- auto sync attachment topic flag [Bug #2949]

- corrected paths for templates stored in the db and filenames displayed in the template editor [Bug #3662]
- removed some useless language strings [Bug #3648]
- corrected escaping of usernames and passwords in auth modules [Bug #3696], added ldap_escape


git-svn-id: file:///svn/phpbb/trunk@6266 89ea8834-ac86-4346-8a33-228a782c2dd0
Nils Adermann 2006-08-12 01:58:58 +00:00
parent b5a6291fa5
commit b1ef984526
6 changed files with 32 additions and 16 deletions


@ -2355,7 +2355,7 @@ pagination_sep = \'{PAGINATION_SEP}\'
// heck of a lot of data ...
$sql_ary = array(
'template_id' => $style_id,
'template_filename' => "$template_path$pathfile$file",
'template_filename' => "$pathfile$file",
'template_included' => (isset($includes[$file])) ? implode(':', $includes[$file]) . ':' : '',
'template_mtime' => filemtime("{$phpbb_root_path}styles/$template_path$pathfile$file"),
'template_data' => file_get_contents("{$phpbb_root_path}styles/$template_path$pathfile$file"),


@ -121,6 +121,9 @@ function autologin_apache()
if (!empty($php_auth_user) && !empty($php_auth_pw))
{
set_var($php_auth_user, $php_auth_user, 'string');
set_var($php_auth_pw, $php_auth_pw, 'string');
$sql = 'SELECT *
FROM ' . USERS_TABLE . "
WHERE username = '" . $db->sql_escape($php_auth_user) . "'";
@ -190,7 +193,15 @@ function user_row_apache($username, $password)
*/
function validate_session_apache(&$user)
{
return (isset($_SERVER['PHP_AUTH_USER']) && ($_SERVER['PHP_AUTH_USER'] === $user['username'])) ? true : false;
if (!isset($_SERVER['PHP_AUTH_USER']))
{
return false;
}
$php_auth_user = '';
set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string');
return ($php_auth_user === $user['username']) ? true : false;
}
?>
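Review bot: The new `set_var()` calls in autologin_apache() and validate_session_apache() rely on an invariant that is not written down anywhere in these lines: the HTTP auth value is only comparable with `$user['username']` (and usable in the `WHERE username =` lookup) if `set_var()` yields exactly the form in which usernames are stored. set_var() is defined outside this page, so that should be confirmed and then recorded above the calls, for example `// Normalise the HTTP auth value the same way stored usernames are normalised, otherwise the comparison below never matches`. The same question applies to `$php_auth_pw`: if the normalisation trims or encodes characters, the password checked further down in autologin_apache() (outside the hunk) must have been stored through the same transformation. As a smaller style point, `? true : false` on the last line of validate_session_apache() is redundant; `return $php_auth_user === $user['username'];` is equivalent.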


@ -38,7 +38,7 @@ function init_ldap()
$search = @ldap_search(
$ldap,
$config['ldap_base_dn'],
'(' . $config['ldap_uid'] . '=' . $user->data['username'] . ')',
'(' . $config['ldap_uid'] . '=' . ldap_escape(html_entity_decode($user->data['username'])) . ')',
(empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
0,
1
@ -53,19 +53,20 @@ function init_ldap()
@ldap_close($ldap);
if (!is_array($result) || sizeof($result) < 2)
{
return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
}
if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']]))
{
return $user->lang['LDAP_NO_EMAIL'];
}
if (is_array($result) && sizeof($result) > 1)
{
return false;
}
return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
}
/**
* Login function
*/
@ -97,7 +98,7 @@ function login_ldap(&$username, &$password)
$search = @ldap_search(
$ldap,
$config['ldap_base_dn'],
'(' . $config['ldap_uid'] . '=' . $username . ')',
'(' . $config['ldap_uid'] . '=' . ldap_escape(html_entity_decode($username)) . ')',
(empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
0,
1
@ -107,7 +108,7 @@ function login_ldap(&$username, &$password)
if (is_array($ldap_result) && sizeof($ldap_result) > 1)
{
if (@ldap_bind($ldap, $ldap_result[0]['dn'], $password))
if (@ldap_bind($ldap, $ldap_result[0]['dn'], html_entity_decode($password)))
{
@ldap_close($ldap);
@ -198,6 +199,14 @@ function login_ldap(&$username, &$password)
);
}
/**
* Escapes an LDAP AttributeValue
*/
function ldap_escape($string)
{
return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string);
}
/**
* This function is used to output any required fields in the authentication
* admin panel. It also defines any required configuration table fields.
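Review bot: The new ldap_escape() does not reliably escape `*`: str_replace() applies the search array in order over the whole string, so the backslash it has just put in front of an asterisk is doubled by the following `\\` replacement, and the asterisk ends up unescaped in the filters built in init_ldap() and login_ldap(). The backslash-plus-character form is also not the search-filter encoding RFC 4515 specifies, which is a backslash followed by two hex digits, and NUL is not handled. A single-pass map fixes both: `return strtr($string, array('\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00'));`. The docblock should say that the function escapes a value for use inside a search filter, since DN escaping follows different rules. PHP 5.6 and later ship a built-in ldap_escape(), so this definition needs a `function_exists()` guard or a project-prefixed name to avoid a redeclaration error.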


@ -465,6 +465,7 @@ function move_posts($post_ids, $topic_id, $auto_sync = true)
$forum_ids[] = $forum_row['forum_id'];
sync('topic_reported', 'topic_id', $topic_ids);
sync('topic_attachment', 'topic_id', $topic_ids);
sync('topic', 'topic_id', $topic_ids, true);
sync('forum', 'forum_id', $forum_ids, true);
}


@ -172,9 +172,6 @@ $lang = array_merge($lang, array(
'MCP_QUEUE_UNAPPROVED_TOPICS' => 'Topics awaiting approval',
'MCP_QUEUE_UNAPPROVED_TOPICS_EXPLAIN' => 'This is a list of all topics which require approving before they will be visible to users',
'MCP_VIEW_ALL' => 'View all (%s)',
'MCP_VIEW_LOGS' => 'View logs',
'MCP_VIEW_RECENT' => 'View recent (%s)',
'MCP_VIEW_USER' => 'View warnings for a specific user',
'MCP_WARN' => 'Warnings',


@ -409,7 +409,6 @@ $lang = array_merge($lang, array(
'UCP_REGISTER_DISABLE' => 'Creating a new account is currently not possible.',
'UCP_REMIND' => 'Send password',
'UCP_RESEND' => 'Send activation email',
'UCP_WATCHED' => 'Watched items',
'UCP_WELCOME' => 'Welcome to the User Control Panel. From here you can monitor, view and update your profile, preferences, subscribed forums and topics. You can also send messages to other users (if permitted). Please ensure you read any announcements before continuing.',
'UCP_YIM' => 'Yahoo Messenger',
'UCP_ZEBRA' => 'Friends and Foes',
@ -486,7 +485,6 @@ $lang = array_merge($lang, array(
'IS_GROUP' => 'is in usergroup',
'ANSWERED' => 'answered',
'FORWARDED' => 'forwarded',
'REPORTED' => 'reported',
'TO_GROUP' => 'to my default usergroup',
'TO_ME' => 'to me'
),