[prep-release-3.0.14] Add security relevant changes to CHANGELOG.html.

* phpbb-security/ticket/security-180:
  [ticket/security-180] Add tests for redirecting to main URL
  [ticket/security-180] Always fail when redirecting to an insecure URL
  [ticket/security-180] Make sure that redirect goes to full URL plus slash
  [ticket/security-180] Check if redirect URL contains board URL

build/build.xml

@@ -2,9 +2,9 @@
 
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.0.14-dev" />
-	<property name="prevversion" value="3.0.13-PL1" />
-	<property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.7-PL1, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13" />
+	<property name="newversion" value="3.0.14" />
+	<property name="prevversion" value="3.0.14-RC1" />
+	<property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.7-PL1, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.13-PL1" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />

phpBB/docs/CHANGELOG.html

@@ -53,6 +53,7 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ul>
+		<li><a href="#v3013-PL1">Changes since 3.0.13-PL1</a></li>
 		<li><a href="#v3013">Changes since 3.0.13</a></li>
 		<li><a href="#v3012">Changes since 3.0.12</a></li>
 		<li><a href="#v3011">Changes since 3.0.11</a></li>
@@ -95,6 +96,35 @@
 
 		<div class="content">
 
+	<a name="v3013-PL1"></a><h3>Changes since 3.0.13-PL1</h3>
+
+<h4>Security</h4>
+<ul>
+<li>[SECURITY-180] - An insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login)</li>
+</ul>
+<h4>Bug</h4>
+<ul>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13348">PHPBB3-13348</a>] - sql_freeresult() should be called in feed base class</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13414">PHPBB3-13414</a>] - download/file.php sends Content-Length header even when issuing 304 Not Modified</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13555">PHPBB3-13555</a>] - Poll options preview rendered incorrectly by &lt;br /&gt; collision</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13568">PHPBB3-13568</a>] - Imagick path validated as relative path although ACP asks for absolute path</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13617">PHPBB3-13617</a>] - Bot session continuation with invalid f= query parameter causes SQL error</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13738">PHPBB3-13738</a>] - Sami still refers to develop-* branches</li>
+</ul>
+<h4>Improvement</h4>
+<ul>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-12089">PHPBB3-12089</a>] - Make HTTP status code assertion failure messages more informative</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13765">PHPBB3-13765</a>] - Verify that SERVER_PROTOCOL has the expected format</li>
+</ul>
+<h4>Task</h4>
+<ul>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11539">PHPBB3-11539</a>] - Add unit tests for several functions in functions.php</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13572">PHPBB3-13572</a>] - Upgrade composer to 1.0.0-alpha9</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13599">PHPBB3-13599</a>] - Remove PHP 5.2 Travis environment</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13634">PHPBB3-13634</a>] - Update README to show new branch names</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13723">PHPBB3-13723</a>] - Update docs/AUTHORS for 3.0.14-RC1 / 3.1.4-RC1</li>
+</ul>
+
 	<a name="v3013"></a><h3>Changes since 3.0.13</h3>
 
 <h4>Bug</h4>

phpBB/docs/INSTALL.html

@@ -276,7 +276,7 @@
 
 	<p>This package is meant for those wanting to only replace the files that were changed between a previous version and the latest version.</p>
 
-	<p>This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have <strong>3.0.12</strong> you should select the appropriate <code>phpBB-3.0.13-PL1-files.zip/tar.bz2</code> file.</p>
+	<p>This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have <strong>3.0.13</strong> you should select the appropriate <code>phpBB-3.0.14-files.zip/tar.bz2</code> file.</p>
 
 	<p>The directory structure has been preserved, enabling you (if you wish) to simply upload the uncompressed contents of the archive to the appropriate location on your server, i.e. simply overwrite the existing files with the new versions. Do not forget that if you have installed any modifications (MODs) these files will overwrite the originals, possibly destroying them in the process. You will need to re-add MODs to any affected file before uploading.</p>
 
@@ -288,7 +288,7 @@
 
 	<p>The patch file is one solution for those with many Modifications (MODs) or other changes and do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type <strong>patch</strong> application. If you do not have access to such an application, but still want to use this update approach, we strongly recommend the <a href="#update_auto">Automatic update package</a> explained below. It is also the recommended update method.</p>
 
-	<p>A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is <strong>3.0.12</strong>, you need the <code>phpBB-3.0.13-PL1-patch.zip/tar.bz2</code> file. Place the correct patch in the parent directory containing the phpBB core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <code>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</code> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>
+	<p>A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is <strong>3.0.13</strong>, you need the <code>phpBB-3.0.14-patch.zip/tar.bz2</code> file. Place the correct patch in the parent directory containing the phpBB core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <code>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</code> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>
 
 	<p>If you do get failures, you should look at using the <a href="#update_files">Changed Files</a> package to replace the files which failed to patch. Please note that you will need to manually re-add any MODs to these particular files. Alternatively, if you know how, you can examine the .rej files to determine what failed where and make manual adjustments to the relevant source.</p>
 
@@ -298,7 +298,7 @@
 
 	<p>This update method is the recommended method for updating. This package detects changed files automatically and merges in changes if needed.</p>
 
-	<p>The automatic update package will update the board from a given version to the latest version. A number of automatic update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is <strong>3.0.12</strong>, you need the <code>phpBB-3.0.12_to_3.0.13-PL1.zip/tar.bz2</code> file.</p>
+	<p>The automatic update package will update the board from a given version to the latest version. A number of automatic update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is <strong>3.0.13</strong>, you need the <code>phpBB-3.0.13_to_3.0.14.zip/tar.bz2</code> file.</p>
 
 	<p>To perform the update, either follow the instructions from the <strong>Administration Control Panel-&gt;System</strong> Tab - this should point out that you are running an outdated version and will guide you through the update - or follow the instructions listed below.</p>
 

phpBB/includes/constants.php

@@ -25,7 +25,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-define('PHPBB_VERSION', '3.0.14-dev');
+define('PHPBB_VERSION', '3.0.14');
 
 // QA-related
 // define('PHPBB_QA', 1);

phpBB/includes/functions.php

@@ -2492,7 +2492,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
 		// Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
 		if (!$disable_cd_check && $url_parts['host'] !== $user->host)
 		{
-			$url = generate_board_url();
+			trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
 		}
 	}
 	else if ($url[0] == '/')
@@ -2579,6 +2579,12 @@ function redirect($url, $return = false, $disable_cd_check = false)
 		}
 	}
 
+	// Make sure we don't redirect to external URLs
+	if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
+	{
+		trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+	}
+
 	// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
 	if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
 	{
@@ -2782,7 +2788,7 @@ function send_status_line($code, $message)
 	}
 	else
 	{
-		if (!empty($_SERVER['SERVER_PROTOCOL']))
+		if (!empty($_SERVER['SERVER_PROTOCOL']) && is_string($_SERVER['SERVER_PROTOCOL']) && preg_match('#^HTTP/[0-9]\.[0-9]$#', $_SERVER['SERVER_PROTOCOL']))
 		{
 			$version = $_SERVER['SERVER_PROTOCOL'];
 		}

phpBB/includes/startup.php

@@ -130,7 +130,7 @@ if (phpbb_has_trailing_path($phpEx))
 	{
 		$prefix = 'Status:';
 	}
-	else if (!empty($_SERVER['SERVER_PROTOCOL']))
+	else if (!empty($_SERVER['SERVER_PROTOCOL']) && is_string($_SERVER['SERVER_PROTOCOL']) && preg_match('#^HTTP/[0-9]\.[0-9]$#', $_SERVER['SERVER_PROTOCOL']))
 	{
 		$prefix = $_SERVER['SERVER_PROTOCOL'];
 	}

phpBB/install/convertors/convert_phpbb20.php

@@ -32,7 +32,7 @@ unset($dbpasswd);
 $convertor_data = array(
 	'forum_name'	=> 'phpBB 2.0.x',
 	'version'		=> '1.0.3',
-	'phpbb_version'	=> '3.0.13',
+	'phpbb_version'	=> '3.0.14',
 	'author'		=> '<a href="https://www.phpbb.com/">phpBB Group</a>',
 	'dbms'			=> $dbms,
 	'dbhost'		=> $dbhost,

phpBB/install/database_update.php

@@ -8,7 +8,7 @@
 *
 */
 
-define('UPDATES_TO_VERSION', '3.0.14-dev');
+define('UPDATES_TO_VERSION', '3.0.14');
 
 // Enter any version to update from to test updates. The version within the db will not be updated.
 define('DEBUG_FROM_VERSION', false);
@@ -949,7 +949,7 @@ function database_update_info()
 						// this column was removed from the database updater
 						// after 3.0.9-RC3 was released. It might still exist
 						// in 3.0.9-RCX installations and has to be dropped in
-						// 3.0.14 after the db_tools class is capable of properly
+						// 3.0.15 after the db_tools class is capable of properly
 						// removing a primary key.
 						// 'attempt_id'			=> array('UINT', NULL, 'auto_increment'),
 						'attempt_ip'			=> array('VCHAR:40', ''),
@@ -1014,9 +1014,15 @@ function database_update_info()
 		// No changes from 3.0.12 to 3.0.13-RC1
 		'3.0.12'		=> array(),
 		// No changes from 3.0.13-RC1 to 3.0.13
-		'3.0.13-RC1'		=> array(),
+		'3.0.13-RC1'	=> array(),
+		// No changes from 3.0.13 to 3.0.13-PL1
+		'3.0.13'		=> array(),
+		// No changes from 3.0.13-PL1 to 3.0.14-RC1
+		'3.0.13-PL1'	=> array(),
+		// No changes from 3.0.14-RC1 to 3.0.14
+		'3.0.14-RC1'	=> array(),
 
-		/** @todo DROP LOGIN_ATTEMPT_TABLE.attempt_id in 3.0.14-RC1 */
+		/** @todo DROP LOGIN_ATTEMPT_TABLE.attempt_id in 3.0.15-RC1 */
 	);
 }
 
@@ -2266,6 +2272,18 @@ function change_database_data(&$no_updates, $version)
 		// No changes from 3.0.13-RC1 to 3.0.13
 		case '3.0.13-RC1':
 		break;
+
+		// No changes from 3.0.13 to 3.0.13-PL1
+		case '3.0.13':
+		break;
+
+		// No changes from 3.0.13-PL1 to 3.0.14-RC1
+		case '3.0.13-PL1':
+		break;
+
+		// No changes from 3.0.14-RC1 to 3.0.14
+		case '3.0.14-RC1':
+		break;
 	}
 }
 

phpBB/install/schemas/schema_data.sql

@@ -246,7 +246,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page',
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.0.14-dev');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.0.14');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
 

phpBB/styles/prosilver/imageset/imageset.cfg

@@ -19,7 +19,7 @@
 # General Information about this style
 name = prosilver
 copyright = © phpBB Group, 2007
-version = 3.0.13
+version = 3.0.14
 
 # Images
 img_site_logo = site_logo.gif*52*139

phpBB/styles/prosilver/style.cfg

@@ -19,4 +19,4 @@
 # General Information about this style
 name = prosilver
 copyright = © phpBB Group, 2007
-version = 3.0.13
+version = 3.0.14

phpBB/styles/prosilver/template/template.cfg

@@ -19,7 +19,7 @@
 # General Information about this template
 name = prosilver
 copyright = © phpBB Group, 2007
-version = 3.0.13
+version = 3.0.14
 
 # Defining a different template bitfield
 template_bitfield = lNg=

phpBB/styles/prosilver/theme/theme.cfg

@@ -21,7 +21,7 @@
 # General Information about this theme
 name = prosilver
 copyright = © phpBB Group, 2007
-version = 3.0.13
+version = 3.0.14
 
 # Some configuration options
 

phpBB/styles/subsilver2/imageset/imageset.cfg

@@ -19,7 +19,7 @@
 # General Information about this style
 name = subsilver2
 copyright = © phpBB Group, 2003
-version = 3.0.13
+version = 3.0.14
 
 # Images
 img_site_logo = site_logo.gif*94*170

phpBB/styles/subsilver2/style.cfg

@@ -19,4 +19,4 @@
 # General Information about this style
 name = subsilver2
 copyright = © 2005 phpBB Group
-version = 3.0.13
+version = 3.0.14

phpBB/styles/subsilver2/template/template.cfg

@@ -19,7 +19,7 @@
 # General Information about this template
 name = subsilver2
 copyright = © phpBB Group, 2003
-version = 3.0.13
+version = 3.0.14
 
 # Template inheritance
 # See http://blog.phpbb.com/2008/07/31/templating-just-got-easier/

phpBB/styles/subsilver2/theme/theme.cfg

@@ -21,7 +21,7 @@
 # General Information about this theme
 name = subsilver2
 copyright = © phpBB Group, 2003
-version = 3.0.13
+version = 3.0.14
 
 # Some configuration options
 

tests/security/redirect_test.php

@@ -18,12 +18,17 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
 	{
 		// array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
 		return array(
-			array('data://x', false, 'http://localhost/phpBB'),
+			array('data://x', 'Tried to redirect to potentially insecure url.', false),
 			array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false),
-			array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'),
+			array('http://www.otherdomain.com/somescript.php', 'Tried to redirect to potentially insecure url.', false),
 			array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
 			array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'),
 			array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
+			array('https://foobar.com\@http://localhost/phpBB', 'Tried to redirect to potentially insecure url.', false),
+			array('https://foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
+			array('http://localhost.foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
+			array('http://localhost/phpBB', false, 'http://localhost/phpBB'),
+			array('http://localhost/phpBB/', false, 'http://localhost/phpBB/'),
 		);
 	}