1.i. Changes since 3.0.11
+Changes since 3.0.13-PL1
+ +Security
+-
+
- [SECURITY-180] - An insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login) +
Bug
+-
+
- [PHPBB3-13348] - sql_freeresult() should be called in feed base class +
- [PHPBB3-13414] - download/file.php sends Content-Length header even when issuing 304 Not Modified +
- [PHPBB3-13555] - Poll options preview rendered incorrectly by <br /> collision +
- [PHPBB3-13568] - Imagick path validated as relative path although ACP asks for absolute path +
- [PHPBB3-13617] - Bot session continuation with invalid f= query parameter causes SQL error +
- [PHPBB3-13738] - Sami still refers to develop-* branches +
Improvement
+-
+
- [PHPBB3-12089] - Make HTTP status code assertion failure messages more informative +
- [PHPBB3-13765] - Verify that SERVER_PROTOCOL has the expected format +
Task
+-
+
- [PHPBB3-11539] - Add unit tests for several functions in functions.php +
- [PHPBB3-13572] - Upgrade composer to 1.0.0-alpha9 +
- [PHPBB3-13599] - Remove PHP 5.2 Travis environment +
- [PHPBB3-13634] - Update README to show new branch names +
- [PHPBB3-13723] - Update docs/AUTHORS for 3.0.14-RC1 / 3.1.4-RC1 +
Changes since 3.0.13
+ +Bug
+-
+
- [PHPBB3-12933] - The search operator for partial matches does not work +
- [PHPBB3-13549] - Compare ORIG_PATH_INFO with SCRIPT_NAME for checking trailing paths +
- [PHPBB3-13554] - Advertisement of feature release in red indicates a problem +
Changes since 3.0.12
+ +Security
+-
+
- [PHPBB3-13531] - Disallow trailing paths (e.g. using the PATH_INFO feature) to prevent path-relative CSS injection +
- [PHPBB3-13526] - Correctly validate ucp_pm_options form key +
Bug
+-
+
- [PHPBB3-6703] - Problem with russian letter while converting from 2.0.x +
- [PHPBB3-8960] - Allow changing allow_avatar_remote when images/avatars/upload is not writable +
- [PHPBB3-9420] - BBCode - Unable to use a proper URI token +
- [PHPBB3-9724] - Wrong return "Return to ACP" +
- [PHPBB3-9725] - MSSQL Schema is not azure compatible +
- [PHPBB3-10023] - Password change requirement notification in UCP is not noticable +
- [PHPBB3-10423] - Searching for the term "test *" will highlight nearly every word and displays htmlspecialchars as htmlentities. +
- [PHPBB3-10442] - XHTML is invalid when a forum link without redirect counter is present +
- [PHPBB3-10687] - UNABLE_GET_IMAGE_SIZE text misleading for remote avatars +
- [PHPBB3-10729] - Post editor information is not updated when user being deleted with posts +
- [PHPBB3-10776] - Grammar errors in docs/README.html +
- [PHPBB3-10796] - SQL Azure does not allow SELECT FROM sysfiles +
- [PHPBB3-10851] - HTML files containing certain tags being rejected as possible attack vectors with "Check attachment file" set to "No" +
- [PHPBB3-10863] - Permission mask does not accurately show some forum permissions if user has MOD parmissions +
- [PHPBB3-10917] - Updater notice "Update files are out of date..." when updating to unreleased version +
- [PHPBB3-10985] - Error bbcode.html not found when updating with custom style inheriting from prosilver +
- [PHPBB3-11062] - In Automatic Update, new language strings from install.php are only loaded from English +
- [PHPBB3-11224] - SQL cache destroy does not destroy queries to tables joined +
- [PHPBB3-11288] - "Fulltext native" search fooled by hyphens +
- [PHPBB3-11480] - Prevent Private Message system from returning "Unknown folder" when inbox folder is full +
- [PHPBB3-11613] - Cookies do not work for netbios domain +
- [PHPBB3-11686] - Not checking for phpBB Debug errors on functional tests +
- [PHPBB3-11699] - PHP Lint Test should exclude selected subdirectories of the build directory. +
- [PHPBB3-11726] - Don't run lint tests on Travis on postgres +
- [PHPBB3-11762] - generate_text_for_display() treats "0" as an empty string +
- [PHPBB3-11789] - Inline css with color value in subsilver2 +
- [PHPBB3-11794] - Coding Guidelines document says to place a comma after every array element, but fails to do so itself +
- [PHPBB3-11799] - Anti Abuse Headers missing for sendpassword +
- [PHPBB3-11811] - Chrome 30 adds outline to focused elements +
- [PHPBB3-11821] - Wrong comma usage "You are receiving this notification" +
- [PHPBB3-11823] - Travis-CI webserver not matching PHP files with anything after the .php +
- [PHPBB3-11829] - Closed reports may seem open in detailed view +
- [PHPBB3-11860] - .htaccess not working for Apache 2.4 +
- [PHPBB3-11864] - Do not call exit after display_progress_bar in acp_forums +
- [PHPBB3-11879] - Compatibility error in forum_fn.js: .live should be replaced with .on +
- [PHPBB3-11968] - Travis Image are broken due to repository rename +
- [PHPBB3-12037] - acp_inactive.html has hard-coded text +
- [PHPBB3-12048] - Custom BBCodes Fail to Render Language Strings with a Number +
- [PHPBB3-12061] - Keyboard shortcut alt+h doesn't work properly in firefox +
- [PHPBB3-12072] - Missing word "send" in comment in schema_data.sql +
- [PHPBB3-12093] - IE 11 javascript selection is no longer supported +
- [PHPBB3-12118] - Add noindex meta tag to subsilver2 pm/topic view-print template +
- [PHPBB3-12119] - Remove keywords and description meta tags from prosilver view-print templates +
- [PHPBB3-12120] - Update docs/AUTHORS for 3.0.13-RC1 +
- [PHPBB3-12140] - Avoid endless loop in build script +
- [PHPBB3-12161] - build/save directories are no longer created +
- [PHPBB3-12162] - Binary files missing from update packages +
- [PHPBB3-12176] - No error shown when attempting to delete a founder +
- [PHPBB3-12186] - MCP should open "Reported posts" instead of PM Reports +
- [PHPBB3-12188] - Add php 5.6 to travis tests +
- [PHPBB3-12202] - Variables read from style.cfg etc. should be htmlspecialchared +
- [PHPBB3-12205] - Custom Profile Field display bug +
- [PHPBB3-12210] - dbtools::sql_create_table incorrectly throws error related to auto-increment length on non auto-increment fields +
- [PHPBB3-12310] - SMTP username and password should not autocomplete during install +
- [PHPBB3-12316] - develop-ascraeus build status missing from "Automated Testing" section in README.md +
- [PHPBB3-12353] - User attachments in ACP are not displaying every attachment +
- [PHPBB3-12359] - Day and Month of Birthday Misaligned When Editing +
- [PHPBB3-12381] - Broken error message when selecting invalid DB driver +
- [PHPBB3-12397] - db_tools::sql_unique_index_exists() has wrong doc block +
- [PHPBB3-12429] - Update phpunit to 3.8+ +
- [PHPBB3-12467] - Add config_*.php and tests_config_*.php to .gitignore +
- [PHPBB3-12472] - Set fast finish for .travis.yml +
- [PHPBB3-12485] - Broken tests due to absolute exclude +
- [PHPBB3-12492] - DB_TEST: Special chars are not supported. +
- [PHPBB3-12540] - WRONG_FILESIZE contains broken placeholders +
- [PHPBB3-12660] - Undefined offset error when phpinfo() disabled and debug enabled +
- [PHPBB3-12695] - Undefined index: MISSING_INLINE_ATTACHMENT notice given when viewing post details +
- [PHPBB3-12720] - Git commit hook should not require commit message to start with a capital letter +
- [PHPBB3-12741] - Functional tests on Travis fail since php update last night +
- [PHPBB3-12755] - Remote upload stuck in infinite loop if server sends keep-alive +
- [PHPBB3-13086] - Update ACP_MASS_EMAIL_EXPLAIN language key +
- [PHPBB3-13096] - ldap_escape() added to PHP 5.6.0 +
- [PHPBB3-13138] - Banned users cause infinite recursion +
- [PHPBB3-13168] - Warning displayed in PHP 5.6 for mbstring.http_input +
- [PHPBB3-13234] - Remember me cookie gets unset by admin reauthentication +
- [PHPBB3-13341] - Tests fail when generating coverage report +
- [PHPBB3-13376] - deregister_globals() does not work correctly when $_COOKIE['GLOBALS'] - is specified +
- [PHPBB3-13519] - Correctly validate imagick path as path and not string +
- [PHPBB3-13523] - PHP 5.2 Unit Tests no longer work due to deprecated PHPUnit PEAR channel +
- [PHPBB3-13527] - Escape information received from version server +
Improvement
+-
+
- [PHPBB3-10037] - Add Smiley Buttons in Signature Editor +
- [PHPBB3-10174] - Rename "Ban usernames" to "Ban users" in ACP +
- [PHPBB3-10549] - Languages variables should be used, not hardcoded +
- [PHPBB3-10555] - Copyright notice in overall_header.html is not translatable +
- [PHPBB3-10945] - Show entered search query in the search box when no results are found. +
- [PHPBB3-11254] - Check CRLF line endings in the test suite +
- [PHPBB3-11295] - Drop tables for postgres in the test suite +
- [PHPBB3-11297] - Running tests doc should mention dbunit dependency +
- [PHPBB3-11704] - phing build script does not include vendor folder, even if there are dependencies +
- [PHPBB3-11766] - Remove Quote and Edit button when topic is lock +
- [PHPBB3-11801] - missing semi colons in css +
- [PHPBB3-11814] - Topic reply notification email text change +
- [PHPBB3-12035] - Add a link to user's posts in the ACP user overview page +
- [PHPBB3-12106] - Document exceptions to "Disable Board" in ACP. +
- [PHPBB3-12146] - Add color demo when editing a group from the UCP +
- [PHPBB3-12247] - include poster's username in email notifications of posts that get approved by moderators +
- [PHPBB3-12259] - Too many redundant tests are run on Travis +
- [PHPBB3-12468] - Allow mbstring.http_input='' besides 'pass' for PHP 5.6 compatibility +
Task
+-
+
- [PHPBB3-10839] - Remove phpunit.xml.functional and always include functional tests +
- [PHPBB3-11509] - Travis should check commit message format +
- [PHPBB3-11876] - Upgrade package checksums from MD5 to SHA256 +
- [PHPBB3-11877] - Create package download links and checksums for announcement via script +
- [PHPBB3-11920] - Add MariaDB tests to Travis-CI +
- [PHPBB3-11951] - Add MariaDB to supported RDBMS list +
- [PHPBB3-11970] - Use 'set -x' in Travis CI setup scripts +
- [PHPBB3-12046] - Use PHP_BINARY environment variable in lint unit test +
- [PHPBB3-12056] - Make sure each unit test runs on its own +
- [PHPBB3-12147] - Remove Travis CI notification configuration +
- [PHPBB3-12302] - Upgrade composer.phar to 1.0.0-alpha8 +
- [PHPBB3-12318] - Correctly setup HHVM functional tests on Travis CI +
- [PHPBB3-12319] - Backport Travis CI HHVM environment enabling to develop-olympus. +
- [PHPBB3-12320] - No longer allow Travis CI HHVM environment to fail +
- [PHPBB3-12341] - Add tests for get_username_string() +
- [PHPBB3-12384] - Run Travis CI HHVM tests against MySQLi instead of MySQL +
- [PHPBB3-12417] - hhvm-nightly 2014.04.16~precise breaks tests +
- [PHPBB3-12495] - Add Sami to composer dependencies and build script +
- [PHPBB3-12582] - Strip away copyrighted ICC profile from images +
- [PHPBB3-12917] - Move commit check and file executable checks to 5.3.3 build on travis +
- [PHPBB3-13324] - Composer no longer downloads sami/sami and fabpot/goutte +
Changes since 3.0.11
Bug
-
@@ -248,7 +425,7 @@
- [PHPBB3-11753] - Upgrade mysql_upgrader.php schema data.
Task
1.ii. Changes since 3.0.10
+Changes since 3.0.10
Bug
-
@@ -373,7 +550,7 @@
- [PHPBB3-10909] - Update Travis Test Configuration: Travis no longer supports PHP 5.3.2
Task
1.iii. Changes since 3.0.9
+Changes since 3.0.9
Bug
-
@@ -509,7 +686,7 @@
- [PHPBB3-10480] - Automate changelog building
Task
1.iv. Changes since 3.0.8
+Changes since 3.0.8
Bug
@@ -574,7 +751,7 @@Bug
Bug
Bug
Bug
Improvement
-
@@ -814,7 +991,7 @@
- [PHPBB3-10186] - UCP signature panel displays when not authed for signatures
Improvement
New Feature
-
@@ -825,7 +1002,7 @@
- [PHPBB3-10110] - Redis caching module
New Feature
Task
-
@@ -864,7 +1041,7 @@
- [PHPBB3-10107] - Improve docs for non-apache webserver configuration
Task
Sub-task
-
@@ -877,7 +1054,7 @@
Sub-task
1.v. Changes since 3.0.7-PL1
+Changes since 3.0.7-PL1
Security
-
@@ -1335,13 +1512,13 @@
Sub-task
1.vi. Changes since 3.0.7
+Changes since 3.0.7
- [Sec] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)
1.vii. Changes since 3.0.6
+Changes since 3.0.6
- [Fix] Allow ban reason and length to be selected and copied in ACP and subsilver2 MCP. (Bug #51095) @@ -1445,7 +1622,7 @@
Sub-task
1.viii. Changes since 3.0.5
+Changes since 3.0.5
- [Fix] Allow whitespaces in avatar gallery names. (Bug #44955) @@ -1667,7 +1844,7 @@
- [Feature] Send anonymous statistical information to phpBB on installation and update (optional).
Sub-task
1.ix. Changes since 3.0.4
+Changes since 3.0.4
- [Fix] Delete user entry from ban list table upon user deletion (Bug #40015 - Patch by TerraFrost) @@ -1756,7 +1933,7 @@
- [Sec] Only use forum id supplied for posting if global announcement detected. (Reported by nickvergessen)
Sub-task
1.x. Changes since 3.0.3
+Changes since 3.0.3
- [Fix] Allow mixed-case template directories to be inherited (Bug #36725) @@ -1788,7 +1965,7 @@
- [Sec] Ask for forum password if post within passworded forum quoted in private message. (Reported by nickvergessen)
Sub-task
1.xi. Changes since 3.0.2
+Changes since 3.0.2
- [Fix] Correctly set topic starter if first post in topic removed (Bug #30575 - Patch by blueray2048) @@ -1887,7 +2064,7 @@
- [Sec Precaution] Stricter validation of the HTTP_HOST header (Thanks to Techie-Micheal et al for pointing out possible issues in derived code)
Sub-task
1.xii. Changes since 3.0.1
+Changes since 3.0.1
- [Fix] Ability to set permissions on non-mysql dbms (Bug #24955) @@ -1935,7 +2112,7 @@
- [Sec] Only allow urls gone through redirect() being used within login_box(). (thanks nookieman)
Sub-task
1.xiii Changes since 3.0.0
+Changes since 3.0.0
- [Change] Validate birthdays (Bug #15004) @@ -2006,7 +2183,7 @@
- [Fix] Find and display colliding usernames correctly when converting from one database to another (Bug #23925)
Sub-task
1.xiv. Changes since 3.0.RC8
+Changes since 3.0.RC8
- [Fix] Cleaned usernames contain only single spaces, so "a_name" and "a__name" are treated as the same name (Bug #15634) @@ -2015,7 +2192,7 @@
- [Fix] Call garbage_collection() within database updater to correctly close connections (affects Oracle for example)
Sub-task
1.xv. Changes since 3.0.RC7
+Changes since 3.0.RC7
- [Fix] Fixed MSSQL related bug in the update system @@ -2050,7 +2227,7 @@
- [Fix] No duplication of active topics (Bug #15474)
Sub-task
1.xvi. Changes since 3.0.RC6
+Changes since 3.0.RC6
- [Fix] Submitting language changes using acp_language (Bug #14736) @@ -2060,7 +2237,7 @@
- [Fix] Able to request new password (Bug #14743)
Sub-task
1.xvii. Changes since 3.0.RC5
+Changes since 3.0.RC5
- [Feature] Removing constant PHPBB_EMBEDDED in favor of using an exit_handler(); the constant was meant to achive this more or less. @@ -2123,7 +2300,7 @@
- [Sec] New password hashing mechanism for storing passwords (#i42)
Sub-task
1.xviii. Changes since 3.0.RC4
+Changes since 3.0.RC4
- [Fix] MySQL, PostgreSQL and SQLite related database fixes (Bug #13862) @@ -2174,7 +2351,7 @@
- [Fix] odbc_autocommit causing existing result sets to be dropped (Bug #14182)
Sub-task
1.xix. Changes since 3.0.RC3
+Changes since 3.0.RC3
- [Fix] Fixing some subsilver2 and prosilver style issues @@ -2283,7 +2460,7 @@
Sub-task
1.xx. Changes since 3.0.RC2
+Changes since 3.0.RC2
- [Fix] Re-allow searching within the memberlist @@ -2329,7 +2506,7 @@
Sub-task
1.xxi. Changes since 3.0.RC1
+Changes since 3.0.RC1
- [Fix] (X)HTML issues within the templates (Bug #11255, #11255) diff --git a/premod/root/docs/INSTALL.html b/premod/root/docs/INSTALL.html index 3fa0597..aedb07c 100644 --- a/premod/root/docs/INSTALL.html +++ b/premod/root/docs/INSTALL.html @@ -139,6 +139,7 @@
- A SQL database system, one of:
- MySQL 3.23 or above (MySQLi supported) +
- MariaDB 5.1 or above
- PostgreSQL 7.3+
- SQLite 2.8.2+ (SQLite 3 is not supported)
- Firebird 2.1+ @@ -275,7 +276,7 @@
Advanced settings
This package is meant for those wanting to only replace the files that were changed between a previous version and the latest version.
-This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 3.0.11 you should select the appropriate
+phpBB-3.0.12-files.zip/tar.bz2file.This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 3.0.13 you should select the appropriate
phpBB-3.0.14-files.zip/tar.bz2file.The directory structure has been preserved, enabling you (if you wish) to simply upload the uncompressed contents of the archive to the appropriate location on your server, i.e. simply overwrite the existing files with the new versions. Do not forget that if you have installed any modifications (MODs) these files will overwrite the originals, possibly destroying them in the process. You will need to re-add MODs to any affected file before uploading.
@@ -287,7 +288,7 @@Advanced settings
The patch file is one solution for those with many Modifications (MODs) or other changes and do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type patch application. If you do not have access to such an application, but still want to use this update approach, we strongly recommend the Automatic update package explained below. It is also the recommended update method.
-A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is 3.0.11, you need the
+phpBB-3.0.12-patch.zip/tar.bz2file. Place the correct patch in the parent directory containing the phpBB core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command:patch -cl -d [PHPBB DIRECTORY] -p1 < [PATCH NAME](where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is 3.0.13, you need the
phpBB-3.0.14-patch.zip/tar.bz2file. Place the correct patch in the parent directory containing the phpBB core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command:patch -cl -d [PHPBB DIRECTORY] -p1 < [PATCH NAME](where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.If you do get failures, you should look at using the Changed Files package to replace the files which failed to patch. Please note that you will need to manually re-add any MODs to these particular files. Alternatively, if you know how, you can examine the .rej files to determine what failed where and make manual adjustments to the relevant source.
@@ -297,7 +298,7 @@Advanced settings
This update method is the recommended method for updating. This package detects changed files automatically and merges in changes if needed.
-The automatic update package will update the board from a given version to the latest version. A number of automatic update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is 3.0.11, you need the
+phpBB-3.0.11_to_3.0.12.zip/tar.bz2file.The automatic update package will update the board from a given version to the latest version. A number of automatic update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is 3.0.13, you need the
phpBB-3.0.13_to_3.0.14.zip/tar.bz2file.To perform the update, either follow the instructions from the Administration Control Panel->System Tab - this should point out that you are running an outdated version and will guide you through the update - or follow the instructions listed below.
diff --git a/premod/root/docs/README.html b/premod/root/docs/README.html index 89f573d..d54c58e 100644 --- a/premod/root/docs/README.html +++ b/premod/root/docs/README.html @@ -329,7 +329,7 @@Readme
Please remember that running any application on a development (unstable, e.g. a beta release) version of PHP can lead to strange/unexpected results which may appear to be bugs in the application. Therefore, we recommend you upgrade to the newest stable version of PHP before running phpBB3. If you are running a development version of PHP please check any bugs you find on a system running a stable release before submitting.
-This board has been developed and tested under Linux and Windows (amongst others) running Apache using MySQL 3.23, 4.x, 5.x, MSSQL Server 2000, PostgreSQL 7.x, Oracle 8, SQLite 2 and Firebird. Versions of PHP used range from 4.3.3 to 5.4.x without problem.
+This board has been developed and tested under Linux and Windows (amongst others) running Apache using MySQL 3.23, 4.x, 5.x, MariaDB 5.x, MSSQL Server 2000, PostgreSQL 7.x, Oracle 8, SQLite 2 and Firebird. Versions of PHP used range from 4.3.3 to 5.4.x without problem.
7.i. Notice on PHP security issues
diff --git a/premod/root/docs/coding-guidelines.html b/premod/root/docs/coding-guidelines.html index a541fe8..f3d1615 100644 --- a/premod/root/docs/coding-guidelines.html +++ b/premod/root/docs/coding-guidelines.html @@ -728,7 +728,7 @@sql_build_array():
$sql_ary = array( 'somedata' => $my_string, 'otherdata' => $an_int, - 'moredata' => $another_int + 'moredata' => $another_int, ); $db->sql_query('INSERT INTO ' . SOME_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary)); @@ -740,7 +740,7 @@sql_build_array():
$sql_ary = array( 'somedata' => $my_string, 'otherdata' => $an_int, - 'moredata' => $another_int + 'moredata' => $another_int, ); $sql = 'UPDATE ' . SOME_TABLE . ' @@ -833,20 +833,20 @@sql_build_query():
'FROM' => array( FORUMS_WATCH_TABLE => 'fw', - FORUMS_TABLE => 'f' + FORUMS_TABLE => 'f', ), 'LEFT_JOIN' => array( array( 'FROM' => array(FORUMS_TRACK_TABLE => 'ft'), - 'ON' => 'ft.user_id = ' . $user->data['user_id'] . ' AND ft.forum_id = f.forum_id' - ) + 'ON' => 'ft.user_id = ' . $user->data['user_id'] . ' AND ft.forum_id = f.forum_id', + ), ), 'WHERE' => 'fw.user_id = ' . $user->data['user_id'] . ' AND f.forum_id = fw.forum_id', - 'ORDER_BY' => 'left_id' + 'ORDER_BY' => 'left_id', ); $sql = $db->sql_build_query('SELECT', $sql_array); @@ -860,13 +860,13 @@sql_build_query():
'FROM' => array( FORUMS_WATCH_TABLE => 'fw', - FORUMS_TABLE => 'f' + FORUMS_TABLE => 'f', ), 'WHERE' => 'fw.user_id = ' . $user->data['user_id'] . ' AND f.forum_id = fw.forum_id', - 'ORDER_BY' => 'left_id' + 'ORDER_BY' => 'left_id', ); if ($config['load_db_lastread']) @@ -874,8 +874,8 @@sql_build_query():
$sql_array['LEFT_JOIN'] = array( array( 'FROM' => array(FORUMS_TRACK_TABLE => 'ft'), - 'ON' => 'ft.user_id = ' . $user->data['user_id'] . ' AND ft.forum_id = f.forum_id' - ) + 'ON' => 'ft.user_id = ' . $user->data['user_id'] . ' AND ft.forum_id = f.forum_id', + ), ); $sql_array['SELECT'] .= ', ft.mark_time '; diff --git a/premod/root/download/file.php b/premod/root/download/file.php index 3005338..7c1cef9 100644 --- a/premod/root/download/file.php +++ b/premod/root/download/file.php @@ -533,16 +533,18 @@ function send_file_to_browser($attachment, $upload_dir, $category) } } - if ($size) - { - header("Content-Length: $size"); - } // Close the db connection before sending the file $db->sql_close(); if (!set_modified_headers($attachment['filetime'], $user->browser)) { + // Send Content-Length only if set_modified_headers() does not send + // status 304 - Not Modified + if ($size) + { + header("Content-Length: $size"); + } // Try to deliver in chunks @set_time_limit(0); diff --git a/premod/root/feed.php b/premod/root/feed.php index 9816f0f..e65da87 100644 --- a/premod/root/feed.php +++ b/premod/root/feed.php @@ -463,7 +463,10 @@ class phpbb_feed_base * Separator for the statistics row (Posted by, post date, replies, etc.) */ var $separator_stats = "\xE2\x80\x94"; // — - + + /** @var mixed Query result handle */ + var $result; + /** * Constructor */ @@ -617,10 +620,9 @@ function get_passworded_forums() function get_item() { - global $db, $cache; - static $result; + global $db; - if (!isset($result)) + if (!isset($this->result)) { if (!$this->get_sql()) { @@ -629,10 +631,10 @@ function get_item() // Query database $sql = $db->sql_build_query('SELECT', $this->sql); - $result = $db->sql_query_limit($sql, $this->num_items); + $this->result = $db->sql_query_limit($sql, $this->num_items); } - return $db->sql_fetchrow($result); + return $db->sql_fetchrow($this->result); } function user_viewprofile($row) diff --git a/premod/root/includes/acp/acp_attachments.php b/premod/root/includes/acp/acp_attachments.php index fc5f44e..bffe6f7 100644 --- a/premod/root/includes/acp/acp_attachments.php +++ b/premod/root/includes/acp/acp_attachments.php @@ -127,7 +127,7 @@ function main($id, $mode) 'img_create_thumbnail' => array('lang' => 'CREATE_THUMBNAIL', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), 'img_max_thumb_width' => array('lang' => 'MAX_THUMB_WIDTH', 'validate' => 'int', 'type' => 'text:7:15', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']), 'img_min_thumb_filesize' => array('lang' => 'MIN_THUMB_FILESIZE', 'validate' => 'int', 'type' => 'text:7:15', 'explain' => true, 'append' => ' ' . $user->lang['BYTES']), - 'img_imagick' => array('lang' => 'IMAGICK_PATH', 'validate' => 'string', 'type' => 'text:20:200', 'explain' => true, 'append' => ' [ ' . $user->lang['SEARCH_IMAGICK'] . ' ]'), + 'img_imagick' => array('lang' => 'IMAGICK_PATH', 'validate' => 'absolute_path', 'type' => 'text:20:200', 'explain' => true, 'append' => ' [ ' . $user->lang['SEARCH_IMAGICK'] . ' ]'), 'img_max' => array('lang' => 'MAX_IMAGE_SIZE', 'validate' => 'int', 'type' => 'dimension:3:4', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']), 'img_link' => array('lang' => 'IMAGE_LINK_SIZE', 'validate' => 'int', 'type' => 'dimension:3:4', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']), ) diff --git a/premod/root/includes/constants.php b/premod/root/includes/constants.php index 6e1f079..a2a43c2 100644 --- a/premod/root/includes/constants.php +++ b/premod/root/includes/constants.php @@ -25,7 +25,7 @@ */ // phpBB Version -define('PHPBB_VERSION', '3.0.12'); +define('PHPBB_VERSION', '3.0.15-dev'); // QA-related // define('PHPBB_SEO_QA', 1); diff --git a/premod/root/includes/functions.php b/premod/root/includes/functions.php index 511fdec..0c3e061 100644 --- a/premod/root/includes/functions.php +++ b/premod/root/includes/functions.php @@ -2553,7 +2553,7 @@ function redirect($url, $return = false, $disable_cd_check = false) // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work) if (!$disable_cd_check && $url_parts['host'] !== $user->host) { - $url = generate_board_url(); + trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); } } else if ($url[0] == '/') @@ -2639,6 +2639,12 @@ function redirect($url, $return = false, $disable_cd_check = false) } } } + + // Make sure we don't redirect to external URLs + if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0) + { + trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); + } // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2 if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false) @@ -2843,7 +2849,7 @@ function send_status_line($code, $message) } else { - if (!empty($_SERVER['SERVER_PROTOCOL'])) + if (!empty($_SERVER['SERVER_PROTOCOL']) && is_string($_SERVER['SERVER_PROTOCOL']) && preg_match('#^HTTP/[0-9]\.[0-9]$#', $_SERVER['SERVER_PROTOCOL'])) { $version = $_SERVER['SERVER_PROTOCOL']; } diff --git a/premod/root/includes/session.php b/premod/root/includes/session.php index a2a54ce..e278533 100644 --- a/premod/root/includes/session.php +++ b/premod/root/includes/session.php @@ -120,6 +120,8 @@ function extract_current_page($root_path) $script_path .= (substr($script_path, -1, 1) == '/') ? '' : '/'; $root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/'; + + $forum_id = (isset($_REQUEST['f']) && $_REQUEST['f'] > 0 && $_REQUEST['f'] < 16777215) ? (int) $_REQUEST['f'] : 0; $page_array += array( 'page_name' => $page_name, @@ -130,7 +132,7 @@ function extract_current_page($root_path) 'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path)), 'page' => $page, - 'forum' => (isset($_REQUEST['f']) && $_REQUEST['f'] > 0) ? (int) $_REQUEST['f'] : 0, + 'forum' => $forum_id, ); return $page_array; diff --git a/premod/root/includes/startup.php b/premod/root/includes/startup.php index cf216a6..9531faf 100644 --- a/premod/root/includes/startup.php +++ b/premod/root/includes/startup.php @@ -113,6 +113,54 @@ function deregister_globals() unset($input); } +/** + * Check if requested page uses a trailing path + * + * @param string $phpEx PHP extension + * + * @return bool True if trailing path is used, false if not + */ +function phpbb_has_trailing_path($phpEx) +{ + // Check if path_info is being used + if (!empty($_SERVER['PATH_INFO']) || (!empty($_SERVER['ORIG_PATH_INFO']) && $_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO'])) + { + return true; + } + + // Match any trailing path appended to a php script in the REQUEST_URI. + // It is assumed that only actual PHP scripts use names like foo.php. Due + // to this, any phpBB board inside a directory that has the php extension + // appended to its name will stop working, i.e. if the board is at + // example.com/phpBB/test.php/ or example.com/test.php/ + if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI'])) + { + return true; + } + + return false; +} + +// Check if trailing path is used +if (phpbb_has_trailing_path($phpEx = substr(strrchr(__FILE__, '.'), 1))) +{ + if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi') + { + $prefix = 'Status:'; + } + else if (!empty($_SERVER['SERVER_PROTOCOL']) && is_string($_SERVER['SERVER_PROTOCOL']) && preg_match('#^HTTP/[0-9]\.[0-9]$#', $_SERVER['SERVER_PROTOCOL'])) + { + $prefix = $_SERVER['SERVER_PROTOCOL']; + } + else + { + $prefix = 'HTTP/1.0'; + } + header("$prefix 404 Not Found", true, 404); + echo 'Trailing paths and PATH_INFO is not supported by phpBB 3.0'; + exit; +} + // Register globals and magic quotes have been dropped in PHP 5.4 if (version_compare(PHP_VERSION, '5.4.0-dev', '>=')) { diff --git a/premod/root/includes/ucp/ucp_pm_compose.php b/premod/root/includes/ucp/ucp_pm_compose.php index d7509a1..11ac052 100644 --- a/premod/root/includes/ucp/ucp_pm_compose.php +++ b/premod/root/includes/ucp/ucp_pm_compose.php @@ -57,7 +57,7 @@ function compose_pm($id, $mode, $action, $user_folders = array()) $address_list = array(); } - $submit = (isset($_POST['post'])) ? true : false; + $preview = (isset($_POST['preview'])) ? true : false; $save = (isset($_POST['save'])) ? true : false; $load = (isset($_POST['load'])) ? true : false; @@ -71,7 +71,7 @@ function compose_pm($id, $mode, $action, $user_folders = array()) $refresh = isset($_POST['add_file']) || isset($_POST['delete_file']) || $save || $load || $remove_u || $remove_g || $add_to || $add_bcc; - + $submit = isset($_POST['post']) && !$refresh && !$preview; $action = ($delete && !$preview && !$refresh && $submit) ? 'delete' : $action; $select_single = ($config['allow_mass_pm'] && $auth->acl_get('u_masspm')) ? false : true; diff --git a/premod/root/includes/utf/utf_normalizer.php b/premod/root/includes/utf/utf_normalizer.php index a779524..71508f8 100644 --- a/premod/root/includes/utf/utf_normalizer.php +++ b/premod/root/includes/utf/utf_normalizer.php @@ -15,6 +15,11 @@ exit; } +/** + * Modifications: + * + */ + /** * Some Unicode characters encoded in UTF-8 * diff --git a/premod/root/includes/utf/utf_tools.php b/premod/root/includes/utf/utf_tools.php index 31ad502..f1e2aa3 100644 --- a/premod/root/includes/utf/utf_tools.php +++ b/premod/root/includes/utf/utf_tools.php @@ -15,6 +15,11 @@ exit; } +/** + * Modifications: + * + */ + // Enforce ASCII only string handling setlocale(LC_CTYPE, 'C'); @@ -930,7 +935,7 @@ function utf8_recode($string, $encoding) return gb2312($string); } - // Trigger an error?! Fow now just give bad data :-( + // Trigger an error?! Fow now just gives bad data :-( trigger_error('Unknown encoding: ' . $encoding, E_USER_ERROR); //return $string; // use utf_normalizer::cleanup() ? } @@ -1680,10 +1685,19 @@ function utf8_case_fold_nfkc($text, $option = 'full') { global $phpbb_root_path, $phpEx; include($phpbb_root_path . 'includes/utf/utf_normalizer.' . $phpEx); + $utf_normalizer = new utf_normalizer(); } - + if (version_compare(PHP_VERSION, '5.4.0-dev', '>=') && !isset($utf_normalizer)) + { + $utf_normalizer = new utf_normalizer(); + } + elseif( !is_object($utf_normalizer)) + { + $utf_normalizer = new utf_normalizer(); + } + // convert to NFKC - utf_normalizer::nfkc($text); + $utf_normalizer->nfkc($text); // FC_NFKC_Closure, http://www.unicode.org/Public/5.0.0/ucd/DerivedNormalizationProps.txt $text = strtr($text, $fc_nfkc_closure); @@ -1798,10 +1812,20 @@ function utf8_normalize_nfc($strings) global $phpbb_root_path, $phpEx; include($phpbb_root_path . 'includes/utf/utf_normalizer.' . $phpEx); } - + + if(!isset($utf_normalizer)) + { + $utf_normalizer = new utf_normalizer(); + } + + if(!is_object($utf_normalizer)) + { + $utf_normalizer = new utf_normalizer(); + } + if (!is_array($strings)) { - utf_normalizer::nfc($strings); + $utf_normalizer->nfc($strings); } else if (is_array($strings)) { @@ -1811,12 +1835,12 @@ function utf8_normalize_nfc($strings) { foreach ($string as $_key => $_string) { - utf_normalizer::nfc($strings[$key][$_key]); + $utf_normalizer->nfc($strings[$key][$_key]); } } else { - utf_normalizer::nfc($strings[$key]); + $utf_normalizer->nfc($strings[$key]); } } } diff --git a/premod/root/install/convertors/convert_phpbb20.php b/premod/root/install/convertors/convert_phpbb20.php index f1127da..e726695 100644 --- a/premod/root/install/convertors/convert_phpbb20.php +++ b/premod/root/install/convertors/convert_phpbb20.php @@ -32,7 +32,7 @@ $convertor_data = array( 'forum_name' => 'phpBB 2.0.x', 'version' => '1.0.3', - 'phpbb_version' => '3.0.12', + 'phpbb_version' => '3.0.14', 'author' => 'phpBB Group', 'dbms' => $dbms, 'dbhost' => $dbhost, diff --git a/premod/root/install/database_update.php b/premod/root/install/database_update.php index 6eadb22..8190294 100644 --- a/premod/root/install/database_update.php +++ b/premod/root/install/database_update.php @@ -8,7 +8,7 @@ * */ -define('UPDATES_TO_VERSION', '3.0.12'); +define('UPDATES_TO_VERSION', '3.0.15-dev'); // Enter any version to update from to test updates. The version within the db will not be updated. define('DEBUG_FROM_VERSION', false); @@ -436,7 +436,7 @@ function phpbb_require_updated($path, $optional = false) WHERE config_name = 'version'"; _sql($sql, $errored, $error_ary); // SEO premod - set_config('seo_premod_version', '3.0.12'); + set_config('seo_premod_version', '3.0.13-PL1'); } // Reset permissions @@ -964,7 +964,7 @@ function database_update_info() // this column was removed from the database updater // after 3.0.9-RC3 was released. It might still exist // in 3.0.9-RCX installations and has to be dropped in - // 3.0.13 after the db_tools class is capable of properly + // 3.0.15 after the db_tools class is capable of properly // removing a primary key. // 'attempt_id' => array('UINT', NULL, 'auto_increment'), 'attempt_ip' => array('VCHAR:40', ''), @@ -1026,8 +1026,16 @@ function database_update_info() '3.0.12-RC2' => array(), // No changes from 3.0.12-RC3 to 3.0.12 '3.0.12-RC3' => array(), - - /** @todo DROP LOGIN_ATTEMPT_TABLE.attempt_id in 3.0.13-RC1 */ + // No changes from 3.0.12 to 3.0.13-RC1 + '3.0.12' => array(), + // No changes from 3.0.13-RC1 to 3.0.13 + '3.0.13-RC1' => array(), + // No changes from 3.0.13 to 3.0.13-PL1 + '3.0.13' => array(), + // No changes from 3.0.13-PL1 to 3.0.14-RC1 + '3.0.13-PL1' => array(), + + /** @todo DROP LOGIN_ATTEMPT_TABLE.attempt_id in 3.0.15-RC1 */ ); } @@ -2277,6 +2285,22 @@ function change_database_data(&$no_updates, $version) // No changes from 3.0.12-RC3 to 3.0.12 case '3.0.12-RC3': break; + + // No changes from 3.0.12 to 3.0.13-RC1 + case '3.0.12': + break; + + // No changes from 3.0.13-RC1 to 3.0.13 + case '3.0.13-RC1': + break; + + // No changes from 3.0.13 to 3.0.13-PL1 + case '3.0.13': + break; + + // No changes from 3.0.13-PL1 to 3.0.14-RC1 + case '3.0.13-PL1': + break; } } diff --git a/premod/root/install/schemas/schema_data.sql b/premod/root/install/schemas/schema_data.sql index 6eae984..d88665f 100644 --- a/premod/root/install/schemas/schema_data.sql +++ b/premod/root/install/schemas/schema_data.sql @@ -246,7 +246,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page', INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files'); -INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.0.12'); +INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.0.15-dev'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90'); INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400'); diff --git a/premod/root/posting.php b/premod/root/posting.php index 83f9cac..87ce592 100644 --- a/premod/root/posting.php +++ b/premod/root/posting.php @@ -32,7 +32,7 @@ $draft_id = request_var('d', 0); $lastclick = request_var('lastclick', 0); -$submit = (isset($_POST['post'])) ? true : false; + $preview = (isset($_POST['preview'])) ? true : false; $save = (isset($_POST['save'])) ? true : false; $load = (isset($_POST['load'])) ? true : false; @@ -40,6 +40,7 @@ $cancel = (isset($_POST['cancel']) && !isset($_POST['save'])) ? true : false; $refresh = (isset($_POST['add_file']) || isset($_POST['delete_file']) || isset($_POST['full_editor']) || isset($_POST['cancel_unglobalise']) || $save || $load) ? true : false; +$submit = isset($_POST['post']) && !$refresh && !$preview; $mode = ($delete && !$preview && !$refresh && $submit) ? 'delete' : request_var('mode', ''); $error = $post_data = array();