makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-07 20:08:53 +00:00
Code Issues Projects Releases Packages Wiki Activity

some changes for the new version

Browse source 
- it would be nice if anyone able would be testing these changes on their installations and report bugs as soon as possible (also do not hestitate to PM the developers. ;)).
- the changelog is ommitted for now - it will get checked in later.


git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@6772 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen 2006-12-16 13:11:28 +00:00
parent e105aa68bb
commit 688d57f99c
20 changed files with 190 additions and 132 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
phpBB/admin/admin_board.php
View file

@ -59,6 +59,16 @@ else
$new['server_name'] = str_replace('http://', '', $new['server_name']);
}
// Attempt to prevent a mistake with this value.
if ($config_name == 'avatar_path')
{
$new['avatar_path'] = trim($new['avatar_path']);
if (strstr($new['avatar_path'], "\0") || !is_dir($phpbb_root_path . $new['avatar_path']) || !is_writable($phpbb_root_path . $new['avatar_path']))
{
$new['avatar_path'] = $default_config['avatar_path'];
}
}
if( isset($HTTP_POST_VARS['submit']) )
{
$sql = "UPDATE " . CONFIG_TABLE . " SET

4
phpBB/docs/INSTALL.html
View file

@ -194,7 +194,7 @@ p,ul,td {font-size:10pt;}
<a name="upgradeSTABLE_files"></a><h3 class="h3">7.ii. Changed files only</h3>
<p>This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 2.0.20 you should select the phpBB-2.0.20_to_2.0.21.zip/tar.gz file.</p>
<p>This package contains a number of archives, each contains the files changed from a given release to the latest version. You should select the appropriate archive for your current version, e.g. if you currently have 2.0.21 you should select the phpBB-2.0.21_to_2.0.22.zip/tar.gz file.</p>
<p>The directory structure has been preserved enabling you (if you wish) to simply upload the contents of the archive to the appropriate location on your server, i.e. simply overwrite the existing files with the new versions. Do not forget that if you have installed any Mods these files will overwrite the originals possibly destroying them in the process. You will need to re-add Mods to any affected file before uploading.</p>
@ -204,7 +204,7 @@ p,ul,td {font-size:10pt;}
<p>The patch file is probably the best solution for those with many Mods or other changes who do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type <b>patch</b> application.</p>
<p>A number of patch files are provided to allow you to upgrade from previous stable releases. Select the correct patch, e.g. if your current version is 2.0.20 you need the phpBB-2.0.20_to_2.0.21.patch. Place the correct patch in the parent directory containing the phpBB 2 core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <b>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</b> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB2, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>
<p>A number of patch files are provided to allow you to upgrade from previous stable releases. Select the correct patch, e.g. if your current version is 2.0.21 you need the phpBB-2.0.21_to_2.0.22.patch. Place the correct patch in the parent directory containing the phpBB 2 core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <b>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</b> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB2, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>
<p>If you do get failures you should look at using the <a href="#upgradeSTABLE_files">Changed files only</a> package to replace the files which failed to patch, please note that you will need to manually re-add any Mods to these particular files. Alternatively if you know how you can examine the .rej files to determine what failed where and make manual adjustments to the relevant source.</p>

1
phpBB/groupcp.php
View file

@ -148,6 +148,7 @@ $confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : 0;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : 0;
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
$start = ($start < 0) ? 0 : $start;
//
// Default var values

2
phpBB/includes/functions.php
View file

@ -917,7 +917,7 @@ function redirect($url)
$db->sql_close();
}
if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r"))
if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r") || strstr(urldecode($url), ';url'))
{
message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
}

244
phpBB/includes/usercp_email.php
View file

@ -52,84 +52,67 @@ $sql = "SELECT username, user_email, user_viewemail, user_lang
WHERE user_id = $user_id";
if ( $result = $db->sql_query($sql) )
{
$row = $db->sql_fetchrow($result);
$username = $row['username'];
$user_email = $row['user_email'];
$user_lang = $row['user_lang'];
if ( $row['user_viewemail'] || $userdata['user_level'] == ADMIN )
if ( $row = $db->sql_fetchrow($result) )
{
if ( time() - $userdata['user_emailtime'] < $board_config['flood_interval'] )
$username = $row['username'];
$user_email = $row['user_email'];
$user_lang = $row['user_lang'];
if ( $row['user_viewemail'] || $userdata['user_level'] == ADMIN )
{
message_die(GENERAL_MESSAGE, $lang['Flood_email_limit']);
}
if ( isset($HTTP_POST_VARS['submit']) )
{
$error = FALSE;
if ( !empty($HTTP_POST_VARS['subject']) )
if ( time() - $userdata['user_emailtime'] < $board_config['flood_interval'] )
{
$subject = trim(stripslashes($HTTP_POST_VARS['subject']));
message_die(GENERAL_MESSAGE, $lang['Flood_email_limit']);
}
else
if ( isset($HTTP_POST_VARS['submit']) )
{
$error = TRUE;
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Empty_subject_email'] : $lang['Empty_subject_email'];
}
if ( !empty($HTTP_POST_VARS['message']) )
{
$message = trim(stripslashes($HTTP_POST_VARS['message']));
}
else
{
$error = TRUE;
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Empty_message_email'] : $lang['Empty_message_email'];
}
if ( !$error )
{
$sql = "UPDATE " . USERS_TABLE . "
SET user_emailtime = " . time() . "
WHERE user_id = " . $userdata['user_id'];
if ( $result = $db->sql_query($sql) )
$error = FALSE;
if ( !empty($HTTP_POST_VARS['subject']) )
{
include($phpbb_root_path . 'includes/emailer.'.$phpEx);
$emailer = new emailer($board_config['smtp_delivery']);
$emailer->from($userdata['user_email']);
$emailer->replyto($userdata['user_email']);
$email_headers = 'X-AntiAbuse: Board servername - ' . $server_name . "\n";
$email_headers .= 'X-AntiAbuse: User_id - ' . $userdata['user_id'] . "\n";
$email_headers .= 'X-AntiAbuse: Username - ' . $userdata['username'] . "\n";
$email_headers .= 'X-AntiAbuse: User IP - ' . decode_ip($user_ip) . "\n";
$emailer->use_template('profile_send_email', $user_lang);
$emailer->email_address($user_email);
$emailer->set_subject($subject);
$emailer->extra_headers($email_headers);
$emailer->assign_vars(array(
'SITENAME' => $board_config['sitename'],
'BOARD_EMAIL' => $board_config['board_email'],
'FROM_USERNAME' => $userdata['username'],
'TO_USERNAME' => $username,
'MESSAGE' => $message)
);
$emailer->send();
$emailer->reset();
if ( !empty($HTTP_POST_VARS['cc_email']) )
$subject = trim(stripslashes($HTTP_POST_VARS['subject']));
}
else
{
$error = TRUE;
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Empty_subject_email'] : $lang['Empty_subject_email'];
}
if ( !empty($HTTP_POST_VARS['message']) )
{
$message = trim(stripslashes($HTTP_POST_VARS['message']));
}
else
{
$error = TRUE;
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Empty_message_email'] : $lang['Empty_message_email'];
}
if ( !$error )
{
$sql = "UPDATE " . USERS_TABLE . "
SET user_emailtime = " . time() . "
WHERE user_id = " . $userdata['user_id'];
if ( $result = $db->sql_query($sql) )
{
include($phpbb_root_path . 'includes/emailer.'.$phpEx);
$emailer = new emailer($board_config['smtp_delivery']);
$emailer->from($userdata['user_email']);
$emailer->replyto($userdata['user_email']);
$emailer->use_template('profile_send_email');
$emailer->email_address($userdata['user_email']);
$email_headers = 'X-AntiAbuse: Board servername - ' . $server_name . "\n";
$email_headers .= 'X-AntiAbuse: User_id - ' . $userdata['user_id'] . "\n";
$email_headers .= 'X-AntiAbuse: Username - ' . $userdata['username'] . "\n";
$email_headers .= 'X-AntiAbuse: User IP - ' . decode_ip($user_ip) . "\n";
$emailer->use_template('profile_send_email', $user_lang);
$emailer->email_address($user_email);
$emailer->set_subject($subject);
$emailer->extra_headers($email_headers);
$emailer->assign_vars(array(
'SITENAME' => $board_config['sitename'],
'BOARD_EMAIL' => $board_config['board_email'],
@ -139,72 +122,95 @@ if ( $result = $db->sql_query($sql) )
);
$emailer->send();
$emailer->reset();
if ( !empty($HTTP_POST_VARS['cc_email']) )
{
$emailer->from($userdata['user_email']);
$emailer->replyto($userdata['user_email']);
$emailer->use_template('profile_send_email');
$emailer->email_address($userdata['user_email']);
$emailer->set_subject($subject);
$emailer->assign_vars(array(
'SITENAME' => $board_config['sitename'],
'BOARD_EMAIL' => $board_config['board_email'],
'FROM_USERNAME' => $userdata['username'],
'TO_USERNAME' => $username,
'MESSAGE' => $message)
);
$emailer->send();
$emailer->reset();
}
$template->assign_vars(array(
'META' => '<meta http-equiv="refresh" content="5;url=' . append_sid("index.$phpEx") . '">')
);
$message = $lang['Email_sent'] . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
message_die(GENERAL_MESSAGE, $message);
}
else
{
message_die(GENERAL_ERROR, 'Could not update last email time', '', __LINE__, __FILE__, $sql);
}
$template->assign_vars(array(
'META' => '<meta http-equiv="refresh" content="5;url=' . append_sid("index.$phpEx") . '">')
);
$message = $lang['Email_sent'] . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
message_die(GENERAL_MESSAGE, $message);
}
else
{
message_die(GENERAL_ERROR, 'Could not update last email time', '', __LINE__, __FILE__, $sql);
}
}
}
include($phpbb_root_path . 'includes/page_header.'.$phpEx);
$template->set_filenames(array(
'body' => 'profile_send_email.tpl')
);
make_jumpbox('viewforum.'.$phpEx);
if ( $error )
{
include($phpbb_root_path . 'includes/page_header.'.$phpEx);
$template->set_filenames(array(
'reg_header' => 'error_body.tpl')
'body' => 'profile_send_email.tpl')
);
make_jumpbox('viewforum.'.$phpEx);
if ( $error )
{
$template->set_filenames(array(
'reg_header' => 'error_body.tpl')
);
$template->assign_vars(array(
'ERROR_MESSAGE' => $error_msg)
);
$template->assign_var_from_handle('ERROR_BOX', 'reg_header');
}
$template->assign_vars(array(
'ERROR_MESSAGE' => $error_msg)
'USERNAME' => $username,
'S_HIDDEN_FIELDS' => '',
'S_POST_ACTION' => append_sid("profile.$phpEx?mode=email&amp;" . POST_USERS_URL . "=$user_id"),
'L_SEND_EMAIL_MSG' => $lang['Send_email_msg'],
'L_RECIPIENT' => $lang['Recipient'],
'L_SUBJECT' => $lang['Subject'],
'L_MESSAGE_BODY' => $lang['Message_body'],
'L_MESSAGE_BODY_DESC' => $lang['Email_message_desc'],
'L_EMPTY_SUBJECT_EMAIL' => $lang['Empty_subject_email'],
'L_EMPTY_MESSAGE_EMAIL' => $lang['Empty_message_email'],
'L_OPTIONS' => $lang['Options'],
'L_CC_EMAIL' => $lang['CC_email'],
'L_SPELLCHECK' => $lang['Spellcheck'],
'L_SEND_EMAIL' => $lang['Send_email'])
);
$template->assign_var_from_handle('ERROR_BOX', 'reg_header');
$template->pparse('body');
include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
}
else
{
message_die(GENERAL_MESSAGE, $lang['User_prevent_email']);
}
$template->assign_vars(array(
'USERNAME' => $username,
'S_HIDDEN_FIELDS' => '',
'S_POST_ACTION' => append_sid("profile.$phpEx?mode=email&amp;" . POST_USERS_URL . "=$user_id"),
'L_SEND_EMAIL_MSG' => $lang['Send_email_msg'],
'L_RECIPIENT' => $lang['Recipient'],
'L_SUBJECT' => $lang['Subject'],
'L_MESSAGE_BODY' => $lang['Message_body'],
'L_MESSAGE_BODY_DESC' => $lang['Email_message_desc'],
'L_EMPTY_SUBJECT_EMAIL' => $lang['Empty_subject_email'],
'L_EMPTY_MESSAGE_EMAIL' => $lang['Empty_message_email'],
'L_OPTIONS' => $lang['Options'],
'L_CC_EMAIL' => $lang['CC_email'],
'L_SPELLCHECK' => $lang['Spellcheck'],
'L_SEND_EMAIL' => $lang['Send_email'])
);
$template->pparse('body');
include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
}
else
{
message_die(GENERAL_MESSAGE, $lang['User_prevent_email']);
message_die(GENERAL_MESSAGE, $lang['User_not_exist']);
}
}
else
{
message_die(GENERAL_MESSAGE, $lang['User_not_exist']);
message_die(GENERAL_ERROR, 'Could not select user data', '', __LINE__, __FILE__, $sql);
}
?>

9
phpBB/includes/usercp_register.php
View file

@ -144,6 +144,7 @@ if (
$notifyreply = ( isset($HTTP_POST_VARS['notifyreply']) ) ? ( ($HTTP_POST_VARS['notifyreply']) ? TRUE : 0 ) : 0;
$notifypm = ( isset($HTTP_POST_VARS['notifypm']) ) ? ( ($HTTP_POST_VARS['notifypm']) ? TRUE : 0 ) : TRUE;
$popup_pm = ( isset($HTTP_POST_VARS['popup_pm']) ) ? ( ($HTTP_POST_VARS['popup_pm']) ? TRUE : 0 ) : TRUE;
$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;
if ( $mode == 'register' )
{
@ -253,6 +254,13 @@ if ( isset($HTTP_POST_VARS['submit']) )
{
include($phpbb_root_path . 'includes/usercp_avatar.'.$phpEx);
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
$error = true;
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Session_invalid'];
}
$passwd_sql = '';
if ( $mode == 'editprofile' )
{
@ -893,6 +901,7 @@ else
}
$s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />';
$s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
if( $mode == 'editprofile' )
{
$s_hidden_fields .= '<input type="hidden" name="user_id" value="' . $userdata['user_id'] . '" />';

BIN
phpBB/install/schemas/ms_access_primer.zip
View file

Binary file not shown.

2
phpBB/install/schemas/mssql_basic.sql
View file

@ -75,7 +75,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.yourdomain.tld');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.21');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.22');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('rand_seed', '0');
/*

2
phpBB/install/schemas/mysql_basic.sql
View file

@ -68,7 +68,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.myserver.tld');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.21');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.22');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('rand_seed', '0');

2
phpBB/install/schemas/postgres_basic.sql
View file

@ -69,7 +69,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('record_online_date
INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_name', 'www.yourdomain.tld');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('server_port', '80');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpBB2/');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.21');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '.0.22');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('rand_seed', '0');
-- Categories

4
phpBB/install/update_to_latest.php
View file

@ -59,7 +59,7 @@ include($phpbb_root_path . 'includes/db.'.$phpEx);
//
//
//
$updates_to_version = '.0.21';
$updates_to_version = '.0.22';
//
//
//
@ -1143,7 +1143,7 @@ switch (SQL_LAYER)
{
case 'mysql':
case 'mysql4':
$sql = 'OPTIMIZE TABLE ' . $table_prefix . 'auth_access, ' . $table_prefix . 'banlist, ' . $table_prefix . 'categories, ' . $table_prefix . 'config, ' . $table_prefix . 'disallow, ' . $table_prefix . 'forum_prune, ' . $table_prefix . 'forums, ' . $table_prefix . 'groups, ' . $table_prefix . 'posts, ' . $table_prefix . 'posts_text, ' . $table_prefix . 'privmsgs, ' . $table_prefix . 'privmsgs_text, ' . $table_prefix . 'ranks, ' . $table_prefix . 'search_results, ' . $table_prefix . 'search_wordlist, ' . $table_prefix . 'search_wordmatch, ' . $table_prefix . 'sessions_keys' . $table_prefix . 'smilies, ' . $table_prefix . 'themes, ' . $table_prefix . 'themes_name, ' . $table_prefix . 'topics, ' . $table_prefix . 'topics_watch, ' . $table_prefix . 'user_group, ' . $table_prefix . 'users, ' . $table_prefix . 'vote_desc, ' . $table_prefix . 'vote_results, ' . $table_prefix . 'vote_voters, ' . $table_prefix . 'words';
$sql = 'OPTIMIZE TABLE ' . $table_prefix . 'auth_access, ' . $table_prefix . 'banlist, ' . $table_prefix . 'categories, ' . $table_prefix . 'config, ' . $table_prefix . 'disallow, ' . $table_prefix . 'forum_prune, ' . $table_prefix . 'forums, ' . $table_prefix . 'groups, ' . $table_prefix . 'posts, ' . $table_prefix . 'posts_text, ' . $table_prefix . 'privmsgs, ' . $table_prefix . 'privmsgs_text, ' . $table_prefix . 'ranks, ' . $table_prefix . 'search_results, ' . $table_prefix . 'search_wordlist, ' . $table_prefix . 'search_wordmatch, ' . $table_prefix . 'sessions_keys, ' . $table_prefix . 'smilies, ' . $table_prefix . 'themes, ' . $table_prefix . 'themes_name, ' . $table_prefix . 'topics, ' . $table_prefix . 'topics_watch, ' . $table_prefix . 'user_group, ' . $table_prefix . 'users, ' . $table_prefix . 'vote_desc, ' . $table_prefix . 'vote_results, ' . $table_prefix . 'vote_voters, ' . $table_prefix . 'words';
_sql($sql, $errored, $error_ary);
break;

2
phpBB/language/lang_english/lang_main.php
View file

@ -1018,6 +1018,8 @@ $lang['Admin_reauthenticate'] = 'To administer the board you must re-authenticat
$lang['Login_attempts_exceeded'] = 'The maximum number of %s login attempts has been exceeded. You are not allowed to login for the next %s minutes.';
$lang['Please_remove_install_contrib'] = 'Please ensure both the install/ and contrib/ directories are deleted';
$lang['Session_invalid'] = 'Invalid Session. Please resubmit the form.';
//
// That's all, Folks!
// -------------------------------------------------

4
phpBB/login.php
View file

@ -123,7 +123,7 @@ if( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';
$redirect = str_replace('?', '&', $redirect);
if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))
if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r") || strstr(urldecode($redirect), ';url'))
{
message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
}
@ -142,7 +142,7 @@ if( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "";
$redirect = str_replace("?", "&", $redirect);
if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))
if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r") || strstr(urldecode($redirect), ';url'))
{
message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
}

1
phpBB/memberlist.php
View file

@ -34,6 +34,7 @@ init_userprefs($userdata);
//
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
$start = ($start < 0) ? 0 : $start;
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{

1
phpBB/modcp.php
View file

@ -71,6 +71,7 @@ $confirm = ( $HTTP_POST_VARS['confirm'] ) ? TRUE : 0;
// Continue var definitions
//
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
$start = ($start < 0) ? 0 : $start;
$delete = ( isset($HTTP_POST_VARS['delete']) ) ? TRUE : FALSE;
$move = ( isset($HTTP_POST_VARS['move']) ) ? TRUE : FALSE;

14
phpBB/posting.php
View file

@ -44,6 +44,7 @@ while( list($var, $param) = @each($params) )
}
$confirm = isset($HTTP_POST_VARS['confirm']) ? true : false;
$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;
$params = array('forum_id' => POST_FORUM_URL, 'topic_id' => POST_TOPIC_URL, 'post_id' => POST_POST_URL);
while( list($var, $param) = @each($params) )
@ -430,6 +431,7 @@ if ( ( $delete || $poll_delete || $mode == 'delete' ) && !$confirm )
//
$s_hidden_fields = '<input type="hidden" name="' . POST_POST_URL . '" value="' . $post_id . '" />';
$s_hidden_fields .= ( $delete || $mode == "delete" ) ? '<input type="hidden" name="mode" value="delete" />' : '<input type="hidden" name="mode" value="poll_delete" />';
$s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
$l_confirm = ( $delete || $mode == 'delete' ) ? $lang['Confirm_delete'] : $lang['Confirm_delete_poll'];
@ -541,6 +543,12 @@ else if ( $submit || $confirm )
$return_message = '';
$return_meta = '';
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
$error_msg .= (!empty($error_msg)) ? '<br />' . $lang['Session_invalid'] : $lang['Session_invalid'];
}
switch ( $mode )
{
case 'editpost':
@ -566,6 +574,11 @@ else if ( $submit || $confirm )
case 'delete':
case 'poll_delete':
if ($error_msg != '')
{
message_die(GENERAL_MESSAGE, $error_msg);
}
delete_post($mode, $post_data, $return_message, $return_meta, $forum_id, $topic_id, $post_id, $poll_id);
break;
}
@ -928,6 +941,7 @@ if ( $mode == 'newtopic' || ( $mode == 'editpost' && $post_data['first_post'] )
}
$hidden_form_fields = '<input type="hidden" name="mode" value="' . $mode . '" />';
$hidden_form_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
switch( $mode )
{

17
phpBB/privmsg.php
View file

@ -50,6 +50,7 @@ $confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : 0;
$delete = ( isset($HTTP_POST_VARS['delete']) ) ? TRUE : 0;
$delete_all = ( isset($HTTP_POST_VARS['deleteall']) ) ? TRUE : 0;
$save = ( isset($HTTP_POST_VARS['save']) ) ? TRUE : 0;
$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;
$refresh = $preview || $submit_search;
@ -101,6 +102,7 @@ else
}
$start = ( !empty($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
$start = ($start < 0) ? 0 : $start;
if ( isset($HTTP_POST_VARS[POST_POST_URL]) || isset($HTTP_GET_VARS[POST_POST_URL]) )
{
@ -1161,6 +1163,13 @@ else if ( $submit || $refresh || $mode != '' )
if ( $submit )
{
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
$error = true;
$error_msg .= ( ( !empty($error_msg) ) ? '<br />' : '' ) . $lang['Session_invalid'];
}
if ( !empty($HTTP_POST_VARS['username']) )
{
$to_username = phpbb_clean_username($HTTP_POST_VARS['username']);
@ -1376,7 +1385,7 @@ else if ( $submit || $refresh || $mode != '' )
$privmsg_subject = ( isset($HTTP_POST_VARS['subject']) ) ? trim(htmlspecialchars(stripslashes($HTTP_POST_VARS['subject']))) : '';
$privmsg_message = ( isset($HTTP_POST_VARS['message']) ) ? trim($HTTP_POST_VARS['message']) : '';
$privmsg_message = preg_replace('#<textarea>#si', '&lt;textarea&gt;', $privmsg_message);
// $privmsg_message = preg_replace('#<textarea>#si', '&lt;textarea&gt;', $privmsg_message);
if ( !$preview )
{
$privmsg_message = stripslashes($privmsg_message);
@ -1480,7 +1489,7 @@ else if ( $submit || $refresh || $mode != '' )
}
$privmsg_message = str_replace('<br />', "\n", $privmsg_message);
$privmsg_message = preg_replace('#</textarea>#si', '&lt;/textarea&gt;', $privmsg_message);
// $privmsg_message = preg_replace('#</textarea>#si', '&lt;/textarea&gt;', $privmsg_message);
$user_sig = ( $board_config['allow_sig'] ) ? (($privmsg['privmsgs_type'] == PRIVMSGS_NEW_MAIL) ? $user_sig : $privmsg['user_sig']) : '';
@ -1523,7 +1532,7 @@ else if ( $submit || $refresh || $mode != '' )
$privmsg_message = preg_replace("/\:(([a-z0-9]:)?)$privmsg_bbcode_uid/si", '', $privmsg_message);
$privmsg_message = str_replace('<br />', "\n", $privmsg_message);
$privmsg_message = preg_replace('#</textarea>#si', '&lt;/textarea&gt;', $privmsg_message);
// $privmsg_message = preg_replace('#</textarea>#si', '&lt;/textarea&gt;', $privmsg_message);
$privmsg_message = preg_replace($orig_word, $replacement_word, $privmsg_message);
$msg_date = create_date($board_config['default_dateformat'], $privmsg['privmsgs_date'], $board_config['board_timezone']);
@ -1650,6 +1659,7 @@ else if ( $submit || $refresh || $mode != '' )
//
if ($error)
{
$privmsg_message = htmlspecialchars($privmsg_message);
$template->set_filenames(array(
'reg_header' => 'error_body.tpl')
);
@ -1736,6 +1746,7 @@ else if ( $submit || $refresh || $mode != '' )
$s_hidden_fields = '<input type="hidden" name="folder" value="' . $folder . '" />';
$s_hidden_fields .= '<input type="hidden" name="mode" value="' . $mode . '" />';
$s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
if ( $mode == 'edit' )
{
$s_hidden_fields .= '<input type="hidden" name="' . POST_POST_URL . '" value="' . $privmsg_id . '" />';

1
phpBB/search.php
View file

@ -118,6 +118,7 @@ else
}
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
$start = ($start < 0) ? 0 : $start;
$sort_by_types = array($lang['Sort_Time'], $lang['Sort_Post_Subject'], $lang['Sort_Topic_Title'], $lang['Sort_Author'], $lang['Sort_Forum']);

1
phpBB/viewforum.php
View file

@ -42,6 +42,7 @@ else
}
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
$start = ($start < 0) ? 0 : $start;
if ( isset($HTTP_GET_VARS['mark']) || isset($HTTP_POST_VARS['mark']) )
{

1
phpBB/viewtopic.php
View file

@ -46,6 +46,7 @@ if ( isset($HTTP_GET_VARS[POST_POST_URL]))
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
$start = ($start < 0) ? 0 : $start;
if (!$topic_id && !$post_id)
{