Merge branch '3.2.x'

2025-07-30 21:40:43 +02:00 · 2017-07-16 21:42:30 +02:00
parent 8514e8be73 1d523531b5
commit f101532c09
30 changed files with 644 additions and 82 deletions
--- a/phpBB/phpbb/avatar/driver/remote.php
+++ b/phpBB/phpbb/avatar/driver/remote.php
@@ -85,8 +85,11 @@ class remote extends \phpbb\avatar\driver\driver
 		}

 		// Check if this url looks alright
-		// This isn't perfect, but it's what phpBB 3.0 did, and might as well make sure everything is compatible
-		if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url))
+		// Do not allow specifying the port (see RFC 3986) or IP addresses
+		if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url) ||
+			preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
+			preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
+			preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
 		{
 			$error[] = 'AVATAR_URL_INVALID';
 			return false;
--- a/phpBB/phpbb/avatar/driver/upload.php
+++ b/phpBB/phpbb/avatar/driver/upload.php
@@ -146,6 +146,16 @@ class upload extends \phpbb\avatar\driver\driver
 				return false;
 			}

+			// Do not allow specifying the port (see RFC 3986) or IP addresses
+			// remote_upload() will do its own check for allowed filetypes
+			if (preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
+				preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
+				preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
+			{
+				$error[] = 'AVATAR_URL_INVALID';
+				return false;
+			}
+
 			$file = $upload->handle_upload('files.types.remote', $url);
 		}
 		else
--- a/phpBB/phpbb/db/migration/data/v30x/.htaccess
+++ b/phpBB/phpbb/db/migration/data/v30x/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/phpbb/db/migration/data/v310/.htaccess
+++ b/phpBB/phpbb/db/migration/data/v310/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/phpbb/db/migration/data/v31x/.htaccess
+++ b/phpBB/phpbb/db/migration/data/v31x/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/phpbb/db/migration/data/v31x/v3111.php
+++ b/phpBB/phpbb/db/migration/data/v31x/v3111.php
@@ -0,0 +1,36 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class v3111 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.1.11', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v31x\v3111rc1',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.1.11')),
+		);
+	}
+}
--- a/phpBB/phpbb/db/migration/data/v320/.htaccess
+++ b/phpBB/phpbb/db/migration/data/v320/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/phpbb/db/migration/data/v32x/.htaccess
+++ b/phpBB/phpbb/db/migration/data/v32x/.htaccess
@@ -0,0 +1,33 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/phpbb/db/migration/data/v32x/v321.php
+++ b/phpBB/phpbb/db/migration/data/v32x/v321.php
@@ -0,0 +1,37 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v321 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.1', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v321rc1',
+		);
+
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.1')),
+		);
+	}
+}
--- a/phpBB/phpbb/db/tools/tools.php
+++ b/phpBB/phpbb/db/tools/tools.php
@@ -941,29 +941,19 @@ class tools implements tools_interface
 				continue;
 			}

-			// These DBMS prefix index name with the table name
 			switch ($this->sql_layer)
 			{
+				// These DBMS prefix index name with the table name
 				case 'oracle':
 				case 'sqlite3':
-					$index_name = $this->check_index_name_length($table_name, $table_name . '_' . $index_name, false);
-					$table_prefix = substr(CONFIG_TABLE, 0, -6); // strlen(config)
-
-					if (strpos($index_name , $table_name) === false)
-					{
-						if (strpos($index_name, $table_prefix) !== false)
-						{
-							$row[$col] = substr($row[$col], strlen($table_prefix) + 1);
-						}
-						else
-						{
-							$row[$col] = substr($row[$col], strlen($table_name) + 1);
-						}
-					}
+					$new_index_name = $this->check_index_name_length($table_name, $table_name . '_' . $index_name, false);
+				break;
+				default:
+					$new_index_name = $this->check_index_name_length($table_name, $index_name, false);
 				break;
 			}

-			if (strtolower($row[$col]) == strtolower($index_name))
+			if (strtolower($row[$col]) == strtolower($new_index_name))
 			{
 				$this->db->sql_freeresult($result);
 				return true;
@@ -1577,15 +1567,17 @@ class tools implements tools_interface
 			$table_prefix = substr(CONFIG_TABLE, 0, -6); // strlen(config)
 			if (strpos($index_name, $table_prefix) === 0)
 			{
-				$index_name = substr($index_name, strlen($table_prefix) + 1);
-				return $this->check_index_name_length($table_name, $index_name);
+				$index_name = substr($index_name, strlen($table_prefix));
+				return $this->check_index_name_length($table_name, $index_name, $throw_error);
 			}

-			// Try removing the table name then
-			if (strpos($index_name, $table_name) === 0)
+			// Try removing the remaining suffix part of table name then
+			$table_suffix = substr($table_name, strlen($table_prefix));
+			if (strpos($index_name, $table_suffix) === 0)
 			{
-				$index_name = substr($index_name, strlen($table_name) + 1);
-				return $this->check_index_name_length($table_name, $index_name);
+				// Remove the suffix and underscore separator between table_name and index_name
+				$index_name = substr($index_name, strlen($table_suffix) + 1);
+				return $this->check_index_name_length($table_name, $index_name, $throw_error);
 			}

 			if ($throw_error)
--- a/phpBB/phpbb/search/fulltext_mysql.php
+++ b/phpBB/phpbb/search/fulltext_mysql.php
@@ -272,6 +272,27 @@ class fulltext_mysql extends \phpbb\search\base

 		foreach ($this->split_words as $i => $word)
 		{
+			// Check for not allowed search queries for InnoDB.
+			// We assume similar restrictions for MyISAM, which is usually even
+			// slower but not as restrictive as InnoDB.
+			// InnoDB full-text search does not support the use of a leading
+			// plus sign with wildcard ('+*'), a plus and minus sign
+			// combination ('+-'), or leading a plus and minus sign combination.
+			// InnoDB full-text search only supports leading plus or minus signs.
+			// For example, InnoDB supports '+apple' but does not support 'apple+'.
+			// Specifying a trailing plus or minus sign causes InnoDB to report
+			// a syntax error. InnoDB full-text search does not support the use
+			// of multiple operators on a single search word, as in this example:
+			// '++apple'. Use of multiple operators on a single search word
+			// returns a syntax error to standard out.
+			// Also, ensure that the wildcard character is only used at the
+			// end of the line as it's intended by MySQL.
+			if (preg_match('#^(\+[+-]|\+\*|.+[+-]$|.+\*(?!$))#', $word))
+			{
+				unset($this->split_words[$i]);
+				continue;
+			}
+
 			$clean_word = preg_replace('#^[+\-|"]#', '', $word);

 			// check word length
--- a/phpBB/phpbb/textformatter/s9e/renderer.php
+++ b/phpBB/phpbb/textformatter/s9e/renderer.php
@@ -247,14 +247,12 @@ class renderer implements \phpbb\textformatter\renderer_interface
 		$vars = array('renderer', 'xml');
 		extract($this->dispatcher->trigger_event('core.text_formatter_s9e_render_before', compact($vars)));

+		$html = $this->renderer->render($xml);
 		if (isset($this->censor) && $this->viewcensors)
 		{
-			// NOTE: censorHtml() is XML-safe
-			$xml = $this->censor->censorHtml($xml, true);
+			$html = $this->censor->censorHtml($html, true);
 		}

-		$html = $this->renderer->render($xml);
-
 		/**
 		* Modify a rendered text
 		*
--- a/phpBB/phpbb/version_helper.php
+++ b/phpBB/phpbb/version_helper.php
@@ -60,6 +60,23 @@ class version_helper
 	/** @var \phpbb\file_downloader */
 	protected $file_downloader;

+	protected $version_schema = array(
+		'stable' => array(
+			'current'		=> 'version',
+			'download'		=> 'url',
+			'announcement'	=> 'url',
+			'eol'			=> 'url',
+			'security'		=> 'bool',
+		),
+		'unstable' => array(
+			'current'		=> 'version',
+			'download'		=> 'url',
+			'announcement'	=> 'url',
+			'eol'			=> 'url',
+			'security'		=> 'bool',
+		),
+	);
+
 	/**
 	 * Constructor
 	 *
@@ -392,9 +409,101 @@ class version_helper
 			$info['stable'] = (empty($info['stable'])) ? array() : $info['stable'];
 			$info['unstable'] = (empty($info['unstable'])) ? $info['stable'] : $info['unstable'];

+			$info = $this->validate_versions($info);
+
 			$this->cache->put($cache_file, $info, 86400); // 24 hours
 		}

 		return $info;
 	}
+
+	/**
+	 * Validate versions info input
+	 *
+	 * @param array $versions_info Decoded json data array. Will be modified
+	 *		and cleaned by this method
+	 *
+	 * @return array Versions info array
+	 * @throws version_check_exception
+	 */
+	public function validate_versions($versions_info)
+	{
+		$array_diff = array_diff_key($versions_info, array($this->version_schema));
+
+		// Remove excessive data
+		if (count($array_diff) > 0)
+		{
+			$old_versions_info = $versions_info;
+			$versions_info = array(
+				'stable'	=> !empty($old_versions_info['stable']) ? $old_versions_info['stable'] : array(),
+				'unstable'	=> !empty($old_versions_info['unstable']) ? $old_versions_info['unstable'] : array(),
+			);
+			unset($old_versions_info);
+		}
+
+		foreach ($versions_info as $stability_type => &$versions_data)
+		{
+			foreach ($versions_data as $branch => &$version_data)
+			{
+				if (!preg_match('/^[0-9a-z\-\.]+$/i', $branch))
+				{
+					unset($versions_data[$branch]);
+					continue;
+				}
+
+				$stability_diff = array_diff_key($version_data, $this->version_schema[$stability_type]);
+
+				if (count($stability_diff) > 0)
+				{
+					$old_version_data = $version_data;
+					$version_data = array();
+					foreach ($this->version_schema[$stability_type] as $key => $value)
+					{
+						if (isset($old_version_data[$key]))
+						{
+							$version_data[$key] = $old_version_data[$key];
+						}
+					}
+					unset($old_version_data);
+				}
+
+				foreach ($version_data as $key => &$value)
+				{
+					if (!isset($this->version_schema[$stability_type][$key]))
+					{
+						unset($version_data[$key]);
+						throw new version_check_exception('VERSIONCHECK_INVALID_ENTRY');
+					}
+
+					switch ($this->version_schema[$stability_type][$key])
+					{
+						case 'bool':
+							$value = (bool) $value;
+						break;
+
+						case 'url':
+							if (!empty($value) && !preg_match('#^' . get_preg_expression('url') . '$#iu', $value) &&
+								!preg_match('#^' . get_preg_expression('www_url') . '$#iu', $value))
+							{
+								throw new version_check_exception('VERSIONCHECK_INVALID_URL');
+							}
+						break;
+
+						case 'version':
+							if (!empty($value) && !preg_match(get_preg_expression('semantic_version'), $value))
+							{
+								throw new version_check_exception('VERSIONCHECK_INVALID_VERSION');
+							}
+						break;
+
+						default:
+							// Shouldn't be possible to trigger this
+							throw new version_check_exception('VERSIONCHECK_INVALID_ENTRY');
+					}
+				}
+			}
+		}
+
+		return $versions_info;
+	}
 }