Merge remote-tracking branch 'upstream/master'

Author: marc1706

.github/workflows/tests.yml

@@ -503,7 +503,7 @@ jobs:
               uses: shivammathur/setup-php@v2
               with:
                   php-version: ${{ matrix.php }}
-                  extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, intl, gd, exif, iconv, pgsql, pdo_pgsql
+                  extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, intl, gd, exif, iconv, pgsql, pdo_pgsql, sodium
                   ini-values: upload_tmp_dir=${{ runner.temp }}, sys_temp_dir=${{ runner.temp }}
                   coverage: none
 

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please do not post potential security vulnerabilities publicly. Instead, report them to the phpBB team.
+We take security very seriously and will respond to reports about potential security vulnerabilities as quickly as possible.
+There are multiple ways a potential security vulnerability can be reported:
+
+- HackerOne: [phpBB | Vulnerability Disclosure Program | HackerOne](https://hackerone.com/phpbb)
+- Create a report in the security tracker: [Security Tracker](https://www.phpbb.com/security/)
+- Send an email: [security@phpbb.com](mailto:security@phpbb.com)
+
+Please provide as much detail as possible when reporting a vulnerability. You can expect to receive an update on your report within a few days. If the vulnerability is accepted, we will work on a fix and keep you informed of the progress. If the vulnerability is declined, we will provide an explanation.

Vagrantfile

@@ -11,15 +11,15 @@ aliasesPath = "vagrant/aliases"
 require File.expand_path(confDir + '/scripts/homestead.rb')
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-    if File.exists? aliasesPath then
+    if File.exist? aliasesPath then
         config.vm.provision "file", source: aliasesPath, destination: "~/.bash_aliases"
     end
 
-    if File.exists? homesteadYamlPath then
+    if File.exist? homesteadYamlPath then
         Homestead.configure(config, YAML::load(File.read(homesteadYamlPath)))
     end
 
-    if File.exists? afterScriptPath then
+    if File.exist? afterScriptPath then
         config.vm.provision "shell", path: afterScriptPath
     end
 end

build/build.xml

@@ -3,8 +3,8 @@
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
 	<property name="newversion" value="4.0.0-a1-dev" />
-	<property name="prevversion" value="3.3.14" />
-	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13" />
+	<property name="prevversion" value="3.3.15" />
+	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />

build/psalm_bootstrap.php

@@ -33,7 +33,6 @@
 require_once $phpbb_root_path . 'includes/functions_content.' . $phpEx;
 require_once $phpbb_root_path . 'includes/functions_display.' . $phpEx;
 require_once $phpbb_root_path . 'includes/functions_mcp.' . $phpEx;
-require_once $phpbb_root_path . 'includes/functions_messenger.' . $phpEx;
 require_once $phpbb_root_path . 'includes/functions_module.' . $phpEx;
 require_once $phpbb_root_path . 'includes/functions_posting.' . $phpEx;
 require_once $phpbb_root_path . 'includes/functions_privmsgs.' . $phpEx;

phpBB/adm/style/acp_bbcodes.html

@@ -14,7 +14,7 @@ <h1>{L_ACP_BBCODES}</h1>
 
 	<fieldset>
 		<legend>{L_BBCODE_USAGE}</legend>
-		<p>{L_BBCODE_USAGE_EXPLAIN}</p>
+		<p>{{ lang('BBCODE_USAGE_EXPLAIN', '<a href="#down">', '</a>') }}</p>
 	<dl>
 		<dt><label for="bbcode_match">{L_EXAMPLES}</label><br /><br /><span>{L_BBCODE_USAGE_EXAMPLE}</span></dt>
 		<dd><textarea id="bbcode_match" name="bbcode_match" cols="60" rows="5">{BBCODE_MATCH}</textarea></dd>
@@ -47,6 +47,17 @@ <h1>{L_ACP_BBCODES}</h1>
 	</dl>
 	</fieldset>
 
+	<fieldset>
+		<legend>{{ lang('APPEARANCE') }}</legend>
+	<dl>
+		<dt><label for="bbcode_font_icon">{{ lang('BBCODE_FONT_ICON') }}</label><br><span>{{ lang('BBCODE_FONT_ICON_EXPLAIN', '<a href="https://fontawesome.com/v6/icons/" target="_blank">', '</a>') }}</span></dt>
+		<dd>
+			<input type="text" name="bbcode_font_icon" id="bbcode_font_icon" value="{{ BBCODE_FONT_ICON }}" />
+			{{ Icon('font', ' ', '', false, '', {'id':'bbcode_icon_preview'}) }}
+		</dd>
+	</dl>
+	</fieldset>
+
 	<!-- EVENT acp_bbcodes_edit_fieldsets_after -->
 
 	<fieldset class="submit-buttons">

phpBB/adm/style/acp_storage.html

@@ -47,7 +47,7 @@ <h3>{{ lang('WARNING') }}</h3>
 						{% for provider in PROVIDERS %}
 							{% if provider.is_available %}
 								<option value="{{ get_class(provider) }}"{{ attribute(config, 'storage\\' ~ storage.get_name ~ '\\provider') ==  get_class(provider) ? ' selected' : '' }} data-toggle-setting="#{{ storage.get_name }}_{{ provider.get_name }}_settings">
-									{{ lang('STORAGE_ADAPTER_' ~ provider.get_name | upper ~ '_NAME') }}
+									{{ provider.get_title }}
 								</option>
 							{% endif %}
 						{% endfor %}
@@ -59,43 +59,42 @@ <h3>{{ lang('WARNING') }}</h3>
 		{% for provider in PROVIDERS %}
 			{% if provider.is_available %}
 				<fieldset id="{{ storage.get_name }}_{{ provider.get_name }}_settings">
-					<legend>{{ lang('STORAGE_' ~ storage.get_name | upper ~ '_TITLE') }} - {{ lang('STORAGE_ADAPTER_' ~ provider.get_name | upper ~ '_NAME') }}</legend>
+					<legend>{{ lang('STORAGE_' ~ storage.get_name | upper ~ '_TITLE') }} - {{ provider.get_title }}</legend>
 					{% for name, options in provider.get_options %}
 						<dl>
 							<dt>
-								{% set title = 'STORAGE_ADAPTER_' ~ provider.get_name | upper ~ '_OPTION_' ~ name | upper %}
-								{% set description = 'STORAGE_ADAPTER_' ~ provider.get_name | upper ~ '_OPTION_' ~ name | upper ~ '_EXPLAIN' %}
-								<label>{{ lang(title) ~ lang('COLON') }}</label>
-								{% if lang_defined(description) %}
-									<br /><span>{{ lang(description) }}</span>
+								<label>{{ options.title ~ lang('COLON') }}</label>
+								{% if options.description %}
+									<br /><span>{{ options.description }}</span>
 								{% endif %}
 							</dt>
 							<dd>
 								{% set input_name = storage.get_name ~ '[' ~ name ~ ']' %}
 								{% set input_value = attribute(config, 'storage\\' ~ storage.get_name ~ '\\config\\' ~ name) %}
+								{% set form_macro = options.form_macro %}
 
-								{% if options.tag == 'input' %}
-									{{ FormsInput(options | merge({"name": input_name, "value": input_value})) }}
-								{% elseif options.tag == 'textarea' %}
-									{{ FormsTextarea(options | merge({"name": input_name, "content": input_value})) }}
-								{% elseif options.tag == 'radio' %}
+								{% if form_macro.tag == 'input' %}
+									{{ FormsInput(form_macro | merge({"name": input_name, "value": input_value})) }}
+								{% elseif form_macro.tag == 'textarea' %}
+									{{ FormsTextarea(form_macro | merge({"name": input_name, "content": input_value})) }}
+								{% elseif form_macro.tag == 'radio' %}
 									{% set buttons = [] %}
 
-									{% for button in options.buttons %}
+									{% for button in form_macro.buttons %}
 										{% set new_button = button | merge({"name": input_name, "checked": button.value == input_value}) %}
 										{% set buttons = buttons | merge([new_button]) %}
 									{% endfor %}
 
-									{{ FormsRadioButtons(options | merge({"buttons": buttons})) }}
-								{% elseif options.tag == 'select' %}
+									{{ FormsRadioButtons(form_macro | merge({"buttons": buttons})) }}
+								{% elseif form_macro.tag == 'select' %}
 									{% set select_options = [] %}
 
-									{% for option in options.options %}
+									{% for option in form_macro.options %}
 										{% set new_option = option | merge({"selected": option.value == input_value}) %}
 										{% set select_options = select_options | merge([new_option]) %}
 									{% endfor %}
 
-									{{ FormsSelect(options | merge({"name": input_name, "options": select_options})) }}
+									{{ FormsSelect(form_macro | merge({"name": input_name, "options": select_options})) }}
 								{% endif %}
 							</dd>
 						</dl>
@@ -109,9 +108,9 @@ <h3>{{ lang('WARNING') }}</h3>
 		<dl>
 			<dt><label for="update_type">{{ lang('STORAGE_UPDATE_TYPE') ~ lang('COLON') }}</label></dt>
 			<dd>
-				<label><input id="update_type" class="radio" name="update_type" value="{{ STORAGE_UPDATE_TYPE_CONFIG }}" checked="checked" type="radio"> {{ lang('STORAGE_UPDATE_TYPE_CONFIG') }}</label>
+				<label><input class="radio" name="update_type" value="{{ STORAGE_UPDATE_TYPE_CONFIG }}" type="radio"> {{ lang('STORAGE_UPDATE_TYPE_CONFIG') }}</label>
 				<label><input class="radio" name="update_type" value="{{ STORAGE_UPDATE_TYPE_COPY }}" type="radio"> {{ lang('STORAGE_UPDATE_TYPE_COPY') }}</label>
-				<label><input class="radio" name="update_type" value="{{ STORAGE_UPDATE_TYPE_MOVE }}" type="radio"> {{ lang('STORAGE_UPDATE_TYPE_MOVE') }}</label>
+				<label><input class="radio" name="update_type" value="{{ STORAGE_UPDATE_TYPE_MOVE }}" type="radio" checked="checked" id="update_type"> {{ lang('STORAGE_UPDATE_TYPE_MOVE') }}</label>
 			</dd>
 		</dl>
 	</fieldset>

phpBB/adm/style/admin.js

@@ -123,8 +123,8 @@ function parse_document(container)
 				}
 
 				if ((text.length && text !== '-') || cell.children().length) {
-					if (headers[column] != '') {
-						cell.prepend('<dfn style="display: none;">' + headers[column] + '</dfn>');
+					if (headers[column].length) {
+						cell.prepend($("<dfn>").css('display', 'none').text(headers[column]));
 					}
 				}
 				else {
@@ -145,7 +145,7 @@ function parse_document(container)
 	*/
 	container.find('table.responsive > tbody').each(function() {
 		var items = $(this).children('tr');
-		if (items.length == 0)
+		if (!items.length)
 		{
 			$(this).parent('table:first').addClass('responsive-hide');
 		}
@@ -159,7 +159,21 @@ function parse_document(container)
 		if ($this.html() == '&nbsp;') {
 			$this.addClass('responsive-hide');
 		}
+	});
 
+	/**
+	 * Dynamically control a text field's maxlength (allows emoji to be counted as 1 character)
+	 */
+	container.find('#sitename_short').each(function() {
+		const $this = this;
+		const maxLength = $this.maxLength;
+		$this.maxLength = maxLength * 2;
+		$this.addEventListener('input', () => {
+			const inputChars = Array.from($this.value);
+			if (inputChars.length > maxLength) {
+				$this.value = inputChars.slice(0, maxLength).join('');
+			}
+		});
 	});
 
 	/**
@@ -186,7 +200,7 @@ function parse_document(container)
 			var width = $body.width(),
 				height = $this.height();
 
-			if (arguments.length == 0 && (!responsive || width <= lastWidth) && height <= maxHeight) {
+			if (!arguments.length && (!responsive || width <= lastWidth) && height <= maxHeight) {
 				return;
 			}
 
@@ -261,5 +275,34 @@ function parse_document(container)
 		$('.actions a:has(i.acp-icon)').mouseover(function () {
 			$(this).css("text-decoration", "none");
 		});
+
+		// Live update BBCode font icon preview
+		const updateIconClass = (element, newClass) => {
+			// Ignore invalid class names
+			const faIconRegex = /^(?!-)(?!.*--)[a-z0-9-]+(?<!-)$/;
+			if (!faIconRegex.test(newClass)) {
+				return;
+			}
+
+			element.classList.forEach(className => {
+				if (className.startsWith('fa-') && className !== 'fa-fw') {
+					element.classList.remove(className);
+				}
+			});
+
+			element.classList.add(`fa-${newClass}`);
+		};
+
+		const pageIconFont = document.getElementById('bbcode_font_icon');
+
+		if (pageIconFont) {
+			pageIconFont.addEventListener('keyup', function () {
+				updateIconClass(this.nextElementSibling, this.value);
+			});
+
+			pageIconFont.addEventListener('blur', function () {
+				updateIconClass(this.nextElementSibling, this.value);
+			});
+		}
 	});
 })(jQuery);

phpBB/adm/style/ajax.js

@@ -284,14 +284,20 @@ function submitPermissions() {
 				if ($alertBoxLink) {
 					// Remove forum_id[] from URL
 					$alertBoxLink.attr('href', $alertBoxLink.attr('href').replace(/(&forum_id\[\]=[0-9]+)/g, ''));
-					var previousPageForm = '<form action="' + $alertBoxLink.attr('href') + '" method="post">';
+					const $previousPageForm = $('<form>').attr({
+						action: $alertBoxLink.attr('href'),
+						method: 'post'
+					});
+
 					$.each(forumIds, function (key, value) {
-						previousPageForm += '<input type="text" name="forum_id[]" value="' + value + '" />';
+						$previousPageForm.append($('<input>').attr({
+							type: 'text',
+							name: 'forum_id[]',
+							value: value
+						}));
 					});
-					previousPageForm += '</form>';
 
 					$alertBoxLink.on('click', function (e) {
-						var $previousPageForm = $(previousPageForm);
 						$('body').append($previousPageForm);
 						e.preventDefault();
 						$previousPageForm.submit();
@@ -306,12 +312,19 @@ function submitPermissions() {
 					setTimeout(function () {
 						// Create forum to submit using POST. This will prevent
 						// exceeding the maximum length of URLs
-						var form = '<form action="' + res.REFRESH_DATA.url.replace(/(&forum_id\[\]=[0-9]+)/g, '') + '" method="post">';
+						const $form = $('<form>').attr({
+							action: res.REFRESH_DATA.url.replace(/(&forum_id\[\]=[0-9]+)/g, ''),
+							method: 'post'
+						});
+
 						$.each(forumIds, function (key, value) {
-							form += '<input type="text" name="forum_id[]" value="' + value + '" />';
+							$form.append($('<input>').attr({
+								type: 'text',
+								name: 'forum_id[]',
+								value: value
+							}));
 						});
-						form += '</form>';
-						$form = $(form);
+
 						$('body').append($form);
 
 						// Hide the alert even if we refresh the page, in case the user

phpBB/composer.json

@@ -27,9 +27,10 @@
 	},
 	"require": {
 		"php": "^8.1",
-		"ext-json": "*",
 		"ext-pdo": "*",
+		"ext-zip": "*",
 		"ext-zlib": "*",
+		"ext-sodium": "*",
 		"bantu/ini-get-wrapper": "~1.0",
 		"carlos-mg89/oauth": "^0.8.15",
 		"chita/topological_sort": "^3.0",
@@ -52,6 +53,7 @@
 		"symfony/http-foundation": "^6.3",
 		"symfony/http-kernel": "^6.3",
 		"symfony/polyfill-mbstring": "^1.23",
+		"symfony/mailer": "^6.3",
 		"symfony/mime": "^6.3",
 		"symfony/process": "^6.3",
 		"symfony/proxy-manager-bridge": "^6.3",