From b21463b2ab0b33d00cca45aea23a228795322716 Mon Sep 17 00:00:00 2001
From: "Paul S. Owen"
Date: Tue, 26 Nov 2002 11:42:12 +0000
Subject: [PATCH] More updates, append sid to admin browsing
git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@3101 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/admin/admin_disallow.php | 6 +++++-
 phpBB/admin/pagestart.php | 22 +++++++++++++++++-----
 phpBB/db/oracle.php | 2 +-
 phpBB/docs/CHANGELOG.html | 4 +++-
 phpBB/includes/functions_validate.php | 4 ++--
 phpBB/includes/page_tail.php | 2 +-
 phpBB/includes/sessions.php | 10 +++++-----
 7 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/phpBB/admin/admin_disallow.php b/phpBB/admin/admin_disallow.php
index be983d9d2a..54871098db 100644
--- a/phpBB/admin/admin_disallow.php
+++ b/phpBB/admin/admin_disallow.php
@@ -41,8 +41,12 @@ if( isset($HTTP_POST_VARS['add_name']) )
 {
 include($phpbb_root_path . 'includes/functions_validate.'.$phpEx);
- $disallowed_user = ( isset($HTTP_POST_VARS['disallowed_user']) ) ? $HTTP_POST_VARS['disallowed_user'] : $HTTP_GET_VARS['disallowed_user'];
+ $disallowed_user = ( isset($HTTP_POST_VARS['disallowed_user']) ) ? trim($HTTP_POST_VARS['disallowed_user']) : trim($HTTP_GET_VARS['disallowed_user']);
+ if ($disallowed_user == '')
+ {
+ message_die(MESSAGE, $lang['Fields_empty']);
+ }
 if( !validate_username($disallowed_user) )
 {
 $message = $lang['Disallowed_already'];
diff --git a/phpBB/admin/pagestart.php b/phpBB/admin/pagestart.php
index db7133071f..ac0831ef56 100644
--- a/phpBB/admin/pagestart.php
+++ b/phpBB/admin/pagestart.php
@@ -20,13 +20,13 @@ *
 ***************************************************************************/
-if ( !defined('IN_PHPBB') )
+if (!defined('IN_PHPBB'))
 {
 die("Hacking attempt");
 }
 define('IN_ADMIN', true);
-
+// Include files
 include($phpbb_root_path . 'common.'.$phpEx);
 //
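Review bot: `message_die(MESSAGE, $lang['Fields_empty'])` in the new empty-name branch uses a constant that appears nowhere else in this patch, while the sibling call in pagestart.php uses `GENERAL_MESSAGE`; if `MESSAGE` is not a defined constant, PHP passes the bare string instead of a message code and the guard will not render as intended, so `message_die(GENERAL_MESSAGE, $lang['Fields_empty']);` looks like what was meant. The fallback `trim($HTTP_GET_VARS['disallowed_user'])` is evaluated whenever the POST field is absent, which raises a notice when the GET key is missing too and, more to the point, lets a value that modifies the disallow list arrive in the query string even though the action is gated on `add_name` being POSTed; reading only `$HTTP_POST_VARS` with `isset` guarding the read would keep the state-changing input in the request body. The enclosing `if( isset($HTTP_POST_VARS['add_name']) )` block continues past the end of the hunk.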
@@ -37,18 +37,30 @@ init_userprefs($userdata);
 //
 // End session management
 //
-if( !$userdata['session_logged_in'] )
+
+if (!$userdata['session_logged_in'])
 {
 $header_location = ( @preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')) ) ? 'Refresh: 0; URL=' : 'Location: ';
 header($header_location . '../' . append_sid("login.$phpEx?redirect=admin/"));
 exit;
 }
-else if( $userdata['user_level'] != ADMIN )
+else if ($userdata['user_level'] != ADMIN)
 {
 message_die(GENERAL_MESSAGE, $lang['Not_admin']);
 }
-if ( empty($no_page_header) )
+if ($HTTP_GET_VARS['sid'] != $userdata['session_id'])
+{
+ $url = preg_replace('/sid=([^&]*)(&?)/i', '', $HTTP_SERVER_VARS['REQUEST_URI']);
+ $url = preg_replace('/\?$/', '', $url);
+ $url .= ((strpos($url, '?')) ? '&' : '?') . 'sid=' . $userdata['session_id'];
+
+ $header_location = ( @preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')) ) ? 'Refresh: 0; URL=' : 'Location: ';
+ header($header_location . $url);
+ exit;
+}
+
+if (empty($no_page_header))
 {
 // Not including the pageheader can be neccesarry if META tags are
 // needed in the calling script.
diff --git a/phpBB/db/oracle.php b/phpBB/db/oracle.php
index 3319bca4ec..aceb444114 100644
--- a/phpBB/db/oracle.php
+++ b/phpBB/db/oracle.php
@@ -296,7 +296,7 @@ class sql_db
 {
 $rows = @OCIFetchStatement($query_id, $results);
 @OCIExecute($query_id, OCI_DEFAULT);
- for($i = 0; $i <= $rows; $i++)
+ for($i = 0; $i < $rows; $i++)
 {
 @OCIFetchInto($query_id, $tmp_result, OCI_ASSOC+OCI_RETURN_NULLS);
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 985a82ecb8..5c5583f7fc 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -91,7 +91,9 @@ h3 {font-size:12pt;color:blue}
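Review bot: The new sid guard redirects with a Location/Refresh header regardless of request method, so an admin form whose action URL lacks a matching `sid` will have its POST turned into a GET of the rebuilt URL and the submitted fields silently dropped rather than rejected; if every admin form is expected to carry `sid` through the `$SID` change elsewhere in this patch that may be acceptable, but it deserves a comment such as `// Any admin request without the current sid is bounced to the same URL with it appended; a POST body is lost on the way.` The separator choice `(strpos($url, '?')) ? '&' : '?'` treats a `?` at offset 0 as absent, and `(strpos($url, '?') !== false)` is the safe spelling. The `sid=([^&]*)(&?)` pattern is unanchored, so it would also strip any query parameter whose name merely ends in `sid` — no such admin parameter is visible here, so this is a hedged observation. The comparison against `$userdata['session_id']` is loose (`!=`) on two strings, which is harmless in this form but would be clearer as `!==`.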
  • Changed field size of timezone to decimal(5,2) where applicable
  • Fixed missing sid append to URL when redirecting to newest reply
  • Fixed missing slashes in private IP preg check
  • -
  • +
  • Fixed session not setting userdata['user_id'] to ANON as appropriate
  • +
  • Added check for non-empty name in disallow admin
  • +
  • Fixed validation of SSL website addresses in profile
  • diff --git a/phpBB/includes/functions_validate.php b/phpBB/includes/functions_validate.php index 2ae915090c..02492d639e 100644 --- a/phpBB/includes/functions_validate.php +++ b/phpBB/includes/functions_validate.php @@ -164,12 +164,12 @@ function validate_optional_fields(&$icq, &$aim, &$msnm, &$yim, &$website, &$loca // contains at least one dot. if ( $website != "" ) { - if ( !preg_match('#^http:\/\/#i', $website) ) + if ( !preg_match('#^http[s]?:\/\/#i', $website) ) { $website = 'http://' . $website; } - if ( !preg_match('#^http\\:\\/\\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $website) ) + if ( !preg_match('#^http[s]?\\:\\/\\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $website) ) { $website = ''; } diff --git a/phpBB/includes/page_tail.php b/phpBB/includes/page_tail.php index bd06a3e4de..6ce12fb1b3 100644 --- a/phpBB/includes/page_tail.php +++ b/phpBB/includes/page_tail.php @@ -28,7 +28,7 @@ if ( !defined('IN_PHPBB') ) // // Show the overall footer. // -$admin_link = ( $userdata['user_level'] == ADMIN ) ? '' . $lang['Admin_panel'] . '
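Review bot: Both regexes only constrain the start of `$website`: after the host labels anything is accepted, including quotes and angle brackets, so this validation must not be treated as output sanitisation for the profile link — whatever template prints `$website` still needs htmlspecialchars() applied at render time (that code is outside this hunk, so confirm). `[s]?` is a one-character class and reads as though more alternatives were intended; the conventional spelling is `https?`, and with `#` delimiters the `\\:` and `\\/` escapes are unnecessary, e.g. `'#^https?://[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i'`. validate_optional_fields() starts and ends outside the hunk.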

    ' : ''; +$admin_link = ( $userdata['user_level'] == ADMIN ) ? '' . $lang['Admin_panel'] . '

    ' : ''; $template->set_filenames(array( 'overall_footer' => ( empty($gen_simple_header) ) ? 'overall_footer.tpl' : 'simple_footer.tpl')
diff --git a/phpBB/includes/sessions.php b/phpBB/includes/sessions.php
index bc6d0b5218..4d91484028 100644
--- a/phpBB/includes/sessions.php
+++ b/phpBB/includes/sessions.php
@@ -84,7 +84,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 // No match; don't login, set as anonymous user
 $login = 0;
 $enable_autologin = 0;
- $user_id = ANONYMOUS;
+ $user_id = $userdata['user_id'] = ANONYMOUS;
 }
 }
 else
@@ -92,7 +92,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 // Autologin is not set. Don't login, set as anonymous user
 $login = 0;
 $enable_autologin = 0;
- $user_id = ANONYMOUS;
+ $user_id = $userdata['user_id'] = ANONYMOUS;
 }
 }
 else
@@ -182,7 +182,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a
 setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
 setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);
- $SID = ( $sessionmethod == SESSION_METHOD_GET ) ? 'sid=' . $session_id : '';
+ $SID = ($sessionmethod == SESSION_METHOD_GET || defined('IN_ADMIN')) ? 'sid=' . $session_id : '';
 return $userdata;
 }
@@ -250,9 +250,9 @@ function session_pagestart($user_ip, $thispage_id)
 $ip_check_s = substr($userdata['session_ip'], 0, 6);
 $ip_check_u = substr($user_ip, 0, 6);
- if ( $ip_check_s == $ip_check_u )
+ if ($ip_check_s == $ip_check_u)
 {
- $SID = ( $sessionmethod == SESSION_METHOD_GET ) ? 'sid=' . $session_id : '';
+ $SID = ($sessionmethod == SESSION_METHOD_GET || defined('IN_ADMIN')) ? 'sid=' . $session_id : '';
 //
 // Only update session DB a minute or so after last update
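Review bot: With `defined('IN_ADMIN')` forcing `sid=` into every admin URL, the session id now lands in browser history, proxy and access logs, and in the Referer header of any off-site link followed from an admin page; since the admin pagestart check in this same patch treats a matching `sid` as proof that the request came from the admin's own session, a sid leaked that way is exactly what a cross-site request would need. That trade-off is worth a comment at both assignments, e.g. `// Admin pages always carry the sid in the URL so that links forged without it cannot reach admin actions; this also exposes it in logs and Referer headers.` The same expression is duplicated in session_begin() and session_pagestart(), and a single boolean computed once would keep the two from drifting. Both functions' bodies continue outside these hunks.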