Merge branch 'prep-release-3.2.10' into 3.2.x

2025-04-14 12:52:08 +02:00 · 2020-08-06 17:19:21 +02:00 · 2020-08-06 17:19:21 +02:00 · f28b1fd178
commit f28b1fd178
parent d3224c420a fdc827e066
24 changed files with 375 additions and 123 deletions
--- a/build/build.xml
+++ b/build/build.xml
@ -3,7 +3,7 @@
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
 	<property name="newversion" value="3.2.11-dev" />
-	<property name="prevversion" value="3.2.10-RC2" />
+	<property name="prevversion" value="3.2.10" />
 	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9" />
 	<!-- no configuration should be needed beyond this point -->

--- a/phpBB/bin/phpbbcli.php
+++ b/phpBB/bin/phpbbcli.php
@ -84,7 +84,7 @@ $user = $phpbb_container->get('user');
 $user->data['user_id'] = ANONYMOUS;
 $user->ip = '127.0.0.1';

-$application = new \phpbb\console\application('phpBB Console', PHPBB_VERSION, $language);
+$application = new \phpbb\console\application('phpBB Console', PHPBB_VERSION, $language, $config);
 $application->setDispatcher($phpbb_container->get('dispatcher'));
 $application->register_container_commands($phpbb_container->get('console.command_collection'));
 $application->run($input);
--- a/phpBB/cache/.htaccess
+++ b/phpBB/cache/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/config/.htaccess
+++ b/phpBB/config/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@ -50,6 +50,7 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ul>
+		<li><a href="#v3210rc2">Changes since 3.2.10-RC2</a></li>
 		<li><a href="#v3210rc1">Changes since 3.2.10-RC1</a></li>
 		<li><a href="#v329">Changes since 3.2.9</a></li>
 		<li><a href="#v329rc1">Changes since 3.2.9-RC1</a></li>
@ -144,6 +145,28 @@
 		<div class="inner">

 		<div class="content">
+			<a name="v3210rc2"></a><h3>Changes since 3.2.10-RC2</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16417">PHPBB3-16417</a>] - SQL fatal error while updating database from older versions via CLI</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16524">PHPBB3-16524</a>] - General error (SQL ERROR) on adding emoji character to the profile field</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16534">PHPBB3-16534</a>] - Passwords converted from phpBB2 can have invalid hash</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16539">PHPBB3-16539</a>] - General error (SQL error) on posting page in smilies mode</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16550">PHPBB3-16550</a>] - compact(): Undefined variable: url - in PMs</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16554">PHPBB3-16554</a>] - Align all .htaccess files to support Apache 2.4 mod_authz_core directives</li>
+			</ul>
+			<h4>Security Issue</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/SECURITY-259">SECURITY-259</a>] - Server-Side Request Forgery via FastImageSize in s9e textformatter</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/SECURITY-257">SECURITY-257</a>] - Potential RCE via Phar Deserialization through Legacy BBCode Parser</li>
+			</ul>
+
 			<a name="v3210rc1"></a><h3>Changes since 3.2.10-RC1</h3>
 			<h4>Bug</h4>
 			<ul>
--- a/phpBB/files/.htaccess
+++ b/phpBB/files/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/images/avatars/upload/.htaccess
+++ b/phpBB/images/avatars/upload/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/includes/.htaccess
+++ b/phpBB/includes/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/phpBB/includes/functions_posting.php
+++ b/phpBB/includes/functions_posting.php
@ -118,7 +118,7 @@ function generate_smilies($mode, $forum_id)
 				SMILIES_TABLE => 's',
 			],
 			'GROUP_BY'	=> 's.smiley_url, s.smiley_width, s.smiley_height',
-			'ORDER_BY'	=> 's.min_smiley_order',
+			'ORDER_BY'	=> 'min_smiley_order',
 		];
 	}
 	else
--- a/phpBB/includes/functions_privmsgs.php
+++ b/phpBB/includes/functions_privmsgs.php
@ -2046,6 +2046,8 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
 	while ($row = $db->sql_fetchrow($result));
 	$db->sql_freeresult($result);

+	$url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm');
+
 	/**
 	* Modify message rows before displaying the history in private messages
 	*
@ -2080,7 +2082,6 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode

 	$title = censor_text($title);

-	$url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm');
 	$next_history_pm = $previous_history_pm = $prev_id = 0;

 	// Re-order rowset to be able to get the next/prev message rows...
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@ -390,7 +390,7 @@ class bbcode_firstpass extends bbcode
 		$in = str_replace(' ', '%20', $in);

 		// Checking urls
-		if (!preg_match('#^' . get_preg_expression('url') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
+		if (!preg_match('#^' . get_preg_expression('url_http') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
 		{
 			return '[img]' . $in . '[/img]';
 		}
@ -401,32 +401,6 @@ class bbcode_firstpass extends bbcode
 			$in = 'http://' . $in;
 		}

-		if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width'])
-		{
-			$imagesize = new \FastImageSize\FastImageSize();
-			$size_info = $imagesize->getImageSize(htmlspecialchars_decode($in));
-
-			if ($size_info === false)
-			{
-				$error = true;
-				$this->warn_msg[] = $user->lang['UNABLE_GET_IMAGE_SIZE'];
-			}
-			else
-			{
-				if ($config['max_' . $this->mode . '_img_height'] && $config['max_' . $this->mode . '_img_height'] < $size_info['height'])
-				{
-					$error = true;
-					$this->warn_msg[] = $user->lang('MAX_IMG_HEIGHT_EXCEEDED', (int) $config['max_' . $this->mode . '_img_height']);
-				}
-
-				if ($config['max_' . $this->mode . '_img_width'] && $config['max_' . $this->mode . '_img_width'] < $size_info['width'])
-				{
-					$error = true;
-					$this->warn_msg[] = $user->lang('MAX_IMG_WIDTH_EXCEEDED', (int) $config['max_' . $this->mode . '_img_width']);
-				}
-			}
-		}
-
 		if ($error || $this->path_in_domain($in))
 		{
 			return '[img]' . $in . '[/img]';
--- a/phpBB/install/phpbbcli.php
+++ b/phpBB/install/phpbbcli.php
@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli')
 define('IN_PHPBB', true);
 define('IN_INSTALL', true);
 define('PHPBB_ENVIRONMENT', 'production');
-define('PHPBB_VERSION', '3.2.10-RC2');
+define('PHPBB_VERSION', '3.2.10');
 $phpbb_root_path = __DIR__ . '/../';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);

@ -42,11 +42,14 @@ $phpbb_installer_container->get('request')->enable_super_globals();
 /** @var \phpbb\filesystem\filesystem $phpbb_filesystem */
 $phpbb_filesystem = $phpbb_installer_container->get('filesystem');

+/** @var \phpbb\config\config $config */
+$config = $phpbb_installer_container->get('config');
+
 /** @var \phpbb\language\language $language */
 $language = $phpbb_installer_container->get('language');
 $language->add_lang(array('common', 'acp/common', 'acp/board', 'install', 'posting', 'cli'));

-$application = new \phpbb\console\application('phpBB Installer', PHPBB_VERSION, $language);
+$application = new \phpbb\console\application('phpBB Installer', PHPBB_VERSION, $language, $config);
 $application->setDispatcher($phpbb_installer_container->get('dispatcher'));
 $application->register_container_commands($phpbb_installer_container->get('console.installer.command_collection'));
 $application->run($input);
--- a/phpBB/language/en/acp/board.php
+++ b/phpBB/language/en/acp/board.php
@ -183,10 +183,10 @@ $lang = array_merge($lang, array(
 	'MAX_POLL_OPTIONS'				=> 'Maximum number of poll options',
 	'MAX_POST_FONT_SIZE'			=> 'Maximum font size per post',
 	'MAX_POST_FONT_SIZE_EXPLAIN'	=> 'Maximum font size allowed in a post. Set to 0 for unlimited font size.',
-	'MAX_POST_IMG_HEIGHT'			=> 'Maximum image height per post',
-	'MAX_POST_IMG_HEIGHT_EXPLAIN'	=> 'Maximum height of an image/flash file in postings. Set to 0 for unlimited size.',
-	'MAX_POST_IMG_WIDTH'			=> 'Maximum image width per post',
-	'MAX_POST_IMG_WIDTH_EXPLAIN'	=> 'Maximum width of an image/flash file in postings. Set to 0 for unlimited size.',
+	'MAX_POST_IMG_HEIGHT'			=> 'Maximum flash height per post',
+	'MAX_POST_IMG_HEIGHT_EXPLAIN'	=> 'Maximum height of a flash file in postings. Set to 0 for unlimited size.',
+	'MAX_POST_IMG_WIDTH'			=> 'Maximum flash width per post',
+	'MAX_POST_IMG_WIDTH_EXPLAIN'	=> 'Maximum width of a flash file in postings. Set to 0 for unlimited size.',
 	'MAX_POST_URLS'					=> 'Maximum links per post',
 	'MAX_POST_URLS_EXPLAIN'			=> 'Maximum number of URLs in a post. Set to 0 for unlimited links.',
 	'MIN_CHAR_LIMIT'				=> 'Minimum characters per post/message',
--- a/phpBB/phpbb/console/application.php
+++ b/phpBB/phpbb/console/application.php
@ -27,7 +27,12 @@ class application extends \Symfony\Component\Console\Application
 	protected $in_shell = false;

 	/**
-	* @var \phpbb\language\language User object
+	* @var \phpbb\config\config Config object
+	*/
+	protected $config;
+
+	/**
+	* @var \phpbb\language\language Language object
 	*/
 	protected $language;

@ -35,10 +40,12 @@ class application extends \Symfony\Component\Console\Application
 	* @param string						$name		The name of the application
 	* @param string						$version	The version of the application
 	* @param \phpbb\language\language	$language	The user which runs the application (used for translation)
+	* @param \phpbb\config\config		$config		Config object
 	*/
-	public function __construct($name, $version, \phpbb\language\language $language)
+	public function __construct($name, $version, \phpbb\language\language $language, \phpbb\config\config $config)
 	{
 		$this->language = $language;
+		$this->config = $config;

 		parent::__construct($name, $version);
 	}
@ -97,9 +104,17 @@ class application extends \Symfony\Component\Console\Application
 	*/
 	public function register_container_commands(\phpbb\di\service_collection $command_collection)
 	{
-		foreach ($command_collection as $service_command)
+		$commands_list = array_keys($command_collection->getArrayCopy());
+		foreach ($commands_list as $service_command)
 		{
-			$this->add($service_command);
+			// config_text DB table does not exist in phpBB prior to 3.1
+			// Hence skip cron tasks as they include reparser cron as it uses config_text table
+			if (phpbb_version_compare($this->config['version'], '3.1.0', '<') && strpos($service_command, 'cron') !== false)
+			{
+				continue;
+			}
+			$this->add($command_collection[$service_command]);
+
 		}
 	}

--- a/phpBB/phpbb/db/migration/data/v32x/v3210.php
+++ b/phpBB/phpbb/db/migration/data/v32x/v3210.php
@ -0,0 +1,36 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v3210 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.10', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v3210rc2',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.10')),
+		);
+	}
+}
--- a/phpBB/phpbb/profilefields/manager.php
+++ b/phpBB/phpbb/profilefields/manager.php
@ -254,6 +254,13 @@ class manager
 			/** @var \phpbb\profilefields\type\type_interface $profile_field */
 			$profile_field = $this->type_collection[$row['field_type']];
 			$cp_data['pf_' . $row['field_ident']] = $profile_field->get_profile_field($row);
+
+			/**
+			 * Replace Emoji and other 4bit UTF-8 chars not allowed by MySQL
+			 * with their Numeric Character Reference's Hexadecimal notation.
+			 */
+			$cp_data['pf_' . $row['field_ident']] = utf8_encode_ucr($cp_data['pf_' . $row['field_ident']]);
+
 			$check_value = $cp_data['pf_' . $row['field_ident']];

 			if (($cp_result = $profile_field->validate_profile_field($check_value, $row)) !== false)
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@ -273,8 +273,6 @@ class factory implements \phpbb\textformatter\cache_interface
 			->add('#imageurl', __NAMESPACE__ . '\\parser::filter_img_url')
 			->addParameterByName('urlConfig')
 			->addParameterByName('logger')
-			->addParameterByName('max_img_height')
-			->addParameterByName('max_img_width')
 			->markAsSafeAsURL()
 			->setJS('UrlFilter.filter');

--- a/phpBB/phpbb/textformatter/s9e/parser.php
+++ b/phpBB/phpbb/textformatter/s9e/parser.php
@ -380,11 +380,10 @@ class parser implements \phpbb\textformatter\parser_interface
 	* @param  string  $url        Original URL
 	* @param  array   $url_config Config used by the URL filter
 	* @param  Logger  $logger
-	* @param  integer $max_height Maximum height allowed
-	* @param  integer $max_width  Maximum width allowed
+	*
 	* @return string|bool         Original value if valid, FALSE otherwise
 	*/
-	static public function filter_img_url($url, array $url_config, Logger $logger, $max_height, $max_width)
+	static public function filter_img_url($url, array $url_config, Logger $logger)
 	{
 		// Validate the URL
 		$url = UrlFilter::filter($url, $url_config, $logger);
@ -393,29 +392,6 @@ class parser implements \phpbb\textformatter\parser_interface
 			return false;
 		}

-		if ($max_height || $max_width)
-		{
-			$imagesize = new \FastImageSize\FastImageSize();
-			$size_info = $imagesize->getImageSize($url);
-			if ($size_info === false)
-			{
-				$logger->err('UNABLE_GET_IMAGE_SIZE');
-				return false;
-			}
-
-			if ($max_height && $max_height < $size_info['height'])
-			{
-				$logger->err('MAX_IMG_HEIGHT_EXCEEDED', array('max_height' => $max_height));
-				return false;
-			}
-
-			if ($max_width && $max_width < $size_info['width'])
-			{
-				$logger->err('MAX_IMG_WIDTH_EXCEEDED', array('max_width' => $max_width));
-				return false;
-			}
-		}
-
 		return $url;
 	}

--- a/phpBB/store/.htaccess
+++ b/phpBB/store/.htaccess
@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>
--- a/tests/bbcode/parser_test.php
+++ b/tests/bbcode/parser_test.php
@ -120,6 +120,11 @@ class phpbb_bbcode_parser_test extends \phpbb_test_case
 				'[img]https://area51.phpbb.com/images/area51.png[/img]',
 				'[img:]https&#58;//area51&#46;phpbb&#46;com/images/area51&#46;png[/img:]',
 			),
+			array(
+				'Test default bbcodes: img with unsupported protocol',
+				'[img]foo://foo/bar[/img]',
+				'[img]foo://foo/bar[/img]',
+			),
 			array(
 				'Test default bbcodes: simple url',
 				'[url]https://area51.phpbb.com/[/url]',
--- a/tests/functional/smilies_test.php
+++ b/tests/functional/smilies_test.php
@ -0,0 +1,47 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+/**
+* @group functional
+*/
+class phpbb_functional_smilies_test extends phpbb_functional_test_case
+{
+	public function test_smilies_mode()
+	{
+		$this->login();
+
+		// Get smilies data
+		$db = $this->get_db();
+		$sql_ary = [
+			'SELECT'	=> 's.smiley_url, MIN(s.emotion) AS emotion, MIN(s.code) AS code, s.smiley_width, s.smiley_height, MIN(s.smiley_order) AS min_smiley_order',
+			'FROM'		=> [
+				SMILIES_TABLE => 's',
+			],
+			'GROUP_BY'	=> 's.smiley_url, s.smiley_width, s.smiley_height',
+			'ORDER_BY'	=> 'min_smiley_order',
+		];
+		$sql = $db->sql_build_query('SELECT', $sql_ary);
+		$result = $db->sql_query($sql);
+		$smilies = $db->sql_fetchrowset($result);
+		$db->sql_freeresult($result);
+
+		// Visit smilies page
+		$crawler = self::request('GET', 'posting.php?mode=smilies');
+		foreach ($smilies as $index => $smiley)
+		{
+			$this->assertContains($smiley['smiley_url'],
+				$crawler->filter('div[class="inner"] > a > img')->eq($index)->attr('src')
+			);
+		}
+	}
+}
--- a/tests/functional/ucp_profile_test.php
+++ b/tests/functional/ucp_profile_test.php
@ -46,4 +46,23 @@ class phpbb_functional_ucp_profile_test extends phpbb_functional_test_case
 		$this->assertEquals('phpbb_twitter', $form->get('pf_phpbb_twitter')->getValue());
 		$this->assertEquals('phpbb.youtube', $form->get('pf_phpbb_youtube')->getValue());
 	}
+
+	public function test_submitting_emoji()
+	{
+		$this->add_lang('ucp');
+		$this->login();
+
+		$crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info');
+		$this->assertContainsLang('UCP_PROFILE_PROFILE_INFO', $crawler->filter('#cp-main h2')->text());
+
+		$form = $crawler->selectButton('Submit')->form([
+			'pf_phpbb_location'	=> '😁', // grinning face with smiling eyes Emoji
+		]);
+		$crawler = self::submit($form);
+		$this->assertContainsLang('PROFILE_UPDATED', $crawler->filter('#message')->text());
+
+		$crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info');
+		$form = $crawler->selectButton('Submit')->form();
+		$this->assertEquals('😁', $form->get('pf_phpbb_location')->getValue());
+	}
 }
--- a/tests/text_formatter/s9e/default_formatting_test.php
+++ b/tests/text_formatter/s9e/default_formatting_test.php
@ -132,6 +132,10 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 				'[img]https://area51.phpbb.com/images/area51.png[/img]',
 				'<img src="https://area51.phpbb.com/images/area51.png" class="postimage" alt="Image">'
 			),
+			array(
+				'[img]foo://area51.phpbb.com/images/area51.png[/img]',
+				'[img]foo://area51.phpbb.com/images/area51.png[/img]'
+			),
 			array(
 				'[url]https://area51.phpbb.com/[/url]',
 				'<a href="https://area51.phpbb.com/" class="postlink">https://area51.phpbb.com/</a>'
--- a/tests/text_processing/message_parser_test.php
+++ b/tests/text_processing/message_parser_test.php
@ -342,26 +342,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 				},
 				array('You may only use fonts up to size 120.')
 			),
-			array(
-				'[img]http://example.org/100x100.png[/img]',
-				'<r>[img]<URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_height', 12);
-				},
-				array('Your images may only be up to 12 pixels high.')
-			),
-			array(
-				'[img]http://example.org/100x100.png[/img]',
-				'<r>[img]<URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_width', 34);
-				},
-				array('Your images may only be up to 34 pixels wide.')
-			),
 			array(
 				'[img]http://example.org/100x100.png[/img]',
 				'<r><IMG src="http://example.org/100x100.png"><s>[img]</s><URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL><e>[/img]</e></IMG></r>',
@ -392,16 +372,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 					$phpbb_container->get('config')->set('max_sig_img_width', 34);
 				}
 			),
-			array(
-				'[img]http://example.org/404.png[/img]',
-				'<r>[img]<URL url="http://example.org/404.png">http://example.org/404.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_height', 12);
-				},
-				array('It was not possible to determine the dimensions of the image.')
-			),
 			array(
 				'[flash=999,999]http://example.org/foo.swf[/flash]',
 				'<r>[flash=999,999]<URL url="http://example.org/foo.swf">http://example.org/foo.swf</URL>[/flash]</r>',