Merge branch 'prep-release-3.0.12'

* prep-release-3.0.12: (443 commits) [prep-release-3.0.12] Update changelog for 3.0.12 release. [ticket/11873] Add unit test for large password input. [ticket/11873] Do not hash very large passwords in order to safe resources. [prep-release-3.0.12] Bumping version number for 3.0.12 final. [prep-release-3.0.12] Remove changelog entry for ticket that was not resolved. [prep-release-3.0.12] Update Changelog for 3.0.12-RC3 release. [prep-release-3.0.12] Bumping version number for 3.0.12-RC3. [ticket/11769] Allow using 0 as poster name [ticket/11769] Allow '0' as username [ticket/11769] Allow '0' as username in notification mails [ticket/11769] Fix language issues in the doc blocks [ticket/11769] Correctly supply the post author's username in posting.php [ticket/11802] replace $browser with $user->browser [ticket/11775] Fix doc blocks syntax [ticket/11775] Remove spaces at line ends [ticket/11775] Split test into multiple steps [ticket/11775] Add functional test for moving the last post [ticket/11775] Backport moving of the posting functions to 3.0 [ticket/11775] Fix error when moving the last post to another topic [prep-release-3.0.12] Update Changelog for 3.0.12-RC2 release. ...
[prep-release-3.0.12] Update changelog for 3.0.12 release.
2025-09-14 10:02:07 +02:00 · 2013-09-28 15:40:10 +02:00 · 2013-09-28 03:20:51 +02:00 · 2013-09-28 03:19:24 +02:00 · 2013-09-28 03:14:18 +02:00 · 2013-09-28 03:12:50 +02:00
7 changed files with 27 additions and 6 deletions
--- a/build/build.xml
+++ b/build/build.xml
@@ -2,9 +2,9 @@

 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.0.12-RC3" />
+	<property name="newversion" value="3.0.12" />
 	<property name="prevversion" value="3.0.11" />
-	<property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.7-PL1, 3.0.8, 3.0.9, 3.0.10, 3.0.12-RC1, 3.0.12-RC2" />
+	<property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.7-PL1, 3.0.8, 3.0.9, 3.0.10, 3.0.12-RC1, 3.0.12-RC2, 3.0.12-RC3" />
 	<!-- no configuration should be needed beyond this point -->

 	<property name="oldversions" value="${olderversions}, ${prevversion}" />
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -152,7 +152,6 @@
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11265">PHPBB3-11265</a>] - Functional tests do not assert that board installation succeeded</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11269">PHPBB3-11269</a>] - Travis functional test case errors</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11278">PHPBB3-11278</a>] - Firebird tables are not removed correctly on 3.0.9-rc1 update</li>
-<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11288">PHPBB3-11288</a>] - Search fooled by hyphens</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11291">PHPBB3-11291</a>] - &quot;Could not open input file: ../composer.phar&quot; error during phing's create-package</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11292">PHPBB3-11292</a>] - Newlines removed in display of PM reports, no clickable links in PM reports</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11301">PHPBB3-11301</a>] - &quot;String offset cast occured&quot; error on PHP 5.4</li>
@@ -219,6 +218,7 @@
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11368">PHPBB3-11368</a>] - Latest pm reports row count</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11583">PHPBB3-11583</a>] - InnoDB supports FULLTEXT index since MySQL 5.6.4.</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11740">PHPBB3-11740</a>] - Update link in FAQ to Ideas Centre</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11873">PHPBB3-11873</a>] - Prevent expensive hash computation in phpbb_check_hash() by rejecting very long passwords</li>
 </ul>
 <h4>Sub-task</h4>
 <ul>
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -25,7 +25,7 @@ if (!defined('IN_PHPBB'))
 */

 // phpBB Version
-define('PHPBB_VERSION', '3.0.12-RC3');
+define('PHPBB_VERSION', '3.0.12');

 // QA-related
 // define('PHPBB_QA', 1);
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -502,6 +502,13 @@ function phpbb_hash($password)
 */
 function phpbb_check_hash($password, $hash)
 {
+	if (strlen($password) > 4096)
+	{
+		// If the password is too huge, we will simply reject it
+		// and not let the server try to hash it.
+		return false;
+	}
+
 	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
 	if (strlen($hash) == 34)
 	{
--- a/phpBB/install/database_update.php
+++ b/phpBB/install/database_update.php
@@ -8,7 +8,7 @@
 *
 */

-define('UPDATES_TO_VERSION', '3.0.12-RC3');
+define('UPDATES_TO_VERSION', '3.0.12');

 // Enter any version to update from to test updates. The version within the db will not be updated.
 define('DEBUG_FROM_VERSION', false);
@@ -1009,6 +1009,8 @@ function database_update_info()
 		'3.0.12-RC1'	=> array(),
 		// No changes from 3.0.12-RC2 to 3.0.12-RC3
 		'3.0.12-RC2'	=> array(),
+		// No changes from 3.0.12-RC3 to 3.0.12
+		'3.0.12-RC3'	=> array(),

 		/** @todo DROP LOGIN_ATTEMPT_TABLE.attempt_id in 3.0.13-RC1 */
 	);
@@ -2248,6 +2250,10 @@ function change_database_data(&$no_updates, $version)
 		// No changes from 3.0.12-RC2 to 3.0.12-RC3
 		case '3.0.12-RC2':
 		break;
+
+		// No changes from 3.0.12-RC3 to 3.0.12
+		case '3.0.12-RC3':
+		break;
 	}
 }

--- a/phpBB/install/schemas/schema_data.sql
+++ b/phpBB/install/schemas/schema_data.sql
@@ -246,7 +246,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page',
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.0.12-RC3');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.0.12');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');

--- a/tests/security/hash_test.php
+++ b/tests/security/hash_test.php
@@ -17,5 +17,13 @@ class phpbb_security_hash_test extends phpbb_test_case
 		$this->assertTrue(phpbb_check_hash('test', '$P$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
 		$this->assertFalse(phpbb_check_hash('foo', '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
 	}
+
+	public function test_check_hash_with_large_input()
+	{
+		// 16 MB password, should be rejected quite fast
+		$start_time = time();
+		$this->assertFalse(phpbb_check_hash(str_repeat('a', 1024 * 1024 * 16), '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
+		$this->assertLessThanOrEqual(5, time() - $start_time);
+	}
 }
Author	SHA1	Message	Date
Andreas Fischer	21e55ea6d2	Merge branch 'prep-release-3.0.12' * prep-release-3.0.12: (443 commits) [prep-release-3.0.12] Update changelog for 3.0.12 release. [ticket/11873] Add unit test for large password input. [ticket/11873] Do not hash very large passwords in order to safe resources. [prep-release-3.0.12] Bumping version number for 3.0.12 final. [prep-release-3.0.12] Remove changelog entry for ticket that was not resolved. [prep-release-3.0.12] Update Changelog for 3.0.12-RC3 release. [prep-release-3.0.12] Bumping version number for 3.0.12-RC3. [ticket/11769] Allow using 0 as poster name [ticket/11769] Allow '0' as username [ticket/11769] Allow '0' as username in notification mails [ticket/11769] Fix language issues in the doc blocks [ticket/11769] Correctly supply the post author's username in posting.php [ticket/11802] replace $browser with $user->browser [ticket/11775] Fix doc blocks syntax [ticket/11775] Remove spaces at line ends [ticket/11775] Split test into multiple steps [ticket/11775] Add functional test for moving the last post [ticket/11775] Backport moving of the posting functions to 3.0 [ticket/11775] Fix error when moving the last post to another topic [prep-release-3.0.12] Update Changelog for 3.0.12-RC2 release. ...	2013-09-28 15:40:10 +02:00
Andreas Fischer	446ea9928d	[prep-release-3.0.12] Update changelog for 3.0.12 release.	2013-09-28 03:20:51 +02:00
Andreas Fischer	426994a7f8	Merge branch 'ticket/11873' into prep-release-3.0.12 * ticket/11873: [ticket/11873] Add unit test for large password input. [ticket/11873] Do not hash very large passwords in order to safe resources.	2013-09-28 03:19:24 +02:00
Joas Schilling	c6aefcf555	[ticket/11873] Add unit test for large password input. The password should be rejected quite fast. PHPBB3-11873	2013-09-28 03:14:18 +02:00
Joas Schilling	cba28c39ad	[ticket/11873] Do not hash very large passwords in order to safe resources. PHPBB3-11873	2013-09-28 03:12:50 +02:00
Andreas Fischer	d18bded3ac	[prep-release-3.0.12] Bumping version number for 3.0.12 final.	2013-09-27 01:26:31 +02:00
Andreas Fischer	38afdd792f	[prep-release-3.0.12] Remove changelog entry for ticket that was not resolved. A wrong fix version was assigned to PHPBB3-11288.	2013-09-10 02:17:41 +02:00
Andreas Fischer	7eb16cbbd5	Merge branch 'prep-release-3.0.11' * prep-release-3.0.11: (279 commits) [prep-release-3.0.11] Bumping version number for 3.0.11 final. [prep-release-3.0.11] Update Changelog for 3.0.11-RC2 release. [prep-release-3.0.11] Bumping version number for 3.0.11-RC2. [ticket/10965] Profile data is only grabbed when show_novalue is enabled [ticket/10965] Make sure all profile fields are always grabbed on viewtopic [ticket/10965] Database update was referring to 3.0.5 instead of 3.0.11-RC1 [ticket/10965] Introduce a new profile field option to display no value [ticket/10667] Fix tests under MySQL 5.5 strict mode (once again) [ticket/10950] Fix grammar in comments [ticket/10950] Delete PMs for users that have not yet read the pm [ticket/10950] Fix unit tests to fit the new pm deleting behaviour [ticket/10950] Update undelivered pm counts in batches not 1 by 1 for each user [ticket/10950] Remove deleted entries in tests instead of commenting them out [ticket/10950] Use database count() and group by instead of doing that in php [ticket/10978] Fix typo in prosilver ucp_groups_membership.html [ticket/10950] Check $delete_ids to be not empty [ticket/10950] Recreated the behaviour of phpbb_delete_user_pms() [ticket/10950] Fix unit tests to reflect desired behaviour [ticket/10441] Make CDB linking more consistent [ticket/10937] Update documentation to say which comment styles are removed. ...	2012-08-20 17:09:18 +02:00
Andreas Fischer	2345be38b6	Merge branch 'prep-release-3.0.10' * prep-release-3.0.10: (221 commits) [prep-release-3.0.10] Bumping version number for 3.0.10 final. [prep-release-3.0.10] Update Changelog for 3.0.10-RC3 release. [ticket/10531] Disallow deleting of the last style [ticket/8996] Revert initial fix to keep old behaviour on empty selection Part2 [ticket/8996] Revert initial fix to keep old behaviour on empty selection [ticket/10319] Missing hidden fields in search form [ticket/10504] Revert the changes for widescreen optimisation PHPBB3-6632 [ticket/10504] Revert the changes for widescreen optimisation PHPBB3-10408 [ticket/10504] Revert the changes for widescreen optimisation PHPBB3-10485 [prep-release-3.0.10] Bumping version number for 3.0.10-RC3. [ticket/10480] Add a build target for changelog building. [ticket/10480] Add a build script for exporting the changelog from tracker. [ticket/10502] Fix typo in changelog. 'red' should have been 'read'. [prep-release-3.0.10] Remove duplicate ticket PHPBB3-10490 from changelog. [ticket/10501] Fix description of table prefixes [ticket/10503] Debug error "Invalid arguments" when previewing edits [prep-release-3.0.10] Update Changelog for 3.0.10-RC2 release. [ticket/10497] Fix SQL error when guest visits forum with unread topic [prep-release-3.0.10] Bumping version number for 3.0.10-RC2. [ticket/10461] Add a comment explaining the logic here. ...	2012-01-02 18:53:55 +01:00
Andreas Fischer	c8da5ad9f4	Merge branch 'prep-release-3.0.9' * prep-release-3.0.9: (359 commits) [prep-release-3.0.9] Bumping version number for 3.0.9 final. [prep-release-3.0.9] Update Changelog for 3.0.9-RC4 release. [prep-release-3.0.9] Decreasing version for an RC4 release. [ticket/9859] Changing all phpBB footers to match the new credit line [ticket/9859] New footer copyright line with registered symbol [ticket/10250] The site_logo hash is different depending on imageset & language [ticket/10250] Destroy cached md5 hash of site_logo on refreshing an imageset [ticket/10250] Overwrite the site_logo width&height when the phpbb logo is used [ticket/10247] Remove attempt_id as primary key from database_update.php [ticket/10250] Added the new phpBB Logo with the Registered Trademark Symbol [ticket/10247] Use COUNT(*) instead of COUNT(attempt_id) [prep-release-3.0.9] Update Changelog for 3.0.9 release. [prep-release-3.0.9] Bumping version number for the final 3.0.9 release. [ticket/10247] Removing attempt_id column from the 3.0.8 to 3.0.9-RC1 updater. [ticket/10247] Add a db_tools test for the removal of a primary key column. [ticket/10247] Add empty data section to database update for RC4 [ticket/10247] Remove unecessary attempt_id primary key column [prep-release-3.0.9] Bump database version to RC3 too. [prep-release-3.0.9] Update Changelog for 3.0.9-RC3 release. [prep-release-3.0.9] Bumping version number for 3.0.9-RC3. ...	2011-07-11 00:29:45 +02:00
Nils Adermann	7f21a5f461	Merge commit 'release-3.0.8' * commit 'release-3.0.8': (393 commits) [prep-release-3.0.8] Incrementing version number to 3.0.8 and update changelog [ticket/9903] Script for detecting potentially malicious flash bbcodes [ticket/9904] Update WebPI Parameters.xml to work with WebMatrix. [ticket/9899] Change recaptcha theme from default to 'clean' in the ACP. [ticket/9509] Fix a typo and wrong period placement [ticket/9903] Fix XSS in BBcode-parser's Flash-BBcode. [develop-olympus] Updating changelog for last minute 3.0.8-RC1 fixes. [ticket/9140] Check current board version in incremental update packages [ticket/9891] Updater drops language-selection after database-update [develop-olympus] Updating changelog with latest changes for 3.0.8-RC1 [ticket/9884] Reduce queue interval to 60 seconds, email package size to 20 [ticket/9886] Update fails on PostgreSQL because of an error in _add_module [ticket/9888] Update fails when Bing [Bot] was already added to the users table [develop-olympus] Bumping version number for 3.0.8-RC1. [ticket/9885] Fix extension group name updater. Loop through all languages. [ticket/9847] Fix typo in search synonyms. Use british english for 'judgement'. [ticket/9883] Change an American English spelling to British English. [task/phing-build] Correct the path for update package patch files. [ticket/9880] Change "antibot" to "anti-spambot". [ticket/9696] Surpress is_dir() notice when using SQLite with open_basedir. ...	2010-11-20 17:00:05 +01:00