From ae967d16f1ad584d7e03b4466e6cc3d1d067dea6 Mon Sep 17 00:00:00 2001 From: Josh Woody Date: Mon, 5 Jul 2010 22:22:25 -0500 Subject: [PATCH 1/5] [ticket/9650] Do not allow banning the anonymous user by username Banning anonymous can result in bad things, like not being able to log in. However, it was possible until now. PHPBB3-9650 --- phpBB/includes/acp/acp_users.php | 5 +++++ phpBB/includes/functions_user.php | 7 ++++--- phpBB/language/en/acp/users.php | 1 + 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/phpBB/includes/acp/acp_users.php b/phpBB/includes/acp/acp_users.php index 7914edd056..2843480c04 100644 --- a/phpBB/includes/acp/acp_users.php +++ b/phpBB/includes/acp/acp_users.php @@ -231,6 +231,11 @@ class acp_users trigger_error($user->lang['CANNOT_BAN_YOURSELF'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING); } + if ($user_id == ANONYMOUS) + { + trigger_error($user->lang['CANNOT_BAN_ANONYMOUS'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING); + } + if ($user_row['user_type'] == USER_FOUNDER) { trigger_error($user->lang['CANNOT_BAN_FOUNDER'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING); diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 271542efdd..8d2fa14a4b 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -837,14 +837,15 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas FROM ' . USERS_TABLE . ' WHERE ' . $db->sql_in_set('username_clean', $sql_usernames); - // Do not allow banning yourself + // Do not allow banning yourself, the guest account, or founders. + $non_bannable = array($user->data['user_id'], ANONYMOUS); if (sizeof($founder)) { - $sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), array($user->data['user_id'])), true); + $sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), $non_bannable), true); } else { - $sql .= ' AND user_id <> ' . $user->data['user_id']; + $sql .= ' AND ' . $db->sql_in_set('user_id', $non_bannable, true); } $result = $db->sql_query($sql); diff --git a/phpBB/language/en/acp/users.php b/phpBB/language/en/acp/users.php index 8d9bf0d486..eda9659795 100644 --- a/phpBB/language/en/acp/users.php +++ b/phpBB/language/en/acp/users.php @@ -42,6 +42,7 @@ $lang = array_merge($lang, array( 'BAN_ALREADY_ENTERED' => 'The ban had been previously entered successfully. The ban list has not been updated.', 'BAN_SUCCESSFUL' => 'Ban entered successfully.', + 'CANNOT_BAN_ANONYMOUS' => 'You are not allowed to ban the anonymous account. Permissions for anonymous users can be set under the Permissions tab.', 'CANNOT_BAN_FOUNDER' => 'You are not allowed to ban founder accounts.', 'CANNOT_BAN_YOURSELF' => 'You are not allowed to ban yourself.', 'CANNOT_DEACTIVATE_BOT' => 'You are not allowed to deactivate bot accounts. Please deactivate the bot within the bots page instead.', From fc89d5d7db46dc4a25a0443f38c37710542e5923 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 8 Jul 2010 21:13:17 +0200 Subject: [PATCH 2/5] [ticket/9677] Subsilver2 is missing the bbcode-helpline for inline-attachments. PHPBB3-9677 --- phpBB/styles/subsilver2/template/posting_buttons.html | 1 + 1 file changed, 1 insertion(+) diff --git a/phpBB/styles/subsilver2/template/posting_buttons.html b/phpBB/styles/subsilver2/template/posting_buttons.html index 0aab79b7aa..2fff9c1991 100644 --- a/phpBB/styles/subsilver2/template/posting_buttons.html +++ b/phpBB/styles/subsilver2/template/posting_buttons.html @@ -19,6 +19,7 @@ o: '{LA_BBCODE_O_HELP}', p: '{LA_BBCODE_P_HELP}', w: '{LA_BBCODE_W_HELP}', + a: '{LA_BBCODE_A_HELP}', s: '{LA_BBCODE_S_HELP}', f: '{LA_BBCODE_F_HELP}', e: '{LA_BBCODE_E_HELP}', From df99bdbd53d29b97012e04ac32fa815620e426ed Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 8 Jul 2010 21:22:54 +0200 Subject: [PATCH 3/5] [ticket/9678] Flash attachments are not displayed in subsilver2. PHPBB3-9678 --- phpBB/styles/subsilver2/template/attachment.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/phpBB/styles/subsilver2/template/attachment.html b/phpBB/styles/subsilver2/template/attachment.html index d54994fe67..833bd4d55f 100644 --- a/phpBB/styles/subsilver2/template/attachment.html +++ b/phpBB/styles/subsilver2/template/attachment.html @@ -58,13 +58,13 @@ - + - + From c40b2c76015094283aa87f6b3c6ddea283bf3e42 Mon Sep 17 00:00:00 2001 From: Josh Woody Date: Sun, 30 May 2010 12:24:56 -0500 Subject: [PATCH 4/5] [ticket/9629] Allow style.php to retrieve its session ID from cookies style.php takes a session ID to ensure it gets the right language for a user, but that session ID is always passed in GET. This allows change allows the SID to be read from the cookie, and theoretically makes it friendlier for caching engines like Varnish. PHPBB3-9629 --- phpBB/includes/functions.php | 2 +- phpBB/style.php | 21 ++++++++++++++------- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 3f097f171f..9c74a524ee 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -4318,7 +4318,7 @@ function page_header($page_title = '', $display_online_list = true, $item_id = 0 'T_ICONS_PATH' => "{$web_path}{$config['icons_path']}/", 'T_RANKS_PATH' => "{$web_path}{$config['ranks_path']}/", 'T_UPLOAD_PATH' => "{$web_path}{$config['upload_path']}/", - 'T_STYLESHEET_LINK' => (!$user->theme['theme_storedb']) ? "{$web_path}styles/" . $user->theme['theme_path'] . '/theme/stylesheet.css' : append_sid("{$phpbb_root_path}style.$phpEx", 'id=' . $user->theme['style_id'] . '&lang=' . $user->data['user_lang'], true, $user->session_id), + 'T_STYLESHEET_LINK' => (!$user->theme['theme_storedb']) ? "{$web_path}styles/" . $user->theme['theme_path'] . '/theme/stylesheet.css' : append_sid("{$phpbb_root_path}style.$phpEx", 'id=' . $user->theme['style_id'] . '&lang=' . $user->data['user_lang']), 'T_STYLESHEET_NAME' => $user->theme['theme_name'], 'T_THEME_NAME' => $user->theme['theme_path'], diff --git a/phpBB/style.php b/phpBB/style.php index fa77815670..8ca1751391 100644 --- a/phpBB/style.php +++ b/phpBB/style.php @@ -45,15 +45,8 @@ if (!empty($load_extensions) && function_exists('dl')) } } - -$sid = (isset($_GET['sid']) && !is_array($_GET['sid'])) ? htmlspecialchars($_GET['sid']) : ''; $id = (isset($_GET['id'])) ? intval($_GET['id']) : 0; -if (strspn($sid, 'abcdefABCDEF0123456789') !== strlen($sid)) -{ - $sid = ''; -} - // This is a simple script to grab and output the requested CSS data stored in the DB // We include a session_id check to try and limit 3rd party linking ... unless they // happen to have a current session it will output nothing. We will also cache the @@ -81,6 +74,20 @@ if ($id) $config = $cache->obtain_config(); $user = false; + // try to get a session ID from REQUEST array + $sid = request_var('sid', ''); + + if (!$sid) + { + // if that failed, then look in the cookies + $sid = request_var($config['cookie_name'] . '_sid', '', false, true); + } + + if (strspn($sid, 'abcdefABCDEF0123456789') !== strlen($sid)) + { + $sid = ''; + } + if ($sid) { $sql = 'SELECT u.user_id, u.user_lang From 9c61455d264d92194f66549d244ec68cdb3c9ead Mon Sep 17 00:00:00 2001 From: Josh Woody Date: Sun, 6 Jun 2010 08:42:27 -0500 Subject: [PATCH 5/5] [ticket/9637] Do not cache SQL server version in all cases Because the existing cache is global, there is no way to differentiate between each of two databases which may be two different DBAL objects pointing to servers with wildly different versions of an RDBMS. phpBB only has this situation in the UCF, thus only one file changed outside the DBAL. I have added a second optional parameter, $use_cache to each of the implementations of dbal::sql_server_info() PHPBB3-9637 --- phpBB/includes/db/firebird.php | 11 ++++++++++- phpBB/includes/db/mssql.php | 7 ++++--- phpBB/includes/db/mssql_odbc.php | 7 ++++--- phpBB/includes/db/mssqlnative.php | 7 ++++--- phpBB/includes/db/mysql.php | 7 ++++--- phpBB/includes/db/mysqli.php | 8 ++++---- phpBB/includes/db/oracle.php | 10 +++++++++- phpBB/includes/db/postgres.php | 7 ++++--- phpBB/includes/db/sqlite.php | 11 ++++++++--- phpBB/install/install_convert.php | 2 +- 10 files changed, 52 insertions(+), 25 deletions(-) diff --git a/phpBB/includes/db/firebird.php b/phpBB/includes/db/firebird.php index e554b0f2fb..6f60dd5dad 100644 --- a/phpBB/includes/db/firebird.php +++ b/phpBB/includes/db/firebird.php @@ -63,10 +63,19 @@ class dbal_firebird extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache forced to false for Interbase * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { + /** + * force $use_cache false. I didn't research why the caching code there is no caching code + * but I assume its because the IB extension provides a direct method to access it + * without a query. + */ + + $use_cache = false; + if ($this->service_handle !== false && function_exists('ibase_server_info')) { return @ibase_server_info($this->service_handle, IBASE_SVC_SERVER_VERSION); diff --git a/phpBB/includes/db/mssql.php b/phpBB/includes/db/mssql.php index 7134574691..6899a73902 100644 --- a/phpBB/includes/db/mssql.php +++ b/phpBB/includes/db/mssql.php @@ -65,13 +65,14 @@ class dbal_mssql extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mssql_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mssql_version')) === false) { $result_id = @mssql_query("SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition')", $this->db_connect_id); @@ -84,7 +85,7 @@ class dbal_mssql extends dbal $this->sql_server_version = ($row) ? trim(implode(' ', $row)) : 0; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mssql_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/mssql_odbc.php b/phpBB/includes/db/mssql_odbc.php index 14c4831010..75a080b1b7 100644 --- a/phpBB/includes/db/mssql_odbc.php +++ b/phpBB/includes/db/mssql_odbc.php @@ -76,13 +76,14 @@ class dbal_mssql_odbc extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mssqlodbc_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mssqlodbc_version')) === false) { $result_id = @odbc_exec($this->db_connect_id, "SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition')"); @@ -95,7 +96,7 @@ class dbal_mssql_odbc extends dbal $this->sql_server_version = ($row) ? trim(implode(' ', $row)) : 0; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mssqlodbc_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/mssqlnative.php b/phpBB/includes/db/mssqlnative.php index 08ee70907c..98e22d4412 100644 --- a/phpBB/includes/db/mssqlnative.php +++ b/phpBB/includes/db/mssqlnative.php @@ -232,18 +232,19 @@ class dbal_mssqlnative extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mssql_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mssql_version')) === false) { $arr_server_info = sqlsrv_server_info($this->db_connect_id); $this->sql_server_version = $arr_server_info['SQLServerVersion']; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mssql_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/mysql.php b/phpBB/includes/db/mysql.php index 0487dfa6d2..1e24c79577 100644 --- a/phpBB/includes/db/mysql.php +++ b/phpBB/includes/db/mysql.php @@ -96,13 +96,14 @@ class dbal_mysql extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mysql_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mysql_version')) === false) { $result = @mysql_query('SELECT VERSION() AS version', $this->db_connect_id); $row = @mysql_fetch_assoc($result); @@ -110,7 +111,7 @@ class dbal_mysql extends dbal $this->sql_server_version = $row['version']; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mysql_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/mysqli.php b/phpBB/includes/db/mysqli.php index f0e58fd148..862d62f4ba 100644 --- a/phpBB/includes/db/mysqli.php +++ b/phpBB/includes/db/mysqli.php @@ -80,14 +80,14 @@ class dbal_mysqli extends dbal /** * Version information about used database - * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('mysqli_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('mysqli_version')) === false) { $result = @mysqli_query($this->db_connect_id, 'SELECT VERSION() AS version'); $row = @mysqli_fetch_assoc($result); @@ -95,7 +95,7 @@ class dbal_mysqli extends dbal $this->sql_server_version = $row['version']; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('mysqli_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/oracle.php b/phpBB/includes/db/oracle.php index 55b3599800..25df029ea3 100644 --- a/phpBB/includes/db/oracle.php +++ b/phpBB/includes/db/oracle.php @@ -56,10 +56,18 @@ class dbal_oracle extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache forced to false for Oracle * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { + /** + * force $use_cache false. I didn't research why the caching code below is commented out + * but I assume its because the Oracle extension provides a direct method to access it + * without a query. + */ + + $use_cache = false; /* global $cache; diff --git a/phpBB/includes/db/postgres.php b/phpBB/includes/db/postgres.php index b3139b3d79..079419ff20 100644 --- a/phpBB/includes/db/postgres.php +++ b/phpBB/includes/db/postgres.php @@ -105,13 +105,14 @@ class dbal_postgres extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache If true, it is safe to retrieve the value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('pgsql_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('pgsql_version')) === false) { $query_id = @pg_query($this->db_connect_id, 'SELECT VERSION() AS version'); $row = @pg_fetch_assoc($query_id, null); @@ -119,7 +120,7 @@ class dbal_postgres extends dbal $this->sql_server_version = (!empty($row['version'])) ? trim(substr($row['version'], 10)) : 0; - if (!empty($cache)) + if (!empty($cache) && $use_cache) { $cache->put('pgsql_version', $this->sql_server_version); } diff --git a/phpBB/includes/db/sqlite.php b/phpBB/includes/db/sqlite.php index 288f6e0992..8de72fd394 100644 --- a/phpBB/includes/db/sqlite.php +++ b/phpBB/includes/db/sqlite.php @@ -50,19 +50,24 @@ class dbal_sqlite extends dbal /** * Version information about used database * @param bool $raw if true, only return the fetched sql_server_version + * @param bool $use_cache if true, it is safe to retrieve the stored value from the cache * @return string sql server version */ - function sql_server_info($raw = false) + function sql_server_info($raw = false, $use_cache = true) { global $cache; - if (empty($cache) || ($this->sql_server_version = $cache->get('sqlite_version')) === false) + if (!$use_cache || empty($cache) || ($this->sql_server_version = $cache->get('sqlite_version')) === false) { $result = @sqlite_query('SELECT sqlite_version() AS version', $this->db_connect_id); $row = @sqlite_fetch_array($result, SQLITE_ASSOC); $this->sql_server_version = (!empty($row['version'])) ? $row['version'] : 0; - $cache->put('sqlite_version', $this->sql_server_version); + + if (!empty($cache) && $use_cache) + { + $cache->put('sqlite_version', $this->sql_server_version); + } } return ($raw) ? $this->sql_server_version : 'SQLite ' . $this->sql_server_version; diff --git a/phpBB/install/install_convert.php b/phpBB/install/install_convert.php index 06c3a8b4a6..8c3ffd61a8 100644 --- a/phpBB/install/install_convert.php +++ b/phpBB/install/install_convert.php @@ -685,7 +685,7 @@ class install_convert extends module // Thanks MySQL, for silently converting... case 'mysql': case 'mysql4': - if (version_compare($src_db->sql_server_info(true), '4.1.3', '>=')) + if (version_compare($src_db->sql_server_info(true, false), '4.1.3', '>=')) { $convert->mysql_convert = true; }