[prep-release-3.2.7] Add changelog for 3.2.7-RC1

[ticket/16042] Use S_LOGIN_REDIRECT to output login form token

build/build.xml

@@ -2,9 +2,9 @@
 
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.2.6-RC1" />
-	<property name="prevversion" value="3.2.5" />
-	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4" />
+	<property name="newversion" value="3.2.7-RC1" />
+	<property name="prevversion" value="3.2.6" />
+	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />

phpBB/docs/CHANGELOG.html

@@ -50,6 +50,8 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ul>
+		<li><a href="#v326">Changes since 3.2.6</a></li>
+		<li><a href="#v326rc1">Changes since 3.2.6-RC1</a></li>
 		<li><a href="#v325">Changes since 3.2.5</a></li>
 		<li><a href="#v325rc1">Changes since 3.2.5-RC1</a></li>
 		<li><a href="#v324">Changes since 3.2.4</a></li>
@@ -136,6 +138,36 @@
 		<div class="inner">
 
 		<div class="content">
+			<a name="v326"></a><h3>Changes since 3.2.6</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16034">PHPBB3-16034</a>] - Links created with [url=] - are sometimes incorrectly shortened</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16036">PHPBB3-16036</a>] - Cannot login with 3.2.6</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16037">PHPBB3-16037</a>] - Private message ViewFolder Broken</li>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16039">PHPBB3-16039</a>] - Unable to change announcement to standard topic due to missing global</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16042">PHPBB3-16042</a>] - Use S_LOGIN_REDIRECT to output login form token</li>
+			</ul>
+
+			<a name="v326rc1"></a><h3>Changes since 3.2.6-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-16027">PHPBB3-16027</a>] - Appveyor builds fail on PHP 7.0</li>
+			</ul>
+			<h4>Security Issue</h4>
+			<ul>
+				<li>[SECURITY-231] - Remote avatar functionality allows checking for files and ports on local network</li>
+				<li>[SECURITY-235] - Fulltext native search can be used to cause long execution times</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[SECURITY-228] - Require form token in login_box</li>
+				<li>[SECURITY-233] - SMTP auth data shouldn't be cached</li>
+				<li>[SECURITY-234] - Main website URL in Admin Control Panel should not support JS URLs</li>
+			</ul>
+
 			<a name="v325"></a><h3>Changes since 3.2.5</h3>
 			<h4>Bug</h4>
 			<ul>

phpBB/includes/acp/acp_board.php

@@ -30,10 +30,13 @@ class acp_board
 
 	function main($id, $mode)
 	{
-		global $user, $template, $request;
+		global $user, $template, $request, $language;
 		global $config, $phpbb_root_path, $phpEx;
 		global $cache, $phpbb_container, $phpbb_dispatcher, $phpbb_log;
 
+		/** @var \phpbb\language\language $language Language object */
+		$language = $phpbb_container->get('language');
+
 		$user->add_lang('acp/board');
 
 		$submit = (isset($_POST['submit']) || isset($_POST['allow_quick_reply_enable'])) ? true : false;
@@ -56,7 +59,7 @@ class acp_board
 						'legend1'				=> 'ACP_BOARD_SETTINGS',
 						'sitename'				=> array('lang' => 'SITE_NAME',				'validate' => 'string',	'type' => 'text:40:255', 'explain' => false),
 						'site_desc'				=> array('lang' => 'SITE_DESC',				'validate' => 'string',	'type' => 'text:40:255', 'explain' => false),
-						'site_home_url'			=> array('lang' => 'SITE_HOME_URL',			'validate' => 'string',	'type' => 'url:40:255', 'explain' => true),
+						'site_home_url'			=> array('lang' => 'SITE_HOME_URL',			'validate' => 'url',	'type' => 'url:40:255', 'explain' => true),
 						'site_home_text'		=> array('lang' => 'SITE_HOME_TEXT',		'validate' => 'string',	'type' => 'text:40:255', 'explain' => true),
 						'board_index_text'		=> array('lang' => 'BOARD_INDEX_TEXT',		'validate' => 'string',	'type' => 'text:40:255', 'explain' => true),
 						'board_disable'			=> array('lang' => 'DISABLE_BOARD',			'validate' => 'bool',	'type' => 'custom', 'method' => 'board_disable', 'explain' => true),
@@ -122,6 +125,7 @@ class acp_board
 				$avatar_vars = array();
 				foreach ($avatar_drivers as $current_driver)
 				{
+					/** @var \phpbb\avatar\driver\driver_interface $driver */
 					$driver = $phpbb_avatar_manager->get_driver($current_driver, false);
 
 					/*
@@ -730,7 +734,7 @@ class acp_board
 			$template->assign_block_vars('options', array(
 				'KEY'			=> $config_key,
 				'TITLE'			=> (isset($user->lang[$vars['lang']])) ? $user->lang[$vars['lang']] : $vars['lang'],
-				'S_EXPLAIN'		=> $vars['explain'],
+				'S_EXPLAIN'		=> $vars['explain'] && !empty($l_explain),
 				'TITLE_EXPLAIN'	=> $l_explain,
 				'CONTENT'		=> $content,
 				)

phpBB/includes/constants.php

@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-@define('PHPBB_VERSION', '3.2.6-RC1');
+@define('PHPBB_VERSION', '3.2.7-RC1');
 
 // QA-related
 // define('PHPBB_QA', 1);

phpBB/includes/functions.php

@@ -2288,6 +2288,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 	global $request, $phpbb_container, $phpbb_dispatcher, $phpbb_log;
 
 	$err = '';
+	$form_name = 'login';
 
 	// Make sure user->setup() has been called
 	if (!$user->is_setup())
@@ -2363,8 +2364,19 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
 		}
 
-		// If authentication is successful we redirect user to previous page
-		$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		// Check form key
+		if ($password && !check_form_key($form_name))
+		{
+			$result = array(
+				'status' => false,
+				'error_msg' => 'FORM_INVALID',
+			);
+		}
+		else
+		{
+			// If authentication is successful we redirect user to previous page
+			$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		}
 
 		// If admin authentication and login, we will log if it was a success or not...
 		// We also break the operation on the first non-success login - it could be argued that the user already knows
@@ -2515,6 +2527,9 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		));
 	}
 
+	// Add form token for login box
+	add_form_key($form_name, '_LOGIN');
+
 	$s_hidden_fields = build_hidden_fields($s_hidden_fields);
 
 	$login_box_template_data = array(
@@ -2649,6 +2664,9 @@ function login_forum_box($forum_data)
 
 	page_header($user->lang['LOGIN']);
 
+	// Add form token for login box
+	add_form_key('login', '_LOGIN');
+
 	$template->assign_vars(array(
 		'FORUM_NAME'			=> isset($forum_data['forum_name']) ? $forum_data['forum_name'] : '',
 		'S_LOGIN_ACTION'		=> build_url(array('f')),
@@ -4421,6 +4439,19 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
 	$controller_helper = $phpbb_container->get('controller.helper');
 	$notification_mark_hash = generate_link_hash('mark_all_notifications_read');
 
+	$s_login_redirect = build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url())));
+	/**
+	 * Workaround for missing template variable in pre phpBB 3.2.6 styles.
+	 * @deprecated 3.2.7 (To be removed: 3.3.0-a1)
+	 */
+	$form_token_login = $template->retrieve_var('S_FORM_TOKEN_LOGIN');
+	if (!empty($form_token_login))
+	{
+		$s_login_redirect .= $form_token_login;
+		// Remove S_FORM_TOKEN_LOGIN as it's already appended to S_LOGIN_REDIRECT
+		$template->assign_var('S_FORM_TOKEN_LOGIN', '');
+	}
+
 	// The following assigns all _common_ variables that may be used at any point in a template.
 	$template->assign_vars(array(
 		'SITENAME'						=> $config['sitename'],
@@ -4510,7 +4541,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
 		'S_TOPIC_ID'			=> $topic_id,
 
 		'S_LOGIN_ACTION'		=> ((!defined('ADMIN_START')) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=login') : append_sid("{$phpbb_admin_path}index.$phpEx", false, true, $user->session_id)),
-		'S_LOGIN_REDIRECT'		=> build_hidden_fields(array('redirect' => $phpbb_path_helper->remove_web_root_path(build_url()))),
+		'S_LOGIN_REDIRECT'		=> $s_login_redirect,
 
 		'S_ENABLE_FEEDS'			=> ($config['feed_enable']) ? true : false,
 		'S_ENABLE_FEEDS_OVERALL'	=> ($config['feed_overall']) ? true : false,

phpBB/includes/functions_acp.php

@@ -419,7 +419,7 @@ function build_cfg_template($tpl_type, $key, &$new_ary, $config_key, $vars)
 */
 function validate_config_vars($config_vars, &$cfg_array, &$error)
 {
-	global $phpbb_root_path, $user, $phpbb_dispatcher, $phpbb_filesystem;
+	global $phpbb_root_path, $user, $phpbb_dispatcher, $phpbb_filesystem, $language;
 
 	$type	= 0;
 	$min	= 1;
@@ -442,6 +442,16 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 		// Validate a bit. ;) (0 = type, 1 = min, 2= max)
 		switch ($validator[$type])
 		{
+			case 'url':
+				$cfg_array[$config_name] = trim($cfg_array[$config_name]);
+
+				if (!empty($cfg_array[$config_name]) && !preg_match('#^' . get_preg_expression('url') . '$#iu', $cfg_array[$config_name]))
+				{
+					$error[] = $language->lang('URL_INVALID', $language->lang($config_definition['lang']));
+				}
+
+			// no break here
+
 			case 'string':
 				$length = utf8_strlen($cfg_array[$config_name]);
 

phpBB/includes/mcp/mcp_main.php

@@ -378,7 +378,7 @@ function lock_unlock($action, $ids)
 */
 function change_topic_type($action, $topic_ids)
 {
-	global $user, $db, $request, $phpbb_log;
+	global $user, $db, $request, $phpbb_log, $phpbb_dispatcher;
 
 	switch ($action)
 	{

phpBB/includes/ucp/ucp_pm_viewfolder.php

@@ -138,9 +138,9 @@ function view_folder($id, $mode, $folder_id, $folder)
 				$row_indicator = '';
 				foreach ($color_rows as $var)
 				{
-					if (($var != 'friend' && $var != 'foe' && $row['pm_' . $var])
+					if (($var !== 'friend' && $var !== 'foe' && $row[($var === 'message_reported') ? $var : "pm_{$var}"])
 						||
-						(($var == 'friend' || $var == 'foe') && isset(${$var}[$row['author_id']]) && ${$var}[$row['author_id']]))
+						(($var === 'friend' || $var === 'foe') && isset(${$var}[$row['author_id']]) && ${$var}[$row['author_id']]))
 					{
 						$row_indicator = $var;
 						break;

phpBB/index.php

@@ -211,6 +211,9 @@ if ($show_birthdays)
 	$template->assign_block_vars_array('birthdays', $birthdays);
 }
 
+// Add form token for login box
+add_form_key('login', '_LOGIN');
+
 // Assign index specific vars
 $template->assign_vars(array(
 	'TOTAL_POSTS'	=> $user->lang('TOTAL_POSTS_COUNT', (int) $config['num_posts']),

phpBB/install/convertors/convert_phpbb20.php

@@ -38,7 +38,7 @@ $dbms = $phpbb_config_php_file->convert_30_dbms_to_31($dbms);
 $convertor_data = array(
 	'forum_name'	=> 'phpBB 2.0.x',
 	'version'		=> '1.0.3',
-	'phpbb_version'	=> '3.2.6',
+	'phpbb_version'	=> '3.2.7',
 	'author'		=> '<a href="https://www.phpbb.com/">phpBB Limited</a>',
 	'dbms'			=> $dbms,
 	'dbhost'		=> $dbhost,

phpBB/install/phpbbcli.php

@@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli')
 define('IN_PHPBB', true);
 define('IN_INSTALL', true);
 define('PHPBB_ENVIRONMENT', 'production');
-define('PHPBB_VERSION', '3.2.6-RC1');
+define('PHPBB_VERSION', '3.2.7-RC1');
 $phpbb_root_path = __DIR__ . '/../';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);
 

phpBB/install/schemas/schema_data.sql

@@ -269,9 +269,9 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('smilies_per_page',
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_auth_method', 'PLAIN');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_delivery', '0');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_host', '');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_password', '');
+INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('smtp_password', '', 1);
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_port', '25');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('smtp_username', '');
+INSERT INTO phpbb_config (config_name, config_value, is_dynamic) VALUES ('smtp_username', '', 1);
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('teampage_memberships', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('teampage_forums', '1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('topics_per_page', '25');
@@ -279,7 +279,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('tpl_allow_php', '0
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.6-RC1');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.2.7-RC1');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
 

phpBB/language/en/acp/board.php

@@ -111,9 +111,9 @@ $lang = array_merge($lang, array(
 	'ALLOW_GRAVATAR'				=> 'Enable gravatar avatars',
 	'ALLOW_LOCAL'					=> 'Enable gallery avatars',
 	'ALLOW_REMOTE'					=> 'Enable remote avatars',
-	'ALLOW_REMOTE_EXPLAIN'			=> 'Avatars linked to from another website.',
+	'ALLOW_REMOTE_EXPLAIN'			=> 'Avatars linked to from another website.<br><em><strong class="error">Warning:</strong> Enabling this feature might allow users to check for the existence of files and services that are only accessible on the local network.</em>',
 	'ALLOW_REMOTE_UPLOAD'			=> 'Enable remote avatar uploading',
-	'ALLOW_REMOTE_UPLOAD_EXPLAIN'	=> 'Allow uploading of avatars from another website.',
+	'ALLOW_REMOTE_UPLOAD_EXPLAIN'	=> 'Allow uploading of avatars from another website.<br><em><strong class="error">Warning:</strong> Enabling this feature might allow users to check for the existence of files and services that are only accessible on the local network.</em>',
 	'ALLOW_UPLOAD'					=> 'Enable avatar uploading',
 	'AVATAR_GALLERY_PATH'			=> 'Avatar gallery path',
 	'AVATAR_GALLERY_PATH_EXPLAIN'	=> 'Path under your phpBB root directory for pre-loaded images, e.g. <samp>images/avatars/gallery</samp>.<br>Double dots like <samp>../</samp> will be stripped from the path for security reasons.',

phpBB/language/en/acp/common.php

@@ -325,6 +325,7 @@ $lang = array_merge($lang, array(
 	'TOTAL_SIZE'			=> 'Total size',
 
 	'UCP'					=> 'User Control Panel',
+	'URL_INVALID'			=> 'The provided URL for the setting “%1$s” is invalid.',
 	'USERNAMES_EXPLAIN'		=> 'Place each username on a separate line.',
 	'USER_CONTROL_PANEL'	=> 'User Control Panel',
 

phpBB/phpbb/avatar/driver/upload.php

@@ -148,7 +148,8 @@ class upload extends \phpbb\avatar\driver\driver
 
 			// Do not allow specifying the port (see RFC 3986) or IP addresses
 			// remote_upload() will do its own check for allowed filetypes
-			if (preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
+			if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url) ||
+				preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
 				preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
 				preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
 			{

phpBB/phpbb/avatar/manager.php

@@ -271,7 +271,7 @@ class manager
 		$config_name = $driver->get_config_name();
 
 		return array(
-			'allow_avatar_' . $config_name	=> array('lang' => 'ALLOW_' . strtoupper(str_replace('\\', '_', $config_name)),		'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => false),
+			'allow_avatar_' . $config_name	=> array('lang' => 'ALLOW_' . strtoupper(str_replace('\\', '_', $config_name)),		'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
 		);
 	}
 

phpBB/phpbb/db/migration/data/v32x/disable_remote_avatar.php

@@ -0,0 +1,34 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v32x;
+
+use phpbb\db\migration\migration;
+
+class disable_remote_avatar extends migration
+{
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v325',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('allow_avatar_remote', '0')),
+			array('config.update', array('allow_avatar_remote_upload', '0')),
+		);
+	}
+}

phpBB/phpbb/db/migration/data/v32x/smtp_dynamic_data.php

@@ -0,0 +1,42 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v32x;
+
+class smtp_dynamic_data extends \phpbb\db\migration\migration
+{
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v326rc1',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('custom', array(array($this, 'set_smtp_dynamic'))),
+		);
+	}
+
+	public function set_smtp_dynamic()
+	{
+		$smtp_auth_entries = [
+			'smtp_password',
+			'smtp_username',
+		];
+		$this->sql_query('UPDATE ' . CONFIG_TABLE . '
+			SET is_dynamic = 1
+			WHERE ' . $this->db->sql_in_set('config_name', $smtp_auth_entries));
+	}
+}

phpBB/phpbb/db/migration/data/v32x/v326.php

@@ -0,0 +1,39 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v326 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.6', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v326rc1',
+			'\phpbb\db\migration\data\v32x\disable_remote_avatar',
+			'\phpbb\db\migration\data\v32x\smtp_dynamic_data',
+		);
+
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.6')),
+		);
+	}
+}

phpBB/phpbb/db/migration/data/v32x/v327rc1.php

@@ -0,0 +1,36 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v32x;
+
+class v327rc1 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return phpbb_version_compare($this->config['version'], '3.2.7-RC1', '>=');
+	}
+
+	static public function depends_on()
+	{
+		return array(
+			'\phpbb\db\migration\data\v32x\v326',
+		);
+	}
+
+	public function update_data()
+	{
+		return array(
+			array('config.update', array('version', '3.2.7-RC1')),
+		);
+	}
+}

phpBB/phpbb/install/helper/config.php

@@ -330,6 +330,8 @@ class config
 
 		fwrite($fp, $file_content);
 		fclose($fp);
+		// Enforce 0600 permission for install config
+		$this->filesystem->chmod([$this->install_config_file], 0600);
 	}
 
 	/**

phpBB/phpbb/search/fulltext_native.php

@@ -190,7 +190,7 @@ class fulltext_native extends \phpbb\search\base
 	*/
 	public function split_keywords($keywords, $terms)
 	{
-		$tokens = '+-|()*';
+		$tokens = '+-|()* ';
 
 		$keywords = trim($this->cleanup($keywords, $tokens));
 
@@ -224,12 +224,10 @@ class fulltext_native extends \phpbb\search\base
 						$keywords[$i] = '|';
 					break;
 					case '*':
-						if ($i === 0 || ($keywords[$i - 1] !== '*' && strcspn($keywords[$i - 1], $tokens) === 0))
+						// $i can never be 0 here since $open_bracket is initialised to false
+						if (strpos($tokens, $keywords[$i - 1]) !== false && ($i + 1 === $n || strpos($tokens, $keywords[$i + 1]) !== false))
 						{
-							if ($i === $n - 1 || ($keywords[$i + 1] !== '*' && strcspn($keywords[$i + 1], $tokens) === 0))
-							{
-								$keywords = substr($keywords, 0, $i) . substr($keywords, $i + 1);
-							}
+							$keywords[$i] = '|';
 						}
 					break;
 				}
@@ -264,7 +262,7 @@ class fulltext_native extends \phpbb\search\base
 			}
 		}
 
-		if ($open_bracket)
+		if ($open_bracket !== false)
 		{
 			$keywords .= ')';
 		}
@@ -307,6 +305,20 @@ class fulltext_native extends \phpbb\search\base
 			}
 		}
 
+		// Remove non trailing wildcards from each word to prevent a full table scan (it's now using the database index)
+		$match = '#\*(?!$|\s)#';
+		$replace = '$1';
+		$keywords = preg_replace($match, $replace, $keywords);
+
+		// Only allow one wildcard in the search query to limit the database load
+		$match = '#\*#';
+		$replace = '$1';
+		$count_wildcards = substr_count($keywords, '*');
+
+		// Reverse the string to remove all wildcards except the first one
+		$keywords = strrev(preg_replace($match, $replace, strrev($keywords), $count_wildcards - 1));
+		unset($count_wildcards);
+
 		// set the search_query which is shown to the user
 		$this->search_query = $keywords;
 
@@ -409,8 +421,16 @@ class fulltext_native extends \phpbb\search\base
 				{
 					if (strpos($word_part, '*') !== false)
 					{
-						$id_words[] = '\'' . $this->db->sql_escape(str_replace('*', '%', $word_part)) . '\'';
-						$non_common_words[] = $word_part;
+						$len = utf8_strlen(str_replace('*', '', $word_part));
+						if ($len >= $this->word_length['min'] && $len <= $this->word_length['max'])
+						{
+							$id_words[] = '\'' . $this->db->sql_escape(str_replace('*', '%', $word_part)) . '\'';
+							$non_common_words[] = $word_part;
+						}
+						else
+						{
+							$this->common_words[] = $word_part;
+						}
 					}
 					else if (isset($words[$word_part]))
 					{

phpBB/phpbb/textformatter/s9e/link_helper.php

@@ -60,8 +60,10 @@ class link_helper
 		$length = $end - $start;
 		$text   = substr($parser->getText(), $start, $length);
 
-		// Create a tag that consumes the link's text
-		$parser->addSelfClosingTag('LINK_TEXT', $start, $length)->setAttribute('text', $text);
+		// Create a tag that consumes the link's text and make it depends on this tag
+		$link_text_tag = $parser->addSelfClosingTag('LINK_TEXT', $start, $length);
+		$link_text_tag->setAttribute('text', $text);
+		$tag->cascadeInvalidationTo($link_text_tag);
 	}
 
 	/**

phpBB/styles/prosilver/style.cfg

@@ -21,8 +21,8 @@
 # General Information about this style
 name = prosilver
 copyright = © phpBB Limited, 2007
-style_version = 3.2.6
-phpbb_version = 3.2.6
+style_version = 3.2.7
+phpbb_version = 3.2.7
 
 # Defining a different template bitfield
 # template_bitfield = //g=

phpBB/styles/prosilver/template/index_body.html

@@ -29,6 +29,7 @@
 			<!-- ENDIF -->
 			<input type="submit" tabindex="5" name="login" value="{L_LOGIN}" class="button2" />
 			{S_LOGIN_REDIRECT}
+			{S_FORM_TOKEN_LOGIN}
 		</fieldset>
 	</form>
 <!-- ENDIF -->

phpBB/styles/prosilver/template/login_body.html

@@ -33,6 +33,7 @@
 		<!-- ENDIF -->
 
 		{S_LOGIN_REDIRECT}
+		{S_FORM_TOKEN_LOGIN}
 		<dl>
 			<dt>&nbsp;</dt>
 			<dd>{S_HIDDEN_FIELDS}<input type="submit" name="login" tabindex="6" value="{L_LOGIN}" class="button1" /></dd>

phpBB/styles/prosilver/template/login_forum.html

@@ -25,6 +25,7 @@
 				<dd><input type="password" tabindex="1" id="password" name="password" size="25" class="inputbox narrow" autocomplete="off" /></dd>
 			</dl>
 			{S_LOGIN_REDIRECT}
+			{S_FORM_TOKEN_LOGIN}
 			<dl>
 				<dt>&nbsp;</dt>
 				<dd>{S_HIDDEN_FIELDS}<input type="submit" name="login" id="login" class="button1" value="{L_LOGIN}" tabindex="2" /></dd>

phpBB/styles/prosilver/template/viewforum_body.html

@@ -114,6 +114,7 @@
 					<dd><input type="submit" name="login" tabindex="5" value="{L_LOGIN}" class="button1" /></dd>
 				</dl>
 				{S_LOGIN_REDIRECT}
+				{S_FORM_TOKEN_LOGIN}
 				</fieldset>
 			</div>
 

phpBB/viewforum.php

@@ -198,6 +198,9 @@ if (!($forum_data['forum_type'] == FORUM_POST || (($forum_data['forum_flags'] &
 // We also make this circumstance available to the template in case we want to display a notice. ;)
 if (!$auth->acl_gets('f_read', 'f_list_topics', $forum_id))
 {
+	// Add form token for login box
+	add_form_key('login', '_LOGIN');
+
 	$template->assign_vars(array(
 		'S_NO_READ_ACCESS'		=> true,
 	));

tests/avatar/manager_test.php

@@ -185,7 +185,7 @@ class phpbb_avatar_manager_test extends \phpbb_database_test_case
 		$avatar_settings = $this->manager->get_avatar_settings($this->avatar_foobar);
 
 		$expected_settings = array(
-			'allow_avatar_' . get_class($this->avatar_foobar)	=> array('lang' => 'ALLOW_' . strtoupper(get_class($this->avatar_foobar)), 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => false),
+			'allow_avatar_' . get_class($this->avatar_foobar)	=> array('lang' => 'ALLOW_' . strtoupper(get_class($this->avatar_foobar)), 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true),
 		);
 
 		$this->assertEquals($expected_settings, $avatar_settings);

tests/functions_acp/validate_config_vars_test.php

@@ -19,10 +19,11 @@ class phpbb_functions_acp_validate_config_vars_test extends phpbb_test_case
 	{
 		parent::setUp();
 
-		global $user;
+		global $language, $user;
 
 		$user = new phpbb_mock_user();
 		$user->lang = new phpbb_mock_lang();
+		$language = $user->lang;
 	}
 
 	/**
@@ -44,6 +45,7 @@ class phpbb_functions_acp_validate_config_vars_test extends phpbb_test_case
 					'test_int_32'			=> array('lang' => 'TEST_INT',			'validate' => 'int:32'),
 					'test_int_32_64'		=> array('lang' => 'TEST_INT',			'validate' => 'int:32:64'),
 					'test_lang'				=> array('lang' => 'TEST_LANG',			'validate' => 'lang'),
+					'test_url'				=> array('lang' => 'TEST_URL',			'validate' => 'url'),
 					/*
 					'test_sp'				=> array('lang' => 'TEST_SP',			'validate' => 'script_path'),
 					'test_rpath'			=> array('lang' => 'TEST_RPATH',		'validate' => 'rpath'),
@@ -64,6 +66,7 @@ class phpbb_functions_acp_validate_config_vars_test extends phpbb_test_case
 					'test_int_32'		=> 32,
 					'test_int_32_64'	=> 48,
 					'test_lang'			=> 'en',
+					'test_url'			=> 'http://foobar.com',
 				),
 			),
 		);
@@ -148,6 +151,11 @@ class phpbb_functions_acp_validate_config_vars_test extends phpbb_test_case
 				array('test_lang'		=> 'this_is_no_language'),
 				array('WRONG_DATA_LANG'),
 			),
+			array(
+				array('test_url'		=> array('lang' => 'TEST_URL',			'validate' => 'url')),
+				array('test_url'		=> 'javascript://foobar.com'),
+				array('URL_INVALID TEST_URL'),
+			),
 		);
 	}
 

tests/search/native_test.php

@@ -70,7 +70,7 @@ class phpbb_search_native_test extends phpbb_search_test_case
 				'ba*az',
 				'all',
 				true,
-				array('\'ba%az\''),
+				array(4),
 				array(),
 				array(),
 			),
@@ -78,7 +78,7 @@ class phpbb_search_native_test extends phpbb_search_test_case
 				'ba*z',
 				'all',
 				true,
-				array('\'ba%z\''),
+				array(), // <= 3 chars after removing *
 				array(),
 				array(),
 			),
@@ -86,7 +86,7 @@ class phpbb_search_native_test extends phpbb_search_test_case
 				'baa* baaz*',
 				'all',
 				true,
-				array('\'baa%\'', '\'baaz%\''),
+				array('\'baa%\'', 4),
 				array(),
 				array(),
 			),
@@ -94,7 +94,7 @@ class phpbb_search_native_test extends phpbb_search_test_case
 				'ba*z baa*',
 				'all',
 				true,
-				array('\'ba%z\'', '\'baa%\''),
+				array('\'baa%\''), // baz is <= 3 chars, only baa* is left
 				array(),
 				array(),
 			),

tests/test_framework/phpbb_functional_test_case.php

@@ -397,6 +397,14 @@ class phpbb_functional_test_case extends phpbb_test_case
 		global $phpbb_container;
 		$phpbb_container->reset();
 
+		// Purge cache to remove cached files
+		$phpbb_container = new phpbb_mock_container_builder();
+		$phpbb_container->setParameter('core.environment', PHPBB_ENVIRONMENT);
+		$phpbb_container->setParameter('core.cache_dir', $phpbb_root_path . 'cache/' . PHPBB_ENVIRONMENT . '/');
+
+		$cache = new \phpbb\cache\driver\file;
+		$cache->purge();
+
 		$blacklist = ['phpbb_class_loader_mock', 'phpbb_class_loader_ext', 'phpbb_class_loader'];
 
 		foreach (array_keys($GLOBALS) as $key)

tests/text_formatter/s9e/default_formatting_test.php

@@ -253,6 +253,10 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 				'[url=http://example.org/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[/url]',
 				'<a href="http://example.org/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" class="postlink">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</a>'
 			),
+			array(
+				'[url=http://example.org/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]http://example.org/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[/url]',
+				'<a href="http://example.org/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" class="postlink">http://example.org/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</a>'
+			),
 			array(
 				'[quote="[url=http://example.org]xxx[/url]"]...[/quote]',
 				'<blockquote><div><cite><a href="http://example.org" class="postlink">xxx</a> wrote:</cite>...</div></blockquote>'