Merge branch '3.3.x'

2025-05-03 22:27:54 +02:00 · 2021-10-03 15:26:00 +02:00 · 2021-10-03 15:26:00 +02:00 · 46ded2ad94
commit 46ded2ad94
parent 71b8e49b3c 441a5a2175
5 changed files with 61 additions and 2 deletions
--- a/build/build.xml
+++ b/build/build.xml
@ -3,7 +3,7 @@
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
 	<property name="newversion" value="4.0.0-a1-dev" />
-	<property name="prevversion" value="3.3.5-RC1" />
+	<property name="prevversion" value="3.3.5" />
 	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4" />
 	<!-- no configuration should be needed beyond this point -->

--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@ -50,6 +50,7 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ul>
+		<li><a href="#v335rc1">Changes since 3.3.5-RC1</a></li>
 		<li><a href="#v334">Changes since 3.3.4</a></li>
 		<li><a href="#v334rc1">Changes since 3.3.4-RC1</a></li>
 		<li><a href="#v333">Changes since 3.3.3</a></li>
@ -157,6 +158,16 @@
 		<div class="inner">

 		<div class="content">
+			<a name="v335rc1"></a><h3>Changes since 3.3.5-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16878">PHPBB3-16878</a>] - Error in password_hash() with ARGON2 + Sodium &amp; threadcount &gt; 1</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/SECURITY-254">SECURITY-254</a>] - Disallow whitespace characters that might be invisible</li>
+			</ul>
+
 			<a name="v334"></a><h3>Changes since 3.3.4</h3>
 			<h4>Bug</h4>
 			<ul>
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@ -1751,7 +1751,8 @@ function validate_username($username, $allowed_username = false, $allow_all_name
 	}

 	// ... fast checks first.
-	if (strpos($username, '&quot;') !== false || strpos($username, '"') !== false || empty($clean_username))
+	if (strpos($username, '&quot;') !== false || strpos($username, '"') !== false || empty($clean_username)
+		|| preg_match('/[\x{180E}\x{2005}-\x{200D}\x{202F}\x{205F}\x{2060}\x{FEFF}]/u', $username))
 	{
 		return 'INVALID_CHARS';
 	}
--- a/phpBB/phpbb/db/migration/data/v33x/v335.php
+++ b/phpBB/phpbb/db/migration/data/v33x/v335.php
@ -0,0 +1,36 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v33x;
+
+class v335 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return version_compare($this->config['version'], '3.3.5', '>=');
+	}
+
+	public static function depends_on()
+	{
+		return [
+			'\phpbb\db\migration\data\v33x\v335rc1',
+		];
+	}
+
+	public function update_data()
+	{
+		return [
+			['config.update', ['version', '3.3.5']],
+		];
+	}
+}
--- a/tests/functions/validate_username_test.php
+++ b/tests/functions/validate_username_test.php
@ -51,6 +51,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 				'barfoo_disallow'	=> array('USERNAME_DISALLOWED'),
 				'admin_taken'		=> array('USERNAME_TAKEN'),
 				'group_taken'		=> array('USERNAME_TAKEN'),
+				'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 			)),
 			array('USERNAME_ALPHA_ONLY', array(
 				'foobar_allow'		=> array(),
@ -65,6 +66,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 				'barfoo_disallow'	=> array('USERNAME_DISALLOWED'),
 				'admin_taken'		=> array('USERNAME_TAKEN'),
 				'group_taken'		=> array('INVALID_CHARS'),
+				'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 			)),
 			array('USERNAME_ALPHA_SPACERS', array(
 				'foobar_allow'		=> array(),
@ -79,6 +81,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 				'barfoo_disallow'	=> array('USERNAME_DISALLOWED'),
 				'admin_taken'		=> array('USERNAME_TAKEN'),
 				'group_taken'		=> array('USERNAME_TAKEN'),
+				'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 			)),
 			array('USERNAME_LETTER_NUM', array(
 				'foobar_allow'		=> array(),
@ -93,6 +96,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 				'barfoo_disallow'	=> array('USERNAME_DISALLOWED'),
 				'admin_taken'		=> array('USERNAME_TAKEN'),
 				'group_taken'		=> array('INVALID_CHARS'),
+				'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 			)),
 			array('USERNAME_LETTER_NUM_SPACERS', array(
 				'foobar_allow'		=> array(),
@ -107,6 +111,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 				'barfoo_disallow'	=> array('USERNAME_DISALLOWED'),
 				'admin_taken'		=> array('USERNAME_TAKEN'),
 				'group_taken'		=> array('USERNAME_TAKEN'),
+				'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 			)),
 			array('USERNAME_ASCII', array(
 				'foobar_allow'		=> array(),
@ -121,6 +126,7 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 				'barfoo_disallow'	=> array('USERNAME_DISALLOWED'),
 				'admin_taken'		=> array('USERNAME_TAKEN'),
 				'group_taken'		=> array('USERNAME_TAKEN'),
+				'a d m i n i ᠎strator' => array('INVALID_CHARS'),
 			)),
 		);
 	}
@ -201,6 +207,11 @@ class phpbb_functions_validate_data_test extends phpbb_database_test_case
 				'foobar_group',
 				array('username'),
 			),
+			'a d m i n i ᠎strator' => array(
+				$expected['a d m i n i ᠎strator'],
+				'a d m i n i ᠎strator',
+				array('username'),
+			),
 		));
 	}
 }