From 9c8b210ef0884af193c1fe89ac7c6f428b2c1aab Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Thu, 14 Oct 2010 08:28:05 +0200 Subject: [PATCH 1/4] [feature/request-class] Special case of direct access to _REQUEST PHPBB3-9716 --- phpBB/includes/auth/auth_db.php | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index b672e212bf..cef58297d3 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -27,6 +27,7 @@ if (!defined('IN_PHPBB')) function login_db(&$username, &$password) { global $db, $config; + global $request; // do not allow empty password if (!$password) @@ -96,12 +97,23 @@ function login_db(&$username, &$password) // If the password convert flag is set we need to convert it if ($row['user_pass_convert']) { + // enable super globals to get literal value + // this is needed to prevent unicode normalization + $super_globals_disabled = $request->super_globals_disabled(); + if ($super_globals_disabled) + { + $request->enable_super_globals(); + } + // in phpBB2 passwords were used exactly as they were sent, with addslashes applied $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; - $password_new_format = ''; + $password_new_format = $request->variable('password', '', true); - set_var($password_new_format, stripslashes($password_old_format), 'string'); + if ($super_globals_disabled) + { + $request->disable_super_globals(); + } if ($password == $password_new_format) { From 30016a7084845fd50d7d18c2c556e26b62fa14ee Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Thu, 14 Oct 2010 08:54:28 +0200 Subject: [PATCH 2/4] [feature/request-class] Remove direct access to _REQUEST in acp_search PHPBB3-9716 --- phpBB/adm/style/acp_search.html | 6 ++++-- phpBB/includes/acp/acp_search.php | 10 +--------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/phpBB/adm/style/acp_search.html b/phpBB/adm/style/acp_search.html index 5fd7a23d97..baadb70855 100644 --- a/phpBB/adm/style/acp_search.html +++ b/phpBB/adm/style/acp_search.html @@ -139,9 +139,11 @@

- + + - + +

{S_FORM_TOKEN} diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php index 930c8d2a26..9821338e40 100644 --- a/phpBB/includes/acp/acp_search.php +++ b/phpBB/includes/acp/acp_search.php @@ -232,15 +232,7 @@ class acp_search global $db, $user, $auth, $template, $cache; global $config, $phpbb_root_path, $phpbb_admin_path, $phpEx; - if (isset($_REQUEST['action']) && is_array($_REQUEST['action'])) - { - $action = request_var('action', array('' => false)); - $action = key($action); - } - else - { - $action = request_var('action', ''); - } + $action = request_var('action', ''); $this->state = explode(',', $config['search_indexing_state']); if (isset($_POST['cancel'])) From de5ef675ace0bf6cf047a5be6bea76fce6e95226 Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Thu, 14 Oct 2010 18:39:33 +0200 Subject: [PATCH 3/4] [feature/request-class] Adjust misleading comment PHPBB3-9716 --- tests/request/request_var.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/request/request_var.php b/tests/request/request_var.php index 1c360d45d0..53a4d8097b 100644 --- a/tests/request/request_var.php +++ b/tests/request/request_var.php @@ -87,7 +87,7 @@ class phpbb_request_var_test extends phpbb_test_case $this->unset_variables('var'); // cannot set $_REQUEST directly because in phpbb_request implementation - // $_REQUEST = $_GET + $_POST + // $_REQUEST = $_POST + $_GET $_POST['var'] = array( 0 => array( 'b' => array( From b08e0d17728f8733a403834a8ffa85b01c16d805 Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Thu, 14 Oct 2010 22:03:09 +0200 Subject: [PATCH 4/4] [feature/request-class] Convert some remaining cookies Convert some remaining accesses to cookie to use the request class instead. Thanks to bantu for the note. PHPBB3-9716 --- phpBB/includes/functions.php | 19 ++++++++++--------- phpBB/includes/functions_display.php | 3 ++- phpBB/includes/session.php | 3 ++- phpBB/includes/ucp/ucp_main.php | 2 +- phpBB/search.php | 2 +- phpBB/viewtopic.php | 4 ++-- 6 files changed, 18 insertions(+), 15 deletions(-) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 912d39e0f0..0b19b498ed 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -1148,6 +1148,7 @@ function tz_select($default = '', $truncate = false) function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $user_id = 0) { global $db, $user, $config; + global $request; if ($mode == 'all') { @@ -1162,7 +1163,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ } else if ($config['load_anon_lastread'] || $user->data['is_registered']) { - $tracking_topics = (isset($_COOKIE[$config['cookie_name'] . '_track'])) ? ((STRIP) ? stripslashes($_COOKIE[$config['cookie_name'] . '_track']) : $_COOKIE[$config['cookie_name'] . '_track']) : ''; + $tracking_topics = $request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE); $tracking_topics = ($tracking_topics) ? tracking_unserialize($tracking_topics) : array(); unset($tracking_topics['tf']); @@ -1171,7 +1172,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ $tracking_topics['l'] = base_convert(time() - $config['board_startdate'], 10, 36); $user->set_cookie('track', tracking_serialize($tracking_topics), time() + 31536000); - $_COOKIE[$config['cookie_name'] . '_track'] = (STRIP) ? addslashes(tracking_serialize($tracking_topics)) : tracking_serialize($tracking_topics); + $request->overwrite($config['cookie_name'] . '_track', tracking_serialize($tracking_topics), phpbb_request_interface::COOKIE); unset($tracking_topics); @@ -1241,7 +1242,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ } else if ($config['load_anon_lastread'] || $user->data['is_registered']) { - $tracking = (isset($_COOKIE[$config['cookie_name'] . '_track'])) ? ((STRIP) ? stripslashes($_COOKIE[$config['cookie_name'] . '_track']) : $_COOKIE[$config['cookie_name'] . '_track']) : ''; + $tracking = $request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE); $tracking = ($tracking) ? tracking_unserialize($tracking) : array(); foreach ($forum_id as $f_id) @@ -1272,7 +1273,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ } $user->set_cookie('track', tracking_serialize($tracking), time() + 31536000); - $_COOKIE[$config['cookie_name'] . '_track'] = (STRIP) ? addslashes(tracking_serialize($tracking)) : tracking_serialize($tracking); + $request->overwrite($config['cookie_name'] . '_track', tracking_serialize($tracking), phpbb_request_interface::COOKIE); unset($tracking); } @@ -1313,7 +1314,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ } else if ($config['load_anon_lastread'] || $user->data['is_registered']) { - $tracking = (isset($_COOKIE[$config['cookie_name'] . '_track'])) ? ((STRIP) ? stripslashes($_COOKIE[$config['cookie_name'] . '_track']) : $_COOKIE[$config['cookie_name'] . '_track']) : ''; + $tracking = $request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE); $tracking = ($tracking) ? tracking_unserialize($tracking) : array(); $topic_id36 = base_convert($topic_id, 10, 36); @@ -1328,7 +1329,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ // If the cookie grows larger than 10000 characters we will remove the smallest value // This can result in old topics being unread - but most of the time it should be accurate... - if (isset($_COOKIE[$config['cookie_name'] . '_track']) && strlen($_COOKIE[$config['cookie_name'] . '_track']) > 10000) + if (strlen($request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE)) > 10000) { //echo 'Cookie grown too large' . print_r($tracking, true); @@ -1368,7 +1369,7 @@ function markread($mode, $forum_id = false, $topic_id = false, $post_time = 0, $ } $user->set_cookie('track', tracking_serialize($tracking), time() + 31536000); - $_COOKIE[$config['cookie_name'] . '_track'] = (STRIP) ? addslashes(tracking_serialize($tracking)) : tracking_serialize($tracking); + $request->overwrite($config['cookie_name'] . '_track', tracking_serialize($tracking), phpbb_request_interface::COOKIE); } return; @@ -1550,7 +1551,7 @@ function get_complete_topic_tracking($forum_id, $topic_ids, $global_announce_lis if (!isset($tracking_topics) || !sizeof($tracking_topics)) { - $tracking_topics = (isset($_COOKIE[$config['cookie_name'] . '_track'])) ? ((STRIP) ? stripslashes($_COOKIE[$config['cookie_name'] . '_track']) : $_COOKIE[$config['cookie_name'] . '_track']) : ''; + $tracking_topics = $request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE); $tracking_topics = ($tracking_topics) ? tracking_unserialize($tracking_topics) : array(); } @@ -1760,7 +1761,7 @@ function update_forum_tracking_info($forum_id, $forum_last_post_time, $f_mark_ti } else if ($config['load_anon_lastread'] || $user->data['is_registered']) { - $tracking_topics = (isset($_COOKIE[$config['cookie_name'] . '_track'])) ? ((STRIP) ? stripslashes($_COOKIE[$config['cookie_name'] . '_track']) : $_COOKIE[$config['cookie_name'] . '_track']) : ''; + $tracking_topics = $request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE); $tracking_topics = ($tracking_topics) ? tracking_unserialize($tracking_topics) : array(); if (!$user->data['is_registered']) diff --git a/phpBB/includes/functions_display.php b/phpBB/includes/functions_display.php index 7f9070740f..fc1f133214 100644 --- a/phpBB/includes/functions_display.php +++ b/phpBB/includes/functions_display.php @@ -23,6 +23,7 @@ function display_forums($root_data = '', $display_moderators = true, $return_mod { global $db, $auth, $user, $template; global $phpbb_root_path, $phpEx, $config; + global $request; $forum_rows = $subforums = $forum_ids = $forum_ids_moderator = $forum_moderators = $active_forum_ary = array(); $parent_id = $visible_forums = 0; @@ -69,7 +70,7 @@ function display_forums($root_data = '', $display_moderators = true, $return_mod } else if ($config['load_anon_lastread'] || $user->data['is_registered']) { - $tracking_topics = (isset($_COOKIE[$config['cookie_name'] . '_track'])) ? ((STRIP) ? stripslashes($_COOKIE[$config['cookie_name'] . '_track']) : $_COOKIE[$config['cookie_name'] . '_track']) : ''; + $tracking_topics = $request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE); $tracking_topics = ($tracking_topics) ? tracking_unserialize($tracking_topics) : array(); if (!$user->data['is_registered']) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 0e6a23762e..f75021b493 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -206,6 +206,7 @@ class session function session_begin($update_session_page = true) { global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path; + global $request; // Give us some basic information $this->time_now = time(); @@ -241,7 +242,7 @@ class session $this->forwarded_for = ''; } - if (isset($_COOKIE[$config['cookie_name'] . '_sid']) || isset($_COOKIE[$config['cookie_name'] . '_u'])) + if ($request->is_set($config['cookie_name'] . '_sid', phpbb_request_interface::COOKIE) || $request->is_set($config['cookie_name'] . '_u', phpbb_request_interface::COOKIE)) { $this->cookie_data['u'] = request_var($config['cookie_name'] . '_u', 0, false, true); $this->cookie_data['k'] = request_var($config['cookie_name'] . '_k', '', false, true); diff --git a/phpBB/includes/ucp/ucp_main.php b/phpBB/includes/ucp/ucp_main.php index 3fde308309..0759f35675 100644 --- a/phpBB/includes/ucp/ucp_main.php +++ b/phpBB/includes/ucp/ucp_main.php @@ -288,7 +288,7 @@ class ucp_main } else { - $tracking_topics = (isset($_COOKIE[$config['cookie_name'] . '_track'])) ? ((STRIP) ? stripslashes($_COOKIE[$config['cookie_name'] . '_track']) : $_COOKIE[$config['cookie_name'] . '_track']) : ''; + $tracking_topics = $request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE); $tracking_topics = ($tracking_topics) ? tracking_unserialize($tracking_topics) : array(); } diff --git a/phpBB/search.php b/phpBB/search.php index 2a13e20477..fdac388aca 100644 --- a/phpBB/search.php +++ b/phpBB/search.php @@ -640,7 +640,7 @@ if ($keywords || $author || $author_id || $search_id || $submit) if ($config['load_anon_lastread'] || ($user->data['is_registered'] && !$config['load_db_lastread'])) { - $tracking_topics = (isset($_COOKIE[$config['cookie_name'] . '_track'])) ? ((STRIP) ? stripslashes($_COOKIE[$config['cookie_name'] . '_track']) : $_COOKIE[$config['cookie_name'] . '_track']) : ''; + $tracking_topics = $request->variable($config['cookie_name'] . '_track', '', true, phpbb_request_interface::COOKIE); $tracking_topics = ($tracking_topics) ? tracking_unserialize($tracking_topics) : array(); } diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php index fecd87bbc1..b8d816d02b 100644 --- a/phpBB/viewtopic.php +++ b/phpBB/viewtopic.php @@ -701,9 +701,9 @@ if (!empty($topic_data['poll_start'])) // Cookie based guest tracking ... I don't like this but hum ho // it's oft requested. This relies on "nice" users who don't feel // the need to delete cookies to mess with results. - if (isset($_COOKIE[$config['cookie_name'] . '_poll_' . $topic_id])) + if ($request->is_set($config['cookie_name'] . '_poll_' . $topic_id, phpbb_request_interface::COOKIE)) { - $cur_voted_id = explode(',', $_COOKIE[$config['cookie_name'] . '_poll_' . $topic_id]); + $cur_voted_id = explode(',', $request->variable($config['cookie_name'] . '_poll_' . $topic_id, '', true, phpbb_request_interface::COOKIE)); $cur_voted_id = array_map('intval', $cur_voted_id); } }