makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-12 06:18:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/9661] Remove eval() from functions_privmsgs.php

Browse source 
Tested by sending messages to myself on a test board.

PHPBB3-9661
This commit is contained in:
Cullen Walsh 2011-09-18 19:40:04 -07:00
parent 5e768036f7
commit 6fce68b9b6
1 changed files with 79 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

113
phpBB/includes/functions_privmsgs.php
View file

@ -19,7 +19,8 @@ if (!defined('IN_PHPBB'))
Ability to simply add own rules by doing three things: Ability to simply add own rules by doing three things:
1) Add an appropriate constant 1) Add an appropriate constant
2) Add a new check array to the global_privmsgs_rules variable and the condition array (if one is required) 2) Add a new check array to the global_privmsgs_rules variable and the condition array (if one is required)
3) Add a new language variable to ucp.php 3) Implement the rule logic in the check_rule() function
4) Add a new language variable to ucp.php
The user is then able to select the new rule. It will be checked against and handled as specified. The user is then able to select the new rule. It will be checked against and handled as specified.
To add new actions (yes, checks can be added here too) to the rule management, the core code has to be modified. To add new actions (yes, checks can be added here too) to the rule management, the core code has to be modified.
@ -57,42 +58,42 @@ define('CHECK_TO', 5);
*/ */
$global_privmsgs_rules = array( $global_privmsgs_rules = array(
CHECK_SUBJECT => array( CHECK_SUBJECT => array(
RULE_IS_LIKE => array('check0' => 'message_subject', 'function' => 'preg_match("/" . preg_quote({STRING}, "/") . "/i", {CHECK0})'), RULE_IS_LIKE => array('check0' => 'message_subject'),
RULE_IS_NOT_LIKE => array('check0' => 'message_subject', 'function' => '!(preg_match("/" . preg_quote({STRING}, "/") . "/i", {CHECK0}))'), RULE_IS_NOT_LIKE => array('check0' => 'message_subject'),
RULE_IS => array('check0' => 'message_subject', 'function' => '{CHECK0} == {STRING}'), RULE_IS => array('check0' => 'message_subject'),
RULE_IS_NOT => array('check0' => 'message_subject', 'function' => '{CHECK0} != {STRING}'), RULE_IS_NOT => array('check0' => 'message_subject'),
RULE_BEGINS_WITH => array('check0' => 'message_subject', 'function' => 'preg_match("/^" . preg_quote({STRING}, "/") . "/i", {CHECK0})'), RULE_BEGINS_WITH => array('check0' => 'message_subject'),
RULE_ENDS_WITH => array('check0' => 'message_subject', 'function' => 'preg_match("/" . preg_quote({STRING}, "/") . "$/i", {CHECK0})'), RULE_ENDS_WITH => array('check0' => 'message_subject'),
), ),
CHECK_SENDER => array( CHECK_SENDER => array(
RULE_IS_LIKE => array('check0' => 'username', 'function' => 'preg_match("/" . preg_quote({STRING}, "/") . "/i", {CHECK0})'), RULE_IS_LIKE => array('check0' => 'username'),
RULE_IS_NOT_LIKE => array('check0' => 'username', 'function' => '!(preg_match("/" . preg_quote({STRING}, "/") . "/i", {CHECK0}))'), RULE_IS_NOT_LIKE => array('check0' => 'username'),
RULE_IS => array('check0' => 'username', 'function' => '{CHECK0} == {STRING}'), RULE_IS => array('check0' => 'username'),
RULE_IS_NOT => array('check0' => 'username', 'function' => '{CHECK0} != {STRING}'), RULE_IS_NOT => array('check0' => 'username'),
RULE_BEGINS_WITH => array('check0' => 'username', 'function' => 'preg_match("/^" . preg_quote({STRING}, "/") . "/i", {CHECK0})'), RULE_BEGINS_WITH => array('check0' => 'username'),
RULE_ENDS_WITH => array('check0' => 'username', 'function' => 'preg_match("/" . preg_quote({STRING}, "/") . "$/i", {CHECK0})'), RULE_ENDS_WITH => array('check0' => 'username'),
RULE_IS_FRIEND => array('check0' => 'friend', 'function' => '{CHECK0} == 1'), RULE_IS_FRIEND => array('check0' => 'friend'),
RULE_IS_FOE => array('check0' => 'foe', 'function' => '{CHECK0} == 1'), RULE_IS_FOE => array('check0' => 'foe'),
RULE_IS_USER => array('check0' => 'author_id', 'function' => '{CHECK0} == {USER_ID}'), RULE_IS_USER => array('check0' => 'author_id'),
RULE_IS_GROUP => array('check0' => 'author_in_group', 'function' => 'in_array({GROUP_ID}, {CHECK0})'), RULE_IS_GROUP => array('check0' => 'author_in_group'),
), ),
CHECK_MESSAGE => array( CHECK_MESSAGE => array(
RULE_IS_LIKE => array('check0' => 'message_text', 'function' => 'preg_match("/" . preg_quote({STRING}, "/") . "/i", {CHECK0})'), RULE_IS_LIKE => array('check0' => 'message_text'),
RULE_IS_NOT_LIKE => array('check0' => 'message_text', 'function' => '!(preg_match("/" . preg_quote({STRING}, "/") . "/i", {CHECK0}))'), RULE_IS_NOT_LIKE => array('check0' => 'message_text'),
RULE_IS => array('check0' => 'message_text', 'function' => '{CHECK0} == {STRING}'), RULE_IS => array('check0' => 'message_text'),
RULE_IS_NOT => array('check0' => 'message_text', 'function' => '{CHECK0} != {STRING}'), RULE_IS_NOT => array('check0' => 'message_text'),
), ),
CHECK_STATUS => array( CHECK_STATUS => array(
RULE_ANSWERED => array('check0' => 'pm_replied', 'function' => '{CHECK0} == 1'), RULE_ANSWERED => array('check0' => 'pm_replied'),
RULE_FORWARDED => array('check0' => 'pm_forwarded', 'function' => '{CHECK0} == 1'), RULE_FORWARDED => array('check0' => 'pm_forwarded'),
), ),
CHECK_TO => array( CHECK_TO => array(
RULE_TO_GROUP => array('check0' => 'to', 'check1' => 'bcc', 'check2' => 'user_in_group', 'function' => 'in_array("g_" . {CHECK2}, {CHECK0}) || in_array("g_" . {CHECK2}, {CHECK1})'), RULE_TO_GROUP => array('check0' => 'to', 'check1' => 'bcc', 'check2' => 'user_in_group'),
RULE_TO_ME => array('check0' => 'to', 'check1' => 'bcc', 'function' => 'in_array("u_" . $user_id, {CHECK0}) || in_array("u_" . $user_id, {CHECK1})'), RULE_TO_ME => array('check0' => 'to', 'check1' => 'bcc'),
) )
); );
@ -260,16 +261,60 @@ function check_rule(&$rules, &$rule_row, &$message_row, $user_id)
$check_ary = $rules[$rule_row['rule_check']][$rule_row['rule_connection']]; $check_ary = $rules[$rule_row['rule_check']][$rule_row['rule_connection']];
// Replace Check Literals
$evaluate = $check_ary['function'];
$evaluate = preg_replace('/{(CHECK[0-9])}/', '$message_row[$check_ary[strtolower("\1")]]', $evaluate);
// Replace Rule Literals
$evaluate = preg_replace('/{(STRING|USER_ID|GROUP_ID)}/', '$rule_row["rule_" . strtolower("\1")]', $evaluate);
// Evil Statement
$result = false; $result = false;
eval('$result = (' . $evaluate . ') ? true : false;');
$check0 = $message_row[$check_ary['check0']];
switch ($rule_row['rule_connection'])
{
case RULE_IS_LIKE:
$result = preg_match("/" . preg_quote($rule_row['rule_string'], '/') . '/i', $check0);
break;
case RULE_IS_NOT_LIKE:
$result = !preg_match("/" . preg_quote($rule_row['rule_string'], '/') . '/i', $check0);
break;
case RULE_IS:
$result = ($check0 == $rule_row['rule_string']);
break;
case RULE_IS_NOT:
$result = ($check0 != $rule_row['rule_string']);
break;
case RULE_BEGINS_WITH:
$result = preg_match("/^" . preg_quote($rule_row['rule_string'], '/') . '/i', $check0);
break;
case RULE_ENDS_WITH:
$result = preg_match("/" . preg_quote($rule_row['rule_string'], '/') . '$/i', $check0);
break;
case RULE_IS_FRIEND:
case RULE_IS_FOE:
case RULE_ANSWERED:
case RULE_FORWARDED:
$result = ($check0 == 1);
break;
case RULE_IS_USER:
$result = ($check0 == $rule_row['rule_user_id']);
break;
case RULE_IS_GROUP:
$result = in_array($rule_row['rule_group_id'], $check0);
break;
case RULE_TO_GROUP:
$result = (in_array('g_' . $message_row[$check_ary['check2']], $check0) || in_array('g_' . $message_row[$check_ary['check2']], $message_row[$check_ary['check1']]));
break;
case RULE_TO_ME:
$result = (in_array('u_' . $user_id, $check0) || in_array('u_' . $user_id, $message_row[$check_ary['check1']]));
break;
}
if (!$result) if (!$result)
{ {