From 832a87b924c464579d751b550432347aec6aeff3 Mon Sep 17 00:00:00 2001
From: rxu
Date: Wed, 19 Oct 2016 00:36:07 +0700
Subject: [PATCH 1/8] [ticket/14830] Fix FORM_INVALID error during AXP search index creation/deletion
PHPBB3-14830
---
 phpBB/includes/acp/acp_search.php | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php
index f15a75e9a1..3bb67e3527 100644
--- a/phpBB/includes/acp/acp_search.php
+++ b/phpBB/includes/acp/acp_search.php
@@ -253,10 +253,7 @@ class acp_search
 }
 $submit = $request->is_set_post('submit', false);
- $form_key = 'acp_search';
- add_form_key($form_key);
-
- if (!check_form_key($form_key) && in_array($action, array('delete', 'create')))
+ if (!check_link_hash($request->variable('hash', ''), 'acp_search'))
 {
 trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
@@ -355,7 +352,7 @@ class acp_search
 $mtime = explode(' ', microtime());
 $totaltime = $mtime[0] + $mtime[1] - $starttime;
 $rows_per_second = $row_count / $totaltime;
- meta_refresh(1, append_sid($this->u_action . '&action=delete&skip_rows=' . $post_counter));
+ meta_refresh(1, append_sid($this->u_action . '&action=delete&skip_rows=' . $post_counter . '&hash=' . generate_link_hash('acp_search')));
 trigger_error($user->lang('SEARCH_INDEX_DELETE_REDIRECT', (int) $row_count, $post_counter, $rows_per_second));
 }
 }
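Review bot: The create/delete guard at -253 (patch 1/8) now trusts a `hash` value read from the query string in place of the posted form token, and the same value is written into the meta_refresh URLs (-355, -445) and the template links (-524, -533). A token carried in the URL ends up in browser history, proxy and web-server logs and possibly Referer headers, and the index deletion it protects becomes reachable by a plain GET. Whether the link hash expires or rotates is not visible in this patch, while the form token it replaces travelled with a `creation_time` field (see tests/functional/search/base.php), so the two should not be assumed equivalent. Assuming the first request is the form POST, consider keeping `add_form_key($form_key)` and accepting the hash only on the continuation redirects: `if (in_array($action, array('create', 'delete')) && !($submit ? check_form_key($form_key) : check_link_hash($request->variable('hash', ''), 'acp_search')))`. The enclosing method starts outside the hunk, so the full request flow should be confirmed against the file.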
@@ -445,7 +442,7 @@ class acp_search
 $mtime = explode(' ', microtime());
 $totaltime = $mtime[0] + $mtime[1] - $starttime;
 $rows_per_second = $row_count / $totaltime;
- meta_refresh(1, append_sid($this->u_action . '&action=create&skip_rows=' . $post_counter));
+ meta_refresh(1, append_sid($this->u_action . '&action=create&skip_rows=' . $post_counter . '&hash=' . generate_link_hash('acp_search')));
 trigger_error($user->lang('SEARCH_INDEX_CREATE_REDIRECT', (int) $row_count, $post_counter) . $user->lang('SEARCH_INDEX_CREATE_REDIRECT_RATE', $rows_per_second));
 }
 }
@@ -524,7 +521,7 @@ class acp_search
 $template->assign_vars(array(
 'S_INDEX' => true,
- 'U_ACTION' => $this->u_action,
+ 'U_ACTION' => $this->u_action . '&hash=' . generate_link_hash('acp_search'),
 'U_PROGRESS_BAR' => append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=progress_bar"),
 'UA_PROGRESS_BAR' => addslashes(append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=progress_bar")),
 ));
@@ -533,7 +530,7 @@ class acp_search
 {
 $template->assign_vars(array(
 'S_CONTINUE_INDEXING' => $this->state[1],
- 'U_CONTINUE_INDEXING' => $this->u_action . '&action=' . $this->state[1],
+ 'U_CONTINUE_INDEXING' => $this->u_action . '&action=' . $this->state[1] . '&hash=' . generate_link_hash('acp_search'),
 'L_CONTINUE' => ($this->state[1] == 'create') ? $user->lang['CONTINUE_INDEXING'] : $user->lang['CONTINUE_DELETING_INDEX'],
 'L_CONTINUE_EXPLAIN' => ($this->state[1] == 'create') ? $user->lang['CONTINUE_INDEXING_EXPLAIN'] : $user->lang['CONTINUE_DELETING_INDEX_EXPLAIN'])
 );
From 8e54c9ef8b44dce40402f191e50a431dd695eef0 Mon Sep 17 00:00:00 2001
From: rxu
Date: Wed, 19 Oct 2016 02:19:12 +0700
Subject: [PATCH 2/8] [ticket/14830] Fix link hash checking case
PHPBB3-14830
---
 phpBB/includes/acp/acp_search.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php
index 3bb67e3527..69ae442fc7 100644
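Review bot: The suffix `'&hash=' . generate_link_hash('acp_search')` is spelled out at every URL patch 1/8 touches (-355, -445, -524, -533), with the link name repeated as a string literal each time. A URL added later without it, or a typo in one literal, only shows up at run time as a FORM_INVALID page. Build the suffix once, for example `$hash_param = '&hash=' . generate_link_hash('acp_search');`, or wrap it in a small private method of acp_search, and append that at each site. The enclosing methods start and end outside these hunks, so whether one local variable can serve all sites needs checking against the file.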
--- a/phpBB/includes/acp/acp_search.php
+++ b/phpBB/includes/acp/acp_search.php
@@ -253,7 +253,7 @@ class acp_search
 }
 $submit = $request->is_set_post('submit', false);
- if (!check_link_hash($request->variable('hash', ''), 'acp_search'))
+ if (!check_link_hash($request->variable('hash', ''), 'acp_search') && in_array($action, array('create', 'delete')))
 {
 trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
From eca10dc08f157f27b9a399a132dce7b5fca7c927 Mon Sep 17 00:00:00 2001
From: rxu
Date: Thu, 20 Oct 2016 00:54:45 +0700
Subject: [PATCH 3/8] [ticket/14830] Fix FORM_INVALID error on search backend changing
PHPBB3-14830
---
 phpBB/includes/acp/acp_search.php | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php
index 69ae442fc7..3a77141d98 100644
--- a/phpBB/includes/acp/acp_search.php
+++ b/phpBB/includes/acp/acp_search.php
@@ -50,14 +50,12 @@ class acp_search
 function settings($id, $mode)
 {
- global $db, $user, $auth, $template, $cache;
+ global $db, $user, $auth, $template, $cache, $request;
 global $config, $phpbb_root_path, $phpbb_admin_path, $phpEx;
 $submit = (isset($_POST['submit'])) ? true : false;
- $form_key = 'acp_search';
- add_form_key($form_key);
- if ($submit && !check_form_key($form_key))
+ if ($submit && !check_link_hash($request->variable('hash', ''), 'acp_search'))
 {
 trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
@@ -233,7 +231,7 @@ class acp_search
 'S_YES_SEARCH' => (bool) $config['load_search'],
 'S_SETTINGS' => true,
- 'U_ACTION' => $this->u_action)
+ 'U_ACTION' => $this->u_action . '&hash=' . generate_link_hash('acp_search'))
 );
 }
From 244ff0f969f197c7e816604185ede8ea6f892d9b Mon Sep 17 00:00:00 2001
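Review bot: In patch 2/8 the hash is enforced at -253 only when `$action` is one of two listed values, so the guard fails open: any other state-changing action this method handles, now or later, runs without a token check. The method body is outside the hunk, so which actions exist cannot be confirmed from here; if the remaining ones are read-only (the earlier hunks show `progress_bar`), it is safer to list those as the exemptions and require the hash for everything else. Passing `true` as the third argument, `in_array($action, array('create', 'delete'), true)`, also keeps the comparison strict.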
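Review bot: settings() in patch 3/8 (-50) drops `add_form_key()`/`check_form_key()` for an ordinary POST form and validates a `hash` parameter appended to `U_ACTION` (-233) instead. Unlike the index redirects, nothing in this hunk shows a GET continuation that would need a URL-borne token, so the settings save appears to give up the body token without a functional reason; the value now sits in the form's action URL and, as far as this patch shows, carries no lifetime. Consider keeping the form-token check for this form and reserving the link hash for the redirect chain. Since `$request` is now in scope, the superglobal read can also follow the other method's style: `$submit = $request->is_set_post('submit');`. The body of settings() continues outside the hunk.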
From: rxu
Date: Thu, 20 Oct 2016 01:11:14 +0700
Subject: [PATCH 4/8] [ticket/14830] Fix ACP search control functional tests
PHPBB3-14830
---
 tests/functional/search/base.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/functional/search/base.php b/tests/functional/search/base.php
index d41e3ec925..7c201169df 100644
--- a/tests/functional/search/base.php
+++ b/tests/functional/search/base.php
@@ -38,7 +38,7 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
 $post = $this->create_topic(2, 'Test Topic 1 foosubject', 'This is a test topic posted by the barsearch testing framework.');
- $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=settings&sid=' . $this->sid);
+ $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=settings&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'));
 $form = $crawler->selectButton('Submit')->form();
 $values = $form->getValues();
@@ -75,11 +75,11 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
 protected function create_search_index()
 {
 $this->add_lang('acp/search');
- $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);
+ $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'));
 $form_values = $crawler->selectButton('Delete index')->form()->getValues();
 $crawler = self::request(
 'POST',
- 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid,
+ 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'),
 array(
 'search_type' => $this->search_backend,
 'action' => 'create',
@@ -94,11 +94,11 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
 protected function delete_search_index()
 {
 $this->add_lang('acp/search');
- $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);
+ $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'));
 $form_values = $crawler->selectButton('Delete index')->form()->getValues();
 $crawler = self::request(
 'POST',
- 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid,
+ 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'),
 array(
 'search_type' => $this->search_backend,
 'action' => 'delete',
From 8afa9fdf28cec82b8d68ad40b90bc5cc2d214f78 Mon Sep 17 00:00:00 2001
From: rxu
Date: Thu, 20 Oct 2016 01:31:15 +0700
Subject: [PATCH 5/8] =?UTF-8?q?[ticket/14830]=20Fix=20FORM=5FINVALID=20err?= =?UTF-8?q?or=20during=20A=D0=A1P=20search=20index=20deletion?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PHPBB3-14830
---
 phpBB/includes/acp/acp_search.php | 2 +-
 tests/functional/search/base.php | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php
index 3a77141d98..cc1e5df084 100644
--- a/phpBB/includes/acp/acp_search.php
+++ b/phpBB/includes/acp/acp_search.php
@@ -305,7 +305,7 @@ class acp_search
 if (method_exists($this->search, 'delete_index'))
 {
 // pass a reference to myself so the $search object can make use of save_state() and attributes
- if ($error = $this->search->delete_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=delete", false)))
+ if ($error = $this->search->delete_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=delete&hash=" . generate_link_hash('acp_search'), false)))
 {
 $this->state = array('');
 $this->save_state();
diff --git a/tests/functional/search/base.php b/tests/functional/search/base.php
index 7c201169df..9b80407b5d 100644
--- a/tests/functional/search/base.php
+++ b/tests/functional/search/base.php
@@ -38,7 +38,7 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
 $post = $this->create_topic(2, 'Test Topic 1 foosubject', 'This is a test topic posted by the barsearch testing framework.');
- $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=settings&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'));
+ $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=settings&sid=' . $this->sid);
 $form = $crawler->selectButton('Submit')->form();
 $values = $form->getValues();
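Review bot: Only the continuation URL handed to `delete_index()` at -305 in acp_search.php (patch 5/8) gains the `hash` parameter. The guard added earlier in this series checks both `create` and `delete`, so if the creation branch passes a similar URL to the backend's `create_index()` (that call is not in the hunk), a backend-driven redirect there would presumably still fail with FORM_INVALID. Worth checking that call and giving it the same query string, `"i=$id&mode=$mode&action=create&hash=" . generate_link_hash('acp_search')`. The surrounding method starts and ends outside the hunk.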
@@ -75,11 +75,11 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
 protected function create_search_index()
 {
 $this->add_lang('acp/search');
- $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'));
- $form_values = $crawler->selectButton('Delete index')->form()->getValues();
+ $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);
+ $form_values = $crawler->selectButton('Create index')->form()->getValues();
 $crawler = self::request(
 'POST',
- 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'),
+ 'adm/index.php?i=acp_search&mode=index&hash=' . generate_link_hash('acp_search') . '&sid=' . $this->sid,
 array(
 'search_type' => $this->search_backend,
 'action' => 'create',
@@ -94,11 +94,11 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
 protected function delete_search_index()
 {
 $this->add_lang('acp/search');
- $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'));
+ $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);
 $form_values = $crawler->selectButton('Delete index')->form()->getValues();
 $crawler = self::request(
 'POST',
- 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid . '&hash=' . generate_link_hash('acp_search'),
+ 'adm/index.php?i=acp_search&mode=index&hash=' . generate_link_hash('acp_search') . '&sid=' . $this->sid,
 array(
 'search_type' => $this->search_backend,
 'action' => 'delete',
From cefbd39b82a3e6e425414744ae39fdc1a6e67504 Mon Sep 17 00:00:00 2001
From: rxu
Date: Mon, 24 Oct 2016 01:38:27 +0700
Subject: [PATCH 6/8] [ticket/14830] Fix tests
PHPBB3-14830
---
 tests/functional/search/base.php | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/tests/functional/search/base.php b/tests/functional/search/base.php
index 9b80407b5d..f1e9b517d4 100644
--- a/tests/functional/search/base.php
+++ b/tests/functional/search/base.php
@@ -76,18 +76,16 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
 {
 $this->add_lang('acp/search');
 $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);
- $form_values = $crawler->selectButton('Create index')->form()->getValues();
- $crawler = self::request(
- 'POST',
- 'adm/index.php?i=acp_search&mode=index&hash=' . generate_link_hash('acp_search') . '&sid=' . $this->sid,
+ $form = $crawler->selectButton('Create index')->form();
+ $form_values = $form->getValues();
+ $form_values = array_merge($form_values,
 array(
 'search_type' => $this->search_backend,
 'action' => 'create',
- 'submit' => true,
- 'form_token' => $form_values['form_token'],
- 'creation_time' => $form_values['creation_time'],
 )
 );
+ $form->setValues($form_values);
+ $crawler = self::submit($form);
 $this->assertContainsLang('SEARCH_INDEX_CREATED', $crawler->text());
 }
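Review bot: Both rewritten helpers in patch 6/8 (-76 here and -95 in the next hunk) exercise only the accepted path, where the submitted form's own action URL already carries the hash. Nothing in the suite asserts that a create or delete request with a missing or wrong `hash` is refused, which is the behaviour this series changes. Add a case that posts `action=delete` to `adm/index.php?i=acp_search&mode=index&sid=...` without the parameter and checks the response, e.g. `$this->assertContainsLang('FORM_INVALID', $crawler->text());`. How the test harness treats the E_USER_WARNING page is not visible here, so the request helper may need its response assertions relaxed for that call.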
@@ -95,18 +93,16 @@ abstract class phpbb_functional_search_base extends phpbb_functional_test_case
 {
 $this->add_lang('acp/search');
 $crawler = self::request('GET', 'adm/index.php?i=acp_search&mode=index&sid=' . $this->sid);
- $form_values = $crawler->selectButton('Delete index')->form()->getValues();
- $crawler = self::request(
- 'POST',
- 'adm/index.php?i=acp_search&mode=index&hash=' . generate_link_hash('acp_search') . '&sid=' . $this->sid,
+ $form = $crawler->selectButton('Delete index')->form();
+ $form_values = $form->getValues();
+ $form_values = array_merge($form_values,
 array(
 'search_type' => $this->search_backend,
 'action' => 'delete',
- 'submit' => true,
- 'form_token' => $form_values['form_token'],
- 'creation_time' => $form_values['creation_time'],
 )
 );
+ $form->setValues($form_values);
+ $crawler = self::submit($form);
 $this->assertContainsLang('SEARCH_INDEX_REMOVED', $crawler->text());
 }
 }
From a41b16d06ad6c4fe555d72165aca7b3e53b2a011 Mon Sep 17 00:00:00 2001
From: rxu
Date: Mon, 24 Oct 2016 23:22:00 +0700
Subject: [PATCH 7/8] [ticket/14830] Fix FORM_INVALID error on cpf settings changing
PHPBB3-14830
---
 phpBB/includes/acp/acp_profile.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/includes/acp/acp_profile.php b/phpBB/includes/acp/acp_profile.php
index 485f849f51..f796900bf0 100644
--- a/phpBB/includes/acp/acp_profile.php
+++ b/phpBB/includes/acp/acp_profile.php
@@ -597,7 +597,7 @@ class acp_profile
 if (!sizeof($error))
 {
- if (!check_form_key($form_key))
+ if (($submit || $save) && !check_form_key($form_key))
 {
 trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
From 466bdee8e6652ae5594b503b264ea075204e48b6 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Sat, 15 Oct 2016 12:49:51 +0200
Subject: [PATCH 8/8] [ticket/14823] Move check_form_key() inside actual save data step
PHPBB3-14823
---
 phpBB/includes/acp/acp_profile.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/phpBB/includes/acp/acp_profile.php b/phpBB/includes/acp/acp_profile.php
index f796900bf0..2012d3c513 100644
--- a/phpBB/includes/acp/acp_profile.php
+++ b/phpBB/includes/acp/acp_profile.php
@@ -597,13 +597,13 @@ class acp_profile
 if (!sizeof($error))
 {
- if (($submit || $save) && !check_form_key($form_key))
- {
- trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
- }
-
 if (($step == 3 && (sizeof($this->lang_defs['iso']) == 1 || $save)) || ($action == 'edit' && $save))
 {
+ if (!check_form_key($form_key))
+ {
+ trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+ }
+
 $this->save_profile_field($cp, $field_type, $action);
 }
 }
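Review bot: The moved `check_form_key($form_key)` at -597 has no comment explaining why the token is validated only in the branch that calls `save_profile_field()`, and the previous patch in this series shows how easily the condition around it gets rewritten. A short why-comment above the check would pin the intent, for example `// Validate the form token only at the step that persists the field; earlier steps do not save anything.` The second half of that comment is an assumption: the code before this branch is outside the hunk, so confirm that no earlier step writes state before relying on it.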