From d34ffda9c1a8ac4354e6fd6cb05124de66d87f71 Mon Sep 17 00:00:00 2001
From: Tristan Darricau
Date: Fri, 5 Feb 2016 20:30:02 +0100
Subject: [PATCH 1/7] [ticket/14457] Uses a random placeholder to inject css and js

PHPBB3-14457
---
 phpBB/phpbb/template/twig/definition.php | 5 +--
 phpBB/phpbb/template/twig/environment.php | 38 ++++++++++-------------
 2 files changed, 17 insertions(+), 26 deletions(-)

diff --git a/phpBB/phpbb/template/twig/definition.php b/phpBB/phpbb/template/twig/definition.php
index 205f0e68ee..cb3c953692 100644
--- a/phpBB/phpbb/template/twig/definition.php
+++ b/phpBB/phpbb/template/twig/definition.php
@@ -19,10 +19,7 @@ namespace phpbb\template\twig;
 class definition
 {
 /** @var array **/
- protected $definitions = array(
- 'SCRIPTS' => '__SCRIPTS_PLACEHOLDER__',
- 'STYLESHEETS' => '__STYLESHEETS_PLACEHOLDER__'
- );
+ protected $definitions = array();
 
 /**
 * Get a DEFINE'd variable
diff --git a/phpBB/phpbb/template/twig/environment.php b/phpBB/phpbb/template/twig/environment.php
index 5660ddc3a4..8b35497122 100644
--- a/phpBB/phpbb/template/twig/environment.php
+++ b/phpBB/phpbb/template/twig/environment.php
@@ -195,9 +195,7 @@ class environment extends \Twig_Environment
 */
 public function render($name, array $context = [])
 {
- $output = parent::render($name, $context);
-
- return $this->inject_assets($output);
+ return $this->display_with_assets($name, $context);
 }
 
 /**
@@ -205,26 +203,22 @@ class environment extends \Twig_Environment
 */
 public function display($name, array $context = [])
 {
- $level = ob_get_level();
- ob_start();
+ echo $this->display_with_assets($name, $context);
+ }
 
- try
- {
- parent::display($name, $context);
- }
- catch (\Exception $e)
- {
- while (ob_get_level() > $level)
- {
- ob_end_clean();
- }
+ /**
+ * {@inheritdoc}
+ */
+ private function display_with_assets($name, array $context = [])
+ {
+ $placeholder_salt = unique_id();
 
- throw $e;
- }
+ $context['definition']->set('SCRIPTS', '__SCRIPTS_'.$placeholder_salt.'__');
+ $context['definition']->set('STYLESHEETS', '__STYLESHEETS_'.$placeholder_salt.'__');
 
- $output = ob_get_clean();
+ $output = parent::render($name, $context);
 
- echo $this->inject_assets($output);
+ return $this->inject_assets($output, $placeholder_salt);
 }
 
 /**
@@ -234,10 +228,10 @@ class environment extends \Twig_Environment
 *
 * @return string
 */
- private function inject_assets($output)
+ private function inject_assets($output, $placeholder_salt)
 {
- $output = str_replace('__STYLESHEETS_PLACEHOLDER__', $this->assets_bag->get_stylesheets_content(), $output);
- $output = str_replace('__SCRIPTS_PLACEHOLDER__', $this->assets_bag->get_scripts_content(), $output);
+ $output = str_replace('__SCRIPTS_'.$placeholder_salt.'__', $this->assets_bag->get_stylesheets_content(), $output);
+ $output = str_replace('__STYLESHEETS_'.$placeholder_salt.'__', $this->assets_bag->get_scripts_content(), $output);
 
 return $output;
 }

From f253a853b8381a343f98c29bb399c8128695b696 Mon Sep 17 00:00:00 2001
From: Tristan Darricau
Date: Fri, 5 Feb 2016 21:21:41 +0100
Subject: [PATCH 2/7] [ticket/14457] Fix twig/twig::assign_display

PHPBB3-14457
---
 phpBB/phpbb/template/twig/twig.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/phpBB/phpbb/template/twig/twig.php b/phpBB/phpbb/template/twig/twig.php
index 6b3cf32bc8..f322778eda 100644
--- a/phpBB/phpbb/template/twig/twig.php
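Review bot: `display_with_assets` is a new private method, so the `{@inheritdoc}` docblock placed on it inherits nothing; replace it with a one-line purpose ("Renders $name with a per-render random SCRIPTS/STYLESHEETS placeholder and substitutes the asset bag content into the result"), `@param string $name`, `@param array $context` and `@return string`. The docblock should also state that `$placeholder_salt` must be unpredictable, since the random placeholder is presumably what stops rendered content that happens to contain the placeholder string from having the assets substituted into it; at this point in the series `unique_id()` is still the md5/seed generator, which patch 7 replaces. The method also writes into `$context['definition']` with no check that the key exists (patch 5 adds that guard), and the `'__SCRIPTS_' . $placeholder_salt . '__'` literals are built here and again in `inject_assets`, where one private helper returning the placeholder name would keep both sides in sync.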
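Review bot: The two `str_replace` calls in `inject_assets` are crossed: the `__SCRIPTS_` placeholder receives `get_stylesheets_content()` and the `__STYLESHEETS_` placeholder receives `get_scripts_content()`, which patch 4 in this series corrects. The new `$placeholder_salt` parameter has no entry in the docblock whose tail (`* @return string`) is visible above the signature; add `* @param string $placeholder_salt Random suffix used in this render's SCRIPTS/STYLESHEETS placeholders`. Because the substituted asset content lands in arbitrary output, the requirement that the salt cannot be guessed by whoever authored the rendered content is worth stating in that docblock as a precondition.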
+++ b/phpBB/phpbb/template/twig/twig.php
@@ -335,7 +335,7 @@ class twig extends \phpbb\template\base
 return $this->twig->render($this->get_filename_from_handle($handle), $this->get_template_vars());
 }
 
- $this->assign_var($template_var, $this->twig->render($this->get_filename_from_handle($handle, $this->get_template_vars())));
+ $this->assign_var($template_var, $this->twig->render($this->get_filename_from_handle($handle), $this->get_template_vars()));
 
 return $this;
 }

From f7c5098c60688ab8553732d5129680c959355e15 Mon Sep 17 00:00:00 2001
From: Tristan Darricau
Date: Sun, 7 Feb 2016 12:23:21 +0100
Subject: [PATCH 3/7] [ticket/14457] CS

PHPBB3-14457
---
 phpBB/phpbb/template/twig/environment.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/phpBB/phpbb/template/twig/environment.php b/phpBB/phpbb/template/twig/environment.php
index 8b35497122..27a475f046 100644
--- a/phpBB/phpbb/template/twig/environment.php
+++ b/phpBB/phpbb/template/twig/environment.php
@@ -213,8 +213,8 @@ class environment extends \Twig_Environment
 {
 $placeholder_salt = unique_id();
 
- $context['definition']->set('SCRIPTS', '__SCRIPTS_'.$placeholder_salt.'__');
- $context['definition']->set('STYLESHEETS', '__STYLESHEETS_'.$placeholder_salt.'__');
+ $context['definition']->set('SCRIPTS', '__SCRIPTS_' . $placeholder_salt . '__');
+ $context['definition']->set('STYLESHEETS', '__STYLESHEETS_' . $placeholder_salt . '__');
 
 $output = parent::render($name, $context);
@@ -230,8 +230,8 @@ class environment extends \Twig_Environment
 */
 private function inject_assets($output, $placeholder_salt)
 {
- $output = str_replace('__SCRIPTS_'.$placeholder_salt.'__', $this->assets_bag->get_stylesheets_content(), $output);
- $output = str_replace('__STYLESHEETS_'.$placeholder_salt.'__', $this->assets_bag->get_scripts_content(), $output);
+ $output = str_replace('__SCRIPTS_' . $placeholder_salt . '__', $this->assets_bag->get_stylesheets_content(), $output);
+ $output = str_replace('__STYLESHEETS_' . $placeholder_salt . '__', $this->assets_bag->get_scripts_content(), $output);
 
 return $output;
 }

From 99ace63e62fddc934eded20afc6a7aebbc05e13b Mon Sep 17 00:00:00 2001
From: Tristan Darricau
Date: Sun, 7 Feb 2016 12:49:00 +0100
Subject: [PATCH 4/7] [ticket/14457] Don't set CSS to JS and JS to CSS

PHPBB3-14457
---
 phpBB/phpbb/template/twig/environment.php | 4 ++--
 tests/template/template_test_case.php | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/phpBB/phpbb/template/twig/environment.php b/phpBB/phpbb/template/twig/environment.php
index 27a475f046..65f1af5d9e 100644
--- a/phpBB/phpbb/template/twig/environment.php
+++ b/phpBB/phpbb/template/twig/environment.php
@@ -230,8 +230,8 @@ class environment extends \Twig_Environment
 */
 private function inject_assets($output, $placeholder_salt)
 {
- $output = str_replace('__SCRIPTS_' . $placeholder_salt . '__', $this->assets_bag->get_stylesheets_content(), $output);
- $output = str_replace('__STYLESHEETS_' . $placeholder_salt . '__', $this->assets_bag->get_scripts_content(), $output);
+ $output = str_replace('__STYLESHEETS_' . $placeholder_salt . '__', $this->assets_bag->get_stylesheets_content(), $output);
+ $output = str_replace('__SCRIPTS_' . $placeholder_salt . '__', $this->assets_bag->get_scripts_content(), $output);
 
 return $output;
 }
diff --git a/tests/template/template_test_case.php b/tests/template/template_test_case.php
index 62eea0d361..3c97d30edc 100644
--- a/tests/template/template_test_case.php
+++ b/tests/template/template_test_case.php
@@ -172,6 +172,7 @@ class phpbb_template_template_test_case extends phpbb_test_case
 $expected = str_replace(array("\n", "\r", "\t"), '', $expected);
 $output = str_replace(array("\n", "\r", "\t"), '', $this->display('test'));
+ $this->assertEquals($expected, $output, "Testing $file");
 }
 }

From 97bbf2d2b8b5b7689432ad8a35e96c38fd869dd7 Mon Sep 17 00:00:00 2001
From: Tristan Darricau
Date: Sun, 7 Feb 2016 14:35:42 +0100
Subject: [PATCH 5/7] [ticket/14457] Handle the case where there isn't any 'definition' bag

PHPBB3-14457
---
 phpBB/phpbb/template/twig/environment.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/phpBB/phpbb/template/twig/environment.php b/phpBB/phpbb/template/twig/environment.php
index 65f1af5d9e..56c85c8d71 100644
--- a/phpBB/phpbb/template/twig/environment.php
+++ b/phpBB/phpbb/template/twig/environment.php
@@ -213,8 +213,11 @@ class environment extends \Twig_Environment
 {
 $placeholder_salt = unique_id();
 
- $context['definition']->set('SCRIPTS', '__SCRIPTS_' . $placeholder_salt . '__');
- $context['definition']->set('STYLESHEETS', '__STYLESHEETS_' . $placeholder_salt . '__');
+ if (array_key_exists('definition', $context))
+ {
+ $context['definition']->set('SCRIPTS', '__SCRIPTS_' . $placeholder_salt . '__');
+ $context['definition']->set('STYLESHEETS', '__STYLESHEETS_' . $placeholder_salt . '__');
+ }
 
 $output = parent::render($name, $context);

From 08a11dbe32031e4cb2b79b6634e50edd115488d7 Mon Sep 17 00:00:00 2001
From: Tristan Darricau
Date: Sun, 7 Feb 2016 18:59:44 +0100
Subject: [PATCH 6/7] [ticket/14457] Set the config values related to the RNG in the installer config

PHPBB3-14457
---
 phpBB/config/installer/container/services.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/phpBB/config/installer/container/services.yml b/phpBB/config/installer/container/services.yml
index 16782dec10..20d790e9a6 100644
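Review bot: When `definition` is absent from `$context`, `display_with_assets` still goes on to call `inject_assets` with a salt that no template could have referenced, so the asset bag content is silently never emitted for that render; if that is the intended behaviour for callers without the bag, a comment on the new `if` should say so, e.g. `// Without a definition bag the template cannot expose the placeholders, so no assets are injected`. The guard only tests the key, not the value, so a non-object under that key would still reach `->set()`; `$context['definition'] instanceof definition` would be the stricter check if callers can populate the context freely (cannot tell from this hunk). The enclosing method starts and continues outside the hunk.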
--- a/phpBB/config/installer/container/services.yml
+++ b/phpBB/config/installer/container/services.yml
@@ -17,7 +17,9 @@ services:
 config:
 class: phpbb\config\config
 arguments:
- - []
+ -
+ rand_seed: 'installer_seed'
+ rand_seed_last_update: 0
 
 controller.resolver:
 class: phpbb\controller\resolver

From 58359b158716d6dc752c6a50b05b8dea7d5dfff4 Mon Sep 17 00:00:00 2001
From: Tristan Darricau
Date: Wed, 17 Feb 2016 22:10:09 +0100
Subject: [PATCH 7/7] [ticket/14457] Replaces unique_id implementation by random_bytes()

PHPBB3-14457
---
 build/build.xml | 7 +++++
 phpBB/composer.json | 1 +
 phpBB/composer.lock | 52 ++++++++++++++++++++++++++++++++++--
 phpBB/includes/functions.php | 19 ++-----------
 4 files changed, 60 insertions(+), 19 deletions(-)

diff --git a/build/build.xml b/build/build.xml
index 6d5b652b0a..b47b5f6eff 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -355,6 +355,13 @@
+
+
+
+
+
+
+
diff --git a/phpBB/composer.json b/phpBB/composer.json
index 88df2bfa3d..b0c9b57cb6 100644
--- a/phpBB/composer.json
+++ b/phpBB/composer.json
@@ -31,6 +31,7 @@
 "guzzlehttp/guzzle": "~5.3",
 "lusitanian/oauth": "^0.8.1",
 "marc1706/fast-image-size": "1.1.*",
+ "paragonie/random_compat": "^1.2",
 "patchwork/utf8": "1.1.*",
 "s9e/text-formatter": "^0.4.2",
 "symfony/config": "2.8.*",
diff --git a/phpBB/composer.lock b/phpBB/composer.lock
index 7cb6c160ce..d10c94a75f 100644
--- a/phpBB/composer.lock
+++ b/phpBB/composer.lock
@@ -4,8 +4,8 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "2de20b0ffe0ca05fb62a7c685a25ca79", - "content-hash": "6e427257e82c0d33fc94040d9685f516", + "hash": "9cbb41222e71eb86e0ef9118baafc691", + "content-hash": "03a990fa2d088c89afe4824d2d53e873", "packages": [ { "name": "bantu/ini-get-wrapper",
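Review bot: `rand_seed: 'installer_seed'` is a fixed string, so for as long as `unique_id()` still mixes `$config['rand_seed']` with `microtime()` (the implementation patch 7 removes), every installer run starts from the same seed and the clock is the only entropy; that is tolerable only if nothing security-relevant is generated during installation, which this hunk does not let me verify. Once patch 7 lands, `unique_id()` reads neither key, so if `rand_seed` and `rand_seed_last_update` stay only to satisfy the config service, add a YAML comment such as `# Legacy RNG seed keys; unique_id() no longer consumes them` so the constant value is not mistaken for a real secret. The `rand_seed_last_update: 0` entry should be covered by the same comment.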
@@ -401,6 +401,54 @@ ], "time": "2015-08-21 11:40:30" }, + { + "name": "paragonie/random_compat", + "version": "v1.2.0", + "source": { + "type": "git", + "url": "https://github.com/paragonie/random_compat.git", + "reference": "b0e69d10852716b2ccbdff69c75c477637220790" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/random_compat/zipball/b0e69d10852716b2ccbdff69c75c477637220790", + "reference": "b0e69d10852716b2ccbdff69c75c477637220790", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "type": "library", + "autoload": { + "files": [ + "lib/random.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "pseudorandom", + "random" + ], + "time": "2016-02-06 03:52:05" + }, { "name": "patchwork/utf8", "version": "v1.1.31",
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 54ff51dda5..5125a601d6 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -93,25 +93,10 @@ function gen_rand_string_friendly($num_chars = 8)
 
 /**
 * Return unique id
-* @param string $extra additional entropy
 */
-function unique_id($extra = 'c')
+function unique_id()
 {
- static $dss_seeded = false;
- global $config;
-
- $val = $config['rand_seed'] . microtime();
- $val = md5($val);
- $config['rand_seed'] = md5($config['rand_seed'] . $val . $extra);
-
- if ($dss_seeded !== true && ($config['rand_seed_last_update'] < time() - rand(1,10)))
- {
- $config->set('rand_seed_last_update', time(), false);
- $config->set('rand_seed', $config['rand_seed'], false);
- $dss_seeded = true;
- }
-
- return substr($val, 4, 16);
+ return bin2hex(random_bytes(6));
 }
 
 /**
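Review bot: The rewritten `unique_id()` returns 12 hexadecimal characters where the removed implementation returned 16 (`substr($val, 4, 16)`), and the docblock has lost its parameter line without gaining a `@return`; any caller or storage column sized for the old length should be checked (not visible here), and the docblock should state `* @return string 12 hexadecimal characters (48 bits from a CSPRNG)`. `random_bytes()` throws an `\Exception` when no secure randomness source is available, both natively and in the `paragonie/random_compat` polyfill this series adds, whereas the old code could not throw, so add `* @throws \Exception If no cryptographically secure source of randomness is available` and confirm that callers on request paths handle it rather than surfacing a blank page. The `$extra` parameter was dropped from the signature; PHP ignores surplus arguments to user-defined functions, so existing `unique_id('x')` calls keep working but silently discard their argument, which is worth a note in the docblock or a cleanup of those call sites.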