When a non-fatal error occurs at the beginning of the script, before any custom
error handler is set, one of two situations can be encountered:

1) if the ini option output buffer is disabled:
   - headers are sent to the http client
   - the error message is output
2) if the ini option output_buffer is enabled or the script
   is run within an ob_start()/ob_end() wrapper:
   - the error message is written to the output buffer

Once the script reaches page_header(), phpBB starts gzip compression if enabled.
This is done through ob_start with ob_gzhandler as a callback. The
compression is skipped if headers have already been sent. In situation 1) the
error message sent in plain text comes with headers and this gzip compression
is skipped. The client receives a plaintext version of the page. However, in
situation 2) headers have not been sent yet and the rest of the page will be
compressed. The result is a plaintext error message followed by compressed
output. The client does not understand this output, resulting in either an
error message or simply a blank page in the browser.

In addition to the above situation, this problem occurs with errors that are
triggered after the custom error handler is loaded. The problem has been
noticed before, and a workaround was found. The error handler would call
ob_flush() for particular configuration settings before outputting the error
message. This resulted in headers being sent when output buffering was enabled
thus disabling gzip compression for the rest of the page. The constraints under
which ob_flush() was called were lessened over time whenever a new case was
found that would trigger this problem. Eventually ob_flush() would be called
even when code causing an E_NOTICE was simply run within an ob_start/ob_end.
This makes it impossible to use output buffering to retrieve the content of an
error message without prohibiting the page from setting headers afterwards.

This commit removes all flushing in msg_handler completely and instead fixes
the problem for both errors before and after the error handler is registered.
GZIP compression is only enabled if there is at most one level of output
buffering (e.g. the output_buffer php.ini option is enabled) and if there has
not yet been any output in this buffer. This should avoid any partial output
compression.
PHPBB3-10188
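
The condition described in the commit message above, written out as an added example (this is not phpBB's code; `gzip_is_safe()` and the echoing error handler are hypothetical stand-ins, and the notice text is a constructed sample). It is meant to be run from the PHP command line, where no output buffer is active at startup, and it shows that an error message can be captured in a nested buffer without ruling out compression afterwards, while an error written into the outer buffer does rule it out:

```php
<?php
// Added illustration, not phpBB code. gzip_is_safe() is a hypothetical name.

function gzip_is_safe(): bool
{
    if (headers_sent()) {
        return false;   // plaintext output has already reached the client
    }
    $level = ob_get_level();
    if ($level > 1) {
        return false;   // an outer buffer may already hold uncompressed output
    }
    // A single buffer (e.g. output_buffering in php.ini) is fine only while empty.
    return $level === 0 || ob_get_length() === 0;
}

// Stand-in for an error handler that prints the message and never flushes.
set_error_handler(function (int $errno, string $errstr): bool {
    echo "[error $errno] $errstr\n";
    return true;
});

$results = [];

ob_start();                                    // simulates output_buffering = On
$results['empty buffer'] = gzip_is_safe();

ob_start();                                    // nested buffer used to capture an error
trigger_error('constructed sample notice', E_USER_NOTICE);
$results['inside capture'] = gzip_is_safe();   // two levels are active here
$captured = ob_get_clean();                    // message retrieved, nothing sent
$results['after capture'] = gzip_is_safe();

trigger_error('constructed sample notice', E_USER_NOTICE);  // lands in the outer buffer
$results['after buffered error'] = gzip_is_safe();

ob_end_clean();                                // discard the simulated page output
foreach ($results as $state => $safe) {
    printf("%-22s gzip %s\n", $state, $safe ? 'allowed' : 'skipped');
}
echo 'captured: ' . $captured;
```
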
* naderman/ticket/7057:
[ticket/7057] Use GET for quicksearch and add session id to hidden fields
[ticket/7057] Remove trailing whitespace in functions.php
* ticket/bantu/10042:
[ticket/10042] GD CAPTCHA: Call phpbb_mt_rand() where required.
[ticket/10042] GD CAPTCHA: Round offset to the next pixel.
[ticket/10042] Add mt_rand() wrapper which allows swapping $min and $max.

Calling flush() when output buffering is enabled causes output to be
duplicated. Besides phpBB enabling output buffering for gzip compression,
output buffering may be enabled externally to phpBB via output_handler
or output_buffering directives in php.ini.
Use ob_get_level to determine whether output buffering is active and
call ob_flush in that case.
PHPBB3-10191

Output buffering may be enabled via various approaches, among them:
* output_buffering in php.ini;
* output_handler in php.ini enables output_buffering;
* ob_start call.
ob_get_level allows us to query php runtime for the actual output buffering
status.
PHPBB3-10188

phpass (the hashing library we use) adds a hash identifier to every
hash. By default this identifier is '$P$'. For some reason we have
changed it to '$H$'.
This patch allows both of them to be used for authentication, so that a
third party system could create users with '$P$' hashes.
PHPBB3-10101

Update $config['rand_seed_last_update'] before updating $config['rand_seed'] in
unique_id() to mitigate a race condition and unnecessary updates on heavily
busy boards.
PHPBB3-10100

* ticket/bantu/9859:
[ticket/9859] Remove the years from the copyright statements in docs files.
[ticket/9859] Remove the year from the copyright meta tag in docs/*.html
[ticket/9859] Remove the meta copyright tag as well.
[ticket/9859] Remove the credit line comment from all html files.
[ticket/9859] Remove years in credit line from some more files.

Rename $unicode to $unicode_support, pass in $use_unicode defaulting to true.
In unit tests we can now pass in $use_unicode as false and also test the code
path that is taken when PCRE does not support unicode.
PHPBB3-9933

Since unread posts search can produce a high server load in certain
circumstances, we implement a switch for ACP "Load settings" to have an option
to disable this type of search.
PHPBB3-9613

style.php takes a session ID to ensure it gets the right language for a user,
but that session ID is always passed in GET. This change allows the SID
to be read from the cookie, and theoretically makes it friendlier for caching
engines like Varnish.
PHPBB3-9629