Update of /cvsroot/phpbb/phpBB2/includes
In directory usw-pr-cvs1:/tmp/cvs-serv2600/includes
Modified Files:
Tag: phpBB-2_0_0
bbcode.php functions.php functions_post.php usercp_avatar.php
usercp_register.php
Log Message:
Ok, I've done so much here, I can hardly remember what I've done...
There are various security updates throughout the commit, along with a few
bug fixes; I'll try to name them here.
---
Bug #453: Fixed.
Bug #485: Duplicate of #453, but still fixed.
Bug #476: Ok, the typo is fixed.
---
That should be it, but I'll have more fixes tomorrow. (Finally, I have
figured out regular expressions!!!)
--Doug
Index: bbcode.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/includes/bbcode.php,v
retrieving revision 1.36.2.8
retrieving revision 1.36.2.9
diff -C2 -r1.36.2.8 -r1.36.2.9
*** bbcode.php 12 Jun 2002 05:33:54 -0000 1.36.2.8
--- bbcode.php 23 Jun 2002 02:47:55 -0000 1.36.2.9
***************
*** 283,287 ****
// [img]image_url_here[/img] code..
! $text = preg_replace("#\[img\]([http|https]+?://)([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+]+)\[/img\]#si", "[img:$uid]\\1\\2[/img:$uid]", $text);
// Remove our padding from the string..
--- 283,287 ----
// [img]image_url_here[/img] code..
! $text = preg_replace("#\[img\](http(s)?://)([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+]+)\[/img\]#si", "[img:$uid]\\1\\3[/img:$uid]", $text);
// Remove our padding from the string..
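Review bot: The `(s)?` group in the new `[img]` pattern is a capture that exists only to make the `s` optional, which is why the replacement had to jump from `\\2` to `\\3`; writing `(https?://)` keeps the numbering at `\\1\\2` and reads more plainly. The URL character class is also pasted verbatim into the two patterns changed at lines 621 and 629 of this file, so the three allowlists can drift apart; defining it once in a variable and interpolating it would keep them in step. A one-line comment above the pattern, such as `// URL class is an allowlist: no quotes, angle brackets or whitespace`, would record why it must not be loosened.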
***************
*** 621,625 ****
// xxxx can only be alpha characters.
// yyyy is anything up to the first space, newline, or comma.
! $ret = preg_replace("#([\n ])([a-z]+?)://([^\t <\n\r]+)#i", "\\1<a href=\"\\2://\\3\" target=\"_blank\">\\2://\\3</a>", $ret);
// matches a "www.xxxx.yyyy[/zzzz]" kinda lazy URL thing
--- 621,625 ----
// xxxx can only be alpha characters.
// yyyy is anything up to the first space, newline, or comma.
! $ret = preg_replace("#([\n ])([a-z]+?)://([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+]+)#i", "\\1<a href=\"\\2://\\3\" target=\"_blank\">\\2://\\3</a>", $ret);
// matches a "www.xxxx.yyyy[/zzzz]" kinda lazy URL thing
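Review bot: The scheme group `([a-z]+?)` still accepts any alphabetic scheme, so the tightened character class on the rest of the URL does not stop a non-HTTP scheme from being written into the `href`; an explicit allowlist such as `(https?|ftp)` in place of `([a-z]+?)` would close that. The comment `yyyy is anything up to the first space, newline, or comma` is now stale, because the match is an allowlist that includes the comma; it could read `// yyyy is a run of allowlisted URL characters (no quotes, angle brackets or whitespace)`. The enclosing function starts and ends outside the hunk, so whether `$ret` is HTML-escaped before this point cannot be confirmed from here.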
***************
*** 629,633 ****
// This is slightly restrictive - it's not going to match stuff like "forums.foo.com"
// This is to keep it from getting annoying and matching stuff that's not meant to be a link.
! $ret = preg_replace("#([\n ])www\.([a-z0-9\-]+)\.([a-z0-9\-.\~]+)((?:/[^\t <\n\r]*)?)#i", "\\1<a href=\"http://www.\\2.\\3\\4\" target=\"_blank\">www.\\2.\\3\\4</a>", $ret);
// matches an email@domain type address at the start of a line, or after a space.
--- 629,633 ----
// This is slightly restrictive - it's not going to match stuff like "forums.foo.com"
// This is to keep it from getting annoying and matching stuff that's not meant to be a link.
! $ret = preg_replace("#([\n ])www\.([a-z0-9\-]+)\.([a-z0-9\-.\~]+)((?:/[a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+]*)?)#i", "\\1<a href=\"http://www.\\2.\\3\\4\" target=\"_blank\">www.\\2.\\3\\4</a>", $ret);
// matches an email@domain type address at the start of a line, or after a space.
Index: functions.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/includes/functions.php,v
retrieving revision 1.133.2.2
retrieving revision 1.133.2.3
diff -C2 -r1.133.2.2 -r1.133.2.3
*** functions.php 12 May 2002 00:47:40 -0000 1.133.2.2
--- functions.php 23 Jun 2002 02:47:55 -0000 1.133.2.3
***************
*** 671,674 ****
exit;
}
-
?>
--- 671,673 ----
Index: functions_post.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/includes/functions_post.php,v
retrieving revision 1.9.2.8
retrieving revision 1.9.2.9
diff -C2 -r1.9.2.8 -r1.9.2.9
*** functions_post.php 12 Jun 2002 05:33:54 -0000 1.9.2.8
--- functions_post.php 23 Jun 2002 02:47:56 -0000 1.9.2.9
***************
*** 75,85 ****
{
$match_tag = trim($allowed_html_tags[$i]);
!
! if ( preg_match('/^<\/?' . $match_tag . '\b/i', $hold_string) )
{
! if ( !preg_match('/style[="](.*?)["]/i', $hold_string) )
! {
! $tagallowed = true;
! }
}
}
--- 75,81 ----
{
$match_tag = trim($allowed_html_tags[$i]);
! if ( preg_match('/^<\/?' . $match_tag . '(?!(\s*)style(\s*)\\=)/i', $hold_string) )
{
! $tagallowed = true;
}
}
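Review bot: The rewritten pattern drops the `\b` after `$match_tag` and looks for `style` only directly after the tag name, so it is weaker than the two-step test it replaces. Without the word boundary an allowed tag name matches any tag that merely begins with it (an allowed `b` would also accept `<body`), and the negative lookahead no longer rejects a `style` attribute that follows another attribute, which the removed second `preg_match` caught anywhere in `$hold_string`. Assuming `$hold_string` holds the single tag being examined, ending the pattern with `'\b(?![^>]*\bstyle\s*=)/i'` restores both properties, and `preg_quote($match_tag, '/')` would keep a configured tag name from being read as regex syntax. The surrounding loop begins and ends outside the hunk.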
Index: usercp_avatar.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/includes/usercp_avatar.php,v
retrieving revision 1.8.2.4
retrieving revision 1.8.2.5
diff -C2 -r1.8.2.4 -r1.8.2.5
*** usercp_avatar.php 12 May 2002 15:57:45 -0000 1.8.2.4
--- usercp_avatar.php 23 Jun 2002 02:47:56 -0000 1.8.2.5
***************
*** 70,73 ****
--- 70,74 ----
function user_avatar_url($mode, &$error, &$error_msg, $avatar_filename)
{
+ $avatar_filename = rawurlencode($avatar_filename);
if ( !preg_match('#^http:\/\/#i', $avatar_filename) )
{
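Review bot: Encoding the whole URL with `rawurlencode()` before validation turns `:` and `/` into `%3A` and `%2F`, so the `^http:\/\/` test on the next line can no longer match anything a user submits, and neither can the host pattern further down. If the intent is to keep quotes and markup out of the stored value, validate the raw string first and escape it where it is printed, or encode only the path component once the checks have passed. The added line should be dropped or moved after validation. `user_avatar_url()` continues past the end of this hunk, so what the `if` body does with the unmatched value is not visible here.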
***************
*** 75,79 ****
}
! if ( !preg_match('#^(http:\/\/[a-z0-9\-]+?\.([a-z0-9\-]+\.)*[a-z]+(:[0-9]+)*\/[^\"]*?\.(gif|jpg|jpeg|png)$)#is', $avatar_filename) )
{
$error = true;
--- 76,80 ----
}
! if ( !preg_match('#^(http:\/\/[a-z0-9\-]+?\.([a-z0-9\-]+\.)*[a-z]+(:[0-9]+)*\/\.(gif|jpg|jpeg|png)$)#is', $avatar_filename) )
{
$error = true;
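Review bot: With `[^\"]*?` removed and nothing put in its place, the pattern now requires the extension to follow the first slash directly, so an ordinary URL with a file name or directory is rejected. This looks like an unfinished edit; the path needs a restricted class rather than none, for example `\/[a-z0-9_\-\.\/%~]*?\.(gif|jpg|jpeg|png)$`. Adding the `D` modifier would also stop `$` from accepting a trailing newline. The function body lies partly outside the hunk.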
Index: usercp_register.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/includes/usercp_register.php,v
retrieving revision 1.20.2.12
retrieving revision 1.20.2.13
diff -C2 -r1.20.2.12 -r1.20.2.13
*** usercp_register.php 4 Jun 2002 04:14:17 -0000 1.20.2.12
--- usercp_register.php 23 Jun 2002 02:47:56 -0000 1.20.2.13
***************
*** 362,365 ****
--- 362,370 ----
}
+ if ( $website != '' )
+ {
+ rawurlencode($website);
+ }
+
if ( isset($HTTP_POST_VARS['avatardel']) && $mode == 'editprofile' )
{
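Review bot: `rawurlencode($website);` discards its result, because the function returns the encoded string and leaves its argument unchanged, so the added block does nothing to `$website`. Assigning the result would not be right either, since it would percent-encode the `://` and the slashes of a valid address. If the aim is to keep markup out of the profile link, check the scheme here and escape with `htmlspecialchars()` where the value is printed; otherwise remove the block. The surrounding code is outside the hunk, so any later validation of `$website` cannot be seen from here.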