diff -urN punbb-1.2.1/upload/admin_censoring.php punbb-1.2.3/upload/admin_censoring.php --- punbb-1.2.1/upload/admin_censoring.php Tue Jan 11 20:41:14 2005 +++ punbb-1.2.3/upload/admin_censoring.php Fri Mar 11 19:17:26 2005 @@ -76,7 +76,7 @@ { confirm_referrer('admin_censoring.php'); - $id = key($_POST['remove']); + $id = intval(key($_POST['remove'])); $db->query('DELETE FROM '.$db->prefix.'censoring WHERE id='.$id) or error('Unable to delete censor word', __FILE__, __LINE__, $db->error()); diff -urN punbb-1.2.1/upload/admin_forums.php punbb-1.2.3/upload/admin_forums.php --- punbb-1.2.1/upload/admin_forums.php Tue Jan 11 20:41:14 2005 +++ punbb-1.2.3/upload/admin_forums.php Fri Feb 18 22:05:02 2005 @@ -229,6 +229,9 @@ // Fetch forum info $result = $db->query('SELECT id, forum_name, forum_desc, redirect_url, num_topics, sort_by, cat_id FROM '.$db->prefix.'forums WHERE id='.$forum_id) or error('Unable to fetch forum info', __FILE__, __LINE__, $db->error()); + if (!$db->num_rows($result)) + message($lang_common['Bad request']); + $cur_forum = $db->fetch_assoc($result); diff -urN punbb-1.2.1/upload/admin_groups.php punbb-1.2.3/upload/admin_groups.php --- punbb-1.2.1/upload/admin_groups.php Tue Feb 1 16:16:46 2005 +++ punbb-1.2.3/upload/admin_groups.php Fri Feb 18 22:05:02 2005 @@ -54,6 +54,9 @@ message($lang_common['Bad request']); $result = $db->query('SELECT * FROM '.$db->prefix.'groups WHERE g_id='.$group_id) or error('Unable to fetch user group info', __FILE__, __LINE__, $db->error()); + if (!$db->num_rows($result)) + message($lang_common['Bad request']); + $group = $db->fetch_assoc($result); $mode = 'edit'; diff -urN punbb-1.2.1/upload/admin_loader.php punbb-1.2.3/upload/admin_loader.php --- punbb-1.2.1/upload/admin_loader.php Tue Jan 11 20:41:14 2005 +++ punbb-1.2.3/upload/admin_loader.php Thu Feb 24 22:15:54 2005 @@ -36,8 +36,8 @@ // The plugin to load should be supplied via GET -$plugin = isset($_GET['plugin']) ? $_GET['plugin'] : null; -if (!$plugin) +$plugin = isset($_GET['plugin']) ? $_GET['plugin'] : ''; +if (!preg_match('/^AM?P_(\w*?)\.php$/i', $plugin)) message($lang_common['Bad request']); // AP_ == Admins only, AMP_ == admins and moderators @@ -49,6 +49,9 @@ if (!file_exists(PUN_ROOT.'plugins/'.$plugin)) message('There is no plugin called \''.$plugin.'\' in the plugin directory.'); +// Construct REQUEST_URI if it isn't set +if (!isset($_SERVER['REQUEST_URI'])) + $_SERVER['REQUEST_URI'] = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '').'?'.(isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : ''); $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / Admin / '.$plugin; require PUN_ROOT.'header.php'; diff -urN punbb-1.2.1/upload/admin_options.php punbb-1.2.3/upload/admin_options.php --- punbb-1.2.1/upload/admin_options.php Sun Jan 23 20:08:54 2005 +++ punbb-1.2.3/upload/admin_options.php Mon Feb 28 01:52:52 2005 @@ -38,7 +38,7 @@ if (isset($_POST['form_sent'])) { // Lazy referer check (in case base_url isn't correct) - if (!preg_match('#/admin_options\.php#i', $_SERVER['HTTP_REFERER'])) + if (!isset($_SERVER['HTTP_REFERER']) || !preg_match('#/admin_options\.php#i', $_SERVER['HTTP_REFERER'])) message($lang_common['Bad referrer']); $form = array_map('trim', $_POST['form']); diff -urN punbb-1.2.1/upload/admin_ranks.php punbb-1.2.3/upload/admin_ranks.php --- punbb-1.2.1/upload/admin_ranks.php Tue Jan 11 20:41:14 2005 +++ punbb-1.2.3/upload/admin_ranks.php Fri Mar 11 19:17:26 2005 @@ -69,7 +69,7 @@ { confirm_referrer('admin_ranks.php'); - $id = key($_POST['update']); + $id = intval(key($_POST['update'])); $rank = trim($_POST['rank'][$id]); $min_posts = trim($_POST['min_posts'][$id]); @@ -100,7 +100,7 @@ { confirm_referrer('admin_ranks.php'); - $id = key($_POST['remove']); + $id = intval(key($_POST['remove'])); $db->query('DELETE FROM '.$db->prefix.'ranks WHERE id='.$id) or error('Unable to delete rank', __FILE__, __LINE__, $db->error()); diff -urN punbb-1.2.1/upload/admin_reports.php punbb-1.2.3/upload/admin_reports.php --- punbb-1.2.1/upload/admin_reports.php Tue Jan 11 20:41:14 2005 +++ punbb-1.2.3/upload/admin_reports.php Fri Mar 11 19:17:26 2005 @@ -40,7 +40,7 @@ { confirm_referrer('admin_reports.php'); - $zap_id = key($_POST['zap_id']); + $zap_id = intval(key($_POST['zap_id'])); $result = $db->query('SELECT zapped FROM '.$db->prefix.'reports WHERE id='.$zap_id) or error('Unable to fetch report info', __FILE__, __LINE__, $db->error()); $zapped = $db->result($result); diff -urN punbb-1.2.1/upload/admin_users.php punbb-1.2.3/upload/admin_users.php --- punbb-1.2.1/upload/admin_users.php Tue Feb 1 16:16:46 2005 +++ punbb-1.2.3/upload/admin_users.php Fri Mar 11 19:17:26 2005 @@ -266,7 +266,7 @@ $conditions[] = 'u.num_posts<'.$posts_less; if ($user_group != 'all') - $conditions[] = 'u.group_id='.$user_group; + $conditions[] = 'u.group_id='.$db->escape($user_group); if (!isset($conditions)) message('You didn\'t enter any search terms.'); @@ -300,7 +300,7 @@ query('SELECT u.id, u.username, u.email, u.title, u.num_posts, u.admin_note, g.g_id, g.g_user_title FROM '.$db->prefix.'users AS u LEFT JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id WHERE u.id>1 AND '.implode(' AND ', $conditions).' ORDER BY '.$order_by.' '.$direction) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); + $result = $db->query('SELECT u.id, u.username, u.email, u.title, u.num_posts, u.admin_note, g.g_id, g.g_user_title FROM '.$db->prefix.'users AS u LEFT JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id WHERE u.id>1 AND '.implode(' AND ', $conditions).' ORDER BY '.$db->escape($order_by).' '.$db->escape($direction)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); if ($db->num_rows($result)) { while ($user_data = $db->fetch_assoc($result)) diff -urN punbb-1.2.1/upload/footer.php punbb-1.2.3/upload/footer.php --- punbb-1.2.1/upload/footer.php Tue Jan 11 20:41:14 2005 +++ punbb-1.2.3/upload/footer.php Tue Feb 22 23:31:02 2005 @@ -140,12 +140,12 @@ // START SUBST - -while (preg_match('', $tpl_main, $cur_include)) +while (preg_match('//', $tpl_main, $cur_include)) { ob_start(); include PUN_ROOT.$cur_include[1]; $tpl_temp = ob_get_contents(); - $tpl_main = str_replace('<'.$cur_include[0].'>', $tpl_temp, $tpl_main); + $tpl_main = str_replace($cur_include[0], $tpl_temp, $tpl_main); ob_end_clean(); } // END SUBST - diff -urN punbb-1.2.1/upload/header.php punbb-1.2.3/upload/header.php --- punbb-1.2.1/upload/header.php Tue Feb 1 16:16:46 2005 +++ punbb-1.2.3/upload/header.php Wed Mar 9 22:04:02 2005 @@ -15,7 +15,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU G>eneral Public License + You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA @@ -171,10 +171,8 @@ $tpl_temp .= "\n\t\t\t\t".'
  • Maintenance mode is enabled!
    • '; } - if (basename($_SERVER['PHP_SELF']) == 'index.php') + if (in_array(basename($_SERVER['PHP_SELF']), array('index.php', 'search.php'))) $tpl_temp .= "\n\t\t\t".''."\n\t\t\t".''."\n\t\t\t".'
    '."\n\t\t".''; - else if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] == 'action=show_new') - $tpl_temp .= "\n\t\t\t".''."\n\t\t\t".'

    '.$lang_common['Mark all as read'].'

    '."\n\t\t\t".'
    '."\n\t\t".''; else $tpl_temp .= "\n\t\t\t".''."\n\t\t\t".'
    '."\n\t\t".''; } diff -urN punbb-1.2.1/upload/include/email.php punbb-1.2.3/upload/include/email.php --- punbb-1.2.1/upload/include/email.php Mon Jan 31 18:56:12 2005 +++ punbb-1.2.3/upload/include/email.php Fri Mar 11 19:15:58 2005 @@ -67,16 +67,18 @@ if (!$from) $from = '"'.$pun_config['o_board_title'].' '.$lang_common['Mailer'].'" <'.$pun_config['o_webmaster_email'].'>'; - // Make sure the from line doesn't contain a colon (the character, that is :D) - $from = str_replace(':', ' ', $from); + // Do a little spring cleaning + $to = trim(preg_replace('#[\n\r]+#s', '', $to)); + $subject = trim(preg_replace('#[\n\r]+#s', '', $subject)); + $from = trim(preg_replace('#[\n\r:]+#s', '', $from)); // Detect what linebreak we should use for the headers - if (strtoupper(substr(PHP_OS, 0, 3) == 'WIN')) - $eol = "\r\n"; - else if (strtoupper(substr(PHP_OS, 0, 3) == 'MAC')) - $eol = "\r"; - else - $eol = "\n"; + if (strtoupper(substr(PHP_OS, 0, 3) == 'WIN')) + $eol = "\r\n"; + else if (strtoupper(substr(PHP_OS, 0, 3) == 'MAC')) + $eol = "\r"; + else + $eol = "\n"; $headers = 'From: '.$from.$eol.'Date: '.date('r').$eol.'MIME-Version: 1.0'.$eol.'Content-transfer-encoding: 8bit'.$eol.'Content-type: text/plain; charset='.$lang_common['lang_encoding'].$eol.'X-Mailer: PunBB Mailer'; diff -urN punbb-1.2.1/upload/include/functions.php punbb-1.2.3/upload/include/functions.php --- punbb-1.2.1/upload/include/functions.php Sat Jan 29 17:12:52 2005 +++ punbb-1.2.3/upload/include/functions.php Fri Mar 11 18:57:06 2005 @@ -46,7 +46,7 @@ $pun_user = $db->fetch_assoc($result); // If user authorisation failed - if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) != $cookie['password_hash']) + if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) !== $cookie['password_hash']) { pun_setcookie(0, random_pass(8), $expire); set_default_user(); @@ -108,6 +108,9 @@ // Fetch guest user $result = $db->query('SELECT u.*, g.*, o.logged FROM '.$db->prefix.'users AS u INNER JOIN '.$db->prefix.'groups AS g ON u.group_id=g.g_id LEFT JOIN '.$db->prefix.'online AS o ON o.ident=\''.$remote_addr.'\' WHERE u.id=1') or error('Unable to fetch guest information', __FILE__, __LINE__, $db->error()); + if (!$db->num_rows($result)) + exit('Unable to fetch guest information. The table \''.$db->prefix.'users\' must contain an entry with id = 1 that represents anonymous users.'); + $pun_user = $db->fetch_assoc($result); // Update online list @@ -229,40 +232,40 @@ global $pun_config, $lang_common, $pun_user; // Index and Userlist should always be displayed - $links[] = '