From 61683f895cff778d722175a8e5ddd2a5facbc42f Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 13 Nov 2016 11:43:17 +0100
Subject: [PATCH 01/21] [ticket/security-181] Deny access to migrations folders

SECURITY-181
---
 phpBB/phpbb/db/migration/data/v30x/.htaccess | 33 ++++++++++++++++++++
 phpBB/phpbb/db/migration/data/v310/.htaccess | 33 ++++++++++++++++++++
 phpBB/phpbb/db/migration/data/v31x/.htaccess | 33 ++++++++++++++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 phpBB/phpbb/db/migration/data/v30x/.htaccess
 create mode 100644 phpBB/phpbb/db/migration/data/v310/.htaccess
 create mode 100644 phpBB/phpbb/db/migration/data/v31x/.htaccess

diff --git a/phpBB/phpbb/db/migration/data/v30x/.htaccess b/phpBB/phpbb/db/migration/data/v30x/.htaccess
new file mode 100644
index 0000000000..44242b5418
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v30x/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
diff --git a/phpBB/phpbb/db/migration/data/v310/.htaccess b/phpBB/phpbb/db/migration/data/v310/.htaccess
new file mode 100644
index 0000000000..44242b5418
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v310/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
diff --git a/phpBB/phpbb/db/migration/data/v31x/.htaccess b/phpBB/phpbb/db/migration/data/v31x/.htaccess
new file mode 100644
index 0000000000..44242b5418
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>

From 7ba9b06881ddd70bd3b10e2785b91908e851cdaa Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 13 Nov 2016 11:50:23 +0100
Subject: [PATCH 02/21] [ticket/security-181] Port .htaccess changes to other
 webserver types

SECURITY-181
---
 phpBB/docs/lighttpd.sample.conf | 2 +-
 phpBB/docs/nginx.sample.conf    | 2 +-
 phpBB/web.config                | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/phpBB/docs/lighttpd.sample.conf b/phpBB/docs/lighttpd.sample.conf
index 5b04122267..f5b509e002 100644
--- a/phpBB/docs/lighttpd.sample.conf
+++ b/phpBB/docs/lighttpd.sample.conf
@@ -37,7 +37,7 @@ $HTTP["host"] == "www.myforums.com" {
 	accesslog.filename		= "/var/log/lighttpd/access-www.myforums.com.log"
 	
 	# Deny access to internal phpbb files.	
-	$HTTP["url"] =~ "^/(config\.php|common\.php|includes|cache|files|store|images/avatars/upload)" {
+	$HTTP["url"] =~ "^/(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)" {
 		url.access-deny = ( "" )
 	}
 
diff --git a/phpBB/docs/nginx.sample.conf b/phpBB/docs/nginx.sample.conf
index 2ead3552fd..bf33f4e73d 100644
--- a/phpBB/docs/nginx.sample.conf
+++ b/phpBB/docs/nginx.sample.conf
@@ -72,7 +72,7 @@ http {
         }
 
         # Deny access to internal phpbb files.
-        location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) {
+        location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor) {
             deny all;
             # deny was ignored before 0.8.40 for connections over IPv6.
             # Use internal directive to prohibit access on older versions.
diff --git a/phpBB/web.config b/phpBB/web.config
index 99a1fe6023..d0a3cb33fe 100644
--- a/phpBB/web.config
+++ b/phpBB/web.config
@@ -18,7 +18,10 @@
 				<hiddenSegments>
 					<add segment="cache" />
 					<add segment="files" />
+					<add segment="includes" />
+					<add segment="phpbb" />
 					<add segment="store" />
+					<add segment="vendor" />
 					<add segment="config.php" />
 					<add segment="common.php" />
 				</hiddenSegments>

From 44dd1ef9842c83f7ba4a37bf4a17489d5fe73991 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 13 Nov 2016 12:26:35 +0100
Subject: [PATCH 03/21] [ticket/security-181] Update INSTALL.html to ask for
 more secure apache config

SECURITY-181
---
 phpBB/docs/INSTALL.html              | 18 +++++++++++++++---
 phpBB/docs/assets/css/stylesheet.css | 11 +++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html
index 9f8bbe74b8..53c18da733 100644
--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@@ -148,7 +148,7 @@
 			<li>Oracle</li>
 		</ul>
 		</li>
-		<li><strong>PHP 5.3.3+</strong> and <strong>PHP < 7.0</strong> with support for the database you intend to use.</li>
+		<li><strong>PHP 5.3.3+</strong> and <strong>PHP &lt; 7.0</strong> with support for the database you intend to use.</li>
 		<li>The following PHP modules are required:
 		<ul>
 			<li>json</li>
@@ -455,9 +455,21 @@
 
 <a name="webserver_configuration"></a><h3>6.ii. Webserver configuration</h3>
 
-	<p>Depending on your web server, you may have to configure your server to deny web access to the <code>cache/</code>, <code>files/</code>, <code>store/</code> and other directories. This is to prevent users from accessing sensitive files.</p>
+	<p>Depending on your web server, you may have to configure your server to deny web access to the <code>cache/</code>, <code>files/</code>, <code>includes</code>, <code>phpbb</code>, <code>store/</code>, and <code>vendor</code> directories. This is to prevent users from accessing sensitive files.</p>
 
-	<p>For <strong>Apache</strong> there are <code>.htaccess</code> files already in place to do this for you. Similarly, for <strong>Windows</strong> based servers using <strong>IIS</strong> there are <code>web.config</code> files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in <code>docs/</code> directory.</p>
+	<p>
+		For <strong>Apache</strong> there are <code>.htaccess</code> files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration.<br />
+		On Apache 2.4, denying access to the <code>phpbb</code> folder in a phpBB instance located at <code>/var/www/html/</code> would work like this:
+		<pre>
+&lt;Directory /var/www/html/phpbb/*&gt;
+	Require all denied
+&lt;/Directory&gt;
+&lt;Directory /var/www/html/phpbb>
+	Require all denied
+&lt;/Directory&gt;</pre>
+		<br />
+	<p>The same settings can be applied to the other mentioned directories by replacing <code>phpbb</code> by the respective directory name. Please pay attention to the difference in syntax between Apache version <a href="https://httpd.apache.org/docs/2.2/howto/access.html">2.2</a> and <a href="https://httpd.apache.org/docs/2.4/howto/access.html">2.4</a>.</p>
+	<p>For <strong>Windows</strong> based servers using <strong>IIS</strong> there are <code>web.config</code> files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in <code>docs/</code> directory.</p>
 
 		</div>
 
diff --git a/phpBB/docs/assets/css/stylesheet.css b/phpBB/docs/assets/css/stylesheet.css
index 192a6f9f79..c090ab7e07 100644
--- a/phpBB/docs/assets/css/stylesheet.css
+++ b/phpBB/docs/assets/css/stylesheet.css
@@ -115,6 +115,17 @@ code {
 	padding: 0 4px;
 }
 
+pre {
+	color: #006600;
+	font-weight: normal;
+	font-family: 'Courier New', monospace;
+	border-color: #D1D7DC;
+	border-width: 1px;
+	border-style: solid;
+	background-color: #FAFAFA;
+	padding: 0 4px
+}
+
 #wrap {
 	padding: 0 20px;
 	min-width: 650px;

From 78c2e31ec2cab20f5fc0555706b27b63ad7d9437 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 13 Nov 2016 11:45:42 +0100
Subject: [PATCH 04/21] [ticket/security-181] Add .htaccess to 3.2.x migrations

SECURITY-181
---
 phpBB/phpbb/db/migration/data/v320/.htaccess | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 phpBB/phpbb/db/migration/data/v320/.htaccess

diff --git a/phpBB/phpbb/db/migration/data/v320/.htaccess b/phpBB/phpbb/db/migration/data/v320/.htaccess
new file mode 100644
index 0000000000..44242b5418
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v320/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>

From 658820654f5789a786a5537c1b43991744b83d2c Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Mon, 26 Dec 2016 22:01:51 +0100
Subject: [PATCH 05/21] [ticket/security-203] Fully validate version check data
 in version helper

This will also take care of SECURITY-204 as it's the same underlying issue.
Admins still need to ensure they don't visit malicious sites for URLs
provided by extensions.

SECURITY-203
---
 phpBB/includes/functions.php                 |   5 +
 phpBB/language/en/acp/common.php             |  13 ++-
 phpBB/phpbb/version_helper.php               | 107 +++++++++++++++++++
 tests/version/version_helper_remote_test.php | 100 +++++++++++------
 4 files changed, 185 insertions(+), 40 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index ba448f3125..84178f74e4 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3442,6 +3442,11 @@ function get_preg_expression($mode)
 		case 'path_remove_dot_trailing_slash':
 			return '#^(?:(\.)?)+(?:(.+)?)+(?:([\\/\\\])$)#';
 		break;
+
+		case 'semantic_version':
+			// Regular expression to match semantic versions by http://rgxdb.com/
+			return '/(?<=^[Vv]|^)(?:(?<major>(?:0|[1-9](?:(?:0|[1-9])+)*))[.](?<minor>(?:0|[1-9](?:(?:0|[1-9])+)*))[.](?<patch>(?:0|[1-9](?:(?:0|[1-9])+)*))(?:-(?<prerelease>(?:(?:(?:[A-Za-z]|-)(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)?|(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)(?:[A-Za-z]|-)(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)?)|(?:0|[1-9](?:(?:0|[1-9])+)*))(?:[.](?:(?:(?:[A-Za-z]|-)(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)?|(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)(?:[A-Za-z]|-)(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)?)|(?:0|[1-9](?:(?:0|[1-9])+)*)))*))?(?:[+](?<build>(?:(?:(?:[A-Za-z]|-)(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)?|(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)(?:[A-Za-z]|-)(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)?)|(?:(?:0|[1-9])+))(?:[.](?:(?:(?:[A-Za-z]|-)(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)?|(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)(?:[A-Za-z]|-)(?:(?:(?:0|[1-9])|(?:[A-Za-z]|-))+)?)|(?:(?:0|[1-9])+)))*))?)$/';
+		break;
 	}
 
 	return '';
diff --git a/phpBB/language/en/acp/common.php b/phpBB/language/en/acp/common.php
index 88e60d00a3..9d2723ceb3 100644
--- a/phpBB/language/en/acp/common.php
+++ b/phpBB/language/en/acp/common.php
@@ -417,11 +417,14 @@ $lang = array_merge($lang, array(
 	'UPLOAD_DIR_SIZE'	=> 'Size of posted attachments',
 	'USERS_PER_DAY'		=> 'Users per day',
 
-	'VALUE'						=> 'Value',
-	'VERSIONCHECK_FAIL'			=> 'Failed to obtain latest version information.',
-	'VERSIONCHECK_FORCE_UPDATE'	=> 'Re-Check version',
-	'VIEW_ADMIN_LOG'			=> 'View administrator log',
-	'VIEW_INACTIVE_USERS'		=> 'View inactive users',
+	'VALUE'							=> 'Value',
+	'VERSIONCHECK_FAIL'				=> 'Failed to obtain latest version information.',
+	'VERSIONCHECK_FORCE_UPDATE'		=> 'Re-Check version',
+	'VERSIONCHECK_INVALID_ENTRY'	=> 'Latest version information contains an unsupported entry.',
+	'VERSIONCHECK_INVALID_URL'		=> 'Latest version information contains invalid URL.',
+	'VERSIONCHECK_INVALID_VERSION'	=> 'Latest version information contains an invalid version.',
+	'VIEW_ADMIN_LOG'				=> 'View administrator log',
+	'VIEW_INACTIVE_USERS'			=> 'View inactive users',
 
 	'WELCOME_PHPBB'			=> 'Welcome to phpBB',
 	'WRITABLE_CONFIG'		=> 'Your config file (config.php) is currently world-writable. We strongly encourage you to change the permissions to 640 or at least to 644 (for example: <a href="http://en.wikipedia.org/wiki/Chmod" rel="external">chmod</a> 640 config.php).',
diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php
index a1e66ba8fe..dc95f6d001 100644
--- a/phpBB/phpbb/version_helper.php
+++ b/phpBB/phpbb/version_helper.php
@@ -61,6 +61,23 @@ class version_helper
 	/** @var \phpbb\user */
 	protected $user;
 
+	protected $version_schema = array(
+		'stable' => array(
+			'current'		=> 'version',
+			'download'		=> 'url',
+			'announcement'	=> 'url',
+			'eol'			=> 'url',
+			'security'		=> 'bool',
+		),
+		'unstable' => array(
+			'current'		=> 'version',
+			'download'		=> 'url',
+			'announcement'	=> 'url',
+			'eol'			=> 'url',
+			'security'		=> 'bool',
+		),
+	);
+
 	/**
 	 * Constructor
 	 *
@@ -298,9 +315,99 @@ class version_helper
 			$info['stable'] = (empty($info['stable'])) ? array() : $info['stable'];
 			$info['unstable'] = (empty($info['unstable'])) ? $info['stable'] : $info['unstable'];
 
+			$this->validate_versions($info);
+
 			$this->cache->put($cache_file, $info, 86400); // 24 hours
 		}
 
 		return $info;
 	}
+
+	/**
+	 * Validate versions info input
+	 *
+	 * @param array $versions_info Decoded json data array. Will be modified
+	 *		and cleaned by this method
+	 */
+	public function validate_versions(&$versions_info)
+	{
+		$array_diff = array_diff_key($versions_info, array($this->version_schema));
+
+		// Remove excessive data
+		if (count($array_diff) > 0)
+		{
+			$old_versions_info = $versions_info;
+			$versions_info = array(
+				'stable'	=> !empty($old_versions_info['stable']) ? $old_versions_info['stable'] : array(),
+				'unstable'	=> !empty($old_versions_info['unstable']) ? $old_versions_info['unstable'] : array(),
+			);
+			unset($old_versions_info);
+		}
+
+		foreach ($versions_info as $stability_type => &$versions_data)
+		{
+			foreach ($versions_data as $branch => &$version_data)
+			{
+				if (!preg_match('/^[0-9]+\.[0-9]+$/', $branch))
+				{
+					unset($versions_data[$branch]);
+					continue;
+				}
+
+				$stability_diff = array_diff_key($version_data, $this->version_schema[$stability_type]);
+
+				if (count($stability_diff) > 0)
+				{
+					$old_version_data = $version_data;
+					$version_data = array();
+					foreach ($this->version_schema[$stability_type] as $key => $value)
+					{
+						if (isset($old_version_data[$key]) || $old_version_data[$key] === null)
+						{
+							$version_data[$key] = $old_version_data[$key];
+						}
+					}
+					unset($old_version_data);
+				}
+
+				foreach ($version_data as $key => &$value)
+				{
+					if (!isset($this->version_schema[$stability_type][$key]))
+					{
+						unset($version_data[$key]);
+						throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_ENTRY'));
+					}
+
+					switch ($this->version_schema[$stability_type][$key])
+					{
+						case 'bool':
+							$value = (bool) $value;
+						break;
+
+						case 'url':
+							if (!empty($value) && !preg_match('#^' . get_preg_expression('url') . '$#iu', $value) &&
+								!preg_match('#^' . get_preg_expression('www_url') . '$#iu', $value))
+							{
+								$value = '';
+								throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_URL'));
+							}
+						break;
+
+						case 'version':
+							$value = $value ?: '';
+							if (!preg_match(get_preg_expression('semantic_version'), $value))
+							{
+								$value = '';
+								throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_VERSION'));
+							}
+						break;
+
+						default:
+							// Shouldn't be possible to trigger this
+							throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_ENTRY'));
+					}
+				}
+			}
+		}
+	}
 }
diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php
index 65ae7646b9..596b7194de 100644
--- a/tests/version/version_helper_remote_test.php
+++ b/tests/version/version_helper_remote_test.php
@@ -37,21 +37,21 @@ class version_helper_remote_test extends \phpbb_test_case
 			->will($this->returnValue(false));
 		$this->file_downloader = new phpbb_mock_file_downloader();
 
+		$this->user = new \phpbb\user('\phpbb\datetime');
+		$this->user->add_lang('acp/common');
 		$this->version_helper = new \phpbb\version_helper(
 			$this->cache,
 			$config,
 			$this->file_downloader,
-			new \phpbb\user('\phpbb\datetime')
+			$this->user
 		);
-		$this->user = new \phpbb\user('\phpbb\datetime');
-		$this->user->add_lang('acp/common');
 	}
 
 	public function provider_get_versions()
 	{
 		return array(
-			array('', false),
-			array('foobar', false),
+			array('', false, '', 'VERSIONCHECK_FAIL'),
+			array('foobar', false, '', 'VERSIONCHECK_FAIL'),
 			array('{
     "stable": {
         "1.0": {
@@ -92,7 +92,7 @@ class version_helper_remote_test extends \phpbb_test_case
             "security": false
         }
     }
-}', false),
+}', false, '', 'VERSIONCHECK_FAIL'),
 			array('{
     "stable": {
         "1.0": {
@@ -103,26 +103,7 @@ class version_helper_remote_test extends \phpbb_test_case
             "security": "<script>alert(\'foo\');</script>"
         }
     }
-}', true, array (
-				'stable' => array (
-					'1.0' => array (
-						'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-					),
-				),
-				'unstable' => array (
-					'1.0' => array (
-						'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-					),
-				),
-			)),
+}', false, null, 'VERSIONCHECK_INVALID_VERSION'),
 			array('{
     "unstable": {
         "1.0": {
@@ -133,25 +114,74 @@ class version_helper_remote_test extends \phpbb_test_case
             "security": "<script>alert(\'foo\');</script>"
         }
     }
+}', false, null, 'VERSIONCHECK_INVALID_VERSION'),
+			array('{
+    "unstable": {
+        "1.0<script>alert(\'foo\');</script>": {
+            "current": "1.0.1",
+            "download": "https://www.phpbb.com/customise/db/download/104136",
+            "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
+            "eol": "",
+            "security": ""
+        }
+    }
+}', false, array('stable' => array(), 'unstable' => array()), 'VERSIONCHECK_INVALID_VERSION'),
+			array('{
+	"\"\n<script>alert(\'foo\');</script>\n": "test",
+    "stable": {
+        "1.0": {
+            "current": "1.0.1",
+            "download": "https://www.phpbb.com/customise/db/download/104136",
+            "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
+            "eol": null,
+            "security": false
+        }
+    }
 }', true, array (
-				'unstable' => array (
+				'stable' => array (
 					'1.0' => array (
-						'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
-						'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
+						'current' => '1.0.1',
+						'download' => 'https://www.phpbb.com/customise/db/download/104136',
+						'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/',
+						'eol' => NULL,
+						'security' => false,
+					),
+				),
+				'unstable' => array (
+					'1.0' => array (
+						'current' => '1.0.1',
+						'download' => 'https://www.phpbb.com/customise/db/download/104136',
+						'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/',
+						'eol' => NULL,
+						'security' => false,
 					),
 				),
-				'stable' => array(),
 			)),
+			array('{
+    "unstable": {
+        "1.0": {
+            "current": "1.0.1",
+            "download": "https://www.phpbb.com/customise/db/download/104136",
+            "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
+            "eol": null,
+            "security": false,
+            "foobar": "<script>alert(\'test\');<script>"
+        }
+    }
+}', true, array('stable' => array(), 'unstable' => array('1.0' => array(
+				'current' => '1.0.1',
+				'download'	=> 'https://www.phpbb.com/customise/db/download/104136',
+				'announcement'	=> 'https://www.phpbb.com/customise/db/extension/boardrules/',
+				'eol'		=> null,
+				'security'	=> false,
+			))), 'VERSIONCHECK_INVALID_ENTRY'),
 		);
 	}
 
 	/**
 	 * @dataProvider provider_get_versions
 	 */
-	public function test_get_versions($input, $valid_data, $expected_return = '')
+	public function test_get_versions($input, $valid_data, $expected_return = '', $expected_exception = '')
 	{
 		$this->file_downloader->set($input);
 
@@ -160,7 +190,7 @@ class version_helper_remote_test extends \phpbb_test_case
 			try {
 				$return = $this->version_helper->get_versions();
 			} catch (\RuntimeException $e) {
-				$this->assertEquals((string)$e->getMessage(), $this->user->lang('VERSIONCHECK_FAIL'));
+				$this->assertEquals((string)$e->getMessage(), $this->user->lang($expected_exception));
 			}
 		}
 		else

From ad251e4590744b0927019ae935c92c7101aa7678 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Tue, 27 Dec 2016 18:11:31 +0100
Subject: [PATCH 06/21] [ticket/security-203] Do not add null values to
 versions info

Also stopped using reference for validate_versions() method argument.

SECURTIY-203
---
 phpBB/phpbb/version_helper.php               | 15 ++++++++-------
 tests/version/version_helper_remote_test.php | 15 ++++++++++++++-
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php
index dc95f6d001..e2d90af04a 100644
--- a/phpBB/phpbb/version_helper.php
+++ b/phpBB/phpbb/version_helper.php
@@ -315,7 +315,7 @@ class version_helper
 			$info['stable'] = (empty($info['stable'])) ? array() : $info['stable'];
 			$info['unstable'] = (empty($info['unstable'])) ? $info['stable'] : $info['unstable'];
 
-			$this->validate_versions($info);
+			$info = $this->validate_versions($info);
 
 			$this->cache->put($cache_file, $info, 86400); // 24 hours
 		}
@@ -328,8 +328,10 @@ class version_helper
 	 *
 	 * @param array $versions_info Decoded json data array. Will be modified
 	 *		and cleaned by this method
+	 *
+	 * @return array Versions info array
 	 */
-	public function validate_versions(&$versions_info)
+	public function validate_versions($versions_info)
 	{
 		$array_diff = array_diff_key($versions_info, array($this->version_schema));
 
@@ -362,7 +364,7 @@ class version_helper
 					$version_data = array();
 					foreach ($this->version_schema[$stability_type] as $key => $value)
 					{
-						if (isset($old_version_data[$key]) || $old_version_data[$key] === null)
+						if (isset($old_version_data[$key]))
 						{
 							$version_data[$key] = $old_version_data[$key];
 						}
@@ -388,16 +390,13 @@ class version_helper
 							if (!empty($value) && !preg_match('#^' . get_preg_expression('url') . '$#iu', $value) &&
 								!preg_match('#^' . get_preg_expression('www_url') . '$#iu', $value))
 							{
-								$value = '';
 								throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_URL'));
 							}
 						break;
 
 						case 'version':
-							$value = $value ?: '';
-							if (!preg_match(get_preg_expression('semantic_version'), $value))
+							if (!empty($value) && !preg_match(get_preg_expression('semantic_version'), $value))
 							{
-								$value = '';
 								throw new \RuntimeException($this->user->lang('VERSIONCHECK_INVALID_VERSION'));
 							}
 						break;
@@ -409,5 +408,7 @@ class version_helper
 				}
 			}
 		}
+
+		return $versions_info;
 	}
 }
diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php
index 596b7194de..b2d497b72a 100644
--- a/tests/version/version_helper_remote_test.php
+++ b/tests/version/version_helper_remote_test.php
@@ -172,7 +172,20 @@ class version_helper_remote_test extends \phpbb_test_case
 				'current' => '1.0.1',
 				'download'	=> 'https://www.phpbb.com/customise/db/download/104136',
 				'announcement'	=> 'https://www.phpbb.com/customise/db/extension/boardrules/',
-				'eol'		=> null,
+				'security'	=> false,
+			))), 'VERSIONCHECK_INVALID_ENTRY'),
+			array('{
+    "unstable": {
+        "1.0": {
+            "current<script>alert(\'foo\');</script>": "1.0.1",
+            "download2": "https://www.phpbb.com/customise/db/download/104136",
+            "bannouncement": "https://www.phpbb.com/customise/db/extension/boardrules/",
+            "eol": null,
+            "security": false,
+            "foobar": "<script>alert(\'test\');<script>"
+        }
+    }
+}', true, array('stable' => array(), 'unstable' => array('1.0' => array(
 				'security'	=> false,
 			))), 'VERSIONCHECK_INVALID_ENTRY'),
 		);

From 90a77ba9d3e97718e9da7d1ee95ece4e756d26b7 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Tue, 27 Dec 2016 18:18:20 +0100
Subject: [PATCH 07/21] [ticket/security-203] Allow more characters for branch
 names

SECURITY-203
---
 phpBB/phpbb/version_helper.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/phpBB/phpbb/version_helper.php b/phpBB/phpbb/version_helper.php
index e2d90af04a..70a009ed3d 100644
--- a/phpBB/phpbb/version_helper.php
+++ b/phpBB/phpbb/version_helper.php
@@ -243,7 +243,7 @@ class version_helper
 	*
 	* @param bool $force_update Ignores cached data. Defaults to false.
 	* @param bool $force_cache Force the use of the cache. Override $force_update.
-	* @return string Version info
+	* @return array Version info
 	* @throws \RuntimeException
 	*/
 	public function get_versions_matching_stability($force_update = false, $force_cache = false)
@@ -350,7 +350,7 @@ class version_helper
 		{
 			foreach ($versions_data as $branch => &$version_data)
 			{
-				if (!preg_match('/^[0-9]+\.[0-9]+$/', $branch))
+				if (!preg_match('/^[0-9a-z\-\.]+$/i', $branch))
 				{
 					unset($versions_data[$branch]);
 					continue;

From 1dea4625d0f958787c6357bef84a6d7a5453fe5f Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Fri, 6 Jan 2017 12:27:38 +0100
Subject: [PATCH 08/21] [ticket/security-181] Update wording in INSTALL.html

SECURITY-181
---
 phpBB/docs/INSTALL.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html
index 53c18da733..19644327c2 100644
--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@@ -459,7 +459,7 @@
 
 	<p>
 		For <strong>Apache</strong> there are <code>.htaccess</code> files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration.<br />
-		On Apache 2.4, denying access to the <code>phpbb</code> folder in a phpBB instance located at <code>/var/www/html/</code> would work like this:
+		On Apache 2.4, denying access to the <code>phpbb</code> folder in a phpBB instance located at <code>/var/www/html/</code> would be accomplished by adding the following access rules to the Apache configuration file (typically apache.conf):
 		<pre>
 &lt;Directory /var/www/html/phpbb/*&gt;
 	Require all denied
@@ -468,8 +468,8 @@
 	Require all denied
 &lt;/Directory&gt;</pre>
 		<br />
-	<p>The same settings can be applied to the other mentioned directories by replacing <code>phpbb</code> by the respective directory name. Please pay attention to the difference in syntax between Apache version <a href="https://httpd.apache.org/docs/2.2/howto/access.html">2.2</a> and <a href="https://httpd.apache.org/docs/2.4/howto/access.html">2.4</a>.</p>
-	<p>For <strong>Windows</strong> based servers using <strong>IIS</strong> there are <code>web.config</code> files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in <code>docs/</code> directory.</p>
+	<p>The same settings can be applied to the other mentioned directories by replacing <code>phpbb</code> by the respective directory name. Please note that there are differences in syntax between Apache version <a href="https://httpd.apache.org/docs/2.2/howto/access.html">2.2</a> and <a href="https://httpd.apache.org/docs/2.4/howto/access.html">2.4</a>.</p>
+	<p>For <strong>Windows</strong> based servers using <strong>IIS</strong> there are <code>web.config</code> files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in the <code>docs/</code> directory.</p>
 
 		</div>
 

From 4303ae9ae6910d848af92a50bf51c4e43accae73 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 18 Jun 2017 12:15:46 +0200
Subject: [PATCH 09/21] [ticket/security/124] Filter out disallowed search
 query items

SECURITY-124
---
 phpBB/phpbb/search/fulltext_mysql.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/phpBB/phpbb/search/fulltext_mysql.php b/phpBB/phpbb/search/fulltext_mysql.php
index f8bda9ae81..64a63e83e0 100644
--- a/phpBB/phpbb/search/fulltext_mysql.php
+++ b/phpBB/phpbb/search/fulltext_mysql.php
@@ -272,6 +272,27 @@ class fulltext_mysql extends \phpbb\search\base
 
 		foreach ($this->split_words as $i => $word)
 		{
+			// Check for not allowed search queries for InnoDB.
+			// We assume similar restrictions for MyISAM, which is usually even
+			// slower but not as restrictive as InnoDB.
+			// InnoDB full-text search does not support the use of a leading
+			// plus sign with wildcard ('+*'), a plus and minus sign
+			// combination ('+-'), or leading a plus and minus sign combination.
+			// InnoDB full-text search only supports leading plus or minus signs.
+			// For example, InnoDB supports '+apple' but does not support 'apple+'.
+			// Specifying a trailing plus or minus sign causes InnoDB to report
+			// a syntax error. InnoDB full-text search does not support the use
+			// of multiple operators on a single search word, as in this example:
+			// '++apple'. Use of multiple operators on a single search word
+			// returns a syntax error to standard out.
+			// Also, ensure that the wildcard character is only used at the
+			// end of the line as it's intended by MySQL.
+			if (preg_match('#^(\+[+-]|\+\*|.+[+-]$|.+\*(?!$))#', $word))
+			{
+				unset($this->split_words[$i]);
+				continue;
+			}
+
 			$clean_word = preg_replace('#^[+\-|"]#', '', $word);
 
 			// check word length

From 41df4d3c4c2d387a5382c132219115891d78ed60 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 18 Jun 2017 17:39:16 +0200
Subject: [PATCH 10/21] [ticket/security/208] Add form key to password reset
 form

SECURITY-208
---
 phpBB/includes/ucp/ucp_remind.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php
index 29d4199528..497bf6a2c4 100644
--- a/phpBB/includes/ucp/ucp_remind.php
+++ b/phpBB/includes/ucp/ucp_remind.php
@@ -41,8 +41,15 @@ class ucp_remind
 		$email		= strtolower(request_var('email', ''));
 		$submit		= (isset($_POST['submit'])) ? true : false;
 
+		add_form_key('ucp_remind');
+
 		if ($submit)
 		{
+			if (!check_form_key('ucp_remind'))
+			{
+				trigger_error('FORM_INVALID');
+			}
+
 			$sql_array = array(
 				'SELECT'	=> 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type, user_lang, user_inactive_reason',
 				'FROM'		=> array(USERS_TABLE => 'u'),

From b7ce395fbe6e2087a400487cb2431dc9ea66b8a9 Mon Sep 17 00:00:00 2001
From: lavigor <lavigor@users.noreply.github.com>
Date: Sat, 1 Jul 2017 22:59:25 +0300
Subject: [PATCH 11/21] [ticket/15259] Fatal error on SQLite/Oracle database
 update

PHPBB3-15259
---
 phpBB/phpbb/db/tools/tools.php | 36 +++++++++++++---------------------
 1 file changed, 14 insertions(+), 22 deletions(-)

diff --git a/phpBB/phpbb/db/tools/tools.php b/phpBB/phpbb/db/tools/tools.php
index 76036554d2..2f891e43d5 100644
--- a/phpBB/phpbb/db/tools/tools.php
+++ b/phpBB/phpbb/db/tools/tools.php
@@ -941,29 +941,19 @@ class tools implements tools_interface
 				continue;
 			}
 
-			// These DBMS prefix index name with the table name
 			switch ($this->sql_layer)
 			{
+				// These DBMS prefix index name with the table name
 				case 'oracle':
 				case 'sqlite3':
-					$index_name = $this->check_index_name_length($table_name, $table_name . '_' . $index_name, false);
-					$table_prefix = substr(CONFIG_TABLE, 0, -6); // strlen(config)
-
-					if (strpos($index_name , $table_name) === false)
-					{
-						if (strpos($index_name, $table_prefix) !== false)
-						{
-							$row[$col] = substr($row[$col], strlen($table_prefix) + 1);
-						}
-						else
-						{
-							$row[$col] = substr($row[$col], strlen($table_name) + 1);
-						}
-					}
+					$new_index_name = $this->check_index_name_length($table_name, $table_name . '_' . $index_name, false);
+				break;
+				default:
+					$new_index_name = $this->check_index_name_length($table_name, $index_name, false);
 				break;
 			}
 
-			if (strtolower($row[$col]) == strtolower($index_name))
+			if (strtolower($row[$col]) == strtolower($new_index_name))
 			{
 				$this->db->sql_freeresult($result);
 				return true;
@@ -1577,15 +1567,17 @@ class tools implements tools_interface
 			$table_prefix = substr(CONFIG_TABLE, 0, -6); // strlen(config)
 			if (strpos($index_name, $table_prefix) === 0)
 			{
-				$index_name = substr($index_name, strlen($table_prefix) + 1);
-				return $this->check_index_name_length($table_name, $index_name);
+				$index_name = substr($index_name, strlen($table_prefix));
+				return $this->check_index_name_length($table_name, $index_name, $throw_error);
 			}
 
-			// Try removing the table name then
-			if (strpos($index_name, $table_name) === 0)
+			// Try removing the remaining suffix part of table name then
+			$table_suffix = substr($table_name, strlen($table_prefix));
+			if (strpos($index_name, $table_suffix) === 0)
 			{
-				$index_name = substr($index_name, strlen($table_name) + 1);
-				return $this->check_index_name_length($table_name, $index_name);
+				// Remove the suffix and underscore separator between table_name and index_name
+				$index_name = substr($index_name, strlen($table_suffix) + 1);
+				return $this->check_index_name_length($table_name, $index_name, $throw_error);
 			}
 
 			if ($throw_error)

From 329e5c5e052588b0f22c9046b9fbc19c9e551c81 Mon Sep 17 00:00:00 2001
From: JoshyPHP <s9e.dev@gmail.com>
Date: Mon, 3 Jul 2017 16:06:50 +0200
Subject: [PATCH 12/21] [ticket/15261] Fix censoring HTML tags

PHPBB3-15261
---
 phpBB/composer.json                            |  2 +-
 phpBB/composer.lock                            | 18 ++++++++----------
 phpBB/phpbb/textformatter/s9e/renderer.php     |  6 ++----
 .../tickets_data/PHPBB3-15261.html             |  1 +
 .../tickets_data/PHPBB3-15261.txt              |  1 +
 .../tickets_data/PHPBB3-15261.xml              | 14 ++++++++++++++
 6 files changed, 27 insertions(+), 15 deletions(-)
 create mode 100644 tests/text_processing/tickets_data/PHPBB3-15261.html
 create mode 100644 tests/text_processing/tickets_data/PHPBB3-15261.txt
 create mode 100644 tests/text_processing/tickets_data/PHPBB3-15261.xml

diff --git a/phpBB/composer.json b/phpBB/composer.json
index 52217a7540..1b8de72710 100644
--- a/phpBB/composer.json
+++ b/phpBB/composer.json
@@ -33,7 +33,7 @@
 		"marc1706/fast-image-size": "^1.1",
 		"paragonie/random_compat": "^1.4",
 		"patchwork/utf8": "^1.1",
-		"s9e/text-formatter": "~0.9.0",
+		"s9e/text-formatter": "~0.10.0",
 		"symfony/config": "^2.8",
 		"symfony/console": "^2.8",
 		"symfony/debug": "^2.8",
diff --git a/phpBB/composer.lock b/phpBB/composer.lock
index 2cce1156f0..d460c6db58 100644
--- a/phpBB/composer.lock
+++ b/phpBB/composer.lock
@@ -4,8 +4,8 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "a66e58446c273c4b92f8e5f227180be8",
-    "content-hash": "d3646acce6058e89ebcf76debb7f72ea",
+    "hash": "3b947e5d38012be6ef86609c709c7b4b",
+    "content-hash": "447fa8ed870502dc3089b0a0ffa08ef0",
     "packages": [
         {
             "name": "bantu/ini-get-wrapper",
@@ -660,16 +660,16 @@
         },
         {
             "name": "s9e/text-formatter",
-            "version": "0.9.6",
+            "version": "0.10.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/s9e/TextFormatter.git",
-                "reference": "077c510109f3011dec68a5bcbaeb93a1f9138128"
+                "reference": "9380fd3d3e3289d7e966bab7769ca2aae5d23f67"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/s9e/TextFormatter/zipball/077c510109f3011dec68a5bcbaeb93a1f9138128",
-                "reference": "077c510109f3011dec68a5bcbaeb93a1f9138128",
+                "url": "https://api.github.com/repos/s9e/TextFormatter/zipball/9380fd3d3e3289d7e966bab7769ca2aae5d23f67",
+                "reference": "9380fd3d3e3289d7e966bab7769ca2aae5d23f67",
                 "shasum": ""
             },
             "require": {
@@ -721,7 +721,7 @@
                 "parser",
                 "shortcodes"
             ],
-            "time": "2017-05-10 19:37:30"
+            "time": "2017-07-03 13:55:54"
         },
         {
             "name": "symfony/config",
@@ -2825,9 +2825,7 @@
             "authors": [
                 {
                     "name": "Fabien Potencier",
-                    "email": "fabien@symfony.com",
-                    "homepage": "http://fabien.potencier.org",
-                    "role": "Lead Developer"
+                    "email": "fabien@symfony.com"
                 }
             ],
             "description": "Pimple is a simple Dependency Injection Container for PHP 5.3",
diff --git a/phpBB/phpbb/textformatter/s9e/renderer.php b/phpBB/phpbb/textformatter/s9e/renderer.php
index 9be20b7f53..6fcd2b0a98 100644
--- a/phpBB/phpbb/textformatter/s9e/renderer.php
+++ b/phpBB/phpbb/textformatter/s9e/renderer.php
@@ -247,14 +247,12 @@ class renderer implements \phpbb\textformatter\renderer_interface
 		$vars = array('renderer', 'xml');
 		extract($this->dispatcher->trigger_event('core.text_formatter_s9e_render_before', compact($vars)));
 
+		$html = $this->renderer->render($xml);
 		if (isset($this->censor) && $this->viewcensors)
 		{
-			// NOTE: censorHtml() is XML-safe
-			$xml = $this->censor->censorHtml($xml, true);
+			$html = $this->censor->censorHtml($html, true);
 		}
 
-		$html = $this->renderer->render($xml);
-
 		/**
 		* Modify a rendered text
 		*
diff --git a/tests/text_processing/tickets_data/PHPBB3-15261.html b/tests/text_processing/tickets_data/PHPBB3-15261.html
new file mode 100644
index 0000000000..b563052b47
--- /dev/null
+++ b/tests/text_processing/tickets_data/PHPBB3-15261.html
@@ -0,0 +1 @@
+foo **** baz
\ No newline at end of file
diff --git a/tests/text_processing/tickets_data/PHPBB3-15261.txt b/tests/text_processing/tickets_data/PHPBB3-15261.txt
new file mode 100644
index 0000000000..a8c4a05c10
--- /dev/null
+++ b/tests/text_processing/tickets_data/PHPBB3-15261.txt
@@ -0,0 +1 @@
+foo <bar> baz
\ No newline at end of file
diff --git a/tests/text_processing/tickets_data/PHPBB3-15261.xml b/tests/text_processing/tickets_data/PHPBB3-15261.xml
new file mode 100644
index 0000000000..c0d0f395a1
--- /dev/null
+++ b/tests/text_processing/tickets_data/PHPBB3-15261.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<dataset>
+	<table name="phpbb_words">
+		<column>word_id</column>
+		<column>word</column>
+		<column>replacement</column>
+
+		<row>
+			<value>1</value>
+			<value>&lt;*&gt;</value>
+			<value>****</value>
+		</row>
+	</table>
+</dataset>

From 24bde10028a1a7d8d479e2a381bec047485b4273 Mon Sep 17 00:00:00 2001
From: lavigor <lavigor@users.noreply.github.com>
Date: Thu, 6 Jul 2017 02:37:35 +0300
Subject: [PATCH 13/21] [ticket/15259] Fatal error on SQLite/Oracle database
 update

Add a test.

PHPBB3-15259
---
 tests/dbal/db_tools_test.php | 37 ++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/tests/dbal/db_tools_test.php b/tests/dbal/db_tools_test.php
index b884b4ab95..f9243e7266 100644
--- a/tests/dbal/db_tools_test.php
+++ b/tests/dbal/db_tools_test.php
@@ -421,4 +421,41 @@ class phpbb_dbal_db_tools_test extends phpbb_database_test_case
 		$this->assertTrue($this->tools->sql_column_add('prefix_table_name', 'c_bug_13282', array('TINT:2')));
 		$this->assertTrue($this->tools->sql_column_exists('prefix_table_name', 'c_bug_13282'));
 	}
+
+	public function test_create_index_with_long_name()
+	{
+		// This constant is being used for checking table prefix.
+		$table_prefix = substr(CONFIG_TABLE, 0, -6); // strlen(config)
+
+		if (strlen($table_prefix) > 20)
+		{
+			$this->markTestIncomplete('The table prefix length is too long for proper testing of index shortening function.');
+		}
+
+		$table_suffix = str_repeat('a', 25 - strlen($table_prefix));
+		$table_name = $table_prefix . $table_suffix;
+
+		$this->tools->sql_create_table($table_name, $this->table_data);
+
+		// Index name and table suffix and table prefix have > 30 chars in total.
+		// Index name and table suffix have <= 30 chars in total.
+		$long_index_name = str_repeat('i', 30 - strlen($table_suffix));
+		$this->assertFalse($this->tools->sql_index_exists($table_name, $long_index_name));
+		$this->assertTrue($this->tools->sql_create_index($table_name, $long_index_name, array('c_timestamp')));
+		$this->assertTrue($this->tools->sql_index_exists($table_name, $long_index_name));
+
+		// Index name and table suffix have > 30 chars in total.
+		$very_long_index_name = str_repeat('i', 30);
+		$this->assertFalse($this->tools->sql_index_exists($table_name, $very_long_index_name));
+		$this->assertTrue($this->tools->sql_create_index($table_name, $very_long_index_name, array('c_timestamp')));
+		$this->assertTrue($this->tools->sql_index_exists($table_name, $very_long_index_name));
+
+		$this->tools->sql_table_drop($table_name);
+
+		// Index name has > 30 chars - that should not be possible.
+		$too_long_index_name = str_repeat('i', 31);
+		$this->assertFalse($this->tools->sql_index_exists('prefix_table_name', $too_long_index_name));
+		$this->setExpectedTriggerError(E_USER_ERROR);
+		$this->tools->sql_create_index('prefix_table_name', $too_long_index_name, array('c_timestamp'));
+	}
 }

From a281d526dc6cf48011c1d9e04399848f7c0c08c2 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 9 Jul 2017 15:38:18 +0200
Subject: [PATCH 14/21] [ticket/security/210] Prevent using IP addresses or
 ports for remote avatar

SECURITY-210
---
 phpBB/phpbb/avatar/driver/remote.php |  7 ++--
 phpBB/phpbb/avatar/driver/upload.php | 10 ++++++
 tests/avatar/manager_test.php        | 52 ++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+), 2 deletions(-)

diff --git a/phpBB/phpbb/avatar/driver/remote.php b/phpBB/phpbb/avatar/driver/remote.php
index bec54897b2..32f450d6f0 100644
--- a/phpBB/phpbb/avatar/driver/remote.php
+++ b/phpBB/phpbb/avatar/driver/remote.php
@@ -85,8 +85,11 @@ class remote extends \phpbb\avatar\driver\driver
 		}
 
 		// Check if this url looks alright
-		// This isn't perfect, but it's what phpBB 3.0 did, and might as well make sure everything is compatible
-		if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url))
+		// Do not allow specifying the port (see RFC 3986) or IP addresses
+		if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url) ||
+			preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
+			preg_match('#(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
+			preg_match('#(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
 		{
 			$error[] = 'AVATAR_URL_INVALID';
 			return false;
diff --git a/phpBB/phpbb/avatar/driver/upload.php b/phpBB/phpbb/avatar/driver/upload.php
index cb8dfcad4f..abfe8a7f0f 100644
--- a/phpBB/phpbb/avatar/driver/upload.php
+++ b/phpBB/phpbb/avatar/driver/upload.php
@@ -134,6 +134,16 @@ class upload extends \phpbb\avatar\driver\driver
 				return false;
 			}
 
+			// Do not allow specifying the port (see RFC 3986) or IP addresses
+			// remote_upload() will do its own check for allowed filetypes
+			if (preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
+				preg_match('#(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
+				preg_match('#(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
+			{
+				$error[] = 'AVATAR_URL_INVALID';
+				return false;
+			}
+
 			$file = $upload->remote_upload($url, $this->mimetype_guesser);
 		}
 		else
diff --git a/tests/avatar/manager_test.php b/tests/avatar/manager_test.php
index 344eef38ff..8016d75dfb 100644
--- a/tests/avatar/manager_test.php
+++ b/tests/avatar/manager_test.php
@@ -372,4 +372,56 @@ class phpbb_avatar_manager_test extends \phpbb_database_test_case
 			'avatar_height'	=> 0,
 		), $row);
 	}
+
+	public function data_remote_avatar_url()
+	{
+		return array(
+			array('127.0.0.1:91?foo.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+			array(gethostbyname('secure.gravatar.com') . '/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80),
+			array('secure.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80),
+			array(gethostbyname('secure.gravatar.com') . ':120/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+			array('secure.gravatar.com:80/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+			array('secure.gravatar.com:80?55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+			array('secure.gravatar.com?55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')), // should be a 404
+		);
+	}
+
+	/**
+	 * @dataProvider data_remote_avatar_url
+	 */
+	public function test_remote_avatar_url($url, $width, $height, $expected_error = array())
+	{
+		global $phpbb_root_path, $phpEx;
+
+		if (!function_exists('get_preg_expression'))
+		{
+			require($phpbb_root_path . 'includes/functions.' . $phpEx);
+		}
+
+		$this->config['server_name'] = 'foobar.com';
+
+		/** @var \phpbb\avatar\driver\remote $remote_avatar */
+		$remote_avatar = $this->manager->get_driver('avatar.driver.remote', false);
+
+		$request = new phpbb_mock_request(array(), array(
+			'avatar_remote_url'		=> $url,
+			'avatar_remote_width'	=> $width,
+			'avatar_remote_height'	=> $height,
+		));
+
+		$user = new \phpbb\user('\phpbb\datetime');
+		$row = array();
+		$error = array();
+
+		$return = $remote_avatar->process_form($request, null, $user, $row, $error);
+		if (count($expected_error) > 0)
+		{
+			$this->assertFalse($return);
+		}
+		else
+		{
+			$this->assertNotEquals(false, $return);
+		}
+		$this->assertSame($expected_error, $error);
+	}
 }

From fa631947f15754a50379598d83cb237bbfac2cca Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Mon, 10 Jul 2017 21:17:52 +0200
Subject: [PATCH 15/21] [ticket/security/210] Adjust regex and add tests for
 IPv6

SECURITY-210
---
 phpBB/phpbb/avatar/driver/remote.php | 4 ++--
 phpBB/phpbb/avatar/driver/upload.php | 4 ++--
 tests/avatar/manager_test.php        | 5 ++++-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/phpBB/phpbb/avatar/driver/remote.php b/phpBB/phpbb/avatar/driver/remote.php
index 32f450d6f0..2811cc2389 100644
--- a/phpBB/phpbb/avatar/driver/remote.php
+++ b/phpBB/phpbb/avatar/driver/remote.php
@@ -88,8 +88,8 @@ class remote extends \phpbb\avatar\driver\driver
 		// Do not allow specifying the port (see RFC 3986) or IP addresses
 		if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url) ||
 			preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
-			preg_match('#(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
-			preg_match('#(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
+			preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
+			preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
 		{
 			$error[] = 'AVATAR_URL_INVALID';
 			return false;
diff --git a/phpBB/phpbb/avatar/driver/upload.php b/phpBB/phpbb/avatar/driver/upload.php
index abfe8a7f0f..0dae5607f6 100644
--- a/phpBB/phpbb/avatar/driver/upload.php
+++ b/phpBB/phpbb/avatar/driver/upload.php
@@ -137,8 +137,8 @@ class upload extends \phpbb\avatar\driver\driver
 			// Do not allow specifying the port (see RFC 3986) or IP addresses
 			// remote_upload() will do its own check for allowed filetypes
 			if (preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
-				preg_match('#(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
-				preg_match('#(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
+				preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
+				preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
 			{
 				$error[] = 'AVATAR_URL_INVALID';
 				return false;
diff --git a/tests/avatar/manager_test.php b/tests/avatar/manager_test.php
index 8016d75dfb..802e71939d 100644
--- a/tests/avatar/manager_test.php
+++ b/tests/avatar/manager_test.php
@@ -377,12 +377,15 @@ class phpbb_avatar_manager_test extends \phpbb_database_test_case
 	{
 		return array(
 			array('127.0.0.1:91?foo.jpg', 80, 80, array('AVATAR_URL_INVALID')),
-			array(gethostbyname('secure.gravatar.com') . '/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80),
+			array(gethostbyname('secure.gravatar.com') . '/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
 			array('secure.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80),
 			array(gethostbyname('secure.gravatar.com') . ':120/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
 			array('secure.gravatar.com:80/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
 			array('secure.gravatar.com:80?55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
 			array('secure.gravatar.com?55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')), // should be a 404
+			array('2001:db8:0:0:0:0:2:1/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+			array('secure.gravatar.com/2001:db8:0:0:0:0:2:1/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+			array('secure.gravatar.com/127.0.0.1:80/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
 		);
 	}
 

From 3df3cb87c5066b6913619c18f8f612677c3e6ec4 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 16 Jul 2017 11:54:37 +0200
Subject: [PATCH 16/21] [prep-release-3.1.11] Update version numbers to 3.1.11

---
 build/build.xml                       | 4 ++--
 phpBB/includes/constants.php          | 2 +-
 phpBB/install/schemas/schema_data.sql | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/build/build.xml b/build/build.xml
index 3a73e09410..20ecfefc61 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -2,9 +2,9 @@
 
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.1.11-RC1" />
+	<property name="newversion" value="3.1.11" />
 	<property name="prevversion" value="3.1.10" />
-	<property name="olderversions" value="3.0.14, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9" />
+	<property name="olderversions" value="3.0.14, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.11-RC1" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index 79f5a6f30f..a24ebaf9de 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-define('PHPBB_VERSION', '3.1.11-RC1');
+define('PHPBB_VERSION', '3.1.11');
 
 // QA-related
 // define('PHPBB_QA', 1);
diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql
index 22a539e186..1a62ea6f84 100644
--- a/phpBB/install/schemas/schema_data.sql
+++ b/phpBB/install/schemas/schema_data.sql
@@ -273,7 +273,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.1.11-RC1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.1.11');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
 

From 149375253685b3a38996f63015a74b7a0f53aa14 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 16 Jul 2017 12:18:50 +0200
Subject: [PATCH 17/21] [prep-release-3.1.11] Add migration for 3.1.11

---
 phpBB/phpbb/db/migration/data/v31x/v3111.php | 36 ++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 phpBB/phpbb/db/migration/data/v31x/v3111.php

diff --git a/phpBB/phpbb/db/migration/data/v31x/v3111.php b/phpBB/phpbb/db/migration/data/v31x/v3111.php
new file mode 100644
index 0000000000..f01bbc2bff
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/v3111.php
@@ -0,0 +1,36 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class v3111 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.1.11', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v31x\v3111rc1',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.1.11')),
+		);
+	}
+}

From 5b21903e66731d85e12632fe38651301a34a8240 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 16 Jul 2017 17:09:06 +0200
Subject: [PATCH 18/21] [ticket/security/210] Fix tests for 3.2.x

SECURITY-210
---
 tests/avatar/manager_test.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tests/avatar/manager_test.php b/tests/avatar/manager_test.php
index 3c872a7683..9e826a3a59 100644
--- a/tests/avatar/manager_test.php
+++ b/tests/avatar/manager_test.php
@@ -424,11 +424,10 @@ class phpbb_avatar_manager_test extends \phpbb_database_test_case
 			'avatar_remote_height'	=> $height,
 		));
 
-		$user = new \phpbb\user('\phpbb\datetime');
 		$row = array();
 		$error = array();
 
-		$return = $remote_avatar->process_form($request, null, $user, $row, $error);
+		$return = $remote_avatar->process_form($request, null, $this->user, $row, $error);
 		if (count($expected_error) > 0)
 		{
 			$this->assertFalse($return);

From 0e505c6fc7f0a5440eaeaf43f493077b02356b02 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 16 Jul 2017 17:10:46 +0200
Subject: [PATCH 19/21] [prep-release-3.2.1] Update versions for 3.2.1

---
 build/build.xml                       | 4 ++--
 phpBB/includes/constants.php          | 2 +-
 phpBB/install/schemas/schema_data.sql | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/build/build.xml b/build/build.xml
index 01698bf027..bca4cc0ca1 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -2,9 +2,9 @@
 
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.2.1-RC1" />
+	<property name="newversion" value="3.2.1" />
 	<property name="prevversion" value="3.2.0" />
-	<property name="olderversions" value="3.0.14, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11-RC1, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2" />
+	<property name="olderversions" value="3.0.14, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.1-RC1" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index c5e04802fc..6ad0dcb4b8 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-@define('PHPBB_VERSION', '3.2.1-RC1');
+@define('PHPBB_VERSION', '3.2.1');
 
 // QA-related
 // define('PHPBB_QA', 1);
diff --git a/phpBB/install/schemas/schema_data.sql b/phpBB/install/schemas/schema_data.sql
index b862a77260..a6514cfde8 100644
--- a/phpBB/install/schemas/schema_data.sql
+++ b/phpBB/install/schemas/schema_data.sql
@@ -279,7 +279,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.1-RC1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
 

From 4b733426698760801ff2b8ce3ce077c16732d4ef Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 16 Jul 2017 17:12:01 +0200
Subject: [PATCH 20/21] [prep-release-3.2.1] Add migration for 3.2.1

---
 phpBB/phpbb/db/migration/data/v32x/v321.php | 37 +++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 phpBB/phpbb/db/migration/data/v32x/v321.php

diff --git a/phpBB/phpbb/db/migration/data/v32x/v321.php b/phpBB/phpbb/db/migration/data/v32x/v321.php
new file mode 100644
index 0000000000..268f978b4b
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v32x/v321.php
@@ -0,0 +1,37 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v321 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.1', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v321rc1',
+		);
+
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.1')),
+		);
+	}
+}

From 5216bf44838f8395d27b3df4ec1641a6407cb466 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 16 Jul 2017 20:07:13 +0200
Subject: [PATCH 21/21] [prep-release-3.2.1] Add missing .htaccess file

---
 phpBB/phpbb/db/migration/data/v32x/.htaccess | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 phpBB/phpbb/db/migration/data/v32x/.htaccess

diff --git a/phpBB/phpbb/db/migration/data/v32x/.htaccess b/phpBB/phpbb/db/migration/data/v32x/.htaccess
new file mode 100644
index 0000000000..44242b5418
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v32x/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>