- fix htmlspecialchars handling in search (search backends get specialchared input, and should return specialchared output), current backends strip entities anyway [includes Bug #8156]

- allow cancelling search index creation/removal
- custom CSS class name input too short [Bug #8328]
- give an error message if a password wasn't convertable (special characters in non-standard encoding)
- moved still_on_time to functions.php, used by acp_search and converter, might be useful for MODs (or complex cron scripts)
- do not allow empty passwords on login
- add sids to local URLs in posts (this was a really terrible bug to fix ;-)) [Bug #7892]
- ignore invalid HTTP_X_FORWARDED_FOR headers (just use REMOTE_ADDR if invalid) [Bug #8314]
- changed forum listing code on search page and acp_attachments [Bug #6658]
- search indexing uses still_on_time(), smaller batch size (1000) and meta_refresh() instead of redirect(), this should solve a few problems [Bugs #8034, #8270]
- made password requirement language strings clearer
- ALPHA is not meant to be alphanumeric [Bug #7764]
- display bug in firefox on linux making the pagination wrap on search results page (caused by  )


git-svn-id: file:///svn/phpbb/trunk@7076 89ea8834-ac86-4346-8a33-228a782c2dd0
Nils Adermann 2007-02-25 22:09:53 +00:00
parent 424a520d0e
commit b66e0fcd34
16 changed files with 281 additions and 195 deletions


@ -80,14 +80,20 @@
<h1>{L_ACP_SEARCH_INDEX}</h1> <h1>{L_ACP_SEARCH_INDEX}</h1>
<p>{L_ACP_SEARCH_INDEX_EXPLAIN}</p>
<!-- IF S_CONTINUE_INDEXING --> <!-- IF S_CONTINUE_INDEXING -->
<a href="{U_CONTINUE_INDEXING}" onclick="popup_progress_bar('{S_CONTINUE_INDEXING}');">{L_CONTINUE}</a>
<p>{L_CONTINUE_EXPLAIN}</p> <p>{L_CONTINUE_EXPLAIN}</p>
<form id="acp_search_continue" method="post" action="{U_CONTINUE_INDEXING}">
<fieldset class="submit-buttons">
<legend>{L_SUBMIT}</legend>
<input class="button1" type="submit" id="continue" name="continue" value="{L_CONTINUE}" onclick="popup_progress_bar('{S_CONTINUE_INDEXING}');" />&nbsp;
<input class="button2" type="submit" id="cancel" name="cancel" value="{L_CANCEL}" />
</fieldset>
</form>
<!-- ELSE --> <!-- ELSE -->
<p>{L_ACP_SEARCH_INDEX_EXPLAIN}</p>
<!-- BEGIN backend --> <!-- BEGIN backend -->
<!-- IF backend.S_STATS --> <!-- IF backend.S_STATS -->
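Review bot: The new cancel button on the `acp_search_continue` form submits with no confirmation step, and cancelling a half-finished index removal or creation leaves the backend's index in whatever partial state it had reached when the admin clicked. Since the continue button already hooks `popup_progress_bar`, a confirm on the cancel button is cheap, `onclick="return confirm('{L_CONFIRM_CANCEL_INDEXING}');"` with a new language string, or the PHP side can route the cancel through confirm_box. Whether the handler cleans anything up on cancel cannot be seen from this template.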


@ -367,7 +367,7 @@
<legend>{L_CUSTOM_CLASS}</legend> <legend>{L_CUSTOM_CLASS}</legend>
<dl> <dl>
<dt><label for="custom_class">{L_CSS_CLASS_NAME}:</label></dt> <dt><label for="custom_class">{L_CSS_CLASS_NAME}:</label></dt>
<dd><input id="custom_class" name="custom_class" type="text" value="" maxlength="40" size="40" /></dd> <dd><input id="custom_class" name="custom_class" type="text" value="" maxlength="200" size="40" /></dd>
</dl> </dl>
<p class="quick"> <p class="quick">
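Review bot: `maxlength="200"` on `custom_class` is only a browser-side hint, and the server-side handler for this field is not in the hunk, so make sure it enforces the same 200-character cap itself and restricts the value to characters that are valid in a CSS class name (`[A-Za-z0-9_-]`), since a value that presumably ends up inside a `class="…"` attribute or stylesheet should never be able to carry quotes or angle brackets. A short template comment above the input, `<!-- length and charset are enforced server-side; maxlength is cosmetic -->`, would stop the next person from widening it again without checking the PHP.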


@ -766,6 +766,8 @@ class acp_attachments
if ($row['left_id'] > $cat_right) if ($row['left_id'] > $cat_right)
{ {
// make sure we don't forget anything
$s_forum_id_options .= $holding;
$holding = ''; $holding = '';
} }
@ -781,6 +783,12 @@ class acp_attachments
$holding = ''; $holding = '';
} }
} }
if ($holding)
{
$s_forum_id_options .= $holding;
}
$db->sql_freeresult($result); $db->sql_freeresult($result);
unset($padding_store); unset($padding_store);
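Review bot: The new flush after the loop, `if ($holding)`, tests the accumulated string for truthiness, which treats the literal string `"0"` the same as empty; since `$holding` holds `<option>` markup that can never be exactly `"0"` this is harmless today, but `if ($holding !== '')` states the intent and survives a future change of what is accumulated. The enclosing method starts and ends outside the hunk, so where `$holding` is first initialised is not visible here.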


@ -8,6 +8,16 @@
* *
*/ */
/**
* @ignore
*/
if (!defined('IN_PHPBB'))
{
exit;
}
// make sure, a start time is saved
still_on_time();
/** /**
* @package acp * @package acp
*/ */
@ -17,7 +27,7 @@ class acp_search
var $state; var $state;
var $search; var $search;
var $max_post_id; var $max_post_id;
var $batch_size = 5000; var $batch_size = 1000;
function main($id, $mode) function main($id, $mode)
{ {
@ -143,7 +153,7 @@ class acp_search
if (!method_exists($search, 'init') || !($error = $search->init())) if (!method_exists($search, 'init') || !($error = $search->init()))
{ {
set_config('search_type', $cfg_array['search_type']); set_config('search_type', $cfg_array['search_type']);
if (!$updated) if (!$updated)
{ {
add_log('admin', 'LOG_CONFIG_SEARCH'); add_log('admin', 'LOG_CONFIG_SEARCH');
@ -210,6 +220,13 @@ class acp_search
} }
$this->state = explode(',', $config['search_indexing_state']); $this->state = explode(',', $config['search_indexing_state']);
if (isset($_POST['cancel']))
{
$action = '';
$this->state = array();
$this->save_state();
}
if ($action) if ($action)
{ {
switch ($action) switch ($action)
@ -218,15 +235,15 @@ class acp_search
$type = request_var('type', ''); $type = request_var('type', '');
$this->display_progress_bar($type); $this->display_progress_bar($type);
break; break;
case 'delete': case 'delete':
$this->state[1] = 'delete'; $this->state[1] = 'delete';
break; break;
case 'create': case 'create':
$this->state[1] = 'create'; $this->state[1] = 'create';
break; break;
default: default:
trigger_error('NO_ACTION', E_USER_ERROR); trigger_error('NO_ACTION', E_USER_ERROR);
break; break;
@ -243,10 +260,8 @@ class acp_search
{ {
trigger_error($error . adm_back_link($this->u_action), E_USER_WARNING); trigger_error($error . adm_back_link($this->u_action), E_USER_WARNING);
} }
$action = &$this->state[1];
@set_time_limit(0); $action = &$this->state[1];
$this->max_post_id = $this->get_max_post_id(); $this->max_post_id = $this->get_max_post_id();
@ -254,116 +269,126 @@ class acp_search
$this->state[2] = &$post_counter; $this->state[2] = &$post_counter;
$this->save_state(); $this->save_state();
if ($action == 'delete') switch ($action)
{ {
if (method_exists($this->search, 'delete_index')) case 'delete':
{ if (method_exists($this->search, 'delete_index'))
// pass a reference to myself so the $search object can make use of save_state() and attributes
if ($error = $this->search->delete_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=delete", false)))
{ {
$this->state = array(''); // pass a reference to myself so the $search object can make use of save_state() and attributes
$this->save_state(); if ($error = $this->search->delete_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=delete", false)))
trigger_error($error . adm_back_link($this->u_action) . $this->close_popup_js(), E_USER_WARNING);
}
}
else
{
$sql = 'SELECT post_id, poster_id, forum_id
FROM ' . POSTS_TABLE . '
WHERE post_id >= ' . (int) ($post_counter + 1) . '
AND post_id < ' . (int) ($post_counter + $this->batch_size);
$result = $db->sql_query($sql);
$ids = $posters = array();
while ($row = $db->sql_fetchrow($result))
{
$ids[] = $row['post_id'];
$posters[] = $row['poster_id'];
$forum_ids[] = $row['forum_id'];
}
$db->sql_freeresult($result);
if (sizeof($ids))
{
$this->search->index_remove($ids, $posters, $forum_ids);
}
$post_counter += $this->batch_size;
// save the current state
$this->save_state();
if ($post_counter <= $this->max_post_id)
{
redirect($this->u_action . '&amp;action=delete');
}
}
$this->search->tidy();
$this->state = array('');
$this->save_state();
trigger_error($user->lang['SEARCH_INDEX_REMOVED'] . adm_back_link($this->u_action) . $this->close_popup_js());
}
else
{
if (method_exists($this->search, 'create_index'))
{
// pass a reference to myself so the $search object can make use of save_state() and attributes
if ($error = $this->search->create_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=create", false)))
{
$this->state = array('');
$this->save_state();
trigger_error($error . adm_back_link($this->u_action) . $this->close_popup_js(), E_USER_WARNING);
}
}
else
{
$sql = 'SELECT forum_id, enable_indexing
FROM ' . FORUMS_TABLE;
$result = $db->sql_query($sql, 3600);
while ($row = $db->sql_fetchrow($result))
{
$forums[$row['forum_id']] = (bool) $row['enable_indexing'];
}
$db->sql_freeresult($result);
$sql = 'SELECT post_id, post_subject, post_text, poster_id, forum_id
FROM ' . POSTS_TABLE . '
WHERE post_id >= ' . (int) ($post_counter + 1) . '
AND post_id < ' . (int) ($post_counter + $this->batch_size);
$result = $db->sql_query($sql);
while ($row = $db->sql_fetchrow($result))
{
// Indexing enabled for this forum or global announcement?
// Global announcements get indexed by default.
if (!$row['forum_id'] || (isset($forums[$row['forum_id']]) && $forums[$row['forum_id']]))
{ {
$this->search->index('post', $row['post_id'], $row['post_text'], $row['post_subject'], $row['poster_id'], $row['forum_id']); $this->state = array('');
$this->save_state();
trigger_error($error . adm_back_link($this->u_action) . $this->close_popup_js(), E_USER_WARNING);
} }
} }
$db->sql_freeresult($result); else
$post_counter += $this->batch_size;
// save the current state
$this->save_state();
if ($post_counter <= $this->max_post_id)
{ {
redirect($this->u_action . '&amp;action=create'); while (still_on_time() && $post_counter <= $this->max_post_id)
} {
} $sql = 'SELECT post_id, poster_id, forum_id
FROM ' . POSTS_TABLE . '
$this->search->tidy(); WHERE post_id >= ' . (int) ($post_counter + 1) . '
AND post_id < ' . (int) ($post_counter + $this->batch_size);
$this->state = array(''); $result = $db->sql_query($sql);
$this->save_state();
trigger_error($user->lang['SEARCH_INDEX_CREATED'] . adm_back_link($this->u_action) . $this->close_popup_js()); $ids = $posters = $forum_ids = array();
while ($row = $db->sql_fetchrow($result))
{
$ids[] = $row['post_id'];
$posters[] = $row['poster_id'];
$forum_ids[] = $row['forum_id'];
}
$db->sql_freeresult($result);
if (sizeof($ids))
{
$this->search->index_remove($ids, $posters, $forum_ids);
}
$post_counter += $this->batch_size;
// save the current state
$this->save_state();
}
if ($post_counter <= $this->max_post_id)
{
meta_refresh(1, $this->u_action . '&amp;action=delete&amp;skip_rows=' . $post_counter);
trigger_error(sprintf($user->lang['SEARCH_INDEX_DELETE_REDIRECT'], $post_counter));
}
}
$this->search->tidy();
$this->state = array('');
$this->save_state();
trigger_error($user->lang['SEARCH_INDEX_REMOVED'] . adm_back_link($this->u_action) . $this->close_popup_js());
break;
case 'create':
if (method_exists($this->search, 'create_index'))
{
// pass a reference to acp_search so the $search object can make use of save_state() and attributes
if ($error = $this->search->create_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=create", false)))
{
$this->state = array('');
$this->save_state();
trigger_error($error . adm_back_link($this->u_action) . $this->close_popup_js(), E_USER_WARNING);
}
}
else
{
$sql = 'SELECT forum_id, enable_indexing
FROM ' . FORUMS_TABLE;
$result = $db->sql_query($sql, 3600);
while ($row = $db->sql_fetchrow($result))
{
$forums[$row['forum_id']] = (bool) $row['enable_indexing'];
}
$db->sql_freeresult($result);
while (still_on_time() && $post_counter <= $this->max_post_id)
{
$sql = 'SELECT post_id, post_subject, post_text, poster_id, forum_id
FROM ' . POSTS_TABLE . '
WHERE post_id >= ' . (int) ($post_counter + 1) . '
AND post_id < ' . (int) ($post_counter + $this->batch_size);
$result = $db->sql_query($sql);
while ($row = $db->sql_fetchrow($result))
{
// Indexing enabled for this forum or global announcement?
// Global announcements get indexed by default.
if (!$row['forum_id'] || (isset($forums[$row['forum_id']]) && $forums[$row['forum_id']]))
{
$this->search->index('post', $row['post_id'], $row['post_text'], $row['post_subject'], $row['poster_id'], $row['forum_id']);
}
}
$db->sql_freeresult($result);
$post_counter += $this->batch_size;
// save the current state
$this->save_state();
}
if ($post_counter <= $this->max_post_id)
{
meta_refresh(1, $this->u_action . '&amp;action=create&amp;skip_rows=' . $post_counter);
trigger_error(sprintf($user->lang['SEARCH_INDEX_CREATE_REDIRECT'], $post_counter));
}
}
$this->search->tidy();
$this->state = array('');
$this->save_state();
trigger_error($user->lang['SEARCH_INDEX_CREATED'] . adm_back_link($this->u_action) . $this->close_popup_js());
break;
} }
} }
@ -469,14 +494,11 @@ class acp_search
function close_popup_js() function close_popup_js()
{ {
/** return "<script type=\"text/javascript\">\n" .
* @todo remove Javascript "<!--\n" .
*/ " close_waitscreen = 1;\n" .
return '<script type="text/javascript"> "//-->\n" .
<!-- "</script>\n";
close_waitscreen = 1;
//-->
</script>';
} }
function get_search_types() function get_search_types()
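Review bot: The cancel branch added at `if (isset($_POST['cancel']))` empties `$this->state` and saves it, but unlike the two completion paths below it never calls `$this->search->tidy()` and writes no admin log entry, so an aborted removal or creation leaves the backend's index half-processed with nothing in the log to say so. I would tidy and log before clearing, `$this->search->tidy(); add_log('admin', 'LOG_SEARCH_INDEX_CANCELLED'); $this->state = array(); $this->save_state();` (the log key would be new), after checking that `$this->search` is already initialised at that point in `main`, which is assigned outside the hunk. Note also that `$action = &$this->state[1];` still executes on the cancel path with `$this->state` now an empty array; whether an earlier return guards that is not visible in the hunk.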


@ -103,19 +103,44 @@ function login_db(&$username, &$password)
$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
$password_new_format = ''; $password_new_format = '';
set_var($password_new_format, $password_old_format, 'string'); set_var($password_new_format, stripslashes($password_old_format), 'string');
if ($password == $password_new_format && md5($password_old_format) == $row['user_password']) if ($password == $password_new_format)
{ {
// Update the password in the users table to the new format and remove user_pass_convert flag if (!function_exists('utf8_to_cp1252'))
$sql = 'UPDATE ' . USERS_TABLE . ' {
SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\', global $phpbb_root_path, $phpEx;
user_pass_convert = 0 include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx);
WHERE user_id = ' . $row['user_id']; }
$db->sql_query($sql);
$row['user_pass_convert'] = 0; // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
$row['user_password'] = md5($password_new_format); if (md5($password_old_format) == $row['user_password'] || utf8_to_cp1252(md5($password_old_format)) == $row['user_password'])
{
// Update the password in the users table to the new format and remove user_pass_convert flag
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\',
user_pass_convert = 0
WHERE user_id = ' . $row['user_id'];
$db->sql_query($sql);
$row['user_pass_convert'] = 0;
$row['user_password'] = md5($password_new_format);
}
else if (preg_match('/[\x80-\xFF]/', $password_old_format))
{
// Although we weren't able to convert this password we have to
// increase login attempt count to make sure this cannot be exploited
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_login_attempts = user_login_attempts + 1
WHERE user_id = ' . $row['user_id'];
$db->sql_query($sql);
return array(
'status' => LOGIN_ERROR_PASSWORD_CONVERT,
'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT',
'user_row' => $row,
);
}
} }
} }
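Review bot: `utf8_to_cp1252(md5($password_old_format))` recodes the digest, not the password: `md5()` already returns 32 ASCII hex characters, so the cp1252 conversion is a no-op and the second comparison can never succeed where the first failed, which defeats the stated purpose of accepting phpBB2 passwords containing non-ASCII characters. The conversion has to happen before hashing: `md5(utf8_to_cp1252($password_old_format)) === $row['user_password']`. While here, both hash comparisons use loose `==`; PHP compares two numeric-looking strings numerically, so a stored hash of the form `0e…` would match any digest of that form, and `===` should be used for both. The enclosing `login_db` starts outside the hunk, so how `$password_old_format` is derived from the submitted password above this point is not visible.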


@ -48,6 +48,7 @@ define('LOGIN_ERROR_PASSWORD', 11);
define('LOGIN_ERROR_ACTIVE', 12); define('LOGIN_ERROR_ACTIVE', 12);
define('LOGIN_ERROR_ATTEMPTS', 13); define('LOGIN_ERROR_ATTEMPTS', 13);
define('LOGIN_ERROR_EXTERNAL_AUTH', 14); define('LOGIN_ERROR_EXTERNAL_AUTH', 14);
define('LOGIN_ERROR_PASSWORD_CONVERT', 15);
// Group settings // Group settings
define('GROUP_OPEN', 0); define('GROUP_OPEN', 0);


@ -174,6 +174,41 @@ function unique_id($extra = 'c')
return substr($val, 4, 16); return substr($val, 4, 16);
} }
/**
* Determine whether we are approaching the maximum execution time. Should be called once
* at the beginning of the script in which it's used.
* @return bool Either true if the maximum execution time is nearly reached, or false
* if some time is still left.
*/
function still_on_time()
{
static $max_execution_time, $start_time;
$time = explode(' ', microtime());
$current_time = $time[0] + $time[1];
if (empty($max_execution_time))
{
$max_execution_time = (function_exists('ini_get')) ? (int) ini_get('max_execution_time') : (int) get_cfg_var('max_execution_time');
// If zero, then set to something higher to not let the user catch the ten seconds barrier.
if ($max_execution_time === 0)
{
$max_execution_time = 65;
}
$max_execution_time = min(max(10, ($max_execution_time - 15)), 50);
// For debugging purposes
// $max_execution_time = 10;
global $starttime;
$start_time = (empty($starttime)) ? $current_time : $starttime;
}
return (ceil($current_time - $start_time) < $max_execution_time) ? true : false;
}
/** /**
* Generate sort selection fields * Generate sort selection fields
*/ */
@ -1868,6 +1903,12 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
trigger_error('NO_AUTH_ADMIN_USER_DIFFER'); trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
} }
// do not allow empty password
if (!$password)
{
trigger_error('NO_PASSWORD_SUPPLIED');
}
// If authentication is successful we redirect user to previous page // If authentication is successful we redirect user to previous page
$result = $auth->login($username, $password, $autologin, $viewonline, $admin); $result = $auth->login($username, $password, $autologin, $viewonline, $admin);
@ -1955,6 +1996,16 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
break; break;
case LOGIN_ERROR_PASSWORD_CONVERT:
$err = sprintf(
$user->lang[$result['error_msg']],
($config['email_enable']) ? '<a href="' . append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=sendpassword') . '">' : '',
($config['email_enable']) ? '</a>' : '',
($config['board_contact']) ? '<a href="mailto:' . htmlspecialchars($config['board_contact']) . '">' : '',
($config['board_contact']) ? '</a>' : ''
);
break;
// Username, password, etc... // Username, password, etc...
default: default:
$err = $user->lang[$result['error_msg']]; $err = $user->lang[$result['error_msg']];
@ -1964,6 +2015,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
{ {
$err = (!$config['board_contact']) ? sprintf($user->lang[$result['error_msg']], '', '') : sprintf($user->lang[$result['error_msg']], '<a href="mailto:' . htmlspecialchars($config['board_contact']) . '">', '</a>'); $err = (!$config['board_contact']) ? sprintf($user->lang[$result['error_msg']], '', '') : sprintf($user->lang[$result['error_msg']], '<a href="mailto:' . htmlspecialchars($config['board_contact']) . '">', '</a>');
} }
break; break;
} }
} }
@ -2254,7 +2306,7 @@ function decode_message(&$message, $bbcode_uid = '')
$message = str_replace($match, $replace, $message); $message = str_replace($match, $replace, $message);
$match = get_preg_expression('bbcode_htm'); $match = get_preg_expression('bbcode_htm');
$replace = array('\1', '\2', '\1', '', ''); $replace = array('\1', '\1', '\2', '\1', '', '');
$message = preg_replace($match, $replace, $message); $message = preg_replace($match, $replace, $message);
} }
@ -2272,7 +2324,7 @@ function strip_bbcode(&$text, $uid = '')
$text = preg_replace("#\[\/?[a-z0-9\*\+\-]+(?:=.*?)?(?::[a-z])?(\:?$uid)\]#", ' ', $text); $text = preg_replace("#\[\/?[a-z0-9\*\+\-]+(?:=.*?)?(?::[a-z])?(\:?$uid)\]#", ' ', $text);
$match = get_preg_expression('bbcode_htm'); $match = get_preg_expression('bbcode_htm');
$replace = array('\1', '\2', '\1', '', ''); $replace = array('\1', '\1', '\2', '\1', '', '');
$text = preg_replace($match, $replace, $text); $text = preg_replace($match, $replace, $text);
} }
@ -2399,7 +2451,7 @@ function make_clickable($text, $server_url = false)
// relative urls for this board // relative urls for this board
$magic_url_match[] = '#(^|[\n\t (])(' . preg_quote($server_url, '#') . ')/(' . get_preg_expression('relative_url_inline') . ')#ie'; $magic_url_match[] = '#(^|[\n\t (])(' . preg_quote($server_url, '#') . ')/(' . get_preg_expression('relative_url_inline') . ')#ie';
$magic_url_replace[] = "'\$1<!-- l --><a href=\"\$2/' . preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}/', '\\\\1', '\$3') . '\">' . ((strlen('\$3')) ? preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}/', '\\\\1', '\$3') : '\$2/') . '</a><!-- l -->'"; $magic_url_replace[] = "'\$1<!-- l --><a href=\"' . append_sid('\$2/' . preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}$/', '', preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}&amp;/', '\\\\1', '\$3'))) . '\">' . ((strlen('\$3')) ? preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}$/', '', preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}&amp;/', '\\\\1', '\$3')) : '\$2/') . '</a><!-- l -->'";
// matches a xxxx://aaaaa.bbb.cccc. ... // matches a xxxx://aaaaa.bbb.cccc. ...
$magic_url_match[] = '#(^|[\n\t (])(' . get_preg_expression('url_inline') . ')#ie'; $magic_url_match[] = '#(^|[\n\t (])(' . get_preg_expression('url_inline') . ')#ie';
@ -3027,7 +3079,8 @@ function get_preg_expression($mode)
case 'bbcode_htm': case 'bbcode_htm':
return array( return array(
'#<!\-\- e \-\-><a href="mailto:(.*?)">.*?</a><!\-\- e \-\->#', '#<!\-\- e \-\-><a href="mailto:(.*?)">.*?</a><!\-\- e \-\->#',
'#<!\-\- ([lmw]) \-\-><a href="(.*?)">.*?</a><!\-\- \1 \-\->#', '#<!\-\- l \-\-><a href="(.*?)(?:(&amp;|\?)sid=[0-9a-f]{32})?">.*?</a><!\-\- l \-\->#',
'#<!\-\- ([mw]) \-\-><a href="(.*?)">.*?</a><!\-\- \1 \-\->#',
'#<!\-\- s(.*?) \-\-><img src="\{SMILIES_PATH\}\/.*? \/><!\-\- s\1 \-\->#', '#<!\-\- s(.*?) \-\-><img src="\{SMILIES_PATH\}\/.*? \/><!\-\- s\1 \-\->#',
'#<!\-\- .*? \-\->#s', '#<!\-\- .*? \-\->#s',
'#<.*?>#s', '#<.*?>#s',
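Review bot: The new empty-password guard in `login_box`, `if (!$password)`, tests truthiness, so the one-character password `"0"` is rejected with `NO_PASSWORD_SUPPLIED` (PHP treats the string `"0"` as false) and a user with that password can no longer log in. Compare against the empty string instead: `if ($password === '')`, assuming `$password` is the string read by `request_var` above the hunk. The language string change is harmless, but the guard sits before `$auth->login`, so empty submissions also bypass the login-attempt counter, which is worth a one-line comment, `// rejected before auth->login: does not count as a failed attempt`, so nobody later relies on it for rate limiting.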


@ -17,38 +17,6 @@ define('DEFAULT_AVATAR_Y', 80);
// Global functions - all functions can be used by convertors // Global functions - all functions can be used by convertors
/**
* Determine whether we are approaching the maximum execution time
*/
function still_on_time()
{
static $max_execution_time, $start_time;
$time = explode(' ', microtime());
$current_time = $time[0] + $time[1];
if (empty($max_execution_time))
{
$max_execution_time = (function_exists('ini_get')) ? (int) ini_get('max_execution_time') : (int) get_cfg_var('max_execution_time');
// If zero, then set to something higher to not let the user catch the ten seconds barrier.
if ($max_execution_time === 0)
{
$max_execution_time = 65;
}
$max_execution_time = min(max(10, ($max_execution_time - 15)), 50);
// For debugging purposes
// $max_execution_time = 10;
global $starttime;
$start_time = (empty($starttime)) ? $current_time : $starttime;
}
return (ceil($current_time - $start_time) < $max_execution_time) ? true : false;
}
// SIMPLE FUNCTIONS // SIMPLE FUNCTIONS
/** /**


@ -366,9 +366,9 @@ class bbcode_firstpass extends bbcode
// Additionally, magic url parsing should go after parsing bbcodes, but for safety those are stripped out too... // Additionally, magic url parsing should go after parsing bbcodes, but for safety those are stripped out too...
$htm_match = get_preg_expression('bbcode_htm'); $htm_match = get_preg_expression('bbcode_htm');
// $htm_match[3] = '/&#([0-9]+);/'; // $htm_match[3] = '/&#([0-9]+);/';
unset($htm_match[3], $htm_match[4]); unset($htm_match[4], $htm_match[5]);
$htm_replace = array('\1', '\2', '\1'); //, '&amp;#\1;'); $htm_replace = array('\1', '\1', '\2', '\1'); //, '&amp;#\1;');
$out = ''; $out = '';
@ -848,7 +848,9 @@ class bbcode_firstpass extends bbcode
// Is this a link to somewhere inside this board? If so then remove the session id from the url // Is this a link to somewhere inside this board? If so then remove the session id from the url
if (strpos($url, generate_board_url()) !== false && strpos($url, 'sid=') !== false) if (strpos($url, generate_board_url()) !== false && strpos($url, 'sid=') !== false)
{ {
$url = preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}/', '\1', $url); $url = preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}&amp;/', '\1', $url);
$url = preg_replace('/(&amp;|\?)sid=[0-9a-f]{32}$/', '', $url);
$url = append_sid($url);
} }
return ($var1) ? '[url=' . $this->bbcode_specialchars($url) . ':' . $this->bbcode_uid . ']' . $var2 . '[/url:' . $this->bbcode_uid . ']' : '[url:' . $this->bbcode_uid . ']' . $this->bbcode_specialchars($url) . '[/url:' . $this->bbcode_uid . ']'; return ($var1) ? '[url=' . $this->bbcode_specialchars($url) . ':' . $this->bbcode_uid . ']' . $var2 . '[/url:' . $this->bbcode_uid . ']' : '[url:' . $this->bbcode_uid . ']' . $this->bbcode_specialchars($url) . '[/url:' . $this->bbcode_uid . ']';
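Review bot: `$url = append_sid($url);` runs at parse time, so whatever `append_sid` returns is what is stored in the post text; if, as its name suggests, it appends the poster's current session id when one has to be carried in the URL (cookieless sessions — the helper is not visible here), that sid is persisted in the message and served to every reader, and the new `bbcode_htm` pattern that strips `sid=` on decode indicates this is expected. A stored session id is both a leak of the poster's session and useless to readers, who need their own. I would keep only the sid-stripped URL here (the two `preg_replace` calls already produce it) and append the viewer's sid at render time in the second pass instead; the same concern applies to the `append_sid` added in `make_clickable`. The enclosing bbcode method starts and ends outside the hunk.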


@ -168,14 +168,9 @@ class session
// check IPv4 first, the IPv6 is hopefully only going to be used very seldomly // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
if (!empty($ip) && !preg_match($ipv4, $ip) && !preg_match($ipv6, $ip)) if (!empty($ip) && !preg_match($ipv4, $ip) && !preg_match($ipv6, $ip))
{ {
if (!defined('DEBUG_EXTRA')) // contains invalid data, don't use the forwarded for header
{ $this->forwarded_for = '';
trigger_error('Hacking attempt!'); break;
}
else
{
trigger_error('Invalid HTTP_X_FORWARDED_FOR header detected: ' . htmlspecialchars($this->forwarded_for));
}
} }
} }
} }
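Review bot: Discarding a malformed `HTTP_X_FORWARDED_FOR` is the right call, but a well-formed one is still attacker-chosen: any client can send `X-Forwarded-For: 1.2.3.4`, the `$ipv4`/`$ipv6` checks will accept it, and so `$this->forwarded_for` must not be used for bans, session binding or anything else security-relevant unless `REMOTE_ADDR` is a known proxy. I would record that on the assignment: `// syntactically valid only: the header is client-controlled and must not be trusted as the client IP`. The `break` also ends what is presumably the loop over the comma-separated entries, which is fine since the whole header is discarded, but worth a word in the comment. The enclosing method starts outside the hunk.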


@ -203,8 +203,8 @@ $lang = array_merge($lang, array(
'PASSWORD_LENGTH_EXPLAIN' => 'Minimum and maximum number of characters in passwords.', 'PASSWORD_LENGTH_EXPLAIN' => 'Minimum and maximum number of characters in passwords.',
'REG_LIMIT' => 'Registration attempts', 'REG_LIMIT' => 'Registration attempts',
'REG_LIMIT_EXPLAIN' => 'Number of attempts users can make at the confirmation code before being locked out that session.', 'REG_LIMIT_EXPLAIN' => 'Number of attempts users can make at the confirmation code before being locked out that session.',
'USERNAME_ALPHA_ONLY' => 'Alphanumeric only', 'USERNAME_ALPHA_ONLY' => 'Letters only',
'USERNAME_ALPHA_SPACERS' => 'Alphanumeric and spacers', 'USERNAME_ALPHA_SPACERS' => 'Letters and spacers',
'USERNAME_ASCII' => 'ASCII (no international unicode)', 'USERNAME_ASCII' => 'ASCII (no international unicode)',
'USERNAME_LETTER_NUM' => 'Any letter and number', 'USERNAME_LETTER_NUM' => 'Any letter and number',
'USERNAME_LETTER_NUM_SPACERS' => 'Any letter, number, and spacer', 'USERNAME_LETTER_NUM_SPACERS' => 'Any letter, number, and spacer',


@ -37,10 +37,10 @@ $lang = array_merge($lang, array(
'COMMON_WORD_THRESHOLD' => 'Common word threshold', 'COMMON_WORD_THRESHOLD' => 'Common word threshold',
'COMMON_WORD_THRESHOLD_EXPLAIN' => 'Words which are contained in a greater percentage of all posts will be regarded as common. Common words are ignored in search queries. Set to zero to disable. Only takes effect if there are more than 100 posts.', 'COMMON_WORD_THRESHOLD_EXPLAIN' => 'Words which are contained in a greater percentage of all posts will be regarded as common. Common words are ignored in search queries. Set to zero to disable. Only takes effect if there are more than 100 posts.',
'CONFIRM_SEARCH_BACKEND' => 'Are you sure you wish to switch to a different search backend? After changing the search backend you will have to create an index for the new search backend. If you dont plan on switching back to the old search backend you can also delete the old backends index in order to free system resources.', 'CONFIRM_SEARCH_BACKEND' => 'Are you sure you wish to switch to a different search backend? After changing the search backend you will have to create an index for the new search backend. If you dont plan on switching back to the old search backend you can also delete the old backends index in order to free system resources.',
'CONTINUE_DELETING_INDEX' => 'Continue previous index deleting process', 'CONTINUE_DELETING_INDEX' => 'Continue previous index removal process',
'CONTINUE_DELETING_INDEX_EXPLAIN' => 'An index deleting process has been started. In order to access the search index page again you need to complete it first.', 'CONTINUE_DELETING_INDEX_EXPLAIN' => 'An index removal process has been started. In order to access the search index page you will have to complete it or cancel it.',
'CONTINUE_INDEXING' => 'Continue previous indexing process', 'CONTINUE_INDEXING' => 'Continue previous indexing process',
'CONTINUE_INDEXING_EXPLAIN' => 'An indexing process has been started. In order to access the search index page again you need to complete it first.', 'CONTINUE_INDEXING_EXPLAIN' => 'An indexing process has been started. In order to access the search index page you will have to complete it or cancel it.',
'CREATE_INDEX' => 'Create index', 'CREATE_INDEX' => 'Create index',
'DELETE_INDEX' => 'Delete index', 'DELETE_INDEX' => 'Delete index',
@ -76,6 +76,8 @@ $lang = array_merge($lang, array(
'SEARCH_GUEST_INTERVAL' => 'Guest search flood interval', 'SEARCH_GUEST_INTERVAL' => 'Guest search flood interval',
'SEARCH_GUEST_INTERVAL_EXPLAIN' => 'Number of seconds guests must wait between searches. If one guest searches all others have to wait until the time interval passed.', 'SEARCH_GUEST_INTERVAL_EXPLAIN' => 'Number of seconds guests must wait between searches. If one guest searches all others have to wait until the time interval passed.',
'SEARCH_INDEX_CREATE_REDIRECT' => 'All posts up to post id %d have been indexed.<br />Indexing in progress ...',
'SEARCH_INDEX_DELETE_REDIRECT' => 'All posts up to post id %d have been removed from the search index.<br /> Deleting in progress ...',
'SEARCH_INDEX_CREATED' => 'Successfully indexed all posts in the board database.', 'SEARCH_INDEX_CREATED' => 'Successfully indexed all posts in the board database.',
'SEARCH_INDEX_REMOVED' => 'Successfully deleted the search index for this backend.', 'SEARCH_INDEX_REMOVED' => 'Successfully deleted the search index for this backend.',
'SEARCH_INTERVAL' => 'User search flood interval', 'SEARCH_INTERVAL' => 'User search flood interval',


@ -276,6 +276,7 @@ $lang = array_merge($lang, array(
'LOGIN_ERROR_ATTEMPTS' => 'You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to enter the confirm code from the image you see below.', 'LOGIN_ERROR_ATTEMPTS' => 'You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to enter the confirm code from the image you see below.',
'LOGIN_ERROR_EXTERNAL_AUTH_APACHE' => 'You have not been authenticated by Apache.', 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE' => 'You have not been authenticated by Apache.',
'LOGIN_ERROR_PASSWORD' => 'You have specified an incorrect password. Please check your password and try again. If you continue to have problems please contact the %sBoard Administrator%s.', 'LOGIN_ERROR_PASSWORD' => 'You have specified an incorrect password. Please check your password and try again. If you continue to have problems please contact the %sBoard Administrator%s.',
'LOGIN_ERROR_PASSWORD_CONVERT' => 'It was not possible to convert your password when updating this bulletin boards software. Please %srequest a new password%s. If you continue to have problems please contact the %sBoard Administrator%s.',
'LOGIN_ERROR_USERNAME' => 'You have specified an incorrect username. Please check your username and try again. If you continue to have problems please contact the %sBoard Administrator%s.', 'LOGIN_ERROR_USERNAME' => 'You have specified an incorrect username. Please check your username and try again. If you continue to have problems please contact the %sBoard Administrator%s.',
'LOGIN_FORUM' => 'To view or post in this forum you must enter its password.', 'LOGIN_FORUM' => 'To view or post in this forum you must enter its password.',
'LOGIN_INFO' => 'In order to login you must be registered. Registering takes only a few seconds but gives you increased capabilities. The board administrator may also grant additional permissions to registered users. Before you login please ensure you are familiar with our terms of use and related policies. Please ensure you read any forum rules as you navigate around the board.', 'LOGIN_INFO' => 'In order to login you must be registered. Registering takes only a few seconds but gives you increased capabilities. The board administrator may also grant additional permissions to registered users. Before you login please ensure you are familiar with our terms of use and related policies. Please ensure you read any forum rules as you navigate around the board.',


@ -293,6 +293,7 @@ $lang = array_merge($lang, array(
'NO_NEW_FOLDER_NAME' => 'You have to specify a new folder name', 'NO_NEW_FOLDER_NAME' => 'You have to specify a new folder name',
'NO_NEWER_PM' => 'No newer messages', 'NO_NEWER_PM' => 'No newer messages',
'NO_OLDER_PM' => 'No older messages', 'NO_OLDER_PM' => 'No older messages',
'NO_PASSWORD_SUPPLIED' => 'You cannot login without a password.',
'NO_RECIPIENT' => 'No recipient defined', 'NO_RECIPIENT' => 'No recipient defined',
'NO_RULES_DEFINED' => 'No rules defined', 'NO_RULES_DEFINED' => 'No rules defined',
'NO_SAVED_DRAFTS' => 'No drafts saved', 'NO_SAVED_DRAFTS' => 'No drafts saved',
@ -300,10 +301,10 @@ $lang = array_merge($lang, array(
'NO_WATCHED_FORUMS' => 'You are not watching any forums.', 'NO_WATCHED_FORUMS' => 'You are not watching any forums.',
'NO_WATCHED_TOPICS' => 'You are not watching any topics.', 'NO_WATCHED_TOPICS' => 'You are not watching any topics.',
'PASS_TYPE_ALPHA_EXPLAIN' => 'Password must be between %1$d and %2$d chars long and must contain alphanumerics', 'PASS_TYPE_ALPHA_EXPLAIN' => 'Password must be between %1$d and %2$d chars long, must be mixed case and must contain numbers',
'PASS_TYPE_ANY_EXPLAIN' => 'Must be between %1$d and %2$d characters.', 'PASS_TYPE_ANY_EXPLAIN' => 'Must be between %1$d and %2$d characters.',
'PASS_TYPE_CASE_EXPLAIN' => 'Password must be between %1$d and %2$d chars long and must be mixed case', 'PASS_TYPE_CASE_EXPLAIN' => 'Password must be between %1$d and %2$d chars long and must be mixed case',
'PASS_TYPE_SYMBOL_EXPLAIN' => 'Password must be between %1$d and %2$d chars long and must contain symbols', 'PASS_TYPE_SYMBOL_EXPLAIN' => 'Password must be between %1$d and %2$d chars long, must be mixed case, must contain numbers and must contain symbols',
'PASSWORD' => 'Password', 'PASSWORD' => 'Password',
'PASSWORD_ACTIVATED' => 'Your new password has been activated', 'PASSWORD_ACTIVATED' => 'Your new password has been activated',
'PASSWORD_UPDATED' => 'Your password has been sent successfully to your original email address.', 'PASSWORD_UPDATED' => 'Your password has been sent successfully to your original email address.',


@ -234,7 +234,7 @@ if ($keywords || $author || $author_id || $search_id || $submit)
$correct_query = $search->split_keywords($keywords, $search_terms); $correct_query = $search->split_keywords($keywords, $search_terms);
if (!$correct_query || (empty($search->search_query) && !sizeof($author_id_ary) && !$search_id)) if (!$correct_query || (empty($search->search_query) && !sizeof($author_id_ary) && !$search_id))
{ {
$ignored = (sizeof($search->common_words)) ? sprintf($user->lang['IGNORED_TERMS_EXPLAIN'], htmlspecialchars(implode(' ', $search->common_words), ENT_COMPAT, 'UTF-8')) . '<br />' : ''; $ignored = (sizeof($search->common_words)) ? sprintf($user->lang['IGNORED_TERMS_EXPLAIN'], implode(' ', $search->common_words)) . '<br />' : '';
trigger_error($ignored . sprintf($user->lang['NO_KEYWORDS'], $search->word_length['min'], $search->word_length['max'])); trigger_error($ignored . sprintf($user->lang['NO_KEYWORDS'], $search->word_length['min'], $search->word_length['max']));
} }
} }
@ -453,8 +453,8 @@ if ($keywords || $author || $author_id || $search_id || $submit)
} }
// define some vars for urls // define some vars for urls
$hilit = htmlspecialchars(implode('|', explode(' ', preg_replace('#\s+#u', ' ', str_replace(array('+', '-', '|', '(', ')'), ' ', $keywords))))); $hilit = implode('|', explode(' ', preg_replace('#\s+#u', ' ', str_replace(array('+', '-', '|', '(', ')'), ' ', $keywords))));
$u_hilit = urlencode($keywords); $u_hilit = urlencode(htmlspecialchars_decode($keywords));
$u_show_results = ($show_results != 'posts') ? '&amp;sr=' . $show_results : ''; $u_show_results = ($show_results != 'posts') ? '&amp;sr=' . $show_results : '';
$u_search_forum = implode('&amp;fid%5B%5D=', $search_forum); $u_search_forum = implode('&amp;fid%5B%5D=', $search_forum);
@ -472,8 +472,8 @@ if ($keywords || $author || $author_id || $search_id || $submit)
$template->assign_vars(array( $template->assign_vars(array(
'SEARCH_TITLE' => $l_search_title, 'SEARCH_TITLE' => $l_search_title,
'SEARCH_MATCHES' => $l_search_matches, 'SEARCH_MATCHES' => $l_search_matches,
'SEARCH_WORDS' => preg_replace('#&amp;(\#[0-9]+;)#', '&$1', htmlspecialchars($search->search_query)), 'SEARCH_WORDS' => $search->search_query,
'IGNORED_WORDS' => (sizeof($search->common_words)) ? htmlspecialchars(implode(' ', $search->common_words)) : '', 'IGNORED_WORDS' => (sizeof($search->common_words)) ? implode(' ', $search->common_words) : '',
'PAGINATION' => generate_pagination($u_search, $total_match_count, $per_page, $start), 'PAGINATION' => generate_pagination($u_search, $total_match_count, $per_page, $start),
'PAGE_NUMBER' => on_page($total_match_count, $per_page, $start), 'PAGE_NUMBER' => on_page($total_match_count, $per_page, $start),
'TOTAL_MATCHES' => $total_match_count, 'TOTAL_MATCHES' => $total_match_count,
@ -960,6 +960,8 @@ while ($row = $db->sql_fetchrow($result))
if ($row['left_id'] > $cat_right) if ($row['left_id'] > $cat_right)
{ {
// make sure we don't forget anything
$s_forums .= $holding;
$holding = ''; $holding = '';
} }
@ -1040,7 +1042,7 @@ $result = $db->sql_query_limit($sql, 5);
while ($row = $db->sql_fetchrow($result)) while ($row = $db->sql_fetchrow($result))
{ {
$keywords = htmlspecialchars($row['search_keywords'], ENT_COMPAT, 'UTF-8'); $keywords = $row['search_keywords'];
$template->assign_block_vars('recentsearch', array( $template->assign_block_vars('recentsearch', array(
'KEYWORDS' => $keywords, 'KEYWORDS' => $keywords,
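Review bot: The new `'SEARCH_WORDS'` and `'IGNORED_WORDS'` assignments in the hunk at -472 and the recent-search `'KEYWORDS'` assignment in the hunk at -1040 now hand backend and database values to the template untouched, so output safety rests entirely on the convention given in the commit description — every search backend receives and must return HTML-escaped strings — and nothing in search.php states or checks that contract. A one-line comment at the assign_vars call would make it visible to anyone writing a new backend: `// search_query / common_words come back HTML-escaped from the backend (input arrives escaped); do not escape again here`. For the recent-search block the same holds only if search_keywords was stored in escaped form; rows written before this change were escaped on output instead, so it may be worth verifying that existing rows match the new convention. The enclosing `if ($keywords || ...)` block and both while loops start and end outside these hunks.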


@ -1 +1 @@
<!-- IF PAGINATION --><b><a href="#" onclick="jumpto(); return false;" title="{L_JUMP_TO_PAGE}">{L_GOTO_PAGE}</a> <!-- IF PREVIOUS_PAGE --><a href="{PREVIOUS_PAGE}">{L_PREVIOUS}</a>&nbsp;&nbsp;<!-- ENDIF -->{PAGINATION}<!-- IF NEXT_PAGE -->&nbsp;&nbsp;<a href="{NEXT_PAGE}">{L_NEXT}</a><!-- ENDIF --></b><!-- ENDIF --> <!-- IF PAGINATION --><b><a href="#" onclick="jumpto(); return false;" title="{L_JUMP_TO_PAGE}">{L_GOTO_PAGE}</a> <!-- IF PREVIOUS_PAGE --><a href="{PREVIOUS_PAGE}">{L_PREVIOUS}</a>&nbsp;&nbsp;<!-- ENDIF -->{PAGINATION}<!-- IF NEXT_PAGE --> &nbsp;<a href="{NEXT_PAGE}">{L_NEXT}</a><!-- ENDIF --></b><!-- ENDIF -->