public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/forums:origin/3.2.x commit in: phpBB/phpbb/avatar/driver/, phpBB/docs/
@ 2019-05-04  5:20 Jimi Huotari
From: Jimi Huotari @ 2019-05-04  5:20 UTC
  To: gentoo-commits

commit:     2575b499a38ccf2480d5da9d5c566f47a9e2d824
Author:     Marc Alexander <admin <AT> m-a-styles <DOT> de>
AuthorDate: Sun Apr 28 16:15:33 2019 +0000
Commit:     Jimi Huotari <chiitoo <AT> gentoo <DOT> org>
CommitDate: Sun Apr 28 16:15:44 2019 +0000
URL:        https://gitweb.gentoo.org/proj/forums.git/commit/?id=2575b499

[prep-release-3.2.6] Update Changelog and add missing preg_match

 phpBB/docs/CHANGELOG.html            | 2 +-
 phpBB/phpbb/avatar/driver/upload.php | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index e8dcc2be2..c6f05ca30 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -151,7 +151,7 @@
 			<ul>
 				<li>[SECURITY-228] - Require form token in login_box</li>
 				<li>[SECURITY-233] - SMTP auth data shouldn't be cached</li>
-				<li>[SECURITY-234] - Main website URL can be set to JS URL in Admin Control Panel</li>
+				<li>[SECURITY-234] - Main website URL in Admin Control Panel should not support JS URLs</li>
 			</ul>
 
 			<a name="v325"></a><h3>Changes since 3.2.5</h3>

diff --git a/phpBB/phpbb/avatar/driver/upload.php b/phpBB/phpbb/avatar/driver/upload.php
index 77b44754a..a012bb15b 100644
--- a/phpBB/phpbb/avatar/driver/upload.php
+++ b/phpBB/phpbb/avatar/driver/upload.php
@@ -148,7 +148,8 @@ class upload extends \phpbb\avatar\driver\driver
 
 			// Do not allow specifying the port (see RFC 3986) or IP addresses
 			// remote_upload() will do its own check for allowed filetypes
-			if (preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
+			if (!preg_match('#^(http|https|ftp)://(?:(.*?\.)*?[a-z0-9\-]+?\.[a-z]{2,4}|(?:\d{1,3}\.){3,5}\d{1,3}):?([0-9]*?).*?\.('. implode('|', $this->allowed_extensions) . ')$#i', $url) ||
+				preg_match('@^(http|https|ftp)://[^/:?#]+:[0-9]+[/:?#]@i', $url) ||
 				preg_match('#^(http|https|ftp)://(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])#i', $url) ||
 				preg_match('#^(http|https|ftp)://(?:(?:(?:[\dA-F]{1,4}:){6}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:::(?:[\dA-F]{1,4}:){0,5}(?:[\dA-F]{1,4}(?::[\dA-F]{1,4})?|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:):(?:[\dA-F]{1,4}:){4}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,2}:(?:[\dA-F]{1,4}:){3}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,3}:(?:[\dA-F]{1,4}:){2}(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,4}:(?:[\dA-F]{1,4}:)(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,5}:(?:[\dA-F]{1,4}:[\dA-F]{1,4}|(?:(?:\d{1,2}|1\d
 \d|2[0-4]\d|25[0-5])\.){3}(?:\d{1,2}|1\d\d|2[0-4]\d|25[0-5])))|(?:(?:[\dA-F]{1,4}:){1,6}:[\dA-F]{1,4})|(?:(?:[\dA-F]{1,4}:){1,7}:)|(?:::))#i', $url))
 			{
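
Review bot: The added preg_match on the first + line interpolates implode('|', $this->allowed_extensions) into the pattern without preg_quote() and anchors the extension with $ instead of \z, so any extension containing a regex metacharacter would alter the expression, and, as far as these lines show, a URL ending in a newline still satisfies the check. Suggest building the alternation from preg_quote($ext, '#') for each entry and ending the pattern with \z (or adding the D modifier). Two further points on the same line. The host branch "[a-z0-9\-]+?\.[a-z]{2,4}" refuses hosts whose top-level domain is longer than four letters, which will reject otherwise valid avatar URLs. The pattern also admits a port (":?([0-9]*?)") and a dotted-number host ("(?:\d{1,3}\.){3,5}\d{1,3}"), which reads as contradicting the comment above it; those cases are only rejected by the preg_match calls that follow, so the comment should state that this first test is a URL-shape and extension allowlist and that the later tests do the port and IP rejection.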

