From 55dd22202999030cfbd217bedb13f6dae7d29163 Mon Sep 17 00:00:00 2001 From: David M Date: Tue, 8 Apr 2008 10:07:05 +0000 Subject: [PATCH 01/89] #24955 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8496 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/acp/acp_permissions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/acp/acp_permissions.php b/phpBB/includes/acp/acp_permissions.php index a9e64b74ae..9240db271c 100644 --- a/phpBB/includes/acp/acp_permissions.php +++ b/phpBB/includes/acp/acp_permissions.php @@ -1156,7 +1156,7 @@ class acp_permissions } // Not ideal, due to the filesort, non-use of indexes, etc. - $sql = 'SELECT DISTINCT u.user_id, u.username + $sql = 'SELECT DISTINCT u.user_id, u.username, u.username_clean, u.user_regdate FROM ' . USERS_TABLE . ' u, ' . ACL_USERS_TABLE . " a WHERE u.user_id = a.user_id $sql_forum_id From 44b1572527e92eb7363e1b0ec63e9a18bc5d4d61 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Tue, 8 Apr 2008 12:15:28 +0000 Subject: [PATCH 02/89] Begone ghost entries - the Ghostbusters are here git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8497 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/acp/acp_attachments.php | 8 +++++++- phpBB/includes/acp/acp_board.php | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/phpBB/includes/acp/acp_attachments.php b/phpBB/includes/acp/acp_attachments.php index c60f453238..9c76459031 100644 --- a/phpBB/includes/acp/acp_attachments.php +++ b/phpBB/includes/acp/acp_attachments.php 
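Review bot: The reason for the two extra columns in the `SELECT DISTINCT` is not recorded next to the query; the existing "Not ideal" comment explains the filesort, not why `u.username_clean` and `u.user_regdate` are now selected. If, as the changelog entry for Bug #24955 suggests, they are needed because some DBMS reject `DISTINCT` when `ORDER BY` columns are missing from the select list, that deserves one line, e.g. `// username_clean/user_regdate are selected only so ORDER BY is valid with DISTINCT on non-MySQL DBMS (Bug #24955)`. The ORDER BY and the rest of the method are outside the hunk, so this is inferred from the commit, not from the visible lines.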
@@ -277,13 +277,19 @@ class acp_attachments { $l_explain = (isset($user->lang[$vars['lang'] . '_EXPLAIN'])) ? $user->lang[$vars['lang'] . '_EXPLAIN'] : ''; } + + $content = build_cfg_template($type, $config_key, $this->new_config, $config_key, $vars); + if (empty($content)) + { + continue; + } $template->assign_block_vars('options', array( 'KEY' => $config_key, 'TITLE' => $user->lang[$vars['lang']], 'S_EXPLAIN' => $vars['explain'], 'TITLE_EXPLAIN' => $l_explain, - 'CONTENT' => build_cfg_template($type, $config_key, $this->new_config, $config_key, $vars), + 'CONTENT' => $content, ) ); diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 1b7ae383cc..4d82926ca2 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -569,7 +569,7 @@ class acp_board 'TITLE' => (isset($user->lang[$vars['lang']])) ? $user->lang[$vars['lang']] : $vars['lang'], 'S_EXPLAIN' => $vars['explain'], 'TITLE_EXPLAIN' => $l_explain, - 'CONTENT' => build_cfg_template($type, $config_key, $this->new_config, $config_key, $vars), + 'CONTENT' => $content, ) ); From 5a13f125a61601f2e47b32a4d94ef9c1e0b9e3db Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Thu, 10 Apr 2008 15:51:09 +0000 Subject: [PATCH 03/89] Remove caching. Ideally, this owuld depend on the current load git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8501 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 1baa7abd9a..b6237020f1 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -3182,7 +3182,7 @@ function obtain_users_online($forum_id = 0) WHERE s.session_time >= ' . ($time - ((int) ($time % 30))) . $reading_sql . ' AND s.session_user_id <> ' . ANONYMOUS; - $result = $db->sql_query($sql, 30); + $result = $db->sql_query($sql); while ($row = $db->sql_fetchrow($result)) { 
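Review bot: `if (empty($content))` skips an option whenever `build_cfg_template()` returns a falsy value, and `empty()` also treats the string `'0'` as empty; if the helper returns a string, `if ($content === '')` states the intent more precisely (the same test presumably exists above the acp_board.php hunk, whose `'CONTENT' => $content` relies on an assignment that is not shown). Silently continuing also hides misconfigured entries, so a short comment such as `// Nothing to render for this config key - skip the row entirely` would tell the next reader why the option disappears. The enclosing loop starts before this hunk.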
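Review bot: Dropping the 30-second cache TTL from `$db->sql_query($sql)` in obtain_users_online() makes the sessions-table query run on every call, and the reason survives only in the commit message. A comment at the call site would stop the next maintainer from re-adding the TTL, e.g. `// Deliberately uncached (r8501); ideally this would depend on current server load`. obtain_users_online() starts and ends outside the hunk.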
From c1c3b9f9124b42dd37b5d1da582e23b927cbee44 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Fri, 11 Apr 2008 14:14:23 +0000 Subject: [PATCH 04/89] fixing two potential problems - blank style - check for correct role assignment within auth.php (should not happen, but seems like some users are not able to persist from manually messing with the db) git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8502 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 26 +++++++++++++++++--------- phpBB/includes/auth.php | 2 +- phpBB/style.php | 7 +------ 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index dd4fd3b90a..7596bb76c7 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -53,6 +53,7 @@
  1. Changelog
      +
    1. Changes since 3.0.1
    2. Changes since 3.0.0
    3. Changes since RC-8
    4. Changes since RC-7
    5. @@ -81,7 +82,14 @@
      -

      1.i. Changes since 3.0.0

      +

      1.i. Changes since 3.0.1

      + +
        +
      • [Fix] Ability to set permissions on non-mysql dbms (Bug #24955)
      • +
      • [Fix] Fixed blank style on setups having no username defined within config.php (Bug #25065)
      • +
      + +

      1.ii. Changes since 3.0.0

      • [Change] Validate birthdays (Bug #15004)
      • @@ -152,7 +160,7 @@
      • [Fix] Find and display colliding usernames correctly when converting from one database to another (Bug #23925)
      -

      1.i. Changes since 3.0.RC8

      +

      1.iii. Changes since 3.0.RC8

      • [Fix] Cleaned usernames contain only single spaces, so "a_name" and "a__name" are treated as the same name (Bug #15634)
      • @@ -161,7 +169,7 @@
      • [Fix] Call garbage_collection() within database updater to correctly close connections (affects Oracle for example)
      -

      1.ii. Changes since 3.0.RC7

      +

      1.iv. Changes since 3.0.RC7

      • [Fix] Fixed MSSQL related bug in the update system
      • @@ -196,7 +204,7 @@
      • [Fix] No duplication of active topics (Bug #15474)
      -

      1.iii. Changes since 3.0.RC6

      +

      1.v. Changes since 3.0.RC6

      • [Fix] Submitting language changes using acp_language (Bug #14736)
      • @@ -206,7 +214,7 @@
      • [Fix] Able to request new password (Bug #14743)
      -

      1.iv. Changes since 3.0.RC5

      +

      1.vi. Changes since 3.0.RC5

      • [Feature] Removing constant PHPBB_EMBEDDED in favor of using an exit_handler(); the constant was meant to achive this more or less.
      • @@ -269,7 +277,7 @@
      • [Sec] New password hashing mechanism for storing passwords (#i42)
      -

      1.v. Changes since 3.0.RC4

      +

      1.vii. Changes since 3.0.RC4

      • [Fix] MySQL, PostgreSQL and SQLite related database fixes (Bug #13862)
      • @@ -320,7 +328,7 @@
      • [Fix] odbc_autocommit causing existing result sets to be dropped (Bug #14182)
      -

      1.vi. Changes since 3.0.RC3

      +

      1.viii. Changes since 3.0.RC3

      • [Fix] Fixing some subsilver2 and prosilver style issues
      • @@ -429,7 +437,7 @@
      -

      1.vii. Changes since 3.0.RC2

      +

      1.ix. Changes since 3.0.RC2

      • [Fix] Re-allow searching within the memberlist
      • @@ -475,7 +483,7 @@
      -

      1.viii. Changes since 3.0.RC1

      +

      1.x. Changes since 3.0.RC1

      • [Fix] (X)HTML issues within the templates (Bug #11255, #11255)
      • diff --git a/phpBB/includes/auth.php b/phpBB/includes/auth.php index 8dd15fea64..d0b38b67a3 100644 --- a/phpBB/includes/auth.php +++ b/phpBB/includes/auth.php @@ -800,7 +800,7 @@ class auth { $this->_set_group_hold_ary($hold_ary[$row['forum_id']], $row['auth_option_id'], $row['auth_setting']); } - else + else if (!empty($this->role_cache[$row['auth_role_id']])) { foreach (unserialize($this->role_cache[$row['auth_role_id']]) as $option_id => $setting) { diff --git a/phpBB/style.php b/phpBB/style.php index 9d38128356..599434d087 100644 --- a/phpBB/style.php +++ b/phpBB/style.php @@ -20,7 +20,7 @@ error_reporting(E_ALL ^ E_NOTICE); require($phpbb_root_path . 'config.' . $phpEx); -if (!defined('PHPBB_INSTALLED') || empty($dbms) || !isset($dbhost) || !isset($dbpasswd) || empty($dbuser)) +if (!defined('PHPBB_INSTALLED') || empty($dbms) || empty($acm_type)) { exit; } @@ -57,11 +57,6 @@ if (strspn($sid, 'abcdefABCDEF0123456789') !== strlen($sid)) // server a little if ($id) { - if (empty($acm_type) || empty($dbms)) - { - die('Hacking attempt'); - } - // Include files require($phpbb_root_path . 'includes/acm/acm_' . $acm_type . '.' . $phpEx); require($phpbb_root_path . 'includes/cache.' . $phpEx); From 79c72890e67dbd0a67bb85466886e4dd7e86a6f5 Mon Sep 17 00:00:00 2001 From: David M Date: Sun, 20 Apr 2008 04:39:04 +0000 Subject: [PATCH 05/89] #14429 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8505 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_compress.php | 34 +++++++++++++++++++++------ 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 7596bb76c7..9a5a2cadd2 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -87,6 +87,7 @@
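Review bot: The new `else if (!empty($this->role_cache[$row['auth_role_id']]))` only guards against a missing role entry; a present but corrupt value still reaches `foreach (unserialize(...) as ...)`, where `unserialize()` returns false and the loop emits a warning instead of skipping the row. Deserialising first and checking the type covers both cases: `$role_options = unserialize($this->role_cache[$row['auth_role_id']]);` followed by `foreach ((is_array($role_options) ? $role_options : array()) as $option_id => $setting)`. Since the commit attributes the cause to hand-edited database rows, a comment recording that intent (`// Skip rows whose role no longer exists or whose cached options cannot be read`) would help. The enclosing method starts and ends outside the hunk.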
        • [Fix] Ability to set permissions on non-mysql dbms (Bug #24955)
        • [Fix] Fixed blank style on setups having no username defined within config.php (Bug #25065)
        • +
        • [Fix] Made the compress_tar class tolerate archives that do not properly have their archived contents listed (Bug #14429 / thanks to JRSweets for his patch)

        1.ii. Changes since 3.0.0

        diff --git a/phpBB/includes/functions_compress.php b/phpBB/includes/functions_compress.php index 36b7d575d9..852f1c967a 100644 --- a/phpBB/includes/functions_compress.php +++ b/phpBB/includes/functions_compress.php @@ -231,7 +231,7 @@ class compress_zip extends compress } else { - // Some archivers are punks, they don't don't include folders in their archives! + // Some archivers are punks, they don't include folders in their archives! $str = ''; $folders = explode('/', pathinfo($target_filename, PATHINFO_DIRNAME)); @@ -507,12 +507,14 @@ class compress_tar extends compress $tmp = unpack('A12size', substr($buffer, 124, 12)); $filesize = octdec((int) trim($tmp['size'])); + $target_filename = "$dst$filename"; + if ($filetype == 5) { - if (!is_dir("$dst$filename")) + if (!is_dir($target_filename)) { $str = ''; - $folders = explode('/', "$dst$filename"); + $folders = explode('/', $target_filename); // Create and folders and subfolders if they do not exist foreach ($folders as $folder) 
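Review bot: `$target_filename = "$dst$filename"` is built from the archive's own header field and then used for `is_dir()`/`mkdir()` here and for `fopen()` plus the new parent-directory loop in the following hunk, with no check that the resulting path stays under `$dst`; unless `$filename` is validated where it is read from the header (above the hunk), an entry containing `..` segments or a leading `/` would be written outside the extraction directory, and the loop in the next hunk would create its parent directories as well. A containment check at the point `$target_filename` is assigned — reject entries whose normalised path does not start with `$dst`, and skip or `trigger_error()` on them — closes this for both branches. Record it in a comment so the check is not later removed as redundant.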
@@ -529,17 +531,35 @@ class compress_tar extends compress } } } - else if ($filesize != 0 && ($filetype == 0 || $filetype == "\0")) + else if ($filesize >= 0 && ($filetype == 0 || $filetype == "\0")) { + // Some archivers are punks, they don't properly order the folders in their archives! + $str = ''; + $folders = explode('/', pathinfo($target_filename, PATHINFO_DIRNAME)); + + // Create and folders and subfolders if they do not exist + foreach ($folders as $folder) + { + $str = (!empty($str)) ? $str . '/' . $folder : $folder; + if (!is_dir($str)) + { + if (!@mkdir($str, 0777)) + { + trigger_error("Could not create directory $folder"); + } + @chmod($str, 0777); + } + } + // Write out the files - if (!($fp = fopen("$dst$filename", 'wb'))) + if (!($fp = fopen($target_filename, 'wb'))) { trigger_error("Couldn't create file $filename"); } - @chmod("$dst$filename", 0777); + @chmod($target_filename, 0777); // Grab the file contents - fwrite($fp, $fzread($this->fp, ($filesize + 511) &~ 511), $filesize); + fwrite($fp, ($filesize) ? $fzread($this->fp, ($filesize + 511) &~ 511) : '', $filesize); fclose($fp); } } From 3e64e9b8999e6c4c004e1cb0721c76ee6b612d53 Mon Sep 17 00:00:00 2001 From: David M Date: Sun, 20 Apr 2008 04:47:37 +0000 Subject: [PATCH 06/89] #14648 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8506 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_admin.php | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 9a5a2cadd2..067a2c88e4 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -88,6 +88,7 @@
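Review bot: `$filesize >= 0` is always true because `octdec()` never yields a negative value, so the condition now reduces to the `$filetype` test and the comparison only suggests a bound that is not enforced; writing `($filetype == 0 || $filetype == "\0")` alone, with a comment that zero-length entries are written deliberately (Bug #14429), would be clearer. The directory-creation loop copied from compress_zip also uses `@mkdir($str, 0777)` and `@chmod($str, 0777)`, creating world-writable directories for every extracted regular file; a narrower mode, or a comment giving the reason for 0777, belongs here. The loop is now duplicated between the directory branch and this branch and could move into a small private helper.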
      • [Fix] Ability to set permissions on non-mysql dbms (Bug #24955)
      • [Fix] Fixed blank style on setups having no username defined within config.php (Bug #25065)
      • [Fix] Made the compress_tar class tolerate archives that do not properly have their archived contents listed (Bug #14429 / thanks to JRSweets for his patch)
      • +
      • [Fix] Moved topics should not count towards the number of topics in a forum (Bug #14648 / thanks to Schumi for his patch)

      1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/functions_admin.php b/phpBB/includes/functions_admin.php index afaf165d66..6a4b6008bd 100644 --- a/phpBB/includes/functions_admin.php +++ b/phpBB/includes/functions_admin.php @@ -1545,7 +1545,8 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, $sql = 'SELECT SUM(t.topic_replies + 1) AS forum_posts FROM ' . TOPICS_TABLE . ' t WHERE ' . $db->sql_in_set('t.forum_id', $forum_ids) . ' - AND t.topic_approved = 1'; + AND t.topic_approved = 1 + AND t.topic_status <> ' . ITEM_MOVED; } else { @@ -1553,6 +1554,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, FROM ' . TOPICS_TABLE . ' t WHERE ' . $db->sql_in_set('t.forum_id', $forum_ids) . ' AND t.topic_approved = 1 + AND t.topic_status <> ' . ITEM_MOVED .' GROUP BY t.forum_id'; } From 0bfd3b59e7c0f565516dc5f626f3aead38a6b886 Mon Sep 17 00:00:00 2001 From: David M Date: Sun, 20 Apr 2008 04:57:29 +0000 Subject: [PATCH 07/89] #18775 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8507 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_install.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 067a2c88e4..c6143196c2 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -89,6 +89,7 @@
    6. [Fix] Fixed blank style on setups having no username defined within config.php (Bug #25065)
    7. [Fix] Made the compress_tar class tolerate archives that do not properly have their archived contents listed (Bug #14429 / thanks to JRSweets for his patch)
    8. [Fix] Moved topics should not count towards the number of topics in a forum (Bug #14648 / thanks to Schumi for his patch)
    9. +
    10. [Fix] Properly check for invalid characters in MySQL DB prefixes during install (Bug #18775)
    11. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/functions_install.php b/phpBB/includes/functions_install.php index f43ef7c5c7..90459813f1 100644 --- a/phpBB/includes/functions_install.php +++ b/phpBB/includes/functions_install.php @@ -286,7 +286,7 @@ function connect_check_db($error_connect, &$error, $dbms_details, $table_prefix, { case 'mysql': case 'mysqli': - if (strpos($table_prefix, '-') !== false || strpos($table_prefix, '.') !== false) + if (strspn($table_prefix, '-./\\') !== 0) { $error[] = $lang['INST_ERR_PREFIX_INVALID']; return false; From 3cced0db7ee5364ab959bf2261bdbf8a2585928a Mon Sep 17 00:00:00 2001 From: David M Date: Sun, 20 Apr 2008 04:58:29 +0000 Subject: [PATCH 08/89] fix whitespace git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8508 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/functions_admin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/functions_admin.php b/phpBB/includes/functions_admin.php index 6a4b6008bd..028456c246 100644 --- a/phpBB/includes/functions_admin.php +++ b/phpBB/includes/functions_admin.php @@ -1554,7 +1554,7 @@ function sync($mode, $where_type = '', $where_ids = '', $resync_parents = false, FROM ' . TOPICS_TABLE . ' t WHERE ' . $db->sql_in_set('t.forum_id', $forum_ids) . ' AND t.topic_approved = 1 - AND t.topic_status <> ' . ITEM_MOVED .' + AND t.topic_status <> ' . ITEM_MOVED . ' GROUP BY t.forum_id'; } From 3613ddf523f6e555e8095f1d0f995fa44a99da6f Mon Sep 17 00:00:00 2001 From: David M Date: Sun, 20 Apr 2008 05:13:34 +0000 Subject: [PATCH 09/89] #21255 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8509 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/session.php | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index c6143196c2..35b6d45e8d 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -90,6 +90,7 @@
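Review bot: `strspn($table_prefix, '-./\\') !== 0` only detects a prefix that starts with one of the forbidden characters, because `strspn()` returns the length of the leading run of mask characters; a prefix such as `phpbb-3_` (constructed example) passes this check although the previous `strpos()` version rejected it. The complement is what is wanted: `if (strcspn($table_prefix, '-./\\') !== strlen($table_prefix))`, which fails whenever a forbidden character appears anywhere and matches the pattern style.php already uses for `$sid` with `strspn()` against an allow-list. connect_check_db() starts and ends outside the hunk.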
    12. [Fix] Made the compress_tar class tolerate archives that do not properly have their archived contents listed (Bug #14429 / thanks to JRSweets for his patch)
    13. [Fix] Moved topics should not count towards the number of topics in a forum (Bug #14648 / thanks to Schumi for his patch)
    14. [Fix] Properly check for invalid characters in MySQL DB prefixes during install (Bug #18775)
    15. +
    16. [Change] Generalize load check (Bug #21255 / thanks to Xipher)
    17. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index da54a6c512..08f6512424 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -217,9 +217,9 @@ class session // Load limit check (if applicable) if ($config['limit_load'] || $config['limit_search_load']) { - if ($load = @file_get_contents('/proc/loadavg')) + if ((function_exists('sys_getloadavg') && $load = sys_getloadavg()) || ($load = explode(' ', @file_get_contents('/proc/loadavg')))) { - $this->load = array_slice(explode(' ', $load), 0, 1); + $this->load = array_slice($load, 0, 1); $this->load = floatval($this->load[0]); } else From 29eb7129987e129877529144816f32704eb724f0 Mon Sep 17 00:00:00 2001 From: David M Date: Sun, 20 Apr 2008 05:16:42 +0000 Subject: [PATCH 10/89] #21885 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8510 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/utf/utf_tools.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 35b6d45e8d..bdfe15fa87 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -91,6 +91,7 @@
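Review bot: The `else` branch can no longer be reached when `/proc/loadavg` is unreadable: `@file_get_contents()` returns false, `explode(' ', false)` yields `array('')`, which is a non-empty and therefore truthy array, so the condition succeeds and `$this->load` ends up as `floatval('')`, i.e. 0, instead of whatever the fallback does. Reading the file into a variable first and testing it keeps the fallback meaningful: `$loadavg = @file_get_contents('/proc/loadavg');` and `if ((function_exists('sys_getloadavg') && $load = sys_getloadavg()) || ($loadavg !== false && $load = explode(' ', $loadavg)))`. `sys_getloadavg()` itself returns false on platforms that cannot report load, which the existing `&&` already handles. The enclosing method continues outside the hunk.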
    18. [Fix] Moved topics should not count towards the number of topics in a forum (Bug #14648 / thanks to Schumi for his patch)
    19. [Fix] Properly check for invalid characters in MySQL DB prefixes during install (Bug #18775)
    20. [Change] Generalize load check (Bug #21255 / thanks to Xipher)
    21. +
    22. [Change] Make utf8_htmlspecialchars not pass its argument by reference (Bug #21885)
    23. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/utf/utf_tools.php b/phpBB/includes/utf/utf_tools.php index b30f28aac9..8098176837 100644 --- a/phpBB/includes/utf/utf_tools.php +++ b/phpBB/includes/utf/utf_tools.php @@ -1840,7 +1840,7 @@ function utf8_clean_string($text) /** * A wrapper for htmlspecialchars($value, ENT_COMPAT, 'UTF-8') */ -function utf8_htmlspecialchars(&$value) +function utf8_htmlspecialchars($value) { return htmlspecialchars($value, ENT_COMPAT, 'UTF-8'); } From de998acda29cb0177b5dd8bbaf0973150606a7d7 Mon Sep 17 00:00:00 2001 From: David M Date: Sun, 20 Apr 2008 06:29:00 +0000 Subject: [PATCH 11/89] #22385 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8511 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 2 ++ phpBB/includes/acp/acp_database.php | 27 +++++++++++++++++++++++---- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index bdfe15fa87..fcd18a199c 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -92,6 +92,8 @@
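Review bot: The docblock still says only that this wraps `htmlspecialchars($value, ENT_COMPAT, 'UTF-8')`, and ENT_COMPAT leaves single quotes unencoded, so callers need to know the output is safe in text and double-quoted attribute context but not inside single-quoted attributes. Since the signature is being touched anyway, extend the docblock with `@param string $value Raw UTF-8 text` and `@return string Text with &, <, > and " encoded; ' is NOT encoded (ENT_COMPAT), so do not use it in single-quoted attributes`.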
    24. [Fix] Properly check for invalid characters in MySQL DB prefixes during install (Bug #18775)
    25. [Change] Generalize load check (Bug #21255 / thanks to Xipher)
    26. [Change] Make utf8_htmlspecialchars not pass its argument by reference (Bug #21885)
    27. +
    28. [Fix] Bring the PostgreSQL backup system back to working order (Bug #22385)
    29. +
    30. [Change] Sort the tables at the database table backup screen
    31. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/acp/acp_database.php b/phpBB/includes/acp/acp_database.php index 1600aa266d..eaf3145107 100644 --- a/phpBB/includes/acp/acp_database.php +++ b/phpBB/includes/acp/acp_database.php @@ -171,6 +171,7 @@ class acp_database default: include($phpbb_root_path . 'includes/functions_install.' . $phpEx); $tables = get_tables($db); + asort($tables); foreach ($tables as $table_name) { if (strlen($table_prefix) === 0 || stripos($table_name, $table_prefix) === 0) @@ -345,7 +346,25 @@ class acp_database while (($sql = $fgetd($fp, $delim, $read, $seek, $eof)) !== false) { $query = trim($sql); - $db->sql_query($query); + + if (substr($query, 0, 13) == 'CREATE DOMAIN') + { + list(, , $domain) = explode(' ', $query); + $sql = "SELECT domain_name + FROM information_schema.domains + WHERE domain_name = '$domain';"; + $result = $db->sql_query($sql); + if (!$db->sql_fetchrow($result)) + { + $db->sql_query($query); + } + $db->sql_freeresult($result); + } + else + { + $db->sql_query($query); + } + if (substr($query, 0, 4) == 'COPY') { while (($sub = $fgetd($fp, "\n", $read, $seek, $eof)) !== '\.') @@ -1087,7 +1106,7 @@ class postgres_extractor extends base_extractor } $sql_data = '-- Table: ' . $table_name . "\n"; - //$sql_data .= "DROP TABLE $table_name;\n"; + $sql_data .= "DROP TABLE $table_name;\n"; // PGSQL does not "tightly" bind sequences and tables, we must guess... $sql = "SELECT relname FROM pg_class @@ -1156,7 +1175,7 @@ class postgres_extractor extends base_extractor $line .= ')'; } - if (!empty($row['rowdefault'])) + if (isset($row['rowdefault'])) { $line .= ' DEFAULT ' . $row['rowdefault']; } @@ -2279,4 +2298,4 @@ function fgetd_seekless(&$fp, $delim, $read, $seek, $eof, $buffer = 8192) return false; } -?> \ No newline at end of file +?> From 5ca1f737035c492ded45dda81e880d2767a9b502 Mon Sep 17 00:00:00 2001 
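Review bot: `$domain` is spliced into `WHERE domain_name = '$domain';` without escaping; it is the third whitespace-separated token of a statement read from the backup file, so a quoted or otherwise unusual domain name breaks the lookup query and aborts the restore. The driver's escaping helper keeps it a plain string comparison: `WHERE domain_name = '" . $db->sql_escape($domain) . "';`. `substr($query, 0, 13) == 'CREATE DOMAIN'` is also case-sensitive and `information_schema.domains` is PostgreSQL-specific; if this loop is shared by several DBMS (the enclosing switch is outside the hunk), a comment stating that only phpBB-generated PostgreSQL dumps are expected here would document the assumption.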
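Review bot: Re-enabling `DROP TABLE $table_name;` in the PostgreSQL dump means a restore onto a database that lacks that table presumably fails at the first statement, since the restore loop above runs each statement through `$db->sql_query()` and special-cases only `CREATE DOMAIN`. If the supported PostgreSQL versions accept it, `$sql_data .= "DROP TABLE IF EXISTS $table_name;\n";` avoids that; otherwise a comment stating that dumps are meant to be restored over an existing schema would record the constraint. The MySQL extractor's behaviour is not visible here to compare.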
From: Meik Sievertsen Date: Mon, 21 Apr 2008 10:54:12 +0000 Subject: [PATCH 12/89] #25805 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8513 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/style.php | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index fcd18a199c..05725557d3 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -94,6 +94,7 @@
    32. [Change] Make utf8_htmlspecialchars not pass its argument by reference (Bug #21885)
    33. [Fix] Bring the PostgreSQL backup system back to working order (Bug #22385)
    34. [Change] Sort the tables at the database table backup screen
    35. +
    36. [Fix] Update correct theme for cached styles in style.php (Bug #25805)
    37. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/style.php b/phpBB/style.php index 599434d087..cb2bcff115 100644 --- a/phpBB/style.php +++ b/phpBB/style.php @@ -95,7 +95,7 @@ if ($id) $user = array('user_id' => ANONYMOUS); } - $sql = 'SELECT s.style_id, c.theme_data, c.theme_path, c.theme_name, c.theme_mtime, i.*, t.template_path + $sql = 'SELECT s.style_id, c.theme_id, c.theme_data, c.theme_path, c.theme_name, c.theme_mtime, i.*, t.template_path FROM ' . STYLES_TABLE . ' s, ' . STYLES_TEMPLATE_TABLE . ' t, ' . STYLES_THEME_TABLE . ' c, ' . STYLES_IMAGESET_TABLE . ' i WHERE s.style_id = ' . $id . ' AND t.template_id = s.template_id @@ -193,7 +193,7 @@ if ($id) ); $sql = 'UPDATE ' . STYLES_THEME_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . " - WHERE theme_id = $id"; + WHERE theme_id = {$theme['theme_id']}"; $db->sql_query($sql); $cache->destroy('sql', STYLES_THEME_TABLE); From 71d725ae9116972c1135771f04f3fb73251d9bfa Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 10:54:41 +0000 Subject: [PATCH 13/89] add PHPBB_INSTALLED check to file.php too git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8514 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/download/file.php | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 05725557d3..3c03801b23 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -95,6 +95,7 @@
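Review bot: `WHERE theme_id = {$theme['theme_id']}` interpolates a database row value where the previous code used the request-validated `$id`; the column is an integer, but keeping the same discipline as the rest of the query building — `WHERE theme_id = " . (int) $theme['theme_id'];` — makes the statement robust to an unexpected value and documents that the theme id, not the style id, is the update key (Bug #25805). A one-line comment above the SELECT noting that `c.theme_id` is fetched for that update would tie the two hunks together. The enclosing `if ($id)` block starts before the hunk.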
    38. [Fix] Bring the PostgreSQL backup system back to working order (Bug #22385)
    39. [Change] Sort the tables at the database table backup screen
    40. [Fix] Update correct theme for cached styles in style.php (Bug #25805)
    41. +
    42. [Fix] Also add PHPBB_INSTALLED check to download/file.php for inline avatar delivery
    43. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/download/file.php b/phpBB/download/file.php index 9940bf9aa5..1d325a500e 100644 --- a/phpBB/download/file.php +++ b/phpBB/download/file.php @@ -18,6 +18,12 @@ $phpEx = substr(strrchr(__FILE__, '.'), 1); if (isset($_GET['avatar'])) { require($phpbb_root_path . 'config.' . $phpEx); + + if (!defined('PHPBB_INSTALLED') || empty($dbms) || empty($acm_type)) + { + exit; + } + require($phpbb_root_path . 'includes/acm/acm_' . $acm_type . '.' . $phpEx); require($phpbb_root_path . 'includes/cache.' . $phpEx); require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx); From 0bb09825c8714338d03f861e83fa811c1dd5e4af Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 11:11:08 +0000 Subject: [PATCH 14/89] #25095 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8516 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_jabber.php | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 3c03801b23..11b348949d 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -96,6 +96,7 @@
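Review bot: The new guard repeats the one in style.php verbatim, and a bare `exit` answers avatar requests on a not-yet-installed board with an empty response; that is acceptable for an image, but a comment should say what the test protects, since `$dbms` and `$acm_type` feed the `require()` paths directly below it: `// Refuse to serve until installed; $dbms/$acm_type from config.php select the files required below`. Noting in the same comment that style.php carries the identical check helps keep the two copies in sync.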
    44. [Change] Sort the tables at the database table backup screen
    45. [Fix] Update correct theme for cached styles in style.php (Bug #25805)
    46. [Fix] Also add PHPBB_INSTALLED check to download/file.php for inline avatar delivery
    47. +
    48. [Fix] Unable to login to some jabber server, reverted previous change (Bug #25095)
    49. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/functions_jabber.php b/phpBB/includes/functions_jabber.php index 7633c10be9..6cae90d1c2 100644 --- a/phpBB/includes/functions_jabber.php +++ b/phpBB/includes/functions_jabber.php @@ -399,12 +399,13 @@ class jabber $second_time = isset($this->session['id']); $this->session['id'] = $xml['stream:stream'][0]['@']['id']; + /** Currently commented out due to problems with some jabber server - reason unknown if ($second_time) { // If we are here for the second time after TLS, we need to continue logging in $this->login(); return; - } + }*/ // go on with authentication? if (isset($this->features['stream:features'][0]['#']['bind']) || !empty($this->session['tls'])) From 76250ca55a20c49b3ff26424276b5e7cba3b5ec0 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 12:18:36 +0000 Subject: [PATCH 15/89] #25925 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8517 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_posting.php | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 11b348949d..091fcc0d09 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -97,6 +97,7 @@
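Review bot: Disabling the TLS re-login by wrapping it in a `/** ... */` block turns the dead code into a docblock, which documentation tools attach to the next statement; use a plain `/* ... */` (or delete the code and describe it) and put the bug reference inside it, e.g. `/* Disabled: second login after TLS fails against some servers (Bug #25095) - revisit before re-enabling */`. With the block commented out, `$second_time` is computed but never used, so either drop that assignment or note that it is kept for when the block returns. The enclosing method continues outside the hunk.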
    50. [Fix] Update correct theme for cached styles in style.php (Bug #25805)
    51. [Fix] Also add PHPBB_INSTALLED check to download/file.php for inline avatar delivery
    52. [Fix] Unable to login to some jabber server, reverted previous change (Bug #25095)
    53. +
    54. [Fix] Do not return BMP as valid image type for GD image manipulation (Bug #25925)
    55. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php index 2f12732e8b..709516a2b0 100644 --- a/phpBB/includes/functions_posting.php +++ b/phpBB/includes/functions_posting.php @@ -524,6 +524,8 @@ function get_supported_image_types($type = false) if ($type !== false) { + // Type is one of the IMAGETYPE constants - it is fetched from getimagesize() + // We do not use the constants here, because some were not available in PHP 4.3.x switch ($type) { // GIF @@ -545,8 +547,7 @@ function get_supported_image_types($type = false) $new_type = ($format & IMG_PNG) ? IMG_PNG : false; break; - // BMP, WBMP - case 6: + // WBMP case 15: $new_type = ($format & IMG_WBMP) ? IMG_WBMP : false; break; From 66de7f903a6f400884d8e9cc103066213cb3caf7 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 12:19:43 +0000 Subject: [PATCH 16/89] remove duplicate key git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8518 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/functions_user.php | 1 - 1 file changed, 1 deletion(-) diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 1d1a24389c..e8414d2ae1 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -183,7 +183,6 @@ function user_add($user_row, $cp_data = false) 'user_dateformat' => $config['default_dateformat'], 'user_lang' => $config['default_lang'], 'user_style' => (int) $config['default_style'], - 'user_allow_pm' => 1, 'user_actkey' => '', 'user_ip' => '', 'user_regdate' => time(), From 18e7a58f155446c2efd072dd0934565a33a81e66 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 13:05:49 +0000 Subject: [PATCH 17/89] did i ever mention that i hate php's handling of buffers (or i simply do not understand them) git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8519 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/functions.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index b6237020f1..67ef220c8d 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -3652,7 +3652,7 @@ function garbage_collection() */ function exit_handler() { - global $phpbb_hook; + global $phpbb_hook, $config; if (!empty($phpbb_hook) && $phpbb_hook->call_hook(__FUNCTION__)) { @@ -3663,7 +3663,7 @@ function exit_handler() } // As a pre-caution... some setups display a blank page if the flush() is not there. - @flush(); + (!$config['gzip_compress']) ? @flush() : @ob_flush(); exit; } From 9640f5b1083e31f57271c4084e09fc5717f185c6 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 13:17:30 +0000 Subject: [PATCH 18/89] remove the _f_ portion from redirect urls now they no longer exist git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8520 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/mcp/mcp_main.php | 12 ++++++------ phpBB/includes/mcp/mcp_queue.php | 4 ++-- phpBB/includes/mcp/mcp_reports.php | 6 +++--- phpBB/includes/mcp/mcp_topic.php | 4 ++-- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/phpBB/includes/mcp/mcp_main.php b/phpBB/includes/mcp/mcp_main.php index 3332ab04d8..b16bd8d816 100644 --- a/phpBB/includes/mcp/mcp_main.php +++ b/phpBB/includes/mcp/mcp_main.php @@ -235,7 +235,7 @@ function lock_unlock($action, $ids) } unset($orig_ids); - $redirect = request_var('redirect', build_url(array('_f_', 'action', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('action', 'quickmod'))); $s_hidden_fields = build_hidden_fields(array( $sql_id . '_list' => $ids, @@ -321,7 +321,7 @@ function change_topic_type($action, $topic_ids) break; } - $redirect = request_var('redirect', build_url(array('_f_', 'action', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('action', 'quickmod'))); $s_hidden_fields = array( 'topic_id_list' => $topic_ids, 
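Review bot: `(!$config['gzip_compress']) ? @flush() : @ob_flush();` reads `$config['gzip_compress']` unguarded, but exit_handler() may run before `$config` is populated (early errors, installer), where that index access raises a notice and the `@` silences only the flush call itself; `(empty($config['gzip_compress'])) ? @flush() : @ob_flush();` keeps the previous behaviour for that case. A ternary used purely for its side effects also reads oddly; an `if`/`else` under the comment already present would be plainer. Whether `$config` is always set when exit_handler() is reached cannot be confirmed from the hunk.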
@@ -542,7 +542,7 @@ function mcp_move_topic($topic_ids) } $to_forum_id = request_var('to_forum_id', 0); - $redirect = request_var('redirect', build_url(array('_f_', 'action', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('action', 'quickmod'))); $additional_msg = $success_msg = ''; $s_hidden_fields = build_hidden_fields(array( @@ -762,7 +762,7 @@ function mcp_delete_topic($topic_ids) return; } - $redirect = request_var('redirect', build_url(array('_f_', 'action', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('action', 'quickmod'))); $forum_id = request_var('f', 0); $s_hidden_fields = build_hidden_fields(array( @@ -818,7 +818,7 @@ function mcp_delete_post($post_ids) return; } - $redirect = request_var('redirect', build_url(array('_f_', 'action', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('action', 'quickmod'))); $forum_id = request_var('f', 0); $s_hidden_fields = build_hidden_fields(array( @@ -941,7 +941,7 @@ function mcp_fork_topic($topic_ids) $to_forum_id = request_var('to_forum_id', 0); $forum_id = request_var('f', 0); - $redirect = request_var('redirect', build_url(array('_f_', 'action', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('action', 'quickmod'))); $additional_msg = $success_msg = ''; $s_hidden_fields = build_hidden_fields(array( diff --git a/phpBB/includes/mcp/mcp_queue.php b/phpBB/includes/mcp/mcp_queue.php index 6d7f9ffaba..ae7f509d5f 100644 --- a/phpBB/includes/mcp/mcp_queue.php +++ b/phpBB/includes/mcp/mcp_queue.php @@ -459,7 +459,7 @@ function approve_post($post_id_list, $id, $mode) trigger_error('NOT_AUTHORISED'); } - $redirect = request_var('redirect', build_url(array('_f_', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('quickmod'))); $success_msg = ''; $s_hidden_fields = build_hidden_fields(array( 
@@ -758,7 +758,7 @@ function disapprove_post($post_id_list, $id, $mode) trigger_error('NOT_AUTHORISED'); } - $redirect = request_var('redirect', build_url(array('t', 'mode', '_f_', 'quickmod')) . "&mode=$mode"); + $redirect = request_var('redirect', build_url(array('t', 'mode', 'quickmod')) . "&mode=$mode"); $reason = utf8_normalize_nfc(request_var('reason', '', true)); $reason_id = request_var('reason_id', 0); $success_msg = $additional_msg = ''; diff --git a/phpBB/includes/mcp/mcp_reports.php b/phpBB/includes/mcp/mcp_reports.php index 9419a37ab8..ce55fec7df 100755 --- a/phpBB/includes/mcp/mcp_reports.php +++ b/phpBB/includes/mcp/mcp_reports.php @@ -450,15 +450,15 @@ function close_report($report_id_list, $mode, $action) if ($action == 'delete' && strpos($user->data['session_page'], 'mode=report_details') !== false) { - $redirect = request_var('redirect', build_url(array('mode', '_f_', 'r', 'quickmod')) . '&mode=reports'); + $redirect = request_var('redirect', build_url(array('mode', 'r', 'quickmod')) . '&mode=reports'); } else if ($action == 'close' && !request_var('r', 0)) { - $redirect = request_var('redirect', build_url(array('mode', '_f_', 'p', 'quickmod')) . '&mode=reports'); + $redirect = request_var('redirect', build_url(array('mode', 'p', 'quickmod')) . '&mode=reports'); } else { - $redirect = request_var('redirect', build_url(array('_f_', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('quickmod'))); } $success_msg = ''; $forum_ids = array(); diff --git a/phpBB/includes/mcp/mcp_topic.php b/phpBB/includes/mcp/mcp_topic.php index f8214e4f1b..a468712a25 100644 --- a/phpBB/includes/mcp/mcp_topic.php +++ b/phpBB/includes/mcp/mcp_topic.php @@ -386,7 +386,7 @@ function split_topic($action, $topic_id, $to_forum_id, $subject) return; } - $redirect = request_var('redirect', build_url(array('_f_', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('quickmod'))); $s_hidden_fields = build_hidden_fields(array( 'i' => 'main', 
@@ -550,7 +550,7 @@ function merge_posts($topic_id, $to_topic_id) return; } - $redirect = request_var('redirect', build_url(array('_f_', 'quickmod'))); + $redirect = request_var('redirect', build_url(array('quickmod'))); $s_hidden_fields = build_hidden_fields(array( 'i' => 'main', From af8cb0674b0faa338a840b4144b1da66be5dad64 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 13:20:13 +0000 Subject: [PATCH 19/89] #24665 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8521 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_privmsgs.php | 21 +++++++++++++++++++++ phpBB/includes/ucp/ucp_pm.php | 19 ++----------------- 3 files changed, 24 insertions(+), 17 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 091fcc0d09..2c75581b7f 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -98,6 +98,7 @@
    56. [Fix] Also add PHPBB_INSTALLED check to download/file.php for inline avatar delivery
    57. [Fix] Unable to login to some jabber server, reverted previous change (Bug #25095)
    58. [Fix] Do not return BMP as valid image type for GD image manipulation (Bug #25925)
    59. +
    60. [Change] For determining the maximum number of private messages in one box, use the biggest value from all groups the user is a member of (Bug #24665)
    61. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php index bffa64158a..834bcfea51 100644 --- a/phpBB/includes/functions_privmsgs.php +++ b/phpBB/includes/functions_privmsgs.php @@ -1803,4 +1803,25 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode return true; } +/** +* Set correct users max messages in PM folder. +* If several group memberships define different amount of messages, the highest will be chosen. +*/ +function set_user_message_limit() +{ + global $user, $db, $config; + + // Get maximum about from user memberships - if it is 0, there is no limit set and we use the maximum value within the config. + $sql = 'SELECT MAX(g.group_message_limit) as max_message_limit + FROM ' . GROUPS_TABLE . ' g, ' . USER_GROUP_TABLE . ' ug + WHERE ug.user_id = ' . $user->data['user_id'] . ' + AND ug.user_pending = 0 + AND ug.group_id = g.group_id'; + $result = $db->sql_query($sql); + $message_limit = (int) $db->sql_fetchfield('max_message_limit'); + $db->sql_freeresult($result); + + $user->data['message_limit'] = (!$message_limit) ? $config['pm_max_msgs'] : $message_limit; +} + ?> \ No newline at end of file diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php index 46b23efb54..b4ac0c11da 100644 --- a/phpBB/includes/ucp/ucp_pm.php +++ b/phpBB/includes/ucp/ucp_pm.php @@ -129,15 +129,7 @@ class ucp_pm break; case 'options': - $sql = 'SELECT group_message_limit - FROM ' . GROUPS_TABLE . ' - WHERE group_id = ' . $user->data['group_id']; - $result = $db->sql_query($sql, 3600); - $message_limit = (int) $db->sql_fetchfield('group_message_limit'); - $db->sql_freeresult($result); - - $user->data['message_limit'] = (!$message_limit) ? $config['pm_max_msgs'] : $message_limit; - + set_user_message_limit(); get_folder($user->data['user_id']); include($phpbb_root_path . 'includes/ucp/ucp_pm_options.' . $phpEx); 
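Review bot: `set_user_message_limit()` interpolates `$user->data['user_id']` into the `WHERE ug.user_id =` clause without a cast; the value presumably arrives from the session row as an integer, but an explicit `(int)` makes that guarantee local to the query rather than a property of the caller's data: `WHERE ug.user_id = ' . (int) $user->data['user_id'] . '`. The docblock should also state that the function returns nothing and instead writes to `$user->data['message_limit']`, falling back to `$config['pm_max_msgs']` when no group defines a limit, since that side effect is the whole contract. The inline comment `Get maximum about from user memberships` reads as a typo for `amount`.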
@@ -168,14 +160,7 @@ class ucp_pm case 'view': - $sql = 'SELECT group_message_limit - FROM ' . GROUPS_TABLE . ' - WHERE group_id = ' . $user->data['group_id']; - $result = $db->sql_query($sql, 3600); - $message_limit = (int) $db->sql_fetchfield('group_message_limit'); - $db->sql_freeresult($result); - - $user->data['message_limit'] = (!$message_limit) ? $config['pm_max_msgs'] : $message_limit; + set_user_message_limit(); if ($folder_specified) { From fa22522236cd608286863faca5412a37e6eeab2c Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 13:20:41 +0000 Subject: [PATCH 20/89] #23525 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8522 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_upload.php | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 2c75581b7f..52d5fc6c3b 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -99,6 +99,7 @@
    62. [Fix] Unable to login to some jabber server, reverted previous change (Bug #25095)
    63. [Fix] Do not return BMP as valid image type for GD image manipulation (Bug #25925)
    64. [Change] For determining the maximum number of private messages in one box, use the biggest value from all groups the user is a member of (Bug #24665)
    65. +
    66. [Fix] Correctly determine safe mode for temp file creation in functions_upload.php (Bug #23525)
    67. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/functions_upload.php b/phpBB/includes/functions_upload.php index ca4f51c12f..50108068cd 100644 --- a/phpBB/includes/functions_upload.php +++ b/phpBB/includes/functions_upload.php @@ -257,7 +257,7 @@ class filespec return false; } - $upload_mode = (@ini_get('open_basedir') || @ini_get('safe_mode')) ? 'move' : 'copy'; + $upload_mode = (@ini_get('open_basedir') || @ini_get('safe_mode') || strtolower(@ini_get('safe_mode')) == 'on') ? 'move' : 'copy'; $upload_mode = ($this->local) ? 'local' : $upload_mode; $this->destination_file = $this->destination_path . '/' . basename($this->realname); @@ -741,7 +741,7 @@ class fileupload return $file; } - $tmp_path = (!@ini_get('safe_mode')) ? false : $phpbb_root_path . 'cache'; + $tmp_path = (!@ini_get('safe_mode') || strtolower(@ini_get('safe_mode')) == 'off') ? false : $phpbb_root_path . 'cache'; $filename = tempnam($tmp_path, unique_id() . '-'); if (!($fp = @fopen($filename, 'wb'))) From 89474a8e3abc4d453b05656faa7048ad10e3320a Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 13:36:32 +0000 Subject: [PATCH 21/89] we slowly get to it git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8523 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/functions.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 67ef220c8d..600506d08f 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2941,6 +2941,12 @@ function msg_handler($errno, $msg_text, $errfile, $errline) if (strpos($errfile, 'cache') === false && strpos($errfile, 'template.') === false) { // flush the content, else we get a white page if output buffering is on + if (strtolower(@ini_get('output_buffering')) !== 'off') + { + @ob_end_flush(); + } + + // Another quick fix for those having gzip compression enabled if ($config['gzip_compress']) { if (@extension_loaded('zlib') && !headers_sent()) 
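Review bot: The added `|| strtolower(@ini_get('safe_mode')) == 'on'` clause in the `filespec` hunk (`@@ -257`) is redundant: any non-empty string, `'on'` included, already satisfies the preceding `@ini_get('safe_mode')` test. The case the commit is after is the opposite one — a literal `'off'` string is truthy too, so this hunk still selects `'move'` when safe mode is reported as off, whereas the second hunk (`@@ -741`) treats `'off'` correctly. Mirroring that test keeps both sites consistent: `$safe_mode = (@ini_get('safe_mode') && strtolower(@ini_get('safe_mode')) != 'off');` followed by `$upload_mode = (@ini_get('open_basedir') || $safe_mode) ? 'move' : 'copy';`. Both enclosing methods start and end outside their hunks.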
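Review bot: `strtolower(@ini_get('output_buffering')) !== 'off'` in the `msg_handler` hunk (`@@ -2941`) infers buffer state from the ini string, but `ini_get()` commonly reports a disabled boolean setting as `''` or `'0'` rather than `'off'`, so `@ob_end_flush()` still runs when no buffer is open and the resulting notice is merely hidden by `@`. Testing the real buffer state is more direct and needs no suppression: `if (ob_get_level()) { ob_end_flush(); }`. Since this also closes any buffer the script opened itself, a short comment saying the following `gzip_compress` branch is expected to run with no buffer active would make the ordering intentional. `msg_handler` starts and ends outside the hunk.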
From 2c2da40f1be8e05de37e602f0173feba1cee4373 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 14:43:03 +0000 Subject: [PATCH 22/89] #24435 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8524 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/memberlist.php | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 52d5fc6c3b..47788afd17 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -100,6 +100,7 @@
    68. [Fix] Do not return BMP as valid image type for GD image manipulation (Bug #25925)
    69. [Change] For determining the maximum number of private messages in one box, use the biggest value from all groups the user is a member of (Bug #24665)
    70. [Fix] Correctly determine safe mode for temp file creation in functions_upload.php (Bug #23525)
    71. +
    72. [Fix] Correctly sort by rank in memberlist (Bug #24435)
    73. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/memberlist.php b/phpBB/memberlist.php index a4c6b18f8f..7f7657a3a4 100644 --- a/phpBB/memberlist.php +++ b/phpBB/memberlist.php @@ -896,7 +896,7 @@ switch ($mode) } $sort_key_text['m'] = $user->lang['SORT_RANK']; - $sort_key_sql['m'] = 'u.user_rank DESC, u.user_posts'; + $sort_key_sql['m'] = 'u.user_rank'; $sort_dir_text = array('a' => $user->lang['ASCENDING'], 'd' => $user->lang['DESCENDING']); @@ -1156,6 +1156,12 @@ switch ($mode) $order_by .= $sort_key_sql[$sort_key] . ' ' . (($sort_dir == 'a') ? 'ASC' : 'DESC'); + // Unfortunately we must do this here for sorting by rank, else the sort order is applied wrongly + if ($sort_key == 'm') + { + $order_by .= ', u.user_posts DESC'; + } + // Count the users ... if ($sql_where) { From cc78a5302375747328abae09dda9ccf98e9b9121 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 21 Apr 2008 15:02:22 +0000 Subject: [PATCH 23/89] #24245 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8525 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/acp/acp_database.php | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 47788afd17..9bbc7e893c 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -101,6 +101,7 @@
    74. [Change] For determining the maximum number of private messages in one box, use the biggest value from all groups the user is a member of (Bug #24665)
    75. [Fix] Correctly determine safe mode for temp file creation in functions_upload.php (Bug #23525)
    76. [Fix] Correctly sort by rank in memberlist (Bug #24435)
    77. +
    78. [Fix] Purge cache after database restore (Bug #24245)
    79. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/acp/acp_database.php b/phpBB/includes/acp/acp_database.php index eaf3145107..d626008618 100644 --- a/phpBB/includes/acp/acp_database.php +++ b/phpBB/includes/acp/acp_database.php @@ -25,7 +25,7 @@ class acp_database function main($id, $mode) { - global $db, $user, $auth, $template, $table_prefix; + global $cache, $db, $user, $auth, $template, $table_prefix; global $config, $phpbb_root_path, $phpbb_admin_path, $phpEx; $user->add_lang('acp/database'); @@ -159,12 +159,13 @@ class acp_database $extractor->write_end(); + add_log('admin', 'LOG_DB_BACKUP'); + if ($download == true) { exit; } - add_log('admin', 'LOG_DB_BACKUP'); trigger_error($user->lang['BACKUP_SUCCESS'] . adm_back_link($this->u_action)); break; @@ -399,6 +400,9 @@ class acp_database $close($fp); + // Purge the cache due to updated data + $cache->purge(); + add_log('admin', 'LOG_DB_RESTORE'); trigger_error($user->lang['RESTORE_SUCCESS'] . adm_back_link($this->u_action)); break; From c9d4d3c9558b71bf5c9c79add9b0992bf4836366 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 28 Apr 2008 14:02:53 +0000 Subject: [PATCH 24/89] bitwise operations on large values (>2GiB) on 32-bit systems (no-no) git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8529 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/acp/acp_attachments.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/includes/acp/acp_attachments.php b/phpBB/includes/acp/acp_attachments.php index 9c76459031..0756c14140 100644 --- a/phpBB/includes/acp/acp_attachments.php +++ b/phpBB/includes/acp/acp_attachments.php 
@@ -156,7 +156,7 @@ class acp_attachments if (in_array($config_name, array('attachment_quota', 'max_filesize', 'max_filesize_pm'))) { $size_var = request_var($config_name, ''); - $this->new_config[$config_name] = $config_value = ($size_var == 'kb') ? ($config_value << 10) : (($size_var == 'mb') ? ($config_value << 20) : $config_value); + $this->new_config[$config_name] = $config_value = ($size_var == 'kb') ? round($config_value * 1024) : (($size_var == 'mb') ? round($config_value * 1048576) : $config_value); } if ($submit) @@ -510,7 +510,7 @@ class acp_attachments $allowed_forums = request_var('allowed_forums', array(0)); $allow_in_pm = (isset($_POST['allow_in_pm'])) ? true : false; $max_filesize = request_var('max_filesize', 0); - $max_filesize = ($size_select == 'kb') ? ($max_filesize << 10) : (($size_select == 'mb') ? ($max_filesize << 20) : $max_filesize); + $max_filesize = ($size_select == 'kb') ? round($max_filesize * 1024) : (($size_select == 'mb') ? round($max_filesize * 1048576) : $max_filesize); $allow_group = (isset($_POST['allow_group'])) ? true : false; if ($max_filesize == $config['max_filesize']) @@ -1443,4 +1443,4 @@ class acp_attachments } -?> \ No newline at end of file +?> From 4e76553c2284237e9024ddfd1a0be8edb0651af7 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Mon, 28 Apr 2008 17:13:50 +0000 Subject: [PATCH 25/89] Thanks NBBN git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8530 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/acp/acp_styles.php | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/phpBB/includes/acp/acp_styles.php b/phpBB/includes/acp/acp_styles.php index 88850d59b3..dd5255f755 100644 --- a/phpBB/includes/acp/acp_styles.php +++ b/phpBB/includes/acp/acp_styles.php 
@@ -695,6 +695,15 @@ parse_css_file = {PARSE_CSS_FILE} { trigger_error($user->lang['NO_TEMPLATE'] . adm_back_link($this->u_action), E_USER_WARNING); } + + if ($save_changes && !check_form_key('acp_styles')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + else if (!$save_changes) + { + add_form_key('acp_styles'); + } // save changes to the template if the user submitted any if ($save_changes && $template_file) From b7b79bc5c62189cd6d38c8747b434c87e726d7ec Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Wed, 30 Apr 2008 15:55:44 +0000 Subject: [PATCH 26/89] git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8531 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/acp/acp_attachments.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/acp/acp_attachments.php b/phpBB/includes/acp/acp_attachments.php index 0756c14140..53be176924 100644 --- a/phpBB/includes/acp/acp_attachments.php +++ b/phpBB/includes/acp/acp_attachments.php @@ -1443,4 +1443,4 @@ class acp_attachments } -?> +?> \ No newline at end of file From b78f85febd246691f65a3fb752d1a1ff3c009273 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Fri, 2 May 2008 14:35:16 +0000 Subject: [PATCH 27/89] #25205 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8533 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/adm/style/acp_forums.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/adm/style/acp_forums.html b/phpBB/adm/style/acp_forums.html index e4662d9280..636d4ded7b 100644 --- a/phpBB/adm/style/acp_forums.html +++ b/phpBB/adm/style/acp_forums.html @@ -96,7 +96,7 @@ « {L_BACK} -
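Review bot: The form-key check gates only `$save_changes`; if this handler performs any other state change on the same request (the hunk's context mentions `$template_file`, and the rest of the function is outside the hunk), those paths remain without the `check_form_key('acp_styles')` guard and should get the same treatment. The `else if (!$save_changes)` branch means a request that fails validation is not issued a fresh token, which only works because `trigger_error(..., E_USER_WARNING)` terminates the request here; a one-line comment would keep a later refactor from turning that into a dead form: `// Token is added on display only; a failed check ends the request in trigger_error()`.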

      {L_TITLE} :: {FORUM_NAME}

      +

      {L_TITLE} :: {FORUM_NAME}

      {L_FORUM_EDIT_EXPLAIN}

      From 968cccfb56476d70ce3f6c0c8e84e9df708040bf Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Fri, 2 May 2008 16:36:52 +0000 Subject: [PATCH 28/89] #26605 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8536 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/viewtopic.php | 1 - 1 file changed, 1 deletion(-) diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php index daae349401..810f944529 100644 --- a/phpBB/viewtopic.php +++ b/phpBB/viewtopic.php @@ -1003,7 +1003,6 @@ while ($row = $db->sql_fetchrow($result)) 'rank_image' => '', 'rank_image_src' => '', 'sig' => '', - 'posts' => '', 'profile' => '', 'pm' => '', 'email' => '', From 57b5e87b1c7395443f99fc737946af1931a30218 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 4 May 2008 14:44:28 +0000 Subject: [PATCH 29/89] #14830 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8543 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/styles/prosilver/theme/bidi.css | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 9bbc7e893c..222e5f762d 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -102,6 +102,7 @@
    80. [Fix] Correctly determine safe mode for temp file creation in functions_upload.php (Bug #23525)
    81. [Fix] Correctly sort by rank in memberlist (Bug #24435)
    82. [Fix] Purge cache after database restore (Bug #24245)
    83. +
    84. [Fix] Correctly display subforum read/unread icons from RTL in FF3, Konqueror and Safari3+. (thanks arod-1 for the fix, related to Bug #14830)
    85. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/styles/prosilver/theme/bidi.css b/phpBB/styles/prosilver/theme/bidi.css index fc0b306a6c..3cc34f46d7 100644 --- a/phpBB/styles/prosilver/theme/bidi.css +++ b/phpBB/styles/prosilver/theme/bidi.css @@ -253,9 +253,8 @@ } .rtl ul.topiclist li.row dt a.subforum { - padding: 0 0 0 12px; - background-position: 100% 100%; - position: static; + padding-right: 12px; + background-position: right; } .rtl .forum-image { From d3c685c652646eafa050106eff945b3039439d91 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 4 May 2008 14:44:48 +0000 Subject: [PATCH 30/89] it is indeed no longer required git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8544 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 08f6512424..8239921ba8 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -68,7 +68,7 @@ class session foreach ($args as $key => $argument) { - if (strpos($argument, 'sid=') === 0 || strpos($argument, '_f_=') === 0) + if (strpos($argument, 'sid=') === 0) { continue; } From ae3dd106049e0b7429719862c82250ad2d28ffd7 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Thu, 8 May 2008 17:35:40 +0000 Subject: [PATCH 31/89] just one quick fix to the bidi fix git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8552 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/styles/prosilver/theme/bidi.css | 1 + 1 file changed, 1 insertion(+) diff --git a/phpBB/styles/prosilver/theme/bidi.css b/phpBB/styles/prosilver/theme/bidi.css index 3cc34f46d7..a5327bd0d1 100644 --- a/phpBB/styles/prosilver/theme/bidi.css +++ b/phpBB/styles/prosilver/theme/bidi.css @@ -255,6 +255,7 @@ .rtl ul.topiclist li.row dt a.subforum { padding-right: 12px; background-position: right; + position: static; } .rtl .forum-image { From 9413af5e1a59a9bfc01fb5d3896a2fb5d34055f4 Mon Sep 17 00:00:00 2001 
From: Henry Sudhof Date: Thu, 15 May 2008 13:29:14 +0000 Subject: [PATCH 32/89] So, tighten things up a little further. QA Team, please check this. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8554 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 2 ++ phpBB/includes/acp/acp_board.php | 11 ++++++ phpBB/includes/constants.php | 5 +++ phpBB/includes/session.php | 50 +++++++++++++++++++++++++-- phpBB/install/database_update.php | 4 +++ phpBB/install/schemas/schema_data.sql | 1 + phpBB/language/en/acp/board.php | 11 +++--- phpBB/language/en/acp/common.php | 1 + 8 files changed, 77 insertions(+), 8 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 222e5f762d..3e1ae339f9 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -103,6 +103,8 @@
    86. [Fix] Correctly sort by rank in memberlist (Bug #24435)
    87. [Fix] Purge cache after database restore (Bug #24245)
    88. [Fix] Correctly display subforum read/unread icons from RTL in FF3, Konqueror and Safari3+. (thanks arod-1 for the fix, related to Bug #14830)
    89. +
    90. [Feature] Added optional referer validation of POST requests as additional CSRF protection.
    91. +
    92. [Fix] Added missing form token in acp (thanks NBBN).
    93. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 4d82926ca2..4a42f1fd8b 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -323,6 +323,7 @@ class acp_board 'ip_check' => array('lang' => 'IP_VALID', 'validate' => 'int', 'type' => 'custom', 'method' => 'select_ip_check', 'explain' => true), 'browser_check' => array('lang' => 'BROWSER_VALID', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), 'forwarded_for_check' => array('lang' => 'FORWARDED_FOR_VALID', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), + 'referer_validation' => array('lang' => 'REFERER_VALID', 'validate' => 'int:0:3','type' => 'custom', 'method' => 'select_ref_check', 'explain' => true), 'check_dnsbl' => array('lang' => 'CHECK_DNSBL', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), 'email_check_mx' => array('lang' => 'EMAIL_CHECK_MX', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), 'pass_complex' => array('lang' => 'PASSWORD_TYPE', 'validate' => 'string', 'type' => 'select', 'method' => 'select_password_chars', 'explain' => true), @@ -676,7 +677,17 @@ class acp_board return h_radio('config[ip_check]', $radio_ary, $value, $key); } + + /** + * Select referer validation + */ + function select_ref_check($value, $key = '') + { + $radio_ary = array(REFERER_VALIDATE_PATH => 'REF_PATH', REFERER_VALIDATE_HOST => 'REF_HOST', REFERER_VALIDATE_NONE => 'NO_REF_VALIDATION'); + return h_radio('config[referer_validation]', $radio_ary, $value, $key); + } + /** * Select account activation method */ diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index eb4eb77f22..7c681a4040 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php 
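Review bot: `'validate' => 'int:0:3'` for `referer_validation` accepts the value 3, but `select_ref_check` only offers `REFERER_VALIDATE_NONE`, `REFERER_VALIDATE_HOST` and `REFERER_VALIDATE_PATH` (0, 1 and 2 in the constants hunk of this patch), so a value no branch handles passes validation and is stored; tighten it to `'validate' => 'int:0:2'`. The `select_ref_check` docblock could also say it renders the radio group for the `config[referer_validation]` setting, matching the sibling `select_ip_check` above it, and the missing space after `'int:0:3',` is a style nit.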
@@ -171,6 +171,11 @@ define('FIELD_BOOL', 4); define('FIELD_DROPDOWN', 5); define('FIELD_DATE', 6); +// referer validation +define('REFERER_VALIDATE_NONE', 0); +define('REFERER_VALIDATE_HOST', 1); +define('REFERER_VALIDATE_PATH', 2); + // Additional constants define('VOTE_CONVERTED', 127); diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 8239921ba8..33fce6731b 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -158,6 +158,7 @@ class session $this->cookie_data = array('u' => 0, 'k' => ''); $this->update_session_page = $update_session_page; $this->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : ''; + $this->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : ''; $this->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : ''; $this->host = (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME')); $this->page = $this->extract_current_page($phpbb_root_path); @@ -263,8 +264,17 @@ class session $s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : ''; $u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : ''; + + // referer checks + $check_referer_path = $config['referer_validation'] == REFERER_VALIDATE_PATH; + $referer_valid = true; + if ($config['referer_validation'] && isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) !== 'get') + { + $referer_valid = $this->validate_referer($check_referer_path); + } + - if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for) + if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid) { $session_expired = false; 
@@ -343,7 +353,14 @@ class session // Added logging temporarly to help debug bugs... if (defined('DEBUG_EXTRA') && $this->data['user_id'] != ANONYMOUS) { - add_log('critical', 'LOG_IP_BROWSER_FORWARDED_CHECK', $u_ip, $s_ip, $u_browser, $s_browser, htmlspecialchars($u_forwarded_for), htmlspecialchars($s_forwarded_for)); + if ($referer_valid) + { + add_log('critical', 'LOG_IP_BROWSER_FORWARDED_CHECK', $u_ip, $s_ip, $u_browser, $s_browser, htmlspecialchars($u_forwarded_for), htmlspecialchars($s_forwarded_for)); + } + else + { + add_log('critical', 'LOG_REFERER_INVALID', $this->referer); + } } } } @@ -1279,6 +1296,35 @@ class session $this->set_login_key($user_id); } } + + + /** + * Check if the request originated from the same page. + * @param bool $check_script_path If true, the path will be checked as well + */ + function validate_referer($check_script_path = false) + { + // no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason) + if (empty($this->referer) || empty($this->host) ) + { + return true; + } + $host = htmlspecialchars($this->host); + $ref = substr($this->referer, strpos($this->referer, '://') + 3); + if (!(stripos($ref , $host) === 0)) + { + return false; + } + else if ($check_script_path && !empty(rtrim($this->page['root_script_path'], '/'))) + { + $ref = substr($ref, strlen($host)); + if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0)) + { + return false; + } + } + return true; + } } diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php index 211bbec8d1..bead1cad93 100644 --- a/phpBB/install/database_update.php +++ b/phpBB/install/database_update.php @@ -1740,6 +1740,10 @@ function change_database_data($version) // TODO: remove all form token min times break; + + case '3.0.1': + + set_config('referer_validation', '1'); } } 
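Review bot: `empty(rtrim($this->page['root_script_path'], '/'))` in `validate_referer` is a parse error on PHP releases before 5.5, where `empty()` accepts only variables; assign the trimmed path to a local first and test it with `!== ''`. The host comparison `stripos($ref, $host) === 0` is a prefix match with no boundary at the end of the authority component, so a referer whose host merely begins with the board's host is accepted — compare the whole host part (everything before the first `/`, `?` or `#`) for equality instead; the path test has the same prefix character and deserves the same anchoring. Note too that `$this->host` is taken from the request's own `HTTP_HOST` header, so the check validates one request header against another; if the board has a configured server name (phpBB's `server_name`/`force_server_vars` settings), comparing against that is the stronger reference, and since an absent referer deliberately passes, this stays a defence-in-depth layer behind the form tokens rather than a replacement.
```php
function validate_referer($check_script_path = false)
{
    // … unchanged: early return when referer or host is empty …
    $host = htmlspecialchars($this->host);
    $ref = substr($this->referer, strpos($this->referer, '://') + 3);

    // Compare the complete host part of the referer, not only a prefix of it
    $ref_host = strtolower(substr($ref, 0, strcspn($ref, '/?#')));
    if ($ref_host !== strtolower($host))
    {
        return false;
    }

    // empty() on a function result does not parse before PHP 5.5
    $root_path = rtrim($this->page['root_script_path'], '/');
    if ($check_script_path && $root_path !== '')
    {
        $ref = substr($ref, strlen($ref_host));
        if (!(stripos(rtrim($ref, '/'), $root_path) === 0))
        {
            return false;
        }
    }
    return true;
}
```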
diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql index 43ab04d77e..2d417129ed 100644 --- a/phpBB/install/schemas/schema_data.sql +++ b/phpBB/install/schemas/schema_data.sql @@ -184,6 +184,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('print_pm', '1'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('queue_interval', '600'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('ranks_path', 'images/ranks'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('require_activation', '0'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('referer_validation', '1'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', ''); INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_block_size', '250'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_gc', '7200'); diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php index f328c05882..ae122c54ee 100644 --- a/phpBB/language/en/acp/board.php +++ b/phpBB/language/en/acp/board.php @@ -206,10 +206,6 @@ $lang = array_merge($lang, array( 'ENABLE_COPPA_EXPLAIN' => 'This requires users to declare whether they are 13 or over for compliance with the U.S. COPPA. If this is disabled the COPPA specific groups will no longer be displayed.', 'MAX_CHARS' => 'Max', 'MIN_CHARS' => 'Min', - 'MIN_TIME_REG' => 'Minimum time for registration', - 'MIN_TIME_REG_EXPLAIN' => 'The registration form cannot be submitted before this time has passed.', - 'MIN_TIME_TERMS' => 'Minimum time for accepting terms', - 'MIN_TIME_TERMS_EXPLAIN' => 'The terms page cannot be skipped before this time has passed.', 'NO_AUTH_PLUGIN' => 'No suitable auth plugin found.', 'PASSWORD_LENGTH' => 'Password length', 'PASSWORD_LENGTH_EXPLAIN' => 'Minimum and maximum number of characters in passwords.', 
@@ -375,8 +371,6 @@ $lang = array_merge($lang, array( 'FORCE_PASS_CHANGE_EXPLAIN' => 'Require user to change their password after a set number of days. Setting this value to 0 disables this behaviour.', 'FORM_TIME_MAX' => 'Maximum time to submit forms', 'FORM_TIME_MAX_EXPLAIN' => 'The time a user has to submit a form. Use -1 to disable. Note that a form might become invalid if the session expires, regardless of this setting.', - 'FORM_TIME_MIN' => 'Minimum time to submit forms', - 'FORM_TIME_MIN_EXPLAIN' => 'Submissions faster than this time are ignored by the board. Use 0 to disable.', 'FORM_SID_GUESTS' => 'Tie forms to guest sessions', 'FORM_SID_GUESTS_EXPLAIN' => 'If enabled, the form token issued to guests will be session-exclusive. This can cause problems with some ISPs.', 'FORWARDED_FOR_VALID' => 'Validated X_FORWARDED_FOR header', 
@@ -386,12 +380,17 @@ $lang = array_merge($lang, array( 'MAX_LOGIN_ATTEMPTS' => 'Maximum number of login attempts', 'MAX_LOGIN_ATTEMPTS_EXPLAIN' => 'After this number of failed logins the user needs to additionally confirm his login visually (visual confirmation).', 'NO_IP_VALIDATION' => 'None', + 'NO_REF_VALIDATION' => 'None', 'PASSWORD_TYPE' => 'Password complexity', 'PASSWORD_TYPE_EXPLAIN' => 'Determines how complex a password needs to be when set or altered, subsequent options include the previous ones.', 'PASS_TYPE_ALPHA' => 'Must contain letters and numbers', 'PASS_TYPE_ANY' => 'No requirements', 'PASS_TYPE_CASE' => 'Must be mixed case', 'PASS_TYPE_SYMBOL' => 'Must contain symbols', + 'REF_HOST' => 'Only validate host', + 'REF_PATH' => 'Also validate path', + 'REFERER_VALID' => 'Validate Referer', + 'REFERER_VALID_EXPLAIN' => 'If enabled, the referer of POST requests will be checked against the host/script path settings. This may cause issues with boards using several domains and or external logins.', 'TPL_ALLOW_PHP' => 'Allow php in templates', 'TPL_ALLOW_PHP_EXPLAIN' => 'If this option is enabled, PHP and INCLUDEPHP statements will be recognised and parsed in templates.', )); diff --git a/phpBB/language/en/acp/common.php b/phpBB/language/en/acp/common.php index f380b1f570..85c57fb1c3 100644 --- a/phpBB/language/en/acp/common.php +++ b/phpBB/language/en/acp/common.php @@ -608,6 +608,7 @@ $lang = array_merge($lang, array( 'LOG_REASON_REMOVED' => 'Removed report/denial reason
      » %s', 'LOG_REASON_UPDATED' => 'Updated report/denial reason
      » %s', + 'LOG_REFERER_INVALID' => 'Referer validation failed
      »Referer was “%1$s”. The request was rejected and the session killed.', 'LOG_RESET_DATE' => 'Board start date reset', 'LOG_RESET_ONLINE' => 'Most users online reset', 'LOG_RESYNC_POSTCOUNTS' => 'User post counts resynchronised', From fc12c0021961f369090a3ea9fdcd62ef4d51505e Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Thu, 15 May 2008 14:10:11 +0000 Subject: [PATCH 33/89] And more new features for reasonable paranoia. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8555 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/acp/acp_attachments.php | 4 +- phpBB/includes/functions_posting.php | 5 +++ phpBB/includes/functions_upload.php | 59 +++++++++++++++++++++++++- phpBB/includes/functions_user.php | 2 +- phpBB/install/database_update.php | 9 ++-- phpBB/install/schemas/schema_data.sql | 4 +- phpBB/language/en/acp/attachments.php | 2 + phpBB/language/en/common.php | 1 + phpBB/language/en/posting.php | 1 + 10 files changed, 79 insertions(+), 9 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 3e1ae339f9..ef68d5113d 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -105,6 +105,7 @@
    94. [Fix] Correctly display subforum read/unread icons from RTL in FF3, Konqueror and Safari3+. (thanks arod-1 for the fix, related to Bug #14830)
    95. [Feature] Added optional referer validation of POST requests as additional CSRF protection.
    96. [Fix] Added missing form token in acp (thanks NBBN).
    97. +
    98. [Feature] Added optional stricter upload validation to avoid mime sniffing in addition to the safeguards provided by file.php. (thanks to Nicolas Grekas for compiling the list).
    99. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/acp/acp_attachments.php b/phpBB/includes/acp/acp_attachments.php index 53be176924..4e8a8ef719 100644 --- a/phpBB/includes/acp/acp_attachments.php +++ b/phpBB/includes/acp/acp_attachments.php @@ -117,7 +117,9 @@ class acp_attachments 'max_attachments_pm' => array('lang' => 'MAX_ATTACHMENTS_PM', 'validate' => 'int', 'type' => 'text:3:3', 'explain' => false), 'secure_downloads' => array('lang' => 'SECURE_DOWNLOADS', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), 'secure_allow_deny' => array('lang' => 'SECURE_ALLOW_DENY', 'validate' => 'int', 'type' => 'custom', 'method' => 'select_allow_deny', 'explain' => true), - 'secure_allow_empty_referer' => array('lang' => 'SECURE_EMPTY_REFERRER', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), + 'secure_allow_empty_referer' => array('lang' => 'SECURE_EMPTY_REFERRER', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), + 'check_attachment_content' => array('lang' => 'CHECK_CONTENT', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), + 'legend2' => $l_legend_cat_images, 'img_display_inlined' => array('lang' => 'DISPLAY_INLINED', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php index 709516a2b0..a7b9cc5bd5 100644 --- a/phpBB/includes/functions_posting.php +++ b/phpBB/includes/functions_posting.php @@ -358,6 +358,11 @@ function upload_attachment($form_name, $forum_id, $local = false, $local_storage include_once($phpbb_root_path . 'includes/functions_upload.' . $phpEx); $upload = new fileupload(); + if ($config['check_attachment_content']) + { + $upload->set_disallowed_content(explode('|', $config['mime_triggers'])); + } + if (!$local) { $filedata['post_attach'] = ($upload->is_valid($form_name)) ? true : false; 
diff --git a/phpBB/includes/functions_upload.php b/phpBB/includes/functions_upload.php index 50108068cd..a1374b8d54 100644 --- a/phpBB/includes/functions_upload.php +++ b/phpBB/includes/functions_upload.php @@ -228,6 +228,34 @@ class filespec { return @filesize($filename); } + + + /** + * Check the first 256 bytes for forbidden content + */ + function check_content($disallowed_content) + { + if (empty($disallowed_content)) + { + return true; + } + + $fp = @fopen($this->filename, 'rb'); + + if ($fp !== false) + { + $ie_mime_relevant = fread($fp, 256); + fclose($fp); + foreach ($disallowed_content as $forbidden) + { + if (stripos($ie_mime_relevant, '<' . $forbidden) !== false) + { + return false; + } + } + } + return true; + } /** * Move file to destination folder @@ -427,6 +455,7 @@ class fileerror extends filespec class fileupload { var $allowed_extensions = array(); + var $disallowed_content = array(); var $max_filesize = 0; var $min_width = 0; var $min_height = 0; @@ -446,12 +475,13 @@ class fileupload * @param int $max_height Maximum image height (only checked for images) * */ - function fileupload($error_prefix = '', $allowed_extensions = false, $max_filesize = false, $min_width = false, $min_height = false, $max_width = false, $max_height = false) + function fileupload($error_prefix = '', $allowed_extensions = false, $max_filesize = false, $min_width = false, $min_height = false, $max_width = false, $max_height = false, $disallowed_content = false) { $this->set_allowed_extensions($allowed_extensions); $this->set_max_filesize($max_filesize); $this->set_allowed_dimensions($min_width, $min_height, $max_width, $max_height); $this->set_error_prefix($error_prefix); + $this->set_disallowed_content($disallowed_content); } /** @@ -463,6 +493,7 @@ class fileupload $this->min_width = $this->min_height = $this->max_width = $this->max_height = 0; $this->error_prefix = ''; $this->allowed_extensions = array(); + $this->disallowed_content = array(); } /** 
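Review bot: check_content() fails open — when `@fopen($this->filename, 'rb')` returns false the `if ($fp !== false)` branch is skipped and the method returns true, so a temp file the server cannot read passes the MIME-sniffing check unchecked; an upload that cannot be inspected should be rejected, and the unchecked `fread()` result has the same problem. A second gap comes from the callers, which build the list with `explode('|', $config['mime_triggers'])`: an empty setting yields `array('')`, which is not `empty()`, and the loop then tests `stripos($ie_mime_relevant, '<')`, rejecting any upload with a `<` in its first 256 bytes — blank entries should be skipped. The rewritten body is below; the enclosing filespec class starts outside the hunk.
```php
	function check_content($disallowed_content)
	{
		if (empty($disallowed_content))
		{
			return true;
		}

		$fp = @fopen($this->filename, 'rb');
		if ($fp === false)
		{
			// Fail closed: an upload we cannot read has not been checked.
			return false;
		}

		$ie_mime_relevant = fread($fp, 256);
		fclose($fp);

		if ($ie_mime_relevant === false)
		{
			return false;
		}

		foreach ($disallowed_content as $forbidden)
		{
			$forbidden = trim($forbidden);
			if ($forbidden === '')
			{
				// explode('|', '') yields array(''): a blank trigger would match every '<'
				continue;
			}

			if (stripos($ie_mime_relevant, '<' . $forbidden) !== false)
			{
				return false;
			}
		}

		return true;
	}
```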
@@ -497,6 +528,17 @@ class fileupload $this->max_filesize = (int) $max_filesize; } } + + /** + * Set disallowed strings + */ + function set_disallowed_content($disallowed_content) + { + if ($disallowed_content !== false && is_array($disallowed_content)) + { + $this->disallowed_content = $disallowed_content; + } + } /** * Set error prefix @@ -830,6 +872,12 @@ class fileupload { $file->error[] = sprintf($user->lang[$this->error_prefix . 'DISALLOWED_EXTENSION'], $file->get('extension')); } + + // MIME Sniffing + if (!$this->valid_content($file)) + { + $file->error[] = sprintf($user->lang[$this->error_prefix . 'DISALLOWED_CONTENT']); + } } /** @@ -869,6 +917,15 @@ class fileupload return (isset($_FILES[$form_name]) && $_FILES[$form_name]['name'] != 'none') ? true : false; } + + /** + * Check for allowed extension + */ + function valid_content(&$file) + { + return ($file->check_content($this->disallowed_content)); + } + /** * Return image type/extension mapping */ diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index e8414d2ae1..1d774a8ff4 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1952,7 +1952,7 @@ function avatar_upload($data, &$error) // Init upload class include_once($phpbb_root_path . 'includes/functions_upload.' . $phpEx); - $upload = new fileupload('AVATAR_', array('jpg', 'jpeg', 'gif', 'png'), $config['avatar_filesize'], $config['avatar_min_width'], $config['avatar_min_height'], $config['avatar_max_width'], $config['avatar_max_height']); + $upload = new fileupload('AVATAR_', array('jpg', 'jpeg', 'gif', 'png'), $config['avatar_filesize'], $config['avatar_min_width'], $config['avatar_min_height'], $config['avatar_max_width'], $config['avatar_max_height'], explode('|', $config['mime_triggers'])); if (!empty($_FILES['uploadfile']['name'])) { diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php index bead1cad93..94ccf75ecd 100644 
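Review bot: The new error line in the MIME-sniffing block calls `sprintf($user->lang[$this->error_prefix . 'DISALLOWED_CONTENT'])` with no format arguments, so sprintf adds nothing and would mangle a translation that happens to contain a `%`. Assign the string directly: `$file->error[] = $user->lang[$this->error_prefix . 'DISALLOWED_CONTENT'];`. The `additional_checks()` method this sits in starts and ends outside the hunk.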
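Review bot: The docblock on the new valid_content() reads `Check for allowed extension`, copied from the neighbouring method, and documents the wrong thing. Replace it with what the method does, e.g. `Check the file's leading bytes against the disallowed-content list set via set_disallowed_content(); returns false when any trigger matches`, and note that an empty list always passes, since that is the behaviour check_content() implements.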
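Review bot: avatar_upload() now passes `explode('|', $config['mime_triggers'])` to the fileupload constructor unconditionally, whereas upload_attachment() in functions_posting.php only sets the list when `$config['check_attachment_content']` is on, so the new ACP "Check attachment files" switch does not govern avatars. If always-on for avatars is intended, a short comment on that line would stop the next reader from "fixing" the inconsistency; otherwise gate it on the same key: `($config['check_attachment_content']) ? explode('|', $config['mime_triggers']) : false`. Either way the empty-setting case (`explode('|', '')` gives `array('')`) needs handling on the receiving side.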
--- a/phpBB/install/database_update.php +++ b/phpBB/install/database_update.php @@ -1736,14 +1736,15 @@ function change_database_data($version) _sql($sql, $errored, $error_ary); } } - - // TODO: remove all form token min times break; - - case '3.0.1': + case '3.0.1': + set_config('referer_validation', '1'); + set_config('check_attachment_content', '1'); + set_config('mime_triggers', 'body|head|html|img|plaintext|a href|pre|script|table|title'); + } } diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql index 2d417129ed..f8100e36ca 100644 --- a/phpBB/install/schemas/schema_data.sql +++ b/phpBB/install/schemas/schema_data.sql @@ -64,6 +64,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd', '0'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_foreground_noise', '0'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '25'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '25'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_attachment_content', '1'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_dnsbl', '0'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('chg_passforce', '0'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('cookie_domain', ''); 
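Review bot: The 3.0.1 step switches referer validation on for every upgraded board with `set_config('referer_validation', '1')`, while the explanation text added for the option in the same series warns it "may cause issues with boards using several domains and or external logins" — on such installs the first POST after upgrading is rejected and, per the new LOG_REFERER_INVALID entry, the session killed. That deserves an explicit mention in the upgrade notes, or the upgrade default could stay off so administrators opt in from the ACP. Using the named constant the session code compares against (REFERER_VALIDATE_PATH is visible in session.php; presumably a host-level counterpart exists) instead of the literal `'1'` would also keep the two in step.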
@@ -172,8 +173,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_sig_urls', '5' INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_name_chars', '3'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_pass_chars', '6'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_search_author_chars', '3'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_time_reg', '0'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_time_terms', '0'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('mime_triggers', 'body|head|html|img|plaintext|a href|pre|script|table|title'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('override_user_style', '0'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('pass_complex', 'PASS_TYPE_ANY'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('pm_edit_time', '0'); diff --git a/phpBB/language/en/acp/attachments.php b/phpBB/language/en/acp/attachments.php index 6edae1a4cc..594eb9de33 100644 --- a/phpBB/language/en/acp/attachments.php +++ b/phpBB/language/en/acp/attachments.php @@ -71,6 +71,8 @@ $lang = array_merge($lang, array( 'CAT_QUICKTIME_FILES' => 'Quicktime media files', 'CAT_RM_FILES' => 'RealMedia media files', 'CAT_WM_FILES' => 'Windows Media media files', + 'CHECK_CONTENT' => 'Check attachment files', + 'CHECK_CONTENT_EXPLAIN' => 'Some browsers can be tricked to assume an incorrect mimetype for uploaded files. This option ensures that such files likely to cause this are rejected.', 'CREATE_GROUP' => 'Create new group', 'CREATE_THUMBNAIL' => 'Create thumbnail', 'CREATE_THUMBNAIL_EXPLAIN' => 'Create a thumbnail in all possible situations.', diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php index db5f49339a..7739c63521 100644 --- a/phpBB/language/en/common.php +++ b/phpBB/language/en/common.php 
@@ -78,6 +78,7 @@ $lang = array_merge($lang, array( 'ATTACHED_IMAGE_NOT_IMAGE' => 'The image file you tried to attach is invalid.', 'AUTHOR' => 'Author', 'AUTH_NO_PROFILE_CREATED' => 'The creation of a user profile was unsuccessful.', + 'AVATAR_DISALLOWED_CONTENT' => 'The upload was rejected because the uploaded file was identified as a possible attack vector.', 'AVATAR_DISALLOWED_EXTENSION' => 'This file cannot be displayed because the extension %s is not allowed.', 'AVATAR_EMPTY_REMOTE_DATA' => 'The specified avatar could not be uploaded because the remote data appears to be invalid or corrupted.', 'AVATAR_EMPTY_FILEUPLOAD' => 'The uploaded avatar file is empty.', diff --git a/phpBB/language/en/posting.php b/phpBB/language/en/posting.php index 76878c8f7c..f75837e96f 100644 --- a/phpBB/language/en/posting.php +++ b/phpBB/language/en/posting.php @@ -82,6 +82,7 @@ $lang = array_merge($lang, array( 'DISABLE_BBCODE' => 'Disable BBCode', 'DISABLE_MAGIC_URL' => 'Do not automatically parse URLs', 'DISABLE_SMILIES' => 'Disable smilies', + 'DISALLOWED_CONTENT' => 'The upload was rejected because the uploaded file was identified as a possible attack vector.', 'DISALLOWED_EXTENSION' => 'The extension %s is not allowed.', 'DRAFT_LOADED' => 'Draft loaded into posting area, you may want to finish your post now.
      Your draft will be deleted after submitting this post.', 'DRAFT_LOADED_PM' => 'Draft loaded into message area, you may want to finish your private message now.
      Your draft will be deleted after submitting this private message.', From c5ba29e1faf708dc890fcc2acddf36ca25c321ab Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Thu, 15 May 2008 14:17:17 +0000 Subject: [PATCH 34/89] 27375 - keep it up git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8556 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 33fce6731b..66554f1ab5 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1315,7 +1315,7 @@ class session { return false; } - else if ($check_script_path && !empty(rtrim($this->page['root_script_path'], '/'))) + else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '' ) { $ref = substr($ref, strlen($host)); if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0)) From 5ea735d3adad4c70aef347dbccb5c533c2ef15d7 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Fri, 16 May 2008 12:34:39 +0000 Subject: [PATCH 35/89] explanation git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8557 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 1 + 1 file changed, 1 insertion(+) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 66554f1ab5..e216b3e36a 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -268,6 +268,7 @@ class session // referer checks $check_referer_path = $config['referer_validation'] == REFERER_VALIDATE_PATH; $referer_valid = true; + // we assume HEAD and TRACE to be foul play and thus only whitelist GET if ($config['referer_validation'] && isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) !== 'get') { $referer_valid = $this->validate_referer($check_referer_path); From 2f5297751a4643fae1917e63c620a793d9711ff3 Mon Sep 17 00:00:00 2001 
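Review bot: The new comment says HEAD and TRACE are assumed to be foul play, but the condition it annotates validates every method except GET, and it silently skips validation when `$_SERVER['REQUEST_METHOD']` is unset — the `isset()` short-circuits and `$referer_valid` keeps its default of true, so the guard fails open on a SAPI that does not populate it. Reword it to match the code, e.g. `// Only GET is exempt: POST, HEAD, TRACE and anything else must carry a matching Referer`, and consider treating a missing method as non-GET: `$method = isset($_SERVER['REQUEST_METHOD']) ? strtolower($_SERVER['REQUEST_METHOD']) : '';` followed by `if ($config['referer_validation'] && $method !== 'get')`. Whether any supported SAPI actually omits REQUEST_METHOD I cannot tell from here; the surrounding session method starts and ends outside the hunk.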
From: Henry Sudhof Date: Sat, 17 May 2008 12:57:20 +0000 Subject: [PATCH 36/89] Hmmm. Tawny port and stilton git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8558 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index e216b3e36a..43d3b1ea2b 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1319,6 +1319,11 @@ class session else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '' ) { $ref = substr($ref, strlen($host)); + $server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT'); + if ($server_port !== 80 && $server_port !== 443 && stripos($ref , ":$server_port") === 0) + { + $ref = substr($ref, strlen(":$server_port")); + } if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0)) { return false; From 2c9ab1ac686c11b3bcc3bbad4e4a8c2446ee4bf5 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Sat, 17 May 2008 14:34:32 +0000 Subject: [PATCH 37/89] ... git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8559 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 43d3b1ea2b..661d87357f 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
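Review bot: The port stripping only removes the server's own port when it is not 80 or 443, so a Referer that spells out the default port (`http://host:80/forum/...`) keeps `:80` in front of the path, fails the `root_script_path` prefix test on the next line, and the request is rejected and the session killed. Dropping the precondition handles that case in one line: `if ($server_port && stripos($ref, ":$server_port") === 0)`. Deployments behind a reverse proxy, where `$_SERVER['SERVER_PORT']` is the backend port rather than the one browsers see, will still be rejected; which forwarded header to trust there is deployment-specific, so at least document the limitation next to the `$server_port` line. validate_referer() starts and ends outside the hunk.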
@@ -1316,14 +1316,14 @@ class session { return false; } - else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '' ) + else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '') { $ref = substr($ref, strlen($host)); - $server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT'); - if ($server_port !== 80 && $server_port !== 443 && stripos($ref , ":$server_port") === 0) - { - $ref = substr($ref, strlen(":$server_port")); - } + $server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT'); + if ($server_port !== 80 && $server_port !== 443 && stripos($ref , ":$server_port") === 0) + { + $ref = substr($ref, strlen(":$server_port")); + } if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0)) { return false; From ae060e8aefb7d0bbb276518cb4a78e1e130d1580 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Sat, 17 May 2008 14:35:23 +0000 Subject: [PATCH 38/89] ... git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8560 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 661d87357f..2eafdc7e80 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1320,7 +1320,7 @@ class session { $ref = substr($ref, strlen($host)); $server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT'); - if ($server_port !== 80 && $server_port !== 443 && stripos($ref , ":$server_port") === 0) + if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0) { $ref = substr($ref, strlen(":$server_port")); } From af63e0ee845187db24a137317849c4619c137a3b Mon Sep 17 00:00:00 2001 
From: Meik Sievertsen Date: Sun, 18 May 2008 18:57:37 +0000 Subject: [PATCH 39/89] fix for bug #27355 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8561 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_content.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index ef68d5113d..9ad93e8fea 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -106,6 +106,7 @@
    100. [Feature] Added optional referer validation of POST requests as additional CSRF protection.
    101. [Fix] Added missing form token in acp (thanks NBBN).
    102. [Feature] Added optional stricter upload validation to avoid mime sniffing in addition to the safeguards provided by file.php. (thanks to Nicolas Grekas for compiling the list).
    103. +
    104. [Fix] Do not remove whitespace in front of url containing the boards url and no relative path appended (Bug #27355)
    105. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/functions_content.php b/phpBB/includes/functions_content.php index 9eab477a8a..79c32c4e08 100644 --- a/phpBB/includes/functions_content.php +++ b/phpBB/includes/functions_content.php @@ -574,7 +574,7 @@ function make_clickable_callback($type, $whitespace, $url, $relative_url, $class // don't touch it and let MAGIC_URL_FULL take care of it. if (!$relative_url) { - return $orig_url . '/'; // slash is taken away by relative url pattern + return $whitespace . $orig_url . '/'; // slash is taken away by relative url pattern } break; From 5828612677cfc62f176d8e32b3027bfc70e76a65 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 18 May 2008 20:00:46 +0000 Subject: [PATCH 40/89] #26885 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8563 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/functions_user.php | 9 ++++++--- phpBB/styles/prosilver/template/mcp_queue.html | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 9ad93e8fea..f145431a5d 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -107,6 +107,7 @@
    106. [Fix] Added missing form token in acp (thanks NBBN).
    107. [Feature] Added optional stricter upload validation to avoid mime sniffing in addition to the safeguards provided by file.php. (thanks to Nicolas Grekas for compiling the list).
    108. [Fix] Do not remove whitespace in front of url containing the boards url and no relative path appended (Bug #27355)
    109. +
    110. [Change] Show email ban reason on registration. Additionally allow custom errors properly returned if using validate_data(). (Bug #26885)
    111. 1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 1d774a8ff4..0ed93d4376 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -1194,6 +1194,8 @@ function user_ipwhois($ip) */ function validate_data($data, $val_ary) { + global $user; + $error = array(); foreach ($val_ary as $var => $val_seq) @@ -1210,7 +1212,8 @@ function validate_data($data, $val_ary) if ($result = call_user_func_array('validate_' . $function, $validate)) { - $error[] = $result . '_' . strtoupper($var); + // Since errors are checked later for their language file existence, we need to make sure custom errors are not adjusted. + $error[] = (empty($user->lang[$result . '_' . strtoupper($var)])) ? $result : $result . '_' . strtoupper($var); } } } @@ -1610,9 +1613,9 @@ function validate_email($email, $allowed_email = false) } } - if ($user->check_ban(false, false, $email, true) == true) + if (($ban_reason = $user->check_ban(false, false, $email, true)) !== false) { - return 'EMAIL_BANNED'; + return ($ban_reason === true) ? 'EMAIL_BANNED' : $ban_reason; } if (!$config['allow_emailreuse']) diff --git a/phpBB/styles/prosilver/template/mcp_queue.html b/phpBB/styles/prosilver/template/mcp_queue.html index e2f140667c..0af3032fcf 100644 --- a/phpBB/styles/prosilver/template/mcp_queue.html +++ b/phpBB/styles/prosilver/template/mcp_queue.html @@ -36,7 +36,7 @@ -
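Review bot: validate_email() now returns the admin-entered ban reason as a string, and the new line in validate_data() appends `$result` unchanged whenever `$user->lang[$result . '_' . strtoupper($var)]` is empty, so free text from the ban table is mixed into an array that otherwise holds language keys. Callers that look the entries up in `$user->lang` and fall back to the raw value will display it as-is; whether they HTML-escape before output I cannot see from here, so please confirm the registration page does, or escape at this point. The `empty()` test also treats a language key whose translation is deliberately blank as "custom"; `isset()` is the precise check for "no such key".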
    112. {L_DELETED_TOPIC}

    113. +
    114. {L_DELETED_TOPIC}

    115. From c41388ce8ab2268cd97c1c7d2d2791faddf23ea3 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 18 May 2008 20:06:15 +0000 Subject: [PATCH 41/89] some adjustements (changes to sessions code need to be backwards-compatible) - henry, do not forget to include this into your merge to 3.2.x too. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8565 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 2eafdc7e80..435618f7ff 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -264,16 +264,17 @@ class session $s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : ''; $u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : ''; - + // referer checks - $check_referer_path = $config['referer_validation'] == REFERER_VALIDATE_PATH; + // The @ before $config['referer_validation'] suppresses notices present while running the updater + $check_referer_path = (@$config['referer_validation'] == REFERER_VALIDATE_PATH); $referer_valid = true; + // we assume HEAD and TRACE to be foul play and thus only whitelist GET - if ($config['referer_validation'] && isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) !== 'get') + if (@$config['referer_validation'] && isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) !== 'get') { $referer_valid = $this->validate_referer($check_referer_path); } - if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid) { @@ -1119,7 +1120,7 @@ class session trigger_error($message); } - return ($banned) ? true : false; + return ($banned && $ban_row['ban_give_reason']) ? $ban_row['ban_give_reason'] : $banned; } /** 
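Review bot: The `@` on `$config['referer_validation']` in both new lines silences every notice on that expression just to cover the updater's missing key, and the rest of this hunk uses explicit `isset()`/`(bool)` checks for the same kind of condition. Read the key once and test it explicitly: `$referer_validation = isset($config['referer_validation']) ? (int) $config['referer_validation'] : 0;` then `$check_referer_path = ($referer_validation == REFERER_VALIDATE_PATH);` and `if ($referer_validation && isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) !== 'get')`. The enclosing session method continues outside the hunk.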
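Review bot: check_ban()'s return type changes from bool to bool|string on the new line `return ($banned && $ban_row['ban_give_reason']) ? $ban_row['ban_give_reason'] : $banned;`, so any caller that tests `=== true` now treats a ban that carries a reason as no ban, and a reason consisting of the single character `0` is falsy and silently dropped. The commit message flags the compatibility concern, so spell the contract out on the method's docblock (outside the hunk): `@return bool|string false when not banned; true when banned without a reason; the admin-entered reason string otherwise — test against false, not true`. For the `0` edge use `(string) $ban_row['ban_give_reason'] !== ''` as the condition.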
@@ -1297,10 +1298,10 @@ class session $this->set_login_key($user_id); } } - - + + /** - * Check if the request originated from the same page. + * Check if the request originated from the same page. * @param bool $check_script_path If true, the path will be checked as well */ function validate_referer($check_script_path = false) From 54db19aef046fb02525396a921b72941aefd0ab6 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 26 May 2008 12:00:17 +0000 Subject: [PATCH 42/89] #27855 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8567 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/functions_privmsgs.php | 5 +++++ phpBB/includes/ucp/ucp_pm_viewfolder.php | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php index 834bcfea51..d01d89a7e3 100644 --- a/phpBB/includes/functions_privmsgs.php +++ b/phpBB/includes/functions_privmsgs.php @@ -208,6 +208,11 @@ function get_folder($user_id, $folder_id = false) ); } + if ($folder_id !== false && !isset($folder[$folder_id])) + { + trigger_error('UNKNOWN_FOLDER'); + } + return $folder; } diff --git a/phpBB/includes/ucp/ucp_pm_viewfolder.php b/phpBB/includes/ucp/ucp_pm_viewfolder.php index e9c337519a..8c765b1e90 100644 --- a/phpBB/includes/ucp/ucp_pm_viewfolder.php +++ b/phpBB/includes/ucp/ucp_pm_viewfolder.php @@ -493,7 +493,7 @@ function get_pm_from($folder_id, $folder, $user_id) } else { - $pm_count = $folder[$folder_id]['num_messages']; + $pm_count = (!empty($folder[$folder_id]['num_messages'])) ? $folder[$folder_id]['num_messages'] : 0; $sql_limit_time = ''; } From a3368632d0a0f3effec49f4f2b7d3b3323f883b4 Mon Sep 17 00:00:00 2001 
From: Meik Sievertsen Date: Mon, 26 May 2008 12:00:42 +0000 Subject: [PATCH 43/89] style change git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8568 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/styles/prosilver/template/ucp_pm_history.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/phpBB/styles/prosilver/template/ucp_pm_history.html b/phpBB/styles/prosilver/template/ucp_pm_history.html index cadb44e914..5f2994f145 100644 --- a/phpBB/styles/prosilver/template/ucp_pm_history.html +++ b/phpBB/styles/prosilver/template/ucp_pm_history.html @@ -9,7 +9,7 @@
      -
      +
      • {L_QUOTE} {history_row.MESSAGE_AUTHOR}
      • @@ -19,7 +19,7 @@

        class="current">{history_row.SUBJECT}

        {history_row.MINI_POST_IMG} {L_SENT_AT}: {history_row.SENT_DATE}
        {L_MESSAGE_BY_AUTHOR} {history_row.MESSAGE_AUTHOR_FULL}

        -
        +
        {history_row.MESSAGE}
        From bb8a48817c3808729dfdbb0bae86d642907c37e2 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Thu, 29 May 2008 13:59:47 +0000 Subject: [PATCH 44/89] What use is a shiny banstick(TM) if nobody finds it? git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8574 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/docs/CHANGELOG.html | 1 + phpBB/includes/mcp/mcp_ban.php | 41 ++++++++++++++++--- phpBB/language/en/memberlist.php | 1 + phpBB/memberlist.php | 2 + phpBB/styles/prosilver/template/mcp_ban.html | 2 +- .../prosilver/template/memberlist_view.html | 1 + 6 files changed, 41 insertions(+), 7 deletions(-) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index f145431a5d..de46bb1232 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -108,6 +108,7 @@
      • [Feature] Added optional stricter upload validation to avoid mime sniffing in addition to the safeguards provided by file.php. (thanks to Nicolas Grekas for compiling the list).
      • [Fix] Do not remove whitespace in front of url containing the boards url and no relative path appended (Bug #27355)
      • [Change] Show email ban reason on registration. Additionally allow custom errors properly returned if using validate_data(). (Bug #26885)
      • +
      • [Feature] Streamlined banning via the MCP by adding a ban link to the user profile. Also pre-fills ban fields as far as possible.

      1.ii. Changes since 3.0.0

      diff --git a/phpBB/includes/mcp/mcp_ban.php b/phpBB/includes/mcp/mcp_ban.php index cb6211abda..5cb1d72a72 100644 --- a/phpBB/includes/mcp/mcp_ban.php +++ b/phpBB/includes/mcp/mcp_ban.php @@ -151,7 +151,7 @@ class mcp_ban 'U_FIND_USERNAME' => append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=searchuser&form=mcp_ban&field=ban'), )); - if ($mode != 'user') + if ($mode === 'email' && !$auth->acl_get('a_user')) { return; } @@ -163,11 +163,24 @@ class mcp_ban if ($user_id && $user_id <> ANONYMOUS) { - $sql = 'SELECT username + $sql = 'SELECT username, user_email, user_ip FROM ' . USERS_TABLE . ' WHERE user_id = ' . $user_id; $result = $db->sql_query($sql); - $username = (string) $db->sql_fetchfield('username'); + switch ($mode) + { + case 'user': + $pre_fill = (string) $db->sql_fetchfield('username'); + break; + + case 'ip': + $pre_fill = (string) $db->sql_fetchfield('user_ip'); + break; + + case 'email': + $pre_fill = (string) $db->sql_fetchfield('user_email'); + break; + } $db->sql_freeresult($result); } else if ($post_id) @@ -176,13 +189,29 @@ class mcp_ban if (sizeof($post_info) && !empty($post_info[$post_id])) { - $username = $post_info[$post_id]['username']; + switch ($mode) + { + case 'user': + $pre_fill = $post_info[$post_id]['username']; + break; + + case 'ip': + $pre_fill = $post_info[$post_id]['poster_ip']; + break; + + case 'email': + $pre_fill = $post_info[$post_id]['user_email']; + break; + } + } } - if ($username) + if ($pre_fill) { - $template->assign_var('USERNAMES', $username); + // left for legacy template compatibility + $template->assign_var('USERNAMES', $pre_fill); + $template->assign_var('BAN_QUANTIFIER', $pre_fill); } } } diff --git a/phpBB/language/en/memberlist.php b/phpBB/language/en/memberlist.php index ad4dd83ca4..b5b8434776 100644 --- a/phpBB/language/en/memberlist.php +++ b/phpBB/language/en/memberlist.php 
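Review bot: `$pre_fill` is only assigned inside the `switch ($mode)` arms, so for a `$mode` outside user/ip/email, or when neither the `$user_id` nor the `$post_id` lookup yields a row, the later `if ($pre_fill)` reads an undefined variable; initialise it before the lookups with `$pre_fill = '';`. The new `email` guard correctly limits pre-filled addresses to `a_user`, but in `ip` mode the target's `user_ip`/`poster_ip` is handed to whoever reaches this page (presumably m_ban holders); if that is the intended scope, a one-line comment next to the guard saying so would help. `BAN_QUANTIFIER` is assigned to the template without escaping — I cannot tell from this hunk whether the template escapes it; the values come from the database rather than the request, which limits but does not remove the concern.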
@@ -132,6 +132,7 @@ $lang = array_merge($lang, array( 'USERNAME_BEGINS_WITH' => 'Username begins with', 'USER_ADMIN' => 'Administrate user', + 'USER_BAN' => 'Banning', 'USER_FORUM' => 'User statistics', 'USER_ONLINE' => 'Online', 'USER_PRESENCE' => 'Board presence', diff --git a/phpBB/memberlist.php b/phpBB/memberlist.php index 7f7657a3a4..aba14e04b8 100644 --- a/phpBB/memberlist.php +++ b/phpBB/memberlist.php @@ -551,6 +551,8 @@ switch ($mode) 'S_CUSTOM_FIELDS' => (isset($profile_fields['row']) && sizeof($profile_fields['row'])) ? true : false, 'U_USER_ADMIN' => ($auth->acl_get('a_user')) ? append_sid("{$phpbb_root_path}adm/index.$phpEx", 'i=users&mode=overview&u=' . $user_id, true, $user->session_id) : '', + 'U_USER_BAN' => ($auth->acl_get('m_ban')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=ban&mode=user&u=' . $user_id) : '', + 'U_SWITCH_PERMISSIONS' => ($auth->acl_get('a_switchperm') && $user->data['user_id'] != $user_id) ? append_sid("{$phpbb_root_path}ucp.$phpEx", "mode=switch_perm&u={$user_id}") : '', 'S_ZEBRA' => ($user->data['user_id'] != $user_id && $user->data['is_registered'] && $zebra_enabled) ? true : false, diff --git a/phpBB/styles/prosilver/template/mcp_ban.html b/phpBB/styles/prosilver/template/mcp_ban.html index c803ba253f..460c95e2a1 100644 --- a/phpBB/styles/prosilver/template/mcp_ban.html +++ b/phpBB/styles/prosilver/template/mcp_ban.html @@ -44,7 +44,7 @@
      -
      +
      {L_FIND_USERNAME}
      diff --git a/phpBB/styles/prosilver/template/memberlist_view.html b/phpBB/styles/prosilver/template/memberlist_view.html index 53f516b193..7df3eb6a91 100644 --- a/phpBB/styles/prosilver/template/memberlist_view.html +++ b/phpBB/styles/prosilver/template/memberlist_view.html @@ -19,6 +19,7 @@
      {USERNAME} [ {L_USER_ADMIN} ] + [ {L_USER_BAN} ] [ {L_USE_PERMISSIONS} ]
From 25a0f42987f850600c5b8c9d8caf44769540d074 Mon Sep 17 00:00:00 2001
From: Meik Sievertsen
Date: Thu, 29 May 2008 14:30:41 +0000
Subject: [PATCH 45/89] same here, session id.
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8577 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/memberlist.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/memberlist.php b/phpBB/memberlist.php
index aba14e04b8..761b328878 100644
--- a/phpBB/memberlist.php
+++ b/phpBB/memberlist.php
@@ -551,7 +551,7 @@ switch ($mode)
 'S_CUSTOM_FIELDS' => (isset($profile_fields['row']) && sizeof($profile_fields['row'])) ? true : false,
 'U_USER_ADMIN' => ($auth->acl_get('a_user')) ? append_sid("{$phpbb_root_path}adm/index.$phpEx", 'i=users&mode=overview&u=' . $user_id, true, $user->session_id) : '',
- 'U_USER_BAN' => ($auth->acl_get('m_ban')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=ban&mode=user&u=' . $user_id) : '',
+ 'U_USER_BAN' => ($auth->acl_get('m_ban')) ? append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=ban&mode=user&u=' . $user_id, true, $user->session_id) : '',
 'U_SWITCH_PERMISSIONS' => ($auth->acl_get('a_switchperm') && $user->data['user_id'] != $user_id) ? append_sid("{$phpbb_root_path}ucp.$phpEx", "mode=switch_perm&u={$user_id}") : '',
From 25be384d43f046c3b0b9475e8adac0646da2dd58 Mon Sep 17 00:00:00 2001
From: Vic D'Elfant
Date: Thu, 29 May 2008 16:18:56 +0000
Subject: [PATCH 46/89] I'm going to get an award for the smallest commit ever.
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8578 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/adm/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/adm/index.php b/phpBB/adm/index.php
index 358e5a4bf2..a4496c14e2 100644
--- a/phpBB/adm/index.php
+++ b/phpBB/adm/index.php
@@ -45,7 +45,7 @@ define('IN_ADMIN', true);
 $phpbb_admin_path = (defined('PHPBB_ADMIN_PATH')) ? PHPBB_ADMIN_PATH : './';
 // Some oft used variables
-$safe_mode = (@ini_get('safe_mode') == '1' || @strtolower(ini_get('safe_mode')) === 'on') ? true : false;
+$safe_mode = (@ini_get('safe_mode') == '1' || strtolower(@ini_get('safe_mode')) === 'on') ? true : false;
 $file_uploads = (@ini_get('file_uploads') == '1' || strtolower(@ini_get('file_uploads')) === 'on') ? true : false;
 $module_id = request_var('i', '');
 $mode = request_var('mode', '');
From 8039c37b5126742c4170a8b17a645021f940f26a Mon Sep 17 00:00:00 2001
From: Henry Sudhof
Date: Mon, 2 Jun 2008 17:10:21 +0000
Subject: [PATCH 47/89] ACP logout
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8580 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/adm/index.php | 1 +
 phpBB/adm/style/overall_header.html | 4 ++--
 phpBB/docs/CHANGELOG.html | 2 ++
 phpBB/includes/acp/acp_main.php | 9 +++++++++
 phpBB/includes/session.php | 10 ++++++++++
 phpBB/language/en/acp/common.php | 3 +++
 6 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/phpBB/adm/index.php b/phpBB/adm/index.php
index a4496c14e2..c0fa2fdddb 100644
--- a/phpBB/adm/index.php
+++ b/phpBB/adm/index.php
@@ -116,6 +116,7 @@ function adm_page_header($page_title)
 'ROOT_PATH' => $phpbb_admin_path,
 'U_LOGOUT' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=logout'),
+ 'U_ADM_LOGOUT' => append_sid("{$phpbb_admin_path}index.$phpEx", 'action=admlogout'),
 'U_ADM_INDEX' => append_sid("{$phpbb_admin_path}index.$phpEx"),
 'U_INDEX' => append_sid("{$phpbb_root_path}index.$phpEx"),
diff --git a/phpBB/adm/style/overall_header.html b/phpBB/adm/style/overall_header.html
index e883e66d80..5294a101f9 100644
--- a/phpBB/adm/style/overall_header.html
+++ b/phpBB/adm/style/overall_header.html
@@ -181,11 +181,11 @@ function switch_menu()
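Review bot: `U_ADM_LOGOUT` in the `@@ -116` hunk omits the session id that `U_USER_ADMIN` in the memberlist.php hunk earlier on this page passes via `append_sid(..., true, $user->session_id)`, so `index.$phpEx?action=admlogout` is a plain GET that any third-party page can trigger against a logged-in admin. Unless the `admlogout` handler added to session.php in this patch (its hunk is not in view) validates `sid` itself, the link should carry it: `'U_ADM_LOGOUT' => append_sid("{$phpbb_admin_path}index.$phpEx", 'action=admlogout', true, $user->session_id),`. `adm_page_header()` continues outside the hunk.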
      -
      +
      - + @@ -1364,7 +1368,7 @@ function change_database_data($version) $smileys[$row['smiley_id']] = $row['code']; } $db->sql_freeresult($result); - + foreach ($smileys as $id => $code) { // 2.0 only entitized lt and gt; We need to do something about double quotes. @@ -1699,7 +1703,7 @@ function change_database_data($version) $sql = 'SELECT forum_id, forum_password FROM ' . FORUMS_TABLE; $result = _sql($sql, $errored, $error_ary); - + while ($row = $db->sql_fetchrow($result)) { if (!empty($row['forum_password'])) @@ -1708,7 +1712,7 @@ function change_database_data($version) } } $db->sql_freeresult($result); - + $db->sql_transaction('commit'); break; @@ -1719,7 +1723,7 @@ function change_database_data($version) SET topic_last_view_time = topic_last_post_time WHERE topic_last_view_time = 0"; _sql($sql, $errored, $error_ary); - + // Update smiley sizes $smileys = array('icon_e_surprised.gif', 'icon_eek.gif', 'icon_cool.gif', 'icon_lol.gif', 'icon_mad.gif', 'icon_razz.gif', 'icon_redface.gif', 'icon_cry.gif', 'icon_evil.gif', 'icon_twisted.gif', 'icon_rolleyes.gif', 'icon_exclaim.gif', 'icon_question.gif', 'icon_idea.gif', 'icon_arrow.gif', 'icon_neutral.gif', 'icon_mrgreen.gif', 'icon_e_ugeek.gif'); @@ -1728,23 +1732,25 @@ function change_database_data($version) if (file_exists($phpbb_root_path . 'images/smilies/' . $smiley)) { list($width, $height) = getimagesize($phpbb_root_path . 'images/smilies/' . $smiley); - + $sql = 'UPDATE ' . SMILIES_TABLE . ' SET smiley_width = ' . $width . ', smiley_height = ' . $height . " WHERE smiley_url = '" . $db->sql_escape($smiley) . "'"; - + _sql($sql, $errored, $error_ary); } } break; - case '3.0.1': - + case '3.0.1-RC1': + set_config('referer_validation', '1'); set_config('check_attachment_content', '1'); set_config('mime_triggers', 'body|head|html|img|plaintext|a href|pre|script|table|title'); + break; + } } From 3116f279a16dd8f927c0cb9e2e605afa5a9dfdd7 Mon Sep 17 00:00:00 2001 
From: Henry Sudhof
Date: Tue, 3 Jun 2008 16:29:56 +0000
Subject: [PATCH 50/89] a little polish
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8585 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/adm/index.php | 2 +-
 phpBB/includes/functions.php | 8 ++++----
 phpBB/language/en/acp/common.php | 1 +
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/phpBB/adm/index.php b/phpBB/adm/index.php
index 83c4044687..00acd1359a 100644
--- a/phpBB/adm/index.php
+++ b/phpBB/adm/index.php
@@ -34,7 +34,7 @@ if ($user->data['user_id'] != ANONYMOUS && (!isset($user->data['session_admin']
 }
 else if ($user->data['user_id'] == ANONYMOUS)
 {
- login_box();
+ login_box('');
 }
 // Is user any type of admin? No, then stop here, each script needs to
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index f45bfa57b3..f000236027 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2420,7 +2420,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 // If we are not within the admin directory we use the page dir...
 $redirect = '';
- if (!$admin)
+ if (!$admin && !defined('ADMIN_START'))
 {
 $redirect .= ($user->page['page_dir']) ? $user->page['page_dir'] . '/' : '';
 }
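Review bot: The `ADMIN_START` special case is now repeated at four sites — `!$admin && !defined('ADMIN_START')` here in the `@@ -2420` hunk and in the `S_LOGIN_ACTION` entry of the `@@ -2453` hunk, and `defined('ADMIN_START') || (defined('IN_ADMIN') && ...)` twice in msg_handler's `@@ -3095` and `@@ -3119` hunks — so the pairs can drift apart on the next edit. Computing it once per function, e.g. `$in_acp = defined('ADMIN_START');` near the top of `login_box()` and of `msg_handler()`, and testing `$in_acp` at each site would keep them in step. Both functions start outside these hunks.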
@@ -2453,7 +2453,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 'U_PRIVACY' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=privacy'),
 'S_DISPLAY_FULL_LOGIN' => ($s_display) ? true : false,
- 'S_LOGIN_ACTION' => (!$admin) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id), // Needs to stay index.$phpEx because we are within the admin directory
+ 'S_LOGIN_ACTION' => (!$admin && !defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id), // Needs to stay index.$phpEx because we are within the admin directory
 'S_HIDDEN_FIELDS' => $s_hidden_fields,
 'S_ADMIN_AUTH' => $admin,
@@ -3095,7 +3095,7 @@ function msg_handler($errno, $msg_text, $errfile, $errline)
 if (!defined('HEADER_INC'))
 {
- if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin'])
+ if (defined('ADMIN_START') || (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin']))
 {
 adm_page_header($msg_title);
 }
@@ -3119,7 +3119,7 @@ function msg_handler($errno, $msg_text, $errfile, $errline)
 // We do not want the cron script to be called on error messages
 define('IN_CRON', true);
- if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin'])
+ if (defined('ADMIN_START') || (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin']))
 {
 adm_page_footer();
 }
diff --git a/phpBB/language/en/acp/common.php b/phpBB/language/en/acp/common.php
index 9ed92bfcfb..41ade70855 100644
--- a/phpBB/language/en/acp/common.php
+++ b/phpBB/language/en/acp/common.php
@@ -239,6 +239,7 @@ $lang = array_merge($lang, array(
 'LOOK_UP_FORUM' => 'Select a forum',
 'LOOK_UP_FORUMS_EXPLAIN'=> 'You are able to select more than one forum.',
+ 'LOGIN_REDIRECT' => 'You have been successfully logged in.',
 'MANAGE' => 'Manage',
 'MENU_TOGGLE' => 'Hide or display the side menu',
 'MOVE_DOWN' => 'Move down',
From d46b1392b7ff3676978125b415389f99a98c2370 Mon Sep 17 00:00:00 2001
From: Meik Sievertsen
Date: Wed, 4 Jun 2008 11:11:48 +0000
Subject: [PATCH 51/89] initialize $pre_fill
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8589 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/mcp/mcp_ban.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/includes/mcp/mcp_ban.php b/phpBB/includes/mcp/mcp_ban.php
index 5cb1d72a72..d9f5eb8f22 100644
--- a/phpBB/includes/mcp/mcp_ban.php
+++ b/phpBB/includes/mcp/mcp_ban.php
@@ -159,7 +159,7 @@ class mcp_ban
 // As a "service" we will check if any post id is specified and populate the username of the poster id if given
 $post_id = request_var('p', 0);
 $user_id = request_var('u', 0);
- $username = false;
+ $username = $pre_fill = false;
 if ($user_id && $user_id <> ANONYMOUS)
 {
From 80f123acb32eaf4c7a0766ddca916f42f4b01bbe Mon Sep 17 00:00:00 2001
From: Henry Sudhof
Date: Wed, 4 Jun 2008 11:40:53 +0000
Subject: [PATCH 52/89] Too much for a minor; sorry
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8591 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/adm/index.php | 11 +-----
 phpBB/adm/style/acp_login.html | 46 ----------------------
 phpBB/adm/style/overall_header.html | 2 -
 phpBB/docs/CHANGELOG.html | 1 -
 phpBB/includes/functions.php | 59 +++++++----------------------
 phpBB/language/en/acp/common.php | 1 -
 6 files changed, 15 insertions(+), 105 deletions(-)
 delete mode 100755 phpBB/adm/style/acp_login.html
diff --git a/phpBB/adm/index.php b/phpBB/adm/index.php
index 00acd1359a..c0fa2fdddb 100644
--- a/phpBB/adm/index.php
+++ b/phpBB/adm/index.php
@@ -28,14 +28,10 @@ $user->setup('acp/common');
 // End session management
 // Have they authenticated (again) as an admin for this session?
-if ($user->data['user_id'] != ANONYMOUS && (!isset($user->data['session_admin']) || !$user->data['session_admin']))
+if (!isset($user->data['session_admin']) || !$user->data['session_admin'])
 {
 login_box('', $user->lang['LOGIN_ADMIN_CONFIRM'], $user->lang['LOGIN_ADMIN_SUCCESS'], true, false);
 }
-else if ($user->data['user_id'] == ANONYMOUS)
-{
- login_box('');
-}
 // Is user any type of admin? No, then stop here, each script needs to
 // check specific permissions but this is a catchall
@@ -112,7 +108,7 @@ function adm_page_header($page_title)
 $template->assign_vars(array(
 'PAGE_TITLE' => $page_title,
- 'USERNAME' => ($user->data['user_id'] != ANONYMOUS) ? $user->data['username'] : '',
+ 'USERNAME' => $user->data['username'],
 'SID' => $SID,
 '_SID' => $_SID,
@@ -124,9 +120,6 @@ function adm_page_header($page_title)
 'U_ADM_INDEX' => append_sid("{$phpbb_admin_path}index.$phpEx"),
 'U_INDEX' => append_sid("{$phpbb_root_path}index.$phpEx"),
- 'S_USER_ADMIN' => $user->data['session_admin'],
- 'S_USER_LOGGED_IN' => ($user->data['user_id'] != ANONYMOUS && !$user->data['is_bot']),
-
 'T_IMAGES_PATH' => "{$phpbb_root_path}images/",
 'T_SMILIES_PATH' => "{$phpbb_root_path}{$config['smilies_path']}/",
 'T_AVATAR_PATH' => "{$phpbb_root_path}{$config['avatar_path']}/",
diff --git a/phpBB/adm/style/acp_login.html b/phpBB/adm/style/acp_login.html
deleted file mode 100755
index 015f3ec908..0000000000
--- a/phpBB/adm/style/acp_login.html
+++ /dev/null
@@ -1,46 +0,0 @@
-
-
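Review bot: Removing the `ANONYMOUS` branch in the `@@ -28` hunk routes unauthenticated visitors into `login_box()` with `$admin = true`; the context in the `@@ -2243` hunk of functions.php in this same patch shows that path printing an error when `$admin` is set and the caller lacks `a_`, so a logged-out visitor to the ACP may now see a permission error instead of a login form, which the parts of `login_box()` outside these hunks would have to confirm. A comment above the new condition, `// Anonymous visitors have no session_admin flag and take this path too; login_box() must cope with both`, would at least record the assumption. The unconditional `'USERNAME' => $user->data['username']` in the `@@ -112` hunk relies on the same assumption that only authenticated admins reach `adm_page_header()`.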

      {PAGE_TITLE}

      -

      {LOGIN_EXPLAIN}{L_LOGIN}

      - - -
      -

      {L_WARNING}

      -

      {LOGIN_ERROR}

      -
      - -
      - -
      -
      -
      -
      -
      -
      -
      -
      - -
      {L_FORGOT_PASS}
      -
      {L_RESEND_ACTIVATION}
      - -
      - - -
      -

      {L_CONFIRM_CODE_EXPLAIN}
      -
      {CONFIRM_IMAGE}
      -
      -
      - - -

      - - - - -   - {S_HIDDEN_FIELDS} -

      -
      -
      - - diff --git a/phpBB/adm/style/overall_header.html b/phpBB/adm/style/overall_header.html index adafc0aa6d..5294a101f9 100644 --- a/phpBB/adm/style/overall_header.html +++ b/phpBB/adm/style/overall_header.html @@ -186,7 +186,6 @@ function switch_menu()
      diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 52e983c1e1..e0fb51610b 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -110,7 +110,6 @@
    116. [Change] Show email ban reason on registration. Additionally allow custom errors properly returned if using validate_data(). (Bug #26885)
    117. [Feature] Streamlined banning via the MCP by adding a ban link to the user profile. Also pre-fills ban fields as far as possible.
    118. [Feature] Added ACP logout to reset an admin session.
    119. -
    120. [Feature] Handle ACP logins with admin style
121. diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index f000236027..600506d08f 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2234,7 +2234,7 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo
 */
 function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = false, $s_display = true)
 {
- global $db, $user, $template, $auth, $phpEx, $phpbb_root_path, $phpbb_admin_path, $config;
+ global $db, $user, $template, $auth, $phpEx, $phpbb_root_path, $config;
 $err = '';
@@ -2243,16 +2243,6 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 {
 $user->setup();
 }
-
- if (defined('ADMIN_START'))
- {
- // Set custom template for admin area
- $template->set_custom_template($phpbb_admin_path . 'style', 'admin');
- $template->assign_var('T_TEMPLATE_PATH', $phpbb_admin_path . 'style');
-
- // the acp template is never stored in the database
- $user->theme['template_storedb'] = false;
- }
 // Print out error if user tries to authenticate as an administrator without having the privileges...
 if ($admin && !$auth->acl_get('a_'))
@@ -2420,7 +2410,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 // If we are not within the admin directory we use the page dir...
 $redirect = '';
- if (!$admin && !defined('ADMIN_START'))
+ if (!$admin)
 {
 $redirect .= ($user->page['page_dir']) ? $user->page['page_dir'] . '/' : '';
 }
@@ -2453,47 +2443,24 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 'U_PRIVACY' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=privacy'),
 'S_DISPLAY_FULL_LOGIN' => ($s_display) ? true : false,
- 'S_LOGIN_ACTION' => (!$admin && !defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id), // Needs to stay index.$phpEx because we are within the admin directory
+ 'S_LOGIN_ACTION' => (!$admin) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("index.$phpEx", false, true, $user->session_id), // Needs to stay index.$phpEx because we are within the admin directory
 'S_HIDDEN_FIELDS' => $s_hidden_fields,
 'S_ADMIN_AUTH' => $admin,
- 'S_ACP_LOGIN' => defined('ADMIN_START'),
 'USERNAME' => ($admin) ? $user->data['username'] : '',
 'USERNAME_CREDENTIAL' => 'username',
 'PASSWORD_CREDENTIAL' => ($admin) ? 'password_' . $credential : 'password',
 ));
-
- if (defined('ADMIN_START'))
- {
- $template->set_filenames(array(
- 'body' => 'acp_login.html')
- );
- $template->assign_block_vars('t_block1', array(
- 'L_TITLE' => $user->lang['LOGIN'],
- 'S_SELECTED' => true,
- 'U_TITLE' => '',
- ));
- adm_page_header($user->lang['LOGIN'], false);
- }
- else
- {
- $template->set_filenames(array(
- 'body' => 'login_body.html')
- );
- page_header($user->lang['LOGIN'], false);
- }
-
+
+ page_header($user->lang['LOGIN'], false);
+
+ $template->set_filenames(array(
+ 'body' => 'login_body.html')
+ );
 make_jumpbox(append_sid("{$phpbb_root_path}viewforum.$phpEx"));
- if (defined('ADMIN_START') && isset($user->data['session_admin']) && $user->data['session_admin'])
- {
- adm_page_footer();
- }
- else
- {
- page_footer();
- }
-
+
+ page_footer();
 }
 /**
@@ -3095,7 +3062,7 @@ function msg_handler($errno, $msg_text, $errfile, $errline)
 if (!defined('HEADER_INC'))
 {
- if (defined('ADMIN_START') || (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin']))
+ if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin'])
 {
 adm_page_header($msg_title);
 }
@@ -3119,7 +3086,7 @@ function msg_handler($errno, $msg_text, $errfile, $errline)
 // We do not want the cron script to be called on error messages
 define('IN_CRON', true);
- if (defined('ADMIN_START') || (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin']))
+ if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin'])
 {
 adm_page_footer();
 }
diff --git a/phpBB/language/en/acp/common.php b/phpBB/language/en/acp/common.php
index 41ade70855..9ed92bfcfb 100644
--- a/phpBB/language/en/acp/common.php
+++ b/phpBB/language/en/acp/common.php
@@ -239,7 +239,6 @@ $lang = array_merge($lang, array(
 'LOOK_UP_FORUM' => 'Select a forum',
 'LOOK_UP_FORUMS_EXPLAIN'=> 'You are able to select more than one forum.',
- 'LOGIN_REDIRECT' => 'You have been successfully logged in.',
 'MANAGE' => 'Manage',
 'MENU_TOGGLE' => 'Hide or display the side menu',
 'MOVE_DOWN' => 'Move down',
From 298d0fe258018369d90b356a6a8659a23e4b846c Mon Sep 17 00:00:00 2001
From: Henry Sudhof
Date: Wed, 4 Jun 2008 11:45:05 +0000
Subject: [PATCH 53/89] That as well
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8592 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/adm/style/overall_header.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/adm/style/overall_header.html b/phpBB/adm/style/overall_header.html
index 5294a101f9..6fd34ac678 100644
--- a/phpBB/adm/style/overall_header.html
+++ b/phpBB/adm/style/overall_header.html
@@ -185,7 +185,7 @@ function switch_menu()