[Xfce4-commits] [www/forum.xfce.org] 01/01: Update to fluxbb 1.5.7.
noreply at xfce.org
noreply at xfce.org
Tue Nov 25 17:25:39 CET 2014
commit be3144a5d1f2a15dc6012ed16876252db8cbbac3
Author: Nick Schermer <nick at xfce.org>
Date: Tue Nov 25 17:25:22 2014 +0100
Update to fluxbb 1.5.7.
---
admin_bans.php | 6 +++---
admin_options.php | 4 ++--
db_update.php | 2 +-
include/common.php | 2 +-
include/functions.php | 34 +++++++++++++++++++++++++++++++++-
install.php | 2 +-
login.php | 28 +++++-----------------------
misc.php | 28 +++++-----------------------
profile.php | 2 +-
9 files changed, 52 insertions(+), 56 deletions(-)
diff --git a/admin_bans.php b/admin_bans.php
index 5d6d5b5..0208805 100644
--- a/admin_bans.php
+++ b/admin_bans.php
@@ -134,7 +134,7 @@ if (isset($_REQUEST['add_ban']) || isset($_GET['edit_ban']))
<tr>
<th scope="row"><?php echo $lang_admin_bans['E-mail label'] ?></th>
<td>
- <input type="text" name="ban_email" size="40" maxlength="80" value="<?php if (isset($ban_email)) echo $ban_email; ?>" tabindex="3" />
+ <input type="text" name="ban_email" size="40" maxlength="80" value="<?php if (isset($ban_email)) echo pun_htmlspecialchars($ban_email); ?>" tabindex="3" />
<span><?php echo $lang_admin_bans['E-mail help'] ?></span>
</td>
</tr>
@@ -259,7 +259,7 @@ else if (isset($_POST['add_edit_ban']))
require PUN_ROOT.'include/email.php';
if ($ban_email != '' && !is_valid_email($ban_email))
{
- if (!preg_match('%^[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$%', $ban_email))
+ if (!preg_match('%^[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,63})$%', $ban_email))
message($lang_admin_bans['Invalid e-mail message']);
}
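Review bot: The widened TLD group on the domain-only branch, `[a-z]{2,63}`, still rejects punycode top-level labels (those starting with `xn--`) because it admits letters only, while the label groups before it already accept `[a-z0-9-]+`; if internationalised domains are meant to be bannable, `(\.[a-z0-9-]{2,63})$` would be consistent with the rest of the pattern. The pattern carries no `i` modifier, so it depends on `$ban_email` having been lower-cased earlier in the script, which is outside the hunk. The enclosing `else if (isset($_POST['add_edit_ban']))` block starts and ends outside the hunk.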
@@ -434,7 +434,7 @@ else if (isset($_GET['find_ban']))
?>
<tr>
<td class="tcl"><?php echo ($ban_data['username'] != '') ? pun_htmlspecialchars($ban_data['username']) : ' ' ?></td>
- <td class="tc2"><?php echo ($ban_data['email'] != '') ? $ban_data['email'] : ' ' ?></td>
+ <td class="tc2"><?php echo ($ban_data['email'] != '') ? pun_htmlspecialchars($ban_data['email']) : ' ' ?></td>
<td class="tc3"><?php echo ($ban_data['ip'] != '') ? pun_htmlspecialchars($ban_data['ip']) : ' ' ?></td>
<td class="tc4"><?php echo $expire ?></td>
<td class="tc5"><?php echo ($ban_data['message'] != '') ? pun_htmlspecialchars($ban_data['message']) : ' ' ?></td>
diff --git a/admin_options.php b/admin_options.php
index d0988be..c14c77e 100644
--- a/admin_options.php
+++ b/admin_options.php
@@ -705,14 +705,14 @@ generate_admin_menu('options');
<tr>
<th scope="row"><?php echo $lang_admin_options['Admin e-mail label'] ?></th>
<td>
- <input type="text" name="form[admin_email]" size="50" maxlength="80" value="<?php echo $pun_config['o_admin_email'] ?>" />
+ <input type="text" name="form[admin_email]" size="50" maxlength="80" value="<?php echo pun_htmlspecialchars($pun_config['o_admin_email']) ?>" />
<span><?php echo $lang_admin_options['Admin e-mail help'] ?></span>
</td>
</tr>
<tr>
<th scope="row"><?php echo $lang_admin_options['Webmaster e-mail label'] ?></th>
<td>
- <input type="text" name="form[webmaster_email]" size="50" maxlength="80" value="<?php echo $pun_config['o_webmaster_email'] ?>" />
+ <input type="text" name="form[webmaster_email]" size="50" maxlength="80" value="<?php echo pun_htmlspecialchars($pun_config['o_webmaster_email']) ?>" />
<span><?php echo $lang_admin_options['Webmaster e-mail help'] ?></span>
</td>
</tr>
diff --git a/db_update.php b/db_update.php
index d8307a1..be43dd3 100644
--- a/db_update.php
+++ b/db_update.php
@@ -7,7 +7,7 @@
*/
// The FluxBB version this script updates to
-define('UPDATE_TO', '1.5.6');
+define('UPDATE_TO', '1.5.7');
define('UPDATE_TO_DB_REVISION', 20);
define('UPDATE_TO_SI_REVISION', 2);
diff --git a/include/common.php b/include/common.php
index ab61a7c..dba883f 100644
--- a/include/common.php
+++ b/include/common.php
@@ -10,7 +10,7 @@ if (!defined('PUN_ROOT'))
exit('The constant PUN_ROOT must be defined and point to a valid FluxBB installation root directory.');
// Define the version and database revision that this code was written for
-define('FORUM_VERSION', '1.5.6');
+define('FORUM_VERSION', '1.5.7');
define('FORUM_DB_REVISION', 20);
define('FORUM_SI_REVISION', 2);
diff --git a/include/functions.php b/include/functions.php
index 3956d25..dd720f5 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1093,12 +1093,44 @@ function confirm_referrer($scripts, $error_msg = false)
}
// Check the host and path match. Ignore the scheme, port, etc.
- if ($referrer['host'] != $valid_host || !in_array($referrer['path'], $valid_paths))
+ if ($referrer['host'] != $valid_host || !in_array($referrer['path'], $valid_paths, true))
message($error_msg ? $error_msg : $lang_common['Bad referrer']);
}
//
+// Validate the given redirect URL, use the fallback otherwise
+//
+function validate_redirect($redirect_url, $fallback_url)
+{
+ $referrer = parse_url(strtolower($redirect_url));
+
+ // Remove www subdomain if it exists
+ if (strpos($referrer['host'], 'www.') === 0)
+ $referrer['host'] = substr($referrer['host'], 4);
+
+ // Make sure the path component exists
+ if (!isset($referrer['path']))
+ $referrer['path'] = '';
+
+ $valid = parse_url(strtolower(get_base_url()));
+
+ // Remove www subdomain if it exists
+ if (strpos($valid['host'], 'www.') === 0)
+ $valid['host'] = substr($valid['host'], 4);
+
+ // Make sure the path component exists
+ if (!isset($valid['path']))
+ $valid['path'] = '';
+
+ if ($referrer['host'] == $valid['host'] && preg_match('%^'.preg_quote($valid['path'], '%').'/(.*?)\.php%i', $referrer['path']))
+ return $redirect_url;
+ else
+ return $fallback_url;
+}
+
+
+//
// Generate a random password of length $len
// Compatibility wrapper for random_key
//
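Review bot: `validate_redirect` reads `$referrer['host']` and `$valid['host']` without checking that `parse_url()` succeeded or that a host component exists, so a relative or malformed `$redirect_url` such as `index.php` triggers an undefined-index notice (and a `false` return from `parse_url` yields `null` for every component) before the comparison falls through to the fallback. A guard after each parse makes the outcome explicit and quiet: `if ($referrer === false || !isset($referrer['host'])) return $fallback_url;` and the same for `$valid`. The check also ignores the scheme and port, so a same-host URL with a different scheme or port is accepted; if that matters, restricting `$referrer['scheme']` to `http`/`https` with `in_array(..., true)` is a one-line addition. The regex built from `$valid['path']` assumes the base URL path has no trailing slash; whether `get_base_url()` guarantees that is not visible here.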
diff --git a/install.php b/install.php
index 056545b..e39d92c 100644
--- a/install.php
+++ b/install.php
@@ -7,7 +7,7 @@
*/
// The FluxBB version this script installs
-define('FORUM_VERSION', '1.5.6');
+define('FORUM_VERSION', '1.5.7');
define('FORUM_DB_REVISION', 20);
define('FORUM_SI_REVISION', 2);
diff --git a/login.php b/login.php
index 4d4683e..931ca44 100644
--- a/login.php
+++ b/login.php
@@ -84,7 +84,10 @@ if (isset($_POST['form_sent']) && $action == 'in')
// Reset tracked topics
set_tracked_topics(null);
- redirect(pun_htmlspecialchars($_POST['redirect_url']), $lang_login['Login redirect']);
+ // Try to determine if the data in redirect_url is valid (if not, we redirect to index.php after login)
+ $redirect_url = validate_redirect($_POST['redirect_url'], 'index.php');
+
+ redirect(pun_htmlspecialchars($redirect_url), $lang_login['Login redirect']);
}
@@ -238,28 +241,7 @@ if (!$pun_user['is_guest'])
// Try to determine if the data in HTTP_REFERER is valid (if not, we redirect to index.php after login)
if (!empty($_SERVER['HTTP_REFERER']))
-{
- $referrer = parse_url($_SERVER['HTTP_REFERER']);
- // Remove www subdomain if it exists
- if (strpos($referrer['host'], 'www.') === 0)
- $referrer['host'] = substr($referrer['host'], 4);
-
- // Make sure the path component exists
- if (!isset($referrer['path']))
- $referrer['path'] = '';
-
- $valid = parse_url(get_base_url());
- // Remove www subdomain if it exists
- if (strpos($valid['host'], 'www.') === 0)
- $valid['host'] = substr($valid['host'], 4);
-
- // Make sure the path component exists
- if (!isset($valid['path']))
- $valid['path'] = '';
-
- if ($referrer['host'] == $valid['host'] && preg_match('%^'.preg_quote($valid['path'], '%').'/(.*?)\.php%i', $referrer['path']))
- $redirect_url = $_SERVER['HTTP_REFERER'];
-}
+ $redirect_url = validate_redirect($_SERVER['HTTP_REFERER'], null);
if (!isset($redirect_url))
$redirect_url = 'index.php';
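Review bot: Passing `null` as the fallback to `validate_redirect` and then relying on `!isset($redirect_url)` two lines later to substitute `'index.php'` splits one decision across two places and works only because `isset()` treats `null` as unset. Initialising `$redirect_url = 'index.php';` before the `if`, calling `validate_redirect($_SERVER['HTTP_REFERER'], 'index.php')` inside it, and dropping the `isset` block would make the fallback explicit. misc.php's hunk has the same shape at its `validate_redirect($_SERVER['HTTP_REFERER'], null)` line, with `'profile.php?id='.$recipient_id` as the fallback. The `if (!$pun_user['is_guest'])` block this sits in starts outside the hunk.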
diff --git a/misc.php b/misc.php
index a758892..d72a310 100644
--- a/misc.php
+++ b/misc.php
@@ -136,34 +136,16 @@ else if (isset($_GET['email']))
$db->query('UPDATE '.$db->prefix.'users SET last_email_sent='.time().' WHERE id='.$pun_user['id']) or error('Unable to update user', __FILE__, __LINE__, $db->error());
- redirect(pun_htmlspecialchars($_POST['redirect_url']), $lang_misc['Email sent redirect']);
+ // Try to determine if the data in redirect_url is valid (if not, we redirect to index.php after login)
+ $redirect_url = validate_redirect($_POST['redirect_url'], 'index.php');
+
+ redirect(pun_htmlspecialchars($redirect_url), $lang_misc['Email sent redirect']);
}
// Try to determine if the data in HTTP_REFERER is valid (if not, we redirect to the user's profile after the email is sent)
if (!empty($_SERVER['HTTP_REFERER']))
- {
- $referrer = parse_url($_SERVER['HTTP_REFERER']);
- // Remove www subdomain if it exists
- if (strpos($referrer['host'], 'www.') === 0)
- $referrer['host'] = substr($referrer['host'], 4);
-
- // Make sure the path component exists
- if (!isset($referrer['path']))
- $referrer['path'] = '';
-
- $valid = parse_url(get_base_url());
- // Remove www subdomain if it exists
- if (strpos($valid['host'], 'www.') === 0)
- $valid['host'] = substr($valid['host'], 4);
-
- // Make sure the path component exists
- if (!isset($valid['path']))
- $valid['path'] = '';
-
- if ($referrer['host'] == $valid['host'] && preg_match('%^'.preg_quote($valid['path'], '%').'/(.*?)\.php%i', $referrer['path']))
- $redirect_url = $_SERVER['HTTP_REFERER'];
- }
+ $redirect_url = validate_redirect($_SERVER['HTTP_REFERER'], null);
if (!isset($redirect_url))
$redirect_url = 'profile.php?id='.$recipient_id;
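Review bot: The comment added above the first `validate_redirect` call in this hunk says the fallback redirect happens "after login", which was carried over from login.php; in this branch the redirect follows sending the e-mail, so `// Try to determine if the data in redirect_url is valid (if not, we redirect to index.php after the email is sent)` describes it accurately. The enclosing `else if (isset($_GET['email']))` block starts and ends outside the hunk.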
diff --git a/profile.php b/profile.php
index ce4e6dc..6076f10 100644
--- a/profile.php
+++ b/profile.php
@@ -55,7 +55,7 @@ if ($action == 'change_pass')
message($lang_profile['Pass key bad'].' <a href="mailto:'.pun_htmlspecialchars($pun_config['o_admin_email']).'">'.pun_htmlspecialchars($pun_config['o_admin_email']).'</a>.');
else
{
- $db->query('UPDATE '.$db->prefix.'users SET password=\''.$cur_user['activate_string'].'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
+ $db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($cur_user['activate_string']).'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
message($lang_profile['Pass updated'], true);
}
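Review bot: `$cur_user['activate_string']` is now passed through `$db->escape()`, but `$id` is still concatenated into the `WHERE` clause of the same query; if it is not cast with `intval()` earlier in the script (outside the hunk), it needs `$db->escape()` or an integer cast as well. Since `activate_string` is a value read back from the database, the fixed case was a second-order one, and other queries in this file that interpolate `$cur_user` fields would warrant the same check, which cannot be confirmed from the hunk. The enclosing `if ($action == 'change_pass')` block starts and ends outside the hunk.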