Merge branch 'prep-release-3.2.11' into 3.2.x

[ticket/security-265] Reduce verbosity of jabber error return

build/build.xml

@@ -2,9 +2,9 @@
 
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.2.10-RC1" />
-	<property name="prevversion" value="3.2.9" />
-	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8" />
+	<property name="newversion" value="3.2.11" />
+	<property name="prevversion" value="3.2.10" />
+	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />

build/sami-all.conf.php

@@ -26,8 +26,6 @@ $config['versions'] = Sami\Version\GitVersionCollection::create(__DIR__ . '/../'
 	->add('3.0.x')
 	->add('3.1.x')
 	->add('3.2.x')
-	->add('3.3.x')
-	->add('master')
 ;
 
 return new Sami\Sami($iterator, $config);

phpBB/bin/phpbbcli.php

@@ -84,7 +84,7 @@ $user = $phpbb_container->get('user');
 $user->data['user_id'] = ANONYMOUS;
 $user->ip = '127.0.0.1';
 
-$application = new \phpbb\console\application('phpBB Console', PHPBB_VERSION, $language);
+$application = new \phpbb\console\application('phpBB Console', PHPBB_VERSION, $language, $config);
 $application->setDispatcher($phpbb_container->get('dispatcher'));
 $application->register_container_commands($phpbb_container->get('console.command_collection'));
 $application->run($input);

phpBB/cache/.htaccess

@@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>

phpBB/config/.htaccess

@@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>

phpBB/docs/CHANGELOG.html

@@ -50,6 +50,9 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ul>
+		<li><a href="#v3210">Changes since 3.2.10</a></li>
+		<li><a href="#v3210rc2">Changes since 3.2.10-RC2</a></li>
+		<li><a href="#v3210rc1">Changes since 3.2.10-RC1</a></li>
 		<li><a href="#v329">Changes since 3.2.9</a></li>
 		<li><a href="#v329rc1">Changes since 3.2.9-RC1</a></li>
 		<li><a href="#v328">Changes since 3.2.8</a></li>
@@ -143,6 +146,48 @@
 		<div class="inner">
 
 		<div class="content">
+			<a name="v3210"></a><h3>Changes since 3.2.10</h3>
+			<h4>Security Issue</h4>
+			<ul>
+				<li>[SECURITY-264] - Invalid conversion of HTML entities when stripping BBCode</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[SECURITY-265] - Reduce verbosity of jabber output in ACP</li>
+			</ul>
+
+			<a name="v3210rc2"></a><h3>Changes since 3.2.10-RC2</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16417">PHPBB3-16417</a>] - SQL fatal error while updating database from older versions via CLI</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16524">PHPBB3-16524</a>] - General error (SQL ERROR) on adding emoji character to the profile field</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16534">PHPBB3-16534</a>] - Passwords converted from phpBB2 can have invalid hash</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16539">PHPBB3-16539</a>] - General error (SQL error) on posting page in smilies mode</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16550">PHPBB3-16550</a>] - compact(): Undefined variable: url - in PMs</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16554">PHPBB3-16554</a>] - Align all .htaccess files to support Apache 2.4 mod_authz_core directives</li>
+			</ul>
+			<h4>Security Issue</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/SECURITY-259">SECURITY-259</a>] - Server-Side Request Forgery via FastImageSize in s9e textformatter</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/SECURITY-257">SECURITY-257</a>] - Potential RCE via Phar Deserialization through Legacy BBCode Parser</li>
+			</ul>
+
+			<a name="v3210rc1"></a><h3>Changes since 3.2.10-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16505">PHPBB3-16505</a>] - PHP debug warning while using \phpbb\language\language\lang_array() function</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16507">PHPBB3-16507</a>] - White page when searching users' posts</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16508">PHPBB3-16508</a>] - Whois not working for IPv6 addresses</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16510">PHPBB3-16510</a>] - Missing rows in config table on new install</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16511">PHPBB3-16511</a>] - Fatal error when deleting user in ACP</li>
+			</ul>
+
 			<a name="v329"></a><h3>Changes since 3.2.9</h3>
 			<h4>Bug</h4>
 			<ul>

phpBB/files/.htaccess

@@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>

phpBB/images/avatars/upload/.htaccess

@@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>

phpBB/includes/.htaccess

@@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>

phpBB/includes/constants.php

@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-@define('PHPBB_VERSION', '3.2.10-RC1');
+@define('PHPBB_VERSION', '3.2.11');
 
 // QA-related
 // define('PHPBB_QA', 1);

phpBB/includes/functions_jabber.php

@@ -207,7 +207,7 @@ class jabber
 	*/
 	function login()
 	{
-		if (!count($this->features))
+		if (empty($this->features))
 		{
 			$this->add_to_log('Error: No feature information from server available.');
 			return false;
@@ -227,7 +227,6 @@ class jabber
 		if ($this->connected())
 		{
 			$xml = trim($xml);
-			$this->add_to_log('SEND: '. $xml);
 			return fwrite($this->connection, $xml);
 		}
 		else
@@ -338,7 +337,6 @@ class jabber
 
 		if ($data != '')
 		{
-			$this->add_to_log('RECV: '. $data);
 			return $this->xmlize($data);
 		}
 		else
@@ -419,7 +417,7 @@ class jabber
 		{
 			// or even multiple elements of the same type?
 			// array('message' => array(0 => ..., 1 => ...))
-			if (count(reset($xml)) > 1)
+			if (is_array(reset($xml)) && count(reset($xml)) > 1)
 			{
 				foreach (reset($xml) as $value)
 				{
@@ -445,7 +443,7 @@ class jabber
 				}
 
 				$second_time = isset($this->session['id']);
-				$this->session['id'] = $xml['stream:stream'][0]['@']['id'];
+				$this->session['id'] = isset($xml['stream:stream'][0]['@']['id']) ? $xml['stream:stream'][0]['@']['id'] : '';
 
 				if ($second_time)
 				{
@@ -701,7 +699,7 @@ class jabber
 
 			default:
 				// hm...don't know this response
-				$this->add_to_log('Notice: Unknown server response (' . key($xml) . ')');
+				$this->add_to_log('Notice: Unknown server response');
 				return false;
 			break;
 		}

phpBB/includes/functions_posting.php

@@ -118,7 +118,7 @@ function generate_smilies($mode, $forum_id)
 				SMILIES_TABLE => 's',
 			],
 			'GROUP_BY'	=> 's.smiley_url, s.smiley_width, s.smiley_height',
-			'ORDER_BY'	=> 's.min_smiley_order',
+			'ORDER_BY'	=> 'min_smiley_order',
 		];
 	}
 	else

phpBB/includes/functions_privmsgs.php

@@ -2046,6 +2046,8 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
 	while ($row = $db->sql_fetchrow($result));
 	$db->sql_freeresult($result);
 
+	$url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm');
+
 	/**
 	* Modify message rows before displaying the history in private messages
 	*
@@ -2080,7 +2082,6 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
 
 	$title = censor_text($title);
 
-	$url = append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=pm');
 	$next_history_pm = $previous_history_pm = $prev_id = 0;
 
 	// Re-order rowset to be able to get the next/prev message rows...

phpBB/includes/functions_user.php

@@ -760,7 +760,7 @@ function user_delete($mode, $user_ids, $retain_username = true)
 	$db->sql_query($sql);
 
 	// Clean the private messages tables from the user
-	if (!function_exists('phpbb_delete_user_pms'))
+	if (!function_exists('phpbb_delete_users_pms'))
 	{
 		include($phpbb_root_path . 'includes/functions_privmsgs.' . $phpEx);
 	}
@@ -1470,13 +1470,11 @@ function user_ipwhois($ip)
 
 	$ipwhois = '';
 
-	// Limit the query to all possible flags (whois.arin.net)
-	$ip = 'z ' . $ip;
-
 	if (($fsk = @fsockopen($whois_host, 43)))
 	{
 		// CRLF as per RFC3912
-		fputs($fsk, "$ip\r\n");
+		// Z to limit the query to all possible flags (whois.arin.net)
+		fputs($fsk, "z $ip\r\n");
 		while (!feof($fsk))
 		{
 			$ipwhois .= fgets($fsk, 1024);

phpBB/includes/message_parser.php

@@ -390,7 +390,7 @@ class bbcode_firstpass extends bbcode
 		$in = str_replace(' ', '%20', $in);
 
 		// Checking urls
-		if (!preg_match('#^' . get_preg_expression('url') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
+		if (!preg_match('#^' . get_preg_expression('url_http') . '$#iu', $in) && !preg_match('#^' . get_preg_expression('www_url') . '$#iu', $in))
 		{
 			return '[img]' . $in . '[/img]';
 		}
@@ -401,32 +401,6 @@ class bbcode_firstpass extends bbcode
 			$in = 'http://' . $in;
 		}
 
-		if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width'])
-		{
-			$imagesize = new \FastImageSize\FastImageSize();
-			$size_info = $imagesize->getImageSize(htmlspecialchars_decode($in));
-
-			if ($size_info === false)
-			{
-				$error = true;
-				$this->warn_msg[] = $user->lang['UNABLE_GET_IMAGE_SIZE'];
-			}
-			else
-			{
-				if ($config['max_' . $this->mode . '_img_height'] && $config['max_' . $this->mode . '_img_height'] < $size_info['height'])
-				{
-					$error = true;
-					$this->warn_msg[] = $user->lang('MAX_IMG_HEIGHT_EXCEEDED', (int) $config['max_' . $this->mode . '_img_height']);
-				}
-
-				if ($config['max_' . $this->mode . '_img_width'] && $config['max_' . $this->mode . '_img_width'] < $size_info['width'])
-				{
-					$error = true;
-					$this->warn_msg[] = $user->lang('MAX_IMG_WIDTH_EXCEEDED', (int) $config['max_' . $this->mode . '_img_width']);
-				}
-			}
-		}
-
 		if ($error || $this->path_in_domain($in))
 		{
 			return '[img]' . $in . '[/img]';

phpBB/install/convertors/convert_phpbb20.php

@@ -38,7 +38,7 @@ $dbms = $phpbb_config_php_file->convert_30_dbms_to_31($dbms);
 $convertor_data = array(
 	'forum_name'	=> 'phpBB 2.0.x',
 	'version'		=> '1.0.3',
-	'phpbb_version'	=> '3.2.10',
+	'phpbb_version'	=> '3.2.11',
 	'author'		=> '<a href="https://www.phpbb.com/">phpBB Limited</a>',
 	'dbms'			=> $dbms,
 	'dbhost'		=> $dbhost,

phpBB/install/phpbbcli.php

@@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli')
 define('IN_PHPBB', true);
 define('IN_INSTALL', true);
 define('PHPBB_ENVIRONMENT', 'production');
-define('PHPBB_VERSION', '3.2.10-RC1');
+define('PHPBB_VERSION', '3.2.11');
 $phpbb_root_path = __DIR__ . '/../';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);
 
@@ -42,11 +42,14 @@ $phpbb_installer_container->get('request')->enable_super_globals();
 /** @var \phpbb\filesystem\filesystem $phpbb_filesystem */
 $phpbb_filesystem = $phpbb_installer_container->get('filesystem');
 
+/** @var \phpbb\config\config $config */
+$config = $phpbb_installer_container->get('config');
+
 /** @var \phpbb\language\language $language */
 $language = $phpbb_installer_container->get('language');
 $language->add_lang(array('common', 'acp/common', 'acp/board', 'install', 'posting', 'cli'));
 
-$application = new \phpbb\console\application('phpBB Installer', PHPBB_VERSION, $language);
+$application = new \phpbb\console\application('phpBB Installer', PHPBB_VERSION, $language, $config);
 $application->setDispatcher($phpbb_installer_container->get('dispatcher'));
 $application->register_container_commands($phpbb_installer_container->get('console.installer.command_collection'));
 $application->run($input);

phpBB/install/schemas/schema_data.sql

@@ -12,20 +12,21 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar', '1'
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_gravatar', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_local', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_remote', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_upload', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_remote_upload', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_avatar_upload', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_bbcode', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_birthdays', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_board_notifications', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_bookmarks', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_cdn', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_emailreuse', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_password_reset', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_forum_notify', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_live_searches', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_mass_pm', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_name_chars', 'USERNAME_CHARS_ANY');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_namechange', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_nocensors', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_password_reset', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_pm_attach', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_pm_report', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_post_flash', '1');
@@ -71,21 +72,22 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('browser_check', '1
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('bump_interval', '10');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('bump_type', 'd');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('cache_gc', '7200');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_plugin', 'core.captcha.plugins.nogd');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_foreground_noise', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '25');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '25');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_wave', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_3d_noise', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_fonts', '1');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('confirm_refresh', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_foreground_noise', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_wave', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '25');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '25');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_plugin', 'core.captcha.plugins.nogd');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_attachment_content', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_dnsbl', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('chg_passforce', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('confirm_refresh', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('contact_admin_form_enable', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('cookie_domain', '');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('cookie_name', 'phpbb3');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('cookie_notice', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('cookie_path', '/');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('cookie_secure', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('coppa_enable', '0');
@@ -95,12 +97,11 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('database_gc', '604
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('dbms_version', '');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('default_dateformat', 'D M d, Y g:i a');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('default_style', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('delete_time', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('display_last_edited', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('display_last_subject', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('display_order', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('edit_time', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('extension_force_unstable', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('delete_time', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('email_check_mx', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('email_enable', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('email_force_sender', '0');
@@ -109,20 +110,26 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('email_package_size
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_accurate_pm_button', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_confirm', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_mod_rewrite', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('allow_board_notifications', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_pm_icons', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_post_confirm', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_queue_trigger', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('enable_update_hashes', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('extension_force_unstable', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_enable', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_forum', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_http_auth', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_item_statistics', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_limit', '10');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_limit_post', '15');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_limit_topic', '10');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_overall_forums', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_overall', '1');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_forum', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_overall_forums', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_overall_forums_limit', '15');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_overall_topics', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_overall_topics_limit', '15');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_topic', '1');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_topics_new', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_topics_active', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_item_statistics', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('feed_topics_new', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('flood_interval', '15');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('force_server_vars', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('form_token_lifetime', '7200');
@@ -161,13 +168,16 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('ip_check', '3');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('ip_login_limit_max', '50');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('ip_login_limit_time', '21600');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('ip_login_limit_use_forwarded', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_allow_self_signed', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_enable', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_host', '');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_password', '');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_package_size', '20');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_password', '');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_port', '5222');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_use_ssl', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_username', '');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_verify_peer', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('jab_verify_peer_name', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('ldap_base_dn', '');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('ldap_email', '');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('ldap_password', '');
@@ -187,6 +197,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('load_cpf_viewprofi
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('load_cpf_viewtopic', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('load_db_lastread', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('load_db_track', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('load_font_awesome_url', 'https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('load_jquery_url', '//ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('load_jumpbox', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('load_moderators', '1');
@@ -224,13 +235,13 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_sig_img_height
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_sig_img_width', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_sig_smilies', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('max_sig_urls', '5');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('mime_triggers', 'body|head|html|img|plaintext|a href|pre|script|table|title');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_name_chars', '3');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_pass_chars', '6');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_post_chars', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('min_search_author_chars', '3');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('mime_triggers', 'body|head|html|img|plaintext|a href|pre|script|table|title');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('new_member_post_limit', '3');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('new_member_group_default', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('new_member_post_limit', '3');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('override_user_style', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('pass_complex', 'PASS_TYPE_ANY');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('plupload_salt', 'phpbb_plupload');
@@ -241,19 +252,20 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('pm_max_recipients'
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('posts_per_page', '10');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('print_pm', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('queue_interval', '60');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('queue_trigger_posts', '3');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('ranks_path', 'images/ranks');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('read_notification_expire_days', '30');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('read_notification_gc', '86400');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('referer_validation', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('remote_upload_verify', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('require_activation', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('referer_validation', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_anonymous_interval', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_block_size', '250');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_gc', '7200');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_interval', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_anonymous_interval', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_type', '\phpbb\search\fulltext_native');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_store_results', '1800');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_type', '\phpbb\search\fulltext_native');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('secure_allow_deny', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('secure_allow_empty_referer', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('secure_downloads', '0');
@@ -263,25 +275,38 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_protocol',
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('session_gc', '3600');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('session_length', '3600');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('site_desc', '{L_CONFIG_SITE_DESC}');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('site_home_url', '');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('site_home_text', '');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('site_home_url', '');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('sitename', '{L_CONFIG_SITENAME}');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smilies_path', 'images/smilies');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smilies_per_page', '50');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_allow_self_signed', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_auth_method', 'PLAIN');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_delivery', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_host', '');
-INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('smtp_password', '', 1);
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_port', '25');
-INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('smtp_username', '', 1);
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('teampage_memberships', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_verify_peer', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_verify_peer_name', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('teampage_forums', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('teampage_memberships', '1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.pm_text_cron_interval', '10');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.pm_text_last_cron', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.poll_option_cron_interval', '10');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.poll_option_last_cron', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.poll_title_cron_interval', '10');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.poll_title_last_cron', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.post_text_cron_interval', '10');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.post_text_last_cron', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.user_signature_cron_interval', '10');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('text_reparser.user_signature_last_cron', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page', '25');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('update_hashes_last_cron', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('update_hashes_lock', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.10-RC1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.11');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
 
@@ -302,9 +327,12 @@ INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('rand_s
 INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('read_notification_last_gc', '0', 1);
 INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('record_online_date', '0', 1);
 INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('record_online_users', '0', 1);
+INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('reparse_lock', '0', 1);
 INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('search_indexing_state', '', 1);
 INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('search_last_gc', '0', 1);
 INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('session_last_gc', '0', 1);
+INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('smtp_password', '', 1);
+INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('smtp_username', '', 1);
 INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('upload_dir_size', '0', 1);
 INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('warnings_last_gc', '0', 1);
 

phpBB/language/en/acp/board.php

@@ -183,10 +183,10 @@ $lang = array_merge($lang, array(
 	'MAX_POLL_OPTIONS'				=> 'Maximum number of poll options',
 	'MAX_POST_FONT_SIZE'			=> 'Maximum font size per post',
 	'MAX_POST_FONT_SIZE_EXPLAIN'	=> 'Maximum font size allowed in a post. Set to 0 for unlimited font size.',
-	'MAX_POST_IMG_HEIGHT'			=> 'Maximum image height per post',
-	'MAX_POST_IMG_HEIGHT_EXPLAIN'	=> 'Maximum height of an image/flash file in postings. Set to 0 for unlimited size.',
-	'MAX_POST_IMG_WIDTH'			=> 'Maximum image width per post',
-	'MAX_POST_IMG_WIDTH_EXPLAIN'	=> 'Maximum width of an image/flash file in postings. Set to 0 for unlimited size.',
+	'MAX_POST_IMG_HEIGHT'			=> 'Maximum flash height per post',
+	'MAX_POST_IMG_HEIGHT_EXPLAIN'	=> 'Maximum height of a flash file in postings. Set to 0 for unlimited size.',
+	'MAX_POST_IMG_WIDTH'			=> 'Maximum flash width per post',
+	'MAX_POST_IMG_WIDTH_EXPLAIN'	=> 'Maximum width of a flash file in postings. Set to 0 for unlimited size.',
 	'MAX_POST_URLS'					=> 'Maximum links per post',
 	'MAX_POST_URLS_EXPLAIN'			=> 'Maximum number of URLs in a post. Set to 0 for unlimited links.',
 	'MIN_CHAR_LIMIT'				=> 'Minimum characters per post/message',

phpBB/phpbb/console/application.php

@@ -27,7 +27,12 @@ class application extends \Symfony\Component\Console\Application
 	protected $in_shell = false;
 
 	/**
-	* @var \phpbb\language\language User object
+	* @var \phpbb\config\config Config object
+	*/
+	protected $config;
+
+	/**
+	* @var \phpbb\language\language Language object
 	*/
 	protected $language;
 
@@ -35,10 +40,12 @@ class application extends \Symfony\Component\Console\Application
 	* @param string						$name		The name of the application
 	* @param string						$version	The version of the application
 	* @param \phpbb\language\language	$language	The user which runs the application (used for translation)
+	* @param \phpbb\config\config		$config		Config object
 	*/
-	public function __construct($name, $version, \phpbb\language\language $language)
+	public function __construct($name, $version, \phpbb\language\language $language, \phpbb\config\config $config)
 	{
 		$this->language = $language;
+		$this->config = $config;
 
 		parent::__construct($name, $version);
 	}
@@ -97,9 +104,17 @@ class application extends \Symfony\Component\Console\Application
 	*/
 	public function register_container_commands(\phpbb\di\service_collection $command_collection)
 	{
-		foreach ($command_collection as $service_command)
+		$commands_list = array_keys($command_collection->getArrayCopy());
+		foreach ($commands_list as $service_command)
 		{
-			$this->add($service_command);
+			// config_text DB table does not exist in phpBB prior to 3.1
+			// Hence skip cron tasks as they include reparser cron as it uses config_text table
+			if (phpbb_version_compare($this->config['version'], '3.1.0', '<') && strpos($service_command, 'cron') !== false)
+			{
+				continue;
+			}
+			$this->add($command_collection[$service_command]);
+
 		}
 	}
 

phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php

@@ -27,6 +27,12 @@ class passwords_convert_p1 extends \phpbb\db\migration\migration
 		);
 	}
 
+	/**
+	 * Update passwords with convert flag to have $CP$ prefix
+	 *
+	 * @param int $start Limit start value
+	 * @return int|void Null if conversion is finished, next start value if not
+	 */
 	public function update_passwords($start)
 	{
 		// Nothing to do if user_pass_convert column doesn't exist
@@ -51,8 +57,8 @@ class passwords_convert_p1 extends \phpbb\db\migration\migration
 			$converted_users++;
 
 			$user_id = (int) $row['user_id'];
-			// Only prefix passwords without proper prefix
-			if (!isset($update_users[$user_id]) && !preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $row['user_password']))
+			// Prefix all passwords that need to be converted
+			if (!isset($update_users[$user_id]))
 			{
 				// Use $CP$ prefix for passwords that need to
 				// be converted and set pass convert to false.

phpBB/phpbb/db/migration/data/v32x/add_missing_config.php

@@ -0,0 +1,64 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+use phpbb\db\migration\migration_interface;
+use phpbb\db\migrator;
+
+class add_missing_config extends \phpbb\db\migration\container_aware_migration
+{
+	static public function depends_on()
+	{
+		return [
+			'\phpbb\db\migration\data\v32x\v329',
+		];
+	}
+
+	public function update_data()
+	{
+		$migration_classes = [
+			'\phpbb\db\migration\data\v30x\release_3_0_3_rc1',
+			'\phpbb\db\migration\data\v30x\release_3_0_6_rc1',
+			'\phpbb\db\migration\data\v31x\add_jabber_ssl_context_config_options',
+			'\phpbb\db\migration\data\v31x\add_smtp_ssl_context_config_options',
+			'\phpbb\db\migration\data\v31x\update_hashes',
+			'\phpbb\db\migration\data\v320\font_awesome_update',
+			'\phpbb\db\migration\data\v320\text_reparser',
+			'\phpbb\db\migration\data\v32x\cookie_notice_p2',
+		];
+
+		/** @var migrator $migrator */
+		$migrator = $this->container->get('migrator');
+
+		$update_data = [];
+
+		foreach ($migration_classes as $migration_class)
+		{
+			/** @var migration_interface $migration */
+			$migration = $migrator->get_migration($migration_class);
+
+			$migration_update_data = $migration->update_data();
+
+			foreach ($migration_update_data as $entry)
+			{
+				if ($entry[0] == 'config.add')
+				{
+					$update_data[] = $entry;
+				}
+			}
+		}
+
+		return $update_data;
+	}
+}

phpBB/phpbb/db/migration/data/v32x/font_awesome_update_cdn.php

@@ -23,7 +23,7 @@ class font_awesome_update_cdn extends \phpbb\db\migration\migration
 	static public function depends_on()
 	{
 		return [
-			'\phpbb\db\migration\data\v32x\v329',
+			'\phpbb\db\migration\data\v32x\add_missing_config',
 		];
 	}
 

phpBB/phpbb/db/migration/data/v32x/font_awesome_update_cdn_fix_depends_on.php

@@ -0,0 +1,44 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class font_awesome_update_cdn_fix_depends_on extends \phpbb\db\migration\migration
+{
+	static public function depends_on()
+	{
+		return [
+			'\phpbb\db\migration\data\v32x\font_awesome_update_cdn',
+			'\phpbb\db\migration\data\v32x\add_missing_config',
+		];
+	}
+
+	public function update_data()
+	{
+		return [
+			['custom', [[$this, 'fix_depends_on']]],
+		];
+	}
+
+	public function fix_depends_on()
+	{
+		$migration_class = '\phpbb\db\migration\data\v32x\font_awesome_update_cdn';
+		$migration_depends_on = $migration_class::depends_on();
+
+		$sql = 'UPDATE ' . $this->table_prefix . "migrations
+			SET migration_depends_on = '" . $this->db->sql_escape(serialize($migration_depends_on)) . "'
+			WHERE migration_name = ' . $migration_class . '";
+
+		$this->db->sql_query($sql);
+	}
+}

phpBB/phpbb/db/migration/data/v32x/v3210.php

@@ -0,0 +1,36 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v3210 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.10', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v3210rc2',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.10')),
+		);
+	}
+}

phpBB/phpbb/db/migration/data/v32x/v3210rc2.php

@@ -0,0 +1,37 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v3210rc2 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.10-RC2', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\font_awesome_update_cdn_fix_depends_on',
+			'\phpbb\db\migration\data\v32x\v3210rc1',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.10-RC2')),
+		);
+	}
+}

phpBB/phpbb/db/migration/data/v32x/v3211.php

@@ -0,0 +1,36 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v3211 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.11', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v3210',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.11')),
+		);
+	}
+}

phpBB/phpbb/db/migrator.php

@@ -948,7 +948,7 @@ class migrator
 	* @param string $name Name of the migration
 	* @return \phpbb\db\migration\migration
 	*/
-	protected function get_migration($name)
+	public function get_migration($name)
 	{
 		$migration = new $name($this->config, $this->db, $this->db_tools, $this->phpbb_root_path, $this->php_ext, $this->table_prefix);
 

phpBB/phpbb/language/language.php

@@ -292,7 +292,7 @@ class language
 	 *
 	 * @return string
 	 */
-	public function lang_array($key, $args = array())
+	public function lang_array($key, array $args = [])
 	{
 		$lang = $this->lang_raw($key);
 

phpBB/phpbb/profilefields/manager.php

@@ -254,6 +254,13 @@ class manager
 			/** @var \phpbb\profilefields\type\type_interface $profile_field */
 			$profile_field = $this->type_collection[$row['field_type']];
 			$cp_data['pf_' . $row['field_ident']] = $profile_field->get_profile_field($row);
+
+			/**
+			 * Replace Emoji and other 4bit UTF-8 chars not allowed by MySQL
+			 * with their Numeric Character Reference's Hexadecimal notation.
+			 */
+			$cp_data['pf_' . $row['field_ident']] = utf8_encode_ucr($cp_data['pf_' . $row['field_ident']]);
+
 			$check_value = $cp_data['pf_' . $row['field_ident']];
 
 			if (($cp_result = $profile_field->validate_profile_field($check_value, $row)) !== false)

phpBB/phpbb/search/fulltext_sphinx.php

@@ -711,7 +711,7 @@ class fulltext_sphinx
 		$this->sphinx->SetFilter('deleted', array(0));
 
 		$this->sphinx->SetLimits((int) $start, (int) $per_page, max(SPHINX_MAX_MATCHES, (int) $start + $per_page));
-		$result = $this->sphinx->Query($search_query_prefix . $this->sphinx->sphinx_clean_search_string(str_replace('"', '"', $this->search_query)), $this->indexes);
+		$result = $this->sphinx->Query($search_query_prefix . $this->sphinx_clean_search_string(str_replace('"', '"', $this->search_query)), $this->indexes);
 
 		// Could be connection to localhost:9312 failed (errno=111,
 		// msg=Connection refused) during rotate, retry if so
@@ -719,7 +719,7 @@ class fulltext_sphinx
 		while (!$result && (strpos($this->sphinx->GetLastError(), "errno=111,") !== false) && $retries--)
 		{
 			usleep(SPHINX_CONNECT_WAIT_TIME);
-			$result = $this->sphinx->Query($search_query_prefix . $this->sphinx->sphinx_clean_search_string(str_replace('"', '"', $this->search_query)), $this->indexes);
+			$result = $this->sphinx->Query($search_query_prefix . $this->sphinx_clean_search_string(str_replace('"', '"', $this->search_query)), $this->indexes);
 		}
 
 		if ($this->sphinx->GetLastError())
@@ -742,7 +742,7 @@ class fulltext_sphinx
 			$start = floor(($result_count - 1) / $per_page) * $per_page;
 
 			$this->sphinx->SetLimits((int) $start, (int) $per_page, max(SPHINX_MAX_MATCHES, (int) $start + $per_page));
-			$result = $this->sphinx->Query($search_query_prefix . $this->sphinx->sphinx_clean_search_string(str_replace('"', '"', $this->search_query)), $this->indexes);
+			$result = $this->sphinx->Query($search_query_prefix . $this->sphinx_clean_search_string(str_replace('"', '"', $this->search_query)), $this->indexes);
 
 			// Could be connection to localhost:9312 failed (errno=111,
 			// msg=Connection refused) during rotate, retry if so
@@ -750,7 +750,7 @@ class fulltext_sphinx
 			while (!$result && (strpos($this->sphinx->GetLastError(), "errno=111,") !== false) && $retries--)
 			{
 				usleep(SPHINX_CONNECT_WAIT_TIME);
-				$result = $this->sphinx->Query($search_query_prefix . $this->sphinx->sphinx_clean_search_string(str_replace('"', '"', $this->search_query)), $this->indexes);
+				$result = $this->sphinx->Query($search_query_prefix . $this->sphinx_clean_search_string(str_replace('"', '"', $this->search_query)), $this->indexes);
 			}
 		}
 

phpBB/phpbb/textformatter/s9e/factory.php

@@ -273,8 +273,6 @@ class factory implements \phpbb\textformatter\cache_interface
 			->add('#imageurl', __NAMESPACE__ . '\\parser::filter_img_url')
 			->addParameterByName('urlConfig')
 			->addParameterByName('logger')
-			->addParameterByName('max_img_height')
-			->addParameterByName('max_img_width')
 			->markAsSafeAsURL()
 			->setJS('UrlFilter.filter');
 

phpBB/phpbb/textformatter/s9e/parser.php

@@ -380,11 +380,10 @@ class parser implements \phpbb\textformatter\parser_interface
 	* @param  string  $url        Original URL
 	* @param  array   $url_config Config used by the URL filter
 	* @param  Logger  $logger
-	* @param  integer $max_height Maximum height allowed
-	* @param  integer $max_width  Maximum width allowed
+	*
 	* @return string|bool         Original value if valid, FALSE otherwise
 	*/
-	static public function filter_img_url($url, array $url_config, Logger $logger, $max_height, $max_width)
+	static public function filter_img_url($url, array $url_config, Logger $logger)
 	{
 		// Validate the URL
 		$url = UrlFilter::filter($url, $url_config, $logger);
@@ -393,29 +392,6 @@ class parser implements \phpbb\textformatter\parser_interface
 			return false;
 		}
 
-		if ($max_height || $max_width)
-		{
-			$imagesize = new \FastImageSize\FastImageSize();
-			$size_info = $imagesize->getImageSize($url);
-			if ($size_info === false)
-			{
-				$logger->err('UNABLE_GET_IMAGE_SIZE');
-				return false;
-			}
-
-			if ($max_height && $max_height < $size_info['height'])
-			{
-				$logger->err('MAX_IMG_HEIGHT_EXCEEDED', array('max_height' => $max_height));
-				return false;
-			}
-
-			if ($max_width && $max_width < $size_info['width'])
-			{
-				$logger->err('MAX_IMG_WIDTH_EXCEEDED', array('max_width' => $max_width));
-				return false;
-			}
-		}
-
 		return $url;
 	}
 

phpBB/phpbb/textformatter/s9e/utils.php

@@ -31,7 +31,7 @@ class utils implements \phpbb\textformatter\utils_interface
 		// Insert a space before <s> and <e> then remove formatting
 		$xml = preg_replace('#<[es]>#', ' $0', $xml);
 
-		return \s9e\TextFormatter\Utils::removeFormatting($xml);
+		return utf8_htmlspecialchars(\s9e\TextFormatter\Utils::removeFormatting($xml));
 	}
 
 	/**

phpBB/store/.htaccess

@@ -1,4 +1,33 @@
-<Files *>
-	Order Allow,Deny
-	Deny from All
-</Files>
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfVersion>
+	<IfVersion >= 2.4>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		<Files "*">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		<Files "*">
+			Require all denied
+		</Files>
+	</IfModule>
+</IfModule>

phpBB/styles/prosilver/style.cfg

@@ -21,8 +21,8 @@
 # General Information about this style
 name = prosilver
 copyright = © phpBB Limited, 2007
-style_version = 3.2.10
-phpbb_version = 3.2.10
+style_version = 3.2.11
+phpbb_version = 3.2.11
 
 # Defining a different template bitfield
 # template_bitfield = //g=

tests/bbcode/parser_test.php

@@ -120,6 +120,11 @@ class phpbb_bbcode_parser_test extends \phpbb_test_case
 				'[img]https://area51.phpbb.com/images/area51.png[/img]',
 				'[img:]https://area51.phpbb.com/images/area51.png[/img:]',
 			),
+			array(
+				'Test default bbcodes: img with unsupported protocol',
+				'[img]foo://foo/bar[/img]',
+				'[img]foo://foo/bar[/img]',
+			),
 			array(
 				'Test default bbcodes: simple url',
 				'[url]https://area51.phpbb.com/[/url]',

tests/functional/smilies_test.php

@@ -0,0 +1,47 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+/**
+* @group functional
+*/
+class phpbb_functional_smilies_test extends phpbb_functional_test_case
+{
+	public function test_smilies_mode()
+	{
+		$this->login();
+
+		// Get smilies data
+		$db = $this->get_db();
+		$sql_ary = [
+			'SELECT'	=> 's.smiley_url, MIN(s.emotion) AS emotion, MIN(s.code) AS code, s.smiley_width, s.smiley_height, MIN(s.smiley_order) AS min_smiley_order',
+			'FROM'		=> [
+				SMILIES_TABLE => 's',
+			],
+			'GROUP_BY'	=> 's.smiley_url, s.smiley_width, s.smiley_height',
+			'ORDER_BY'	=> 'min_smiley_order',
+		];
+		$sql = $db->sql_build_query('SELECT', $sql_ary);
+		$result = $db->sql_query($sql);
+		$smilies = $db->sql_fetchrowset($result);
+		$db->sql_freeresult($result);
+
+		// Visit smilies page
+		$crawler = self::request('GET', 'posting.php?mode=smilies');
+		foreach ($smilies as $index => $smiley)
+		{
+			$this->assertContains($smiley['smiley_url'],
+				$crawler->filter('div[class="inner"] > a > img')->eq($index)->attr('src')
+			);
+		}
+	}
+}

tests/functional/ucp_profile_test.php

@@ -46,4 +46,23 @@ class phpbb_functional_ucp_profile_test extends phpbb_functional_test_case
 		$this->assertEquals('phpbb_twitter', $form->get('pf_phpbb_twitter')->getValue());
 		$this->assertEquals('phpbb.youtube', $form->get('pf_phpbb_youtube')->getValue());
 	}
+
+	public function test_submitting_emoji()
+	{
+		$this->add_lang('ucp');
+		$this->login();
+
+		$crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info');
+		$this->assertContainsLang('UCP_PROFILE_PROFILE_INFO', $crawler->filter('#cp-main h2')->text());
+
+		$form = $crawler->selectButton('Submit')->form([
+			'pf_phpbb_location'	=> '😁', // grinning face with smiling eyes Emoji
+		]);
+		$crawler = self::submit($form);
+		$this->assertContainsLang('PROFILE_UPDATED', $crawler->filter('#message')->text());
+
+		$crawler = self::request('GET', 'ucp.php?i=ucp_profile&mode=profile_info');
+		$form = $crawler->selectButton('Submit')->form();
+		$this->assertEquals('😁', $form->get('pf_phpbb_location')->getValue());
+	}
 }

tests/text_formatter/s9e/default_formatting_test.php

@@ -132,6 +132,10 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 				'[img]https://area51.phpbb.com/images/area51.png[/img]',
 				'<img src="https://area51.phpbb.com/images/area51.png" class="postimage" alt="Image">'
 			),
+			array(
+				'[img]foo://area51.phpbb.com/images/area51.png[/img]',
+				'[img]foo://area51.phpbb.com/images/area51.png[/img]'
+			),
 			array(
 				'[url]https://area51.phpbb.com/[/url]',
 				'<a href="https://area51.phpbb.com/" class="postlink">https://area51.phpbb.com/</a>'

tests/text_processing/message_parser_test.php

@@ -342,26 +342,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 				},
 				array('You may only use fonts up to size 120.')
 			),
-			array(
-				'[img]http://example.org/100x100.png[/img]',
-				'<r>[img]<URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_height', 12);
-				},
-				array('Your images may only be up to 12 pixels high.')
-			),
-			array(
-				'[img]http://example.org/100x100.png[/img]',
-				'<r>[img]<URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_width', 34);
-				},
-				array('Your images may only be up to 34 pixels wide.')
-			),
 			array(
 				'[img]http://example.org/100x100.png[/img]',
 				'<r><IMG src="http://example.org/100x100.png"><s>[img]</s><URL url="http://example.org/100x100.png">http://example.org/100x100.png</URL><e>[/img]</e></IMG></r>',
@@ -392,16 +372,6 @@ class phpbb_text_processing_message_parser_test extends phpbb_test_case
 					$phpbb_container->get('config')->set('max_sig_img_width', 34);
 				}
 			),
-			array(
-				'[img]http://example.org/404.png[/img]',
-				'<r>[img]<URL url="http://example.org/404.png">http://example.org/404.png</URL>[/img]</r>',
-				array(true, true, true, true, true, true, true),
-				function ($phpbb_container)
-				{
-					$phpbb_container->get('config')->set('max_post_img_height', 12);
-				},
-				array('It was not possible to determine the dimensions of the image.')
-			),
 			array(
 				'[flash=999,999]http://example.org/foo.swf[/flash]',
 				'<r>[flash=999,999]<URL url="http://example.org/foo.swf">http://example.org/foo.swf</URL>[/flash]</r>',

tests/text_processing/strip_bbcode_test.php

@@ -13,27 +13,26 @@
 
 class phpbb_text_processing_strip_bbcode_test extends phpbb_test_case
 {
-	public function test_legacy()
+
+	public function data_strip_bbcode()
 	{
-		$original = '[b:20m4ill1]bold[/b:20m4ill1]';
-		$expected = ' bold ';
-
-		$actual = $original;
-		strip_bbcode($actual);
-
-		$this->assertSame($expected, $actual, '20m4ill1');
+		return [
+			['[b:20m4ill1]bold[/b:20m4ill1]', ' bold '],
+			['<r><B><s>[b]</s>bold<e>[/b]</e></B></r>', ' bold '],
+			['[b:20m4ill1]bo &amp; ld[/b:20m4ill1]', ' bo &amp; ld '],
+			['<r><B><s>[b]</s>bo &amp; ld<e>[/b]</e></B></r>', ' bo &amp; ld ']
+		];
 	}
 
-	public function test_s9e()
+	/**
+	 * @dataProvider data_strip_bbcode
+	 */
+	public function test_strip_bbcode($input, $expected)
 	{
 		$phpbb_container = $this->get_test_case_helpers()->set_s9e_services();
 
-		$original = '<r><B><s>[b]</s>bold<e>[/b]</e></B></r>';
-		$expected = ' bold ';
+		strip_bbcode($input);
 
-		$actual = $original;
-		strip_bbcode($actual);
-
-		$this->assertSame($expected, $actual);
+		$this->assertSame($expected, $input);
 	}
 }