[prep-release-3.2.9] Update changelog for 3.2.9

[ticket/security-250] Check form key when approving group membership

.appveyor.yml

@@ -39,7 +39,8 @@ init:
 before_test:
   - ps: |
       Set-Service wuauserv -StartupType Manual
-      cinst -y php --version ((choco search php --exact --all-versions -r | select-string -pattern $env:php | sort { [version]($_ -split '\|' | select -last 1) } -Descending | Select-Object -first 1) -replace '[php|]','')
+      choco install chocolatey -y --version 0.10.13 --allow-downgrade
+      choco install php -y --version ((choco search php --exact --all-versions -r | select-string -pattern $env:php | sort { [version]($_ -split '\|' | select -last 1) } -Descending | Select-Object -first 1) -replace '[php|]','')
       Get-ChildItem -Path "c:\tools\php$($env:php -replace '([0-9])[.]([0-9])[.]?([0-9]+)?','$1$2')" -Recurse |
           Move-Item -destination "c:\tools\php"
       cd c:\tools\php
@@ -98,7 +99,7 @@ before_test:
         $data = "<?php`n`n`$dbms = 'phpbb\\db\\driver\\postgres';`n`$dbhost = 'localhost';`n`$dbport = '';`n`$dbname = 'phpbb_test';`n`$dbuser = 'postgres';`n`$dbpasswd = 'Password12!';`n`$phpbb_functional_url = 'http://phpbb.test/';"; $data | Out-File -Encoding "Default" "c:\\projects\\phpbb\\tests\\test_config.php"
       }
       elseif ($env:db -eq "mariadb") {
-        appveyor-retry cinst -y --force mariadb
+        appveyor-retry choco install mariadb -y --force
         $env:MYSQL_PWD=""
         $cmd = '"C:\Program Files\MariaDB 10.2\bin\mysql" -e "create database phpbb_test;" --user=root'
         iex "& $cmd"
@@ -106,13 +107,13 @@ before_test:
       }
       elseif ($env:db -eq "sqlite") {
         # install sqlite
-        appveyor-retry cinst -y sqlite
+        appveyor-retry choco install sqlite -y
         sqlite3 c:\projects\test.db "create table aTable(field1 int); drop table aTable;"
         $data = "<?php`n`n`$dbms = 'phpbb\\db\\driver\\sqlite3';`n`$dbhost = 'c:\\projects\\test.db';`n`$dbport = '';`n`$dbname = '';`n`$dbuser = '';`n`$dbpasswd = '';`n`$phpbb_functional_url = 'http://phpbb.test/';"; $data | Out-File -Encoding "Default" "c:\\projects\\phpbb\\tests\\test_config.php"
       }
 
       # Install PhantomJS
-      cinst -y phantomjs
+      choco install phantomjs -y
       Start-Process "phantomjs" "--webdriver=8910" | Out-Null
   - ps: |
       cd c:\projects\phpbb\phpBB
@@ -120,7 +121,7 @@ before_test:
       (Get-Content c:\projects\phpbb\phpBB\web.config).replace("`t</system.webServer>", "`t`t<httpErrors errorMode=`"Detailed`" />`n`t</system.webServer>") | Set-Content c:\projects\phpbb\phpBB\web.config
   - cd c:\projects\phpbb\phpBB
   - php ..\composer.phar install
-  - choco install -y urlrewrite
+  - choco install urlrewrite -y
   - ps: New-WebSite -Name 'phpBBTest' -PhysicalPath 'c:\projects\phpbb\phpBB' -Force
   - ps: Import-Module WebAdministration; Set-ItemProperty 'IIS:\Sites\phpBBTest' -name Bindings -value @{protocol='http';bindingInformation='*:80:phpbb.test'}
   - echo Change default anonymous user AUTH to ApplicationPool
@@ -141,3 +142,4 @@ before_test:
 test_script:
   - cd c:\projects\phpbb
   - php -e phpBB\vendor\phpunit\phpunit\phpunit --verbose
+

.travis.yml

@@ -1,6 +1,5 @@
 language: php
-sudo: required
-dist: precise
+dist: trusty
 
 matrix:
   include:

README.md

@@ -31,9 +31,11 @@ Read our [Vagrant documentation](phpBB/docs/vagrant.md) to find out how to use V
 
 We have unit and functional tests in order to prevent regressions. You can view the bamboo continuous integration [here](https://bamboo.phpbb.com) or check our travis builds below:
 
-* [![Build Status](https://travis-ci.org/phpbb/phpbb.svg?branch=master)](http://travis-ci.org/phpbb/phpbb)[![Build status](https://ci.appveyor.com/api/projects/status/8g98ybngd2f3axy1/branch/master?svg=true)](https://ci.appveyor.com/project/phpBB/phpbb/branch/master) **master** - Latest development version
-* [![Build Status](https://travis-ci.org/phpbb/phpbb.svg?branch=3.2.x)](http://travis-ci.org/phpbb/phpbb)[![Build status](https://ci.appveyor.com/api/projects/status/8g98ybngd2f3axy1/branch/3.2.x?svg=true)](https://ci.appveyor.com/project/phpBB/phpbb/branch/3.2.x) **3.2.x** - Development of version 3.2.x
-* [![Build Status](https://travis-ci.org/phpbb/phpbb.svg?branch=3.1.x)](http://travis-ci.org/phpbb/phpbb) **3.1.x** - Development of version 3.1.x
+Travis CI  | AppVeyor | Branch  | Description
+---------- | -------- | ------- | -----------
+[![Build Status](https://travis-ci.org/phpbb/phpbb.svg?branch=master)](http://travis-ci.org/phpbb/phpbb) | [![Build status](https://ci.appveyor.com/api/projects/status/8g98ybngd2f3axy1/branch/master?svg=true)](https://ci.appveyor.com/project/phpBB/phpbb/branch/master) | **master** | Latest development version
+[![Build Status](https://travis-ci.org/phpbb/phpbb.svg?branch=3.3.x)](http://travis-ci.org/phpbb/phpbb) | [![Build status](https://ci.appveyor.com/api/projects/status/8g98ybngd2f3axy1/branch/3.3.x?svg=true)](https://ci.appveyor.com/project/phpBB/phpbb/branch/3.3.x) | **3.3.x** | Development of version 3.3.x
+[![Build Status](https://travis-ci.org/phpbb/phpbb.svg?branch=3.2.x)](http://travis-ci.org/phpbb/phpbb) | [![Build status](https://ci.appveyor.com/api/projects/status/8g98ybngd2f3axy1/branch/3.2.x?svg=true)](https://ci.appveyor.com/project/phpBB/phpbb/branch/3.2.x) | **3.2.x** | Development of version 3.2.x
 
 ## LICENSE
 

build/build.xml

@@ -2,9 +2,9 @@
 
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.2.4-RC1" />
-	<property name="prevversion" value="3.2.3" />
-	<property name="olderversions" value="3.0.14, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2" />
+	<property name="newversion" value="3.2.9" />
+	<property name="prevversion" value="3.2.8" />
+	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.9-RC1" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />

build/generate_package_json.php

@@ -0,0 +1,127 @@
+#!/usr/bin/env php
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+if (version_compare(PHP_VERSION, '7.0-dev', '<'))
+{
+	die('generate_package_json.php requires at least PHP 7.0.');
+}
+
+define('IN_PHPBB', true);
+include_once('../phpBB/includes/functions.php');
+
+$json_data = new \stdClass();
+$json_data->metadata = new stdClass();
+
+$json_data->metadata->current_version_date = '';
+$json_data->metadata->current_version = '';
+$json_data->metadata->download_path = '';
+$json_data->metadata->show_update_package = true;
+$json_data->metadata->historic = false;
+
+$json_data->package = [];
+
+// Open build.xml
+$build_xml = simplexml_load_file('build.xml');
+$current_version = (string) $build_xml->xpath('/project/property[@name=\'newversion\']/@value')[0]->value;
+$previous_version = (string) $build_xml->xpath('/project/property[@name=\'prevversion\']/@value')[0]->value;
+$older_verions = explode(', ', (string) $build_xml->xpath('/project/property[@name=\'olderversions\']/@value')[0]->value);
+
+// Clean and sort version info
+$older_verions[] = $previous_version;
+$older_verions = array_filter($older_verions, function($version) {
+	preg_match(get_preg_expression('semantic_version'), $version, $matches);
+	return empty($matches['prerelease']) || strpos($matches['prerelease'], 'pl') !== false;
+});
+usort($older_verions, function($version_a, $version_b)
+{
+	return phpbb_version_compare($version_b, $version_a);
+});
+
+// Set metadata
+$json_data->metadata->current_version = $current_version;
+$json_data->metadata->current_version_date = date('Y-m-d');
+$json_data->metadata->download_path = 'https://download.phpbb.com/pub/release/' . preg_replace('#([0-9]+\.[0-9]+)(\..+)#', '$1', $current_version) . '/' . $current_version . '/';
+
+// Add package, patch files, and changed files
+phpbb_add_package_file(
+	$json_data->package,
+	'phpBB ' . $current_version,
+	'phpBB-' . $current_version,
+	'full',
+	''
+);
+phpbb_add_package_file(
+	$json_data->package,
+	'phpBB ' . $current_version . ' Patch Files',
+	'phpBB-' . $current_version . '-patch',
+	'update',
+	'patch'
+);
+phpbb_add_package_file(
+	$json_data->package,
+	'phpBB ' . $current_version . ' Changed Files',
+	'phpBB-' . $current_version . '-files',
+	'update',
+	'files'
+);
+
+// Loop through packages and assign to packages array
+foreach ($older_verions as $version)
+{
+	phpbb_add_package_file(
+		$json_data->package,
+		'phpBB ' . $version . ' to ' . $current_version . ' Update Package',
+		'phpBB-' . $version . '_to_' . $current_version,
+		'update',
+		'update',
+		$version
+	);
+}
+
+echo(json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n");
+
+function phpbb_add_package_file(array &$package_list, $name, $file_name, $type, $subtype, $from = '')
+{
+	if (!file_exists(__DIR__ . '/new_version/release_files/' . $file_name . '.zip'))
+	{
+		trigger_error('File does not exist: ' . __DIR__ . '/new_version/release_files/' . $file_name . '.zip');
+		return;
+	}
+
+	$package_file = new stdClass();
+	$package_file->name = $name;
+	$package_file->filename = $file_name;
+	$package_file->type = $type;
+	if (!empty($subtype))
+	{
+		$package_file->subtype = $subtype;
+	}
+	if (!empty($from))
+	{
+		$package_file->from = $from;
+	}
+	$package_file->files = [];
+
+	foreach (['zip', 'tar.bz2'] as $extension)
+	{
+		$file_path = 'new_version/release_files/' . $file_name  . '.' . $extension;
+		$filedata = new stdClass();
+		$filedata->filesize = filesize($file_path);
+		$filedata->checksum = trim(preg_replace('/(^\w+)(.+)/', '$1', file_get_contents($file_path . '.sha256')));
+		$filedata->filetype = $extension;
+		$package_file->files[] = $filedata;
+	}
+
+	$package_list[] = $package_file;
+}

phpBB/adm/style/acp_attachments.html

@@ -37,12 +37,6 @@
 
 <!-- IF S_ATTACHMENT_SETTINGS -->
 
-	<!-- IF not S_THUMBNAIL_SUPPORT -->
-		<div class="errorbox">
-			<p>{L_NO_THUMBNAIL_SUPPORT}</p>
-		</div>
-	<!-- ENDIF -->
-
 	<form id="attachsettings" method="post" action="{U_ACTION}">
 	<!-- BEGIN options -->
 		<!-- IF options.S_LEGEND -->
@@ -116,7 +110,7 @@
 <!-- ELSEIF S_EXTENSION_GROUPS -->
 
 	<!-- IF S_EDIT_GROUP -->
-		<script type="text/javascript" defer="defer">
+		<script>
 		// <![CDATA[
 			function update_image(newimage)
 			{
@@ -427,17 +421,25 @@
 	</tr>
 	</thead>
 	<tbody>
-	<!-- BEGIN attachments -->
+	{% for attachments in attachments %}
 		<tr>
 			<td>
-				<!-- IF attachments.S_IN_MESSAGE -->{L_EXTENSION_GROUP}{L_COLON} <strong><!-- IF attachments.EXT_GROUP_NAME -->{attachments.EXT_GROUP_NAME}<!-- ELSE -->{L_NO_EXT_GROUP}<!-- ENDIF --></strong><br />{attachments.L_DOWNLOAD_COUNT}<br />{L_IN} {L_PRIVATE_MESSAGE}
-				<!-- ELSE --><a href="{attachments.U_FILE}" style="font-weight: bold;">{attachments.REAL_FILENAME}</a><br /><!-- IF attachments.COMMENT -->{attachments.COMMENT}<br /><!-- ENDIF -->{attachments.L_DOWNLOAD_COUNT}<br />{L_TOPIC}{L_COLON} <a href="{attachments.U_VIEW_TOPIC}">{attachments.TOPIC_TITLE}</a><!-- ENDIF -->
+				{{ lang('EXTENSION_GROUP') ~ lang('COLON') }} <strong>{{ attachments.EXT_GROUP_NAME }}</strong>
+				{% if attachments.S_IN_MESSAGE %}
+					<br>{{ attachments.L_DOWNLOAD_COUNT }}
+					<br>{{ lang('IN') }} {{ lang('PRIVATE_MESSAGE') }}
+				{% else %}
+					<br><a href="{{ attachments.U_FILE }}"><strong>{{ attachments.REAL_FILENAME }}</strong></a>
+					{% if attachments.COMMENT %}<br>{{ attachments.COMMENT }}{% endif %}
+					<br>{{ attachments.L_DOWNLOAD_COUNT }}
+					<br>{{ lang('TOPIC') ~ lang('COLON') }} <a href="{{ attachments.U_VIEW_TOPIC }}">{{ attachments.TOPIC_TITLE }}</a>
+				{% endif %}
 			</td>
-			<td>{attachments.FILETIME}<br />{L_POST_BY_AUTHOR} {attachments.ATTACHMENT_POSTER}</td>
-			<td class="centered-text">{attachments.FILESIZE}</td>
-			<td class="centered-text"><input type="checkbox" class="radio" name="delete[{attachments.ATTACH_ID}]" /></td>
+			<td>{{ attachments.FILETIME }}<br>{{ lang('POST_BY_AUTHOR') }} {{ attachments.ATTACHMENT_POSTER }}</td>
+			<td class="centered-text">{{ attachments.FILESIZE }}</td>
+			<td class="centered-text"><input type="checkbox" class="radio" name="delete[{{ attachments.ATTACH_ID }}]" /></td>
 		</tr>
-	<!-- END attachments -->
+	{% endfor %}
 	</tbody>
 	</table>
 <!-- ELSE -->

phpBB/adm/style/acp_ban.html

@@ -8,7 +8,7 @@
 
 <p>{L_EXPLAIN}</p>
 
-<script type="text/javascript">
+<script>
 // <![CDATA[
 
 	var ban_length = new Array();

phpBB/adm/style/acp_contact.html

@@ -1,6 +1,6 @@
 <!-- INCLUDE overall_header.html -->
 
-<script type="text/javascript">
+<script>
 // <![CDATA[
 
 	var form_name = 'acp_contact';

phpBB/adm/style/acp_database.html

@@ -20,7 +20,6 @@
 	<p class="submit-buttons">
 		<input class="button1" type="submit" id="submit" name="submit" value="{L_START_RESTORE}" />&nbsp;
 		<input class="button2" type="submit" id="delete" name="delete" value="{L_DELETE_BACKUP}" />&nbsp;
-		<input class="button2" type="submit" id="download" name="download" value="{L_DOWNLOAD_BACKUP}" />
 	</p>
 	{S_FORM_TOKEN}
 	</fieldset>
@@ -36,7 +35,7 @@
 
 	<p>{L_ACP_BACKUP_EXPLAIN}</p>
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 
 		function selector(bool)
@@ -68,13 +67,6 @@
 		<label><input name="method"<!-- IF methods.S_FIRST_ROW --> id="method" checked="checked"<!-- ENDIF --> type="radio" class="radio" value="{methods.TYPE}" /> {methods.TYPE}</label>
 		<!-- END methods --></dd>
 	</dl>
-	<dl>
-		<dt><label for="where">{L_ACTION}{L_COLON}</label></dt>
-		<dd>
-			<label><input id="where" type="radio" class="radio" name="where" value="store" checked="checked" /> {L_STORE_LOCAL}</label>
-			<label><input type="radio" class="radio" name="where" value="download" /> {L_DOWNLOAD}</label>
-		</dd>
-	</dl>
 	<dl>
 		<dt><label for="table">{L_TABLE_SELECT}{L_COLON}</label></dt>
 		<dd><select id="table" name="table[]" size="10" multiple="multiple">

phpBB/adm/style/acp_forums.html

@@ -4,7 +4,7 @@
 
 <!-- IF S_EDIT_FORUM -->
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 		/**
 		* Handle displaying/hiding several options based on the forum type
@@ -405,7 +405,7 @@
 
 <!-- ELSEIF S_CONTINUE_SYNC -->
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 		var close_waitscreen = 0;
 		// no scrollbars...
@@ -421,7 +421,7 @@
 
 <!-- ELSE -->
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 		/**
 		* Popup search progress bar
@@ -447,7 +447,7 @@
 	<!-- ENDIF -->
 
 	<!-- IF S_RESYNCED -->
-		<script type="text/javascript">
+		<script>
 		// <![CDATA[
 			var close_waitscreen = 1;
 		// ]]>

phpBB/adm/style/acp_groups.html

@@ -36,10 +36,12 @@
 		<dl>
 			<dt><label for="group_type">{L_GROUP_TYPE}{L_COLON}</label><br /><span>{L_GROUP_TYPE_EXPLAIN}</span></dt>
 			<dd>
+				{% EVENT acp_group_types_prepend %}
 				<label><input name="group_type" type="radio" class="radio" id="group_type" value="{GROUP_TYPE_FREE}"{GROUP_FREE} /> {L_GROUP_OPEN}</label>
 				<label><input name="group_type" type="radio" class="radio" value="{GROUP_TYPE_OPEN}"{GROUP_OPEN} /> {L_GROUP_REQUEST}</label>
 				<label><input name="group_type" type="radio" class="radio" value="{GROUP_TYPE_CLOSED}"{GROUP_CLOSED} /> {L_GROUP_CLOSED}</label>
 				<label><input name="group_type" type="radio" class="radio" value="{GROUP_TYPE_HIDDEN}"{GROUP_HIDDEN} /> {L_GROUP_HIDDEN}</label>
+				{% EVENT acp_group_types_append %}
 			</dd>
 		</dl>
 	<!-- ELSE -->

phpBB/adm/style/acp_icons.html

@@ -4,7 +4,7 @@
 
 <!-- IF S_EDIT -->
 
-	<script type="text/javascript" defer="defer">
+	<script>
 	// <![CDATA[
 	<!-- IF S_ADD_CODE -->
 

phpBB/adm/style/acp_modules.html

@@ -4,7 +4,7 @@
 
 <!-- IF S_EDIT_MODULE -->
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 		function display_options(value)
 		{

phpBB/adm/style/acp_permission_roles.html

@@ -4,7 +4,7 @@
 
 <!-- IF S_EDIT -->
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 		var active_pmask = '0';
 		var active_fmask = '0';
@@ -20,7 +20,7 @@
 	// ]]>
 	</script>
 
-	<script type="text/javascript" src="style/permissions.js"></script>
+	<script src="style/permissions.js"></script>
 
 	<a href="{U_BACK}" style="float: {S_CONTENT_FLOW_END};">&laquo; {L_BACK}</a>
 

phpBB/adm/style/acp_posting_buttons.html

@@ -1,31 +1,10 @@
-<script type="text/javascript">
+<script>
 // <![CDATA[
 
 	// Define the bbCode tags
 	var bbcode = new Array();
 	var bbtags = new Array('[b]','[/b]','[i]','[/i]','[u]','[/u]','[quote]','[/quote]','[code]','[/code]','[list]','[/list]','[list=]','[/list]','[img]','[/img]','[url]','[/url]','[flash=]', '[/flash]','[size=]','[/size]'<!-- BEGIN custom_tags -->, {custom_tags.BBCODE_NAME}<!-- END custom_tags -->);
 
-	// Helpline messages
-	var help_line = {
-		b: '{LA_BBCODE_B_HELP}',
-		i: '{LA_BBCODE_I_HELP}',
-		u: '{LA_BBCODE_U_HELP}',
-		q: '{LA_BBCODE_Q_HELP}',
-		c: '{LA_BBCODE_C_HELP}',
-		l: '{LA_BBCODE_L_HELP}',
-		o: '{LA_BBCODE_O_HELP}',
-		p: '{LA_BBCODE_P_HELP}',
-		w: '{LA_BBCODE_W_HELP}',
-		a: '{LA_BBCODE_A_HELP}',
-		s: '{LA_BBCODE_S_HELP}',
-		f: '{LA_BBCODE_F_HELP}',
-		y: '{LA_BBCODE_Y_HELP}',
-		d: '{LA_BBCODE_D_HELP}'
-		<!-- BEGIN custom_tags -->
-			,cb_{custom_tags.BBCODE_ID}{L_COLON} '{custom_tags.A_BBCODE_HELPLINE}'
-		<!-- END custom_tags -->
-	}
-
 // ]]>
 </script>
 
@@ -65,7 +44,7 @@
 	</select>
 	<!-- EVENT acp_posting_buttons_custom_tags_before -->
 	<!-- BEGIN custom_tags -->
-	<input type="button" class="button2" name="addbbcode{custom_tags.BBCODE_ID}" value="{custom_tags.BBCODE_TAG}" onclick="bbstyle({custom_tags.BBCODE_ID})" title="{custom_tags.BBCODE_HELPLINE}" />
+	<input type="button" class="button2" name="addbbcode{custom_tags.BBCODE_ID}" value="{custom_tags.BBCODE_TAG}" onclick="bbstyle({custom_tags.BBCODE_ID})" title="{{ custom_tags.BBCODE_HELPLINE|e('html_attr') }}" />
 	<!-- END custom_tags -->
 </div>
 <!-- EVENT acp_posting_buttons_after -->

phpBB/adm/style/acp_ranks.html

@@ -6,7 +6,7 @@
 
 	<a href="{U_BACK}" style="float: {S_CONTENT_FLOW_END};">&laquo; {L_BACK}</a>
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 		function update_image(newimage)
 		{

phpBB/adm/style/acp_search.html

@@ -69,7 +69,7 @@
 
 <!-- ELSEIF S_INDEX -->
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 		/**
 		* Popup search progress bar

phpBB/adm/style/acp_styles.html

@@ -146,7 +146,9 @@
 		{styles_list.EXTRA}
 		<td class="{$ROW_CLASS} mark" width="20">
 			<!-- IF styles_list.STYLE_ID -->
-				<input class="checkbox" type="checkbox" name="ids[]" value="{styles_list.STYLE_ID}" />
+				{% if styles_list.STYLE_NAME !== 'prosilver' %}
+					<input class="checkbox" type="checkbox" name="ids[]" value="{styles_list.STYLE_ID}" />
+				{% endif %}
 			<!-- ELSE -->
 				<!-- IF styles_list.COMMENT != '' -->
 					&nbsp;

phpBB/adm/style/acp_users_overview.html

@@ -79,7 +79,7 @@
 
 <!-- IF not S_USER_FOUNDER or S_FOUNDER -->
 
-	<script type="text/javascript">
+	<script>
 	// <![CDATA[
 
 		function display_reason(option)

phpBB/adm/style/acp_users_prefs.html

@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script>
 // <![CDATA[
 	var default_dateformat = '{A_DEFAULT_DATEFORMAT}';
 // ]]>
@@ -33,7 +33,7 @@
 		<dt><label for="notifymethod">{L_NOTIFY_METHOD}{L_COLON}</label><br /><span>{L_NOTIFY_METHOD_EXPLAIN}</span></dt>
 		<dd><label><input type="radio" class="radio" name="notifymethod" value="0"<!-- IF NOTIFY_EMAIL --> id="notifymethod" checked="checked"<!-- ENDIF --> /> {L_NOTIFY_METHOD_EMAIL}</label>
 			<label><input type="radio" class="radio" name="notifymethod" value="1"<!-- IF NOTIFY_IM --> id="notifymethod" checked="checked"<!-- ENDIF --><!-- IF S_JABBER_DISABLED --> disabled="disabled"<!-- ENDIF --> /> {L_NOTIFY_METHOD_IM}</label>
-			<label><input type="radio" class="radio" name="notifymethod" value="2"<!-- IF NOTIFY_BOTH --> id="notifymethod" checked="checked"<!-- ENDIF --> /> {L_NOTIFY_METHOD_BOTH}</label></dd>
+			<label><input type="radio" class="radio" name="notifymethod" value="2"<!-- IF NOTIFY_BOTH --> id="notifymethod" checked="checked"<!-- ENDIF --><!-- IF S_JABBER_DISABLED --> disabled="disabled"<!-- ENDIF --> /> {L_NOTIFY_METHOD_BOTH}</label></dd>
 	</dl>
 	<dl> 
 		<dt><label for="notifypm">{L_NOTIFY_ON_PM}{L_COLON}</label></dt>

phpBB/adm/style/acp_users_signature.html

@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script>
 // <![CDATA[
 
 	var form_name = 'user_signature';

phpBB/adm/style/installer_footer.html

@@ -6,12 +6,14 @@
 
 	<div id="page-footer">
 		<div class="copyright">
-			Powered by <a href="https://www.phpbb.com/">phpBB</a>&reg; Forum Software &copy; phpBB Limited
+			{% if S_COPYRIGHT_HTML %}
+				{{ CREDIT_LINE }}
+			{% endif %}
 		</div>
 	</div>
 </div>
 
-<script type="text/javascript">
+<script>
 <!--
 installLang = {
 	title: '{LA_TIMEOUT_DETECTED_TITLE}',
@@ -20,9 +22,9 @@ installLang = {
 //-->
 </script>
 
-<script type="text/javascript" src="{T_JQUERY_LINK}"></script>
-<!-- IF S_ALLOW_CDN --><script type="text/javascript">window.jQuery || document.write('\x3Cscript src="{T_ASSETS_PATH}/javascript/jquery.min.js">\x3C/script>');</script><!-- ENDIF -->
-<script type="text/javascript" src="{T_ASSETS_PATH}/javascript/core.js?assets_version={T_ASSETS_VERSION}"></script>
+<script src="{T_JQUERY_LINK}"></script>
+<!-- IF S_ALLOW_CDN --><script>window.jQuery || document.write('\x3Cscript src="{T_ASSETS_PATH}/javascript/jquery.min.js">\x3C/script>');</script><!-- ENDIF -->
+<script src="{T_ASSETS_PATH}/javascript/core.js?assets_version={T_ASSETS_VERSION}"></script>
 <!-- INCLUDEJS admin.js -->
 {$SCRIPTS}
 

phpBB/adm/style/overall_footer.html

@@ -33,9 +33,9 @@
 	</div>
 </div>
 
-<script type="text/javascript" src="{T_JQUERY_LINK}"></script>
-<!-- IF S_ALLOW_CDN --><script type="text/javascript">window.jQuery || document.write('\x3Cscript src="{T_ASSETS_PATH}/javascript/jquery.min.js?assets_version={T_ASSETS_VERSION}">\x3C/script>');</script><!-- ENDIF -->
-<script type="text/javascript" src="{T_ASSETS_PATH}/javascript/core.js?assets_version={T_ASSETS_VERSION}"></script>
+<script src="{T_JQUERY_LINK}"></script>
+<!-- IF S_ALLOW_CDN --><script>window.jQuery || document.write('\x3Cscript src="{T_ASSETS_PATH}/javascript/jquery.min.js?assets_version={T_ASSETS_VERSION}">\x3C/script>');</script><!-- ENDIF -->
+<script src="{T_ASSETS_PATH}/javascript/core.js?assets_version={T_ASSETS_VERSION}"></script>
 <!-- INCLUDEJS ajax.js -->
 <!-- INCLUDEJS admin.js -->
 

phpBB/adm/style/overall_header.html

@@ -10,7 +10,7 @@
 <link href="{T_FONT_AWESOME_LINK}" rel="stylesheet">
 <link href="style/admin.css?assets_version={T_ASSETS_VERSION}" rel="stylesheet" type="text/css" media="screen" />
 
-<script type="text/javascript">
+<script>
 // <![CDATA[
 var jump_page = '{LA_JUMP_PAGE}{L_COLON}';
 var on_page = '{CURRENT_PAGE}';

phpBB/adm/style/permission_mask.html

@@ -1,5 +1,5 @@
 
-<script type="text/javascript">
+<script>
 // <![CDATA[
 	var active_pmask = '0';
 	var active_fmask = '0';
@@ -9,12 +9,14 @@
 
 	var role_options = new Array();
 
+	var no_role_assigned = "{LA_NO_ROLE_ASSIGNED}";
+
 	<!-- IF S_ROLE_JS_ARRAY -->
 		{S_ROLE_JS_ARRAY}
 	<!-- ENDIF -->
 // ]]>
 </script>
-<script type="text/javascript" src="style/permissions.js"></script>
+<script src="style/permissions.js"></script>
 
 <!-- BEGIN p_mask -->
 <div class="clearfix"></div>

phpBB/adm/style/permissions.js

@@ -279,6 +279,10 @@ function reset_role(id) {
 	}
 
 	t.options[0].selected = true;
+
+	var parent = t.parentNode;
+	parent.querySelector('span.dropdown-trigger').innerText = no_role_assigned;
+	parent.querySelector('input[data-name^=role]').value = '0';
 }
 
 /**

phpBB/adm/style/progress_bar.html

@@ -1,6 +1,6 @@
 <!-- INCLUDE simple_header.html -->
 
-<script type="text/javascript">
+<script>
 // <![CDATA[
 	/**
 	* Close previously opened popup
@@ -31,7 +31,7 @@
 	<p>{L_PROGRESS_EXPLAIN}</p>
 </div>
 
-<script type="text/javascript">
+<script>
 // <![CDATA[
 	close_popup();
 // ]]>

phpBB/adm/style/simple_footer.html

@@ -16,9 +16,9 @@
 
 </div>
 
-<script type="text/javascript" src="{T_JQUERY_LINK}"></script>
-<!-- IF S_ALLOW_CDN --><script type="text/javascript">window.jQuery || document.write('\x3Cscript src="{T_ASSETS_PATH}/javascript/jquery.min.js?assets_version={T_ASSETS_VERSION}">\x3C/script>');</script><!-- ENDIF -->
-<script type="text/javascript" src="{T_ASSETS_PATH}/javascript/core.js?assets_version={T_ASSETS_VERSION}"></script>
+<script src="{T_JQUERY_LINK}"></script>
+<!-- IF S_ALLOW_CDN --><script>window.jQuery || document.write('\x3Cscript src="{T_ASSETS_PATH}/javascript/jquery.min.js?assets_version={T_ASSETS_VERSION}">\x3C/script>');</script><!-- ENDIF -->
+<script src="{T_ASSETS_PATH}/javascript/core.js?assets_version={T_ASSETS_VERSION}"></script>
 
 <!-- EVENT acp_simple_footer_after -->
 {$SCRIPTS}

phpBB/adm/style/simple_header.html

@@ -9,7 +9,7 @@
 
 <link href="style/admin.css?assets_version={T_ASSETS_VERSION}" rel="stylesheet" type="text/css" media="screen" />
 
-<script type="text/javascript">
+<script>
 // <![CDATA[
 var jump_page = '{LA_JUMP_PAGE}{L_COLON}';
 var on_page = '{CURRENT_PAGE}';

phpBB/assets/javascript/core.js

@@ -20,6 +20,13 @@ var phpbbAlertTimer = null;
 
 phpbb.isTouch = (window && typeof window.ontouchstart !== 'undefined');
 
+// Add ajax pre-filter to prevent cross-domain script execution
+$.ajaxPrefilter(function(s) {
+	if (s.crossDomain) {
+		s.contents.script = false;
+	}
+});
+
 /**
  * Display a loading screen
  *

phpBB/assets/javascript/editor.js

@@ -17,17 +17,10 @@ var is_ie = ((clientPC.indexOf('msie') !== -1) && (clientPC.indexOf('opera') ===
 var is_win = ((clientPC.indexOf('win') !== -1) || (clientPC.indexOf('16bit') !== -1));
 var baseHeight;
 
-/**
-* Shows the help messages in the helpline window
-*/
-function helpline(help) {
-	document.forms[form_name].helpbox.value = help_line[help];
-}
-
 /**
 * Fix a bug involving the TextRange object. From
 * http://www.frostjedi.com/terra/scripts/demo/caretBug.html
-*/ 
+*/
 function initInsertions() {
 	var doc;
 
@@ -104,8 +97,8 @@ function bbfontstyle(bbopen, bbclose) {
 	}
 	// IE
 	else if (document.selection) {
-		var range = textarea.createTextRange(); 
-		range.move("character", new_pos); 
+		var range = textarea.createTextRange();
+		range.move("character", new_pos);
 		range.select();
 		storeCaret(textarea);
 	}

phpBB/assets/javascript/plupload.js

@@ -21,7 +21,9 @@ phpbb.plupload.initialize = function() {
 	// Only execute if Plupload initialized successfully.
 	phpbb.plupload.uploader.bind('Init', function() {
 		phpbb.plupload.form = $(phpbb.plupload.config.form_hook)[0];
-		phpbb.plupload.rowTpl = $('#attach-row-tpl')[0].outerHTML;
+		let $attachRowTemplate = $('#attach-row-tpl');
+		$attachRowTemplate.removeClass('attach-row-tpl');
+		phpbb.plupload.rowTpl = $attachRowTemplate[0].outerHTML;
 
 		// Hide the basic upload panel and remove the attach row template.
 		$('#attach-row-tpl, #attach-panel-basic').remove();
@@ -88,6 +90,12 @@ phpbb.plupload.getSerializedData = function() {
 			obj['attachment_data[' + i + '][' + key + ']'] = datum[key];
 		}
 	}
+
+	// Insert form data
+	var $pluploadForm = $(phpbb.plupload.config.form_hook).first();
+	obj.creation_time = $pluploadForm.find('input[type=hidden][name="creation_time"]').val();
+	obj.form_token = $pluploadForm.find('input[type=hidden][name="form_token"]').val();
+
 	return obj;
 };
 
@@ -262,6 +270,17 @@ phpbb.plupload.deleteFile = function(row, attachId) {
 
 			return;
 		}
+
+		// Handle errors while deleting file
+		if (typeof response.error !== 'undefined') {
+			phpbb.alert(phpbb.plupload.lang.ERROR, response.error.message);
+
+			// We will have to assume that the deletion failed. So leave the file status as uploaded.
+			row.find('.file-status').toggleClass('file-uploaded');
+
+			return;
+		}
+
 		phpbb.plupload.update(response, 'removal', index);
 		// Check if the user can upload files now if he had reached the max files limit.
 		phpbb.plupload.handleMaxFilesReached();
@@ -444,6 +463,44 @@ phpbb.plupload.fileError = function(file, error) {
 phpbb.plupload.uploader = new plupload.Uploader(phpbb.plupload.config);
 phpbb.plupload.initialize();
 
+/**
+ * Add a file filter to check for max file sizes per mime type.
+ */
+plupload.addFileFilter('mime_types_max_file_size', function(types, file, callback) {
+	if (file.size !== 'undefined') {
+		$(types).each(function(i, type) {
+			let extensions = [],
+				extsArray = type.extensions.split(',');
+
+			$(extsArray).each(function(i, extension) {
+				/^\s*\*\s*$/.test(extension) ? extensions.push("\\.*") : extensions.push("\\." + extension.replace(new RegExp("[" + "/^$.*+?|()[]{}\\".replace(/./g, "\\$&") + "]", "g"), "\\$&"));
+			});
+
+			let regex = new RegExp("(" + extensions.join("|") + ")$", "i");
+
+			if (regex.test(file.name)) {
+				if (type.max_file_size !== 'undefined' && type.max_file_size) {
+					if (file.size > type.max_file_size) {
+						phpbb.plupload.uploader.trigger('Error', {
+							code: plupload.FILE_SIZE_ERROR,
+							message: plupload.translate('File size error.'),
+							file: file
+						});
+
+						callback(false);
+					} else {
+						callback(true);
+					}
+				} else {
+					callback(true);
+				}
+
+				return false;
+			}
+		});
+	}
+});
+
 var $fileList = $('#file-list');
 
 /**

phpBB/composer.json

@@ -31,9 +31,9 @@
 		"guzzlehttp/guzzle": "~5.3",
 		"lusitanian/oauth": "^0.8.1",
 		"marc1706/fast-image-size": "^1.1",
-		"paragonie/random_compat": "^1.4",
+		"paragonie/random_compat": "^2.0",
 		"patchwork/utf8": "^1.1",
-		"s9e/text-formatter": "~0.13.0",
+		"s9e/text-formatter": "^1.3",
 		"symfony/config": "^2.8",
 		"symfony/console": "^2.8",
 		"symfony/debug": "^2.8",

phpBB/config/default/container/services.yml

@@ -122,7 +122,13 @@ services:
     group_helper:
         class: phpbb\group\helper
         arguments:
+            - '@auth'
+            - '@cache'
+            - '@config'
             - '@language'
+            - '@dispatcher'
+            - '@path_helper'
+            - '@user'
 
     log:
         class: phpbb\log\log

phpBB/config/default/container/services_console.yml

@@ -208,6 +208,7 @@ services:
     console.command.thumbnail.delete:
         class: phpbb\console\command\thumbnail\delete
         arguments:
+            - '@config'
             - '@user'
             - '@dbal.conn'
             - '%core.root_path%'
@@ -217,6 +218,7 @@ services:
     console.command.thumbnail.generate:
         class: phpbb\console\command\thumbnail\generate
         arguments:
+            - '@config'
             - '@user'
             - '@dbal.conn'
             - '@cache'

phpBB/config/default/container/services_content.yml

@@ -35,6 +35,7 @@ services:
             - '@config_text'
             - '@dbal.conn'
             - '@user'
+            - '@dispatcher'
             - '%core.root_path%'
             - '%core.php_ext%'
 

phpBB/config/installer/container/services_install_obtain_data.yml

@@ -33,13 +33,6 @@ services:
         tags:
             - { name: install_obtain_data, order: 40 }
 
-    installer.obtain_data.obtain_imagick_path:
-        class: phpbb\install\module\obtain_data\task\obtain_imagick_path
-        arguments:
-            - '@installer.helper.config'
-        tags:
-            - { name: install_obtain_data, order: 60 }
-
     installer.obtain_data.obtain_server_data:
         class: phpbb\install\module\obtain_data\task\obtain_server_data
         arguments:

phpBB/develop/add_permissions.php

@@ -156,6 +156,7 @@ $u_permissions = array(
 	'u_download'	=> array(0, 1),
 	'u_attach'		=> array(0, 1),
 	'u_sig'			=> array(0, 1),
+	'u_emoji'		=> array(0, 1),
 	'u_pm_attach'	=> array(0, 1),
 	'u_pm_bbcode'	=> array(0, 1),
 	'u_pm_smilies'	=> array(0, 1),

phpBB/docs/CHANGELOG.html

@@ -50,6 +50,16 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ul>
+		<li><a href="#v329rc1">Changes since 3.2.9-RC1</a></li>
+		<li><a href="#v328">Changes since 3.2.8</a></li>
+		<li><a href="#v328rc1">Changes since 3.2.8-RC1</a></li>
+		<li><a href="#v327">Changes since 3.2.7</a></li>
+		<li><a href="#v326">Changes since 3.2.6</a></li>
+		<li><a href="#v326rc1">Changes since 3.2.6-RC1</a></li>
+		<li><a href="#v325">Changes since 3.2.5</a></li>
+		<li><a href="#v325rc1">Changes since 3.2.5-RC1</a></li>
+		<li><a href="#v324">Changes since 3.2.4</a></li>
+		<li><a href="#v324rc1">Changes since 3.2.4-RC1</a></li>
 		<li><a href="#v323">Changes since 3.2.3</a></li>
 		<li><a href="#v323rc2">Changes since 3.2.3-RC2</a></li>
 		<li><a href="#v323rc1">Changes since 3.2.3-RC1</a></li>
@@ -132,6 +142,322 @@
 		<div class="inner">
 
 		<div class="content">
+			<a name="v329rc1"></a><h3>Changes since 3.2.9-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15592">PHPBB3-15592</a>] - &quot;Place inline&quot; button appears when BBcode is disabled (Post settings)</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16269">PHPBB3-16269</a>] - Sphinx backend indexes HTML markup as keywords</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16282">PHPBB3-16282</a>] - Default jQuery CDN URL is outdated on new installs</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16271">PHPBB3-16271</a>] - Add support for 3.3.x API documentation</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16279">PHPBB3-16279</a>] - Add permission for Emojii in topic title</li>
+			</ul>
+			<h4>Security</h4>
+			<ul>
+				<li>[SECURITY-249] - Group avatar overwrite on invalid submit</li>
+				<li>[SECURITY-250] - Group leader can be tricked into approving user</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[SECURITY-251] - Unwanted move of PMs to folders</li>
+				<li>[SECURITY-252] - PMs of unsuspecting users can be marked as important</li>
+				<li>[SECURITY-253] - PM export without proper validation</li>
+			</ul>
+
+			<a name="v328"></a><h3>Changes since 3.2.8</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-14815">PHPBB3-14815</a>] - The facebook page link is not displayed properly in memberlist.php</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15643">PHPBB3-15643</a>] - $phpbb_filesystem-&gt;resolve_path() may trigger open_basedir restriction</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15902">PHPBB3-15902</a>] - Out of range error with Sphinx search</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16056">PHPBB3-16056</a>] - JPEG dimensions undetectable for some kind of jpeg files</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16076">PHPBB3-16076</a>] - Limit attachment size by extension group</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16141">PHPBB3-16141</a>] - plupload chunk_size calculation incorrect when one or more settings are 'unlimited'</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16150">PHPBB3-16150</a>] - Post title link urls not reliable when shared</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16156">PHPBB3-16156</a>] - Bots see both register and logout links in the navbar</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16157">PHPBB3-16157</a>] - Incorrect FORM_INVALID error message while sending email form</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16181">PHPBB3-16181</a>] - OAuth provider id needs to be quoted</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16184">PHPBB3-16184</a>] - Mark read button only works once</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16199">PHPBB3-16199</a>] - Guest posting CAPTCHA is being generated with no guest posting auth</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16209">PHPBB3-16209</a>] - Nginx example configuration file blocks an image in the ACP</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16210">PHPBB3-16210</a>] - Terms of use should not be skippable</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16211">PHPBB3-16211</a>] - COPPA should not be skippable</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16216">PHPBB3-16216</a>] - Disable xdebug in travis builds</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16217">PHPBB3-16217</a>] - Enable opcache in travis CI builds</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16228">PHPBB3-16228</a>] - BBCode definitions with an optional attribute and a non-TEXT content are not merged correctly</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16242">PHPBB3-16242</a>] - Redirect loop when install folder doesn't exist</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16252">PHPBB3-16252</a>] - Ignore non-BBCodes when looking for unauthorized markup</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16257">PHPBB3-16257</a>] - Typo in Email Settings section</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16258">PHPBB3-16258</a>] - Sample Sphinx configuration file causes delta index to only include the most recent post</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16084">PHPBB3-16084</a>] - Pointless radio button for database backup in 3.2.7 </li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16139">PHPBB3-16139</a>] - Add core.viewtopic_modify_quick_reply_template_vars</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16140">PHPBB3-16140</a>] - Add new event to UCP Edit Profile Page</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16143">PHPBB3-16143</a>] - Add core events for move topics</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16144">PHPBB3-16144</a>] - NO_STYLE_DATA - Provide extra fallback to board's default style for $user.</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16146">PHPBB3-16146</a>] - Add core event for after move the forum</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16148">PHPBB3-16148</a>] - Add template events to acp_groups.html</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16151">PHPBB3-16151</a>] - Enable Emojis and rich text in forum name</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16153">PHPBB3-16153</a>] - Enable Emojis and rich text in topic title</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16159">PHPBB3-16159</a>] - Wrap post times in html time tag</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16174">PHPBB3-16174</a>] - Event for disabling cookie creation</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16182">PHPBB3-16182</a>] - Add core.generate_smilies_modify_rowset</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16183">PHPBB3-16183</a>] - Add core.generate_smilies_count_sql_before</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16203">PHPBB3-16203</a>] - Enable Emojis and rich text in sent Emails</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16247">PHPBB3-16247</a>] - Quote PM has no identifier</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16251">PHPBB3-16251</a>] - Shortened link text shouldn't override custom plugins</li>
+			</ul>
+			<h4>Task</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15422">PHPBB3-15422</a>] - Remove the unnecessary helpline function and help_line variable</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16147">PHPBB3-16147</a>] - Updated tokens legend in BBCodes ACP</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16160">PHPBB3-16160</a>] - Add script for generating package json file</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16172">PHPBB3-16172</a>] - Add &quot;Rank:&quot; or &quot;Group rank:&quot; in the memberlist</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16224">PHPBB3-16224</a>] - Update composer dependencies</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16246">PHPBB3-16246</a>] - Prettify and update README Automated Testing section</li>
+			</ul>
+
+			<a name="v328rc1"></a><h3>Changes since 3.2.8-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15467">PHPBB3-15467</a>] - Permission settings do not take affect when set using All YES/NO/NEVER</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16123">PHPBB3-16123</a>] - PHP error (Array to string conversion) on new user registration if email address is banned and &quot; Reason shown to the banned&quot; is empty</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16136">PHPBB3-16136</a>] - Missing word in 'AUTH_PROVIDER_OAUTH_ERROR_ALREADY_LINKED' </li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16134">PHPBB3-16134</a>] - Exclude group leaders on group member purge</li>
+			</ul>
+			<h4>Security Issue</h4>
+			<ul>
+				<li>[SECURITY-243] - CSS injection via BBCode tag</li>
+				<li>[SECURITY-244] - Missing form token check when handling attachments</li>
+				<li>[SECURITY-246] - Missing form token check when managing BBCodes</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[SECURITY-247] - Disable MySQLi local infile to prevent local file inclusion</li>
+			</ul>
+
+			<a name="v327"></a><h3>Changes since 3.2.7</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-13175">PHPBB3-13175</a>] - External accounts can be linked to more than one local account</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-14459">PHPBB3-14459</a>] - Check language input for group</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15211">PHPBB3-15211</a>] - Emoji characters in forum name causing SQL errors</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15885">PHPBB3-15885</a>] - Group rank not displaying on memberlist_body</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15897">PHPBB3-15897</a>] - Unicode Characters in Attachment Comment Causes mySQL Error </li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15932">PHPBB3-15932</a>] - Users can delete their attachments in the UCP, even if the post is locked</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15961">PHPBB3-15961</a>] - SMTP support for TLS is forcing use of deprecated TLS 1.0</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15974">PHPBB3-15974</a>] - The link &quot;Back to previous page&quot; can redirect to another page, not the previous one</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15976">PHPBB3-15976</a>] - Changing account settings without changing password resets user_passchg</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15982">PHPBB3-15982</a>] - Q&amp;A captcha plug-in still throws PHP 7.2.x countable warning</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16003">PHPBB3-16003</a>] - Post count not updated when deleting only post in topic</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16021">PHPBB3-16021</a>] - Recognize number of Template Event instances in events.md file</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16040">PHPBB3-16040</a>] - Topic Icon with space in filename isn't displayed by viewforum_body.html</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16048">PHPBB3-16048</a>] - Unable to restore any backup from ACP</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16050">PHPBB3-16050</a>] - PHP warning in MCP banning tab on PHP 7.2+</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16053">PHPBB3-16053</a>] - BBCodes using {TEXT} in HTML tags no longer work</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16054">PHPBB3-16054</a>] - Style templates no longer able to login &quot;from any page.&quot;</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16055">PHPBB3-16055</a>] - Unable to login using Oauth via Forums, topics or posts</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16061">PHPBB3-16061</a>] - Migrator never drops unique indexes</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16063">PHPBB3-16063</a>] - board_dst config value is not removed from config table after conversion</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16066">PHPBB3-16066</a>] - Banned or suspended user receives &quot;The submitted form was invalid. Try submitting again.&quot;</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16071">PHPBB3-16071</a>] - Undefined index for custom attachments groups</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16073">PHPBB3-16073</a>] - Fix warning in ACP version check</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16074">PHPBB3-16074</a>] - Twemoji -fe0f sequence not rendering</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16075">PHPBB3-16075</a>] - PM filter “sent to my default usergroup” triggers array to string conversion warning</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16080">PHPBB3-16080</a>] - Warnings When a Style exists on database but not on FTP</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16093">PHPBB3-16093</a>] - Attach row template always gets displayed with JS disabled</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16096">PHPBB3-16096</a>] - MySQL full text search always uses MyISAM limits</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16124">PHPBB3-16124</a>] - Incorrect users search by last visit time in memberlist.php</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16126">PHPBB3-16126</a>] - AppVeyor builds fail due to chocolatey being unable to install PHP</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15745">PHPBB3-15745</a>] - Hardcoded lang in credit line</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15886">PHPBB3-15886</a>] - Group helper functions</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15946">PHPBB3-15946</a>] - Add event - core.posting_modify_row_data</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15967">PHPBB3-15967</a>] - Unambiguous wording in user activation request email to Admin/Moderator</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15984">PHPBB3-15984</a>] - Use of 'Cache-Control: public' for serving files</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16000">PHPBB3-16000</a>] - Provide link to PHP Date Function in both ACP and UCP</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16013">PHPBB3-16013</a>] - Do not prevent username changes in ACP</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16019">PHPBB3-16019</a>] - Deny prosilver's uninstallation</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16024">PHPBB3-16024</a>] - Add core.topic_review_modify_sql_ary</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16025">PHPBB3-16025</a>] - Add 2 template events *_author_username_{append/prepend}</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16047">PHPBB3-16047</a>] - ACP Private Messages: Wording could be better</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16058">PHPBB3-16058</a>] - Remove sudo required from travis config</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16065">PHPBB3-16065</a>] - Undefined index: user_ip in oauth.php</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16068">PHPBB3-16068</a>] - Incorrect docblock parameter types</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16070">PHPBB3-16070</a>] - Remove support for WebSTAR and Xitami</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16078">PHPBB3-16078</a>] - Use chrome webdriver for UI tests</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16089">PHPBB3-16089</a>] - Add core.confirm_box_ajax_before</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16097">PHPBB3-16097</a>] - Add core.viewtopic_gen_sort_selects_before</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16102">PHPBB3-16102</a>] - Add core.posting_modify_post_subject</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16103">PHPBB3-16103</a>] - Add core.pm_modify_message_subject</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16106">PHPBB3-16106</a>] - Add core.mcp_main_before</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16107">PHPBB3-16107</a>] - Add mcp_move_destination_forum_before|after</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16108">PHPBB3-16108</a>] - Add topiclist_row_topic_by_author_before|after</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16109">PHPBB3-16109</a>] - Custom Profile Field visibility is incorrectly explained</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16111">PHPBB3-16111</a>] - Add core.message_history_modify_sql_ary</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16113">PHPBB3-16113</a>] - Add core.mcp_topic_modify_sql_ary</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16114">PHPBB3-16114</a>] - Add 2 mcp_topic_post_author_full_{append/prepend}</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16127">PHPBB3-16127</a>] - Add UI for Mass email $max_chunk_size</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16129">PHPBB3-16129</a>] - The attachment's ALT tag is supposed to describe the image, not the file.</li>
+			</ul>
+			<h4>Task</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16067">PHPBB3-16067</a>] - Define trusty build environment for travis builds</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16112">PHPBB3-16112</a>] - Update composer dependencies to latest</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16119">PHPBB3-16119</a>] - The text input for poll question has a too high maxlength attribute</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16101">PHPBB3-16101</a>] - Add Referrer-Policy header</li>
+			</ul>
+
+			<a name="v326"></a><h3>Changes since 3.2.6</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16034">PHPBB3-16034</a>] - Links created with [url=] - are sometimes incorrectly shortened</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16036">PHPBB3-16036</a>] - Cannot login with 3.2.6</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16037">PHPBB3-16037</a>] - Private message ViewFolder Broken</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16039">PHPBB3-16039</a>] - Unable to change announcement to standard topic due to missing global</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16042">PHPBB3-16042</a>] - Use S_LOGIN_REDIRECT to output login form token</li>
+			</ul>
+
+			<a name="v326rc1"></a><h3>Changes since 3.2.6-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16027">PHPBB3-16027</a>] - Appveyor builds fail on PHP 7.0</li>
+			</ul>
+			<h4>Security Issue</h4>
+			<ul>
+				<li>[SECURITY-231] - Remote avatar functionality allows checking for files and ports on local network</li>
+				<li>[SECURITY-235] - Fulltext native search can be used to cause long execution times</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[SECURITY-228] - Require form token in login_box</li>
+				<li>[SECURITY-233] - SMTP auth data shouldn't be cached</li>
+				<li>[SECURITY-234] - Main website URL in Admin Control Panel should not support JS URLs</li>
+			</ul>
+
+			<a name="v325"></a><h3>Changes since 3.2.5</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15509">PHPBB3-15509</a>] - Update database: info message is to scary</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15869">PHPBB3-15869</a>] - Cookies Problem with domains with special chars</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15876">PHPBB3-15876</a>] - Mysql 5.7 support Q&amp;A plugin</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15883">PHPBB3-15883</a>] - No error for invalid usernames on bulk add to usergroup</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15904">PHPBB3-15904</a>] - PHP warning when accessing modules in ACP System tab</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15917">PHPBB3-15917</a>] - Unapproved posts count towards forum post count</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15918">PHPBB3-15918</a>] - Ban reason messages show backslash (\) before apostrophe -- ex. (don\'t).</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15919">PHPBB3-15919</a>] - Lint test throws PHP warnings due to node modules folder</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15931">PHPBB3-15931</a>] - Issues in PM report emails</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15954">PHPBB3-15954</a>] - Some calls to include() don't have a safeguard</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15957">PHPBB3-15957</a>] - User preferences show notification method &quot;both&quot; with disabled Jabber in ACP</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15959">PHPBB3-15959</a>] - Travis Network Test is Failing for news.cnet.com</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15965">PHPBB3-15965</a>] - Console command to handle thumbnails have files directory hardcoded</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15975">PHPBB3-15975</a>] - Delete or prune an user doesn't remove its entries in the user_notifications table</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15986">PHPBB3-15986</a>] - Add missing language key for posting.php</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15996">PHPBB3-15996</a>] - Invalid data provider function name in migrator_tool_permission_test</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16006">PHPBB3-16006</a>] - Duplicate form IDs in UCP oauth form</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15884">PHPBB3-15884</a>] - Add memberlist_body_* events</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15889">PHPBB3-15889</a>] - Add core.memberlist_modify_memberrow_sql</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15890">PHPBB3-15890</a>] - Add core.memberlist_modify_viewprofile_sql</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15891">PHPBB3-15891</a>] - Add core.memberlist_modify_view_profile_template_vars</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15898">PHPBB3-15898</a>] - Add core.ucp_pm_compose_template</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15899">PHPBB3-15899</a>] - Add core.modify_attachment_sql_ary_on_* events</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15901">PHPBB3-15901</a>] - Add mcp_post_* template events</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15910">PHPBB3-15910</a>] - Pass object arguments by reference implicitly</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15914">PHPBB3-15914</a>] - Add core.modify_memberlist_viewprofile_group_sql and core.modify_memberlist_viewprofile_group_data</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15915">PHPBB3-15915</a>] - Add template events to posting_attach_body.html</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15924">PHPBB3-15924</a>] - Move from precise to trusty builds</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15926">PHPBB3-15926</a>] - Deny installs on PHP &gt;= 7.3@dev - Increase min. req. to 5.4.7</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15928">PHPBB3-15928</a>] - Remove support for backup download</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15939">PHPBB3-15939</a>] - Pagination docblocks</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15941">PHPBB3-15941</a>] - Replace MAX SQL in functions_posting.php</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15942">PHPBB3-15942</a>] - Array to string conversion when permanently deleting a post</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15948">PHPBB3-15948</a>] - Add core.mcp_change_topic_type_after/before</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15949">PHPBB3-15949</a>] - [Template] - ucp_profile_signature_posting_editor_options_prepend</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15950">PHPBB3-15950</a>] - Add SQL transactions to mcp_main.php</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15960">PHPBB3-15960</a>] - Add SQL transactions to functions_admin.php</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15970">PHPBB3-15970</a>] - Add core.message_admin_form_submit_before</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15972">PHPBB3-15972</a>] - Add core.markread_after</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15992">PHPBB3-15992</a>] - Fix breadcrumb schema</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15995">PHPBB3-15995</a>] - Add core.memberlist_modify_sort_pagination_params</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15997">PHPBB3-15997</a>] - Increase webdriver timeout for UI tests</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16001">PHPBB3-16001</a>] - Append data to the OAuth's redirect URL</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16009">PHPBB3-16009</a>] - Display OAuth login's buttons in a row.</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16010">PHPBB3-16010</a>] - Automatically check order of events in events.md file</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16018">PHPBB3-16018</a>] - Update composer and dependencies for 3.2.6</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16020">PHPBB3-16020</a>] - Fix placement of event viewforum_body_topic_author_username_append</li>
+			</ul>
+			<h4>New Feature</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15944">PHPBB3-15944</a>] - Add core.posting_modify_quote_attributes</li>
+			</ul>
+			<h4>Task</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15921">PHPBB3-15921</a>] - Update TextFormatter to 1.3.2</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15953">PHPBB3-15953</a>] - pm reported missing border color</li>
+			</ul>
+
+			<a name="v325rc1"></a><h3>Changes since 3.2.5-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15888">PHPBB3-15888</a>] - Update link to user guide</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15893">PHPBB3-15893</a>] - Call to undefined $user in phpbb_format_quote() when BBCodes are disabled</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15911">PHPBB3-15911</a>] - SQL general error on DB update from 3.0 branch</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[SECURITY-229] - Update to latest version of jQuery 1.x and add ajax prefilter</li>
+			</ul>
+
+			<a name="v324"></a><h3>Changes since 3.2.4</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15665">PHPBB3-15665</a>] - MSSQL implementation crashes when upload directory &gt; 2GB</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15858">PHPBB3-15858</a>] - Unapproved User(s) appearing as Guest in Team Page.</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15867">PHPBB3-15867</a>] - Contact form without class</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15871">PHPBB3-15871</a>] - PHP 7.1+ warning in ACP extensions module</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15875">PHPBB3-15875</a>] - BBCode parsing error (PHP fatal error)</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15881">PHPBB3-15881</a>] - Login keys are not reset after password update in some cases</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15542">PHPBB3-15542</a>] - Some JS files being called without assets version</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15859">PHPBB3-15859</a>] - Modify the topic ordering if needed</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15863">PHPBB3-15863</a>] - Modify the topic sort ordering from the beginning</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15870">PHPBB3-15870</a>] - Modify the forum ID to handle the correct display of viewtopic if needed</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15872">PHPBB3-15872</a>] - Add show_user_activity to display_user_activity_modify_actives</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15873">PHPBB3-15873</a>] - Event to add/modify MCP report details template data.</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15878">PHPBB3-15878</a>] - Add attachment to core.ucp_pm_view_message</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15879">PHPBB3-15879</a>] - Modify attachment's poster_id for get_submitted_attachment_data</li>
+			</ul>
+
+			<a name="v324rc1"></a><h3>Changes since 3.2.4-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15860">PHPBB3-15860</a>] - Backups filenames arent saved in the expected format</li>
+			</ul>
+			<h4>Security Issue</h4>
+			<ul>
+				<li>[SECURITY-227] - Phar deserialization in ACP leads to Remote Code Execution</li>
+			</ul>
+
 			<a name="v323"></a><h3>Changes since 3.2.3</h3>
 			<h4>Bug</h4>
 			<ul>

phpBB/docs/CREDITS.txt

@@ -1,7 +1,7 @@
 /**
 *
-* phpBB © Copyright phpBB Limited 2003-2016
-* http://www.phpbb.com
+* phpBB © Copyright phpBB Limited 2003-2019
+* https://www.phpbb.com
 *
 * phpBB is free software. You can redistribute it and/or modify it
 * under the terms of the GNU General Public License, version 2 (GPL-2.0)
@@ -27,7 +27,6 @@ phpBB Developers:        bantu (Andreas Fischer)
                          Derky (Derk Ruitenbeek)
                          Elsensee (Oliver Schramm)
                          Hanakin (Michael Miday)
-                         MichaelC (Michael Cullum)
                          Nicofuma (Tristan Darricau)
                          rubencm (Rubén Calvo)
 
@@ -63,6 +62,7 @@ phpBB Developers:        A_Jelly_Doughnut (Josh Woody) [01/2010 - 11/2010]
                          igorw (Igor Wiedler)          [08/2010 - 02/2013]
                          imkingdavid (David King)      [11/2012 - 06/2014]
                          kellanved (Henry Sudhof)      [04/2007 - 03/2011]
+                         MichaelC (Michael Cullum)     [11/2017 - 09/2019]
                          nickvergessen (Joas Schilling)[04/2010 - 12/2015]
                          Oleg (Oleg Pudeyev)           [01/2011 - 05/2013]
                          prototech (Cesar Gallegos)    [01/2014 - 12/2016]
@@ -104,3 +104,6 @@ Text_Diff-0.2.1 http://pear.php.net/package/Text_Diff
 MIT licenced:
 Symfony2 (c) 2004-2011 Fabien Potencier, https://symfony.com/
 Cookie Consent (c) 2015 Silktide Ltd, https://cookieconsent.insites.com
+
+Emoji by:
+Twemoji (c) 2018 Twitter, Inc, https://twemoji.twitter.com/

phpBB/docs/INSTALL.html

@@ -147,7 +147,7 @@
 			<li>Oracle</li>
 		</ul>
 		</li>
-		<li><strong>PHP 5.4.7+</strong> with support for the database you intend to use.</li>
+		<li><strong>PHP 5.4.7+</strong> but less than <strong>PHP 7.3</strong> with support for the database you intend to use.</li>
 		<li>The following PHP modules are required:
 		<ul>
 			<li>json</li>
@@ -159,7 +159,6 @@
 			<li>zlib Compression support</li>
 			<li>Remote FTP support</li>
 			<li>XML support</li>
-			<li>ImageMagick support</li>
 			<li>GD Support</li>
 		</ul>
 		</li>

phpBB/docs/nginx.sample.conf

@@ -70,7 +70,7 @@ http {
         }
 
         # Deny access to internal phpbb files.
-        location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
+        location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {
             deny all;
             # deny was ignored before 0.8.40 for connections over IPv6.
             # Use internal directive to prohibit access on older versions.
@@ -93,7 +93,7 @@ http {
         # Correctly pass scripts for installer
         location /install/ {
             # phpBB uses index.htm
-            try_files $uri $uri/ @rewrite_installapp;
+            try_files $uri $uri/ @rewrite_installapp =404;
 
             # Pass the php scripts to fastcgi server specified in upstream declaration.
             location ~ \.php(/|$) {
@@ -104,7 +104,7 @@ http {
                 fastcgi_param PATH_INFO $fastcgi_path_info;
                 fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                 fastcgi_param DOCUMENT_ROOT $realpath_root;
-                try_files $uri $uri/ /install/app.php$is_args$args;
+                try_files $uri $uri/ /install/app.php$is_args$args =404;
                 fastcgi_pass php;
             }
         }

phpBB/docs/sphinx.sample.conf

@@ -41,7 +41,7 @@ source source_phpbb_{SPHINX_ID}_main
 }
 source source_phpbb_{SPHINX_ID}_delta : source_phpbb_{SPHINX_ID}_main
 {
-	sql_query_pre =
+	sql_query_pre = SET NAMES 'utf8'
 	sql_query_range =
 	sql_range_step =
 	sql_query = SELECT \
@@ -61,7 +61,7 @@ source source_phpbb_{SPHINX_ID}_delta : source_phpbb_{SPHINX_ID}_main
 						WHERE \
 							p.topic_id = t.topic_id \
 							AND p.post_id >= ( SELECT max_doc_id FROM phpbb_sphinx WHERE counter_id=1 )
-	sql_query_pre =
+	sql_query_post_index =
 }
 index index_phpbb_{SPHINX_ID}_main
 {
@@ -74,6 +74,7 @@ index index_phpbb_{SPHINX_ID}_main
 	charset_table = U+FF10..U+FF19->0..9, 0..9, U+FF41..U+FF5A->a..z, U+FF21..U+FF3A->a..z, A..Z->a..z, a..z, U+0149, U+017F, U+0138, U+00DF, U+00FF, U+00C0..U+00D6->U+00E0..U+00F6, U+00E0..U+00F6, U+00D8..U+00DE->U+00F8..U+00FE, U+00F8..U+00FE, U+0100->U+0101, U+0101, U+0102->U+0103, U+0103, U+0104->U+0105, U+0105, U+0106->U+0107, U+0107, U+0108->U+0109, U+0109, U+010A->U+010B, U+010B, U+010C->U+010D, U+010D, U+010E->U+010F, U+010F, U+0110->U+0111, U+0111, U+0112->U+0113, U+0113, U+0114->U+0115, U+0115, U+0116->U+0117, U+0117, U+0118->U+0119, U+0119, U+011A->U+011B, U+011B, U+011C->U+011D, U+011D, U+011E->U+011F, U+011F, U+0130->U+0131, U+0131, U+0132->U+0133, U+0133, U+0134->U+0135, U+0135, U+0136->U+0137, U+0137, U+0139->U+013A, U+013A, U+013B->U+013C, U+013C, U+013D->U+013E, U+013E, U+013F->U+0140, U+0140, U+0141->U+0142, U+0142, U+0143->U+0144, U+0144, U+0145->U+0146, U+0146, U+0147->U+0148, U+0148, U+014A->U+014B, U+014B, U+014C->U+014D, U+014D, U+014E->U+014F, U+014F, U+0150->U+0151, U+0151, U+0152->U+0153, U+0153, U+0154->U+0155, U+0155, U+0156->U+0157, U+0157, U+0158->U+0159, U+0159, U+015A->U+015B, U+015B, U+015C->U+015D, U+015D, U+015E->U+015F, U+015F, U+0160->U+0161, U+0161, U+0162->U+0163, U+0163, U+0164->U+0165, U+0165, U+0166->U+0167, U+0167, U+0168->U+0169, U+0169, U+016A->U+016B, U+016B, U+016C->U+016D, U+016D, U+016E->U+016F, U+016F, U+0170->U+0171, U+0171, U+0172->U+0173, U+0173, U+0174->U+0175, U+0175, U+0176->U+0177, U+0177, U+0178->U+00FF, U+00FF, U+0179->U+017A, U+017A, U+017B->U+017C, U+017C, U+017D->U+017E, U+017E, U+0410..U+042F->U+0430..U+044F, U+0430..U+044F, U+4E00..U+9FFF
 	min_prefix_len = 0
 	min_infix_len = 0
+	html_strip = 1
 }
 index index_phpbb_{SPHINX_ID}_delta : index_phpbb_{SPHINX_ID}_main
 {

phpBB/includes/acp/acp_attachments.php

@@ -27,6 +27,9 @@ class acp_attachments
 	/** @var \phpbb\config\config */
 	protected $config;
 
+	/** @var \phpbb\language\language */
+	protected $language;
+
 	/** @var ContainerBuilder */
 	protected $phpbb_container;
 
@@ -54,6 +57,7 @@ class acp_attachments
 		$this->id = $id;
 		$this->db = $db;
 		$this->config = $config;
+		$this->language = $phpbb_container->get('language');
 		$this->template = $template;
 		$this->user = $user;
 		$this->phpbb_container = $phpbb_container;
@@ -128,7 +132,7 @@ class acp_attachments
 				$s_assigned_groups = array();
 				while ($row = $db->sql_fetchrow($result))
 				{
-					$row['group_name'] = (isset($user->lang['EXT_GROUP_' . $row['group_name']])) ? $user->lang['EXT_GROUP_' . $row['group_name']] : $row['group_name'];
+					$row['group_name'] = $this->language->is_set('EXT_GROUP_' . utf8_strtoupper($row['group_name'])) ? $this->language->lang('EXT_GROUP_' . utf8_strtoupper($row['group_name'])) : $row['group_name'];
 					$s_assigned_groups[$row['cat_id']][] = $row['group_name'];
 				}
 				$db->sql_freeresult($result);
@@ -164,7 +168,6 @@ class acp_attachments
 						'img_create_thumbnail'		=> array('lang' => 'CREATE_THUMBNAIL',		'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
 						'img_max_thumb_width'		=> array('lang' => 'MAX_THUMB_WIDTH',		'validate' => 'int:0:999999999999999',	'type' => 'number:0:999999999999999', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']),
 						'img_min_thumb_filesize'	=> array('lang' => 'MIN_THUMB_FILESIZE',	'validate' => 'int:0:999999999999999',	'type' => 'number:0:999999999999999', 'explain' => true, 'append' => ' ' . $user->lang['BYTES']),
-						'img_imagick'				=> array('lang' => 'IMAGICK_PATH',			'validate' => 'absolute_path',	'type' => 'text:20:200', 'explain' => true, 'append' => '&nbsp;&nbsp;<span>[ <a href="' . $this->u_action . '&amp;action=imgmagick">' . $user->lang['SEARCH_IMAGICK'] . '</a> ]</span>'),
 						'img_max'					=> array('lang' => 'MAX_IMAGE_SIZE',		'validate' => 'int:0:9999',	'type' => 'dimension:0:9999', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']),
 						'img_link'					=> array('lang' => 'IMAGE_LINK_SIZE',		'validate' => 'int:0:9999',	'type' => 'dimension:0:9999', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']),
 					)
@@ -234,38 +237,6 @@ class acp_attachments
 
 				$template->assign_var('S_ATTACHMENT_SETTINGS', true);
 
-				if ($action == 'imgmagick')
-				{
-					$this->new_config['img_imagick'] = $this->search_imagemagick();
-				}
-
-				// We strip eventually manual added convert program, we only want the patch
-				if ($this->new_config['img_imagick'])
-				{
-					// Change path separator
-					$this->new_config['img_imagick'] = str_replace('\\', '/', $this->new_config['img_imagick']);
-					$this->new_config['img_imagick'] = str_replace(array('convert', '.exe'), array('', ''), $this->new_config['img_imagick']);
-
-					// Check for trailing slash
-					if (substr($this->new_config['img_imagick'], -1) !== '/')
-					{
-						$this->new_config['img_imagick'] .= '/';
-					}
-				}
-
-				$supported_types = get_supported_image_types();
-
-				// Check Thumbnail Support
-				if (!$this->new_config['img_imagick'] && (!isset($supported_types['format']) || !count($supported_types['format'])))
-				{
-					$this->new_config['img_create_thumbnail'] = 0;
-				}
-
-				$template->assign_vars(array(
-					'U_SEARCH_IMAGICK'		=> $this->u_action . '&amp;action=imgmagick',
-					'S_THUMBNAIL_SUPPORT'	=> (!$this->new_config['img_imagick'] && (!isset($supported_types['format']) || !count($supported_types['format']))) ? false : true)
-				);
-
 				// Secure Download Options - Same procedure as with banning
 				$allow_deny = ($this->new_config['secure_allow_deny']) ? 'ALLOWED' : 'DISALLOWED';
 
@@ -606,7 +577,7 @@ class acp_attachments
 							$group_id = $db->sql_nextid();
 						}
 
-						$group_name = (isset($user->lang['EXT_GROUP_' . $group_name])) ? $user->lang['EXT_GROUP_' . $group_name] : $group_name;
+						$group_name = $this->language->is_set('EXT_GROUP_' . utf8_strtoupper($group_name)) ? $this->language->lang('EXT_GROUP_' . utf8_strtoupper($group_name)) : $group_name;
 						$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ATTACH_EXTGROUP_' . strtoupper($action), false, array($group_name));
 					}
 
@@ -908,7 +879,7 @@ class acp_attachments
 						'U_EDIT'		=> $this->u_action . "&amp;action=edit&amp;g={$row['group_id']}",
 						'U_DELETE'		=> $this->u_action . "&amp;action=delete&amp;g={$row['group_id']}",
 
-						'GROUP_NAME'	=> (isset($user->lang['EXT_GROUP_' . $row['group_name']])) ? $user->lang['EXT_GROUP_' . $row['group_name']] : $row['group_name'],
+						'GROUP_NAME'	=> $this->language->is_set('EXT_GROUP_' . utf8_strtoupper($row['group_name'])) ? $this->language->lang('EXT_GROUP_' . utf8_strtoupper($row['group_name'])) : $row['group_name'],
 						'CATEGORY'		=> $cat_lang[$row['cat_id']],
 						)
 					);
@@ -1277,15 +1248,11 @@ class acp_attachments
 						'ATTACHMENT_POSTER'	=> get_username_string('full', (int) $row['poster_id'], (string) $row['username'], (string) $row['user_colour'], (string) $row['username']),
 						'FILESIZE'			=> get_formatted_filesize((int) $row['filesize']),
 						'FILETIME'			=> $user->format_date((int) $row['filetime']),
-						'REAL_FILENAME'		=> (!$row['in_message']) ? utf8_basename((string) $row['real_filename']) : '',
-						'PHYSICAL_FILENAME'	=> utf8_basename((string) $row['physical_filename']),
-						'EXT_GROUP_NAME'	=> (!empty($extensions[$row['extension']]['group_name'])) ? $user->lang['EXT_GROUP_' . $extensions[$row['extension']]['group_name']] : '',
+						'REAL_FILENAME'		=> utf8_basename((string) $row['real_filename']),
+						'EXT_GROUP_NAME'	=> $this->language->is_set('EXT_GROUP_' . utf8_strtoupper($extensions[$row['extension']]['group_name'])) ?  $this->language->lang('EXT_GROUP_' . utf8_strtoupper($extensions[$row['extension']]['group_name'])) : $extensions[$row['extension']]['group_name'],
 						'COMMENT'			=> $comment,
 						'TOPIC_TITLE'		=> (!$row['in_message']) ? (string) $row['topic_title'] : '',
 						'ATTACH_ID'			=> (int) $row['attach_id'],
-						'POST_ID'			=> (int) $row['post_msg_id'],
-						'TOPIC_ID'			=> (int) $row['topic_id'],
-						'POST_IDS'			=> (!empty($post_ids[$row['attach_id']])) ? (int) $post_ids[$row['attach_id']] : '',
 
 						'L_DOWNLOAD_COUNT'	=> $user->lang($l_downloaded_viewed, (int) $row['download_count']),
 
@@ -1467,7 +1434,7 @@ class acp_attachments
 		$group_name = array();
 		while ($row = $db->sql_fetchrow($result))
 		{
-			$row['group_name'] = (isset($user->lang['EXT_GROUP_' . $row['group_name']])) ? $user->lang['EXT_GROUP_' . $row['group_name']] : $row['group_name'];
+			$row['group_name'] = $this->language->is_set('EXT_GROUP_' . utf8_strtoupper($row['group_name'])) ? $this->language->lang('EXT_GROUP_' . utf8_strtoupper($row['group_name'])) : $row['group_name'];
 			$group_name[] = $row;
 		}
 		$db->sql_freeresult($result);
@@ -1495,47 +1462,6 @@ class acp_attachments
 		return $group_select;
 	}
 
-	/**
-	* Search Imagick
-	*/
-	function search_imagemagick()
-	{
-		$imagick = '';
-
-		$exe = ((defined('PHP_OS')) && (preg_match('#^win#i', PHP_OS))) ? '.exe' : '';
-
-		$magic_home = getenv('MAGICK_HOME');
-
-		if (empty($magic_home))
-		{
-			$locations = array('C:/WINDOWS/', 'C:/WINNT/', 'C:/WINDOWS/SYSTEM/', 'C:/WINNT/SYSTEM/', 'C:/WINDOWS/SYSTEM32/', 'C:/WINNT/SYSTEM32/', '/usr/bin/', '/usr/sbin/', '/usr/local/bin/', '/usr/local/sbin/', '/opt/', '/usr/imagemagick/', '/usr/bin/imagemagick/');
-			$path_locations = str_replace('\\', '/', (explode(($exe) ? ';' : ':', getenv('PATH'))));
-
-			$locations = array_merge($path_locations, $locations);
-
-			foreach ($locations as $location)
-			{
-				// The path might not end properly, fudge it
-				if (substr($location, -1) !== '/')
-				{
-					$location .= '/';
-				}
-
-				if (@file_exists($location) && @is_readable($location . 'mogrify' . $exe) && @filesize($location . 'mogrify' . $exe) > 3000)
-				{
-					$imagick = str_replace('\\', '/', $location);
-					continue;
-				}
-			}
-		}
-		else
-		{
-			$imagick = str_replace('\\', '/', $magic_home);
-		}
-
-		return $imagick;
-	}
-
 	/**
 	* Test Settings
 	*/

phpBB/includes/acp/acp_bbcodes.php

@@ -33,7 +33,6 @@ class acp_bbcodes
 		// Set up general vars
 		$action	= $request->variable('action', '');
 		$bbcode_id = $request->variable('bbcode', 0);
-		$submit = $request->is_set_post('submit');
 
 		$this->tpl_name = 'acp_bbcodes';
 		$this->page_title = 'ACP_BBCODES';
@@ -41,11 +40,6 @@ class acp_bbcodes
 
 		add_form_key($form_key);
 
-		if ($submit && !check_form_key($form_key))
-		{
-			trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
-		}
-
 		// Set up mode-specific vars
 		switch ($action)
 		{
@@ -179,6 +173,12 @@ class acp_bbcodes
 				extract($phpbb_dispatcher->trigger_event('core.acp_bbcodes_modify_create', compact($vars)));
 
 				$warn_text = preg_match('%<[^>]*\{text[\d]*\}[^>]*>%i', $bbcode_tpl);
+
+				if (!$warn_text && !check_form_key($form_key))
+				{
+					trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+				}
+
 				if (!$warn_text || confirm_box(true))
 				{
 					$data = $this->build_regexp($bbcode_match, $bbcode_tpl);
@@ -211,11 +211,6 @@ class acp_bbcodes
 						$test = $data['bbcode_tag'];
 					}
 
-					if (!preg_match('%\\[' . $test . '[^]]*].*?\\[/' . $test . ']%s', $bbcode_match))
-					{
-						trigger_error($user->lang['BBCODE_OPEN_ENDED_TAG'] . adm_back_link($this->u_action), E_USER_WARNING);
-					}
-
 					if (strlen($data['bbcode_tag']) > 16)
 					{
 						trigger_error($user->lang['BBCODE_TAG_TOO_LONG'] . adm_back_link($this->u_action), E_USER_WARNING);

phpBB/includes/acp/acp_board.php

@@ -30,10 +30,13 @@ class acp_board
 
 	function main($id, $mode)
 	{
-		global $user, $template, $request;
+		global $user, $template, $request, $language;
 		global $config, $phpbb_root_path, $phpEx;
 		global $cache, $phpbb_container, $phpbb_dispatcher, $phpbb_log;
 
+		/** @var \phpbb\language\language $language Language object */
+		$language = $phpbb_container->get('language');
+
 		$user->add_lang('acp/board');
 
 		$submit = (isset($_POST['submit']) || isset($_POST['allow_quick_reply_enable'])) ? true : false;
@@ -56,7 +59,7 @@ class acp_board
 						'legend1'				=> 'ACP_BOARD_SETTINGS',
 						'sitename'				=> array('lang' => 'SITE_NAME',				'validate' => 'string',	'type' => 'text:40:255', 'explain' => false),
 						'site_desc'				=> array('lang' => 'SITE_DESC',				'validate' => 'string',	'type' => 'text:40:255', 'explain' => false),
-						'site_home_url'			=> array('lang' => 'SITE_HOME_URL',			'validate' => 'string',	'type' => 'url:40:255', 'explain' => true),
+						'site_home_url'			=> array('lang' => 'SITE_HOME_URL',			'validate' => 'url',	'type' => 'url:40:255', 'explain' => true),
 						'site_home_text'		=> array('lang' => 'SITE_HOME_TEXT',		'validate' => 'string',	'type' => 'text:40:255', 'explain' => true),
 						'board_index_text'		=> array('lang' => 'BOARD_INDEX_TEXT',		'validate' => 'string',	'type' => 'text:40:255', 'explain' => true),
 						'board_disable'			=> array('lang' => 'DISABLE_BOARD',			'validate' => 'bool',	'type' => 'custom', 'method' => 'board_disable', 'explain' => true),
@@ -122,6 +125,7 @@ class acp_board
 				$avatar_vars = array();
 				foreach ($avatar_drivers as $current_driver)
 				{
+					/** @var \phpbb\avatar\driver\driver_interface $driver */
 					$driver = $phpbb_avatar_manager->get_driver($current_driver, false);
 
 					/*
@@ -446,6 +450,7 @@ class acp_board
 						'email_enable'			=> array('lang' => 'ENABLE_EMAIL',			'validate' => 'bool',	'type' => 'radio:enabled_disabled', 'explain' => true),
 						'board_email_form'		=> array('lang' => 'BOARD_EMAIL_FORM',		'validate' => 'bool',	'type' => 'radio:enabled_disabled', 'explain' => true),
 						'email_package_size'	=> array('lang' => 'EMAIL_PACKAGE_SIZE',	'validate' => 'int:0',	'type' => 'number:0:99999', 'explain' => true),
+						'email_max_chunk_size'	=> array('lang' => 'EMAIL_MAX_CHUNK_SIZE',	'validate' => 'int:1:99999',	'type' => 'number:1:99999', 'explain' => true),
 						'board_contact'			=> array('lang' => 'CONTACT_EMAIL',			'validate' => 'email',	'type' => 'email:25:100', 'explain' => true),
 						'board_contact_name'	=> array('lang' => 'CONTACT_EMAIL_NAME',	'validate' => 'string',	'type' => 'text:25:50', 'explain' => true),
 						'board_email'			=> array('lang' => 'ADMIN_EMAIL',			'validate' => 'email',	'type' => 'email:25:100', 'explain' => true),
@@ -730,7 +735,7 @@ class acp_board
 			$template->assign_block_vars('options', array(
 				'KEY'			=> $config_key,
 				'TITLE'			=> (isset($user->lang[$vars['lang']])) ? $user->lang[$vars['lang']] : $vars['lang'],
-				'S_EXPLAIN'		=> $vars['explain'],
+				'S_EXPLAIN'		=> $vars['explain'] && !empty($l_explain),
 				'TITLE_EXPLAIN'	=> $l_explain,
 				'CONTENT'		=> $content,
 				)

phpBB/includes/acp/acp_database.php

@@ -23,6 +23,7 @@ class acp_database
 {
 	var $db_tools;
 	var $u_action;
+	public $page_title;
 
 	function main($id, $mode)
 	{
@@ -57,7 +58,6 @@ class acp_database
 						$type	= $request->variable('type', '');
 						$table	= array_intersect($this->db_tools->sql_list_tables(), $request->variable('table', array('')));
 						$format	= $request->variable('method', '');
-						$where	= $request->variable('where', '');
 
 						if (!count($table))
 						{
@@ -69,17 +69,9 @@ class acp_database
 							trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
 
-						$store = $download = $structure = $schema_data = false;
-
-						if ($where == 'store_and_download' || $where == 'store')
-						{
-							$store = true;
-						}
-
-						if ($where == 'store_and_download' || $where == 'download')
-						{
-							$download = true;
-						}
+						$store = true;
+						$structure = false;
+						$schema_data = false;
 
 						if ($type == 'full' || $type == 'structure')
 						{
@@ -98,8 +90,9 @@ class acp_database
 
 						$filename = 'backup_' . $time . '_' . unique_id();
 
+						/** @var phpbb\db\extractor\extractor_interface $extractor Database extractor */
 						$extractor = $phpbb_container->get('dbal.extractor');
-						$extractor->init_extractor($format, $filename, $time, $download, $store);
+						$extractor->init_extractor($format, $filename, $time, false, $store);
 
 						$extractor->write_start($table_prefix);
 
@@ -145,11 +138,6 @@ class acp_database
 
 						$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_DB_BACKUP');
 
-						if ($download == true)
-						{
-							exit;
-						}
-
 						trigger_error($user->lang['BACKUP_SUCCESS'] . adm_back_link($this->u_action));
 					break;
 
@@ -201,16 +189,10 @@ class acp_database
 					case 'submit':
 						$delete = $request->variable('delete', '');
 						$file = $request->variable('file', '');
-						$download = $request->variable('download', '');
 
-						if (!preg_match('#^backup_\d{10,}_[a-z\d]{16}\.(sql(?:\.(?:gz|bz2))?)$#', $file, $matches))
-						{
-							trigger_error($user->lang['BACKUP_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
-						}
+						$backup_info = $this->get_backup_file($phpbb_root_path . 'store/', $file);
 
-						$file_name = $phpbb_root_path . 'store/' . $matches[0];
-
-						if (!file_exists($file_name) || !is_readable($file_name))
+						if (empty($backup_info) || !is_readable($backup_info['file_name']))
 						{
 							trigger_error($user->lang['BACKUP_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
@@ -219,7 +201,7 @@ class acp_database
 						{
 							if (confirm_box(true))
 							{
-								unlink($file_name);
+								unlink($backup_info['file_name']);
 								$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_DB_DELETE');
 								trigger_error($user->lang['BACKUP_DELETE'] . adm_back_link($this->u_action));
 							}
@@ -228,50 +210,12 @@ class acp_database
 								confirm_box(false, $user->lang['DELETE_SELECTED_BACKUP'], build_hidden_fields(array('delete' => $delete, 'file' => $file)));
 							}
 						}
-						else if ($download || confirm_box(true))
+						else if (confirm_box(true))
 						{
-							if ($download)
-							{
-								$name = $matches[0];
-
-								switch ($matches[1])
-								{
-									case 'sql':
-										$mimetype = 'text/x-sql';
-									break;
-									case 'sql.bz2':
-										$mimetype = 'application/x-bzip2';
-									break;
-									case 'sql.gz':
-										$mimetype = 'application/x-gzip';
-									break;
-								}
-
-								header('Cache-Control: private, no-cache');
-								header("Content-Type: $mimetype; name=\"$name\"");
-								header("Content-disposition: attachment; filename=$name");
-
-								@set_time_limit(0);
-
-								$fp = @fopen($file_name, 'rb');
-
-								if ($fp !== false)
-								{
-									while (!feof($fp))
-									{
-										echo fread($fp, 8192);
-									}
-									fclose($fp);
-								}
-
-								flush();
-								exit;
-							}
-
-							switch ($matches[1])
+							switch ($backup_info['extension'])
 							{
 								case 'sql':
-									$fp = fopen($file_name, 'rb');
+									$fp = fopen($backup_info['file_name'], 'rb');
 									$read = 'fread';
 									$seek = 'fseek';
 									$eof = 'feof';
@@ -280,7 +224,7 @@ class acp_database
 								break;
 
 								case 'sql.bz2':
-									$fp = bzopen($file_name, 'r');
+									$fp = bzopen($backup_info['file_name'], 'r');
 									$read = 'bzread';
 									$seek = '';
 									$eof = 'feof';
@@ -289,13 +233,17 @@ class acp_database
 								break;
 
 								case 'sql.gz':
-									$fp = gzopen($file_name, 'rb');
+									$fp = gzopen($backup_info['file_name'], 'rb');
 									$read = 'gzread';
 									$seek = 'gzseek';
 									$eof = 'gzeof';
 									$close = 'gzclose';
 									$fgetd = 'fgetd';
 								break;
+
+								default:
+									trigger_error($user->lang['BACKUP_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+									return;
 							}
 
 							switch ($db->get_sql_layer())
@@ -375,43 +323,13 @@ class acp_database
 							trigger_error($user->lang['RESTORE_SUCCESS'] . adm_back_link($this->u_action));
 							break;
 						}
-						else if (!$download)
+						else
 						{
 							confirm_box(false, $user->lang['RESTORE_SELECTED_BACKUP'], build_hidden_fields(array('file' => $file)));
 						}
 
 					default:
-						$methods = array('sql');
-						$available_methods = array('sql.gz' => 'zlib', 'sql.bz2' => 'bz2');
-
-						foreach ($available_methods as $type => $module)
-						{
-							if (!@extension_loaded($module))
-							{
-								continue;
-							}
-							$methods[] = $type;
-						}
-
-						$dir = $phpbb_root_path . 'store/';
-						$dh = @opendir($dir);
-
-						$backup_files = array();
-
-						if ($dh)
-						{
-							while (($file = readdir($dh)) !== false)
-							{
-								if (preg_match('#^backup_(\d{10,})_[a-z\d]{16}\.(sql(?:\.(?:gz|bz2))?)$#', $file, $matches))
-								{
-									if (in_array($matches[2], $methods))
-									{
-										$backup_files[(int) $matches[1]] = $file;
-									}
-								}
-							}
-							closedir($dh);
-						}
+						$backup_files = $this->get_file_list($phpbb_root_path . 'store/');
 
 						if (!empty($backup_files))
 						{
@@ -420,8 +338,8 @@ class acp_database
 							foreach ($backup_files as $name => $file)
 							{
 								$template->assign_block_vars('files', array(
-									'FILE'		=> $file,
-									'NAME'		=> $user->format_date($name, 'd-m-Y H:i:s', true),
+									'FILE'		=> sha1($file),
+									'NAME'		=> $user->format_date($name, 'd-m-Y H:i', true),
 									'SUPPORTED'	=> true,
 								));
 							}
@@ -435,6 +353,92 @@ class acp_database
 			break;
 		}
 	}
+
+	/**
+	 * Get backup file from file hash
+	 *
+	 * @param string $directory Relative path to directory
+	 * @param string $file_hash Hash of selected file
+	 *
+	 * @return array Backup file data or empty array if unable to find file
+	 */
+	protected function get_backup_file($directory, $file_hash)
+	{
+		$backup_data = [];
+
+		$file_list = $this->get_file_list($directory);
+		$supported_extensions = $this->get_supported_extensions();
+
+		foreach ($file_list as $file)
+		{
+			preg_match('#^backup_(\d{10,})_(?:[a-z\d]{16}|[a-z\d]{32})\.(sql(?:\.(?:gz|bz2))?)$#i', $file, $matches);
+			if (sha1($file) === $file_hash && in_array($matches[2], $supported_extensions))
+			{
+				$backup_data = [
+					'file_name' => $directory . $file,
+					'extension' => $matches[2],
+				];
+				break;
+			}
+		}
+
+		return $backup_data;
+	}
+
+	/**
+	 * Get backup file list for directory
+	 *
+	 * @param string $directory Relative path to backup directory
+	 *
+	 * @return array List of backup files in specified directory
+	 */
+	protected function get_file_list($directory)
+	{
+		$supported_extensions = $this->get_supported_extensions();
+
+		$dh = @opendir($directory);
+
+		$backup_files = [];
+
+		if ($dh)
+		{
+			while (($file = readdir($dh)) !== false)
+			{
+				if (preg_match('#^backup_(\d{10,})_(?:[a-z\d]{16}|[a-z\d]{32})\.(sql(?:\.(?:gz|bz2))?)$#i', $file, $matches))
+				{
+					if (in_array($matches[2], $supported_extensions))
+					{
+						$backup_files[(int) $matches[1]] = $file;
+					}
+				}
+			}
+			closedir($dh);
+		}
+
+		return $backup_files;
+	}
+
+	/**
+	 * Get supported extensions for backup
+	 *
+	 * @return array List of supported extensions
+	 */
+	protected function get_supported_extensions()
+	{
+		$extensions = ['sql'];
+		$available_methods = ['sql.gz' => 'zlib', 'sql.bz2' => 'bz2'];
+
+		foreach ($available_methods as $type => $module)
+		{
+			if (!@extension_loaded($module))
+			{
+				continue;
+			}
+			$extensions[] = $type;
+		}
+
+		return $extensions;
+	}
 }
 
 // get how much space we allow for a chunk of data, very similar to phpMyAdmin's way of doing things ;-) (hey, we only do this for MySQL anyway :P)

phpBB/includes/acp/acp_extensions.php

@@ -35,11 +35,13 @@ class acp_extensions
 	private $request;
 	private $phpbb_dispatcher;
 	private $ext_manager;
+	private $phpbb_container;
+	private $php_ini;
 
 	function main()
 	{
 		// Start the page
-		global $config, $user, $template, $request, $phpbb_extension_manager, $phpbb_root_path, $phpbb_log, $phpbb_dispatcher;
+		global $config, $user, $template, $request, $phpbb_extension_manager, $phpbb_root_path, $phpbb_log, $phpbb_dispatcher, $phpbb_container;
 
 		$this->config = $config;
 		$this->template = $template;
@@ -48,6 +50,8 @@ class acp_extensions
 		$this->log = $phpbb_log;
 		$this->phpbb_dispatcher = $phpbb_dispatcher;
 		$this->ext_manager = $phpbb_extension_manager;
+		$this->phpbb_container = $phpbb_container;
+		$this->php_ini = $this->phpbb_container->get('php_ini');
 
 		$this->user->add_lang(array('install', 'acp/extensions', 'migrator'));
 
@@ -57,7 +61,7 @@ class acp_extensions
 		$ext_name = $this->request->variable('ext_name', '');
 
 		// What is a safe limit of execution time? Half the max execution time should be safe.
-		$safe_time_limit = (ini_get('max_execution_time') / 2);
+		$safe_time_limit = ($this->php_ini->getNumeric('max_execution_time') / 2);
 		$start_time = time();
 
 		// Cancel action

phpBB/includes/acp/acp_forums.php

@@ -986,6 +986,23 @@ class acp_forums
 			$errors[] = $user->lang['FORUM_NAME_EMPTY'];
 		}
 
+		/**
+		 * Replace Emojis and other 4bit UTF-8 chars not allowed by MySql to UCR / NCR.
+		 * Using their Numeric Character Reference's Hexadecimal notation.
+		 */
+		$forum_data_ary['forum_name'] = utf8_encode_ucr($forum_data_ary['forum_name']);
+
+		/**
+		 * This should never happen again.
+		 * Leaving the fallback here just in case there will be the need of it.
+		 */
+		if (preg_match_all('/[\x{10000}-\x{10FFFF}]/u', $forum_data_ary['forum_name'], $matches))
+		{
+			$character_list = implode('<br>', $matches[0]);
+
+			$errors[] = $user->lang('FORUM_NAME_EMOJI', $character_list);
+		}
+
 		if (utf8_strlen($forum_data_ary['forum_desc']) > 4000)
 		{
 			$errors[] = $user->lang['FORUM_DESC_TOO_LONG'];
@@ -1416,8 +1433,8 @@ class acp_forums
 		* This event may be triggered, when a forum is deleted
 		*
 		* @event core.acp_manage_forums_move_children
-		* @var	int		from_id		If of the current parent forum
-		* @var	int		to_id		If of the new parent forum
+		* @var	int		from_id		Id of the current parent forum
+		* @var	int		to_id		Id of the new parent forum
 		* @var	array	errors		Array of errors, should be strings and not
 		*							language key.
 		* @since 3.1.0-a1
@@ -1522,8 +1539,8 @@ class acp_forums
 		* Event when we move content from one forum to another
 		*
 		* @event core.acp_manage_forums_move_content
-		* @var	int		from_id		If of the current parent forum
-		* @var	int		to_id		If of the new parent forum
+		* @var	int		from_id		Id of the current parent forum
+		* @var	int		to_id		Id of the new parent forum
 		* @var	bool	sync		Shall we sync the "to"-forum's data
 		* @var	array	errors		Array of errors, should be strings and not
 		*							language key. If this array is not empty,
@@ -1569,6 +1586,19 @@ class acp_forums
 			$db->sql_query($sql);
 		}
 
+		/**
+		 * Event when content has been moved from one forum to another
+		 *
+		 * @event core.acp_manage_forums_move_content_after
+		 * @var	int		from_id		Id of the current parent forum
+		 * @var	int		to_id		Id of the new parent forum
+		 * @var	bool	sync		Shall we sync the "to"-forum's data
+		 *
+		 * @since 3.2.9-RC1
+		 */
+		$vars = array('from_id', 'to_id', 'sync');
+		extract($phpbb_dispatcher->trigger_event('core.acp_manage_forums_move_content_after', compact($vars)));
+
 		if ($sync)
 		{
 			// Delete ghost topics that link back to the same forum then resync counters

phpBB/includes/acp/acp_groups.php

@@ -29,6 +29,9 @@ class acp_groups
 		global $phpbb_root_path, $phpbb_admin_path, $phpEx;
 		global $request, $phpbb_container, $phpbb_dispatcher;
 
+		/** @var \phpbb\language\language $language Language object */
+		$language = $phpbb_container->get('language');
+
 		$user->add_lang('acp/groups');
 		$this->tpl_name = 'acp_groups';
 		$this->page_title = 'ACP_GROUPS_MANAGE';
@@ -293,7 +296,19 @@ class acp_groups
 				// Add user/s to group
 				if ($error = group_user_add($group_id, false, $name_ary, $group_name, $default, $leader, 0, $group_row))
 				{
-					trigger_error($user->lang[$error] . adm_back_link($this->u_action . '&action=list&g=' . $group_id), E_USER_WARNING);
+					$display_message = $language->lang($error);
+
+					if ($error == 'GROUP_USERS_INVALID')
+					{
+						// Find which users don't exist
+						$actual_name_ary = $name_ary;
+						$actual_user_id_ary = [];
+						user_get_id_name($actual_user_id_ary, $actual_name_ary, false, true);
+
+						$display_message = $language->lang('GROUP_USERS_INVALID', implode($language->lang('COMMA_SEPARATOR'), array_udiff($name_ary, $actual_name_ary, 'strcasecmp')));
+					}
+
+					trigger_error($display_message . adm_back_link($this->u_action . '&action=list&g=' . $group_id), E_USER_WARNING);
 				}
 
 				$message = ($leader) ? 'GROUP_MODS_ADDED' : 'GROUP_USERS_ADDED';

phpBB/includes/acp/acp_inactive.php

@@ -24,9 +24,9 @@ class acp_inactive
 	var $u_action;
 	var $p_master;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)

phpBB/includes/acp/acp_permissions.php

@@ -676,7 +676,7 @@ class acp_permissions
 	/**
 	* Apply permissions
 	*/
-	function set_permissions($mode, $permission_type, &$auth_admin, &$user_id, &$group_id)
+	function set_permissions($mode, $permission_type, $auth_admin, &$user_id, &$group_id)
 	{
 		global $db, $cache, $user, $auth;
 		global $request;
@@ -765,7 +765,7 @@ class acp_permissions
 	/**
 	* Apply all permissions
 	*/
-	function set_all_permissions($mode, $permission_type, &$auth_admin, &$user_id, &$group_id)
+	function set_all_permissions($mode, $permission_type, $auth_admin, &$user_id, &$group_id)
 	{
 		global $db, $cache, $user, $auth;
 		global $request;
@@ -881,7 +881,7 @@ class acp_permissions
 	/**
 	* Remove permissions
 	*/
-	function remove_permissions($mode, $permission_type, &$auth_admin, &$user_id, &$group_id, &$forum_id)
+	function remove_permissions($mode, $permission_type, $auth_admin, &$user_id, &$group_id, &$forum_id)
 	{
 		global $user, $db, $cache, $auth;
 

phpBB/includes/acp/acp_profile.php

@@ -845,7 +845,7 @@ class acp_profile
 	/**
 	* Build all Language specific options
 	*/
-	function build_language_options(&$cp, $field_type, $action = 'create')
+	function build_language_options($cp, $field_type, $action = 'create')
 	{
 		global $user, $config, $db, $request;
 
@@ -942,7 +942,7 @@ class acp_profile
 	/**
 	* Save Profile Field
 	*/
-	function save_profile_field(&$cp, $field_type, $action = 'create')
+	function save_profile_field($cp, $field_type, $action = 'create')
 	{
 		global $db, $config, $user, $phpbb_container, $phpbb_log, $request, $phpbb_dispatcher;
 

phpBB/includes/acp/acp_prune.php

@@ -537,6 +537,7 @@ class acp_prune
 					AND ug.user_id <> ' . ANONYMOUS . '
 					AND u.user_type <> ' . USER_FOUNDER . '
 					AND ug.user_pending = 0
+					AND ug.group_leader = 0
 					AND u.user_id = ug.user_id
 					' . (!empty($user_ids) ? ' AND ' . $db->sql_in_set('ug.user_id', $user_ids) : '');
 			$result = $db->sql_query($sql);

phpBB/includes/acp/acp_styles.php

@@ -259,6 +259,19 @@ class acp_styles
 		// Get list of styles to uninstall
 		$ids = $this->request_vars('id', 0, true);
 
+		// Don't remove prosilver, you can still deactivate it.
+		$sql = 'SELECT style_id
+			FROM ' . STYLES_TABLE . "
+			WHERE style_name = '" . $this->db->sql_escape('prosilver') . "'";
+		$result = $this->db->sql_query($sql);
+		$prosilver_id = (int) $this->db->sql_fetchfield('style_id');
+		$this->db->sql_freeresult($result);
+
+		if ($prosilver_id && in_array($prosilver_id, $ids))
+		{
+			trigger_error($this->user->lang('UNINSTALL_PROSILVER') . adm_back_link($this->u_action), E_USER_WARNING);
+		}
+
 		// Check if confirmation box was submitted
 		if (confirm_box(true))
 		{
@@ -998,11 +1011,14 @@ class acp_styles
 				'L_ACTION'	=> $this->user->lang['EXPORT']
 			); */
 
-			// Uninstall
-			$actions[] = array(
-				'U_ACTION'	=> $this->u_action . '&action=uninstall&hash=' . generate_link_hash('uninstall') . '&id=' . $style['style_id'],
-				'L_ACTION'	=> $this->user->lang['STYLE_UNINSTALL']
-			);
+			if ($style['style_name'] !== 'prosilver')
+			{
+				// Uninstall
+				$actions[] = array(
+					'U_ACTION'	=> $this->u_action . '&action=uninstall&hash=' . generate_link_hash('uninstall') . '&id=' . $style['style_id'],
+					'L_ACTION'	=> $this->user->lang['STYLE_UNINSTALL']
+				);
+			}
 
 			// Preview
 			$actions[] = array(
@@ -1123,7 +1139,14 @@ class acp_styles
 	*/
 	protected function read_style_cfg($dir)
 	{
+		// This should never happen, we give them a red warning because of its relevance.
+		if (!file_exists($this->styles_path . $dir . '/style.cfg'))
+		{
+			trigger_error($this->user->lang('NO_STYLE_CFG', $dir), E_USER_WARNING);
+		}
+
 		static $required = array('name', 'phpbb_version', 'copyright');
+
 		$cfg = parse_cfg_file($this->styles_path . $dir . '/style.cfg');
 
 		// Check if it is a valid file

phpBB/includes/acp/acp_update.php

@@ -59,17 +59,19 @@ class acp_update
 
 		$update_link = $phpbb_root_path . 'install/app.' . $phpEx;
 
-		$template->assign_vars(array(
-			'S_UP_TO_DATE'			=> empty($updates_available),
-			'U_ACTION'				=> $this->u_action,
-			'U_VERSIONCHECK_FORCE'	=> append_sid($this->u_action . '&versioncheck_force=1'),
+		$template_ary = [
+			'S_UP_TO_DATE'				=> empty($updates_available),
+			'U_ACTION'					=> $this->u_action,
+			'U_VERSIONCHECK_FORCE'		=> append_sid($this->u_action . '&versioncheck_force=1'),
 
-			'CURRENT_VERSION'		=> $config['version'],
+			'CURRENT_VERSION'			=> $config['version'],
 
-			'UPDATE_INSTRUCTIONS'	=> sprintf($user->lang['UPDATE_INSTRUCTIONS'], $update_link),
+			'UPDATE_INSTRUCTIONS'		=> $user->lang('UPDATE_INSTRUCTIONS', $update_link),
 			'S_VERSION_UPGRADEABLE'		=> !empty($upgrades_available),
 			'UPGRADE_INSTRUCTIONS'		=> !empty($upgrades_available) ? $user->lang('UPGRADE_INSTRUCTIONS', $upgrades_available['current'], $upgrades_available['announcement']) : false,
-		));
+		];
+
+		$template->assign_vars($template_ary);
 
 		// Incomplete update?
 		if (phpbb_version_compare($config['version'], PHPBB_VERSION, '<'))

phpBB/includes/acp/acp_users.php

@@ -24,9 +24,9 @@ class acp_users
 	var $u_action;
 	var $p_master;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)
@@ -855,7 +855,7 @@ class acp_users
 						$check_ary += array(
 							'username'			=> array(
 								array('string', false, $config['min_name_chars'], $config['max_name_chars']),
-								array('username', $user_row['username'])
+								array('username', $user_row['username'], true)
 							),
 						);
 					}

phpBB/includes/bbcode.php

@@ -35,9 +35,18 @@ class bbcode
 
 	/**
 	* Constructor
-	* Init bbcode cache entries if bitfield is specified
 	*/
 	function __construct($bitfield = '')
+	{
+		$this->bbcode_set_bitfield($bitfield);
+	}
+
+	/**
+	* Init bbcode cache entries if bitfield is specified
+	*
+	* @param	string	$bbcode_bitfield	The bbcode bitfield
+	*/
+	function bbcode_set_bitfield($bitfield = '')
 	{
 		if ($bitfield)
 		{

phpBB/includes/compatibility_globals.php

@@ -29,7 +29,7 @@ function register_compatibility_globals()
 {
 	global $phpbb_container;
 
-	global $cache, $phpbb_dispatcher, $request, $user, $auth, $db, $config, $phpbb_log;
+	global $cache, $phpbb_dispatcher, $request, $user, $auth, $db, $config, $language, $phpbb_log;
 	global $symfony_request, $phpbb_filesystem, $phpbb_path_helper, $phpbb_extension_manager, $template;
 
 	// set up caching
@@ -48,6 +48,9 @@ function register_compatibility_globals()
 	/* @var $user \phpbb\user */
 	$user = $phpbb_container->get('user');
 
+	/* @var \phpbb\language\language $language */
+	$language = $phpbb_container->get('language');
+
 	/* @var $auth \phpbb\auth\auth */
 	$auth = $phpbb_container->get('auth');
 

phpBB/includes/constants.php

@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-@define('PHPBB_VERSION', '3.2.4-RC1');
+@define('PHPBB_VERSION', '3.2.9');
 
 // QA-related
 // define('PHPBB_QA', 1);

phpBB/includes/functions.php

@@ -115,7 +115,7 @@ function gen_rand_string_friendly($num_chars = 8)
 */
 function unique_id()
 {
-	return gen_rand_string(32);
+	return strtolower(gen_rand_string(16));
 }
 
 /**
@@ -680,8 +680,6 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $
 				}
 			}
 		}
-
-		return;
 	}
 	else if ($mode == 'topics')
 	{
@@ -808,8 +806,6 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $
 
 			unset($tracking);
 		}
-
-		return;
 	}
 	else if ($mode == 'topic')
 	{
@@ -923,8 +919,6 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $
 			$user->set_cookie('track', tracking_serialize($tracking), $post_time + 31536000);
 			$request->overwrite($config['cookie_name'] . '_track', tracking_serialize($tracking), \phpbb\request\request_interface::COOKIE);
 		}
-
-		return;
 	}
 	else if ($mode == 'post')
 	{
@@ -949,9 +943,28 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $
 
 			$db->sql_return_on_error(false);
 		}
-
-		return;
 	}
+
+	/**
+	 * This event is used for performing actions directly after forums,
+	 * topics or posts have been marked as read.
+	 *
+	 * @event core.markread_after
+	 * @var	string		mode				Variable containing marking mode value
+	 * @var	mixed		forum_id			Variable containing forum id, or false
+	 * @var	mixed		topic_id			Variable containing topic id, or false
+	 * @var	int			post_time			Variable containing post time
+	 * @var	int			user_id				Variable containing the user id
+	 * @since 3.2.6-RC1
+	 */
+	$vars = array(
+		'mode',
+		'forum_id',
+		'topic_id',
+		'post_time',
+		'user_id',
+	);
+	extract($phpbb_dispatcher->trigger_event('core.markread_after', compact($vars)));
 }
 
 /**
@@ -1830,27 +1843,6 @@ function redirect($url, $return = false, $disable_cd_check = false)
 		garbage_collection();
 	}
 
-	// Redirect via an HTML form for PITA webservers
-	if (@preg_match('#WebSTAR|Xitami#', getenv('SERVER_SOFTWARE')))
-	{
-		header('Refresh: 0; URL=' . $url);
-
-		echo '<!DOCTYPE html>';
-		echo '<html dir="' . $user->lang['DIRECTION'] . '" lang="' . $user->lang['USER_LANG'] . '">';
-		echo '<head>';
-		echo '<meta charset="utf-8">';
-		echo '<meta http-equiv="X-UA-Compatible" content="IE=edge">';
-		echo '<meta http-equiv="refresh" content="0; url=' . str_replace('&', '&amp;', $url) . '" />';
-		echo '<title>' . $user->lang['REDIRECT'] . '</title>';
-		echo '</head>';
-		echo '<body>';
-		echo '<div style="text-align: center;">' . sprintf($user->lang['URL_REDIRECT'], '<a href="' . str_replace('&', '&amp;', $url) . '">', '</a>') . '</div>';
-		echo '</body>';
-		echo '</html>';
-
-		exit;
-	}
-
 	// Behave as per HTTP/1.1 spec for others
 	header('Location: ' . $url);
 	exit;
@@ -2130,25 +2122,29 @@ function check_form_key($form_name, $timespan = false)
 /**
 * Build Confirm box
 * @param boolean $check True for checking if confirmed (without any additional parameters) and false for displaying the confirm box
-* @param string $title Title/Message used for confirm box.
+* @param string|array $title Title/Message used for confirm box.
 *		message text is _CONFIRM appended to title.
 *		If title cannot be found in user->lang a default one is displayed
 *		If title_CONFIRM cannot be found in user->lang the text given is used.
+*       If title is an array, the first array value is used as explained per above,
+*       all other array values are sent as parameters to the language function.
 * @param string $hidden Hidden variables
 * @param string $html_body Template used for confirm box
 * @param string $u_action Custom form action
+*
+* @return bool True if confirmation was successful, false if not
 */
 function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_body.html', $u_action = '')
 {
 	global $user, $template, $db, $request;
-	global $config, $phpbb_path_helper;
+	global $config, $language, $phpbb_path_helper, $phpbb_dispatcher;
 
 	if (isset($_POST['cancel']))
 	{
 		return false;
 	}
 
-	$confirm = ($user->lang['YES'] === $request->variable('confirm', '', true, \phpbb\request\request_interface::POST));
+	$confirm = ($language->lang('YES') === $request->variable('confirm', '', true, \phpbb\request\request_interface::POST));
 
 	if ($check && $confirm)
 	{
@@ -2182,13 +2178,27 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo
 	// generate activation key
 	$confirm_key = gen_rand_string(10);
 
-	if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin'])
+	// generate language strings
+	if (is_array($title))
 	{
-		adm_page_header((!isset($user->lang[$title])) ? $user->lang['CONFIRM'] : $user->lang[$title]);
+		$key = array_shift($title);
+		$count = array_shift($title);
+		$confirm_title =  $language->is_set($key) ? $language->lang($key, $count, $title) : $language->lang('CONFIRM');
+		$confirm_text = $language->is_set($key . '_CONFIRM') ? $language->lang($key . '_CONFIRM', $count, $title) : $key;
 	}
 	else
 	{
-		page_header((!isset($user->lang[$title])) ? $user->lang['CONFIRM'] : $user->lang[$title]);
+		$confirm_title = $language->is_set($title) ? $language->lang($title) : $language->lang('CONFIRM');
+		$confirm_text = $language->is_set($title . '_CONFIRM') ? $language->lang($title . '_CONFIRM') : $title;
+	}
+
+	if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin'])
+	{
+		adm_page_header($confirm_title);
+	}
+	else
+	{
+		page_header($confirm_title);
 	}
 
 	$template->set_filenames(array(
@@ -2208,10 +2218,10 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo
 	$u_action .= ((strpos($u_action, '?') === false) ? '?' : '&amp;') . 'confirm_key=' . $confirm_key;
 
 	$template->assign_vars(array(
-		'MESSAGE_TITLE'		=> (!isset($user->lang[$title])) ? $user->lang['CONFIRM'] : $user->lang($title, 1),
-		'MESSAGE_TEXT'		=> (!isset($user->lang[$title . '_CONFIRM'])) ? $title : $user->lang[$title . '_CONFIRM'],
+		'MESSAGE_TITLE'		=> $confirm_title,
+		'MESSAGE_TEXT'		=> $confirm_text,
 
-		'YES_VALUE'			=> $user->lang['YES'],
+		'YES_VALUE'			=> $language->lang('YES'),
 		'S_CONFIRM_ACTION'	=> $u_action,
 		'S_HIDDEN_FIELDS'	=> $hidden . $s_hidden_fields,
 		'S_AJAX_REQUEST'	=> $request->is_ajax(),
@@ -2224,16 +2234,36 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo
 	if ($request->is_ajax())
 	{
 		$u_action .= '&confirm_uid=' . $user->data['user_id'] . '&sess=' . $user->session_id . '&sid=' . $user->session_id;
-		$json_response = new \phpbb\json_response;
-		$json_response->send(array(
+		$data = array(
 			'MESSAGE_BODY'		=> $template->assign_display('body'),
-			'MESSAGE_TITLE'		=> (!isset($user->lang[$title])) ? $user->lang['CONFIRM'] : $user->lang[$title],
-			'MESSAGE_TEXT'		=> (!isset($user->lang[$title . '_CONFIRM'])) ? $title : $user->lang[$title . '_CONFIRM'],
+			'MESSAGE_TITLE'		=> $confirm_title,
+			'MESSAGE_TEXT'		=> $confirm_text,
 
-			'YES_VALUE'			=> $user->lang['YES'],
+			'YES_VALUE'			=> $language->lang('YES'),
 			'S_CONFIRM_ACTION'	=> str_replace('&amp;', '&', $u_action), //inefficient, rewrite whole function
 			'S_HIDDEN_FIELDS'	=> $hidden . $s_hidden_fields
-		));
+		);
+
+		/**
+		 * This event allows an extension to modify the ajax output of confirm box.
+		 *
+		 * @event core.confirm_box_ajax_before
+		 * @var string	u_action		Action of the form
+		 * @var array	data			Data to be sent
+		 * @var string	hidden			Hidden fields generated by caller
+		 * @var string	s_hidden_fields	Hidden fields generated by this function
+		 * @since 3.2.8-RC1
+		 */
+		$vars = array(
+			'u_action',
+			'data',
+			'hidden',
+			's_hidden_fields',
+		);
+		extract($phpbb_dispatcher->trigger_event('core.confirm_box_ajax_before', compact($vars)));
+
+		$json_response = new \phpbb\json_response;
+		$json_response->send($data);
 	}
 
 	if (defined('IN_ADMIN') && isset($user->data['session_admin']) && $user->data['session_admin'])
@@ -2244,6 +2274,8 @@ function confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_bo
 	{
 		page_footer();
 	}
+
+	exit; // unreachable, page_footer() above will call exit()
 }
 
 /**
@@ -2255,6 +2287,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 	global $request, $phpbb_container, $phpbb_dispatcher, $phpbb_log;
 
 	$err = '';
+	$form_name = 'login';
 
 	// Make sure user->setup() has been called
 	if (!$user->is_setup())
@@ -2330,8 +2363,19 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
 		}
 
-		// If authentication is successful we redirect user to previous page
-		$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		// Check form key
+		if ($password && !defined('IN_CHECK_BAN') && !check_form_key($form_name))
+		{
+			$result = array(
+				'status' => false,
+				'error_msg' => 'FORM_INVALID',
+			);
+		}
+		else
+		{
+			// If authentication is successful we redirect user to previous page
+			$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		}
 
 		// If admin authentication and login, we will log if it was a success or not...
 		// We also break the operation on the first non-success login - it could be argued that the user already knows
@@ -4081,9 +4125,9 @@ function phpbb_get_user_avatar($user_row, $alt = 'USER_AVATAR', $ignore_config =
 *
 * @return string Avatar html
 */
-function phpbb_get_group_avatar($user_row, $alt = 'GROUP_AVATAR', $ignore_config = false, $lazy = false)
+function phpbb_get_group_avatar($group_row, $alt = 'GROUP_AVATAR', $ignore_config = false, $lazy = false)
 {
-	$row = \phpbb\avatar\manager::clean_row($user_row, 'group');
+	$row = \phpbb\avatar\manager::clean_row($group_row, 'group');
 	return phpbb_get_avatar($row, $alt, $ignore_config, $lazy);
 }
 
@@ -4388,6 +4432,23 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
 	$controller_helper = $phpbb_container->get('controller.helper');
 	$notification_mark_hash = generate_link_hash('mark_all_notifications_read');
 
+	$s_login_redirect = build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url())));
+
+	// Add form token for login box, in case page is presenting a login form.
+	add_form_key('login', '_LOGIN');
+
+	/**
+	 * Workaround for missing template variable in pre phpBB 3.2.6 styles.
+	 * @deprecated 3.2.7 (To be removed: 3.3.0-a1)
+	 */
+	$form_token_login = $template->retrieve_var('S_FORM_TOKEN_LOGIN');
+	if (!empty($form_token_login))
+	{
+		$s_login_redirect .= $form_token_login;
+		// Remove S_FORM_TOKEN_LOGIN as it's already appended to S_LOGIN_REDIRECT
+		$template->assign_var('S_FORM_TOKEN_LOGIN', '');
+	}
+
 	// The following assigns all _common_ variables that may be used at any point in a template.
 	$template->assign_vars(array(
 		'SITENAME'						=> $config['sitename'],
@@ -4477,7 +4538,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
 		'S_TOPIC_ID'			=> $topic_id,
 
 		'S_LOGIN_ACTION'		=> ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("{$phpbb_admin_path}index.$phpEx", false, true, $user->session_id)),
-		'S_LOGIN_REDIRECT'		=> build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url()))),
+		'S_LOGIN_REDIRECT'		=> $s_login_redirect,
 
 		'S_ENABLE_FEEDS'			=> ($config['feed_enable']) ? true : false,
 		'S_ENABLE_FEEDS_OVERALL'	=> ($config['feed_overall']) ? true : false,
@@ -4528,12 +4589,13 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
 
 	if ($send_headers)
 	{
-		// An array of http headers that phpbb will set. The following event may override these.
+		// An array of http headers that phpBB will set. The following event may override these.
 		$http_headers += array(
 			// application/xhtml+xml not used because of IE
 			'Content-type' => 'text/html; charset=UTF-8',
 			'Cache-Control' => 'private, no-cache="set-cookie"',
 			'Expires' => gmdate('D, d M Y H:i:s', time()) . ' GMT',
+			'Referrer-Policy' => 'strict-origin-when-cross-origin',
 		);
 		if (!empty($user->data['is_bot']))
 		{

phpBB/includes/functions_acp.php

@@ -112,12 +112,13 @@ function adm_page_header($page_title)
 		'CONTAINER_EXCEPTION'	=> $phpbb_container->hasParameter('container_exception') ? $phpbb_container->getParameter('container_exception') : false,
 	));
 
-	// An array of http headers that phpbb will set. The following event may override these.
+	// An array of http headers that phpBB will set. The following event may override these.
 	$http_headers = array(
 		// application/xhtml+xml not used because of IE
 		'Content-type' => 'text/html; charset=UTF-8',
 		'Cache-Control' => 'private, no-cache="set-cookie"',
 		'Expires' => gmdate('D, d M Y H:i:s', time()) . ' GMT',
+		'Referrer-Policy' => 'strict-origin-when-cross-origin',
 	);
 
 	/**
@@ -419,7 +420,7 @@ function build_cfg_template($tpl_type, $key, &$new_ary, $config_key, $vars)
 */
 function validate_config_vars($config_vars, &$cfg_array, &$error)
 {
-	global $phpbb_root_path, $user, $phpbb_dispatcher, $phpbb_filesystem;
+	global $phpbb_root_path, $user, $phpbb_dispatcher, $phpbb_filesystem, $language;
 
 	$type	= 0;
 	$min	= 1;
@@ -442,6 +443,16 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 		// Validate a bit. ;) (0 = type, 1 = min, 2= max)
 		switch ($validator[$type])
 		{
+			case 'url':
+				$cfg_array[$config_name] = trim($cfg_array[$config_name]);
+
+				if (!empty($cfg_array[$config_name]) && !preg_match('#^' . get_preg_expression('url') . '$#iu', $cfg_array[$config_name]))
+				{
+					$error[] = $language->lang('URL_INVALID', $language->lang($config_definition['lang']));
+				}
+
+			// no break here
+
 			case 'string':
 				$length = utf8_strlen($cfg_array[$config_name]);
 
@@ -564,9 +575,6 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 
 				$cfg_array[$config_name] = trim($destination);
 
-			// Absolute file path
-			case 'absolute_path':
-			case 'absolute_path_writable':
 			// Path being relative (still prefixed by phpbb_root_path), but with the ability to escape the root dir...
 			case 'path':
 			case 'wpath':
@@ -585,7 +593,7 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 					break;
 				}
 
-				$path = in_array($config_definition['validate'], array('wpath', 'path', 'rpath', 'rwpath')) ? $phpbb_root_path . $cfg_array[$config_name] : $cfg_array[$config_name];
+				$path = $phpbb_root_path . $cfg_array[$config_name];
 
 				if (!file_exists($path))
 				{
@@ -598,7 +606,7 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 				}
 
 				// Check if the path is writable
-				if ($config_definition['validate'] == 'wpath' || $config_definition['validate'] == 'rwpath' || $config_definition['validate'] === 'absolute_path_writable')
+				if ($config_definition['validate'] == 'wpath' || $config_definition['validate'] == 'rwpath')
 				{
 					if (file_exists($path) && !$phpbb_filesystem->is_writable($path))
 					{

phpBB/includes/functions_admin.php

@@ -543,6 +543,20 @@ function move_topics($topic_ids, $forum_id, $auto_sync = true)
 		$topic_ids = array($topic_ids);
 	}
 
+	/**
+	 * Perform additional actions before topics move
+	 *
+	 * @event core.move_topics_before
+	 * @var	array	topic_ids	Array of the moved topic ids
+	 * @var	string	forum_id	The forum id from where the topics are moved
+	 * @since 3.2.9-RC1
+	 */
+	$vars = array(
+		'topic_ids',
+		'forum_id',
+	);
+	extract($phpbb_dispatcher->trigger_event('core.move_topics_before', compact($vars)));
+
 	$sql = 'DELETE FROM ' . TOPICS_TABLE . '
 		WHERE ' . $db->sql_in_set('topic_moved_id', $topic_ids) . '
 			AND forum_id = ' . $forum_id;
@@ -593,6 +607,22 @@ function move_topics($topic_ids, $forum_id, $auto_sync = true)
 	}
 	unset($table_ary);
 
+	/**
+	 * Perform additional actions after topics move
+	 *
+	 * @event core.move_topics_after
+	 * @var	array	topic_ids	Array of the moved topic ids
+	 * @var	string	forum_id	The forum id from where the topics were moved
+	 * @var	array	forum_ids	Array of the forums where the topics were moved (includes also forum_id)
+	 * @since 3.2.9-RC1
+	 */
+	$vars = array(
+		'topic_ids',
+		'forum_id',
+		'forum_ids',
+	);
+	extract($phpbb_dispatcher->trigger_event('core.move_topics_after', compact($vars)));
+
 	if ($auto_sync)
 	{
 		sync('forum', 'forum_id', $forum_ids, true, true);
@@ -3042,6 +3072,8 @@ function tidy_database()
 	}
 	$db->sql_freeresult($result);
 
+	$db->sql_transaction('begin');
+
 	// Delete those rows from the acl tables not having listed the forums above
 	$sql = 'DELETE FROM ' . ACL_GROUPS_TABLE . '
 		WHERE ' . $db->sql_in_set('forum_id', $forum_ids, true);
@@ -3051,6 +3083,8 @@ function tidy_database()
 		WHERE ' . $db->sql_in_set('forum_id', $forum_ids, true);
 	$db->sql_query($sql);
 
+	$db->sql_transaction('commit');
+
 	$config->set('database_last_gc', time(), false);
 }
 

phpBB/includes/functions_compatibility.php

@@ -391,7 +391,7 @@ function request_var($var_name, $default, $multibyte = false, $cookie = false, $
  *
  * @deprecated 3.1.0 (To be removed: 3.3.0)
  */
-function get_tables(&$db)
+function get_tables($db)
 {
 	$db_tools_factory = new \phpbb\db\tools\factory();
 	$db_tools = $db_tools_factory->get($db);

phpBB/includes/functions_content.php

@@ -627,7 +627,7 @@ function generate_text_for_display($text, $uid, $bitfield, $flags, $censor_text
 			}
 			else
 			{
-				$bbcode->bbcode($bitfield);
+				$bbcode->bbcode_set_bitfield($bitfield);
 			}
 
 			$bbcode->bbcode_second_pass($text, $uid);
@@ -1482,6 +1482,8 @@ function truncate_string($string, $max_length = 60, $max_store_length = 255, $al
 * Get username details for placing into templates.
 * This function caches all modes on first call, except for no_profile and anonymous user - determined by $user_id.
 *
+* @html Username spans and links
+*
 * @param string $mode Can be profile (for getting an url to the profile), username (for obtaining the username), colour (for obtaining the user colour), full (for obtaining a html string representing a coloured link to the users profile) or no_profile (the same as full but forcing no profile link)
 * @param int $user_id The users id
 * @param string $username The users name
@@ -1501,6 +1503,7 @@ function get_username_string($mode, $user_id, $username, $username_colour = '',
 	{
 		global $phpbb_root_path, $phpEx;
 
+		/** @html Username spans and links for usage in the template */
 		$_profile_cache['base_url'] = append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=viewprofile&u={USER_ID}');
 		$_profile_cache['tpl_noprofile'] = '<span class="username">{USERNAME}</span>';
 		$_profile_cache['tpl_noprofile_colour'] = '<span style="color: {USERNAME_COLOUR};" class="username-coloured">{USERNAME}</span>';
@@ -1762,13 +1765,14 @@ class bitfield
 /**
  * Formats the quote according to the given BBCode status setting
  *
- * @param bool 						$bbcode_status The status of the BBCode setting
- * @param array 					$quote_attributes The attributes of the quoted post
- * @param phpbb\textformatter\utils $text_formatter_utils Text formatter utilities
- * @param parse_message 			$message_parser Message parser class
- * @param string 					$message_link Link of the original quoted post
+ * @param phpbb\language\language				$language Language class
+ * @param parse_message 						$message_parser Message parser class
+ * @param phpbb\textformatter\utils_interface	$text_formatter_utils Text formatter utilities
+ * @param bool 									$bbcode_status The status of the BBCode setting
+ * @param array 								$quote_attributes The attributes of the quoted post
+ * @param string 								$message_link Link of the original quoted post
  */
-function phpbb_format_quote($bbcode_status, $quote_attributes, $text_formatter_utils, $message_parser, $message_link = '')
+function phpbb_format_quote($language, $message_parser, $text_formatter_utils, $bbcode_status, $quote_attributes, $message_link = '')
 {
 	if ($bbcode_status)
 	{
@@ -1794,7 +1798,7 @@ function phpbb_format_quote($bbcode_status, $quote_attributes, $text_formatter_u
 		$message = $quote_string . $message;
 		$message = str_replace("\n", "\n" . $quote_string, $message);
 
-		$message_parser->message = $quote_attributes['author'] . " " . $user->lang['WROTE'] . ":\n" . $message . "\n";
+		$message_parser->message = $quote_attributes['author'] . " " . $language->lang('WROTE') . ":\n" . $message . "\n";
 	}
 
 	if ($message_link)

phpBB/includes/functions_display.php

@@ -70,7 +70,7 @@ function display_forums($root_data = '', $display_moderators = true, $return_mod
 				$data = array(
 					'NO_UNREAD_POSTS'	=> $user->lang['NO_UNREAD_POSTS'],
 					'UNREAD_POSTS'		=> $user->lang['UNREAD_POSTS'],
-					'U_MARK_FORUMS'		=> ($user->data['is_registered'] || $config['load_anon_lastread']) ? append_sid("{$phpbb_root_path}index.$phpEx", 'hash=' . generate_link_hash('global') . '&mark=forums&mark_time=' . time()) : '',
+					'U_MARK_FORUMS'		=> ($user->data['is_registered'] || $config['load_anon_lastread']) ? append_sid("{$phpbb_root_path}index.$phpEx", 'hash=' . generate_link_hash('global') . '&mark=forums&mark_time=' . time(), false) : '',
 					'MESSAGE_TITLE'		=> $user->lang['INFORMATION'],
 					'MESSAGE_TEXT'		=> $user->lang['FORUMS_MARKED']
 				);
@@ -355,7 +355,7 @@ function display_forums($root_data = '', $display_moderators = true, $return_mod
 				$data = array(
 					'NO_UNREAD_POSTS'	=> $user->lang['NO_UNREAD_POSTS'],
 					'UNREAD_POSTS'		=> $user->lang['UNREAD_POSTS'],
-					'U_MARK_FORUMS'		=> ($user->data['is_registered'] || $config['load_anon_lastread']) ? append_sid("{$phpbb_root_path}viewforum.$phpEx", 'hash=' . generate_link_hash('global') . '&f=' . $root_data['forum_id'] . '&mark=forums&mark_time=' . time()) : '',
+					'U_MARK_FORUMS'		=> ($user->data['is_registered'] || $config['load_anon_lastread']) ? append_sid("{$phpbb_root_path}viewforum.$phpEx", 'hash=' . generate_link_hash('global') . '&f=' . $root_data['forum_id'] . '&mark=forums&mark_time=' . time(), false) : '',
 					'MESSAGE_TITLE'		=> $user->lang['INFORMATION'],
 					'MESSAGE_TEXT'		=> $user->lang['FORUMS_MARKED']
 				);
@@ -539,7 +539,8 @@ function display_forums($root_data = '', $display_moderators = true, $return_mod
 		{
 			if ($row['forum_password_last_post'] === '' && $auth->acl_gets('f_read', 'f_list_topics', $row['forum_id_last_post']))
 			{
-				$last_post_subject = censor_text($row['forum_last_post_subject']);
+				$last_post_subject = utf8_decode_ncr(censor_text($row['forum_last_post_subject']));
+
 				$last_post_subject_truncated = truncate_string($last_post_subject, 30, 255, false, $user->lang['ELLIPSIS']);
 			}
 			else
@@ -547,11 +548,12 @@ function display_forums($root_data = '', $display_moderators = true, $return_mod
 				$last_post_subject = $last_post_subject_truncated = '';
 			}
 			$last_post_time = $user->format_date($row['forum_last_post_time']);
+			$last_post_time_rfc3339 = gmdate(DATE_RFC3339, $row['forum_last_post_time']);
 			$last_post_url = append_sid("{$phpbb_root_path}viewtopic.$phpEx", 'f=' . $row['forum_id_last_post'] . '&p=' . $row['forum_last_post_id']) . '#p' . $row['forum_last_post_id'];
 		}
 		else
 		{
-			$last_post_subject = $last_post_time = $last_post_url = $last_post_subject_truncated = '';
+			$last_post_subject = $last_post_time = $last_post_time_rfc3339 = $last_post_url = $last_post_subject_truncated = '';
 		}
 
 		// Output moderator listing ... if applicable
@@ -622,6 +624,7 @@ function display_forums($root_data = '', $display_moderators = true, $return_mod
 			'LAST_POST_SUBJECT'		=> $last_post_subject,
 			'LAST_POST_SUBJECT_TRUNCATED'	=> $last_post_subject_truncated,
 			'LAST_POST_TIME'		=> $last_post_time,
+			'LAST_POST_TIME_RFC3339'=> $last_post_time_rfc3339,
 			'LAST_POSTER'			=> get_username_string('username', $row['forum_last_poster_id'], $row['forum_last_poster_name'], $row['forum_last_poster_colour']),
 			'LAST_POSTER_COLOUR'	=> get_username_string('colour', $row['forum_last_poster_id'], $row['forum_last_poster_name'], $row['forum_last_poster_colour']),
 			'LAST_POSTER_FULL'		=> get_username_string('full', $row['forum_last_poster_id'], $row['forum_last_poster_name'], $row['forum_last_poster_colour']),
@@ -1117,7 +1120,6 @@ function display_custom_bbcodes()
 			'BBCODE_TAG'		=> $row['bbcode_tag'],
 			'BBCODE_TAG_CLEAN'	=> str_replace('=', '-', $row['bbcode_tag']),
 			'BBCODE_HELPLINE'	=> $row['bbcode_helpline'],
-			'A_BBCODE_HELPLINE'	=> str_replace(array('&amp;', '&quot;', "'", '&lt;', '&gt;'), array('&', '"', "\'", '<', '>'), $row['bbcode_helpline']),
 		);
 
 		/**
@@ -1241,6 +1243,7 @@ function display_user_activity(&$userdata_ary)
 	}
 
 	$userdata = $userdata_ary;
+	$show_user_activity = true;
 	/**
 	* Alter list of forums and topics to display as active
 	*
@@ -1248,9 +1251,11 @@ function display_user_activity(&$userdata_ary)
 	* @var	array	userdata						User's data
 	* @var	array	active_f_row					List of active forums
 	* @var	array	active_t_row					List of active posts
+	* @var	bool	show_user_activity				Show user forum and topic activity
 	* @since 3.1.0-RC3
+	* @changed 3.2.5-RC1 Added show_user_activity into event
 	*/
-	$vars = array('userdata', 'active_f_row', 'active_t_row');
+	$vars = array('userdata', 'active_f_row', 'active_t_row', 'show_user_activity');
 	extract($phpbb_dispatcher->trigger_event('core.display_user_activity_modify_actives', compact($vars)));
 	$userdata_ary = $userdata;
 	unset($userdata);
@@ -1287,7 +1292,7 @@ function display_user_activity(&$userdata_ary)
 		'ACTIVE_TOPIC_PCT'		=> sprintf($l_active_pct, $active_t_pct),
 		'U_ACTIVE_FORUM'		=> append_sid("{$phpbb_root_path}viewforum.$phpEx", 'f=' . $active_f_id),
 		'U_ACTIVE_TOPIC'		=> append_sid("{$phpbb_root_path}viewtopic.$phpEx", 't=' . $active_t_id),
-		'S_SHOW_ACTIVITY'		=> true)
+		'S_SHOW_ACTIVITY'		=> $show_user_activity)
 	);
 }
 

phpBB/includes/functions_download.php

@@ -196,7 +196,7 @@ function send_file_to_browser($attachment, $upload_dir, $category)
 	}
 
 	// Now the tricky part... let's dance
-	header('Cache-Control: public');
+	header('Cache-Control: private');
 
 	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
 	header('Content-Type: ' . $attachment['mimetype']);
@@ -451,7 +451,7 @@ function set_modified_headers($stamp, $browser)
 		{
 			send_status_line(304, 'Not Modified');
 			// seems that we need those too ... browsers
-			header('Cache-Control: public');
+			header('Cache-Control: private');
 			header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 31536000) . ' GMT');
 			return true;
 		}

phpBB/includes/functions_mcp.php

@@ -22,12 +22,12 @@ if (!defined('IN_PHPBB'))
 /**
 * Functions used to generate additional URL paramters
 */
-function phpbb_module__url($mode, &$module_row)
+function phpbb_module__url($mode, $module_row)
 {
 	return phpbb_extra_url();
 }
 
-function phpbb_module_notes_url($mode, &$module_row)
+function phpbb_module_notes_url($mode, $module_row)
 {
 	if ($mode == 'front')
 	{
@@ -38,7 +38,7 @@ function phpbb_module_notes_url($mode, &$module_row)
 	return ($user_id) ? "&u=$user_id" : '';
 }
 
-function phpbb_module_warn_url($mode, &$module_row)
+function phpbb_module_warn_url($mode, $module_row)
 {
 	if ($mode == 'front' || $mode == 'list')
 	{
@@ -64,27 +64,27 @@ function phpbb_module_warn_url($mode, &$module_row)
 	}
 }
 
-function phpbb_module_main_url($mode, &$module_row)
+function phpbb_module_main_url($mode, $module_row)
 {
 	return phpbb_extra_url();
 }
 
-function phpbb_module_logs_url($mode, &$module_row)
+function phpbb_module_logs_url($mode, $module_row)
 {
 	return phpbb_extra_url();
 }
 
-function phpbb_module_ban_url($mode, &$module_row)
+function phpbb_module_ban_url($mode, $module_row)
 {
 	return phpbb_extra_url();
 }
 
-function phpbb_module_queue_url($mode, &$module_row)
+function phpbb_module_queue_url($mode, $module_row)
 {
 	return phpbb_extra_url();
 }
 
-function phpbb_module_reports_url($mode, &$module_row)
+function phpbb_module_reports_url($mode, $module_row)
 {
 	return phpbb_extra_url();
 }

phpBB/includes/functions_messenger.php

@@ -181,10 +181,9 @@ class messenger
 	/**
 	* Adds X-AntiAbuse headers
 	*
-	* @param array $config		Configuration array
-	* @param user $user			A user object
-	*
-	* @return null
+	* @param \phpbb\config\config	$config		Config object
+	* @param \phpbb\user			$user		User object
+	* @return void
 	*/
 	function anti_abuse_headers($config, $user)
 	{
@@ -1582,6 +1581,14 @@ class smtp_class
 	*/
 	protected function starttls()
 	{
+		global $config;
+
+		// allow SMTPS (what was used by phpBB 3.0) if hostname is prefixed with tls:// or ssl://
+		if (strpos($config['smtp_host'], 'tls://') === 0 || strpos($config['smtp_host'], 'ssl://') === 0)
+		{
+			return true;
+		}
+
 		if (!function_exists('stream_socket_enable_crypto'))
 		{
 			return false;
@@ -1604,7 +1611,9 @@ class smtp_class
 
 		if (socket_set_blocking($this->socket, 1))
 		{
-			$result = stream_socket_enable_crypto($this->socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+			// https://secure.php.net/manual/en/function.stream-socket-enable-crypto.php#119122
+			$crypto = (phpbb_version_compare(PHP_VERSION, '5.6.7', '<')) ? STREAM_CRYPTO_METHOD_TLS_CLIENT : STREAM_CRYPTO_METHOD_SSLv23_CLIENT;
+			$result = stream_socket_enable_crypto($this->socket, true, $crypto);
 			socket_set_blocking($this->socket, (int) $stream_meta['blocked']);
 		}
 
@@ -1884,14 +1893,21 @@ function mail_encode($str, $eol = "\r\n")
 }
 
 /**
-* Wrapper for sending out emails with the PHP's mail function
-*/
+ * Wrapper for sending out emails with the PHP's mail function
+ */
 function phpbb_mail($to, $subject, $msg, $headers, $eol, &$err_msg)
 {
 	global $config, $phpbb_root_path, $phpEx;
 
-	// We use the EOL character for the OS here because the PHP mail function does not correctly transform line endings. On Windows SMTP is used (SMTP is \r\n), on UNIX a command is used...
-	// Reference: http://bugs.php.net/bug.php?id=15841
+	// Convert Numeric Character References to UTF-8 chars (ie. Emojis)
+	$subject = utf8_decode_ncr($subject);
+	$msg = utf8_decode_ncr($msg);
+
+	/**
+	 * We use the EOL character for the OS here because the PHP mail function does not correctly transform line endings.
+	 * On Windows SMTP is used (SMTP is \r\n), on UNIX a command is used...
+	 * Reference: http://bugs.php.net/bug.php?id=15841
+	 */
 	$headers = implode($eol, $headers);
 
 	if (!class_exists('\phpbb\error_collector'))
@@ -1902,10 +1918,14 @@ function phpbb_mail($to, $subject, $msg, $headers, $eol, &$err_msg)
 	$collector = new \phpbb\error_collector;
 	$collector->install();
 
-	// On some PHP Versions mail() *may* fail if there are newlines within the subject.
-	// Newlines are used as a delimiter for lines in mail_encode() according to RFC 2045 section 6.8.
-	// Because PHP can't decide what is wanted we revert back to the non-RFC-compliant way of separating by one space (Use '' as parameter to mail_encode() results in SPACE used)
+	/**
+	 * On some PHP Versions mail() *may* fail if there are newlines within the subject.
+	 * Newlines are used as a delimiter for lines in mail_encode() according to RFC 2045 section 6.8.
+	 * Because PHP can't decide what is wanted we revert back to the non-RFC-compliant way of separating by one space
+	 * (Use '' as parameter to mail_encode() results in SPACE used)
+	 */
 	$additional_parameters = $config['email_force_sender'] ? '-f' . $config['board_email'] : '';
+
 	$result = mail($to, mail_encode($subject, ''), wordwrap(utf8_wordwrap($msg), 997, "\n", true), $headers, $additional_parameters);
 
 	$collector->uninstall();

phpBB/includes/functions_posting.php

@@ -52,9 +52,29 @@ function generate_smilies($mode, $forum_id)
 
 		page_header($user->lang['SMILIES']);
 
-		$sql = 'SELECT COUNT(smiley_id) AS item_count
-			FROM ' . SMILIES_TABLE . '
-			GROUP BY smiley_url';
+		$sql_ary = [
+			'SELECT'	=> 'COUNT(s.smiley_id) AS item_count',
+			'FROM'		=> [
+				SMILIES_TABLE => 's',
+			],
+			'GROUP_BY'	=> 's.smiley_url',
+		];
+
+		/**
+		* Modify SQL query that fetches the total number of smilies in window mode
+		*
+		* @event core.generate_smilies_count_sql_before
+		* @var int		forum_id	Forum where smilies are generated
+		* @var array	sql_ary		Array with the SQL query
+		* @since 3.2.9-RC1
+		*/
+		$vars = [
+			'forum_id',
+			'sql_ary',
+		];
+		extract($phpbb_dispatcher->trigger_event('core.generate_smilies_count_sql_before', compact($vars)));
+
+		$sql = $db->sql_build_query('SELECT', $sql_ary);
 		$result = $db->sql_query($sql, 3600);
 
 		$smiley_count = 0;
@@ -114,6 +134,22 @@ function generate_smilies($mode, $forum_id)
 	}
 	$db->sql_freeresult($result);
 
+	/**
+	* Modify smilies before they are assigned to the template
+	*
+	* @event core.generate_smilies_modify_rowset
+	* @var string	mode		Smiley mode, either window or inline
+	* @var int		forum_id	Forum where smilies are generated
+	* @var array	smilies		Smiley rows fetched from the database
+	* @since 3.2.9-RC1
+	*/
+	$vars = [
+		'mode',
+		'forum_id',
+		'smilies',
+	];
+	extract($phpbb_dispatcher->trigger_event('core.generate_smilies_modify_rowset', compact($vars)));
+
 	if (count($smilies))
 	{
 		$root_path = (defined('PHPBB_USE_BOARD_URL_PATH') && PHPBB_USE_BOARD_URL_PATH) ? generate_board_url() . '/' : $phpbb_path_helper->get_web_root_path();
@@ -202,11 +238,13 @@ function update_post_information($type, $ids, $return_update_sql = false)
 
 	if (count($ids) == 1)
 	{
-		$sql = 'SELECT MAX(p.post_id) as last_post_id
+		$sql = 'SELECT p.post_id as last_post_id
 			FROM ' . POSTS_TABLE . " p $topic_join
 			WHERE " . $db->sql_in_set('p.' . $type . '_id', $ids) . "
 				$topic_condition
-				AND p.post_visibility = " . ITEM_APPROVED;
+				AND p.post_visibility = " . ITEM_APPROVED . "
+			ORDER BY p.post_id DESC";
+		$result = $db->sql_query_limit($sql, 1);
 	}
 	else
 	{
@@ -216,8 +254,8 @@ function update_post_information($type, $ids, $return_update_sql = false)
 				$topic_condition
 				AND p.post_visibility = " . ITEM_APPROVED . "
 			GROUP BY p.{$type}_id";
+		$result = $db->sql_query($sql);
 	}
-	$result = $db->sql_query($sql);
 
 	$last_post_ids = array();
 	while ($row = $db->sql_fetchrow($result))
@@ -519,7 +557,7 @@ function get_supported_image_types($type = false)
 */
 function create_thumbnail($source, $destination, $mimetype)
 {
-	global $config, $phpbb_filesystem;
+	global $config, $phpbb_filesystem, $phpbb_dispatcher;
 
 	$min_filesize = (int) $config['img_min_thumb_filesize'];
 	$img_filesize = (file_exists($source)) ? @filesize($source) : false;
@@ -551,25 +589,31 @@ function create_thumbnail($source, $destination, $mimetype)
 		return false;
 	}
 
-	$used_imagick = false;
+	$thumbnail_created = false;
 
-	// Only use ImageMagick if defined and the passthru function not disabled
-	if ($config['img_imagick'] && function_exists('passthru'))
-	{
-		if (substr($config['img_imagick'], -1) !== '/')
-		{
-			$config['img_imagick'] .= '/';
-		}
+	/**
+	 * Create thumbnail event to replace GD thumbnail creation with for example ImageMagick
+	 *
+	 * @event core.thumbnail_create_before
+	 * @var	string	source				Image source path
+	 * @var	string	destination			Thumbnail destination path
+	 * @var	string	mimetype			Image mime type
+	 * @var	float	new_width			Calculated thumbnail width
+	 * @var	float	new_height			Calculated thumbnail height
+	 * @var	bool	thumbnail_created	Set to true to skip default GD thumbnail creation
+	 * @since 3.2.4
+	 */
+	$vars = array(
+		'source',
+		'destination',
+		'mimetype',
+		'new_width',
+		'new_height',
+		'thumbnail_created',
+	);
+	extract($phpbb_dispatcher->trigger_event('core.thumbnail_create_before', compact($vars)));
 
-		@passthru(escapeshellcmd($config['img_imagick']) . 'convert' . ((defined('PHP_OS') && preg_match('#^win#i', PHP_OS)) ? '.exe' : '') . ' -quality 85 -geometry ' . $new_width . 'x' . $new_height . ' "' . str_replace('\\', '/', $source) . '" "' . str_replace('\\', '/', $destination) . '"');
-
-		if (file_exists($destination))
-		{
-			$used_imagick = true;
-		}
-	}
-
-	if (!$used_imagick)
+	if (!$thumbnail_created)
 	{
 		$type = get_supported_image_types($type);
 
@@ -970,6 +1014,30 @@ function topic_review($topic_id, $forum_id, $mode = 'topic_review', $cur_post_id
 			AND u.user_id = p.poster_id',
 	);
 
+	/**
+	* Event to modify the SQL query for topic reviews
+	*
+	* @event core.topic_review_modify_sql_ary
+	* @var	int		topic_id			The topic ID that is being reviewed
+	* @var	int		forum_id			The topic's forum ID
+	* @var	string	mode				The topic review mode
+	* @var	int		cur_post_id			Post offset ID
+	* @var	bool	show_quote_button	Flag indicating if the quote button should be displayed
+	* @var	array	post_list			Array with the post IDs
+	* @var	array	sql_ary				Array with the SQL query
+	* @since 3.2.8-RC1
+	*/
+	$vars = array(
+		'topic_id',
+		'forum_id',
+		'mode',
+		'cur_post_id',
+		'show_quote_button',
+		'post_list',
+		'sql_ary',
+	);
+	extract($phpbb_dispatcher->trigger_event('core.topic_review_modify_sql_ary', compact($vars)));
+
 	$sql = $db->sql_build_query('SELECT', $sql_ary);
 	$result = $db->sql_query($sql);
 
@@ -1276,6 +1344,7 @@ function delete_post($forum_id, $topic_id, $post_id, &$data, $is_soft = false, $
 				delete_topics('topic_id', array($topic_id), false);
 
 				$phpbb_content_visibility->remove_topic_from_statistic($data, $sql_data);
+				$config->increment('num_posts', -1, false);
 
 				$update_sql = update_post_information('forum', $forum_id, true);
 				if (count($update_sql))
@@ -2046,6 +2115,11 @@ function submit_post($mode, $subject, $username, $topic_type, &$poll_ary, &$data
 				continue;
 			}
 
+			if (preg_match('/[\x{10000}-\x{10FFFF}]/u', $attach_row['attach_comment']))
+			{
+				trigger_error('ATTACH_COMMENT_NO_EMOJIS');
+			}
+
 			if (!$attach_row['is_orphan'])
 			{
 				// update entry in db if attachment already stored in db and filespace

phpBB/includes/functions_privmsgs.php

@@ -490,7 +490,7 @@ function place_pm_into_folder(&$global_privmsgs_rules, $release = false)
 				'bcc'				=> explode(':', $row['bcc_address']),
 				'friend'			=> (isset($zebra[$row['author_id']])) ? $zebra[$row['author_id']]['friend'] : 0,
 				'foe'				=> (isset($zebra[$row['author_id']])) ? $zebra[$row['author_id']]['foe'] : 0,
-				'user_in_group'		=> array($user->data['group_id']),
+				'user_in_group'		=> $user->data['group_id'],
 				'author_in_group'	=> array())
 			);
 
@@ -1966,7 +1966,7 @@ function submit_pm($mode, $subject, &$data_ary, $put_in_outbox = true)
 */
 function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode = false)
 {
-	global $db, $user, $template, $phpbb_root_path, $phpEx, $auth;
+	global $db, $user, $template, $phpbb_root_path, $phpEx, $auth, $phpbb_dispatcher;
 
 	// Select all receipts and the author from the pm we currently view, to only display their pm-history
 	$sql = 'SELECT author_id, user_id
@@ -1985,9 +1985,7 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
 	$recipients = array_unique($recipients);
 
 	// Get History Messages (could be newer)
-	$sql = 'SELECT t.*, p.*, u.*
-		FROM ' . PRIVMSGS_TABLE . ' p, ' . PRIVMSGS_TO_TABLE . ' t, ' . USERS_TABLE . ' u
-		WHERE t.msg_id = p.msg_id
+	$sql_where = 't.msg_id = p.msg_id
 			AND p.author_id = u.user_id
 			AND t.folder_id NOT IN (' . PRIVMSGS_NO_BOX . ', ' . PRIVMSGS_HOLD_BOX . ')
 			AND ' . $db->sql_in_set('t.author_id', $recipients, false, true) . "
@@ -1998,13 +1996,37 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
 
 	if (!$message_row['root_level'])
 	{
-		$sql .= " AND (p.root_level = $msg_id OR (p.root_level = 0 AND p.msg_id = $msg_id))";
+		$sql_where .= " AND (p.root_level = $msg_id OR (p.root_level = 0 AND p.msg_id = $msg_id))";
 	}
 	else
 	{
-		$sql .= " AND (p.root_level = " . $message_row['root_level'] . ' OR p.msg_id = ' . $message_row['root_level'] . ')';
+		$sql_where .= " AND (p.root_level = " . $message_row['root_level'] . ' OR p.msg_id = ' . $message_row['root_level'] . ')';
 	}
-	$sql .= ' ORDER BY p.message_time DESC';
+
+	$sql_ary = array(
+		'SELECT'	=> 't.*, p.*, u.*',
+		'FROM'		=> array(
+			PRIVMSGS_TABLE		=> 'p',
+			PRIVMSGS_TO_TABLE	=> 't',
+			USERS_TABLE			=> 'u'
+		),
+		'LEFT_JOIN'	=> array(),
+		'WHERE'		=> $sql_where,
+		'ORDER_BY'	=> 'p.message_time DESC',
+	);
+
+	/**
+	* Event to modify the SQL query before the message history in private message is queried
+	*
+	* @event core.message_history_modify_sql_ary
+	* @var	array	sql_ary		The SQL array to get the data of the message history in private message
+	* @since 3.2.8-RC1
+	*/
+	$vars = array('sql_ary');
+	extract($phpbb_dispatcher->trigger_event('core.message_history_modify_sql_ary', compact($vars)));
+
+	$sql = $db->sql_build_query('SELECT', $sql_ary);
+	unset($sql_ary);
 
 	$result = $db->sql_query($sql);
 	$row = $db->sql_fetchrow($result);
@@ -2087,7 +2109,7 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
 			$previous_history_pm = $prev_id;
 		}
 
-		$template->assign_block_vars('history_row', array(
+		$template_vars = array(
 			'MESSAGE_AUTHOR_QUOTE'		=> (($decoded_message) ? addslashes(get_username_string('username', $author_id, $row['username'], $row['user_colour'], $row['username'])) : ''),
 			'MESSAGE_AUTHOR_FULL'		=> get_username_string('full', $author_id, $row['username'], $row['user_colour'], $row['username']),
 			'MESSAGE_AUTHOR_COLOUR'		=> get_username_string('colour', $author_id, $row['username'], $row['user_colour'], $row['username']),
@@ -2109,8 +2131,25 @@ function message_history($msg_id, $user_id, $message_row, $folder, $in_post_mode
 			'USER_ID'			=> $row['user_id'],
 			'U_VIEW_MESSAGE'	=> "$url&f=$folder_id&p=" . $row['msg_id'],
 			'U_QUOTE'			=> (!$in_post_mode && $auth->acl_get('u_sendpm') && $author_id != ANONYMOUS) ? "$url&mode=compose&action=quote&f=" . $folder_id . "&p=" . $row['msg_id'] : '',
-			'U_POST_REPLY_PM'	=> ($author_id != $user->data['user_id'] && $author_id != ANONYMOUS && $auth->acl_get('u_sendpm')) ? "$url&mode=compose&action=reply&f=$folder_id&p=" . $row['msg_id'] : '')
+			'U_POST_REPLY_PM'	=> ($author_id != $user->data['user_id'] && $author_id != ANONYMOUS && $auth->acl_get('u_sendpm')) ? "$url&mode=compose&action=reply&f=$folder_id&p=" . $row['msg_id'] : ''
 		);
+
+		/**
+		* Modify the template vars for displaying the message history in private message
+		*
+		* @event core.message_history_modify_template_vars
+		* @var array	template_vars		Array containing the query
+		* @var array	row					Array containing the action user row
+		* @since 3.2.8-RC1
+		*/
+		$vars = array(
+			'template_vars',
+			'row',
+		);
+		extract($phpbb_dispatcher->trigger_event('core.message_history_modify_template_vars', compact($vars)));
+
+		$template->assign_block_vars('history_row', $template_vars);
+
 		unset($rowset[$i]);
 		$prev_id = $id;
 	}

phpBB/includes/functions_user.php

@@ -26,8 +26,10 @@ if (!defined('IN_PHPBB'))
 * @param array &$user_id_ary The user ids to check or empty if usernames used
 * @param array &$username_ary The usernames to check or empty if user ids used
 * @param mixed $user_type Array of user types to check, false if not restricting by user type
+* @param boolean $update_references If false, the supplied array is unset and appears unchanged from where it was called
+* @return boolean|string Returns false on success, error string on failure
 */
-function user_get_id_name(&$user_id_ary, &$username_ary, $user_type = false)
+function user_get_id_name(&$user_id_ary, &$username_ary, $user_type = false, $update_references = false)
 {
 	global $db;
 
@@ -50,7 +52,13 @@ function user_get_id_name(&$user_id_ary, &$username_ary, $user_type = false)
 	}
 
 	$sql_in = ($which_ary == 'user_id_ary') ? array_map('intval', ${$which_ary}) : array_map('utf8_clean_string', ${$which_ary});
-	unset(${$which_ary});
+
+	// By unsetting the array here, the values passed in at the point user_get_id_name() was called will be retained.
+	// Otherwise, if we don't unset (as the array was passed by reference) the original array will be updated below.
+	if ($update_references === false)
+	{
+		unset(${$which_ary});
+	}
 
 	$user_id_ary = $username_ary = array();
 
@@ -666,8 +674,30 @@ function user_delete($mode, $user_ids, $retain_username = true)
 		delete_posts('poster_id', $user_ids);
 	}
 
-	$table_ary = array(USERS_TABLE, USER_GROUP_TABLE, TOPICS_WATCH_TABLE, FORUMS_WATCH_TABLE, ACL_USERS_TABLE, TOPICS_TRACK_TABLE, TOPICS_POSTED_TABLE, FORUMS_TRACK_TABLE, PROFILE_FIELDS_DATA_TABLE, MODERATOR_CACHE_TABLE, DRAFTS_TABLE, BOOKMARKS_TABLE, SESSIONS_KEYS_TABLE, PRIVMSGS_FOLDER_TABLE, PRIVMSGS_RULES_TABLE, $phpbb_container->getParameter('tables.auth_provider_oauth_token_storage'), $phpbb_container->getParameter('tables.auth_provider_oauth_states'), $phpbb_container->getParameter('tables.auth_provider_oauth_account_assoc'));
+	$table_ary = [
+		USERS_TABLE,
+		USER_GROUP_TABLE,
+		TOPICS_WATCH_TABLE,
+		FORUMS_WATCH_TABLE,
+		ACL_USERS_TABLE,
+		TOPICS_TRACK_TABLE,
+		TOPICS_POSTED_TABLE,
+		FORUMS_TRACK_TABLE,
+		PROFILE_FIELDS_DATA_TABLE,
+		MODERATOR_CACHE_TABLE,
+		DRAFTS_TABLE,
+		BOOKMARKS_TABLE,
+		SESSIONS_KEYS_TABLE,
+		PRIVMSGS_FOLDER_TABLE,
+		PRIVMSGS_RULES_TABLE,
+		$phpbb_container->getParameter('tables.auth_provider_oauth_token_storage'),
+		$phpbb_container->getParameter('tables.auth_provider_oauth_states'),
+		$phpbb_container->getParameter('tables.auth_provider_oauth_account_assoc'),
+		$phpbb_container->getParameter('tables.user_notifications')
+	];
 
+	// Ignore errors on deleting from non-existent tables, e.g. when migrating
+	$db->sql_return_on_error(true);
 	// Delete the miscellaneous (non-post) data for the user
 	foreach ($table_ary as $table)
 	{
@@ -675,6 +705,7 @@ function user_delete($mode, $user_ids, $retain_username = true)
 			WHERE " . $user_id_sql;
 		$db->sql_query($sql);
 	}
+	$db->sql_return_on_error();
 
 	$cache->destroy('sql', MODERATOR_CACHE_TABLE);
 
@@ -1687,17 +1718,21 @@ function phpbb_validate_timezone($timezone)
 	return (in_array($timezone, phpbb_get_timezone_identifiers($timezone))) ? false : 'TIMEZONE_INVALID';
 }
 
-/**
-* Check to see if the username has been taken, or if it is disallowed.
-* Also checks if it includes the " character, which we don't allow in usernames.
-* Used for registering, changing names, and posting anonymously with a username
-*
-* @param string $username The username to check
-* @param string $allowed_username An allowed username, default being $user->data['username']
-*
-* @return	mixed	Either false if validation succeeded or a string which will be used as the error message (with the variable name appended)
-*/
-function validate_username($username, $allowed_username = false)
+/***
+ * Validate Username
+ *
+ * Check to see if the username has been taken, or if it is disallowed.
+ * Also checks if it includes the " character or the 4-bytes Unicode ones
+ * (aka emojis) which we don't allow in usernames.
+ * Used for registering, changing names, and posting anonymously with a username
+ *
+ * @param string	$username				The username to check
+ * @param string	$allowed_username		An allowed username, default being $user->data['username']
+ *
+ * @return mixed							Either false if validation succeeded or a string which will be
+ *											used as the error message (with the variable name appended)
+ */
+function validate_username($username, $allowed_username = false, $allow_all_names = false)
 {
 	global $config, $db, $user, $cache;
 
@@ -1709,6 +1744,14 @@ function validate_username($username, $allowed_username = false)
 		return false;
 	}
 
+	// The very first check is for
+	// out-of-bounds characters that are currently
+	// not supported by utf8_bin in MySQL
+	if (preg_match('/[\x{10000}-\x{10FFFF}]/u', $username))
+	{
+		return 'INVALID_EMOJIS';
+	}
+
 	// ... fast checks first.
 	if (strpos($username, '"') !== false || strpos($username, '"') !== false || empty($clean_username))
 	{
@@ -1772,13 +1815,16 @@ function validate_username($username, $allowed_username = false)
 		return 'USERNAME_TAKEN';
 	}
 
-	$bad_usernames = $cache->obtain_disallowed_usernames();
-
-	foreach ($bad_usernames as $bad_username)
+	if (!$allow_all_names)
 	{
-		if (preg_match('#^' . $bad_username . '$#', $clean_username))
+		$bad_usernames = $cache->obtain_disallowed_usernames();
+
+		foreach ($bad_usernames as $bad_username)
 		{
-			return 'USERNAME_DISALLOWED';
+			if (preg_match('#^' . $bad_username . '$#', $clean_username))
+			{
+				return 'USERNAME_DISALLOWED';
+			}
 		}
 	}
 
@@ -1899,9 +1945,10 @@ function validate_user_email($email, $allowed_email = false)
 		return $validate_email;
 	}
 
-	if (($ban_reason = $user->check_ban(false, false, $email, true)) !== false)
+	$ban = $user->check_ban(false, false, $email, true);
+	if (!empty($ban))
 	{
-		return ($ban_reason === true) ? 'EMAIL_BANNED' : $ban_reason;
+		return !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED';
 	}
 
 	if (!$config['allow_emailreuse'])
@@ -2676,6 +2723,13 @@ function group_user_add($group_id, $user_id_ary = false, $username_ary = false,
 		return 'NO_USER';
 	}
 
+	// Because the item that gets passed into the previous function is unset, the reference is lost and our original
+	// array is retained - so we know there's a problem if there's a different number of ids to usernames now.
+	if (count($user_id_ary) != count($username_ary))
+	{
+		return 'GROUP_USERS_INVALID';
+	}
+
 	// Remove users who are already members of this group
 	$sql = 'SELECT user_id, group_leader
 		FROM ' . USER_GROUP_TABLE . '

phpBB/includes/mcp/mcp_ban.php

@@ -34,7 +34,10 @@ class mcp_ban
 		}
 
 		// Include the admin banning interface...
-		include($phpbb_root_path . 'includes/acp/acp_ban.' . $phpEx);
+		if (!class_exists('acp_ban'))
+		{
+			include($phpbb_root_path . 'includes/acp/acp_ban.' . $phpEx);
+		}
 
 		$bansubmit		= $request->is_set_post('bansubmit');
 		$unbansubmit	= $request->is_set_post('unbansubmit');
@@ -266,7 +269,7 @@ class mcp_ban
 		}
 		else if ($post_id)
 		{
-			$post_info = phpbb_get_post_data($post_id, 'm_ban');
+			$post_info = phpbb_get_post_data(array($post_id), 'm_ban');
 
 			if (count($post_info) && !empty($post_info[$post_id]))
 			{

phpBB/includes/mcp/mcp_front.php

@@ -290,7 +290,10 @@ function mcp_front_view($id, $mode, $action)
 
 		if ($total)
 		{
-			include($phpbb_root_path . 'includes/functions_privmsgs.' . $phpEx);
+			if (!function_exists('get_recipient_strings'))
+			{
+				include($phpbb_root_path . 'includes/functions_privmsgs.' . $phpEx);
+			}
 
 			$sql_ary = array(
 				'SELECT'	=> 'r.report_id, r.report_time, p.msg_id, p.message_subject, p.message_time, p.to_address, p.bcc_address, p.message_attachment, u.username, u.username_clean, u.user_colour, u.user_id, u2.username as author_name, u2.username_clean as author_name_clean, u2.user_colour as author_colour, u2.user_id as author_id',

phpBB/includes/mcp/mcp_logs.php

@@ -28,9 +28,9 @@ class mcp_logs
 	var $u_action;
 	var $p_master;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)

phpBB/includes/mcp/mcp_main.php

@@ -28,9 +28,9 @@ class mcp_main
 	var $p_master;
 	var $u_action;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)
@@ -41,6 +41,22 @@ class mcp_main
 
 		$quickmod = ($mode == 'quickmod') ? true : false;
 
+		/**
+		* Event to perform additional actions before an MCP action is executed.
+		*
+		* @event core.mcp_main_before
+		* @var	string	action				The action that is about to be performed
+		* @var	string	mode				The mode in which the MCP is accessed, e.g. front, forum_view, topic_view, post_details, quickmod
+		* @var	boolean	quickmod			Whether or not the action is performed via QuickMod
+		* @since 3.2.8-RC1
+		*/
+		$vars = [
+			'action',
+			'mode',
+			'quickmod',
+		];
+		extract($phpbb_dispatcher->trigger_event('core.mcp_main_before', compact($vars)));
+
 		switch ($action)
 		{
 			case 'lock':
@@ -174,7 +190,10 @@ class mcp_main
 		switch ($mode)
 		{
 			case 'front':
-				include($phpbb_root_path . 'includes/mcp/mcp_front.' . $phpEx);
+				if (!function_exists('mcp_front_view'))
+				{
+					include($phpbb_root_path . 'includes/mcp/mcp_front.' . $phpEx);
+				}
 
 				$user->add_lang('acp/common');
 
@@ -185,7 +204,10 @@ class mcp_main
 			break;
 
 			case 'forum_view':
-				include($phpbb_root_path . 'includes/mcp/mcp_forum.' . $phpEx);
+				if (!function_exists('mcp_forum_view'))
+				{
+					include($phpbb_root_path . 'includes/mcp/mcp_forum.' . $phpEx);
+				}
 
 				$user->add_lang('viewforum');
 
@@ -208,7 +230,10 @@ class mcp_main
 			break;
 
 			case 'topic_view':
-				include($phpbb_root_path . 'includes/mcp/mcp_topic.' . $phpEx);
+				if (!function_exists('mcp_topic_view'))
+				{
+					include($phpbb_root_path . 'includes/mcp/mcp_topic.' . $phpEx);
+				}
 
 				mcp_topic_view($id, $mode, $action);
 
@@ -217,7 +242,10 @@ class mcp_main
 			break;
 
 			case 'post_details':
-				include($phpbb_root_path . 'includes/mcp/mcp_post.' . $phpEx);
+				if (!function_exists('mcp_post_details'))
+				{
+					include($phpbb_root_path . 'includes/mcp/mcp_post.' . $phpEx);
+				}
 
 				mcp_post_details($id, $mode, $action);
 
@@ -366,7 +394,7 @@ function lock_unlock($action, $ids)
 */
 function change_topic_type($action, $topic_ids)
 {
-	global $user, $db, $request, $phpbb_log;
+	global $user, $db, $request, $phpbb_log, $phpbb_dispatcher;
 
 	switch ($action)
 	{
@@ -414,6 +442,25 @@ function change_topic_type($action, $topic_ids)
 
 	if (confirm_box(true))
 	{
+
+		/**
+		 * Perform additional actions before changing topic(s) type
+		 *
+		 * @event core.mcp_change_topic_type_before
+		 * @var	int		new_topic_type		The candidated topic type.
+		 * @var	int		forum_id			The forum ID for the topic ID(s).
+		 * @var	array	topic_ids			Array containing the topic ID(s) that will be changed
+		 * @since 3.2.6-RC1
+		 */
+		$vars = array(
+			'new_topic_type',
+			'forum_id',
+			'topic_ids',
+		);
+		extract($phpbb_dispatcher->trigger_event('core.mcp_change_topic_type_before', compact($vars)));
+
+		$db->sql_transaction('begin');
+
 		$sql = 'UPDATE ' . TOPICS_TABLE . "
 			SET topic_type = $new_topic_type
 			WHERE " . $db->sql_in_set('topic_id', $topic_ids);
@@ -425,13 +472,10 @@ function change_topic_type($action, $topic_ids)
 			$sql = 'DELETE FROM ' . TOPICS_TABLE . '
 				WHERE ' . $db->sql_in_set('topic_moved_id', $topic_ids);
 			$db->sql_query($sql);
-
-			$sql = 'UPDATE ' . TOPICS_TABLE . "
-				SET topic_type = $new_topic_type
-					WHERE " . $db->sql_in_set('topic_id', $topic_ids);
-			$db->sql_query($sql);
 		}
 
+		$db->sql_transaction('commit');
+
 		$success_msg = (count($topic_ids) == 1) ? 'TOPIC_TYPE_CHANGED' : 'TOPICS_TYPE_CHANGED';
 
 		if (count($topic_ids))
@@ -448,6 +492,22 @@ function change_topic_type($action, $topic_ids)
 			}
 		}
 
+		/**
+		 * Perform additional actions after changing topic types
+		 *
+		 * @event core.mcp_change_topic_type_after
+		 * @var	int		new_topic_type		The newly changed topic type.
+		 * @var	int		forum_id			The forum ID where the newly changed topic type belongs to.
+		 * @var	array	topic_ids			Array containing the topic IDs that have been changed
+		 * @since 3.2.6-RC1
+		 */
+		$vars = array(
+			'new_topic_type',
+			'forum_id',
+			'topic_ids',
+		);
+		extract($phpbb_dispatcher->trigger_event('core.mcp_change_topic_type_after', compact($vars)));
+
 		meta_refresh(2, $redirect);
 		$message = $user->lang[$success_msg];
 
@@ -930,10 +990,11 @@ function mcp_delete_topic($topic_ids, $is_soft = false, $soft_delete_reason = ''
 			'DELETE_TOPIC_PERMANENTLY_EXPLAIN'	=> $user->lang('DELETE_TOPIC_PERMANENTLY', count($topic_ids)),
 		));
 
-		$l_confirm = (count($topic_ids) == 1) ? 'DELETE_TOPIC' : 'DELETE_TOPICS';
+		$count = count($topic_ids);
+		$l_confirm = $count === 1 ? 'DELETE_TOPIC' : 'DELETE_TOPICS';
 		if ($only_softdeleted)
 		{
-			$l_confirm .= '_PERMANENTLY';
+			$l_confirm = array($l_confirm . '_PERMANENTLY', $count);
 			$s_hidden_fields['delete_permanent'] = '1';
 		}
 		else if ($only_shadow || !$auth->acl_get('m_softdelete', $forum_id))
@@ -1184,10 +1245,11 @@ function mcp_delete_post($post_ids, $is_soft = false, $soft_delete_reason = '',
 			'DELETE_POST_PERMANENTLY_EXPLAIN'	=> $user->lang('DELETE_POST_PERMANENTLY', count($post_ids)),
 		));
 
-		$l_confirm = (count($post_ids) == 1) ? 'DELETE_POST' : 'DELETE_POSTS';
+		$count = count($post_ids);
+		$l_confirm = $count === 1 ? 'DELETE_POST' : 'DELETE_POSTS';
 		if ($only_softdeleted)
 		{
-			$l_confirm .= '_PERMANENTLY';
+			$l_confirm = array($l_confirm . '_PERMANENTLY', $count);
 			$s_hidden_fields['delete_permanent'] = '1';
 		}
 		else if (!$auth->acl_get('m_softdelete', $forum_id))

phpBB/includes/mcp/mcp_notes.php

@@ -28,9 +28,9 @@ class mcp_notes
 	var $p_master;
 	var $u_action;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)

phpBB/includes/mcp/mcp_pm_reports.php

@@ -28,9 +28,9 @@ class mcp_pm_reports
 	var $p_master;
 	var $u_action;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)

phpBB/includes/mcp/mcp_queue.php

@@ -28,9 +28,9 @@ class mcp_queue
 	var $p_master;
 	var $u_action;
 
-	public function __construct(&$p_master)
+	public function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	public function main($id, $mode)

phpBB/includes/mcp/mcp_reports.php

@@ -28,9 +28,9 @@ class mcp_reports
 	var $p_master;
 	var $u_action;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)
@@ -246,7 +246,10 @@ class mcp_reports
 				$parse_flags = ($post_info['user_sig_bbcode_bitfield'] ? OPTION_FLAG_BBCODE : 0) | OPTION_FLAG_SMILIES;
 				$post_info['user_sig'] = generate_text_for_display($post_info['user_sig'], $post_info['user_sig_bbcode_uid'], $post_info['user_sig_bbcode_bitfield'], $parse_flags, true);
 
-				$template->assign_vars(array(
+				$topic_id = (int) $post_info['topic_id'];
+
+				// So it can be sent through the event below.
+				$report_template = array(
 					'S_MCP_REPORT'			=> true,
 					'S_CLOSE_ACTION'		=> append_sid("{$phpbb_root_path}mcp.$phpEx", 'i=reports&mode=report_details&f=' . $post_info['forum_id'] . '&p=' . $post_id),
 					'S_CAN_VIEWIP'			=> $auth->acl_get('m_info', $post_info['forum_id']),
@@ -298,7 +301,33 @@ class mcp_reports
 					'SIGNATURE'				=> $post_info['user_sig'],
 
 					'U_LOOKUP_IP'			=> ($auth->acl_get('m_info', $post_info['forum_id'])) ? $this->u_action . '&r=' . $report_id . '&p=' . $post_id . '&f=' . $forum_id . '&lookup=' . $post_info['poster_ip'] . '#ip' : '',
-				));
+				);
+
+				/**
+				 * Event to add/modify MCP report details template data.
+				 *
+				 * @event core.mcp_report_template_data
+				 * @var int		forum_id					The forum_id, the number in the f GET parameter
+				 * @var int		topic_id					The topic_id of the report being viewed
+				 * @var int		post_id						The post_id of the report being viewed (if 0, it is meaningless)
+				 * @var int		report_id					The report_id of the report being viewed
+				 * @var array	report						Array with the report data
+				 * @var	array	report_template				Array with the report template data
+				 * @var array	post_info					Array with the reported post data
+				 * @since 3.2.5-RC1
+				 */
+				$vars = array(
+					'forum_id',
+					'topic_id',
+					'post_id',
+					'report_id',
+					'report',
+					'report_template',
+					'post_info',
+				);
+				extract($phpbb_dispatcher->trigger_event('core.mcp_report_template_data', compact($vars)));
+
+				$template->assign_vars($report_template);
 
 				$this->tpl_name = 'mcp_post';
 

phpBB/includes/mcp/mcp_topic.php

@@ -93,7 +93,11 @@ function mcp_topic_view($id, $mode, $action)
 	// Restore or pprove posts?
 	if (($action == 'restore' || $action == 'approve') && $auth->acl_get('m_approve', $topic_info['forum_id']))
 	{
-		include($phpbb_root_path . 'includes/mcp/mcp_queue.' . $phpEx);
+		if (!class_exists('mcp_queue'))
+		{
+			include($phpbb_root_path . 'includes/mcp/mcp_queue.' . $phpEx);
+		}
+
 		include_once($phpbb_root_path . 'includes/functions_posting.' . $phpEx);
 		include_once($phpbb_root_path . 'includes/functions_messenger.' . $phpEx);
 
@@ -138,14 +142,36 @@ function mcp_topic_view($id, $mode, $action)
 	}
 	$start = $pagination->validate_start($start, $posts_per_page, $total);
 
-	$sql = 'SELECT u.username, u.username_clean, u.user_colour, p.*
-		FROM ' . POSTS_TABLE . ' p, ' . USERS_TABLE . ' u
-		WHERE ' . (($action == 'reports') ? 'p.post_reported = 1 AND ' : '') . '
+	$sql_where = (($action == 'reports') ? 'p.post_reported = 1 AND ' : '') . '
 			p.topic_id = ' . $topic_id . '
 			AND ' .	$phpbb_content_visibility->get_visibility_sql('post', $topic_info['forum_id'], 'p.') . '
 			AND p.poster_id = u.user_id ' .
-			$limit_time_sql . '
-		ORDER BY ' . $sort_order_sql;
+			$limit_time_sql;
+
+	$sql_ary = array(
+		'SELECT'	=> 'u.username, u.username_clean, u.user_colour, p.*',
+		'FROM'		=> array(
+			POSTS_TABLE		=> 'p',
+			USERS_TABLE		=> 'u'
+		),
+		'LEFT_JOIN'	=> array(),
+		'WHERE'		=> $sql_where,
+		'ORDER_BY'	=> $sort_order_sql,
+	);
+
+	/**
+	* Event to modify the SQL query before the MCP topic review posts is queried
+	*
+	* @event core.mcp_topic_modify_sql_ary
+	* @var	array	sql_ary		The SQL array to get the data of the MCP topic review posts
+	* @since 3.2.8-RC1
+	*/
+	$vars = array('sql_ary');
+	extract($phpbb_dispatcher->trigger_event('core.mcp_topic_modify_sql_ary', compact($vars)));
+
+	$sql = $db->sql_build_query('SELECT', $sql_ary);
+	unset($sql_ary);
+
 	$result = $db->sql_query_limit($sql, $posts_per_page, $start);
 
 	$rowset = $post_id_list = array();

phpBB/includes/mcp/mcp_warn.php

@@ -28,9 +28,9 @@ class mcp_warn
 	var $p_master;
 	var $u_action;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)

phpBB/includes/message_parser.php

@@ -1524,6 +1524,35 @@ class parse_message extends bbcode_firstpass
 		}
 	}
 
+	/**
+	 * Check attachment form token depending on submit type
+	 *
+	 * @param \phpbb\language\language $language Language
+	 * @param \phpbb\request\request_interface $request Request
+	 * @param string $form_name Form name for checking form key
+	 *
+	 * @return bool True if form token is not needed or valid, false if needed and invalid
+	 */
+	function check_attachment_form_token(\phpbb\language\language $language, \phpbb\request\request_interface $request, $form_name)
+	{
+		$add_file = $request->is_set_post('add_file');
+		$delete_file = $request->is_set_post('delete_file');
+
+		if (($add_file || $delete_file) && !check_form_key($form_name))
+		{
+			$this->warn_msg[] = $language->lang('FORM_INVALID');
+
+			if ($request->is_ajax() && $this->plupload)
+			{
+				$this->plupload->emit_error(-400, 'FORM_INVALID');
+			}
+
+			return false;
+		}
+
+		return true;
+	}
+
 	/**
 	* Parse Attachments
 	*/
@@ -1587,6 +1616,16 @@ class parse_message extends bbcode_firstpass
 						'poster_id'			=> $user->data['user_id'],
 					);
 
+					/**
+					* Modify attachment sql array on submit
+					*
+					* @event core.modify_attachment_sql_ary_on_submit
+					* @var	array	sql_ary		Array containing SQL data
+					* @since 3.2.6-RC1
+					*/
+					$vars = array('sql_ary');
+					extract($phpbb_dispatcher->trigger_event('core.modify_attachment_sql_ary_on_submit', compact($vars)));
+
 					$db->sql_query('INSERT INTO ' . ATTACHMENTS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary));
 
 					$new_entry = array(
@@ -1722,6 +1761,16 @@ class parse_message extends bbcode_firstpass
 							'poster_id'			=> $user->data['user_id'],
 						);
 
+						/**
+						* Modify attachment sql array on upload
+						*
+						* @event core.modify_attachment_sql_ary_on_upload
+						* @var	array	sql_ary		Array containing SQL data
+						* @since 3.2.6-RC1
+						*/
+						$vars = array('sql_ary');
+						extract($phpbb_dispatcher->trigger_event('core.modify_attachment_sql_ary_on_upload', compact($vars)));
+
 						$db->sql_query('INSERT INTO ' . ATTACHMENTS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary));
 
 						$new_entry = array(

phpBB/includes/questionnaire/questionnaire.php

@@ -369,7 +369,6 @@ class phpbb_questionnaire_phpbb_data_provider
 			'hot_threshold' => true,
 			'img_create_thumbnail' => true,
 			'img_display_inlined' => true,
-			'img_imagick' => true,
 			'img_link_height' => true,
 			'img_link_width' => true,
 			'img_max_height' => true,

phpBB/includes/ucp/ucp_activate.php

@@ -87,6 +87,8 @@ class ucp_activate
 				WHERE user_id = ' . $user_row['user_id'];
 			$db->sql_query($sql);
 
+			$user->reset_login_keys($user_row['user_id']);
+
 			$phpbb_log->add('user', $user->data['user_id'], $user->ip, 'LOG_USER_NEW_PASSWORD', false, array(
 				'reportee_id' => $user_row['user_id'],
 				$user_row['username']

phpBB/includes/ucp/ucp_attachments.php

@@ -29,7 +29,7 @@ class ucp_attachments
 
 	function main($id, $mode)
 	{
-		global $template, $user, $db, $config, $phpEx, $phpbb_root_path, $phpbb_container, $request;
+		global $template, $user, $db, $config, $phpEx, $phpbb_root_path, $phpbb_container, $request, $auth;
 
 		$start		= $request->variable('start', 0);
 		$sort_key	= $request->variable('sk', 'a');
@@ -41,16 +41,27 @@ class ucp_attachments
 		if ($delete && count($delete_ids))
 		{
 			// Validate $delete_ids...
-			$sql = 'SELECT attach_id
-				FROM ' . ATTACHMENTS_TABLE . '
-				WHERE poster_id = ' . $user->data['user_id'] . '
-					AND is_orphan = 0
-					AND ' . $db->sql_in_set('attach_id', $delete_ids);
+			$sql = 'SELECT a.attach_id, p.post_edit_locked, t.topic_status, f.forum_id, f.forum_status
+				FROM ' . ATTACHMENTS_TABLE . ' a
+				LEFT JOIN ' . POSTS_TABLE . ' p
+					ON (a.post_msg_id = p.post_id AND a.in_message = 0)
+				LEFT JOIN ' . TOPICS_TABLE . ' t
+					ON (t.topic_id = p.topic_id AND a.in_message = 0)
+				LEFT JOIN ' . FORUMS_TABLE . ' f
+					ON (f.forum_id = t.forum_id AND a.in_message = 0)
+				WHERE a.poster_id = ' . $user->data['user_id'] . '
+					AND a.is_orphan = 0
+					AND ' . $db->sql_in_set('a.attach_id', $delete_ids);
 			$result = $db->sql_query($sql);
 
 			$delete_ids = array();
 			while ($row = $db->sql_fetchrow($result))
 			{
+				if (!$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']))
+				{
+					continue;
+				}
+
 				$delete_ids[] = $row['attach_id'];
 			}
 			$db->sql_freeresult($result);
@@ -124,10 +135,12 @@ class ucp_attachments
 		$pagination = $phpbb_container->get('pagination');
 		$start = $pagination->validate_start($start, $config['topics_per_page'], $num_attachments);
 
-		$sql = 'SELECT a.*, t.topic_title, p.message_subject as message_title
+		$sql = 'SELECT a.*, t.topic_title, pr.message_subject as message_title, p.post_edit_locked, t.topic_status, f.forum_id, f.forum_status
 			FROM ' . ATTACHMENTS_TABLE . ' a
+				LEFT JOIN ' . POSTS_TABLE . ' p ON (a.post_msg_id = p.post_id AND a.in_message = 0)
 				LEFT JOIN ' . TOPICS_TABLE . ' t ON (a.topic_id = t.topic_id AND a.in_message = 0)
-				LEFT JOIN ' . PRIVMSGS_TABLE . ' p ON (a.post_msg_id = p.msg_id AND a.in_message = 1)
+				LEFT JOIN ' . FORUMS_TABLE . ' f ON (f.forum_id = t.forum_id AND a.in_message = 0)
+				LEFT JOIN ' . PRIVMSGS_TABLE . ' pr ON (a.post_msg_id = pr.msg_id AND a.in_message = 1)
 			WHERE a.poster_id = ' . $user->data['user_id'] . "
 				AND a.is_orphan = 0
 			ORDER BY $order_by";
@@ -164,6 +177,7 @@ class ucp_attachments
 					'TOPIC_ID'			=> $row['topic_id'],
 
 					'S_IN_MESSAGE'		=> $row['in_message'],
+					'S_LOCKED'			=> !$row['in_message'] && !$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']),
 
 					'U_VIEW_ATTACHMENT'	=> append_sid("{$phpbb_root_path}download/file.$phpEx", 'id=' . $row['attach_id']),
 					'U_VIEW_TOPIC'		=> $view_topic)

phpBB/includes/ucp/ucp_groups.php

@@ -32,6 +32,9 @@ class ucp_groups
 		global $db, $user, $auth, $cache, $template;
 		global $request, $phpbb_container, $phpbb_log;
 
+		/** @var \phpbb\language\language $language Language object */
+		$language = $phpbb_container->get('language');
+
 		$user->add_lang('groups');
 
 		$return_page = '<br /><br />' . sprintf($user->lang['RETURN_PAGE'], '<a href="' . $this->u_action . '">', '</a>');
@@ -396,7 +399,10 @@ class ucp_groups
 				$action		= (isset($_POST['addusers'])) ? 'addusers' : $request->variable('action', '');
 				$group_id	= $request->variable('g', 0);
 
-				include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+				if (!function_exists('phpbb_get_user_rank'))
+				{
+					include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+				}
 
 				add_form_key('ucp_groups');
 
@@ -528,7 +534,12 @@ class ucp_groups
 								'teampage'	=> $group_row['group_teampage'],
 							);
 
-							if ($config['allow_avatar'])
+							if (!check_form_key('ucp_groups'))
+							{
+								$error[] = $user->lang['FORM_INVALID'];
+							}
+
+							if (!count($error) && $config['allow_avatar'])
 							{
 								// Handle avatar
 								$driver_name = $phpbb_avatar_manager->clean_driver_name($request->variable('avatar_driver', ''));
@@ -550,11 +561,6 @@ class ucp_groups
 								$error = array_merge($error, $phpbb_avatar_manager->localize_errors($user, $avatar_error));
 							}
 
-							if (!check_form_key('ucp_groups'))
-							{
-								$error[] = $user->lang['FORM_INVALID'];
-							}
-
 							// Validate submitted colour value
 							if ($colour_error = validate_data($submit_ary, array('colour'	=> array('hex_colour', true))))
 							{
@@ -869,6 +875,11 @@ class ucp_groups
 							trigger_error($user->lang['NO_GROUP'] . $return_page);
 						}
 
+						if (!check_form_key('ucp_groups'))
+						{
+							trigger_error($user->lang('FORM_INVALID') . $return_page);
+						}
+
 						if (!($row = group_memberships($group_id, $user->data['user_id'])))
 						{
 							trigger_error($user->lang['NOT_MEMBER_OF_GROUP'] . $return_page);
@@ -1054,13 +1065,27 @@ class ucp_groups
 
 						if (confirm_box(true))
 						{
+							$return_manage_page = '<br /><br />' . $language->lang('RETURN_PAGE', '<a href="' . $this->u_action . '&amp;action=list&amp;g=' . $group_id . '">', '</a>');
+
 							// Add user/s to group
 							if ($error = group_user_add($group_id, false, $name_ary, $group_name, $default, 0, 0, $group_row))
 							{
-								trigger_error($user->lang[$error] . $return_page);
+								$display_message = $language->lang($error);
+
+								if ($error == 'GROUP_USERS_INVALID')
+								{
+									// Find which users don't exist
+									$actual_name_ary = $name_ary;
+									$actual_user_id_ary = [];
+									user_get_id_name($actual_user_id_ary, $actual_name_ary, false, true);
+
+									$display_message = $language->lang('GROUP_USERS_INVALID', implode($language->lang('COMMA_SEPARATOR'), array_udiff($name_ary, $actual_name_ary, 'strcasecmp')));
+								}
+
+								trigger_error($display_message . $return_manage_page);
 							}
 
-							trigger_error($user->lang['GROUP_USERS_ADDED'] . '<br /><br />' . sprintf($user->lang['RETURN_PAGE'], '<a href="' . $this->u_action . '&amp;action=list&amp;g=' . $group_id . '">', '</a>'));
+							trigger_error($language->lang('GROUP_USERS_ADDED') . $return_manage_page);
 						}
 						else
 						{

phpBB/includes/ucp/ucp_main.php

@@ -28,9 +28,9 @@ class ucp_main
 	var $p_master;
 	var $u_action;
 
-	function __construct(&$p_master)
+	function __construct($p_master)
 	{
-		$this->p_master = &$p_master;
+		$this->p_master = $p_master;
 	}
 
 	function main($id, $mode)
@@ -245,7 +245,10 @@ class ucp_main
 
 			case 'subscribed':
 
-				include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+				if (!function_exists('topic_status'))
+				{
+					include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+				}
 
 				$user->add_lang('viewforum');
 
@@ -481,7 +484,10 @@ class ucp_main
 					break;
 				}
 
-				include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+				if (!function_exists('topic_status'))
+				{
+					include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+				}
 
 				$user->add_lang('viewforum');
 

phpBB/includes/ucp/ucp_pm.php

@@ -82,7 +82,10 @@ class ucp_pm
 			$mode = 'view';
 		}
 
-		include($phpbb_root_path . 'includes/functions_privmsgs.' . $phpEx);
+		if (!function_exists('get_folder'))
+		{
+			include($phpbb_root_path . 'includes/functions_privmsgs.' . $phpEx);
+		}
 
 		switch ($mode)
 		{
@@ -104,7 +107,10 @@ class ucp_pm
 					break;
 				}
 
-				include($phpbb_root_path . 'includes/ucp/ucp_pm_compose.' . $phpEx);
+				if (!function_exists('compose_pm'))
+				{
+					include($phpbb_root_path . 'includes/ucp/ucp_pm_compose.' . $phpEx);
+				}
 				compose_pm($id, $mode, $action, $user_folders);
 
 				$tpl_file = 'posting_body';
@@ -114,7 +120,10 @@ class ucp_pm
 				set_user_message_limit();
 				get_folder($user->data['user_id']);
 
-				include($phpbb_root_path . 'includes/ucp/ucp_pm_options.' . $phpEx);
+				if (!function_exists('message_options'))
+				{
+					include($phpbb_root_path . 'includes/ucp/ucp_pm_options.' . $phpEx);
+				}
 				message_options($id, $mode, $global_privmsgs_rules, $global_rule_conditions);
 
 				$tpl_file = 'ucp_pm_options';
@@ -125,8 +134,10 @@ class ucp_pm
 				get_folder($user->data['user_id']);
 				$this->p_name = 'pm';
 
-				// Call another module... please do not try this at home... Hoochie Coochie Man
-				include($phpbb_root_path . 'includes/ucp/ucp_main.' . $phpEx);
+				if (!class_exists('ucp_main'))
+				{
+					include($phpbb_root_path . 'includes/ucp/ucp_main.' . $phpEx);
+				}
 
 				$module = new ucp_main($this);
 				$module->u_action = $this->u_action;
@@ -182,6 +193,8 @@ class ucp_pm
 					trigger_error('NO_AUTH_READ_HOLD_MESSAGE');
 				}
 
+				add_form_key('ucp_pm_view');
+
 				// First Handle Mark actions and moving messages
 				$submit_mark	= (isset($_POST['submit_mark'])) ? true : false;
 				$move_pm		= (isset($_POST['move_pm'])) ? true : false;
@@ -196,6 +209,11 @@ class ucp_pm
 					$submit_mark = false;
 				}
 
+				if (($move_pm || $submit_mark) && !check_form_key('ucp_pm_view'))
+				{
+					trigger_error('FORM_INVALID');
+				}
+
 				// Move PM
 				if ($move_pm)
 				{
@@ -375,7 +393,10 @@ class ucp_pm
 
 				if ($action == 'view_folder')
 				{
-					include($phpbb_root_path . 'includes/ucp/ucp_pm_viewfolder.' . $phpEx);
+					if (!function_exists('view_folder'))
+					{
+						include($phpbb_root_path . 'includes/ucp/ucp_pm_viewfolder.' . $phpEx);
+					}
 					view_folder($id, $mode, $folder_id, $folder);
 
 					$tpl_file = 'ucp_pm_viewfolder';
@@ -393,7 +414,10 @@ class ucp_pm
 						trigger_error('NO_MESSAGE');
 					}
 
-					include($phpbb_root_path . 'includes/ucp/ucp_pm_viewmessage.' . $phpEx);
+					if (!function_exists('view_message'))
+					{
+						include($phpbb_root_path . 'includes/ucp/ucp_pm_viewmessage.' . $phpEx);
+					}
 					view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row);
 
 					$tpl_file = ($view == 'print') ? 'ucp_pm_viewmessage_print' : 'ucp_pm_viewmessage';

phpBB/includes/ucp/ucp_pm_compose.php

@@ -26,16 +26,27 @@ if (!defined('IN_PHPBB'))
 function compose_pm($id, $mode, $action, $user_folders = array())
 {
 	global $template, $db, $auth, $user, $cache;
-	global $phpbb_root_path, $phpEx, $config;
+	global $phpbb_root_path, $phpEx, $config, $language;
 	global $request, $phpbb_dispatcher, $phpbb_container;
 
 	// Damn php and globals - i know, this is horrible
 	// Needed for handle_message_list_actions()
 	global $refresh, $submit, $preview;
 
-	include($phpbb_root_path . 'includes/functions_posting.' . $phpEx);
-	include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
-	include($phpbb_root_path . 'includes/message_parser.' . $phpEx);
+	if (!function_exists('generate_smilies'))
+	{
+		include($phpbb_root_path . 'includes/functions_posting.' . $phpEx);
+	}
+
+	if (!function_exists('display_custom_bbcodes'))
+	{
+		include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+	}
+
+	if (!class_exists('parse_message'))
+	{
+		include($phpbb_root_path . 'includes/message_parser.' . $phpEx);
+	}
 
 	if (!$action)
 	{
@@ -788,7 +799,10 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		extract($phpbb_dispatcher->trigger_event('core.ucp_pm_compose_modify_parse_before', compact($vars)));
 
 		// Parse Attachments - before checksum is calculated
-		$message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true);
+		if ($message_parser->check_attachment_form_token($language, $request, 'ucp_pm_compose'))
+		{
+			$message_parser->parse_attachments('fileupload', $action, 0, $submit, $preview, $refresh, true);
+		}
 
 		if (count($message_parser->warn_msg) && !($remove_u || $remove_g || $add_to || $add_bcc))
 		{
@@ -985,13 +999,30 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		{
 			$quote_attributes['post_id'] = $post['msg_id'];
 		}
-
-		phpbb_format_quote($bbcode_status, $quote_attributes, $phpbb_container->get('text_formatter.utils'), $message_parser, $message_link);
+		if ($action === 'quote')
+		{
+			$quote_attributes['msg_id'] = $post['msg_id'];
+		}
+		/** @var \phpbb\language\language $language */
+		$language = $phpbb_container->get('language');
+		/** @var \phpbb\textformatter\utils_interface $text_formatter_utils */
+		$text_formatter_utils = $phpbb_container->get('text_formatter.utils');
+		phpbb_format_quote($language, $message_parser, $text_formatter_utils, $bbcode_status, $quote_attributes, $message_link);
 	}
 
 	if (($action == 'reply' || $action == 'quote' || $action == 'quotepost') && !$preview && !$refresh)
 	{
 		$message_subject = ((!preg_match('/^Re:/', $message_subject)) ? 'Re: ' : '') . censor_text($message_subject);
+
+		/**
+		* This event allows you to modify the PM subject of the PM being quoted
+		*
+		* @event core.pm_modify_message_subject
+		* @var	string		message_subject		String with the PM subject already censored.
+		* @since 3.2.8-RC1
+		*/
+		$vars = array('message_subject');
+		extract($phpbb_dispatcher->trigger_event('core.pm_modify_message_subject', compact($vars)));
 	}
 
 	if ($action == 'forward' && !$preview && !$refresh && !$submit)
@@ -1191,7 +1222,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 	$controller_helper = $phpbb_container->get('controller.helper');
 
 	// Start assigning vars for main posting page ...
-	$template->assign_vars(array(
+	$template_ary = array(
 		'L_POST_A'					=> $page_title,
 		'L_ICON'					=> $user->lang['PM_ICON'],
 		'L_MESSAGE_BODY_EXPLAIN'	=> $user->lang('MESSAGE_BODY_EXPLAIN', (int) $config['max_post_chars']),
@@ -1236,7 +1267,19 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		'S_CLOSE_PROGRESS_WINDOW'	=> isset($_POST['add_file']),
 		'U_PROGRESS_BAR'			=> append_sid("{$phpbb_root_path}posting.$phpEx", 'f=0&mode=popup'),
 		'UA_PROGRESS_BAR'			=> addslashes(append_sid("{$phpbb_root_path}posting.$phpEx", 'f=0&mode=popup')),
-	));
+	);
+
+	/**
+	* Modify the default template vars
+	*
+	* @event core.ucp_pm_compose_template
+	* @var	array	template_ary	Template variables
+	* @since 3.2.6-RC1
+	*/
+	$vars = array('template_ary');
+	extract($phpbb_dispatcher->trigger_event('core.ucp_pm_compose_template', compact($vars)));
+
+	$template->assign_vars($template_ary);
 
 	// Build custom bbcodes array
 	display_custom_bbcodes();

phpBB/includes/ucp/ucp_pm_viewfolder.php

@@ -32,6 +32,8 @@ function view_folder($id, $mode, $folder_id, $folder)
 
 	$folder_info = get_pm_from($folder_id, $folder, $user->data['user_id']);
 
+	add_form_key('ucp_pm_view_folder');
+
 	if (!$submit_export)
 	{
 		$user->add_lang('viewforum');
@@ -39,7 +41,7 @@ function view_folder($id, $mode, $folder_id, $folder)
 		// Grab icons
 		$icons = $cache->obtain_icons();
 
-		$color_rows = array('marked', 'replied');
+		$color_rows = array('message_reported', 'marked', 'replied');
 
 		$_module = new p_master();
 		$_module->list_modules('ucp');
@@ -138,9 +140,9 @@ function view_folder($id, $mode, $folder_id, $folder)
 				$row_indicator = '';
 				foreach ($color_rows as $var)
 				{
-					if (($var != 'friend' && $var != 'foe' && $row['pm_' . $var])
+					if (($var !== 'friend' && $var !== 'foe' && $row[($var === 'message_reported') ? $var : "pm_{$var}"])
 						||
-						(($var == 'friend' || $var == 'foe') && isset(${$var}[$row['author_id']]) && ${$var}[$row['author_id']]))
+						(($var === 'friend' || $var === 'foe') && isset(${$var}[$row['author_id']]) && ${$var}[$row['author_id']]))
 					{
 						$row_indicator = $var;
 						break;
@@ -197,6 +199,11 @@ function view_folder($id, $mode, $folder_id, $folder)
 		$enclosure = $request->variable('enclosure', '');
 		$delimiter = $request->variable('delimiter', '');
 
+		if (!check_form_key('ucp_pm_view_folder'))
+		{
+			trigger_error('FORM_INVALID');
+		}
+
 		if ($export_type == 'CSV' && ($delimiter === '' || $enclosure === ''))
 		{
 			$template->assign_var('PROMPT', true);

phpBB/includes/ucp/ucp_pm_viewmessage.php

@@ -296,7 +296,9 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
 	 * @var	array	cp_row		Array with senders custom profile field data
 	 * @var	array	msg_data	Template array with message data
 	 * @var array	user_info	User data of the sender
+	 * @var array	attachments	Attachments data
 	 * @since 3.2.2-RC1
+	 * @changed 3.2.5-RC1 Added attachments
 	 */
 	$vars = array(
 		'id',
@@ -308,6 +310,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
 		'cp_row',
 		'msg_data',
 		'user_info',
+		'attachments',
 	);
 	extract($phpbb_dispatcher->trigger_event('core.ucp_pm_view_message', compact($vars)));
 

phpBB/includes/ucp/ucp_profile.php

@@ -133,7 +133,6 @@ class ucp_profile
 							'user_email'		=> ($auth->acl_get('u_chgemail')) ? $data['email'] : $user->data['user_email'],
 							'user_email_hash'	=> ($auth->acl_get('u_chgemail')) ? phpbb_email_hash($data['email']) : $user->data['user_email_hash'],
 							'user_password'		=> ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? $passwords_manager->hash($data['new_password']) : $user->data['user_password'],
-							'user_passchg'		=> ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,
 						);
 
 						if ($auth->acl_get('u_chgname') && $config['allow_namechange'] && $data['username'] != $user->data['username'])
@@ -147,6 +146,8 @@ class ucp_profile
 
 						if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !$passwords_manager->check($data['new_password'], $user->data['user_password']))
 						{
+							$sql_ary['user_passchg'] = time();
+
 							$user->reset_login_keys();
 							$phpbb_log->add('user', $user->data['user_id'], $user->ip, 'LOG_USER_NEW_PASSWORD', false, array(
 								'reportee_id' => $user->data['user_id'],
@@ -469,8 +470,15 @@ class ucp_profile
 					trigger_error('NO_AUTH_SIGNATURE');
 				}
 
-				include($phpbb_root_path . 'includes/functions_posting.' . $phpEx);
-				include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+				if (!function_exists('generate_smilies'))
+				{
+					include($phpbb_root_path . 'includes/functions_posting.' . $phpEx);
+				}
+
+				if (!function_exists('display_custom_bbcodes'))
+				{
+					include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
+				}
 
 				$preview	= $request->is_set_post('preview');
 

phpBB/includes/ucp/ucp_register.php

@@ -39,12 +39,23 @@ class ucp_register
 			trigger_error('UCP_REGISTER_DISABLE');
 		}
 
-		$coppa			= $request->is_set('coppa') ? (int) $request->variable('coppa', false) : false;
+		$coppa			= $request->is_set('coppa_yes') ? 1 : ($request->is_set('coppa_no') ? 0 : false);
+		$coppa			= $request->is_set('coppa') ? $request->variable('coppa', 0) : $coppa;
 		$agreed			= $request->variable('agreed', false);
 		$submit			= $request->is_set_post('submit');
 		$change_lang	= $request->variable('change_lang', '');
 		$user_lang		= $request->variable('lang', $user->lang_name);
 
+		if ($agreed && !check_form_key('ucp_register'))
+		{
+			$agreed = false;
+		}
+
+		if ($coppa !== false && !check_form_key('ucp_register'))
+		{
+			$coppa = false;
+		}
+
 		/**
 		* Add UCP register data before they are assigned to the template or submitted
 		*
@@ -67,14 +78,7 @@ class ucp_register
 		);
 		extract($phpbb_dispatcher->trigger_event('core.ucp_register_requests_after', compact($vars)));
 
-		if ($agreed)
-		{
-			add_form_key('ucp_register');
-		}
-		else
-		{
-			add_form_key('ucp_register_terms');
-		}
+		add_form_key('ucp_register');
 
 		if ($change_lang || $user_lang != $config['default_lang'])
 		{
@@ -168,11 +172,8 @@ class ucp_register
 
 				$template_vars = array(
 					'S_LANG_OPTIONS'	=> (count($lang_row) > 1) ? language_select($user_lang) : '',
-					'L_COPPA_NO'		=> sprintf($user->lang['UCP_COPPA_BEFORE'], $coppa_birthday),
-					'L_COPPA_YES'		=> sprintf($user->lang['UCP_COPPA_ON_AFTER'], $coppa_birthday),
-
-					'U_COPPA_NO'		=> append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=register&coppa=0'),
-					'U_COPPA_YES'		=> append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=register&coppa=1'),
+					'L_COPPA_NO'		=> $user->lang('UCP_COPPA_BEFORE', $coppa_birthday),
+					'L_COPPA_YES'		=> $user->lang('UCP_COPPA_ON_AFTER', $coppa_birthday),
 
 					'S_SHOW_COPPA'		=> true,
 					'S_HIDDEN_FIELDS'	=> build_hidden_fields($s_hidden_fields),

phpBB/includes/utf/utf_tools.php

@@ -418,24 +418,43 @@ function utf8_recode($string, $encoding)
 }
 
 /**
-* Replace all UTF-8 chars that are not in ASCII with their NCR
-*
-* @param	string	$text		UTF-8 string in NFC
-* @return	string				ASCII string using NCRs for non-ASCII chars
-*/
+ * Replace some special UTF-8 chars that are not in ASCII with their UCR.
+ * using their Numeric Character Reference's Hexadecimal notation.
+ *
+ * Doesn't interfere with Japanese or Cyrillic etc.
+ * Unicode character visualization will depend on the character support
+ * of your web browser and the fonts installed on your system.
+ *
+ * @see https://en.wikibooks.org/wiki/Unicode/Character_reference/1F000-1FFFF
+ *
+ * @param	string	$text		UTF-8 string in NFC
+ * @return	string				ASCII string using NCR for non-ASCII chars
+ */
+function utf8_encode_ucr($text)
+{
+	return preg_replace_callback('/[\\xF0-\\xF4].../', 'utf8_encode_ncr_callback', $text);
+}
+
+/**
+ * Replace all UTF-8 chars that are not in ASCII with their NCR
+ * using their Numeric Character Reference's Hexadecimal notation.
+ *
+ * @param	string	$text		UTF-8 string in NFC
+ * @return	string				ASCII string using NCRs for non-ASCII chars
+ */
 function utf8_encode_ncr($text)
 {
 	return preg_replace_callback('#[\\xC2-\\xF4][\\x80-\\xBF]{1,3}#', 'utf8_encode_ncr_callback', $text);
 }
 
 /**
-* Callback used in encode_ncr()
-*
-* Takes a UTF-8 char and replaces it with its NCR. Attention, $m is an array
-*
-* @param	array	$m			0-based numerically indexed array passed by preg_replace_callback()
-* @return	string				A HTML NCR if the character is valid, or the original string otherwise
-*/
+ * Callback used in utf8_encode_ncr() and utf8_encode_ucr()
+ *
+ * Takes a UTF-8 char and replaces it with its NCR. Attention, $m is an array
+ *
+ * @param	array	$m			0-based numerically indexed array passed by preg_replace_callback()
+ * @return	string				A HTML NCR if the character is valid, or the original string otherwise
+ */
 function utf8_encode_ncr_callback($m)
 {
 	return '&#' . utf8_ord($m[0]) . ';';

phpBB/index.php

@@ -55,6 +55,17 @@ if (($mark_notification = $request->variable('mark_notification', 0)))
 
 			$notification->mark_read();
 
+			/**
+			* You can use this event to perform additional tasks or redirect user elsewhere.
+			*
+			* @event core.index_mark_notification_after
+			* @var	int										mark_notification	Notification ID
+			* @var	\phpbb\notification\type\type_interface	notification		Notification instance
+			* @since 3.2.6-RC1
+			*/
+			$vars = array('mark_notification', 'notification');
+			extract($phpbb_dispatcher->trigger_event('core.index_mark_notification_after', compact($vars)));
+
 			if ($request->is_ajax())
 			{
 				$json_response = new \phpbb\json_response();