Merge branch 'prep-release-3.0.8' into develop-olympus

* prep-release-3.0.8: [prep-release-3.0.8] Incrementing version number to 3.0.8 and update changelog [ticket/9903] Script for detecting potentially malicious flash bbcodes [ticket/9904] Update WebPI Parameters.xml to work with WebMatrix. [ticket/9903] Fix XSS in BBcode-parser's Flash-BBcode. Conflicts: phpBB/includes/constants.php phpBB/install/database_update.php phpBB/install/schemas/schema_data.sql
2025-02-24 12:03:21 +01:00 · 2010-11-20 17:55:56 +01:00 · 2010-11-20 17:55:56 +01:00 · d2778e67ea
commit d2778e67ea
parent fbca4e9c7b af4c2a3eb1
7 changed files with 266 additions and 46 deletions
--- a/build/build.xml
+++ b/build/build.xml
@ -2,9 +2,9 @@

 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.0.8-RC1" />
-	<property name="prevversion" value="3.0.7-PL1" />
-	<property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6" />
+	<property name="newversion" value="3.0.8" />
+	<property name="prevversion" value="3.0.8-RC1" />
+	<property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7-PL1" />
 	<!-- no configuration should be needed beyond this point -->

 	<property name="oldversions" value="${olderversions}, ${prevversion}" />
--- a/build/webpi/parameters.xml
+++ b/build/webpi/parameters.xml
@ -9,7 +9,7 @@
 			scope="iisapp"
 			match="phpBB3" />
 	</parameter>
-	
+	<!--ACLs-->
 	<parameter
 		name="aclCache"
 		description="Sets the ACL on the cache/ folder"
@ -19,7 +19,7 @@
 		<parameterEntry
 			type="ProviderPath"
 			scope="setAcl"
-			match="phpBB3/cache" />
+			match="phpBB3/cache$" />
 	</parameter>

 	<parameter
@ -31,7 +31,7 @@
 		<parameterEntry
 			type="ProviderPath"
 			scope="setAcl"
-			match="phpBB3/files" />
+			match="phpBB3/files$" />
 	</parameter>

 	<parameter
@ -43,7 +43,7 @@
 		<parameterEntry
 			type="ProviderPath"
 			scope="setAcl"
-			match="phpBB3/store" />
+			match="phpBB3/store$" />
 	</parameter>

 	<parameter
@ -55,7 +55,7 @@
 		<parameterEntry
 			type="ProviderPath"
 			scope="setAcl"
-			match="phpBB3/images/avatars/upload" />
+			match="phpBB3/images/avatars/upload$" />
 	</parameter>

 	<parameter
@ -67,43 +67,44 @@
 		<parameterEntry
 			type="ProviderPath"
 			scope="setAcl"
-			match="phpBB3/config.php" />
+			match="phpBB3/config.php$" />
+	</parameter>
+
+	<!-- SQL parameters -->
+	<parameter  name="SQL Database Server"  description="Enter the database server (usually machine name ) "  defaultValue="."  tags="SQL">
+	</parameter>
+
+	<parameter name="SQL DatabaseServer Instance" description="Enter the database instance name" defaultValue="SQLExpress" tags="SQL">
+	</parameter>
+	<!-- Read database server from config.php . Update 'dbhost' in config.php on publish -->
+	<parameter name="SQL Automatic DatabaseServer" defaultValue="dbhost = '{SQL Database Server}\\{SQL DatabaseServer Instance}';" tags="Hidden,SQL">
+		<parameterEntry kind="TextFile" scope="\\config\.php$" match="dbhost\s*=\s*'([^']*)'\s*;" />
+	</parameter>
+	<parameter
+		name="SQL DatabaseName" description="Database name for your application." defaultValue="phpbb" tags="SQL, dbName">
+
+		<parameterEntry type="TextFile" scope="install/mssql.sql" match="PlaceHolderForDb" />   
+	</parameter>
+	<!-- Read database name from config.php . Update 'dbname' in config.php on publish -->
+	<parameter name="SQL Automatic DatabaseName" defaultValue="dbname = '{SQL DatabaseName}';" tags="Hidden,SQL">
+		<parameterEntry kind="TextFile" scope="\\config\.php$" match="dbname\s*=\s*'([^']*)'\s*;" />
 	</parameter>
  
 	<parameter
-		name="DatabaseServer"
-		description="Enter the database server"
-		defaultValue=".\SQLExpress"
-		tags="SQL, dbServer" >
-	</parameter>
-
-	<parameter
-		name="DatabaseName"
-		description="Database name for your application."
-		defaultValue="phpbb"
-		tags="SQL, dbName">
-
-		<parameterEntry
-			type="TextFile"
-			scope="install/mssql.sql"
-			match="PlaceHolderForDb" />  
-	</parameter>
-  
-	<parameter
-		name="DatabaseAdministrator"
+		name="SQL DatabaseAdministrator"
 		description="Database server administartor username."
 		defaultValue="sa"
 		tags="SQL, DbAdminUsername" >
 	</parameter>

 	<parameter
-		name="DatabaseAdministratorPassword"
+		name="SQL DatabaseAdministratorPassword"
 		description="Database server administrator password."
 		tags="Password,SQL,DbAdminPassword">
 	</parameter>

 	<parameter
-		name="Database Username"
+		name="SQL Database Username"
 		description="Username to access your database."
 		defaultValue="phpbb"
 		tags="SQL, DbUsername">
@ -113,9 +114,13 @@
 			scope="install/mssql.sql"
 			match="PlaceHolderForUser" />
 	</parameter>
+	<!-- Read database user from config.php . Update 'dbuser' in config.php on publish -->
+	<parameter name="SQL Automatic Database User" defaultValue="dbuser = '{SQL Database Username}';" tags="Hidden,SQL">
+		<parameterEntry kind="TextFile" scope="\\config\.php$" match="dbuser\s*=\s*'([^']*)'\s*;" />
+	</parameter>
  
 	<parameter
-		name="Database Password"
+		name="SQL Database Password"
 		description="Password for your phpBB database. (Must be at least 8 characters, contain at least one lower case letter, one upper case letter and one digit)"
 		tags="New, Password,SQL,  DbUserPassword">

@ -129,10 +134,16 @@
 			match="PlaceHolderForPassword" />
 	</parameter>

+	<!-- Read database user password from config.php . Update 'dbpasswd' in config.php on publish -->
+	<parameter name="SQL Automatic Database Password" defaultValue="dbpasswd = '{SQL Database Password}';" tags="Hidden,SQL">
+		<parameterEntry kind="TextFile" scope="\\config\.php$" match="dbpasswd\s*=\s*'([^']*)'\s*;" />
+	</parameter>
+
+	<!-- SQL Connection string -->
 	<parameter
-		name="ConnectionString"
+		name="SQL ConnectionString"
 		description="Automatically sets the connection string for the connection request."
-		defaultValue="Server={DatabaseServer};Database={DatabaseName};uid={DatabaseAdministrator};Pwd={DatabaseAdministratorPassword};"
+		defaultValue="Server={SQL Database Server}\{SQL DatabaseServer Instance};Database={SQL DatabaseName};uid={SQL DatabaseAdministrator};Pwd={SQL DatabaseAdministratorPassword};"
 		tags="Hidden,SQLConnectionString,Validate">

 		<parameterEntry
@ -148,6 +159,7 @@
 		tags="SQL,Hidden">
 	</parameter>

+	<!-- MYSQL parameters -->
 	<parameter
 		name="MySQL Database Server"
 		description="Enter the hostname"
@ -160,8 +172,13 @@
 			match="PlaceHolderForServer" />
 	</parameter>

+	<!-- Read database server from config.php . Update 'dbhost' in config.php on publish -->
+	<parameter name="Automatic MySQL DatabaseServer" defaultValue="dbhost = '{MySQL Database Server}';" tags="Hidden,MySQL">
+		<parameterEntry kind="TextFile" scope="\\config\.php$" match="dbhost\s*=\s*'([^']*)'\s*;" />
+	</parameter>
+  
 	<parameter
-		name="Application Database Name"
+		name="MySQL Database Name"
 		description="Database Name for your application."
 		defaultValue="phpbb"
 		tags="MySQL, dbName">
@ -171,22 +188,13 @@
 			scope="install/mysql.sql"
 			match="PlaceHolderForDb"  />
 	</parameter>
-
-	<parameter
-		name="MySQL Database Administrator"
-		description="Database administrator username."
-		defaultValue="root"
-		tags="MySQL, DbAdminUsername" >
+	<!-- Read database name from config.php . Update 'dbname' in config.php on publish -->
+	<parameter name="Automatic MySQL Database Name" defaultValue="dbname = '{MySQL Database Name}';" tags="Hidden,MySQL">
+		<parameterEntry kind="TextFile" scope="\\config\.php$" match="dbname\s*=\s*'([^']*)'\s*;" />
 	</parameter>

 	<parameter
-		name="MySQL Database Administrator Password"
-		description="Database administrator password."
-		tags="Password,MySQL,DbAdminPassword" >
-	</parameter>
-
-	<parameter
-		name="phpBB Database Username"
+		name="MySQL Database Username"
 		description="Username to access your phpBB database."
 		defaultValue="phpbb"
 		tags="MySQL, DbUsername">
@ -196,6 +204,10 @@
 			scope="install/mysql.sql"
 			match="PlaceHolderForUser" />
 	</parameter>
+	<!-- Read database user from config.php . Update 'dbuser' in config.php on publish -->
+	<parameter name="Automatic MySQL Database User" defaultValue="dbuser = '{MySQL Database Username}';" tags="Hidden,MySQL">
+		<parameterEntry kind="TextFile" scope="\\config\.php$" match="dbuser\s*=\s*'([^']*)'\s*;" />
+	</parameter>

 	<parameter
 		name="MySQL Database Password"
@ -211,11 +223,29 @@
 			scope="install/mysql.sql"
 			match="PlaceHolderForPassword" />
 		</parameter>
+		<!-- Read database password from config.php . Update 'dbpasswd' in config.php on publish -->
+		<parameter name="MySQL Automatic Database Password" defaultValue="dbpasswd = '{MySQL Database Password}';" tags="Hidden,MySQL">
+			<parameterEntry kind="TextFile" scope="\\config\.php$" match="dbpasswd\s*=\s*'([^']*)'\s*;" />
+		</parameter>

+	<!-- MySQL admin credentials -->
+	<parameter
+		name="MySQL Database Administrator"
+		description="Database administrator username."
+		defaultValue="root"
+		tags="MySQL, DbAdminUsername" >
+	</parameter>
+	<parameter
+		name="MySQL Database Administrator Password"
+		description="Database administrator password."
+		tags="Password,MySQL,DbAdminPassword" >
+	</parameter>
+
+	<!-- MySQL Connectionstring -->
 	<parameter
 		name="MySQLConnectionString"
 		description="Automatically sets the connection string for the connection request."
-		defaultValue="Server={MySQL Database Server};Database={Application Database Name};uid={MySQL Database Administrator};Pwd={MySQL Database Administrator Password};"
+		defaultValue="Server={MySQL Database Server};Database={MySQL Database Name};uid={MySQL Database Administrator};Pwd={MySQL Database Administrator Password};"
 		tags="Hidden,MySQLConnectionString,Validate">

 		<parameterEntry
--- a/phpBB/develop/check_flash_bbcodes.php
+++ b/phpBB/develop/check_flash_bbcodes.php
@ -0,0 +1,163 @@
+<?php
+/**
+*
+* @package phpBB3
+* @version $Id$
+* @copyright (c) 2009, 2010 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+/**
+* This script will check your database for potentially dangerous flash BBCode tags
+*/
+
+//
+// Security message:
+//
+// This script is potentially dangerous.
+// Remove or comment the next line (die(".... ) to enable this script.
+// Do NOT FORGET to either remove this script or disable it after you have used it.
+//
+die("Please read the first lines of this script for instructions on how to enable it\n");
+
+/**
+*/
+define('IN_PHPBB', true);
+$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
+$phpEx = substr(strrchr(__FILE__, '.'), 1);
+include($phpbb_root_path . 'common.' . $phpEx);
+
+if (php_sapi_name() != 'cli')
+{
+	header('Content-Type: text/plain');
+}
+
+check_table_flash_bbcodes(POSTS_TABLE, 'post_id', 'post_text', 'bbcode_uid', 'bbcode_bitfield');
+check_table_flash_bbcodes(PRIVMSGS_TABLE, 'msg_id', 'message_text', 'bbcode_uid', 'bbcode_bitfield');
+check_table_flash_bbcodes(USERS_TABLE, 'user_id', 'user_sig', 'user_sig_bbcode_uid', 'user_sig_bbcode_bitfield');
+check_table_flash_bbcodes(FORUMS_TABLE, 'forum_id', 'forum_desc', 'forum_desc_uid', 'forum_desc_bitfield');
+check_table_flash_bbcodes(FORUMS_TABLE, 'forum_id', 'forum_rules', 'forum_rules_uid', 'forum_rules_bitfield');
+check_table_flash_bbcodes(GROUPS_TABLE, 'group_id', 'group_desc', 'group_desc_uid', 'group_desc_bitfield');
+
+echo "If potentially dangerous flash bbcodes were found, please reparse the posts using the Support Toolkit (http://www.phpbb.com/support/stk/) and/or file a ticket in the Incident Tracker (http://www.phpbb.com/incidents/).\n";
+
+function check_table_flash_bbcodes($table_name, $id_field, $content_field, $uid_field, $bitfield_field)
+{
+	echo "Checking $content_field on $table_name\n";
+
+	$ids = get_table_flash_bbcode_pkids($table_name, $id_field, $content_field, $uid_field, $bitfield_field);
+
+	$size = sizeof($ids);
+	if ($size)
+	{
+		echo "Found $size potentially dangerous flash bbcodes.\n";
+		echo "$id_field: " . implode(', ', $ids) . "\n";
+	}
+	else
+	{
+		echo "No potentially dangerous flash bbcodes found.\n";
+	}
+
+	echo "\n";
+}
+
+function get_table_flash_bbcode_pkids($table_name, $id_field, $content_field, $uid_field, $bitfield_field)
+{
+	global $db;
+
+	$ids = array();
+
+	$sql = "SELECT $id_field, $content_field, $uid_field, $bitfield_field
+		FROM $table_name
+		WHERE $content_field LIKE '%[/flash:%'
+			AND $bitfield_field <> ''";
+
+	$result = $db->sql_query($sql);
+	while ($row = $db->sql_fetchrow($result))
+	{
+		$uid = $row[$uid_field];
+
+		// thanks support toolkit
+		$content = html_entity_decode_utf8($row[$content_field]);
+		set_var($content, $content, 'string', true);
+		$content = utf8_normalize_nfc($content);
+
+		$bitfield_data = $row[$bitfield_field];
+
+		if (!is_valid_flash_bbcode($content, $uid) && has_flash_enabled($bitfield_data))
+		{
+			$ids[] = (int) $row[$id_field];
+		}
+	}
+	$db->sql_freeresult($result);
+
+	return $ids;
+}
+
+function get_flash_regex($uid)
+{
+	return "#\[flash=([0-9]+),([0-9]+):$uid\](.*?)\[/flash:$uid\]#";
+}
+
+// extract all valid flash bbcodes
+// check if the bbcode content is a valid URL for each match
+function is_valid_flash_bbcode($cleaned_content, $uid)
+{
+	$regex = get_flash_regex($uid);
+
+	$url_regex = get_preg_expression('url');
+	$www_url_regex = get_preg_expression('www_url');
+
+	if (preg_match_all($regex, $cleaned_content, $matches))
+	{
+		foreach ($matches[3] as $flash_url)
+		{
+			if (!preg_match("#^($url_regex|$www_url_regex)$#i", $flash_url))
+			{
+				return false;
+			}
+		}
+	}
+
+	return true;
+}
+
+// check if a bitfield includes flash
+// 11 = flash bit
+function has_flash_enabled($bitfield_data)
+{
+	$bitfield = new bitfield($bitfield_data);
+	return $bitfield->get(11);
+}
+
+// taken from support toolkit
+function html_entity_decode_utf8($string)
+{
+	static $trans_tbl;
+
+	// replace numeric entities
+	$string = preg_replace('~&#x([0-9a-f]+);~ei', 'code2utf8(hexdec("\\1"))', $string);
+	$string = preg_replace('~&#([0-9]+);~e', 'code2utf8(\\1)', $string);
+
+	// replace literal entities
+	if (!isset($trans_tbl))
+	{
+		$trans_tbl = array();
+
+		foreach (get_html_translation_table(HTML_ENTITIES) as $val=>$key)
+			$trans_tbl[$key] = utf8_encode($val);
+	}
+	return strtr($string, $trans_tbl);
+}
+
+// taken from support toolkit
+// Returns the utf string corresponding to the unicode value (from php.net, courtesy - romans@void.lv)
+function code2utf8($num)
+{
+	if ($num < 128) return chr($num);
+	if ($num < 2048) return chr(($num >> 6) + 192) . chr(($num & 63) + 128);
+	if ($num < 65536) return chr(($num >> 12) + 224) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128);
+	if ($num < 2097152) return chr(($num >> 18) + 240) . chr((($num >> 12) & 63) + 128) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128);
+	return '';
+}
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@ -90,6 +90,12 @@
 		<div class="content">

 	<a name="v307-PL1"></a><h3>1.i. Changes since 3.0.7-PL1</h3>
+<h4>        Security
+</h4>
+<ul>
+<li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9903'>PHPBB3-9903</a>] -         Execute javascript in [flash=] BBCode
+</li>
+</ul>

 <h4>        Bug
 </h4>
@ -404,6 +410,8 @@
 </li>
 <li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9891'>PHPBB3-9891</a>] -         Updater drops language-selection after database-update
 </li>
+<li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9509'>PHPBB3-9509</a>] -         phpBB Coding Guidelines state subversion as the version control system for phpBB
+</li>
 </ul>

 <h4>        Improvement
@ -467,6 +475,8 @@
 </li>
 <li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9880'>PHPBB3-9880</a>] -         Rename all mentions of CAPTCHA or visual confirmation to anti-bot
 </li>
+<li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9899'>PHPBB3-9899</a>] -         Change the style in the ACP for the recaptcha to match that displayed on prosilver
+</li>
 </ul>

 <h4>        New Feature
@ -509,6 +519,8 @@
 </li>
 <li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9868'>PHPBB3-9868</a>] -         Make the test suite run and pass using the mssqlnative driver
 </li>
+<li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9904'>PHPBB3-9904</a>] -         Update WebPI Parameters.xml
+</li>
 </ul>

 <h4>        Sub-task
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@ -352,6 +352,15 @@ class bbcode_firstpass extends bbcode
 			return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
 		}

+		$in = str_replace(' ', '%20', $in);
+
+		// Make sure $in is a URL.
+		if (!preg_match('#^' . get_preg_expression('url') . '$#i', $in) &&
+			!preg_match('#^' . get_preg_expression('www_url') . '$#i', $in))
+		{
+			return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
+		}
+
 		// Apply the same size checks on flash files as on images
 		if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width'])
 		{
--- a/phpBB/install/database_update.php
+++ b/phpBB/install/database_update.php
@ -914,6 +914,8 @@ function database_update_info()
 		'3.0.7'		=> array(),
 		// No changes from 3.0.7-PL1 to 3.0.8-RC1
 		'3.0.7-PL1'		=> array(),
+		// No changes from 3.0.8-RC1 to 3.0.8
+		'3.0.8-RC1'		=> array(),
 	);
 }

@ -1852,6 +1854,10 @@ function change_database_data(&$no_updates, $version)

 			$no_updates = false;
 		break;
+
+		// No changes from 3.0.8-RC1 to 3.0.8
+		case '3.0.8-RC1':
+		break;
 	}
 }