diff --git a/build/build.xml b/build/build.xml index 38c0502777..9f233f78b7 100644 --- a/build/build.xml +++ b/build/build.xml @@ -4,7 +4,7 @@ - + diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 641c6a4846..59621ce429 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -57,6 +57,7 @@
  • Changes since 3.3.0-b2
  • Changes since 3.3.0-b1
  • Changes since 3.2.x
  • +
  • Changes since 3.2.10
  • Changes since 3.2.10-RC2
  • Changes since 3.2.10-RC1
  • Changes since 3.2.9
  • @@ -581,6 +582,16 @@
  • [PHPBB3-16185] - Use Xenial build environment on travis-ci
  • +

    Changes since 3.2.10

    +

    Security Issue

    +
      +
    • [SECURITY-264] - Invalid conversion of HTML entities when stripping BBCode
    • +
    +

    Hardening

    +
      +
    • [SECURITY-265] - Reduce verbosity of jabber output in ACP
    • +
    +

    Changes since 3.2.10-RC2

    Bug

      diff --git a/phpBB/includes/functions_jabber.php b/phpBB/includes/functions_jabber.php index cf0865e608..43df61c396 100644 --- a/phpBB/includes/functions_jabber.php +++ b/phpBB/includes/functions_jabber.php @@ -207,7 +207,7 @@ class jabber */ function login() { - if (!count($this->features)) + if (empty($this->features)) { $this->add_to_log('Error: No feature information from server available.'); return false; @@ -227,7 +227,6 @@ class jabber if ($this->connected()) { $xml = trim($xml); - $this->add_to_log('SEND: '. $xml); return fwrite($this->connection, $xml); } else @@ -338,7 +337,6 @@ class jabber if ($data != '') { - $this->add_to_log('RECV: '. $data); return $this->xmlize($data); } else @@ -419,7 +417,7 @@ class jabber { // or even multiple elements of the same type? // array('message' => array(0 => ..., 1 => ...)) - if (count(reset($xml)) > 1) + if (is_array(reset($xml)) && count(reset($xml)) > 1) { foreach (reset($xml) as $value) { @@ -445,7 +443,7 @@ class jabber } $second_time = isset($this->session['id']); - $this->session['id'] = $xml['stream:stream'][0]['@']['id']; + $this->session['id'] = isset($xml['stream:stream'][0]['@']['id']) ? $xml['stream:stream'][0]['@']['id'] : ''; if ($second_time) { @@ -701,7 +699,7 @@ class jabber default: // hm...don't know this response - $this->add_to_log('Notice: Unknown server response (' . key($xml) . ')'); + $this->add_to_log('Notice: Unknown server response'); return false; break; } diff --git a/phpBB/phpbb/db/migration/data/v32x/v3211.php b/phpBB/phpbb/db/migration/data/v32x/v3211.php new file mode 100644 index 0000000000..0fad02ab28 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/v3211.php 
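Review bot: In the `@@ -419` hunk the new condition evaluates `reset($xml)` twice and the `foreach` on the next line evaluates it a third time; binding the value once is clearer and avoids the repeated internal-pointer reset: `$first = reset($xml);`, then `if (is_array($first) && count($first) > 1)` and `foreach ($first as $value)`. This is a style point only, since `reset()` on the same array returns the same element each time. The enclosing method starts and ends outside the hunk.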
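Review bot: In the `@@ -445` hunk the `''` fallback changes what `isset($this->session['id'])` two lines above means on the next stream header: previously a missing id stored null, which `isset()` treats as unset, whereas an empty string counts as set, so a server that never sends a stream id would be treated as `$second_time` on the following pass. If that distinction matters to the code below, keep the null: `$this->session['id'] = isset($xml['stream:stream'][0]['@']['id']) ? $xml['stream:stream'][0]['@']['id'] : null;`. The method continues outside the hunk, so how the id is consumed later is not visible here; this should be checked against that code.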
@@ -0,0 +1,36 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v32x; + +class v3211 extends \phpbb\db\migration\migration +{ + public function effectively_installed() + { + return phpbb_version_compare($this->config['version'], '3.2.11', '>='); + } + + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v3210', + ); + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.2.11')), + ); + } +} diff --git a/phpBB/phpbb/textformatter/s9e/utils.php b/phpBB/phpbb/textformatter/s9e/utils.php index a9a6d4b892..d81424e913 100644 --- a/phpBB/phpbb/textformatter/s9e/utils.php +++ b/phpBB/phpbb/textformatter/s9e/utils.php @@ -31,7 +31,7 @@ class utils implements \phpbb\textformatter\utils_interface // Insert a space before and then remove formatting $xml = preg_replace('#<[es]>#', ' $0', $xml); - return \s9e\TextFormatter\Utils::removeFormatting($xml); + return utf8_htmlspecialchars(\s9e\TextFormatter\Utils::removeFormatting($xml)); } /** diff --git a/tests/text_processing/strip_bbcode_test.php b/tests/text_processing/strip_bbcode_test.php index 9acedc2872..6eae1aa0dd 100644 --- a/tests/text_processing/strip_bbcode_test.php +++ b/tests/text_processing/strip_bbcode_test.php 
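Review bot: The new return line in the `utils.php` hunk changes the method's contract — `removeFormatting()` yields decoded text, which is now re-escaped with `utf8_htmlspecialchars()` — but the method's docblock sits above the hunk and presumably still describes the return as plain text; callers that escape on output would now double-encode. Document the convention next to the `@return`: `* @return string Plain text with HTML special characters escaped, matching the stored-text convention used by strip_bbcode()`. Separately, `preg_replace()` on the line above is not checked for a PCRE failure (it returns null on error), so `removeFormatting()` could receive null; that predates this change. The enclosing method begins before the hunk.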
@@ -13,27 +13,26 @@ class phpbb_text_processing_strip_bbcode_test extends phpbb_test_case { - public function test_legacy() + + public function data_strip_bbcode() { - $original = '[b:20m4ill1]bold[/b:20m4ill1]'; - $expected = ' bold '; - - $actual = $original; - strip_bbcode($actual); - - $this->assertSame($expected, $actual, '20m4ill1'); + return [ + ['[b:20m4ill1]bold[/b:20m4ill1]', ' bold '], + ['[b]bold[/b]', ' bold '], + ['[b:20m4ill1]bo & ld[/b:20m4ill1]', ' bo & ld '], + ['[b]bo & ld[/b]', ' bo & ld '] + ]; } - public function test_s9e() + /** + * @dataProvider data_strip_bbcode + */ + public function test_strip_bbcode($input, $expected) { $phpbb_container = $this->get_test_case_helpers()->set_s9e_services(); - $original = '[b]bold[/b]'; - $expected = ' bold '; + strip_bbcode($input); - $actual = $original; - strip_bbcode($actual); - - $this->assertSame($expected, $actual); + $this->assertSame($expected, $input); } }
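Review bot: The data provider only exercises `&`, so the escaping the fix introduces for `<`, `>` and quotes is not pinned; add at least `['[b]a < b[/b]', ' a &lt; b '],` and `['[b]x > y[/b]', ' x &gt; y '],` to `data_strip_bbcode()`. Note that as rendered on this page the expected value for the ampersand cases reads `' bo & ld '`, which would be the unescaped form — presumably an artifact of the HTML rendering, but it is worth confirming the provider's strings actually contain `&amp;`. Whether the legacy-uid form (`[b:20m4ill1]…`) should produce the same escaped output depends on the legacy code path, which is not visible here.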