 				for($j = 0; $j < count($avatar_images[$category][$i]); $j++)
 				{
 					$template->assign_block_vars("avatar_row.avatar_column", array(
-						"AVATAR_IMAGE" => "../" . $board_config['avatar_gallery_path'] . "/" . $avatar_images[$category][$i][$j])
+						"AVATAR_IMAGE" => "../" . $board_config['avatar_gallery_path'] . '/' . $category . '/' . $avatar_images[$category][$i][$j])
 					);

 					$template->assign_block_vars("avatar_row.avatar_option_column", array(
@ -878,7 +879,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])

 			$coppa = ( ( !$HTTP_POST_VARS['coppa'] && !$HTTP_GET_VARS['coppa'] ) || $mode == "register") ? 0 : TRUE;

-			$s_hidden_fields = '<input type="hidden" name="mode" value="edit" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />';
+			$s_hidden_fields = '<input type="hidden" name="mode" value="edit" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" /><input type="hidden" name="avatarcatname" value="' . $category . '" />';
 			$s_hidden_fields .= '<input type="hidden" name="id" value="' . $user_id . '" />';

 			$s_hidden_fields .= '<input type="hidden" name="username" value="' . str_replace("\"", "&quot;", $username) . '" />';
@ -934,7 +935,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])

 		if( !empty($user_avatar_local) )
 		{
-			$s_hidden_fields .= '<input type="hidden" name="avatarlocal" value="' . $user_avatar_local . '" />';
+			$s_hidden_fields .= '<input type="hidden" name="avatarlocal" value="' . $user_avatar_local . '" /><input type="hidden" name="avatarcatname" value="' . $user_avatar_category . '" />';
 		}

 		if( $user_avatar_type )
--- a/phpBB/common.php
+++ b/phpBB/common.php
@ -28,10 +28,11 @@ if ( !defined('IN_PHPBB') )
 error_reporting  (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
 set_magic_quotes_runtime(0); // Disable magic_quotes_runtime

-// The following code (unsetting globals) was contributed by Matt Kavanagh
+// The following code (unsetting globals)
+// Thanks to Matt Kavanagh and Stefan Esser for providing feedback as well as patch files

 // PHP5 with register_long_arrays off?
-if (!isset($HTTP_POST_VARS) && isset($_POST))
+if (@phpversion() >= '5.0.0' && (!ini_get('register_long_arrays') || @ini_get('register_long_arrays') == '0' || strtolower(@ini_get('register_long_arrays')) == 'off'))
 {
 	$HTTP_POST_VARS = $_POST;
 	$HTTP_GET_VARS = $_GET;
@ -47,29 +48,19 @@ if (!isset($HTTP_POST_VARS) && isset($_POST))
 	}
 }

-if (@phpversion() < '4.0.0')
+// Protect against GLOBALS tricks
+if (isset($HTTP_POST_VARS['GLOBALS']) || isset($HTTP_POST_FILES['GLOBALS']) || isset($HTTP_GET_VARS['GLOBALS']) || isset($HTTP_COOKIE_VARS['GLOBALS']))
 {
-	// PHP3 path; in PHP3, globals are _always_ registered
-	
-	// We 'flip' the array of variables to test like this so that
-	// we can validate later with isset($test[$var]) (no in_array())
-	$test = array('HTTP_GET_VARS' => NULL, 'HTTP_POST_VARS' => NULL, 'HTTP_COOKIE_VARS' => NULL, 'HTTP_SERVER_VARS' => NULL, 'HTTP_ENV_VARS' => NULL, 'HTTP_POST_FILES' => NULL, 'phpEx' => NULL, 'phpbb_root_path' => NULL);
-
-	// Loop through each input array
-	@reset($test);
-	while (list($input,) = @each($test))
-	{
-		while (list($var,) = @each($$input))
-		{
-			// Validate the variable to be unset
-			if (!isset($test[$var]) && $var != 'test' && $var != 'input')
-			{
-				unset($$var);
-			}
-		}
-	}
+	die("Hacking attempt");
 }
-else if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
+
+// Protect against HTTP_SESSION_VARS tricks
+if (isset($HTTP_SESSION_VARS) && !is_array($HTTP_SESSION_VARS))
+{
+	die("Hacking attempt");
+}
+
+if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
 {
 	// PHP4+ path
 	$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');
@ -77,7 +68,7 @@ else if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_gl
 	// Not only will array_merge give a warning if a parameter
 	// is not an array, it will actually fail. So we check if
 	// HTTP_SESSION_VARS has been initialised.
-	if (!isset($HTTP_SESSION_VARS))
+	if (!isset($HTTP_SESSION_VARS) || !is_array($HTTP_SESSION_VARS))
 	{
 		$HTTP_SESSION_VARS = array();
 	}
--- a/phpBB/docs/AUTHORS
+++ b/phpBB/docs/AUTHORS
@ -1 +1,6 @@
 Please see: http://www.phpbb.com/about.php for a list of all the people involved in phpBB.
+Please see: http://www.phpbb.com/about.php for a list of people involved within the security audit of phpBB (since phpBB 2.0.17).
+
+[September 2005]
+Our special thanks goes to our former developer and manager psoTFX (Paul S. Owen) for being a wonderful teammate and talented programer.
+He was a driving force in the project for over 3 years and helped a lot in making phpBB what it is now.
--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@ -194,7 +194,7 @@ p,ul,td {font-size:10pt;}

 <a name="upgradeSTABLE_files"></a><h3 class="h3">7.ii. Changed files only</h3>

-<p>This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 2.0.16 you should select the phpBB-2.0.16_to_2.0.17.zip/tar.gz file.</p>
+<p>This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 2.0.17 you should select the phpBB-2.0.17_to_2.0.18.zip/tar.gz file.</p>

 <p>The directory structure has been preserved enabling you (if you wish) to simply upload the contents of the archive to the appropriate location on your server, i.e. simply overwrite the existing files with the new versions. Do not forget that if you have installed any Mods these files will overwrite the originals possibly destroying them in the process. You will need to re-add Mods to any affected file before uploading.</p>

@ -204,7 +204,7 @@ p,ul,td {font-size:10pt;}

 <p>The patch file is probably the best solution for those with many Mods or other changes who do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type <b>patch</b> application.</p>

-<p>A number of patch files are provided to allow you to upgrade from previous stable releases. Select the correct patch, e.g. if your current version is 2.0.16 you need the phpBB-2.0.16_to_2.0.17.patch. Place the correct patch in the parent directory containing the phpBB 2 core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <b>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</b> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB2, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>
+<p>A number of patch files are provided to allow you to upgrade from previous stable releases. Select the correct patch, e.g. if your current version is 2.0.17 you need the phpBB-2.0.17_to_2.0.18.patch. Place the correct patch in the parent directory containing the phpBB 2 core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <b>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</b> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB2, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>

 <p>If you do get failures you should look at using the <a href="#upgradeSTABLE_files">Changed files only</a> package to replace the files which failed to patch, please note that you will need to manually re-add any Mods to these particular files. Alternatively if you know how you can examine the .rej files to determine what failed where and make manual adjustments to the relevant source.</p>

--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@ -167,6 +167,7 @@ define('SEARCH_TABLE', $table_prefix.'search_results');
 define('SEARCH_WORD_TABLE', $table_prefix.'search_wordlist');
 define('SEARCH_MATCH_TABLE', $table_prefix.'search_wordmatch');
 define('SESSIONS_TABLE', $table_prefix.'sessions');
+define('SESSIONS_KEYS_TABLE', $table_prefix.'sessions_keys');
 define('SMILIES_TABLE', $table_prefix.'smilies');
 define('THEMES_TABLE', $table_prefix.'themes');
 define('THEMES_NAME_TABLE', $table_prefix.'themes_name');
--- a/phpBB/includes/db.php
+++ b/phpBB/includes/db.php
@ -60,7 +60,7 @@ switch($dbms)
 $db = new sql_db($dbhost, $dbuser, $dbpasswd, $dbname, false);
 if(!$db->db_connect_id)
 {
-   message_die(CRITICAL_ERROR, "Could not connect to the database");
+	message_die(CRITICAL_ERROR, "Could not connect to the database");
 }

 ?>
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@ -84,6 +84,35 @@ function phpbb_clean_username($username)
 	return $username;
 }

+/**
+* This function is a wrapper for ltrim, as charlist is only supported in php >= 4.1.0
+* Added in phpBB 2.0.18
+*/
+function phpbb_ltrim($str, $charlist = false)
+{
+	if ($charlist === false)
+	{
+		return ltrim($str);
+	}
+	
+	$php_version = explode('.', PHP_VERSION);
+
+	// php version < 4.1.0
+	if ((int) $php_version[0] < 4 || ((int) $php_version[0] == 4 && (int) $php_version[1] < 1))
+	{
+		while ($str{0} == $charlist)
+		{
+			$str = substr($str, 1);
+		}
+	}
+	else
+	{
+		$str = ltrim($str, $charlist);
+	}
+
+	return $str;
+}
+
 // added at phpBB 2.0.12 to fix a bug in PHP 4.3.10 (only supporting charlist in php >= 4.1.0)
 function phpbb_rtrim($str, $charlist = false)
 {
--- a/phpBB/includes/functions_validate.php
+++ b/phpBB/includes/functions_validate.php
@ -38,7 +38,7 @@ function validate_username($username)
 		WHERE LOWER(username) = '" . strtolower($username) . "'";
 	if ($result = $db->sql_query($sql))
 	{
-		if ($row = $db->sql_fetchrow($result))
+		while ($row = $db->sql_fetchrow($result))
 		{
 			if (($userdata['session_logged_in'] && $row['username'] != $userdata['username']) || !$userdata['session_logged_in'])
 			{
--- a/phpBB/includes/page_header.php
+++ b/phpBB/includes/page_header.php
@ -450,6 +450,14 @@ $template->assign_vars(array(
 if ( !$userdata['session_logged_in'] )
 {
 	$template->assign_block_vars('switch_user_logged_out', array());
+	//
+	// Allow autologin?
+	//
+	if (!isset($board_config['allow_autologin']) || $board_config['allow_autologin'] )
+	{
+		$template->assign_block_vars('switch_allow_autologin', array());
+		$template->assign_block_vars('switch_user_logged_out.switch_allow_autologin', array());
+	}
 }
 else
 {
--- a/phpBB/includes/sessions.php
+++ b/phpBB/includes/sessions.php
@ -57,73 +57,90 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a

 	$last_visit = 0;
 	$current_time = time();
-	$expiry_time = $current_time - $board_config['session_length'];

 	//
-	// Try and pull the last time stored in a cookie, if it exists
+	// Are auto-logins allowed?
+	// If allow_autologin is not set or is true then they are
+	// (same behaviour as old 2.0.x session code)
 	//
-	$sql = "SELECT * 
-		FROM " . USERS_TABLE . " 
-		WHERE user_id = $user_id";
-	if ( !($result = $db->sql_query($sql)) )
+	if (isset($board_config['allow_autologin']) && !$board_config['allow_autologin'])
 	{
-		message_die(CRITICAL_ERROR, 'Could not obtain lastvisit data from user table', '', __LINE__, __FILE__, $sql);
+		$enable_autologin = $sessiondata['autologinid'] = false;
 	}

-	$userdata = $db->sql_fetchrow($result);
+	// 
+	// First off attempt to join with the autologin value if we have one
+	// If not, just use the user_id value
+	//
+	$userdata = array();

-	if ( $user_id != ANONYMOUS )
+	if ($user_id != ANONYMOUS)
 	{
-		$auto_login_key = $userdata['user_password'];
-
-		if ( $auto_create )
+		if (isset($sessiondata['autologinid']) && (string) $sessiondata['autologinid'] != '' && $user_id)
 		{
-			if ( isset($sessiondata['autologinid']) && $userdata['user_active'] )
+			$sql = 'SELECT u.* 
+				FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
+				WHERE u.user_id = ' . (int) $user_id . "
+					AND u.user_active = 1
+					AND k.user_id = u.user_id
+					AND k.key_id = '" . md5($sessiondata['autologinid']) . "'";
+			if (!($result = $db->sql_query($sql)))
 			{
-				// We have to login automagically
-				if( $sessiondata['autologinid'] === $auto_login_key )
-				{
-					// autologinid matches password
-					$login = 1;
-					$enable_autologin = 1;
-				}
-				else
-				{
-					// No match; don't login, set as anonymous user
-					$login = 0; 
-					$enable_autologin = 0; 
-					$user_id = $userdata['user_id'] = ANONYMOUS;
-				
-					$sql = 'SELECT * FROM ' . USERS_TABLE . ' WHERE user_id = ' . ANONYMOUS;
-					$result = $db->sql_query($sql);
-					$userdata = $db->sql_fetchrow($result);
-					$db->sql_freeresult($result);
-				}
+				message_die(CRITICAL_ERROR, 'Error doing DB query userdata row fetch', '', __LINE__, __FILE__, $sql);
 			}
-			else
-			{
-				// Autologin is not set. Don't login, set as anonymous user
-				$login = 0;
-				$enable_autologin = 0;
-				$user_id = $userdata['user_id'] = ANONYMOUS;

-				$sql = 'SELECT * FROM ' . USERS_TABLE . ' WHERE user_id = ' . ANONYMOUS;
-				$result = $db->sql_query($sql);
-				$userdata = $db->sql_fetchrow($result);
-				$db->sql_freeresult($result);
-			}
+			$userdata = $db->sql_fetchrow($result);
+			$db->sql_freeresult($result);
+		
+			$enable_autologin = $login = 1;
 		}
-		else
+		else if (!$auto_create)
 		{
+			$sessiondata['autologinid'] = '';
+			$sessiondata['userid'] = $user_id;
+
+			$sql = 'SELECT *
+				FROM ' . USERS_TABLE . '
+				WHERE user_id = ' . (int) $user_id . '
+					AND user_active = 1';
+			if (!($result = $db->sql_query($sql)))
+			{
+				message_die(CRITICAL_ERROR, 'Error doing DB query userdata row fetch', '', __LINE__, __FILE__, $sql);
+			}
+
+			$userdata = $db->sql_fetchrow($result);
+			$db->sql_freeresult($result);
+
 			$login = 1;
 		}
 	}
-	else
+
+	//
+	// At this point either $userdata should be populated or
+	// one of the below is true
+	// * Key didn't match one in the DB
+	// * User does not exist
+	// * User is inactive
+	//
+	if (!sizeof($userdata) || !is_array($userdata) || !$userdata)
 	{
-		$login = 0;
-		$enable_autologin = 0;
+		$sessiondata['autologinid'] = '';
+		$sessiondata['userid'] = $user_id = ANONYMOUS;
+		$enable_autologin = $login = 0;
+
+		$sql = 'SELECT *
+			FROM ' . USERS_TABLE . '
+			WHERE user_id = ' . (int) $user_id;
+		if (!($result = $db->sql_query($sql)))
+		{
+			message_die(CRITICAL_ERROR, 'Error doing DB query userdata row fetch', '', __LINE__, __FILE__, $sql);
+		}
+
+		$userdata = $db->sql_fetchrow($result);
+		$db->sql_freeresult($result);
 	}

+
 	//
 	// Initial ban check against user id, IP and email address
 	//
@ -174,7 +191,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 	}

 	if ( $user_id != ANONYMOUS )
-	{// ( $userdata['user_session_time'] > $expiry_time && $auto_create ) ? $userdata['user_lastvisit'] : ( 
+	{
 		$last_visit = ( $userdata['user_session_time'] > 0 ) ? $userdata['user_session_time'] : $current_time; 

 		if (!$admin)
@ -190,7 +207,41 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a

 		$userdata['user_lastvisit'] = $last_visit;

-		$sessiondata['autologinid'] = (!$admin) ? (( $enable_autologin && $sessionmethod == SESSION_METHOD_COOKIE ) ? $auto_login_key : '') : $sessiondata['autologinid'];
+		//
+		// Regenerate the auto-login key
+		//
+		if ($enable_autologin)
+		{
+			list($sec, $usec) = explode(' ', microtime());
+			mt_srand(hexdec(substr($session_id, 0, 8)) + (float) $sec + ((float) $usec * 1000000));
+			$auto_login_key = uniqid(mt_rand(), true);
+			
+			if (isset($sessiondata['autologinid']) && (string) $sessiondata['autologinid'] != '')
+			{
+				$sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . "
+					SET last_ip = '$user_ip', key_id = '" . md5($auto_login_key) . "', last_login = $current_time
+					WHERE key_id = '" . md5($sessiondata['autologinid']) . "'";
+			}
+			else
+			{
+				$sql = 'INSERT INTO ' . SESSIONS_KEYS_TABLE . "(key_id, user_id, last_ip, last_login)
+					VALUES ('" . md5($auto_login_key) . "', $user_id, '$user_ip', $current_time)";
+			}
+
+			if ( !$db->sql_query($sql) )
+			{
+				message_die(CRITICAL_ERROR, 'Error updating session key', '', __LINE__, __FILE__, $sql);
+			}
+			
+			$sessiondata['autologinid'] = $auto_login_key;
+			unset($auto_login_key);
+		}
+		else
+		{
+			$sessiondata['autologinid'] = '';
+		}
+
+//		$sessiondata['autologinid'] = (!$admin) ? (( $enable_autologin && $sessionmethod == SESSION_METHOD_COOKIE ) ? $auto_login_key : '') : $sessiondata['autologinid'];
 		$sessiondata['userid'] = $user_id;
 	}

@ -202,6 +253,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 	$userdata['session_start'] = $current_time;
 	$userdata['session_time'] = $current_time;
 	$userdata['session_admin'] = $admin;
+	$userdata['session_key'] = $sessiondata['autologinid'];

 	setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
 	setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);
@ -313,18 +365,7 @@ function session_pagestart($user_ip, $thispage_id)
 						}
 					}

-					//
-					// Delete expired sessions
-					//
-					$expiry_time = $current_time - $board_config['session_length'];
-
-					$sql = "DELETE FROM " . SESSIONS_TABLE . " 
-						WHERE session_time < $expiry_time 
-							AND session_id <> '$session_id'";
-					if ( !$db->sql_query($sql) )
-					{
-						message_die(CRITICAL_ERROR, 'Error clearing sessions table', '', __LINE__, __FILE__, $sql);
-					}
+					session_clean($userdata['session_id']);

 					setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
 					setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);
@ -350,14 +391,14 @@ function session_pagestart($user_ip, $thispage_id)

 }

-//
-// session_end closes out a session
-// deleting the corresponding entry
-// in the sessions table
-//
+/**
+* Terminates the specified session
+* It will delete the entry in the sessions table for this session,
+* remove the corresponding auto-login key and reset the cookies
+*/
 function session_end($session_id, $user_id)
 {
-	global $db, $lang, $board_config;
+	global $db, $lang, $board_config, $userdata;
 	global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID;

 	$cookiename = $board_config['cookie_name'];
@ -367,20 +408,6 @@ function session_end($session_id, $user_id)

 	$current_time = time();

-	//
-	// Pull cookiedata or grab the URI propagated sid
-	//
-	if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) )
-	{
-		$session_id = isset( $HTTP_COOKIE_VARS[$cookiename . '_sid'] ) ? $HTTP_COOKIE_VARS[$cookiename . '_sid'] : '';
-		$sessionmethod = SESSION_METHOD_COOKIE;
-	}
-	else
-	{
-		$session_id = ( isset($HTTP_GET_VARS['sid']) ) ? $HTTP_GET_VARS['sid'] : '';
-		$sessionmethod = SESSION_METHOD_GET;
-	}
-
 	if (!preg_match('/^[A-Za-z0-9]*$/', $session_id))
 	{
 		return;
@ -389,7 +416,7 @@ function session_end($session_id, $user_id)
 	//
 	// Delete existing session
 	//
-	$sql = "DELETE FROM " . SESSIONS_TABLE . " 
+	$sql = 'DELETE FROM ' . SESSIONS_TABLE . " 
 		WHERE session_id = '$session_id' 
 			AND session_user_id = $user_id";
 	if ( !$db->sql_query($sql) )
@ -397,12 +424,78 @@ function session_end($session_id, $user_id)
 		message_die(CRITICAL_ERROR, 'Error removing user session', '', __LINE__, __FILE__, $sql);
 	}

+	//
+	// Remove this auto-login entry (if applicable)
+	//
+	if ( isset($userdata['session_key']) && $userdata['session_key'] != '' )
+	{
+		$autologin_key = md5($userdata['session_key']);
+		$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
+			WHERE user_id = ' . (int) $user_id . "
+				AND key_id = '$autologin_key'";
+		if ( !$db->sql_query($sql) )
+		{
+			message_die(CRITICAL_ERROR, 'Error removing auto-login key', '', __LINE__, __FILE__, $sql);
+		}
+	}
+
+	//
+	// We expect that message_die will be called after this function,
+	// but just in case it isn't, reset $userdata to the details for a guest
+	//
+	$sql = 'SELECT *
+		FROM ' . USERS_TABLE . '
+		WHERE user_id = ' . ANONYMOUS;
+	if ( !($result = $db->sql_query($sql)) )
+	{
+		message_die(CRITICAL_ERROR, 'Error obtaining user details', '', __LINE__, __FILE__, $sql);
+	}
+	if ( !($userdata = $db->sql_fetchrow($result)) )
+	{
+		message_die(CRITICAL_ERROR, 'Error obtaining user details', '', __LINE__, __FILE__, $sql);
+	}
+	$db->sql_freeresult($result);
+
+
 	setcookie($cookiename . '_data', '', $current_time - 31536000, $cookiepath, $cookiedomain, $cookiesecure);
 	setcookie($cookiename . '_sid', '', $current_time - 31536000, $cookiepath, $cookiedomain, $cookiesecure);

 	return true;
 }

+/**
+* Removes expired sessions and auto-login keys from the database
+*/
+function session_clean($session_id)
+{
+	global $board_config, $db;
+
+	//
+	// Delete expired sessions
+	//
+	$sql = 'DELETE FROM ' . SESSIONS_TABLE . ' 
+		WHERE session_time < ' . (time() - (int) $board_config['session_length']) . " 
+			AND session_id <> '$session_id'";
+	if ( !$db->sql_query($sql) )
+	{
+		message_die(CRITICAL_ERROR, 'Error clearing sessions table', '', __LINE__, __FILE__, $sql);
+	}
+
+	//
+	// Delete expired auto-login keys
+	// If max_autologin_time is not set then keys will never be deleted
+	// (same behaviour as old 2.0.x session code)
+	//
+	if (!empty($board_config['max_autologin_time']) && $board_config['max_autologin_time'] > 0)
+	{
+		$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
+			WHERE last_login < ' . (time() - (86400 * (int) $board_config['max_autologin_time']));
+		$db->sql_query($sql);
+	}
+
+	return true;
+}
+
 //
 // Append $SID to a url. Borrowed from phplib and modified. This is an
 // extra routine utilised by the session code above and acts as a wrapper
--- a/phpBB/includes/usercp_avatar.php
+++ b/phpBB/includes/usercp_avatar.php
@ -63,19 +63,26 @@ function user_avatar_delete($avatar_type, $avatar_file)
 	return ", user_avatar = '', user_avatar_type = " . USER_AVATAR_NONE;
 }

-function user_avatar_gallery($mode, &$error, &$error_msg, $avatar_filename)
+function user_avatar_gallery($mode, &$error, &$error_msg, $avatar_filename, $avatar_category)
 {
 	global $board_config;

-	$avatar_filename = str_replace(array('../', '..\\', './', '.\\'), '', $avatar_filename);
-	if ($avatar_filename{0} == '/' || $avatar_filename{0} == "\\")
+	$avatar_filename = phpbb_ltrim(basename($avatar_filename), "'");
+	$avatar_category = phpbb_ltrim(basename($avatar_category), "'");
+	
+	if(!preg_match('/(\.gif$|\.png$|\.jpg|\.jpeg)$/is', $avatar_filename))
 	{
 		return '';
 	}

-	if ( file_exists(@phpbb_realpath($board_config['avatar_gallery_path'] . '/' . $avatar_filename)) && ($mode == 'editprofile') )
+	if ($avatar_filename == "" || $avatar_category == "")
 	{
-		$return = ", user_avatar = '" . str_replace("\'", "''", $avatar_filename) . "', user_avatar_type = " . USER_AVATAR_GALLERY;
+		return '';
+	} 
+
+	if ( file_exists(@phpbb_realpath($board_config['avatar_gallery_path'] . '/' . $avatar_category . '/' . $avatar_filename)) && ($mode == 'editprofile') )
+	{
+		$return = ", user_avatar = '" . str_replace("\'", "''", $avatar_category . '/' . $avatar_filename) . "', user_avatar_type = " . USER_AVATAR_GALLERY;
 	}
 	else
 	{
@ -110,6 +117,9 @@ function user_avatar_upload($mode, $avatar_mode, &$current_avatar, &$current_typ

 	$ini_val = ( @phpversion() >= '4.0.0' ) ? 'ini_get' : 'get_cfg_var';

+	$width = $height = 0;
+	$type = '';
+
 	if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/', $avatar_filename, $url_ary) )
 	{
 		if ( empty($url_ary[4]) )
@ -167,7 +177,7 @@ function user_avatar_upload($mode, $avatar_mode, &$current_avatar, &$current_typ
 				message_die(GENERAL_ERROR, 'Could not write avatar file to local storage. Please contact the board administrator with this message', '', __LINE__, __FILE__);
 			}

-			list($width, $height) = @getimagesize($tmp_filename);
+			list($width, $height, $type) = @getimagesize($tmp_filename);
 		}
 		else
 		{
@ -193,7 +203,7 @@ function user_avatar_upload($mode, $avatar_mode, &$current_avatar, &$current_typ
 			return;
 		}

-		list($width, $height) = @getimagesize($avatar_filename);
+		list($width, $height, $type) = @getimagesize($avatar_filename);
 	}

 	if ( !($imgtype = check_image_type($avatar_filetype, $error, $error_msg)) )
@ -201,16 +211,51 @@ function user_avatar_upload($mode, $avatar_mode, &$current_avatar, &$current_typ
 		return;
 	}

+	switch ($type)
+	{
+		// GIF
+		case 1:
+			if ($imgtype != '.gif')
+			{
+				@unlink($tmp_filename);
+				message_die(GENERAL_ERROR, 'Unable to upload file', '', __LINE__, __FILE__);
+			}
+		break;
+
+		// JPG, JPC, JP2, JPX, JB2
+		case 2:
+		case 9:
+		case 10:
+		case 11:
+		case 12:
+			if ($imgtype != '.jpg' && $imgtype != '.jpeg')
+			{
+				@unlink($tmp_filename);
+				message_die(GENERAL_ERROR, 'Unable to upload file', '', __LINE__, __FILE__);
+			}
+		break;
+
+		// PNG
+		case 3:
+			if ($imgtype != '.png')
+			{
+				@unlink($tmp_filename);
+				message_die(GENERAL_ERROR, 'Unable to upload file', '', __LINE__, __FILE__);
+			}
+		break;
+
+		default:
+			@unlink($tmp_filename);
+			message_die(GENERAL_ERROR, 'Unable to upload file', '', __LINE__, __FILE__);
+	}
+
 	if ( $width > 0 && $height > 0 && $width <= $board_config['avatar_max_width'] && $height <= $board_config['avatar_max_height'] )
 	{
 		$new_filename = uniqid(rand()) . $imgtype;

 		if ( $mode == 'editprofile' && $current_type == USER_AVATAR_UPLOAD && $current_avatar != '' )
 		{
-			if ( file_exists(@phpbb_realpath('./' . $board_config['avatar_path'] . '/' . $current_avatar)) )
-			{
-				@unlink('./' . $board_config['avatar_path'] . '/' . $current_avatar);
-			}
+			user_avatar_delete($current_type, $current_avatar);
 		}

 		if( $avatar_mode == 'remote' )
@ -276,7 +321,7 @@ function display_avatar_gallery($mode, &$category, &$user_id, &$email, &$current
 			{
 				if( preg_match('/(\.gif$|\.png$|\.jpg|\.jpeg)$/is', $sub_file) )
 				{
-					$avatar_images[$file][$avatar_row_count][$avatar_col_count] = $file . '/' . $sub_file; 
+					$avatar_images[$file][$avatar_row_count][$avatar_col_count] = $sub_file; 
 					$avatar_name[$file][$avatar_row_count][$avatar_col_count] = ucfirst(str_replace("_", " ", preg_replace('/^(.*)\..*$/', '\1', $sub_file)));

 					$avatar_col_count++;
@ -322,7 +367,7 @@ function display_avatar_gallery($mode, &$category, &$user_id, &$email, &$current
 		for($j = 0; $j < count($avatar_images[$category][$i]); $j++)
 		{
 			$template->assign_block_vars('avatar_row.avatar_column', array(
-				"AVATAR_IMAGE" => $board_config['avatar_gallery_path'] . '/' . $avatar_images[$category][$i][$j], 
+				"AVATAR_IMAGE" => $board_config['avatar_gallery_path'] . '/' . $category . '/' . $avatar_images[$category][$i][$j], 
 				"AVATAR_NAME" => $avatar_name[$category][$i][$j])
 			);

@ -334,7 +379,7 @@ function display_avatar_gallery($mode, &$category, &$user_id, &$email, &$current

 	$params = array('coppa', 'user_id', 'username', 'email', 'current_email', 'cur_password', 'new_password', 'password_confirm', 'icq', 'aim', 'msn', 'yim', 'website', 'location', 'occupation', 'interests', 'signature', 'viewemail', 'notifypm', 'popup_pm', 'notifyreply', 'attachsig', 'allowhtml', 'allowbbcode', 'allowsmilies', 'hideonline', 'style', 'language', 'timezone', 'dateformat');

-	$s_hidden_vars = '<input type="hidden" name="sid" value="' . $session_id . '" /><input type="hidden" name="agreed" value="true" />';
+	$s_hidden_vars = '<input type="hidden" name="sid" value="' . $session_id . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="avatarcatname" value="' . $category . '" />';

 	for($i = 0; $i < count($params); $i++)
 	{
--- a/phpBB/index.php
+++ b/phpBB/index.php
@ -119,10 +119,7 @@ if( !($result = $db->sql_query($sql)) )
 }

 $category_rows = array();
-while ($row = $db->sql_fetchrow($result))
-{
-	$category_rows[] = $row;
-}
+while( $category_rows[] = $db->sql_fetchrow($result) );
 $db->sql_freeresult($result);

 if( ( $total_categories = count($category_rows) ) )
@ -186,8 +183,14 @@ if( ( $total_categories = count($category_rows) ) )
 	// Obtain a list of topic ids which contain
 	// posts made since user last visited
 	//
-	if ( $userdata['session_logged_in'] )
+	if ($userdata['session_logged_in'])
 	{
+		// 60 days limit
+		if ($userdata['user_lastvisit'] < (time() - 5184000))
+		{
+			$userdata['user_lastvisit'] = time() - 5184000;
+		}
+
 		$sql = "SELECT t.forum_id, t.topic_id, p.post_time 
 			FROM " . TOPICS_TABLE . " t, " . POSTS_TABLE . " p 
 			WHERE p.post_id = t.topic_last_post_id 
@ -296,19 +299,6 @@ if( ( $total_categories = count($category_rows) ) )
 		'U_MARK_READ' => append_sid("index.$phpEx?mark=forums"))
 	);

-	//
-	// Let's decide which categories we should display
-	//
-	$display_categories = array();
-
-	for ($i = 0; $i < $total_forums; $i++ )
-	{
-		if ($is_auth_ary[$forum_data[$i]['forum_id']]['auth_view'])
-		{
-			$display_categories[$forum_data[$i]['cat_id']] = true;
-		}
-	}
-
 	//
 	// Okay, let's build the index
 	//
@ -316,11 +306,23 @@ if( ( $total_categories = count($category_rows) ) )
 	{
 		$cat_id = $category_rows[$i]['cat_id'];

+		//
+		// Should we display this category/forum set?
+		//
+		$display_forums = false;
+		for($j = 0; $j < $total_forums; $j++)
+		{
+			if ( $is_auth_ary[$forum_data[$j]['forum_id']]['auth_view'] && $forum_data[$j]['cat_id'] == $cat_id )
+			{
+				$display_forums = true;
+			}
+		}
+
 		//
 		// Yes, we should, so first dump out the category
 		// title, then, if appropriate the forum list
 		//
-		if (isset($display_categories[$cat_id]) && $display_categories[$cat_id])
+		if ( $display_forums )
 		{
 			$template->assign_block_vars('catrow', array(
 				'CAT_ID' => $cat_id,
--- a/phpBB/install/schemas/ms_access_primer.zip
+++ b/phpBB/install/schemas/ms_access_primer.zip
--- a/phpBB/install/schemas/mssql_basic.sql
+++ b/phpBB/install/schemas/mssql_basic.sql
@ -42,6 +42,8 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_savebox_privms
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('board_email_sig','Thanks, The Management');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('board_email','youraddress@yourdomain.com');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_confirm', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_autologin','1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_autologin_time','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_delivery','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_host','');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_username','');
@ -69,7 +71,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.yourdomain.tld');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.17');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.18');

 /*
  -- Categories
--- a/phpBB/install/schemas/mssql_schema.sql
+++ b/phpBB/install/schemas/mssql_schema.sql
@ -195,6 +195,14 @@ CREATE TABLE [phpbb_sessions] (
 ) ON [PRIMARY]
 GO

+CREATE TABLE [phpbb_sessions_keys] (
+  [key_id] [char] (32) NOT NULL ,
+  [user_id] [int] NOT NULL ,
+  [last_ip] [char] (8) NOT NULL ,
+  [last_login] [int] NOT NULL
+) ON [PRIMARY]
+GO
+
 CREATE TABLE [phpbb_smilies] (
 	[smilies_id] [int] IDENTITY (1, 1) NOT NULL ,
 	[code] [varchar] (10) NOT NULL ,
@ -616,6 +624,7 @@ ALTER TABLE [phpbb_users] WITH NOCHECK ADD
 	CONSTRAINT [DF_phpbb_users_user_allow_viewonline] DEFAULT (1) FOR [user_allow_viewonline],
 	CONSTRAINT [DF_phpbb_users_user_notify_pm] DEFAULT (0) FOR [user_notify_pm],
 	CONSTRAINT [DF_phpbb_users_user_popup_pm] DEFAULT (1) FOR [user_popup_pm],
+	CONSTRAINT [DF_phpbb_users_user_dateformat] DEFAULT('d M Y H:i') FOR [user_dateformat],
 	CONSTRAINT [DF_phpbb_users_user_avatar_type] DEFAULT (0) FOR [user_avatar_type]
 GO

@ -667,6 +676,12 @@ GO
 CREATE  INDEX [IX_phpbb_sessions] ON [phpbb_sessions]([session_id], [session_user_id], [session_ip], [session_logged_in]) ON [PRIMARY]
 GO

+ CREATE  INDEX [IX_phpbb_sessions_keys] ON [phpbb_sessions_keys]([key_id], [user_id]) ON [PRIMARY]
+GO
+
+ CREATE  INDEX [IX_phpbb_sessions_keys] ON [phpbb_sessions_keys]([last_login]) ON [PRIMARY]
+GO
+
 CREATE  INDEX [IX_phpbb_topics] ON [phpbb_topics]([forum_id], [topic_type], [topic_first_post_id], [topic_last_post_id]) ON [PRIMARY]
 GO

--- a/phpBB/install/schemas/mysql_basic.sql
+++ b/phpBB/install/schemas/mysql_basic.sql
@ -24,6 +24,8 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_local
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_remote','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_upload','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_confirm', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_autologin','1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_autologin_time','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('override_user_style','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('posts_per_page','15');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page','50');
@ -62,7 +64,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.myserver.tld');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.17');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.18');


 # -- Categories
--- a/phpBB/install/schemas/mysql_schema.sql
+++ b/phpBB/install/schemas/mysql_schema.sql
@ -311,6 +311,19 @@ CREATE TABLE phpbb_sessions (
   KEY session_id_ip_user_id (session_id, session_ip, session_user_id)
 );

+# --------------------------------------------------------
+#
+# Table structure for table `phpbb_sessions_keys`
+#
+CREATE TABLE phpbb_sessions_keys (
+  key_id varchar(32) DEFAULT '0' NOT NULL,
+  user_id mediumint(8) DEFAULT '0' NOT NULL,
+  last_ip varchar(8) DEFAULT '0' NOT NULL,
+  last_login int(11) DEFAULT '0' NOT NULL,
+  PRIMARY KEY (key_id, user_id),
+  KEY last_login (last_login)
+);
+

 # --------------------------------------------------------
 #
--- a/phpBB/install/schemas/postgres_basic.sql
+++ b/phpBB/install/schemas/postgres_basic.sql
@ -25,6 +25,8 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_local
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_remote','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_upload','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_confirm', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_autologin','1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_autologin_time','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('override_user_style','0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('posts_per_page','15');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page','50');
@ -63,7 +65,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.yourdomain.tld');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.17');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.18');

 -- Categories
 INSERT INTO phpbb_categories (cat_id, cat_title, cat_order) VALUES (1, 'Test category 1', 10);
--- a/phpBB/install/schemas/postgres_schema.sql
+++ b/phpBB/install/schemas/postgres_schema.sql
@ -295,6 +295,17 @@ CREATE TABLE phpbb_sessions (
 CREATE INDEX session_user_id_phpbb_sessions_index ON phpbb_sessions (session_user_id);
 CREATE INDEX session_id_ip_user_id_phpbb_sessions_index ON phpbb_sessions (session_id, session_ip, session_user_id);

+/* --------------------------------------------------------
+  Table structure for table phpbb_sessions_keys
+-------------------------------------------------------- */
+CREATE TABLE phpbb_sessions_keys (
+  key_id char(32) DEFAULT '0' NOT NULL,
+  user_id int4 DEFAULT '0' NOT NULL,
+  last_ip char(8) DEFAULT '0' NOT NULL,
+  last_login int4 DEFAULT '0' NOT NULL,
+  CONSTRAINT phpbb_sessions_keys_pkey PRIMARY KEY (key_id, user_id)
+);
+CREATE INDEX last_login_phpbb_sessions_keys_index ON phpbb_sessions_keys (last_login);

 /* --------------------------------------------------------
  Table structure for table phpbb_smilies
@ -489,10 +500,10 @@ CREATE TABLE phpbb_users (
   user_rank int4 DEFAULT '0',
   user_avatar varchar(100),
   user_avatar_type int2 DEFAULT '0' NOT NULL,
-   user_level int4 DEFAULT '1',
+   user_level int4 DEFAULT '0',
   user_lang varchar(255),
   user_timezone decimal(5) DEFAULT '0' NOT NULL,
-   user_dateformat varchar(14) DEFAULT 'd M Y H:m' NOT NULL,
+   user_dateformat varchar(14) DEFAULT 'd M Y H:i' NOT NULL,
   user_notify_pm int2 DEFAULT '0' NOT NULL,
   user_popup_pm int2 DEFAULT '0' NOT NULL,
   user_notify int2,
--- a/phpBB/install/update_to_latest.php
+++ b/phpBB/install/update_to_latest.php
@ -59,7 +59,7 @@ include($phpbb_root_path . 'includes/db.'.$phpEx);
 //
 //
 //
-$updates_to_version = '.0.17';
+$updates_to_version = '.0.18';
 //
 //
 //
@ -465,7 +465,7 @@ switch ($row['config_value'])
 					AS SELECT group_id, group_name, group_type, group_description, group_moderator, group_single_user 
 						FROM " . GROUPS_TABLE;
 				$sql[] = "DROP TABLE " . GROUPS_TABLE;
-				$sql[] = "CREATE TABLE phpbb_groups (group_id int DEFAULT nextval('" . GROUPS_TABLE . "_id_seq'::text) NOT NULL, group_name varchar(40) NOT NULL, group_type int2 DEFAULT '1' NOT NULL, group_description varchar(255) NOT NULL, group_moderator int4 DEFAULT '0' NOT NULL, group_single_user int2 DEFAULT '0' NOT NULL, CONSTRAINT phpbb_groups_pkey PRIMARY KEY (group_id))";
+				$sql[] = "CREATE TABLE {$table_prefix}groups (group_id int DEFAULT nextval('" . GROUPS_TABLE . "_id_seq'::text) NOT NULL, group_name varchar(40) NOT NULL, group_type int2 DEFAULT '1' NOT NULL, group_description varchar(255) NOT NULL, group_moderator int4 DEFAULT '0' NOT NULL, group_single_user int2 DEFAULT '0' NOT NULL, CONSTRAINT {$table_prefix}groups_pkey PRIMARY KEY (group_id))";
 				$sql[] = "INSERT INTO " . GROUPS_TABLE . " (group_id, group_name, group_type, group_description, group_moderator, group_single_user) 
 					SELECT group_id, group_name, group_type, group_description, group_moderator, group_single_user 
 						FROM tmp_" . GROUPS_TABLE;
@ -511,7 +511,7 @@ switch ($row['config_value'])
 				break;

 			case 'postgresql':
-				$sql[] = 'CREATE TABLE ' . $table_prefix . 'confirm (confirm_id char(32) DEFAULT \'\' NOT NULL,  session_id char(32) DEFAULT \'\' NOT NULL, code char(6) DEFAULT \'\' NOT NULL, CONSTRAINT phpbb_confirm_pkey PRIMARY KEY (session_id, confirm_id))';
+				$sql[] = 'CREATE TABLE ' . $table_prefix . 'confirm (confirm_id char(32) DEFAULT \'\' NOT NULL,  session_id char(32) DEFAULT \'\' NOT NULL, code char(6) DEFAULT \'\' NOT NULL, CONSTRAINT {$table_prefix}confirm_pkey PRIMARY KEY (session_id, confirm_id))';
 				break;
 		}

@ -554,6 +554,36 @@ switch ($row['config_value'])
 				break;
 		}

+	case '.0.15':
+	case '.0.16':
+	case '.0.17':
+		// Add tables for session keys
+		switch (SQL_LAYER)
+		{
+			case 'mysql':
+			case 'mysql4':
+				$sql[] = 'CREATE TABLE ' . $table_prefix . 'sessions_keys (key_id varchar(32) DEFAULT \'0\' NOT NULL, user_id mediumint(8) DEFAULT \'0\' NOT NULL, last_ip varchar(8) DEFAULT \'0\' NOT NULL, last_login int(11) DEFAULT \'0\' NOT NULL, PRIMARY KEY (key_id, user_id), KEY last_login (last_login))';
+				break;
+
+			case 'mssql':
+			case 'mssql-odbc':
+				$sql[] = 'CREATE TABLE [' . $table_prefix . 'sessions_keys] ([key_id] [char] (32) NOT NULL , [user_id] [int] NOT NULL , [last_ip] [char] (8) NOT NULL , [last_login] [int] NOT NULL) ON [PRIMARY]';
+
+				$sql[] = 'CREATE INDEX [IX_' . $table_prefix . 'sessions_keys] ON [' . $table_prefix . 'sessions_keys]([key_id], [user_id]) ON [PRIMARY]';
+				$sql[] = 'CREATE  INDEX [IX_' . $table_prefix . 'sessions_keys] ON [' . $table_prefix . 'sessions_keys]([last_login]) ON [PRIMARY]';
+				break;
+
+			case 'msaccess':
+				$sql[] = 'CREATE TABLE ' . $table_prefix . 'sessions_keys (key_id char(32) NOT NULL, user_id int NOT NULL, last_ip char(8) NOT NULL, last_login int NOT NULL)';
+				$sql[] = 'ALTER TABLE ' . $table_prefix . 'sessions_keys ADD PRIMARY KEY (key_id, user_id)';
+				break;
+
+			case 'postgresql':
+				$sql[] = 'CREATE TABLE ' . $table_prefix . 'sessions_keys (key_id char(32) DEFAULT \'0\' NOT NULL, user_id int4 DEFAULT \'0\' NOT NULL, last_ip char(8) DEFAULT \'0\' NOT NULL, last_login int4 DEFAULT \'0\' NOT NULL, CONSTRAINT ' . $table_prefix . 'sessions_keys_pkey PRIMARY KEY (key_id, user_id))';
+				$sql[] = 'CREATE INDEX last_login_' . $table_prefix . 'sessions_keys_index ON ' . $table_prefix . 'sessions_keys (last_login)';
+				break;
+		}
+
 		break;
 }

@ -954,10 +984,24 @@ switch ($row['config_value'])
 		$sql = 'UPDATE ' . USERS_TABLE . ' SET user_allowhtml = 1 WHERE user_id = ' . ANONYMOUS;
 		_sql($sql, $errored, $error_ary);

+	case '.0.15':
+	case '.0.16':
+	case '.0.17':
+
+		$sql = 'UPDATE ' . USERS_TABLE . ' SET user_active = 0 WHERE user_id = ' . ANONYMOUS;
+		_sql($sql, $errored, $error_ary);
+
+		$sql = 'INSERT INTO ' . CONFIG_TABLE . " (config_name, config_value)
+			VALUES ('allow_autologin', '1')";
+		_sql($sql, $errored, $error_ary);
+
+		$sql = 'INSERT INTO ' . CONFIG_TABLE . " (config_name, config_value)
+			VALUES ('max_autologin_time', '0')";
+		_sql($sql, $errored, $error_ary);
+		
 		// We reset those having autologin enabled and forcing the re-assignment of a session id
 		$sql = 'DELETE FROM ' . SESSIONS_TABLE;
 		_sql($sql, $errored, $error_ary);
-
 		break;

 	default:
--- a/phpBB/language/lang_english/lang_admin.php
+++ b/phpBB/language/lang_english/lang_admin.php
@ -335,6 +335,12 @@ $lang['Session_length'] = 'Session length [ seconds ]';
 $lang['Visual_confirm'] = 'Enable Visual Confirmation';
 $lang['Visual_confirm_explain'] = 'Requires users enter a code defined by an image when registering.';

+// Autologin Keys - added 2.0.18
+$lang['Allow_autologin'] = 'Allow automatic logins';
+$lang['Allow_autologin_explain'] = 'Determines whether users are allowed to select to be automatically logged in when visiting the forum';
+$lang['Autologin_time'] = 'Automatic login key expiry';
+$lang['Autologin_time_explain'] = 'How long a autologin key is valid for in days if the user does not visit the board. Set to zero to disable expiry.';
+
 //
 // Forum Management
 //
--- a/phpBB/login.php
+++ b/phpBB/login.php
@ -131,6 +131,12 @@ if( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($
 	}
 	else if( ( isset($HTTP_GET_VARS['logout']) || isset($HTTP_POST_VARS['logout']) ) && $userdata['session_logged_in'] )
 	{
+		// session id check
+		if ($sid == '' || $sid != $userdata['session_id'])
+		{
+			message_die(GENERAL_ERROR, 'Invalid_session');
+		}
+
 		if( $userdata['session_logged_in'] )
 		{
 			session_end($userdata['session_id'], $userdata['user_id']);
@ -168,6 +174,8 @@ else
 			'body' => 'login_body.tpl')
 		);

+		$forward_page = '';
+
 		if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) )
 		{
 			$forward_to = $HTTP_SERVER_VARS['QUERY_STRING'];
@ -179,8 +187,6 @@ else

 				if(count($forward_match) > 1)
 				{
-					$forward_page = '';
-
 					for($i = 1; $i < count($forward_match); $i++)
 					{
 						if( !ereg("sid=", $forward_match[$i]) )
@ -200,10 +206,6 @@ else
 				}
 			}
 		}
-		else
-		{
-			$forward_page = '';
-		}

 		$username = ( $userdata['user_id'] != ANONYMOUS ) ? $userdata['username'] : '';

--- a/phpBB/posting.php
+++ b/phpBB/posting.php
@ -59,11 +59,13 @@ while( list($var, $param) = @each($params) )
 }

 $refresh = $preview || $poll_add || $poll_edit || $poll_delete;
+$orig_word = $replacement_word = array();

 //
 // Set topic type
 //
 $topic_type = ( !empty($HTTP_POST_VARS['topictype']) ) ? intval($HTTP_POST_VARS['topictype']) : POST_NORMAL;
+$topic_type = ( in_array($topic_type, array(POST_NORMAL, POST_STICKY, POST_ANNOUNCE)) ) ? $topic_type : POST_NORMAL;

 //
 // If the mode is set to topic review then output
@ -189,7 +191,7 @@ switch ( $mode )
 			message_die(GENERAL_MESSAGE, $lang['No_topic_id']);
 		}

-		$sql = "SELECT f.*, t.topic_status, t.topic_title  
+		$sql = "SELECT f.*, t.topic_status, t.topic_title, t.topic_type  
 			FROM " . FORUMS_TABLE . " f, " . TOPICS_TABLE . " t
 			WHERE t.topic_id = $topic_id
 				AND f.forum_id = t.forum_id";
@ -312,6 +314,10 @@ if ( $result = $db->sql_query($sql) )
 		{
 			$topic_id = $post_info['topic_id'];
 		}
+		if ( $mode == 'newtopic' )
+		{
+			$post_data['topic_type'] = POST_NORMAL;
+		}

 		$post_data['first_post'] = ( $mode == 'newtopic' ) ? true : 0;
 		$post_data['last_post'] = false;
--- a/phpBB/privmsg.php
+++ b/phpBB/privmsg.php
@ -295,7 +295,7 @@ else if ( $mode == 'read' )

 		if ( $sent_info = $db->sql_fetchrow($result) )
 		{
-			if ( $sent_info['sent_items'] >= $board_config['max_sentbox_privmsgs'] )
+			if ($board_config['max_sentbox_privmsgs'] && $sent_info['sent_items'] >= $board_config['max_sentbox_privmsgs'])
 			{
 				$sql = "SELECT privmsgs_id FROM " . PRIVMSGS_TABLE . " 
 					WHERE privmsgs_type = " . PRIVMSGS_SENT_MAIL . " 
@ -911,7 +911,7 @@ else if ( $save && $mark_list && $folder != 'savebox' && $folder != 'outbox' )

 		if ( $saved_info = $db->sql_fetchrow($result) )
 		{
-			if ( $saved_info['savebox_items'] >= $board_config['max_savebox_privmsgs'] )
+			if ($board_config['max_savebox_privmsgs'] && $saved_info['savebox_items'] >= $board_config['max_savebox_privmsgs'] )
 			{
 				$sql = "SELECT privmsgs_id FROM " . PRIVMSGS_TABLE . " 
 					WHERE ( ( privmsgs_to_userid = " . $userdata['user_id'] . " 
@ -1138,6 +1138,27 @@ else if ( $submit || $refresh || $mode != '' )
 		//
 	}

+	if ($submit && $mode == 'edit')
+	{
+		$sql = 'SELECT privmsgs_from_userid
+			FROM ' . PRIVMSGS_TABLE . '
+			WHERE privmsgs_id = ' . (int) $privmsg_id . '
+				AND privmsgs_from_userid = ' . $userdata['user_id'];
+
+		if (!($result = $db->sql_query($sql)))
+		{
+			message_die(GENERAL_ERROR, "Could not obtain message details", "", __LINE__, __FILE__, $sql);
+		}
+
+		if (!($row = $db->sql_fetchrow($result)))
+		{
+			message_die(GENERAL_MESSAGE, $lang['No_such_post']);
+		}
+		$db->sql_freeresult($result);
+
+		unset($row);
+	}
+
 	if ( $submit )
 	{
 		if ( !empty($HTTP_POST_VARS['username']) )
@ -1154,7 +1175,11 @@ else if ( $submit || $refresh || $mode != '' )
 				$error_msg = $lang['No_such_user'];
 			}

-			$to_userdata = $db->sql_fetchrow($result);
+			if (!($to_userdata = $db->sql_fetchrow($result)))
+			{
+				$error = TRUE;
+				$error_msg = $lang['No_such_user'];
+			}
 		}
 		else
 		{
@ -1222,7 +1247,7 @@ else if ( $submit || $refresh || $mode != '' )

 			if ( $inbox_info = $db->sql_fetchrow($result) )
 			{
-				if ( $inbox_info['inbox_items'] >= $board_config['max_inbox_privmsgs'] )
+				if ($board_config['max_inbox_privmsgs'] && $inbox_info['inbox_items'] >= $board_config['max_inbox_privmsgs'])
 				{
 					$sql = "SELECT privmsgs_id FROM " . PRIVMSGS_TABLE . " 
 						WHERE ( privmsgs_type = " . PRIVMSGS_NEW_MAIL . " 
@ -1424,8 +1449,7 @@ else if ( $submit || $refresh || $mode != '' )
 				$to_username = $row['username'];
 			}
 		}
-
-		if ( $mode == 'edit' )
+		else if ( $mode == 'edit' )
 		{
 			$sql = "SELECT pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text, u.username, u.user_id, u.user_sig 
 				FROM " . PRIVMSGS_TABLE . " pm, " . PRIVMSGS_TEXT_TABLE . " pmt, " . USERS_TABLE . " u
@ -1506,7 +1530,7 @@ else if ( $submit || $refresh || $mode != '' )
 		}
 		else
 		{
-			$privmsg_subject = $privmsg_message = '';
+			$privmsg_subject = $privmsg_message = $to_username = '';
 		}
 	}

@ -1799,7 +1823,6 @@ else if ( $submit || $refresh || $mode != '' )
 		'S_BBCODE_CHECKED' => ( !$bbcode_on ) ? ' checked="checked"' : '', 
 		'S_SMILIES_CHECKED' => ( !$smilies_on ) ? ' checked="checked"' : '', 
 		'S_SIGNATURE_CHECKED' => ( $attach_sig ) ? ' checked="checked"' : '', 
-		'S_NAMES_SELECT' => $user_names_select,
 		'S_HIDDEN_FORM_FIELDS' => $s_hidden_fields,
 		'S_POST_ACTION' => append_sid("privmsg.$phpEx"),
 			
--- a/phpBB/templates/subSilver/admin/board_config_body.tpl
+++ b/phpBB/templates/subSilver/admin/board_config_body.tpl
@ -39,6 +39,14 @@
 		<td class="row1">{L_VISUAL_CONFIRM}<br /><span class="gensmall">{L_VISUAL_CONFIRM_EXPLAIN}</span></td>
 		<td class="row2"><input type="radio" name="enable_confirm" value="1" {CONFIRM_ENABLE} />{L_YES}&nbsp; &nbsp;<input type="radio" name="enable_confirm" value="0" {CONFIRM_DISABLE} />{L_NO}</td>
 	</tr>
+	<tr>
+		<td class="row1">{L_ALLOW_AUTOLOGIN}<br /><span class="gensmall">{L_ALLOW_AUTOLOGIN_EXPLAIN}</span></td>
+		<td class="row2"><input type="radio" name="allow_autologin" value="1" {ALLOW_AUTOLOGIN_YES} />{L_YES}&nbsp; &nbsp;<input type="radio" name="allow_autologin" value="0" {ALLOW_AUTOLOGIN_NO} />{L_NO}</td>
+	</tr>
+	<tr>
+		<td class="row1">{L_AUTOLOGIN_TIME} <br /><span class="gensmall">{L_AUTOLOGIN_TIME_EXPLAIN}</span></td>
+		<td class="row2"><input class="post" type="text" size="3" maxlength="4" name="max_autologin_time" value="{AUTOLOGIN_TIME}" /></td>
+	</tr>
 	<tr>
 		<td class="row1">{L_BOARD_EMAIL_FORM}<br /><span class="gensmall">{L_BOARD_EMAIL_FORM_EXPLAIN}</span></td>
 		<td class="row2"><input type="radio" name="board_email_form" value="1" {BOARD_EMAIL_FORM_ENABLE} /> {L_ENABLED}&nbsp;&nbsp;<input type="radio" name="board_email_form" value="0" {BOARD_EMAIL_FORM_DISABLE} /> {L_DISABLED}</td>
--- a/phpBB/templates/subSilver/index_body.tpl
+++ b/phpBB/templates/subSilver/index_body.tpl
@ -81,8 +81,10 @@
 		<input class="post" type="text" name="username" size="10" />
 		&nbsp;&nbsp;&nbsp;{L_PASSWORD}: 
 		<input class="post" type="password" name="password" size="10" maxlength="32" />
+		<!-- BEGIN switch_allow_autologin -->
 		&nbsp;&nbsp; &nbsp;&nbsp;{L_AUTO_LOGIN} 
 		<input class="text" type="checkbox" name="autologin" />
+		<!-- END switch_allow_autologin -->
 		&nbsp;&nbsp;&nbsp; 
 		<input type="submit" class="mainoption" name="login" value="{L_LOGIN}" />
 		</span> </td>
--- a/phpBB/templates/subSilver/login_body.tpl
+++ b/phpBB/templates/subSilver/login_body.tpl
@ -28,9 +28,11 @@
 			  <input type="password" class="post" name="password" size="25" maxlength="32" />
 			</td>
 		  </tr>
+		  <!-- BEGIN switch_allow_autologin -->
 		  <tr align="center"> 
 			<td colspan="2"><span class="gen">{L_AUTO_LOGIN}: <input type="checkbox" name="autologin" /></span></td>
 		  </tr>
+		  <!-- END switch_allow_autologin -->
 		  <tr align="center"> 
 			<td colspan="2">{S_HIDDEN_FIELDS}<input type="submit" name="login" class="mainoption" value="{L_LOGIN}" /></td>
 		  </tr>