diff -urN punbb-1.2.4/upload/admin_bans.php punbb-1.2.17/upload/admin_bans.php --- punbb-1.2.4/upload/admin_bans.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/admin_bans.php 2006-10-14 18:40:28.000000000 +0200 @@ -44,7 +44,7 @@ if (isset($_GET['add_ban'])) { $add_ban = intval($_GET['add_ban']); - if ($add_ban < 1) + if ($add_ban < 2) message($lang_common['Bad request']); $user_id = $add_ban; @@ -61,7 +61,7 @@ if ($ban_user != '') { - $result = $db->query('SELECT id, group_id, username, email FROM '.$db->prefix.'users WHERE username=\''.$db->escape($ban_user).'\'') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); + $result = $db->query('SELECT id, group_id, username, email FROM '.$db->prefix.'users WHERE username=\''.$db->escape($ban_user).'\' AND id>1') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); if ($db->num_rows($result)) list($user_id, $group_id, $ban_user, $ban_email) = $db->fetch_row($result); else @@ -192,6 +192,8 @@ if ($ban_user == '' && $ban_ip == '' && $ban_email == '') message('You must enter either a username, an IP address or an e-mail address (at least).'); + else if (strtolower($ban_user) == 'guest') + message('The guest user cannot be banned.'); // Validate IP/IP range (it's overkill, I know) if ($ban_ip != '') @@ -244,7 +246,7 @@ if ($_POST['mode'] == 'add') $db->query('INSERT INTO '.$db->prefix.'bans (username, ip, email, message, expire) VALUES('.$ban_user.', '.$ban_ip.', '.$ban_email.', '.$ban_message.', '.$ban_expire.')') or error('Unable to add ban', __FILE__, __LINE__, $db->error()); else - $db->query('UPDATE '.$db->prefix.'bans SET username='.$ban_user.', ip='.$ban_ip.', email='.$ban_email.', message='.$ban_message.', expire='.$ban_expire.' WHERE id='.$_POST['ban_id']) or error('Unable to update ban', __FILE__, __LINE__, $db->error()); + $db->query('UPDATE '.$db->prefix.'bans SET username='.$ban_user.', ip='.$ban_ip.', email='.$ban_email.', message='.$ban_message.', expire='.$ban_expire.' WHERE id='.intval($_POST['ban_id'])) or error('Unable to update ban', __FILE__, __LINE__, $db->error()); // Regenerate the bans cache require_once PUN_ROOT.'include/cache.php'; diff -urN punbb-1.2.4/upload/admin_categories.php punbb-1.2.17/upload/admin_categories.php --- punbb-1.2.4/upload/admin_categories.php 2005-03-18 23:15:15.000000000 +0100 +++ punbb-1.2.17/upload/admin_categories.php 2007-04-10 23:37:34.000000000 +0200 @@ -118,12 +118,12 @@
Confirm delete category
-

Are you sure that you want to delete the category ""?

+

Are you sure that you want to delete the category ""?

WARNING! Deleting a category will delete all forums and posts (if any) in that category!

-

   Go back

+

Go back

@@ -151,7 +151,7 @@ if ($cat_name[$i] == '') message('You must enter a category name.'); - if (!preg_match('#^\d+$#', $cat_order[$i])) + if (!@preg_match('#^\d+$#', $cat_order[$i])) message('Position must be an integer value.'); list($cat_id, $position) = $db->fetch_row($result); diff -urN punbb-1.2.4/upload/admin_censoring.php punbb-1.2.17/upload/admin_censoring.php --- punbb-1.2.4/upload/admin_censoring.php 2005-03-18 23:15:15.000000000 +0100 +++ punbb-1.2.17/upload/admin_censoring.php 2005-04-07 21:38:23.000000000 +0200 @@ -57,7 +57,7 @@ { confirm_referrer('admin_censoring.php'); - $id = key($_POST['update']); + $id = intval(key($_POST['update'])); $search_for = trim($_POST['search_for'][$id]); $replace_with = trim($_POST['replace_with'][$id]); diff -urN punbb-1.2.4/upload/admin_forums.php punbb-1.2.17/upload/admin_forums.php --- punbb-1.2.4/upload/admin_forums.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/admin_forums.php 2008-01-15 00:23:25.000000000 +0100 @@ -117,7 +117,7 @@ -

   Go back

+

Go back

@@ -137,10 +137,10 @@ while (list($forum_id, $disp_position) = @each($_POST['position'])) { - if (!preg_match('#^\d+$#', $disp_position)) + if (!@preg_match('#^\d+$#', $disp_position)) message('Position must be a positive integer value.'); - $db->query('UPDATE '.$db->prefix.'forums SET disp_position='.$disp_position.' WHERE id='.$forum_id) or error('Unable to update forum', __FILE__, __LINE__, $db->error()); + $db->query('UPDATE '.$db->prefix.'forums SET disp_position='.$disp_position.' WHERE id='.intval($forum_id)) or error('Unable to update forum', __FILE__, __LINE__, $db->error()); } // Regenerate the quickjump cache @@ -186,9 +186,9 @@ $result = $db->query('SELECT g_id, g_read_board, g_post_replies, g_post_topics FROM '.$db->prefix.'groups WHERE g_id!='.PUN_ADMIN) or error('Unable to fetch user group list', __FILE__, __LINE__, $db->error()); while ($cur_group = $db->fetch_assoc($result)) { - $read_forum_new = ($cur_group['g_read_board'] == '1') ? isset($_POST['read_forum_new'][$cur_group['g_id']]) ? $_POST['read_forum_new'][$cur_group['g_id']] : '0' : $_POST['read_forum_old'][$cur_group['g_id']]; - $post_replies_new = isset($_POST['post_replies_new'][$cur_group['g_id']]) ? $_POST['post_replies_new'][$cur_group['g_id']] : '0'; - $post_topics_new = isset($_POST['post_topics_new'][$cur_group['g_id']]) ? $_POST['post_topics_new'][$cur_group['g_id']] : '0'; + $read_forum_new = ($cur_group['g_read_board'] == '1') ? isset($_POST['read_forum_new'][$cur_group['g_id']]) ? '1' : '0' : intval($_POST['read_forum_old'][$cur_group['g_id']]); + $post_replies_new = isset($_POST['post_replies_new'][$cur_group['g_id']]) ? '1' : '0'; + $post_topics_new = isset($_POST['post_topics_new'][$cur_group['g_id']]) ? '1' : '0'; // Check if the new settings differ from the old if ($read_forum_new != $_POST['read_forum_old'][$cur_group['g_id']] || $post_replies_new != $_POST['post_replies_old'][$cur_group['g_id']] || $post_topics_new != $_POST['post_topics_old'][$cur_group['g_id']]) @@ -385,8 +385,13 @@ query('SELECT id, cat_name FROM '.$db->prefix.'categories ORDER BY disp_position') or error('Unable to fetch category list', __FILE__, __LINE__, $db->error()); - while ($cur_cat = $db->fetch_assoc($result)) - echo "\t\t\t\t\t\t\t\t\t".''."\n"; + if ($db->num_rows($result) > 0) + { + while ($cur_cat = $db->fetch_assoc($result)) + echo "\t\t\t\t\t\t\t\t\t".''."\n"; + } + else + echo "\t\t\t\t\t\t\t\t\t".''."\n"; ?> @@ -399,7 +404,15 @@ +query('SELECT c.id AS cid, c.cat_name, f.id AS fid, f.forum_name, f.disp_position FROM '.$db->prefix.'categories AS c INNER JOIN '.$db->prefix.'forums AS f ON c.id=f.cat_id ORDER BY c.disp_position, c.id, f.disp_position') or error('Unable to fetch category/forum list', __FILE__, __LINE__, $db->error()); + +if ($db->num_rows($result) > 0) +{ +?>

Edit forums

@@ -408,9 +421,6 @@ $tabindex_count = 4; -// Display all the categories and forums -$result = $db->query('SELECT c.id AS cid, c.cat_name, f.id AS fid, f.forum_name, f.disp_position FROM '.$db->prefix.'categories AS c INNER JOIN '.$db->prefix.'forums AS f ON c.id=f.cat_id ORDER BY c.disp_position, c.id, f.disp_position') or error('Unable to fetch category/forum list', __FILE__, __LINE__, $db->error()); - $cur_category = 0; while ($cur_forum = $db->fetch_assoc($result)) { @@ -449,6 +459,11 @@

+
diff -urN punbb-1.2.4/upload/admin_groups.php punbb-1.2.17/upload/admin_groups.php --- punbb-1.2.4/upload/admin_groups.php 2005-03-18 23:15:16.000000000 +0100 +++ punbb-1.2.17/upload/admin_groups.php 2006-10-14 18:41:53.000000000 +0200 @@ -209,15 +209,15 @@ $title = trim($_POST['req_title']); $user_title = trim($_POST['user_title']); - $read_board = isset($_POST['read_board']) ? $_POST['read_board'] : '1'; - $post_replies = isset($_POST['post_replies']) ? $_POST['post_replies'] : '1'; - $post_topics = isset($_POST['post_topics']) ? $_POST['post_topics'] : '1'; - $edit_posts = isset($_POST['edit_posts']) ? $_POST['edit_posts'] : ($is_admin_group) ? '1' : '0'; - $delete_posts = isset($_POST['delete_posts']) ? $_POST['delete_posts'] : ($is_admin_group) ? '1' : '0'; - $delete_topics = isset($_POST['delete_topics']) ? $_POST['delete_topics'] : ($is_admin_group) ? '1' : '0'; - $set_title = isset($_POST['set_title']) ? $_POST['set_title'] : ($is_admin_group) ? '1' : '0'; - $search = isset($_POST['search']) ? $_POST['search'] : '1'; - $search_users = isset($_POST['search_users']) ? $_POST['search_users'] : '1'; + $read_board = isset($_POST['read_board']) ? intval($_POST['read_board']) : '1'; + $post_replies = isset($_POST['post_replies']) ? intval($_POST['post_replies']) : '1'; + $post_topics = isset($_POST['post_topics']) ? intval($_POST['post_topics']) : '1'; + $edit_posts = isset($_POST['edit_posts']) ? intval($_POST['edit_posts']) : ($is_admin_group) ? '1' : '0'; + $delete_posts = isset($_POST['delete_posts']) ? intval($_POST['delete_posts']) : ($is_admin_group) ? '1' : '0'; + $delete_topics = isset($_POST['delete_topics']) ? intval($_POST['delete_topics']) : ($is_admin_group) ? '1' : '0'; + $set_title = isset($_POST['set_title']) ? intval($_POST['set_title']) : ($is_admin_group) ? '1' : '0'; + $search = isset($_POST['search']) ? intval($_POST['search']) : '1'; + $search_users = isset($_POST['search_users']) ? intval($_POST['search_users']) : '1'; $edit_subjects_interval = isset($_POST['edit_subjects_interval']) ? intval($_POST['edit_subjects_interval']) : '0'; $post_flood = isset($_POST['post_flood']) ? intval($_POST['post_flood']) : '0'; $search_flood = isset($_POST['search_flood']) ? intval($_POST['search_flood']) : '0'; @@ -243,11 +243,11 @@ } else { - $result = $db->query('SELECT 1 FROM '.$db->prefix.'groups WHERE g_title=\''.$db->escape($title).'\' && g_id!='.$_POST['group_id']) or error('Unable to check group title collision', __FILE__, __LINE__, $db->error()); + $result = $db->query('SELECT 1 FROM '.$db->prefix.'groups WHERE g_title=\''.$db->escape($title).'\' AND g_id!='.intval($_POST['group_id'])) or error('Unable to check group title collision', __FILE__, __LINE__, $db->error()); if ($db->num_rows($result)) message('There is already a group with the title \''.pun_htmlspecialchars($title).'\'.'); - $db->query('UPDATE '.$db->prefix.'groups SET g_title=\''.$db->escape($title).'\', g_user_title='.$user_title.', g_read_board='.$read_board.', g_post_replies='.$post_replies.', g_post_topics='.$post_topics.', g_edit_posts='.$edit_posts.', g_delete_posts='.$delete_posts.', g_delete_topics='.$delete_topics.', g_set_title='.$set_title.', g_search='.$search.', g_search_users='.$search_users.', g_edit_subjects_interval='.$edit_subjects_interval.', g_post_flood='.$post_flood.', g_search_flood='.$search_flood.' WHERE g_id='.$_POST['group_id']) or error('Unable to update group', __FILE__, __LINE__, $db->error()); + $db->query('UPDATE '.$db->prefix.'groups SET g_title=\''.$db->escape($title).'\', g_user_title='.$user_title.', g_read_board='.$read_board.', g_post_replies='.$post_replies.', g_post_topics='.$post_topics.', g_edit_posts='.$edit_posts.', g_delete_posts='.$delete_posts.', g_delete_topics='.$delete_topics.', g_set_title='.$set_title.', g_search='.$search.', g_search_users='.$search_users.', g_edit_subjects_interval='.$edit_subjects_interval.', g_post_flood='.$post_flood.', g_search_flood='.$search_flood.' WHERE g_id='.intval($_POST['group_id'])) or error('Unable to update group', __FILE__, __LINE__, $db->error()); } // Regenerate the quickjump cache @@ -264,7 +264,7 @@ confirm_referrer('admin_groups.php'); $group_id = intval($_POST['default_group']); - if ($group_id < 1) + if ($group_id < 4) message($lang_common['Bad request']); $db->query('UPDATE '.$db->prefix.'config SET conf_value='.$group_id.' WHERE conf_name=\'o_default_user_group\'') or error('Unable to update board config', __FILE__, __LINE__, $db->error()); diff -urN punbb-1.2.4/upload/admin_index.php punbb-1.2.17/upload/admin_index.php --- punbb-1.2.4/upload/admin_index.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/admin_index.php 2005-09-02 16:03:18.000000000 +0200 @@ -86,14 +86,14 @@ $load_averages = @explode(' ', $load_averages); $server_load = isset($load_averages[2]) ? $load_averages[0].' '.$load_averages[1].' '.$load_averages[2] : 'Not available'; } -else if (preg_match('/averages?: ([0-9\.]+),[\s]+([0-9\.]+),[\s]+([0-9\.]+)/i', @exec('uptime'), $load_averages)) +else if (!in_array(PHP_OS, array('WINNT', 'WIN32')) && preg_match('/averages?: ([0-9\.]+),[\s]+([0-9\.]+),[\s]+([0-9\.]+)/i', @exec('uptime'), $load_averages)) $server_load = $load_averages[1].' '.$load_averages[2].' '.$load_averages[3]; else $server_load = 'Not available'; // Get number of current visitors -$result = $db->query('SELECT COUNT(user_id) FROM '.$db->prefix.'online') or error('Unable to fetch online count', __FILE__, __LINE__, $db->error()); +$result = $db->query('SELECT COUNT(user_id) FROM '.$db->prefix.'online WHERE idle=0') or error('Unable to fetch online count', __FILE__, __LINE__, $db->error()); $num_online = $db->result($result); diff -urN punbb-1.2.4/upload/admin_loader.php punbb-1.2.17/upload/admin_loader.php --- punbb-1.2.4/upload/admin_loader.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/admin_loader.php 2007-04-10 23:37:34.000000000 +0200 @@ -37,7 +37,7 @@ // The plugin to load should be supplied via GET $plugin = isset($_GET['plugin']) ? $_GET['plugin'] : ''; -if (!preg_match('/^AM?P_(\w*?)\.php$/i', $plugin)) +if (!@preg_match('/^AM?P_(\w*?)\.php$/i', $plugin)) message($lang_common['Bad request']); // AP_ == Admins only, AMP_ == admins and moderators diff -urN punbb-1.2.4/upload/admin_maintenance.php punbb-1.2.17/upload/admin_maintenance.php --- punbb-1.2.4/upload/admin_maintenance.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/admin_maintenance.php 2008-01-19 16:16:24.000000000 +0100 @@ -52,7 +52,7 @@ // This is the only potentially "dangerous" thing we can do here, so we check the referer confirm_referrer('admin_maintenance.php'); - $truncate_sql = ($db_type != 'sqlite') ? 'TRUNCATE TABLE ' : 'DELETE FROM '; + $truncate_sql = ($db_type != 'sqlite' && $db_type != 'pgsql') ? 'TRUNCATE TABLE ' : 'DELETE FROM '; $db->query($truncate_sql.$db->prefix.'search_matches') or error('Unable to empty search index match table', __FILE__, __LINE__, $db->error()); $db->query($truncate_sql.$db->prefix.'search_words') or error('Unable to empty search index words table', __FILE__, __LINE__, $db->error()); @@ -65,12 +65,10 @@ break; case 'pgsql'; - $result = $db->query('SELECT setval(\'search_words_id_seq\', 1, false)') or error('Unable to update sequence', __FILE__, __LINE__, $db->error()); + $result = $db->query('SELECT setval(\''.$db->prefix.'search_words_id_seq\', 1, false)') or error('Unable to update sequence', __FILE__, __LINE__, $db->error()); } } - $end_at = $start_at + $per_page; - ?> @@ -95,7 +93,7 @@ require PUN_ROOT.'include/search_idx.php'; // Fetch posts to process - $result = $db->query('SELECT DISTINCT t.id, p.id, p.message FROM '.$db->prefix.'topics AS t INNER JOIN '.$db->prefix.'posts AS p ON t.id=p.topic_id WHERE t.id>='.$start_at.' AND t.id<'.$end_at.' ORDER BY t.id') or error('Unable to fetch topic/post info', __FILE__, __LINE__, $db->error()); + $result = $db->query('SELECT DISTINCT t.id, p.id, p.message FROM '.$db->prefix.'topics AS t INNER JOIN '.$db->prefix.'posts AS p ON t.id=p.topic_id WHERE t.id>='.$start_at.' ORDER BY t.id LIMIT '.$per_page) or error('Unable to fetch topic/post info', __FILE__, __LINE__, $db->error()); $cur_topic = 0; while ($cur_post = $db->fetch_row($result)) @@ -118,9 +116,9 @@ } // Check if there is more work to do - $result = $db->query('SELECT id FROM '.$db->prefix.'topics WHERE id>'.$end_at) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error()); + $result = $db->query('SELECT id FROM '.$db->prefix.'topics WHERE id>'.$cur_topic.' ORDER BY id ASC LIMIT 1') or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error()); - $query_str = ($db->num_rows($result)) ? '?i_per_page='.$per_page.'&i_start_at='.$end_at : ''; + $query_str = ($db->num_rows($result)) ? '?i_per_page='.$per_page.'&i_start_at='.$db->result($result) : ''; $db->end_transaction(); $db->close(); diff -urN punbb-1.2.4/upload/admin_options.php punbb-1.2.17/upload/admin_options.php --- punbb-1.2.4/upload/admin_options.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/admin_options.php 2007-04-11 13:35:44.000000000 +0200 @@ -37,15 +37,18 @@ if (isset($_POST['form_sent'])) { - // Lazy referer check (in case base_url isn't correct) - if (!isset($_SERVER['HTTP_REFERER']) || !preg_match('#/admin_options\.php#i', $_SERVER['HTTP_REFERER'])) - message($lang_common['Bad referrer']); + // Custom referrer check (so we can output a custom error message) + if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/admin_options.php', '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '')))) + message('Bad HTTP_REFERER. If you have moved these forums from one location to another or switched domains, you need to update the Base URL manually in the database (look for o_base_url in the config table) and then clear the cache by deleting all .php files in the /cache directory.'); $form = array_map('trim', $_POST['form']); if ($form['board_title'] == '') message('You must enter a board title.'); + // Clean default_lang + $form['default_lang'] = preg_replace('#[\.\\\/]#', '', $form['default_lang']); + require PUN_ROOT.'include/email.php'; $form['admin_email'] = strtolower($form['admin_email']); @@ -63,6 +66,9 @@ if (substr($form['base_url'], -1) == '/') $form['base_url'] = substr($form['base_url'], 0, -1); + // Clean avatars_dir + $form['avatars_dir'] = str_replace("\0", '', $form['avatars_dir']); + // Make sure avatars_dir doesn't end with a slash if (substr($form['avatars_dir'], -1) == '/') $form['avatars_dir'] = substr($form['avatars_dir'], 0, -1); @@ -117,14 +123,14 @@ while (list($key, $input) = @each($form)) { // Only update values that have changed - if ($pun_config['o_'.$key] != $input) + if (array_key_exists('o_'.$key, $pun_config) && $pun_config['o_'.$key] != $input) { if ($input != '' || is_int($input)) $value = '\''.$db->escape($input).'\''; else $value = 'NULL'; - $db->query('UPDATE '.$db->prefix.'config SET conf_value='.$value.' WHERE conf_name=\'o_'.$key.'\'') or error('Unable to update board config', __FILE__, __LINE__, $db->error()); + $db->query('UPDATE '.$db->prefix.'config SET conf_value='.$value.' WHERE conf_name=\'o_'.$db->escape($key).'\'') or error('Unable to update board config', __FILE__, __LINE__, $db->error()); } } @@ -229,11 +235,13 @@ $d = dir(PUN_ROOT.'lang'); while (($entry = $d->read()) !== false) { - if ($entry != '.' && $entry != '..' && is_dir(PUN_ROOT.'lang/'.$entry)) + if ($entry != '.' && $entry != '..' && is_dir(PUN_ROOT.'lang/'.$entry) && file_exists(PUN_ROOT.'lang/'.$entry.'/common.php')) $languages[] = $entry; } $d->close(); + @natsort($languages); + while (list(, $temp) = @each($languages)) { if ($pun_config['o_default_lang'] == $temp) @@ -262,6 +270,8 @@ } $d->close(); + @natsort($styles); + while (list(, $temp) = @each($styles)) { if ($pun_config['o_default_style'] == $temp) diff -urN punbb-1.2.4/upload/admin_permissions.php punbb-1.2.17/upload/admin_permissions.php --- punbb-1.2.4/upload/admin_permissions.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/admin_permissions.php 2005-09-02 01:36:11.000000000 +0200 @@ -39,23 +39,13 @@ { confirm_referrer('admin_permissions.php'); - $form = array_map('trim', $_POST['form']); - - $form['sig_length'] = intval($form['sig_length']); - $form['sig_lines'] = intval($form['sig_lines']); + $form = array_map('intval', $_POST['form']); while (list($key, $input) = @each($form)) { // Only update values that have changed - if ($pun_config['p_'.$key] != $input) - { - if ($input != '' || is_int($input)) - $value = '\''.$db->escape($input).'\''; - else - $value = 'NULL'; - - $db->query('UPDATE '.$db->prefix.'config SET conf_value='.$value.' WHERE conf_name=\'p_'.$key.'\'') or error('Unable to update board config', __FILE__, __LINE__, $db->error()); - } + if (array_key_exists('p_'.$key, $pun_config) && $pun_config['p_'.$key] != $input) + $db->query('UPDATE '.$db->prefix.'config SET conf_value='.$input.' WHERE conf_name=\'p_'.$db->escape($key).'\'') or error('Unable to update board config', __FILE__, __LINE__, $db->error()); } // Regenerate the config cache diff -urN punbb-1.2.4/upload/admin_prune.php punbb-1.2.17/upload/admin_prune.php --- punbb-1.2.4/upload/admin_prune.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/admin_prune.php 2007-04-10 23:37:34.000000000 +0200 @@ -62,6 +62,7 @@ } else { + $prune_from = intval($prune_from); prune($prune_from, $_POST['prune_sticky'], $prune_date); update_forum($prune_from); } @@ -83,7 +84,7 @@ $prune_days = $_POST['req_prune_days']; - if (!preg_match('#^\d+$#', $prune_days)) + if (!@preg_match('#^\d+$#', $prune_days)) message('Days to prune must be a positive integer.'); $prune_date = time() - ($prune_days*86400); @@ -97,6 +98,7 @@ if ($prune_from != 'all') { + $prune_from = intval($prune_from); $sql .= ' AND forum_id='.$prune_from; // Fetch the forum name (just for cosmetic reasons) @@ -135,7 +137,7 @@ -

   Go back

+

Go back

diff -urN punbb-1.2.4/upload/admin_ranks.php punbb-1.2.17/upload/admin_ranks.php --- punbb-1.2.4/upload/admin_ranks.php 2005-03-18 23:15:16.000000000 +0100 +++ punbb-1.2.17/upload/admin_ranks.php 2007-04-10 23:37:34.000000000 +0200 @@ -46,7 +46,7 @@ if ($rank == '') message('You must enter a rank title.'); - if (!preg_match('#^\d+$#', $min_posts)) + if (!@preg_match('#^\d+$#', $min_posts)) message('Minimum posts must be a positive integer value.'); // Make sure there isn't already a rank with the same min_posts value @@ -77,11 +77,11 @@ if ($rank == '') message('You must enter a rank title.'); - if (!preg_match('#^\d+$#', $min_posts)) + if (!@preg_match('#^\d+$#', $min_posts)) message('Minimum posts must be a positive integer value.'); // Make sure there isn't already a rank with the same min_posts value - $result = $db->query('SELECT 1 FROM '.$db->prefix.'ranks WHERE id!='.$id.' && min_posts='.$min_posts) or error('Unable to fetch rank info', __FILE__, __LINE__, $db->error()); + $result = $db->query('SELECT 1 FROM '.$db->prefix.'ranks WHERE id!='.$id.' AND min_posts='.$min_posts) or error('Unable to fetch rank info', __FILE__, __LINE__, $db->error()); if ($db->num_rows($result)) message('There is already a rank with a minimun posts value of '.$min_posts.'.'); diff -urN punbb-1.2.4/upload/admin_users.php punbb-1.2.17/upload/admin_users.php --- punbb-1.2.4/upload/admin_users.php 2005-03-18 23:15:16.000000000 +0100 +++ punbb-1.2.17/upload/admin_users.php 2007-04-10 23:37:34.000000000 +0200 @@ -49,7 +49,7 @@ ?>
-
Go back
+
Go back
@@ -98,7 +98,7 @@
-
Go back
+
Go back
-
Go back
+
Go back
@@ -202,7 +202,7 @@
-
Go back
+
Go back
escape($key).' '.$like_command.' \''.$db->escape(str_replace('*', '%', $input)).'\''; } if ($posts_greater != '') @@ -266,9 +267,9 @@ $conditions[] = 'u.num_posts<'.$posts_less; if ($user_group != 'all') - $conditions[] = 'u.group_id='.$db->escape($user_group); + $conditions[] = 'u.group_id='.intval($user_group); - if (!isset($conditions)) + if (empty($conditions)) message('You didn\'t enter any search terms.'); @@ -278,7 +279,7 @@ ?>
-
Go back
+
Go back
@@ -338,7 +339,7 @@
-
Go back
+
Go back
@@ -184,7 +184,7 @@
- +
@@ -197,7 +197,7 @@ ?>
-

+

@@ -208,7 +208,7 @@ +
  • :
  • :
    • diff -urN punbb-1.2.4/upload/extern.php punbb-1.2.17/upload/extern.php --- punbb-1.2.4/upload/extern.php 2005-03-18 23:15:15.000000000 +0100 +++ punbb-1.2.17/upload/extern.php 2007-01-15 01:51:05.000000000 +0100 @@ -116,8 +116,8 @@ exit('The file \'config.php\' doesn\'t exist or is corrupt. Please run install.php to install PunBB first.'); -// Disable error reporting for uninitialized variables -error_reporting(E_ALL); +// Make sure PHP reports all errors except E_NOTICE +error_reporting(E_ALL ^ E_NOTICE); // Turn off magic_quotes_runtime set_magic_quotes_runtime(0); @@ -129,10 +129,14 @@ // Load DB abstraction layer and try to connect require PUN_ROOT.'include/dblayer/common_db.php'; -// Get the forum config -$result = $db->query('SELECT * FROM '.$db->prefix.'config') or error('Unable to fetch forum config', __FILE__, __LINE__, $db->error()); -while ($cur_config_item = $db->fetch_row($result)) - $pun_config[$cur_config_item[0]] = $cur_config_item[1]; +// Load cached config +@include PUN_ROOT.'cache/cache_config.php'; +if (!defined('PUN_CONFIG_LOADED')) +{ + require PUN_ROOT.'include/cache.php'; + generate_config_cache(); + require PUN_ROOT.'cache/cache_config.php'; +} // Make sure we (guests) have permission to read the forums $result = $db->query('SELECT g_read_board FROM '.$db->prefix.'groups WHERE g_id=3') or error('Unable to fetch group info', __FILE__, __LINE__, $db->error()); @@ -145,6 +149,10 @@ if (!isset($lang_common)) exit('There is no valid language pack \''.$pun_config['o_default_lang'].'\' installed. Please reinstall a language of that name.'); +// Check if we are to display a maintenance message +if ($pun_config['o_maintenance'] && !defined('PUN_TURN_OFF_MAINT')) + maintenance_message(); + if (!isset($_GET['action'])) exit('No parameters supplied. See extern.php for instructions.'); diff -urN punbb-1.2.4/upload/footer.php punbb-1.2.17/upload/footer.php --- punbb-1.2.4/upload/footer.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/footer.php 2007-04-10 18:19:24.000000000 +0200 @@ -139,18 +139,6 @@ // END SUBST - -// START SUBST - -while (preg_match('//', $tpl_main, $cur_include)) -{ - ob_start(); - include PUN_ROOT.$cur_include[1]; - $tpl_temp = ob_get_contents(); - $tpl_main = str_replace($cur_include[0], $tpl_temp, $tpl_main); - ob_end_clean(); -} -// END SUBST - - - // Close the db connection (and free up any result data) $db->close(); diff -urN punbb-1.2.4/upload/header.php punbb-1.2.17/upload/header.php --- punbb-1.2.4/upload/header.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/header.php 2008-01-14 12:58:26.000000000 +0100 @@ -43,6 +43,21 @@ $tpl_main = file_get_contents(PUN_ROOT.'include/template/main.tpl'); +// START SUBST - +while (preg_match('##', $tpl_main, $cur_include)) +{ + if (!file_exists(PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2])) + error('Unable to process user include '.htmlspecialchars($cur_include[0]).' from template main.tpl. There is no such file in folder /include/user/'); + + ob_start(); + include PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2]; + $tpl_temp = ob_get_contents(); + $tpl_main = str_replace($cur_include[0], $tpl_temp, $tpl_main); + ob_end_clean(); +} +// END SUBST - + + // START SUBST - $tpl_main = str_replace('', $lang_common['lang_direction'], $tpl_main); // END SUBST - @@ -68,10 +83,7 @@ if (defined('PUN_ADMIN_CONSOLE')) echo ''."\n"; -if (isset($destination_url)) - echo ''."\n"; - -else if (isset($required_fields)) +if (isset($required_fields)) { // Output JavaScript to validate form (make sure required fields are filled out) @@ -134,8 +146,8 @@ // START SUBST - -$tpl_main = str_replace('', basename($_SERVER['PHP_SELF'], '.php'), $tpl_main); -// END SUBST - +$tpl_main = str_replace('', htmlspecialchars(basename($_SERVER['PHP_SELF'], '.php')), $tpl_main); +// END SUBST - // START SUBST - diff -urN punbb-1.2.4/upload/include/cache.php punbb-1.2.17/upload/include/cache.php --- punbb-1.2.4/upload/include/cache.php 2005-03-18 23:15:15.000000000 +0100 +++ punbb-1.2.17/upload/include/cache.php 2005-07-07 19:00:08.000000000 +0200 @@ -129,7 +129,7 @@ global $db; // Get the rank list from the DB - $result = $db->query('SELECT * FROM '.$db->prefix.'ranks', true) or error('Unable to fetch rank list', __FILE__, __LINE__, $db->error()); + $result = $db->query('SELECT * FROM '.$db->prefix.'ranks ORDER BY min_posts', true) or error('Unable to fetch rank list', __FILE__, __LINE__, $db->error()); $output = array(); while ($cur_rank = $db->fetch_assoc($result)) @@ -174,7 +174,7 @@ if (!$fh) error('Unable to write quickjump cache file to cache directory. Please make sure PHP has write access to the directory \'cache\'', __FILE__, __LINE__); - $output = ''; + $output = ''; $output .= "\t\t\t\t".''."\n\t\t\t\t\t".'
    @@ -324,7 +324,7 @@ if (preg_match('#\[b\]|\[/b\]|\[u\]|\[/u\]|\[i\]|\[/i\]|\[color|\[/color\]|\[quote\]|\[/quote\]|\[code\]|\[/code\]|\[img\]|\[/img\]|\[url|\[/url\]|\[email|\[/email\]#i', $username)) error('Usernames may not contain any of the text formatting tags (BBCode) that the forum uses. Please go back and correct.'); - if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/', $email)) + if (strlen($email) > 50 || !preg_match('/^(([^<>()[\]\\.,;:\s@"\']+(\.[^<>()[\]\\.,;:\s@"\']+)*)|("[^"\']+"))@((\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])|(([a-zA-Z\d\-]+\.)+[a-zA-Z]{2,}))$/', $email)) error('The administrator e-mail address you entered is invalid. Please go back and correct.'); @@ -346,6 +346,9 @@ case 'sqlite': require PUN_ROOT.'include/dblayer/sqlite.php'; break; + + default: + error('\''.$db_type.'\' is not a valid database type.'); } // Create the database object (and connect/select db) @@ -525,7 +528,7 @@ break; } - $db->query($sql) or error('Unable to create table '.$db_prefix.'online. Please check your settings and try again.', __FILE__, __LINE__, $db->error()); + $db->query($sql) or error('Unable to create table '.$db_prefix.'config. Please check your settings and try again.', __FILE__, __LINE__, $db->error()); @@ -754,7 +757,7 @@ poster_id INT(10) UNSIGNED NOT NULL DEFAULT 1, poster_ip VARCHAR(15), poster_email VARCHAR(50), - message TEXT NOT NULL DEFAULT '', + message TEXT, hide_smilies TINYINT(1) NOT NULL DEFAULT 0, posted INT(10) UNSIGNED NOT NULL DEFAULT 0, edited INT(10) UNSIGNED, @@ -771,7 +774,7 @@ poster_id INT NOT NULL DEFAULT 1, poster_ip VARCHAR(15), poster_email VARCHAR(50), - message TEXT NOT NULL DEFAULT '', + message TEXT, hide_smilies SMALLINT NOT NULL DEFAULT 0, posted INT NOT NULL DEFAULT 0, edited INT, @@ -788,7 +791,7 @@ poster_id INTEGER NOT NULL DEFAULT 1, poster_ip VARCHAR(15), poster_email VARCHAR(50), - message TEXT NOT NULL DEFAULT '', + message TEXT, hide_smilies INTEGER NOT NULL DEFAULT 0, posted INTEGER NOT NULL DEFAULT 0, edited INTEGER, @@ -849,7 +852,7 @@ forum_id INT(10) UNSIGNED NOT NULL DEFAULT 0, reported_by INT(10) UNSIGNED NOT NULL DEFAULT 0, created INT(10) UNSIGNED NOT NULL DEFAULT 0, - message TEXT NOT NULL DEFAULT '', + message TEXT, zapped INT(10) UNSIGNED, zapped_by INT(10) UNSIGNED, PRIMARY KEY (id) @@ -864,7 +867,7 @@ forum_id INT NOT NULL DEFAULT 0, reported_by INT NOT NULL DEFAULT 0, created INT NOT NULL DEFAULT 0, - message TEXT NOT NULL DEFAULT '', + message TEXT, zapped INT, zapped_by INT, PRIMARY KEY (id) @@ -879,7 +882,7 @@ forum_id INTEGER NOT NULL DEFAULT 0, reported_by INTEGER NOT NULL DEFAULT 0, created INTEGER NOT NULL DEFAULT 0, - message TEXT NOT NULL DEFAULT '', + message TEXT, zapped INTEGER, zapped_by INTEGER, PRIMARY KEY (id) @@ -898,7 +901,7 @@ $sql = 'CREATE TABLE '.$db_prefix."search_cache ( id INT(10) UNSIGNED NOT NULL DEFAULT 0, ident VARCHAR(200) NOT NULL DEFAULT '', - search_data TEXT NOT NULL DEFAULT '', + search_data TEXT, PRIMARY KEY (id) ) TYPE=MyISAM;"; break; @@ -907,7 +910,7 @@ $sql = 'CREATE TABLE '.$db_prefix."search_cache ( id INT NOT NULL DEFAULT 0, ident VARCHAR(200) NOT NULL DEFAULT '', - search_data TEXT NOT NULL DEFAULT '', + search_data TEXT, PRIMARY KEY (id) )"; break; @@ -916,7 +919,7 @@ $sql = 'CREATE TABLE '.$db_prefix."search_cache ( id INTEGER NOT NULL DEFAULT 0, ident VARCHAR(200) NOT NULL DEFAULT '', - search_data TEXT NOT NULL DEFAULT '', + search_data TEXT, PRIMARY KEY (id) )"; break; @@ -1231,6 +1234,7 @@ case 'mysql': case 'mysqli': // We use MySQL's ALTER TABLE ... ADD INDEX syntax instead of CREATE INDEX to avoid problems with users lacking the INDEX privilege + $queries[] = 'ALTER TABLE '.$db_prefix.'online ADD UNIQUE INDEX '.$db_prefix.'online_user_id_ident_idx(user_id,ident)'; $queries[] = 'ALTER TABLE '.$db_prefix.'online ADD INDEX '.$db_prefix.'online_user_id_idx(user_id)'; $queries[] = 'ALTER TABLE '.$db_prefix.'posts ADD INDEX '.$db_prefix.'posts_topic_id_idx(topic_id)'; $queries[] = 'ALTER TABLE '.$db_prefix.'posts ADD INDEX '.$db_prefix.'posts_multi_idx(poster_id, topic_id)'; @@ -1397,7 +1401,7 @@ /// Display config.php and give further instructions - $config = ' @@ -1420,7 +1424,7 @@
    -

    To finalize the installation all you need to do is to copy and paste the text in the text box below into a file called config.php and then upload this file to the root directory of your PunBB installation. Make sure there are no linebreaks or spaces before <?php and after ?> in the file. You can later edit config.php if you reconfigure your setup (e.g. change the database password or ).

    +

    To finalize the installation all you need to do is to copy and paste the text in the text box below into a file called config.php and then upload this file to the root directory of your PunBB installation. Make sure there are no linebreaks or spaces before <?php. You can later edit config.php if you reconfigure your setup (e.g. change the database password or ).

    diff -urN punbb-1.2.4/upload/login.php punbb-1.2.17/upload/login.php --- punbb-1.2.4/upload/login.php 2005-03-18 23:15:14.000000000 +0100 +++ punbb-1.2.17/upload/login.php 2008-02-20 00:09:45.000000000 +0100 @@ -40,7 +40,9 @@ $form_username = trim($_POST['req_username']); $form_password = trim($_POST['req_password']); - $result = $db->query('SELECT id, group_id, password, save_pass FROM '.$db->prefix.'users WHERE username=\''.$db->escape($form_username).'\'') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); + $username_sql = ($db_type == 'mysql' || $db_type == 'mysqli') ? 'username=\''.$db->escape($form_username).'\'' : 'LOWER(username)=LOWER(\''.$db->escape($form_username).'\')'; + + $result = $db->query('SELECT id, group_id, password, save_pass FROM '.$db->prefix.'users WHERE '.$username_sql) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); list($user_id, $group_id, $db_password_hash, $save_pass) = $db->fetch_row($result); $authorized = false; @@ -76,13 +78,13 @@ $expire = ($save_pass == '1') ? time() + 31536000 : 0; pun_setcookie($user_id, $form_password_hash, $expire); - redirect($_POST['redirect_url'], $lang_login['Login redirect']); + redirect(htmlspecialchars($_POST['redirect_url']), $lang_login['Login redirect']); } else if ($action == 'out') { - if ($pun_user['is_guest'] || !isset($_GET['id']) || $_GET['id'] != $pun_user['id']) + if ($pun_user['is_guest'] || !isset($_GET['id']) || $_GET['id'] != $pun_user['id'] || !isset($_GET['csrf_token']) || $_GET['csrf_token'] != sha1($pun_user['id'].sha1(get_remote_address()))) { header('Location: index.php'); exit; @@ -95,7 +97,7 @@ if (isset($pun_user['logged'])) $db->query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error()); - pun_setcookie(1, random_pass(8), time() + 31536000); + pun_setcookie(1, md5(uniqid(rand(), true)), time() + 31536000); redirect('index.php', $lang_login['Logout redirect']); } @@ -151,7 +153,7 @@ message($lang_login['Forget mail'].' '.$pun_config['o_admin_email'].'.'); } else - message($lang_login['No e-mail match'].' '.$email.'.'); + message($lang_login['No e-mail match'].' '.htmlspecialchars($email).'.'); } @@ -189,7 +191,7 @@ header('Location: index.php'); // Try to determine if the data in HTTP_REFERER is valid (if not, we redirect to index.php after login) -$redirect_url = (isset($_SERVER['HTTP_REFERER']) && preg_match('#^'.preg_quote($pun_config['o_base_url']).'/(.*?)\.php#i', $_SERVER['HTTP_REFERER'])) ? $_SERVER['HTTP_REFERER'] : 'index.php'; +$redirect_url = (isset($_SERVER['HTTP_REFERER']) && preg_match('#^'.preg_quote($pun_config['o_base_url']).'/(.*?)\.php#i', $_SERVER['HTTP_REFERER'])) ? htmlspecialchars($_SERVER['HTTP_REFERER']) : 'index.php'; $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Login']; $required_fields = array('req_username' => $lang_common['Username'], 'req_password' => $lang_common['Password']); diff -urN punbb-1.2.4/upload/misc.php punbb-1.2.17/upload/misc.php --- punbb-1.2.4/upload/misc.php 2005-03-18 23:15:15.000000000 +0100 +++ punbb-1.2.17/upload/misc.php 2008-02-03 16:42:49.000000000 +0100 @@ -76,7 +76,7 @@ message($lang_common['No permission']); $recipient_id = intval($_GET['email']); - if ($recipient_id < 1) + if ($recipient_id < 2) message($lang_common['Bad request']); $result = $db->query('SELECT username, email, email_setting FROM '.$db->prefix.'users WHERE id='.$recipient_id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); @@ -118,14 +118,14 @@ require_once PUN_ROOT.'include/email.php'; - pun_mail($recipient_email, $mail_subject, $mail_message, $pun_user['username'].' <'.$pun_user['email'].'>'); + pun_mail($recipient_email, $mail_subject, $mail_message, '"'.str_replace('"', '', $pun_user['username']).'" <'.$pun_user['email'].'>'); - redirect($_POST['redirect_url'], $lang_misc['E-mail sent redirect']); + redirect(htmlspecialchars($_POST['redirect_url']), $lang_misc['E-mail sent redirect']); } // Try to determine if the data in HTTP_REFERER is valid (if not, we redirect to the users profile after the e-mail is sent) - $redirect_url = (isset($_SERVER['HTTP_REFERER']) && preg_match('#^'.preg_quote($pun_config['o_base_url']).'/(.*?)\.php#i', $_SERVER['HTTP_REFERER'])) ? $_SERVER['HTTP_REFERER'] : 'index.php'; + $redirect_url = (isset($_SERVER['HTTP_REFERER']) && preg_match('#^'.preg_quote($pun_config['o_base_url']).'/(.*?)\.php#i', $_SERVER['HTTP_REFERER'])) ? htmlspecialchars($_SERVER['HTTP_REFERER']) : 'index.php'; $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_misc['Send e-mail to'].' '.pun_htmlspecialchars($recipient); $required_fields = array('req_subject' => $lang_misc['E-mail subject'], 'req_message' => $lang_misc['E-mail message']); @@ -252,6 +252,11 @@ if ($topic_id < 1) message($lang_common['Bad request']); + // Make sure the user can view the topic + $result = $db->query('SELECT 1 FROM '.$db->prefix.'topics AS t LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=t.forum_id AND fp.group_id=1) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id='.$topic_id.' AND t.moved_to IS NULL') or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error()); + if (!$db->num_rows($result)) + message($lang_common['Bad request']); + $result = $db->query('SELECT 1 FROM '.$db->prefix.'subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error()); if ($db->num_rows($result)) message($lang_misc['Already subscribed']); diff -urN punbb-1.2.4/upload/moderate.php punbb-1.2.17/upload/moderate.php --- punbb-1.2.4/upload/moderate.php 2005-03-18 23:15:15.000000000 +0100 +++ punbb-1.2.17/upload/moderate.php 2008-02-20 00:18:27.000000000 +0100 @@ -35,7 +35,7 @@ message($lang_common['No permission']); // Is get_host an IP address or a post ID? - if (preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host'])) + if (@preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $_GET['get_host'])) $ip = $_GET['get_host']; else { @@ -98,7 +98,13 @@ { confirm_referrer('moderate.php'); - if (preg_match('/[^0-9,]/', $posts)) + if (@preg_match('/[^0-9,]/', $posts)) + message($lang_common['Bad request']); + + // Verify that the post IDs are valid + $result = $db->query('SELECT 1 FROM '.$db->prefix.'posts WHERE id IN('.$posts.') AND topic_id='.$tid) or error('Unable to check posts', __FILE__, __LINE__, $db->error()); + + if ($db->num_rows($result) != substr_count($posts, ',') + 1) message($lang_common['Bad request']); // Delete the posts @@ -281,7 +287,7 @@ { confirm_referrer('moderate.php'); - if (preg_match('/[^0-9,]/', $_POST['topics'])) + if (@preg_match('/[^0-9,]/', $_POST['topics'])) message($lang_common['Bad request']); $topics = explode(',', $_POST['topics']); @@ -289,6 +295,12 @@ if (empty($topics) || $move_to_forum < 1) message($lang_common['Bad request']); + // Verify that the topic IDs are valid + $result = $db->query('SELECT 1 FROM '.$db->prefix.'topics WHERE id IN('.implode(',',$topics).') AND forum_id='.$fid) or error('Unable to check topics', __FILE__, __LINE__, $db->error()); + + if ($db->num_rows($result) != count($topics)) + message($lang_common['Bad request']); + // Delete any redirect topics if there are any (only if we moved/copied the topic back to where it where it was once moved from) $db->query('DELETE FROM '.$db->prefix.'topics WHERE forum_id='.$move_to_forum.' AND moved_to IN('.implode(',',$topics).')') or error('Unable to delete redirect topics', __FILE__, __LINE__, $db->error()); @@ -351,7 +363,7 @@

    +
    • :
    • :
      • diff -urN punbb-1.2.4/upload/profile.php punbb-1.2.17/upload/profile.php --- punbb-1.2.4/upload/profile.php 2005-03-18 23:15:15.000000000 +0100 +++ punbb-1.2.17/upload/profile.php 2007-11-19 00:14:16.000000000 +0100 @@ -87,6 +87,9 @@ if (isset($_POST['form_sent'])) { + if ($pun_user['g_id'] < PUN_GUEST) + confirm_referrer('profile.php'); + $old_password = isset($_POST['req_old_password']) ? trim($_POST['req_old_password']) : ''; $new_password1 = trim($_POST['req_new_password1']); $new_password2 = trim($_POST['req_new_password2']); @@ -190,17 +193,20 @@ $result = $db->query('SELECT activate_string, activate_key FROM '.$db->prefix.'users WHERE id='.$id) or error('Unable to fetch activation data', __FILE__, __LINE__, $db->error()); list($new_email, $new_email_key) = $db->fetch_row($result); - if ($key != $new_email_key) + if ($key == '' || $key != $new_email_key) message($lang_profile['E-mail key bad'].' '.$pun_config['o_admin_email'].'.'); else { - $db->query('UPDATE '.$db->prefix.'users SET email=\''.$new_email.'\', activate_string=NULL, activate_key=NULL WHERE id='.$id) or error('Unable to update e-mail address', __FILE__, __LINE__, $db->error()); + $db->query('UPDATE '.$db->prefix.'users SET email=activate_string, activate_string=NULL, activate_key=NULL WHERE id='.$id) or error('Unable to update e-mail address', __FILE__, __LINE__, $db->error()); message($lang_profile['E-mail updated'], true); } } else if (isset($_POST['form_sent'])) { + if (pun_hash($_POST['req_password']) !== $pun_user['password']) + message($lang_profile['Wrong pass']); + require PUN_ROOT.'include/email.php'; // Validate the email-address @@ -264,7 +270,7 @@ } $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Profile']; - $required_fields = array('req_new_email' => $lang_profile['New e-mail']); + $required_fields = array('req_new_email' => $lang_profile['New e-mail'], 'req_password' => $lang_common['Password']); $focus_element = array('change_email', 'req_new_email'); require PUN_ROOT.'header.php'; @@ -279,6 +285,7 @@
      +

    @@ -303,6 +310,9 @@ if (isset($_POST['form_sent'])) { + if (!isset($_FILES['req_file'])) + message($lang_profile['No file']); + $uploaded_file = $_FILES['req_file']; // Make sure the upload went smooth @@ -359,12 +369,17 @@ message($lang_profile['Move failed'].' '.$pun_config['o_admin_email'].'.'); // Now check the width/height - list($width, $height, ,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp'); - if ($width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height']) + list($width, $height, $type,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp'); + if (empty($width) || empty($height) || $width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height']) { @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp'); message($lang_profile['Too wide or high'].' '.$pun_config['o_avatars_width'].'x'.$pun_config['o_avatars_height'].' '.$lang_profile['pixels'].'.'); } + else if ($type == 1 && $uploaded_file['type'] != 'image/gif') // Prevent dodgy uploads + { + @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp'); + message($lang_profile['Bad type']); + } // Delete any old avatars and put the new one in place @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[0]); @@ -527,6 +542,9 @@ $result = $db->query('SELECT group_id, username FROM '.$db->prefix.'users WHERE id='.$id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); list($group_id, $username) = $db->fetch_row($result); + if ($group_id == PUN_ADMIN) + message('Administrators cannot be deleted. In order to delete this user, you must first move him/her to a different user group.'); + if (isset($_POST['delete_user_comply'])) { // If the user is a moderator or an administrator, we remove him/her from the moderator list in all forums as well @@ -704,6 +722,14 @@ message($lang_common['Invalid e-mail']); } + // Make sure we got a valid language string + if (isset($form['language'])) + { + $form['language'] = preg_replace('#[\.\\\/]#', '', $form['language']); + if (!file_exists(PUN_ROOT.'lang/'.$form['language'].'/common.php')) + message($lang_common['Bad request']); + } + break; } @@ -729,7 +755,7 @@ } // Add http:// if the URL doesn't contain it already - if ($form['url'] != '' && !stristr($form['url'], 'http://')) + if ($form['url'] != '' && strpos(strtolower($form['url']), 'http://') !== 0) $form['url'] = 'http://'.$form['url']; break; @@ -740,7 +766,7 @@ $form = extract_elements(array('jabber', 'icq', 'msn', 'aim', 'yahoo')); // If the ICQ UIN contains anything other than digits it's invalid - if ($form['icq'] != '' && preg_match('/[^0-9]/', $form['icq'])) + if ($form['icq'] != '' && @preg_match('/[^0-9]/', $form['icq'])) message($lang_prof_reg['Bad ICQ']); break; @@ -795,7 +821,7 @@ { $form = extract_elements(array('email_setting', 'save_pass', 'notify_with_post')); - $form['email_setting'] == intval($form['email_setting']); + $form['email_setting'] = intval($form['email_setting']); if ($form['email_setting'] < 0 && $form['email_setting'] > 2) $form['email_setting'] = 1; if (!isset($form['save_pass']) || $form['save_pass'] != '1') $form['save_pass'] = '0'; @@ -817,6 +843,7 @@ // Singlequotes around non-empty values and NULL for empty values + $temp = array(); while (list($key, $input) = @each($form)) { $value = ($input !== '') ? '\''.$db->escape($input).'\'' : 'NULL'; @@ -824,6 +851,9 @@ $temp[] = $key.'='.$value; } + if (empty($temp)) + message($lang_common['Bad request']); + $db->query('UPDATE '.$db->prefix.'users SET '.implode(',', $temp).' WHERE id='.$id) or error('Unable to update profile', __FILE__, __LINE__, $db->error()); @@ -864,7 +894,7 @@ } -$result = $db->query('SELECT u.username, u.email, u.title, u.realname, u.url, u.jabber, u.icq, u.msn, u.aim, u.yahoo, u.location, u.use_avatar, u.signature, u.disp_topics, u.disp_posts, u.email_setting, u.save_pass, u.notify_with_post, u.show_smilies, u.show_img, u.show_img_sig, u.show_avatars, u.show_sig, u.timezone, u.style, u.num_posts, u.last_post, u.registered, u.registration_ip, u.admin_note, g.g_id, g.g_user_title FROM '.$db->prefix.'users AS u LEFT JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id WHERE u.id='.$id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); +$result = $db->query('SELECT u.username, u.email, u.title, u.realname, u.url, u.jabber, u.icq, u.msn, u.aim, u.yahoo, u.location, u.use_avatar, u.signature, u.disp_topics, u.disp_posts, u.email_setting, u.save_pass, u.notify_with_post, u.show_smilies, u.show_img, u.show_img_sig, u.show_avatars, u.show_sig, u.timezone, u.language, u.style, u.num_posts, u.last_post, u.registered, u.registration_ip, u.admin_note, g.g_id, g.g_user_title FROM '.$db->prefix.'users AS u LEFT JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id WHERE u.id='.$id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); if (!$db->num_rows($result)) message($lang_common['Bad request']); @@ -1128,7 +1158,7 @@ $d = dir(PUN_ROOT.'lang'); while (($entry = $d->read()) !== false) { - if ($entry != '.' && $entry != '..' && is_dir(PUN_ROOT.'lang/'.$entry)) + if ($entry != '.' && $entry != '..' && is_dir(PUN_ROOT.'lang/'.$entry) && file_exists(PUN_ROOT.'lang/'.$entry.'/common.php')) $languages[] = $entry; } $d->close(); @@ -1136,6 +1166,7 @@ // Only display the language selection box if there's more than one language available if (count($languages) > 1) { + natsort($languages); ?>