- fix security issue in download.php

- fixing some phpdocumentor warnings/errors - adjust pop-before-smtp "auth" (nowadays no one should rely on it) - add backtrace for smtp email errors if DEBUG_EXTRA is enabled git-svn-id: file:///svn/phpbb/trunk@6352 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-29 06:38:52 +00:00 · 2006-09-04 20:35:46 +00:00 · 2006-09-04 20:35:46 +00:00 · 8ab85ebdb0
commit 8ab85ebdb0
parent 8c567e8c68
6 changed files with 106 additions and 39 deletions
--- a/phpBB/download.php
+++ b/phpBB/download.php
@ -133,7 +133,7 @@ if ($thumbnail)
 {
 	$attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
 }
-else if ($display_cat == ATTACHMENT_CATEGORY_NONE)
+else if ($display_cat == ATTACHMENT_CATEGORY_NONE || $display_cat == ATTACHMENT_CATEGORY_IMAGE)
 {
 	// Update download count
 	$sql = 'UPDATE ' . ATTACHMENTS_TABLE . ' 
@ -210,9 +210,9 @@ function send_file_to_browser($attachment, $upload_dir, $category)
 	// lighttpd has core support for it. An apache2 module is available at http://celebnamer.celebworld.ws/stuff/mod_xsendfile/
 	header('X-Sendfile: ' . $filename);
-	// Send out the Headers
+	// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
 	header('Content-Type: ' . $attachment['mimetype'] . '; name="' . $attachment['real_filename'] . '"');
-	header('Content-Disposition: inline; filename="' . $attachment['real_filename'] . '"');
+	header('Content-Disposition: attachment; filename="' . $attachment['real_filename'] . '"');
 	if ($size)
 	{
--- a/phpBB/includes/captcha/captcha_non_gd.php
+++ b/phpBB/includes/captcha/captcha_non_gd.php
@ -11,6 +11,7 @@
 /**
 * Main non-gd captcha class
 * @ignore
 * @package VC
 */
 class captcha
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@ -3302,6 +3302,7 @@ function garbage_collection()
 }
 /**
 * @package phpBB3
 */
 class bitfield
 {
--- a/phpBB/includes/functions_messenger.php
+++ b/phpBB/includes/functions_messenger.php
@ -790,11 +790,14 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $encoding, $headers
 	$mail_rcpt = $mail_to = $mail_cc = array();
 	// Build correct addresses for RCPT TO command and the client side display (TO, CC)
 	if (isset($addresses['to']) && sizeof($addresses['to']))
 	{
 		foreach ($addresses['to'] as $which_ary)
 		{
 			$mail_to[] = ($which_ary['name'] != '') ? mail_encode(trim($which_ary['name']), $encoding) . ' <' . trim($which_ary['email']) . '>' : '<' . trim($which_ary['email']) . '>';
 			$mail_rcpt['to'][] = '<' . trim($which_ary['email']) . '>';
 		}
 	}
 	if (isset($addresses['bcc']) && sizeof($addresses['bcc']))
 	{
@ -813,11 +816,13 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $encoding, $headers
 		}
 	}
-	$smtp = new smtp_class;
+	$smtp = new smtp_class();
 	$errno = 0;
 	$errstr = '';
 	$smtp->add_backtrace('Connecting to ' . $config['smtp_host'] . ':' . $config['smtp_port']);
 	// Ok we have error checked as much as we can to this point let's get on it already.
 	if (!$smtp->socket = @fsockopen($config['smtp_host'], $config['smtp_port'], $errno, $errstr, 20))
 	{
@ -828,14 +833,14 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $encoding, $headers
 	// Wait for reply
 	if ($err_msg = $smtp->server_parse('220', __LINE__))
 	{
-		$smtp->close_session();
+		$smtp->close_session($err_msg);
 		return false;
 	}
 	// Let me in. This function handles the complete authentication process
 	if ($err_msg = $smtp->log_into_server($config['smtp_host'], $config['smtp_username'], $config['smtp_password'], $config['smtp_auth_method']))
 	{
-		$smtp->close_session();
+		$smtp->close_session($err_msg);
 		return false;
 	}
@ -844,7 +849,7 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $encoding, $headers
 	$smtp->server_send('MAIL FROM:<' . $config['board_email'] . '>');
 	if ($err_msg = $smtp->server_parse('250', __LINE__))
 	{
-		$smtp->close_session();
+		$smtp->close_session($err_msg);
 		return false;
 	}
@ -867,7 +872,7 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $encoding, $headers
 					// We continue... if users are not resolved we do not care
 					if ($smtp->numeric_response_code != 550)
 					{
-						$smtp->close_session();
+						$smtp->close_session($err_msg);
 						return false;
 					}
 				}
@ -885,7 +890,7 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $encoding, $headers
 		$user->session_begin();
 		$err_msg .= '<br /><br />';
 		$err_msg .= (isset($user->lang['INVALID_EMAIL_LOG'])) ? sprintf($user->lang['INVALID_EMAIL_LOG'], htmlspecialchars($mail_to_address)) : '<strong>' . htmlspecialchars($mail_to_address) . '</strong> possibly an invalid email address?';
-		$smtp->close_session();
+		$smtp->close_session($err_msg);
 		return false;
 	}
@ -895,7 +900,7 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $encoding, $headers
 	// This is the last response code we look for until the end of the message.
 	if ($err_msg = $smtp->server_parse('354', __LINE__))
 	{
-		$smtp->close_session();
+		$smtp->close_session($err_msg);
 		return false;
 	}
@ -922,13 +927,13 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $encoding, $headers
 	$smtp->server_send('.');
 	if ($err_msg = $smtp->server_parse('250', __LINE__))
 	{
-		$smtp->close_session();
+		$smtp->close_session($err_msg);
 		return false;
 	}
 	// Now tell the server we are done and close the socket...
 	$smtp->server_send('QUIT');
-	$smtp->close_session();
+	$smtp->close_session($err_msg);
 	return true;
 }
@ -947,13 +952,38 @@ class smtp_class
 	var $commands = array();
 	var $numeric_response_code = 0;
 	var $backtrace = false;
 	var $backtrace_log = array();
 	function smtp_class()
 	{
 		if (defined('DEBUG_EXTRA'))
 		{
 			$this->backtrace = true;
 			$this->backtrace_log = array();
 		}
 	}
 	/**
 	* Add backtrace message for debugging
 	*/
 	function add_backtrace($message)
 	{
 		if ($this->backtrace)
 		{
 			$this->backtrace_log[] = $message;
 		}
 	}
 	/**
 	* Send command to smtp server
 	*/
-	function server_send($command)
+	function server_send($command, $private_info = false)
 	{
 		fputs($this->socket, $command . "\r\n");
 		(!$private_info) ? $this->add_backtrace("# $command") : $this->add_backtrace('# Ommitting sensitive Informations');
 		// We could put additional code here
 	}
@ -976,6 +1006,8 @@ class smtp_class
 			}
 			$this->responses[] = substr(rtrim($this->server_response), 4);
 			$this->numeric_response_code = (int) substr($this->server_response, 0, 3);
 			$this->add_backtrace("LINE: $line <- {$this->server_response}");
 		}
 		if (!(substr($this->server_response, 0, 3) == $response))
@ -990,9 +1022,15 @@ class smtp_class
 	/**
 	* Close session
 	*/
-	function close_session()
+	function close_session(&$err_msg)
 	{
 		fclose($this->socket);
 		if ($this->backtrace)
 		{
 			$message = '<h1>Backtrace</h1><p>' . implode('<br />', array_map('htmlspecialchars', $this->backtrace_log)) . '</p>';
 			$err_msg .= $message;
 		}
 	}
 	/**
@ -1008,10 +1046,37 @@ class smtp_class
 		// If we are authenticating through pop-before-smtp, we
 		// have to login ones before we get authenticated
 		// NOTE: on some configurations the time between an update of the auth database takes so 
 		// long that the first email send does not work. This is not a biggie on a live board (only
 		// the install mail will most likely fail) - but on a dynamic ip connection this might produce
 		// severe problems and is not fixable!
 		if ($default_auth_method == 'POP-BEFORE-SMTP' && $username && $password)
 		{
 			global $config;
 			$errno = 0;
 			$errstr = '';
 			$this->server_send("QUIT");
 			fclose($this->socket);
 			$result = $this->pop_before_smtp($hostname, $username, $password);
 			$username = $password = $default_auth_method = '';
 			// We need to close the previous session, else the server is not
 			// able to get our ip for matching...
 			if (!$this->socket = @fsockopen($config['smtp_host'], $config['smtp_port'], $errno, $errstr, 10))
 			{
 				$err_msg = (isset($user->lang['NO_CONNECT_TO_SMTP_HOST'])) ? sprintf($user->lang['NO_CONNECT_TO_SMTP_HOST'], $errno, $errstr) : "Could not connect to smtp host : $errno : $errstr";
 				return $err_msg;
 			}
 			// Wait for reply
 			if ($err_msg = $this->server_parse('220', __LINE__))
 			{
 				$this->close_session($err_msg);
 				return $err_msg;
 			}
 		}
 		// Try EHLO first
@ -1090,32 +1155,26 @@ class smtp_class
 	{
 		global $user;
-		$old_socket = $this->socket;
+		if (!$this->socket = @fsockopen($hostname, 110, $errno, $errstr, 10))
 		if (!$this->socket = fsockopen($hostname, 110, $errno, $errstr, 20))
 		{
 			$this->socket = $old_socket;
 			return (isset($user->lang['NO_CONNECT_TO_SMTP_HOST'])) ? sprintf($user->lang['NO_CONNECT_TO_SMTP_HOST'], $errno, $errstr) : "Could not connect to smtp host : $errno : $errstr";
 		}
-		$this->server_parse('0', __LINE__);
+		$this->server_send("USER $username", true);
-		if (substr($this->server_response, 0, 3) == '+OK')
+		if ($err_msg = $this->server_parse('+OK', __LINE__))
 		{
-			fputs($this->socket, "USER $username\r\n");
+			return $err_msg;
 			fputs($this->socket, "PASS $password\r\n");
 		}
-		else
+
 		$this->server_send("PASS $password", true);
 		if ($err_msg = $this->server_parse('+OK', __LINE__))
 		{
-			$this->socket = $old_socket;
+			return $err_msg;
 			return $this->responses[0];
 		}
 		$this->server_send('QUIT');
 		$this->server_parse('0', __LINE__);
 		fclose($this->socket);
 		$this->socket = $old_socket;
 		return false;
 	}
@ -1131,7 +1190,7 @@ class smtp_class
 		}
 		$base64_method_plain = base64_encode("\0" . $username . "\0" . $password);
-		$this->server_send($base64_method_plain);
+		$this->server_send($base64_method_plain, true);
 		if ($err_msg = $this->server_parse('235', __LINE__))
 		{
 			return $err_msg;
@ -1151,13 +1210,13 @@ class smtp_class
 			return ($this->numeric_response_code == 503) ? false : $err_msg;
 		}
-		$this->server_send(base64_encode($username));
+		$this->server_send(base64_encode($username), true);
 		if ($err_msg = $this->server_parse('334', __LINE__))
 		{
 			return $err_msg;
 		}
-		$this->server_send(base64_encode($password));
+		$this->server_send(base64_encode($password), true);
 		if ($err_msg = $this->server_parse('235', __LINE__))
 		{
 			return $err_msg;
@ -1183,7 +1242,7 @@ class smtp_class
 		$base64_method_cram_md5 = base64_encode($username . ' ' . $md5_digest);
-		$this->server_send($base64_method_cram_md5);
+		$this->server_send($base64_method_cram_md5, true);
 		if ($err_msg = $this->server_parse('235', __LINE__))
 		{
 			return $err_msg;
@ -1287,7 +1346,7 @@ class smtp_class
 		}
 		$base64_method_digest_md5 = base64_encode($input_string);
-		$this->server_send($base64_method_digest_md5);
+		$this->server_send($base64_method_digest_md5, true);
 		if ($err_msg = $this->server_parse('334', __LINE__))
 		{
 			return $err_msg;
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@ -601,9 +601,14 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas
 					FROM ' . USERS_TABLE . '
 					WHERE ' . $db->sql_in_set('LOWER(username)', $sql_usernames);
 				// Do not allow banning yourself
 				if (sizeof($founder))
 				{
-					$sql .= ' AND ' . $db->sql_in_set('user_id', array_keys($founder), true);
+					$sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), array($user->data['user_id'])), true);
 				}
 				else
 				{
 					$sql .= ' AND user_id <> ' . $user->data['user_id'];
 				}
 				$result = $db->sql_query($sql);
--- a/phpBB/includes/utf/utf_normalizer.php
+++ b/phpBB/includes/utf/utf_normalizer.php
@ -43,6 +43,7 @@ if (function_exists('utf8_normalize'))
 	* utf_normalizer class for the utfnormal extension
 	*
 	* @ignore
 	* @package phpBB3
 	*/
 	class utf_normalizer
 	{