
Commit 06a3bfd

committed
Merge branch '3.2.x'
2 parents 5849fb6 + 7801bac commit 06a3bfd

25 files changed

Lines changed: 141 additions & 375 deletions


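--- a/build/build.xml
+++ b/build/build.xml
@@ -3,8 +3,8 @@
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 <!-- a few settings for the build -->
 <property name="newversion" value="3.3.0-a1-dev" />
-<property name="prevversion" value="3.2.4-RC1" />
-<property name="olderversions" value="3.0.14, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3" />
+<property name="prevversion" value="3.2.4" />
+<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0-a1, 3.2.0-a2, 3.2.0-b1, 3.2.0-b2, 3.2.0-RC1, 3.2.0-RC2, 3.2.0, 3.2.1, 3.2.2, 3.2.3" />
 <!-- no configuration should be needed beyond this point -->
 
 <property name="oldversions" value="${olderversions}, ${prevversion}" />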

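--- a/phpBB/adm/style/acp_attachments.html
+++ b/phpBB/adm/style/acp_attachments.html
@@ -37,12 +37,6 @@ <h2>{L_UPLOADING_FILES}</h2>
 
 <!-- IF S_ATTACHMENT_SETTINGS -->
 
-<!-- IF not S_THUMBNAIL_SUPPORT -->
-<div class="errorbox">
-<p>{L_NO_THUMBNAIL_SUPPORT}</p>
-</div>
-<!-- ENDIF -->
-
 <form id="attachsettings" method="post" action="{U_ACTION}">
 <!-- BEGIN options -->
 <!-- IF options.S_LEGEND -->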

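--- a/phpBB/config/installer/container/services_install_obtain_data.yml
+++ b/phpBB/config/installer/container/services_install_obtain_data.yml
@@ -33,13 +33,6 @@ services:
 tags:
 - { name: install_obtain_data, order: 40 }
 
-installer.obtain_data.obtain_imagick_path:
-class: phpbb\install\module\obtain_data\task\obtain_imagick_path
-arguments:
-- '@installer.helper.config'
-tags:
-- { name: install_obtain_data, order: 60 }
-
 installer.obtain_data.obtain_server_data:
 class: phpbb\install\module\obtain_data\task\obtain_server_data
 arguments: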

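--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -50,6 +50,7 @@ <h1>Changelog</h1>
 <ol>
 <li><a href="#changelog">Changelog</a>
 <ul>
+<li><a href="#v324rc1">Changes since 3.2.4-RC1</a></li>
 <li><a href="#v323">Changes since 3.2.3</a></li>
 <li><a href="#v323rc2">Changes since 3.2.3-RC2</a></li>
 <li><a href="#v323rc1">Changes since 3.2.3-RC1</a></li>
@@ -132,6 +133,16 @@ <h1>Changelog</h1>
 <div class="inner">
 
 <div class="content">
+<a name="v324rc1"></a><h3>Changes since 3.2.4-RC1</h3>
+<h4>Bug</h4>
+<ul>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-15860">PHPBB3-15860</a>] - Backups filenames arent saved in the expected format</li>
+</ul>
+<h4>Security Issue</h4>
+<ul>
+<li>[SECURITY-227] - Phar deserialization in ACP leads to Remote Code Execution</li>
+</ul>
+
 <a name="v323"></a><h3>Changes since 3.2.3</h3>
 <h4>Bug</h4>
 <ul>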

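--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@@ -159,7 +159,6 @@ <h1>Install</h1>
 <li>zlib Compression support</li>
 <li>Remote FTP support</li>
 <li>XML support</li>
-<li>ImageMagick support</li>
 <li>GD Support</li>
 </ul>
 </li>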

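--- a/phpBB/includes/acp/acp_attachments.php
+++ b/phpBB/includes/acp/acp_attachments.php
@@ -163,7 +163,6 @@ function main($id, $mode)
 'img_create_thumbnail' => array('lang' => 'CREATE_THUMBNAIL', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true),
 'img_max_thumb_width' => array('lang' => 'MAX_THUMB_WIDTH', 'validate' => 'int:0:999999999999999', 'type' => 'number:0:999999999999999', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']),
 'img_min_thumb_filesize' => array('lang' => 'MIN_THUMB_FILESIZE', 'validate' => 'int:0:999999999999999', 'type' => 'number:0:999999999999999', 'explain' => true, 'append' => ' ' . $user->lang['BYTES']),
-'img_imagick' => array('lang' => 'IMAGICK_PATH', 'validate' => 'absolute_path', 'type' => 'text:20:200', 'explain' => true, 'append' => '&nbsp;&nbsp;<span>[ <a href="' . $this->u_action . '&amp;action=imgmagick">' . $user->lang['SEARCH_IMAGICK'] . '</a> ]</span>'),
 'img_max' => array('lang' => 'MAX_IMAGE_SIZE', 'validate' => 'int:0:9999', 'type' => 'dimension:0:9999', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']),
 'img_link' => array('lang' => 'IMAGE_LINK_SIZE', 'validate' => 'int:0:9999', 'type' => 'dimension:0:9999', 'explain' => true, 'append' => ' ' . $user->lang['PIXEL']),
 )
@@ -230,38 +229,6 @@ function main($id, $mode)
 
 $template->assign_var('S_ATTACHMENT_SETTINGS', true);
 
-if ($action == 'imgmagick')
-{
-$this->new_config['img_imagick'] = $this->search_imagemagick();
-}
-
-// We strip eventually manual added convert program, we only want the patch
-if ($this->new_config['img_imagick'])
-{
-// Change path separator
-$this->new_config['img_imagick'] = str_replace('\\', '/', $this->new_config['img_imagick']);
-$this->new_config['img_imagick'] = str_replace(array('convert', '.exe'), array('', ''), $this->new_config['img_imagick']);
-
-// Check for trailing slash
-if (substr($this->new_config['img_imagick'], -1) !== '/')
-{
-$this->new_config['img_imagick'] .= '/';
-}
-}
-
-$supported_types = get_supported_image_types();
-
-// Check Thumbnail Support
-if (!$this->new_config['img_imagick'] && (!isset($supported_types['format']) || !count($supported_types['format'])))
-{
-$this->new_config['img_create_thumbnail'] = 0;
-}
-
-$template->assign_vars(array(
-'U_SEARCH_IMAGICK' => $this->u_action . '&amp;action=imgmagick',
-'S_THUMBNAIL_SUPPORT' => (!$this->new_config['img_imagick'] && (!isset($supported_types['format']) || !count($supported_types['format']))) ? false : true)
-);
-
 // Secure Download Options - Same procedure as with banning
 $allow_deny = ($this->new_config['secure_allow_deny']) ? 'ALLOWED' : 'DISALLOWED';
 
@@ -1485,44 +1452,47 @@ function group_select($select_name, $default_group = false, $key = '')
 }
 
 /**
-* Search Imagick
+* Test Settings
 */
-function search_imagemagick()
+function test_upload(&$error, $upload_dir, $create_directory = false)
 {
-$imagick = '';
-
-$exe = ((defined('PHP_OS')) && (preg_match('#^win#i', PHP_OS))) ? '.exe' : '';
+global $user, $phpbb_root_path;
 
-$magic_home = getenv('MAGICK_HOME');
-
-if (empty($magic_home))
+// Does the target directory exist, is it a directory and writable.
+if ($create_directory)
 {
-$locations = array('C:/WINDOWS/', 'C:/WINNT/', 'C:/WINDOWS/SYSTEM/', 'C:/WINNT/SYSTEM/', 'C:/WINDOWS/SYSTEM32/', 'C:/WINNT/SYSTEM32/', '/usr/bin/', '/usr/sbin/', '/usr/local/bin/', '/usr/local/sbin/', '/opt/', '/usr/imagemagick/', '/usr/bin/imagemagick/');
-$path_locations = str_replace('\\', '/', (explode(($exe) ? ';' : ':', getenv('PATH'))));
-
-$locations = array_merge($path_locations, $locations);
-
-foreach ($locations as $location)
+if (!file_exists($phpbb_root_path . $upload_dir))
 {
-// The path might not end properly, fudge it
-if (substr($location, -1) !== '/')
+@mkdir($phpbb_root_path . $upload_dir, 0777);
+
+try
 {
-$location .= '/';
+$this->filesystem->phpbb_chmod($phpbb_root_path . $upload_dir, CHMOD_READ | CHMOD_WRITE);
 }
-
-if (@file_exists($location) && @is_readable($location . 'mogrify' . $exe) && @filesize($location . 'mogrify' . $exe) > 3000)
+catch (\phpbb\filesystem\exception\filesystem_exception $e)
 {
-$imagick = str_replace('\\', '/', $location);
-continue;
+// Do nothing
 }
 }
 }
-else
+
+if (!file_exists($phpbb_root_path . $upload_dir))
 {
-$imagick = str_replace('\\', '/', $magic_home);
+$error[] = sprintf($user->lang['NO_UPLOAD_DIR'], $upload_dir);
+return;
 }
 
-return $imagick;
+if (!is_dir($phpbb_root_path . $upload_dir))
+{
+$error[] = sprintf($user->lang['UPLOAD_NOT_DIR'], $upload_dir);
+return;
+}
+
+if (!$this->filesystem->is_writable($phpbb_root_path . $upload_dir))
+{
+$error[] = sprintf($user->lang['NO_WRITE_UPLOAD'], $upload_dir);
+return;
+}
 }
 
 /**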
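Review bot: `@mkdir($phpbb_root_path . $upload_dir, 0777);` in test_upload creates the upload directory world-writable (minus umask), and when the phpbb_chmod() that follows throws, the `// Do nothing` catch hides it, so a directory left writable by every local user still passes the check. These lines show up as additions only because the deleted search_imagemagick() was aligned against them; they are presumably the pre-existing test_upload body rather than code this commit wrote, but they are what survives on the new side. At minimum the bare comment should record why the failure is tolerated, e.g. `// A failed chmod is not an error here: the is_writable() check below decides whether the directory is usable`, and the directory could be created with a tighter mode and only widened by phpbb_chmod(). The meaning of CHMOD_READ | CHMOD_WRITE and test_upload's callers are outside the hunk.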

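--- a/phpBB/includes/acp/acp_database.php
+++ b/phpBB/includes/acp/acp_database.php
@@ -266,7 +266,7 @@ function main($id, $mode)
 $file = $request->variable('file', '');
 $download = $request->variable('download', '');
 
-if (!preg_match('#^backup_\d{10,}_[a-z\d]{16}\.(sql(?:\.(?:gz|bz2))?)$#', $file, $matches))
+if (!preg_match('#^backup_\d{10,}_(?:[a-z\d]{16}|[a-z\d]{32})\.(sql(?:\.(?:gz|bz2))?)$#i', $file, $matches))
 {
 trigger_error($user->lang['BACKUP_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
@@ -504,7 +504,7 @@ function main($id, $mode)
 
 while ($row = $db->sql_fetchrow($result))
 {
-if (preg_match('#^backup_(\d{10,})_[a-z\d]{16}\.(sql(?:\.(?:gz|bz2))?)$#', $row['filename'], $matches))
+if (preg_match('#^backup_(\d{10,})_(?:[a-z\d]{16}|[a-z\d]{32})\.(sql(?:\.(?:gz|bz2))?)$#i', $row['filename'], $matches))
 {
 if (in_array($matches[2], $methods))
 {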
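Review bot: The added `i` modifier applies to the extension group as well as the ID, so `$matches[1]` (and `$matches[2]` in the listing loop) can now carry `SQL` or `Sql.GZ`, which the previous lowercase-only pattern never produced; in the listing hunk `in_array($matches[2], $methods)` would then silently skip such a file, and what the download branch does with `$matches[1]` after line 272 is outside the hunk. Presumably the modifier and the `{32}` alternative exist so backups written by the old 32-character, mixed-case unique_id() (changed in functions.php in this same commit) remain listed and downloadable, which is worth recording next to the pattern: `// Accept 16-char (current unique_id()) and legacy 32-char mixed-case IDs; see PHPBB3-15860`. Normalising once with `$matches[1] = strtolower($matches[1]);` would keep the later comparisons exact. The enclosing main() starts and ends outside both hunks.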

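--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -103,7 +103,7 @@ function gen_rand_string_friendly($num_chars = 8)
 */
 function unique_id()
 {
-return gen_rand_string(32);
+return strtolower(gen_rand_string(16));
 }
 
 /**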
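Review bot: unique_id() now returns 16 characters instead of 32, which halves the identifier length for every caller, not only the backup filenames that PHPBB3-15860 is about; whether 16 characters of gen_rand_string()'s alphabet still give enough entropy for any security-sensitive consumer depends on that function, which is outside the hunk, and the docblock above line 104 (also outside the hunk) presumably still describes the old output. The reason for the new shape is visible in acp_database.php in this same commit, which expects `backup_<ts>_[a-z\d]{16}`, so the function body should say so: `// 16 lowercase alphanumerics: acp_database's backup filename pattern depends on exactly this shape`. If the shorter length is only needed for backup names, taking the 16 from gen_rand_string() at that one call site would avoid changing every other consumer of unique_id().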

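--- a/phpBB/includes/functions_acp.php
+++ b/phpBB/includes/functions_acp.php
@@ -567,9 +567,6 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 
 $cfg_array[$config_name] = trim($destination);
 
-// Absolute file path
-case 'absolute_path':
-case 'absolute_path_writable':
 // Path being relative (still prefixed by phpbb_root_path), but with the ability to escape the root dir...
 case 'path':
 case 'wpath':
@@ -588,7 +585,7 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 break;
 }
 
-$path = in_array($config_definition['validate'], array('wpath', 'path', 'rpath', 'rwpath')) ? $phpbb_root_path . $cfg_array[$config_name] : $cfg_array[$config_name];
+$path = $phpbb_root_path . $cfg_array[$config_name];
 
 if (!file_exists($path))
 {
@@ -601,7 +598,7 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 }
 
 // Check if the path is writable
-if ($config_definition['validate'] == 'wpath' || $config_definition['validate'] == 'rwpath' || $config_definition['validate'] === 'absolute_path_writable')
+if ($config_definition['validate'] == 'wpath' || $config_definition['validate'] == 'rwpath')
 {
 if (file_exists($path) && !$phpbb_filesystem->is_writable($path))
 {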
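Review bot: `$path = $phpbb_root_path . $cfg_array[$config_name];` is now the only way a configured path reaches `file_exists()`, and nothing in the hunk records why the unprefixed branch was dropped; given the [SECURITY-227] Phar-deserialization entry in this commit's changelog, the point is presumably that an admin-controlled absolute value could be a stream wrapper such as `phar://`, which `file_exists()` would dereference. A comment keeps the next maintainer from re-adding an absolute-path case: `// Always anchor under phpbb_root_path: a raw admin-supplied path could be a stream wrapper (phar://...) that file_exists() would open`. Note that the `path`/`wpath` comment on line 570 still says the value can escape the root dir, so the anchoring blocks wrapper prefixes, not `..` traversal, and the writable check still applies only to wpath/rwpath. validate_config_vars() begins and ends outside these hunks.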

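--- a/phpBB/includes/functions_posting.php
+++ b/phpBB/includes/functions_posting.php
@@ -491,7 +491,7 @@ function get_supported_image_types($type = false)
 */
 function create_thumbnail($source, $destination, $mimetype)
 {
-global $config, $phpbb_filesystem;
+global $config, $phpbb_filesystem, $phpbb_dispatcher;
 
 $min_filesize = (int) $config['img_min_thumb_filesize'];
 $img_filesize = (file_exists($source)) ? @filesize($source) : false;
@@ -523,25 +523,31 @@ function create_thumbnail($source, $destination, $mimetype)
 return false;
 }
 
-$used_imagick = false;
+$thumbnail_created = false;
 
-// Only use ImageMagick if defined and the passthru function not disabled
-if ($config['img_imagick'] && function_exists('passthru'))
-{
-if (substr($config['img_imagick'], -1) !== '/')
-{
-$config['img_imagick'] .= '/';
-}
-
-@passthru(escapeshellcmd($config['img_imagick']) . 'convert' . ((defined('PHP_OS') && preg_match('#^win#i', PHP_OS)) ? '.exe' : '') . ' -quality 85 -geometry ' . $new_width . 'x' . $new_height . ' "' . str_replace('\\', '/', $source) . '" "' . str_replace('\\', '/', $destination) . '"');
-
-if (file_exists($destination))
-{
-$used_imagick = true;
-}
-}
+/**
+* Create thumbnail event to replace GD thumbnail creation with for example ImageMagick
+*
+* @event core.thumbnail_create_before
+* @var string source Image source path
+* @var string destination Thumbnail destination path
+* @var string mimetype Image mime type
+* @var float new_width Calculated thumbnail width
+* @var float new_height Calculated thumbnail height
+* @var bool thumbnail_created Set to true to skip default GD thumbnail creation
+* @since 3.2.4
+*/
+$vars = array(
+'source',
+'destination',
+'mimetype',
+'new_width',
+'new_height',
+'thumbnail_created',
+);
+extract($phpbb_dispatcher->trigger_event('core.thumbnail_create_before', compact($vars)));
 
-if (!$used_imagick)
+if (!$thumbnail_created)
 {
 $type = get_supported_image_types($type);
 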
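Review bot: After the event, `if (!$thumbnail_created)` takes a listener's word that the thumbnail exists, whereas the ImageMagick branch it replaces set `$used_imagick` only after `file_exists($destination)` succeeded; a listener that sets the flag without writing the file now makes create_thumbnail() continue as if it had succeeded, and what that leads to depends on code after the hunk. A one-line guard directly after the `extract()` call restores the old check: `if ($thumbnail_created && !file_exists($destination)) { $thumbnail_created = false; }`. The `extract()` also lets listeners replace `$source` and `$destination` (they are in `$vars`), which is the point of the event but deserves a sentence in the event docblock so extension authors know the paths they return are the ones GD will use. create_thumbnail() continues past the end of the hunk.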