From 3ecd2f150d488debf10747df19af10a41646c0e1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 2 May 2020 14:24:06 +0200 Subject: [PATCH 01/16] [ticket/security/257] Enforce http(s) for URLs in image BBCode SECURITY-257 --- phpBB/includes/message_parser.php | 2 +- tests/bbcode/parser_test.php | 5 +++++ tests/text_formatter/s9e/default_formatting_test.php | 4 ++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php index e1c28223dc..2c55d7b260 100644 --- a/phpBB/includes/message_parser.php +++ b/phpBB/includes/message_parser.php @@ -390,7 +390,7 @@ class bbcode_firstpass extends bbcode $in = str_replace(' ', '%20', $in); // Checking urls - if (!preg_match('#^' . get_preg_expression('url') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in)) + if (!preg_match('#^' . get_preg_expression('url_http') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in)) { return '[img]' . $in . '[/img]'; } diff --git a/tests/bbcode/parser_test.php b/tests/bbcode/parser_test.php index b569d371f1..ecd946c59f 100644 --- a/tests/bbcode/parser_test.php +++ b/tests/bbcode/parser_test.php @@ -120,6 +120,11 @@ class phpbb_bbcode_parser_test extends \phpbb_test_case '[img]https://area51.phpbb.com/images/area51.png[/img]', '[img:]https://area51.phpbb.com/images/area51.png[/img:]', ), + array( + 'Test default bbcodes: img with unsupported protocol', + '[img]foo://foo/bar[/img]', + '[img]foo://foo/bar[/img]', + ), array( 'Test default bbcodes: simple url', '[url]https://area51.phpbb.com/[/url]', diff --git a/tests/text_formatter/s9e/default_formatting_test.php b/tests/text_formatter/s9e/default_formatting_test.php index ce15a52adc..80c06196ca 100644 --- a/tests/text_formatter/s9e/default_formatting_test.php +++ b/tests/text_formatter/s9e/default_formatting_test.php 
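Review bot: The narrowed check for `[img]` in `message_parser.php` carries no comment saying that `url_http` was chosen on purpose, and the unchanged `// Checking urls` line above it gives no hint that other schemes must stay rejected. I would replace that comment with `// Only http(s) and www. URLs are accepted for [img]; anything else is returned unparsed (SECURITY-257)`, so that a later cleanup does not switch back to the generic `url` expression. The enclosing method starts and ends outside the hunk.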
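Review bot: The case added to `parser_test.php` uses only the invented `foo://` scheme, so it does not show that a real scheme which the generic `url` expression presumably matched is now refused. A second case with `'[img]ftp://area51.phpbb.com/images/area51.png[/img]'` as both input and expected output would pin that. The same applies to the case added to `default_formatting_test.php` in the next hunk.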
@@ -132,6 +132,10 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 '[img]https://area51.phpbb.com/images/area51.png[/img]',
 'Image'
 ),
+ array(
+ '[img]foo://area51.phpbb.com/images/area51.png[/img]',
+ '[img]foo://area51.phpbb.com/images/area51.png[/img]'
+ ),
 array(
 '[url]https://area51.phpbb.com/[/url]',
 'https://area51.phpbb.com/'
From d0e2023a63d7a158f275a79a57356f769c54ee01 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Thu, 25 Jun 2020 22:20:58 +0200
Subject: [PATCH 02/16] [ticket/security-259] Stop checking image size of images in img bbcode

SECURITY-259
---
 phpBB/includes/message_parser.php | 26 ----------------
 phpBB/phpbb/textformatter/s9e/factory.php | 2 --
 phpBB/phpbb/textformatter/s9e/parser.php | 28 ++---------------
 tests/text_processing/message_parser_test.php | 30 -------------------
 4 files changed, 2 insertions(+), 84 deletions(-)

diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php
index e1c28223dc..7bd444b4a3 100644
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@@ -401,32 +401,6 @@ class bbcode_firstpass extends bbcode $in = 'http://' . $in; } - if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width']) - { - $imagesize = new \FastImageSize\FastImageSize(); - $size_info = $imagesize->getImageSize(htmlspecialchars_decode($in)); - - if ($size_info === false) - { - $error = true; - $this->warn_msg[] = $user->lang['UNABLE_GET_IMAGE_SIZE']; - } - else - { - if ($config['max_' . $this->mode . '_img_height'] && $config['max_' . $this->mode . '_img_height'] < $size_info['height']) - { - $error = true; - $this->warn_msg[] = $user->lang('MAX_IMG_HEIGHT_EXCEEDED', (int) $config['max_' . $this->mode . '_img_height']); - } - - if ($config['max_' . $this->mode . '_img_width'] && $config['max_' . $this->mode . '_img_width'] < $size_info['width']) - { - $error = true; - $this->warn_msg[] = $user->lang('MAX_IMG_WIDTH_EXCEEDED', (int) $config['max_' . $this->mode . '_img_width']); - } - } - } - if ($error || $this->path_in_domain($in)) { return '[img]' . $in . '[/img]'; diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php index 725844e2d3..7b79405f7e 100644 --- a/phpBB/phpbb/textformatter/s9e/factory.php +++ b/phpBB/phpbb/textformatter/s9e/factory.php @@ -273,8 +273,6 @@ class factory implements \phpbb\textformatter\cache_interface ->add('#imageurl', __NAMESPACE__ . '\\parser::filter_img_url') ->addParameterByName('urlConfig') ->addParameterByName('logger') - ->addParameterByName('max_img_height') - ->addParameterByName('max_img_width') ->markAsSafeAsURL() ->setJS('UrlFilter.filter'); diff --git a/phpBB/phpbb/textformatter/s9e/parser.php b/phpBB/phpbb/textformatter/s9e/parser.php index 1151f09898..590afc0ebc 100644 --- a/phpBB/phpbb/textformatter/s9e/parser.php +++ b/phpBB/phpbb/textformatter/s9e/parser.php 
@@ -380,11 +380,10 @@ class parser implements \phpbb\textformatter\parser_interface * @param string $url Original URL * @param array $url_config Config used by the URL filter * @param Logger $logger - * @param integer $max_height Maximum height allowed - * @param integer $max_width Maximum width allowed + * * @return string|bool Original value if valid, FALSE otherwise */ - static public function filter_img_url($url, array $url_config, Logger $logger, $max_height, $max_width) + static public function filter_img_url($url, array $url_config, Logger $logger) { // Validate the URL $url = UrlFilter::filter($url, $url_config, $logger); @@ -393,29 +392,6 @@ class parser implements \phpbb\textformatter\parser_interface return false; } - if ($max_height || $max_width) - { - $imagesize = new \FastImageSize\FastImageSize(); - $size_info = $imagesize->getImageSize($url); - if ($size_info === false) - { - $logger->err('UNABLE_GET_IMAGE_SIZE'); - return false; - } - - if ($max_height && $max_height < $size_info['height']) - { - $logger->err('MAX_IMG_HEIGHT_EXCEEDED', array('max_height' => $max_height)); - return false; - } - - if ($max_width && $max_width < $size_info['width']) - { - $logger->err('MAX_IMG_WIDTH_EXCEEDED', array('max_width' => $max_width)); - return false; - } - } - return $url; } diff --git a/tests/text_processing/message_parser_test.php b/tests/text_processing/message_parser_test.php index a3dbf644f6..d302ee9504 100644 --- a/tests/text_processing/message_parser_test.php +++ b/tests/text_processing/message_parser_test.php 
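Review bot: The docblock of `filter_img_url()` loses the two size parameters but does not say that the method no longer contacts the image host, which is the security-relevant property of this change. A line such as `* The image itself is never fetched; only the URL is validated (SECURITY-259)` in the description would keep a later change from reintroducing a server-side request to a user-supplied URL. The description part of the docblock is outside this hunk, and the hunk that follows is a pure removal.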
@@ -342,26 +342,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 },
 array('You may only use fonts up to size 120.')
 ),
- array(
- '[img]http://example.org/100x100.png[/img]',
- '[img]http://example.org/100x100.png[/img]',
- array(true, true, true, true, true, true, true),
- function ($phpbb_container)
- {
- $phpbb_container->get('config')->set('max_post_img_height', 12);
- },
- array('Your images may only be up to 12 pixels high.')
- ),
- array(
- '[img]http://example.org/100x100.png[/img]',
- '[img]http://example.org/100x100.png[/img]',
- array(true, true, true, true, true, true, true),
- function ($phpbb_container)
- {
- $phpbb_container->get('config')->set('max_post_img_width', 34);
- },
- array('Your images may only be up to 34 pixels wide.')
- ),
 array(
 '[img]http://example.org/100x100.png[/img]',
 '[img]http://example.org/100x100.png[/img]',
@@ -392,16 +372,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 $phpbb_container->get('config')->set('max_sig_img_width', 34);
 }
 ),
- array(
- '[img]http://example.org/404.png[/img]',
- '[img]http://example.org/404.png[/img]',
- array(true, true, true, true, true, true, true),
- function ($phpbb_container)
- {
- $phpbb_container->get('config')->set('max_post_img_height', 12);
- },
- array('It was not possible to determine the dimensions of the image.')
- ),
 array(
 '[flash=999,999]http://example.org/foo.swf[/flash]',
 '[flash=999,999]http://example.org/foo.swf[/flash]',
From b0b78ee144fa2aaf1378d1b01f4fa58721ea91a9 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Thu, 25 Jun 2020 22:28:03 +0200
Subject: [PATCH 03/16] [ticket/security-259] Adjust wording of setting in ACP

SECURITY-259
---
 phpBB/language/en/acp/board.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php
index e237446dde..61a3fa5e29 100644
--- a/phpBB/language/en/acp/board.php
+++ b/phpBB/language/en/acp/board.php
@@ -183,10 +183,10 @@ $lang = array_merge($lang, array(
 'MAX_POLL_OPTIONS' => 'Maximum number of poll options',
 'MAX_POST_FONT_SIZE' => 'Maximum font size per post',
 'MAX_POST_FONT_SIZE_EXPLAIN' => 'Maximum font size allowed in a post. Set to 0 for unlimited font size.',
- 'MAX_POST_IMG_HEIGHT' => 'Maximum image height per post',
- 'MAX_POST_IMG_HEIGHT_EXPLAIN' => 'Maximum height of an image/flash file in postings. Set to 0 for unlimited size.',
- 'MAX_POST_IMG_WIDTH' => 'Maximum image width per post',
- 'MAX_POST_IMG_WIDTH_EXPLAIN' => 'Maximum width of an image/flash file in postings. Set to 0 for unlimited size.',
+ 'MAX_POST_IMG_HEIGHT' => 'Maximum flash height per post',
+ 'MAX_POST_IMG_HEIGHT_EXPLAIN' => 'Maximum height of a flash file in postings. Set to 0 for unlimited size.',
+ 'MAX_POST_IMG_WIDTH' => 'Maximum flash width per post',
+ 'MAX_POST_IMG_WIDTH_EXPLAIN' => 'Maximum width of a flash file in postings. Set to 0 for unlimited size.',
 'MAX_POST_URLS' => 'Maximum links per post',
 'MAX_POST_URLS_EXPLAIN' => 'Maximum number of URLs in a post. Set to 0 for unlimited links.',
 'MIN_CHAR_LIMIT' => 'Minimum characters per post/message',
From 70c289fef0f80f12418df326678000119e228d95 Mon Sep 17 00:00:00 2001
From: 3D-I <480857+3D-I@users.noreply.github.com>
Date: Tue, 21 Jul 2020 01:59:19 +0200
Subject: [PATCH 04/16] [ticket/16550] Fix undefined variable url in PMs [3.2.x]

PHPBB3-16550
---
 phpBB/includes/functions_privmsgs.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php
index bd42f93a39..0aceeb90e1 100644
--- a/phpBB/includes/functions_privmsgs.php
+++ b/phpBB/includes/functions_privmsgs.php
@@ -2046,6 +2046,8 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode while ($row = $db->sql_fetchrow($result)); $db->sql_freeresult($result); + $url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm'); + /** * Modify message rows before displaying the history in private messages * @@ -2080,7 +2082,6 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode $title = censor_text($title); - $url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm'); $next_history_pm = $previous_history_pm = $prev_id = 0; // Re-order rowset to be able to get the next/prev message rows... From d0197a94fb4e61855bd11053398a4250aa2dfbcb Mon Sep 17 00:00:00 2001 From: rxu Date: Sat, 27 Jun 2020 20:26:12 +0700 Subject: [PATCH 05/16] [ticket/16539] Fix general SQL error for smilies mode on posting PHPBB3-16539 --- phpBB/includes/functions_posting.php | 2 +- tests/functional/smilies_test.php | 47 ++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 tests/functional/smilies_test.php diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php index 39fc52c29c..4f70a9932d 100644 --- a/phpBB/includes/functions_posting.php +++ b/phpBB/includes/functions_posting.php @@ -118,7 +118,7 @@ function generate_smilies($mode, $forum_id) SMILIES_TABLE => 's', ], 'GROUP_BY' => 's.smiley_url, s.smiley_width, s.smiley_height', - 'ORDER_BY' => 's.min_smiley_order', + 'ORDER_BY' => 'min_smiley_order', ]; } else diff --git a/tests/functional/smilies_test.php b/tests/functional/smilies_test.php new file mode 100644 index 0000000000..f17171bd1f --- /dev/null +++ b/tests/functional/smilies_test.php 
@@ -0,0 +1,47 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +/** +* @group functional +*/ +class phpbb_functional_smilies_test extends phpbb_functional_test_case +{ + public function test_smilies_mode() + { + $this->login(); + + // Get smilies data + $db = $this->get_db(); + $sql_ary = [ + 'SELECT' => 's.smiley_url, MIN(s.emotion) AS emotion, MIN(s.code) AS code, s.smiley_width, s.smiley_height, MIN(s.smiley_order) AS min_smiley_order', + 'FROM' => [ + SMILIES_TABLE => 's', + ], + 'GROUP_BY' => 's.smiley_url, s.smiley_width, s.smiley_height', + 'ORDER_BY' => 'min_smiley_order', + ]; + $sql = $db->sql_build_query('SELECT', $sql_ary); + $result = $db->sql_query($sql); + $smilies = $db->sql_fetchrowset($result); + $db->sql_freeresult($result); + + // Visit smilies page + $crawler = self::request('GET', 'posting.php?mode=smilies'); + foreach ($smilies as $index => $smiley) + { + $this->assertContains($smiley['smiley_url'], + $crawler->filter('div[class="inner"] > a > img')->eq($index)->attr('src') + ); + } + } +} From acd824d4324c4bee00e8aa1c2cb4c0c7123ed900 Mon Sep 17 00:00:00 2001 From: rxu Date: Wed, 10 Jun 2020 17:41:59 +0700 Subject: [PATCH 06/16] [ticket/16524] Filter out-of-bounds UTF8 characters for profile fields PHPBB3-16524 --- .../container/services_profilefield.yml | 3 +++ phpBB/phpbb/profilefields/manager.php | 11 ++++++++++ .../phpbb/profilefields/type/type_string.php | 21 ++++++++++++++++++- phpBB/phpbb/profilefields/type/type_text.php | 21 ++++++++++++++++++- tests/profilefields/type_string_test.php | 2 ++ tests/profilefields/type_url_test.php | 2 ++ 6 files changed, 58 insertions(+), 2 deletions(-) diff --git a/phpBB/config/default/container/services_profilefield.yml b/phpBB/config/default/container/services_profilefield.yml index ebbd3fbf8e..c0ef5ec7e4 100644 --- a/phpBB/config/default/container/services_profilefield.yml 
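Review bot: The `foreach` over `$smilies` in `test_smilies_mode()` makes no assertion when the query returns no rows, so on an empty smilies table the test passes without checking the page at all. Adding `$this->assertNotEmpty($smilies);` before the request to `posting.php?mode=smilies` closes that gap. The comparison by `$index` also assumes that the page and this hand-copied query return rows in the same order, which `ORDER BY min_smiley_order` alone may not guarantee when two groups share the same minimum.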
+++ b/phpBB/config/default/container/services_profilefield.yml @@ -82,6 +82,7 @@ services: profilefields.type.string: class: phpbb\profilefields\type\type_string arguments: + - '@auth' - '@request' - '@template' - '@user' @@ -91,6 +92,7 @@ services: profilefields.type.text: class: phpbb\profilefields\type\type_text arguments: + - '@auth' - '@request' - '@template' - '@user' @@ -100,6 +102,7 @@ services: profilefields.type.url: class: phpbb\profilefields\type\type_url arguments: + - '@auth' - '@request' - '@template' - '@user' diff --git a/phpBB/phpbb/profilefields/manager.php b/phpBB/phpbb/profilefields/manager.php index 5daa61076c..5784a1212a 100644 --- a/phpBB/phpbb/profilefields/manager.php +++ b/phpBB/phpbb/profilefields/manager.php @@ -254,6 +254,17 @@ class manager /** @var \phpbb\profilefields\type\type_interface $profile_field */ $profile_field = $this->type_collection[$row['field_type']]; $cp_data['pf_' . $row['field_ident']] = $profile_field->get_profile_field($row); + + /** + * Replace Emojis and other 4bit UTF-8 chars not allowed by MySQL with UCR/NCR + * using their Numeric Character Reference's Hexadecimal notation. + * Check the permissions for using Emojis first. + */ + if ($this->auth->acl_get('u_emoji')) + { + $cp_data['pf_' . $row['field_ident']] = utf8_encode_ucr($cp_data['pf_' . $row['field_ident']]); + } + $check_value = $cp_data['pf_' . $row['field_ident']]; if (($cp_result = $profile_field->validate_profile_field($check_value, $row)) !== false) diff --git a/phpBB/phpbb/profilefields/type/type_string.php b/phpBB/phpbb/profilefields/type/type_string.php index 8710c8c603..289d78228a 100644 --- a/phpBB/phpbb/profilefields/type/type_string.php +++ b/phpBB/phpbb/profilefields/type/type_string.php @@ -15,6 +15,12 @@ namespace phpbb\profilefields\type; class type_string extends type_string_common { + /** + * Auth object + * @var \phpbb\auth\auth + */ + protected $auth; + /** * Request object * @var \phpbb\request\request 
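Review bot: In the `manager.php` hunk `$check_value` is read after `utf8_encode_ucr()` has run, so the string handed to `validate_profile_field()` is the NCR-encoded form rather than what the user typed. If the length limits or any character-class validation are applied to that string (the validator is outside this hunk), one emoji counts as several characters and brings in `&`, `#` and `;`; if limiting the stored length is the intent, a comment saying so would help, otherwise validate the raw value and encode only what is stored. The comment also says `4bit UTF-8 chars` where `4-byte UTF-8 characters` is meant. The `manager.php` hunk of the later "Remove u_emoji permission checks" patch keeps both the ordering and the wording.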
@@ -36,12 +42,14 @@ class type_string extends type_string_common /** * Construct * + * @param \phpbb\auth\auth $auth Auth object * @param \phpbb\request\request $request Request object * @param \phpbb\template\template $template Template object * @param \phpbb\user $user User object */ - public function __construct(\phpbb\request\request $request, \phpbb\template\template $template, \phpbb\user $user) + public function __construct(\phpbb\auth\auth $auth, \phpbb\request\request $request, \phpbb\template\template $template, \phpbb\user $user) { + $this->auth = $auth; $this->request = $request; $this->template = $template; $this->user = $user; @@ -99,6 +107,17 @@ class type_string extends type_string_common */ public function validate_profile_field(&$field_value, $field_data) { + /** + * Check for out-of-bounds characters that are currently + * not supported by utf8_bin in MySQL if Emoji is not allowed + */ + if (!$this->auth->acl_get('u_emoji')) + { + if (preg_match_all('/[\x{10000}-\x{10FFFF}]/u', $field_value)) + { + return $this->user->lang('FIELD_INVALID_CHARS_INVALID', $this->get_field_name($field_data['lang_name'])); + } + } return $this->validate_string_profile_field('string', $field_value, $field_data); } diff --git a/phpBB/phpbb/profilefields/type/type_text.php b/phpBB/phpbb/profilefields/type/type_text.php index 79ee82351a..a2e2167ac5 100644 --- a/phpBB/phpbb/profilefields/type/type_text.php +++ b/phpBB/phpbb/profilefields/type/type_text.php @@ -15,6 +15,12 @@ namespace phpbb\profilefields\type; class type_text extends type_string_common { + /** + * Auth object + * @var \phpbb\auth\auth + */ + protected $auth; + /** * Request object * @var \phpbb\request\request 
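Review bot: In `type_string::validate_profile_field()` the result of `preg_match_all()` is tested only for truthiness, and with the `u` modifier it returns `false` when `$field_value` is not valid UTF-8, so malformed input is treated like "no match" and passes the check. I would collapse the nested conditions into `if (!$this->auth->acl_get('u_emoji') && preg_match('/[\x{10000}-\x{10FFFF}]/u', $field_value) !== 0)`, which rejects a PCRE failure as well and avoids collecting every match when only presence matters. The identical block is added to `type_text::validate_profile_field()` in the next file and would be better placed once in the shared parent `type_string_common`. Whether `$field_value` is already normalised to valid UTF-8 before this point is not visible here.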
@@ -36,12 +42,14 @@ class type_text extends type_string_common /** * Construct * + * @param \phpbb\auth\auth $auth Auth object * @param \phpbb\request\request $request Request object * @param \phpbb\template\template $template Template object * @param \phpbb\user $user User object */ - public function __construct(\phpbb\request\request $request, \phpbb\template\template $template, \phpbb\user $user) + public function __construct(\phpbb\auth\auth $auth, \phpbb\request\request $request, \phpbb\template\template $template, \phpbb\user $user) { + $this->auth = $auth; $this->request = $request; $this->template = $template; $this->user = $user; @@ -99,6 +107,17 @@ class type_text extends type_string_common */ public function validate_profile_field(&$field_value, $field_data) { + /** + * Check for out-of-bounds characters that are currently + * not supported by utf8_bin in MySQL if Emoji is not allowed + */ + if (!$this->auth->acl_get('u_emoji')) + { + if (preg_match_all('/[\x{10000}-\x{10FFFF}]/u', $field_value)) + { + return $this->user->lang('FIELD_INVALID_CHARS_INVALID', $this->get_field_name($field_data['lang_name'])); + } + } return $this->validate_string_profile_field('text', $field_value, $field_data); } diff --git a/tests/profilefields/type_string_test.php b/tests/profilefields/type_string_test.php index 54bb406838..d7ad16895d 100644 --- a/tests/profilefields/type_string_test.php +++ b/tests/profilefields/type_string_test.php @@ -26,6 +26,7 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case { global $config, $request, $user, $cache, $phpbb_root_path, $phpEx; + $auth = new \phpbb\auth\auth(); $user = $this->getMock('\phpbb\user', array(), array( new \phpbb\language\language(new \phpbb\language\language_file_loader($phpbb_root_path, $phpEx)), '\phpbb\datetime' 
@@ -40,6 +41,7 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case $template = $this->getMock('\phpbb\template\template'); $this->cp = new \phpbb\profilefields\type\type_string( + $auth, $request, $template, $user diff --git a/tests/profilefields/type_url_test.php b/tests/profilefields/type_url_test.php index 3bb5d52899..f592d1099d 100644 --- a/tests/profilefields/type_url_test.php +++ b/tests/profilefields/type_url_test.php @@ -30,6 +30,7 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case { global $config, $request, $user, $cache, $phpbb_root_path, $phpEx; + $auth = new \phpbb\auth\auth(); $config = new \phpbb\config\config([]); $cache = new phpbb_mock_cache; $user = $this->getMock('\phpbb\user', array(), array( @@ -44,6 +45,7 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case $template = $this->getMock('\phpbb\template\template'); $this->cp = new \phpbb\profilefields\type\type_url( + $auth, $request, $template, $user From ab3d8ade7235968eb2e56dd47cc9b2af49948e36 Mon Sep 17 00:00:00 2001 From: rxu Date: Wed, 10 Jun 2020 18:37:13 +0700 Subject: [PATCH 07/16] [ticket/16524] Add test PHPBB3-16524 --- tests/functional/ucp_profile_test.php | 85 +++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/tests/functional/ucp_profile_test.php b/tests/functional/ucp_profile_test.php index e7abba9255..c9f335a052 100644 --- a/tests/functional/ucp_profile_test.php +++ b/tests/functional/ucp_profile_test.php 
@@ -46,4 +46,89 @@ class phpbb_functional_ucp_profile_test extends phpbb_functional_test_case $this->assertEquals('phpbb_twitter', $form->get('pf_phpbb_twitter')->getValue()); $this->assertEquals('phpbb.youtube', $form->get('pf_phpbb_youtube')->getValue()); } + + public function test_submitting_emoji_allowed() + { + $this->add_lang('ucp'); + $this->login(); + + $crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info'); + $this->assertContainsLang('UCP_PROFILE_PROFILE_INFO', $crawler->filter('#cp-main h2')->text()); + + $form = $crawler->selectButton('Submit')->form([ + 'pf_phpbb_location' => '๐Ÿ˜', // grinning face with smiling eyes Emoji + ]); + $crawler = self::submit($form); + $this->assertContainsLang('PROFILE_UPDATED', $crawler->filter('#message')->text()); + + $crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info'); + $form = $crawler->selectButton('Submit')->form(); + $this->assertEquals('๐Ÿ˜', $form->get('pf_phpbb_location')->getValue()); + } + + public function test_submitting_emoji_disallowed() + { + $this->add_lang(['ucp', 'acp/permissions']); + $this->login(); + $this->admin_login(); + + // Group global permissions + $crawler = self::request('GET', 'adm/index.php?i=acp_permissions&icat=16&mode=setting_group_global&sid=' . 
$this->sid); + $this->assertContainsLang('ACP_GROUPS_PERMISSIONS_EXPLAIN', $this->get_content()); + + // Select Registered users group + $form = $crawler->selectButton($this->lang('SUBMIT'))->form(['group_id' => [2]]); + $crawler = self::submit($form); + $this->assertContainsLang('ACL_SET', $crawler->filter('h1')->eq(1)->text()); + + // Globals for \phpbb\auth\auth + global $db, $cache; + $db = $this->get_db(); + $cache = new phpbb_mock_null_cache; + + $auth = new \phpbb\auth\auth; + // Hardcoded user_id + $user_data = $auth->obtain_user_data(2); + $auth->acl($user_data); + $this->assertEquals(1, $auth->acl_get('u_emoji')); + + // Set u_emoji to never + $form = $crawler->selectButton($this->lang('APPLY_PERMISSIONS'))->form(['setting[2][0][u_emoji]' => '0']); + $crawler = self::submit($form); + $this->assertContainsLang('AUTH_UPDATED', $crawler->text()); + + // check acl again + $auth = new \phpbb\auth\auth; + $user_data = $auth->obtain_user_data(2); + $auth->acl($user_data); + $this->assertEquals(0, $auth->acl_get('u_emoji')); + + $crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info'); + $this->assertContainsLang('UCP_PROFILE_PROFILE_INFO', $crawler->filter('#cp-main h2')->text()); + + $form = $crawler->selectButton('Submit')->form([ + 'pf_phpbb_location' => '๐Ÿ˜', // grinning face with smiling eyes Emoji + ]); + + $crawler = self::submit($form); + $this->assertContains('The field โ€œLocationโ€ has invalid characters.', $crawler->filter('p[class="error"]')->text()); + + // Set u_emoji back to Yes + $crawler = self::request('GET', 'adm/index.php?i=acp_permissions&icat=16&mode=setting_group_global&sid=' . 
$this->sid); + $this->assertContainsLang('ACP_GROUPS_PERMISSIONS_EXPLAIN', $this->get_content()); + // Select Registered users group + $form = $crawler->selectButton($this->lang('SUBMIT'))->form(['group_id' => [2]]); + $crawler = self::submit($form); + $this->assertContainsLang('ACL_SET', $crawler->filter('h1')->eq(1)->text()); + // Set u_emoji to never + $form = $crawler->selectButton($this->lang('APPLY_PERMISSIONS'))->form(["setting[2][0][u_emoji]" => '1']); + $crawler = self::submit($form); + $this->assertContainsLang('AUTH_UPDATED', $crawler->text()); + + // check acl again + $auth = new \phpbb\auth\auth; + $user_data = $auth->obtain_user_data(2); + $auth->acl($user_data); + $this->assertEquals(1, $auth->acl_get('u_emoji')); + } } From 0ba0a9cbd310bfbf00fc5571c47119b725dd952c Mon Sep 17 00:00:00 2001 From: rxu Date: Wed, 10 Jun 2020 22:08:29 +0700 Subject: [PATCH 08/16] [ticket/16524] Adjust u_emoji permission language entry PHPBB3-16524 --- phpBB/language/en/acp/permissions_phpbb.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/language/en/acp/permissions_phpbb.php b/phpBB/language/en/acp/permissions_phpbb.php index ab8939932b..395a2d7c7f 100644 --- a/phpBB/language/en/acp/permissions_phpbb.php +++ b/phpBB/language/en/acp/permissions_phpbb.php @@ -79,7 +79,7 @@ $lang = array_merge($lang, array( 'ACL_U_SAVEDRAFTS' => 'Can save drafts', 'ACL_U_CHGCENSORS' => 'Can disable word censors', 'ACL_U_SIG' => 'Can use signature', - 'ACL_U_EMOJI' => 'Can use emoji and rich text characters in topic title', + 'ACL_U_EMOJI' => 'Can use emoji and rich text characters in topic title
This setting also affects profile fields.', 'ACL_U_SENDPM' => 'Can send private messages', 'ACL_U_MASSPM' => 'Can send private messages to multiple users', From b1c6b3bc9424ffb876b35b9f89d5789daa2efa7f Mon Sep 17 00:00:00 2001 From: rxu Date: Wed, 10 Jun 2020 23:23:59 +0700 Subject: [PATCH 09/16] [ticket/16524] Minor code adjustments PHPBB3-16524 --- phpBB/language/en/acp/permissions_phpbb.php | 2 +- phpBB/phpbb/profilefields/type/type_string.php | 2 +- phpBB/phpbb/profilefields/type/type_text.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/language/en/acp/permissions_phpbb.php b/phpBB/language/en/acp/permissions_phpbb.php index 395a2d7c7f..27c4c7e9ef 100644 --- a/phpBB/language/en/acp/permissions_phpbb.php +++ b/phpBB/language/en/acp/permissions_phpbb.php @@ -79,7 +79,7 @@ $lang = array_merge($lang, array( 'ACL_U_SAVEDRAFTS' => 'Can save drafts', 'ACL_U_CHGCENSORS' => 'Can disable word censors', 'ACL_U_SIG' => 'Can use signature', - 'ACL_U_EMOJI' => 'Can use emoji and rich text characters in topic title
This setting also affects profile fields.', + 'ACL_U_EMOJI' => 'Can use emoji and rich text characters in topic title
This setting also affects profile fields.', 'ACL_U_SENDPM' => 'Can send private messages', 'ACL_U_MASSPM' => 'Can send private messages to multiple users', diff --git a/phpBB/phpbb/profilefields/type/type_string.php b/phpBB/phpbb/profilefields/type/type_string.php index 289d78228a..382f66c12a 100644 --- a/phpBB/phpbb/profilefields/type/type_string.php +++ b/phpBB/phpbb/profilefields/type/type_string.php @@ -109,7 +109,7 @@ class type_string extends type_string_common { /** * Check for out-of-bounds characters that are currently - * not supported by utf8_bin in MySQL if Emoji is not allowed + * not supported by utf8_bin in MySQL if Emoji are not allowed */ if (!$this->auth->acl_get('u_emoji')) { diff --git a/phpBB/phpbb/profilefields/type/type_text.php b/phpBB/phpbb/profilefields/type/type_text.php index a2e2167ac5..3b58d6b3e5 100644 --- a/phpBB/phpbb/profilefields/type/type_text.php +++ b/phpBB/phpbb/profilefields/type/type_text.php @@ -109,7 +109,7 @@ class type_text extends type_string_common { /** * Check for out-of-bounds characters that are currently - * not supported by utf8_bin in MySQL if Emoji is not allowed + * not supported by utf8_bin in MySQL if Emoji are not allowed */ if (!$this->auth->acl_get('u_emoji')) { From befab4f3c10bc7899d4bd039777b0365a0782434 Mon Sep 17 00:00:00 2001 From: rxu Date: Fri, 19 Jun 2020 17:22:34 +0700 Subject: [PATCH 10/16] [ticket/16524] Remove u_emoji permission checks PHPBB3-16524 --- .../container/services_profilefield.yml | 3 - phpBB/language/en/acp/permissions_phpbb.php | 2 +- phpBB/phpbb/profilefields/manager.php | 10 +-- .../phpbb/profilefields/type/type_string.php | 21 +----- phpBB/phpbb/profilefields/type/type_text.php | 21 +----- tests/functional/ucp_profile_test.php | 68 +------------------ tests/profilefields/type_string_test.php | 2 - tests/profilefields/type_url_test.php | 2 - 8 files changed, 7 insertions(+), 122 deletions(-) 
diff --git a/phpBB/config/default/container/services_profilefield.yml b/phpBB/config/default/container/services_profilefield.yml index c0ef5ec7e4..ebbd3fbf8e 100644 --- a/phpBB/config/default/container/services_profilefield.yml +++ b/phpBB/config/default/container/services_profilefield.yml @@ -82,7 +82,6 @@ services: profilefields.type.string: class: phpbb\profilefields\type\type_string arguments: - - '@auth' - '@request' - '@template' - '@user' @@ -92,7 +91,6 @@ services: profilefields.type.text: class: phpbb\profilefields\type\type_text arguments: - - '@auth' - '@request' - '@template' - '@user' @@ -102,7 +100,6 @@ services: profilefields.type.url: class: phpbb\profilefields\type\type_url arguments: - - '@auth' - '@request' - '@template' - '@user' diff --git a/phpBB/language/en/acp/permissions_phpbb.php b/phpBB/language/en/acp/permissions_phpbb.php index 27c4c7e9ef..ab8939932b 100644 --- a/phpBB/language/en/acp/permissions_phpbb.php +++ b/phpBB/language/en/acp/permissions_phpbb.php @@ -79,7 +79,7 @@ $lang = array_merge($lang, array( 'ACL_U_SAVEDRAFTS' => 'Can save drafts', 'ACL_U_CHGCENSORS' => 'Can disable word censors', 'ACL_U_SIG' => 'Can use signature', - 'ACL_U_EMOJI' => 'Can use emoji and rich text characters in topic title
This setting also affects profile fields.', + 'ACL_U_EMOJI' => 'Can use emoji and rich text characters in topic title', 'ACL_U_SENDPM' => 'Can send private messages', 'ACL_U_MASSPM' => 'Can send private messages to multiple users', diff --git a/phpBB/phpbb/profilefields/manager.php b/phpBB/phpbb/profilefields/manager.php index 5784a1212a..8af2fe12ad 100644 --- a/phpBB/phpbb/profilefields/manager.php +++ b/phpBB/phpbb/profilefields/manager.php @@ -256,14 +256,10 @@ class manager $cp_data['pf_' . $row['field_ident']] = $profile_field->get_profile_field($row); /** - * Replace Emojis and other 4bit UTF-8 chars not allowed by MySQL with UCR/NCR - * using their Numeric Character Reference's Hexadecimal notation. - * Check the permissions for using Emojis first. + * Replace Emoji and other 4bit UTF-8 chars not allowed by MySQL + * with their Numeric Character Reference's Hexadecimal notation. */ - if ($this->auth->acl_get('u_emoji')) - { - $cp_data['pf_' . $row['field_ident']] = utf8_encode_ucr($cp_data['pf_' . $row['field_ident']]); - } + $cp_data['pf_' . $row['field_ident']] = utf8_encode_ucr($cp_data['pf_' . $row['field_ident']]); $check_value = $cp_data['pf_' . $row['field_ident']]; diff --git a/phpBB/phpbb/profilefields/type/type_string.php b/phpBB/phpbb/profilefields/type/type_string.php index 382f66c12a..8710c8c603 100644 --- a/phpBB/phpbb/profilefields/type/type_string.php +++ b/phpBB/phpbb/profilefields/type/type_string.php @@ -15,12 +15,6 @@ namespace phpbb\profilefields\type; class type_string extends type_string_common { - /** - * Auth object - * @var \phpbb\auth\auth - */ - protected $auth; - /** * Request object * @var \phpbb\request\request 
@@ -42,14 +36,12 @@ class type_string extends type_string_common /** * Construct * - * @param \phpbb\auth\auth $auth Auth object * @param \phpbb\request\request $request Request object * @param \phpbb\template\template $template Template object * @param \phpbb\user $user User object */ - public function __construct(\phpbb\auth\auth $auth, \phpbb\request\request $request, \phpbb\template\template $template, \phpbb\user $user) + public function __construct(\phpbb\request\request $request, \phpbb\template\template $template, \phpbb\user $user) { - $this->auth = $auth; $this->request = $request; $this->template = $template; $this->user = $user; @@ -107,17 +99,6 @@ class type_string extends type_string_common */ public function validate_profile_field(&$field_value, $field_data) { - /** - * Check for out-of-bounds characters that are currently - * not supported by utf8_bin in MySQL if Emoji are not allowed - */ - if (!$this->auth->acl_get('u_emoji')) - { - if (preg_match_all('/[\x{10000}-\x{10FFFF}]/u', $field_value)) - { - return $this->user->lang('FIELD_INVALID_CHARS_INVALID', $this->get_field_name($field_data['lang_name'])); - } - } return $this->validate_string_profile_field('string', $field_value, $field_data); } diff --git a/phpBB/phpbb/profilefields/type/type_text.php b/phpBB/phpbb/profilefields/type/type_text.php index 3b58d6b3e5..79ee82351a 100644 --- a/phpBB/phpbb/profilefields/type/type_text.php +++ b/phpBB/phpbb/profilefields/type/type_text.php @@ -15,12 +15,6 @@ namespace phpbb\profilefields\type; class type_text extends type_string_common { - /** - * Auth object - * @var \phpbb\auth\auth - */ - protected $auth; - /** * Request object * @var \phpbb\request\request 
@@ -42,14 +36,12 @@ class type_text extends type_string_common /** * Construct * - * @param \phpbb\auth\auth $auth Auth object * @param \phpbb\request\request $request Request object * @param \phpbb\template\template $template Template object * @param \phpbb\user $user User object */ - public function __construct(\phpbb\auth\auth $auth, \phpbb\request\request $request, \phpbb\template\template $template, \phpbb\user $user) + public function __construct(\phpbb\request\request $request, \phpbb\template\template $template, \phpbb\user $user) { - $this->auth = $auth; $this->request = $request; $this->template = $template; $this->user = $user; @@ -107,17 +99,6 @@ class type_text extends type_string_common */ public function validate_profile_field(&$field_value, $field_data) { - /** - * Check for out-of-bounds characters that are currently - * not supported by utf8_bin in MySQL if Emoji are not allowed - */ - if (!$this->auth->acl_get('u_emoji')) - { - if (preg_match_all('/[\x{10000}-\x{10FFFF}]/u', $field_value)) - { - return $this->user->lang('FIELD_INVALID_CHARS_INVALID', $this->get_field_name($field_data['lang_name'])); - } - } return $this->validate_string_profile_field('text', $field_value, $field_data); } diff --git a/tests/functional/ucp_profile_test.php b/tests/functional/ucp_profile_test.php index c9f335a052..60e455e980 100644 --- a/tests/functional/ucp_profile_test.php +++ b/tests/functional/ucp_profile_test.php @@ -47,7 +47,7 @@ class phpbb_functional_ucp_profile_test extends phpbb_functional_test_case $this->assertEquals('phpbb.youtube', $form->get('pf_phpbb_youtube')->getValue()); } - public function test_submitting_emoji_allowed() + public function test_submitting_emoji() { $this->add_lang('ucp'); $this->login(); 
@@ -65,70 +65,4 @@ class phpbb_functional_ucp_profile_test extends phpbb_functional_test_case $form = $crawler->selectButton('Submit')->form(); $this->assertEquals('๐Ÿ˜', $form->get('pf_phpbb_location')->getValue()); } - - public function test_submitting_emoji_disallowed() - { - $this->add_lang(['ucp', 'acp/permissions']); - $this->login(); - $this->admin_login(); - - // Group global permissions - $crawler = self::request('GET', 'adm/index.php?i=acp_permissions&icat=16&mode=setting_group_global&sid=' . $this->sid); - $this->assertContainsLang('ACP_GROUPS_PERMISSIONS_EXPLAIN', $this->get_content()); - - // Select Registered users group - $form = $crawler->selectButton($this->lang('SUBMIT'))->form(['group_id' => [2]]); - $crawler = self::submit($form); - $this->assertContainsLang('ACL_SET', $crawler->filter('h1')->eq(1)->text()); - - // Globals for \phpbb\auth\auth - global $db, $cache; - $db = $this->get_db(); - $cache = new phpbb_mock_null_cache; - - $auth = new \phpbb\auth\auth; - // Hardcoded user_id - $user_data = $auth->obtain_user_data(2); - $auth->acl($user_data); - $this->assertEquals(1, $auth->acl_get('u_emoji')); - - // Set u_emoji to never - $form = $crawler->selectButton($this->lang('APPLY_PERMISSIONS'))->form(['setting[2][0][u_emoji]' => '0']); - $crawler = self::submit($form); - $this->assertContainsLang('AUTH_UPDATED', $crawler->text()); - - // check acl again - $auth = new \phpbb\auth\auth; - $user_data = $auth->obtain_user_data(2); - $auth->acl($user_data); - $this->assertEquals(0, $auth->acl_get('u_emoji')); - - $crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info'); - $this->assertContainsLang('UCP_PROFILE_PROFILE_INFO', $crawler->filter('#cp-main h2')->text()); - - $form = $crawler->selectButton('Submit')->form([ - 'pf_phpbb_location' => '๐Ÿ˜', // grinning face with smiling eyes Emoji - ]); - - $crawler = self::submit($form); - $this->assertContains('The field โ€œLocationโ€ has invalid characters.', 
$crawler->filter('p[class="error"]')->text()); - - // Set u_emoji back to Yes - $crawler = self::request('GET', 'adm/index.php?i=acp_permissions&icat=16&mode=setting_group_global&sid=' . $this->sid); - $this->assertContainsLang('ACP_GROUPS_PERMISSIONS_EXPLAIN', $this->get_content()); - // Select Registered users group - $form = $crawler->selectButton($this->lang('SUBMIT'))->form(['group_id' => [2]]); - $crawler = self::submit($form); - $this->assertContainsLang('ACL_SET', $crawler->filter('h1')->eq(1)->text()); - // Set u_emoji to never - $form = $crawler->selectButton($this->lang('APPLY_PERMISSIONS'))->form(["setting[2][0][u_emoji]" => '1']); - $crawler = self::submit($form); - $this->assertContainsLang('AUTH_UPDATED', $crawler->text()); - - // check acl again - $auth = new \phpbb\auth\auth; - $user_data = $auth->obtain_user_data(2); - $auth->acl($user_data); - $this->assertEquals(1, $auth->acl_get('u_emoji')); - } } diff --git a/tests/profilefields/type_string_test.php b/tests/profilefields/type_string_test.php index d7ad16895d..54bb406838 100644 --- a/tests/profilefields/type_string_test.php +++ b/tests/profilefields/type_string_test.php @@ -26,7 +26,6 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case { global $config, $request, $user, $cache, $phpbb_root_path, $phpEx; - $auth = new \phpbb\auth\auth(); $user = $this->getMock('\phpbb\user', array(), array( new \phpbb\language\language(new \phpbb\language\language_file_loader($phpbb_root_path, $phpEx)), '\phpbb\datetime' @@ -41,7 +40,6 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case $template = $this->getMock('\phpbb\template\template'); $this->cp = new \phpbb\profilefields\type\type_string( - $auth, $request, $template, $user diff --git a/tests/profilefields/type_url_test.php b/tests/profilefields/type_url_test.php index f592d1099d..3bb5d52899 100644 --- a/tests/profilefields/type_url_test.php +++ b/tests/profilefields/type_url_test.php 
@@ -30,7 +30,6 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case { global $config, $request, $user, $cache, $phpbb_root_path, $phpEx; - $auth = new \phpbb\auth\auth(); $config = new \phpbb\config\config([]); $cache = new phpbb_mock_cache; $user = $this->getMock('\phpbb\user', array(), array( @@ -45,7 +44,6 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case $template = $this->getMock('\phpbb\template\template'); $this->cp = new \phpbb\profilefields\type\type_url( - $auth, $request, $template, $user From bd4887f660a8509d0331ddc39273e4e53966c692 Mon Sep 17 00:00:00 2001 From: MichaIng Date: Fri, 17 Jul 2020 23:03:34 +0200 Subject: [PATCH 11/16] [ticket/16554] Align all .htaccess files to support Apache 2.4 directives While the main .htaccess as well as the ones in phpbb/db/migration/data/vXYZ/ do already support the Apache 2.4 mod_authz_core directive "Require all denied", all others still use only the deprecated "Deny from All". To not force modern system to use the mod_access_compat module, the modern directives should be supported in every case. For this, the method of phpbb/db/migration/data/vXYZ/.htaccess is copied to update and align all .htaccess files across the source code. PHPBB3-16554 Signed-off-by: MichaIng --- phpBB/cache/.htaccess | 37 ++++++++++++++++++++++++--- phpBB/config/.htaccess | 37 ++++++++++++++++++++++++--- phpBB/files/.htaccess | 37 ++++++++++++++++++++++++--- phpBB/images/avatars/upload/.htaccess | 37 ++++++++++++++++++++++++--- phpBB/includes/.htaccess | 37 ++++++++++++++++++++++++--- phpBB/store/.htaccess | 37 ++++++++++++++++++++++++--- 6 files changed, 198 insertions(+), 24 deletions(-) diff --git a/phpBB/cache/.htaccess b/phpBB/cache/.htaccess index aa5afc1640..44242b5418 100644 --- a/phpBB/cache/.htaccess +++ b/phpBB/cache/.htaccess 
@@ -1,4 +1,33 @@ - - Order Allow,Deny - Deny from All - \ No newline at end of file +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + diff --git a/phpBB/config/.htaccess b/phpBB/config/.htaccess index 4128d345ab..163ddd802f 100644 --- a/phpBB/config/.htaccess +++ b/phpBB/config/.htaccess @@ -1,4 +1,33 @@ - - Order Allow,Deny - Deny from All - +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + \ No newline at end of file diff --git a/phpBB/files/.htaccess b/phpBB/files/.htaccess index aa5afc1640..163ddd802f 100644 --- a/phpBB/files/.htaccess +++ b/phpBB/files/.htaccess 
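Review bot: The six .htaccess files this commit sets out to align do not end up identical: `phpBB/cache/.htaccess` ends with a newline (new blob 44242b5418), while config, files, images/avatars/upload, includes and store carry `\ No newline at end of file` (blob 163ddd802f). Ending all six with a newline would leave a single blob, so later drift in these deny rules shows up in a plain hash comparison. The header comment could also state the precondition that decides whether the rules apply at all, e.g. `# Only honoured by Apache when AllowOverride permits these directives; other web servers need an equivalent deny rule.` The directive container tags are not visible in this rendering, so the nesting itself was not reviewed.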
@@ -1,4 +1,33 @@ - - Order Allow,Deny - Deny from All - \ No newline at end of file +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + \ No newline at end of file diff --git a/phpBB/images/avatars/upload/.htaccess b/phpBB/images/avatars/upload/.htaccess index aa5afc1640..163ddd802f 100644 --- a/phpBB/images/avatars/upload/.htaccess +++ b/phpBB/images/avatars/upload/.htaccess @@ -1,4 +1,33 @@ - - Order Allow,Deny - Deny from All - \ No newline at end of file +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + \ No newline at end of file diff --git a/phpBB/includes/.htaccess b/phpBB/includes/.htaccess index 4128d345ab..163ddd802f 100644 --- a/phpBB/includes/.htaccess +++ b/phpBB/includes/.htaccess 
@@ -1,4 +1,33 @@ - - Order Allow,Deny - Deny from All - +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + \ No newline at end of file diff --git a/phpBB/store/.htaccess b/phpBB/store/.htaccess index aa5afc1640..163ddd802f 100644 --- a/phpBB/store/.htaccess +++ b/phpBB/store/.htaccess @@ -1,4 +1,33 @@ - - Order Allow,Deny - Deny from All - \ No newline at end of file +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + \ No newline at end of file From f3093a3740fd2f72ba3c4d30b12e62ac08bb9cd6 Mon Sep 17 00:00:00 2001 
From: rxu Date: Sun, 29 Mar 2020 02:22:47 +0700 Subject: [PATCH 12/16] [ticket/16417] Fix CLI database migration for phpBB 3.0.x PHPBB3-16417 --- phpBB/bin/phpbbcli.php | 2 +- phpBB/install/phpbbcli.php | 5 ++++- phpBB/phpbb/console/application.php | 23 +++++++++++++++++++---- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/phpBB/bin/phpbbcli.php b/phpBB/bin/phpbbcli.php index 5ae18334d9..bee58f2bb9 100755 --- a/phpBB/bin/phpbbcli.php +++ b/phpBB/bin/phpbbcli.php @@ -84,7 +84,7 @@ $user = $phpbb_container->get('user'); $user->data['user_id'] = ANONYMOUS; $user->ip = '127.0.0.1'; -$application = new \phpbb\console\application('phpBB Console', PHPBB_VERSION, $language); +$application = new \phpbb\console\application('phpBB Console', PHPBB_VERSION, $language, $config); $application->setDispatcher($phpbb_container->get('dispatcher')); $application->register_container_commands($phpbb_container->get('console.command_collection')); $application->run($input); diff --git a/phpBB/install/phpbbcli.php b/phpBB/install/phpbbcli.php index 2afe776f85..857070c795 100755 --- a/phpBB/install/phpbbcli.php +++ b/phpBB/install/phpbbcli.php 
@@ -42,11 +42,14 @@ $phpbb_installer_container->get('request')->enable_super_globals(); /** @var \phpbb\filesystem\filesystem $phpbb_filesystem */ $phpbb_filesystem = $phpbb_installer_container->get('filesystem'); +/** @var \phpbb\config\config $config */ +$config = $phpbb_installer_container->get('config'); + /** @var \phpbb\language\language $language */ $language = $phpbb_installer_container->get('language'); $language->add_lang(array('common', 'acp/common', 'acp/board', 'install', 'posting', 'cli')); -$application = new \phpbb\console\application('phpBB Installer', PHPBB_VERSION, $language); +$application = new \phpbb\console\application('phpBB Installer', PHPBB_VERSION, $language, $config); $application->setDispatcher($phpbb_installer_container->get('dispatcher')); $application->register_container_commands($phpbb_installer_container->get('console.installer.command_collection')); $application->run($input); diff --git a/phpBB/phpbb/console/application.php b/phpBB/phpbb/console/application.php index dc9b8016b2..830ed1b2c1 100644 --- a/phpBB/phpbb/console/application.php +++ b/phpBB/phpbb/console/application.php @@ -27,7 +27,12 @@ class application extends \Symfony\Component\Console\Application protected $in_shell = false; /** - * @var \phpbb\language\language User object + * @var \phpbb\config\config Config object + */ + protected $config; + + /** + * @var \phpbb\language\language Language object */ protected $language; 
@@ -35,10 +40,12 @@ class application extends \Symfony\Component\Console\Application * @param string $name The name of the application * @param string $version The version of the application * @param \phpbb\language\language $language The user which runs the application (used for translation) + * @param \phpbb\config\config $config Config object */ - public function __construct($name, $version, \phpbb\language\language $language) + public function __construct($name, $version, \phpbb\language\language $language, \phpbb\config\config $config) { $this->language = $language; + $this->config = $config; parent::__construct($name, $version); } @@ -97,9 +104,17 @@ class application extends \Symfony\Component\Console\Application */ public function register_container_commands(\phpbb\di\service_collection $command_collection) { - foreach ($command_collection as $service_command) + $commands_list = array_keys($command_collection->getArrayCopy()); + foreach ($commands_list as $service_command) { - $this->add($service_command); + // config_text DB table does not exist in phpBB prior to 3.1 + // Hence skip cron tasks as they include reparser cron as it uses config_text table + if (phpbb_version_compare($this->config['version'], '3.1.0', '<') && strpos($service_command, 'cron') !== false) + { + continue; + } + $this->add($command_collection[$service_command]); + } } From ad43169065e8116832fd1f4e59cb79b3e15de2bf Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 25 Jul 2020 11:25:39 +0200 Subject: [PATCH 13/16] [prep-release-3.2.10] Update version numbers to 3.2.10 --- build/build.xml | 6 +++--- phpBB/includes/constants.php | 2 +- phpBB/install/phpbbcli.php | 2 +- phpBB/install/schemas/schema_data.sql | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/build/build.xml b/build/build.xml index 93711ebe9c..06ac74eac4 100644 --- a/build/build.xml +++ b/build/build.xml @@ -2,9 +2,9 @@ - - - + + + 
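Review bot: The `@param` line for `$language` in the constructor docblock still reads "The user which runs the application", although this commit corrects the matching `@var` from "User object" to "Language object". It should be brought in line, e.g. `* @param \phpbb\language\language $language Language object (used for translation)`. The new fourth parameter is required, so any caller other than the two CLI entry points changed here must also pass a config object; such callers are not visible in this hunk.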
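Review bot: In `register_container_commands()` the test `phpbb_version_compare($this->config['version'], '3.1.0', '<')` does not depend on the loop variable but is re-evaluated for every command. The filter `strpos($service_command, 'cron') !== false` also drops every service whose id merely contains "cron", which may be wider than the cron tasks the comment names (the ids are not visible here). Hoisting the comparison into a flag makes the intent explicit, and the stray blank line before the closing brace of the `foreach` can go with it. If `$this->config['version']` can be unset in the installer container, that case needs a defined outcome; this cannot be judged from the hunk.

```php
// … unchanged: docblock and method signature …
	// The config_text table does not exist before phpBB 3.1. Cron commands
	// include the reparser cron, which reads config_text, so skip them all
	// while the board is still on a 3.0.x schema.
	$skip_cron = phpbb_version_compare($this->config['version'], '3.1.0', '<');

	foreach (array_keys($command_collection->getArrayCopy()) as $service_command)
	{
		if ($skip_cron && strpos($service_command, 'cron') !== false)
		{
			continue;
		}

		$this->add($command_collection[$service_command]);
	}
```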
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index 7722ddc82a..0777f33922 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -28,7 +28,7 @@ if (!defined('IN_PHPBB')) */ // phpBB Version -@define('PHPBB_VERSION', '3.2.10-RC2'); +@define('PHPBB_VERSION', '3.2.10'); // QA-related // define('PHPBB_QA', 1); diff --git a/phpBB/install/phpbbcli.php b/phpBB/install/phpbbcli.php index 857070c795..de1f20411a 100755 --- a/phpBB/install/phpbbcli.php +++ b/phpBB/install/phpbbcli.php @@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli') define('IN_PHPBB', true); define('IN_INSTALL', true); define('PHPBB_ENVIRONMENT', 'production'); -define('PHPBB_VERSION', '3.2.10-RC2'); +define('PHPBB_VERSION', '3.2.10'); $phpbb_root_path = __DIR__ . '/../'; $phpEx = substr(strrchr(__FILE__, '.'), 1); diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql index 7564613af1..c47604dbc1 100644 --- a/phpBB/install/schemas/schema_data.sql +++ b/phpBB/install/schemas/schema_data.sql @@ -306,7 +306,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('update_hashes_lock INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.10-RC2'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.10'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400'); From 0766a10ad3c8ad5bb0044e377425974f521a6b9a Mon Sep 17 00:00:00 2001 
From: Marc Alexander Date: Sat, 25 Jul 2020 11:27:02 +0200 Subject: [PATCH 14/16] [prep-release-3.2.10] Add migration for 3.2.10 --- phpBB/phpbb/db/migration/data/v32x/v3210.php | 36 ++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v32x/v3210.php diff --git a/phpBB/phpbb/db/migration/data/v32x/v3210.php b/phpBB/phpbb/db/migration/data/v32x/v3210.php new file mode 100644 index 0000000000..2817158639 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/v3210.php @@ -0,0 +1,36 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v32x; + +class v3210 extends \phpbb\db\migration\migration +{ + public function effectively_installed() + { + return phpbb_version_compare($this->config['version'], '3.2.10', '>='); + } + + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v3210rc2', + ); + } + + public function update_data() + { + return array( + array('config.update', array('version', '3.2.10')), + ); + } +} From 40027e054c72da38d09c3afa5108acc96836d91f Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 27 Jul 2020 20:41:29 +0200 Subject: [PATCH 15/16] [prep-release-3.2.10] Fix incorrect version constrainst for packaging --- build/build.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/build.xml b/build/build.xml index 06ac74eac4..f089a3037f 100644 --- a/build/build.xml +++ b/build/build.xml @@ -4,7 +4,7 @@ - + From fdc827e06657418695441625704907a4ce89d8cd Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 27 Jul 2020 20:41:50 +0200 Subject: [PATCH 16/16] [prep-release-3.2.10] Update Changelog for 3.2.10 --- phpBB/docs/CHANGELOG.html | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 9185ec6a55..62e954f2d8 100644 
--- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -50,6 +50,7 @@
  1. Changelog