-rw-r--r--engine/lib/river.php10
-rw-r--r--engine/lib/users.php6
-rw-r--r--engine/lib/views.php20
-rw-r--r--engine/tests/objects/users.php16
-rw-r--r--mod/pages/pages/pages/history.php4
5 files changed, 47 insertions, 9 deletions
diff --git a/engine/lib/river.php b/engine/lib/river.php
index 4926a85c4..e92040eb7 100644
--- a/engine/lib/river.php
+++ b/engine/lib/river.php
@@ -120,7 +120,7 @@ $posted = 0, $annotation_id = 0) {
* subtypes => STR|ARR Entity subtype string(s)
* type_subtype_pairs => ARR Array of type => subtype pairs where subtype
* can be an array of subtype strings
- *
+ *
* posted_time_lower => INT The lower bound on the time posted
* posted_time_upper => INT The upper bound on the time posted
*
@@ -434,8 +434,13 @@ function elgg_list_river(array $options = array()) {
'pagination' => TRUE,
'list_class' => 'elgg-list-river elgg-river', // @todo remove elgg-river in Elgg 1.9
);
-
+
$options = array_merge($defaults, $options);
+
+ if (!$options["limit"] && !$options["offset"]) {
+ // no need for pagination if listing is unlimited
+ $options["pagination"] = false;
+ }
$options['count'] = TRUE;
$count = elgg_get_river($options);
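Review bot: The three added lines that turn pagination off are repeated verbatim in elgg_view_entity_list() and elgg_view_annotation_list() later in this commit, and they use double-quoted keys and lowercase `false` where the surrounding code writes `'pagination' => TRUE`. Matching the file's style, `if (!$options['limit'] && !$options['offset']) { $options['pagination'] = FALSE; }`, and moving the rule into one small helper called after the defaults are merged would keep the three call sites in step. Only the tail of `$defaults` is visible here, so it is worth confirming that both `limit` and `offset` are always set before they are read.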
@@ -445,6 +450,7 @@ function elgg_list_river(array $options = array()) {
$options['count'] = $count;
$options['items'] = $items;
+
return elgg_view('page/components/list', $options);
}
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 9a5194896..a8fb9121c 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -553,6 +553,11 @@ function get_user($guid) {
function get_user_by_username($username) {
global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE;
+ // Fixes #6052. Username is frequently sniffed from the path info, which,
+ // unlike $_GET, is not URL decoded. If the username was not URL encoded,
+ // this is harmless.
+ $username = rawurldecode($username);
+
$username = sanitise_string($username);
$access = get_access_sql_suffix('e');
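Review bot: Decoding inside get_user_by_username() applies to every caller, including those whose value was already URL-decoded (the comment itself notes that $_GET is), so such input is decoded a second time and the name that is looked up can differ from the one an earlier check examined. The statement "this is harmless" holds only if a stored username can never contain `%`; that rule is not visible in this hunk and should be stated or enforced. Decoding once where the path segment is read would avoid the double decode. If the call stays here, it must remain above `sanitise_string()` as written, and the comment should say so: `// keep before sanitise_string(); decoding after escaping would undo the escaping`. The function body continues outside the hunk.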
@@ -1091,6 +1096,7 @@ function friends_page_handler($segments, $handler) {
* @access private
*/
function collections_page_handler($page_elements) {
+ gatekeeper();
elgg_set_context('friends');
$base = elgg_get_config('path');
if (isset($page_elements[0])) {
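Review bot: The docblock above collections_page_handler() (only its last line, `@access private`, is in the hunk) should record that the handler now requires a logged-in user, because `gatekeeper()` is the only access check visible here and nothing says why it was added. A one-line comment such as `// friend collections are per-user; anonymous requests are sent to login` would do, assuming that is the intent. The function body continues outside the hunk, so whether the individual sub-pages also check ownership of the collection cannot be seen from here.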
diff --git a/engine/lib/views.php b/engine/lib/views.php
index 65ba20204..7f179f572 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -218,7 +218,7 @@ function elgg_register_ajax_view($view) {
/**
* Unregister a view for ajax calls
- *
+ *
* @param string $view The view name
* @return void
* @since 1.8.3
@@ -992,6 +992,11 @@ function elgg_view_annotation(ElggAnnotation $annotation, array $vars = array(),
function elgg_view_entity_list($entities, $vars = array(), $offset = 0, $limit = 10, $full_view = true,
$list_type_toggle = true, $pagination = true) {
+ if (!$vars["limit"] && !$vars["offset"]) {
+ // no need for pagination if listing is unlimited
+ $vars["pagination"] = false;
+ }
+
if (!is_int($offset)) {
$offset = (int)get_input('offset', 0);
}
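Review bot: Unlike the other two places this check was added, here it runs on `$vars` before any defaults are applied, so with the default `$vars = array()` both keys are missing, both tests are true, and pagination is switched off even though the `$limit` parameter defaults to 10. Reading the missing keys also raises undefined-index notices, and the check does not allow for `$vars` being a non-array, which the separate `$offset`/`$limit`/`$pagination` parameters suggest is still a supported calling style. Moving the block to just after the point where `$vars` is merged with its defaults (outside this hunk, so inferred) would make it behave like the river and annotation versions. If it has to stay at the top, guard it: `if (is_array($vars) && isset($vars['limit']) && !$vars['limit'] && empty($vars['offset'])) {`.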
@@ -1064,8 +1069,13 @@ function elgg_view_annotation_list($annotations, array $vars = array()) {
'full_view' => true,
'offset_key' => 'annoff',
);
-
+
$vars = array_merge($defaults, $vars);
+
+ if (!$vars["limit"] && !$vars["offset"]) {
+ // no need for pagination if listing is unlimited
+ $vars["pagination"] = false;
+ }
return elgg_view('page/components/list', $vars);
}
@@ -1334,12 +1344,12 @@ function elgg_view_list_item($item, array $vars = array()) {
/**
* View one of the elgg sprite icons
- *
+ *
* Shorthand for <span class="elgg-icon elgg-icon-$name"></span>
- *
+ *
* @param string $name The specific icon to display
* @param string $class Additional class: float, float-alt, or custom class
- *
+ *
* @return string The html for displaying an icon
*/
function elgg_view_icon($name, $class = '') {
diff --git a/engine/tests/objects/users.php b/engine/tests/objects/users.php
index dc9129326..7d2ef6961 100644
--- a/engine/tests/objects/users.php
+++ b/engine/tests/objects/users.php
@@ -159,6 +159,22 @@ class ElggCoreUserTest extends ElggCoreUnitTest {
$this->assertFalse($user);
}
+ public function testGetUserByUsernameAcceptsUrlEncoded() {
+ $username = (string)time();
+ $this->user->username = $username;
+ $guid = $this->user->save();
+
+ // percent encode first letter
+ $first_letter = $username[0];
+ $first_letter = str_pad('%' . dechex(ord($first_letter)), 2, '0', STR_PAD_LEFT);
+ $username = $first_letter . substr($username, 1);
+
+ $user = get_user_by_username($username);
+ $this->assertTrue((bool) $user);
+ $this->assertEqual($guid, $user->guid);
+
+ $this->user->delete();
+ }
public function testElggUserMakeAdmin() {
global $CONFIG;
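Review bot: The `str_pad()` call in testGetUserByUsernameAcceptsUrlEncoded() pads the whole string `'%' . dechex(...)` to a length of 2, which is always a no-op because that string is already at least two characters long; the intent looks like zero-padding the hex digits, i.e. `$first_letter = '%' . str_pad(dechex(ord($first_letter)), 2, '0', STR_PAD_LEFT);`. The test passes only because the username is built from `time()` and its first character always has a two-digit hex code. It would also be worth adding a case for a name that is passed already decoded, and one containing a literal `%`, since those are the inputs the new `rawurldecode()` call can change.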
diff --git a/mod/pages/pages/pages/history.php b/mod/pages/pages/pages/history.php
index 872596179..7f5fa4f4f 100644
--- a/mod/pages/pages/pages/history.php
+++ b/mod/pages/pages/pages/history.php
@@ -9,12 +9,12 @@ $page_guid = get_input('guid');
$page = get_entity($page_guid);
if (!$page) {
-
+ forward('', '404');
}
$container = $page->getContainerEntity();
if (!$container) {
-
+ forward('', '404');
}
elgg_set_page_owner_guid($container->getGUID());
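Review bot: The `guid` comes straight from `get_input('guid')` and the only test before the history is rendered is that some entity loaded, so any entity GUID the viewer can read, not just a page, gets past the new 404 branch. Checking the entity's type and subtype in the same condition (for example with `elgg_instanceof()`) and forwarding to 404 otherwise would close that gap; the subtypes the pages plugin uses are not visible here. Both branches also rely on `forward()` ending the request, since otherwise execution continues to `$page->getContainerEntity()` on a false value; a short comment such as `// forward() does not return` would make that assumption explicit.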