From dd63f57344321a47eac235005ff9975aafa3051e Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Wed, 4 Aug 2010 12:35:19 +0200 Subject: [PATCH 1/2] [ticket/9615] magic_quotes_gpc: call stripslashes() before utf8_basename() When magic_quotes_gpc is 'On' it also affects the $_FILES array and a filename like 'bantu"s testfile.txt' will be returned as 'bantu\"s testfile.txt'. Because utf8_basename() also strips off anything before the last backslash the filename was returned as '"s testfile.txt'. Calling stripslashes() before utf8_basename() solves the problem. PHPBB3-9615 --- phpBB/includes/functions_upload.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/phpBB/includes/functions_upload.php b/phpBB/includes/functions_upload.php index 51fed45ebd..7f09cc1640 100644 --- a/phpBB/includes/functions_upload.php +++ b/phpBB/includes/functions_upload.php @@ -58,8 +58,9 @@ class filespec $this->filename = $upload_ary['tmp_name']; $this->filesize = $upload_ary['size']; - $name = trim(utf8_htmlspecialchars(utf8_basename($upload_ary['name']))); - $this->realname = $this->uploadname = (STRIP) ? stripslashes($name) : $name; + $name = (STRIP) ? stripslashes($upload_ary['name']) : $upload_ary['name']; + $name = trim(utf8_htmlspecialchars(utf8_basename($name))); + $this->realname = $this->uploadname = $name; $this->mimetype = $upload_ary['type']; // Opera adds the name to the mime type From c901a9eb70b9d66966f853b0381e05bc9f50fb00 Mon Sep 17 00:00:00 2001 From: Josh Woody Date: Fri, 20 Aug 2010 14:22:56 -0500 Subject: [PATCH 2/2] [ticket/9662] Search flood interval no longer applies to non-keyword searches The search interval was not consistently applied to "special" searches like "unread posts" and "view your topics." Now the special searches are always exempt from the flood interval. PHPBB3-9662 --- phpBB/search.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/phpBB/search.php b/phpBB/search.php index 1e1e42d01f..96f320fe9f 100644 --- a/phpBB/search.php +++ b/phpBB/search.php @@ -81,9 +81,10 @@ if ($user->load && $config['limit_search_load'] && ($user->load > doubleval($con trigger_error('NO_SEARCH_TIME'); } -// Check flood limit ... if applicable +// It is applicable if the configuration setting is non-zero, and the user cannot +// ignore the flood setting, and the search is a keyword search. $interval = ($user->data['user_id'] == ANONYMOUS) ? $config['search_anonymous_interval'] : $config['search_interval']; -if ($interval && !$auth->acl_get('u_ignoreflood')) +if ($interval && !in_array($search_id, array('unreadposts', 'unanswered', 'active_topics', 'egosearch')) && !$auth->acl_get('u_ignoreflood')) { if ($user->data['user_last_search'] > time() - $interval) {