diff --git a/phpBB/includes/acp/acp_users.php b/phpBB/includes/acp/acp_users.php index 3a405da825..1f10893781 100644 --- a/phpBB/includes/acp/acp_users.php +++ b/phpBB/includes/acp/acp_users.php @@ -231,6 +231,11 @@ class acp_users trigger_error($user->lang['CANNOT_BAN_YOURSELF'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING); } + if ($user_id == ANONYMOUS) + { + trigger_error($user->lang['CANNOT_BAN_ANONYMOUS'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING); + } + if ($user_row['user_type'] == USER_FOUNDER) { trigger_error($user->lang['CANNOT_BAN_FOUNDER'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING); diff --git a/phpBB/includes/db/firebird.php b/phpBB/includes/db/firebird.php index e554b0f2fb..6f60dd5dad 100644 --- a/phpBB/includes/db/firebird.php +++ b/phpBB/includes/db/firebird.php @@ -63,10 +63,19 @@ class dbal_firebird extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache forced to false for Interbase * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { + /** + * force $use_cache false. I didn't research why the caching code there is no caching code + * but I assume its because the IB extension provides a direct method to access it + * without a query. + */ + + $use_cache = false; + if ($this->service_handle !== false && function_exists('ibase_server_info')) { return @ibase_server_info($this->service_handle, IBASE_SVC_SERVER_VERSION); diff --git a/phpBB/includes/db/mssql.php b/phpBB/includes/db/mssql.php index 7134574691..6899a73902 100644 --- a/phpBB/includes/db/mssql.php +++ b/phpBB/includes/db/mssql.php @@ -65,13 +65,14 @@ class dbal_mssql extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mssql_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mssql_version')) === false) { $result_id = @mssql_query("SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition')", $this->db_connect_id); @@ -84,7 +85,7 @@ class dbal_mssql extends dbal $this->sql_server_version = ($row) ? trim(implode(' ', $row)) : 0; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mssql_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/mssql_odbc.php b/phpBB/includes/db/mssql_odbc.php index 14c4831010..75a080b1b7 100644 --- a/phpBB/includes/db/mssql_odbc.php +++ b/phpBB/includes/db/mssql_odbc.php @@ -76,13 +76,14 @@ class dbal_mssql_odbc extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mssqlodbc_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mssqlodbc_version')) === false) { $result_id = @odbc_exec($this->db_connect_id, "SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition')"); @@ -95,7 +96,7 @@ class dbal_mssql_odbc extends dbal $this->sql_server_version = ($row) ? trim(implode(' ', $row)) : 0; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mssqlodbc_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/mssqlnative.php b/phpBB/includes/db/mssqlnative.php index 08ee70907c..98e22d4412 100644 --- a/phpBB/includes/db/mssqlnative.php +++ b/phpBB/includes/db/mssqlnative.php @@ -232,18 +232,19 @@ class dbal_mssqlnative extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mssql_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mssql_version')) === false) { $arr_server_info = sqlsrv_server_info($this->db_connect_id); $this->sql_server_version = $arr_server_info['SQLServerVersion']; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mssql_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/mysql.php b/phpBB/includes/db/mysql.php index 0487dfa6d2..1e24c79577 100644 --- a/phpBB/includes/db/mysql.php +++ b/phpBB/includes/db/mysql.php @@ -96,13 +96,14 @@ class dbal_mysql extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mysql_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mysql_version')) === false) { $result = @mysql_query('SELECT VERSION() AS version', $this->db_connect_id); $row = @mysql_fetch_assoc($result); @@ -110,7 +111,7 @@ class dbal_mysql extends dbal $this->sql_server_version = $row['version']; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mysql_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/mysqli.php b/phpBB/includes/db/mysqli.php index f0e58fd148..862d62f4ba 100644 --- a/phpBB/includes/db/mysqli.php +++ b/phpBB/includes/db/mysqli.php @@ -80,14 +80,14 @@ class dbal_mysqli extends dbal /** * Version information about used database - * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mysqli_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mysqli_version')) === false) { $result = @mysqli_query($this->db_connect_id, 'SELECT VERSION() AS version'); $row = @mysqli_fetch_assoc($result); @@ -95,7 +95,7 @@ class dbal_mysqli extends dbal $this->sql_server_version = $row['version']; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mysqli_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/oracle.php b/phpBB/includes/db/oracle.php index 5a9b18abf0..c8a9a5f604 100644 --- a/phpBB/includes/db/oracle.php +++ b/phpBB/includes/db/oracle.php @@ -56,10 +56,18 @@ class dbal_oracle extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache forced to false for Oracle * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { + /** + * force $use_cache false. I didn't research why the caching code below is commented out + * but I assume its because the Oracle extension provides a direct method to access it + * without a query. + */ + + $use_cache = false; /* global $cache; diff --git a/phpBB/includes/db/postgres.php b/phpBB/includes/db/postgres.php index 2a885f1d04..4360c790a1 100644 --- a/phpBB/includes/db/postgres.php +++ b/phpBB/includes/db/postgres.php @@ -108,13 +108,14 @@ class dbal_postgres extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('pgsql_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('pgsql_version')) === false) { $query_id = @pg_query($this->db_connect_id, 'SELECT VERSION() AS version'); $row = @pg_fetch_assoc($query_id, null); @@ -122,7 +123,7 @@ class dbal_postgres extends dbal $this->sql_server_version = (!empty($row['version'])) ? trim(substr($row['version'], 10)) : 0; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('pgsql_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/sqlite.php b/phpBB/includes/db/sqlite.php index 288f6e0992..8de72fd394 100644 --- a/phpBB/includes/db/sqlite.php +++ b/phpBB/includes/db/sqlite.php @@ -50,19 +50,24 @@ class dbal_sqlite extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache if true, it is safe to retrieve the stored value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('sqlite_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('sqlite_version')) === false) { $result = @sqlite_query('SELECT sqlite_version() AS version', $this->db_connect_id); $row = @sqlite_fetch_array($result, SQLITE_ASSOC); $this->sql_server_version = (!empty($row['version'])) ? $row['version'] : 0; - $cache->put('sqlite_version', $this->sql_server_version); + + if (!empty($cache) && $use_cache) + { + $cache->put('sqlite_version', $this->sql_server_version); + } } return ($raw) ? $this->sql_server_version : 'SQLite ' . $this->sql_server_version; diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index d88960ff1d..fe80880789 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -4318,7 +4318,7 @@ function page_header($page_title = '', $display_online_list = true, $item_id = 0 'T_ICONS_PATH' => "{$web_path}{$config['icons_path']}/", 'T_RANKS_PATH' => "{$web_path}{$config['ranks_path']}/", 'T_UPLOAD_PATH' => "{$web_path}{$config['upload_path']}/", - 'T_STYLESHEET_LINK' => (!$user->theme['theme_storedb']) ? "{$web_path}styles/" . $user->theme['theme_path'] . '/theme/stylesheet.css' : append_sid("{$phpbb_root_path}style.$phpEx", 'id=' . $user->theme['style_id'] . '&lang=' . $user->data['user_lang'], true, $user->session_id), + 'T_STYLESHEET_LINK' => (!$user->theme['theme_storedb']) ? "{$web_path}styles/" . $user->theme['theme_path'] . '/theme/stylesheet.css' : append_sid("{$phpbb_root_path}style.$phpEx", 'id=' . $user->theme['style_id'] . '&lang=' . $user->data['user_lang']), 'T_STYLESHEET_NAME' => $user->theme['theme_name'], 'T_THEME_NAME' => $user->theme['theme_path'], diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index bb99314ced..6f6d7526b7 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -837,14 +837,15 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas FROM ' . USERS_TABLE . ' WHERE ' . $db->sql_in_set('username_clean', $sql_usernames); - // Do not allow banning yourself + // Do not allow banning yourself, the guest account, or founders. + $non_bannable = array($user->data['user_id'], ANONYMOUS); if (sizeof($founder)) { - $sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), array($user->data['user_id'])), true); + $sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), $non_bannable), true); } else { - $sql .= ' AND user_id <> ' . $user->data['user_id']; + $sql .= ' AND ' . $db->sql_in_set('user_id', $non_bannable, true); } $result = $db->sql_query($sql); diff --git a/phpBB/install/install_convert.php b/phpBB/install/install_convert.php index 06c3a8b4a6..8c3ffd61a8 100644 --- a/phpBB/install/install_convert.php +++ b/phpBB/install/install_convert.php @@ -685,7 +685,7 @@ class install_convert extends module // Thanks MySQL, for silently converting... case 'mysql': case 'mysql4': - if (version_compare($src_db->sql_server_info(true), '4.1.3', '>=')) + if (version_compare($src_db->sql_server_info(true, false), '4.1.3', '>=')) { $convert->mysql_convert = true; } diff --git a/phpBB/language/en/acp/users.php b/phpBB/language/en/acp/users.php index 8d9bf0d486..eda9659795 100644 --- a/phpBB/language/en/acp/users.php +++ b/phpBB/language/en/acp/users.php @@ -42,6 +42,7 @@ $lang = array_merge($lang, array( 'BAN_ALREADY_ENTERED' => 'The ban had been previously entered successfully. The ban list has not been updated.', 'BAN_SUCCESSFUL' => 'Ban entered successfully.', + 'CANNOT_BAN_ANONYMOUS' => 'You are not allowed to ban the anonymous account. Permissions for anonymous users can be set under the Permissions tab.', 'CANNOT_BAN_FOUNDER' => 'You are not allowed to ban founder accounts.', 'CANNOT_BAN_YOURSELF' => 'You are not allowed to ban yourself.', 'CANNOT_DEACTIVATE_BOT' => 'You are not allowed to deactivate bot accounts. Please deactivate the bot within the bots page instead.', diff --git a/phpBB/style.php b/phpBB/style.php index fa77815670..8ca1751391 100644 --- a/phpBB/style.php +++ b/phpBB/style.php @@ -45,15 +45,8 @@ if (!empty($load_extensions) && function_exists('dl')) } } - -$sid = (isset($_GET['sid']) && !is_array($_GET['sid'])) ? htmlspecialchars($_GET['sid']) : ''; $id = (isset($_GET['id'])) ? intval($_GET['id']) : 0; -if (strspn($sid, 'abcdefABCDEF0123456789') !== strlen($sid)) -{ - $sid = ''; -} - // This is a simple script to grab and output the requested CSS data stored in the DB // We include a session_id check to try and limit 3rd party linking ... unless they // happen to have a current session it will output nothing. We will also cache the @@ -81,6 +74,20 @@ if ($id) $config = $cache->obtain_config(); $user = false; + // try to get a session ID from REQUEST array + $sid = request_var('sid', ''); + + if (!$sid) + { + // if that failed, then look in the cookies + $sid = request_var($config['cookie_name'] . '_sid', '', false, true); + } + + if (strspn($sid, 'abcdefABCDEF0123456789') !== strlen($sid)) + { + $sid = ''; + } + if ($sid) { $sql = 'SELECT u.user_id, u.user_lang